From a security standpoint: if you've used a magnetic stripe credit card at a store, is there a security benefit to using the same credit card (via Apple Pay) at the same store? I assume that once you've used a normal credit card at a store they have all your info, and using Apple Pay is like locking the barn door after the horse has escaped.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Why use Apple Pay at a store that you've shopped at before?
- Thread starter Bill Av
- Start date
- Sort by reaction score
I shopped at Target, they got hacked. I got a new card.
I shopped at Home Depot with my card, they got hacked.
I shopped at Kmart, they too got hacked. http://www.kmart.com/en_us/dap/statement1010140.html
I then shop at local groceries, Albertsons. They got hacked. http://www.albertsons.com/recent-update/
The credit card number on Apple Pay is not the same as the number on my magnetic stripe card.
Do you understand now?
So if you use your magnetic striped card and it's number gets stored on the stores computer today and starting tomorrow you only use AP, when the stores computer gets hacked 6 mo. from now the hackers still have the number from your magnetic striped card unless the store purges old information or the hack didn't access the stores computers.
I have it in a couple of mine, it doesn't help though. You can still just swipe the card and sign. Also most retailers I've been to can't even accept chip and pin because they don't have the terminal for it.
Why wear a seat belt when the last time you drove you made it just fine?
Its a more secure method of payment and getting in the habit of making use of it both provides you a level of protection for that specific transaction and lets the business know people are interested in the technology. Your point is valid if the hack makes use of recorded data but if that happens you hope to catch it, swap the card then use AP from that point forward with that store.
Many of the hacks occur with some type of malware/exploit at the Point of Sale (POS) terminal. They typically don't store your CC#. So getting those hacked, which has been the norm, will start capturing CC#s from the point of exploit going forward. Using AP today at a place where you used your CC# yesterday should protect you from hacks starting today.
The PCI standards are also pretty rigorous around storing CC#s and the systems they are stored on, which is why they weren't targeted, but and easier place to create a hack, the POS systems.
Bottom line, starting to use AP, or the new Google Pay (when it comes out with temporary tokens) will protect you going forward.
Strange. It shouldn't be that way. It is impossible to swipe my card if the POS is equipped with chip support. It just says "insert card".
Almost all American credit cards are actually chip and signature, not chip and PIN. The one chip and PIN card I have is from a bank that's not currently accepting applications for it. Using said chip and PIN card is actually a hassle at restaurants because they're not getting the portable readers like in other countries.
My debit card has a chip too but I was never asked for PIN the few times I tried using said chip. Or it was rejected outright (Walmart) and forced to swipe.
Almost all American credit cards are actually chip and signature, not chip and PIN. The one chip and PIN card I have is from a bank that's not currently accepting applications for it. Using said chip and PIN card is actually a hassle at restaurants because they're not getting the portable readers like in other countries.
October 2015: The End of the Swipe-and-Sign Credit Card
- February 6, 2014, 2:03 PM ET
ByTom Gara
Mastercard
(We have corrected this article to reflect the fact that customers will still be able to sign for credit card payments after October 2015.)
It’s a payment ritual as familiar as handing over a $20 bill, and it’s soon to go extinct: prepare to say farewell to the swipe-and-sign of a credit card transaction.
Beginning later next year, you will stop swiping the credit card. Instead, you will insert your card into a slot, just like people do in much of the rest of the world, where the machine will read a microchip, not a magnetic stripe. You’ll still be signing for the time being, but the new system also enables the use of PIN numbers, if card issuers decide to add them to their cards.
The U.S. is the last major market to still use the old-fashioned swipe-and-sign system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions.
The recent large-scale theft of credit card data from retailers including Target and Neiman Marcus brought the issue more mainstream attention, leading to a Senate Judiciary Committee hearing this week. Executives told the senators that once the country transitions to the new system — which includes credit cards embedded with a microchip containing security data — these kind of hacking attacks will be much more difficult to pull off.
The shift is coming though: both MasterCard and Visa have roadmaps for the changeover, and both have set October, 2015 as an important deadline in the switch. But why has it taken this long, and how will the changeover work for card users and businesses?
We spoke with MasterCard’s Carolyn Balfany, the company’s expert on all things related to the new payment system, known as EMV, that will lead to the end of the swipe-and-sign and the beginning of the chip-and-PIN. Here’s what she had to say.
Much of the rest of the world switched to chip and PIN cards years ago. Why has it taken the U.S. so much longer?
There’s a historical view to this. In the past, other markets migrated for two reasons. First, there were higher fraud rates in some other markets, and they wanted to make this move to combat fraud. Second, this system can operate in offline mode – the card and the terminal can authorize a transaction independent of communication with the bank’s systems. In some other markets they struggled with robust telephony networks, so this offline capacity was attractive.
Both those factors were not driving factors here in America. Fraud was more prominent in some other markets, but what has happened since then is that as other markets migrated to EMV and became more secure, fraudsters migrated their activity to markets with less security. We saw fraudsters move over to the US market – they are looking for the path of least resistance.
There were also some more specific challenges to US migration to the new system. Because the US is one of the largest and most complex markets, the business cases for the costs had to be established. And there were requirements of the Durbin amendment, mandating all us debit transactions are able to go across at least two networks, which took some time for the industry to sort out.
It seems now like there is agreement on the switch. So when will the changeover happen?
For Mastercard, now is the time, and we’ve been very consistent on that message for years. We introduced our roadmap for migration in 2012, and that roadmap says that for face-to-face transactions, where a consumer uses their card at a merchant’s location, the liability shift will happen in October, 2015.
The “liability shift” is a big moment in the changeover. Can you explain what it means?
Part of the October 2015 deadline in our roadmap is what’s known as the ‘liability shift.’ Whenever card fraud happens, we need to determine who is liable for the costs. When the liability shift happens, what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.
So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.
The key point of a liability shift is not actually to shift liability around the market. It’s to create co-ordination in the market, so you have issuers and merchants investing in the migration at the same time. This way, we’re not shifting fraud around within the system; we’re driving fraud out of the system.
How will the change over to the new system actually happen?
One important thing to know is that it’s not as if everybody just got to the starting line just now, there has been a lot of work on this that has already happened. For merchants, the terminals in many cases are readily available or already there, they already have the equipment ready to handle the new cards. Banks who issue cards in many cases already can issue cards with the chip, and they have been issuing them to customers who travel overseas.
U.S. consumers are already pretty aware of the chip and PIN system, because most of the rest of the world has already migrated. And we would expect in the wake of these latest breaches and the media coverage that awareness is now even higher. And as banks issue consumers their new cards, they will get information explaining the system and all the benefits, and obviously how to use it.
Aside from the security of the system, are there any other benefits for consumers?
One thing to remember is this migration really isn’t about a single device or technology, it’s about establishing a technological platform for the next generation of payments. So the EMV standard that we are moving toward isn’t limited to chip and PIN cards, it also includes things like contactless payments, where you can tap the card against the reader, all with the same level of security.
Card issuers will probably always issue a card, but in this system an account can be resident in multiple places – so you can have the card, but also maybe a tag affixed to your phone for mobile payments, or a fob on your key ring.
There are lots of different use cases and it depends on the venue, and the devices and what interaction method makes the most sense. In a transit location, contactless interfaces make a lot of sense. We’ll continue to see interactions broaden and evolve as this migration happens.
Corrections & Amplifications: The new EMV credit card system the U.S. is set to migrate to by October, 2015 will use microchip-enabled credit cards, but still allows customers to sign for their payments. Banks can choose to issue cards that require a PIN number instead of a signature, but the switch to PINs will not be required in October 2015 as reported in an earlier version of this article.
I've had my chip die for what ever reason to the point where even tapping it doesn't work (the antennas lead into the same chip, so no surprise). Technically, the mag strip would be unaffected, and after inserting the chip into the terminal it tells me "CHIP ERROR, PLEASE SWIPE" however the transaction fails when I swipe.
In Canada at least, I don't know why they even make them with mag strips anymore. Virtually no places even accept them. I still have an Amex card that doesn't have a chip and while I can use it most places, I've learned never to use it at the pump at a Shell station. I don't think they can physically read them anymore.
Thanks. I had always pictured the hacks as a database being breached and the information being downloaded all at once. If I'm understanding you correctly, the data was stolen over the course of months as the hackers were "listening" to the transactions as they were being made.
Out of curiosity, does anyone know how long do retail stores hold on to your credit card info? I assumed that once they get it, they never let it go.
The reason you still have a magnet strip if you're going to the ancient country called USA
The reason you still have a magnet strip if you're going to the ancient country called USA
Even if the US became 100% chip tomorrow most cards would still have the strip simply because most banks still allow fallback transactions.
Jeez, I missed this reply. Thanks for the Apple Pay for Dummies refresher.
I wasn't trolling. I've been getting into the habit for the past six months of using Apple Pay or my chip card whenever possible. For me, that's been 5% of my purchases. One store that I've consistently used Apple Pay at is BJ's. Until a few days ago. The NFC light was out, and instead holding up the line, I just swiped my card (since Chip & Signature isn't an option there). And I figured that seven months of protecting my info was down the drain. I'd like it so that no store has my CC info on file.
For those of you who are security conscious in the US, what do you do when NFC is down, chip card isn't an option, and you don't have the cash to cover your purchase?
Barclays Arrival+ supports C&P (both online and offline) - but defaults to signature.
Walmart (and I think some Targets) as of a few days ago now require chipped cards to be inserted. If you try and swipe the machine will tell you to insert the card. Although I've heard chipped debit support might be a bit ways off for various technical reasons.
This will become more and more mainstream in the coming months.
But there are multiple standpoints. Security aside, using Apple Pay will prevent the store from tracking your purchase over time and building a profile of you.
I wouldn't call that a security issue, but it is a thing. The point is, whether or not one particular reason matters to you isn't such a big deal when there are multiple reasons.
How does this work? So does this card not work for internet purchases? And if you travel to the U.S. it's worthless? Do you have a second, less-secure card for use in those situations?
I still use my credit card for online bill payments (the ones that don't charge a fee) and for Amazon purchases.
Before the hacking incidents, I still used Credit Cards at Brick and Mortar stores, but never restaurants or any situation where the card left my sight, preferably my hands.
Since the hacking happened (Both Target and Home Depot) to me, and I got card replacements, The physical cards never leave my wallet except for gasoline purchases (required pump swipe for 5% rebate). I guess I should stop carrying them, but for emergency purposes I continue to do so. I suppose I may adopt apple pay when it becomes more ubiquitous, but for now its more likely a store will take cash. I hope gas stations begin to accept apple pay, but it is not clear to me if I will still get my 5% rebate, which requires at pump swipe of the card.
I've adapted to using cash and I have to admit sometimes it seems as if stores make it unnecessarily difficult. It wasn't an easy or small change, but it has come with several benefits, not the least of which is better spending habits.
A) I have to really want something to turn loose of the cash
B) I have to leave the store to get cash and return, or plan ahead for big purchases -- impulse buys don't happen.
C) When my monthly budget allowance is gone, its gone -- no going over without tapping money earmarked for savings. It was too easy to go over budget with the huge credit limit and be forced into going over budget when the bill came.
D) Stores (and other interested parties) can't track your spending habits with cash, unless you also use a rewards/shoppers card. I don't like being watched.
EDIT: For those that mentioned the chipped cards as extra security:
1) A defective chip reader declined my PenFed card at Wal-Mart for no reason with a line of people behind me. Guy who hates shopping at Wal-Mart finds himself there for motor oil and even though he has an 846 out of 850 credit score, the people carrying WIC/Food Stamp cards behind him stare at him like he's a deadbeat. The next register (after waiting in line again) accepted the chip after 4 more tries. I knew the card was ok because I made a paypal purchase as I entered the store on my phone.
2) The chips are an obvious attempt to shift the fraud blame from creditor to consumer.
Before the hacking incidents, I still used Credit Cards at Brick and Mortar stores, but never restaurants or any situation where the card left my sight, preferably my hands.
Since the hacking happened (Both Target and Home Depot) to me, and I got card replacements, The physical cards never leave my wallet except for gasoline purchases (required pump swipe for 5% rebate). I guess I should stop carrying them, but for emergency purposes I continue to do so. I suppose I may adopt apple pay when it becomes more ubiquitous, but for now its more likely a store will take cash. I hope gas stations begin to accept apple pay, but it is not clear to me if I will still get my 5% rebate, which requires at pump swipe of the card.
I've adapted to using cash and I have to admit sometimes it seems as if stores make it unnecessarily difficult. It wasn't an easy or small change, but it has come with several benefits, not the least of which is better spending habits.
A) I have to really want something to turn loose of the cash
B) I have to leave the store to get cash and return, or plan ahead for big purchases -- impulse buys don't happen.
C) When my monthly budget allowance is gone, its gone -- no going over without tapping money earmarked for savings. It was too easy to go over budget with the huge credit limit and be forced into going over budget when the bill came.
D) Stores (and other interested parties) can't track your spending habits with cash, unless you also use a rewards/shoppers card. I don't like being watched.
EDIT: For those that mentioned the chipped cards as extra security:
1) A defective chip reader declined my PenFed card at Wal-Mart for no reason with a line of people behind me. Guy who hates shopping at Wal-Mart finds himself there for motor oil and even though he has an 846 out of 850 credit score, the people carrying WIC/Food Stamp cards behind him stare at him like he's a deadbeat. The next register (after waiting in line again) accepted the chip after 4 more tries. I knew the card was ok because I made a paypal purchase as I entered the store on my phone.
2) The chips are an obvious attempt to shift the fraud blame from creditor to consumer.
Last edited:
That's why I consider the Arrival+ to be chip and signature. Using the term C&P to refer to cards configured like the Arrival+ seems to have stuck though.