Markie

A small number of Walmarts (less than 5% of stores), and some small shops using Chase Paymentech or First Data for their processing, with compatible equipment, which has been updated recently.

Markie

I've heard this video has been going around to merchants in the UK, along with the accompanying literature:

http://www.youtube.com/watch?v=F4HFL4JgkdQ

Of course, I've never heard of a chip-and-signature card being an issue in the UK. Ireland is the country I've heard of the most problems in.

Casual Observer

The real problem in introducing them widely in the USA has been the cost and who bears it. There is a huge difference in the number of companies providing the retail outlets with terminals and their pricing model compared to the much narrower choice in the UK and much of Europe. I think you are likely to see them become more widespread fairly soon ( read. Based on the new terms and conditions being issued by the major banks. In a nutshell retailers will have to eat the cost of fraud as the banks will no longer entertain chargebacks on alleged fraud if the retailer is not using a chip and pin terminal.

Ash UK/US

Which Walmart? Will be handy to know for the people that shop there, definitely none local to me but good to know they are starting the ball rolling.

When I am back in the UK and last summer when we where in Canada I much prefer having my credit card in constant sight not that 'issues' couldn't arise there too but I does feel safer.

Casual Observer

It may "feel" safer. The actual figures show otherwise. Indeed consumer legislation was brought in to specifically protect consumers when the banks said tough you must have given your pin to someone and stuffed the customer with disputed charges.

Chip and Pin is NOT the magic potion everyone perceives it to be. Is it better than the current mag strip? Yes by a wide enough margin to justify the cost? Very debatable. Card based systems will go the way of the first vodaphone which weighed around 3lbs if I recall correctly - and the analogy with a cell phone is not accidental.

Markie

It is much safer, much much safer. I can't believe after Target, URM Stores, Neiman Marcus that there are still those who'd argue it's not worth it.

As for which Walmart's - I don't have a list. I know their stores in the Orlando area are EMV enabled though.

Casual Observer

Ummmm you do know how the data breach occurred at Target right? The type of card used is totally irrelevant.

Markie

How is it totally irrelevant? You do know that, yes, the same breach could have occurred with EMV but that the data obtained would have been completely worthless, right?

Casual Observer

Worthless perhaps or perhaps not. Totally worthless? You are having a laugh. The encryption used is subject to being broke. Is it easy? NO Is it possible YES. Given the knowledge and ability the hackers had to obtain the data in the first place it is far from beyond the realms of possibility that they they could figure out how to deal with the encryption. If I had a dollar for every time the techies told me the system was foolproof over the years I would have a lot more dollars and an even larger collection of fools in my circle of colleagues. Card technology is way behind the curve and largely a moot point as we move away from card based systems in the not too distant future.

It is totally irrelevant because the type of card has nothing to do with the Target security breach.

Markie

It's not just about encryption, my friend. Let's make the assumption they can get the name, account number and expiration date. They still won't be able to make working counterfeit cards because the EMV card generates one-time transaction codes (in place of the conventional fixed CVV). If you can't generate these keys, the numbers are useless.

Also, while years ago you could've used this data online, now you need the CVV2 for online use (numbers printed on the back of the card).

In short, a Target-style breach in an EMV world would've resulted in a bunch of worthless data even if names, account numbers and expiration dates were obtained, so saying it wouldn't have mattered is utterly silly.

Also, what do you think will power card-less payment? Oh yeah, EMV. Well, Google Wallet uses contactless magnetic stripe data (which doesn't have the encryption of EMV, but still is more secure than the stripe because in place of the CVV, it uses a rotating one-time CVV) to ensure full compatibility in the US. But going forward, mobile wallet systems are based on contactless EMV.

Casual Observer

All of which is still irrelevant.

It is akin to saying it is harder to spend diamonds than cash. Therefore it safer to store diamonds in a safe rather than cash.

The point is quite simple the safe was the weak link not the contents.

If the safe were secure and you could not get at either the diamonds or the cash then the contents become irrelevant, they may as well be mushy peas.

To suggest that a chip and pin card would somehow have stopped Target from being hacked is a very large stretch indeed.

Markie

How is it irrelevant? That's silly. I'm not claiming the hack on Target couldn't have occurred but the effect on people is vastly different. Which do YOU think is a worse situation:

40 million people, as it is, who need new cards, who have to fight fraudulent charges, etc.

Or - 40 million people who had some information leaked, but nothing usable. NOBODY needing new cards, no fraud, etc.

If you can't see that as a big difference, well, I dunno. Plus the breach probably wouldn't have occurred. Not because it'd be impossible, but because it would've been pointless.

Casual Observer

Pointless how exactly? Chip-and-PIN cards do not help with card-not-present fraud (such as online transactions) and as long as POS terminals and ATMs accept both EMV and magnetic stripe cards.

Markie

Pointless because the data obtained would've been useless. Even breaking encryption, hackers would not have obtained the CVV needed to make a magnetic stripe card (that is only on the magnetic stripe) nor the CVV2 needed to complete a card-not-present transaction.

They MIGHT, with a similarly high-level attack to Target, have obtained the cardholder's name, expiration date, account number and the one-time transaction key used (now invalid).

All of that information is, on it's own, worthless, and cannot be used to complete a transaction (except for the very, very rare instance where CVV2 is not required by a card-not-present merchant). Thus, the hack would have been pointless.

Casual Observer

I am not sure where you are getting the very very rare from.

Card not present accounts for 63% of card fraud not rare by the wildest stretch of the imagination.

Chip and Pin despite the myths CAN be cloned and those random number generators are not so random. Again the weakness is not the card but the terminal.

Is Chip and Pin ( which may or may not become the final adopted international standard - personally I have my doubts in its present format) more secure than magnetic stripe cards? On balance yes it is.

Is it the panacea that people appear to think it is and the answer to fraud? Not even close :shrug: