My wife had to go to Holland for a week because of family illness. While there her credit cards were refused, because of an apparently new policy that American credit cards without a "chip" are being refused. Chase Visa Freedom doesn't have them, nor does Amazon Visa. Apparently a Visa Btrish Aorways card may have a chip. Citibank was nice and is sending me new MC cards with a chip.
If you are contemplating using your credit cards on travel in Europe (certainly Holland), make sure you get new ones with a chip. Or be prepared for hassles.
VIsa USA authorized member banks to issue Chip & Pin cards, but it's expected to take at least a year or more before they become generally available. TravelEx issues prepaid Chip & Pin debit cards at their US locations (airports and city offices). They are available in Euros and Pounds Sterling.
I would qualify that - I spend quite a bit of time in the UK. US signature cards work fine at most of the major establishments - Tesco, Asda, M&S, etc. Quite often the clerk won't have a clue and will have to pull out their instruction book, but if they swipe the card at the register instead of the PIN pad, it usually works fine.
They definitely won't work in kiosks, parking payment terminals, Network Rail ticketing machines, self serve petrol pumps, and smaller establishments (pubs, convenience stores, etc).
I was in the UK last fall, and (mostly in London, but elsewhere too) used my US credit card without a problem. I didn't use it in kiosks, parking payment terminals, Network Rail ticketing machines, or self serve petrol pumps, but I used it in several pubs.
This is one area where the US is way behind the rest of the world. The magstrip is not very secure, which is why most everybody is phasing it out. Here, the banks don't care because the burden is on you when it's compromised.
Not true. Frederal law explicitly states that the card holder is not responsible for fraudulent transactions above $50 if the issuer is notified and most issuers offer a zero liability guarantee.
OTOH, good luck challenging a fraudulent transaction of a Chip & Pin card, even though they have demonstrated attacks on those. Not as common as signature fraud, I grant you, but quite possible. The assumption with those cards is that you gave your Pin and card to someone and good luck convincing the bank otherwise.
There's a lot of history around why many countries use Chip & Pin and the US has stayed with signature cards. In the early days of credit cards, it had to do with the fact that phone systems for online transaction validation elsewhere were expensive and unreliable. Chip and Pin smart cards were a way to keep track of offline transactions and balances and reporting them to the bank when a link was available.
While that's no longer the case, the number of terminals that will need to be swapped out in the US dwarf other countries. When you compare the cost of fraud against the cost of swapping out those terminals (which ultiately will get borne by the consumer), it's understandable why it hasn't happened.
I've been following this thread but still haven't figured out what this "chip" is. My credit cards have a holographic image on the back, next to my signature. This holographic image doesn't mean anything special other than it would be hard for anyone to produce it on a counterfeit credit card.
Does the "chip" mentioned in this thread mean that it will interact, electronically with some complex identification means?
The chip is actually a small CPU that performs certain crypto routines with the PIN number and authenticates the card. That way the PIN never gets transmitted in the clear and theoretically can't be intercepted.
I say theoretically because they have figured out ways of reverse engineering the PIN, but doing so does require access to the card by means of a modified terminal.
Antares 531 wrote in news: snipped-for-privacy@4ax.com:
As Robert Neville said. One of the ways it is more secure is that the card doesn't get out of your sight. In restaurants they'll come with a portable reader/printer (that is or was true for all credit cards). There is a chip embedded in the card with something like 4 or 6 contacts on it that get read. At least that is with the card I have most often used, a Dutch bank debit card. Just so I didn't have to pay currency exchange fees and/or exorbitant exchange rates. This time my wife went to Holland, and I didn't give her my Dutch card. At Schiphol airport at the train station ticket counter, they refused her credit cards. Maybe if you insist they'll accept them, maybe they won't. The Chip Cards are much easier to use anyway. I'm trying to get her authorized on my account, with her own card. In the meantime I've made lots of noise at diverse institutions, because I can't imagine what'll happen if you try to pay for your nice dinner in Amsterdam and they won't take your card. CitiBank said they'll send me replacement cards with chips for their MasterCard, and I told Chase about that so the higherups can decide what to do with their Visa cards.
The train ticket kiosks at Schiphol definitely won't take signature cards, or at least they wouldn't the last time I was there a couple of years ago. I think I was able to use a signature card at the counter window, but am not positive.
If my bank doesn't have a Chip & Pin card available before my next trip, I'll probably get one of the TravelEx prepaid cards as a backup. If you get them at certain locations there's no charge - just the usual foreign exchange conversion at only slightly unfavorable rates. Details on their web site.
It doesn't perform cryptographic routines nor has a CPU. It stores user information and cryptographic hashes like a Smart Card. Each card has a user certificate and the user uses a PIN. When the card is utilitized in Smart Card Reader and the PIN has been entered correctly by the purchaser the system then checks the certificate against a OCSP server and verifies if the certificate is valid or revoked using the ISO/IEC 7816-3 standard before rendering the transaction.
You seem to be misinformed - the card definitely does crypto processing. Wikipedia isn't authoratative, but has a pretty good explanation:
formatting link
Key quotes follow:
"The use of a PIN and cryptographic algorithms such as DES, Triple-DES, RSA and SHA provide authentication of the card to the processing terminal and the card issuer's host system."
"ISO/IEC 7816-3 defines the transmission protocol between chip cards and readers. Using this protocol, data is exchanged in application protocol data units (APDUs). This comprises sending a command to a card, the card processing it, and sending a response."
What is authoratative is the association that controls the spec for chip & pin cards. From their website:
formatting link
"EMV chip-based payment cards, also known as smart cards, contain an embedded microprocessor, a type of small computer. The microprocessor chip contains the information needed to use the card for payment, and is protected by various security features. Chip cards are a more secure alternative to traditional magnetic stripe payment cards."
It is NOT a small CPU but it is a repository of information that is encrypted in the chip's memory banks. The surface of the 'chip' that you see on the face of the card has the contacts that are used to interact with the repository. The pin is a calculation of the offset between what you enter and the natural pin as generated by the issuer of the card and uses the same method of computation as the pin used in an automated banking machine before the chips were put onto the cards. I know this because it was my field when I worked in Canadian banks, and I was the Canadian representative to ISO when the current design's standard was finalized.
The chip used can vary greatly, and the ones used for these 'banking' cards is one of the cheapest available, since a lot of horsepower and memory is not required in these chips. Far more secure chips are available but at a higher price, and when you calculate the number of cards that need to be replaced to make the use of the chip universal, you can see why the banks and Visa, Master Card and Amex have chosen one of the least expensive chips to use in their cards.
Here in Canada almost everyone has converted to the chip card as well, and soon the swipe and sign cards will be a thing of the past. As for fraudulent use of the cards, in Canada that $50 limit still applies, and you had better let your bank know your destinations and days you will be at those destinations before you travel outside your own province or your card may be rejected. This is one additional way that the banks here have of controlling theft of cards and PIN numbers from unsuspecting individuals... If we travel to the U.S. we call in advance and advise where we will be, when we will be there, and when we will return, as well as how we will be traveling. We, of course, hold the bank responsible for not misusing that information to permit a 'break-in' at our residence while we are gone, which usually leaves them 'spitting' at our implication that we don't trust them, but then again, that is part of the game these days.
So for what it is worth, I would not call the chip a small CPU. It is memory with programming stored on the chip as well as the offset of the PIN and account data that replicates the data visible on the card's surface, all encrypted using something that the bank and the terminals can understand. There may be one encryption level for the terminal, allowing it to know which bank to contact, and a second level of encryption at the bank to take what is sent and unscramble it for processing at the bank. That is more secure than only one level of encryption, but those are design issues and once determined, are easy to inject into the cards as they are being prepared for issue to you, the customer of the bank or organization.
I suspect that is more than you want to know... In Canada, which is about 10% the size of the U.S. in population, we HAVE switched over, and merchants have, in the main, replaced their swipe only units with combined units that work with swiping and cards with chips, which in turn require a pin pad. Progress, you know...
Go to
formatting link
look at the card that is displayed. That small silver square you see in themiddle of the left side of the card is the area of thecontacts that connect to the chip buried underneath those contacts. Thisparticular card includes $0 liability coverage if the card isstolen, etc. as you can see when you read the details. This is a VISA offering,and the Canadian banks that offer this particular card arelisted ...
Yeah, I think that they are exagerating it. Call it hype or marketing for the layperson.
I have used Smart Cards for a decade. My computers have Smart Card readers. There is no processing of data on the card that a "microprocessor" would perform. It is nothing but a specific kind of non-volitile memory chip front-ended by a some very simple logic processing. It is not like a microprocessor in you computer and is much, much, simpler. Call it a nano-microprocessor for its simple logic processing.
Read the technical specifications, EMV 20000, of the actual card implementation and its association with Public Key Infrastructurte (PKI). You'll find there really is no "processing" of data on the Banking Smart Card itself asside from some simple logical routines. I am sure those logical routines are hyped with the text "contain an embedded microprocessor, a type of small computer" to help explain to the lay person what it is. That's why it is on the Main page of that URL. You don't find real technical information on a main Web Page.
The card stores data in the form of a 64bit block cipher either coded in Electronic Codebook (ECB) Mode or in Cipher Block Chaining (CBC) mode. The real processing is done at the POS terminal. The card implements a 4-12 digit Personal Identification Number (PIN - ISO 9564-1) that is encoded on the card (which is read/write) and if the PIN is entered correctly the personal certificate is read and sent for certificate verification and revocation status. If the Certificate Authority (CA) shows that the certificate is valid and the user has entered the correct PIN then the transaction is approved.
The security of the card has some logic built-in. When the user enters a PIN it is checked against the stored PIN. IF the number does not match then an accumulator register is incremented and the user is issues a "wrong PIN entered" type of message. If that happens a preset number of times in a row (usually 3) the the card is placed in a deactivated state and the person must got to an issuing agent and reinstate the card. If a user enters a correct PIN equal to or under the preset number of times in a row then the accumulator register set set to zero and the certificate verification and revocation status process can commence. This simple logic performed on the card and could be the basis for the text "contain an embedded microprocessor, a type of small computer". Again, simple text for the layperson.
BeanSmart website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.