by creshal 3919 days ago
It's depressing to see the US still treating EMV cards like a strange exotic novelty while Europe is already upgrading those again and moving to NFC-enabled cards after EMV has worked without any major issues for 20 years.

For small, repeated transactions you just hold the card to the reader and are done in 1-3 seconds. The first transaction on each reader and random transactions every $20-50 (and all transactions above a $20 limit) will require chip+PIN verification, which seems to cut down fraudulent transactions for now.

8 comments

More like 10 years. UK + Europe rollout of chip+pin/EMV + incentivised liability shift was around 2005/2006, and has reduced card fraud by around 70% in most countries. Contactless/NFC payment facilities have been pretty widespread (at least in the UK) since 2010 or so, and since the last couple of years or so are pretty much ubiquitous.

I suspect that America being so backwards in this respect has a lot to do with the power and influence wielded by corporate lobbyists in congress.

German rollout was in 2000.

France had them in the early 90's.

In the US (even without a chip) you usually don't need to sign for smaller transactions - the shop assistant just swipes your card and it's done. This can even work on some European cards there (it did for my UK credit card).

Chip-and-PIN was invented to make card transactions more secure at a time when most transactions were 'offline', i.e. there was no direct connection from the card terminal to the issuer, so it wasn't possible to ask the issuer whether a transaction should be allowed. To attempt to combat card skimming, the chip was added, and terminals upgraded to require the PIN to be entered if the card had a chip [1].

Nowadays almost all transactions happen 'online', so the bank is asked whether the transaction should be authorised first (this is why there is sometimes a delay on terminals as they connect to the issuer). This means the issuer can run their own fraud detection before the transaction takes place. In the US they took this a step further, and just used that instead of requiring a signature to be collected for most purchases. To the end user it's an even better experience than NFC provides.

[1] This also means you have no reason to give your card to anyone, when the card needs to be inserted above/below the PIN pad, so it prevents another opportunity for skimming.

> The first transaction on each reader and random transactions every 20-50$ (and all transactions above a $20 limit) will require chip+PIN verification

Not necessarily. In the UK (at least, at the banks where my fiancée and I hold accounts), you need to enter your PIN:

1) On the first transaction after activating a new card

2) On transactions above £30 (~$45) starting 1st Sep 2015 (however apparently some terminals have the former £20 limit hard coded and require a firmware update to increase the limit)

3) On random transactions

In the case of the random PIN verification for contactless payments, the frequency with which these are required isn't entirely clear. I have spent ~£100 over numerous successive contactless transactions (local store then rounds of drinks at the bar) without requiring PIN verification. In fact, I've never needed to enter my PIN - every contactless transaction has been automatically approved.

Over a typical week, I do conduct a good mix of contactless and Chip-and-PIN transactions, so my risk profile might be different from someone who has, for example, an 80/20 contactless-to-chip ratio.

I'm unsure whether the PIN verification requirement is triggered by the application running on the card or by the transaction processor. This might actually be covered in the EMV spec [1].

[1] https://www.emvco.com/specifications.aspx?id=21

I believe the fact you haven't been caught by the random transaction issue is because you use Chip&Pin a lot, which might reset the contactless counter (since it knows that you have the PIN, so you're likely the card holder).

When I went to the MetroCentre the other week, I did about 5-6 contactless transactions in a day (probably somewhere around £100 spent total), and by the end of the day my card got declined and I had to use Chip&Pin, so it does definitely happen in the UK, though the limits may be quite high (I wonder if this may also vary based on the bank; I'm with a certain bank which refused to give me a contactless card until I had a credit check).

This is the first time since I got the card (quite a few months ago) that it was actually declined however, so it's quite a rare occurrence.

As for the EMV spec, it sounds like the terminal is the one that decides whether or not to request Chip&PIN:

During kernel processing, the kernel will determine from the acceptance environment and issuer settings in the card whether a cardholder verification is needed for the transaction. Methods that may be supported are online PIN and signature – offline PIN is not suitable due to the “card in field” timing issues.

what is the kernel?

The kernel contains interface routines, security and control functions, and logic to manage a set of commands and responses to retrieve the necessary data from a card to complete a transaction.

Fully agree, the few times I visited the U.S. it always surprised me that a country with such technological speed still relies on the "unsafe" magnetic swipe. Not saying the chip is foolproof in any way but it's a good step from the magnetic system in place.

The same problems were raised when countries in the EU switched to chip, but it was mostly vendors who were on old cash registers with no interfaces for the new card systems. That was solved through a manual total price entry into the EMV system, acting as its own system basically.

And as the parent comment mentioned, contactless payment is just really nice for smaller transactions. The ability to buy a coffee without opening your wallet (goods under $20) makes lines in stores so much faster since no signing/code entry is needed.

I'm curious, what happens if you have more than one credit card -- do you get to pick which gets charged?

In the UK (at least), this is known as "card clash". You can't select which card is used. I'm not sure what the EMV contactless specification actually says, but anecdotally terminals will either fail to process the transaction (general card read error or a more specific collision message) or unpredictably select a card to charge.

Most card issuers (and companies like TfL - Transport for London, the transport authority who use contactless travel cards) recommend taking your card out of your wallet if you have more than one contactless card.

You are tapping the card you wish to charge in "contact-less" payment.

Indeed. There were a bunch of security objections to the system by Ross Anderson et al at launch; it has turned out that EMV is not at all the weak link compared to online transactions, which are where most of the fraud is. Or skimmed ATMs, which don't seem to use the chip.

As far as I can tell, skimmers in Germany still copy the (fallback) magnet stripe and PIN, to use those in countries that don't require EMV. It's far easier than trying to break EMV chips.

This is the case in the UK too.

When it became more difficult to use cloned magstripe-only cards in the UK, banks relied more heavily on behavioural profiling and risk analysis ("has this card been used in this country in the past?", "does this cardholder travel frequently?", "is this vendor known to have weak cardholder verification processes?").
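The issuer-side checks listed in the comment above (new country for this card, whether the cardholder travels often, whether the merchant is known for weak cardholder verification) are the kind of rules an online authorisation can apply before a transaction is approved. Here is an added rule-based scorer that is not from the thread and not any bank's real model: the rules, weights, threshold, merchant list and transaction history are all constructed for illustration.

```python
"""Illustrative issuer-side risk scoring for online authorisation.

Assumption: rules, weights and the threshold are invented for this example;
they are not a real issuer's fraud model.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    country: str     # ISO-style country code where the card was presented
    merchant: str    # merchant identifier
    amount: float    # amount in the card's currency
    cvm: str         # cardholder verification: "chip_pin", "contactless" or "magstripe_signature"


# Constructed list of merchants the issuer treats as having weak verification
WEAK_CVM_MERCHANTS = {"souvenir-kiosk-42"}

# Invented weights and decision threshold
NEW_COUNTRY = 3
FREQUENT_TRAVELLER_DISCOUNT = 2
WEAK_MERCHANT = 2
MAGSTRIPE_FALLBACK = 2
UNUSUAL_AMOUNT = 1
REFER_THRESHOLD = 4


def score_transaction(history, tx):
    """Return (score, reasons) for tx given the card's prior transactions."""
    score, reasons = 0, []
    countries = Counter(t.country for t in history)

    # "Has this card been used in this country in the past?"
    if tx.country not in countries:
        score += NEW_COUNTRY
        reasons.append(f"first use in {tx.country}")
        # "Does this cardholder travel frequently?" softens the new-country signal
        if len(countries) >= 3:
            score -= FREQUENT_TRAVELLER_DISCOUNT
            reasons.append("cardholder travels frequently")

    # "Is this vendor known to have weak cardholder verification?"
    if tx.merchant in WEAK_CVM_MERCHANTS:
        score += WEAK_MERCHANT
        reasons.append("merchant has weak cardholder verification")

    # A magstripe fallback on a chip card is the channel skimmers rely on
    if tx.cvm == "magstripe_signature":
        score += MAGSTRIPE_FALLBACK
        reasons.append("magstripe fallback used")

    # Amount well outside the card's usual spend
    if history:
        average = sum(t.amount for t in history) / len(history)
        if tx.amount > 3 * average:
            score += UNUSUAL_AMOUNT
            reasons.append("amount far above the card's average")

    return score, reasons


def authorise(history, tx):
    """Approve below the threshold; otherwise refer for further checks."""
    score, _ = score_transaction(history, tx)
    return "approve" if score < REFER_THRESHOLD else "refer"


# Constructed sample histories
HOME_ONLY = [
    Transaction("GB", "grocer", 12.0, "chip_pin"),
    Transaction("GB", "pub", 25.0, "contactless"),
    Transaction("GB", "grocer", 30.0, "chip_pin"),
]
TRAVELLER = [Transaction(c, "hotel", 20.0, "chip_pin") for c in ("GB", "FR", "DE", "ES")]

if __name__ == "__main__":
    abroad_fallback = Transaction("FR", "souvenir-kiosk-42", 20.0, "magstripe_signature")
    print(authorise(HOME_ONLY, abroad_fallback), score_transaction(HOME_ONLY, abroad_fallback))
    coffee_abroad = Transaction("IT", "cafe", 4.0, "contactless")
    print(authorise(TRAVELLER, coffee_abroad), score_transaction(TRAVELLER, coffee_abroad))
```

With the constructed data, a magstripe-fallback purchase at a weak-verification merchant in a country the card has never visited is referred, while a small contactless coffee in a new country is approved for a card with a travel history, which is the behavioural profiling the comment describes.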

Can I wipe my magstripe so only the EMV chip can be used?

In Canada, EMV and NFC rolled out at around the same time -- EMV gets used for big transactions where you want PIN auth, and NFC gets used for low-risk transactions like buying a coffee.

There was definitely a learning curve for figuring out the new terminals at first (some PoSes required both swiping and using the chip), but that only lasted about a year or two.

We've had them so long here in Canada that I can barely remember when I last used a swipe outside of visiting the US, or maybe using Square.

We're not on the metric system, man.

We are backwards as fuck.