[lawpoop]

I suppose at a very high level your thesis might be true, but at a practical level, I don't think it is. The banks have simply seen it's cheaper to eat the cost of fraud (and ensure the victim has the burden of proof wherever possible) than implement stricter security measures.

This goes from the transaction terminal to the bank's server room.

Europe has had chip cards for over 20 years. In the US, it was very recently implemented; only in the past year.

It wasn't that the US banks were occupying some "sweet spot" of retail transaction risk/reward; they simply didn't want to shell out the extra bucks to send people cards with chips in them. Neither merchant nor bank wanted to pay for chip-reading terminals. So, nobody budged until just the past year.

I don't know whether it was legislation, or perhaps the growing cost of credit card fraud (i.e. card skimmers, etc), but for whatever reason, it certainly wasn't a "sweet spot". We've had chip technology for 20+ years, they just didn't want to pay for it.

[seer]

Well here in europe it didn't happen all at once. It was a gradual rolling of chip based cards, atms and terminals. There was a non-insignificant amount of time where some atms / pos terminals would reject your card because you/it didn't have the right technology.

But ultimately I think its the people themselves that demand more security from their banks. E.g. Bank one introduces chip based cards and more people choose that bank because they want more security. Then gradually some atms start to be "chip only", and banks start to see the chipless ones get all the skimmers and accelerate their replacement to lower costs which forces business to atart getting more pos terminals with chips to meet the demand of people with cards that have mag strip disabled.

Having more security seems to be what everybody wants and benefits from, its just that europe has smaller players which accelerates market forces in that direction, and meybe because european consumers just want more security in general.

[wildrhythms]

How do banks in Europe verify identity? i.e. I call the bank and claim to be "Margaret Thatcher," what's the next step?

Here in the U.S. the next step is usually asking for the social security number. I called VISA/Citi to re-activate my card after traveling and they asked for the associated phone number with my account. Neither of these are especially secure, in my opinion.

[kbart]

Can't talk about the whole Europe, but in my country there aren't many banking services provided via phone and banks keep decreasing their count insisting on their clients to use mobile app, online banking or ATM. I believe you can't even get available balance in my current bank via phone.

[heavenlyblue]

Local UK bank after separation from Lloyds (now called TSB) asks for 3 random letters of your security answer which is also used as part of online banking authentication. Additionally, your address and previous transactions if you're calling re. fraud.

[chiefalchemist]

I think people would demand more security if they really understood how venerable the technology was. But no one beats that drum. So consumer remain ignorant and just keep shopping.

[scient]

And even after pushing out chip reader terminals and cards with chips, banks in the US refuse to institute mandatory PIN code entry on all payments with the chip - as its everywhere in Europe. So nothing really changed.

[WorldMaker]

It still amazes that people don't know the chip readers work faster with PINs, too. An argument against PINs I keep hearing is that the chip readers are so slow that PINs would slow things down further. The funny thing is that the chip readers right now are waiting real wall clock time in a "wish-it-were-PIN" system to generate signatures in two different timestamps instead of generate a single signature with a user PIN. It's technically hilarious.

[chiefalchemist]

Re: Cost of fraud.

Agreed. It still amazes me how prevalent credit card fraud is. Certainly that's preventable - if they want it to be. The problem is, the banks don't bear that cost, the consumer does. Even if the bank factors the loss into the cost of doing business, that still gets passed on to the consumer.

[300bps]

Consumers are limited by law to a $50 loss for credit card fraud and every bank I know waives even that.

It is merchants (stores, internet sites) that bear the cost of fraud.

[chiefalchemist]

But what of the time, stress, etc.?

Merchants don't bear the cost, the consumer does. The merchant might not hand me a bill but that cost is embedded somewhere in the price.

The bottomline is the consumer pays. No matter how you cut it, the consumer always pays.