You heard you needed an EMV chip card for your trip abroad, so you got one from your bank. All set, right?
Not necessarily. While your new card will probably work much of the time (and more often than your magnetic stripe card would), some travelers with U.S.-issued EMV cards have run into snags overseas, often when using the cards at unmanned terminals. The comments on this blog post are a testament to that.
So what’s going on? It’s a combination of the U.S. implementing EMV in a different way than the rest of the world combined with technology of some overseas payment terminals.
First, some background on EMV
EMV chip technology offers more security than the magnetic card stripes that are still the norm stateside. Because the microprocessor chip uniquely scrambles the data generated by each transaction, a hacker can’t use it to clone a usable card. The clone would be nothing more than a key to a changed lock.
“Imagine you have a key and want to get into a house, but the lock for each entrance to the house is dynamically changing,” explains Gokhan Inonu, president of Cardtek USA, the American division of Cardtek Group, a global provider of software, training courses and consultancy services for EMV migration and payment solutions.
Countries across the world have implemented EMV, many of them more than a decade ago. The U.S. is just starting to convert, in anticipation of the liability shift that will occur in October 2015: Whichever party (issuers or merchants) does not upgrade will be held responsible by the card networks (Visa, MasterCard, etc.) if card fraud occurs. Several banks are starting to issue cards with EMV chips, and some retailers (including Wal-Mart) are using EMV chip-reading point-of-sale devices at checkout. Mobile payments company Square also recently announced it would be converting its little white card-reading dongles to EMV.
The United States takes a different path
EMV chips function in two major ways: as “chip and signature” and “chip and PIN.” Both have the microchip, which gets read by the POS device when you make a purchase. That’s where the similarities end: With chip and signature, the cardholder signs for the purchase. With chip and PIN, the cardholder must input a PIN.
The rest of the EMV world has primarily gone the chip and PIN route. That means the PIN is encoded in the EMV chip, Inonu says. U.S. issuers, for the most part, have primarily opted for chip and signature – no PIN is encoded into the chip, meaning, when the card is inserted into an EMV POS device, the device will prompt for a signature rather than a PIN.
A handful of U.S. issuers do offer chip and PIN cards – including credit unions that cater to service members and global travelers. Meanwhile, the Barclaycard Arrival Plus, some Wells Fargo cards and the Sam’s Club card function primarily as chip and signature, but as chip and PIN when necessary. Depending on your issuer, you’ll get a PIN in the mail, or be able to set it yourself online or via a secured phone line with a touch-tone phone.
Inonu says he’s not sure why most U.S. issuers aren’t opting for chip and PIN. Perhaps the banks don’t have the capacity to do it, or perhaps they don’t want to change their current approaches, he says.
In any case, chip and signature is less than ideal from a security standpoint, Inonu says. A PIN greatly reduces the chance that a thief can use your card. But a signature? Not so much. Inonu points out that many cardholders don’t even sign the backs of their credit cards, meaning there’s nothing for the cashier to compare. Plus, even if the cashier compares signatures, they’re easy to forge.
“A better scenario is when complete security is provided with the chip and a PIN,” Inonu says.
Issues for travelers
In addition to not being as secure, chip and signature cards can lead to culture clash when Americans try to use them in places that have been practicing chip and PIN for years.
When you might have trouble:
If you’re using an unmanned payment terminal (for train tickets or fuel, for example), your chip and signature card may not work. There’s no human cashier involved, so verifying via signature isn’t possible. A PIN is therefore necessary.
“The system will ask for the PIN, and if you don’t have the PIN at an unmanned terminal, you can’t complete the transaction,” Inonu says.
Chances are, your credit card already has a PIN – you need it for cash advances at ATMs. But, unless that PIN is encoded into the chip (which, as discussed above, most U.S. issuers aren’t doing), it may not work, Inonu says. That’s because some self-service terminals rely on offline verification. Unlike online terminals, which connect to a server and communicate with the card issuer, these terminals can’t connect and rely only on the information provided on the card. The PIN, therefore, must be encoded into your card’s chip.
FlyerTalk has a thread explaining the various scenarios travelers may encounter with unmanned terminals. With an online terminal, your ATM PIN should be fine, as the terminal can “ask” your issuer if it’s legitimate. With offline terminals, however, you’ll need one of the few U.S.-issued cards that function as chip and PIN – or have to go to a ticketing window and get a live human to help you complete the transaction. If there’s no ticketing staff (perhaps it’s late at night) and the terminal doesn’t take cash, you might simply be out of luck.
When you’re probably OK:
In many cases, such as at hotels or shops with staffed cash registers, your chip and signature card will probably be fine.
“Cardholders who have an EMV chip card can easily use that card in EMV-chip-reading devices,” Inonu says. “That will help them a lot and give them the transactional security.”
You’ll simply insert the card into the chip-reading slot. The POS machine should recognize what type of card you have and respond as follows (image courtesy of ChipandPin.co.uk, an educational website from the U.K.’s EMV migration in 2006):
The cashier might be surprised when the terminal spits out a slip for you to sign, however. And even if you do have a chip and PIN card, the cashier may make you jump through a few security hoops. For example, on a trip to Indonesia, Inonu inserted his chip and PIN card, entered his PIN and was still prompted by the cashier for a signature and ID. Some merchants, Inonu says, might just want to take extra precautions when presented with an international card.
“It’s like this: Chip — OK. Chip and PIN — Double OK. Chip and PIN and signature — Triple OK. And Chip and PIN and signature and ID — even better,” he says.
Issues back home
Soon it won’t be just travelers who have to contend with EMV. As the liability deadline approaches, consumers, merchants and financial institutions stateside may be in for a bumpy ride. In fact, Inonu says, the U.S. is proving to be an EMV-migration challenge.
Inonu recalls how, in his home country (Turkey), consumers were bombarded with television commercials from the banks explaining the importance of the new technology. There hasn’t been as much of a public relations push stateside, although the past year’s massive data breaches may have helped get the word out.
“Even if the industry decided to pay huge money to create that awareness, it wouldn’t be as effective as that,” Inono says, referring to the Target breach.
And then there’s the hesitance from other industry players. Cardtek, Inonu says, has been involved in a lot of conferences and EMV-related events, and, at those events, he’s seen push-back from retail giants.
“The retailers have the power in the United States,” Inonu says. “The rest of the world all migrated to EMV because Visa and MasterCard said they had to. …It’s taking longer than expected here because Visa and MasterCard are not accepted as authorities.”
Inonu estimates it will take at least five years for the U.S. to be near EMV compliance. It took Venezuela, a much smaller market, three years.
“The cards need to be replaced. The terminals have to be replaced. The customers need to be informed,” he says. “All the players in the industry need to actually do what they have to do for the support of the chip.”