Tag Archives: Chip and PIN

A Tale Of Chip and PIN

I went in to my local grocery store tonight and went to use my credit card and poof – something new.

A couple of details first.

My credit card is actually a Visa logoed debit card meaning that, in theory, you should be able to use it as a debit or credit card.  Debit with a PIN, credit with a signature.

The store, King Soopers, a subsidiary of Kroger, the mega-supermarket chain, just upgraded their point of sale terminals this weekend to accept chip cards.  A little late, but better late than never.

There is now a handwritten sign on the register that says all debit cards now require your PIN.

So why is this of interest?

First, my bank has set up the credit card to be chip and signature and, according to my bank, there is no way for the store to change that to chip and PIN – the card is actually set up differently.  This means that the store – King Soopers in this case – is completing the transaction as a debit card instead of credit card.  Why might they be interested in doing this?  Well, possibly, they think PIN transactions are less likely to be fraudulent.  Also possibly, debit network transactions are dramatically cheaper for the store.  Why do you think, for example, Walmart has made it very obscure for you to use your debit card as a credit card in their stores for years?  Money!

I have written before that chip and PIN is more secure than chip and signature, so why am I whining?

In the interest of full disclosure, I am not sure that I am whining – I am just not sure one way or the other.

My first complaint is that King Soopers is not being transparent with their customers.  For years I have used my Visa-logoed debit card as a credit card and now, all of a sudden, with no explanation of what they are doing, they are forcing this to be a debit card transaction.  In terms of my bank account balance, there is no difference, so why do I care?

In part because I don’t trust their security.  Just this past month, Safeway stores discovered skimmers on a number of credit card terminals in their stores, including one near me.  If this happens to King Soopers and they have the card information and the PIN, they could, potentially, empty my bank account.  If someone has my PIN, is the bank going to say that it must have been me that withdrew the money from the ATM?  It could be a fight.

Next, there are very different federal laws regarding recovering from fraudulent transactions between credit and debit cards.  Radically different.  Even if the bank says that they will treat them the same, the LAW is very different.  The law favors credit cards.

So what I told King Soopers is that, for the moment, I have decided not to shop there any more.  In part this is my way to vote on the lack of transparency.

Obviously, if I needed to shop there, I can pay cash.  There is an ATM in every grocery store if I don’t have cash.

I can also use a true credit card – they can’t force that to be a debit card – although I have not tested that, I am pretty sure that is true.

I may change my mind at some point in the future.  Right now, I am writing this to make sure that people ARE educated and understand what the situation is.  Most people are not as paranoid as me and won’t consider this to be a problem.  Who knows – maybe they are right.


Retailers Ask Congress To Fix The Cyber Security Problem

The National Retail Federation, in testimony before Congress (see article), said that the government should expand protections for debit card users (Federal protections for debit card users are less than for credit card users), pass a national breach notification law and boost prosecution for cyber crimes.

The harder question is who is responsible for breaches.  Is it the software companies that make buggy software?  Is it the businesses that don’t install patches and take aggressive measures to protect consumers’ information?  Or is it consumers that choose passwords like 123456?

The answer to this is that all of these parties share blame and all of these parties need to take action to fix the problem.  Absent that, the bad guys will likely continue to win.  While consumers are not liable for more than $50 when hackers use their credit cards, those costs show up somewhere.  That somewhere is higher bank fees and prices at stores.

Will changing laws on debit cards stop the Target attack?  Will a national breach notification law protect Sony or its employees?  Will more prosecutors or different laws stop the Chinese (if it is them) from attacking Anthem?  Unfortunately, the answer to all of these questions is no.

The only way we are going to make any impact on hacking is if we – businesses, software makers and consumers – start taking the right actions.

The article points out that some retailers, like Target, are swapping out mag stripe credit card readers for chip and PIN based readers.  These cards, already in use in many countries but not widely used in the United States, will, the article says and I agree, reduce credit card fraud because they are harder to counterfeit.

Let’s examine why those stores are doing that.

Merchants don’t want to get new credit card readers because they have to pay for them and train both employees and customers on how to use them.  This is especially painful for older people who did not grow up in the digital world.

So if this is true, why are businesses starting to replace their credit card readers?

Mastercard and Visa have changed the rules.  Effective October of this year, if credit card fraud takes place and the store does not use chip based credit card readers, the store eats the fraud rather than Mastercard and Visa (this is a slight simplification, but basically accurate).

You draw your own conclusions.

I suggest that people – software developers, businesses and consumers – will change their ways when it is more painful or expensive to not change rather than to change. Unfortunate but true.

My two cents.


