Where do you stand with “chip and PIN” credit cards?
November 10 2008 by Ellen Roseman
Canadian credit card issuers are moving to a new security system. By 2010, you will have to use a four-digit password to validate a credit card sale in a store or restaurant.
The problem is this: Who’s responsible for credit card fraud or unauthorized transactions?
Visa, MasterCard and American Express have zero liability policies for credit card users. They say this will continue.
But some Visa card issuers are sending new terms and conditions to cardholders. They’re saying you may be held responsible if it appears you have not taken care of your personal identification number (PIN).
This is worrisome, since it’s eroding your rights. There are no laws or voluntary codes to say how the credit card issuers will decide who’s right and who’s wrong in these cases.
If such an important issue is still up in the air, why are the banks sending out chip and PIN cards already? And why are they sending out unilateral changes in card terms and conditions?
The banks are reluctant to respond when I ask them. They defer to Visa and MasterCard, who say the zero liability policy will stay. But Visa and MasterCard don’t deal with customers. Only financial institutions deal with customers.
Check out my previous columns — here and here too — and tell me what you think of this new development.

DF
Nov 10 2008
I enjoyed your article on the “new” chip and pin credit cards. As you are probably aware, this type of security feature has been available on cards in the UK for a number of years and not without problems.
If you go into this link you will see chip and pin is not foolproof by any means:
http://www.telegraph.co.uk/telegraph/search/sitesearch.do?action=doBasicSearch&advSearch=false&queryText=chip+and+pin+fraud&Search=Search&ch=&selectedChannel=&sort=1
The real point of chip and pin is not that it improves security of these cards, but that it shifts the losses (or at least a greater portion of the losses) away from the credit card companies directly to the consumer.
Keep up the good work!
(I am retired from a major Canadian bank.)
Skeptical
Nov 10 2008
TD Visa says you’re responsible for the full amount of all unauthorized activity that occurs “if your PIN, password or card may have become known to an unauthorized person.”
The big problem I see with this is that the burden of proof is raised significantly, AND is placed on the consumer - not the credit card company.
On the current/old cards, a credit card company can look at a signature to validate whether a purchase was legitimate. Without a signature, how does a cardholder prove that their PIN number was copied by a hidden camera, a person peeking over your shoulder or a hacked keypad?
With a signature, you could always ask for proof of purchase, and the signatures could be compared. Without a signature, it ends up being your word against the objections of the credit card company.
How can the cardholder prove that they didn’t “reasonably prevent the PIN’s use”…?
In the past, the burden of proof was on the credit card company to prove that the signature of the card-holder was the same. Now the PIN number is basically an ‘electronic signature’ which will look the same no matter who uses it.
If you are the victim of a ‘PIN-skimmer’, and you don’t know where it happened, then it will be impossible to prove. Without a police report, the credit card company may reject every claim.
Considering the high level of credit card losses that credit card companies endure, you can be assured that they will be looking for any way to push some of those losses back onto the consumers.
One question I have, since they say the card will still have the strip on the back (since the U.S. won’t be using these chip cards) – could a cardholder still opt to use a signature instead of the PIN with a chip-card?
Heck, what if a person forgets their PIN, could they still sign for their purchase instead?
Also, since the expiry of the current cards may not be for a number of years, could a person just not ‘activate’ their new card and continue to use the old one?
One of the biggest issues consumers had with confidence of internet transactions was to have credit card companies assure zero-liability.
It would seem that many people have confidence issues with these new cards that need to be addressed, or the credit card companies may see reduced levels of transactions.
DL
Nov 10 2008
If the credit card companies are looking to change their policy in respect to their existing guarantee of zero liability on unauthorized transactions, does it not make sense that cardholders limit the amount for which they could be held liable?
My current credit card has a credit line of $24,900, which is increased every year without my request or authorization.
Would it not make sense to have this amount reduced to $2,000 to $5000? Will the credit card companies accede to this request?
SS
Nov 10 2008
I received a new CIBC Infinite VISA chip card and a few weeks later I received the secret PIN number in the mail.
I was very surprised and concerned that the CIBC PIN number was the same number I have used for my TD debit card for years.
I went to our local TD Branch, explained what happened and questioned if the numbers are shared. I was advised that they are not, and that the numbers are randomly generated by the CIBC computer.
If this is true, I believe in Santa Claus and my odds of winning the 649 Lottery are better than having the same PIN number assigned by CIBC as I have for my TD Debit card.
I assume since I have used my TD Debit card at some CIBC branches previously, the CIBC computer “lifted” my TD Debit card number, which is most likely stored in their cyberspace vault.
But as mentioned in your column “according to some banks, doing so could put you at risk of being held responsible for unauthorized use of credit cards”.
The Banks send us their credit cards and later the secret PIN numbers by regular mail (I assume to save money) and we are held responsible.
GIVE ME A BREAK.
DM
Nov 10 2008
I currently don’t have one of the new chip cards, but in my last credit card statement I received an updated cardholder agreement which concerns me.
It basically states that the credit card companies’ logs will be used as the definitive record of what happened.
So even if you have a receipt printed by the retailer that would contradict what their logs say, I cannot, under the cardholder agreement, use that to dispute charges.
My question is: if the only “evidence” allowed is controlled by the credit card company, what recourse is there in disputing any charges on a statement?
It should be noted that in the UK, where this technology is already quite prevalent, there have been some very sophisticated attacks on the system:
http://www.schneier.com/blog/archives/2008/10/new_chip-and-pi.html
http://www.schneier.com/blog/archives/2008/03/chip_and_pin_vu.html
When fraud did occur and people reported it, some were actually charged with filing false police reports because the UK banks or police thought it was “impossible” for the Chip and PIN system to be cracked:
http://news.bbc.co.uk/1/hi/programmes/newsnight/7265437.stm
The BBC’s “Newsnight” program had an episode on this a few months back:
http://video.google.com/videoplay?docid=7109740591622124830
AG
Nov 10 2008
My wife just received a notice of “Important Changes to your TD VISA Account”….”Effective December 1, 2008.”
Among the changes - “To accommodate the introduction of Chip/Pin cards…..”
“c) Your responsibility for use of the Card, Connect ID, PIN and Password - You are responsible for the full amount of all authorized activity or other Transactions resulting from use of the Card or Connect ID or Password by any person, including any entry error or fraudulent or worthless deposit at an ABM or other machine.
“You are responsible for the full amount of all unauthorized activity or other transactions which occur before we receive notification that your PIN, Password or Card was lost or stolen or that your Connect ID, PIN or Password may have become known to an unauthorized person…….”
My wife is now responsible for “…any entry error…”.
This “legalese” does not support the claim by the banks (in your article in the Sunday Star on November 9/08) that the liability for fraudulent use remains with the banks:
“Zero liability does extend to PIN transactions,” says Visa spokesperson Amy Cole.
The quote from Amy Cole is contradicted 100% by the written agreement.
JH
Nov 10 2008
Received a new Visa cardholder agreement last month, validated by the first purchase in December, which says that the cardholder is liable for “unauthorized purchases made until loss or theft of the card is reported.”
Now, this might be a carry-over from agreements past, but clearly in the event of loss or theft (or general rip-off) the vulnerable time is that between the moment the cardholder is aware of irregularity (and immediately reports same) and the occurrence.
Under the most vigilant and reasonable circumstances, this could be hours - resulting in a significant period for fraudulent use of the card.
There should be clarification of what your Visa supplier’s policy really is about loss or theft.
My reaction is to greatly reduce the maximum credit permitted, so as to minimize my exposure, pursuant to the new Cardholder Agreement.
Such “alignment” of maximum credit allowed with real-world purchasing habits is probably a good idea for the budget in any case. Those interest rates are punishing.
Harald
Nov 10 2008
Oh never mind; I see someone already linked to Bruce Schneier’s article
JM
Nov 10 2008
The PIN chip card is not completely safe nor is it much different from our debit cards.
I believe that the zero liability clauses should state that the losses for fraud will be paid for by cardholders and customers of the issuing bank. Zero liability is a misnomer - it is not at all true.
The exact opposite applies - we pay fully for losses and share the losses of all cardholders of the issuing bank and of VISA. We are technically insurers for the card and it is not stated anywhere.
There is a HUGE liability for us as cardholders and the costs of the new technology are not reducing fraud. As consumers, we pay twice — in fees for cards and at the checkout, when retailer costs increase for payment processing.
Wearing my RBC Infinite chip cardholder hat … I am most upset that when the new cards were issued to replace our Avion Card, the card number was changed.
I did not take notice of this until I heard from some of the companies that had expected the automatic payments to continue. The payments did not continue as I did not send the new number until notified by those companies (not RBC). This is not customer service but rather customer disservice.
The cost of innovation does not always reduce our risk or costs, but it seems to reduce the level of customer service.
Lior
Nov 11 2008
Dear Ellen,
I’ve read your column in the Star. The banks are trying to relegate more responsibility to the consumer when it is the banks who should be putting security measures in place.
The PIN is worthless when it comes to security.
While the new chip is far more secure than conventional credit cards, it doesn’t provide bullet proof protection against fraud. Just as it was easy to hack satellite cards and obtain all the information that was stored in memory, it is possibly just a matter of time before credit card chips are compromised in a similar way.
It is clear that the banks are trying to shift the burden of responsibility to the consumer. There have to be laws in place that specify what constitutes deliberate negligence on the part of the consumer when dealing with this technology, which is different than a conventional card.
Until such laws are in place, the banks, naturally, will try to minimize their losses by holding customers accountable for unauthorized activities.
I think we will certainly be hearing of plenty of horror stories about this.
Andy
Nov 11 2008
I have had the experience of someone “acquiring” my debit card number and pin.
One day, I had calls from TD security at home and work. They asked if I had gotten cash from a bank machine in Montreal the previous evening (home is Toronto). I said no.
Apparently, someone had managed to extract $500 with my info and tried again a few more times. That, I guess, was the ding, ding, ding with security.
The $500 was returned to my account within a few days and I had to get a new account number, pin, etc. Fortunately, I had only recently reduced my single time withdrawal and daily limits from several thousand dollars at the behest of TD.
That was pretty sweet. But I realized that my $500 loss that was quickly returned had to be made up somewhere in the system. Anyone wonder why VISA interest rates are as high as they are?
I was lucky and am very careful about displaying my numbers now.
I also recently heard of a person who was mugged. The two perps took his bank card and asked him for his pin. He refused and was beaten more. So, in an effort to remain alive, he gave it to them. One stayed with him and the other went to a bank machine, where he withdrew some sum of money. One would assume that the penalty for giving a false pin would have been more beating.
That person was unable to recover his losses because he gave the perps his pin. I can understand the bank policy, but what are you supposed to do when someone physically threatens you for your pin? Stay home and stay safe? I guess the best strategy is to minimize your withdrawal limit.
Any similar experiences?
Mike Macdonald
Nov 12 2008
As an ex-banker I think the comments to date have good merit, but occasionally a little paranoia as well. Banks do not share PIN numbers and I have seen only the utmost discretion in my 27 years inside the bank when it came to PIN numbers.
After that, all bets are off the table: if the bank can blame a loss on you, they will.
Bank employees are so accustomed to having half the required training that they typically have no confidence to act on behalf of the customer, even where it is reasonable. In all cases, you need to get to a regional office and talk directly with somebody in the executive ranks.
Do not go away and do not be deterred by the slow response. They need to be certain you are not scamming them (a very legitimate concern) and a clean past record is important.
PINs will reduce losses, without question. Banks will try to avoid their responsibility for losses, without question!
LD
Nov 14 2008
Aren’t the “merchants” responsible for the costs of fraud? Since when are Banks responsible?
Robert Nabloid
Nov 14 2008
It’s a double-edged sword! It was only a matter of time before pin numbers were implemented due to so much fraud… but like you said, the banks will take away their liability and place it upon us… even if they say they aren’t going to, they will, just read the fine print! It’s coming.
If too much fraud occurs and people are held personally liable for it, it will create a lot of bad PR and eventually people may stop using credit cards - why use a credit card if it can put you on the hook for thousands of dollars in unauthorized transactions?? There would be no point.
onarock
Nov 15 2008
i like the good old fashioned signature……..i have enuff pin #s to remember now………….
k
Patricia M
Nov 16 2008
My husband and I have only Mastercard credit cards. They do not expire until 2010, but recently while booking airfare with one, I was asked in the middle of the transaction to provide a secure code password, even though I had provided the pin number on the back of the card.
Since I thought I had one which was all numbers, it did not go through and I was prompted to register. My computer timed out and I had to phone Mastercard and request a secure code, which I had to register.
Meanwhile, I lost my airfare booking and when I booked a new one, the price had gone up $60 for two seats in a matter of 10 minutes.
In the next couple of days, I was ordering ink cartridges for my printer and while using another card, I was once more prompted for a secure code. I had to register for another password.
I now have passwords on each of the Mastercard websites to check my account, plus passwords to use the card.
We are a couple in our 60’s and we have a difficult time remembering what we had for dinner the week before, let alone a lot of passwords to remember.
I wonder when our cards expire, are we going to have to register them again?
Onarock
Nov 17 2008
I like the good old fashioned signature.
I have enuff pin #s to remember now.
k
CL
Nov 19 2008
For the last three years, I have had the RBC Platinum Avion Visa card with the chip built into it. RBC was ahead of its time, though nobody was asking to use it in restaurants.
Suddenly, for the first time, in the last week I was asked twice to pay using the portable debit style machine. My two experiences were as follows:
1) Sunset Grill at Yonge & Richmond. I took a business colleague for lunch. Gave my Visa card, the waitress took it away and then came back to ask me to go to the counter to punch my PIN. For a moment, I was embarrassed with my business acquaintance, as I had to explain what just happened. I thought they were supposed to bring the portable machine to your table.
2) Went to a nice restaurant. The waitress brought the machine. I pressed okay for the bill amount, not realizing a message came afterward asking about tipping on the machine. I punched in my PIN number (instead of a tip) and consequently the overall amount became huge.
I think this is a good warning to give to first-time users.
Thank you for your articles and I will keep reading them.
FM
Nov 19 2008
Your article, Credit Cards Need to Lose the Legalese, was an eye opener.
The power is not, however, completely in the hands of the credit card suppliers, powerful though they are.
How about every one of us writing our respective banks to say that we will switch our credit card loyalty to the first bank that offers a clear perspective about a consumer’s credit card rights?
I’m doing just that today. A mere 200,000 of us should do it.
elman
Jan 19 2009
We own 4 credit cards and would not enjoy remembering 4 separate PINs. We would cancel any one of our credit cards that switched to chips+pin technology. This is very troubling news indeed.
Six months ago, everyone in our office in downtown Vancouver who used their debit card on a bank machine at a convenience store got their PINs stolen. All of them lost money in their bank account.
A friend in Richmond got held up at gunpoint to hand over his debit card and PIN. The bank said that if you gave them your PIN, they wouldn’t reimburse you the money.
So this new credit card with chip and PIN is very bad news. The reason we carry credit cards is because it is safer than cash.
James
May 4 2009
Here in the UK, we’ve been using Chip & PIN (C&P) since Feb 2006. There was a pre-launch campaign ‘Safety in Numbers’ stating that there would be no shift in liability for fraud and it was safer to use a PIN. On both counts, this isn’t so.
Let’s look at liability shift first. BBC’s Watchdog had a programme dedicated to Chip & PIN fraud and the Banking Code (Still on YouTube), where victims of PIN based fraud were accused, without proof, that they’d been careless with their PINs. They ended up picking up the cost of fraud. It wouldn’t have happened with a signature.
Only last week, 30 April, there’s a case going through Nottingham County Court, Job v the Halifax PLC, whereby a consumer is challenging C&P.
So how about personal safety? Any search of the Internet turns up case after case where cardholders have been mugged, assaulted or even worse by criminals just to obtain their PIN and Card.
Here’s a thought: someone walking round with a Debit card may be down to their last few pounds, sorry dollars. But if they’ve also got credit cards, they’re more than likely a gold mine on legs.
If perchance the whole world were to be C&P compliant, I’d bet that incidents of robbery or violence against the person would increase exponentially.
I wonder if readers are aware that Chip & Signature Cards are still available and will remain so? No PIN = No liability.
Add to that Chip & PIN Entry devices in shops being hacked, and ATMs tampered with in all sorts of ways, then this would suggest that the Industry can’t keep PINs secret.
So how can they hold anyone liable? Well, they do.