Update Nov 4, 2013: I was in the UK last week and it looks like the Underground has fixed their terminals to allow the use of the chip at a UPT! This is great news. My guess is there is some upper limit to what can be accepted without signature and it is now implemented.
Well, it has struck again. Remember how I told you guys about some of my EMV experiences now that I have a card with the chip in it? Well, it struck again… but not in the place y0u might think!
I’m here in Salt Lake City, Utah, and I decided to take advantage of the lovely public transit (UTA) by hopping on the light rail into downtown. The weather is amazing here, and I wanted to walk a bit as well! So, I go up to the terminal to pay for a ticket, and guess what? REJECTED. Tried in the other machine… REJECTED. Tried another chip card… REJECTED! Then I tried a card that did not have a chip in it, APPROVED!
The implementation of EMV here in the states is done as chip and sign, just like an existing swipe credit card. My guess is that it is done this way so as not to confuse the US consumer with a debit transaction—typically done with a PIN (although you can do a signature for debit too… did you know that?). So we are adding the security of EMV for card present transactions, but the implementation here in the US has a massive hole in it. Unattended payment terminals, or UPTs.
The way that EMV enabled readers work is they require that cards with a chip always present the chip for tender. This means that you cannot use the mag stripe to swipe a card with a chip embedded into it. An EMV enabled reader will only process a card with a chip in it if you present the chip for tender—otherwise it is rejected right there at the terminal. But since we are doing chip and sign here in the US, there is a requirement (today) for some kind of signature capture to be presented with the actual transaction. So even though you can swipe at a UPT without signing (think about a gas pump or train ticket kiosk), you cannot present an EMV card using the chip because there is nowhere to sign. Instant rejection.
For the record (because I know some of you who read this might get offended), EMV is a good technology. It’s implementation for US cardholders is not. If I had only chip cards in my possession, I would now be forced to use cash for any UPT purchase which means less money earned on interchange. So for you EMV lovers and supporters out there, it would be smart to figure out how to fix the US implementation of this so that you don’t lose market share to alternative payment schemes like SMS or NFC. And this isn’t just something that impacts us here in the US, it impacts US cardholders GLOBALLY. So when I head over to Amsterdam for RSA EU this month, I can’t use my EMV-enabled cards at any UPT.
Hopefully the powers-at-be will figure out this conundrum, but for you UPT owners that are looking for alternative payment schemes, now might be a good time to review your strategy. Contact me if you want a team of specialists to help!
Possibly Related Posts:
- Ten Things Companies Get Wrong About CIAM
- Protect Yourself and Freeze Your Credit
- PCI DSS 4.0 Released plus BOOK DETAILS!
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug