Another update, just for funsies - 10 months later, chip readers are still pretty much non-existent. Samsung Pay works pretty much everywhere, and now with the recent expansions in banks, my bank is supported, so I don't even carry my cards with me anymore. Samsung Pay is my wallet, and it is all I use.
For dip and swoop machines, it still will not work, but if you need to pump gas, finding a handicapped pump usually has a swipe machine instead, which works great. I don't even get "Ooh, that's cool, how does it work" from many merchants anymore, except the ones that say "We don't support iPhones." When I prove that its not an iPhone and it just works regardless of their backwards technology choices or disabled NFC reader.
I'm not sure I'll ever go back to using a card. Now Colorado just needs to launch a drivers license app, and I'll never need to carry any cards.
You may not believe me, but it is coming, and gaining traction.
The big issue right now is that all the brands and processors are big time back logged on EMV certifications. They just don't have enough certification analysts to handle all of the merchants and service providers that are requesting certifications... The hardware is pretty widely deployed right now with merchants but most of that hardware is disabled because it hasn't been certified. There are also lots of technical issues with each certification that really complicates things and makes them take a LONG time and take LOTS of engineering. Any change in the EMV transaction flow is another re-certification. The certifications are slowly getting a little more efficient.
Mag-stripe transactions will die. It's not a matter of if, just when, and that when isn't as far out as it may look.
Magstripes are dumb. They just hold some data about the card. Chips are smart and can participate in meaningful discourse. All a magstripe terminals does is read the stripe because the stripe is dumb. EMV terminals, on the other hand, facilitate a lively dialogue between the chip and the merchant processor. Chips can do that because they're smart.
Not only are chips smart, but they're also almost impossible to clone because they craftily encrypt everything they say. That means the chances of your card numbers being stolen during an EMV transaction are almost zero. Having had old-fashioned magstripe card numbers stolen, I'll gladly take the short delay. The only thing I wish is that we had the option to force a PIN rather than a signature.
Rich
Indeed. There is a hell of a lot of stuff that happens between the chip in the card, the terminal, and the processor. In fact, it's possibly to get a legally binding credit card authorization completely off-line, authorized by chip in the card, communicated to the terminal, submitted to the processor/issuer in a settlement batch later. An off-line authorization like that is just as valid as an online one.
I spend a LOT of time looking at the data flowing back and worth between EMV cards and terminals. Our test hardware is essentially a dongle that plugs into the terminal (its a plastic card with an EMV chip on it) that wires into a box then into a computer via USB. With that we can do everything a real card does and test tons of oddball scenarios (thousands of them) (there is a lot of crazy **** an EMV card can technically do). This hardware is an annual fee that would buy an airplane each year. Different test hardware for different processors. It gets expensive in a hurry just to play in the EMV card flow business.
If you're really bored and want to know everything about how EMV works...
https://www.emvco.com/specifications.aspx?id=223
Book 3 is probably the most interesting.
The only thing I wish is that we had the option to force a PIN rather than a signature.
RJM62 said:
All my EMV cards have PINs assigned to them, but no terminal in the U.S. has ever asked me for a PIN nor offered me the opportunity to use one. My understanding is that there's no way to force the use of a PIN rather than a signature in the U.S. implementation of EMV. Using a PIN would really be my preference.
The standard definitely supports it. However most of the solutions being built/deployed today (even if the hardware is capable) isn't being certified with PIN capability at all. The card brands currently are not requiring it in the United States. This means it'll be a LONG LONG time before you see cards that won't authorize without a PIN.
But hell, who knows, the standards for this stuff are changing on literally a daily basis. What would have been correct during a certification 6 months ago would not be correct today. Or even a month ago in many cases.
