My personal experience with EMV payment cards goes back over 15 years.
Credit cards and debit cards were both EMV-compliant in Germany when I was there in the early 2000s. They had a chip and required the entry of PIN on the POS terminal to complete a payment.
Ditto in UK when I was there in 2006-8.
Likewise in India for the last couple of years.
Last year, I had made the following observation about EMV in USA in Winners Don’t Let Security Screw Up User Experience:
The EMV migration deadline has come and gone over a year ago in USA, still fewer than one-third of US retailers have implemented Chip and PIN technologies.
This topic came up recently during a customer engagement.
Since the aforementioned post is a bit dated, I thought I’ll do a reality check of the current status of EMV rollout in the USA.
I conducted a “quick-and-dirty” poll of a few contacts in USA, who include Ron Shevlin, Paresh Banerjee, Prashant Khambekar, Sohag Desai, Jawahar Desai, and one more person who wishes to go by their initial MA.
This is what I learned (context: instore credit card payments, unless noted otherwise):
- Almost all credit cards are Chip cards
- Swipe has virtually ended; you dip your credit card into the POS terminal at over 80% of merchants
- But there’s no PIN entry anywhere, with one sorta exception that I’ll come to in a moment
- Credit card payments below a certain value – which varies from merchant to merchant but is typically $50 – at supermarkets go through without any further step after inserting the card in the POS terminal. For transactions above the threshold, signature is required, which is typically done with a stylus on a digital tablet
- For credit card payments at a restaurant, the staff hands over a printed chargeslip, which the customer signs in wet ink
- At gas stations where customers pump their own fuel – which is the normal practice in all but three states of the USA – customers dip the credit card in the card reader at the forecourt and enter their billing address zip code by way of authentication. Zip code is more like a passphrase known to some others rather than a PIN / password that’s supposed to be kept confidential and not disclosed to anyone else
- At gas stations in New Jersey, which is one of the three states which don’t have self-pumping, you hand over the credit card to the staff. That’s it – no PIN or signature required.
Just for the record, when it comes to debit cards, a 4-6 digit PIN is required to withdraw cash from ATM via debit card. None of the people I polled use debit cards at POS to make purchases, so I couldn’t find out whether PIN is required in that context or not.
I’ve skipped online payments because they are not affected in any way by EMV cards compared to magstripe cards.
Going by my exposure to EMV in Germany, UK and India, EMV has always meant chip, which has always meant PIN. So, I tend to think of EMV interchangeably as “Chip and PIN”.
Whereas, in the USA, EMV is “Chip but no PIN”.
I couldn’t make out whether the US implementation is fully EMV compliant. I did a deep dive on the topic with the aforementioned credit card industry professional Paresh Banerjee.
I gathered that full EMV compliance entails the use of technology to drive three goals before a payment is deemed complete. Without going too deeply into the underlying technologies, the goals are:
- Authenticate the card to the card issuer, so the card can’t be cloned
- Authenticate the card issuer to the card, so a man-in-the-middle attack will fail
- Authenticate the user of the card as the legitimate owner of the card, so there’s no chance of fraud.
The American implementation of EMV achieves the first two goals.
When it comes to the third goal, opinion is divided.
- Since signature is a valid Cardholder Verification Method (CVM) per EMV specs, some people argue that USA is fully EMV compliant.
Others, typically diehard EMV practitioners, point out that the majority of EMV implementations confirm the identity of the card user by requiring entry of PIN, so dismiss the PIN-less US implementation as non-compliant.
From a practical standpoint, the US EMV implementation fulfills at least two out of the aforementioned three prerequisites of EMV, so I’d call it “mostly compliant”.
In a follow-on post, I’ll speculate on why the US has skipped the PIN requirement. (Spoiler Alert: It reinforces my long held belief that Winners Don’t Let Security Screw Up User Experience.)