Chip & PIN warning

Anonymous
Not applicable

Chip & PIN warning

Hello!

 

I've been reading these forums off and on for about 2 years now and I finally decided to join to offer my knowledge of Chip & PIN technology as a fairly longtime banker.

 

Nearly everyone here seems so excited about Chip & PIN coming to the US, but I personally prefer Chip & Signature myself. And here's why: 

 

For the past 5 years I have worked for a major Canadian bank (until very recently) and have handled numerous fraud investigations at the branch level. What most people don't seem to realize is that Chip & PIN is not at all a secure system. Studies by major UK universities have shown repeatedly that Chip and PIN technology has been flawed and easily exploited from the very beginning, and I have seen it happen!

 

I realize that Chip and PIN does have some advantages, and it is certainly more secure (for the banks) than magnetic stripe technology. But what about for the customer?

 

Many people here have discussed the upcoming liability shift from banks to merchants. Unfortunately, nobody seems to realize that the real liability shift, kind of a secret one, is from the banks to their customers.

 

An example: I recently took a complaint from a customer about a nearly $2000 charge that appeared on her account statement. This person swore up and down that it wasn't hers and that she had no idea what it was. Having personally waited on this customer many times in the past, I had no reason to doubt her and every reason to believe her based on a well established banking relationship and knowledge of her character.

 

So I sent the dispute off for investigation, knowing what the result would be. When the answer came back a few days later, the bank said that the person's Chip card and correct PIN were used to pay for the charge and that the bank would not reverse the transaction--just as I thought. It was then my great privilege to pass this awful news along to the customer, who ultimately lost the entire $2000. This particular Chip and PIN transaction was on her debit card, so the money had already left her account at the time the transaction was made. The transaction also did not go over a VISA or MasterCard debit network, but rather the Canadian Interac debit network, so there was no opportunity to use VISA or MasterCard policies to limit her liability.

 

So, what happened? Well, somehow (I don't know how) the customer's card was compromised, and likely the criminal used any 4 digit PIN number at all to make the charge. There is a way these people have of tricking the chip terminal into thinking the entered PIN was correct. I don't know all of the ins and outs of how they do it, but I have seen the results many times. When the bank sends away for information from, for example, VISA International or MasterCard or whichever network was used, a report is generated by the card processing company of the bank whose terminal was used. For example, a company such as Moneris in Canada, or Chase Payment Tech. Anyway, the report indicates whether or not a correct PIN had been used by sending a code of Y for yes and N for no. If the report says Y, then even the bank that owns the credit card believes that the correct PIN was used, and they then refuse to take any liability for the charge--the customer has to pay.

 

This example is just one of many that turned out the same way during my time with the bank. Part of my reason for ultimately leaving banking was due to my disgust with this kind of situation. I saw many customers taken advantage of after Chip and PIN became the standard in Canada. I don't know in every case whether or not the customer was being honest, but in a number of cases I did know the customer quite well and do not believe it was in the person's character to lie to the bank. The bank's character, however, is another story...

 

Why am I telling you all this? Well, Chip and PIN is coming--that's inevitable! So there's no way around it. My advice is to never let your card out of your hand/wallet/sight when Chip and PIN comes, because then it is much more difficult to have your card compromised. If your card has a RFID chip in it, it can't hurt to get a RFID blocking sleeve or wallet either! I have both. My other way of dealing with this is to have a few different cards all with relatively low limits. This way, if the bank says "Your PIN was used, you have to pay!" then at least the damage won't be as significant.

 

In Canada, a law was passed a few years ago that no auto CLIs are allowed. If the bank wants to increase your limit, they have to ask you for permission to do it. If you consent, then up it goes to the offered amount. This makes it easy to keep limits where they are. In one case I became uncomfortable with a 5 digit limit I had and decided to call the issuer and lower it by a few K to $7,000. Personally I think anywhere in the $2,000 to $5,000 range is ideal, though having one card with above $5K isn't too bad. I prefer higher limits on LOC accounts that are not accessible by either a bank card or credit card. This is also good if you carry a balance as the interest on a LOC is usually much lower than on a CC (at least in Canada).

 

Please note that all banks in Canada operate in the way I have described--as I believe they do in other Chip and PIN countries and ultimately will in the US. In Canada they all eventually made some slight changes to their terms and conditions, and from then on the customers were on the hook. I make no guarantees that the same WILL happen in the US, but I would be extremely surprised if it didn't happen after a while. I have advised numerous people in Canada to write to their federal MP to have a law enacted to pass liability back over to the banks whether or not a correct PIN was used, but since it affects a relatively low percentage of the population overall, most people are neither aware of the issue nor inclined to write letters about it--right up until it happens to them!

 

If anyone has any questions about this issue, I am happy to answer them insofar as I can without giving out any confidential information related to my past customers. I also prefer not to say which bank I worked for.

 

I have some (limited) knowledge of underwriting from my time as a banker as well and will eventually share some of that. Whether or not people choose to believe this post is of no interest to me. I offer it simply for informational purposes. Do with it as you will. 

 

G

longtimelurker
Epic Contributor

Re: Chip & PIN warning

Yes, what you say is certainly true in the UK, the PIN being used being regarded by the banks as proof that either you did it, or were sufficiently negligent (writing the PIN on the card for example) that it becomes your responsibility.

 

Some of the UK research you mention was partially driven by that, enough reports of people saying that they DIDN'T make the transaction that it got hard to believe that they were all lying.

Lyythine
Established Contributor

Re: Chip & PIN warning

It also doesn't help when Wells Fargo sends me a PIN that is the same digit repeating 4 times... I asked them to issue me a new PIN, it was the same PIN. ugh.

ojefferyo
Valued Contributor

Re: Chip & PIN warning

Debit cards in the US are like that and have been like that. We are told by the bank that if a debit card is used with a PIN there will never be a chargeback to us, meaning the customer is left on the hook. If your debit card has a Visa or Mastercard logo on it run it as credit. 

Amex Platinum, Amex Hilton HHonors Surpass, Chase Southwest Premier, Chase Marriott Rewards Premier, Discover IT, Sony Visa, Barclay Arrival+ MC, Cabela Visa, Walmart SC, Amazon SC, Kohls, Diners Club Premier, PayPal Credit, PenFed Platinum Reward Visa, PenFed PLOC, Chase Ritz Carlton, Citi TY Premier, Amex BCP, Discover Miles, Care Credit, Blue Nile SC, iComfort SC, Cap1 Venture, Chase Hyatt, Lowes, US Bank Cash+, Citi Costco Visa
lg8302ch
Senior Contributor

Re: Chip & PIN warning

It is the same way with other European card issuers. If used with the correct PIN the liability is with the customers until the moment the card is reported lost or stolen. What the main problem is in some European countries is that the lender sends a default PIN on the card and does not allow it to be changed for a number that can easily be remembered. So the PIN on my 4 German cards I do have to write down and basically need to look up each time I want to use the card. This is a security issue for me and a nightmare. Switzerland is easy and the cards allow you to modify the PIN at any ATM for the PIN you like. Therefore many customers with cards where the lender does not allow you to select the PIN of choice and only accepts the initial default PIN are writing it down and worse carry it in their wallet or even write it on the card. I do not like that I have to save it in my mobile but there is simply no way to remember a ton of different PIN numbers for each card. If the US starts with chip & PIN it will be mandatory that the card issuer lets the customers select their PIN of choice. Like this you can remember it and do not have to write it down.

Anonymous
Not applicable

Re: Chip & PIN warning

Hmm... I assumed  the chip and PIN system was better on all fronts. After hearing this, I'd almost rather use the magnetic stripe technology safe in the knowledge that, per my CCC, I'm not liable for any fraud.

 

I've heard that Apple Pay is one of the most secure ways to pay, since it's almost impossible for someone to obtain any meaningful information. Do you have an opinion on the security aspect of it?

ElBarrbaro
Valued Member

Re: Chip & PIN warning


@Anonymous wrote:

Hello!

 

I've been reading these forums off and on for about 2 years now and I finally decided to join to offer my knowledge of Chip & PIN technology as a fairly longtime banker.

 

Nearly everyone here seems so excited about Chip & PIN coming to the US, but I personally prefer Chip & Signature myself. And here's why: 

 

For the past 5 years I have worked for a major Canadian bank (until very recently) and have handled numerous fraud investigations at the branch level. What most people don't seem to realize is that Chip & PIN is not at all a secure system. Studies by major UK universities have shown repeatedly that Chip and PIN technology has been flawed and easily exploited from the very beginning, and I have seen it happen!

 

I realize that Chip and PIN does have some advantages, and it is certainly more secure (for the banks) than magnetic stripe technology. But what about for the customer?

 

Many people here have discussed the upcoming liability shift from banks to merchants. Unfortunately, nobody seems to realize that the real liability shift, kind of a secret one, is from the banks to their customers.

 

An example: I recently took a complaint from a customer about a nearly $2000 charge that appeared on her account statement. This person swore up and down that it wasn't hers and that she had no idea what it was. Having personally waited on this customer many times in the past, I had no reason to doubt her and every reason to believe her based on a well established banking relationship and knowledge of her character.

 

So I sent the dispute off for investigation, knowing what the result would be. When the answer came back a few days later, the bank said that the person's Chip card and correct PIN were used to pay for the charge and that the bank would not reverse the transaction--just as I thought. It was then my great privilege to pass this awful news along to the customer, who ultimately lost the entire $2000. This particular Chip and PIN transaction was on her debit card, so the money had already left her account at the time the transaction was made. The transaction also did not go over a VISA or MasterCard debit network, but rather the Canadian Interac debit network, so there was no opportunity to use VISA or MasterCard policies to limit her liability.

 

So, what happened? Well, somehow (I don't know how) the customer's card was compromised, and likely the criminal used any 4 digit PIN number at all to make the charge. There is a way these people have of tricking the chip terminal into thinking the entered PIN was correct. I don't know all of the ins and outs of how they do it, but I have seen the results many times. When the bank sends away for information from, for example, VISA International or MasterCard or whichever network was used, a report is generated by the card processing company of the bank whose terminal was used. For example, a company such as Moneris in Canada, or Chase Payment Tech. Anyway, the report indicates whether or not a correct PIN had been used by sending a code of Y for yes and N for no. If the report says Y, then even the bank that owns the credit card believes that the correct PIN was used, and they then refuse to take any liability for the charge--the customer has to pay.

 

This example is just one of many that turned out the same way during my time with the bank. Part of my reason for ultimately leaving banking was due to my disgust with this kind of situation. I saw many customers taken advantage of after Chip and PIN became the standard in Canada. I don't know in every case whether or not the customer was being honest, but in a number of cases I did know the customer quite well and do not believe it was in the person's character to lie to the bank. The bank's character, however, is another story...

 

Why am I telling you all this? Well, Chip and PIN is coming--that's inevitable! So there's no way around it. My advice is to never let your card out of your hand/wallet/sight when Chip and PIN comes, because then it is much more difficult to have your card compromised. If your card has a RFID chip in it, it can't hurt to get a RFID blocking sleeve or wallet either! I have both. My other way of dealing with this is to have a few different cards all with relatively low limits. This way, if the bank says "Your PIN was used, you have to pay!" then at least the damage won't be as significant.

 

In Canada, a law was passed a few years ago that no auto CLIs are allowed. If the bank wants to increase your limit, they have to ask you for permission to do it. If you consent, then up it goes to the offered amount. This makes it easy to keep limits where they are. In one case I became uncomfortable with a 5 digit limit I had and decided to call the issuer and lower it by a few K to $7,000. Personally I think anywhere in the $2,000 to $5,000 range is ideal, though having one card with above $5K isn't too bad. I prefer higher limits on LOC accounts that are not accessible by either a bank card or credit card. This is also good if you carry a balance as the interest on a LOC is usually much lower than on a CC (at least in Canada).

 

Please note that all banks in Canada operate in the way I have described--as I believe they do in other Chip and PIN countries and ultimately will in the US. In Canada they all eventually made some slight changes to their terms and conditions, and from then on the customers were on the hook. I make no guarantees that the same WILL happen in the US, but I would be extremely surprised if it didn't happen after a while. I have advised numerous people in Canada to write to their federal MP to have a law enacted to pass liability back over to the banks whether or not a correct PIN was used, but since it affects a relatively low percentage of the population overall, most people are neither aware of the issue nor inclined to write letters about it--right up until it happens to them!

 

If anyone has any questions about this issue, I am happy to answer them insofar as I can without giving out any confidential information related to my past customers. I also prefer not to say which bank I worked for.

 

I have some (limited) knowledge of underwriting from my time as a banker as well and will eventually share some of that. Whether or not people choose to believe this post is of no interest to me. I offer it simply for informational purposes. Do with it as you will. 

 

G


And that's why I no longer use my debit card, period. Only credit cards.

Anonymous
Not applicable

Re: Chip & PIN warning

Every single major issuer is preferring signature here, not PIN. Judging by how hard they're pushing Apple Pay and the like I highly doubt that'll change any time soon.

 

BTW, http://www.law.cornell.edu/uscode/text/15/1643 is good reading.

longtimelurker
Epic Contributor

Re: Chip & PIN warning


@Anonymous wrote:

Hmm... I assumed  the chip and PIN system was better on all fronts. After hearing this, I'd almost rather use the magnetic stripe technology safe in the knowledge that, per my CCC, I'm not liable for any fraud.

 

I've heard that Apple Pay is one of the most secure ways to pay, since it's almost impossible for someone to obtain any meaningful information. Do you have an opinion on the security aspect of it?


Chip & Pin is much more secure than stripe.   The bad impacts only come if the rules are changed to limit the protection, due to the "security" of chip&pin.

 

Re Apple Pay, I don't know. If you look at the papers that describe chip&pin attacks, a lot of work has been put into identifying weaknesses (e.g. the algorithm depends at one point on an Unpredictable Number being generated. Researchers found that some implementations used are really highly predictable, using timestamps for example, see http://www.bbc.com/news/technology-19559124 for an older example)

 

While I'm sure Apple has got a lot of security people to examine it, it probably hasn't had the number of people or length of time for weaknesses to be exposed.
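Two of the issuer-side checks this thread circles around can be made concrete. The original post describes an acquirer report saying "PIN verified: Y" for a transaction the cardholder never authorised, and the reply above mentions terminals whose "Unpredictable Number" turned out to be predictable. The block below is an added illustration written for this thread, not code from any poster, bank or card scheme. It assumes a simplified, constructed authorisation record in which the issuer sees both the terminal's verification result and the card's own record of which verification method it actually performed (real EMV messages carry these in scheme-specific fields; the field names here are assumptions). It then flags transactions where the two disagree, and terminals whose nonces look like counters or timestamps rather than random values.

```python
"""Issuer-side consistency checks over chip-and-PIN authorisation records.

Added example for this thread (not from any poster or card scheme). The record
format is a constructed simplification: field names and sample values are
assumptions, not a real scheme's message layout.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AuthRecord:
    txn_id: str
    terminal_id: str
    # What the terminal/acquirer reported: the "Y"/"N" code from the thread.
    terminal_pin_verified: bool
    # What the card itself recorded as the verification it performed
    # (assumed values): "PIN", "SIGNATURE" or "NONE".
    card_cvm: str
    # The nonce the terminal supplied for the transaction cryptogram (32-bit).
    unpredictable_number: int


def cvm_mismatch(rec: AuthRecord) -> bool:
    """True when the terminal claims a PIN was verified but the card's own
    record says it never checked one. A genuine PIN entry leaves both sides
    agreeing; a disagreement is the signal an issuer should investigate before
    treating 'Y' as proof the cardholder entered the PIN."""
    return rec.terminal_pin_verified and rec.card_cvm != "PIN"


def predictable_un(uns: Iterable[int], min_samples: int = 4) -> bool:
    """Heuristic for a weak terminal nonce source: repeated values, or a
    strictly increasing run of small steps (counter- or timestamp-like).
    Needs a few samples from the same terminal before it will say anything."""
    seq = list(uns)
    if len(seq) < min_samples:
        return False
    if len(set(seq)) < len(seq):          # repeated nonce
        return True
    steps = [b - a for a, b in zip(seq, seq[1:])]
    return all(0 < s < (1 << 16) for s in steps)   # monotonic, small increments


def review(records: List[AuthRecord]) -> Dict[str, List[str]]:
    """Run both checks and return the flagged transaction and terminal ids."""
    uns_by_terminal: Dict[str, List[int]] = {}
    for r in records:                      # keep per-terminal arrival order
        uns_by_terminal.setdefault(r.terminal_id, []).append(r.unpredictable_number)
    return {
        "cvm_mismatches": [r.txn_id for r in records if cvm_mismatch(r)],
        "weak_un_terminals": sorted(
            t for t, uns in uns_by_terminal.items() if predictable_un(uns)
        ),
    }


# Constructed sample records (all values invented for the illustration).
SAMPLE: List[AuthRecord] = [
    AuthRecord("T001", "TERM-A", True,  "PIN",       0x9A3F11C2),  # consistent
    AuthRecord("T002", "TERM-A", True,  "SIGNATURE", 0x1B7E0033),  # terminal says PIN, card says not
    AuthRecord("T003", "TERM-B", True,  "PIN",       20150101),    # timestamp-like nonces follow
    AuthRecord("T004", "TERM-B", True,  "PIN",       20150102),
    AuthRecord("T005", "TERM-B", True,  "PIN",       20150103),
    AuthRecord("T006", "TERM-B", True,  "PIN",       20150104),
    AuthRecord("T007", "TERM-C", False, "NONE",      0x3C52E9A7),  # no PIN claimed, nothing to flag
]


if __name__ == "__main__":
    for key, ids in review(SAMPLE).items():
        print(f"{key}: {ids}")
```

The mismatch check is the one that matters for the liability argument in this thread: an issuer that only reads the acquirer's "Y" never learns that the card itself recorded a signature transaction. The nonce heuristic is deliberately crude; in practice an issuer would keep a longer history per terminal and use a proper randomness test, but even four monotonic values are enough to justify a closer look.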

Anonymous
Not applicable

Re: Chip & PIN warning


@longtimelurker wrote:

@Anonymous wrote:

Hmm... I assumed  the chip and PIN system was better on all fronts. After hearing this, I'd almost rather use the magnetic stripe technology safe in the knowledge that, per my CCC, I'm not liable for any fraud.

 

I've heard that Apple Pay is one of the most secure ways to pay, since it's almost impossible for someone to obtain any meaningful information. Do you have an opinion on the security aspect of it?


Chip & Pin is much more secure than stripe.   The bad impacts only come if the rules are changed to limit the protection, due to the "security" of chip&pin.

 

Re Apple Pay, I don't know. If you look at the papers that describe chip&pin attacks, a lot of work has been put into identifying weaknesses (e.g. the algorithm depends at one point on an Unpredictable Number being generated. Researchers found that some implementations used are really highly predictable, using timestamps for example, see http://www.bbc.com/news/technology-19559124 for an older example)

 

While I'm sure Apple has got a lot of security people to examine it, it probably hasn't had the number of people or length of time for weaknesses to be exposed.


It sounds like they can't get you for more than $50 though according to that Cornell link, regardless of whether PIN was supposedly used or not. Being unable to pass real liability to the consumer may be one reason why banks aren't bothering with PIN here.
