The Fable of the Tortoise and the Tortoise

The world of electronic-supported payment transactions changed substantially two days ago. You might have missed it, because it seems that nobody involved in the process seemed to give a shit.

Dominus vobiscum nabisco. Espiritu sanctum. De gustibus. Me gustibus. You gustibus. We missed the bus. They missed the bus. Summa cum laude. Magna cum laude. The radio's too laude. Adeste fidelis. Centra fidelis. High fidelis. Post meridian. Ante meridian. Uncle meridian. All of the little meridians. Magna carta. Master charga.

The quote is from Johnny Dangerously, which Eleanor brought out last night and we finished watching a little while ago. It's that last reference thatsa the mosta relevant: Master Chargas, and Visas, work mucha more differenta in the US today than they did on 30 September. Or not.

You go to Wegmans. You buy dishwasher soap at Wegmans. (My law school professor. who I'm mocking here, didn't understand the market and said "you buy dishwasher at Weg-mannnns.") To pay, you swipe your payment method; if it's under 50 bucks, you're APPROVED! without further action. A penny beyond, you sign on the terminal (I typically sign the words "WITH PEN" because that's what the terminal tells me to do;)  If it turns out that Johnny Dangerously stole or cloned my card? Until Thursday, my bank ate the charge. But as of October 1, the liability shifted to any merchant which did not process a newly-issued "chipped" card with a compliant chippy cardy readery.

Wegmans has them- has had them for years. Because, Canadians. They long ago adopted the "EMV protocol" which stores the card's data on a chip rather than on a magnetic stripe, and which, coupled with other anti-fraud things on the chip, makes it much harder for hackers to take you down just by knowing your 16-digit number.

American banks, you'd think, would have been quick to adopt the new type of card standard to shift liability over to the merchants. They have not. Between us, we have at least five cards (debit or credit) which allow us to buy anything within our credit limits or current bank balances; not a one of them put a chipped card into our wallets by the October 1 changeover date.  One site offers the best explanation of why, and it has to do with the alternative uses of the same pieces of plastic which also require the much more secure use of a four-digit PIN:

Visa and MasterCard could have resolved this problem by forcing card issuers to use chip ‘n’ PIN only; but they never did.

Why some card issuers have chosen to require only a signature instead of a PIN is up for interpretation. “We can’t speak for all banks but one reason a bank may be issuing signature-preferring cards today is because cardholders are used to signing for most card purchases and adding a PIN would add cost and complexity,” Vanderhoof told WIRED. “This approach allows them to get chip cards in consumers hands quickly and start protecting against counterfeit card fraud, and then they may take the opportunity to introduce PIN-preferring cards later down the line.”

Avivah Litan, an analyst with Gartner Research who specializes in card fraud among other things, says this argument is bogus.

“This argument that [signatures are] more convenient for consumers is … not a legitimate argument if you look at the evidence with the consumer experience in Canada and other countries. The PIN has not been a barrier,” she notes.

Not to mention, Brewer adds, that cardholders are already used to using PINs at ATMs and four-digit passcodes to unlock their mobile phones. If there’s any confusion on the part of cardholders about using the new cards, he notes, it’s due to the fact that card issuers have been poor at communicating how the chip cards are different from old cards. According to a recent survey of 1,000 cardholders, the majority who received new chip cards from their card issuers didn’t know why they had received them. And only about 30 percent were even aware that the US was in the process of migrating to EMV technology.

Instead, Litan suggests there’s another reason why banks in particular want to use signatures with the new cards instead of PINs. “Because if the PIN [and card are] stolen, then that PIN [and card] can be used at the ATM machine, where banks are responsible for the fraud,” she told WIRED. Cards that don’t have a PIN associated with them can’t be used at ATMs, but can be used in stores, where the merchants share liability. “They’re more interested in protecting themselves than they are in helping the retailers out.”

So Wegmans, and, yes, Walmart, will endure more lost profits because Chase and Citi  and their ilk are afraid of 1-2-3-4 PINs that would expose them to greater losses if script kiddies got a hold of an account-linked debit card.  Banks and merchants have been fighting over this sort of thing for years, mainly over pennies and mills of fees which vary based on whether you sign for a purchase or use a PIN. As of October 1, the stakes got even higher, and neither party seems to be rushing to protect its own turf.

Therefore, if you have a credit or debit card with a Visa or Mastercard logo on it, check where your issuer stands.  If necessary, go in, as I did the other day, and ask for a new chipped card. It'll at least minimize the need for you to have to screw around figuring out where-all that card is authorized to deduct for gym memberships, Netflix fees, whatever, the next time some major retailer gets h!ck3d.