On Sat, 25 Feb 2012 16:24:49 +0000, Roland Perry
wrote:

In message , at 16:06:24 on Sat, 25 Feb
2012, Adam H. Kerman remarked:
No, UK credit cards also have a magnetic stripe on the back, so they can
be swiped through a US retail terminal. You just have to sign on the
transaction, rather than use your PIN.

That's interesting. In the UK, do you use the PIN both when swiping

Almost no-one swipes cards any more, they are fitted into a chip reader.

In both cases you'd need a PIN, unless it's one of those intangible
purchases like a parking garage, where they seem to have decided that
the cost of doing PIN verification is greater than the potential fraud
from skimmed cards (and the product has a zero marginal costs anyway).

and using it as a proximity card?

I'm told about 1:10 proximity card transactions require a PIN. Whether
it's random, or by profiling the retailer/customer, I doubt is in the
public domain.

http://conversation.which.co.uk/mone...tactless-card/
refers to a PIN being used for any transaction over 15 UKP or any
taking the running daily total over 50 UKP.

In message , at 15:28:15 on Sat, 25 Feb
2012, Stephen Sprunk remarked:
No, UK credit cards also have a magnetic stripe on the back, so they can
be swiped through a US retail terminal. You just have to sign on the
transaction, rather than use your PIN.

Only if, as above, the transaction is above the merchant's floor limit.
When using my UK credit card in the US I only needed to sign for some
transactions.

There's some over-simplification here. While I agree that some retailers
(especially high-margin ones like restaurants) may not require a
signature, there's a second floor limit above which they have to call
the credit card company. That limit seems to me to be much lower than
you'd get in the UK for a similar transaction verified by PIN.

By "call the credit card company", do you mean actually speak with a
human, or just do a standard automated authorization?

With a human.

The merchant's "floor" allows them to post transactions below a certain
threshold without prior authorization. At least in the US, the floor is
usually USD 25-50, though for some merchants it's $0 due to high
chargeback rates.

Yes, that's [US] Credit Card 101.

The occasional machine, e.g. at gas stations, wanted to know my home
zip code (which, of course, I don't have) but I was able to pay in
the kiosk. (US gas stations need payment before dispensing fuel,
rather than afterwards, as in the UK.)

There's some over-generalisation here, it depends where you are in the
USA; some places need payment first, others don't. It depends a little
on the local demographic.

More specifically, it will depend on the drive-off (i.e. theft) rate at
that location or in that neighborhood.

And you can't predict that by the demographic, of course.
--
Roland Perry

No. I routinely spend amounts of the order of a thousand dollars at
retailers by Chip and PIN card, and it's a one-shot process.

If that's true, then I suspect your credit limit is stored on the card.

No, it's EMV. The card creates a signed transaction that the terminal
sends to the bank. From the user's point of view, the terminal
displays the amount, you enter the PIN and press OK, then a few
seconds later the terminal says the transaction is approved.

They never ask for a signature, unless you're swiping a non-chip
(usually U.S.) card.

R's,
John


--
Regards,
John Levine, , Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

On 25-Feb-12 10:58, Graham Nye wrote:
On 25/02/2012 16:21, Roland Perry wrote:
In message , at 15:48:40 on Sat, 25
Feb 2012, Graham Nye remarked:
When using my UK credit card in the US I only needed to sign for some
transactions.

There's some over-simplification here. While I agree that some retailers
(especially high-margin ones like restaurants) may not require a
signature, there's a second floor limit above which they have to call
the credit card company. That limit seems to me to be much lower than
you'd get in the UK for a similar transaction verified by PIN.

Having signed my CC bill in restaurants I was expecting a waiter
to come back and at least pretend to check the signature. But no,
you just sign and go, and they collect the CC slip when they clear
the table. Perhaps I didn't need to sign the slip (but they had
the usual pre-printed lines to sign along).

In practice, few merchants care whether the signature matches; how
strictly the rules are enforced depends almost entirely on the
merchant's chargeback rate. As a general rule, the industry tolerates a
"manageable" level of fraud because it's less costly than actually
eliminating fraud--mainly in lost revenues, not higher expenses.

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking

In message , at 19:02:04 on Sat, 25
Feb 2012, " remarked:
UK credit cards and proximity cards are different things.

They are "converging things". I don't know of any post-payment proximity
cards that aren't also conventional credit cards. But only a few
conventional credit cards have the proximity technology.

Barclays Bank, IIRC.

Barclaycards, which were at one time all VISA, but I have a Barclay
Mastercard, just to prove it's possible.
--
Roland Perry

In message , at 21:47:58 on
Sat, 25 Feb 2012, Charles Ellson remarked:
I'm told about 1:10 proximity card transactions require a PIN. Whether
it's random, or by profiling the retailer/customer, I doubt is in the
public domain.

http://conversation.which.co.uk/mone...tactless-card/
refers to a PIN being used for any transaction over 15 UKP or any
taking the running daily total over 50 UKP.

£50 sounds a lot like "the average amount you'll run up before meeting a
random PIN check". Do any of the banks publish the algorithm?
--
Roland Perry

I was in San Francisco this week, and tried to use my Clipper smart
card on the BART train from the airport. Faregate said see attendant,
attendant's terminal said BLOCKED. Sorry, said the attendant, you'll
have to buy a separate ticket and call the service center when it's
open tomorrow morning.

When I called the service center, they could see that my card had been
blocked due to my card company changing the card number, but they
could also see that I'd given them the new valid card number so it
should work. The Clipper seems to work like Oyster, the updates are
downloaded from the central computer to the faregates, and are loaded
onto your card the next time you tap it. Tap it today, it should
work. Tried it on an addfare machine, BLOCKED. Grr. Called them
again, hmmn, we pushed it out, should be OK tomorrow.

The problem, I think, is that I only use the card for a week every
three or four months when I have a meeting in San Francisco, so it had
been about two months since they emailed me about the card problem and
I'd fixed it, so whatever they loaded into the faregates had timed out.

The day after that, it finally worked, but what a pain. The day after
that, for the first time I can remember, they did a ticket check on a
Muni streetcar, guy with a handheld reader and a display that said YES
or NO in large letters when it tapped your card. Lucky my card was
unblocked.


--
Regards,
John Levine, , Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

Of course, a thief could just steal the lightweight terminal and have
all the days numbers in it. Do you know for a fact that PINs aren't
captured at a local terminal in the UK altered to do so?

That wouldn't work since it's EMV. There's other crypto stuff in the
card that makes it extremely difficult to clone.

Ross Anderson and his security group at Cambridge has done a lot of
work on chip+pin security problems. There are certainly security
issues, but it's considerably more complex than the kind of mag stripe
copying skimming common in the U.S.


--
Regards,
John Levine, , Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

On 25-Feb-12 15:45, John Levine wrote:
Not actually come across any contactless credit cards in the wild yet.
On-line you need a different PIN, aka a security code.

I have a contactless AmEx in the U.S. which I can tap at the till in
my local Wegmans supermarket (sort of like if Waitrose was owned by a
family of Italian-Americans) and many convenience stores. Wegmans
don't require a signature up to $50, tap or swipe.

So, that just means their floor is apparently $50; whether the card
number is acquired via tap, swipe or imprint is irrelevant to
that--though it affects the merchant's rate and liability.

I really don't understand the resistance of US banks to chip+pin
cards.

Apparently, our banks don't think that the (minuscule) projected
reduction in fraud is worth the cost, and so far they haven't yet
managed to bribe Congress into letting them use EMV as an excuse to dump
that liability on consumers--shocking, considering how corrupt those
buffoons usually are.

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking

What does Canada use, I wonder?

They're most of the way through converting to chip+pin. When I stopped at a
Tim Horton's in Niagara Falls last night, I could have used my chip Interac
(the Canadian debit network) card and pin if I hadn't had $3.28 in coins.

R's,
John
--
Regards,
John Levine, , Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly