walkitout (walkitout) wrote,

A great summary of the EMV transition


It's written as an advisory to credit unions, not to Ordinary People, but it's quite clear, and gives a good sense of what to expect in the next few years.

(1) EMV online only cards in the US, in all likelihood -- so your chip + signature and/or chip + online PIN probably still won't help you out in Europe, if you want to buy at an unattended gas station or whatever. *shrug* But for most purposes (hotel, lodging, restaurants, attractions, car rental, etc.) it should be fine. This advisory specifically suggests running an EMV pilot program issuing first to customers who have a history of traveling internationally. (This is confusing! Online in this context means, when the transaction occurs, is the PIN verified by connecting with a database somewhere ese -- online -- or is the PIN verified by what the chip on the card says -- offline. EMV offline, which is chip + PIN, euro style, requires a more expensive card, better cryptography, etc., and is still probably a bit weaker from a fraud perspective than a card that requires online verification.)

(2) Contact-ful and contact-less at the same time: so _yes_ we'll be stuck with the put the card in the machine and wait until the end of the transaction to retrieve it (which so thoroughly sucked Back In the Day and led to many abandoned/lost/destroyed cards) UNLESS the contact-less/NFC option is available. Which (fingers crossed) it probably often will be.

(3) As other write-ups have indicated, don't expect EMV everywhere for a while. The expectation is that customer cards will be replaced with EMV as part of the regular card replenishment cycle (when your card expires is when you'll get the EMV replacement, presumably). Similarly, big chains will (or already have) accept EMV contact-ful or contact-less long before every last place does.

I ran across a writeup of whether or not Square was PCI DSS compliant in a blog (I cannot seem to find it at the moment). Part of its compliance revolves around who is considered the "merchant" for purposes of PCI DSS compliance -- turns out it is Square, not the entity you bought whatever it was from. Obvs, for other purposes, that latter is still the merchant; it's just for contract purposes. That answered a question I had been wondering about for a while.
Tags: our future economy today

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.