Where do you stand with “chip and PIN” credit cards?

November 10 2008 by Ellen Roseman

Canadian credit card issuers are moving to a new security system. By 2010, you will have to use a four-digit password to validate a credit card sale in a store or restaurant.

The problem is this: Who’s responsible for credit card fraud or unauthorized transactions?

Visa, MasterCard and American Express have zero liability policies for credit card users. They say this will continue.

But some Visa card issuers are sending new terms and conditions to cardholders. They’re saying you may be held responsible if it appears you have not taken care of your personal identification number (PIN).

This is worrisome, since it’s eroding your rights. There are no laws or voluntary codes to say how the credit card issuers will decide who’s right and who’s wrong in these cases.

If such an important issue is still up in the air, why are the banks sending out chip and PIN cards already? And why are they sending out unilateral changes in card terms and conditions?

The banks are reluctant to respond when I ask them. They defer to Visa and MasterCard, who say the zero liability policy will stay. But Visa and MasterCard don’t deal with customers. Only financial institutions deal with customers.

Check out my previous columnshere and here too — and tell me what you think of this new development.

25 comments

  1. Harald

    Nov 10 2008

    Oh never mind; I see someone already linked to Bruce Schneier’s article 🙂

  2. JM

    Nov 10 2008

    The PIN chip card is not completely safe nor is it much different from our debit cards.

    I believe that the zero liability clauses should state that the losses for fraud will be paid for by cardholders and customers of the issuing bank. Zero liability is a misnomer – it is not at all true.

    The exact opposite applies – we pay fully for losses and share the losses of all cardholders of the issuing bank and of VISA. We are technically insurers for the card and it is not stated anywhere.

    There is a HUGE liability for us as cardholders and the costs of the new technology are not reducing fraud. As consumers, we pay twice — in fees for cards and at the checkout, when retailer costs increase for payment
    processing.

    Wearing my RBC Infinite chip cardholder hat … I am most upset that when the new cards were issued to replace our Avion Card, the card number was changed.

    I did not take notice of this until I heard from some of
    the companies that had expected the automatic payments to continue. The payments did not continue as I did not send the new number until notified by those companies (not RBC). This is not customer service but rather customer disservice.

    The cost of innovation does not always reduce our risk or costs, but it seems to reduce the level of customer service.

  3. Lior

    Nov 11 2008

    Dear Ellen,

    I’ve read your column in the Star. The banks are trying to relegate more responsibility to the consumer when it is the banks who should be putting security measures in place.

    The PIN is worthless when it comes to security.

    While the new chip is far more secure than conventional credit cards, it doesn’t provide bullet proof protection against fraud. Just as it was easy to hack satellite cards and obtain all the information that was stored in memory, it is possibly just a matter of time before credit card chips are compromised in a similar way.

    It is clear that the banks are trying to shift the burden of responsibility to the consumer. There have to be laws in place that specify what constitutes deliberate negligence on the part of the consumer when dealing with this technology, which is different than a conventional card.

    Until such laws are in place, the banks, naturally, will try to minimize their losses by holding customers accountable for unauthorized activities.

    I think we will certainly be hearing of plenty of horror stories about this.

  4. Andy

    Nov 11 2008

    I have had the experience of someone “acquiring” my debit card number and pin.

    One day, I had calls from TD security at home and work. They asked if I had gotten cash from a bank machine in Montreal the previous evening (home is Toronto). I said no.

    Apparently, someone had managed to extract $500 with my info and tried again a few more times. That, I guess, was the ding, ding, ding with security.

    The $500 was returned to my account within a few days and I had to get a new account number, pin, etc. Fortunately, I had only recently reduced my single time withdrawal and daily limits from several thousand dollars at the behest of TD.

    That was pretty sweet. But I realized that my $500 loss that was quickly returned had to be made up somewhere in the system. Anyone wonder why VISA interest rates are as high as they are?

    I was lucky and am very careful about displaying my numbers now.

    I also recently heard of a person who was mugged. The two perps took his bank card and asked him for his pin. He refused and was beaten more. So, in an effort to remain alive, he gave it to them. One stayed with him and the other went to a bank machine, where he withdrew some sum of money. One would assume that the penalty for giving a false pin would have been more beating.

    That person was unable to recover his losses because he gave the perps his pin. I can understand the bank policy, but what are you supposed to do when someone physically threatens you for your pin? Stay home and stay safe? I guess the best strategy is to minimize your withdrawal limit.

    Any similar experiences?

  5. Mike Macdonald

    Nov 12 2008

    As an ex-banker I think the comments to date have good merit, but occasionally a little paranoia as well. Banks do not share PIN numbers and I have seen only the utmost discretion in my 27 years inside the bank when it came to PIN numbers.

    After that, all bets are off the table: if the bank can blame a loss on you, they will.

    Bank employees are so accustomed to having half the required training that they typically have no confidence to act on behalf of the customer, even where it is reasonable. In all cases, you need to get to a regional office and talk directly with somebody in the executive ranks.

    Do not go away and do not be deterred by the slow response. They need to be certain you are not scamming them (a very legitimate concern) and a clean past record is important.

    PIN’s will reduce losses, without question. Banks will try to avoid their responsibility for losses, without question!

  6. LD

    Nov 14 2008

    Aren’t the “merchants” responsible for the costs of fraud. Since when are Banks responsible?

  7. Robert Nabloid

    Nov 14 2008

    It’s a double-edged sword! It was only a matter of time before pin numbers were implemented due to so much fraud… but like you said, the banks will take away their liability and place it upon us… even if they say they aren’t going to, they will, just read the fine print! It’s coming.

    If too much fraud occurs and people are held personally liable for it, it will create a lot of bad PR and eventually people may stop using credit cards – why use a credit card if it can put you on the hook for thousands of dollars in unauthorized transactions?? There would be no point.

  8. onarock

    Nov 15 2008

    i like the good old fashioned signature……..i have enuff pin #s to remember now………….

    k

  9. Patricia M

    Nov 16 2008

    My husband and I have only Mastercard credit cards. They do not expire until 2010, but recently while booking airfare with one, I was asked in the middle of the transaction to provide a secure code password, even though I had provided the pin number on the back of the card.

    Since I thought I had one which was all numbers, it did not go through and I was prompted to register. My computer timed out and I had to phone Mastercard and request a secure code, which I had to register.

    Meanwhile, I lost my airfare booking and when I booked a new one, the price had gone up $60 for two seats in a matter of 10 minutes.

    In the next couple of days, I was ordering ink cartridges for my printer and while using another card, I was once more prompted for a secure code. I had to register for another password.

    I now have passwords on each of the Mastercard websites to check my account, plus passwords to use the card.

    We are a couple in our 60’s and we have a difficult time remembering what we had for dinner the week before, let alone a lot of passwords to remember.

    I wonder when our cards expire, are we going to have to register them again?

  10. elman

    Jan 19 2009

    We own 4 credit cards and would not enjoy remembering 4 separate PINs. We would cancel any one of our credit cards that switched to chips+pin technology. This is very troubling news indeed.

    Six months ago, everyone in our office in downtown Vancouver who used their debit card on a bank machine at a convenience store got their PINs stolen. All of them lost money in their bank account.

    A friend in Richmond got held up at gunpoint to hand over his debit card and PIN. The bank said that if you gave them your PIN, they wouldn’t reimburse you the money.

    So this new credit card with chip and PIN is very bad news. The reason we carry credit cards is because it is safer than cash.

  11. James

    May 4 2009

    Here in the UK, we’ve been using Chip & PIN (C&P) since Feb 2006. There was a pre-launch campaign ‘Safety in Numbers’ stating that there would be no shift in liability for fraud and it was safer to use a PIN. On both counts. this isn’t so.

    Let’s look at liability shift first. BBC’s Watchdog had a programme dedicated to Chip & PIN fraud and the Banking Code (Still on YouTube), where victims of PIN based fraud were accused, without proof, that they’d been careless with their PINs. They ended up picking up the cost of fraud. It wouldn’t have happened with a signature.

    Only last week, 30 April, there’s a case going through Nottingham County Court, Job v the Halifax PLC, whereby a consumer is challenging C&P.

    So how about personal safety? Any search of the Internet turns up case after case where cardholders have been mugged, assaulted or even worse by criminals just to obtain their PIN and Card.

    Here’s a thought: someone walking round with a Debit card may be down to their last few pounds, sorry dollars. But if they’ve also got credit cards, they’re more than likely a gold mine on legs.

    If perchance the whole world were to be C&P compliant, I’d bet that incidents of robbery or violence against the person would increase exponentially.

    I wonder if readers are aware that Chip & Signature Cards are still available and will remain so? No PIN = No liability.

    Add to that Chip & PIN Entry devices in shops being hacked, and ATM’s tampered with in all sorts of ways, then this would suggest that the Industry can’t keep PIN’s secret.

    So how can they hold anyone liable? Well, they do.

  12. Ross

    Sep 28 2010

    My wife had her BMO Mastercard and PIN compromised. We have a good idea where, since we suspect that a clerk picked up the card inadvertently left behind after she had observed the PIN with the transaction.

    The incident was reported the next day. Six weeks later, she was told to make a report to the York Region police, even though she had already reported to OPP.

    All help greatly appreciated.

  13. Elmer

    Mar 27 2011

    Since the new chip can be scanned where can I purchase a protector for the credit card??

    Thanks,
    Elmer

  14. bobo

    Apr 25 2012

    I recently got money taken from an ABM in Montreal with my credit card. Not sure if a PIN was used or not, but I would assume so along with a counterfeit copy. Otherwise, how do they withdraw money without a PIN?

    I feel violated and feel there should be some liability on the bank for incidents like this. The new Paypass is even more stupid.

  15. Shawn

    Aug 3 2012

    I just received my last months’s statement for my TD Credit card and in there is a pamphlet describing the changes that were made to the credit card agreement on July 1st.

    First of all, shame on TD for letting me know a month later that my card’s agreement was unilaterally changed 30 days ago.

    To top it, the agreement states that if I used my credit card after July 1st, they would assume that I accept the new agreement. It was completely unethical of TD to do this.

    Secondly, and more importantly, the changes in the agreement impact the way PIN transactions are treated.

    The cardholder agreement now states that if any transaction was carried out by entering a PIN, it would be treated as an ‘authorized’ transaction, whether the cardholder carried it out or not.

    They have taken the view that if a PIN was used, it would have to have been carried out solely by the cardholder and nobody else. There is no mention or exemption for fraud-like scenarios.

    A lot of us are trained to believe that carrying credit and debit cards is much safer than cash. While it may still be true, the latest agreements being drafted by the banks puts the onus of theft, fraud etc. solely on the cardholder.

    If this is the case, I would go back to making weekly cash withdrawals and keeping my card at home and paying for everything in cash.

    Sounds like a step backwards, but this is the direct result of such one-sided agreements that protect the banks against every circumstance but offer little or no protection to the cardholder.

    I am assuming that provincial consumer protection acts would take precedence over this document written by TD’s lawyers; it will be interesting to watch how this plays out in real life fraud situations over the next few months.

    Would the banks now be more reluctant to refund the amount of fraud transactions back to the cardholder??

    In Ontario, the consumer protection act limits cardholder liability to a maximum of $50 for unauthorized transactions carried out before one reports loss or theft to the card company.

    Agreements aren’t drafted in a vacuum. How could TD draft an agreement that is directly contradictory to provincial legislation?