• Kushan@lemmy.world · 43 upvotes · 1 day ago

    The actual answer: they did.

    The chip payment standard used on modern cards and terminals falls under a specification called “EMV”, which was named after the three companies that made the standard - Europay, MasterCard and Visa.

    Europay merged with MasterCard in 2002.

    Source: used to write software to validate and test EMV.

    Also the US payment systems and the European payment systems are identical (same standard) but implemented badly in the US, that’s why it’s much faster in Europe. I have several war stories about all this.

      • Kushan@lemmy.world · 5 upvotes · 10 hours ago

        I’ll give you a fun one.

        A point of clarification before I begin though - when I talk about chip cards or smart cards, I mean cards equipped with an EMV chip in them. The USA was one of the last countries to adopt this technology, only doing so roughly in the last 10 or so years. The technology has existed since the 90’s (when Europay still existed) and gets regular updates to add new encryption schemes and security gubbins, so while it’s 90’s technology, it has been updated since (Today’s cards use AES and ECC).

        Prior to that adoption, the USA basically refused to use them because of the cost (Cost of cards, cost of new terminals, cost of upgrading legacy infrastructure), however they wanted all the modern conveniences like contactless payments - so those first contactless cards were equipped with simple RFID chips. You know the kind, the ones that just spew out static data. Those are the ones the Mythbusters guys investigated and were forced to not air their findings because they’re so dogshit insecure (and where the idea of someone walking down the street with a big RFID reader hoovering up credit cards comes from).

        With an EMV chip card, you can’t do that. Those chips are like mini computers, they don’t just spew out static data like your card number, they do challenges and responses, they do encryption, MACs, the works. They really are quite secure. A transaction works in such a way that the card doesn’t trust the terminal and the terminal doesn’t trust the card, they validate each other and at any time either of them can say “Nah fuck this, I want to talk to the Bank” - this is called “going online” and if that doesn’t work, the transaction is aborted.

        The point of all of this preamble is to say that it’s actually really difficult to perform fraud on a proper chip card (And again I’m talking about EMV chips, not RFID chips). Not impossible, but very difficult to the point where it’s usually not worth it.

        So, to try and push adoption of the EMV standard in the USA, the big issuers (Your Mastercards and your Visas) tried to push what they termed the “Liability shift”. To put it simply, they’d say something like “If you don’t support EMV by November 15th, any fraud in your shop/bank/whatever will come out of your pockets, not ours”. Meanwhile, they charged a fee (like 2%) on every transaction to cover fraud. So as a shopkeeper, you’d lose an extra 2% (or whatever it was) on every sale, but if someone came in and bought 10 big-assed TVs using a stolen or cloned card, you didn’t lose that money.

        The problem is, no shops or businesses were going to upgrade all their equipment any time soon and certainly not before their banks could support it. Likewise the banks didn’t want to spend all that money and then tell their clients to buy all new equipment - they were afraid of losing customers because why would a customer spend thousands on a new terminal to stick with the same bank, they may as well shop around.

        This weird stalemate meant that adoption was basically nil, so the issuers had to keep pushing back the liability shift over and over. Each time they got a little bit firmer, a sort of “Okay it’s now October next year before you need to adopt EMV but this time we mean it for realsies!”. This went on for YEARS and years until one day, Mastercard decided “you know what, fuck it, we’re not going to bother at all”. It turns out, those fees for protecting against fraud? They were lucrative. They made shitloads of money from it, way more than what the actual fraud was costing them.

        We got told in advance that an announcement was going to go out - pushing back the liability shift “Indefinitely”, which was a real bummer for us because we were about to make shitloads of money selling testing tools and equipment to every fucker who suddenly needed to adopt EMV. Then, literally like 4 days before that announcement was due, a miracle happened - Target got hacked.

        Yes, that Target hack from 2013 where like 40 million credit cards were leaked onto the internet. The hack that made national news for weeks, the one that rustled the jimmies of everyone who had ever set foot inside a Target. There was the biggest credit card breach on record, costing hundreds of millions of dollars in fraud and untold bad blood for tens of millions of customers and Mastercard was about to make an announcement to the effect of “Hey we’re going to cancel the one thing that would have prevented all this impending fraud from ever being able to happen”.

        Yeah, they didn’t make that announcement. Instead, they put their foot down and suddenly the USA woke the fuck up and decided to finally adopt chip card technology.

        (And of course they did a shit job of it, but that’s another story for another day).
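
Added example, not part of the comments above: a toy model of the difference the second comment describes between a card that emits static data and one that answers a challenge with a MAC. Everything here is an assumption for illustration: HMAC-SHA256 stands in for the card's real cryptography, the message layout is invented, and the card number and key are constructed test values.

```python
import hashlib
import hmac
import os

def mac(key, *fields):
    # Length-prefix every field so the MAC input is unambiguous.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Toy card: the key stays inside, a counter advances per transaction."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def respond(self, amount, nonce):
        self.counter += 1
        ctr = self.counter.to_bytes(2, "big")
        return ctr, mac(self._key, self.pan, amount.to_bytes(6, "big"), nonce, ctr)

class Issuer:
    """Toy bank: knows each card's key and the highest counter it has seen."""
    def __init__(self):
        self.keys, self.seen = {}, {}

    def check_static(self, data):
        # Static scheme: presenting the card number is the whole proof.
        return data in self.keys

    def check_chip(self, pan, amount, nonce, ctr, tag):
        key = self.keys.get(pan)
        if key is None:
            return False
        good = mac(key, pan, amount.to_bytes(6, "big"), nonce, ctr)
        fresh = int.from_bytes(ctr, "big") > self.seen.get(pan, 0)
        if not (hmac.compare_digest(good, tag) and fresh):
            return False
        self.seen[pan] = int.from_bytes(ctr, "big")
        return True

def demo():
    pan, key = b"4000000000000002", os.urandom(32)  # constructed test values
    bank, card = Issuer(), ChipCard(pan, key)
    bank.keys[pan] = key
    n1, n2 = os.urandom(4), os.urandom(4)  # terminal challenges, one per transaction
    ctr, tag = card.respond(1000, n1)
    return {
        "static_replay": bank.check_static(pan) and bank.check_static(pan),
        "chip_genuine": bank.check_chip(pan, 1000, n1, ctr, tag),
        "chip_same_msg_again": bank.check_chip(pan, 1000, n1, ctr, tag),
        "chip_new_challenge": bank.check_chip(pan, 1000, n2, ctr, tag),
        "chip_changed_amount": bank.check_chip(pan, 999999, n1, ctr, tag),
    }
```

Only the genuine chip transaction and the static reads are accepted; a recorded chip response fails on the counter, on a different terminal challenge, and on a changed amount.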