Ask HN: 2FA for Credit Cards?
30 points by funerr on Sept 6, 2022 | hide | past | favorite | 94 comments
I never understood the idea of CVC. Every website asks for it - so it seems like an extension of the card number. Why isn't there an app (or some digital way) to verify the card is mine, like authentication systems have 2FA? It will change for every transaction, unlike CVC.



It's even mandatory by law for online purchases in EU to have this second factor on online payments.


Yeah - is it not common in the US or something? You can hardly make a card purchase in the UK without it


The US population values convenience over security. Honestly, I'm in that boat. Our CC processes -> Merchants -> Customers probably end up eating the fees somehow, but being able to just insert a card and bounce keeps the machine running.

I assume fraud is minimal enough that the profit of convenience outweighs it.


You are describing in-person purchases, but the discussion is about online purchases.

The EU+UK and Visa/MasterCard have different policies for these. Low-value [1] contactless purchases only occasionally require a PIN, higher-value in-person purchases always do, and online ones require the 2FA system linked above.

[1] https://en.wikipedia.org/wiki/Contactless_payment#CVM_limit


I believe it's still the same for the US. Some merchants will require additional verification over a certain amount, but for the most part it is seamless.

I've bought things for $700-800 that don't require any checks.


Machine learning has pretty much solved this. They detect almost all outright fraud immediately.


In person: we've had contactless cards since 2014/2015. And nowadays with Apple/Google/Samsung Pay there's no limit.

Online: SCA used to be wonky but today I pick up my phone and touch the fingerprint sensor, done.

It's hardly inconvenient, and we enjoy significantly lower transaction fees.


We had contactless in 2009-2012ish, but it was called Isis and died as soon as the actual Isis started attacking Syria. Always was amused by that.

I was in Salt Lake City where it was trialed at Jamba Juices and other fast food merchants.


There's a difference between trials and every bank starting to gradually (and silently, some people got upset) issue contactless cards from 2013 on, and payment terminals being updated everywhere.

I remember going to the US in 2015 and 2016 and while Apple/Samsung Pay had started to gain traction, the idea of tapping my card to pay was still science-fiction.


Came here for that. Handling those was fun to implement in our payments systems :D


Yup came here to say this exact thing.


I moved back to Finland after years in the USA, and found out that credit cards from Finnish banks now require a 2FA system for online payments. It works fine. The online purchase enters a short flow with my bank, they send a request to the bank’s app on my phone, I approve it there and the purchase flow returns to the vendor’s site.

Everything about banking in the USA was seemingly decades behind my experiences in Northern Europe, so it may take a while for American banks to figure out credit card 2FA… (They still regularly use paper checks in America. Bank transfers don’t exist. Many operations require a visit to a bank branch, of which there are absurdly many. I’m surprised they didn’t have mechanical calculators.)


> Everything about banking in the USA was seemingly decades behind my experiences in Northern Europe, so it may take a while for American banks to figure out credit card 2FA…

Having worked closely with multiple banks' credit card departments, this assertion is incorrect. American banks (and merchants) choose to not implement more security for card-not-present transactions because it meaningfully dents conversion rates for online commerce. Same goes for credit card PINs which are extremely common in Europe but rarely seen in the US. Most merchants and banks are okay with a non-zero level of fraud because stricter fraud prevention methods negatively impact user experience.

Here's an article going into more depth about the tradeoffs involved: https://bam.kalzumeus.com/archive/optimal-amount-of-fraud/


You claim that the assertion is false but you've only looked at one aspect for why the parent might think the US banking system is behind.

To put another one out there, there's no universal and practical way to electronically transfer money from one person to another. The only options are cash, checks, wire transfers and ACH. Wire transfers are expensive and ACH is difficult to use.

In the SEPA area you can transfer money to anybody else within about a day for the cost of a local transfer (usually free) with nothing but an IBAN (which can be freely-given, unlike a US bank account number).

Plus, the US has been behind for a long time for card-present transactions as well. Only in the past few years have chips started to see widespread use.


> To put another one out there, there's no universal and practical way to electronically transfer money from one person to another. The only options are cash, checks, wire transfers and ACH. Wire transfers are expensive and ACH is difficult to use.

This is only true for retail banking, not business banking.

The rule of thumb about the US financial system is that it goes out of its way to facilitate commerce between consumers and businesses (debit cards, credit cards), where intermediaries can take a cut of each transaction and the liability for fraud is clearly defined (merchants are generally liable for fraud and consumers have recourse in the form of chargebacks).

Conversely, retail to retail customer transactions have higher likelihood of fraud, a costly chargeback or reversal process and hardly make any money for the banks.


> To put another one out there, there's no universal and practical way to electronically transfer money from one person to another. The only options are cash, checks, wire transfers and ACH. Wire transfers are expensive and ACH is difficult to use.

The FedNow system, scheduled to roll out next year, is designed to fulfill this purpose.

https://www.federalreserve.gov/paymentsystems/fednow_about.h...


I've heard and it's a huge step forward but it's coming 15 years after SEPA.


Similar system in Norway, where there's a common 2FA ID system in which the banks are the identity providers, and the 2FA mechanism is an app, a SIM app (deprecated) or an OTP token:

https://www.bankid.no/en/company/

It's also used as a general digital ID provider.


Indian banks also require the same. The central bank forced them to adopt this. Any txn over a certain amount (I think Rs 500, $5) needs a one-time code, sent to the user's phone, valid for like 10 minutes. Merchants always get a token of validation from the bank, not the actual credit card number.


Any domestic transaction requires OTP. Any international transaction by default requires OTP.


Any transactions using Indian banks need an OTP over a certain amount, Indian website or not.

Any transactions using non-Indian banks or cards go through without asking for any OTP.


I agree with your sentiment, but we don't "regularly" use paper checks in the US. Many stores simply do not accept them anymore, and I can remember just a few times in the past few years where someone in front of me at a checkout was using a paper check --- because it happens so rarely that it is memorable.

Edit: And bank transfers do exist, I don't know how you can get away with just flat out asserting they don't. That's ridiculous. Wire transfers are very old but still supported for a fee, and ACH transfers are ubiquitous. They aren't as quick and easy as in Europe, but they certainly do exist. Zelle is also a pretty recent cross-bank platform for transfers that has made things much easier.


How do I make an ACH transfer to a third person (i.e. not my own account in another bank)? Can I send you money using ACH with an account number you provide?

If it's possible, this functionality must be extremely well hidden.

Wire transfers aren't the same as European-style bank transfers because they're slow, expensive and seem to have weird manual validation steps.

Zelle is a proprietary kludge that has very low transfer limits, and most people don't seem to know it exists. I certainly wasn't able to pay my Manhattan rent using Zelle, so it's not a replacement for bank transfers either.


How would you pay a plumber who came at short notice to unblock a drain?

Or, say, the fees paid for your child's karate class?

Or a 'cash' gift for a teenage nephew?

Those are/were cases where cheques were used in Britain, but the first and second are now often a portable chip debit/credit card reader, or else an electronic transfer. The third could still be a cheque, or could be an electronic bank transfer.

(No-one has paid by cheque in a shop since about 2011, when the system to protect against fraud in this case was removed.)


> How would you pay a plumber who came at short notice to unblock a drain?

> Or, say, the fees paid for your child's karate class?

I forgot a third development, which is thanks to Stripe and other mobile-friendly payment processors. All you need is a smartphone, and they send you a mini card reader that plugs into your phone. I see them all the time at farmers markets and even paid for a tow truck using one once.

> Or a 'cash' gift for a teenage nephew?

Kids these days use Venmo or rarely PayPal. I don't like them and my family uses Zelle to send money to each other from our different banks. Same when we do collections at work for an employee's retirement gift, the organizer just sent their mobile and asked everyone to send money through Zelle. People even pay their landlords with Zelle now.


> I forgot a third development, which is thanks to Stripe and other mobile-friendly payment processors. All you need is a smartphone, and they send you a mini card reader that plugs into your phone.

Did you mean Square? They were one of the first (if not the first) payment processors, iirc, to make it easy for merchants to offer card-swipe to customers, via the mobile phone attachment you mentioned.


Here in the US, when you hire a plumber/electrician/etc the large polished companies will all take a card payment (or offer financing), and the small independent one-man operations will sometimes take card, but often offer a discount for paying by check or cash.


Wait for the bill in the post


This also applies in the Netherlands, I approve them through the app.


What do people without smartphones or cell phones do?


Many banks offer a simple device for 2FA. It's a good idea to have it as a backup anyway for those situations when you can't access your phone for any reason. https://www.nordea.fi/en/personal/our-services/online-mobile...


Amex offer to email me with an OTP. I guess those without email probably don't have much to worry about given that they're unlikely to be doing much online shopping.


SMS tokens are on their way out as they don't satisfy the security requirements.

In this case you need to log in to your bank website and accept the transaction.


I believe all banks implemented SMS and an app, and some banks also have hardware OTP tokens.


It's part of the mandatory security requirements coming with the EU directive regarding PSD 2.


> they send a request to the bank’s app on my phone

I'm glad US banks don't require me to install proprietary apps on my phone.


You might be unsurprised to know that alternatives exist. Generally SMS/email auth or hardware token auth. (Less secure and more unwieldy respectively, but there are still surprisingly many dumbphone users with a lot of money.)


It doesn't have to be an app, it can be SMS.


I get this occasionally with purchases via my US American Express card, but it requires merchant participation: https://www.americanexpress.com/us/security-center/safekey/


I've gotten the same thing from Capital One


I'm not sure where you are but the USA is very lax compared to the rest of the world. Obviously someone has crunched the numbers and decided a little more fraud that gets easily refunded means the customer is more profitable than strict security that could frustrate people. I've had a card with the extra bank verification step and I stopped using it. Maybe the lower interchange fees in Europe make the difference.


Took a trip to the US recently and was astounded at how many places charged my card without any PIN or verification requirements. The seeming normality of service staff taking your card out-of-sight is also unnerving - staff typically don't even lay a finger on your card in Europe. The US is truly in the dark-ages when it comes to payment security.

It seems this is yet another example - didn't even realise US cards didn't have 2FA for online transactions.


I prefer it. We have good fraud liability laws. If someone steals my card number, it's the bank's problem.

I am a heavy credit card user, and over my lifetime I've only had two instances of unauthorized purchases. Both times, the bank caught it algorithmically and prevented the purchase anyway.


> I prefer it. We have good fraud liability laws. If someone steals my card number, it's the bank's problem.

We do too. And much cheaper transaction fees.

Fraud isn't your bank's problem, customers are paying for it.


Fraud rates on credit cards in the US are 10.25 cents per $100

Fraud rates on credit cards in the EU are 3.6 cents per 100 euro

The difference is 6.65 cents/100 which is 0.0665%

So, it isn't fraud losses that explain the difference in processing rates between the US and EU

(numbers from 2019)

https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudre...

https://nilsonreport.com/upload/content_promo/NilsonReport_I...


You're right, it cannot explain everything, there's a lot more cashback in the US for example, which has to come from the interchange. But the fraud rate doesn't tell us the full picture here, there are indirect costs in dealing with fraud, I'd be more curious about a figure that also estimates externalities.

Anyway the European report is very interesting because it shows that ATM and POS fraud is fairly marginal in Europe, which justifies pushing better SCA mechanisms as the most effective way to reduce fraud.


I've had more than that. And I've had random purchases declined for whatever algorithmic fraud reasons. But it's never been a serious problem and these days I make sure I have multiple cards so even if one is declined, I have backup.


It's because payment processors basically calculated that people would be less likely to use their credit card if they had the hassle of entering a PIN (or god forbid some rotating code thing!). They're willing to put up with slightly more fraud for the increased CC use, as Americans are much more prone to use their card as a financing vehicle, carrying revolving debt at a usurious interest rate. Every European I know pays their card off every month, so this tactic is much less lucrative; better to increase security in that case.

It is pretty funny when I use my US credit card abroad and the payment terminal spits out a receipt I have to sign. So many confused people on restaurant waitstaff xD


> Every European I know pays their card off every month, so this tactic is much less lucrative; better to increase security in that case.

What do you mean? Credit cards are incredibly rare in European countries, and all that I know of don't have any option outside of paying it in full at the end of the month.


Don't generalize across Europe based on narrow experience in one or two.

It's easy to see there's a huge variance in people with a credit card. Even the 5% rate in Albania is hardly "incredibly rare": https://www.statista.com/statistics/968220/credit-card-owner...

Picking the lowest EU country on that list (Lithuania, 12%), the first bank I found has a 45 day interest-free credit period, and a 14-17% interest rate if you borrow for longer: https://www.seb.lt/en/private/cards/mastercard-standard


I live in Europe, have two credit cards (& know many people with CCs), and there's no requirement to pay it off each month. Possibly a per-country thing?


Cards that are required to be paid off each month aren't credit cards by definition, because they aren't extending any credit. Those are charge cards.


I can assure you that my American Express is marked as a credit card everywhere, even though it autopays itself automatically at the end of each month.


You may want to review the fine print. AMEX offers both types of card, but "credit card" and "charge card" (sometimes "purchasing card") are meaningful financial terms. AMEX used to offer primarily charge cards back in the day, but they've changed many of their cards to credit cards these days.


It literally says credit card on their website, app and the card itself, so I don't think Amex France care about the distinction.


Does your particular card offer credit as a feature? This is how some of the US cards are, they sort of position the credit feature more like an "option" compared to what other issuers do. Because it is offered at all, it is a credit card, even if you pay the full balance normally.

FWIW, all the cards I see on their French site are described as:

> Une carte de paiement internationale à débit

https://www.americanexpress.com/fr/carte-de-paiement/types-c...

and a search for 'crédit' returns no results.


> the hassle

Given the snail's-pace rollout of contactless in the US, this seems like conjecture. Paying is much less hassle in Europe in my experience - having to sign paper, waiting for your card to be brought back? This is hassle.


I was sitting at a bar eating lunch when in Vegas for a conference a few years back. The Brit (I think) next to me was suddenly "Why did the bartender just take my card away?" and I had to explain that was how things generally work. You do see wireless terminals now and then today but they're not super common.


Restaurant staff stealing your card info just isn't really a problem here in the US. I'm sure it happens occasionally, but there's just not a whole lot that can be done with it. Online purchases will almost always require address verification, for example.


> The seeming normality of service staff taking your card out-of-sight is also unnerving

You usually don't need to do this anymore though. I think I have eaten out in the US about 15 times this year, and never needed to hand out my credit card. Many restaurants have a QR code on the check that allows you to pay online. Some have credit card terminals on tables (Ziosk). Others let you pay at the register when you leave.


US credit cards don't typically have pins associated with them anyway unfortunately.


One thing to note is that payment systems are never supposed to store the CVC number, so a data breach shouldn't include that number if the vendor does things correctly. This does make it slightly different to being a 'longer card number'.

In the UK, they also have additional verification steps, which can cause some issues when they go async to a payment system that expects to get a verification immediately.

I've had Apple take payment twice because the 2FA verification text took too long to come through from a phone order for collection and I ended up buying the item in the store.


I've had a bunch of restaurants secure reservations with cc numbers and CVC in a big book. I guess their tech auditors didn't pick up that risk.


I'd assume that for such restaurants there are no auditors, they would do 'self-certification' where they fill out a questionnaire where they assert that they are not doing anything like this. The consequence is that if the data is leaked (finding 'common point of purchase' is sometimes done for sets of fraud) they can become fully liable for the cost of fraud because of this lie in self-certification, otherwise it would generally fall on the receiving merchant.


A few years ago I read a book about a prolific CC hacker, which said restaurants were the worst for CC security. It wasn't unusual for them to store CC numbers with CVC on easily-hacked computers. The hacker would target common restaurant software and just snarf up the numbers remotely.


You are looking for "3D Secure"; in Europe, it is required by regulation for all non-recurring online payments over 30 euros.


(USA resident here) I've made several high value purchases ($100+) online without getting an additional 3D Secure prompt. However, my credit union is rather liberal in locking my card for what they think are suspicious transactions. It's a text or call to customer service to unlock (where they verify recent transactions), but I'd rather enter a password more often than have my card randomly locked.


Actually it's possible you did get a 3D Secure prompt, but many US banks don't do anything with it and just instantly redirect back with authorization.

It's impressive how far behind US financial institutes are.


I've been with the same bank for years, and I will occasionally get one (once or twice per year). I shop on the same sites, too.


Verified by VISA, Mastercard SecureCode are exactly that.


Ugh, I switched domain registrars because my Verified by Visa attempts never worked.


Same. Additionally the last time I saw Verified by Visa the domain it used was registered to some rando's apartment in NYC. Super sketchy.

Edit: this is what I'm talking about: https://news.ycombinator.com/item?id=3962944 and https://randomfoo.net/2011/06/22/mastercard-securecode-and-s...

Looks like I misremembered the details. Still, super sketchy.


3D Secure, right?


seems like that's the overarching term for the "standard" (no clue how standard it actually is), yes


The CVC essentially is an extension of the card number that is only required when making purchases when the physical card is not present.

The CVC is smaller in size and located on the rear of the card to defeat snooping via over the shoulder/CCTV/cameras.


I'd been under the assumption that the CVC is on the other side on purpose so that it doesn't allow seeing all card details at once. But I just got sent a new credit card, and all of the details - card number, expiration, name, CVC - are on the magnetic stripe side.


I wouldn't want it. In my 15 years of using a credit card I've had fewer than a handful of times where there was a fraudulent transaction on my account. The credit card company covered me, and in total I don't think it has exceeded a few hundred dollars. And in that same time I've made thousands of transactions. The addition of a 2FA step for every one of those transactions would be an enormous cost increase on my attention and time.


In India, all online transactions require providing an OTP sent to mobile. Retail transactions require entering a PIN on the terminal. You can make transactions below 5000 INR using NFC tap, but that is optional and can be disabled.

UPI, India's smartphone/app based payment system also requires entering a PIN to make the payments.


The thing about 3-D Secure is that it uses your phone number to verify it's 'you' making the purchase, but if your phone is lost/stolen and you get a new SIM, you're locked out of making any purchases with any cards tied to your old number. You can always update your details on the card provider's site so there is that. Another thing: SMS is not secure and a SIM-swap away from someone being able to make purchases in your name. I wish SMS just got deprecated as a form of verification. It's 2022, come on, we can do this!


3DS delegates the second factor authentication to the card emitter (your bank): the 3DS interface is really just an iframe provided by the bank.

One of my banks embeds their login form, which asks for a portion of your login credentials (probably secure enough in recent browsers, but still a bit yucky). My other bank requires transactions to be approved in the account management interface (either via their mobile app or by logging into their website in another tab). Other banks use one-time-password generators for their website, and reuse that system as their second factor.


> SMS is not secure and a SIM-swap away from someone being able to make purchases in your name.

as in physically getting hold of a SIM card and putting it into another phone? That's what SIM PIN codes are supposed to protect against, but nobody uses them anymore because they are disabled by default now and set to 0000. But you can still do it, every SIM has a PIN and PUK codes.

But SMS isn't 100% secure for different reasons though.


"SIM swap" attacks are typically when an attacker cajoles a carrier to swap a number to a new SIM.


Ah I've heard of those, but that seems like another "first world problem" similar to 3-D Secure not being widespread. That's why identity theft is such an issue in USA, just by having enough information you can make customer support do all kinds of things over the phone.


It depends on your bank - mine has an application for phones that is used to interact with 3D Secure, confirm money transfers etc.


Pure SMS based 2FA is already being deprecated in the EU, as on its own, it isn't compliant with the PSD 2 requirements.


Stripe provides SCA as a standalone product. They connect with the issuing bank of the CC, prompt the challenge asked by the bank, and then Stripe sends whether it's ok or not.


Happens most of the time I spend a few hundred dollars or more with N26 (Germany), Revolut, ING Direct (Australia) and Nubank (Brazil). OTP via their mobile apps (or SMS fallback).

1. Ye, it'd be great if I could configure it to do 2FA on all online transactions. Does anyone know what exactly triggers 2FA?

2. I have an account with BTG Pactual (Brazil) and their virtual card gets a new CVC after each transaction, pretty cool.


> Ye, it'd be great if I could configure it to do 2FA on all online transactions. Does anyone know what exactly triggers 2FA?

AFAIK, 3DS is opt-in on the merchant side, as it requires integration work. Visa & MS are pushing the envelope by only insuring against fraud if 3DS is properly setup. If the merchant chooses not to implement it (and some have decided not to, to reduce checkout friction), they have to bear the financial risk of the fraudulent transactions.


In Germany: 1) register a credit card for online transactions at https://www.sicher-online-einkaufen.de/, 2) activate with an activation code sent by post, 3) every transaction or 1st of every recurring transactions has to be approved via bank's online app (in my case Volksbank via touchid).


First World problem, literally. I've read that swiping cards is still widespread and magnetic strip is mandatory and chips are optional, but I wonder whether people in USA still sign their cards.

Paying online without a code from SMS or push notification is an exception, usually happens when you save your payment method when buying something through a well known giant like PayPal or Steam.


To everyone mentioning 3D Secure et al, I've only used them on the payments side, but it doesn't resemble the 2FA systems that the original poster was asking about. What's going on when the browser does stuff just before the payment is accepted?


In Turkey, where I live, online transactions require 2FA. An SMS is sent for you to enter the PIN, or a notification is sent to your online banking app asking for approval. I thought this was a standard procedure in online banking.


In India we have SMS-based 2FA for online card transactions, and a pin required for PoS ones.



