Swiping debit cards without PIN being needed

[TUC]

When buying tickets from gateline staff a couple of times I've been intrigued by how they swipe my debit card without a PIN being needed. I'm not talking about contactless payment as the card is swiped rather than used in proximity.
Is this a specific arrangement between banks and TOCs as I've never come across shops where a non-contactless card can be used without a PIN?

 

[Bletchleyite]

When buying tickets from gateline staff a couple of times I've been intrigued by how they swipe my debit card without a PIN being needed. I'm not talking about contactless payment as the card is swiped rather than used in proximity.
Is this a specific arrangement between banks and TOCs as I've never come across shops where a non-contactless card can be used without a PIN?

The old pre-chip method of "swipe and sign" can be used at the risk of the business taking the payment if they wish.

 

[TUC]

The old pre-chip method of "swipe and sign" can be used at the risk of the business taking the payment if they wish.

I'm not asked to sign.

 

[najaB]

I'm not asked to sign.

The point is that the swipe is all that is needed. Since the liability shift it wouldn't make any difference if you signed or not.

 

[TUC]

The point is that the swipe is all that is needed. Since the liability shift it wouldn't make any difference if you signed or not.

But why would a TOC want to take that risk instead of simply requiring a PIN?

 

[najaB]

But why would a TOC want to take that risk instead of simply requiring a PIN?

Possibly because their machines don't do chip and PIN, or for speed.

 

[TUC]

Possibly because their machines don't do chip and PIN, or for speed.

Surely every machine by virtue of the nature of the task they are designed for would be chip and PIN enabled?

 

[najaB]

Surely every machine by virtue of the nature of the task they are designed for would be chip and PIN enabled?

They might by design, but that doesn't mean the chip reader is working.

 

[TUC]

They might by design, but that doesn't mean the chip reader is working.

Although presumably common sense would dictate that a TOC would want to get such a unit repaired?

 

[najaB]

Although presumably common sense would dictate that a TOC would want to get such a unit repaired?

Or use it on secondary duties like working a gateline. I suspect though that they swipe simply because it is faster.

 

[hairyhandedfool]

Gateline staff often use Avantix, which only has 'offline' authorisation for chip and pin transactions. Quite a few cards seem to have a zero limit for 'offline' transactions (including all Electron cards) and so, in certain circumstances (as notified by the relevant people at each TOC), a swipe is permitted.

As I understand it, a new generation of mobile ticket machine is in the development which should see the end of swiping.

 

[jon0844]

Seems a bit risky to me. As in anyone could just claim they didn't swipe and get their money back. Cloning cards via a magstrip is stupidly easy.

 

[Bletchleyite]

Seems a bit risky to me. As in anyone could just claim they didn't swipe and get their money back.

If they did, would it not be the case that it would be quite easy to identify the individual and proceed with a RoRA prosecution for deliberate avoidance of the fare?

 

[TUC]

It does also leave the passenger vulnerable, should someone else obtain and misuse their card. I recognise what is said above about the retailer bearing the risk, but it still requires the customer to notice that an unauthorised transaction has gone through their account.

At the very least it seems like sloppy practice that would not be used by other retailers.

 

[Bletchleyite]

At the very least it seems like sloppy practice that would not be used by other retailers.

Swipe and signature is often used by other retailers if a chip and PIN transaction fails. Another notable place it is used is the M6 Toll, where the only two card payment choices are contactless or swipe - no option for C&P at all in order to keep things moving quickly.

The main purpose of the signature is not to check it against the card (though that provides a minor check) - it allows for the signatures to be recalled and verified in the event of alleged fraud.

A credit/debit card holder should never assume their account is OK, in any case - always review your statements to check for possible fraudulent transactions.

 

[jon0844]

If they did, would it not be the case that it would be quite easy to identify the individual and proceed with a RoRA prosecution for deliberate avoidance of the fare?

You'd hope so, but I can't imagine it being that easy. Would it be that easy to identify the individual for a start?

Most retailers knew the liability was shifting and changed their systems ages ago. I know some car park ticket machines still just work on a simple swipe, but they're changing. Heathrow was amazingly still taking cards without PINs not that long ago (don't think they still do) and I noticed the machines at Stansted are changing to have PIN pads at the exits.

It's quite amazing that airports and the railway have reacted so slow to what's a serious change that could cost each dearly.

 

[Bletchleyite]

It is worth noting that Chip & PIN is not universal in every country, and the contracts with Visa etc will require acceptance of non-UK cards to a certain extent.

(Were this not the case the magstripe could be removed completely, and with it a big vulnerability. I do wonder why we can't have two cards - one with a chip but no magstripe for European use, and one, on request, with a magstripe but no chip for US use)

 

[jon0844]

That would be sensible. Giving peace of mind for the majority of time that people aren't abroad.

Mind you, I doubt lenders would want you to have two cards in case you either lost one - OR decided to share with a partner, as I suspect people already do.

I once worked for a company where the boss would give staff his card to pay for meals at meetings with clients. He'd share the PIN, which is risky in itself, but on one occasion a colleague was made to sign. That was fun, not.

Luckily, the restaurant waitress did the usual check. I.e. not checking.

 

[headshot119]

That would be sensible. Giving peace of mind for the majority of time that people aren't abroad.

Mind you, I doubt lenders would want you to have two cards in case you either lost one - OR decided to share with a partner, as I suspect people already do.

I once worked for a company where the boss would give staff his card to pay for meals at meetings with clients. He'd share the PIN, which is risky in itself, but on one occasion a colleague was made to sign. That was fun, not.

Luckily, the restaurant waitress did the usual check. I.e. not checking.

A lot of Credit Cards already give out two cards with an account.

I've got one with an Amex and a Visa card.

 

[Bletchleyite]

Mind you, I doubt lenders would want you to have two cards in case you either lost one - OR decided to share with a partner, as I suspect people already do.

There's no need to do this, of course - authorised user cards are available, so you can give someone an approved card to use if you wish. While I was a student (and indeed from age 16 up, as you could have one from then) I had an authorised user card from one of my parents' credit card accounts. It was for two purposes - so that if I wanted to purchase a high value item myself I could use it rather than have to draw out a load of cash and be vulnerable to an attacker, and as a "get out of jail free" card in the event of getting stranded somewhere. It was certainly not to be used without permission or a very good reason - just like the corporate card I now carry on behalf of my employer!

But yes, one of the issues with C&P is that it's easy to tell someone else your PIN, so people often do.

 

[kieron]

Seems a bit risky to me. As in anyone could just claim they didn't swipe and get their money back.

Anyone could, but if you use the station at all regularly you'd have to be confident that the TOC can't use its CCTV records to connect the person who made that transaction with the person who used the same card at other times.

 

[jon0844]

It might be risky doing it on a line you use a lot, close to home where you might be spotted, but not everyone necessarily has a lot of sense.

But how long until the bank is told the payment wasn't authorised, a chargeback is made and the TOC has to then investigate when and where the payment was made.. contact the staff member, asked if they remember.

Chances are any CCTV footage will be erased by then anyway, and I doubt a RPI or TM is going to remember who presented what card.

I assume it doesn't happen more because people aren't willing to risk it. But I wouldn't want to have a system that allows people to try.

 

[me123]

When I worked in a petrol station, we occasionally had instances where we needed to swipe cards. This was most commonly men over the age of 70 who couldn't work out which way to put their card into the machine (if it can't read the chip three times it defaults to swiping), but there were instances where the chip couldn't be read or, of course, the connection to the bank went down. We had a procedure which was very simple.

I always amazed how many people had not signed their card (rendering it invalid in the first place, even for chip&pin transactions), and how many people had written the PIN on the back (secure). More amazingly, lots of people were using cards with a name belonging to someone of the opposite gender. They'd invariably claim it was their wife's card and/or that they had a joint account (and it probably was) but I still had to decline it. I have no evidence to prove this. When you see a man with a beard signing his name as "Lucy", you have to be concerned of fraud. And it is fraud. Entering the PIN or signing your name is verifying your identity, and using someone else's PIN or signature is a form of fraud.

I'd be very concerned if my card was authorised without any signature check and would complain. It puts me at risk of fraud. It's not a perfect system, but in the fallback scenario it is the best thing we have to ensure that the cardholder's account is safe.

 

[Crossover]

It is presumably a risk the vendor is willing to take. For the probably relatively few chargebacks they'll likely get, it's better to do it than not bother at all. I guess the M6 toll worked on the same principle

As for Chip only cards for Europe, you'll probably find that half the EU don't C&P either...certainly a number of visits to Germany have shown most of them swipe. It does feel like the UK are quite ahead of the game in those terms!

 

[me123]

And I've heard that Chip & Pin may be on its way out, to be replaced by secure contactless cards (similar to Apple Pay/Android Pay but with no need for a phone).

 

[BestWestern]

It does amuse me the millions spent on the introduction of secure chip & pin, only to undo it a few years later with the most ludicrously unsecure medthod possible in Contactless!

Avantix can be set to automatically decline any card already refused by the chip & pin. This means that the card will be refused at every level and cannot then be used for the purchase. This is a ballache, as not everybody has an immediate alternative, and staff then have to come up with a Plan B. Swiping straight away will avoid the chip & pin deciding to refuse and the resulting above scenario. A signature should be requested though, and of course checked against the original supposedly on the reverse of the card.

There is another way; some TOCs will allow the card number to manually entered. A card will then always process. It does however carry security risks as it is essentially overriding the verification process; hence it isn't universally allowed.

 

[me123]

It does amuse me the millions spent on the introduction of secure chip & pin, only to undo it a few years later with the most ludicrously unsecure medthod possible in Contactless!

FWIW, when I mentioned secured contactless potentially replacing chip & pin, it's in relation to MasterCard developing a contactless card that requires fingerprint verification.

And whilst contactless is not secure in its current form, it's the banks who take the risk. If you report your card as stolen in a timely manner, any contactless (and other) fraudulent transactions are covered.

 

[Clip]

Mind you, I doubt lenders would want you to have two cards in case you either lost one - OR decided to share with a partner, as I suspect people already do.

.

If I didn't I think She may shoot me

Though on the contactless thing my bank have given me a little foil envelope thing just bigger than a card and that protects it from anything untoward happening whilst in me pocket.

 

[TUC]

It's striking that the webpage for the body that represents the card payments industry http://www.theukcardsassociation.or...ns/card-present-transactions.asp#content_1312 gives a number of different ways cards can be used, but does not include swiping without a PIN, except where a card is not PIN-enabled.

 

[craigybagel]

Avantix can be set to automatically decline any card already refused by the chip & pin. This means that the card will be refused at every level and cannot then be used for the purchase. This is a ballache, as not everybody has an immediate alternative, and staff then have to come up with a Plan B. Swiping straight away will avoid the chip & pin deciding to refuse and the resulting above scenario. A signature should be requested though, and of course checked against the original supposedly on the reverse of the card.

I understand that Northern's Avantix's (presumably including those used by the barrier staff) are set up this way. Given how many cards get declined on Avantix (including many Business cards at well known banks) it doesn't surprise me that they have resorted to this, especially as most tickets sold at the barrier will be relatively low in price.

Where I work we are allowed to swipe a declined ticket up to a certain value, above that we have to call the bank for authorisation. Another TOC I know of, an Intercity one, permits swipes for any value.