Today, TD Visa sent me a chip and pin card.
For those of us who have been away from Canada now, chip-and-pin cards, as a result of intense pressure from card issuers, have become a de-facto standard for merchant transactions in Canada. Rather than the familiar process of swiping a magnetic stripe and signing a piece of paper, you instead stick your credit card into a terminal, and enter a short numeric code (your PIN). The system has become so pervasive that in many establishments in Vancouver, new members of the service industry don't even know how to swipe a card - much to my amusement when I visit with my ancient magstripe cards.
Why chip-and-pin? It's more secure! Anyone with cheap (or even free) hardware can duplicate the information on a magstripe card, write a random squiggle on a receipt, and walk out of any merchant with as much as they can carry. It's much harder to steal from a chip-and-pin. The card never has to leave the user's hand, and even if it does, is exceedingly difficult to duplicate (millions of dollars of high-end forensics hardware). Even if the card is duplicated or just outright stolen, without the PIN it is difficult to extract any money from it.
Credit cards that are harder for people to steal from? Sounds pretty good, right? Well they are! Except many banks, including TD Canada Trust, have used it as an opportunity to offload risks onto their cardholders.
From their cardholder agreement:
Before you notify us, the Primary Cardholder will not be responsible for any unauthorized Transactions that occurred, as long as you have complied with the Agreement. If at any time your Card or the Account is used, including at an ATM, with a personal identification code (such as a Personal Identification Number (PIN), Connect ID and/or Password), that will be considered an authorized Transaction for which the Primary Cardholder will responsible.
What this translates to is: if you use a credit card, you're not liable for any theft or fraud, unless it's a chip and pin, in which case you're liable for 100%. You're liable for a mugging. You're liable for a terminal with a tampered screen. You're liable if someone uses well-known man-in-the-middle attacks to use your card without your PIN. It may be a bit harder to steal from you, but if they do, it's your problem, no matter what the circumstances.
I don't know if all banks do this. It seems to be a recent change or clarification with TD Canada Trust. I've heard CIBC made this change years ago. Smaller credit unions may be behaving more responsibly than TD Canada Trust. I desperately hope I can find an institution in Canada that actually respects its cardholders, rather than lining them up for theft.
... or maybe I'll just drop my Canadian credit cards entirely. In an ironic role reversal, US law protects cardholders from liability.