Comment Re:Late on all fronts (Score 1) 210
the PIN vs signature subject (the cardholder verification methods) has more to do with who pays when the fraud happens. Signature is by far easier to use, and this is the reason why in europe it is usual for good customers (cards with expensive subscription fees etc.) to get chip and signature and low end cc and debit cards get chip and pin.
To me the problem is not the PIN, but the magstripe itself, which for europe is kept there for legacy reasons (and at this point, yes I am looking at you US...). If the magstripe was completely disabled then there would be no way to skim the card because you would lose one of the 2 required pieces of information (PAN/CVV).
The second problem is that even with the PAN/PIN, the card should be useless but again there are 2 problems.
1. is again legacy reasons. You steal the PAN, write it in a new card, enter the stolen PIN, bob's your uncle. This should not be possible if the cards where full EMV as the card itself is authenticated against Visa/Master PKI.
2. Internet purchases! Now this is a biggie. You don't want to inconvenience anyone so you keep it as easy as possible. No card authentication, no cardholder authentication. Everything goes. To me this problem can be best tackled with one time passwords/tokens generated by a smartcard.
As you understand this is not a technical problem - and I can assure you that the technology exists and it is solid, but an adoption problem and a backwards compatibility problem.
btw: Come on, you can't read Bruce Schneier and at the same time write the PIN on the back of the card. This is like writing your password on a postit and stick it on the screen. Sure, it's annoying but have some standards!