Yes, the US system is ridiculous: why should anyone be allowed to pull $ from your account with only a routing code, account number, and possibly some other easily obtained information? I don't know what requirements the bank has before qualifying someone to do these "ACH" payments, but it is likely easy enough to get approved. The UK has a much better system where you, as the account holder, either have to initiate the transaction, or you have previously filled out and signed a physical authorization paper that the person receiving the money has to file with the bank. At any time, you can, as the account holder, withdraw permission for that debit (if it is monthly recurring), without needing consent from the receiving party.
With the system in the UK mentioned above, people freely exchange their routing (aka "sort code") and account number information. It is quite a common way for two people to pay each other because most banks don't charge for UK to UK transfers in the same currency.
Someone also mentioned the credit card terminal PIN system used in France. This is similar to what you need in the US to use most debit cards, and the UK is also starting to use this with credit cards that have embedded smart chips. However, apparently, it is optional for the merchant whether or not they accept payments without the PIN on chip/PIN enabled cards. One merchant kept having a fairly low value transaction declined when using the mag-stripe; once they used the chip reader and I entered my PIN it went through. Since implementing this system, however, it seems all the banks no longer allow you to change the PIN over the phone; you have to go to an ATM, and not just any ATM: it has to be one at specific banks within the UK.
This tells me that it's likely they store the PIN in the chip, with some type of encryption, which will be broken some day no doubt and become useless. Further evidence that makes me believe they store the PIN inside the chip is the fact that I was told merchants can do "chip & PIN" transactions while offline. If this is the case, they are either 1) when offline, hoping you entered the right PIN and authorizing the transaction regardless, or 2) decrypting the PIN, stored locally on the card, with a certificate stored in the POS terminal (and once that certificate is compromised you have the keys to the city).
If they are not storing the PIN in the card, I see absolutely no reason why they won't update the PIN for you over the phone, unless they have some type of PIN database encrypted with a certificate which is only available within the chip on the card. Would anyone familiar with the system care to comment?
Just as a side note, some companies within the US tried to implement smart chip systems in their cards; Providian Smart Visa and the Fleet Fusion card are two that come to mind. They failed to get anyone to actually use it and gave up, converting back to non-chip cards. I'm not too sure what their system really had to offer (not much); they tried to tout it as a way to make more secure online transactions, have the online web store form automagically filled out with your details, etc. At the time, they were sending out free smart card readers to try to get people using these, probably one of the reasons they decided it cost too much and scrapped it.