Chip and PIN: Wikis


From Wikipedia, the free encyclopedia


Chip and PIN is the name of a government-backed initiative in the United Kingdom to implement the EMV standard for secure payments. There is also a similar initiative in Ireland called Chip and PIN Ireland.

History

Until the introduction of Chip and PIN, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under this system, the customer hands their card to the clerk at the point of sale, who either "swipes" the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the account details are verified and a slip for the customer to sign is printed. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the signature matches that on the back of the card to authenticate the transaction.

This system has proved reasonably effective, but has a number of security flaws, including the ability to steal a card in the post, or to learn to forge the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, allowing cards to be easily cloned and used without the owner's knowledge.

How it works

A chip from a credit card, with a six inch pin for scale.

To solve this, banks and retailers are replacing traditional magnetic stripe equipment with smartcard technology, where credit/debit cards contain an embedded microchip and are authenticated automatically using a PIN. When a customer wishes to pay for goods using this system, the card is placed into a "PIN pad" terminal (often by the customer themselves) or a modified swipe-card reader, which accesses the chip on the card. Once the card has been verified as authentic, the customer enters a 4-digit PIN, which is checked against the PIN stored on the card; if the two match, the transaction completes.

France has cut card fraud by more than 80% using a similar, but incompatible system.[citation needed] Chip and PIN is the name given to the initiative in the UK but countries worldwide are launching their own initiatives based on the EMV standard, which is a group effort between Europay, MasterCard and VISA. By the end of 2004, 100 countries should have been using compatible systems based on this standard, and France aims to migrate its existing systems to be compatible with the new cards.

Crime reduction

While Chip and PIN technology has helped reduce crime at the tills, when it comes to telephone, internet, and mail order fraud (known in the industry as card-not-present or CNP fraud) the figures are growing every year and now make up more than 50% of all credit card fraud.[1] Since this has become a major area of fraud, other initiatives such as Verified by Visa and MasterCard SecureCode (both of which are implementations of Visa's 3-D Secure protocol) are being developed to improve security in these situations, such as additional security codes printed on the back of the card and more complex authentication services. The most recent development being piloted by Visa involves Emue Cards. These cards combine a debit or credit chip with technology that generates a secure one-time-only code, shown to the cardholder on an integrated eight-digit alphanumeric screen after the cardholder enters their PIN via a mini keypad on the card.[2]

Conversion

Chip and PIN was trialled in Northampton, England from May 2003, and as a result was rolled out nationwide in the United Kingdom in 2004 with advertisements in the press and national television touting the "Safety in Numbers" slogan. During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN. On January 1, 2005, the liability for such transactions was shifted to the retailer; this acted as an incentive for retailers to upgrade their Point of sale (PoS) systems, and most major high-street chains upgraded on time for the EMV deadline. Many smaller businesses were initially reluctant to upgrade their equipment, as it required a completely new PoS system—a significant investment.

New cards featuring both magnetic strips and chips are now issued by all major banks. The replacement of pre-Chip and PIN cards was a major issue, as banks simply stated that consumers would receive their new cards "when their old card expires"[citation needed]—despite many people having had cards with expiry dates as late as 2007. The card issuer Switch lost a major contract with HBOS to VISA as they were not ready to issue the new cards as early as the bank wanted to. This change angered many, as Visa's Electron cards are generally not accepted online, unlike Switch's Solo.[citation needed]

When a customer does not know their PIN, or the PIN verification fails, the cashier can instigate a PIN Bypass, allowing a signature to complete the transaction. However, this PIN Bypass option was scheduled to be available only during the infancy of Chip and PIN within the UK. The banks decided to discourage this facility from 14 February 2006; after this date PIN verification is required for all Chip and PIN enabled cards. Should customers not know their PIN the cashier may instigate a PIN Bypass transaction with signature, but the card issuer or bank may choose to decline the transaction, making this procedure very infrequent.

Cardholders who are incapable of entering a PIN because of a disability can contact their bank to be issued with a Chip and Signature card.

In the Republic of Ireland a PIN has been required with Chip-and-PIN-enabled cards since 17 March 2007.

Benefits

Under the old system, a customer had to hand their card to the assistant to pay for a transaction. When credit cards were first introduced, offline portable card imprinters (mechanical rather than magnetic) which did not connect to the card issuer were used without the card leaving the customer's sight; transactions over a certain limit had to be verified by telephoning the card issuer. Later equipment was introduced which electronically contacted the card issuer using information from the magnetic stripe to verify the card and authorise the transaction; this was much faster, but had to be in a fixed location. Consequently, if the transaction did not take place near a terminal (in a restaurant, for example) the card had to be taken away from the customer to the card machine. It was easily possible at any time for a dishonest employee to swipe the card surreptitiously through a cheap machine which would take a couple of seconds to record the information on the card and stripe; in fact, even at the terminal, the criminal could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards easy, and a common occurrence.

Since the introduction of Chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used on a PIN terminal. Fortuitously, the introduction of chip and PIN coincided with wireless data communications technology becoming inexpensive and widespread, and wireless PIN pads were introduced that could be brought to the customer and used without the card ever being out of sight (this would have been possible, had the technology been available, with magnetic stripe cards). Chip and PIN and wireless together reduce the risk of cloning of cards by brief swiping.

Banks' liability

Until 1 November 2009 banks' legal liability in cases of unauthorised use of card accounts was subject to terms of the voluntary Banking Code, and in many cases banks refused to reimburse cardholders who reported unauthorised card use, claiming that their systems could not fail and consequently the cardholder must have acted "without reasonable care"—the Code states that unless a bank can prove that its customer acted fraudulently or without reasonable care, the most that the customer will be liable for is £50[3].

The Financial Services Authority (FSA) Payment Services Regulations 2009 came into force on 1 November 2009[4] and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault[5]. The Financial Services Authority said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability.

Criticism

Banks originally not liable by default

The Chip and PIN implementation was criticised as designed to reduce the liability of banks in cases of claimed card fraud by requiring the customer to prove that they had acted "with reasonable care" to protect their PIN and card, rather than on the bank having to prove that the signature did not match. Before Chip and PIN, if a customer's signature was forged, the banks were legally liable and had to reimburse the customer. Until 1 November 2009 there was no such law protecting consumers from fraudulent use of their Chip and PIN transactions, only the voluntary Banking Code. While this code stated that the burden of proof is on the bank to prove negligence or fraud rather than the cardholder having to prove innocence,[6] there were many reports that banks refused to reimburse victims of fraudulent card use, claiming that their systems could not fail under the circumstances reported, despite several documented successful large-scale attacks.

This changed on 1 November 2009 when legal, rather than voluntary, regulations came into force requiring banks to reimburse cardholders unless they could prove that the transaction was authorised by the cardholder[5].

Foreign cards

Chip and PIN systems can cause problems for travellers from countries that do not issue chip and PIN cards (most notably, the USA) as some retailers may refuse to accept their chipless cards.[7] While most terminals will still accept a magnetic strip card, and the major credit card brands require vendors to accept them, poorly trained staff may refuse to take the card under the mistaken belief that they will be held liable for any fraud if the card cannot verify a PIN. Non-chip-and-PIN cards may also not work in some unattended vending machines at, for example, transport stations.[8]

Vulnerabilities, fraud, and misuse

Chip and PIN cards are not foolproof; several vulnerabilities have been found and demonstrated, and there have been large-scale instances of fraudulent exploitation. In many cases banks have been reluctant to accept that their systems could be at fault and have refused to refund victims of what is arguably fraud, although legislation introduced in November 2009 has improved victims' rights. Vulnerabilities and fraud are discussed in depth in the main article.

References

  1. http://news.bbc.co.uk/1/hi/technology/8046492.stm
  2. http://www.visaeurope.com/pressandmedia/newsreleases/press363_pressreleases.jsp
  3. Banks reluctant to pay victims of chip-and-PIN fraud, Times Online, 23 January 2009
  4. FSA: Payment Services Regulations 2009, in force from 1 November 2009
  5. Telegraph - Card fraud: banks now have to prove your guilt, 12 February 2010
  6. http://www.thisismoney.co.uk/help-and-advice/ask-an-expert/article.html?in_article_id=395091&in_page_id=92
  7. U.S. credit cards becoming outdated, less usable abroad
  8. For Americans, Plastic Buys Less Abroad
