Chip and PIN

Chip and PIN is the brandname adopted by the banking industries in the United Kingdom and Ireland for the rollout of the EMV smartcard payment system for credit, debit and ATM cards.

Contents

History

Until the introduction of Chip and PIN, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under this system, the customer hands their card to the clerk at the point of sale, who either "swipes" the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the account details are verified and a slip for the customer to sign is printed. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the signature matches that on the back of the card to authenticate the transaction.

This system has proved reasonably effective, but has a number of security flaws, including the ability to steal a card in the post, or to learn to forge the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, allowing cards to be easily cloned and used without the owner's knowledge.

How it works

To solve this, banks and retailers are replacing traditional magnetic stripe equipment with smartcard technology, where credit and debit cards contain an embedded microchip and are authenticated automatically using a personal identification number (PIN). When a customer wishes to pay for goods using this system, the card is placed into a "PIN pad" terminal or a modified swipe-card reader, which accesses the chip on the card. Once the card has been verified as authentic, the customer enters a 4-digit PIN, which is submitted to the chip on the smartcard; if the two match, the chip tells the terminal the PIN was correct, otherwise it informs it the PIN was incorrect.

France has cut card fraud by more than 80%. Chip and PIN is the name given to the initiative in the UK; other countries are launching their own systems based on the EMV standard, which is a group effort between Europay, MasterCard and VISA. By the end of 2004 100 countries should have been using compatible systems based on this standard.

Crime reduction

While EMV technology has helped reduce crime at the tills, when it comes to telephone, internet, and mail order—known in the industry as card-not-present or CNP—fraud, the figures are growing every year, and as of May 2009 made up more than 50% of all credit card fraud.[1] Since this has become a major area of fraud, other initiatives such as Verified by Visa and MasterCard SecureCode (implementations of Visa's 3-D Secure protocol) are being implemented to improve CNP security. Since 2008 VISA has been running pilot projects using the Emue card,[2] which has a chip, a mini-keypad, a display, and a battery expected to last three years; the user enters a PIN and a secure one-time-only code is displayed which replaces the code printed on the back of standard cards.[3]

Conversion

Chip and PIN was trialled in Northampton, England from May 2003, and as a result was rolled out nationwide in the United Kingdom in 2004 with advertisements in the press and national television touting the "Safety in Numbers" slogan. During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN. On January 1, 2005, the liability for such transactions was shifted to the retailer; this acted as an incentive for retailers to upgrade their Point of sale (PoS) systems, and most major high-street chains upgraded on time for the EMV deadline. Many smaller businesses were initially reluctant to upgrade their equipment, as it required a completely new PoS system—a significant investment.

New cards featuring both magnetic strips and chips are now issued by all major banks. The replacement of pre-Chip and PIN cards was a major issue, as banks simply stated that consumers would receive their new cards "when their old card expires"—despite many people having had cards with expiry dates as late as 2007. The card issuer Switch lost a major contract with HBOS to VISA as they were not ready to issue the new cards as early as the bank wanted to. This change angered many, as Visa's Electron cards are generally not accepted online, unlike Switch's Solo.

Cardholders who are incapable of entering a PIN because of a disability can contact their bank to be issued with a Chip and Signature card.

In the Republic of Ireland a PIN has been required with Chip-and-PIN-enabled cards since 17 March 2007.

Benefits

Under the old system, a customer had to hand their card to the assistant to pay for a transaction. When credit cards were first introduced, offline portable card imprinters (mechanical rather than magnetic) which did not connect to the card issuer were used without the card leaving the customer's sight; transactions over a certain limit had to be verified by telephoning the card issuer. Later equipment was introduced which electronically contacted the card issuer using information from the magnetic stripe to verify the card and authorise the transaction; this was much faster, but had to be in a fixed location. Consequently, if the transaction did not take place near a terminal (in a restaurant, for example) the card had to be taken away from the customer to the card machine. It was easily possible at any time for a dishonest employee to swipe the card surreptitiously through a cheap machine which would take a couple of seconds to record the information on the card and stripe; in fact, even at the terminal, the criminal could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards easy, and a common occurrence.

Since the introduction of Chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used on a PIN terminal. Fortuitously, the introduction of chip and PIN coincided with wireless data communications technology becoming inexpensive and widespread, and wireless PIN pads were introduced that could be brought to the customer and used without the card ever being out of sight (this would have been possible, had the technology been available, with magnetic stripe cards). Chip and PIN and wireless together reduce the risk of cloning of cards by brief swiping.

Banks' liability

Until 1 November 2009 banks' legal liability in cases of unauthorised use of card accounts was subject to terms of the voluntary Banking Code, and in many cases banks refused to reimburse cardholders who reported unauthorised card use, claiming that their systems could not fail and consequently the cardholder must have acted "without reasonable care"—the Code states that unless a bank can prove that its customer acted fraudulently or without reasonable care, the most that the customer will be liable for is £50.[4]

The Financial Services Authority (FSA) Payment Services Regulations 2009 came into force on 1 November 2009[5] and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault.[6] The Financial Services Authority said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability.

Criticism

Banks originally not liable by default

The Chip and PIN implementation was criticised as designed to reduce the liability of banks in cases of claimed card fraud by requiring the customer to prove that they had acted "with reasonable care" to protect their PIN and card, rather than on the bank having to prove that the signature matched. Before Chip and PIN, if a customer's signature was forged, the banks were legally liable and had to reimburse the customer. Until 1 November 2009 there was no such law protecting consumers from fraudulent use of their Chip and PIN transactions, only the voluntary Banking Code. While this code stated that the burden of proof is on the bank to prove negligence or fraud rather than the cardholder having to prove innocence, [7] there were many reports that banks refused to reimburse victims of fraudulent card use, claiming that their systems could not fail under the circumstances reported, despite several documented successful large-scale attacks.

This changed on 1 November 2009 when legal, rather than voluntary, regulations came into force requiring banks to reimburse cardholders unless they could prove that the transaction was authorised by the cardholder.[6]

Foreign cards

Chip and PIN systems can cause problems for travellers from countries that do not issue chip and PIN cards (most notably, the USA) as some retailers may refuse to accept their chipless cards.[8]

However, United Nations Federal Credit Union UNFCU will be first issuer in the US to offer credit cards with a high security chip, although one must be a staff member of the United Nations to apply.[9] While most terminals will still accept a magnetic strip card, and the major credit card brands require vendors to accept them,[10] poorly trained staff may refuse to take the card under the mistaken belief that they will be held liable for any fraud if the card cannot verify a PIN. Non-chip-and-PIN cards may also not work in some unattended vending machines at, for example, transport stations.[11] In 2010 a number of companies began issuing pre-paid debit cards that incorporate the Chip & PIN which allows Americans to load up cash as Euros or British Pounds.[12]

As of June 17, 2011, Chase began offering the JP Morgan Select Visa credit card, which also offers a Chip & Signature, but not Chip & PIN capability, to US cardholders. No prior relationship with JP Morgan is required to sign up for the new card, but the absence of a PIN associated with the Chip may make these cards less useful as most unattended kiosks will not accept them.[13] Chase is telling customers that when used in unattended kiosks or fuel stations, the chip in the card is recognized, then the terminal will report "checking PIN", and the transaction will be approved without having entered a PIN. This transaction process is similar to Chase's existing "Blink" [14] approval process.

Vulnerabilities, fraud, and misuse

Chip and PIN cards are not foolproof; several vulnerabilities have been found and demonstrated, and there have been large-scale instances of fraudulent exploitation. In many cases banks have been reluctant to accept that their systems could be at fault and have refused to refund victims of what is arguably fraud, although legislation introduced in November 2009 has improved victims' rights and put the onus on the banks to prove negligence or fraud by the cardholder. Vulnerabilities and fraud are discussed in depth in the main article.

See also

References

  1. ^ BBC:Credit card code to combat fraud, May 2009
  2. ^ VISA EMUE card website
  3. ^ ITPro: Visa tests cards with built in PIN machine, November 2008
  4. ^ Banks reluctant to pay victims of chip-and-PIN fraud, Times Online, 23 January 2009
  5. ^ FSA: Payment Services Regulations 2009, in force from 1 November 2009
  6. ^ a b Telegraph - Card fraud: banks now have to prove your guilt, 12 February 2010
  7. ^ http://www.thisismoney.co.uk/help-and-advice/ask-an-expert/article.html?in_article_id=395091&in_page_id=92
  8. ^ U.S. credit cards becoming outdated, less usable abroad
  9. ^ [1]
  10. ^ Visa Australia
  11. ^ For Americans, Plastic Buys Less Abroad
  12. ^ Travelex Offers America’s First Chip & PIN Enabled Prepaid Foreign Currency Card
  13. ^ Some U.S. banks issuing 'chip and pin' cards
  14. ^ [2]

External links