Chip and PIN

Chip and PIN is a brand name adopted by the banking industries in the United Kingdom and Ireland for the EMV smart card payment system for credit, debit, and ATM cards. "Chip" refers to a computer chip embedded in the smartcard, and "PIN" refers to a personal identification number that the customer must supply. "Chip and PIN" is also used in a generic sense to mean any EMV smart card technology that relies on an embedded chip and a PIN.

Chip and signature, which as the name implies, is an alternative implementation that requires the cardholder to verify identity by signing a printed receipt rather than entering a PIN.

History

Until the introduction of Chip and PIN, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under that system, the customer hands their card to the clerk at the point of sale, who either "swipes" the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the system verifies account details and prints a slip for the customer to sign. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the customer's signature matches that on the back of the card to authenticate the transaction.

This system has a number of security flaws, including the ability to steal a card in the post, or to learn to forge the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, making cards easy to clone and use without the owner's knowledge.

Some US banks are now issuing Chip and PIN cards. However, not all are Chip and PIN. Some are in fact Chip and Signature cards;^[1] as they require verification with a signature instead of an encoded PIN. Cardholders should be aware that Chip and Signature cards do not always work on standalone kiosks in Europe designed for Chip and PIN cards.

How it works

To solve this, banks and retailers are replacing traditional magnetic stripe equipment with smartcard technology, where credit and debit cards contain an embedded microchip and are authenticated automatically using a personal identification number (PIN). When a customer wishes to pay for goods using this system, the card is placed into a "Point of Sale" (POS) terminal, which connects to the chip on the card. To complete the transaction, the customer enters a PIN. When the POS terminal is connected to the network, the authenticity of the card and chip can be confirmed, along with the PIN, with the bank servers. If the POS terminal is not connected to the network, the chip can confirm to the terminal if PIN was entered correctly.

France has cut card fraud by more than 80% since its introduction in 1992 (see: Carte Bleue).

Chip and PIN is the name given to the initiative in the UK; other countries are launching their own systems based on the EMV standard, which is a group effort between Europay, MasterCard and Visa Inc.

Online, phone, and mail order transactions

While EMV technology has helped reduce crime at the tills, fraudulent transactions have shifted to more vulnerable telephone, internet, and mail order transactions — known in the industry as card-not-present or CNP transactions. as of May 2009 CNP transactions made up more than 50% of all credit card fraud.^[2] Because of physical distance, it is not possible for the merchant to present a keypad to the customer in these cases, so alternatives have been devised, including:

• Software solutions for online transactions that involve interaction with the card-issuing bank or network's web site, such as Verified by Visa and MasterCard SecureCode (implementations of Visa's 3-D Secure protocol).
• Additional hardware with keypad and screen that can produce a one-time password, such as the Chip Authentication Program.
• Keypad and screen integrated into the card to produce a one-time password. Since 2008, VISA has been running pilot projects using the Emue card,^[3] where the generated number replaces the code printed on the back of standard cards.^[4]

Conversion

Chip and PIN was trialled in Northampton, England from May 2003,^[5] and as a result was rolled out nationwide in the United Kingdom on 14 February 2004^[6] with advertisements in the press and national television touting the "Safety in Numbers" slogan. During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN. On January 1, 2005, the liability for such transactions was shifted to the retailer; this acted as an incentive for retailers to upgrade their Point of sale (PoS) systems, and most major high-street chains upgraded on time for the EMV deadline. Many smaller businesses were initially reluctant to upgrade their equipment, as it required a completely new PoS system—a significant investment.

New cards featuring both magnetic strips and chips are now issued by all major banks. The replacement of pre-Chip and PIN cards was a major issue, as banks simply stated that consumers would receive their new cards "when their old card expires" — despite many people having had cards with expiry dates as late as 2007. The card issuer Switch lost a major contract with HBOS to VISA as they were not ready to issue the new cards as early as the bank wanted to. The Republic of Ireland has required Chip-and-PIN-enabled cards since 17 March 2007.

Chip and Signature

Cardholders who can't enter a PIN because of a disability can ask their bank to issue a Chip and Signature card.

Benefits

Under the old system, a customer typically had to hand their card to a sales clerk to pay for a transaction. When credit cards were first introduced, merchants used offline portable card imprinters (mechanical rather than magnetic). They did not connect to the card issuer, and the card never left the customer's sight. The merchant had to verify transactions over a certain limit by telephoning the card issuer.

Later, equipment electronically contacted the card issuer, using information from the magnetic stripe to verify the card and authorise the transaction. This was much faster, but had to be in a fixed location. Consequently, if the transaction did not take place near a terminal (in a restaurant, for example) the clerk or waiter had to take the card away from the customer to the card machine. It was easily possible at any time for a dishonest employee to swipe the card surreptitiously through a cheap machine that instantly recorded the information on the card and stripe; in fact, even at the terminal, the criminal could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards easy, and a common occurrence.

Since the introduction of Chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used on a PIN terminal. The introduction of chip and PIN coincided with wireless data communications technology becoming inexpensive and widespread. Merchant personnel can now bring wireless PIN pads to the customer, so the card is never out of the cardholder's sight. (This would have been possible with magnetic stripe cards had the technology been available.) Chip and PIN and wireless together reduce the risk of cloning of cards by surreptitious swiping.

Banks' liability

Until 1 November 2009, banks' legal liability in cases of unauthorised use of card accounts was subject to terms of the voluntary Banking Code, and in many cases banks refused to reimburse cardholders who reported unauthorised card use, claiming that their systems could not fail and consequently the cardholder must have acted "without reasonable care"—the Code states that unless a bank can prove that its customer acted fraudulently or without reasonable care, the most that the customer is liable for is £50.^[7]

The Financial Services Authority (FSA) Payment Services Regulations 2009 came into force on 1 November 2009^[8] and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault.^[9] The Financial Services Authority said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability.

Criticism

Banks originally not liable by default

The Chip and PIN implementation was criticised as designed to reduce the liability of banks in cases of claimed card fraud by requiring the customer to prove that they had acted "with reasonable care" to protect their PIN and card, rather than on the bank having to prove that the signature matched. Before Chip and PIN, if a customer's signature was forged, the banks were legally liable and had to reimburse the customer. Until 1 November 2009 there was no such law protecting consumers from fraudulent use of their Chip and PIN transactions, only the voluntary Banking Code. While this code stated that the burden of proof is on the bank to prove negligence or fraud rather than the cardholder having to prove innocence, ^[10] there were many reports that banks refused to reimburse victims of fraudulent card use, claiming that their systems could not fail under the circumstances reported, despite several documented successful large-scale attacks.

This changed on 1 November 2009 when legal, rather than voluntary, regulations came into force requiring banks to reimburse cardholders unless they could prove that the transaction was authorised by the cardholder.^[9]

Foreign cards

Chip and PIN systems can cause problems for travellers from countries that do not issue chip and PIN cards (most notably, the USA) as some retailers may refuse to accept their chipless cards.^[11] While most terminals still accept a magnetic strip card, and the major credit card brands require vendors to accept them,^[12] some staff may refuse to take the card, under the belief that they are held liable for any fraud if the card cannot verify a PIN. Non-chip-and-PIN cards may also not work in some unattended vending machines at, for example, train stations, or self-service check-out tills at supermarkets.^[13]

In 2010 a number of companies began issuing pre-paid debit cards that incorporate Chip & PIN and allow Americans to load cash as Euros or British Pounds.^[14] United Nations Federal Credit Union was the first US issuer to offer Chip and PIN credit cards.^[15] As of June 17, 2011, Chase began offering the JP Morgan Select Visa credit card, which also offers a Chip & Signature, but not Chip & PIN capability, to US cardholders.^[16] As of December 2013, the Chase Sapphire Preferred Visa Signature credit card is issued with Chip & Signature as well.

Vulnerabilities, fraud, and misuse

Chip and PIN cards are not foolproof; several vulnerabilities have been found and demonstrated, and there have been large-scale instances of fraudulent exploitation. In many cases banks have been reluctant to accept that their systems could be at fault and have refused to refund victims of what is arguably fraud, although legislation introduced in November 2009 has improved victims' rights and put the onus on the banks to prove negligence or fraud by the cardholder. Vulnerabilities and fraud are discussed in depth in the main article.

See also

References

1. ↑ Hartley, David, "Chip & PIN & Signature, Magstripes and EMV Go-Faster Stripes", We Live Security, July 1, 2014, retrieved July 11, 2014
2. ↑ BBC:Credit card code to combat fraud, May 2009
3. ↑ VISA EMUE card website
4. ↑ ITPro: Visa tests cards with built in PIN machine, November 2008
5. ↑ http://news.bbc.co.uk/1/hi/business/2937447.stm
6. ↑ http://www.chipandpin.co.uk/reflib/Consumer_digi-guide_Post_14_Feb_FINAL.PDF
7. ↑ Banks reluctant to pay victims of chip-and-PIN fraud, Times Online, 23 January 2009
8. ↑ FSA: Payment Services Regulations 2009, in force from 1 November 2009
9. ↑ 9.0 9.1 Telegraph - Card fraud: banks now have to prove your guilt, 12 February 2010
10. ↑ http://www.thisismoney.co.uk/help-and-advice/ask-an-expert/article.html?in_article_id=395091&in_page_id=92
11. ↑ U.S. credit cards becoming outdated, less usable abroad
12. ↑ Visa Australia
13. ↑ For Americans, Plastic Buys Less Abroad
14. ↑ "Travelex Offers America’s First Chip & PIN Enabled Prepaid Foreign Currency Card". Business Wire. Business Wire. 1 December 2010. Retrieved 6 February 2014. 
15. ↑ UNFCU to be first issuer in the US to offer credit cards with a high security chip
16. ↑ Some U.S. banks issuing 'chip and pin' cards

External links

• Chip and PIN Official homepage
• Chip and PIN Ireland homepage
• Now the Pin is mightier than the pen, from BBC News Online

Credit, charge, stored-value, and debit cards Major cards American Express Diners Club MasterCard Debit MasterCard Maestro Visa Visa Debit Visa Electron Regional and specialty cards BC Card BCA Card Carte Bleue China UnionPay Dankort Discover EFTPOS Electronic Payment Services (EPS) Girocard Interac JCB NETS RuPay UATP V PAY MEPS Stored-value cards Touch n Go EasyCard Octopus card EZ-link Shanghai Public Transportation Card Yikatong Shenzhen Tong Suzhoutong Yang Cheng Tong Defunct cards Access Bankcard Carte Blanche Choice enRoute Eurocard Everything Laser Rail travel card Revolution Card Solo Switch Accounts Bank card number Card enclosure Credit card balance transfer Credit limit Revolving account Deposit account Current/Checking account Savings account Debt Cash advance Charge-off Maxed out Interest Grace period Introductory rate Universal default Payment Card not present transaction Chargeback Controlled payment number Dispute Interchange fee Interchange fee Surcharge Security Card security code Chargeback fraud Credit card fraud Credit card hijacking Enculturation Technology Automated teller machine Chip and PIN Contactless payment Credit card terminal EMV Interbank network Magnetic stripe card Smart card