Cheat Sheet: Chip and PIN

Update: What's next for our pin money?

By silicon.com, 13 June 2007 12:50

What is it?
Chip and PIN cards look the same as standard magnetic-strip cards, but inside the chip and PIN cards have a computer chip. The main difference to you is that instead of signing for each purchase you enter a four-digit number into a keypad at the cash register, much like you do when withdrawing cash at an ATM. It's nothing new - it was used in France, Australia and New Zealand for around 10 years before coming to the UK.

I remember in the old days, having to sign my name…
That's right. In 2006 the UK migrated retail and banking transactions to chip and PIN from the standard magnetic strip technology. Even if the store you want to use it at has not switched to chip and PIN - although most have - you can still use the card; you'll just have to provide your signature instead of a PIN to verify the transaction. Same goes for using it overseas - you can still use the card, but you may have to sign instead of entering your PIN.

So mind if I ask - why the change?
The official line is that chip and PIN technology would help cut down on fraud, which card companies say costs them about £500m per year. The argument is that PINs are harder to guess than signatures are to forge, and that chip and PIN cards are more difficult to replicate than magnetic strip cards. It should be noted that the switchover cost more than £1bn, according to the card companies, so it does seem they're expecting to recoup quite a bit of money from reducing fraud.

Why not use biometrics instead?
Funny you should mention that. A number of other technologies were examined to cut down on fraud, including putting photos on cards as well as biometric solutions such as fingerprint and iris scanning and voice recognition. But all of these were deemed too expensive to implement and/or not reliable enough.

Why isn't it the best approach?
Well, I'm not saying it isn't. It's just that there's been a lot of debate over why chip and PIN was chosen and how well it will work. The first concern for many people is having to remember a PIN for each card they own - and making sure that PIN is relatively hard to guess. This is an especially big concern for the visually impaired or any disabled person that may have trouble entering or remembering a PIN. Anyone who falls into these categories should contact their card company - they may be able to continue to sign for transactions.

Anything else I should know about?
Why, yes. A debate is still raging over whether PINs really are more secure than signatures. Some say PINs are easier to glean than signatures. You could get them by peeking over someone's shoulder while they enter it in the keypad. Of course, the PIN alone will not do any damage - the person committing fraud will have to get hold of the card too. Others say signatures are the less secure of the two options, especially because many shop keepers don't actually examine the signature and compare it to the one on the card at the time of purchase.

Do I have to use chip and PIN?
Unless you carry foreign bank or credit cards or some type of other chip card, such as Chip and Signature, you will have to learn those four digits.

So has it stamped out fraud like it was meant to?
Since Chip and PIN was launched, Apacs, the UK payment industry body, says it has had a significant impact in reducing fraud. During the first year following Chip and PIN's introduction, UK card fraud fell by 13 per cent and by another three per cent in the year after.

Counterfeit card fraud was also cut by 24 per cent in 2005 while card fraud at retailers fell by an impressive 47 per cent in 2006, meaning a £146.7m fall in the two years Chip and PIN had been in place. Apacs said that as a result of the switchover, shoppers are safer and that fraudsters have been denied millions of pounds of stolen money.

I sense there's a 'but' coming…
And you'd be right. Despite the overall reduction in card fraud, statistics have shown a marked increase in online, phone and mail order or 'card not present' fraud with online banking fraud doubling in 2005.

But card-not-present fraud now makes up nearly 50 per cent of all card fraud losses and online banking losses rose by 44 per cent. Apacs blames this on this kind of fraud being relatively new, and it is likely to continue to rise until people become more aware of it.

There was also one notable scam allegedly linked to Chip and PIN shortly after it became compulsory. Shell had to take the precautionary measure of suspending the use of Chip and PIN at its 600 UK filling stations after the theft of more than £1m from customer accounts.

Having said that, Shell and Apacs said the issue was the result of an inside job so this perhaps shouldn't be taken as a serious indicator of a problem with Chip and PIN.

Apacs also points out that in 2002, it forecast card fraud would hit £800m by 2005 if Chip and PIN was not brought in, so in those terms you could say it has been a success.

So where next for Chip and PIN?
The banking industry is addressing the issue of card-not-present fraud by working on the next generation of fraud prevention technologies - such as handheld chip and PIN devices.

The technology developed by MasterCard and Visa for use when shopping online or over the phone has been taken on by Apacs, Barclays and RBS, among others.

The jury's still out then?
You could say that. But in truth, the evidence points to Chip and PIN being a success in the long term with a few niggles - such as the rise in online fraud - that remain to be resolved.

Comments

There are 17 comments.

  1. anonymous

    I think there will be an increase in mugging, all they need to do is watch you type your pin in, steal your card from you outside and then happily withdraw cash from any ATM in the land!! Apparently in France they use two pin numbers, a private one for cash and a less secure one for purchases.

  2. anonymous

    In Iceland recently, not one establishment checked the signature I gave before returning the card. In the USA, Canada and Italy it seems to be the same. So roll on the advent of chip-&-pin - the extra backbone in the checking will be welcome!

  3. anonymous

    I worked in Iceland a few years ago and all the debit/credit cards there have a coloured photo on. They check the photo not the signature.

    Icelandic bank cards are also used as a form of official ID. The cards have your date of birth on them, your ID number as well as the coloured photo. Therefore if you lose your bank card then you have lost your official ID which means you cannot do things varying from the very official like interact with government departments to hire videos.

    I have a Royal Bank of Scotland card and this has a black and white photo on it. The vast majority of shops I go into only check my photo properly not my actual signature. Shop assistants have actually said to me many times that having my photo on my card makes their life easier.

    Having worked in a shop myself you are aware that you have to allow for a slight variation on the signature that someone signs on the card to what they sign on the receipt. This means it's very hard to work out if the card is stolen, and most stolen cards that are uncovered are due to the shop assistant's gut instinct.

  4. Terence Freedman

    Many types of transaction will avoid PIN technology - all non-present transactions: post, Web, e-mail, phone.
    What are the ratios by number and by value of holder present to holder not present transactions in the UK?

  5. anonymous

    I do not trust the technology.
    What is to stop a terminal which stores card details and keyed PIN from being used and the information sold to third parties?

    My issuer told me that only official machines will be used but I have seen a variety of logos on card readers (and some with none). The issuer will not respond to my concern.

  6. Bill Johnston

    The likelihood of anyone acquiring PINs by "hacking" a bank's systems is virtually zero because PINs are securely stored in an encrypted form and never available in the clear. This has been standard practice for over a decade.

    The (fraud) issue is not the security of the method. Rather it is the accuracy of authenticating the card holder.

    Given that the card holder protects their PIN properly, only they will know the digits. Therefore, the entry of the PIN is a positive and secure form of authentication. Given that the PIN is associated with a specific card, this constitutes a two factor authentication; very strong.

    Signatures are not a secure form of authentication because virtually no retailer personnel can discern between legitimate and fraudulent signatures. Also, there is no electronic association with the card. Visual association by the store clerk is far less accurate than PIN verification.

    There is no fraud with PIN-based payments. The fraud on signature authenticated payments is rampant, world-wide. That alone should end the debate.

  7. Bill Johnston

    Terminals do not store PINs. In fact, the regulations and standards expressly prohibit the terminal from storing a PIN. Visa and MasterCard have published the rules. ISO, ANSI, FIPS, and others have published the standards. All PIN Entry Devices and software are required to be laboratory tested and approved.

  8. Mike

    The two pin idea is good. If the weak link is the magnetic stripe (surely this doesn't hold the pin?) then one pin associated with chip transactions and one with swipe transactions would virtually eliminate skimming.
    With regard to "Card not present" transactions, there are basically two solutions: 1) the use of "one time" authentication codes. 2) preauthentication of certain suppliers with whom you regularly do business eg. Tescos, Amazon, Your Garage etc. - but this would require big changes for the card companies.
    Another way, the punter can keep the fraud down is to use one card for chip and pin and a different card for "swipe" or "card not present etc". with a low credit limit. The problem here is the card companies keep upping the credit limit automatically.

  9. Nick Rozanski

    Chip and PIN technology may be secure but you are ignoring the people aspect.

    I already have to remember many PINs, passwords and identifiers and it gets worse by the day. I'm able to resist the temptation to use my birthday for all PINs and passwords, but many people won't.

    And even if you pick a hard-to-guess PIN, you're probably going to have to write it down somewhere. And even if it's not written down what's to stop a fraudster using threat, blackmail or deception to get someone to reveal their PIN.

    That's the weak point in this solution, not the technology, and I have yet to see any ways of mitigating the people risk. (But of course the banks don't care now, because liability is with someone else ...)

  10. Simon

    Even if chip and pin does not reduce the actual volume of high street fraud, the figures can show that it does - because the banks have taken the opportunity to shift the risk onto the retailer ! The banks will do much better, but retailers will take the losses and their figures will be much harder to add up.

    As to terminals not storing pins, tosh ! Yes, official terminals will not store pins, but there is nothing to stop an unscrupulous gang changing the software so that it does.

    A good number of EPOS systems run on commodity hardware (often running that highly secure OS called Windows XP !). Many of them are connected to the internet and/or open wireless networks.

    OK, it's a very non-trivial task, hard to do without detection and/or a trail back to the criminal, and at the moment almost certainly 'hard enough' that it's not worth the effort. Not a big risk, but certainly a risk that cannot be said to not exist.

  11. anonymous

    Think hard about this, have any of you ever thought of using REAL MONEY (pounds and pence) to pay for your purchases?

    Chip and pin, swipe and sign are now out of date due to so called technology that is so easily copied.

    I work out how much I need and add a percentage for "emergencies", then draw that amount over the counter. Any money left over either goes back to the Bank, or is included in the following weeks budget.

    This is not rocket science, just basic common sense.

  12. anonymous

    The downside for C&P for the consumer lies in your Bank dismissing any card transaction that completes using the stored PIN, EVEN IF YOU DIDN'T SUPPLY IT!!! This is all about shifting the blame to innocent third parties. Demand a Chip & signature card to avoid this problem.

  13. David

    I agree with Anonymous from Maidenhead. I travel fairly frequently to the US and most places seem to swipe the card and give it back to you not having looked at the sig strip at all. I've been tempted to sign the slip as D Duck and see what happened.

  14. BillK

    So, it cost about 1,000 million to deploy?
    And it saved 146.7 million in two years, offset by increases in fraud elsewhere?

    What a waste of time and money!

    Good business for the IT industry though, so we mustn't grumble too much.

  15. Graham Coles

    So, 'There is no fraud with PIN-based payments.'

    Absolute rubbish!

    Reminds me of the UK banks' denial that fraud was impossible with cash dispensers, until it was proven that it was.

    UK filling stations have also proven that C&P fraud can, and does take place. Never underestimate the ingenuity of people when it comes to scamming money.

    Hustlers are good at spotting pins when entered (they can only ever be secret in your head). This is worsened by the way in which terminals are often presented for payment, making it difficult to even conceal the pin when entered.

    And that's before you consider all the store cameras that are recording you (or the micro wireless camera that someone has placed in an appropriate position).

    Sorry, but until someone invents telepathic pin entry, fraud still exists with C&P.

  16. Mike

    To deter fraud we have these two options.

    OPTION 1: Stop fraudsters from obtaining our personal details, stolen and skimmed cards and PIN numbers. It is obvious that it is virtually impossible for us to stop fraudsters from obtaining these details. This shows why our bad problems will continue to get worse because we are relying on this bad system to deter fraud.

    OPTION 2: Make signature and PIN number systems reliable as proposed via use of the ID KEY system described on website www.xwave.co.uk. Since this system will deter fraudsters from getting tempted to misuse our details they have obtained it will be effective in deterring fraud and hence eliminate the need for us to protect our personal details, cards and PIN numbers. This shows that unless the government and financial institutions support and implement the ID KEY system fraud crimes will continue to grow like wild forest fires in every sector of the industry.

    Since the government and financial institutions do not have an effective system to protect the public and entire business from fraudsters, they should exploit the proposed ID KEY system before it is too late to stop a fraud boom.

  17. peter

    Just like fake passports, photos do not work on fake cards. In reality this system will make it easier for the fraudsters to fool others to trust them and this is why this system is now outdated and is not getting exploited.
