Chip and PIN heads for cyberspace

Trials of technology to fight online fraud due next year

By Steve Ranger, 27 September 2005 09:55

Chip and PIN debit and credit cards have all but conquered the high street and will soon be taking on internet fraudsters.

There are around 140 million payment cards in circulation in the UK and 107 million are now chip and PIN cards. As most of us have more than one card in our wallets and purses, that means 83 per cent of us will have one, with more and more banks and building societies rolling out the cards.

During June 2005 a total of 221 million chip and PIN transactions took place - around 85 PIN-verified transactions per second at tills across the UK.

Apacs, the Association for Payment Clearing Services, which is overseeing the rollout, insists that the new cards are much more secure than the old magnetic strip cards, despite claims that shoulder surfing and other tricks are undermining them.

A spokesman for Apacs said: "With the old-style card if someone was to steal it all they would need was the signature. With chip and PIN there's an extra level of security because you need to know the number as well - and it's not written on the back of the card in the same way as the signature is."

Next month it will release figures for card fraud covering January to June this year, which will be the first since the chip and PIN deadline passed. Since 1 January this year, retailers have had to swallow the cost of fraudulent card purchases if they aren't PIN verified.

Apacs told silicon.com: "What we can say for certain is that when we first announced we were going down the chip and PIN route we said that if we didn't, card fraud for 2005 would be £800m. It's definitely not going to be anywhere near that - so that's the impact it's having."

Chip and PIN was designed to cut fraud at the till. But it is also being extended to cover 'card not present' transactions such as online shopping.

Apacs is working with the banking industry to develop a standard for chip and PIN card readers for the home. Placing the card into the reader and tapping in the PIN will generate a one-time password which could be used to authenticate purchases online.

MasterCard has created a worldwide standard for the card readers but Apacs is working on a local version.

The Apacs spokesman said: "What we are doing in the UK is working on a UK-specific standard. We want one device that you could use for any card."

The token-based authentication standard should be complete sometime later this year, with UK banks piloting it around nine months later - probably around this time next year.

But some companies are already dipping their toes into the water - last year Barclaycard kicked off its own trial of the technology, issuing 5,000 customers with standalone card readers in a bid to reduce online fraud, which it said at the time was a "critical barrier" to ecommerce.

Barclaycard's trial is still ongoing but a spokesman told silicon.com that "the results of the initial tests were encouraging".

But as around 35 to 40 per cent of all credit card losses are thought to come from 'card not present' transactions, anything that drives down fraud is likely to be welcomed by customers and banks.

Comments

There are 6 comments.

  1. Ian Livermore

    Chip and Pin, insecure and unpopular with card holders. The majority of card holders that enter our retail premises hate using chip and pin and still question the security behind it. For security you must enhance what you already have, so to cut down on fraud we should have had chip pin and sign. Some cards are in joint names; how can we tell whose card it is when a chip and pin is used? Why does our terminal still give all the card holder details on the printout? Banks don't care in the slightest what happens financially as they are always covering themselves. PS that also includes juggling statistics when mistakes are made!

  2. David

    Chip and PIN is all very well, but as far as I can see, if someone steals your card then the highest risk is from your own bank. I bank with Smile and recently a branch of the Coop bank was more than happy to allow me to withdraw £500 over the counter just using my debit card and a signature, even though it was a Chip and PIN card. How secure is that?

  3. anonymous

    I have just become a 'refusenik' for what would have been a new chip & pin card. I called CS and expressed my concerns; they are sending an alternative card.

  4. anonymous

    I was just reading the comments left by other readers... and may I say, how ignorant can you possibly be?

    To the person who said "a criminal used my card and signed for their purchases despite it being a chip and pin card"...

    pin-verification isn't mandatory at the point of sale until Feb 14th 2006... to allow people to get used to the system.

    To the person who talked about not knowing the difference between joint account cards...

    joint accounts have two cards issued, the cards have different names on them and can have either the same PIN for both, or different pins. You can tell whose card it is... by looking at the name on the front!

    And to everyone who questions the security behind chip and pin... it's not a perfect system that will completely eliminate cardholder-present fraud.

    But look at it this way... if you drop your card on the street, and it's not chip and pin... all a criminal has to do is copy your signature which is most conveniently printed on the back. But with PINs... it's private. Yes, people "shoulder-surf"... but shoulder surfing is harder on the criminal than simply turning the card over!

  5. Roger

    When you enter your PIN, where does the matching take place, to check you have entered the right number? A retailer told me that the online terminal sends your PIN to the card company's computer, where it is checked against their records. This seems in principle to be reasonably secure. However, recently in a restaurant I was given a hand-held card reader, with no wires connecting it to anything else. This reader accepted my PIN, which makes me think that the PIN must be encoded in the chip on each card. If this is the case, this seems very insecure. If a small hand-held device can read the PIN encoded on the chip on my card, it can't be long before a crook works out how to produce a machine which will read and divulge my PIN. Can someone enlighten me?

  6. Marc Wilson

    The hand-held card readers are connected via a wireless link to a server in the back of the restaurant. The PIN and card details are sent encrypted.

    There are concerns about PIN and Chip, but that's not one of them - the PIN is *not* embedded in the card anywhere.
