Chip card technology, also known as chip-and-PIN, chip-and-sign or EMV technology, is quickly becoming the global payment standard. According to Payments Leader, 40 percent of cards issued worldwide and 70 percent of point-of-sale (POS) terminals use EMV. However, American banks and merchants are just starting to make the switch, with an October 2015 deadline looming for businesses to implement chip-capable technology. But how do chip cards really work? What are the benefits? More importantly, are there any drawbacks?

The New Chip Card Standard

American consumers are familiar with swipe credit card technology, in which card data is statically encoded on a magnetic stripe (magstripe) that is then run through POS systems. Typically, users must supply their swipe card and PIN or their card and a signature. The problem? Data on these cards can be easily copied using inexpensive reader machines, allowing criminals to duplicate credit and debit cards. To address this issue, Europay, MasterCard and Visa (EMV) developed a new standard: chip cards.

So what are they? As noted by Chase Paymentech, these cards come with an embedded micro computer chip and magstripe. The chip must be inserted into a compatible POS machine, at which time it is dynamically authenticated. First, the card is checked to ensure it is activated and hasn’t expired. Then, a set of unpredictable numbers is generated to encrypt the transmission of card data to the relevant financial institution. The bank or credit card company then authenticates the transaction and sends back an encrypted approval. The biggest benefit of chip cards is reduced fraud, since chips are much harder to duplicate and it is impossible to manually enter card numbers or use carbon-copy paper alternatives.

Half Measures?

In an effort to align with global POS technologies and improve security, MasterCard and Visa have set an October 2015 deadline for what they term a “liability shift,” according to the Wall Street Journal. Both companies are putting their full support behind EMV technology in the United States, and as of this fall, they will shift liability for fraud to whichever party — merchant or financial institution — uses less secure technology. Thus, if merchants have chip capabilities but banks don’t issue chip cards, banks bear the cost. If merchants choose swipe-and-sign chip cards, they’re liable if fraud occurs. The idea here is to compel both banks and retailers to adopt chip cards at the same time and significantly reduce total credit card fraud.

However, as discussed by GeekWire, there is a loophole. While chip cards fall under the new rules, the choice to go chip-and-PIN or chip-and-sign is left up to merchants. Mike Cook, assistant treasurer of Wal-Mart, put it bluntly when he said, “The fact that we didn’t go to PIN is such a joke.” Why? Because signatures are much easier to fake than PINs since they’re rarely checked for accuracy. This means a chip card is no defense in the case of a lost or stolen wallet since criminals could simply insert the chip, scribble a signature and be on their way.

Risky Business

There are also concerns that chip card technology may not be entirely secure and cannot completely eliminate fraud. In the United Kingdom, for example, EMV was fully adopted in 2006. Counterfeit card fraud is down significantly, but card-not-present fraud, which occurs during online or telephone transactions, is on the rise.

According to The Hacker News, chip cards also have several inherent vulnerabilities. First, researchers have been able to predict the pattern of supposedly unpredictable numbers, allowing them to duplicate chip cards and eliminate the ability of banks to detect fraudulent transactions. Security researchers also found a way to perform man-in-the-middle attacks on chip cards by compromising the subprocess, which determines the authentication required by a POS terminal. The result is the ability to bypass PIN or signature requirements altogether. Finally, Wired reports that a British team found flaws in some “contactless” Visa chip cards, which allowed the approval of foreign currency transactions up to $999,999.99

Card Blanche?

What’s the bottom line for EMV? Is this technology the new way forward, or do companies need to start from scratch? As evidenced by success in Europe, opting for chip-and-PIN cards can significantly reduce the amount of counterfeit card fraud and limit the chances of fraud in the case of lost or stolen cards. However, the technology isn’t perfect. Chip-and-signature is a less secure form, and several card-level vulnerabilities have been identified. However, big credit players are throwing their weight behind the chip card standard — like it or loathe it, liability shifts in October.

More from Banking & Finance

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today