Light Dark
April 10, 2015 By Douglas Bonderud 3 min read
Banking & Finance
Identity & Access

Chip card technology, also known as chip-and-PIN, chip-and-sign or EMV technology, is quickly becoming the global payment standard. According to Payments Leader, 40 percent of cards issued worldwide and 70 percent of point-of-sale (POS) terminals use EMV. However, American banks and merchants are just starting to make the switch, with an October 2015 deadline looming for businesses to implement chip-capable technology. But how do chip cards really work? What are the benefits? More importantly, are there any drawbacks?

The New Chip Card Standard

American consumers are familiar with swipe credit card technology, in which card data is statically encoded on a magnetic stripe (magstripe) that is then run through POS systems. Typically, users must supply their swipe card and PIN or their card and a signature. The problem? Data on these cards can be easily copied using inexpensive reader machines, allowing criminals to duplicate credit and debit cards. To address this issue, Europay, MasterCard and Visa (EMV) developed a new standard: chip cards.

So what are they? As noted by Chase Paymentech, these cards come with an embedded micro computer chip and magstripe. The chip must be inserted into a compatible POS machine, at which time it is dynamically authenticated. First, the card is checked to ensure it is activated and hasn’t expired. Then, a set of unpredictable numbers is generated to encrypt the transmission of card data to the relevant financial institution. The bank or credit card company then authenticates the transaction and sends back an encrypted approval. The biggest benefit of chip cards is reduced fraud, since chips are much harder to duplicate and it is impossible to manually enter card numbers or use carbon-copy paper alternatives.

Half Measures?

In an effort to align with global POS technologies and improve security, MasterCard and Visa have set an October 2015 deadline for what they term a “liability shift,” according to the Wall Street Journal. Both companies are putting their full support behind EMV technology in the United States, and as of this fall, they will shift liability for fraud to whichever party — merchant or financial institution — uses less secure technology. Thus, if merchants have chip capabilities but banks don’t issue chip cards, banks bear the cost. If merchants choose swipe-and-sign chip cards, they’re liable if fraud occurs. The idea here is to compel both banks and retailers to adopt chip cards at the same time and significantly reduce total credit card fraud.

However, as discussed by GeekWire, there is a loophole. While chip cards fall under the new rules, the choice to go chip-and-PIN or chip-and-sign is left up to merchants. Mike Cook, assistant treasurer of Wal-Mart, put it bluntly when he said, “The fact that we didn’t go to PIN is such a joke.” Why? Because signatures are much easier to fake than PINs since they’re rarely checked for accuracy. This means a chip card is no defense in the case of a lost or stolen wallet since criminals could simply insert the chip, scribble a signature and be on their way.

Risky Business

There are also concerns that chip card technology may not be entirely secure and cannot completely eliminate fraud. In the United Kingdom, for example, EMV was fully adopted in 2006. Counterfeit card fraud is down significantly, but card-not-present fraud, which occurs during online or telephone transactions, is on the rise.

According to The Hacker News, chip cards also have several inherent vulnerabilities. First, researchers have been able to predict the pattern of supposedly unpredictable numbers, allowing them to duplicate chip cards and eliminate the ability of banks to detect fraudulent transactions. Security researchers also found a way to perform man-in-the-middle attacks on chip cards by compromising the subprocess, which determines the authentication required by a POS terminal. The result is the ability to bypass PIN or signature requirements altogether. Finally, Wired reports that a British team found flaws in some “contactless” Visa chip cards, which allowed the approval of foreign currency transactions up to $999,999.99

Card Blanche?

What’s the bottom line for EMV? Is this technology the new way forward, or do companies need to start from scratch? As evidenced by success in Europe, opting for chip-and-PIN cards can significantly reduce the amount of counterfeit card fraud and limit the chances of fraud in the case of lost or stolen cards. However, the technology isn’t perfect. Chip-and-signature is a less secure form, and several card-level vulnerabilities have been identified. However, big credit players are throwing their weight behind the chip card standard — like it or loathe it, liability shifts in October.

 |  |  |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from Banking & Finance
December 19, 2024

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

November 26, 2024

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature