Chip card technology, also known as chip-and-PIN, chip-and-sign or EMV technology, is quickly becoming the global payment standard. According to Payments Leader, 40 percent of cards issued worldwide and 70 percent of point-of-sale (POS) terminals use EMV. However, American banks and merchants are just starting to make the switch, with an October 2015 deadline looming for businesses to implement chip-capable technology. But how do chip cards really work? What are the benefits? More importantly, are there any drawbacks?

The New Chip Card Standard

American consumers are familiar with swipe credit card technology, in which card data is statically encoded on a magnetic stripe (magstripe) that is then run through POS systems. Typically, users must supply their swipe card and PIN or their card and a signature. The problem? Data on these cards can be easily copied using inexpensive reader machines, allowing criminals to duplicate credit and debit cards. To address this issue, Europay, MasterCard and Visa (EMV) developed a new standard: chip cards.

So what are they? As noted by Chase Paymentech, these cards come with an embedded micro computer chip and magstripe. The chip must be inserted into a compatible POS machine, at which time it is dynamically authenticated. First, the card is checked to ensure it is activated and hasn’t expired. Then, a set of unpredictable numbers is generated to encrypt the transmission of card data to the relevant financial institution. The bank or credit card company then authenticates the transaction and sends back an encrypted approval. The biggest benefit of chip cards is reduced fraud, since chips are much harder to duplicate and it is impossible to manually enter card numbers or use carbon-copy paper alternatives.

Half Measures?

In an effort to align with global POS technologies and improve security, MasterCard and Visa have set an October 2015 deadline for what they term a “liability shift,” according to the Wall Street Journal. Both companies are putting their full support behind EMV technology in the United States, and as of this fall, they will shift liability for fraud to whichever party — merchant or financial institution — uses less secure technology. Thus, if merchants have chip capabilities but banks don’t issue chip cards, banks bear the cost. If merchants choose swipe-and-sign chip cards, they’re liable if fraud occurs. The idea here is to compel both banks and retailers to adopt chip cards at the same time and significantly reduce total credit card fraud.

However, as discussed by GeekWire, there is a loophole. While chip cards fall under the new rules, the choice to go chip-and-PIN or chip-and-sign is left up to merchants. Mike Cook, assistant treasurer of Wal-Mart, put it bluntly when he said, “The fact that we didn’t go to PIN is such a joke.” Why? Because signatures are much easier to fake than PINs since they’re rarely checked for accuracy. This means a chip card is no defense in the case of a lost or stolen wallet since criminals could simply insert the chip, scribble a signature and be on their way.

Risky Business

There are also concerns that chip card technology may not be entirely secure and cannot completely eliminate fraud. In the United Kingdom, for example, EMV was fully adopted in 2006. Counterfeit card fraud is down significantly, but card-not-present fraud, which occurs during online or telephone transactions, is on the rise.

According to The Hacker News, chip cards also have several inherent vulnerabilities. First, researchers have been able to predict the pattern of supposedly unpredictable numbers, allowing them to duplicate chip cards and eliminate the ability of banks to detect fraudulent transactions. Security researchers also found a way to perform man-in-the-middle attacks on chip cards by compromising the subprocess, which determines the authentication required by a POS terminal. The result is the ability to bypass PIN or signature requirements altogether. Finally, Wired reports that a British team found flaws in some “contactless” Visa chip cards, which allowed the approval of foreign currency transactions up to $999,999.99

Card Blanche?

What’s the bottom line for EMV? Is this technology the new way forward, or do companies need to start from scratch? As evidenced by success in Europe, opting for chip-and-PIN cards can significantly reduce the amount of counterfeit card fraud and limit the chances of fraud in the case of lost or stolen cards. However, the technology isn’t perfect. Chip-and-signature is a less secure form, and several card-level vulnerabilities have been identified. However, big credit players are throwing their weight behind the chip card standard — like it or loathe it, liability shifts in October.

More from Banking & Finance

How the ZeuS Trojan Info Stealer Changed Cybersecurity

4 min read - Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data. Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The…

4 min read

2022 Industry Threat Recap: Finance and Insurance

5 min read - The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

5 min read

How to Spot a Nefarious Cryptocurrency Platform

4 min read - Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

4 min read

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read