Chip card technology, also known as chip-and-PIN, chip-and-sign or EMV technology, is quickly becoming the global payment standard. According to Payments Leader, 40 percent of cards issued worldwide and 70 percent of point-of-sale (POS) terminals use EMV. However, American banks and merchants are just starting to make the switch, with an October 2015 deadline looming for businesses to implement chip-capable technology. But how do chip cards really work? What are the benefits? More importantly, are there any drawbacks?
The New Chip Card Standard
American consumers are familiar with swipe credit card technology, in which card data is statically encoded on a magnetic stripe (magstripe) that is then run through POS systems. Typically, users must supply their swipe card and PIN or their card and a signature. The problem? Data on these cards can be easily copied using inexpensive reader machines, allowing criminals to duplicate credit and debit cards. To address this issue, Europay, MasterCard and Visa (EMV) developed a new standard: chip cards.
So what are they? As noted by Chase Paymentech, these cards come with an embedded micro computer chip and magstripe. The chip must be inserted into a compatible POS machine, at which time it is dynamically authenticated. First, the card is checked to ensure it is activated and hasn’t expired. Then, a set of unpredictable numbers is generated to encrypt the transmission of card data to the relevant financial institution. The bank or credit card company then authenticates the transaction and sends back an encrypted approval. The biggest benefit of chip cards is reduced fraud, since chips are much harder to duplicate and it is impossible to manually enter card numbers or use carbon-copy paper alternatives.
In an effort to align with global POS technologies and improve security, MasterCard and Visa have set an October 2015 deadline for what they term a “liability shift,” according to the Wall Street Journal. Both companies are putting their full support behind EMV technology in the United States, and as of this fall, they will shift liability for fraud to whichever party — merchant or financial institution — uses less secure technology. Thus, if merchants have chip capabilities but banks don’t issue chip cards, banks bear the cost. If merchants choose swipe-and-sign chip cards, they’re liable if fraud occurs. The idea here is to compel both banks and retailers to adopt chip cards at the same time and significantly reduce total credit card fraud.
However, as discussed by GeekWire, there is a loophole. While chip cards fall under the new rules, the choice to go chip-and-PIN or chip-and-sign is left up to merchants. Mike Cook, assistant treasurer of Wal-Mart, put it bluntly when he said, “The fact that we didn’t go to PIN is such a joke.” Why? Because signatures are much easier to fake than PINs since they’re rarely checked for accuracy. This means a chip card is no defense in the case of a lost or stolen wallet since criminals could simply insert the chip, scribble a signature and be on their way.
There are also concerns that chip card technology may not be entirely secure and cannot completely eliminate fraud. In the United Kingdom, for example, EMV was fully adopted in 2006. Counterfeit card fraud is down significantly, but card-not-present fraud, which occurs during online or telephone transactions, is on the rise.
According to The Hacker News, chip cards also have several inherent vulnerabilities. First, researchers have been able to predict the pattern of supposedly unpredictable numbers, allowing them to duplicate chip cards and eliminate the ability of banks to detect fraudulent transactions. Security researchers also found a way to perform man-in-the-middle attacks on chip cards by compromising the subprocess, which determines the authentication required by a POS terminal. The result is the ability to bypass PIN or signature requirements altogether. Finally, Wired reports that a British team found flaws in some “contactless” Visa chip cards, which allowed the approval of foreign currency transactions up to $999,999.99
What’s the bottom line for EMV? Is this technology the new way forward, or do companies need to start from scratch? As evidenced by success in Europe, opting for chip-and-PIN cards can significantly reduce the amount of counterfeit card fraud and limit the chances of fraud in the case of lost or stolen cards. However, the technology isn’t perfect. Chip-and-signature is a less secure form, and several card-level vulnerabilities have been identified. However, big credit players are throwing their weight behind the chip card standard — like it or loathe it, liability shifts in October.