Chip card technology, also known as chip-and-PIN, chip-and-sign or EMV technology, is quickly becoming the global payment standard. According to Payments Leader, 40 percent of cards issued worldwide and 70 percent of point-of-sale (POS) terminals use EMV. However, American banks and merchants are just starting to make the switch, with an October 2015 deadline looming for businesses to implement chip-capable technology. But how do chip cards really work? What are the benefits? More importantly, are there any drawbacks?

The New Chip Card Standard

American consumers are familiar with swipe credit card technology, in which card data is statically encoded on a magnetic stripe (magstripe) that is then run through POS systems. Typically, users must supply their swipe card and PIN or their card and a signature. The problem? Data on these cards can be easily copied using inexpensive reader machines, allowing criminals to duplicate credit and debit cards. To address this issue, Europay, MasterCard and Visa (EMV) developed a new standard: chip cards.

So what are they? As noted by Chase Paymentech, these cards come with an embedded micro computer chip and magstripe. The chip must be inserted into a compatible POS machine, at which time it is dynamically authenticated. First, the card is checked to ensure it is activated and hasn’t expired. Then, a set of unpredictable numbers is generated to encrypt the transmission of card data to the relevant financial institution. The bank or credit card company then authenticates the transaction and sends back an encrypted approval. The biggest benefit of chip cards is reduced fraud, since chips are much harder to duplicate and it is impossible to manually enter card numbers or use carbon-copy paper alternatives.

Half Measures?

In an effort to align with global POS technologies and improve security, MasterCard and Visa have set an October 2015 deadline for what they term a “liability shift,” according to the Wall Street Journal. Both companies are putting their full support behind EMV technology in the United States, and as of this fall, they will shift liability for fraud to whichever party — merchant or financial institution — uses less secure technology. Thus, if merchants have chip capabilities but banks don’t issue chip cards, banks bear the cost. If merchants choose swipe-and-sign chip cards, they’re liable if fraud occurs. The idea here is to compel both banks and retailers to adopt chip cards at the same time and significantly reduce total credit card fraud.

However, as discussed by GeekWire, there is a loophole. While chip cards fall under the new rules, the choice to go chip-and-PIN or chip-and-sign is left up to merchants. Mike Cook, assistant treasurer of Wal-Mart, put it bluntly when he said, “The fact that we didn’t go to PIN is such a joke.” Why? Because signatures are much easier to fake than PINs since they’re rarely checked for accuracy. This means a chip card is no defense in the case of a lost or stolen wallet since criminals could simply insert the chip, scribble a signature and be on their way.

Risky Business

There are also concerns that chip card technology may not be entirely secure and cannot completely eliminate fraud. In the United Kingdom, for example, EMV was fully adopted in 2006. Counterfeit card fraud is down significantly, but card-not-present fraud, which occurs during online or telephone transactions, is on the rise.

According to The Hacker News, chip cards also have several inherent vulnerabilities. First, researchers have been able to predict the pattern of supposedly unpredictable numbers, allowing them to duplicate chip cards and eliminate the ability of banks to detect fraudulent transactions. Security researchers also found a way to perform man-in-the-middle attacks on chip cards by compromising the subprocess, which determines the authentication required by a POS terminal. The result is the ability to bypass PIN or signature requirements altogether. Finally, Wired reports that a British team found flaws in some “contactless” Visa chip cards, which allowed the approval of foreign currency transactions up to $999,999.99

Card Blanche?

What’s the bottom line for EMV? Is this technology the new way forward, or do companies need to start from scratch? As evidenced by success in Europe, opting for chip-and-PIN cards can significantly reduce the amount of counterfeit card fraud and limit the chances of fraud in the case of lost or stolen cards. However, the technology isn’t perfect. Chip-and-signature is a less secure form, and several card-level vulnerabilities have been identified. However, big credit players are throwing their weight behind the chip card standard — like it or loathe it, liability shifts in October.

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today