Chip and PIN
Chip and PIN is the brand name adopted by the banking industries in the United Kingdom and Ireland for the rollout of the EMV smartcard payment system for credit, debit and ATM cards.
History
Until the introduction of Chip and PIN, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under this system, the customer hands their card to the clerk at the point of sale, who either "swipes" the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the account details are verified and a slip for the customer to sign is printed. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the signature matches that on the back of the card to authenticate the transaction.
This system has proved reasonably effective, but has a number of security flaws, including the ability to steal a card in the post, or to learn to forge the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, allowing cards to be easily cloned and used without the owner's knowledge.
How it works
To solve this, banks and retailers are replacing traditional magnetic stripe equipment with smartcard technology, where credit and debit cards contain an embedded microchip and are authenticated automatically using a personal identification number (PIN). When a customer wishes to pay for goods using this system, the card is placed into a "PIN pad" terminal or a modified swipe-card reader, which accesses the chip on the card. Once the card has been verified as authentic, the customer enters a 4-digit PIN, which is submitted to the chip on the smartcard; if it matches the PIN held on the chip, the chip tells the terminal the PIN was correct, otherwise it informs it the PIN was incorrect.
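The following Python model is an added illustration of the card-side PIN check just described; it is not code from this article, from any bank, or from the EMV specification. The terminal only ever submits a candidate PIN and receives a verdict; the reference PIN never leaves the card. The three-try limit, the decrement-before-compare ordering and the reset on success are assumptions made for this model (real EMV cards do maintain a PIN Try Counter, but the article does not describe it).

```python
import hmac
from dataclasses import dataclass, field

# Constructed, illustrative model of chip-side PIN verification.
MAX_PIN_TRIES = 3  # assumption: typical limit of the card's PIN Try Counter


@dataclass
class ChipCard:
    """Model of the chip: holds the reference PIN and a PIN Try Counter (PTC).

    The reference PIN never leaves the card; the terminal only submits a
    candidate and receives a verdict.
    """
    reference_pin: str = field(repr=False)  # keep the secret out of logs/repr
    pin_tries_left: int = MAX_PIN_TRIES

    def verify_pin(self, candidate: str) -> tuple[str, int]:
        """Card-side PIN check. Returns (verdict, tries_left).

        Verdicts are "ok", "wrong" or "blocked". A malformed candidate is
        rejected by the format check and does not consume a try.
        """
        if self.pin_tries_left == 0:
            return ("blocked", 0)
        if len(candidate) != 4 or not candidate.isdigit():
            raise ValueError("PIN must be exactly 4 digits")
        # Decrement before comparing (assumed defensive ordering): if power is
        # cut in the middle of the check, the try has still been consumed.
        self.pin_tries_left -= 1
        # Constant-time comparison so timing does not reveal which digit differs.
        if hmac.compare_digest(candidate.encode(), self.reference_pin.encode()):
            self.pin_tries_left = MAX_PIN_TRIES  # a successful verify resets the counter
            return ("ok", self.pin_tries_left)
        if self.pin_tries_left == 0:
            return ("blocked", 0)
        return ("wrong", self.pin_tries_left)


def pin_pad_transaction(card: ChipCard, entered_pins: list[str]) -> str:
    """Model of the PIN pad loop: each entry goes to the card, which decides.

    entered_pins is the sequence the customer types (constructed test input).
    """
    for candidate in entered_pins:
        verdict, _tries_left = card.verify_pin(candidate)
        if verdict == "ok":
            return "approved"
        if verdict == "blocked":
            return "declined: PIN blocked"
        # "wrong": the pad prompts again while the card still allows tries
    return "declined: PIN not verified"


if __name__ == "__main__":
    card = ChipCard(reference_pin="4921")  # constructed sample PIN
    print(pin_pad_transaction(card, ["1234", "4921"]))          # approved
    card = ChipCard(reference_pin="4921")
    print(pin_pad_transaction(card, ["0000", "1111", "2222"]))  # declined: PIN blocked
    print(card)  # repr shows the tries left but never the PIN
```

The two details worth noting for a practitioner are that the comparison is constant-time and that the counter is decremented before the comparison and only restored on success, so an interrupted check cannot give the customer a free attempt.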
France has cut card fraud by more than 80%. Chip and PIN is the name given to the initiative in the UK; other countries are launching their own systems based on the EMV standard, which is a group effort between Europay, MasterCard and VISA. By the end of 2004, 100 countries should have been using compatible systems based on this standard.
Crime reduction
While EMV technology has helped reduce crime at the tills, when it comes to telephone, internet, and mail order—known in the industry as card-not-present or CNP—fraud, the figures are growing every year, and made up more than 50% of all credit card fraud. Since this has become a major area of fraud, other initiatives such as Verified by Visa and MasterCard SecureCode (implementations of Visa's 3-D Secure protocol) are being implemented to improve CNP security. Since 2008 VISA has been running pilot projects using the Emue card, which has a chip, a mini-keypad, a display, and a battery expected to last three years; the user enters a PIN and a secure one-time-only code is displayed which replaces the code printed on the back of standard cards.
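The article does not say how the Emue card derives its one-time code. As an added example (not the article's, Visa's or Emue's code), the Python below models the property that matters for CNP fraud: a code that is valid once and cannot be reused, as opposed to the static code printed on the back of a card. It uses a counter-based construction in the style of RFC 4226 HOTP; the shared secret, the six-digit length, the counter handling and the issuer's look-ahead window are all assumptions of this model.

```python
import hashlib
import hmac
import struct

# Constructed illustrative model of a display-card one-time code scheme.


def one_time_code(card_secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style code (RFC 4226 construction): HMAC-SHA1 over the counter,
    dynamically truncated and reduced to a fixed number of decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(card_secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code_int = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


class DisplayCard:
    """Card side: each press advances the counter and shows a fresh code."""

    def __init__(self, card_secret: bytes):
        self._secret = card_secret  # assumed to be personalised into the chip
        self.counter = 0

    def next_code(self) -> str:
        self.counter += 1
        return one_time_code(self._secret, self.counter)


class IssuerVerifier:
    """Issuer side: accepts a code only within a look-ahead window and never twice."""

    def __init__(self, card_secret: bytes, window: int = 5):
        self._secret = card_secret
        self.last_counter = 0      # highest counter value already consumed
        self.window = window       # assumption: tolerate a few unused presses

    def verify(self, code: str) -> bool:
        # Try the next `window` counter values; a match consumes that value and
        # every earlier one, so the same code (or an older one) is rejected later.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(one_time_code(self._secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-card-secret"  # constructed sample secret
    card, issuer = DisplayCard(secret), IssuerVerifier(secret)
    first = card.next_code()
    print(issuer.verify(first))   # True: fresh code accepted
    print(issuer.verify(first))   # False: replay of the same code rejected
```

A static card security code is only as secret as the last merchant that stored it; with the counter scheme a captured code is worthless after one use, and the window lets the issuer resynchronise when the customer generated codes without using them.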
Conversion
Chip and PIN was trialled in Northampton, England from May 2003, and as a result was rolled out nationwide in the United Kingdom in 2004 with advertisements in the press and national television touting the "Safety in Numbers" slogan. During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN. On January 1, 2005, the liability for such transactions was shifted to the retailer; this acted as an incentive for retailers to upgrade their point of sale (PoS) systems, and most major high-street chains upgraded on time for the EMV deadline. Many smaller businesses were initially reluctant to upgrade their equipment, as it required a completely new PoS system—a significant investment.
New cards featuring both magnetic strips and chips are now issued by all major banks. The replacement of pre-Chip and PIN cards was a major issue, as banks simply stated that consumers would receive their new cards "when their old card expires"—despite many people having had cards with expiry dates as late as 2007. The card issuer Switch lost a major contract with HBOS to VISA as they were not ready to issue the new cards as early as the bank wanted to. This change angered many, as Visa's Electron cards are generally not accepted online, unlike Switch's Solo.
Cardholders who are incapable of entering a PIN because of a disability can contact their bank to be issued with a Chip and Signature card.
In the Republic of Ireland a PIN has been required with Chip-and-PIN-enabled cards since 17 March 2007.
Benefits
Under the old system, a customer had to hand their card to the assistant to pay for a transaction. When credit cards were first introduced, offline portable card imprinters (mechanical rather than magnetic) which did not connect to the card issuer were used without the card leaving the customer's sight; transactions over a certain limit had to be verified by telephoning the card issuer. Later equipment was introduced which electronically contacted the card issuer using information from the magnetic stripe to verify the card and authorise the transaction; this was much faster, but had to be in a fixed location. Consequently, if the transaction did not take place near a terminal (in a restaurant, for example) the card had to be taken away from the customer to the card machine. It was easily possible at any time for a dishonest employee to swipe the card surreptitiously through a cheap machine which would take a couple of seconds to record the information on the card and stripe; in fact, even at the terminal, the criminal could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards easy, and a common occurrence.
Since the introduction of Chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used on a PIN terminal. Fortuitously, the introduction of chip and PIN coincided with wireless data communications technology becoming inexpensive and widespread, and wireless PIN pads were introduced that could be brought to the customer and used without the card ever being out of sight (this would have been possible, had the technology been available, with magnetic stripe cards). Chip and PIN and wireless together reduce the risk of cloning of cards by brief swiping.
Banks' liability
Until 1 November 2009 banks' legal liability in cases of unauthorised use of card accounts was subject to terms of the voluntary Banking Code, and in many cases banks refused to reimburse cardholders who reported unauthorised card use, claiming that their systems could not fail and consequently the cardholder must have acted "without reasonable care"—the Code states that unless a bank can prove that its customer acted fraudulently or without reasonable care, the most that the customer will be liable for is £50.
The Financial Services Authority (FSA) Payment Services Regulations 2009 came into force on 1 November 2009 and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault. The Financial Services Authority said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability.
Banks originally not liable by default
The Chip and PIN implementation was criticised as designed to reduce the liability of banks in cases of claimed card fraud by requiring the customer to prove that they had acted "with reasonable care" to protect their PIN and card, rather than the bank having to prove that the signature matched. Before Chip and PIN, if a customer's signature was forged, the banks were legally liable and had to reimburse the customer. Until 1 November 2009 there was no such law protecting consumers from fraudulent use of their Chip and PIN transactions, only the voluntary Banking Code. While this code stated that the burden of proof is on the bank to prove negligence or fraud rather than the cardholder having to prove innocence, there were many reports that banks refused to reimburse victims of fraudulent card use, claiming that their systems could not fail under the circumstances reported, despite several documented successful large-scale attacks.
This changed on 1 November 2009 when legal, rather than voluntary, regulations came into force requiring banks to reimburse cardholders unless they could prove that the transaction was authorised by the cardholder.
Foreign cards
Chip and PIN systems can cause problems for travellers from countries that do not issue chip and PIN cards (most notably, the USA) as some retailers may refuse to accept their chipless cards. However, United Nations Federal Credit Union (UNFCU) will be the first issuer in the US to offer credit cards with a high security chip, although one must be a member of the United Nations to apply. While most terminals will still accept a magnetic strip card, and the major credit card brands require vendors to accept them, poorly trained staff may refuse to take the card under the mistaken belief that they will be held liable for any fraud if the card cannot verify a PIN. Non-chip-and-PIN cards may also not work in some unattended vending machines at, for example, transport stations. In 2010 a number of companies began issuing pre-paid debit cards that incorporate Chip & PIN, which allows Americans to load up cash as euros or British pounds.
As of June 17, 2011, Chase began offering the JP Morgan Select Visa credit card, which also offers a Chip & Signature, but not Chip & PIN capability, to US cardholders. No prior relationship with JP Morgan is required to sign up for the new card, but the absence of a PIN associated with the Chip may make these cards less useful as most unattended kiosks will not accept them. Chase is telling customers that when used in unattended kiosks or fuel stations, the chip in the card is recognized, then the terminal will report "checking PIN", and the transaction will be approved without having entered a PIN. This transaction process is similar to Chase's existing "Blink" approval process.
Vulnerabilities, fraud, and misuse
Chip and PIN cards are not foolproof; several vulnerabilities have been found and demonstrated, and there have been large-scale instances of fraudulent exploitation. In many cases banks have been reluctant to accept that their systems could be at fault and have refused to refund victims of what is arguably fraud, although legislation introduced in November 2009 has improved victims' rights and put the onus on the banks to prove negligence or fraud by the cardholder. Vulnerabilities and fraud are discussed in depth in the main article.
See also
- IT risk
- Two-factor authentication, an article on the security principles behind Chip and PIN.
- Chip Authentication Program, using Chip-and-PIN cards to secure online and telephone banking.
- Supply chain attack
- Vulnerabilities
External links
- Chip and PIN Official homepage
- Chip and PIN Ireland homepage
- Lloyds TSB: Chip and PIN Guide
- Visa EU
- What is EMV?, a technical guide to EMV transactions, complete with a glossary of terms and a flowchart showing the stages of a typical transaction
- BBC News Online
- Chip and Pin is Broken
- Chip and Pin is Definitely Broken