Chip and Pin, will EMV cards enhance security at POS?

Don Miller

Authentication is an essential function of a secure managed file transfer process. Basically, authentication is the process of verifying “the source (identity), uniqueness, and integrity (unaltered contents) of a message.” With TDXchange, users can be authenticated automatically using their network identity or by entering a secure username and password, or both.

The issue of payment authentication generated a great deal of attention after the highly publicized data breaches involving theft of credit card data from retailers such as Target and Neiman Marcus. Retailers, both large and small, have had their systems hacked to gain lists of this oh-so precious credit card information.

Existing Payment Authentication Method – “Swipe-and-Sign”

So what is the root cause of all these credit card fraud problems?  Many people have pointed to the magnetic-stripe credit card and the “swipe-and-sign” method of payment authentication. This is the problem, according to one industry publication:

“So you can take any ordinary plastic card,” Conroy says. “It can be an old gift card you’ve gotten. Create your own magnetic stripe. And then use it like any other ATM card.” This magnetic stripe technology is older than the Ford Pinto.Its vulnerabilities let the presumed crooks in this case make duplicate debit cards to use all at once.

This same publication correctly points out that the U.S. is the world’s only advanced economy using “swipe-and-sign,” and that very other member of the G20 group of industrialized countries uses a newer technology.

New Payment Authentication Method – “Chip & PIN”

Believe it or not, a newer technology is coming to the U.S.  The move is toward a smart card, or “Chip & PIN” as it is commonly known.  A microprocessor chip is embedded in the card, and when inserted into a card acceptance device, the chip connects to a reader and allows the exchange of data with the terminal. Instead of signing, you can enter a PIN.  This authentication method has helped to reduce credit card fraud significantly in Europe.

Chip & PIN Authentication is Not a Cure-All for Fraud

You would think from the recent announcements about Chip & Pin cards coming soon to a wallet near you, this sort of activity will be stopped dead in its tracks.  Well, it’s not that easy. Unfortunately Chip & PIN isn’t really going to do much to stop the card number theft. It will, however, make it harder to use those numbers on a cloned card.

The Chip & PIN technology is somewhat old, having been deployed in Europe, Canada and other countries many years ago. I went through the conversion process myself having lived in Europe for quite a number of years. I will admit it wasn’t that much of a problem for me, and after some short period of time, and when most merchants had the new POS terminals, it did make the checkout process so much faster. The added security at restaurants is also a great feature. No longer will you need to give your waiter your card, they will just bring the terminal to you. The small handheld system communicates wirelessly to the main POS system and you handle the transaction right there at the table.

The bigger problem of credit card fraud, of course, is online shopping, and online shopping is worth billions of dollars.  In addition to Chip & PIN, the banks that I was a customer of implemented an online verification process. You registered your card with them and added a personal password. When you made an online purchase, you were sent to the card processor where you entered selected digits from that password, and they verified you and sent you back to the originating site. Once again, this works only on those sites where this technology is installed.

Upon my return to the U.S., I noticed that no one seems to be using that system, and again, while not perfect, it does help reduce the problem. With the coming changes in October 2015, the onus is now going to be on the merchant to validate the purchaser, not the bank. I think we will soon see some major changes in that arena.

According to the UK Card Association, credit card fraud has been reduced by 32%. One frequent problem that still remains, though, is cloning foreign cards and using them in the U.S. with its current swipe and sign system. Once the U.S. does away with this and moves to Chip&Pin, the easy ability to use the massive U.S. market as a source of funds from fraud will be gone.  The hackers may have the numbers, but nowhere to use them. In addition, adding the different forms of authentication should put the unsophisticated criminals out of business, and a serious damper on credit card theft.

While these are major changes, requiring every business in the U.S. to update their POS terminals, it is necessary. Change has to come sometime. These high profile thefts are nothing but advertisements for the cybercriminal mindset. Chip & PIN will also not eliminate credit card theft/fraud because cybercriminals are smart, and sometimes even well organized. But as the criminals change and adapt, so must the payment industry.