Fraud Tactics Against Chip-and-PIN Technology

Very Soon, Swipes will be Out and Inserts will be In

On October 1, retailers across the United States are expected to fully implement EMV payment cards or smart cards and the technology used to authenticate them.

This means that American customers will now be using debit and credit cards with computer chips on them—a technology that is commonly used in Europe, the U.K., and some Asian countries.

This nationwide shift to a new payment system is a response to the breaches of major U.S. companies that resulted in identity and card fraud. Such threats have affected not only thousands but millions of American customers. A spokeswoman from MasterCard revealed in a recent NBC news clip that they have observed a 70 to 80 percent decrease in fraud reports after chip-and-PIN cards were distributed to customers.

While about 60 percent of all stores already have the new card readers in place, credit card companies have been given until the end of the year to issue these new cards in compliance with the new scheme.

Do note, however, that although the new cards and system will take full effect in October, customers will still be signing for credit card transactions; thus, the swipe-and-sign approach will be upgraded to the insert-and-sign approach, at least for the time being, as the debate on whether customers should remember another PIN continues.

Some Things That are Good to Know

A lot of material is already available online regarding this switch to the new payment systems. There may be some terms and concepts that some of you, dear Reader, may still find confusing. This section of the post aims to help you understand some of these terms you may encounter in your reading. We have outlined them below, beginning with the basics:

  • EMV. This refers to the chip-based payment standard or technology that we know of today. The abbreviation stands for Europay, MasterCard, and Visa—the founding organizations that developed this standard. EMVCo, an equity group comprising American Express, JCB, Discover, MasterCard, UnionPay, and Visa, is currently the governing body behind EMV. In the payment industry, “EMV” is frequently used to refer to the chip-and-PIN payment card, excluding the software and EMV-compliant terminals—point-of-sale (POS) devices, automated teller machines (ATMs), and automated fuel dispensers, to name a few—used in authenticating transactions.
  • Chip. Also known as an integrated circuit (IC) or microchip. It is essentially a small computer embedded inside a debit or credit card that can both store and process data, ensuring a card’s authenticity every time it is used. The chip is usually hidden underneath the metallic square called the contact plate found on the front of the card. Data stored in the chip includes the card holder’s information (such as account number), a secret encryption key, and the Application Transaction Counter (ATC). Currently, there are two ways a chip can be read by an EMV terminal: for a contact payment scheme, cards are inserted to physically connect the reader to the hidden chip; for a contactless payment scheme, cards are waved in front of a reader or held close to it.
  • Personal Identification Number (PIN). This refers to the 4-digit number (the would-be standard in the U.S.) that customers enter via a PIN pad on a terminal. A PIN is one of the few known methods of cardholder verification practiced today, and it can be verified online and offline. For the former, the PIN is encrypted and sent to the card issuer; for the latter, the PIN is verified by the chip on the card itself. ISO 9564-1 is the current standard for the secure management of PINs. It has been in effect since 2011.
  • Chip-and-PIN card. This refers to the card with an embedded microchip that is configured to require a PIN for identity verification. To date, it is believed to be the most secure type of card technology. The signature becomes a fallback option in the event that PIN verification is not available. Chip-and-PIN cards are not entirely unknown in the U.S. In fact, some banks issue chip-and-PIN cards to their wealthier customers who frequently travel to countries that favor chip cards over mag-stripe cards.
  • Chip-and-signature card. This refers to the card with an embedded microchip that is configured to require the card holder’s signature for identity verification. To date, this is believed to be less secure than cards requiring a PIN, but more secure than your average swipe card. Chip-and-signature cards are also more widely accepted in the U.S. than chip-and-PIN cards when it comes to face-to-face transactions. The majority of U.S. banks have pushed for this type of EMV card.
  • “Liability shift.” MasterCard defined this industry jargon as “The party, either the issuer or merchant, who does not support EMV, assumes liability for counterfeit card transactions.” Usually when fraud occurs, only the card issuer or bank is liable to reimburse victims. With this new authorization, merchants may be forced to upgrade their terminals and software in compliance with EMV standards to avoid the liability. Having EMV terminals could also encourage customers to use the chip of their cards for payments instead of the mag strip.
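
Added illustration (not part of the original post and not taken from the EMV specifications): a simplified issuer-side model of why the chip's secret key and ATC, described in the "Chip" entry above, make captured transaction data useless for reuse. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the class names, field names, PAN, key and nonce values are all constructed for the example.

```python
import hashlib
import hmac

def cryptogram(key: bytes, pan: str, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    # Stand-in MAC (truncated HMAC-SHA256); real EMV cards use their own scheme.
    msg = pan.encode() + atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Chip:
    """Card side: the secret key and the ATC never leave the chip."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def pay(self, amount_cents: int, nonce: bytes) -> dict:
        self.atc += 1  # the counter advances on every transaction
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents, "nonce": nonce,
                "cryptogram": cryptogram(self._key, self.pan, self.atc, amount_cents, nonce)}

class Issuer:
    """Issuer side: recomputes the cryptogram and tracks the highest ATC accepted."""
    def __init__(self):
        self._cards = {}  # pan -> [key, last accepted ATC]

    def enroll(self, pan: str, key: bytes) -> None:
        self._cards[pan] = [key, 0]

    def authorize(self, tx: dict) -> str:
        card = self._cards.get(tx["pan"])
        if card is None:
            return "DECLINE: unknown card"
        expected = cryptogram(card[0], tx["pan"], tx["atc"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "DECLINE: bad cryptogram"   # data altered, or made without the key
        if tx["atc"] <= card[1]:
            return "DECLINE: stale ATC"        # previously seen transaction data
        card[1] = tx["atc"]
        return "APPROVE"

def demo() -> list:
    key, pan = b"constructed-test-key", "4000000000000002"  # constructed sample values
    issuer, chip = Issuer(), Chip(pan, key)
    issuer.enroll(pan, key)
    genuine = chip.pay(1250, b"\x01\x02\x03\x04")
    results = [issuer.authorize(genuine)]            # fresh transaction from the chip
    results.append(issuer.authorize(dict(genuine)))  # identical data submitted again
    results.append(issuer.authorize({**chip.pay(1250, b"\x05\x06\x07\x08"), "amount": 999999}))
    return results

if __name__ == "__main__":
    print(demo())
```

A magnetic stripe carries only static data, so it offers the issuer neither of the two checks shown in `authorize`.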

Expectations on October 1 and (Perhaps) Beyond

According to this Joram Borenstein article, the Greater Boston area is not yet prepared for this new shift, and it’s possible that other areas are in the same position. Borenstein pointed out that clerks have not been trained to process chip-based transactions and are still heavily reliant on customers swiping instead of inserting their cards. Furthermore, most customers may be clueless on how to use their new card’s chip to make payments.

With these in mind, we can form a rough idea of what to expect when October 1 rolls in. We have listed here just a few expectations, and we’d like to hear your views and expectations in the Comments section at the end of this post:

  • The majority of American consumers would continue to use the magnetic strip of their chip-and-PIN cards. Not only would they refuse to give up the ease of swiping, a PIN requirement is also a major turn-off. Unless they adopt the use of PINs, the security provided by chip cards will never fully take effect.
  • Consumers could still be affected by current threats revolving around mag-stripe cards and card-not-present (CNP) transactions. This, we expect, is something that can’t be avoided in this period of transition to the new system, which is expected to take several years to complete. Still, we expect that the number of fraud victims would have been higher if not for the EMV system.
  • CNP fraud in America is likely to increase. This has happened in Europe, the UK, and Canada after they adopted the EMV payment system.
  • Consumers who also travel abroad may still find it a challenge to use their chip-and-signature cards in countries that require them to enter their PINs. How the EMV system will be implemented in the U.S. differs from how it was implemented in other countries.
  • Consumers who use the chip of their cards to pay for the first time may find themselves walking away from the till, forgetting their cards. This may be a minor human error, but it could easily result in lost cards.

Consumers may begin exploring other modes of payment altogether. Some say that the EMV system is already becoming dated, thanks to emerging technologies that may replace plastic cards altogether. We’re talking about mobile payment platforms, key fobs and other wearable payment devices, and even biometrics in payment.

Practical Security Practices for Chip Cards

Payment card threats need not be as sophisticated as the “pre-play attack” (PDF) in order to be effective. As long as chip-and-PIN and chip-and-signature cards continue to be issued with a working magnetic strip on them, potentially all threats affecting the old credit and debit cards can also affect EMV cards.

  1. Continue to apply security best practices for handling debit and credit cards. This includes making sure that there are no skimming devices attached to ATM kiosks, covering the pad when entering your PIN on a terminal to hinder “shoulder-surfing” individuals, keeping your PIN a secret, and asking attendants in shops and restaurants to swipe your payment card in front of you.
  2. Consider purchasing your own chip card reader to authenticate Internet transactions. Doing so can address fraud threats for CNP transactions.
  3. Opt to use the PIN instead of your signature in every purchase transaction. We understand that you’re not used to it; however, choosing the security of your account and personal details over ease of use is a sacrifice worth making.
  4. Check chip card terminal slots for modifications or wires. This may be a sign of obvious tampering and should be reported to the merchant immediately.

Jovi Umawing
