Protecting Your Credit Card With Chip and Pin


NEW YORK (MainStreet) — There are lots of reasons why America's credit networks remain insecure, but the two biggest are costs and liability.

It's obvious that the magnetic stripes on the back of current credit cards don't carry enough data to protect identities or transactions. Hacking is now done on an industrial, global scale. But solving the problem will take money, and banks want to pay for it by shifting the liability for fraud to merchants.

Authorities now think the recent Target breach began with eastern European hackers who got malware into cash registers and may have accessed central databases. It has resulted in the arrest of two Mexican nationals using the stolen numbers. The numbers were supposedly obtained online.

The Target breach makes clear that the mag-stripes on the back of today's credit cards, and the processing networks they connect with, can't keep up with what criminals can do to break them. Terminals and cards have to be replaced, and networks updated.

The solution is called "chip and pin" technology. It has been used on European credit cards for a decade. It isn't perfect but it's much better than mag-stripes.

Such cards use a computer chip called an EMV chip instead of a mag-stripe (EMV stands for Europay, MasterCard, and Visa, which cooperated in creating the technology). The chips contain a random number generator which creates a "digital signature" for each transaction using a four-digit PIN entered by the customer. No data will get stored or transmitted "in the clear," and the encryption for each transaction is unique. Thieves can't use a stolen credit card without knowing the PIN.

It will cost money to implement chip and pin. All consumers will need new credit cards. Merchants have to get new terminals. Clerks have to be retrained to use the technology.

Small merchants will likely wait for their acquiring banks to change out terminals. Larger merchants may pay for their own replacements, with an eye toward future updates in technology.

Companies like Square that currently sell mag-stripe based transaction processing systems will have to match competitors like Payleven that have already introduced mobile chip and pin systems in Europe.

Still, the old technology has one key advantage. Customers can get back what is stolen from them. Merchants are not liable for fraud.

To push chip and pin, banks plan to change that, altering liability rules for merchants by October 2015. Visa U.S.A. documents call this date the "liability shift." Instead of issuing banks taking responsibility for fraud, acquiring banks will be on the hook for it.

Your issuing bank is named on the front of your card. An acquiring bank is hired by the merchant to process their transactions and get their money from you. Credit card networks handle the dance between issuing and acquiring banks, with processors handling the details and passing out the money.

Acquiring banks charge merchants for transactions and can raise the rate merchants pay based on losses from all sources, which after October 2015 could include fraud. Responsibility for fraud is thus shifted to merchants, through the acquiring banks.

In the U.S., consumers have almost never been held liable for credit card fraud beyond $50. In Europe, with chip and pin, the burden of proving that fraud did occur is on the consumer.

As a result, news in 2012 that there may be a fault in chip and pin was a very big deal.

Researchers at Cambridge University in the United Kingdom found the random number generator could be tricked using a smartcard or by injecting phony transactions into the network. They said a shop controlled by crooks could also extract data from chip and pin cards, including PINs, allowing the crooks to create copies.

Officials admit chip and pin isn't 100% safe but claim that cracking the chip and pin random number, and thus its encryption, is much harder than just stealing mag-stripe data. Vulnerabilities can also be closed faster than with mag-stripes, the banks say, since they occur on a transaction-by-transaction basis. Huge caches of unencrypted card numbers just aren't made available under chip and pin.

Then again, there's always cash.

--Written by Dana Blankenhorn for MainStreet
