At the end of last year, two of the biggest credit card companies in America officially rolled out their newest technology—the microchip. Visa and MasterCard paraded this advancement as an answer to the swipe technology that was employed for decades. Hundreds of millions of dollars were spent to distribute newly chipped debit and credit cards to account holders. Over $8 billion dollars was spent by large retailers to install new card readers that are capable of handling the new microchip technology to process transactions. All of this expense and effort was done to increase card security and decrease fraudulent transactions.
The marketing behind the new technology sounds impressive and the chipped cards look sleek. But for all of the bells and whistles that these new cards offer, increased security against fraud and cybercrime isn’t one of them. In fact, some experts are arguing that these new cards may be even less secure than their chip-less predecessors.
So why were these chips introduced as the answer to credit card security? Well, the answer is a little complicated, at their conception, the chips were designed to decrease the ease of making purchases with fraudulent cards made with stolen numbers. The chip contains a cryptographic key that authenticates the card as the credit or debit card that it is claiming to be. The problem, however, comes in when retailers and credit card companies allow a signature to be used in conjunction with the chipped cards rather than a PIN. If customers are forced to use chip-and-pin, the transaction produces multifactor authentication. If the PIN doesn’t match the card PIN, then the transaction fails. If the retailer allows cardholders to use the chip-and-signature combination there is nothing to validate the signature in any way that produces additional security.
In an interview with Wired, Brian Dodge, Executive Vice President of the Retail Industry Leaders Association said, “Chip-and-PIN has been proven to combat fraud dramatically. But that’s not what American consumers are getting, and thus far, banks have gone to great lengths to blur the lines between the two distinctly different transactions.” Signatures can easily be forged, and since card readers make no attempts to authenticate the signature, the whole process undoes the added security measures that the chip claims to offer. Visa and MasterCard have thus far defended the chip, noting that PINs add protection for stolen cards and the chip is designed to protect against counterfeit fraud.
It may be too soon to tell what the real impacts of the chip may be, but it is clear that educated consumers should still be taking every precaution to avoid credit card theft rather than relying on the chips to do it for them. After about 6 months with this new technology, it is clear there is still much confusion. Even with card readers in place, some stores do not force customers to use them. Other stores will use the reader and ask for a PIN if it is a debit card and a signature if it is a credit card. The reasoning behind this could be that most people don’t know their credit card pins but do know their ATM pin number. There is still a large learning curve and we have yet to determine if chip-and-card will provide better protection for retail purchases.
What we do know is that chip-and-PIN technology provides no benefit for online transactions. Cybercrime, data leaks and online fraud continue to grow. News about websites being hacked is occurring more and more frequently. Hackers are now after more than just our credit card information. Usernames and passwords have become just as valuable. These new cards with the microchip will never help solve the problems with online transactions. However, the idea behind chip-and-PIN may be quite valuable to the Internet. The most effective way of controlling online fraud is by using multifactor authentication. The only way for this to be effective is to force the user to have to authenticate a transaction with something that is never shared online. This could be a biometric authentication such as a fingerprint or quite simply a PIN. Since the second form of authentication can never be shared online, it will have to occur on a physical device not related to the Web. This could be a fingerprint reader that has been added to a keyboard or mouse. However, it is more likely that this control device will become a mobile phone.
The idea behind chip-and-PIN is very strong. Implementing and enforcing the requirements that will make the chip become more than just an ornament will be the big challenge.