You’ve perhaps heard about a new credit card technology called Chip and Pin. Well, I say new, but it’s been in Europe already for around a decade, and when it rolled out there it reduced credit card fraud by around 80%.
The old way
Regular credit cards in the United States work off of a static (non-changing) system of data storage on the card—the magnetic strip. There are numerous techniques for stealing the data on that strip, and once it’s gone you essentially have a compromised credit card.
The CVV number (the three or four digits on the card) tries to help with that, but it has two flaws:
- It’s not required for all transactions
- It can also be stolen
The key thing to remember about the U.S. system is that both the credit card data on the magnetic strip and the CVV number are static, meaning they don’t change. So once they’re gone they’re gone.
The new way
Chip and PIN adds security to the system by simply adding a variable component to every transaction. The technical spec used is called EMV, which stands for Europay, MasterCard, and Visa.
The Chip and Pin enabled cards are actually called Smart Cards, which has a specific meaning. Smart cards interact with the network in a one-time fashion, producing per-transaction data that is difficult or impossible to reuse.
In the case of Chip and Pin credit cards (one such type of smart card), the system works like this:
- You place your card into the machine that reads the chip
- While the card is still in the machine, you enter your PIN
- The smart card (your credit card, debit card, or ATM card) then produces a one-time use code and communicates it with the network to authorize the transaction
The key to the enhanced security of the system is that each time the chip is used and combined with a PIN a different one-time transaction code is created, so stealing information on the card is not useful to attackers.
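To make the static-versus-per-transaction contrast concrete, here is an added Python sketch (not from the original post, and a simplified stand-in for the real EMV cryptogram: a card-unique key, an application transaction counter and a terminal nonce are assumed). A copied strip is indistinguishable from the original, while a captured chip cryptogram fails on second presentation because the issuer rejects reused counter values.

```python
import hashlib
import hmac
import os

# Simplified model of the page's point: magnetic-strip data is static and can
# be presented again unchanged, while a chip computes a fresh cryptogram per
# transaction over a counter and a terminal nonce. Illustrative construction,
# not the real EMV cryptogram derivation.

def _msg(atc: int, amount: int, terminal_nonce: bytes) -> bytes:
    return atc.to_bytes(4, "big") + amount.to_bytes(8, "big") + terminal_nonce

class ChipCard:
    def __init__(self, key: bytes):
        self._key = key   # card-unique key, never leaves the chip
        self.atc = 0      # application transaction counter, only increases

    def generate_cryptogram(self, amount: int, terminal_nonce: bytes):
        self.atc += 1
        mac = hmac.new(self._key, _msg(self.atc, amount, terminal_nonce), hashlib.sha256)
        return self.atc, mac.digest()

class Issuer:
    def __init__(self, key: bytes):
        self._key = key
        self.last_atc = 0   # highest counter accepted so far for this card

    def authorize(self, atc: int, amount: int, terminal_nonce: bytes, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:   # counter reuse: replayed or stale transaction
            return False
        expected = hmac.new(self._key, _msg(atc, amount, terminal_nonce), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc = atc
        return True

def magstripe_replay_accepted() -> bool:
    track = b"PAN=4111111111111111;EXP=1230"   # constructed sample track data
    captured = bytes(track)                  # a copy is indistinguishable from the original
    return captured == track

def chip_replay_accepted() -> bool:
    key = os.urandom(32)
    card, issuer = ChipCard(key), Issuer(key)
    nonce = os.urandom(4)                    # terminal's unpredictable number
    atc, cryptogram = card.generate_cryptogram(1999, nonce)
    assert issuer.authorize(atc, 1999, nonce, cryptogram)   # genuine first use
    return issuer.authorize(atc, 1999, nonce, cryptogram)   # same data presented again
```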
- As with most security mechanisms, perfect security is not achieved by implementing Chip and Pin. The implementation simply makes attacks more difficult when compared to legacy magnetic-strip-based cards like those used in the United States.
- No signature is required for Chip and Pin transactions.
- Around 50% of fraud is now done without a credit card present, which is called card-not-present (CNP) fraud. When the consumer is making a transaction without a terminal to read the chip it’s not possible to benefit from the increased security of Chip and Pin, and these types of transactions are where attackers are now focusing their attention.