I've heard that the UK is using smart card/PIN systems to make credit card transactions safer. How does the technology work, and does it make sense for the U.S. as well?
The technology you describe is called Chip and PIN. It is a British technology designed to fulfill European mandates for secure credit card transactions; it requires credit card users to enter a PIN into a card reader when making a transaction. The PIN is meant to replace the signature that a user normally gives when purchasing with a credit card; an onboard chip securely holds authentication information and encryption keys. The system was designed to prevent fraud and forged signatures.
In essence, Chip and PIN was meant to turn every credit card into a smart card and enable strong "two-factor" authentication. The PIN would serve as the second authentication factor: the card being "what you have" and the PIN being "what you know."
Chip and PIN was also meant to replace the magnetic stripe currently found on credit cards. In practice, however, the stripe remains on the card as a backup, reserved for those transactions when the chip can't be read properly. The technology was first rolled out in the UK in 2003, and within three years the UK government required all card holders to use only their PIN.
Similar technology -- based on the EMV chip card standard -- has been successful in France, where the country has reduced credit card fraud by about 80%, but the UK program has had problems from the start. The implementation of expensive smart card readers at the point of sale has been an issue for smaller businesses, which led to Chip and PIN cards continuing to include magnetic stripes. Research has also suggested that Chip and PIN cards aren't any more secure than traditional cards, as PINs can be stolen and readers can be tampered with.
Would the Chip and PIN system work in the U.S.? Perhaps, but its security kinks would first need to be resolved. Remember, a PIN isn't inherently more secure than a signature. It's basically just another credential that can be stolen or "nicked" as the British would say. There are also cultural issues. While smart cards have been adopted within enterprises, they have yet to hit the American market, which tends to be more resistant to these types of technologies.
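To make the "what you have / what you know" split concrete, here is an added illustration that is not part of the original answer: a simplified Python model of a chip card, a terminal and an issuer. It is a constructed teaching model, not the EMV protocol (real cards use different primitives and many more fields); all class and function names are assumptions. The chip keeps a card-unique key and the reference PIN, verifies the PIN offline with a try counter, and MACs each transaction together with a counter and a terminal-supplied random value, so a recording made by a tampered reader cannot be replayed. The magnetic stripe, by contrast, is static data, which is why a skimmed copy authorizes just like the original.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of a chip-and-PIN transaction. Not EMV:
# it only shows why a chip that keeps a secret key and counts transactions
# is harder to clone or replay than a static magnetic stripe.


def transaction_bytes(pan: str, amount: int, atc: int, unpredictable: bytes) -> bytes:
    """Serialize the fields the cryptogram authenticates."""
    return b"|".join([pan.encode(), str(amount).encode(), atc.to_bytes(2, "big"), unpredictable])


class ChipCard:
    """The chip: holds a card-unique key and the reference PIN; neither is readable."""

    def __init__(self, pan: str, pin: str, key: bytes) -> None:
        self.pan = pan
        self._pin = pin
        self._key = key
        self.atc = 0              # application transaction counter, incremented per use
        self.pin_tries_left = 3   # offline PIN try counter; the chip locks at zero

    def verify_pin(self, candidate: str) -> bool:
        if self.pin_tries_left == 0:
            return False
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.pin_tries_left = 3
            return True
        self.pin_tries_left -= 1
        return False

    def generate_cryptogram(self, amount: int, unpredictable: bytes) -> tuple[int, bytes]:
        """MAC over the transaction with the key that never leaves the chip."""
        self.atc += 1
        msg = transaction_bytes(self.pan, amount, self.atc, unpredictable)
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """The bank: shares each card's key and remembers the last counter it saw."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}
        self._track_data: dict[str, bytes] = {}

    def personalize(self, pan: str, pin: str) -> ChipCard:
        key = os.urandom(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, pin, key)

    def authorize_chip(self, pan: str, amount: int, atc: int, unpredictable: bytes, cryptogram: bytes) -> bool:
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False  # unknown card, or a counter value already used (replay)
        expected = hmac.new(key, transaction_bytes(pan, amount, atc, unpredictable), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key: a cloned chip cannot produce this
        self._last_atc[pan] = atc
        return True

    def issue_stripe(self, pan: str) -> bytes:
        track = f"{pan}=2512".encode()  # static track data: whoever reads it has everything
        self._track_data[pan] = track
        return track

    def authorize_stripe(self, track: bytes) -> bool:
        return track in self._track_data.values()


def chip_purchase(card: ChipCard, issuer: Issuer, amount: int, entered_pin: str) -> str:
    """What the terminal does: check the PIN, then ask the chip for a cryptogram."""
    if not card.verify_pin(entered_pin):
        return "declined: PIN"
    unpredictable = os.urandom(4)  # fresh per transaction, so an old cryptogram never verifies
    atc, cryptogram = card.generate_cryptogram(amount, unpredictable)
    ok = issuer.authorize_chip(card.pan, amount, atc, unpredictable, cryptogram)
    return "approved" if ok else "declined: cryptogram"


def replay_attack(card: ChipCard, issuer: Issuer, amount: int, entered_pin: str) -> tuple[str, str]:
    """A tampered reader records one legitimate exchange and sends it a second time."""
    card.verify_pin(entered_pin)
    unpredictable = os.urandom(4)
    atc, cryptogram = card.generate_cryptogram(amount, unpredictable)
    first = "approved" if issuer.authorize_chip(card.pan, amount, atc, unpredictable, cryptogram) else "declined"
    second = "approved" if issuer.authorize_chip(card.pan, amount, atc, unpredictable, cryptogram) else "declined: replay"
    return first, second


def demo() -> dict:
    issuer = Issuer()
    card = issuer.personalize("4000001234567899", "1234")  # constructed sample card
    results = {}
    results["genuine"] = chip_purchase(card, issuer, 2500, "1234")
    results["replay"] = replay_attack(card, issuer, 999, "1234")
    forged = hmac.new(b"guess", transaction_bytes(card.pan, 5, card.atc + 1, b"\0\0\0\0"), hashlib.sha256).digest()
    results["forged"] = issuer.authorize_chip(card.pan, 5, card.atc + 1, b"\0\0\0\0", forged)
    for _ in range(3):
        chip_purchase(card, issuer, 100, "0000")  # three wrong guesses lock the chip
    results["locked"] = chip_purchase(card, issuer, 100, "1234")
    track = issuer.issue_stripe(card.pan)
    results["stripe_clone"] = "approved" if issuer.authorize_stripe(bytes(track)) else "declined"
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the model does and does not show: the cryptogram and counter defeat cloning and replay of the chip, and the try counter limits PIN guessing, but nothing here stops a tampered reader from recording the PIN as it is typed and then using it with a stripe copy, which is exactly the weakness the answer above points to.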
Answered by Joel Dubin, past SearchSecurity.com expert.