Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > How secure is the Chip and PIN card system?
Ask The Security Expert: Questions & Answers
EMAIL THIS

How secure is the Chip and PIN card system?

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 11 March 2007
I've heard that the UK is using smart card/PIN systems to make credit card transactions safer. How does the technology work, and does it make sense for the U.S. as well?

>
The technology you describe is called Chip and PIN. A British technology designed to fulfill European mandates for secure credit card transactions; it requires credit card users to enter a PIN number into a card reader when making a transaction. The PIN is meant to replace the signature that a user normally gives when purchasing with a credit card; an onboard chip securely holds authentication information and encryption keys. The system was designed to prevent fraud and forged signatures.

In essence, Chip and PIN was meant to turn every credit card into a smart card, and enable strong "two-factor" authentication, The PIN would serve as the second authentication factor: the card being "what you have and the PIN being "what you know."

Chip and PIN was also meant to replace the magnetic stripe currently found on credit cards. In practice, however, the stripe remains on the card as a backup, reserved for those transactions when the chip can't be read properly. The technology was first rolled out in the UK in 2003, and within three years the UK government required all card holders to use only their PIN.

Similar technology -- based on the EMV chip card standard -- has been successful in France, where the country has reduced credit card fraud by about 80%, but the UK program has had problems from the start. The implementation of expensive smart card readers at the point of sale has been an issue for smaller businesses, which led to Chip and PIN cards continuing to include magnetic stripes. Research has also suggested that Chip and PIN cards aren't any more secure than traditional cards, as PIN numbers can be stolen and readers can be tampered with.

Would the Chip and PIN system work in the U.S.? Perhaps, but its security kinks would first need to be resolved. Remember, a PIN isn't inherently more secure than a signature. It's basically just another credential that can be stolen or "nicked" as the British would say. There are also cultural issues. While smart cards have been adopted within enterprises, they have yet to hit the American market, which tends to be more resistant to these types of technologies.

For more information:

  • Prevent fraud: security expert Shon Harris discuses several fraud risk assessment methodologies.
  • If your organization processes credit card holder information, make sure you know the 12 PCI requirements.


    • BROWSE BY TAG
    Identity Management and Access Control,   Security Token and Smart Card Technology,   Enterprise Identity and Access Management,   User Authentication Services,   Security Industry Market Trends, Predictions and Forecasts,   Information Security Management,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Identity Management and Access Control
    Is Identity Management as a Service (IDaaS) a good idea?
    How to log in to multiple servers with federated single sign-on (SSO)
    How to confirm the receipt of an email with security protocols
    Learn about enterprise strategy for server virtualization single sign-on
    Employee information security awareness training for new IAM systems
    Can you combine RFID tag technology with GPS to track stolen goods?
    Is there a free enterprise-caliber password-management tool?
    Cryptosystem attacks that do not involve obtaining the decryption key
    Can any firm or organization get a digital signature certificate?
    Should the CTO have domain administrator access?

    Security Token and Smart Card Technology
    First Data, RSA push tokenization for payment processing
    How to log in to multiple servers with federated single sign-on (SSO)
    Best Authentication Products
    Are 'strong authentication' methods strong enough for compliance?
    Risk management must include physical-logical security convergence
    RSA researcher Ari Juels: RFID tags may be easily hacked
    Portable security storage device could replace OTP devices
    Can you combine RFID tag technology with GPS to track stolen goods?
    Security token and smart card authentication
    Embedded smart card chips are open to hack attacks

    Security Industry Market Trends, Predictions and Forecasts
    Hackers to sharpen malware, malicious software in 2010
    Part 1: Marcus Ranum on the state of information security
    Part 2: Marcus Ranum on the state of information security
    Part 4: Marcus Ranum on the state of information security
    Part 3: Marcus Ranum on the state of information security
    Part 5: Marcus Ranum on the state of information security
    Layoffs prompt insider threat fears, cybersecurity survey finds
    Healthcare security spending remains sluggish, report shows
    How to use Internet security threat reports
    M86 buys Web security gateway vendor Finjan
    Security Industry Market Trends, Predictions and Forecasts Research

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    authentication server  (SearchSecurity.com)
    Chameleon Card  (SearchSecurity.com)
    key chain  (SearchSecurity.com)
    key fob  (SearchSecurity.com)
    key string  (SearchSecurity.com)
    national identity card  (SearchSecurity.com)
    security token  (SearchSecurity.com)
    smart card  (SearchSecurity.com)
    tokenization  (SearchSecurity.com)
    two-factor authentication  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts