Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > How secure is the Chip and PIN card system?
Ask The Security Expert: Questions & Answers
EMAIL THIS

How secure is the Chip and PIN card system?

Joel Dubin EXPERT RESPONSE FROM: Joel Dubin

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 11 March 2007
I've heard that the UK is using smart card/PIN systems to make credit card transactions safer. How does the technology work, and does it make sense for the U.S. as well?

>
EXPERT RESPONSE
The technology you describe is called Chip and PIN. A British technology designed to fulfill European mandates for secure credit card transactions; it requires credit card users to enter a PIN number into a card reader when making a transaction. The PIN is meant to replace the signature that a user normally gives when purchasing with a credit card; an onboard chip securely holds authentication information and encryption keys. The system was designed to prevent fraud and forged signatures.

In essence, Chip and PIN was meant to turn every credit card into a smart card, and enable strong "two-factor" authentication, The PIN would serve as the second authentication factor: the card being "what you have and the PIN being "what you know."

Chip and PIN was also meant to replace the magnetic stripe currently found on credit cards. In practice, however, the stripe remains on the card as a backup, reserved for those transactions when the chip can't be read properly. The technology was first rolled out in the UK in 2003, and within three years the UK government required all card holders to use only their PIN.

Similar technology -- based on the EMV chip card standard -- has been successful in France, where the country has reduced credit card fraud by about 80%, but the UK program has had problems from the start. The implementation of expensive smart card readers at the point of sale has been an issue for smaller businesses, which led to Chip and PIN cards continuing to include magnetic stripes. Research has also suggested that Chip and PIN cards aren't any more secure than traditional cards, as PIN numbers can be stolen and readers can be tampered with.

Would the Chip and PIN system work in the U.S.? Perhaps, but its security kinks would first need to be resolved. Remember, a PIN isn't inherently more secure than a signature. It's basically just another credential that can be stolen or "nicked" as the British would say. There are also cultural issues. While smart cards have been adopted within enterprises, they have yet to hit the American market, which tends to be more resistant to these types of technologies.

For more information:

  • Prevent fraud: security expert Shon Harris discuses several fraud risk assessment methodologies.
  • If your organization processes credit card holder information, make sure you know the 12 PCI requirements.


    • Sound Off! -   Be the first to post a message to Sound Off!


    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Identity Management and Access Control
    CardSpace vs. user IDs and passwords
    Biometrics vs. biostatistics
    What are the dangers of using radio frequency identification (RFID) tags?
    What should an internal support model for identity management look like?
    What are the risks of connecting a Web service to an external system via SSL?
    What precautions should be taken if biometric data is compromised?
    How to choose the right biometric security product
    How to prevent hackers from accessing your router security password
    How does identity propagation work?
    Is it secure to use .NET membership class for user authentication?

    Tokens and Smart Cards
    Video: Changes ahead for MIT Kerberos Consortium
    Kerberos: Authentication with some drawbacks
    What are the dangers of using radio frequency identification (RFID) tags?
    Smart card deployment: How to know if it's smart for your enterprise
    Can tokenization of credit card numbers satisfy PCI requirements?
    Is there a way to bridge physical and logical security without using smart cards or biometrics?
    Preparing for integrated physical and logical access control: The common authenticator
    Are one-time password tokens susceptible to man-in-the-middle attacks?
    What are the PCI DSS compliance benefits of tokenization?
    Compliance benefits of tokenization

    Security Industry Market Trends, Predictions and Forecasts
    Economic lull
    Forrester: NAC ready for wider deployments
    RSA's Coviello: Security professionals must spark innovation
    RSA Conference begins as companies tighten security budgets
    RSA Conference 2008: Special news coverage
    Uncertain economy
    Finjan wins patent dispute against Secure Computing
    Security priorities
    Security Squad: Debating FISA, fighting cybercrime
    NAC, disk encryption gaining attention, survey shows
    Security Industry Market Trends, Predictions and Forecasts Research

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    authentication server  (SearchSecurity.com)
    Chameleon Card  (SearchSecurity.com)
    key chain  (SearchSecurity.com)
    key fob  (SearchSecurity.com)
    key string  (SearchSecurity.com)
    national identity card  (SearchSecurity.com)
    security token  (SearchSecurity.com)
    smart card  (SearchSecurity.com)
    two-factor authentication  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice

    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts