I've heard that the UK is using smart card/PIN systems to make credit card transactions safer. How does the technology work, and does it make sense for the U.S. as well?
The technology you describe is called Chip and PIN. A British technology designed to fulfill European mandates for secure credit card transactions; it requires credit card users to enter a PIN number into a card reader when making a transaction. The PIN is meant to replace the signature that a user normally gives when purchasing with a credit card; an onboard chip securely holds authentication information and encryption keys. The system was designed to prevent fraud and forged signatures.
In essence, Chip and PIN was meant to turn every credit card into a smart card, and enable strong "two-factor" authentication, The PIN would serve as the second authentication factor: the card being "what you have and the PIN being "what you know."
Chip and PIN was also meant to replace the magnetic stripe currently found on credit cards. In practice, however, the stripe remains on the card as a backup, reserved for those transactions when the chip can't be read properly. The technology was first rolled out in the UK in 2003, and within three years the UK government required all card holders to use only their PIN.
Similar technology -- based on the EMV chip card standard -- has been successful in France, where the country has reduced credit card fraud by about 80%, but the UK program has had problems from the start. The implementation of expensive smart card readers at the point of sale has been an issue for smaller businesses, which led to Chip and PIN cards continuing to include magnetic stripes. Research has also suggested that Chip and PIN cards aren't any more secure than traditional cards, as PIN numbers can be stolen and readers can be tampered with.
Would the Chip and PIN system work in the U.S.? Perhaps, but its security kinks would first need to be resolved. Remember, a PIN isn't inherently more secure than a signature. It's basically just another credential that can be stolen or "nicked" as the British would say. There are also cultural issues. While smart cards have been adopted within enterprises, they have yet to hit the American market, which tends to be more resistant to these types of technologies.
Prevent fraud: security expert Shon Harris discuses several fraud risk assessment methodologies.
If your organization processes credit card holder information, make sure you know the 12 PCI requirements.
Dig Deeper on Two-factor and multifactor authentication strategies
Related Q&A from Joel Dubin
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading