
How secure is the Chip and PIN card system?

In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin discusses the Chip and PIN card system and examines whether or not it would be productive in the United States.

I've heard that the UK is using smart card/PIN systems to make credit card transactions safer. How does the technology work, and does it make sense for the U.S. as well?

The technology you describe is called Chip and PIN. It is a British technology designed to fulfill European mandates for secure credit card transactions; it requires credit card users to enter a PIN into a card reader when making a transaction. The PIN is meant to replace the signature a user normally gives when purchasing with a credit card, and an onboard chip securely holds authentication information and encryption keys. The system was designed to prevent fraud and forged signatures.

In essence, Chip and PIN was meant to turn every credit card into a smart card and enable strong "two-factor" authentication. The PIN would serve as the second authentication factor: the card being "what you have" and the PIN being "what you know."

Chip and PIN was also meant to replace the magnetic stripe currently found on credit cards. In practice, however, the stripe remains on the card as a backup, reserved for those transactions when the chip can't be read properly. The technology was first rolled out in the UK in 2003, and within three years the UK government required all card holders to use only their PIN.
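The two-factor design described above, as an added example that is not part of the original Q&A: a simplified model in which the chip holds a PIN and an issuer-shared key, checks the PIN on the card itself, and produces a per-transaction cryptogram that only the issuer can verify. The HMAC construction, message layout, counter and sample card values are assumptions made for illustration, not EMV's actual formats.

```python
import hashlib
import hmac
def _txn_bytes(pan: str, amount_cents: int, merchant: str, counter: int) -> bytes:
    return f"{pan}|{amount_cents}|{merchant}|{counter}".encode()

class Chip:
    """The card's chip: the PIN and an issuer-shared key live here and never leave the card."""
    def __init__(self, pan: str, key: bytes, pin: str):
        self.pan, self.key, self.pin = pan, key, pin
        self.counter = 0         # per-card transaction counter, makes every cryptogram unique
        self.pin_tries_left = 3  # the chip locks itself after repeated wrong PINs
    def verify_pin(self, entered: str) -> bool:
        """Factor 1, "what you know": the chip compares the PIN; the terminal never sees the stored one."""
        if self.pin_tries_left == 0:
            return False
        if hmac.compare_digest(entered.encode(), self.pin.encode()):
            self.pin_tries_left = 3
            return True
        self.pin_tries_left -= 1
        return False
    def cryptogram(self, amount_cents: int, merchant: str) -> dict:
        """Factor 2, "what you have": only a chip holding the key can compute this MAC."""
        self.counter += 1
        mac = hmac.new(self.key, _txn_bytes(self.pan, amount_cents, merchant, self.counter),
                       hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "merchant": merchant,
                "counter": self.counter, "mac": mac}

class Issuer:
    def __init__(self, keys: dict[str, bytes]):
        self.keys, self.last_counter = keys, {}  # card key per PAN; last counter accepted per PAN
    def authorize(self, txn: dict) -> bool:
        key = self.keys.get(txn["pan"])
        if key is None or txn["counter"] <= self.last_counter.get(txn["pan"], 0):
            return False  # unknown card, or a replayed/stale cryptogram
        expected = hmac.new(key, _txn_bytes(txn["pan"], txn["amount"], txn["merchant"],
                                            txn["counter"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["mac"]):
            return False  # MAC was not produced by this card's key
        self.last_counter[txn["pan"]] = txn["counter"]
        return True

def chip_and_pin_purchase(chip: Chip, issuer: Issuer, entered_pin: str, amount_cents: int, merchant: str) -> bool:
    """Approved only when both factors check out: PIN on the card, cryptogram at the issuer."""
    return chip.verify_pin(entered_pin) and issuer.authorize(chip.cryptogram(amount_cents, merchant))

# Constructed sample card and issuer (demo values, not real card data).
CARD = Chip(pan="4000000000000002", key=b"constructed-demo-key-not-for-real-use", pin="1234")
ISSUER = Issuer({CARD.pan: CARD.key})
```

A captured cryptogram is rejected when presented a second time because of the counter, and a transaction built by someone who knows only the PIN fails at the issuer because it lacks the card's key.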

Similar technology -- based on the EMV chip card standard -- has been successful in France, where credit card fraud has been reduced by about 80%, but the UK program has had problems from the start. The cost of deploying smart card readers at the point of sale has been an issue for smaller businesses, which has led to Chip and PIN cards continuing to include magnetic stripes. Research has also suggested that Chip and PIN cards aren't any more secure than traditional cards, as PINs can be stolen and readers can be tampered with.

Would the Chip and PIN system work in the U.S.? Perhaps, but its security kinks would first need to be resolved. Remember, a PIN isn't inherently more secure than a signature. It's basically just another credential that can be stolen or "nicked" as the British would say. There are also cultural issues. While smart cards have been adopted within enterprises, they have yet to hit the American market, which tends to be more resistant to these types of technologies.

Next Steps

Prevent fraud: security expert Shon Harris discusses several fraud risk assessment methodologies.

If your organization processes credit card holder information, make sure you know the 12 PCI requirements.

This was last published in April 2007
