How Secure Is Chip-and-PIN Authentication?
Chip-and-PIN cards are the most secure form of plastic payment currently available.
It’s incredibly hard to make counterfeit cards or to crack legit ones.
Their biggest weak spot is … you!
What Are EMV Chip Cards?
As old debit and credit cards reach their expiration dates and are replaced, ones without an onboard integrated-circuit chip are becoming rare.
The magnetic stripe on those older cards generally worked well enough when it came to transactions, but it was incredibly insecure. And criminals could purchase “skimmers” (card readers that could capture and store your magnetic stripe’s information) for next to nothing. At the time this was written, anyone could buy one on Amazon for $15.99.
The temptation was too much, and skimmers began appearing under counters (and sometimes even in staff members’ pockets) in stores and restaurants across the country. More sophisticated criminals even installed them in ATMs and gas pumps. Once your card’s information was harvested, it was easy to create a duplicate, counterfeit (or “cloned”) card.
EMV chip cards are, as you’re about to discover, much more secure. If yours is lost, stolen or skimmed, it’s much less likely that anyone’s going to be able to clone it. But do read on to discover ways in which criminals can still exploit it.
Forget EMV. The United States was one of the last countries in the world to adopt EMV chip cards. And the abbreviation is rarely used elsewhere. In most places, they’re simply chipped cards — or, given their universality, just cards.
But, for the record, “EMV” stands for “Europay, MasterCard and Visa,” which were the three companies that originally partnered to set the standards. But now American Express, Discover and just about all card issuers use EMV chips. So the “EMV” abbreviation is pretty much redundant. Basically, all chipped cards are EMV.
How Does EMV Technology Work?
If you’re a bit of a nerd, you’ll love “EMV in a nutshell,” a 2016 report published by global accountancy firm KPMG with IBM Research and Radboud University Nijmegen. But most of us need less technological jargon.
What makes EMV so robust is that the account information stored on it changes every time it’s used. So even if a criminal could intercept it during one transaction, it would be useless for later ones. In other words, that information is “encrypted” (converted into a cipher or code) each time it is accessed — but the encryption is different every time.
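To make the point above concrete, here is an added example (not from the original article or from the EMV specification) of why data captured from one chip transaction cannot be reused. It is a simplified model: HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the names ChipCard, Issuer, counter and nonce, along with the card number and amounts, are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _message(pan, amount_cents, counter, nonce_hex):
    # Everything the cryptogram must cover, in one unambiguous string.
    return f"{pan}|{amount_cents}|{counter}|{nonce_hex}".encode()

class ChipCard:
    """Toy chip: the secret key stays inside; only cryptograms come out."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def pay(self, amount_cents, terminal_nonce_hex):
        self.counter += 1  # a fresh counter value for every transaction
        msg = _message(self.pan, amount_cents, self.counter, terminal_nonce_hex)
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "counter": self.counter,
                "nonce": terminal_nonce_hex, "cryptogram": tag}

class Issuer:
    """Toy issuer: knows each card's key and the highest counter seen."""
    def __init__(self):
        self._keys, self._seen = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._seen[pan] = key, 0

    def verify(self, txn):
        key = self._keys[txn["pan"]]
        msg = _message(txn["pan"], txn["amount"], txn["counter"], txn["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "bad cryptogram"  # data altered, or made without the key
        if txn["counter"] <= self._seen[txn["pan"]]:
            return "replayed"  # valid cryptogram, but already used
        self._seen[txn["pan"]] = txn["counter"]
        return "approved"

def demo():
    pan, key = "4000000000000002", secrets.token_bytes(32)  # constructed values
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.enroll(pan, key)
    first = card.pay(2500, secrets.token_hex(4))
    results = {"genuine": issuer.verify(first)}
    results["captured_and_resent"] = issuer.verify(dict(first))
    results["captured_amount_changed"] = issuer.verify({**first, "amount": 99900})
    results["next_genuine"] = issuer.verify(card.pay(1200, secrets.token_hex(4)))
    return results
```

A magnetic stripe, by contrast, hands over the same static data on every swipe, which is why a skimmed stripe could be copied onto a working clone.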
Are Chipped Cards 100% Secure Now?
That level of security has almost eliminated card-skimming and counterfeit cards. But that doesn’t mean chips are totally impenetrable.
Over the last several years, reports have emerged from Brazil about a gang there that had developed malware capable of cracking chips. But, so far, it’s hard to find examples of counterfeit chipped cards circulating in the United States. This writer failed to find any such reports at all.
And, were it to become an issue, banks and card issuers would be able to rein it in, according to data security specialists Kaspersky Lab. Right now, the only mandatory step in a transaction at a point of sale is “initialization.” But that provides the most basic information: cardholder name, account number, expiration date and a bit of technical stuff.
And, at the moment, a second step, “data authentication,” is optional. Were that to be made compulsory too, it’s unlikely counterfeit cards would survive that test.
When Chips Are Useless
So, today, card chips are doing great work securing nearly all “in-person” or “card-present” transactions. Those are ones where you personally present your card at a point of sale.
In 2019, Visa reported: “Merchants who accept chip cards witnessed a 76 percent dip in card present (CP) counterfeit payment fraud since the U.S. payments industry began the shift to EMV chip …”
But there are a couple of circumstances in which chips can do nothing to protect you:
- Card-not-present (CNP) transactions — most commonly, those used for online and telephone purchases
- Contactless payments (or tap-to-pay) — For smaller transactions, you don’t need to sign or enter a personal identification number (PIN) so anyone finding or stealing your card could use it for those
Making Online and Phone Purchases with Chips
When you use your card online or to pay for something over the phone, your chip plays zero part in the transaction. So it can’t protect you.
And these card-not-present transactions require no PIN or signature either. You provide only details visible on the card: its number, expiration date and three-digit CVV (more on that next), usually plus your name as it appears on the card.
“CVV” stands for “card verification value” and some call the same thing a “CSC” or “card security code.” These are the lonely looking three digits on your card’s signature strip. However, American Express cards carry a four-digit version of the same thing.
What is your liability?
Clearly, anyone finding or stealing your card can use it for CNP purchases. However, the Federal Trade Commission says, “your liability for unauthorized use of your credit card tops out at $50” — or zero, once you’ve reported your card missing.
With a debit card, the FTC advises your liability could be as high as $500, but only if you wait to report its loss, “More than 2 business days after you learn about the loss or theft, but less than 60 calendar days after your statement is sent to you.”
Either way, you’re in for endless hassle. So you should:
- Keep your cards safe
- Never let them fall into the hands of someone you don’t trust implicitly
- Don’t reveal your cards’ details to anyone — including websites or telesales people unless you know the companies that own or employ them to be reputable
- For telesales, only hand out your details if you initiated the call. Anyone can claim to be anybody on the phone
It’s common sense, really.
Are Contactless Payments Safe?
About 60% of point-of-sale terminals in U.S. stores allow you to use contactless payments, which are also known as tap-to-pay. You tap the terminal with your card or hold it close by and near-field communications (NFC) technology transfers its details to the terminal.
Many merchants don’t require you to sign for the transaction or use a PIN for small-value transactions. And the COVID-19 pandemic made this a very attractive option for shoppers who wanted to minimize their chances of touching potentially infected surfaces.
Visa reckons, “31 million Americans tapped a Visa contactless card or digital wallet in March 2020, up from 25 million in November, with overall contactless usage in the U.S. growing 150% since March 2019.”
Where merchants don’t require a PIN or signature, a contactless transaction turns your lost or stolen card into cash — in anyone’s hands. The card’s chip confirms it’s a genuine, legitimate card. But it doesn’t help in confirming that you’re the one using it.
The good news is that many card issuers are shouldering all the risk arising from fraudulent contactless use. And your legal liability is the same as for other credit card fraud — as laid out by the FTC in the last section. Still, you may want to keep your contactless card safe to avoid an administrative headache.
Chip-and-PIN Cards vs. Chip-and-Signature Cards
It’s not hard to distinguish between these two. Their names say it all.
A chip-and-PIN card requires you to authorize each transaction using your four-digit personal identification number (PIN). But chip-and-signature cards let you do that just by signing.
The problem with signing for transactions is that too few clerks or wait staff bother comparing the transaction slip signature with the one on the card. And, even when they do, they tend to shrug if the two are wildly different. And who can blame them? If you were on minimum wage, would you pick a fight with someone whose side your employer might take?
Chip-and-PIN Cards More Secure
We know chip-and-PIN cards are more secure. Nearly all other nations use them exclusively. And, in 2016, a paper by the Congressional Research Service quoted data from a study by the Federal Reserve Bank of Atlanta.
It found that, in 2010, chip-and-PIN debit cards in this country produced fraud at a rate of 0.013%. The chip-and-signature debit cards that year generated it at a rate of 0.075% — nearly six times greater.
So why has the U.S. been slow to embrace chip-and-PIN cards? We have more cards than people in most other nations. And banks and credit card companies doubted we’d be able to remember all our PINs.
Are You the Weakest Link?
Of course, you personally may behave impeccably. But many are less cautious when it comes to keeping their debit and credit cards secure. And, all too often, card fraud can be traced back to the legitimate holder’s carelessness.
Chances are you won’t be hurt financially too badly if your plastic’s compromised. But it inevitably brings a lot of hassle and inconvenience. So keep your cards safe – and never share your PIN.
Be sure when making purchases online or buying by phone that you’re dealing with somebody reputable. And generally act as if a card fraudster is out to get you … because one just might be.