How Secure is Chip-and-PIN Authentication?
Ever wondered why you got a new card in the mail that came with a fancy-looking chip embedded into the plastic?
Welcome to the world of chip-and-PIN, a process that combines technology and two-factor authentication to keep your financial information safe and protect you against fraud.
But how secure is chip-and-PIN authentication? Read on to learn more about why your card now features this security measure, how it works, and why there may still be better payment alternatives out there if you’re concerned about fraud.
Quick answer: It is the standard security protocol now. Chip-and-PIN will scramble your card information during a transaction and also require a PIN -- multiple ways to minimize fraud.
How Chip-and-PIN Got Its Start
Chip-and-PIN authentication refers to a security system designed to protect credit cardholders when they use their cards to make purchases. Chip-and-PIN was designed to be used offline, at physical point-of-sale counters and card readers.
Cards that use chips are known as EMV cards. The letters stand for Europay, MasterCard, and VISA, the companies who first originated and used the technology. They initially set up standards and specifications for new credit cards designed to prevent and reduce instances of fraud.
Today, a separate company called EMVCo oversees these standards. Other credit card companies, tech brands, and interested parties joined and co-own the business, including American Express, Discover, and China Unionpay.
EMV cards feature a built-in microprocessing chip that helps keep your information safe and secure. These types of cards are the standard throughout the world -- with the exception of the US.
Chipped credit cards are still fairly new in the United States and have been slow to catch on. That’s actually caused by a positive reason: fraud rates in the US are low compared to other countries. There was less incentive for banks (and cardholders) here to make the switch to EMV cards.
Understanding How the Technology Works
Chip-and-PIN authentication keeps credit cards secure in two ways. The chip itself allows the card to communicate with the card reader when you insert your plastic into the machine.
The information on the chip is dynamic, which means it changes. It also interacts with the card reader to actively create and encrypt the information it shares with the machine.
The chip in your card creates a unique transaction code every time you swipe it. This code is only valid for that one transaction. Even if this information is stolen, it’s pretty useless -- using it again would cause a payment to be declined.
The “PIN” part comes next. Once the chip communicates with the card reader and the system authorizes the transaction, you provide your PIN. If your PIN doesn’t line up to the PIN required to use the card, the system won’t authorize the transaction.
While chipped cards offer more security, you probably won’t notice a difference when you go to use your card. You’ll still insert your card into a reader (which is just slightly different than swiping it through).
Next, the machine and the card exchange information to confirm the card and the information it generates is authentic and not fraudulent. Once confirmed, you enter your PIN and complete your transaction.
Why Is This More Secure?
You need to understand how older credit cards worked to know why chip-and-PIN is considered “more secure” than previous credit cards. In the past, the only security feature built into a credit card was the magnetic strip on the back.
This strip contained information about your line of credit, and it’s what a machine read when you swiped your card at a cash register or through an ATM. The information stored on the strip was tied to your account and is what determined whether or not your payment was accepted.
Here’s the thing: this technology is the same used in cassette tapes. But we’re talking about our credit cards and financial information here. You can see why this just wasn’t secure enough to prevent issues like fraud.
Stealing data from credit cards with just the magnetic strip is easy for thieves to do. The information is static, it’s not encrypted, and it’s easy to read. People committing fraud could easily take the information -- either with a credit card skimmer or by taking the card out of sight and copying down the number and security code -- and use it to make purchases or even counterfeit copies of the card.
(And of course, thieves could simply steal the original card itself and use it to commit fraud.)
Chip-and-PIN authentication makes it hard to steal information from your credit card this way. The chip keeps information dynamic, not static, which makes skimming data ineffective. And the chip itself is nearly impossible to replicate if thieves tried to create a counterfeit card.
The PIN part of the authentication process means stealing the original card doesn’t do much good, either. The thief would have to possess not only the card but also know the PIN you created to use with it.
The PIN also reduces the chance for human error. Another type of card that uses the chip technology is called chip and signature. Instead of using a PIN for added security, it uses signature verification.
But this requires a cashier or salesperson to verify a signature manually. That slows down the checkout process, but more importantly, when it comes to security, it’s easy for someone to make a mistake (especially if they’ve been examining signatures in every cash wrap transaction for hours during their work shift).
Chip-and-PIN is much more secure than older credit cards that only feature the magnetic strip. You can also argue that it’s more secure than other chipped cards that only rely on signature verification and not a straightforward (and objective) PIN you enter at the point of purchase.
Chip-and-PIN Authentication Doesn’t Come Without Its Own Problems
That’s not to say chip-and-PIN authentication is the most secure solution, or the best one. The technology was super effective when it was new. But it was introduced in Europe over 10 years ago -- and a decade makes a big difference when it comes to tech innovation.
Chip-and-PIN is still relatively new in the U.S., but European cardholders and retailers have been working with these cards for a long time. The actual trademark for “EMV” cards was established in 1999, and cards with chips were issued to users in the early 2000s.
And that means it’s old news to a hacker community that has managed to get around the security measures on these credit cards to pull off massive frauds.
Back in 2011, officials in France busted a fraud ring that managed to steal and use a number of credit cards using chip-and-PIN authentication. The group used complicated, sophisticated measures to steal $680,000 with 25 credit cards and a lot of specialized equipment.
It’s not the kind of scheme your average fraudster could pull off -- but it’s possible. A team of computer scientists from Cambridge University also studied chip-and-PIN authentication back in 2010 and found a number of flaws in how the cards kept information secure.
They showed how criminals could still get enough information off cards using chip-and-PIN authentication to commit fraud, either by creating a counterfeit copy or tricking the card reader into accepting payment with a stolen card.
So while chip-and-PIN does offer increased security, it’s not perfect. If you have a chip card that uses either PIN or signature for verification, don’t get complacent.
You could still experience credit card fraud, and you need to take the right action steps to keep your card, your line of credit, and your information safe.
Keep Your Payments and Transactions Safe
We may see credit cards continue to change and evolve to become more secure in the future. But as it was with the adoption of chip-and-PIN authentication, that shift may be slow to happen in the US.
So is there anything you can do right now to keep your information, accounts, and transactions safe?
Yes, because credit cards aren’t the only safe and convenient ways to pay. Again, chip-and-PIN authentication and the technology it uses has been around for a long time. New technologies are available and third party payment processors may offer more secure solutions -- especially when you’re shopping online.
The first of these are mobile payment options like ApplePay. ApplePay requires you to link your credit card information to their system, which then encrypts the information. It uses tokenization to protect your data. That means neither Apple nor merchants see your data.
Your personal information gets replaced with randomly-generated token codes. These codes are then used for individual transactions and cannot be used for additional, future transactions.
Of course, you need an Apple product in order to use ApplePay. Other non-iOS alternatives include Google Wallet. And some credit card companies offer their own solutions like MasterCard’s “contactless” payment systems.
Additional options include using third party systems like PayPal. PayPal bills itself as the “safer way to shop online” because it thoroughly obscures your payment details when you go to checkout and pay for your purchase.
You can connect your bank accounts and credit cards to PayPal, which then encrypts the information. When you go to pay online, you can use your PayPal account -- and not your credit card directly.
If something does go wrong, PayPal won’t hold you liable for fraud (just like your credit card company). But that may not be enough if someone does access your info through PayPal. Because your accounts and cards are directly linked, a thief could gain a lot more access to your financial life than they could have if they only stolen your credit card information.
Any newer payment method you use will offer some range of security, whether it’s a chipped card complete with PIN authentication or a third-party processor that obscures your data from being read directly by retailers and point-of-sale systems. Chip-and-PIN authentication is secure, but like any system, comes with flaws that you shouldn’t ignore.