The ‘chip and PIN’ type credit card was introduced to give the cardholder a greater level of security than a regular magnetic strip. While not mainstream in the USA, over a billion of these cards are in use around the world. The ‘chip’ is a microchip embedded in the card which, when placed on a point of sale system, processes the card much as swiping a magnetic strip would. The ‘PIN’ refers to a personal identification number which the customer then has to enter to complete the transaction, much like you would with a debit card. It is supposed to help protect against fraud such as forged signatures, card theft, and cloning of the information found on magnetic strips. In a lot of cases, it has worked. For example, the introduction of ‘chip and PIN’ cards in France has cut credit card fraud by about 80%.
However, Cambridge University has found a flaw in this payment method. When a ‘chip and PIN’ transaction occurs, a number is assigned to that transaction. This number is supposed to be unpredictable, but the research has found that sometimes it is not. This may be due to faulty equipment, but if a hacker finds these numbers, they can essentially clone the chip found on the card and use that customer’s card or bank account at will. And with new terminals for mobile payments being introduced, there will be more opportunities for fraud than ever. If attackers can find a way to steal information on ‘chip and PIN’ cards, it’s a safe bet that a mobile payment breach will follow in the future as well. Because evidence shows that the fraud is aided by faulty equipment, it is essential for merchants to make sure their employees are properly trained on how to use the equipment and that the equipment is properly maintained and updated.
Moreover, up until recently, the regulations were against the cardholder in the case of ‘chip and PIN’ transactions. The banks stated that the system could not fail and therefore any fraudulent transactions were the fault of the cardholder unless they could prove otherwise. This was said despite the fact that there were several documented cases of fraud that were not the cardholder’s fault. It wasn’t until 2009 that the regulation was changed. Now, the bank has to reimburse the customer and prove the customer’s negligence, instead of cardholders trying to prove their innocence.
Reports state that even if the information is stolen, it might prove difficult for thieves to use it without exposing their identity. Still, this study shows that new processing technology is not always safe, and customers and merchants alike might want to double check their bank statements.
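The flaw described above turns on the per-transaction number that is supposed to be unpredictable. The following Python script is an added example, not taken from the Cambridge research or from this article: it audits a terminal log for numbers that repeat, advance by a constant step, or barely vary. The log format, terminal IDs, 32-bit width and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict

MOD = 2 ** 32  # assumption: the number is logged as a 32-bit value
# Constructed sample log, one transaction per line: "<terminal> <number, hex>"
SAMPLE_LOG = """\
T-001 3A91F2C4
T-001 9E0477B1
T-001 05D8C31E
T-001 C27B0A69
T-002 0000A10F
T-002 0000A110
T-002 0000A111
T-002 0000A112
T-003 4C7D10E2
T-003 B382EF1D
T-003 4C7D10E2
T-003 18F6073B
"""

def parse(log):
    """Group transaction numbers by terminal, preserving log order."""
    by_terminal = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            terminal, value = line.split()
            by_terminal[terminal].append(int(value, 16))
    return by_terminal

def findings(numbers):
    """Return the reasons one terminal's numbers look predictable."""
    if len(numbers) < 4:
        return []  # too few samples to judge
    reasons = ["repeated value"] if len(set(numbers)) < len(numbers) else []
    # A counter or fixed-increment generator yields the same step every time.
    steps = Counter((b - a) % MOD for a, b in zip(numbers, numbers[1:]))
    step, count = steps.most_common(1)[0]
    if count >= 0.75 * (len(numbers) - 1):
        reasons.append(f"constant step {step:#x}")
    # Bits that never flip across samples shrink the space left to guess.
    changed = 0
    for n in numbers[1:]:
        changed |= n ^ numbers[0]
    fixed = 32 - bin(changed).count("1")
    if fixed >= 16:
        reasons.append(f"{fixed} of 32 bits never change")
    return reasons

def audit(log):
    return {t: r for t, nums in parse(log).items() if (r := findings(nums))}
```

Calling `audit(SAMPLE_LOG)` returns only the terminals with findings; a terminal that shows up here is a candidate for the maintenance and update checks the article recommends to merchants.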