Monday, May 4, 2015

Chip and PIN Compared to Chip and Signature

As we begin on the long process of changing credit cards from the obsolete magnetic stripe technology to smart (EMV) "chip" cards, there has been a lot of criticism of the decision of the credit card issuers not to implement "Chip and PIN."  Much of this discussion has asserted that "Chip and PIN" is more secure than the chosen chip card and signature strategy.  Apparently this position is so obvious that it has stifled analysis.

I assert that Chip and PIN is only marginally more secure than Chip and Signature. It protects against the fraudulent use of lost or stolen cards. However, fraudulent use of lost or stolen cards is only a small portion of the fraud. The largest part uses counterfeit cards; chips resist counterfeiting.
For both the individual and the issuer, the best protection against fraudulent use of lost or stolen cards is to report the card lost or stolen. The individual is now protected against any use of the card. The issuer will revoke the card and is now protected against any online use of the card.
Note that the effectiveness of revocation depends in part upon the market. In the U.S., where most transactions take place online, it is very effective. In markets where the infrastructure is less robust and many transactions take place offline, revocation is less effective. Thus in the U.S. issuers are opting for Chip and Signature while in other markets Chip and PIN is chosen.
Note that only the issuers know what the losses are for fraudulent use of lost or stolen cards is, that is, how much fraud might be reduced by the use of a PIN on all transactions. It is fair to assume that they know what they are doing.
Some have asserted that, in the absence of the PIN, security will rely upon clerks to reconcile a signature on the transaction document to,the reference signature on the card.  For most routine transactions we do not rely upon the clerk to verify the signature or even to touch the card. While in some places we still sign a chit, at checkout stands we sign on a little tablet (I hate them.) No one ever checks the signature unless the transaction is disputed. Said another way, at least in the U.S., we rely mostly on possession of a current card to authenticate most transactions; both signatures and PINs are backup and there is little to choose between them?

3 comments:

  1. Hello, Thanks a lot for sharing such a good source with all, i appreciate your efforts taken for the same. I found this worth sharing and must share this with all.
    Data security service

    ReplyDelete
  2. Wow! A comment from the master himself. A comment from Ross Anderson makes all this worthwhile. Reminds me of our dinner in London with a dozen people around a little,tiny table.

    Ross raises a great point. In the payment system there are multiple players including consumers, merchants, in the US, transaction acquirer/processors, card issuers, and brands, All of these are victims of fraud. Whatever resists fraud benefits all. That said, as Ross suggests, some measures may benefit one player more than others. This has become very apparent with the "liability shift" from issuers to merchants. It also differs with culture and law; in the UK the law and culture has benefited the banks at the expense of the consumer while in the US it has been the opposite.

    I tend to write from the consumer view point; this post is an exception because, at least in the US, the issue of Chip and PIN has been raised by merchants. However, the control, the agreements, tend to originate with the brands and issuers. It is the brands and issuers, again in the US, that have preferred signature over PIN.

    While I appreciate the difference between the US and Europe, I tend to write from the perspective of the US. One major difference between the US and Europe has been the portion of transactions that are verified online and in "real time." "Chip and PIN" is more effective for resisting fraud in offline transactions.

    All that said, I hope that Ross will agree with me that liability should rest with the banks, security should favor the consumer, and that hope is in the mobile.
    k

    ReplyDelete
  3. Things have changed since this was written. Contactless cards have become very popular in Europe. For small transactions, usually tens of Euros, neither PIN nor signature are required.

    In North America, while we are too poor to have contactless cards, though the brands and issuers keep promising, contactless payment using mobiles has gained wide acceptance. Again, neither PIN nor signature are required for these transactions; possession and beneficial use of a registered mobile is sufficient. While the use is about convenience, security is better than chip or signature.

    ReplyDelete