The EMV Evolution: Chip-and-PIN vs. Chip-and-signature

By: Ben Apel on 22 October 2014

You may have heard that EMV cards (better known as chip-and-PIN) will soon be the accepted norm at retailers across the United States. By October 2015, most payment terminals in the US will process charges using this new standard.

Unfortunately, unless you travel to Europe on a regular basis, you might not be familiar with them. And thus far, banks haven’t done the best job of explaining what makes EMV cards better, or why they’re switching over.

What’s the Difference?

On the surface, not much will change - you’ll insert your card’s chip into a reader, rather than swiping the magnetic strip. Enter a PIN or sign your name, and the payment is complete.

If it’s such a minor shift, why bother changing anything? Because switching to integrated circuit cards will help prevent fraudulent charges, potentially saving hundreds of millions of dollars (global credit card fraud accounted for more than $11 billion in losses in 2012 alone, nearly 50% of which occurred in the United States) [1].

After adopting CVM (cardholder verification method) cards, U.K. credit fraud fell by 75% over a four-year period [2]. Conversely, the US and Mexico both remain on the magnetic-strip standard and currently lead the world in credit card fraud [3].

After October 2015, any retailers who opt out of the new standard will be liable for fraudulent charges on their terminals. Until now, issuing banks refunded merchants for bogus charges, and they will continue to, so long as the charge was made with an EMV card.

Why EMV Is More Secure

Thanks to multiple added layers of security, EMV cards have the potential to reduce credit card fraud by a considerable amount. PIN implementation is an effective authentication tool, and EMV cards also use cryptographic algorithms like RSA, SHA, and Triple DES.

In practice, this makes the card’s sensitive information much more difficult to duplicate than the data on a magnetic strip. Additionally, for some transactions, the data is transmitted under what is essentially a one-time-use encryption, which makes “skimming” card numbers a much less effective fraud technique.

Making these new physical cards does cost more ($1.25 or so, vs. $0.25 for magnetic-strip cards), but big-picture, that’s a small price to pay.

A Strong, But Imperfect Solution

While a convincing step forward in payment security, EMV is not a fix-all solution to card-present fraud or breaches. There are two main vulnerabilities already exposed by researchers.

The first is a classic “man in the middle” attack: a point-of-sale terminal is compromised, and malware on it listens in on the back-and-forth communication between the card and the processing network. By capturing signals in both directions, enough information can be gathered to create a duplicate card.

When the duplicate card is used, the key lies in making the terminal and the card believe they are involved in different transaction types: the terminal thinks it’s chip-and-PIN, while the card thinks it’s a chip-and-signature transaction. This allows the fraudster to enter any PIN they’d like in order to authenticate the transaction.

The second vulnerability is tied into the random number generators integral to EMV security. Every terminal creates a so-called “unpredictable” number for every transaction, used for authentication. Unfortunately, the numbers generated by some POS terminals and ATMs are, in fact, predictable.

Some are built from timestamps or simple ascending transaction counters; others rely on homemade random number generators. With access to a list of past numbers (at times supplied by the banks themselves during disputed cases of fraud), a clever fraudster can build a forward-looking algorithm capable of predicting future “random” numbers, and use those to authenticate illegitimate transactions.
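The checks an acquirer or terminal vendor would run against a sample of a terminal’s unpredictable numbers, written as an added example (not code from the article): it flags a stream of 32-bit UNs as predictable when it forms a counter, a timestamp-like monotonic sequence, repeats values, or has byte positions that barely change. The three sample streams are constructed here for illustration.

```python
import itertools
import math
from collections import Counter
from typing import Sequence

# Constructed sample streams of 32-bit "unpredictable numbers" (UNs), one per transaction.
COUNTER_UNS = [0x0000A3F1 + 7 * i for i in range(12)]            # ascending counter, step 7
TIMESTAMP_UNS = list(itertools.accumulate(                        # clock-derived: only ever grows
    [0x5447F000, 37, 12, 95, 3, 58, 21, 44, 9, 130, 66, 15]))
RANDOM_UNS = [0x9A4C1F03, 0x17E2B8D5, 0xC301AA6E, 0x5DF7342B,     # what a sound generator looks like
              0x2E88C1F0, 0xF14A0D97, 0x6B3D7E42, 0x08C5F3A1,
              0xD2796C18, 0x4FA0E9B4, 0xB6135D7C, 0x7C6E20E9]


def byte_entropy(uns: Sequence[int], byte_index: int) -> float:
    """Shannon entropy, in bits, of one byte position across the sample (max is log2(len(uns)))."""
    counts = Counter((u >> (8 * byte_index)) & 0xFF for u in uns)
    n = len(uns)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_unpredictable_numbers(uns: Sequence[int], min_byte_entropy: float = 1.0) -> dict:
    """Return {'predictable': bool, 'findings': [...]} for a terminal's UN stream.

    The checks mirror the weaknesses the article describes: counters, timestamps, repeats
    and byte positions that hardly vary. A clean result only rules out crude generators;
    it is not proof that the terminal's RNG is sound.
    """
    if len(uns) < 2:
        raise ValueError("need at least two UNs to audit")
    findings = []
    steps = [(b - a) & 0xFFFFFFFF for a, b in zip(uns, uns[1:])]
    if len(set(steps)) == 1:
        findings.append(f"constant step of {steps[0]} between UNs (transaction counter)")
    elif all(b > a for a, b in zip(uns, uns[1:])):
        findings.append("strictly increasing sequence (timestamp-like)")
    repeats = sum(1 for c in Counter(uns).values() if c > 1)
    if repeats:
        findings.append(f"{repeats} UN value(s) repeated within the sample")
    for i in range(4):
        h = byte_entropy(uns, i)
        if h < min_byte_entropy:
            findings.append(f"byte {i} carries only {h:.2f} bits of entropy")
    return {"predictable": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, stream in [("counter", COUNTER_UNS), ("timestamp", TIMESTAMP_UNS), ("random", RANDOM_UNS)]:
        print(name, audit_unpredictable_numbers(stream))
```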

EMV Terminology

Chip-and-signature: A card with a metallic contact point that is inserted into and read by a credit card terminal. The user is authenticated via their signature.

Chip-and-PIN: The same type of card, with a metallic contact point that is inserted into and read by a credit card terminal. In this case, entering their PIN authenticates the user.

[The chip in both instances is the same; it’s that metallic contact point you can see on most credit cards issued in the last few years. This is also called the integrated circuit.]

CVM: Cardholder Verification Method

This refers to either the PIN or the signature associated with the card. It’s up to the issuing bank whether to accept PIN, signature, or both.

The general term for both varieties is EMV, or Europay, MasterCard, and Visa, and any Integrated Circuit card can also be called an EMV card.