EMV, Smart Cards and PINs
EMV is a standard for authenticating credit and debit card payments when using chip cards (“smart cards”) and chip-card-capable POS terminals. This standard was originally developed by Europay, Mastercard and Visa (hence the term “EMV”). The main benefit of EMV is improved security and a reduction in fraudulent card use.
EMV is being rolled out in the UK under the Chip and PIN program. An earlier smart card system called Carte Bleue has been deployed in France; although originally incompatible with EMV, it is now moving towards this standard. In Canada there appears to be a commitment to a broad industry migration to chip technology (covered in the recent report Global EMV Migration Update: Canada by the Mercator Advisory Group).
In traditional credit card transactions, the magnetic stripe is used to verify the account, and the customer’s signature is verified by the merchant against the signature on the card to authenticate the transaction. While in wide use, this system has numerous flaws, the big ones being:
- The stealing of credit cards in the mail.
- The forging of signatures.
- The use of magnetic card readers and writers to clone cards.
With EMV, the customer uses a smart card with an embedded chip, which the merchant’s card reader accesses. The communication among the card’s chip, the POS terminal and the underlying card network is used to verify that the card is authentic, and is encrypted using a strong standard such as DES or RSA. This reduces the opportunity to clone cards. The customer then (usually) authenticates the transaction by entering a PIN, thus eliminating signature forgery as a weakness in the authentication process.
Of course, as with any system, there are weaknesses. The weaknesses of EMV/Smart cards are thought to be:
- Observation of the PIN (e.g. by someone looking over the shoulder of a purchaser or by security cameras and such).
- Cloning: In this case the card reading terminal has to be compromised, and typically the captured data can only be used in offline transactions or where there is magnetic stripe fallback, i.e. using the cloned card at a merchant that does not have smart card reading equipment.
- Liability Shift: By implementing EMV or other smart card technologies, banks/issuers and/or the credit card networks may try to shift liability for fraudulent transactions back to the merchant or consumer.
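
An added example (not from the original post) of how an issuer or acquirer could flag the magnetic stripe fallback case from the cloning bullet above: it reads the service code from Track 2 data and compares it with how the card was actually read. The Track 2 layout and service-code digits follow ISO/IEC 7813; the entry-mode values, the `Txn` fields and the result labels are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})\d*\??$")
CHIP_SERVICE_DIGITS = {"2", "6"}  # first service-code digit: card carries a chip
# PAN entry modes (first two digits of ISO 8583 field 22); values assumed here
CHIP_MODES = {"05", "07"}         # contact chip, contactless chip
STRIPE_MODES = {"02", "90"}       # magnetic stripe read
FALLBACK_MODE = "80"              # chip-capable terminal fell back to stripe

@dataclass
class Txn:
    track2: str
    entry_mode: str
    terminal_chip_capable: bool

def service_code(track2: str) -> str:
    m = TRACK2.match(track2.strip())
    if not m:
        raise ValueError("malformed Track 2 data")
    return m.group(3)

def classify(txn: Txn) -> str:
    if txn.entry_mode in CHIP_MODES:
        return "chip"
    if txn.entry_mode != FALLBACK_MODE and txn.entry_mode not in STRIPE_MODES:
        return "unknown-entry-mode"
    if service_code(txn.track2)[0] not in CHIP_SERVICE_DIGITS:
        return "stripe-ok"             # card was never issued with a chip
    if txn.entry_mode == FALLBACK_MODE:
        return "declared-fallback"     # review: repeated fallback is a fraud signal
    if txn.terminal_chip_capable:
        return "suspicious-stripe"     # chip card swiped where the chip should be used
    return "stripe-only-terminal"      # the residual exposure described in the text

def review_queue(txns):
    """Indexes and labels of transactions that deserve a closer look."""
    quiet = {"chip", "stripe-ok"}
    return [(i, label) for i, t in enumerate(txns)
            if (label := classify(t)) not in quiet]

# Constructed sample data (well-known test PAN, not a real account).
CHIP_CARD = ";4111111111111111=30122011234567890?"    # service code 201
STRIPE_CARD = ";4111111111111111=30121011234567890?"  # service code 101
SAMPLE = [Txn(CHIP_CARD, "05", True), Txn(CHIP_CARD, "90", True),
          Txn(CHIP_CARD, "80", True), Txn(CHIP_CARD, "90", False),
          Txn(STRIPE_CARD, "90", False)]
```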





