Blog article
See all stories »

Chip and Signature, a Paradise Lost

By now, most participants in the US payments industry are finally about to realize that the day of the mag stripe is doomed and that EMV, the secure payment card technology rolled out in Europe nearly a decade ago, is finally about to make its debut in the US. Incredulous as it may seem, the financial integrity of the payment card industry continues to rely on 1970’s technology. But what I find even more shocking is that despite all the security breaches, card data thefts and all the evidence that cybercrime continues to outsmart even the most sophisticated security systems (JP Morgan Chase being the highest profile casualty), that the majority of credit and charge card issuers in the US haven’t pushed more quickly for a complete transition to Chip and PIN for their entire card estates. Instead, major players like Chase and American Express, amongst many other key institutions, have opted to issue Chip and Signature cards by the millions.

While any attempts to prevent card fraud with enhanced security should be welcomed, we need to be also mindful that there are problems to consider as a consequence of the issuance of Chip and Signature payment cards. One of the most obvious being that that in countries that have made Chip & PIN their payment card standard, Chip and Signature payment cards are pretty much useless. Forget the premise that a signature must be accepted as an alternative to a PIN, because in reality that simply isn’t the case. It’s a cold comfort to find oneself stranded when trying to check into a hotel late at night, or purchasing a travel ticket at an unattended automated kiosk, or trying to purchase necessities at any late night convenience store, where the transaction cannot be completed or is rejected. Simply put, for the international traveler Chip and PIN is mandatory. And for good reason.

Chip and Signature is not as secure as Chip and PIN – that’s a fact, and consequently we shouldn’t expect that the benefit in the reduction in Card Present fraud derived from the implementation of EMV Chip and PIN elsewhere will be realized in the US. It won’t, in particular, as the majority of cards to be issued in the US will be Chip and Signature. Fraudsters will always find the weakest link in the process – in this instance, it’s relatively easy to forge a signature in the case of a stolen card or even intercept the card before it reaches the genuine customer – and the fraudster can simply sign in his own handwriting. And there are other weaknesses as a consequence of Chip and Signature (e.g., Chip & PIN cards require issuers to assign a PIN before mailing the card and require a cardholder to visit a branch to reset the PIN).The sad fact is that the critical security benefit that comes with a PIN is seriously undermined by the reliance on an easy-to-fake signature.

As many have written in the past, myself included, EMV is a much needed security technology that significantly raises the barrier for payment card fraud by virtually eliminating the ability to manufacture cloned credit cards, something that accounts for as much as 45% of all payment card fraud today. While Chip & PIN is part of the solution in the US, it should be noted that it isn’t without serious issues of its own, including exploitation by so-called “replay attacks” even before you consider the implementation costs and additional burdens on merchants. So while I applaud the US in its efforts to adopt more modern consumer card protection scheme, by taking only a “half step” into EMV with clearly weaker signature authentication, the industry is investing hundreds of millions of dollars into an infrastructure that will not produce the significant security it expects. It will no doubt confuse and anger consumers who are expecting increased fraud protection and worse, it may actually exacerbate card fraud through increased physical card theft, putting customers and their money at risk, since the card itself is now the primary authentication factor. Clearly, Chip and Signature is not the answer.

Today, almost two out of three Americans have been exposed to, or have become victims of, data theft and card fraud, being subjected to the stress and aggravation of potentially having their accounts unlawfully accessed and their cards replaced, in some cases, multiple times. The card issuers appear to be accepting this as the status quo, so perhaps what is needed is action, action like the example being set by the White House which announced that president Obama signed an executive order mandating the use of Chip and PIN technology at executive departments and agencies for card payments and is formulating new multi-factor authentication guidelines to protect personal data available online. One can only hope that this is just the catalyst that the US needs to truly move forward and protect its consumers against card present payment card fraud. However, whilst these measures are clearly a step in the right direction, there’s more that can be done.

So, the die is cast and the US will have Chip and Signature alongside Chip and PIN. There is, however, a solution to the fraud challenge of Chip and Signature. EMV technology can be combined with zero-friction, real-time, authentication technologies such as privacy sensitive proximity/geo-location technology to determine that the genuine customer is at the place of the transaction. If further user/transaction verification is required, an automated “conversation” can be conducted with the customer through an APP on the mobile phone, utilizing Voice Biometrics, thereby providing the highest level of transaction authentication/verification, but in a totally low friction format (it should also be noted that this model could also be used to address the Card Not Present fraud issue, but that’s a separate discussion topic). The audit trail resulting from such an approach provides the greatest assurance in the event that there is repudiation of the transaction, the bane of the payments industry today for both the consumer and the service provider. This approach recognizes the importance of authentication not just for the initiation of a transaction, but its persistence through to completion via true transaction verification. Underpinning such an implementation lies the trusted device, established during the low-friction Enrolment/Registration process, and a strong contributor to the “invisible” security process. This approach, represents probably the strongest barrier there is available today.

As I have said previously, card fraud and security is a complex global problem, one without any single solution. It is therefore incumbent upon the industry, a moral responsibility I believe, to ensure no stone is unturned in the protection of our customers from fraud. EMV is one technological piece of the puzzle. Device Trust, incorporating Proximity Correlation combined with strong User Authentication, incorporating multi-factor authentication and voice biometrics, are additional highly complementary technologies in stopping fraud and helping to ensure that when identity data and payment card data is stolen, that the data is rendered worthless to the fraudsters. Without such a holistic approach, we are only presenting a mirage, an appearance of protection, but one that will vanish when tested by today’s sophisticated cybercrooks.





Comments: (4)

Melvin Haskins
Melvin Haskins - Haston International Limited - 29 October, 2014, 11:35Be the first to give this comment the thumbs up 0 likes

Pat - an excellent article. One minor correction. In the UK it is not neccessary to visit a branch to change the PIN. It can be done at any ATM owned by the issuer.

Pat Carroll
Pat Carroll - ValidSoft - London 30 October, 2014, 13:31Be the first to give this comment the thumbs up 0 likes

Many thanks Melvin. You are correct that this is the process in the UK, unless of course the consumer has forgotten their PIN entirely which requires a reminder or a new PIN to be send by post. In the US the process appears to be different as the banks I spoke to don't allow PIN resets at the ATM, instead relying on a process whereby the customer must appear in person at the bank with their card and ID. 

Melvin Haskins
Melvin Haskins - Haston International Limited - 30 October, 2014, 13:44Be the first to give this comment the thumbs up 0 likes


I have changed the PIN on my US card by calling an 0800 telephone number and answering a number of automated questions - date of birth; month and year in which the account was opened, as well as providing the card number and the expiry date. However, I do agree that retaining signatures is foolish.

Pat Carroll
Pat Carroll - ValidSoft - London 30 October, 2014, 13:50Be the first to give this comment the thumbs up 0 likes

The process you describe makes total sense Melvin, in particular as Chip and PIN is primarily focused on the international traveler (if I am abroad I can't present myself at my branch). It does also highlight additional potential security vulnerabilities concerning PIN resets and spearphishing.

Pat Carroll

Pat Carroll

Founder/Executive Chairman


Member since

17 Mar 2011



Blog posts




This post is from a series of posts in the group:

Disruption in Retail Banking

Growth in internet and mobile technologies has transformed many industries and economies. The market forces and competitive landscape has completely changed in many sectors. iTunes has fundamentally changed music industry, Amazon has driven most big brick and mortar book sellers out of business, Expedia is one of the worlds' biggest travel company….. the list goes on. Internet and mobile technologies are big disrupters for most industries. What started (and tapered a bit!) with the dot com boom of 2000 has become a lethal threat to most business models today. Powered by mass adoption in mobiles phones, proliferation of smart phones and cheaper band-width, internet and mobile technology have changed many industries. The banking industry in has been dominated by a handful of big global or regional banks for 100s of years. While the credit crisis has shaken this industry, the core market forces for the industry have not changed. Will Innovation in Internet and Mobile technologies disrupt retail banking? Will there be 5 new names in global top 10 retail banks in 2020?

See all

Now hiring