
An article relating to this blog post on Finextra:

Fraudsters rigging Chip and PIN terminals to steal data - report

Hundreds of Chip and PIN terminals in shops and supermarkets across Europe have been rigged by criminals and used to steal shoppers' card details, according to US national counter-intelligence executi...



Is the use of PIN for every purchase justified?

Every use of the PIN exposes it, and the exposure has a cost attached. For small value transactions, say less than 50 Pounds, it is probably not economically justified.

Moreover, establishments where most of the transactions are low value could probably use much cheaper terminals that do not have PIN pads at all.

No PIN used, no PIN stolen.


Comments: (17)

Matt White - Finextra - Toronto 13 October, 2008, 15:13

Chip and PIN is being well and truly forced down our throats here in Britain.

Last week the BBC reported that a man is considering taking Tesco to court for discrimination after it refused to let him pay by chip and signature.

Tim Arnold has a brain disorder which means he struggles to remember numbers - like PINs.

Tesco refused to let him sign for his payments on two separate occasions despite the fact its tills are capable of accepting signature cards.

A Finextra member 13 October, 2008, 15:36

I remember the PIN issue being discussed on the radio a couple of years back, it was alleged the banks were keeping a bit quiet about Chip and Signature cards. Here's some info on the issue from the RNIB site.

I was taken aback this morning when I paid by debit card in Pret and they didn't need a PIN or anything. Just my card.

A Finextra member 13 October, 2008, 17:55

I bought some sushi from Itsu Canary Wharf today. Bill GBP 3.5, paid by card.... no PIN required. When I asked why, I was told for purchases below 5 GBP no PIN is required. Sounds sensible... is this the only shop following this or have I never noticed?

A Finextra member 13 October, 2008, 19:47

1.  Tesco have no right to refuse chip and signature if the card and the terminal are agreed that this is acceptable.  It is absolutely nothing whatsoever to do with the checkout people!  However, it is Tesco, Tesco is big and Tesco can generally do what it wants.  Rules, what rules?

2.  Banks don't generally have a problem with chip and signature cards.  All of the implementations I have done have always included them.

3. Chip only for low value items is NOT allowed, by the issuers, by the acquirers or by the card schemes.  However, it would appear that some smaller shops think they are like bigger shops and can do what they like.  Rules, what rules?

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv 14 October, 2008, 00:15

1. Under the current scheme, shops are indeed required to get the PIN if the card indicates so, but may waive the requirement at their own risk. Doing so is not going against any rule.

2. I was suggesting that the rules ought to be changed, and a floor limit established for using the PIN. The EMV specifications do allow this, but the brands and the banks chose not to use this feature.


A Finextra member 14 October, 2008, 08:46

At the risk of being shown up to be a fool ...

I have looked through the EMV specs, and I can't find any references to a value driven PIN requirement.  I can see PIN Bypass, but that's not the same thing.

Anyhow, the problem is that after 25 years of mag stripe and PIN, where magstripe cards were easy to copy, PINs were difficult to obtain, as their only use was at ATMs.  The strength of the system was in the PINs, proven by the fact that the ATM card issuers never lost a case.

Chip and PIN has turned that model upside down, and now PINs are easy to get hold of, but the cards are secure.  The strength is now in the card.

It is therefore, I believe, inappropriate to look at ways of reducing the transaction risk by reducing the PIN requirement.  It gives the public the wrong message regarding PIN (Safety in Numbers, and all that good stuff) and begins to pass the responsibility back to the cardholder.

The real weakness is not in the PIN, it is not in the chip, it is in the way that chip and PIN has been implemented by the issuing banks.  Implementing iCVV in the first place would have completely eliminated the possibility of cloning a chip card onto magstripe; upgrading to DDA on the first re-issue would have eliminated the possibility of cloning SDA cards (which we are all aware of, and some of us can do!!).

PIN is not the issue - there is safety in numbers. 

There is no safety in allowing the accountants to drive security policy. 

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv 14 October, 2008, 09:00

In the EMV specifications, see Book 3, clause 10.5, Cardholder Verification, and appendix C3, Cardholder Verification Rule Format. There are X and Y amounts, and a condition code that says how they are to be used.


A Finextra member 14 October, 2008, 11:04

Wake up! Chip and PIN improves security for every transaction and users will get used to it even faster if there is no exception. Norwegians are world leaders in card usage and PIN is NO problem. We are used to it and the problems are far less than the benefits. If you read the article the problematic issue is that someone has managed to distribute fake terminals. That problem is not solved by not using PIN.

Itai Sela - Sela Consulting - 14 October, 2008, 12:28

I think the main problem is not the PIN as well but rather how easy it is to hack a terminal or to put a fraudulent terminal in the market.  There is a very easy way to make sure that the terminal is genuine - very similar to the process that happens with the card.  This way the terminal will need to go through a key exchange process which might not solve this issue (which I agree there needs to be harder rules around the way the terminal vendors ship out their terminals) but will solve many other issues where a terminal will have a fake application and just read the card data.

A Finextra member 14 October, 2008, 14:57

There are two aspects for this.

One would be improving the setup, i.e. card, terminal, transaction (only online transactions allowed), to the maximum security level possible.

Second will be to educate the customers with necessary information and advice about how to be alert during the card/PIN usage, particularly at POS terminals. Also, if the card issuer does not charge for a PIN change transaction, customers can be advised to change their PIN once a week or when a transaction has been done at an unfamiliar location.

And when the customer is doing a transaction at a completely unfamiliar location it's always a risk; the customer needs to be aware that a single use can expose him to a fraudster's net. The card issuer needs to bring this to the customer's notice. With this info the customer, I believe, will always make an informed choice about unfamiliar location card usage.

Joe Pitcher - Irrelevant - Wirral 15 October, 2008, 16:11

PIN is not always required for low value transactions. PayPass and Visa Paywave are designed for low value no CVM transactions.

A Finextra member 16 October, 2008, 14:08

Pin requirement all depends on the POS system. Some merchants require pincodes because their POS only accepts card payments authenticated with pincodes. 

CHIP and PIN has made cards more vulnerable than ever. The proliferation of standalone terminals that accept chip and PIN is a bonanza for card fraudsters. It's like cherry-picking time for them. Cash is king and cloned cards are usually used to do cross-border ATM. With the chip and the PIN, all fraudsters need to do is to skim the magnetic stripe and record the PIN code (or sometimes even implant a card with a chip that registers a valid PIN code no matter what numbers you enter) and make a new card using a WHITE card (thus it's called WHITE PLASTIC fraud). They don't even need to create authentic-looking laminated cards. They also don't need to forge new identity cards to match the information on the cloned cards.

So, wake-up Bjorn Soland. You also might wish that you have not advertised Norway as the leader in chip and pin. That's more cherry trees for card fraudsters.

Joe Pitcher - Irrelevant - Wirral 16 October, 2008, 16:53

It's the mag stripe that is the weak link, not the chip. The cloning, as you rightly point out, is the mag not the chip, so how can Chip & PIN make this situation worse? Once Chip is accepted everywhere or (as UK banks are doing) mag stripe transactions declined, the problem diminishes. Not saying it goes completely as it won't; there will always be a weak link somewhere for fraudsters to exploit, and all we can do is try to make it as difficult and costly for them to do so as possible.

A Finextra member 17 October, 2008, 09:35

The market knows. You can't force the U.S. market to implement chip and pin when the costs outweigh the benefits.

"Brian Triplett, a security executive for the biggest payment network, Visa Inc. of San Francisco, said the company's statistics also show low levels of fraud, roughly one in every 10,000 transactions.


Rather than replacing all the 12 million card readers in the United States with ones that could handle the Chip and PIN standard, Triplett said the money would be better spent on other fraud-fighting technologies. "

What I'm saying is that it's the PROLIFERATION of standalone chip and pin terminals that created the bonanza for fraudsters.


A static pin-code is also weak.

It's just a matter of time until hackers overcome DDA cards as they have done with SDA cards.

--------

To share a personal anecdote, in 2002, 4 men broke into my house in the early morning and started asking me the pincodes for my cards. Since my cards were all issued in the U.S., they had no pincodes. When I said "U.S. cards, no pincodes" - they left my wallet with my cards alone.

Joe Pitcher - Irrelevant - Wirral 17 October, 2008, 11:18

I didn't realise cards were issued in the US with no ATM access...you learn something new everyday.....

A Finextra member 20 October, 2008, 16:45

OK, so I am a fool ...

Have looked at the EMV reference, and after having a quick "conference" here, we are of the opinion that it might just work, although no issuer (in our experience) has even got close to doing anything so creative with the CVM list.  So, no PIN for <£50 is possible, but not exactly sure how the rest of the CVM logic would work in other circumstances (like ATM), and haven't got time to think it all through at the moment.

But, my argument is that the PIN (compromise) is a bit of a red herring, and the safety is actually in the chip (idiot issuers accepted), and this I still stand by.

If iCVV and DDA were implemented, there would be no cloning fraud (unless you could get hold of the card and actually swipe it, but that isn't what's going on in the iffy terminals). 

The only transaction players that are going to lose out as a result of cloning fraud are the issuers, and who cares, it's their fault.

Joe Pitcher - Irrelevant - Wirral 22 October, 2008, 10:21

The CVM logic works fine, you can restrict the usage of a particular method to certain terminal types i.e. unattended cash, purchase with cashback etc.

EMV allows it, whether or not card schemes do is a different matter...
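An added example (not code from the post or any commenter): a small evaluator for the EMV CVM List (tag 8E) structure Jonathan Rosenne points to above, with the X and Y amounts followed by two-byte rules of method code and condition code, applied to a constructed list that waives the PIN under a £50 floor while keeping PIN for unattended cash and cashback, which is the terminal-type restriction Joe Pitcher describes. The method and condition code values follow EMV Book 3; the transaction-type strings, the terminal capability set and the amounts are assumptions made for the example.

```python
from dataclasses import dataclass
APPLY_NEXT_IF_UNSUCCESSFUL = 0x40  # bit 7 of the CVM code byte
METHODS = {0x00: "fail", 0x01: "plaintext PIN (offline)", 0x02: "enciphered PIN (online)",
           0x03: "plaintext PIN + signature", 0x04: "enciphered PIN (offline)",
           0x05: "enciphered PIN (offline) + signature", 0x1E: "signature", 0x1F: "no CVM required"}
@dataclass
class Txn:
    amount_minor: int        # transaction amount in minor units (pence); assumed
    txn_type: str            # "purchase", "cashback", "manual_cash" or "unattended_cash"; assumed labels
    terminal_supports: set   # CVM method codes this terminal can perform
    in_app_currency: bool = True
def parse_cvm_list(data: bytes):
    """Split tag 8E into (X, Y, [(method, apply_next, condition), ...])."""
    if len(data) < 8 or (len(data) - 8) % 2: raise ValueError("malformed CVM List")
    x, y = int.from_bytes(data[:4], "big"), int.from_bytes(data[4:8], "big")
    rules = [(data[i] & 0x3F, bool(data[i] & APPLY_NEXT_IF_UNSUCCESSFUL), data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules
def condition_met(cond: int, method: int, t: Txn, x: int, y: int) -> bool:
    """Condition codes from EMV Book 3 Annex C3; an unknown code means 'skip this rule'."""
    if cond >= 0x06 and not t.in_app_currency:
        return False                     # amount tests are only defined in the card's currency
    return {0x00: True, 0x01: t.txn_type == "unattended_cash",
            0x02: t.txn_type not in ("unattended_cash", "manual_cash", "cashback"),
            0x03: method in t.terminal_supports, 0x04: t.txn_type == "manual_cash",
            0x05: t.txn_type == "cashback", 0x06: t.amount_minor < x, 0x07: t.amount_minor > x,
            0x08: t.amount_minor < y, 0x09: t.amount_minor > y}.get(cond, False)
def select_cvm(data: bytes, t: Txn) -> str:
    """Walk the rules in order; the first applicable, supported method is the one attempted."""
    x, y, rules = parse_cvm_list(data)
    for method, apply_next, cond in rules:
        if not condition_met(cond, method, t, x, y):
            continue                     # rule does not apply to this transaction
        if method in t.terminal_supports:
            return METHODS[method]       # terminal performs this CVM
        if not apply_next:
            return "fail"                # unsupported here and no fallback permitted
    return "fail"                        # list exhausted
# Constructed CVM List: X = 5000 (GBP 50.00), Y unused; rules are tried top to bottom.
SAMPLE_CVM_LIST = bytes.fromhex(
    "00001388" "00000000"
    "4201"   # unattended cash (ATM): enciphered online PIN, fall through if unsuccessful
    "0001"   # ... and then fail, so cash never reaches the no-CVM rule below
    "4205"   # purchase with cashback: enciphered online PIN
    "1F06"   # under X: no CVM required (the floor limit proposed in the post)
    "4200"   # otherwise: enciphered online PIN, fall through if unsuccessful
    "1E00"   # ... then signature
    "0000")  # ... then fail
ATTENDED_POS = {0x02, 0x1E, 0x1F}   # assumed POS able to do online PIN, signature and no-CVM
```

The same list gives "no CVM required" for a £3.50 purchase but online PIN for a £20 cash withdrawal or cashback, which is the behaviour the two comments describe the CVM list as able to express.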
