Talk:Chip and PIN: Difference between revisions

I've removed some paragraphs which contained some fact and some personal interpretation from the article; I hope someone will be able to reinsert the usable material from them in a more encyclopedic fashion. (Where you see italicized text, material was added in the middle of an existing paragraph, and the italics denote the text that was there before.) -- Antaeus Feldspar 21:21, 22 Nov 2004 (UTC)

• The new chip and pin system is being advertised as a way of reducing card fraud at an expense in the UK approaching £300 million pounds, a cost significantly less than the potential savings if successful. It is questionable whether any such savings made as a result of the new system will be passed onto their respective British customers. Further more it is likely a way of transferring responsibility for card fraud from the Bank to the customer. It is currently the Banks responsibility to compensate customers for any spending on an ordinary bank card following the reporting of a theft and a purchases being made with a counterfeited signature. However, with chip and pin the likelihood of a four digit pin number being obtained is immeasurably greater. Acquisition of pin numbers currently is limited to the cash machine where you are generally alert and the machine is reasonably well shielded but with chip and pin coupled to the poorly designed card machines; cheaply produced and with no real measures taken to prevent the observation of a pin number (general visibility on all sides). From a banks point of view if withdrawals/purchases are made with the corresponding pin number then whose fault is it that t years he money was illegitimately obtained. Surely it should rest with the person whose account it is. It is therefore the responsibility of the victim of fraud to prove to the bank/court that the pin number was not carelessly given out/recorded and that they had taken all reasonable action to safe guard against fraud. Is this measure really needed, after all how many times do you make a purchase with your card and received your card back simultaneously as you hand the cashier the signed receipt.

• France has cut card fraud by more than 80% using a similar, but incompatible system. Although the french system is less advanced than the system currently being rolled out in the UK; the french system was introduced at a time when no other countries posesed such a system and thus most corresponding organised crime asociated with debit/credit card fraud fled predominantly to the UK but also to the Netherlands and Denmark. It is worth keeping in mind that when the Dutch intoduced a chip and pin system no real reduction in card fraud occurred comparable to that experienced by the French some years earlier. Chip and PIN is the name given to the initiative in the UK but countries worldwide are launching their own initiatives based on the EMV standard, which is a group effort between Europay, MasterCard and VISA. By the end of 2004, 100 countries will be using compatible systems based on this standard, and France aims to migrate its existing systems to be compatible with the new cards.

Chip and PIN cards in the UK (not sure if this applies elsewhere but pretty sure it does) have a signiture with them as well, this allows for user to facilitate their signiture in cases where the chip and PIN machine may not be functioning. A little known fact is that if you request to sign instead of use your PIN then the shop must allow you, this is so that people with illnesses such as Dislexia, Parkinsons or other mental and memory related illnesses who cannot make use of the PIN functionality, are not discriminated against. So all in all with the combination of increased risk of revealing your PIN to people by using it more often and criminals abilities to still use the signiture, they are not safer and Chip and PIN's main security benefits rest solely on the criminal communities ignorance.

Chip and Signature Vice PIN:

The Guardian article, ‘Safety in Numbers? Not Likely,’ http://money.guardian.co.uk/creditanddebt/creditcards/story/0,1456,1336619,00.html suggests we can do little if we have issues with having a PIN. This could be one having no trust in PIN security, either PIN issuing methods, physical PIN pad security or faith in our own ability to remember seldom used numbers or fears over liability shift.

Card issuers being card issuers are not telling us the whole truth, in fact they are trying to force PINs onto consumers who are totally unable to manage a PIN never mind those of us who fall into the afore mentioned category. ‘Confusion over Chip and PIN is worse than expected.’ http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2005/03/11/nchip11.xml

The point is anyone who insists can have a Chip & Signature Card vice Chip & PIN. A Chip and Signature Card when inserted into the new type card reader, reads to the Chip to ensure the card is genuine and hasn’t been reported lost or stolen. When this is done, rather than a prompt asking the cardholder to enter a PIN, a transaction slip is produced for the cardholder to sign in the normal manner.

The choice is yours, Chip & PIN or Chip & Signature. If you opt for Chip & Signature then beware you have to be firm with your card issuer. In my own experience acquiring a Chip & Signature Debit card is a lot easier than acquiring a Chip & Signture Credit Card.

Hopefully not too POV, but I haven't included any references yet.

One thing I would say though, is that it is extremely easy to know a person's PIN by being behind them at Sainsburys -- I've yet to see anyone who successfully shielded their PIN so that I couldn't read it.

In fact, it's pretty obvious just from the delay between subsequent keypresses which numbers someone has typed, even if they do hold their hand over the keypad (which only prevents viewing from one direction) Ojw 18:18, 16 October 2005 (UTC)[reply]

Referencing the above stats. etc. would be add strength to this critic

It talks about the new system having introducing a whole lot of new card reader machines increasing the likelyhood of duplicating cards. I don't see this as being the case, as a magnetic card duplicator could have been used in every instance where chip duplication can occur currently... Every place in the new system was clonable in the old system, so no MORE OPPORTUNITIES TO CLONE CARDS

Stealing cards in post could be done in the old system also...

It doesn't mention the benefit of the card potentially being useless, if stolen without the pin.... kinda obvious but should be there.

I'd also like to see statistics on fraud and sources of those statistics...

Talking of sources, please remember to sign and date your talk entries.--Ear1grey 13:52, 28 February 2007 (UTC)[reply]

This system has proved reasonably effective, but has a number of security flaws, including the ability to steal a card in the post, or to learn to forge the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, allowing cards to be easily cloned and used without the owner's knowledge.

Chip and PIN doesn't address the problem of postal theft since it is just as easy to steal a chip card as it is to steal a magstripe card. The only additional security is that you need to steal two items of mail (card plus PIN notifier) rather than just one - which isn't going to bee too difficult.

The equipment to read and write magstripes isn't new or black market. These readers have been openly available to the public since magstripe cards were first used.

58.11.33.178

• In my opinion EMV and Chip and PIN should remain separate. One refers to the technology whereas the other refers to the UK initiative. However, comments on the safety and security of the Chip and PIN/EMV technology belong in the EMV article unless they are UK-specific. --Jal 14:13, 17 May 2006 (UTC)[reply]

• I agree they should remain separate. One is UK (Chip and PIN) and the other is World wide 'Standard'.

The safety of the PIN method is not related to EMV (Which is a standard), but to the way it is implemented (i.e using PIN as the verification). It could be in either! Ben 16:06, 23 May 2006 (UTC)[reply]

"Under the old system, a customer would have to hand their card to the assistant for each payment. In certain environments such as restaurants, for example, this often meant that the card would be taken away from the customer to the card machine. This is no longer the case with the introduction of Chip and PIN as wireless PIN pads have been introduced that can be brought to the customer's table." How is this a benefit? Chip and Pin tableside payment in restaurants confuses the technophobic/slightly dozy [often to the extent that a customer end up paying too much or too little for their meal], rushes customers and yet manages not to be any faster than the old method, creates problems if there is a language barrier [i speak from personal experience here] and it is just downright uncouth and higly impersonal to have a machine plonked in front of your face at the end of a meal. Suggest either careful rewording or removal of this section. who's with me?

I think it is a benefit (or at least an improvement) for the purpose of the article. I could probably do with a little rewording to say WHY it is a benefit - along the lines of reducing the chances of card cloning (by an restaurant employee quickly copying the mag swipe), as the card does not leave your view - but do not think it should be deleted as it could be used to help explain reasoning behind C&P (even if you or I, may or may not agree with the reasoning). From a NPOV, technophobic people will probably have an issue wherever they pay with a C&P card, and paying by these machines will be something people will get used too. Language issues would be same for static and mobile machines. Having a machine plonked in front of you seems down to the (bad) restaurants staff not the C&P format. There is already a large critisums section, and the benefits section should be BIGGER not smaller or deleted to make the article more NPOV. Ben 19:20, 19 June 2006 (UTC)[reply]

just wondering why american express in the states is the only company to also do chip and pin?

Regarding an edit asking for a citation for the origins of the phrase "liability shift": I was responsible for the original edit, and cannot provide a citation for this. I was heavily involved in early UK chip & PIN development, as a software vendor. As such, the quotation is word-of-mouth from an insider. It is, nonetheless, true