Chip & PIN vs. Chip & Signature

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

Read Full Story at http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

 


Obama signs chip and PIN executive order


US president Barack Obama has signed an executive order mandating the use of Chip and PIN Technology at executive departments and agencies for card payments.

With more than 100 million Americans falling victim to data breaches over the past year, thanks in part to massive attacks on the likes of Target, Home Depot and JPMorgan, the Obama administration has moved to get its own house in order.

From 1 January, cards issued by the federal government to distribute benefits will have to be chip and PIN, and payment terminals acquired by agencies through the Department of the Treasury will also be upgraded.

“We know this technology works — when Britain switched to a chip-and-pin system, they cut fraud in stores by 70%,” says the president.

For online transactions, Obama has given a group of agencies 90 days to come up with a plan to ensure that all those making personal data accessible to citizens through digital applications use multiple factors of authentication and an effective identity proofing process.

Obama has also set out plans designed to cut the time victims of identity theft have to wait for remediation and actions designed to improve credit score transparency.

“There is a need to act, and to move our economy toward stronger, more secure technologies that better secure transactions and safeguard sensitive data,” says the White House in a statement.

The president called on the private sector to up its game, commending those that have taken action, including breach victims Target and Home Depot, who are now rolling out chip and PIN. Earlier today, a trade body set up to push the migration from magstripes estimated that nearly half of US merchant terminals will accept EMV chip card payments by the end of next year.

In an effort to speed up adoption, there will be a White House Summit on cybersecurity and consumer protection later this year to promote partnership and innovation, with mobile payments a particular focus. Obama is also renewing his call to Congress to enact cybersecurity legislation.

National Retail Federation CEO Matthew Shay says: “We applaud the administration for taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards, among other things.”

Obama admits his card was rejected

At today’s event, Obama revealed that even the most powerful man on the planet can suffer the indignity of having his payment declined. “My credit card was rejected,” at a restaurant in New York last month, the president said. “Fortunately, Michelle had hers.”

Author Bill Trueman is an independent Payments, Fraud & Risk Specialist and Managing Director of UK Fraud and Riskskill.

Source: http://www.finextra.com/news/fullstory.aspx?newsitemid=26601