Thales Blog

Chip and PIN – not perfect, but the best we have

February 10, 2010

Cambridge University computer scientists’ discovery of a way to carry out transactions without knowing a card’s PIN hit the headlines yesterday; however, consumers should not lose faith in credit card security. Chip and PIN is by far and away the most secure way of protecting payment transactions currently available.

No security system can claim to be completely bulletproof – there is always a three-way trade-off between cost, ease of use and security, and the industry is constantly looking for improvements. Consequently, the aim of security systems is not to make security unbreakable but to make it unprofitable for criminals to attempt to break it. The benefits of Chip and PIN are proven. After the UK adopted Chip and PIN in 2003, losses on UK high street transactions fell by 55 per cent by 2008. However, not all countries have followed suit, and the US, for example, still uses magnetic stripe cards with signature verification. Verification by signature remains an option even for EMV cards, and it is the availability of this weaker security that has been exploited by the attack highlighted by Cambridge University.

These recent findings should be discussed. However, the bigger problem lies not with Chip and PIN technology itself, but rather with the differing levels of adoption of advanced security technologies and procedures across the industry. The Cambridge scientists’ research provides interesting insight and could be an important input to future revisions of card security technologies.