News & Views - Savantor

Chip & PIN “Failings”?

Friday, 01 April 2005

There have been some recent items in the media notably the 'London Tonight' programme and 'Tonight with Trevor Macdonald' which have focused on supposed security weaknesses with Chip and PIN(C&P).  Apparently these programmes also mentioned the fact that the fraud that C&P was brought in to target, Counterfeit and Lost and Stolen fraud, both went up in the last year and that , therefore, the C&P initiative is a failure. 

What has been conveniently missed out from these programmes is that C&P is a migration and that whilst we still have PIN Bypass available at POS and fallback available from chip to mag stripe there will still be loopholes available to fraudsters to use.  This was a joint industry decision between Banks and Retailers worried about upsetting their cardholders by putting too much pressure on them asking them to remember 4 numbers.

In the TV programmes much emphasis was put on the fact that a copy can be made of the mag stripe on a chip card and the fake card used to take money out of an ATM. 

Whether the code indicating that a chip is present on the card can be turned off is debateable, but why bother?  Hitting the chip with a hammer or covering it with cellotape has the same effect in making it fallback to mag stripe.  Also the only reason they could get money out of an ATM was that they copied a card for which they already knew the PIN.  The PIN is not on the mag stripe and cannot be read from the chip.

If it is a stolen card and the fraudster does not have the PIN they only have 3 attempts to guess the correct PIN at an ATM or a POS.  This is unlikely to succeed.

There is also the suggestion that C&P is inherently weaker than mag stripe because fraudsters can look over your shoulder in a shop and see your PIN before stealing your card and that once they have your card and PIN they can now use it at ATM's as well as POS.  How this is easier than copying a signature which is conveniently displayed on the back of a card and which retailers never look at anyway is not clear to me.  Fraudsters already target branches to make cash withdrawals over the counter with stolen/fraudulent mag stripe cards.  If cardholders

a) look over their shoulders first

b) don't write their PIN number down and keep it with their cards

c) change their PIN if they can't remember their current number

then that seems like a more secure system rather than a less secure one.

The fraud figures are likely to continue to rise until PIN Bypass is removed – probably in 2006.  Counterfeit went up by 17% to 129m and L&S went up by 2% to 114m.  Fraudsters are not stupid.  They realise that time is running out for this type of fraud in the UK therefore they are maximising their ROI and hitting the weak spots as hard as they can.  Total fraud has increased from £135m in 1998 to £504m in 2004 – a growth rate which would be very attractive to investors if fraudsters were a plc!  Without C&P the 2004 figure may well have been around £800m.

Fraud is also migrating from Counterfeit and Lost and Stolen to Card Not Present (up 24% to £150.8m).  From the end of 2005 when somewhere around 95% of cards will have been upgraded and the majority of transactions will be C&P these two types of fraud will start to decline and when PIN Bypass is switched off the decline will accelerate rapidly.  CNP will then even more rapidly become the fraudster's preferred choice of income stream. 

There are processes available to retailers to reduce CNP fraud – notably AVS and CVV2.  However, CVV2 is still only used in 1 in 3 Visa transactions and VbV/SecureCode is also not yet attracting merchants in the numbers necessary to make this system viable as a fraud prevention. 

Schemes/Acquirers need to push harder on the existing systems to broaden the protection they can offer cardholders.  Several UK banks are also looking at Chip Authentication Programmes (also known as two factor authentication) to utilise the chip and PIN cards in the CNP environment.  These are small, remote calculator like devices which can be used to generate a one time number for use in on line banking and online retailing.  As this provides wider usage of the investment in chip and PIN this is clearly an area of interest to banks and retailers.  As the technology has been proven the major question now is who pays for the devices – the banks or the cardholders?

As an industry we need to put effort behind these initiatives in CNP to avoid having to wait, as we did with Chip and PIN, for fraud to reach big enough levels for someone to shout.

Savantor Services

Savantor Services

Savantor services are tailored to Client needs based on our core service areas

Specialist Resourcing Payments Strategy Platform Transition Operational Efficiency
Savantor Services

Job Opportunities

Consulting and contracting roles in the payments, mobile and banking arena within the UK and across Europe

View more
Savantor Services

Savantor Views

Find out more from our Savantor brochures, MarketEye back copies and Industry opinion

Collateral Market Eye News & Views Sign Up to receive MarketEye

Client Quotes

Payments Workshop Material

"Savantor helped ACI build a payments onboarding workshop for new technical staff in ACI EMEA. Their extensive experience took our outline and built a great starting presentation of industry facts that we have now customised further into a half day session that is used for all new joiners. Our Americas and APAC regions have also taken the material and customised it for their regions. A great job by Savantor has meant new joiners to ACI hit the ground running."

Richard Sanders, Principal Solution Consultant - ACI - Worldwide EMEA

Complex Multi-Country Migration

"This complex migration, undertaken simultaneously in Spain and Portugal, has been a complete success. Savantor has provided us with excellent support for over 3 years, both in the original business transformation programme and now this double migration. We value their open and honest approach to business, and of course the expertise that they bring."

Ricardo Gomez, Director, Operations & Technology - WiZink Bank – Spain & Portugal

Card Migration

"I was impressed by the speed with which the Savantor team were able to start delivering and as a team they have made a significant contribution to the success of the Programme."

Bjorn Niels, Programme Director - ABN AMRO Bank - The Netherland

Acquirer Specialist Support

"OP-Pohjola Group has used Savantors help in numerous different specialist projects differing from risk assessment to management tool creation to transaction analysis. We have been very satisfied by the quality of the service provided by Savantor's experts."

Kai Lindstrom, Head of Acquiring - OP-Services Ltd - Finland

Acquirer Risk Assessment

"The expertise provided by Savantor has greatly helped us evaluate our risk position and to take the right steps in managing our future risks. Strong, disciplined planning and an ongoing willingness to work closely with our staff played an enormous part in making this a very successful well-delivered project which will greatly help us in achieving our business goals."

Mark Healy, Chief Risk Officer - NEOVIA Financial - UK

Acquirer Strategy and Operating Model

"Savantor brought an effective blend of European acquirer market expertise and transaction processing solution design. Their experts quickly forged strong working relationships with our team. We enjoyed working with them to create our future acquirer strategy."

Mikko Hyttinen, SVP - Lending Services - OP-Pohjola Group - Finland

Credit Card Migration and Operational Support

"The bank has undergone significant transformation of its card business on both the issuing and acquiring sides. One business partner we have looked to for support in the areas of strategy, major project leadership, management analysis and ongoing business support is Savantor. The Savantor team has contributed to our success as we have leveraged their deep industry knowledge and broad range of operational skills."

Sean Sheehan, Service Management Director - Bank of Ireland

Commercial Card Migration

"Execution at its best. We're delighted that this project has been truly outstanding and received an award from 'The Banker'. Savantor provided crucial expertise that helped us keep all our promises in terms of delivery. The scheduling, planning and control regime throughout was excellent."

Chris Mason, Director - Commercial Cards EMEA - Citi - UK

Clients - Request Support

Send us a support request and one of our specialists will be in contact to assist you.

Consultants – Upload your CV

Register your CV with us and gain access to a range of job opportunities through our online job search portal.