Chip and PIN Tech on Your Credit Cards
Believe it or not, chip and PIN technology has been around since 1984, when French banks started testing chip-based credit cards to eventually replaced magnetic-stripe-based cards. But you may not have seen those little metallic chips show up on your credit cards until 2014 or later, and most retailers had until 2017 to install chip-reader terminals. So why the shift in technology? What’s changed? And why did it take the U.S. so long to adopt this technology when it has been used in Europe and other parts of the world since the ‘90s?
Let’s answer the last question first. The U.S. already had a well-built credit card system with strong anti-fraud measures in place when Europe, primarily, began introducing chip and PIN technology into their banking and retail systems. They had a more immediate need for the additional security that chip and PIN tech offers (explained later), so it was worth the upheaval and additional costs of changing systems.
Now that credit cards equipped with chip technology are here to stay in the U.S., here’s what you might want to know.
EMV refers to a security standard for how account information is stored on credit cards. The initialism stands for Europay, Mastercard, and Visa, the three credit companies who started the initiative to change how this personal information is stored and communicated when a credit card transaction takes place. Before EMV, account information—i.e. all the info a thief would need to commit credit card fraud—was stored in the magnetic (mag) stripe on the back of credit cards.
There are two different card verification modes (CVMs) when using a credit card with an EMV chip to verify that the real accountholder and not a fraudster is using the card: chip-and-signature and chip-and-PIN. However, a card can have both capabilities. In fact, all cards issued in the U.S. have a chip-and-signature CVM, with a few having both signature and PIN functionalities. Cards with both capabilities will prefer one over the other, making them either signature-priority or PIN priority. The card issuer will tell you which type your card is either online or in the paperwork mailed with your latest card.
Debit cards also have chip-and-PIN technology and continue to work like they always have.
Chip-and-signature cards will be familiar to Americans as they require a signature to verify transactions. In addition to a chip on the front of the card, there will also be a mag stripe along the back.
The PIN function of EMV tech requires a four-digit PIN to verify use, just like a debit card. Chip-and-PIN and PIN-priority cards are more compatible for use overseas and are more secure in the U.S. This makes sense: merchants abroad have been using the chip-and-PIN EMV system for years, and the PIN verification mode is more secure because it’s easy to forge a signature—and most cashiers don’t even check to see that the signature used matches the one on the card!
A card issuer will assign a PIN after you’re approved for a card, or you’ll be asked to create one. You can change or check your PIN by contacting the card company, either online or by calling.
The security advantages of EMV chip cards are twofold: account security for card-present transactions and prevention of card duplication. This increased security should cut down on credit card fraud, which is better for businesses and consumers.
Here’s how the unique cryptogram that’s created for each transaction with a chip card makes for enhanced user and account security.
When you buy something in person with a credit card (called a “card-present transaction”), the sales terminal needs a way to verify that you’re the true card owner. In the past, you’d slide your card through a reader and the terminal would gather all of your account information from the magnetic strip it just read. The problem with this is that it’s easy for this info to be “skimmed,” or stolen, with a special credit card reader attachment used by thieves.
With a chip, the credit card and terminal communicate to create a unique, one-time-only encrypted code called a token or cryptogram. The token is a number made from information in the chip combined with information in the terminal, but using instructions contained only in the chip. Because this token is dynamic—meaning its used only once for a transaction and then changes—it’s useless if stolen. A thief could not copy it, put it on a fake card, and convince other terminals it’s your card.
Once a merchant’s system has this token, it needs to be decoded to verify it really came from your card’s chip. The token can either be sent to the card issuer over the internet in an online verification, or it can be verified within the terminal in an offline verification. Once the token is verified, the system will know if you have available credit for the purchase and the transaction can proceed. This whole process takes only seconds. If your card has a PIN, you’ll use this to authorize the purchase; if it uses your signature, you’ll sign the terminal’s electronic screen.
Despite these security measures, EMV chip cards can still be vulnerable to fraud. If a card still has a mag stripe, it can be read with a skimmer and copies can be made. So, if you have a card that offers the choice between using the chip, along with a PIN or signature, or swiping the stripe, always opt for using the chip.Go to main navigation