Chip-and-PIN versus Chip-and-Signature Cards

In an earlier entry, we examined the primary differences between chip-based credit cards and those without. This piece takes a look at two different kinds of chip cards, chip-and-PIN and chip-and-signature, as well as additional safeguarding technologies.

As mentioned in the subhead above, we recently took a look at the chip-and-PIN style of credit card that is already the standard in Europe and many other countries, and is slowly but surely gaining in popularity here stateside. But within the subset of chip-based cards there are two different types – chip-and-PIN and chip-and-signature – and the differences between them are the topic of this follow-up blog post. We’ll also take a look at a few additional security technologies that can significantly help reduce fraud.

Overview

Again, we covered chip-and-PIN cards at length in the previous article, but we’ll provide a brief overview in case you missed it. Chip-and-PIN (or EMV, for Europay, Mastercard, and Visa) cards have a microchip embedded in them that you can see on the front of the card. The chip contains all the account data the older magnetic stripe does, but it also creates a unique, one-time transaction code while in the reader, so a captured code cannot be replayed for another purchase. The PIN entered by the cardholder is an extra layer of protection (in case of a lost or stolen card), and so far this system of cards has been shown to significantly reduce credit card fraud.

Chip-and-signature is slightly different, and has actually been the style of choice for the U.S. banks and financial institutions that have begun the switch to chip-based cards. As you might guess from the names, the primary difference with a chip-and-signature card is that you still use your signature as your method of cardholder verification. A forged signature is obviously much easier to produce than it is for a thief to guess a stolen card’s PIN, so chip-and-signature cards are a bit less secure than their PIN-based brethren. And as most of us can attest, it’s not at all uncommon for retail clerks not to even bother checking whether the signature on the card matches the one on the receipt.

That, coupled with the fact that many automated kiosks don’t involve a signature at all (filling up your tank at the gas station, for instance), makes it easy to see why chip-and-PIN cards are the most secure format of credit card available today, with chip-and-signature cards being a half-measure that adds some security over traditional mag-stripe cards.

But despite the reduction in fraud, even chip-and-PIN cards aren’t perfect. Let’s take a look at a couple of technology solutions that add even greater security to card transactions.

Point-to-Point Encryption (P2Pe)

The advantage of a P2Pe system is that the card data is encrypted at the moment the card is swiped or inserted, inside the reader, before it ever reaches the point of sale (POS) system. A Payment Card Industry (PCI) certified P2Pe card reader encrypts the card information instantly. The encrypted information is then sent to the payment gateway or processor for decryption, meaning the merchant never sees, stores, or handles the customer’s card information in the clear. Once the payment processor has the encrypted information on its secured network, it is decrypted and passed along to the financial institution, which either confirms or rejects the transaction. If confirmed, the merchant is sent the “green light” to go ahead and complete the transaction. While this sounds intricate, the entire process generally takes place in about a second.

Tokenization

Much like P2Pe, tokenization is a technology that aims to reduce credit card fraud and make it more difficult for hackers and thieves to access your data. And although the broad strokes are essentially the same (replacing card data with other alphanumeric information), the process behind it is a bit different. Encryption relies on an algorithm to turn those 16-digit numbers, your name, billing address, expiration date, and any other personally identifiable information (PII) into a code – which is great, except when hackers or thieves somehow get hold of, or crack, the means of reversing that code. If they do, they can recover the card information from every piece of encrypted card data processed with it.

With tokenization, the process is essentially random. Your card information gets transformed into a token for the payment gateway or processor to handle, but that token is not based on any sort of cipher or algorithm. Each card processed gets its own unique, randomized token, meaning that if nefarious parties were to somehow acquire all of the tokens used by a merchant, no amount of codebreaking in the world would ever allow them to get all of the card information the tokens represent, since they are assigned completely at random.

An incredibly oversimplified version would be as follows: with encryption, the number 1 stands for the letter A across all cards in an encrypted system; in a token system, the number 1 could stand for A on one card and for 4 on another, with no rule connecting the two.
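To make the contrast concrete, here is an added illustration (not code from this post, from Bluefin, or from Valued Merchant Services) of a minimal token vault: the token is drawn at random and the only link back to the card number lives in the processor-side lookup table. The Luhn check, the "keep the last four digits" convention, and the rule that a token must not itself be Luhn-valid are assumptions chosen for the example.

```python
import re
import secrets
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example of a tokenization vault (processor side).

    The token is generated with a CSPRNG, not computed from the PAN, so a
    token on its own reveals nothing about the card; only this mapping does.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Refuse anything that is not a plausible card number.
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
            raise ValueError("not a plausible card number")
        while True:
            # Random digits, with the real last four kept so receipts can
            # still show "ending in 1111" (a common format-preserving choice).
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that is Luhn-valid (it could be mistaken for a
            # real PAN) or that was already issued, since random draws can repeat.
            if not luhn_ok(token) and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can map a token back; a merchant holding just the
        tokens has nothing to decrypt."""
        return self._token_to_pan.get(token)
```

Tokenizing the same card twice yields two unrelated tokens, which is exactly the property the paragraph above describes: there is no cipher to break, only a lookup table to protect.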

Solution

John Perry, CEO of Bluefin Payment Systems, said that “The truth is that breaches will continue to occur, as there are smart, resourceful people out there who are committed to fraud.” There is no one solution that will stop all credit card theft, fraud, and data breaches, but enhancing your transaction system obviously leaves you in the strongest possible position by making theft as difficult as possible. Chip-and-PIN, P2Pe, and tokenization also shouldn’t be viewed as mutually exclusive – in fact, using all three together can be the most effective way to safeguard the cardholder, the data in transit, and the stored card data. Talk to Valued Merchant Services today to find out what kind of security we offer in our systems and how we can help protect you and your customers.

By Chris Del Grande
