Shopping on line can be easy, simple and save you lots of money. It can also take a lot of your time, frustrate you, and result in unwanted purchases. Now the same can be said for regular high street shopping, but with the vast opportunity presented by the Internet it will pay you to spend a few minutes reading this and understanding how to better optimize your Chip And Pin shopping experience:

1. Compare - without doubt the biggest advantage that the Chip And Pin offers shoppers today is the ability to compare thousands of Chip And Pin at a time. This is a great thing, but not necessarily all the time! Too much can be daunting at times so take advantage of the great comparison sites and where possible let them do the hard work for you.

2. Research - if it has been said it will be on the internet. Ignorance is no longer a justifiable reason for buying the wrong thing. Take the time to research in detail everything that you could possible want to know about

3. Testimonials - don't know anybody that has bought a Chip And Pin? Wrong! If the Chip And Pin is good the internet will let you know. Use the Internet as a friend and get testimonials before you buy.

4. Questions - Got a question about Chip And Pin then search the Forums, FAQ's, Blogs etc. Don't be afraid to ask .....

5. Reputation - Never heard of the company selling Chip And Pin? Don't worry, no reason why you should know every company in the world, but you know someone that does! Use the internet to find out what people are saying about Chip And Pin and build up a picture of their reputation for sales, returns, customer service, delivery etc.

6. Returns - still worried that even after all of the above your Chip And Pin wont be what you want? Check out the returns policy. There is so much competition now that someone, somewhere is bound to offer the terms that you are comfortable with.

7. Feedback - happy with your Chip And Pin then let people know, after all you are depending on others people input in your buying decision, so why not give a little back.

8. Security - check for the yellow padlock on the Chip And Pin site before you buy, and the s after http:/ /i.e. https:// = a secure site

9. Contact - got a question about Chip And Pin, or want to leave a comment then check out the sites contact page. Reputable companies have them and respond.

10. Payment - ready to pay for your Chip And Pin, then use your credit card or PayPal! Be aware of companies that don't accept them, there may be genuine reasons but given the huge amount of choice you have when buying online there is no reason at all not to buy via credit card or PayPal.

Chip and PIN is the name of a government-backed initiative in the United Kingdom to implement the EMV standard for secure payments. There is also a similar initiative in the Republic of Ireland called Chip and PIN Ireland.

History Until the introduction of Chip and PIN, all face-to-face credit card or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under this system, the customer hands their card to the clerk at the point of sale, who either "swipes" the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the account details are verified and a slip for the customer to sign is printed. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the signature matches that on the back of the card to authenticate the transaction.

This system has proved reasonably effective, but has a number of security flaws, including the ability to steal a card in the post, or to learn to forgery the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, allowing cards to be easily cloned and used without the owner's knowledge.

How it works To solve this, banks and retailers are replacing traditional magnetic stripe equipment with that based around smartcards, which contain an embedded microchip and are authenticated automatically using a Personal identification number. When a customer wishes to pay for goods using this system, the card is placed into a "PIN pad" terminal (often by the customer themselves) or a modified swipe-card reader, which accesses the chip on the card. Once the card has been verified as authentic, the customer enters a 4-digit PIN, which is checked against the PIN stored on the card; if the two match, the transaction will be automatically completed.

France has cut card fraud by more than 80% using a similar, but incompatible system. Chip and PIN is the name given to the initiative in the UK but countries worldwide are launching their own initiatives based on the EMV standard, which is a group effort between Europay, MasterCard and VISA (credit card). By the end of 2004, 100 countries will be using compatible systems based on this standard, and France aims to migrate its existing systems to be compatible with the new cards.

Note that "cardholder not present" transactions such as Internet, telephone or mail order purchases are not affected by the introduction of the Chip and PIN system. Since these are also major areas of fraud, other initiatives such as Verified by Visa and MasterCard SecureCode—both of which are implementations of Visa's 3-D Secure protocol—are being developed to improve security in these situations, such as additional security codes printed on the back of the card and more complex authentication services.

Conversion Chip and PIN was trialled in Northampton from May 2003, and as a result was rolled out nationwide in 2004 with advertisements in the press and national television touting the Safety in Numbers slogan. During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN. However, as of January 1 2005, the liability for such transactions was shifted to the retailer. This acted as an incentive for retailers to upgrade their Point of sale (PoS) systems, and most major high street chains upgraded on time for the EMV deadline. Nonetheless, many smaller businesses are still reluctant to upgrade their equipment, as it may require a completely new PoS system - an investment they may normally make only after several years.

New cards featuring both magnetic stripes and chips are being issued in increasing numbers by all major banks. This replacement of actual cards has been a major issue, with some banks simply stating that consumers will receive their new cards "when their old card expires" - despite many people having old cards with expiry dates as late as 2007. The card issuer Switch Card Scheme lost a major contract with HBOS to VISA (credit card) as they were not ready to issue the new cards as early as the bank wanted to. This change has angered many, as Visa's Visa Electron cards are generally not accepted online, unlike Switch's Solo (debit card).

When a customer does not know their PIN, or the PIN verification fails, the cashier can instigate a PIN Bypass, allowing a signature to complete the transaction. However, this PIN Bypass option was only scheduled to be available during the infancy of Chip and PIN within the UK. From February 14 2006 the banks have decided to discourage this facility. From this date on, PIN verification should be used for all Chip and PIN enabled cards. Should the customer not know their PIN then the cashier can still instigate a PIN Bypass transaction (with signature), however, the card issuer/bank may choose to decline the transaction.

Cardholders who are incapable of entering a PIN because of a mental or physical disability can contact their bank to be issued with a so-called Chip and Signature card.

In the Republic of Ireland, a PIN must be used with chip and PIN enabled cards and this came into effect on St. Patrick's Day 2007 (17 March, 2007).

Benefits Under the old system, a customer would have to hand their card to the assistant for each payment. In certain environments such as restaurants, for example, this often meant that the card would be taken away from the customer to the card machine. This is no longer the case with the introduction of Chip and PIN as wireless PIN pads have been introduced that can be brought to the customer's table.

Criticism Decreased security for PINs

Direct observation Before Chip and PIN, a person's PIN would only be entered at an Automatic teller machine in a bank or other secure area. However, the use of PINs in supermarkets, bars, and shops forces the customer to type their PIN in plain view of all other customers waiting behind them in the queue. Because of the difficulty of shielding a PIN (supermarkets often elevate the keypad, which is visible from all directions), it is relatively easy to gain another person's PIN by watching them buy groceries. Also, counterfeit PIN pads are sometimes used in systems which still swipe the magnetic strip, allowing the fraudster to clone the card and know the PIN for use in older-style ATM's that only read the magnetic strip.

Indirect observation Security cameras that are installed to deter shoplifters and opportunist thieves may also compromise the security of Chip and PIN, because stores often focus a camera on the cash register and the customer; consequently a recording of the customer entering their PIN can be replayed and analysed at leisure. PIN Security may therefore depend on how the store protects the transmission and storage of such recordings.

There is also the factor of cardholders not bothering/being able to remember the pin code. Therefore it is sometime written down on a piece of paper in their wallet, saved as an entry in a mobile phone contacts list, or in some cases even written on the inside of the wallet. If for example this person had lost the wallet or had it stolen, then the pin code is with the card and the account is easily compromised.

Opportunities to clone magnetic stripes In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing him to reconstruct a magnetic stripe card which can then be used, for example, in terminal devices which permit fallback to magstripe processing. This attack is only possible where (a) the offline PIN is presented in plaintext by the PIN entry device to the card, where (b) magstripe fallback is permitted by the card issuer and (c) where geographic and behavioral checking may not be carried out by the card issuer.

Within the UK and Ireland, plaintext offline PIN is the standard mode of operation, and cards which support encrypted offline PIN are rare, despite being common in other countries. Permitting magstripe fallback transactions to take place is a well-known risk to card issuers and has been permitted while the fraud levels are low, in order to facilitate cardholders. If magstripe fallback fraud levels grow, this processing option will be disabled at those card issuers where it's not already been disabled. Finally, geographic and behavioral fraud analysis tools are in use in many card issuers and are capable of tracking and declining suspicious transactions -- for example, an EMV card-present transaction at a UK ATM followed, two hours later, by a magstripe fallback transaction in the Far East.

This conversation-capturing attack is the form of attack which was reported to have taken place against Shell in May 2006, when they were forced to disable all EMV authentication in their petrol stations.

Decreased liability for banks A common criticism of the Chip and PIN implementation is that it was done to reduce the liability of banks in cases of credit card fraud, by putting the burden of proof on the customer to prove that their PIN was compromised, rather than on the bank having to prove that the signature did not match. Rather than being a mere cynical opinion, this is actually supported by the almost-universal usage of the term "Liability Shift deadline" to refer to the 1 January 2005 within the UK payment card industry. However, the financial institutions are still bound by The Banking Code, which states that the burden of proof is on the bank to prove their claims of negligence as opposed to the consumer having to prove his or her innocence.

Before chip and pin, if a customer's signature was forged, the banks were liable and had to reimburse the customer. Currently there is no such law protecting consumers from fraudulent use of their chip and pin transactions, only a voluntary banking code. Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated in a BBC Watchdog programme one example attack, to illustrate that Chip and PIN is not secure enough to justify such a shift in liability. .

See also

External links

Problems

Chip and PIN is the name of a government-backed initiative in the United Kingdom to implement the EMV standard for secure payments. There is also a similar initiative in the Republic of Ireland called Chip and PIN Ireland.

History Until the introduction of Chip and PIN, all face-to-face credit card or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under this system, the customer hands their card to the clerk at the point of sale, who either "swipes" the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the account details are verified and a slip for the customer to sign is printed. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the signature matches that on the back of the card to authenticate the transaction.

This system has proved reasonably effective, but has a number of security flaws, including the ability to steal a card in the post, or to learn to forgery the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, allowing cards to be easily cloned and used without the owner's knowledge.

How it works To solve this, banks and retailers are replacing traditional magnetic stripe equipment with that based around smartcards, which contain an embedded microchip and are authenticated automatically using a Personal identification number. When a customer wishes to pay for goods using this system, the card is placed into a "PIN pad" terminal (often by the customer themselves) or a modified swipe-card reader, which accesses the chip on the card. Once the card has been verified as authentic, the customer enters a 4-digit PIN, which is checked against the PIN stored on the card; if the two match, the transaction will be automatically completed.

France has cut card fraud by more than 80% using a similar, but incompatible system. Chip and PIN is the name given to the initiative in the UK but countries worldwide are launching their own initiatives based on the EMV standard, which is a group effort between Europay, MasterCard and VISA (credit card). By the end of 2004, 100 countries will be using compatible systems based on this standard, and France aims to migrate its existing systems to be compatible with the new cards.

Note that "cardholder not present" transactions such as Internet, telephone or mail order purchases are not affected by the introduction of the Chip and PIN system. Since these are also major areas of fraud, other initiatives such as Verified by Visa and MasterCard SecureCode—both of which are implementations of Visa's 3-D Secure protocol—are being developed to improve security in these situations, such as additional security codes printed on the back of the card and more complex authentication services.

Conversion Chip and PIN was trialled in Northampton from May 2003, and as a result was rolled out nationwide in 2004 with advertisements in the press and national television touting the Safety in Numbers slogan. During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN. However, as of January 1 2005, the liability for such transactions was shifted to the retailer. This acted as an incentive for retailers to upgrade their Point of sale (PoS) systems, and most major high street chains upgraded on time for the EMV deadline. Nonetheless, many smaller businesses are still reluctant to upgrade their equipment, as it may require a completely new PoS system - an investment they may normally make only after several years.

New cards featuring both magnetic stripes and chips are being issued in increasing numbers by all major banks. This replacement of actual cards has been a major issue, with some banks simply stating that consumers will receive their new cards "when their old card expires" - despite many people having old cards with expiry dates as late as 2007. The card issuer Switch Card Scheme lost a major contract with HBOS to VISA (credit card) as they were not ready to issue the new cards as early as the bank wanted to. This change has angered many, as Visa's Visa Electron cards are generally not accepted online, unlike Switch's Solo (debit card).

When a customer does not know their PIN, or the PIN verification fails, the cashier can instigate a PIN Bypass, allowing a signature to complete the transaction. However, this PIN Bypass option was only scheduled to be available during the infancy of Chip and PIN within the UK. From February 14 2006 the banks have decided to discourage this facility. From this date on, PIN verification should be used for all Chip and PIN enabled cards. Should the customer not know their PIN then the cashier can still instigate a PIN Bypass transaction (with signature), however, the card issuer/bank may choose to decline the transaction.

Cardholders who are incapable of entering a PIN because of a mental or physical disability can contact their bank to be issued with a so-called Chip and Signature card.

In the Republic of Ireland, a PIN must be used with chip and PIN enabled cards and this came into effect on St. Patrick's Day 2007 (17 March, 2007).

Benefits Under the old system, a customer would have to hand their card to the assistant for each payment. In certain environments such as restaurants, for example, this often meant that the card would be taken away from the customer to the card machine. This is no longer the case with the introduction of Chip and PIN as wireless PIN pads have been introduced that can be brought to the customer's table.

Criticism Decreased security for PINs

Direct observation Before Chip and PIN, a person's PIN would only be entered at an Automatic teller machine in a bank or other secure area. However, the use of PINs in supermarkets, bars, and shops forces the customer to type their PIN in plain view of all other customers waiting behind them in the queue. Because of the difficulty of shielding a PIN (supermarkets often elevate the keypad, which is visible from all directions), it is relatively easy to gain another person's PIN by watching them buy groceries. Also, counterfeit PIN pads are sometimes used in systems which still swipe the magnetic strip, allowing the fraudster to clone the card and know the PIN for use in older-style ATM's that only read the magnetic strip.

Indirect observation Security cameras that are installed to deter shoplifters and opportunist thieves may also compromise the security of Chip and PIN, because stores often focus a camera on the cash register and the customer; consequently a recording of the customer entering their PIN can be replayed and analysed at leisure. PIN Security may therefore depend on how the store protects the transmission and storage of such recordings.

There is also the factor of cardholders not bothering/being able to remember the pin code. Therefore it is sometime written down on a piece of paper in their wallet, saved as an entry in a mobile phone contacts list, or in some cases even written on the inside of the wallet. If for example this person had lost the wallet or had it stolen, then the pin code is with the card and the account is easily compromised.

Opportunities to clone magnetic stripes In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing him to reconstruct a magnetic stripe card which can then be used, for example, in terminal devices which permit fallback to magstripe processing. This attack is only possible where (a) the offline PIN is presented in plaintext by the PIN entry device to the card, where (b) magstripe fallback is permitted by the card issuer and (c) where geographic and behavioral checking may not be carried out by the card issuer.

Within the UK and Ireland, plaintext offline PIN is the standard mode of operation, and cards which support encrypted offline PIN are rare, despite being common in other countries. Permitting magstripe fallback transactions to take place is a well-known risk to card issuers and has been permitted while the fraud levels are low, in order to facilitate cardholders. If magstripe fallback fraud levels grow, this processing option will be disabled at those card issuers where it's not already been disabled. Finally, geographic and behavioral fraud analysis tools are in use in many card issuers and are capable of tracking and declining suspicious transactions -- for example, an EMV card-present transaction at a UK ATM followed, two hours later, by a magstripe fallback transaction in the Far East.

This conversation-capturing attack is the form of attack which was reported to have taken place against Shell in May 2006, when they were forced to disable all EMV authentication in their petrol stations.

Decreased liability for banks A common criticism of the Chip and PIN implementation is that it was done to reduce the liability of banks in cases of credit card fraud, by putting the burden of proof on the customer to prove that their PIN was compromised, rather than on the bank having to prove that the signature did not match. Rather than being a mere cynical opinion, this is actually supported by the almost-universal usage of the term "Liability Shift deadline" to refer to the 1 January 2005 within the UK payment card industry. However, the financial institutions are still bound by The Banking Code, which states that the burden of proof is on the bank to prove their claims of negligence as opposed to the consumer having to prove his or her innocence.

Before chip and pin, if a customer's signature was forged, the banks were liable and had to reimburse the customer. Currently there is no such law protecting consumers from fraudulent use of their chip and pin transactions, only a voluntary banking code. Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated in a BBC Watchdog programme one example attack, to illustrate that Chip and PIN is not secure enough to justify such a shift in liability. .

See also

External links

Problems



Chip and PIN - Home
An introduction to the UK Chip and PIN programme. What is chip and PIN? Chip and PIN is the new, more secure way to pay with credit or debit cards in the UK.

Chip and PIN - Consumer Information
all chip and pin cardholders must know their pin on their chip and pin card to be sure they can pay. the consumer chip and pin guide (pdf)

Chip and PIN Solutions - Terminal
Secure Credit Card Payment services in the UK, Chip & PIN Solutions Ltd. Mobile and Static Secure Credit Card Payment Solutions UK. Chip and PIN secure credit card transactions ...

Chip and PIN Solutions - Chip and PIN
Secure Credit Card Payment services in the UK, Chip & PIN Solutions Ltd. Mobile and Static Secure Credit Card Payment Solutions UK. Chip and PIN secure credit card transactions ...

Chip and PIN
14.02.06 the most important chip and PIN number yet From 14th February 2006 you must use your PIN to be sure you can pay with your chip and PIN card.  If you don’t know your PIN ...

Chip and PIN information page
The time has finally come to part with your pen for good. That's because chip and PIN is now well and truly in. And this means that making an in-store purchase with your Egg Card ...

Integrated chip and PIN functionality from Pinnacle
Overview of each of the Pinnacle modules relative to dealership management processes ... Chip and PIN payment technology is uniquely available with our Pinnacle DMS

BBC NEWS | Business | Q&A: Chip and pin
How is chip and pin being used in the fight against fraud? ... Over the past two years card issuers have been replacing credit and debit cards in the UK with ones that include an ...

BBC - Comedy - That Mitchell And Webb Site - Chip and Pin
The official site for the BBC comedy series That Mitchell and Webb Look, starring David Mitchell and Robert Webb. Watch an exclusive video interview, play the Numberwang game ...

Chip and Pin Terminals
Chip and pin terminals from various manufacturers at low prices. Tel: 0800 634 9898 ... Chip and Pin Equipment: Primemark supplies a range of Chip and Pin Pads ...

 

Chip And Pin



 
Copyright © 2008 Hintcenter.com - All rights reserved.
Home | Terms of Use | Privacy Policy
All Trademarks belong to their repective owners. Many aspects of this page are used under
commercial commons license from Yahoo!