Chip and PIN technology may have gotten off to a rocky start in its European rollout, but according to a Harris/Decima researcher, the lessons learned across the pond may actually benefit banks and merchants in the Canadian adoption of the technology.
The new verification technology, which is already undergoing a trial run in Ontario’s Kitchener/Waterloo region, will equip all payment cards with a PIN. When a customer wishes to pay for goods, they can place the card into a “PIN pad” terminal and verify payment by entering the PIN. This will replace the traditional need for signature verification and will also require customers to hang on to their cards at all times – as opposed to today’s practice in certain environments such as restaurants, where their cards are often swiped out of sight.
The major card associations – such as Visa and Mastercard – are saying that Canadians will need to be on board with the new technology by 2010, as the issuers are looking to shift the liability for payment fraud claims to the merchants.
“There is going to be a widespread rollout within the next two years and many consumers and merchants haven’t had the chance to work with the technology yet,” Lise Dellazizzo, senior vice-president of technology research at Harris/Decima, said. “However, we are very lucky that we can learn from what’s happened overseas, particularly in the U.K., and avoid those pitfalls.”
One of the most prominent issues coming out of the U.K. for chip and PIN was publicized last year when researchers at the University of Cambridge demonstrated how a payment terminal could be compromised to steal sensitive data.
For the proof-of-concept hack the researchers opened up one of the supposedly tamper-proof terminals, replaced its internal hardware with their own, put it back together without any external evidence of tampering and then got the machine to play Tetris.
“We demonstrated that with the new hardware, everything is under our control — the card reader, the LCD display and the keypad,” said Saar Drimer, one of the researchers involved in the demonstration.
Recent data from U.K.-based payments association APACS also indicates that the PIN-enabled technology may not be helping the cause as greatly as advertised. Counterfeit (skimmed/cloned) card fraud was up 46 per cent in 2007 compared to the previous year, while Card-not-Present (CNP) fraud was up 37 per cent in the same time period. Another telling statistic, according to Dellazizzo, was fraud outside of the U.K., which APACS said increased by 77 per cent in the last year.
“When you are transacting with your credit card in person, a huge reduction is obviously evident,” she said. “The problem we see from these statistics is transactions being done on the Internet…as well as cards being stolen and brought to not yet PIN-enabled countries, such as Canada.”
Dellazizzo said U.K.-based fraudsters have been stealing the PIN cards and taking them to countries like Canada where the magnetic stripe is all that’s needed to carry out the transactions.
“Of course, it would serve everybody’s best interests to speed up the migration process, but we have to be careful of the holes that still exist with implementation of this technology,” she said.
The distribution of the cards, Dellazizzo said, might also be a key issue for Canadian card issuers and banks to address. One such example was the widespread theft of the PIN cards via the postal system in the U.K.
“The fraudsters were simply intercepting the cards in the mail, setting their own PINs, and using the cards,” she said.
Dellazizzo stressed the importance of embracing the technology for its benefits in cutting down fraud in face-to-face transactions, but said the “side-effects” that can arise from the technology – such as its effectiveness on the Internet – need deeper investigation. Harris/Decima is currently planning a study on merchant and consumer chip and PIN migration in Canada, set to get underway next month.
With files from Jaikumar Vijayan, Computerworld (US online)