The Green Sheet Online Edition
April 4, 2014 • 14:04:01
Readers Speak
Is chip and PIN bullet proof?
I recently read about a Canadian man who is suing his bank. He claims a criminal used his account data without his knowledge to make an $80,000 purchase, and the bank won't reimburse the funds, even though the bank removed a subsequent charge of about $4,000 made by the same party. The bank won't reimburse the first charge partly because the fine print of its consumer agreement states it will credit charges made after a fraud is reported, but it says nothing about charges made before the fraud is reported.
The bank also claims it is impossible to make fraudulent charges when EMV chip and PIN are both used to make purchases. The man suing his bank insists he never wrote down his PIN, nor did he divulge it to anyone else. And he says the card never left his possession.
Is it true that when both chip and PIN are used fraud is impossible? And will the upcoming U.S. EMV liability shift make it easier for merchants and banks to shift liability to consumers?
Brian Manchester Merchant Level Salesperson
Brian,
We cannot speak to the particulars of this case, but research appears to indicate Europay/MasterCard/Visa (EMV) chip and PIN transactions are susceptible to fraud. In the paper "Chip and PIN is Broken" researchers in the Security Group at Cambridge University in Britain described a "protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the card that no PIN was entered at all."
We also cannot speculate regarding banks' and merchants' intentions. However, it would likely be a public relations nightmare for card issuing banks if they changed their consumer fraud protections after EMV is implemented in the United States.
Editor
Sound off
Do you have thoughts on U.S. EMV implementation? Do you have other concerns of interest to payment pros? Please let us know at greensheet@greensheet.com.
Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.
Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.
