net.wars: PIN the signature on the chip

by Wendy M Grossman | posted on 16 July 2004

This week I received my brand new Barclaycard along with a leaflet explaining how lucky I was to be part of this "major payment card industry initiative".

Wendy M Grossman

Yes, it's time for Chip and PIN! American readers won't have come across this. For some years, British (and European) credit cards have had a thumbnail sized gold-coloured chip on the front. Now, the plan is to do away with written signatures to authorise transactions. Just type in a four-digit code, and there you go. The idea is that a secret PIN is less easily forged than a signature, and a chip is harder to clone than today's magnetic stripes. In introducing Chip and PIN, the UK is ten years behind France and a lot of other places.

There's been a lot of discussion about Chip and PIN among the security-aware in locations such as the UKCrypto mailing list. Those folks aren't as enchanted by the new system as you might think from the chirpy cartoon graphics at Chip and PIN Web site (which does not work in Mozilla). One question is whether the system stops fraud or displaces it.

For most people, the biggest practical problem is likely to be the difficulty of remembering and keeping track of all those PINs. A friend has already told me about her mother in the supermarket running over - aloud - the various PINs for her many cards trying to work out which one was the right one to type in.

The bigger concern is whether the new system will shift the burden of proof on to the consumer in a disputed transaction. It could be much harder for a consumer to prove that a PIN was stolen or a card cracked than to challenge a bank to produce a signature.

The Royal National Institute for the Blind has raised concerns about whether the number pads will be usable by blind or partially sighted people. Similarly, other organisations that represent the disabled say that for some the pads may be inaccessible for other reasons.

However, people at the Association for Payment Clearing Services (APACS), say that Chip and PIN will be more, rather than less, inclusive. "The people who can't sign are going to be included in Chip and Pin," says a spokesman. "Our research has said people will be able to enter a four-digit PIN even if they don't have the dexterity to sign their name. People who can't remember PINs can contact the bank and explain. We're making it available as an extra way of identifying yourself."

The effect of this was ruined almost immediately, however, when the APACS spokesman went on to say, "If you can use it, you will have to use it." No, there's no law -

But in January 2005, liability for fraudulent transactions will shift onto retailers who do not have Chip and PIN equipment in place. Therefore, APACS expects doing away with signatures will be quick.

The initiative is billed as a plan to cut down on fraud, which card issuers say costs £402 million a year in the UK, half to two-thirds of which they hope Chip and PIN will cut. The cost of rolling out the new system, however, is £3 billion. That's such a gross disparity that there has to be more in it, presumably the cost savings in not having to ship around all those signed pieces of paper. For that purpose, the US has instead introduced electronic signature capture devices; Americans (like me) have typically rejected smart credit cards.

The APACS spokesman became utterly baffled when I told him what happened when I phoned Barclaycard to say that I would prefer to have an old-style credit card that required a signature. The customer service representative said, "No problem. I'll put it into the system now." He did not ask why, or if I were disabled (although I did tell him, because don't these big companies always value customer feedback?).

Chip and PIN cards retain a magnetic stripe to tell the reader whether to prompt for a PIN or a signature. If you decide you don't want to use Chip and PIN, but you do want to have ATM access to cash using your credit card, you will need to ask your issuer to give you a Chip and Signature card but ensure that the PIN remains active. (Barclaycard says it can't do this.) There is, I suppose, a slight risk that those of us with Signature and Chip cards will be automatically treated as mentally defective or have transactions refused by retailers who don't want the liability. The rail companies' training manual suggests otherwise, though.

Neither APACS nor Barclaycard was able to say what percentage of users might not be able - or choose not - to use Chip and PIN. What they do say is that their research shows that as many as 84 percent of people are pretty eager to use it. We'll see. You do have a choice.

P.S. You also have a choice about the national ID card. It's not too late to send in your comments before the July 20 deadline.

Technorati tags:    
You can discuss this article on our discussion board.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).