Old vs New: A Comparison of Magnetic Stripe and Chip-and-PIN
I was doing some poking around on the internet recently, reading various stories about different network breaches and loss of credit card numbers and I was reminded of the semi-recent Target breach and how they're making a push to switch to chip-and-PIN cards. This made me think it would be a good idea to do a a write up on the differences between chip-and-PIN and traditional magnetic stripe credit cards.
I'm sure most of us are familiar with the traditional magnetic stripe style cards. I'd be willing to bet that nearly everyone reading this has at least three or even more of them in their wallets. Magnetic stripe technology has been around for years. The idea of using magnetic storage has been around since the 1950's, but the first magnetic striped plastic cards didn't come around until the late 1960's. Now they've evolved so much that, as mentioned before, everyone has at least one, some people may even have ten or more. Magnetic stripes are used most commonly on credit cards and ATM cards, but are also used for driver's licenses, membership cards, library cards, even student and employee badges. There's no doubt that they've become a part of everyday life for many of us.
Here's a bit of history on the newer more secure chip-and-PIN style cards. Chip-and-PIN is actually a brand name used by the banking industries in Europe. Chip-and-PIN is specifically a brand of EMV (Europay, MasterCard, and Visa) smart cards. I'm going to continue calling these newer cards chip-and-PIN because it illustrates how they work. Since mass production of computer chips is a much more recent discovery than that of magnetic storage media, chip-and-PIN cards are a much newer technology. They've been around since the early 1990's but didn't really gain much traction until about the turn of the millennium. Rather than swiping a chip-and-PIN card at a point of sale, it works much closer to how an ATM treats a magnetic stripe card. The card is placed inside the reader, a PIN number is entered, and only if the PIN number is correct will the POS be authorized to process the charge.
Since electrical current is required to interact with a chip-and-PIN card they're much harder to duplicate or read without someone knowing. There is a massive problem in the US with criminals "skimming" credit card numbers and PINs from ATMs by laying their own hardware over top of the real hardware so when someone comes along to use the machine the "fake" hardware reads the card's magnetic stripe on it's way into the real ATM's card reader and some skimmers actually have their own buttons that lay down over the real ones so they can capture your PIN as well. The criminals then come back in a few hours to retrieve their hardware and go home to duplicate all the cards they skimmed and use their respective PINs to withdraw all the cash they can. This process is nearly impossible with chip-and-PIN cards, thus nearly eliminating one whole realm of fraud for the issuing banks.
Believe it or not, the United States is well behind the ball when it comes to credit card security. Most of the globe has been using the more secure chip-and-PIN style cards for years. Each year millions of dollars are spent on replacing magnetic stripe cards due to fraud and lost or stolen credit cards. I believe most of the resistance against migrating to chip-and-PIN technology can be boiled down to two things. The first being the fact that many people don't like change and the banks issuing the cards are afraid that consumers will prefer to use other cards that don't require a PIN to complete the transaction. So on top of the cost of switching card types they'll also lose business. And The second reason being the massive cost associated with outfitting retailers with the hardware required to read a customer's chip-and-PIN card. Since the two card types operate so differently there isn't a way to retrofit any kind of adapter onto current magnetic stripe readers to accept chip-and-PIN cards. And because of this it looks like the US may see it's first wave of smart cards actually be chin-and-signature rather than chip-and-PIN. But why spend all the time, effort, and money to only improve on half the situation? Without going all the way to chip-and-PIN it's just going to cost a whole bunch more money down the road to finish the transition.
Chip-and-PIN cards aren't the holy grail that's going to eliminate all fraud though. People still need to protect their PINs, and chip-and-PIN transactions that take place over the Internet or any other card not present (CNP) transaction encounter many of the same problems as magnetic stripe cards. There are some software alternatives that interface with the card issuing banks to validate PINs for CNP transactions done with chip-and-PIN cards, making them more secure than the increasingly outdated magnetic stripe. It's only a matter of time before magnetic stripe cards become the minority and it's more common to have newer, smarter chip-and-PIN style cards in all of our wallets.
If you would like to dig deeper into these topics here are a couple good wiki articles as well as a similar recent article by David Heun: