The U.K. is all abuzz about "chip and PIN," but it's not a popular pub snack or a nickname for the newest celebrity power couple. It's the credit card security system rolled out in recent years to stem a wave of credit card crime.
Chip and PIN replaces the credit card system we're used to -- swiping a magnetic strip and signing a receipt -- with a new generation of card readers that scan a tiny chip activated by a personal identification number, or PIN.
Yet in the United States, no one is rushing to adopt chip and PIN. The cost of new card readers, liability for fraud loss, and criminals already working around the system all figure into the reluctance to bring it to American cardholders.
Crime stopper?The chip and PIN system is designed to make it more difficult for criminals to cash in on credit card fraud. The magnetic strip system used in the United States only requires a signature to authenticate a purchase. This allows criminals who get their hands on victims' credit cards to start making purchases immediately, potentially charging up thousands of dollars before the card is canceled. More enterprising thieves can also use information gained by Internet hacking or skimming -- secretly swiping a victim's card on a card reader -- to "clone" copies of victims' cards.
Chip and PIN aims to make it more difficult for wannabe criminals to make fraudulent purchases by either of these methods.
"It's very difficult if not impossible to clone the (chip and PIN) card," says Andi Coleman, a member of the Accredited Standards Committee X9, which determines standards for the financial industry in the U.S. "If you steal the card out of someone's wallet, you have to know the PIN in order to be able to use the card in a transaction."
These built-in barriers to fraud have had a measurable impact on the types of in-store credit card fraud chip and PIN was designed to prevent. Total losses from such fraud fell from 218.8 million pounds ($356.5 million) in 2004 to 98.5 million pounds ($160.5 million) in 2008, according to statistics from the U.K. Payments Administration.
British credit card issuers sing the praises of the system. "Having a chip and a PIN method of identification and authentication is more secure than the magnetic stripe and the signature, so that's a benefit for both retailers and cardholders," says Mark Bowerman, a spokesman for Financial Fraud Action U.K., an affiliate of U.K. Payments Administration, an industry trade group.
Other benefits cited by Bowerman: Fewer paper receipts mean savings in processing costs for banks and retailers, and quicker transactions, on average, than conventional "swipe and sign" systems.
"It's more of a tangible benefit for retailers," says Bowerman, "because quicker transaction times mean shorter queues."
The greatest beneficiaries of chip and PIN, though, are the card issuers.
"(Chip and PIN's) main attraction to banks is the 'liability shift,' which is precluded in the U.S. by Regulation E," wrote Ross Anderson, a professor of security engineering at the University of Cambridge, in an e-mail. "This shift means that disputed transactions will be blamed on the customer if a PIN was used and the merchant otherwise. Thus, in theory, the bank would never again be liable. In practice it has not worked. You can't have a secure system if one party guards it and another party pays the cost of failure."
This "liability shift" has been a "good incentive'" for merchants to adopt chip and PIN, says Bowerman. Such a shift isn't possible in the U.S. because of rules set up under the Electronic Fund Transfer Act of 1978, says Steven J. Murdoch, Ph.D., a security researcher at Cambridge University. This is probably good news for U.S. consumers: Murdoch says that since the standard was fully adopted, it's been next to impossible for British consumers to recover money stolen in fraud.
"The banks get to effectively make up their own rules, and the rule they've chosen is that if your PIN is used, then you must have been negligent about protecting your PIN, therefore you're liable for the fraud," says Murdoch.
And because the loser pays legal fees in the British system, Murdoch says, few consumers risk a lawsuit that can end up costing many times the amount they've lost to fraud.
Who foots the bill for fraud is a big part of why the chip and PIN system was put in place in the U.K., said Anderson.