Chip and Pin is broken

neerur

Neeru Rawat

We measure the success of Chip and PIN by its two core goals: first, to prevent counterfeit card fraud using the chip, and second to prevent lost and stolen card fraud using the PIN. Because stolen cards can be used without knowing the PIN, by our definition, Chip and PIN is broken. We do not believe that the system is broken beyond repair, but neither is it the case that a simple fix will suffice, due to the unmanageable complexity of EMV. This has been demonstrated by the spirited disagreement among experts discussing the attack on our blog [22] and proposing different favoured solutions, and by the continued absence of a fix at the time of writing, almost three months since the industry was notified.

Some of our respondents argued that Chip and PIN was a success on economic grounds, claiming that it saved more money from fraud than it cost to deploy. However they did not present figures to back up this claim. And counterfactual history is hard: how would one show that in the absence of EMV, fraud would have increased even more than it in fact has? Other respondents agreed that Chip and PIN simply pushed fraud to other areas such as card-not-present fraud, undermining the argument of economic success.
 
