Chip and PIN cards are safe, are they?
Card payments are a very common mode of payment nowadays. In many countries, cards have changed form from magnetic stripe cards to chip and PIN cards. The major driver for this transformation was transaction safety. On many occasions, magnetic stripe cards failed to ensure authentication of the cardholder during the transaction authorization process. These frauds were the result of either leaked information or stolen identities of magnetic stripe cards. To control these issues, EMV came up with chip and PIN cards. This innovation has given card issuers the ability to execute processing logic at the card reader itself, thereby reducing online verification traffic and providing better authentication of the cardholder at the point of sale. The card transmits encrypted information that, even if intercepted, is of hardly any use for making a fraudulent transaction. Issuers are mostly under the impression that once they implement chip and PIN cards, they are safe. However, did it serve the purpose of eliminating fraud? Probably not. Cardholders still report fraud on their chip and PIN cards. In several instances banks have even declined fraud claims on chip and PIN cards, leaving cardholders in a fix.
The success of transaction security in this case lies in how the encryption algorithm is implemented at card readers. The weaker and more predictable the algorithm a card reader uses to generate the session key for a transaction, the more vulnerable the card is. Unfortunately, neither the issuer nor the cardholder is at fault if the encryption algorithm gives predictable session keys, but the consequences of such weak encryption leave the cardholder at the mercy of his or her luck. It potentially makes the entire investment in modern card processing infrastructure look unworthy. Hence it is very important for card readers to have a strong and unpredictable encryption algorithm, to actually justify the huge investment that went in.
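
One way an acquirer or test lab could check a reader for the predictability described above, as an added example that is not part of the original article: it audits a batch of per-transaction values logged from one reader for reuse, counter-like steps and stuck bits. The function name, thresholds and sample data are assumptions made for illustration, and the samples are constructed.

```python
import secrets
from collections import Counter

def audit_reader_values(values, bits=64):
    """Flag signs of predictability in per-transaction values from one reader."""
    findings = []
    mask = (1 << bits) - 1
    # 1. Reuse: the same value shows up in more than one transaction.
    if any(n > 1 for n in Counter(values).values()):
        findings.append("repeated-value")
    # 2. Counter-like output: one step accounts for at least half of the
    #    differences between consecutive values.
    deltas = Counter((b - a) & mask for a, b in zip(values, values[1:]))
    if deltas:
        _, hits = deltas.most_common(1)[0]
        if hits > 1 and 2 * hits >= len(values) - 1:
            findings.append("constant-step")
    # 3. Stuck bits: positions that are always 1 or always 0 in the sample.
    always_one, ever_one = mask, 0
    for v in values:
        always_one &= v
        ever_one |= v
    stuck = bin(always_one | (~ever_one & mask)).count("1")
    if len(values) >= 16 and stuck > bits // 4:  # illustrative threshold
        findings.append("stuck-bits")
    return findings

# Constructed samples (not captured from any real reader).
WEAK_COUNTER = [0x5A17000000000000 + i for i in range(32)]  # fixed prefix + counter
WEAK_CLOCK = [1700000000 + s for s in                        # second-resolution clock
              (0, 0, 2, 5, 5, 9, 14, 14, 20, 27, 27, 35, 44, 44, 54, 65)]
STRONG = [secrets.randbits(64) for _ in range(32)]           # OS CSPRNG

if __name__ == "__main__":
    for name, sample in (("counter", WEAK_COUNTER), ("clock", WEAK_CLOCK),
                         ("csprng", STRONG)):
        print(f"{name:8s} {audit_reader_values(sample) or 'no findings'}")
```

A clean result only rules out these three patterns; it does not prove that a reader's generator is unpredictable.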