Tackling Chip and Pin

If you work in retail, or use a credit card, you have come across the latest technology: chip and pin.  In the U.S. this is a newer and less prevalent technology than it is in the rest of the world, but that does not diminish its importance.  The more technical name for this technology is EMV (a shortened version of the card schemas: Europay, MasterCard, and Visa) and you can find usually find both phrases used in discussions about it.  You may wonder what good it is and why it matters, but if you are a company that accepts credit cards this is a technology crucial to your future.

It is More Secure

Chip and pin cards are more secure than traditional card swipe cards as it has more built in validation and verification. Without getting too technical, the big difference is that traditional cards use only a card number and expiration date in a transaction, but the chip contains much more information that can be used to make it that much harder for hackers to fake a transaction.  This increased security comes at a cost, but the major financial institutions are putting pressure on merchants to accept these more secure cards.  A fraudulent transaction often ends up being paid for by the financial institution so a reduction in fraud is a quick way to improve the bottom line.

You may have noticed as a user that signatures are not needed for a chip card transaction, but a pin is.  This is one of the ways this sort of transaction is more secure.  How often have you seen a store clerk validate your signature?  This is an easy to get around "security" feature as the bar is pretty low for a forged signature.  When a pin is required then there must have been either a willing share of that pin or somehow the fraudster found a way to steal your pin.

There is Less Liability

In October, 2015 a change was made to the liability agreements of major card issuers where a merchant can now be liable for fraudulent transactions using a magnetic card reader, but they will continue to be protected from fraudulent transactions if they use a chip and pin transaction.  There is a much more complicated series of steps that have to be taken to process a chip transaction and these make it much less likely that fraud will occur.  This not only saves a copmany from the liability of fraudulent charges, it also limits access to key account information during a transaction.  A vendor will thus have less information they never wanted to know.  Just as moving to electronic transactions saved companies from having to tear up the paper used to make a credit card impression, now the chip cards remove the need for an account number to ever be known by a merchant.  This is a case where what you don't know can't hurt you.

Be Aware of Hidden Costs

The challenge in using chip and pin in the U.S. is twofold.  One issue is that there are not a large number of technical resources available with the experience to adapt the old systems to the new technology.  Like all new technology issues, the "newness" limits the pool of those that have "done it before".  The other issue is that the integration with magnetic readers was built far enough in the past that there is no longer a large number of resources that have done the core work required to integrate software with hardware like a card reader.

One of the things to look for when moving to chip and pin is a solution provider that can understand the complexity of processing transactions.  In the past it was a matter of getting an account number and expiration from a reader and you are set to go.  Chip transactions follow a much more complicated flow along these lines:

• Card Detection
• Find supported applications
• Select Application
• Read Application Data
• Authenticate Data
• Verify Cardholder
• Processing Restrictions
• Terminal Risk Management
• Decide on terminal action
• Decide on card action
• Online/Offline Decision
• Online Processing
• Analyse Results
• Complete Transaction

As you can see, the chip transactions are new to many providers as a hardware transaction, but there are also a much more complicated series of business transactions to be performed.  This often makes pure technical providers struggle to solve this problem due to how much business knowledge is needed for it to be solved correctly.

Finding Reliable Resources

The two main problems that need to be solved in building a reliable chip and pin system are: integrate with the hardware and be able to create complex transactions.  Integrating with the hardware varies in complexity, but I have come across many situations where a good library has not already been built and you have to rely on developers that can build their own solution.  Although you may not find developers that have specific experience in this technology you can find related experience in developers that have worked with card readers of various sorts in the past. In particular, where a custom solution (work beyond using a library) was needed.  For the complex transaction side there are a lot of similarities in health care where a transaction often includes several steps to determine the transaction type, payer information, and validation/verification along the way.  If you can find resources that have both of these types of experiences in their background you can be confident there is not going to be much they will see in a chip and pin project that they have not seen before.

I have discussed this with a partner at Medicom technologies and we have both found that the experience we gained in prior projects that had to integrate with hardware (card readers and cash registers for example) and those that had to deal with the payer side of medical cover all the problems we have seen as "need to be solved" for chip and pin projects.  If you would like to further discuss how our related experience can be used to solve your chip and pin challenges please contact me directly at [email protected].

Taken from the RB Consulting Blog - IT Matters

Chip and pin techology is the way transactions are moving, even in the U.S., so the sooner you embrace this technology, the more advantage you will have over competitors that drag their feet.  We recognize this challenge and would love to help you overcome it.

Rob is the founder of RB Consulting and also co-founder of, and frequent contributor to, IT 4 Recruiters.  He is a longtime student of technology as a developer, designer, and manager of software and software projects.  He has also managed to author a book about his family experiences.  In his free time he and his wife Karla keep busy raising eight children and he spends time on the ice playing hockey to relax.

View more posts by Rob | See more from the RB Consulting Blog