I think in the US, at least for now, the new chip cards will be/are primarily chip + signature, not chip + pin which is the most secure you can have.

I believe a chip is able to encrypt the information differently, and it isn't stored the same way it is on a stripe, so it's not like someone can steal the info the same way.

To understand why chip cards are more secure, you first need to understand why magnetic stripes are less so. The magnetic stripe holds static information. Simply put, it holds your card information in unchanging form. Because static info is passed to payment terminals, once copied, it can be easily used for fraud.

The chips in chip cards hold information more dynamically. What? It means that when a terminal reads a chip, the chip gives the terminal a one-time code to send to the bank, which the bank then authenticates and authorizes the payment. The next time you use the chip, it issues a different code. The codes are like encryption codes, only the bank knows how to decrypt it and know whether it's the genuine article.

So if one even were to copy a chip, because the thief does not know the bank's encryption keys, the chip will only issue the same one time code over and over. And since the code is already used from the first transaction (which was legit, since it had to be copied after), it becomes useless. Hence card-present fraud declines.

It's important to note that up to this point, there is no distinction between Chip and PIN and Chip and Signature cards. PIN and Signature are simply different methods of user verification, and which is safer is a different debate.

Thanks for making it much more clear than I did, yfan. I wasn't really aware that chip+pin was not more secure; I just assumed it was, but you're right, it's certainly debateable.

---

@kdm31091 wrote:

Thanks for making it much more clear than I did, yfan. I wasn't really aware that chip+pin was not more secure; I just assumed it was, but you're right, it's certainly debateable.

---

Right, for now I'm just saying that the security element for the card itself lies in the chip, not in the user verification method.

---

@yfan wrote:

---

@kdm31091 wrote:

Thanks for making it much more clear than I did, yfan. I wasn't really aware that chip+pin was not more secure; I just assumed it was, but you're right, it's certainly debateable.

---

Right, for now I'm just saying that the security element for the card itself lies in the chip, not in the user verification method.

---

Unfortunately, the chip seems fairly useless until the magnetic strip is removed from the card. As long as it's still there, the info can still be taken. 

---

@jsucool76 wrote:

Unfortunately, the chip seems fairly useless until the magnetic strip is removed from the card. As long as it's still there, the info can still be taken. 

---

Right, either the strip or machines that only read magnetic strips. If a machine can read EMV and a card has EMV, it won't read the strip even if it is swiped.

---

@Anonymous wrote:

It's debateable, but really depends on real-world context, which of course can change.   Imagine doing an EMV transaction in the US today with a card tthat you have just stolen.  If the card is chip&pin, and you don't know the pin, your transaction will not proceed.   With chip&sig, you will be "asked" for your signature.   This might well mean scrawling something on a terminal screen, or on a signature slip, and hoping that it won't be carefully checked.   In the US today, you are exteremely likely to be lucky, the sig won't be compared with anything, or if you have done a tenth way decent job, it will pass the check. 

 

---

This can absolutely happen with PIN, and when it does, it may leave the owner with little recourse.

There has been reports that banks are using PINs as an excuse to force users to pay fraudulent charges. A machine can be programmed to accept any PIN - which in effect redners it authentication-less. The bank end only asks "Was correct PIN entered?" It doesn't keep a record of what PIN is entered, so as long as the requesting party responds "Yes," the bank will process. This is worse than not verifying signatures, because this is a black box. If a machine claims the right PIN was entered, how are you going to prove it wasn't? If it's a signature, that is simple to prove. "Nope, it's not my signature. You can verify with a handwriting expert if you wish."