BBC TwoNewsnight
Last Updated: Tuesday, 26 February 2008, 20:04 GMT
How secure is Chip and PIN?

Below are reproduced various statements in response to Newsnight's report on Chip and PIN fraud, and the vulnerability of the Ingenico i3300 PED.

25 February 2008

The UK payment industry is confronting fraudsters everyday and our top priority remains to keep customers and their money safe. We want cardholders to be vigilant and we constantly issue good, simple advice to help them stay safe. We also recognise the need for retailers to play their part by keeping their PIN pads secure and to protect their businesses and customers safe from fraud. The type of attack described by the Cambridge academics is extremely difficult to achieve in the real world.

The answers to the Cambridge Team's supplementary questions were also provided to them last week. We have asked them to share some additional detail with us so we can continue to ensure we take every step possible to protect our customers.

The wording in your letter suggests both an account number and PIN can be captured from a credit card, but to ensure that there is no misunderstanding, in the scenario described the PIN was not obtained from the card itself but was intercepted as part of the transaction process.

We would also like to clarify that in a number of court cases APACS is not arguing that fraud 'cannot happen' or that customers need to prove that they have not been negligent. The Banking Code remains very clear that the burden of proof lies with the card company to demonstrate any negligence by the cardholder.

We would also like to make you aware of the following points:

- We continue to be grateful for the cooperation the Cambridge Team has shown in sharing their valuable work with us so we can ensure that we are kept informed of what is technically feasible. However, the report does not identify any threats or vulnerabilities of which the industry is not already aware.
- As part of the industry's ongoing programme to educate merchants and retailers, we ensure that all merchants are aware of the proper procedures to keep their PIN pads safe and to help identify potential tampering.
In our view, the types of attack on PIN entry devices (PEDs) detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out. Unfortunately there are simpler, more cost-effective ways of committing card fraud - and we believe that fraudsters are far more likely to continue to exploit these rather than move to more complex, costly and more high-risk attacks.
- There has been no real-life example of this type of attack happening in the UK or anywhere else in the world where chip and PIN is in use. These PEDs are used in many countries which have chip and PIN all over the world and the evaluation process used in the UK matches that used globally.
- The banking industry is not reliant on one single layer of protection and has multiple layers of protection around each component of the transaction. The fraud identified by the Cambridge Team is completely reliant on every single layer failing.
- To commit the fraud outlined by the Cambridge Team, the fraudster would need access to a live PIN pad. That means they would either be a collusive or fraudulent member of staff or would have been coerced by a fraudster. They would also need a level of technical expertise.
- In the unlikely event that such an attack were to take place in the UK marketplace, the banking industry's fraud prevention systems would be able to detect where such an attack had happened and would liaise with police to stop the fraud.
- All UK issued cards issued after 1 January 2008 include an updated iCVV (Integrated Circuit Card Verification Value) which means that if one of these cards were compromised in the method described, the data would be useless to the fraudster (i.e. a fake magnetic stripe card created via a compromise of this type would not work in a cash machine, even overseas in a non-chip and PIN country).

26 February 2008

Retailers and card users should rest assured that the devices, from various suppliers, identified by the Cambridge University scientists remain amongst the most secure terminals on the market and have contributed to card fraud at UK retailers falling by up to 47% year-on-year since the introduction of Chip and PIN. The banking industry has already expressed its confidence in the security capabilities of all Chip and PIN payment devices being used in the UK today.

The method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. This method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry.

Security remains a top priority for Ingenico and we invest around 40 million euros each year* in Research & Development to ensure our customers remain at the forefront of the fight against fraud - a fight in which everyone must remain vigilant.

This investment is highlighted in the latest generation of our terminals which are approved under the latest security standards. These meet the higher security required by industry mandates introduced on 1 January, 2008 and are designed to stay one step ahead of the evolving security threat.


*average over last two years of published financials (2005 & 2006).

26 February 2008

We have seen no evidence from the Cambridge academic paper of anything we did not know or anything that presents a real-world threat to card security and as the BBC would not show us or describe to us in detail what was being alleged we cannot comment further.

25 February 2008

We believe the PIN Entry Devices for the UK 'chip and pin' system are performed to the process laid out by the Common Criteria methodology by labs accredited to ISO17025. However, the assessments do not involve the UK Common Criteria Certification Body (CB) at CESG which would provide independent quality assurance on the security target, evaluation work and process.

APACS took a decision on behalf of the payment industry that product certification was not a mandatory requirement. Since these devices have not been certified by the UK CB, CESG has no knowledge of them or their evaluation.

CESG has approved the APACS PIN Entry Device Protection Profile, which is a template for security targets for these devices, but it remains with APACS to determine the security requirements for these devices.

CESG welcomes the work of the Cambridge team which again highlights the importance on ongoing threat analysis. However, this work does not call into question the Common Criteria methodology as a basis for internationally recognised security assessment and evaluation, since the products examined in this work were not certified by that scheme.

25 February 2008

Boots is committed to the confidentiality of our customers personal information when they shop in our stores. We would like to reinforce the message Ingenico have issued stating "there is no cause for concern" for users of their terminals. We would like to take this opportunity to remind our customers that they should be vigilant at all times when entering their pin number in any chip and pin terminals.

26 February 2008

We are disappointed that the BBC have not shown us the footage of the Cambridge team. However we take these sort of allegations very seriously indeed and have spoken to Ingenico who have reassured us that there is no cause for alarm for cardholders or retailers. We would also like to take this opportunity to reassure customers that instances of credit card fraud at ASDA are extremely low.

26 February 2008

Just to confirm that we use the Ingenico 3300 device in the majority of food stores belonging to The Co-operative Group, including the Cambridge store.

We know of no incident where a device within a Co-operative Food store has been "abused" to gain the level of information needed to clone a card.

Please note, The Co-operative Group is one of 28 independent retail co-operative societies in the UK and we cannot speak on behalf of the other 27 societies, which may use other systems.

26 February 2008

Egg confirms that at no point did we hold our customer liable for disputed withdrawals, nor did we report her to the police for prosecution. However, we were unable to progress our internal investigation as our customer declined repeated requests to return the relevant ATM declarations, a standard procedure for the bank.

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit

banner watch listen bbc sport Americas Africa Europe Middle East South Asia Asia Pacific