Going from pen to PIN

KUALA LUMPUR: Security for credit and debit card usage will move a significant notch higher with the signature-based system to be replaced with PIN (personal identification number) verification.

About 39 million cards in Malaysia – eight million credit and 31 million co-badged debit cards – will be replaced with new PIN-enabled cards to meet the January 2017 deadline set by Bank Negara.

Merchant payment terminals are also to be upgraded to accommodate the new security-enhanced system.

The massive exercise is already underway with credit cardholders receiving their new cards in batches, while debit card users generally have to go to their respective banks to collect them.

The migration to PIN from signature is part of a worldwide shift which has been implemented in Europe, Canada, Australia and New Zealand, among others, with the Middle East also following suit.

The United States, however, is still using the old signature-verified system.



“This is a preventive measure as fraudsters will eye the weakest link – which is the signature-verified market,” said Paul Brisk, founding director of payment systems consultant Cotignac Consultancy Systems, which is employed as a consultant by Sutherland Global Services Malaysia, the project management office handling the Malaysian system migration.

“That’s why the US has one of the highest numbers of credit card fraud cases, as it’s still dependent on signature verification,” he said in an interview.

The Association of Banks in Malaysia (ABM) executive director Chuah Mei-Lin said PIN-verification would be effective when it came to lost or stolen cards.

The issue of cloned cards was addressed with EMV (Europay, MasterCard, Visa) global chip standard cards introduced here between 2002 and 2005, she added.

“An EMV chip helps to reduce fraud as it is very difficult and costly to counterfeit. When a transaction is performed by reading the chip, it produces a unique one-time cryptogram which must then be validated for the transaction to be approved.

“The chip contains a secret unique cryptographic key, and unless that key can be extracted, it isn’t possible to copy or clone the chip,” Chuah explained.

Brisk said PIN-verification added an extra layer of security as it was a two-pronged system – combining a physical card and a PIN which would only be known to the user.



“In countries which have introduced this system, it is common practice for users to insert their own cards in the terminal. The transaction is faster and safer,” he said.

He said Malaysian-issued cards would use a six-digit PIN, which would be required for all transactions except “contactless” transactions (made by waving or tapping the card at the terminal) involving amounts of RM250 and below.

“The PIN should only be known to the user; it’s part of the terms and conditions of the card,” said Brisk.

Sathish Kumar, an information security manager for financial services, advised that one should have different PINs for different cards.

“I understand that most people use multiple banks and it may be difficult to remember different PINs, but it is the safest way,” he added.

“Some fraudsters use social engineering to detect your PIN. If you use different PINs, at least they won’t have access to all your accounts,” he said, suggesting that one way to remember PINs is to reverse the numbers for different cards.


Source: The Star Online / 13 June 2016