Just a quick note and redirect here... if you've not seen Ross Anderson's post "Chip and PIN Is Broken" yet, then I highly recommend zipping right over to his site to read through it. Basically, the underlying schema is broken because of the way the "solution" has been aggregated from various standards. This finding underscores the need for coherent and well-coordinated standards when it comes to things like handling sensitive data.
http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/
Update (2/18/10): The Smart Card Alliance has provided a response questioning the viability of this attack in the "real world." It certainly seems somewhat unlikely, though the truth is probably somewhere in the middle. Maybe they should just fix the schema.
http://www.digitalidnews.com/2010/02/15/emv-hack-may-be-overstated