The chip-and-pin system is, certainly, an advancement over magnetic strip cards (which are easier to "skim") but in the case of Target and Neiman Marcus and other retailers, the breach of security had nothing to do with physical cards' security features.
People who understand little about card-payment technology simply use this incident to again glom onto the usual "Others (Europeans?) do it better" and old and tired "American banks and credit card companies just don't want to spend money on security because it's cheaper for them to absorb the costs of fraud" laments.
Actually, the magnetic strip cards hold a minimal amount of information, so while it's easier to manufacture a forged one, it's also easier to cancel and replace without criminals getting too much of your personal info.
The problem with this particular security breach is that it happened on the back-end of payment processing, using an old (at least, since before 2007) vulnerability that likely has not been patched up by certain payment processors, despite warnings from Visa and security experts.
From What the Heck Is a RAM Scraper? - Re/code, by Arik Hesseldahl, 2014 January 13
So what the heck is a RAM scraper and how does it work? First, remember that payment systems, the cash registers and credit card terminals you see in stores and restaurants every day, have a lot of strong requirements for encrypting data, pretty much end-to-end during the transaction process, as well as any records that are stored afterward. But there's one particular moment when that data is vulnerable, and it occurs during the milliseconds that it is stored in the system memory (a.k.a. random access memory, or RAM) of the back-end server that processes the transaction.
Think of it as a package being delivered to you with a lock on it. Even though you have the key, you still have to open it to see what's inside. The same thing happens when your credit card number gets decrypted. And when that happens, your credit card number is briefly stored in the system memory of the server processing the payment. When that happens, that data is "in the clear," as in unencrypted.
Typically this step in the process should only take milliseconds. Once the payment is verified, the next transaction in line comes through and the process repeats itself, and numbers are overwritten each time as new ones come in. But it's at this vulnerable moment that RAM scraper malware is designed to strike.
RAM scraping is an old attack technique that has in recent years been given new life for the purpose of compromising payment systems. Security researchers at Verizon first noted it in a report in 2009.
..... < snip > .....
Visa issued security alerts on an uptick in RAM scraper activity in April and August of last year. Among the suggestions it made at the time: Tighten firewalls to allow systems to communicate only with known systems. It also advised companies to separate payment systems from non-payment systems.
..... < snip > .....
Over the summer, the security firm Sophos took a look at RAM scraper attack trends and found that the most common one is Alina, one of a family with many variants that has come to be called Trackr. Retail stores and hotels were most likely to be targeted by attacks using Trackr variants during the first six months of 2013, Sophos found, accounting for a combined 26 percent of attacks. Educational institutions, restaurants and health care businesses were also targeted. And most of the attacks during the same time period, 56 percent, were in the U.S., which combined with Germany, Canada, and the U.K. accounted for 89 percent of these attacks.
..... < snip > .....
As the mystery around the credit card hacking at retail giants Target and Neiman Marcus continues to unfold, you're going to start hearing a lot about something called a "RAM scraper."
..... < snip > .....
As can be seen, the US companies are not alone in being attacked by this method, because the vulnerability has nothing to do with magnetic strips or other physical cards' properties.
Chip-and-pin wouldn't protect from this attack; it could only help make it more difficult to counterfeit the physical card, which is mostly a waste of time, anyway - much less important than the identity info on the payment processors' servers.
I'll even bet that most of these so-called HACKING incidents are merely INSIDE jobs.
Not very many men (or women) have the virtue to resist the highest bidder.
Great information. Thanks.
In a properly-designed smartcard-based system, the merchant's computer should request from the card issuer a random security token, and should never--even for a microsecond--hold enough information to perform a transaction not associated with that token. The card issuer would know that the token was issued to the merchant, and could require that any money taken from the card using it must go to an account associated with the merchant.
Ideally, credit-card-entry terminals would be constructed in such a way that a plugged-in smart card would get first "dibs" at keyboard data, nothing else could see it unless the smart card passed it along, and no change to such behavior would be possible without physically compromising the card entry terminal. In such a design, no remotely-programmable machine would ever see a customer's PIN, and thus even attack code with full access to RAM-scrape all reprogrammable devices would not gain access to it.
Given the extent to which financial institutions have failed to achieve the level of security which would be possible even with simple magnetic stripe cards and checks, I wouldn't expect them to implement the best possible smart-card system; nonetheless, a well-designed smart-card system could be made much more secure than would be possible without smart cards.
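The token scheme described in the comment above, as an added sketch that is not part of the original thread and is not how any real card network is implemented: the issuer binds a one-time token to the merchant, the card's chip authenticates token and amount, and whatever sits in the merchant's memory is useless for any other payment. The HMAC construction, the binding of the amount, and all names (`Issuer`, `Card`, `card_mac`, `shop-A`, `card-001`) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def card_mac(key, token, amount_cents):
    # Assumed construction: HMAC-SHA256 over the issuer token and the amount
    msg = f"{token}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    """Chip card: the key stays inside the chip; only MACs leave it."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key
    def authorize(self, token, amount_cents):
        return card_mac(self._key, token, amount_cents)

class Issuer:
    def __init__(self):
        self.card_keys, self.tokens, self.ledger = {}, {}, []
    def enroll_card(self, card_id):
        self.card_keys[card_id] = secrets.token_bytes(32)
        return Card(card_id, self.card_keys[card_id])
    def issue_token(self, merchant):
        token = secrets.token_hex(16)
        self.tokens[token] = merchant      # token is bound to this merchant
        return token
    def settle(self, merchant, card_id, token, amount_cents, tag):
        key = self.card_keys.get(card_id)
        if key is None or self.tokens.get(token) != merchant:
            return False                   # unknown card, or token not issued to payee
        if not hmac.compare_digest(card_mac(key, token, amount_cents), tag):
            return False                   # amount or token was altered
        del self.tokens[token]             # single use: replays fail from here on
        self.ledger.append((merchant, card_id, amount_cents))
        return True

def demo():
    issuer = Issuer()
    card = issuer.enroll_card("card-001")  # constructed sample id
    token = issuer.issue_token("shop-A")
    tag = card.authorize(token, 1999)
    # Everything the merchant's machine ever holds in memory:
    seen = ("card-001", token, 1999, tag)
    return {
        "other_payee": issuer.settle("shop-B", *seen),
        "changed_amount": issuer.settle("shop-A", "card-001", token, 999999, tag),
        "legitimate": issuer.settle("shop-A", *seen),
        "replay": issuer.settle("shop-A", *seen),
        "ledger": issuer.ledger,
    }
```

Only the `legitimate` call settles; the same captured values are rejected when presented for another payee, for another amount, or a second time.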