Sunday, November 12, 2017

Chip and PIN Cards

So do you have one of the new "Chip and PIN" cards? They are also known as "EMV" for Europay/MasterCard/Visa.

Instead of swiping you're supposed to "dip" them. Currently not all merchants have implemented the "dip" technology. There are fiscal liability implications related to that which don't affect the consumer, so I won't cover them here.

What I will try to explain is the part of the new EMV cards that is known as the Cardholder Verification Method (CVM).

I have a USAA Visa card. In preparation for a trip to Ireland a couple of years ago I called USAA and asked for an EMV card which they supplied. When I received it I followed up with USAA and set a PIN for the chip.

I successfully used the USAA EMV card during my trip to Ireland. At most merchants I was asked to sign a receipt. This seemed to confuse most merchants but it never impacted the success of the transaction. No merchants' terminals challenged me for a PIN.

Subsequently US merchants have been replacing their credit card terminals with the new "dip" capable ones. These don't challenge me for a PIN and not always even for a signature.

This got more interesting recently at a self-service gas station in Quebec City, Canada.

The card reader on the pump was chip-enabled. It fussed at me in French for inserting and withdrawing my card like I would do in the US. Finally I understood enough French to leave the card in. Then it asked me how much to pre-authorize on the card. In the US this is just done silently. I wasn't ready to perform a quick calculation in a foreign currency so I just chose the largest amount, $125. Then it asked me for the PIN of the chip, not the stripe. Thankfully I had activated a PIN on the chip in preparation for my trip to Ireland. It churned for a second and told me to remove the card and begin pumping.

That transaction got me interested in what the process was to determine whether an EMV card transaction will require a PIN or signature or nothing.

At a summary level, each EMV card carries a prioritized list of verification methods (CVMs), and which entries apply may vary with the value of the transaction. The terminal walks this list in order until it finds a CVM from the card that the terminal itself supports.

SpottersWiki has a database of EMV cards and associated CVM methods. When I searched it for my USAA Visa card it reported the CVM methods were:

1: Signature (paper)
2: Enciphered PIN verified online
3: Enciphered PIN verified by ICC (aka offline PIN)
4: Plaintext PIN verified by ICC (aka offline PIN)
5: No CVM required

There is another database here but it isn't being updated.

The kicker here is that the gas pump in Quebec City obviously couldn't accept a signature as verification and therefore required a PIN. It is not clear to me that the chip PIN is necessarily the same as the magnetic stripe PIN. I suggest you contact your card issuer to make sure.

This process is due to be implemented in US gas pumps by October 2020.

A more in-depth explanation is here.
Although EMV is often referred to as “Chip and PIN”, in fact EMV supports several different methods of verifying the identity of the cardholder, known as Cardholder Verification Methods (CVM). Every card contains a list of the CVM that it supports, and when they need to be applied (e.g. Use online PIN if the transaction is an ATM cash withdrawal, else use signature).
Whenever an EMV transaction is performed, the terminal’s EMV Level 2 Kernel processes the CVM list in order, until it finds a CVM that it supports and can process. In the event that no supported CVM is found or an error occurs during CVM processing (e.g. the PIN-Pad was malfunctioning), the EMV kernel will flag this in the Terminal Verification Results, which may cause the transaction to be declined or sent online for authorisation by the card issuer.
The CVM that EMV currently supports are Online PIN (required in certain countries for all transactions, and also for all ATM cash withdrawals), Offline PIN verified by the chip card (required in certain countries for all payment transactions), signature (for attended payment terminals in some countries), or a combination of both PIN and signature if additional verification is required.
Also, in some environments it is permissible to use no CVM for low-value transactions or for terminals that do not support any of the CVM on the cards.
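To make the list-walking described above concrete, here is an added example (my own code, not from the post or from SpottersWiki) that parses a CVM list in the EMV tag 8E layout and selects a method the way the kernel does: skip rules whose condition is not met, perform the first supported method, and fall through on an unsupported one only if the rule's "apply succeeding rule" bit is set. The card bytes are constructed to match the five USAA entries in the order listed, and the two terminal capability sets are assumptions standing in for a US attended terminal and an unattended pump.

```python
import struct

# CVM method codes (low 6 bits of the first rule byte, EMV Book 3 Annex C3)
CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verified by ICC and signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN verified by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}

# Constructed tag 8E value: amount X, amount Y (4 bytes each), then 2-byte rules.
# Each rule except the last has bit 0x40 set (fall through if it fails/unsupported)
# and condition 0x00 (always). Order matches the USAA list quoted in the post.
USAA_CVM_LIST = bytes.fromhex("00000000" "00000000" "5E00" "4200" "4400" "4100" "1F00")

def parse_cvm_list(data):
    """Return (amount_x, amount_y, [(method, fallback, condition), ...])."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM list")
    x, y = struct.unpack(">II", data[:8])
    rules = [(data[i] & 0x3F, bool(data[i] & 0x40), data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules

def condition_met(cond, method, terminal, amount, x, y):
    """Condition codes modelled here: always, terminal-supports, and X/Y thresholds."""
    if cond == 0x00: return True
    if cond == 0x03: return method in terminal["supports"]
    if cond == 0x06: return amount < x
    if cond == 0x07: return amount > x
    if cond == 0x08: return amount < y
    if cond == 0x09: return amount > y
    return False  # cash/cashback conditions are not modelled in this example

def select_cvm(cvm_list, terminal, amount):
    """Walk rules in order; return the CVM name to perform, or None when CVM
    processing fails (the kernel would then set the TVR 'CVM not successful' bit)."""
    x, y, rules = parse_cvm_list(cvm_list)
    for method, fallback, cond in rules:
        if not condition_met(cond, method, terminal, amount, x, y):
            continue
        if method in terminal["supports"]:
            return CVM_CODES[method]
        if not fallback:
            return None
    return None

# Assumed terminal capabilities (not from the post).
ATTENDED_US = {"supports": {0x1E, 0x02, 0x1F}}   # signature, online PIN, no CVM
GAS_PUMP_QC = {"supports": {0x02, 0x04, 0x01}}   # PIN pad only, no signature capture
```

With the card bytes above, the attended terminal stops at rule 1 (signature) while the pump skips it and lands on rule 2, enciphered PIN verified online, which is the behaviour the post describes.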
