Let’s say for a moment that the US implements EMV and goes the way of on-line PIN verification only.[From Why US travellers’ EMV cards may not work in Europe]
This would be crazy. At the recent Smart Card Alliance conference in Chicago, my colleague Stuart Fiske from Consult Hyperion had a (moderately intemperate) go at a couple of speakers who were saying chip and online PIN was a good idea. He made the point that offline PIN was the only globally interoperable solution and that the US should go with it, and he got a big round of applause for saying so. I don’t see the point of issuing EMV cards and then using them with an online PIN: if the merchant has a PIN pad then why wouldn’t you use chip and offline PIN? And I can see a practical problem here: if customers are encouraged to continue to use cards that are chip and online PIN only, then when they get off the plane at Heathrow and try to buy a train ticket in a machine, they won’t be able to buy anything because the online PIN won’t work (it will only work in ATMs).
Having just got back from a few days in the US, I decided to dust off this piece about the EMV options and tidy it up, because Visa has announced its EMV migration plan for the USA. In our little corner of the payments world, this is officially a big deal.
But in a departure from nearly every other global market that has switched to EMV cards, which are commonly called chip-and-PIN for their most prominent security feature, Visa’s plan excludes PINs.[From Visa’s Plan to Drop PINs Leaves Some Concerned About Security – American Banker Article]
It would be interesting to understand the reason for this, so I went over to Visa’s site to see and I found a rather odd statement.
And we continue to believe that long-term static data elements, including PIN, can create an increased risk for fraud. An increase in ATM fraud could occur in cases in which the PIN is stolen along with cardholder account information.[From PIN largely unaffected in U.S. migration to EMV chip « Visa’s Blog – Visa Viewpoints]
This is what used to happen in the UK. People would steal card details along with the PIN and then use those details to create counterfeit magnetic stripe cards to use at US ATMs. But they can’t do that anymore because the UK issuers have moved to iCVV (which means that the card details on the chip are different from the card details on the stripe, so you can’t make a bogus stripe card with chip details). And in any case this only worked because you could copy magnetic stripe cards: you can’t use the cardholder data to make chip cards. So once the US ATMs turn off the magnetic stripe fallback for Visa cards, counterfeiting isn’t a threat at ATMs and it doesn’t matter if someone gets hold of the card details and the PIN. There must be another dynamic.
In the US market there are about six million POS terminals in use and about a quarter of them already have PIN pads. These PIN pads, which are used for online PINs, are already secure enough to use for offline PINs. Hence Visa’s point…
Visa will continue to support online PIN as a cardholder verification method for debit transactions, and at the same time encourages the move toward future adoption of dynamic cardholder verification methods.[From PIN largely unaffected in U.S. migration to EMV chip « Visa’s Blog – Visa Viewpoints]
A digression. If you’re getting confused about what’s going on here, you need to take a break and go back to EMV basics. The EMV specification allows for a number of different Cardholder Verification Methods (CVMs) and any particular card will have the acceptable CVMs stored on it, in order, by its issuer. These could be (in no particular order):
- Plain-text offline PIN, the default in the UK;
- Enciphered offline PIN—which should be the only option in the UK, but isn’t because we started by issuing Static Data Authentication (SDA) cards that couldn’t support it. Now we are issuing Dynamic Data Authentication (DDA) cards we really should be moving over to this option to stop PINs from being harvested from terminals that have been tampered with;
- Encrypted online PIN—where there is an offline PIN as well (e.g., my Barclays debit card) then the online and offline PINs are synchronised in the back end.
You can also have combinations of these, with the most obvious example being signature plus enciphered offline PIN for the paranoid. To illustrate the point with a real case study: one of the UK cards that is in my pocket right now has the following actual CVM list in priority order:
- encrypted online PIN for cash at ATMs;
- plain text offline PIN for purchases;
- enciphered offline PIN for purchases;
- signature for purchases.
This means that if I go into a shop and their PIN pad is broken or my chip is damaged, I can still buy something and sign for it. I could imagine a typical Visa US debit card having a different CVM list:
- encrypted online PIN for cash at ATMs;
- encrypted online PIN for purchases.
Please note: this is speculation based on public documentation only. Why does this approach make sense when online PIN only doesn’t? Well, the US is never going to get rid of signatures in the timeframe under discussion for EMV, so this makes for an easy transition. The signature is decoupled from the chip infrastructure as it is anyway, so, basically, whatever the chip says the merchant terminal can just ask for a signature and most Americans won’t notice any difference.
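The CVM lists above are carried on the card as an ordered list of (CVM code, condition) byte pairs, and the terminal walks that list at transaction time. As an added example (not from the original post), here is a Python model of that walk: the CVM and condition codes and the terminal capability bits follow EMV Book 3 (Annex C3 and Annex A2), while the two card lists, the three terminal profiles and the mapping of "for purchases" onto condition code 0x02 are constructed here to match the cards described above.

```python
# CVM codes (bits 6-1 of the CVM byte) per EMV Book 3, Annex C3.
CVM = {0x01: "plaintext offline PIN", 0x02: "encrypted online PIN",
       0x04: "enciphered offline PIN", 0x1E: "signature", 0x1F: "no CVM"}
# Terminal Capabilities byte 2 (EMV Book 3, Annex A2): which CVMs the device supports.
TERM_CAP = {0x01: 0x80, 0x02: 0x40, 0x1E: 0x20, 0x04: 0x10, 0x1F: 0x08}
FALLTHROUGH = 0x40   # bit 7 of the CVM byte: try the next rule if this one cannot be done
# Condition codes used here; mapping "purchase" onto 0x02 is a simplification (constructed).
COND_MATCH = {0x00: lambda tx: True, 0x01: lambda tx: tx == "atm_cash",
              0x02: lambda tx: tx == "purchase", 0x03: lambda tx: True}

def parse_cvm_list(data: bytes):
    """Split the CVM List: 4-byte amount X, 4-byte amount Y, then (code, condition) pairs."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    x, y = int.from_bytes(data[:4], "big"), int.from_bytes(data[4:8], "big")
    rules = [(data[i], data[i + 1]) for i in range(8, len(data), 2)]
    return x, y, rules

def select_cvm(cvm_list: bytes, term_cvm_cap: int, tx_type: str) -> str:
    """Walk the rules as in EMV Book 3 section 10.5; return the CVM performed or 'FAIL'."""
    _, _, rules = parse_cvm_list(cvm_list)
    for code_byte, cond in rules:
        if not COND_MATCH.get(cond, lambda tx: False)(tx_type):
            continue                                   # condition not met: skip this rule
        code = code_byte & 0x3F
        if code in TERM_CAP and term_cvm_cap & TERM_CAP[code]:
            return CVM[code]                           # terminal supports it: perform it
        if cond == 0x03 or code_byte & FALLTHROUGH:
            continue                                   # unsupported but allowed to fall through
        return "FAIL"                                  # unsupported and no fall-through
    return "FAIL"                                      # ran out of rules

# Constructed CVM Lists matching the two cards described above (amounts X and Y set to zero).
UK_CARD = bytes.fromhex("0000000000000000" "4201" "4102" "4402" "1E02")
US_DEBIT = bytes.fromhex("0000000000000000" "4201" "0202")
# Constructed terminal profiles: a shop PIN pad, an ATM, and a ticket machine doing offline PIN only.
SHOP = 0x80 | 0x40 | 0x20 | 0x10
ATM = 0x40
TICKET_MACHINE = 0x80 | 0x10

if __name__ == "__main__":
    for name, card in (("UK card", UK_CARD), ("US debit", US_DEBIT)):
        print(f"{name} at ticket machine: {select_cvm(card, TICKET_MACHINE, 'purchase')}")
```

Passing a signature-only capability (0x20, a shop whose PIN pad is broken) shows the UK list falling through to signature while the online-PIN-only list fails outright.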
that there are more EMV markets that have implemented chip and signature than chip and PIN.[From PIN largely unaffected in U.S. migration to EMV chip « Visa’s Blog – Visa Viewpoints]
There may be another factor here, though. The US is a special case because the interchange on signature transactions is higher than the interchange on PIN transactions (or at least it was: who knows where Durbin will take it) and therefore issuers want to keep signature going for as long as possible despite the large retailers having PIN pads in place.
If Wal-Mart had its way, mag-stripe cards would disappear immediately, to be replaced with cards running chip and PIN.[From Untitled]
As I said. So why bother with chip and signature? I think the explanation might be that Visa USA, in common with many industry observers, just doesn’t see the current cards and terminals as a long-term technology worth investing in. Hence the reasonable, from their point of view, compromise. You issue chip and signature cards for credit and debit. The debit cards have encrypted online PIN as well for use at POS with the current PIN pads. This works fine in the US and at international ATMs. The only place where it causes problems is international unattended terminals that accept offline PIN only (such as Belgian petrol stations), and for international travellers the US banks can issue cards with offline PIN anyway. All sensible from the US perspective. While I was googling for something else on this topic, as an aside, I came across this voice of the customer that confirms this analysis.
I have a Citibank Singapore chip-and-signature EMV card. It caused a lot of confusion in Europe when it was a chip card that wanted a signature, and again in New Zealand as they started their EMV rollout. Only time I recall it failing in Europe was trying to buy rail tickets at AMS, where my mag-only cards also didn’t work.[From USA issuers announce EMV cards (Chip & PIN -or- Chip & Signature). – Page 3 – FlyerTalk Forums]
When I last used my chip and PIN card in Singapore, I was asked for PIN and signature, because of the decoupling mentioned earlier, but that’s a digression. At some point in the future, we’re going to stop entering PINs in POS terminals. I’ve said before that in the next generation of consumer payments, we must make a fundamental change in the point-of-sale (POS) user interface by ending the practice of having customers enter a PIN into something that isn’t theirs. The cost of providing certified PIN pads is high: making customers buy their own non-certified PIN pad seems like a much better solution all round. Since most customers have already bought a non-certified PIN pad (their mobile phone) that has other security features associated with it, we (the industry) may as well use them. This means using the “PIN” to unlock a handset-based wallet, not to authenticate card transactions.
To see the more interesting future context of Visa USA’s announcement, then, you have to stop thinking about cards and terminals and start thinking about virtual cards and phones. Post 2015 people will be using their chip and signature cards, it’s just that those cards will be inside mobile phones and will have all sorts of other security that cards don’t, so the offline PIN is less relevant. This way, the readers (POS terminals, televisions, Squares, iPhones and goodness knows what else) will be spared the expense of certified PIN entry devices and innovative new solutions can come to market exploiting chip-based dynamic authentication. These are, I stress, merely my reflections on the topic based on public statements, but I think they’re a reasonable summary of the current situation.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.