Without a hint of irony, Mike Scott astounded uk.finance on 13 Nov 2004 by announcing:
Basically, and missing out many steps here, the terminal powers up the card, sends certain information such as the terminal capabilities [1], transaction amount etc. to the card. The card then sends a CVM [2] list to the terminal. The terminal compares this list with its own list of supported CVMs and works down them in order [3]. Assuming PIN is supported on both, the terminal will ask for the PIN to be entered.
This PIN is then sent *unencrypted in the UK* to the card. The card then validates the PIN and returns a cryptogram. This cryptogram indicates whether the card has done one of the following:
- Authorised offline
- Requested online referral
- Declined
The terminal then takes this and decides whether to accept the card's decision. The terminal can never authorise if the card hasn't - it can, however, decline or refer a card-authorised transaction for instance.
If the PIN is incorrect, and the PIN-try limit has been reached, the card will indicate that it is now blocked and the transaction should be declined.
Assuming the transaction goes online, the cryptogram is sent up to the host with the regular transaction data. The response will obviously state the decision but may also contain an Issuer Script [4]. Certain scripts are processed now. The response is then sent to the card and another cryptogram is returned with the final transaction status. Other scripts are processed now. The terminal then tells the card the transaction is complete and powers it down.
[1] This is how a card knows if it's being used in an ATM, regular merchant, unattended kiosk etc.
[2] Cardholder Verification Method - includes Online PIN, Offline PIN, Signature
[3] If the terminal supports Offline PIN and Sig and the card supports Online, Offline and Sig then it will request Offline PIN. If the terminal supports Offline PIN & Sig but the card supports Online PIN & Sig then Sig will be requested.
[4] This is a set of instructions from the Cardholder's bank to the Card. It may be to increase/decrease the spending limit, block the card, change the PIN, change the CVM, etc.
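As an added illustration, not part of the original post, the CVM list walk of note [3], the PIN-try blocking and the "terminal can never authorise what the card hasn't" rule are modelled below in simplified Python; the CVM names, the try limit of 3 and the string results are constructed assumptions, not real EMV encodings.

```python
# Constructed, simplified model of the CVM selection, PIN-try counter and
# terminal/card decision rules described in the post (not a real EMV kernel).
ONLINE_PIN, OFFLINE_PIN, SIGNATURE = "Online PIN", "Offline PIN", "Signature"
AUTHORISED, REFERRAL, DECLINED = "authorised offline", "online referral", "declined"

def select_cvm(card_cvm_list, terminal_cvms):
    """First entry of the card's list (in its order) that the terminal supports."""
    for cvm in card_cvm_list:
        if cvm in terminal_cvms:
            return cvm
    return None  # no common method

class Card:
    """Card-side state: the PIN, the CVM list and the PIN-try counter."""

    def __init__(self, pin, cvm_list, pin_try_limit=3):
        self._pin, self.cvm_list = pin, list(cvm_list)
        self.pin_try_limit = self.tries_left = pin_try_limit
        self.blocked = False

    def verify_pin(self, candidate):
        """'ok' resets the counter; exhausting it leaves the card 'blocked' for good."""
        if self.blocked:
            return "blocked"
        if candidate == self._pin:
            self.tries_left = self.pin_try_limit
            return "ok"
        self.tries_left -= 1
        if self.tries_left == 0:
            self.blocked = True
            return "blocked"
        return "wrong"

def terminal_outcome(card_decision, terminal_accepts=True):
    """Terminal never authorises what the card declined; it may still decline or go online."""
    if card_decision == DECLINED or not terminal_accepts:
        return "declined"
    return "go online" if card_decision == REFERRAL else "accepted offline"

def offline_pin_flow(card, terminal_cvms, entered_pin, card_decision):
    """Pick a CVM, verify the PIN where required, then act on the card's decision."""
    cvm = select_cvm(card.cvm_list, terminal_cvms)
    if cvm is None:
        return "declined"
    if cvm == OFFLINE_PIN:
        result = card.verify_pin(entered_pin)
        if result != "ok":
            return "declined" if result == "blocked" else "pin retry"
    return terminal_outcome(card_decision)
```

A terminal supporting only Offline PIN and Signature picks Offline PIN from a card listing Online, Offline and Signature, but falls back to Signature for a card listing only Online PIN and Signature, matching note [3].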