Chip & PIN in Saibsury's

The pin number never leaves the chip/pin reader in an unencrypted form, but the till knows, in all cases that I'm aware of, the credit card number so that money can be taken from the shoppers account and transferred into the shops account.

"Derek *" wrote

How does the till put (the last four digits of) the credit card number on the receipt, if it doesn't know the cc number?

So you are saying there are 2 seperate dialogs with the issuing bank.

The card goes into the reader, the till requests from the reader an authorisation for the transaction. The reader gets a PIN from the user, checks it, and sends the card and transaction details to the issuing bank which subject to successful authorisation responds with an authorisation code. The reader sends this to the till with the card number so that the till can then initiate a second dialogue of it's own using the authorisation code and card number which actually completes the debit transaction.

Well, that would work. It would permit transactions to be done later maybe overnight when it was more convenient for the bank. It might be more "backwards compatible".

But why not complete the transaction within the first initial dialogue with the reader and have the reader send a message to the till to the effect.

"Transaction no. nnnn authorised and completed. Auth. code =zzzz"

This would also work and would be much more secure because effectively there are 2 "secrets" (PIN + card No.) instead of 1, proof against PINs being captured by overseeing or concealed photography, and card numbers being obtained from till listings, or receipts even.

This was the way I thought it happened. A feeling supported by the need in some stores to swipe the card, presumably for their records, so that for instance, refunds/reversals can be applied to the correct card, (but also possibly a training issue) as well as use the chip/reader.

Maybe more than one mode of operation is possible?

DG

I reckoned that was why they swiped the card as well.

DG

"Derek *" wrote

How about those that *don't* also swipe??

Which is exactly what I said was my experience in Sainsbury's. The customer ahead of me had her card swiped, but presumably becuse she also had a loyalty card, and it was easy for the cashier to swipe both. My card (I got rid of my loyalty card yonks ago) was inserted into the PIN terminal.

Chris

Dunno, does it happen?

Just been in Sainsburys where they didn't use the chip reader/verifier (which was present) but did ask for the pin to be entered onto it's keyboard. The till terminals apparently had a c&p reader at the bottom of the slot. Obviously they'd be in a position to grab the card no. :(

A leaflet I got with a new card today said proceadures may vary at different establishments.

Maybe at the moment some places are working in "software backwards compatability" mode?

DG

"Derek *" wrote

Yes, of course it does!

Sainsbury's (like Tesco, and I think off hand Dixons Group, Woolworths) have deployed Dione Xtreme keypads in conjunction with "Swipe & Park" type readers (like Dione Xpress

fitted to their tills EPOS systems. To be honest I find Swipe & Park a bit of a pain, a simple swipe in the top of a reader and out the bottem a more fluid action when you have a chip reader in the keypad anyway. I wonder what would happen if you were to swipe your loyalty card through the bottem of a Dione Xtreme keypad in a supermarket, would it accept it???

At 13:32:51 on 14/04/2005, snipped-for-privacy@altavista.co.uk delighted uk.finance by announcing:

sometimes

sometimes

always

At 11:47:49 on 15/04/2005, Derek * delighted uk.finance by announcing:

Depending upon what protocol is in use, yes.

At 12:28:42 on 15/04/2005, Tim delighted uk.finance by announcing:

Then it's read from the card. The track data is stored in the chip.