Credit Cards/Chip and Pin/ATM withdrawals

At 18:08:08 on 27/12/2005, Peter Hucker delighted uk.finance by announcing:

On Amex cards it was purely a marketing gimmick and served no useful purpose. On VISA and Mastercard brands, I believe it did actually contain card details (account number etc.) but no PIN.

Alex

At 21:50:46 on 27/12/2005, Peter Hucker delighted uk.finance by announcing:

Well, yes. EMV has been through several different versions, all mostly backwardly compatible. The system under discussion wasn't EMV though - it was a proprietary system; in the same way that the French have had to change their debit card systems to comply with EMV.

And as somebody else has told you, your card wouldn't know its new PIN until it contacted the bank and the least complicated way to do this is to stick it in an ATM. Since you're visiting the ATM anyway, there's no need to change the back-end and telephone systems to accept a PIN change over the phone.

Alex

I wasn't originally aware the PIN was on the card. Would it not make more sense (security-wise) to store the PIN at the bank? Or are offline transactions allowed?

Peter Hucker

Yes, they are, but even if they weren't, it would not make sense, securitywise, to store them at the bank because that would involve them having to be transmitted over the network for checking purposes. A network is more prone to eavesdropping, and although the PINs will be encrypted, insiders (bent bank employees) may be able to get hold of decryption keys.

Ronald Raygun

At 16:08:29 on 28/12/2005, Peter Hucker delighted uk.finance by announcing:

Not particularly. The easiest way to get someone's PIN is by shoulder surfing. The next easiest is sticking a knife in their face and asking them for it. Then comes intercepting the transmission of the PIN to the card during the transaction. Way down the bottom of the list (somewhere just above cracking the bank's database) is retrieving the private data on the card, cracking the key and decoding its stored PIN.

Yes.

Alex

But cannot a thief decrypt what's on the card?

Peter Hucker

In message , Alex writes

Ahh! Fame at last!

john boyle

In message , Peter Hucker writes

Not a C&P card, that is the whole point.

The old cards with data on the magnetic stripe had to send the PIN to the bank and also the stripe could be cloned relatively easily.

C&P claims to make cloning very much harder indeed and the PIN isn't sent anywhere, supposedly making it substantially more secure all round, but no doubt somebody will figure a way round it in due course.

Have a look at

formatting link

john boyle

.co.uk? Does that mean I can't use my Visa card abroad? I suppose I could sign it. But what about foreigners trying to buy here?

If the PIN is stored on the card, why can a fraudster not read this information?

Peter Hucker

At 18:34:41 on 28/12/2005, john boyle delighted uk.finance by announcing:

Not at present in the UK, no. But online enciphered PIN is a valid CVM and may be in use in other countries.

Alex

At 16:53:51 on 28/12/2005, Ronald Raygun delighted uk.finance by announcing:

Which is what currently happens with an ATM.

I'd hope not, given the amounts of money banks spend on their Host Security Modules.

Alex

At 18:42:35 on 28/12/2005, Peter Hucker delighted uk.finance by announcing:

No. It means that this is the website of the UK implementation of the global EMV standard.

1) There is no facility to programmatically read this data from the card
2) Common fraudsters would not have the time, money, or knowhow to physically read the silicon
3) Even if they read it, they would need to decrypt the PIN. Banks aren't in the habit of making their secret keys public.
Alex

If we have a different implementation, are they all compatible?

I assume the PIN is fed from the keypad into the card's chip, which says "yes" or "no"?

So that's why the bloody thing locks when I forget the number three times :-/ Or someone could feed it 1111, 1112, 1113, ......

Peter Hucker

In message , Peter Hucker writes

No it doesn't. That merely tells you where the site is and that it is a commercial organisation.

When abroad your Visa reverts to old technology for the time being.

You MUST sign it!!!

They use the old system which remains available. But from 14 Feb 06 UK Chip & Pin enabled card users MUST use the PIN. (At the moment if you claim not to know your PIN then you will be asked to sign just as before).

It is very cleverly encrypted. The terminal at the shop doesn't extract the PIN from the card to compare it with what the customer types in. It merely says 'the customer typed in 1234. Is that the correct PIN?' and the chip will merely reply 'yes' or 'no'.

john boyle

At 19:05:35 on 28/12/2005, Peter Hucker delighted uk.finance by announcing:

Yes, in that they all comply with the EMV specs; but they do not necessarily implement the whole set. For instance, the UK has decided not to implement online enciphered PIN for regular transactions which means that the PIN entry is sent offline to the card for verification. Then the transaction may or may not proceed online. In other countries they may have implemented this, meaning the PIN is encrypted and then sent to the card issuer for verification. UK cards will still work there though (and vice-versa), since the CVM rules will simply fall back to this in the same way that signature is a valid option; the card & terminal compare lists of what's allowed (terminal supports PIN & sig, card supports sig only) and since the highest mutually supported method is sig, that's used.

Basically, yes.

Indeed. The card maintains a PIN retry counter which counts down. The terminal can query (but not alter) this counter at any time, so the display can tell you how many tries you have left. When it reaches zero, your card is PIN blocked. It can also be card blocked. In the latter, only specialised terminals can unblock it; these are not being introduced in the UK so the card is effectively dead if this happens - most likely as a result of the card being reported lost/stolen.

Alex
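
Added example, not part of any post in this thread: a toy Python model of the two mechanisms described in the post above, CVM selection by walking the card's list and the card-held PIN try counter that stops sequential guessing. The names `ToyCard`, `select_cvm` and `guesses_until_blocked`, the PIN and the limit of 3 are constructed for illustration; the status words are the standard ISO 7816-4 / EMV values, and resetting the counter on a correct PIN is standard EMV behaviour rather than something stated in the thread.

```python
# Added illustration: a toy model, not EMV-conformant card or terminal code.
import hmac
from dataclasses import dataclass

# Status words a card returns to the VERIFY command (ISO 7816-4 / EMV).
SW_OK = 0x9000
SW_BLOCKED = 0x6983       # PIN blocked, no comparison is performed
SW_WRONG = 0x63C0         # 0x63Cx: wrong PIN, x tries remaining


@dataclass
class ToyCard:
    cvm_list: list            # card's CVMs, in the card's priority order
    reference_pin: str        # held inside the chip, never sent to the terminal
    try_limit: int = 3        # constructed value
    tries_left: int = 3

    def get_pin_try_counter(self):
        """The terminal can read the counter; nothing here lets it write it."""
        return self.tries_left

    def verify(self, candidate):
        """Offline PIN check: the card answers only with a status word."""
        if self.tries_left == 0:
            return SW_BLOCKED
        if hmac.compare_digest(candidate.encode(), self.reference_pin.encode()):
            self.tries_left = self.try_limit   # reset on a correct PIN
            return SW_OK
        self.tries_left -= 1
        return SW_WRONG | self.tries_left


def select_cvm(card_cvms, terminal_cvms):
    """Walk the card's list in order; the first method the terminal supports wins."""
    for cvm in card_cvms:
        if cvm in terminal_cvms:
            return cvm
    return None               # no method in common: cardholder verification fails


def guesses_until_blocked(card, start=1111):
    """Feed 1111, 1112, ... and count the guesses the card accepts before blocking."""
    attempts = 0
    while card.get_pin_try_counter() > 0:
        if card.verify(f"{start + attempts:04d}") == SW_OK:
            break
        attempts += 1
    return attempts
```
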

If I get the PIN right after having got it wrong, is the counter reset?

Peter Hucker

At 19:28:43 on 28/12/2005, Peter Hucker delighted uk.finance by announcing:

Alex

At 19:15:27 on 28/12/2005, john boyle delighted uk.finance by announcing:

When you're in the USA it reverts to 'old technology' since they have decided not to implement EMV. Most of Europe, Middle East and Africa are going (or have already gone) with EMV though.

Again, see above. They have their own EMV cards which work here (except the merkins who still use the mag stripe).

Alex

Peter Ramm wrote

ROTFL!

Gordon

Peter Hucker wrote

No it isn't, it's a very old joke.

Gordon
