Hitherto, PINs have been held on the cards as ATMs and tills are not online to the issuing institution all the time.
I'm not sure that PINs on C&P are NOT on cards. If they weren't then transactions could not be performed with a permanent link to the provider, as opposed to a link to an 'authoriser'.
That's true enough, but it simply means the thief can fool the shopkeeper. When later on the nickee denies knowledge of the transaction, the nicker's forgery can be confirmed by a handwriting expert. With PINs it is impossible to tell who entered it.
It's not a question of preventing fraud, but of being able to prove after the event that it has occurred.
Not if you consider the possibility that the nicker is actually well known to the nickee and so has ample opportunity to nick the card, probably even at a well-separated time from when he observed the PIN being typed. And worst of all, he can nick the card and then put it back before the nickee notices it's missing. Then the poor old nickee will really be toiling to try to prove that it wasn't him who stole the £300 from the cash machine because he actually used the card as normal thereafter, and wasn't alerted to the problem until weeks later when he got his card bill.
Alison Having a PIN with your credit card is not compulsory nor a legal requirement. I've already arranged to have a Chip and Signature card by sheer persistence. Your card supplier has no right to ask you why you can't handle a PIN - tell them this. If you've not got a PIN with your credit card neither you NOR a crook can get money at an ATM. If fraud occurs at any other place then the most you can be liable for is £50. However if you have a PIN, and your card issuer considers you've been negligent with it - you could get clobbered for the whole cost of the fraud. Another way to look at having a PIN with a credit card is their value to crooks - access to instant cash or they can use them in Chip and PIN compliant shops and walk away with expensive goods without ever being challenged.
No no no NO, PINs are _definitely_ not held on cards at present!! Usually an ATM won't authorise if there is no connection, it's up to a retailer whether or not to if there is no connection, or if the cost of the connection is more than the perceived risk, this is why they have floor limits.
Of course transactions can be performed without being on line, it's just that the retailer takes the risk if they aren't.
Just wait until someone works out how to enter a transaction using your card, when you definitely did not give out the PIN, and try and convince the banks you either didn't give your PIN out through stupidity, or aren't just plain lying. THEN you'll see the problem!
There was a thread somewhere or other discussing this, where a chap who claimed to work for a bank says the PIN is stored on the card, and that he was able to change people's PINs on the fly. I didn't believe it, but I've no way of confirming it.
To me it doesn't seem likely that it's on the card, as you can have your PIN changed just by making a phonecall; a few days later you'll have the new PIN in the post.
In the old days the cash card PINs were stored on the swipe stripe, no doubt in encrypted form, together with a record of recent withdrawals and balances, so they could enforce at least daily limits even when the machine was off line. Now, the PIN will be in the chip, but more securely, not only encrypted but unreadable too. What happens is that the machine into which you type the PIN will ask the chip whether this PIN is correct and will simply get a yes/no answer, instead of asking the chip to tell it the encrypted PIN so that it can do the comparison itself.
Even the PIN sent by the machine to the chip will be encrypted, in case someone slips a "man in the middle" device into the machine that could sit undetected between the machine and the card's chip to "harvest" data.
Hmmm. Surely it cannot simply come down to what the *card issuer* "considers". There must be recourse to the courts - and then it would be up to the *court* to decide - not the card issuer!
That's incorrect, and provably so. Firstly, why do you need to be online to tell if the PIN is correct, if the PIN was in the card there would be no need for that? Secondly, how do PINs get changed by banks without your card being involved? Oh, and thirdly, if the card is doing the authorisation, all I need do is make my own cards and have them always say 'yes this transaction is valid'. That's how they are able to crack some mobile phones, because they alter the software inside the phone that then ignores the check against the SIM card.
It's much simpler than that, the PIN is sent to a central system which checks to see if it's the same. It will be encrypted as it's sent of course.
The encryption is between the ATM/store terminal and the authorising system. The reason for the chip in the new cards is to check that the card itself is not a forgery, since it's now easy to fake the magnetic strip on the old style cards.
That is what they are saying, they are saying "only you know the PIN, it's impossible to read the PIN from the card, therefore I have proved it was you that used it" (Or that you carelessly gave the PIN away, thereby also making it your fault).
Because the bank can claim 'negligence' on the part of the card-holder to avoid having to keep to their part of the contract. The card-holder is then in the very difficult position of having to prove that they didn't do anything unreasonable to compromise their PIN, they never have to do this with a sig, cos everybody recognises that it is possible to forge a signature without any help for the card-owner.
That's life, innit. - No, actually, that's not what I meant to imply at all. I meant that at least there exists a means to establish to a high level of confidence whether the signature was genuine or forged. I did not intend to say anything about on whom the onus of proof falls, and agree that it should not fall upon the victim.
Trouble is, the card company *can* prove that the cardholder did use the card. "Well, Sir, here's the chit and that's your signature." - "No it bloody well isn't."
It's just prima facie evidence, though, and the next stage is initially up to the cardholder. He has to deny that he signed it, and only after that will it be up to the CCo to call in a signaturologist if they wish to try to prove the cardholder is trying to defraud them.
This is no worse than if you stand accused of a burglary on the flimsiest of circumstantial evidence. There is an initial informal burden of proof of innocence upon you by, say, offering a credible alibi to eliminate you from their enquiries. It's not entirely fair, but a reasonable compromise to ensure the system can work.
But if it's plain for all to see that the PIN-entering keypads are in full view of every crook and his parrot (and it's a dead parrot, stuffed, with a mini camcorder peering out through the eyes), any such claim should be easily capable of being laughed out of court.
Do you? I'm not convinced. It's desirable to be online, but not, I would have thought, mandatory. Big shops are capable of being on line full-time, but surely the chip technology is intended to be capable of being used in, say, small B&Bs, where there's no way they will dial up each time. You could say one falls back to signatures in such circumstances, but I expect the intention is that they will be phased out completely in due course.
The card can be updated next time it goes on line.
I think you'll find "saying yes" is not as easy as simply pulsing a wire one way or the other. The chip will send a verifiably secure packet to the machine, which will contain the yes/no somewhere in it, but loads of proof of "I am genuine" in there as well.
Fair enough, that makes sense, but they could do so much more with it.
In the case of a credit card, you just refuse to pay the bill. You don't need to take the matter to court yourself - that's up to the credit card issuer.
Not in every case. The larger outfits have an arrangement whereby all their transactions are authorised by an 'authoriser' who may or may not be on line to the banks, but once so authorised the amount is paid to the retailer. The retailer carries no risk for an offline transaction.
Smaller retailers with those small readers that dial up whilst you wait operate in the way that you describe.
Sadly RR you are wrong here. They DO dial up every time. The chip just carries more complicated encryption than that which can be carried on a swipe strip. I reckon the PIN is held on the chip though.
I reckon this is right, having recently changed the PIN on my EGG card I was told that my old PIN may be required for a while until I get a 'PIN wrong try again' message at which point I should use my new PIN but to be aware that I had one chance at getting it right.