---

@stone wrote:

Just have this question come to my mind, looks like this is easy to implement than chip-and-pin.

 

can anyone explain on this?

---

You mean like a US ATM card?  No additional security, it's too easy to read and clone the magnetic strip.

It also ignores the fact that in much of the world, the card readers are not continuously connected to the internet. One of the advantages of chip/pin is that the pin confirmation is contained on the chip. The card authorizes itself. Swipe and pin would either have to contain the pin on the magnetic strip (too easy to copy, as bs pointed out) or would have to access a remote server for confirmation (very expensive in places where internet connections are billed by the minute). Thus, chip/pin. Also why chip/pin hasn't been popular in US (where internet is "unlimited") but dominates UK (where internet is wicked pricy).

Of course it would provide additional security, lots of it, the PIN isn't stored on the stripe.

The problem is that to do this requires online PIN verification. Chip-and-PIN cards enable the PIN to be verified offline with the chip.

Most credit cards DO have a PIN number generally used for cash advances, but sometimes requested - and used - for purchases in Europe (especially with Chip and Signature cards at unattended kiosks). These are charged, correctly, as a purchase, not a cash advance, since that actually has nothing to do with the PIN.

In conclusion, however, I agree with you. The "service code" of the card determines if the PIN is generally requested. The third digit relates to PIN and cash advance policies. "0 - No restrictions, PIN required" obviously is a bad option, but does that mean that "1 - No restrictions" should be used? I don't think so. There's a third option I've never seen used "6 - No restrictions, use PIN where feasible." My understanding is that this would cause an online terminal with a PIN pad to request the PIN (since doing so is feasible) but other terminals would not (since it's not feasible).

I cannot see any good reason NOT to do this, and every card should be issued that way immediately. Of course, I also can't see any good reason to not start issuing chip and offline PIN EMV cards immediately either...

P.S. it's cultural as much as anyting, Internet today in the UK is similar in price or cheaper than in the US.

---

@nyancat wrote:

Of course it would provide additional security, lots of it, the PIN isn't stored on the stripe.

 

The problem is that to do this requires online PIN verification. Chip-and-PIN cards enable the PIN to be verified offline with the chip.

 

Most credit cards DO have a PIN number generally used for cash advances, but sometimes requested - and used - for purchases in Europe (especially with Chip and Signature cards at unattended kiosks). These are charged, correctly, as a purchase, not a cash advance, since that actually has nothing to do with the PIN.

 

In conclusion, however, I agree with you. The "service code" of the card determines if the PIN is generally requested. The third digit relates to PIN and cash advance policies. "0 - No restrictions, PIN required" obviously is a bad option, but does that mean that "1 - No restrictions" should be used? I don't think so. There's a third option I've never seen used "6 - No restrictions, use PIN where feasible." My understanding is that this would cause an online terminal with a PIN pad to request the PIN (since doing so is feasible) but other terminals would not (since it's not feasible).

 

I cannot see any good reason NOT to do this, and every card should be issued that way immediately. Of course, I also can't see any good reason to not start issuing chip and offline PIN EMV cards immediately either...

 

P.S. it's cultural as much as anyting, Internet today in the UK is similar in price or cheaper than in the US.

---

---

@nyancat wrote:

Of course it would provide additional security, lots of it, the PIN isn't stored on the stripe.

 

The problem is that to do this requires online PIN verification. Chip-and-PIN cards enable the PIN to be verified offline with the chip.

 

Most credit cards DO have a PIN number generally used for cash advances, but sometimes requested - and used - for purchases in Europe (especially with Chip and Signature cards at unattended kiosks). These are charged, correctly, as a purchase, not a cash advance, since that actually has nothing to do with the PIN.

 

In conclusion, however, I agree with you. The "service code" of the card determines if the PIN is generally requested. The third digit relates to PIN and cash advance policies. "0 - No restrictions, PIN required" obviously is a bad option, but does that mean that "1 - No restrictions" should be used? I don't think so. There's a third option I've never seen used "6 - No restrictions, use PIN where feasible." My understanding is that this would cause an online terminal with a PIN pad to request the PIN (since doing so is feasible) but other terminals would not (since it's not feasible).

 

I cannot see any good reason NOT to do this, and every card should be issued that way immediately. Of course, I also can't see any good reason to not start issuing chip and offline PIN EMV cards immediately either...

 

P.S. it's cultural as much as anyting, Internet today in the UK is similar in price or cheaper than in the US.

---

Well, look at ATM card cloning in some countries.  The point is that it's not to hard too steal the PIN via a fake reader and then clone the mag tape.  Harder with a chip.  But yes, offline is probably the biggest reason.

Oh yeah, it would absolutely be far less secure than EMV. But that doesn't change the fact it literally would be as simple as changing one digit encoded on the stripe to use the PIN where possible. Quite a bit of security for zero effort...

thank you for the cc pin 101 class, hahaha