Online vs Offline PIN processing details
Originally Posted by D582
Offline PIN means the PIN is stored in the chip and the terminal verifies the PIN with the card only. It is a challenge-response mechanism - in plain English this means the terminal will send a command basically saying "PIN Entered is: 1234" and the card will respond back with a "Yes" or "No". This can be accomplished using 'Plaintext' or 'Enciphered' mechanisms. In Plaintext, the terminal will transmit 1234 essentially as is to the card. In Enciphered, the terminal will encrypt the PIN with a Public Key presented by the card and the card will decrypt the PIN with the corresponding Private Key and then perform the verification. Cards supporting Enciphered Offline PIN are more expensive to manufacture as they need to support additional cryptographic processing.
Online PIN means the PIN as entered by the cardholder is encrypted by the terminal using a PIN Encrypting Key. This is sent online to the acquirer of the transaction. At the acquirer level, the PIN has to be decrypted (in an HSM) and then sent along to another level in the network re-encrypted with a different key. This same process can repeat itself many times until a connection with the issuer is reached. The issuer will then respond with a 'Yes' or 'No' message which then has to be relayed back to the terminal.
ATM transactions always use Online PIN. POS transactions can use either mechanism.
The type of PIN verification used does not have to directly correlate to how a transaction is authorised. Transactions that are authorised offline can only use Offline PIN. However, transactions that are authorised online can use either Offline PIN or Online PIN. Using Canada as an example, 99% of transactions are authorised online, but Offline PIN is used. In fact, Canadian debit cards primarily switched from using Online PIN verification (with mag-stripe) to Offline PIN verification (with EMV).
From the POS side, Online PIN is not universally implemented as there are many complexities with encryption key management at the terminal level (for each individual terminal and PIN pad) as well as the acquirer level and other intermediaries between the terminal and issuer.
From the issuer side, Offline PIN can be more complicated to implement as mechanisms need to be developed to a) allow cardholders to change their PIN (which must be updated on the card) and b) ensure synchronisation between a card's Offline and Online PINs.
Excellent recap - thanks!
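To make the plaintext offline challenge-response concrete, here is a constructed simulation (added example code, not from the quoted post or any card vendor): the terminal wraps the entered PIN in the EMV plaintext PIN block and sends a VERIFY command, and a simulated card answers only with a status word while maintaining a PIN Try Counter. The card model (a try limit of 3, the reference PIN "1234") is an assumption for illustration; the PIN block layout and the 9000 / 63Cx / 6983 status words are the ones EMV specifies.

```python
"""Simulated EMV offline plaintext PIN verification (constructed example).

The terminal never learns anything but yes/no: 9000 = correct PIN,
63Cx = wrong PIN with x tries remaining, 6983 = PIN blocked.
"""
import hmac

VERIFY_HEADER = bytes.fromhex("0020008008")  # CLA INS P1 P2 Lc for plaintext PIN


def build_plaintext_pin_block(pin: str) -> bytes:
    """EMV plaintext offline PIN block: control nibble 2, PIN length nibble,
    the PIN digits, then 0xF padding to 8 bytes ('1234' -> 241234FFFFFFFFFF)."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 digits")
    hex_block = ("2" + format(len(pin), "x") + pin).ljust(16, "F")
    return bytes.fromhex(hex_block)


class SimulatedCard:
    """Toy card: stores the reference PIN block and a PIN Try Counter (PTC)."""

    def __init__(self, reference_pin: str, try_limit: int = 3):
        self._reference = build_plaintext_pin_block(reference_pin)
        self.try_limit = try_limit
        self.ptc = try_limit  # remaining tries

    def verify(self, apdu: bytes) -> int:
        # Only accept a well-formed VERIFY with an 8-byte plaintext PIN block.
        if apdu[:5] != VERIFY_HEADER or len(apdu) != 13:
            return 0x6A86  # incorrect parameters
        if self.ptc == 0:
            return 0x6983  # authentication method blocked
        if hmac.compare_digest(apdu[5:], self._reference):
            self.ptc = self.try_limit  # a correct PIN resets the counter
            return 0x9000
        self.ptc -= 1
        return 0x63C0 | self.ptc  # 63Cx: x tries left (63C0 on the last failure)


def terminal_verify(card: SimulatedCard, entered_pin: str) -> int:
    """Terminal side of the exchange: send VERIFY, return the card's status word."""
    return card.verify(VERIFY_HEADER + build_plaintext_pin_block(entered_pin))


if __name__ == "__main__":
    card = SimulatedCard("1234")
    for attempt in ("0000", "1234", "1111", "2222", "3333", "1234"):
        print(attempt, format(terminal_verify(card, attempt), "04X"))
```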