
PIN code when paying by card: dotting the i's

Good day to all!

After reading a few articles on Habr about plastic cards, POS terminals and related things, it seemed to me that this topic is quite interesting to the community. In this short publication I want to get to the bottom of PIN entry on POS terminals and answer, to the best of my knowledge, the question: why does the terminal ask for a PIN in some cases and not in others?

If the topic turns out to be of interest to the community, then in the future you will see several more articles about how this whole kitchen works: everything related to the POS terminal, processing centers and plastic cards.

But first, a foreword.
It just so happened that I work at one of the banks in our country. I am responsible for setting up POS terminals, from scratch right up to commissioning.

This is my first article, so I apologize in advance for some confusion, and for the fact that I may miss something, because it is impossible to fit every detail into one article.

First of all, I need to mention the TMS (Terminal Management Server / Station). In short, it is a computer running a program that serves as the configuration center for all POS terminals. It is there that the so-called "application configuration files" are created, that is, what gets loaded into the POS and defines how it operates.

In the TMS, all POS parameters are set, both very significant ones (for example, the list of payment systems the POS works with, the settings of those systems, CVM lists, terminal action codes) and minor ones (such as the order of the menu items on the terminal screen, or the receipt layout).

The output is a specially packed file that the terminal "understands". This file is uploaded to the terminal.

Now to the point: to ask or not to ask for a PIN (in the case of an EMV card):

When the application is loaded onto the card's EMV chip, a so-called CVM list (CVM - Cardholder Verification Method) is written to it. It can also be changed during a transaction by a special issuer script sent from the processing center, but I will leave those subtleties aside.

Each issuing bank selects a CVM list based on its requirements. Here is an example of a classic CVM list:

4403410342031E031F02

Decoded, it looks like this:



And it is read from left to right (I apologize in advance for the clumsy diagram, drawn in Paint at roughly a 1992 level):



The terminal itself also has its own terminal CVM list. It is set in the TMS when the configuration files that are uploaded to the POS are created, and it is configured by the acquiring bank, again according to its own requirements.

Everything works very simply: during a transaction, the two CVM lists (the card's and the terminal's) are compared. Only those verification methods that appear in both lists can be used (in effect, the intersection of the two CVM lists is taken). The remaining methods are discarded!

That is, in this example, the algorithm is as follows:

Ask for the enciphered offline PIN (after first checking that this method is present in the terminal's CVM list). If the cardholder declines (that is, presses the red button on the PIN pad), request the offline plaintext PIN, which may also be declined (see the picture). If that is declined too, request the online PIN (verified by the host rather than by the card). If that is declined as well, request a signature, which cannot be declined (see the picture again). If signature verification is absent from the terminal's CVM list, the method is skipped (this is NOT the same as a failure!) and the "No CVM" method applies, with the condition "if not unattended cash and not purchase with cashback" (in practice this is rarely used). If that method is absent from the terminal's CVM list as well, cardholder verification fails and the transaction is declined.
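To make the decoding of the sample list above and the rule-by-rule walk just described concrete, here is an added example in Python; it is not code from the article. It parses the article's own hex string 4403410342031E031F02 into CV Rules (2 bytes each: a CVM code with the "apply succeeding rule if this one fails" bit, plus a condition code), then walks the rules the way the terminal does. The terminal side is simplified to a set of CVM codes the terminal is configured to support, and the transaction flags (unattended cash, manual cash, cashback) are a constructed dict; amount-based conditions are not modelled. Note that a full card CVM List (tag 8E) is prefixed by two 4-byte amounts X and Y before the rules; the article's sample shows only the rules, so the parser takes a flag for that.

```python
"""Decode an EMV CVM List and walk it the way a POS terminal does.
Added example, not the article's code. The hex sample is the article's own;
the terminal's supported CVMs and the transaction flags are assumptions."""

# CVM codes: low 6 bits of the first byte of each 2-byte CV Rule (EMV Book 3, Table 39).
CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verification performed by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verification performed by ICC",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}

# CVM condition codes: second byte of each CV Rule (EMV Book 3, Table 40).
CVM_CONDITIONS = {
    0x00: "Always",
    0x01: "If unattended cash",
    0x02: "If not unattended cash and not manual cash and not purchase with cashback",
    0x03: "If terminal supports the CVM",
    0x04: "If manual cash",
    0x05: "If purchase with cashback",
    0x06: "If transaction is in the application currency and is under X value",
    0x07: "If transaction is in the application currency and is over X value",
    0x08: "If transaction is in the application currency and is under Y value",
    0x09: "If transaction is in the application currency and is over Y value",
}

CONTINUE_ON_FAIL = 0x40  # bit 7 of byte 1: apply succeeding CV Rule if this one fails


def parse_cvm_list(hex_value, has_amounts=False):
    """Parse CV Rules. A full tag 8E value starts with 4-byte amounts X and Y;
    the article's sample contains only the rules, so amounts are optional."""
    data = bytes.fromhex(hex_value)
    amount_x = amount_y = None
    if has_amounts:
        amount_x = int.from_bytes(data[0:4], "big")
        amount_y = int.from_bytes(data[4:8], "big")
        data = data[8:]
    if len(data) % 2:
        raise ValueError("CV Rules are 2 bytes each")
    rules = []
    for i in range(0, len(data), 2):
        code, cond = data[i] & 0x3F, data[i + 1]
        rules.append({
            "cvm": code,
            "cvm_name": CVM_CODES.get(code, "RFU/proprietary"),
            "continue_on_fail": bool(data[i] & CONTINUE_ON_FAIL),
            "condition": cond,
            "condition_name": CVM_CONDITIONS.get(cond, "RFU/proprietary"),
        })
    return {"amount_x": amount_x, "amount_y": amount_y, "rules": rules}


def condition_met(rule, terminal_supports, tx):
    """Evaluate a rule's condition byte against constructed transaction flags.
    Amount-based conditions 06..09 are not modelled and count as unmet."""
    cond = rule["condition"]
    if cond == 0x00:
        return True
    if cond == 0x01:
        return tx["unattended_cash"]
    if cond == 0x02:
        return not (tx["unattended_cash"] or tx["manual_cash"] or tx["cashback"])
    if cond == 0x03:
        return rule["cvm"] in terminal_supports
    if cond == 0x04:
        return tx["manual_cash"]
    if cond == 0x05:
        return tx["cashback"]
    return False


def select_cvm(rules, terminal_supports, tx, declined=frozenset()):
    """Walk the card's rules top to bottom. `declined` holds CVM codes the
    cardholder refused (the red button). Returns ("ok", code) or ("fail", code)."""
    for rule in rules:
        if not condition_met(rule, terminal_supports, tx):
            continue  # condition unmet: the rule is skipped, which is not a failure
        code = rule["cvm"]
        if code in terminal_supports and code not in declined:
            return ("ok", code)
        if rule["continue_on_fail"]:
            continue  # bit 7 set: try the next rule
        return ("fail", code)  # bit 7 clear: cardholder verification fails here
    return ("fail", None)  # list exhausted without a successful CVM


PURCHASE = {"unattended_cash": False, "manual_cash": False, "cashback": False}

if __name__ == "__main__":
    card = parse_cvm_list("4403410342031E031F02")  # the article's sample list
    for r in card["rules"]:
        print(f"{r['cvm']:02X}/{r['condition']:02X}: {r['cvm_name']}; "
              f"{r['condition_name']}; continue on fail={r['continue_on_fail']}")
    # Terminal supporting only online PIN and No CVM; cardholder declines the PIN:
    print(select_cvm(card["rules"], {0x02, 0x1F}, PURCHASE, declined={0x02}))
```

Running it shows the five rules of the sample decoded in order (enciphered offline PIN, plaintext offline PIN, online PIN, signature, No CVM) and, for a terminal that supports only online PIN and No CVM, falls through to No CVM when the cardholder declines the PIN; drop 0x1F from the terminal's set and the same transaction fails, exactly as the text describes.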

Naturally, the number of different card and terminal CVM lists, let alone their combinations, is very large. So now, I think, it is clearer to everyone why one device asks a card for a PIN while another asks the same card for a signature; why a different card works fine with a PIN prompt in that same device; and why a card that works in a third device refuses to work here at all. I also hope that after reading this article the topic of PIN prompts when paying by card has become clearer and more transparent, and that you will no longer be puzzled by it in shops.

Thank you all for your attention!

Source: https://habr.com/ru/post/244107/


All Articles