
When is the PIN code requested when paying?

plastic cards

I noticed that people often argue about the reasons for not requesting a PIN code, or, on the contrary, wonder why it was suddenly needed. Trying to explain in what situations a PIN code is needed, I got confused and decided to collect data and write an article.

Theory


First, let's deal with the cards

Non-chip magnetic stripe cards are rare, but still used today. Liability for lost funds used to rest with the bank, but then the EMV standard appeared (the international standard for transactions with chip bank cards), which allowed banks to shift liability for lost funds to merchants that do not support EMV, and otherwise to the cardholder (if he cannot prove that he had nothing to do with the operation). Equipment that does not support EMV remains in use because buying equipment that supports the new standard is not profitable for organizations. It turns out that a store with old equipment can accept any card, but if the customer has an EMV-compliant card, the store is liable; if the store does not want that, it will have to buy new equipment.

As a result, we get two types of cards: those that support EMV and those that do not. There are other payment cards, but banks use them locally and they are not of interest here.
Next, we will deal with the PIN-code

The terminal decides whether to request a PIN or a signature by consulting the chip card's CVM list and relying on its own mode. There are as many opinions as there are people: some are for the signature, some against. In practice, every bank does it differently. Some banks set the priority on the card to the signature, others to the PIN code, and still others let the client reconfigure the card through an ATM on request.
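As an added illustration (not code from the article), the sketch below decodes the value of EMV tag 8E, the CVM list the terminal consults, and walks its rules in card order to show how a PIN-first and a signature-first card differ. The rule layout and codes are taken from the EMV specification rather than from this article; the sample lists and the set of terminal-supported methods are constructed, and only the "always", "if terminal supports" and amount conditions are modelled.

```python
# Added example: decode an EMV CVM list (value of tag 8E) and pick the first
# rule the terminal can apply. All sample data below is constructed.
METHODS = {0x00: "fail CVM processing", 0x01: "offline plaintext PIN",
           0x02: "online PIN", 0x03: "offline plaintext PIN + signature",
           0x04: "offline enciphered PIN", 0x05: "offline enciphered PIN + signature",
           0x1E: "signature", 0x1F: "no CVM"}

def parse_cvm_list(data):
    """Return (amount_x, amount_y, [(method, continue_on_fail, condition), ...])."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte CV rules")
    x = int.from_bytes(data[0:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = []
    for i in range(8, len(data), 2):
        code, cond = data[i], data[i + 1]
        # Low 6 bits: method; bit 0x40: try the next rule if this one fails.
        rules.append((METHODS.get(code & 0x3F, "unknown"), bool(code & 0x40), cond))
    return x, y, rules

def select_cvm(data, amount, supported):
    """Walk rules in card order; amount is in minor units of the card currency."""
    x, y, rules = parse_cvm_list(data)
    by_amount = {0x06: amount < x, 0x07: amount > x, 0x08: amount < y, 0x09: amount > y}
    for method, cont, cond in rules:
        if cond == 0x00:                      # always
            applies = True
        elif cond == 0x03:                    # if the terminal supports the method
            applies = method in supported
        else:                                 # amount conditions; others not modelled
            applies = by_amount.get(cond, False)
        if not applies:
            continue                          # condition not met: skip to next rule
        if method in supported:
            return method
        if not cont:
            return "CVM failed"
    return "CVM failed"

# Constructed CVM lists: the same rules in a different priority order.
PIN_FIRST = bytes.fromhex("000000000000000042035E031F00")
SIGNATURE_FIRST = bytes.fromhex("00000000000000005E0342031F00")
# Constructed list with an amount condition: signature below X = 3000, else PIN.
SIGNATURE_UNDER_X = bytes.fromhex("00000BB8000000005E064203")
FULL_TERMINAL = {"online PIN", "signature", "no CVM"}

if __name__ == "__main__":
    for name, lst in [("PIN first", PIN_FIRST), ("signature first", SIGNATURE_FIRST)]:
        print(name, "->", select_cvm(lst, 1500, FULL_TERMINAL))
```
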

Now about the trading equipment

I did not find specific information about how terminals are set up in stores, but I realized that they also have settings that, for example, allow a signature to be required instead of a PIN code even if the card gives priority to the PIN code, but only if the amount does not exceed a certain limit. This mode is needed in stores with long queues of customers paying small amounts. This mode, which if I’m not mistaken is called Offline, transfers responsibility to the store even if EMV equipment is used.

Result

Based on the above, I compiled a table in order to calculate in which case the PIN code will be requested:



Green marks the safest operations, red the most dangerous ones. In the "responsible" column (for the lost funds), some cells list two or three parties; I think which one exactly depends on the specific tariff plan (correct me if I'm wrong). Blue marks operations that are safe provided that the magnetic stripe has not been read.

Security

The data on any card can be compromised if the magnetic stripe is read and the PIN code is entered. With a compromised card, an attacker can make purchases only at retail outlets whose equipment does not support EMV. If the card supports EMV, it cannot be used at ATMs (the stripe carries a record that the card has a chip). With a card without EMV, an attacker can, besides shopping, also make transactions at an ATM, for example withdraw money.

Pay attention to this rather common situation: the operator swipes the magnetic stripe, “hesitates” on noticing that the card has a chip (or “hesitates badly” on seeing a message about the chip on the display), then inserts the card as expected and asks for the PIN code. In this case you also compromise your card data, because the operator may have done this on purpose.

In any case, we can always refuse to enter a PIN code so as not to compromise it. To do this, press the red key on the terminal after the PIN code is requested; the cashier will then see the “Customer refused to enter the PIN code” screen and can choose to accept a signature instead of the PIN code (press “continue”) or decline the operation (press “cancel”). I don’t know about you, but personally I didn’t know about this function and thought that the red button cancelled the operation completely. Of course, the operator may be outraged, but there is a simple answer to this: “I do not remember the PIN code” or “I do not know it” (there are credit cards for which no envelope with a PIN code is issued).

I hope this information was helpful to you.

Useful links


PowerMetall has written an excellent CVM article.

Source: https://habr.com/ru/post/356554/

