Community

Why can't the issuer simply compare the IAD "offline PIN = false" with the CVMR "PIN verification performed by ICC"?

I also had my magstripe zapped and since then I cannot withdraw cash from ATMs in Thailand and Sweden, although the chip is working fine for payments and cashback in stores. I'm not sure, but I believe these ATMs do use the chip, but only after verifying that the magstripe is ok. D'oh!

"* One personal observation relates to T&E card transactions. For example, restaurant bills in the U.S. are not totaled and require signatures. The tip is always added to the bill and the cardholder can enter any tip amount he wants to give to the server, then sign. I might add that in the U.S., tips MUST be added! How can you possibly do this with a hand-held terminal that a server in Europe carry around with him/her?"

This is already done in Norway. The customer inserts (or swipes) the card in the hand-held terminal, the amount without tip is displayed, the customer enters the total amount including tip and finally enters the PIN-code.

Sweden is about to implement the same behaviour.

"* With the lack of pin-codes, fraudsters would have to not only clone the mag-stripes but must also do way beyond white-plastic fraud. In addition to creating authentic looking cards (with the bank logo, embossed card number and name), fraudsters must also come up with an official-looking ID card to match the name on the fake card."

As far as I know, Visa/MasterCard does not require the cashier to check the ID-card. The requirement is only to check that the signature on the receipt match the signature on the payment card.

In Sweden, ID-cards are typically only required for amounts above ~€20, but not for foreign cards. However, it's very rare to see a cashier match the signature on the receipt with the signature on the payment card. The customer will usually get the payment card back before signing the receipt.

In Norway you are only required to check the ID card for offline purchases (which rarely happens) and then the ID is usually printed on the back of the payment card.

Most payments in Scandinavia are made online with PIN verification though.

It would be interesting to see some statistics about the various national rules/practices regarding ID check and signature matching.

Thanks Dean. The only problem (I hope) with your solution is that it sounds too good to be true. Please let me know when a demonstration is available on youtube. I would love to compare it to other solutions currently available in Sweden.

"NFC is part of the wrong approach. It will always need something extra to make it work, ad infinitem."

Totally agree. NFC alone is great for things like bus/train tickets. For other purchases, I think a PIN code would be the "extra to make it work".

Steve, the article refers to a "global ATM heist", not internet purchases.

I agree with David. This is very disturbing. Having the PINs encrypted at all time, in environments like this, has been a requirement long before PCI DSS came around.

Thanks for the explanation Marite. I don't know enough about these 7 issues to give you a good answer, but I believe most of them were fixed in Scandinavia back in the 80's or something.

Well, we do have cash only restaurants in Sweden too, but that's just to make it easier to hide the profit from the government. We have a lot of poor people too, but I think most of them have bank accounts, since it's free and convenient.

Still sounds weird to me... Too poor to have a bank account, but have cash to buy stuff on the internet.

Makes more sense to hear about people too poor to have any cash because they used their credit cards too much on the internet.