Community

1. Doesn't Brexit affect this?

2. Cybersecurity and PCI are related but not synonymous. 

@Matt: I am saying that the US is better off with EMV and Signature, because in the risk analysis the benefits of using the PIN are less that the risk in exposing it.

@Matt: Exactly, with online PIN it would not work. But using the PIN exposes it to many other attacks, and it is not worth it.

Today the signature of the transaction would indicate that the PIN was not verified if the card was properly configured.

But this does support the US decision to use EMV without PIN.

There is a more basic question. Every use of the PIN is a potential exposure. I don't think it is desireable to go into details here. Is it justified to check the PIN when the purchase is a cup of coffee? Visa should establish a minimum transaction amount below which PINs are not required.

I suppose they were using offline PIN verification. If it were online I don't see how it could have been Tesco's fault.

PCI?

Percentages are nice, but absolutes are important too. What are the absolute figures related to the use of cash in Sweden, Australia and the UK? Are they going down too?

6 digit cardholder selected PINs would only be marginally more secure. One would, I guess, still get a preponderance of 123456, 555555, 333333, birthdays and zip codes related PINs.

Customer selected PINs are a disaster. There exists better research, based on actual cracked PINs rather than passwords, where the results are different though similar. The most common PINs were 1234, 5555 and 3333, followed by birthdate and ZIP code related numbers. It was claimed that if a thief has your wallet or access to your pesonal data he needs on average 6 trials to get to 50% of the PINs.

Banks should use random or cryptographically generated PINs.