Delta Amex and EMV chips... Target too.

Old May 30th 2014, 10:30 pm
  #16  
Forum Regular
 
Joined: Dec 2013
Posts: 264
Markie is an unknown quantity at this point
Default Re: Delta Amex and EMV chips... Target too.

Originally Posted by fsm
Citibank issued me with a chip and pin card August last year, when I asked about the pin they gave me the cash advance pin.

According to citibank if used in an ATM it will be a cash advance, if used at a point of sale terminal it will be a normal credit transaction, alas I have not been out of the country yet to test it.
This is correct; the "cash advance PIN" is just an online-verified PIN. I'm glad Citi understands this. Bank of America tells people any transaction using it will be treated as a cash advance, which is utter nonsense.

That said, do you have a Citi Visa or Mastercard? Citi Visa cards are set up to NEVER ask for the online PIN for a purchase (only for a cash advance). Citi Mastercards will ask for the online PIN if the terminal doesn't allow signatures. That's not to say you WON'T be asked for the PIN on the Visa, but the card is set up so that you SHOULDN'T be if the terminal properly obeys the CVM list, so it'll be rare.

Here's the exact setup (translated to plain English):

Citi Mastercard:

1. If at an ATM (unattended cash), ask for the online PIN; if this fails, move down the list.
2. If supported, ask for a signature; if this fails, move down the list.
3. If supported, ask for the online PIN; if this fails, move down the list.
4. If supported, attempt authorisation without verifying the card holder; if this fails, the transaction fails.

Citi Visa:

1. If at an ATM (unattended cash), ask for the online PIN; if this fails, the transaction fails. [note - this is the correct behaviour, I don't know why the MC says to move down the list on a bad PIN, thankfully no ATM should actually allow that]
2. If supported, ask for a signature; if this fails, move down the list.
3. If supported, attempt authorisation without verifying the card holder; if this fails, move down the list. [note - to where? there's nothing after this in the list to move on to!]

For comparison, the Bank of America Travel Rewards Visa:

1. If at an ATM (unattended cash), ask for the online PIN; if this fails, move down the list.
2. If supported, ask for a signature; if this fails, the transaction fails. [note - this makes more sense than the Citi cards - the Citi cards are set up so if the cashier says the signature doesn't match, the terminal should still attempt to push the transaction through!]
3. If supported, ask for the online PIN; if this fails, move down the list. [note - ideally this step would fail it too - but because Bank of America even tells people NOT to use their PIN - it makes sense as a temporary measure to try and move to no CVM if they get the PIN wrong]
4. If supported, attempt authorisation without verifying the card holder; if this fails, the transaction fails.

Now, I'm translating the actual EMV language to plain English to help everyone understand, so no one jump on me for my over-simplistic descriptions of what happens!

P.S. NONE of these cards have an OFFLINE PIN. In many chip and PIN countries, terminals are set up to require an offline PIN (a PIN verified by the card instead of sent in to the issuing bank to verify).

Last edited by Markie; May 30th 2014 at 10:32 pm.
Markie is offline  
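Added example (not part of any post in this thread): the plain-English lists in post #16 correspond to the EMV CVM list (tag 8E), and this sketch decodes such a list and walks it the way a terminal is meant to. The rule bytes are constructed from the post's description, not read from real cards, and the function names and the terminal capability sets are hypothetical.

```python
# Added example: decode an EMV CVM list (tag 8E) and walk it as a terminal would.
# Byte strings below are constructed from the post's plain-English lists.
CVM = {0x00: "fail CVM", 0x01: "offline plaintext PIN", 0x02: "online PIN",
       0x04: "offline enciphered PIN", 0x1E: "signature", 0x1F: "no CVM"}
COND = {0x00: "always", 0x01: "unattended cash", 0x03: "if supported"}

def parse_cvm_list(data: bytes):
    """Return (amount_x, amount_y, rules); a rule is (method, condition, move_down)."""
    if len(data) < 10 or len(data) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte CV rules")
    x, y = int.from_bytes(data[:4], "big"), int.from_bytes(data[4:8], "big")
    rules = []
    for i in range(8, len(data), 2):
        code, cond = data[i], data[i + 1]
        # Bits 6-1 select the method; bit 7 (0x40) set means "move down the list"
        # if this CVM is unsuccessful, clear means cardholder verification fails.
        rules.append((CVM.get(code & 0x3F, "unknown"), COND.get(cond, "other"),
                      bool(code & 0x40)))
    return x, y, rules

def select_cvm(data, supported, unattended_cash=False, failing=()):
    """Return the CVM that ends up verifying the cardholder, or None on failure.

    supported: methods the (hypothetical) terminal offers; failing: methods whose
    check comes back negative (wrong PIN, cashier rejects the signature).
    Amount-based and other conditions are treated as not applicable here.
    """
    for method, cond, move_down in parse_cvm_list(data)[2]:
        applies = (cond == "always"
                   or (cond == "unattended cash" and unattended_cash)
                   or (cond == "if supported" and method in supported))
        if not applies:
            continue                      # rule skipped, look at the next one
        if method in supported and method not in failing and method != "fail CVM":
            return method
        if not move_down:
            return None                   # bit 7 clear: stop, verification failed
    return None                           # list exhausted without a successful CVM

AMOUNTS = bytes(8)                        # X and Y amounts unused by these rules
CITI_MC = AMOUNTS + bytes.fromhex("42015E0342031F03")
CITI_VISA = AMOUNTS + bytes.fromhex("02015E035F03")

if __name__ == "__main__":
    pin_or_nothing = {"online PIN", "no CVM"}      # e.g. a kiosk with no signature
    for name, card in (("Citi Mastercard", CITI_MC), ("Citi Visa", CITI_VISA)):
        print(name, "->", select_cvm(card, pin_or_nothing))
```

On a terminal that offers only PIN entry, the constructed Visa list yields no usable method at all, while the Mastercard list reaches its online PIN rule.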
Old May 31st 2014, 12:32 am
  #17  
Heading for Poppyland
 
robin1234's Avatar
 
Joined: Jul 2007
Location: North Norfolk and northern New York State
Posts: 14,529
Default Re: Delta Amex and EMV chips... Target too.

A first for us yesterday - our US credit card was refused in Canada. This was in IKEA in Ottawa. Strangely enough, we'd used the credit card in the IKEA restaurant an hour earlier, but when we were going through the checkout on leaving the store, the checkout guy said they had new machines which did not have the swipe & signature facility, they were now only able to accept chip & pin cards. We didn't pursue this, we simply paid cash. But if this is a trend in Canada, we'll start using our British debit card up there instead of US card.
robin1234 is online now  
Old May 31st 2014, 7:49 pm
  #18  
Forum Regular
 
Joined: Dec 2013
Posts: 264
Markie is an unknown quantity at this point
Default Re: Delta Amex and EMV chips... Target too.

Originally Posted by robin1234
A first for us yesterday - our US credit card was refused in Canada. This was in IKEA in Ottawa. Strangely enough, we'd used the credit card in the IKEA restaurant an hour earlier, but when we were going through the checkout on leaving the store, the checkout guy said they had new machines which did not have the swipe & signature facility, they were now only able to accept chip & pin cards. We didn't pursue this, we simply paid cash. But if this is a trend in Canada, we'll start using our British debit card up there instead of US card.
I highly doubt what they said is actually true; I imagine a chip and signature card would work fine, so ask your American bank for a chip card.
Markie is offline  
Old Jun 9th 2014, 12:41 am
  #19  
fsm
So I am where?
 
fsm's Avatar
 
Joined: Oct 2009
Location: North Carolina
Posts: 485
Default Re: Delta Amex and EMV chips... Target too.

Great information, thanks!!!
fsm is offline  
Old Jun 9th 2014, 1:07 am
  #20  
BE Forum Addict
 
jmood's Avatar
 
Joined: May 2009
Posts: 1,309
Default Re: Delta Amex and EMV chips... Target too.

I think the PIN (in the US) is usually your zip code - though I could be wrong. That's what I get asked for most often by cashiers and also the metro (subway) ticket machines in NYC ask for it like asking for your PIN when using the CC.
jmood is offline  
Old Jun 9th 2014, 3:45 am
  #21  
Forum Regular
 
Joined: Dec 2013
Posts: 264
Markie is an unknown quantity at this point
Default Re: Delta Amex and EMV chips... Target too.

Originally Posted by jmood
I think the PIN (in the US) is usually your zip code - though I could be wrong. That's what I get asked for most often by cashiers and also the metro (subway) ticket machines in NYC ask for it like asking for your PIN when using the CC.
Not at all. The PIN is completely separate from address verification (which ZIP code verification is part of).

The PIN is a four-digit (can be longer, but not in the US that I've ever seen - in fact, I've only ever seen longer PINs with UnionPay) number used as a secret password (knowledge factor). There are two types of PIN - online PIN and offline PIN. An online PIN is verified by the issuer, while an offline PIN is verified by the card. Offline PIN is what is used in the UK, whereas when you do get a PIN in the US it is usually online (and usually referred to as a cash advance PIN since that's the only thing they're used for normally, though some cards do allow it to be used for purchases as a backup, such as Bank of America cards and Citi {Citi Mastercard only, not Citi Visa}).

The ZIP code is a US postcode (for foreign visitors, enter JUST THE NUMBERS from your postcode, then pad with zeroes to make a five-digit number. This is supposed to work, but usually doesn't).

Both are technically knowledge factors, but the ZIP code is far less secure, especially in a small town with only one or two ZIP codes.

To be secure, transactions should be based on two of the three types of authentication factors:

1. Possession factors - things you HAVE (e.g. the physical card, your phone, etc)
2. Knowledge factors - things you KNOW (e.g. passwords, your address, etc)
3. Inherence factors - things you ARE (e.g. your signature, fingerprint, palm vein pattern, iris design, etc)

Technically, all credit card transactions satisfy this, but some factors are easier to duplicate than others. A traditional swipe and sign transaction and a modern chip and PIN transaction both use two factors.

The magnetic stripe card and the chip card are both possession factors. The chip is essentially impossible to copy, while the stripe has no copy protection. However, the physical magnetic stripe card has security features that are very difficult to copy (holograms, printing techniques, embossed name, multiple copies of the last digits, matching the card data to the stripe). An attentive cashier will be able to detect all but the best forged magnetic stripe cards. But this requires effort to detect from a working card, while the chip card just can't be forged in a functional manner.

Likewise, the PIN is a knowledge factor and your signature is an inherence factor (albeit one that is somewhat knowledge too, since you can change it). The difference is that the PIN is kept secret and can be instantly checked by machine. Not only is your signature visible to be learned by a thief (though that is easier said than done), it's also rarely checked by cashiers and if it IS checked they often are just putting on a show - few would even know what to look for to actually check a signature.

So, both systems use two factors... the difference is the quality of those factors. And chip and PIN is the vastly superior system in this regard.
Markie is offline  
Old Jun 9th 2014, 4:09 am
  #22  
BE Forum Addict
 
jmood's Avatar
 
Joined: May 2009
Posts: 1,309
Default Re: Delta Amex and EMV chips... Target too.

Wow. OK, thanks.
jmood is offline  
