Go Back  British Expats > Living & Moving Abroad > USA > The Trailer Park
Reload this Page >

Delta Amex and EMV chips... Target too.

Delta Amex and EMV chips... Target too.

Old May 30th 2014, 11:30 pm
  #16  
Forum Regular
 
Joined: Dec 2013
Posts: 264
Markie is an unknown quantity at this point
Default Re: Delta Amex and EMV chips... Target too.

Originally Posted by fsm View Post
Citibank issued me with a chip and pin card August last year, when I asked about the pin they gave me the cash advance pin.

According to citibank if used in an ATM it will be a cash advance, if used at a point of sale terminal it will be a normal credit transaction, alas I have not been out of the country yet to test it.
This is correct, the "cash advance PIN" is just an online-verified PIN. I'm glad Citi understands this, Bank of America tells people any transaction using it will be treated as a cash advance, which is utter nonsense.

That said, do you have a Citi Visa or Mastercard? Citi Visa cards are set up to NEVER ask for the online PIN for a purchase (only for a cash advance). Citi Mastercards will ask for the online PIN if the terminal doesn't allow signatures. That's not to say you WON'T be asked for the PIN on the Visa, but the card is set up so that you SHOULDN'T be if the terminal properly obeys the CVM list so it'll be rare.

Here's the exact setup (translated to plain English):

Citi Mastercard:

If at an ATM (unattended cash), ask for the online PIN, if this fails, move down the list.
If supported, ask for a signature, if this fails, move down the list.
If supported, ask for the online PIN, if this fails, move down the list.
If supported, attempt authorisation without verifying the card holder, if this fails, the transaction fails.

Citi Visa:

If at an ATM (unattended cash), ask for the online PIN, if this fails, the transaction fails. [note - this is the correct behaviour, I don't know why the MC says to move down the list on a bad PIN, thankfully no ATM should actually allow that]
If supported, ask for a signature, if this fails, move down the list.
If supported, attempt authorisation without verifying the card holder, if this fails, move down the list. [note - to where? there's nothing after this in the list to move on to!]

For comparison, the Bank of America Travel Rewards Visa:

If at an ATM (unattended cash), ask for the online PIN, if this fails, move down the list.
If supported, ask for a signature, if this fails, the transaction fails. [note - this makes more sense than the Citi cards - the Citi cards are set up so if the cashier says the signature doesn't match, the terminal should still attempt to push the transaction through!]
If supported, ask for the online PIN, if this fails, move down the list. [note - ideally this step would fail it too - but because Bank of America even tells people NOT to use their PIN - it makes sense as a temporary measure to try and move to no CVM if they get the PIN wrong]
If supported, attempt authorisation without verifying the card holder, if this fails, the transaction fails.

Now, I'm translating the actual EMV language to plain English to help everyone understand, so no one jump on me for my over simplistic descriptions of what happens!

P.S. NONE of these cards have an OFFLINE PIN. In many chip and PIN countries, terminals are set up to require an offline PIN (a PIN verified by the card instead of sent in to the issuing bank to verify).

Last edited by Markie; May 30th 2014 at 11:32 pm.
Markie is offline  
Old May 31st 2014, 1:32 am
  #17  
Heading for Poppyland
 
robin1234's Avatar
 
Joined: Jul 2007
Location: North Norfolk and northern New York State
Posts: 11,675
robin1234 has a reputation beyond reputerobin1234 has a reputation beyond reputerobin1234 has a reputation beyond reputerobin1234 has a reputation beyond reputerobin1234 has a reputation beyond reputerobin1234 has a reputation beyond reputerobin1234 has a reputation beyond reputerobin1234 has a reputation beyond reputerobin1234 has a reputation beyond reputerobin1234 has a reputation beyond reputerobin1234 has a reputation beyond repute
Default Re: Delta Amex and EMV chips... Target too.

A first for us yesterday - our US credit card was refused in Canada. This was in IKEA in Ottawa. Strangely enough, we'd used the credit card in the IKEA restaurant an hour earlier, but when we were going through the checkout on leaving the store, the checkout guy said they had new machines which did not have the swipe & signature facility, they were now only able to accept chip & pin cards. We didn't pursue this, we simply paid cash. But if this a trend in Canada, we'll start using our British debit card up there instead of US card.
robin1234 is offline  
Old May 31st 2014, 8:49 pm
  #18  
Forum Regular
 
Joined: Dec 2013
Posts: 264
Markie is an unknown quantity at this point
Default Re: Delta Amex and EMV chips... Target too.

Originally Posted by robin1234 View Post
A first for us yesterday - our US credit card was refused in Canada. This was in IKEA in Ottawa. Strangely enough, we'd used the credit card in the IKEA restaurant an hour earlier, but when we were going through the checkout on leaving the store, the checkout guy said they had new machines which did not have the swipe & signature facility, they were now only able to accept chip & pin cards. We didn't pursue this, we simply paid cash. But if this a trend in Canada, we'll start using our British debit card up there instead of US card.
I highly doubt what they said is actually true, I imagine a chip and signature card would work fine, so ask your American bank for a chip card.
Markie is offline  
Old Jun 9th 2014, 1:41 am
  #19  
fsm
So I am where?
 
fsm's Avatar
 
Joined: Oct 2009
Location: North Carolina
Posts: 485
fsm is a glorious beacon of lightfsm is a glorious beacon of lightfsm is a glorious beacon of lightfsm is a glorious beacon of lightfsm is a glorious beacon of lightfsm is a glorious beacon of lightfsm is a glorious beacon of lightfsm is a glorious beacon of lightfsm is a glorious beacon of lightfsm is a glorious beacon of lightfsm is a glorious beacon of light
Default Re: Delta Amex and EMV chips... Target too.

Originally Posted by Markie View Post
This is correct, the "cash advance PIN" is just an online-verified PIN. I'm glad Citi understands this, Bank of America tells people any transaction using it will be treated as a cash advance, which is utter nonsense.

That said, do you have a Citi Visa or Mastercard? Citi Visa cards are set up to NEVER ask for the online PIN for a purchase (only for a cash advance). Citi Mastercards will ask for the online PIN if the terminal doesn't allow signatures. That's not to say you WON'T be asked for the PIN on the Visa, but the card is set up so that you SHOULDN'T be if the terminal properly obeys the CVM list so it'll be rare.

Here's the exact setup (translated to plain English):

Citi Mastercard:

If at an ATM (unattended cash), ask for the online PIN, if this fails, move down the list.
If supported, ask for a signature, if this fails, move down the list.
If supported, ask for the online PIN, if this fails, move down the list.
If supported, attempt authorisation without verifying the card holder, if this fails, the transaction fails.

Citi Visa:

If at an ATM (unattended cash), ask for the online PIN, if this fails, the transaction fails. [note - this is the correct behaviour, I don't know why the MC says to move down the list on a bad PIN, thankfully no ATM should actually allow that]
If supported, ask for a signature, if this fails, move down the list.
If supported, attempt authorisation without verifying the card holder, if this fails, move down the list. [note - to where? there's nothing after this in the list to move on to!]

For comparison, the Bank of America Travel Rewards Visa:

If at an ATM (unattended cash), ask for the online PIN, if this fails, move down the list.
If supported, ask for a signature, if this fails, the transaction fails. [note - this makes more sense than the Citi cards - the Citi cards are set up so if the cashier says the signature doesn't match, the terminal should still attempt to push the transaction through!]
If supported, ask for the online PIN, if this fails, move down the list. [note - ideally this step would fail it too - but because Bank of America even tells people NOT to use their PIN - it makes sense as a temporary measure to try and move to no CVM if they get the PIN wrong]
If supported, attempt authorisation without verifying the card holder, if this fails, the transaction fails.

Now, I'm translating the actual EMV language to plain English to help everyone understand, so no one jump on me for my over simplistic descriptions of what happens!

P.S. NONE of these cards have an OFFLINE PIN. In many chip and PIN countries, terminals are set up to require an offline PIN (a PIN verified by the card instead of sent in to the issuing bank to verify).
Great information, thanks!!!
fsm is offline  
Old Jun 9th 2014, 2:07 am
  #20  
BE Forum Addict
 
jmood's Avatar
 
Joined: May 2009
Posts: 1,309
jmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond repute
Default Re: Delta Amex and EMV chips... Target too.

I think the PIN (in the US) is usually your zip code - though I could be wrong. That's what I get asked for most often by cashiers and also the metro (subway) ticket machines in NYC ask for it like asking for your PIN when using the CC.
jmood is offline  
Old Jun 9th 2014, 4:45 am
  #21  
Forum Regular
 
Joined: Dec 2013
Posts: 264
Markie is an unknown quantity at this point
Default Re: Delta Amex and EMV chips... Target too.

Originally Posted by jmood View Post
I think the PIN (in the US) is usually your zip code - though I could be wrong. That's what I get asked for most often by cashiers and also the metro (subway) ticket machines in NYC ask for it like asking for your PIN when using the CC.
Not at all. The PIN is completely separate from address verification (which ZIP code verification is part of).

The PIN is a four-digit (can be longer, but not in the US that I've ever seen - in fact, I've only ever seen longer PINs with UnionPay) number used as a secret password (knowledge factor). There are two types of PIN - online PIN and offline PIN. An online PIN is verified by the issuer, while an offline PIN is verified by the card. Offline PIN is what is used in the UK, whereas when you do get a PIN in the US it is usually online (and usually referred to as a cash advance PIN since that's the only thing they're used for normally, though some cards do allow it to be used for purchases as a backup, such as Bank of America cards and Citi {Citi Mastercard only, not Citi Visa})

The ZIP code is a US postcode (for foreign visitors, enter JUST THE NUMBERS from your postcode, then pad with zeroes to make a five digit number. This is supposed to work, but usually doesn't).

Both are technically knowledge factors, but the ZIP code is far less secure, especially in a small town with only one or two ZIP codes.

To be secure, transactions should be based on two of the three types of authentication factors:

1. Possession factors - things you HAVE (e.g. the physical card, your phone, etc)
2. Knowledge factors - things you KNOW (e.g. passwords, your address, etc)
3. Inherence factors - things you ARE (e.g. your signature, finger print, palm vein pattern, iris design, etc)

Technically, all credit card transactions satisfy this, but some factors are easier to duplicate than others. A traditional swipe and sign transaction and a modern chip and PIN transaction both use two factors.

The magnetic stripe card and the chip card are both possession factors. The chip is essentially impossible to copy, while the stripe has no copy protection. However, the physical magnetic stripe card has security features that are very difficult to copy (holograms, printing techniques, embossed name, multiple copies of the last digits, matching the card data to the stripe). An attentive cashier will be able to detect all but the best forged magnetic stripe cards. But this requires effort to detect from a working card, while the chip card just can't be forged in a functional manner.

Likewise, the PIN is a knowledge factor and your signature is an inherence factor (albeit one that is somewhat knowledge too, since you can change it). The difference is that the PIN is kept secret and can be instantly checked by machine. Not only is your signature visible to be learned by a thief (though that is easier said than done), it's also rarely checked by cashiers and if it IS checked they often are just putting on a show - few would even know what to look for to actually check a signature.

So, both systems use two factors... the difference is the quality of those factors. And chip and PIN is the vastly superior system in this regard.
Markie is offline  
Old Jun 9th 2014, 5:09 am
  #22  
BE Forum Addict
 
jmood's Avatar
 
Joined: May 2009
Posts: 1,309
jmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond reputejmood has a reputation beyond repute
Default Re: Delta Amex and EMV chips... Target too.

Wow. OK, thanks.
jmood is offline  

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Contact Us - Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service - Do Not Sell My Personal Information -

Copyright © 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.