
Why US travellers' EMV cards may not work in Europe

Specifications of all sorts leave options open to the implementer, and the EMV standard used in the world of payment cards is no exception. There are several options for how your PIN is verified when you want to make a payment, and for how your payment is authorised.

When Europe was contemplating the roll-out of chip cards, on-line connection of POS terminals was not the norm, so countries chose an implementation that worked for off-line POS terminals. PINs are verified by the card, and transactions do not always have to be authorised on-line by your issuer. In actual fact, several years after these decisions were taken, telecoms has moved on, and most EMV transactions in Europe are authorised on-line by your issuer. Your PIN, however, is still verified by your card, because that's how the cards are set up.

But there is another way to implement EMV. When you make a payment, the PIN is verified by your issuer (not by the card) and the transaction is authorised on-line. If implemented this way, the POS must always be on-line to verify your PIN. This is not a problem in countries like the US, where on-line terminals are the norm. In fact, implementing EMV in this way is one option being talked about for the US (should the US ever move to EMV, of course).

Let's say for a moment that the US implements EMV and goes the way of on-line PIN verification only. Does it make a difference, from a security point of view, compared with the way Europe has implemented EMV? Well, not really. If your PIN is on your card, it is protected by the card, which is a Secure Element. If your PIN is checked by your issuer, it is protected by them at their site, and by Hardware Security Modules as it is switched through the network.

Where it would make a difference is if a US-issued card were used by a traveller to Europe. The traveller may find that their card, which requires on-line PIN verification but cannot get it from the European POS/network infrastructure, falls back to requiring their signature. There is a risk then (perhaps a small one) that criminals may target travellers to steal and use their cards before they are reported as stolen, easily forging a signature and avoiding the need to know the PIN. So the choice for the US, if it moves to EMV, is whether the benefits of implementing on-line PIN verification outweigh the differences in authentication for international travellers.
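The fallback described above can be traced through the card's CVM List (EMV tag 8E), which the terminal walks in the card's priority order. The sketch below is an added example, not part of the original post: the CVM and condition codes follow EMV Book 3, while the card profiles and terminal capability sets are constructed and only the "always" and "if terminal supports the CVM" conditions are modelled. It goes one step beyond the article by also running a profile that lists both PIN methods, the alternative raised in the comments.

```python
# Simplified EMV CVM List (tag 8E) selection; codes per EMV Book 3.
# Card profiles and terminal capability sets are constructed sample data.
CVM_NAMES = {0x01: "offline plaintext PIN", 0x02: "online enciphered PIN",
             0x04: "offline enciphered PIN", 0x1E: "signature", 0x1F: "no CVM"}
COND_ALWAYS, COND_IF_SUPPORTED = 0x00, 0x03
CONTINUE_ON_FAIL = 0x40  # byte 1, bit 7: apply the next rule if this CVM fails

def parse_cvm_list(value: bytes):
    """Return [(cvm_code, continue_on_fail, condition)] from a tag 8E value."""
    if len(value) < 10 or (len(value) - 8) % 2:
        raise ValueError("CVM List needs 8 amount bytes plus 2-byte rules")
    rules = value[8:]  # bytes 0-7 hold amount X and amount Y
    return [(rules[i] & 0x3F, bool(rules[i] & CONTINUE_ON_FAIL), rules[i + 1])
            for i in range(0, len(rules), 2)]

def select_cvm(value: bytes, terminal_supports: set) -> str:
    """Walk the rules in card priority order against terminal capabilities."""
    for code, continue_on_fail, condition in parse_cvm_list(value):
        supported = code in terminal_supports
        if condition == COND_IF_SUPPORTED and not supported:
            continue  # condition not met: the rule is skipped
        if condition not in (COND_ALWAYS, COND_IF_SUPPORTED):
            continue  # other condition codes are not modelled in this sketch
        if supported:
            return CVM_NAMES.get(code, f"CVM 0x{code:02X}")
        if not continue_on_fail:
            break  # CVM cannot be performed and the card forbids fallback
    return "cardholder verification failed"

AMOUNTS = bytes(8)  # amount X / amount Y unused by these rules
# On-line PIN only, falling back to signature (the profile the article discusses)
ONLINE_PIN_ONLY = AMOUNTS + bytes.fromhex("4203" "1E03")
# On-line PIN, then off-line PIN, then signature, then no CVM
BOTH_PIN_METHODS = AMOUNTS + bytes.fromhex("4203" "4103" "5E03" "1F00")

OFFLINE_PIN_POS = {0x01, 0x04, 0x1E}  # terminal without on-line PIN support
ONLINE_PIN_POS = {0x02, 0x1E}         # terminal with on-line PIN support

if __name__ == "__main__":
    for name, card in (("online-PIN-only", ONLINE_PIN_ONLY),
                       ("both-PIN-methods", BOTH_PIN_METHODS)):
        for label, term in (("off-line PIN POS", OFFLINE_PIN_POS),
                            ("on-line PIN POS", ONLINE_PIN_POS)):
            print(f"{name:17} at {label:16} -> {select_cvm(card, term)}")
```

At the terminal without on-line PIN support, the first profile ends at signature while the second reaches off-line PIN, which is the difference in protection for a stolen card that the article describes.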


Comments: (4)

Nick Green - ISD Consultants - Northampton, 07 June, 2011, 09:51

Steve, I think you are missing something here. You can have both solutions. The issuer can personalise the card's CVM List to be On-Line PIN as the first choice, Off-Line PIN as the second and then Signature and probably No CVM as the last to cover some unattended devices. In this way if the card is presented in a country that supports On-Line PIN or in an ATM the On-Line PIN will be used. If the country doesn't support On-Line PIN then the card and terminal will agree to use Off-Line PIN.

A Finextra member, 07 June, 2011, 10:39

Hi Nick,

Yes, it's certainly possible to personalise the card this way, but this is not what some people at least are proposing for the US initially. A "Cost effective" option is proposed, with on-line PIN only, and fall back to signature. This makes the card profile much simpler, requiring no RSA keys, no CA, no SDA or DDA.

A Finextra member, 08 June, 2011, 07:17

Hi Steve, could you explain your cost argument more explicitly please?

A Finextra member, 08 June, 2011, 11:42

You can see some of the arguments for this approach here: http://bit.ly/lIbeIf. I think there's also some information on the Smart Card Alliance web site, but I can't get it to load (web site down?) to check out the links for you. It was the presentation of this approach at the Smart Card Alliance conference in Chicago last month that prompted me to write this post.