Comments for Level 2 Kernel Blog - Chip and PIN EMV Kernel Software

Comment on It’s time for SDA and Plaintext Offline PIN to bow out gracefully by David

David — Thu, 16 Feb 2012 14:07:00 +0000

It’s not a question of whether or not a particular merchant terminal is capable of accepting magstripe transactions, it’s a question of getting the cafe owner in the dusty backwaters of desirable holiday locations to accept that magstripe cards (i.e. no visible chip) are still valid forms of payment.

Comment on It’s time for SDA and Plaintext Offline PIN to bow out gracefully by Jeremy Gumbley

Jeremy Gumbley — Wed, 15 Feb 2012 13:10:00 +0000

Thanks for your comments, it’s great to see some debate on the subject! Whereas it is difficult to pinpoint cases of fraud as you suggest it is equally difficult to eliminate the possibility that any cases have ever occurred. Perhaps Stuart would like to comment further on your points about magnetic stripe.

Comment on It’s time for SDA and Plaintext Offline PIN to bow out gracefully by L_Thomas_Horton

L_Thomas_Horton — Wed, 15 Feb 2012 03:50:00 +0000

SDA and Plaintext Offline PIN are separate issues.

Once again we have a situation where “an expert” is making claims based on non-factual information.

1. Ask the real live person in either MasterCard of Visa who actually knows to the single digit how many their MasterCard or Visa transactions have reported fraud as the result of SDA.

2. Ask the real live person in either MasterCard of Visa who actually knows to the single digit how many of their MasterCard or Visa transactions have reported fraud as the result of Plaintext Offline PIN.

The number of instances of reported fraud for the two scenarios above is essentially none existant.

Finally, while it is not a subject of the Post above, the other fallacy that has taken on a life of its own is the “issue of magnetic stripe cards not being accepted because they are not chip cards”.

Yes, there are instances where a US-issued magnetic stripe card can not complete a transaction, and it is an extremely rare exception.

I will happily take a wager of $100 from the 1st 10 persons that:

For every merchant you can show me that can not process a transaction with a US-issued magnetic stripe card but can process the transaction with an European-issued EMV card, I can show you two merchants who cannot process a transaction with an European-issued EMV card but can process the transaction with a US-issued magnetic stripe card.

Cheers,

Tom

Comment on It’s time for SDA and Plaintext Offline PIN to bow out gracefully by Anonymous

Anonymous — Wed, 08 Feb 2012 08:59:00 +0000

I completely agree with your point about retiring SDA, but I’m much less convinced than you about the apparent evils of Plaintext Offline PIN. Knowledge of the PIN should only be of value if you also have the genuine card (in 2-factor authentication its having BOTH factors which are important) unless the card can be cloned. Retiring magnetic stripe and SDA prevent cloning and makes the need to retire Offline Plaintext PIN irrelevant, which is good as its still actually quite useful.

Enciphered offline PIN does not remove the need for PCI PED as the PIN is still entered in the clear before being enciphered.

Your final suggestion about encrypting ALL the information between card and terminal is, frankly, insane. In the context of a globally interoperable system it leads to an astronomical key management nightmare . Much smaller closed loop systems like transit attempt to do this, with very well publicised failures.

Comment on Global EMV Adoption Continues to Grow by MasterCard's U.S. EMV Migration Plans | Level 2 Kernel Blog - Chip and PIN EMV Kernel Software

Wed, 01 Feb 2012 18:44:25 +0000

[...] Europay, MasterCard and Visa. It is now owned by American Express, JCB, MasterCard and Visa. Click here for the latest EMV deployment and adoption [...]

Comment on Visa update for EMV Chip implementation in the U.S. by MasterCard's U.S. EMV Migration Plans | Level 2 Kernel Blog - Chip and PIN EMV Kernel Software

Wed, 01 Feb 2012 18:25:01 +0000

[...] is gaining momentum in the US. After Visa’s EMV Migration announcement back in August 2011 and January 2012, MasterCard has now rolled out its migration roadmap from magnetic stripe to EMV chip card [...]

Comment on U.S. EMV Migration: Cardholder verification for American EMV terminals by EMV Chip Implementation in the U.S. | Level 2 Kernel Blog - Chip and PIN EMV Kernel Software

Tue, 17 Jan 2012 17:52:46 +0000

[...] to our recent blog article about the EMV cardholder verification methods (CVM) that are likely to be used during the EMV Chip implementation in the U.S., Visa have just [...]

Comment on EMVCo Releases EMV 4.3 Specifications by EMV 4.3 Specifications Released by EMVCo Level 2 Kernel Blog … | NFC IP

Sun, 04 Dec 2011 21:45:10 +0000

[...] EMV 4.3 Specifications Released by EMVCo | Level 2 Kernel Blog …EMVCo just released a new version of the EMV specifications EMV 4.3. EMV 4.3 incorporates all changes since the previous version 4.2b, published in June …blog.level2kernel.com/emv-4-3/ [...]

Comment on EMV fallback scenarios to magnetic stripe by EMV fallback scenarios to magnetic stripe Level 2 Kernel Blog … | NFC IP

Tue, 29 Nov 2011 15:20:02 +0000

[...] EMV fallback scenarios to magnetic stripe | Level 2 Kernel Blog …There are different EMV fallback scenarios where merchants in EMV markets can process magnetic stripe card transactions instead of Chip and PIN.blog.level2kernel.com/emv_fallback/ [...]

Comment on EMV Cardholder Verification Methods by U.S. EMV Migration: Cardholder verification for US EMV terminals | Level 2 Kernel Blog - Chip and PIN EMV Kernel Software

Thu, 10 Nov 2011 16:23:11 +0000

[...] blogged previously (see EMV Cardholder Verification Methods) about the different types of cardholder verification that are supported by the EMV specifications [...]