A couple of months ago I started gathering content to write about payment cards of various types, after discussing with some colleagues the differences in payment cards between countries. I still have the draft there, with a bunch of connected links to expand upon, but I realized that it was going to become really unwieldy and, honestly, not interesting to most readers anyway. I decided then to limit myself and to provide some commentary on one of the banes of my existence here in Dublin: chip-and-pin cards.
My American readers might know chip-and-pin just by name; my Italian readers will probably not know what it is at all, given that the term was never really used in Italy, even though the technology very much is. Most payment (credit and debit) cards in Europe are actually smartcards, and their chip, rather than the magnetic stripe, is used for the payment. In the US this is not common at all, although it is changing as we speak.
The presence of the chip, though, does not by itself make the card a chip-and-pin card. Indeed, I have two credit cards I brought from Italy, and both have trouble working in Ireland, where chip-and-pin has been enforced for a while. The same is true in the UK, and indeed when I first visited London I knew it was the case, but my bank manager, and the documentation he had available, had no clue about it. Instead, my Italian cards are chip-and-signature: you don't swipe them, but you still get the same kind of receipt that you have to sign. This has been the default for credit cards in Italy for the longest time. Some banks, and American Express, do provide Italian customers with chip-and-pin cards; on the other hand, I've been told that US Amex provides chip-and-signature cards nowadays.
But the funny part is that one of the two Italian credit cards I have does have a PIN, and I know I've been asked for it at least once in London. So how does that work? If you own a smartcard reader – I do – you can easily find out how it works using cardpeek. This tool includes analysis scripts for a series of different smartcard applications, including EMV, the application standard used by chip-and-pin (and also chip-and-signature) cards.
All of this combined makes for a headache of some cards working in some countries and not in others (my Irish debit card does not reliably work in the US, but sometimes it does; one of my Italian credit cards always works fine in the US but does not work in Switzerland; and so on and so forth). Unfortunately I did not bring with me the collection of older cards that I owned, or I could have tried an American Express too, so I'll have to stop my description at an Italian debit card (chip-and-pin), an Italian credit card (chip-and-signature), an Irish debit card (chip-and-pin, contactless), and an Irish credit card (chip-and-pin).
When you inspect an EMV card with cardpeek, you can identify the Cardholder Verification Method (CVM) list, which is an ordered list of rules for verifying the cardholder: each rule names a method (PIN, signature, nothing), a condition under which the rule applies, and whether the terminal should fail verification outright or move on to the next rule if that method cannot be performed. In the case of my Italian credit card, these read:
- Fail cardholder verification if this CVM is unsuccessful: Signature (paper) — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: Enciphered PIN verified online — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: Plaintext PIN verification performed by ICC — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: No CVM required — Always
What this implements is a very restrictive CVM list: if the terminal supports paper signatures, that's the only option the chip gives the vendor, because the rule fails verification rather than falling through to the next one. Now, in Ireland there are many terminals that theoretically support signature verification, but the vendors themselves will not accept it; the reason is that in case of fraud the liability then lies with the vendor, rather than with their bank. The same problem in Italy is tackled by requiring photo ID every time you use the credit card, but that is not the case here in Ireland, as nobody is required to carry photo ID.
It's very interesting to check the Italian debit card's CVM list too. It's interesting because the card has two applications installed on it: one is Maestro and the other is PagoBANCOMAT, the debit card circuit operated by the Italian banks. The latter supports a single CVM: "Fail cardholder verification if this CVM is unsuccessful: Plaintext PIN verification performed by ICC — Always", which means that every single operation goes through the card's own (offline) verification of the user's PIN. On the other hand, the Maestro application has a list:
- Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online — If unattended cash
- Fail cardholder verification if this CVM is unsuccessful: Enciphered PIN verified online — If manual cash
- Fail cardholder verification if this CVM is unsuccessful: Plaintext PIN verification performed by ICC — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: Enciphered PIN verified online — Always
You can see that it's an interestingly complicated series of options; in particular it seems that "manual cash" only works with online PIN, online PIN is preferred for unattended cash, and for everything else, if the terminal supports offline PIN, that's what it has to use. I'm not sure why this happens, but this particular card does not always work here in Ireland either.
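The rules above are what cardpeek renders from the raw CVM List (EMV tag 8E) on the card: four bytes of "X" amount, four bytes of "Y" amount, then two bytes per rule (a CVM code whose bit 7 is the fail/continue flag, and a condition code). The following is an added example, not cardpeek code and not from the original post, that decodes such a list and walks it the way a terminal does, so you can see why the Italian credit card above gets stuck on signature at a signature-capable terminal while the Maestro application picks online PIN at an ATM and offline PIN at a shop. The two byte strings are constructed from the rules listed on this page (the cards' real tag 8E contents were not published, and the X/Y amounts are assumed to be zero); the terminal-capability bits follow the layout of tag 9F33.

```python
"""Decode an EMV CVM List (tag 8E) and walk it the way a terminal does.

Added example; not cardpeek code and not from the original post. The two byte
strings below are constructed from the rules listed for the Italian credit card
and the Maestro application; the real tag 8E values (including X/Y amounts,
assumed 0 here) were not published.
"""

CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verification performed by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verification performed by ICC and signature (paper)",
    0x04: "Enciphered PIN verification performed by ICC",
    0x05: "Enciphered PIN verification performed by ICC and signature (paper)",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
CVM_CONDITIONS = {
    0x00: "Always",
    0x01: "If unattended cash",
    0x02: "If not unattended cash and not manual cash and not purchase with cashback",
    0x03: "If terminal supports the CVM",
    0x04: "If manual cash",
    0x05: "If purchase with cashback",
    0x06: "If transaction is in the application currency and is under X value",
    0x07: "If transaction is in the application currency and is over X value",
    0x08: "If transaction is in the application currency and is under Y value",
    0x09: "If transaction is in the application currency and is over Y value",
}
# Terminal Capabilities (tag 9F33) byte 2, "CVM capability" bits.
T_PLAINTEXT_ICC, T_ENC_ONLINE, T_SIGNATURE, T_ENC_ICC, T_NO_CVM = 0x80, 0x40, 0x20, 0x10, 0x08
# Capability bits a terminal needs in order to perform each method.
REQUIRED_CAPS = {0x01: T_PLAINTEXT_ICC, 0x02: T_ENC_ONLINE, 0x03: T_PLAINTEXT_ICC | T_SIGNATURE,
                 0x04: T_ENC_ICC, 0x05: T_ENC_ICC | T_SIGNATURE, 0x1E: T_SIGNATURE, 0x1F: T_NO_CVM}

# Constructed tag 8E values: 4-byte X, 4-byte Y, then (CVM code, condition) pairs.
# Bit 7 of the CVM code (0x40) set means "apply succeeding rule if unsuccessful".
ITALIAN_CREDIT_CVM = bytes.fromhex("00000000 00000000 1E03 0203 0103 1F00")
MAESTRO_CVM = bytes.fromhex("00000000 00000000 4201 0204 0103 0200")

# Transaction context as the terminal knows it (constructed).
PURCHASE = {"unattended_cash": False, "manual_cash": False, "cashback": False,
            "app_currency": True, "amount": 0}
ATM_WITHDRAWAL = dict(PURCHASE, unattended_cash=True)


def parse_cvm_list(data):
    """Return (x, y, rules); each rule is (method, condition, fail_if_unsuccessful)."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM list")
    x, y = int.from_bytes(data[:4], "big"), int.from_bytes(data[4:8], "big")
    rules = [(data[i] & 0x3F, data[i + 1], not data[i] & 0x40) for i in range(8, len(data), 2)]
    return x, y, rules


def describe(rule):
    """Render a rule in the same words cardpeek uses."""
    method, cond, fail = rule
    action = ("Fail cardholder verification if this CVM is unsuccessful" if fail
              else "Apply succeeding CV rule if this rule is unsuccessful")
    return f"{action}: {CVM_METHODS.get(method, 'RFU method')} [{CVM_CONDITIONS.get(cond, 'RFU condition')}]"


def terminal_supports(method, caps):
    need = REQUIRED_CAPS.get(method)
    return need is not None and (caps & need) == need


def condition_met(cond, method, caps, ctx, x, y):
    """True/False, or None for a condition code the terminal does not recognise."""
    if cond == 0x00: return True
    if cond == 0x01: return ctx["unattended_cash"]
    if cond == 0x02: return not (ctx["unattended_cash"] or ctx["manual_cash"] or ctx["cashback"])
    if cond == 0x03: return terminal_supports(method, caps)
    if cond == 0x04: return ctx["manual_cash"]
    if cond == 0x05: return ctx["cashback"]
    if 0x06 <= cond <= 0x09:  # amount thresholds against X (06/07) or Y (08/09)
        limit, over = (x, y)[(cond - 0x06) // 2], (cond - 0x06) % 2 == 1
        return ctx["app_currency"] and (ctx["amount"] > limit if over else ctx["amount"] < limit)
    return None


def select_cvm(data, caps, ctx, outcome=None):
    """Walk the list as EMV Book 3 describes and return the method code that
    completed verification, or None if cardholder verification failed.

    `outcome` maps a method code to whether performing it succeeded (a merchant
    refusing to take a signature is {0x1E: False}); anything not listed succeeds,
    except method 0x00, which always fails."""
    outcome = outcome or {}
    x, y, rules = parse_cvm_list(data)
    for method, cond, fail in rules:
        if not condition_met(cond, method, caps, ctx, x, y):  # False or unrecognised: skip rule
            continue
        if not terminal_supports(method, caps):
            if fail: return None
            continue
        if method != 0x00 and outcome.get(method, True):
            return method
        if fail: return None
    return None  # list exhausted without a successful CVM


if __name__ == "__main__":
    for rule in parse_cvm_list(ITALIAN_CREDIT_CVM)[2]:
        print(describe(rule))
    full = T_PLAINTEXT_ICC | T_ENC_ONLINE | T_SIGNATURE | T_ENC_ICC | T_NO_CVM
    print(CVM_METHODS[select_cvm(ITALIAN_CREDIT_CVM, full, PURCHASE)])        # signature
    print(select_cvm(ITALIAN_CREDIT_CVM, full, PURCHASE, {0x1E: False}))      # None: refused
    print(CVM_METHODS[select_cvm(MAESTRO_CVM, T_ENC_ONLINE, ATM_WITHDRAWAL)])  # online PIN
```

The point to take from the walk is the difference between "condition not met" and "CVM unsuccessful": a rule whose condition is "if terminal supports the CVM" is simply skipped on a terminal that lacks the capability, but once a signature-capable terminal matches the first rule of the Italian credit card, the fail flag means a refused signature ends verification instead of falling through to PIN.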
So what about the second Italian credit card?
- Apply succeeding CV rule if this rule is unsuccessful: Signature (paper) — If terminal supports the CVM
- Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online — If terminal supports the CVM
- Apply succeeding CV rule if this rule is unsuccessful: Plaintext PIN verified online — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: No CVM required — If terminal supports the CVM
So this card is actually very permissive; it's probably not by chance that this is the only card I can use in the US without risk of getting it rejected. The Irish debit card is a bit more complex too, and not as reliable in the US:
- Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online — If unattended cash
- Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verification performed by ICC — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: Plaintext PIN verification performed by ICC — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: Enciphered PIN verified online — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: Signature (paper) — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: No CVM required — Always
Again, unattended cash prefers online verification, but everything else prefers offline. Unlike the Italian debit card, though, enciphered PIN is preferred over plaintext. And surprisingly enough, the same CVM list is present on the NFC interface.
Finally, this is the CVM list for my Irish credit card:
- Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online — If terminal supports the CVM
- Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verification performed by ICC — If terminal supports the CVM
- Apply succeeding CV rule if this rule is unsuccessful: Plaintext PIN verification performed by ICC — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: Signature (paper) — If terminal supports the CVM
- Fail cardholder verification if this CVM is unsuccessful: No CVM required — Always
This closely resembles the permissiveness of the second Italian card (just for reference, that one is a MasterCard while the Irish one is a Visa), and indeed this card also works flawlessly in the US. Unlike the Italian one, though, the PIN is never transmitted in plaintext for online verification: plaintext PIN is only ever verified inside the ICC itself, and only after both enciphered options have been passed over.
So when you expect things to be easy because your card is "chip-and-pin", keep in mind that it might not be strictly true. If you're curious about your own debit and credit cards, and you happen to have a smartcard reader, take a look at cardpeek and ask it to analyze an EMV card. Keep in mind that what you read out of the card is not to be shared with anybody as is! The full card number, the expiration date, and a little more private data (often the cardholder's name) are present in the EMV dump that cardpeek produces. For some cards, such as my Italian MasterCard, a log of the most recent transactions executed on a terminal is also available.
On a related note there is this paper [1]. TL;DR: A MITM can make a terminal believe that the transaction was PIN-protected when it wasn't.
1: https://www.cl.cam.ac.uk/re…
The CVM list is actually useless as you can always downgrade to any method you like: http://dev.inversepath.com/…
Yeah, I've seen that one, and nice to see you're still reading this ;) As a security measure, agreed, it's not very useful. As a way of getting in your way when you actually want to make a transaction, it works very well…