Since Visa first announced its support for a U.S. migration to EMV cards, plenty of questions have cropped up. One of the most persistent is the question of the PIN number and especially the status of the off-line PIN that’s used in so many other countries. Last week, Visa released a clarifying set of guidelines that say the United States does not need such off-line PIN capability (link below). The distinction between offline and online PIN is an important one as the offline card requires significant added cost given the cryptographic capabilities the process requires. For the U.S. market, that cost is very hard to justify as the need for it is very very low, applicable only to travelers visiting other countries and in very specific situations.
The difference between an online and off-line PIN is that an online PIN is not stored on the card. Once the cardholder enters the PIN at the point of sale terminal, the PIN is encrypted by the PIN pad and sent online to the host for validation, similar to how PIN debit transactions are authorized today.
In an off-line PIN situation, the PIN is stored securely on the chip card and during a transaction, when the cardholder enters the PIN, the POS terminal sends the PIN to the chip card for verification. The cardholder verification therefore takes place within the chip card.
“One thing that’s clear from the questions is that there’s a lot of confusion around the myth that EMV means chip-and-PIN. It doesn’t in many countries, including the U.S.,” Ericksen wrote in an online entry about the recommendations. “That’s because, in the U.S., we can rely on online processing where transactions are transmitted in real-time to the issuer for approval. With that in place, there’s no need for the off-line authentication that was the genesis of chip-and-PIN.”
Visa’s recommendation document is here: http://usa.visa.com/download/merchants/bulletin-chip-recommended-practices.pdf