Tomcat
Good day everyone!
After reading several articles about plastic cards, POS terminals and related things, it seemed to me that this topic is quite interesting to the community. In this short publication, I want to finally analyze the topic of entering a PIN code on POS terminals and finally answer, to the best of my knowledge, the question: why is PIN entry required in some cases, and not in others?
If the topic is also interesting to the community – then in the future you will find several more articles about the principles of operation of this entire kitchen, everything related to POS-terminal equipment, processing centers and plastic cards.
But first, a preface.
It just so happens that I work in one of the banks in our country. I am engaged in setting up POS terminals "from scratch", up to their commissioning.
This is my first article, so I apologize in advance for any confusion, as well as for the fact that I may miss something, because it is impossible to fit all the details into the article.
First of all, I need to mention TMS (Terminal Management Server\Station). In short, this is a computer running a certain program: the configuration center for all POS terminals. It is there that the so-called "application configuration files" are created, that is, what is uploaded to the POS and characterizes its operation.
TMS sets all parameters of POS operation, both very significant (for example, the list of payment systems that the POS works with, settings of these systems, CVM lists, terminal action codes), and minor (such as the order of menu items on the terminal screen, or the design of checks).
As a result, a specially packaged file appears at the output, which the terminal "understands". This file is uploaded to the terminal.
Now to the point: ask or don't ask for a PIN (in the case of an EMV card):
The so-called CVM list (CVM – Cardholder Verification Method) is uploaded to the card's EMV chip at the application loading stage. It can also be changed during a transaction with a special issuer script sent from the processing center, but I will allow myself to skip these subtleties.
Each issuing bank chooses a CVM list based on its own requirements. Here is an example of a classic CVM list:
4403410342031E031F02
The transcript looks like this:
And it reads from left to right (I apologize in advance for the clumsy scheme from master paint minus 92 levels):
The terminal itself also has its own terminal CVM list. It is set in TMS at the stage of creating configuration files that are uploaded to the POS. It is configured by the acquiring bank, again, according to its own requests.
Everything works very simply: during a transaction, the two CVM lists (the card's and the terminal's) are compared. Only those verification methods that match in both lists are triggered (in fact, the intersection of the CVM lists is checked). All other methods are discarded!
That is, in this example, the algorithm is as follows:
Ask for an encrypted PIN (after checking whether there is such a method in the terminal's CVM list); if the user refuses (this is the same as pressing the red button on the PIN keyboard), request an offline open PIN (and he has the right to refuse, see the picture); if he refuses again, request an online PIN (it is checked not by the card but by the host); if he refuses again, request a signature (he can't refuse it anymore, see the image again). If there is no signature verification in the terminal's CVM list, the method is skipped (this does NOT equate to a failure!), and the "No CVM" method is used with the condition "If not unattended cash and not manual cash and not purchase" (but usually it is not used much). If this method is not included in the terminal's CVM list, the check fails and the transaction is rejected.
Naturally, the number of different variations of CVM lists of cards and terminals, and even more so their combinations, is very large. So now, I think it is clearer to everyone why a card asks for a PIN in one device, while in another device the same card asks for a signature. And why another card works properly with a PIN request in the same device, while a card that works in a third device refuses to work here at all. I also hope that after reading this article, the topic of requesting PIN codes when paying with a card has become clearer and more transparent, and you will no longer have to be surprised in stores about this.
Thank you all for your attention!
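The decoding and rule-by-rule selection described in the post, as an added example that is not part of the original post. It treats the sample string as bare 2-byte CVM rules (a full EMV CVM List starts with two 4-byte amount fields, which the sample does not include), takes the byte meanings from EMV Book 3, and, as an assumption of this example, models terminal support and cardholder refusal as plain sets of method codes.

```python
# Added example. Method and condition codes follow EMV Book 3, Annex C3.
METHODS = {
    0x01: "Plaintext PIN verified by ICC (offline)",
    0x02: "Enciphered PIN verified online",
    0x04: "Enciphered PIN verified by ICC (offline)",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
CONDITIONS = {
    0x00: "Always",
    0x02: "If not unattended cash and not manual cash and not purchase with cashback",
    0x03: "If terminal supports the CVM",
}
SAMPLE_RULES = "4403410342031E031F02"  # the CVM list quoted in the post

def parse_cvm_rules(hex_rules):
    """Split a run of 2-byte CVM rules (no amount X/Y prefix) into dicts."""
    raw = bytes.fromhex(hex_rules)
    if len(raw) % 2:
        raise ValueError("each CVM rule is exactly 2 bytes")
    return [{
        "code": code & 0x3F,                      # low 6 bits: the method
        "continue_on_fail": bool(code & 0x40),    # bit 7: try next rule if this fails
        "cond": cond,
        "method": METHODS.get(code & 0x3F, "unknown"),
        "condition": CONDITIONS.get(cond, "unknown"),
    } for code, cond in zip(raw[0::2], raw[1::2])]

def select_cvm(rules, terminal_supports, declined=(), cond02_met=True):
    """Walk the rules in order; return the method used, or None if CVM fails.

    terminal_supports / declined are sets of method codes (simplified model).
    """
    for r in rules:
        supported = r["code"] in terminal_supports
        if r["cond"] not in CONDITIONS:
            continue                    # condition not understood: skip the rule
        if r["cond"] == 0x03 and not supported:
            continue                    # condition not met: skipped, not a failure
        if r["cond"] == 0x02 and not cond02_met:
            continue
        if supported and r["code"] not in declined:
            return r["method"]
        if not r["continue_on_fail"]:
            return None                 # rule failed and may not fall through
    return None

if __name__ == "__main__":
    for r in parse_cvm_rules(SAMPLE_RULES):
        print(f'{r["method"]:42} | {r["condition"]} | next on fail: {r["continue_on_fail"]}')
```

Running `select_cvm` with different `terminal_supports` sets reproduces the behaviour the post describes: the same card resolves to a PIN on one terminal, a signature on another, and a failed verification on a third.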