Thales Blog

Why US Travellers' EMV Card PIN May Not Work In Europe

June 6, 2011

Specifications for all sorts of things have multiple options on how they are implemented, and the EMV standard used in the world of payments cards is no exception. There are several options on how your PIN is verified when you want to make a payment, and as to how your payment is authorised.

When Europe was contemplating the roll-out of chip cards, on-line connection of POS terminals was not the norm, so countries chose an implementation that worked for off-line POS terminals. PINs are authenticated to the card, and transactions do not always have to be authenticated on-line to your issuer. In actual fact, several years on since these decisions were taken, telecoms has moved on, and most EMV transactions in Europe are authorised on-line by your issuer. Your PIN however is still verified to your card – because that’s how the cards are set up.

But there is another way to implement EMV. When you make a payment, the PIN is verified with your issuer (not to the card) and the transaction is authenticated on-line. If implemented this way, the POS must always be on-line to verify your PIN. This is not a problem in countries like the US where this is the norm. In fact implementing EMV in this way is one option for the US that is being talked about (should the US ever move to EMV of course).

Let’s say for a moment that the US implements EMV and goes the way of on-line PIN verification only. Does it make a difference from a security point of view to the way Europe has implemented EMV? Well, not really. Your PIN is protected if it is on your card which is a Secure Element, or if your PIN is checked by your issuer it is protected by them at their site and as it is switched through the network using Hardware Security Modules.

Where it would make a difference is if a US issued card was used by a traveller to Europe. The traveller may find that their card, requiring on-line PIN verification, but unable to do this in the European POS/network infrastructure, falls back to require his signature. There is a risk then (perhaps a small one) that criminals may target travellers to steal and use their cards before they are reported as stolen, easily forging a signature and avoiding the need to know the PIN. So the choice for the US, if it moves to EMV, is whether the benefits of implementing on-line PIN verification outweigh the differences in authentication for international travellers.