cancel
Showing results for 
Search instead for 
Did you mean: 

Please default to PIN transactions rather than signed ones.

Highlighted
City Slicker

Re: Please default to PIN transactions rather than signed ones.

As someone who's spent way too much time researching and following the US chip card migration (including creating a Google Map of places that accept chip), I may have some insights as to why the Arrival+ may not be behaving as intended. The good news is that Barclaycard isn't wrong about how the card works--in theory, anyway.

 

To start, each chip card has something called a Cardholder Verification Method list on it, which (along with available hardware/software on the terminal) controls the priority in which various authentication methods are tried. I used a program called cardpeek along with a USB smartcard reader to read the chip on my Arrival+ and ended up with the following:

 

  1. Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online - If unattended cash
  2. Fail cardholder verification if this CVM is unsuccessful: Signature (paper) - If terminal supports the CVM
  3. Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verified online - 
  4. If terminal supports the CVM
  5. Apply succeeding CV rule if this rule is unsuccessful: Enciphered PIN verification performed by ICC - If terminal supports the CVM
  6. Apply succeeding CV rule if this rule is unsuccessful: Plaintext PIN verification performed by ICC - If terminal supports the CVM
  7. Fail cardholder verification if this CVM is unsuccessful: No CVM Required - Always

(Definitions: "performed by ICC" - verified by the chip on the card itself, "verified online" - sent to Barclaycard and verified by them, "enciphered" - PIN is encrypted before being verified, "if unattended cash" - if ATM/cash advance.)

 

As shown above, this matches with Barclaycard's description of the card as a chip and signature card with PIN capability. However, the card does not come with a PIN saved onto it when first received--this is evidenced by the "PIN Try Counter" on the card being set to zero. In theory the very first signature transaction after activating the card is supposed to save the PIN to the card.

 

(On that note, it is possible to use the card's PIN at unattended terminals before this happens--I just used it at a Vons/Safeway gas pump tonight with no problems, for instance. The problem is that since the PIN Try Counter is zero at that point, it'll only be asked for if the unattended terminal supports PIN "verified online"--which might not be commonly supported depending on where you're visiting. Heck, it very well might never be supported much in the US either considering that the majority of cards don't support PIN for any purchases and that many other unattended terminals here such as parking meters, etc. don't have PIN pads.)

 

However, that assumes merchants do every single step of the chip card transaction workflow--and this is where is starts getting weird. Due to customer and merchant complaints when chip first started rolling out in the US, Visa introduced something called Quick Chip (Mastercard's equivalent is called M/Chip Fast and is generally used as well whenever Quick Chip is). This allows chip cards to be inserted and removed before the authorization process completes--and can even allow cards to be inserted and removed while items are still being scanned depending on the store. The downside of this is that the transaction effectively ends (from the card's perspective) before Barclaycard authorizes it; since the new PIN is sent as part of the approval message, the card never gets the new PIN at merchants that use Quick Chip.

 

To demonstrate this, I used the card at several places tonight: the Vons gas pump as mentioned above, the convenience store at the Vons gas station (both with chip) and at a Red Robin (swipe, unfortunately). I then read the card again with cardpeek and the PIN Try Counter is still set to zero, meaning that the PIN wasn't pushed to it. If Vons didn't support Quick Chip, my PIN would possibly have been pushed when I used it at the gas pump and definitely would have inside the convenience store.

 

Unfortunately this does reduce the number of places where one could do their first domestic chip and signature transaction and have the PIN pushed to the card properly. And over time, I wouldn't be surprised if the vast majority of US merchants--if not close to all of them--eventually enable Quick Chip support. For the time being, the best* way to determine whether a store is doing Quick Chip is if it lets you remove the card before saying "approved"; if not, there's a decent chance the PIN was saved. Long-term, it may be best for Barclaycard to update their instructions to indicate that the first chip and signature transaction should be overseas and not in the US; I suspect that Quick Chip will never become a thing internationally since it was designed to solve a uniquely American issue.

 

(BTW, changing the card so that it prefers PIN for in-person transactions instead of signature may not work as people expect, either, precisely because of Quick Chip. For instance, some stores in the US don't support "online" PIN and will only verify it with the card; if it takes a significant number of transactions for the new PIN to "take", then there may be some stores where it accepts the new PIN and some where it doesn't, confusing people further.)

 

* There is another way if you have one of a select set of credit cards with a transaction log. This is difficult for someone to find out before applying for a card, though, and thus probably isn't a realistic option for most. However, I know for a fact that Diners Club and UNFCU credit cards have it, if you happen to have one of those. If so, I can explain how to go about determining Quick Chip usage using the log.