PIN's and credit cards.
Peter Tomlinson
pwt@iosis.co.uk
Sat, 16 Nov 2002 20:54:09 -0000

Roland Perry <roland@linx.net> wrote:
> I can't remember the time I last had a merchant use a manual credit card
> machine. If the PDQ machines and Tesco tills aren't, in fact, online,
> then that's hardly my fault.

The UK model makes use of a financial parameter called the "floor limit".
The norm is that all transactions below the floor limit are offline and the
transaction record is stored locally until collected by an organisation
known as an "acquirer". Above the floor limit, an online check and
reservation of value takes place first. In addition, there are other rules,
such as a requirement for a certain but small percentage of transactions to
be chosen at random for online verification. And there is a card blacklist
downloaded into the terminal.

This model grew up because of the very high cost of telephone calls.
Instead, the accumulated transaction records were collected overnight by
phone - and this still happens for many small merchants.

Thus, for many merchants with single card machines, the transaction model is
little different from the paper slip and a rule to phone for authorisation
if the transaction is above a certain limit.

For large retailers with in-store networks, the main difference is that
transaction records may be collected more frequently from the store's back
office computer, via the store owner's national data network.

The technical point about this is that the online reservation of value does
not need to be secured in the same way as a true online transaction has to
be secured.

As we move to smart cards, the store and forward method continues, but
security on the cards is higher and security of the link between card, card
holder and terminal is gradually (oh so gradually) being ratcheted up.

The French (where Cartes Bancaires rules and most transactions are debit)
wanted to go to online transactions (and thus at the same time provide a low
cost method for personal online transactions using a small secure terminal
to your home PC), but the global card associations did not wish to follow. A
major move to online transactions would cut out the intermediary acquirer,
as the transaction needs to be online to the card issuer (payment
application issuer if it's a multi-app card).
The basic EMV smart card payment spec is really only an electronic version
of the paper slip (as was the mag stripe method before it).

Peter
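
The floor-limit rules described in the message above, as an added example that is not part of the original post: a sketch of the terminal-side decision (blacklist, floor limit, random online selection) and the store-and-forward batch. The figures, the `Terminal` class and the `authorise_online` callback are assumptions made for illustration.

```python
import random
from dataclasses import dataclass, field
from typing import Callable

# Constructed values for illustration; the post gives no figures.
FLOOR_LIMIT_PENCE = 5000      # assumed floor limit (GBP 50.00)
RANDOM_ONLINE_RATE = 0.05     # assumed "small percentage" sent online at random


@dataclass
class Terminal:
    blacklist: set                                # card numbers downloaded into the terminal
    authorise_online: Callable[[str, int], bool]  # hypothetical online check and reservation
    draw: Callable[[], float] = random.random     # injectable so the random rule is testable
    batch: list = field(default_factory=list)     # records held locally for the acquirer

    def process(self, pan: str, amount_pence: int) -> tuple:
        """Return (decision, route) for one transaction."""
        # Rule 1: the downloaded blacklist is checked locally, whatever the amount.
        if pan in self.blacklist:
            return ("declined", "blacklist")
        # Rule 2: at or above the floor limit, go online first.
        # (Treating "equal to the limit" as online is an assumption.)
        # Rule 3: a small random share of sub-limit transactions also goes online.
        if amount_pence >= FLOOR_LIMIT_PENCE or self.draw() < RANDOM_ONLINE_RATE:
            route = "online"
            if not self.authorise_online(pan, amount_pence):
                return ("declined", route)
        else:
            route = "offline"
        # Store and forward: approved records wait in the terminal either way.
        self.batch.append({"pan": pan, "amount_pence": amount_pence, "route": route})
        return ("approved", route)

    def collect(self) -> list:
        """Acquirer collection (e.g. overnight): hand over the batch and clear it."""
        collected, self.batch = self.batch, []
        return collected
```

Note that a sub-limit transaction on a card not yet in the downloaded blacklist is approved without any issuer contact, which is the residual risk the random online selection is there to sample.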