Offline PIN not resetting/updating on new Visa card

Hi,

This is going to be very technical - I work in this area.

I’ve only recently started using the Visa replacement card for the Debit Mastercard. One of the things I had to do was to update the card PIN using the App. I then took out €10 at a local ATM (Sparkasse) to ensure the new PIN was correct (CVM was online PIN at ATM), and I anticipated that the offline PIN would also be changed using an Issuer Script.

This [offline PIN update/reset] does not appear to be working.

I performed another €10 ATM transaction this evening (May 13, 2020), and had a successful cash withdrawal. Following this cash withdrawal transaction, the offline PIN and the offline PIN try counters on the card have not been updated.

GET DATA of the PIN try counter for the next session with the card following the cash withdrawal. ATC below is 0x000A.

S-5 [0x5]>>'80CA9F1700'
R-2 [0x2]>>'6C04'
S-5 [0x5]>>'80CA9F1704'
R-6 [0x6]>>'9F1701009000'

Response to the 1st GEN AC also shows some issues with an Issuer Script

S-34 [0x22]>>'80AE80001D000000000001000000000000084000000080000978200513004AAB9446'
R-2 [0x2]>>'6114'
S-5 [0x5]>>'00C0000014'
R-22 [0x16]>>'801280000A621507C3BA7CD34D06011203A0601A9000'

Here you can see that there was one Issuer Script on the last transaction, and it failed. You can also see that the Offline PIN try limit is still exceeded.

Your PIN CHANGE issuer script is failing when presented to the card. Without a response Field 55 to look at, I can only guess at the issue here.

Your CVM list preferences make this a bit of an invisible problem - in Germany most POS devices and all ATMs support online PIN, so the offline PIN is never checked. In the UK and Ireland, almost all POS devices use offline PIN, and so this card possibly falls back to signature, or fails the transaction.

In some circumstances, unattended devices, e.g. Parking machines that accept contact transactions, will likely support only offline PIN. This is the case with some machines near where I live.

From an ADVT test card I have, the PIN change issuer script should look like this when presented to the card.

S-29 [0x1D]>>'842400021835BDAF13A3331CDCA70D18306B0E0316E8480EA2D9DD0876'
R-2 [0x2]>>'9000'

Note it should be this long [this many bytes inside tag 86]. If your PIN change issuer script is 8 bytes shorter, for example "8424000210…", then you're trying to change a VSDC PIN with an M/Chip command, and I would not recommend that.

The ATM transaction does complete correctly so the cryptograms are OK, and this is only connected to the issuer script.

Thanks,

Aidan

2 Like
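The two responses quoted above can be decoded mechanically. The following is an added example, not code from the thread or from any card vendor: it parses the GET DATA reply for tag 9F17 and the format 1 GENERATE AC response (tag 80), then pulls the Card Verification Results out of the Visa Issuer Application Data. The CVR bit names follow the VIS layout as I know it (length byte, then three bytes of flags); treat them as an assumption and confirm against the issuer specification you work with.

```python
"""Decode the card responses quoted in the post above (added example).

Tag layouts: EMV Book 3 for tag 9F17 and the tag 80 response to GENERATE AC;
the CVR bit assignments follow the Visa (VIS) format and are an assumption
to verify against the real specification.
"""

# Response APDUs copied from the trace in the post, SW1SW2 included.
PIN_TRY_COUNTER_RSP = "9F1701009000"
GEN_AC_RSP = "801280000A621507C3BA7CD34D06011203A0601A9000"


def split_sw(rsp_hex):
    """Separate the response body from the trailing status word SW1SW2."""
    body = bytes.fromhex(rsp_hex)
    return body[:-2], body[-2:].hex().upper()


def parse_tlv(data):
    """Parse a flat BER-TLV string into {tag_hex: value}. Handles two-byte
    tags such as 9F17 and one-byte lengths, which is all this trace needs."""
    out, i = {}, 0
    while i < len(data):
        tag = data[i:i + 1]
        i += 1
        if tag[0] & 0x1F == 0x1F:          # subsequent tag byte follows
            tag += data[i:i + 1]
            i += 1
        length = data[i]
        i += 1
        out[tag.hex().upper()] = data[i:i + length]
        i += length
    return out


def pin_tries_remaining(rsp_hex):
    """Tag 9F17: number of offline PIN tries left (0 means blocked)."""
    body, sw = split_sw(rsp_hex)
    assert sw == "9000", f"unexpected status {sw}"
    return parse_tlv(body)["9F17"][0]


def decode_visa_cvr(cvr):
    """Decode a VIS Card Verification Results field: [len=03][b2][b3][b4]."""
    assert cvr[0] == 3, "unexpected CVR length"
    b2, b3, b4 = cvr[1], cvr[2], cvr[3]
    ac_names = {0: "AAC", 1: "TC", 2: "ARQC"}
    return {
        "ac_first_gen_ac": ac_names.get((b2 >> 4) & 0x3, "RFU"),
        "second_gen_ac_not_requested": (b2 >> 6) == 0x2,
        "offline_pin_performed": bool(b2 & 0x04),
        "offline_pin_failed": bool(b2 & 0x02),
        "pin_try_limit_exceeded": bool(b3 & 0x40),
        "issuer_auth_failed_last_online_txn": bool(b3 & 0x08),
        "issuer_script_count_last_txn": b4 >> 4,
        "issuer_script_failed_last_txn": bool(b4 & 0x08),
        "offline_dda_performed": bool(b4 & 0x02),
    }


def decode_gen_ac(rsp_hex):
    """Format 1 GENERATE AC response: tag 80 = CID | ATC | AC | IAD."""
    body, sw = split_sw(rsp_hex)
    assert sw == "9000", f"unexpected status {sw}"
    value = parse_tlv(body)["80"]
    cid, atc, ac, iad = value[0], value[1:3], value[3:11], value[11:]
    # Visa IAD: [length][DKI][CVN][CVR, 4 bytes] ... (assumed layout)
    return {
        "cid": cid,
        "atc": int.from_bytes(atc, "big"),
        "ac": ac.hex().upper(),
        "dki": iad[1],
        "cvn": iad[2],
        "cvr": decode_visa_cvr(iad[3:7]),
    }


if __name__ == "__main__":
    print("PIN tries remaining:", pin_tries_remaining(PIN_TRY_COUNTER_RSP))
    for k, v in decode_gen_ac(GEN_AC_RSP)["cvr"].items():
        print(f"{k}: {v}")
```

Run on the trace above, the decoder reports ATC 10, CVN 18, an ARQC in the first GENERATE AC, the PIN try limit exceeded, and exactly one issuer script processed on the last transaction with the "issuer script processing failed" flag set, which is the reading given in the post. The two status words in the trace are the usual ISO 7816 case 2 handling: 6C04 means "wrong Le, re-send with Le=04", and 6114 means "14 bytes waiting, fetch them with GET RESPONSE".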

Does this card even provide an offline PIN/Limit? The service code of this card is 221 so there is always an online connection needed, as far as I know. For the card to work offline a code like 201 would be required.

Please correct me when I’m wrong.

This definitely needs the attention of someone like @Vinz

I will add some thoughts to this because this might actually be what happened to me, when I used my card in the UK.
The scenario is as follows:
My card was activated normally and working fine. Both in Germany and in the UK. The first issue with the card became apparent when I had to use it using chip and PIN (in the UK that is). The PIN was rejected and I am sure it was definitely the right one! The support suggested resetting the PIN. Said and done. Used at an ATM (in the UK) the new PIN was accepted. Fine, I thought. The contactless limit was reset getting money from the machine, so the same error only became apparent again when the contactless limit was reached: chip and PIN and the PIN was rejected (the very same PIN that had been used and accepted at the ATM to receive money.) The Tomorrow support was so kind as to replace the card with which I ran into the same trouble. So @aidanic's post might be the answer to that and there might be an issue with the offline PIN not being transmitted to the card correctly.

@Prompto Service code plays no part in this issue. On the magnetic stripe it still has a part in those types of transactions. For chip/contactless transactions, the value of the service code is on the chip, but is just informational.

The choice of Cardholder Verification Method (CVM) is decided by the device (PIN, signature or none), based on the capabilities of the device (what it supports), and the priority order defined by the card issuer. Check out EMVCo Book 3, Section 10.5 for the Engineering details of this CVM flow for contact transactions. Contactless has some slight differences, and the various entry point kernels have their own specifics.

Regional differences in Europe do play a role on the capabilities of specific devices, so a card might behave one way in London and a different way in Berlin for what looks like the same acceptance circumstances.

Back to this issue, the background is as follows:

  • I activated the new Visa card
  • I could not remember the PIN for the Mastercard, and chose a new one with the app
  • Shortly afterwards I took out €10 from an ATM to verify the new PIN (and hopefully set the offline PIN on the card)
  • A few days later, I tried to use the card in a contact reader at a parking machine that would not normally support online PIN, and the device responded with incorrect PIN twice. This confirmed to me that the new PIN chosen on the app was not correctly written to the card.
  • I tried the offline PIN in an industry test tool yesterday, and it was incorrect
  • I checked the results of a new 1st GEN AC and identified the issuer script failure
  • Today I went back to the ATM, and took out €10 (using the same PIN as at the parking), and the transaction was OK
  • The card still reports issuer script failure in the 1st GEN AC

The symptoms of the issue are the offline PIN is still blocked after an ATM transaction, and that I cannot use an unattended device supporting offline PIN. Diagnostics show a series of card flags in the CVR indicating issues with Issuer Scripts.

@simon-t In the UK (and some other countries), offline PIN is the main method of cardholder verification (this is where the PIN on the chip is checked securely). Most attended POS devices do not support online PIN. All ATMs worldwide must support online PIN. When you change the PIN on the App, the "back end at the bank" gets reset. Any ATM transactions will then work fine.

In Germany the majority of attended POS devices support online PIN (as well as offline PIN). Using the Visa card in Germany means (in most cases) contact transactions with the chip will use online PIN, and the good (or bad) offline PIN is never checked.

I’m being very specific here - contact transactions at an attended POS device on this card will either use online or offline PIN, with an issuer preference for online PIN, but it depends on what the POS device supports (the EMVCo Book 3 reference above).

Contactless is quite different. There are two limits, one being the maximum possible contactless transaction, and the other being the CVM limit. Typically these values are set by the card brand, and implemented/processed by the POS device. The maximum limit is clear - this is the most you can purchase with contactless. The CVM limit controls whether or not the POS device applies the standard CVM processing rules as per the EMVCo Book 3 reference above. Transactions above the CVM limit are sometimes described as "high value contactless transactions".

In the UK, both of these values are set to £25. It's not possible to perform a "high value" contactless transaction in the UK. In Ireland, before April 1 this year, the limit was €30, and in most locations it's now €50.

For contactless transactions in Germany, the CVM limit is set to either €25 or €30 (I can’t remember), and the maximum transaction value is much bigger (say €1000). Between €25 and €1000, you get the full CVM rules being applied (… Book 3 …), and in most cases (here in Germany) that will be online PIN. In Spain some years back I signed a receipt for a €200 contactless transaction.

Simon, your experience in the UK suggests to me that the process to set the offline PIN at the ATM is not working.

1 Like
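The post above describes the terminal-side CVM selection of EMVCo Book 3, section 10.5, and the contactless CVM limit in prose. Here is an added example (not code from the thread, and not any terminal vendor's implementation) that walks a constructed CVM list (tag 8E) against constructed Terminal Capabilities (tag 9F33 byte 2) for the device types named in the thread, and wraps it with the two contactless limits. The CVM list, capability bytes and limit amounts are all illustrative values chosen for this example; the condition codes handled are a subset of Annex C3.

```python
"""Simplified EMV CVM selection (Book 3, section 10.5) - added example.

Shows why one card uses online PIN at a German POS or ATM, offline PIN at a
UK POS or an unattended parking machine, and why a blocked offline PIN only
bites on the latter. All values below are constructed for illustration.
"""

# CVM methods: low six bits of the CVM code byte (Book 3, Annex C3).
METHODS = {0x01: "plaintext offline PIN", 0x02: "online PIN",
           0x1E: "signature", 0x1F: "no CVM"}

# Terminal Capabilities (tag 9F33) byte 2 bits, per Book 4 Annex A.
CAP_PLAINTEXT_PIN = 0x80
CAP_ONLINE_PIN = 0x40
CAP_SIGNATURE = 0x20
CAP_NO_CVM = 0x08
REQUIRED_CAP = {0x01: CAP_PLAINTEXT_PIN, 0x02: CAP_ONLINE_PIN,
                0x1E: CAP_SIGNATURE, 0x1F: CAP_NO_CVM}

# Constructed CVM list with the issuer preference described in the thread:
# online PIN, then offline PIN, then signature, then no CVM. Bit 7 (0x40) of
# the code byte means "apply the next rule if this one is unsuccessful";
# condition 03 means "if the terminal supports the CVM", 00 means "always".
CVM_LIST = bytes.fromhex("0000000000000000" "4203" "4103" "5E03" "1F00")

# Constructed capability bytes for the device types discussed in the thread.
GERMAN_POS = CAP_PLAINTEXT_PIN | CAP_ONLINE_PIN | CAP_SIGNATURE
UK_POS = CAP_PLAINTEXT_PIN | CAP_SIGNATURE
PARKING_MACHINE = CAP_PLAINTEXT_PIN
ATM = CAP_ONLINE_PIN


def parse_cvm_list(cvm_list):
    """Split tag 8E into amount X, amount Y and (code, condition) rules."""
    x = int.from_bytes(cvm_list[0:4], "big")
    y = int.from_bytes(cvm_list[4:8], "big")
    rules = [(cvm_list[i], cvm_list[i + 1]) for i in range(8, len(cvm_list), 2)]
    return x, y, rules


def condition_met(cond, terminal_caps, method_cap, amount, x, y):
    """Evaluate the CVM condition code (subset of Annex C3)."""
    if cond == 0x00:
        return True
    if cond == 0x03:                       # "if terminal supports the CVM"
        return bool(terminal_caps & method_cap)
    if cond == 0x06:
        return amount < x
    if cond == 0x07:
        return amount >= x
    if cond == 0x08:
        return amount < y
    if cond == 0x09:
        return amount >= y
    return False                           # unknown condition: skip the rule


def select_cvm(cvm_list, terminal_caps, amount=0):
    """Walk the issuer's CVM list in order and return the method the terminal
    will perform, or "CVM failed" if no rule applies."""
    x, y, rules = parse_cvm_list(cvm_list)
    for code, cond in rules:
        fall_through = bool(code & 0x40)
        method = code & 0x3F
        cap = REQUIRED_CAP.get(method, 0)
        if not condition_met(cond, terminal_caps, cap, amount, x, y):
            continue                       # condition not satisfied: next rule
        if not (terminal_caps & cap):      # method recognised but unsupported
            if fall_through:
                continue
            return "CVM failed"
        return METHODS[method]
    return "CVM failed"


def contactless_cvm(cvm_list, terminal_caps, amount, cvm_limit, max_limit):
    """Apply the two contactless limits before the CVM list (amounts in minor units)."""
    if amount > max_limit:
        return "contactless refused"
    if amount <= cvm_limit:
        return "no CVM"
    return select_cvm(cvm_list, terminal_caps, amount)


def expected_outcome(method, pin_tries_remaining):
    """Online PIN is checked at the host, so a blocked offline PIN (tag 9F17
    equal to zero) only fails transactions on offline-PIN terminals."""
    if method == "plaintext offline PIN" and pin_tries_remaining == 0:
        return "declined: offline PIN blocked"
    return "proceeds with " + method


if __name__ == "__main__":
    for name, caps in [("German POS", GERMAN_POS), ("UK POS", UK_POS),
                       ("parking machine", PARKING_MACHINE), ("ATM", ATM)]:
        method = select_cvm(CVM_LIST, caps)
        print(f"{name}: {method} -> {expected_outcome(method, 0)}")
```

With the offline PIN try counter at zero, as in the trace earlier in the thread, the ATM and the German POS still go through (online PIN), while the UK POS and the parking machine decline: the same card, the same PIN list, different terminal capabilities. The contactless wrapper reproduces the "no CVM under the limit, full CVM list above it, refused above the maximum" behaviour the post describes; plug in your scheme's current limit values.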

@aidanic thanks for sharing this in detail.

I’d like to add: new limit in the UK as of April 1: 45 GBP
Visa raised the limit already 2017 in Germany to 50 EUR (all others, including Girocard, followed this year).

Hey guys. Thanks for raising this topic. To be honest I’m not very competent when it comes to these technical discussions, so I can’t really add anything productive to the thread. I’ll forward this to the appropriate people however.
Have a mind-bogglingly beautiful evening lads!

Quick update: We discussed this internally and have handed it over to solaris, since we do not process and handle cards and their firmware. I'll keep you posted on this thread once we get new info on the subject. Thanks a lot @aidanic for raising this topic!

6 Like