VISA USA has made some recommendations for how to implement the shift from magnetic stripe payment cards to those which use a chip for authentication and seems primarily concerned with explaining that the new chip cards will not need associated personal identification numbers.
“One thing that’s clear from the questions is that there’s a lot of confusion around the myth that EMV means ‘chip-and-PIN.’ It doesn’t in many countries, including the U.S.,” Stephanie Ericksen, head of Authentication Product Integration for Visa Inc., write in an online entry about the recommendations.
“That’s because, in the U.S., we can rely on online processing where transactions are transmitted in real-time to the issuer for approval. With that in place, there’s no need for the offline authentication that was the genesis of chip-and-PIN,” Ericksen wrote.
The card brand announced it was prepared to start supporting the use of chips in payment cards in the U.S. in August 2011.
The difference between an online and offline PIN is that an online PIN is not stored on the card. Once the cardholder enters the PIN at the point-of-sale terminal, the PIN is encrypted by the PIN pad and sent online to the host for validation, similar to how PIN debit transactions are authorized today.
In an offline PIN situation, the offline PIN is stored securely on the chip card and during a transaction, when the cardholder enters the PIN, the POS terminal sends the PIN to the chip card for verification. The cardholder verification therefore takes place within the chip card.