8 Cardholder Verification
EXAMPLE: CVM LIST
8.4.2 Offline PIN Processing
The following requirements apply whether a PIN is transmitted in the clear to the card or the PIN is enciphered at the PIN pad or card reader and deciphered by the card.
1. Checking the PIN Try Counter
After the terminal determines that an offline PIN is to be entered, the terminal may transmit a GET DATA command to the card to retrieve the PIN Try Counter.
a. If the card supports returning the PIN Try Counter with the GET DATA command, then the card shall:
– If the PIN Try Counter is zero, set the ‘PIN Try Limit exceeded’ bit of the CVR to 1b.
– Return the PIN Try Counter to the terminal in the GET DATA response.
The terminal does not allow offline PIN entry if the PIN Try Counter is zero.
b. If the card does not support return of the PIN Try Counter with the GET DATA command, then the card shall return an SW1 SW2 error code to the terminal. This error code should be '6A88'.
Figure 8-1: Checking The PIN Try Counter
[Flowchart: GET DATA command; Card supports return of PIN Try Counter? (N: set SW1 SW2 = error in GET DATA response); PIN Try Counter = 0? (Y: set 'PIN Try Limit exceeded' in CVR); insert PIN Try Counter in GET DATA response; return GET DATA response.]
Visa Integrated Circuit Card Specification (VIS) 8 Cardholder Verification
Version 1.5 8.4 Processing
2. PIN Encipherment
If the CVM is Offline Enciphered PIN, then the terminal requests an unpredictable number from the card using the GET CHALLENGE command. The card shall generate and return an unpredictable number that the terminal uses in the PIN encipherment algorithm.
Figure 8-2: PIN Encipherment
3. Receiving the VERIFY command
After the Transaction PIN is entered, the terminal transmits a VERIFY command containing this PIN. When the VERIFY command is received, the card shall set the ‘Offline PIN verification performed’ bit of the CVR to 1b.
The Transaction PIN may be plaintext or enciphered as shown by the P2 parameter of the VERIFY command:
a. P2 = '80'—The PIN is in the clear. The card shall proceed to the PIN Verification step.
b. P2 = '88'—The PIN is enciphered. The card shall proceed to the PIN verification step.
4. PIN Verification
The card performs the following PIN verification steps:
a. PIN Try Limit Already Exceeded
If the PIN try function is blocked because the PIN Try Limit was exceeded previously, then the card shall:
– Set the ‘PIN Try Limit exceeded’ bit of the CVR to 1b
– Set the ‘Offline PIN verification failed’ bit of the CVR to 1b
– Return SW1 SW2 = '6984' in the VERIFY response if the PIN Try Limit was exceeded on a previous transaction
– Return SW1 SW2 = '6983' in the VERIFY response if the PIN Try Limit was exceeded during the current transaction
b. Compare Transaction PIN to Reference PIN
If the PIN try function is not blocked, the card shall decrement the PIN Try Counter by one. Then the card shall:
– If the PIN is in the clear, compare the Transaction PIN to the Reference PIN.
– If the PIN is enciphered, decipher the PIN using the ICC PIN Encipherment Private Key, if present, or ICC Private Key if the ICC PIN Encipherment Private Key is not present. This process is described in EMV Book 2, section 7. Then the card shall compare the deciphered Transaction PIN to the Reference PIN.
c. Matching PINs
If they match, then the card shall:
– Reset the PIN Try Counter to the PIN Try Limit value
– Set the ‘Offline PIN verification failed’ bit of the CVR to 0b
– Return a VERIFY command response indicating that the command was successfully executed (SW1 SW2 = '9000').
d. Non-Matching PINs
If the Transaction PIN does not match the Reference PIN or there was an error during PIN decipherment, then the card shall set the ‘Offline PIN verification failed’ bit of the CVR to 1b.
The card shall determine whether the PIN Try Limit was exceeded:
If the PIN Try Counter is zero (no PIN tries remaining), then the card shall:
– Set the ‘PIN Try Limit exceeded’ bit of the CVR to 1b
– If the ‘If PIN Try Limit exceeded on current transaction, block application’ bit of the ADA is 1b, then set the ‘Application blocked by card because PIN Try Limit exceeded’ bit of the CVR to 1b and block the application. The card shall allow the current transaction to proceed through Completion. If the application is blocked by this method, then the card shall respond to the GENERATE AC command with an AAC. Blocking the application as described here shall not permanently disable the application or the card.
– Return a VERIFY command response indicating that the PIN Try Limit is exceeded (SW1 SW2 = '63C0')
If the PIN Try Counter is greater than zero (PIN Tries Remaining):
– If PIN verification failed because of an error during PIN decipherment, then the card shall return a VERIFY command response indicating an error. The recommended error is SW1 SW2 = '6983' or '6984' (this can prevent the PIN Try Counter from being decremented to zero, thereby blocking the PIN, when the actual failure is a PIN decipherment failure).
– Otherwise, if the resulting value of the PIN Try Counter is not zero, then the card shall return a VERIFY response indicating the remaining number of PIN tries (SW1 SW2 = '63Cx' where x equals the remaining PIN tries).
5. Follow-up Processing
After each unsuccessful PIN try with PIN tries remaining, the terminal requests another PIN entry and sends the card another VERIFY command.
If PIN verification is successful prior to the PIN Try Counter being decremented to zero, then the card shall:
– Reset the PIN Try Counter to the value of the PIN Try Limit
– Set the ‘Offline PIN verification failed’ bit of the CVR to 0b.
The cardholder may continue to enter a PIN until the PIN Try Counter is decremented to zero. At that time, the terminal will not transmit any further VERIFY command messages to the card.
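The card-side handling of steps 3 to 5 for a plaintext PIN (P2 = '80'), as an added Python model that is not part of the VIS specification. The class, method and attribute names, the CVR bits held as strings, and the constant-time comparison are assumptions of this example; PIN decipherment (P2 = '88') is left out.

```python
import hmac

class OfflinePinCard:
    """Card-side model of VERIFY with a plaintext PIN (hypothetical names)."""

    def __init__(self, reference_pin, pin_try_limit=3, ada_block_on_limit=False):
        self.reference_pin = reference_pin
        self.pin_try_limit = pin_try_limit
        self.ada_block_on_limit = ada_block_on_limit  # ADA "block application" bit
        self.ptc = pin_try_limit      # PIN Try Counter, persists across transactions
        self.app_blocked = False      # persists across transactions
        self.new_transaction()

    def new_transaction(self):
        self.cvr = set()              # names of the CVR bits currently set to 1b
        self.exceeded_now = False     # limit exceeded during this transaction

    def verify(self, transaction_pin):
        """Return SW1 SW2 as a hex string; update the PTC and the CVR."""
        self.cvr.add("Offline PIN verification performed")        # step 3
        if self.ptc == 0:                                         # step 4a
            self.cvr |= {"PIN Try Limit exceeded",
                         "Offline PIN verification failed"}
            return "6983" if self.exceeded_now else "6984"
        self.ptc -= 1                 # step 4b: decrement, then compare
        # Constant-time comparison is this example's choice, not a page requirement.
        if hmac.compare_digest(transaction_pin.encode(),
                               self.reference_pin.encode()):
            self.ptc = self.pin_try_limit                         # step 4c
            self.cvr.discard("Offline PIN verification failed")
            return "9000"
        self.cvr.add("Offline PIN verification failed")           # step 4d
        if self.ptc == 0:
            self.cvr.add("PIN Try Limit exceeded")
            self.exceeded_now = True
            if self.ada_block_on_limit:
                self.cvr.add("Application blocked by card because PIN Try Limit exceeded")
                self.app_blocked = True   # GENERATE AC is then answered with an AAC
            return "63C0"
        return "63C%X" % self.ptc     # x = remaining PIN tries

def run_pin_tries(card, entered_pins):
    """Terminal side of step 5: retry until success or no tries remain."""
    status_words = []
    for pin in entered_pins:          # constructed sample PINs
        sw = card.verify(pin)
        status_words.append(sw)
        if sw in ("9000", "63C0") or not sw.startswith("63C"):
            break                     # no further VERIFY commands are sent
    return status_words
```
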
Figure 8-3: Offline PIN Processing