
> Chip + PIN is basically the EMV standard for cards with chips on them

Worse than that, it's a marketing name :)

Or it was in the UK. Strictly speaking, the cards contain a cardholder verification method list that gives the terminal the info about whether, and in what priority order, it should process PIN offline, online, signature or other methods. This method allows American cards to function elsewhere in the world, depending on the terminal risk profile, and Euro cards, which would usually require a PIN, to function in PIN-less US terminals.

> There is very little difference in the process when using NFC, except that the power to the chip in the card is via the NFC field.

Sure, but in contactless EMV there is no user interaction part of the process, so 'offline PIN' is not a possibility. This is because the transaction process would have to halt while the user entered their PIN and continue afterwards. So I'm pretty sure that for contactless transactions there is no offline PIN CVM. The process is also going to be slightly different in that the card/phone doesn't stick around for any post-transaction issuer scripts, and IIRC from the short time I worked on a contactless product, there is only a single application-cryptogram generation phase compared to the two in a chip transaction, though I can't remember the significance of that now!

Or can I ... the second Gen AC phase is where the card signs off on the bank's authorisation of a transaction, if the transaction has gone online. Strictly your chip card can still decline a transaction even if the bank says it's OK. This is missing in contactless flow because, again, it would require the transaction to pause and take longer than a quick wave.
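The CVM list selection described in the post above, as an added worked example that is not part of the thread: a small model of how a terminal walks a card's CVM List (the format from EMV Book 3, section 10.5: two 4-byte amount thresholds X and Y, then 2-byte CV Rules whose first byte carries the CVM code plus a "continue on failure" bit and whose second byte is the condition code) against its own Terminal Capabilities. The card lists, terminal profiles and amounts are constructed for illustration; cash and cashback conditions are not modelled, and treating a contactless reader as a terminal that simply does not advertise offline PIN is an assumption made to mirror the post, not how the contactless kernels actually express it.

```python
"""Model of EMV CVM List processing (added example; constructed data, not the thread's)."""
from __future__ import annotations
from dataclasses import dataclass

# CVM codes (bits 6-1 of CV Rule byte 1), EMV Book 3 section 10.5
CVM_NAMES = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN by ICC (offline PIN)",
    0x02: "enciphered PIN online",
    0x04: "enciphered PIN by ICC (offline PIN)",
    0x1E: "signature",
    0x1F: "no CVM required",
}

# Terminal Capabilities byte 2 (CVM capability) bit masks
CAP_PLAINTEXT_OFFLINE_PIN = 0x80
CAP_ONLINE_PIN = 0x40
CAP_SIGNATURE = 0x20
CAP_ENCIPHERED_OFFLINE_PIN = 0x10
CAP_NO_CVM = 0x08
CVM_TO_CAP = {0x01: CAP_PLAINTEXT_OFFLINE_PIN, 0x02: CAP_ONLINE_PIN,
              0x04: CAP_ENCIPHERED_OFFLINE_PIN, 0x1E: CAP_SIGNATURE, 0x1F: CAP_NO_CVM}


@dataclass
class Terminal:
    name: str
    cvm_capability: int  # Terminal Capabilities byte 2


@dataclass
class Rule:
    cvm_code: int          # bits 6-1 of byte 1
    continue_on_fail: bool  # bit 7 of byte 1: try next rule if this CVM is unsupported
    condition: int         # byte 2


def parse_cvm_list(data: bytes) -> tuple[int, int, list[Rule]]:
    """Split a CVM List into amount X, amount Y and its CV Rules."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    x = int.from_bytes(data[0:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = [Rule(b1 & 0x3F, bool(b1 & 0x40), b2)
             for b1, b2 in zip(data[8::2], data[9::2])]
    return x, y, rules


def condition_met(rule: Rule, term: Terminal, amount: int, x: int, y: int) -> bool:
    """Evaluate the CVM Condition Code; amount is in the application currency."""
    c = rule.condition
    if c == 0x00:
        return True
    if c == 0x03:  # "if terminal supports the CVM"
        return bool(term.cvm_capability & CVM_TO_CAP.get(rule.cvm_code, 0))
    if c == 0x06:
        return amount < x
    if c == 0x07:
        return amount > x
    if c == 0x08:
        return amount < y
    if c == 0x09:
        return amount > y
    return False  # cash / cashback conditions (0x01, 0x02, 0x04, 0x05) not modelled


def select_cvm(cvm_list: bytes, term: Terminal, amount: int) -> str:
    """Return the name of the CVM the terminal would perform, or 'CVM failed'."""
    x, y, rules = parse_cvm_list(cvm_list)
    for rule in rules:
        if not condition_met(rule, term, amount, x, y):
            continue  # condition not satisfied: move on to the next rule
        if term.cvm_capability & CVM_TO_CAP.get(rule.cvm_code, 0):
            return CVM_NAMES[rule.cvm_code]
        if not rule.continue_on_fail:
            return "CVM failed"  # unsupported CVM and the card said not to continue
    return "CVM failed"  # list exhausted without a successful CVM


# Constructed card lists: X = Y = 0 unless stated.
# Euro card: offline enciphered PIN, then online PIN, then signature (each "if supported"), then no CVM.
EURO_CARD = bytes.fromhex("0000000000000000" "4403" "4203" "5E03" "1F00")
# US card: signature if supported, else no CVM.
US_CARD = bytes.fromhex("0000000000000000" "5E03" "1F00")
# Low-value card: X = 3000 (30.00); no CVM under X, else online PIN / signature, else fail.
LOW_VALUE_CARD = bytes.fromhex("00000BB8" "00000000" "1F06" "4203" "5E03" "0000")

UK_CHIP_AND_PIN = Terminal("UK chip-and-PIN terminal", 0xF8)
US_NO_PINPAD = Terminal("US terminal without PIN pad", CAP_SIGNATURE | CAP_NO_CVM)
CONTACTLESS = Terminal("contactless reader (no offline PIN)", CAP_ONLINE_PIN | CAP_NO_CVM)

if __name__ == "__main__":
    for card_name, card in (("Euro", EURO_CARD), ("US", US_CARD), ("low-value", LOW_VALUE_CARD)):
        for term in (UK_CHIP_AND_PIN, US_NO_PINPAD, CONTACTLESS):
            print(f"{card_name} card at {term.name}: {select_cvm(card, term, 5000)}")
```

Run as a script it prints the chosen method for each card/terminal pair; the interesting rows are the Euro card falling through to signature at the US terminal and to online PIN at the contactless reader, which is exactly the interoperability the post describes.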



Not entirely true. I've done a contactless payment that was interrupted at the reader and my PIN requested before the transaction was processed.

I didn't need to re-present the card to the reader. It processed the rest of the transaction after the PIN was entered.


> I didn't need to re-present the card to the reader. It processed the rest of the transaction after the PIN was entered.

Yeah, that's an online PIN: it's sent to your bank for verification, not the card (which has already done its part of the transaction).

(If you want to be pedantic, yes, you're quite right! The EMV transaction process is still going on at that point, between the terminal and the bank, and it has indeed paused to allow the user to enter a PIN. The process between the terminal and the card has completed though, so offline PIN can't be done, because in the offline PIN process the card performs the verification.)


Very true, and if there's one thing about EMV, it is pedantic and convoluted and confusing, primarily because it has evolved and is not particularly subject to "intelligent design". :)



