18

Certain banks (like Capital One or NAB) offer to change a debit/credit card PIN remotely, from an app or the bank's website.

However, it seems to me that the PIN is also stored on the chip of the physical card, as it is actively checked when using Chip & PIN or certain TAN generators.

(How) does a remotely changed PIN get propagated to the physical card? The alternatives I could think of is that the PIN gets updated the next time the card is inserted into a terminal or ATM, or that the PIN is not stored on the card after all but checked online for every transaction, but both don't seem to always work or be very secure.

Victor Le Pochat
  • 305
  • 2
  • 7

2 Answers2

27

The EMV standard supports two (technically three) methods of verifying a PIN. In the first method ("online"), the PIN is encrypted and sent to the bank for verification. The other method ("offline") asks the chip to verify the PIN, and only the result is transmitted to the bank. (Offline is further subdivided into "encrypted" and "plaintext", depending on how the PIN is transmitted to the chip, but the practical differences are minimal.)

In general the banks in a given country tend to be all online-PIN or offline-PIN. In the US, which it sounds like you're in, most cards are online-PIN. Thus, changing your PIN via the bank's website or app will immediately take effect, without having to update the card.

Additionally, there's a specific EMV tag that a bank can return to the terminal to pass on to the chip which can update the PIN stored in it. Not all terminals support it (the feature is called "issuer scripts"), and it doesn't work with contactless or "quickchip" transactions (because the card is no longer present when the response is received), so I don't know how common it actually is - but it does technically exist, and was presumably used at some point in time. It's probably more commonly used over the ATM network than the credit card networks.

Bobson
  • 2,282
  • 17
  • 17
0

What is generally stored in the mag stripe and also from what I know in the EMV is the pin offset, not the actual pin. The pin offset is a pointer to the actual value of the pin on the banking accounting server. The offset effectively is the memory address of the person's PIN. Done that way, they can change your pin at any moment, and it has no effect on transactions and requires no change on the physical card. This offset still is sent encrypted as is the entered pin.

Note that my experience with this is related to credit unions, who generally use different core accounting systems than banks.

Eric Lizotte
  • 9
  • 1