Personal Identification Number (PIN) Management

An EMV Chip profile typically supports more than one Cardholder Verification Method, known as a CVM. The various methods are:

  • Offline PIN: The PIN stored on the Chip is used for verification
  • Online PIN: The PIN value is verified by CLOWD9 securely
  • Signature: The Customer is required to sign before the transaction can be completed

During the transaction process, the terminal (into which the card has been inserted) communicates with the Chip to identify the first CVM supported by both.

Offline PIN

The offline PIN is verified by the chip on the card itself, not by the CLOWD9 platform.

  • As part of the card manufacturing and personalization process, the PIN is stored on the Chip securely using EMV encryption
  • During a transaction, the card terminal prompts the user to enter their PIN
  • The terminal sends the encrypted PIN to the Chip on the card
  • The card compares the encrypted PIN to its stored encrypted value and returns a response: verified or not verified
  • The Chip Profile contains a PIN try counter, which is incremented each time an incorrect value is entered at the terminal. For your Customer's security, after a predefined number of incorrect attempts the Chip will block the offline PIN, preventing any further offline PIN or Contactless transactions
  • After every successful offline PIN validation the counter is reset to zero, so only consecutive invalid offline PIN attempts trigger a block

The offline PIN can also be unblocked using one of the following services:

  • PIN reset via an ATM
  • PIN reset via the Vista portal
  • PIN reset via the Unblock PIN API

Online PIN

An online PIN is verified by CLOWD9 as part of processing an online authorisation request received from a network.

  • CLOWD9 stores the PIN encrypted securely on its databases as part of the card onboarding process
  • During a transaction, the POS or ATM prompts the user to enter their PIN
  • The POS or ATM sends the encrypted PIN to CLOWD9 via the payment network
  • CLOWD9 verifies the encrypted PIN. Where the PIN value does not match, CLOWD9 will respond with "Incorrect PIN" to the Network.
  • CLOWD9 configures online PIN counters in line with your requirements; the counter increases each time an incorrect PIN is entered. After the predefined number of incorrect PIN attempts CLOWD9 applies a block, after which no transactions are permitted, whether online PIN, offline PIN or ecommerce, and CLOWD9 responds "Allowable PIN Tries Exceeded"
  • The online PIN counter is reset following a correct online PIN verification; however if the online PIN tries counter has been exceeded, the PIN must be reset via Vista or the Unblock PIN API

PIN Block and PIN Reset - offline vs online

In order to keep the online and offline values synchronised there are several considerations.

Because the PIN value is stored in two locations, the status and counters of each can be managed and affected independently. Fraudulent attempts to enter PIN values are most typically made against a lost or stolen card. It is therefore possible for the online and offline PIN status and/or PIN value to become unsynchronised.

The recommended way to unblock or reset the offline PIN is via an ATM. The ATM forces an online PIN check and, assuming the PIN value is validated by CLOWD9, CLOWD9 approves the authorisation and sends a message in the authorisation response that forces the chip to unblock the offline PIN status and update the offline PIN value. This re-synchronises the offline and online PIN check behaviour. However, you may not support this service, and so resetting the offline PIN via the API or Vista is also available. In this case, your Customer may be declined until the required messages have been sent by CLOWD9 to the terminal via the Network. Until the card has received these messages, the offline PIN will remain blocked.
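The following is an added illustrative model, not CLOWD9 code, of the offline and online PIN try counters described in the Offline PIN and Online PIN sections and of the ATM resynchronisation described above. The try limits of 3, the plain-text PIN fields and the `apply_unblock` message are assumptions of the model; real chips and hosts hold the PIN encrypted.

```python
from dataclasses import dataclass

OFFLINE_PIN_LIMIT = 3  # assumed chip PIN try limit (configured per profile)
ONLINE_PIN_LIMIT = 3   # assumed host PIN try limit (configured per issuer)

@dataclass
class Chip:
    pin: str  # clear text here for illustration only; real chips store it encrypted
    tries_left: int = OFFLINE_PIN_LIMIT
    blocked: bool = False

    def verify_offline(self, entered: str) -> str:
        if self.blocked:
            return "offline PIN blocked"
        if entered == self.pin:
            self.tries_left = OFFLINE_PIN_LIMIT  # only consecutive failures count
            return "verified"
        self.tries_left -= 1
        if self.tries_left == 0:
            self.blocked = True  # blocks further offline PIN and contactless use
            return "offline PIN blocked"
        return "not verified"

    def apply_unblock(self, new_pin: str) -> None:
        """Assumed unblock and PIN update carried in an approved ATM response."""
        self.blocked, self.tries_left, self.pin = False, OFFLINE_PIN_LIMIT, new_pin

@dataclass
class Host:
    pin: str  # held encrypted on the host in reality
    tries_left: int = ONLINE_PIN_LIMIT
    blocked: bool = False

    def verify_online(self, entered: str) -> str:
        if self.blocked:
            return "Allowable PIN Tries Exceeded"  # every authorisation is declined
        if entered == self.pin:
            self.tries_left = ONLINE_PIN_LIMIT
            return "approved"
        self.tries_left -= 1
        if self.tries_left == 0:
            self.blocked = True
            return "Allowable PIN Tries Exceeded"
        return "Incorrect PIN"

def atm_transaction(chip: Chip, host: Host, entered: str) -> str:
    """ATM forces an online PIN check; approval resynchronises the chip."""
    result = host.verify_online(entered)
    if result == "approved":
        chip.apply_unblock(host.pin)
    return result
```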

Where the PIN is blocked online but not offline

Your Customer will not be able to use their card as authorisation requests will be declined at the CLOWD9 host, regardless of the merchant type e.g. POS, ATM, e-comm etc.

Your Customer will be required to pass the appropriate security checks, usually via an app or the call center. On validation the online PIN reset will be completed. Depending upon the use case required, either a new PIN value will be generated which will be held online by CLOWD9 or the existing PIN value may remain valid. The cardholder will be advised to recover the PIN value via a secure channel using our Secure Framework.

If a new PIN value has been issued, it must be synchronised with the offline value on the chip. As with resetting the offline PIN, the recommendation is for the Customer to use an ATM with the new PIN value as their first transaction. The ATM forces an online PIN check and, assuming the PIN value is validated by CLOWD9, CLOWD9 approves the authorisation and sends the required messages in the authorisation response to update the Chip with the new PIN value. This re-synchronises the offline and online PIN check behaviour.

If the original PIN value has been communicated via a secure channel, the cardholder can be advised that their next transaction can be made at any POS/ATM as the online and offline PIN values will still be synchronised.