How are offline and online PINs synchronised?
Chip cards typically support two types of PIN verification method: online PIN and offline PIN.
Both are used to authenticate the cardholder during a transaction.
PINs are typically stored securely in 2 locations:
- on board the chip, for use where terminals support offline PIN validation
- on the CLOWD9 host, for use at ATMs and at terminals that do not support offline PIN validation, where the PIN value must be validated online by CLOWD9
In both locations the PIN status can be affected independently of the other by real-world events, most typically fraudulent attempts to enter PIN values against a lost or stolen card. It is therefore possible for the online and offline PIN status, and the online and offline PIN value, to become unsynchronised.
For example:
- if an invalid PIN is entered at an offline-PIN-capable POS terminal 3 times (3 is typical), the chip will block the card from initiating any subsequent authorisation activity at POS terminals. However, the online PIN status will remain valid. It would therefore still be possible to complete an online PIN transaction successfully at an ATM, assuming the correct PIN is used.
- if a cardholder changes the value of their PIN via an app or webpage on the CLOWD9 host, the new value will not be updated on the chip. Offline PIN validations using the new value will therefore fail, giving a poor cardholder experience. The new PIN value cannot be sent to the chip until the cardholder completes an online PIN validation, typically at an ATM, where the new PIN value entered at the ATM is validated against the new value stored on the CLOWD9 host. If the online validation is successful, the authorisation response will update the offline PIN value stored on the card, completing the synchronisation between the online and offline values.
In order to keep the online and offline values synchronised, there are several considerations.
Offline PIN
An offline PIN is verified by the chip on the card itself, not by CLOWD9's backend system.
- The card stores the PIN, encrypted, securely on board the chip as part of the card personalisation process.
- During a transaction, the card terminal prompts the user to enter their PIN.
- The terminal sends the encrypted PIN to the card.
- The card compares the encrypted PIN to its stored encrypted value and returns a response: verified or not verified.
- Typically the chip keeps a count of consecutive unverified offline PIN attempts, and after a predefined number of unverified attempts the chip sets an offline PIN block, preventing further offline PIN validation attempts.
- After every successful offline PIN validation, the count is reset to zero to ensure it is only consecutive invalid offline PIN attempts that will trigger a block.
Online PIN
An online PIN is verified by CLOWD9 systems as part of processing an online authorisation request received from a network.
- CLOWD9 stores the PIN encrypted securely on its databases as part of the card onboarding process.
- During a transaction, the POS or ATM prompts the user to enter their PIN.
- The POS or ATM sends the encrypted PIN to CLOWD9 via the payment network.
- CLOWD9 checks the encrypted PIN and returns an approval or decline response.
- CLOWD9 keeps a count of consecutive unverified online PIN attempts, and after a predefined number of unverified attempts CLOWD9 sets an online PIN block, preventing the account from approving subsequent online PIN attempts.
- After every successful online PIN validation, the online count is reset to zero to ensure it is only consecutive invalid online PIN attempts that will trigger a block.
PIN Block and PIN Reset - offline vs online
As PINs are stored in 2 locations and can be managed independently, it is important to understand how online and offline PIN blocks can be reset.
A key part of synchronising offline and online PIN values and status is that ATM authorisation requests are always forced online for a PIN check. This ensures that CLOWD9 always has a way to reach and reset the PIN management settings on board the chip card, by asking the cardholder to use the card at an ATM.
Where PIN is blocked offline, online PIN not blocked
The cardholder will be unable to use their card at offline PIN terminals.
The cardholder should be advised to recover their original PIN value via a secure channel, or be issued with a new PIN value, which will be held online by CLOWD9 pending the next successful cardholder online PIN validation check.
The cardholder should be advised to use an ATM with the recovered original PIN or the new PIN value.
The ATM will force an online PIN check. Assuming the PIN value is validated by CLOWD9, CLOWD9 will approve the authorisation and include in the authorisation response a message that forces the chip to unblock the offline PIN status and update the offline PIN value. This re-synchronises the offline and online PIN check behaviour.
Where PIN is blocked online, offline PIN not blocked
The cardholder will be unable to use their card, as authorisation requests will be declined at the CLOWD9 host regardless of the merchant type (e.g. POS, ATM, e-commerce) that originated the request.
The cardholder will need to verify themselves via appropriate security checks, usually via an app or call centre. On successful verification a PIN reset will be completed. Depending upon the use case, either a new PIN value will be generated and held online by CLOWD9, or the old PIN value may remain valid. The cardholder will be advised to recover the PIN value via a secure channel.
If a new PIN value has been issued, it must be synchronised with the offline value on the chip. The cardholder must therefore be advised to use an ATM with the new PIN value for their first transaction. The ATM will force an online PIN check. Assuming the PIN value is validated by CLOWD9, CLOWD9 will approve the authorisation and include in the authorisation response a message that forces the chip to update the offline PIN value. This re-synchronises the offline and online PIN check behaviour.
If the original PIN value has been communicated via a secure channel, the cardholder can be advised that their next transaction can be made at any POS or ATM, as the online and offline PIN values will still be synchronised.
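The behaviour described throughout this article (independent try counters and blocks on the chip and on the host, a PIN change made online that reaches the chip only through a forced-online ATM check, and the two block-reset paths above) as one added worked example in Python. This is not CLOWD9 code and not an EMV implementation: the `Chip` and `Host` classes, the salted hash standing in for each side's encrypted PIN reference, a try limit of 3 assumed to be the same on both sides, the `pos`/`atm` helper functions and the dictionary used as the "message in the authorisation response" are all assumptions made for illustration.

```python
import hashlib
import os
from dataclasses import dataclass

PIN_TRY_LIMIT = 3  # "3 is typical"; assumed the same on both sides here


def digest(pin, salt):
    # Stands in for the encrypted PIN reference each side holds; no plaintext PIN is kept.
    return hashlib.sha256(salt + pin.encode()).digest()


@dataclass
class Chip:
    """Card side: offline PIN reference, consecutive-failure counter, offline PIN block."""
    pin_ref: bytes
    salt: bytes
    tries_left: int = PIN_TRY_LIMIT
    blocked: bool = False

    def verify_offline(self, pin):
        if self.blocked:
            return "blocked"
        if digest(pin, self.salt) == self.pin_ref:
            self.tries_left = PIN_TRY_LIMIT  # only consecutive failures count
            return "verified"
        self.tries_left -= 1
        self.blocked = self.tries_left == 0
        return "not verified"

    def apply_issuer_script(self, script):
        # Commands carried in an approved online authorisation response (assumed format).
        if script.get("unblock_offline_pin"):
            self.blocked, self.tries_left = False, PIN_TRY_LIMIT
        if "new_offline_pin" in script:
            self.pin_ref = digest(script["new_offline_pin"], self.salt)


@dataclass
class Host:
    """Issuer side: online PIN reference, counter, online block, pending-chip-update flag."""
    pin_ref: bytes
    salt: bytes
    tries_left: int = PIN_TRY_LIMIT
    blocked: bool = False
    chip_needs_update: bool = False

    def change_pin(self, new_pin):
        # App/web PIN change: host value updated, chip untouched until an ATM visit.
        self.pin_ref, self.chip_needs_update = digest(new_pin, self.salt), True

    def reset_online_block(self, new_pin=None):
        # Performed after the cardholder passes identity checks (app or call centre).
        self.blocked, self.tries_left = False, PIN_TRY_LIMIT
        if new_pin is not None:
            self.change_pin(new_pin)

    def authorise(self, pin=None):
        # pin=None means the PIN was already verified offline. Returns (decision, script).
        if self.blocked:
            return "declined", None  # every channel is declined, PIN or no PIN
        if pin is None:
            return "approved", None
        if digest(pin, self.salt) != self.pin_ref:
            self.tries_left -= 1
            self.blocked = self.tries_left == 0
            return "declined", None
        self.tries_left = PIN_TRY_LIMIT
        script = {"unblock_offline_pin": True}
        if self.chip_needs_update:
            script["new_offline_pin"] = pin  # the value just validated online
            self.chip_needs_update = False
        return "approved", script


def new_card(pin):
    # Personalise the chip and onboard the host with the same PIN under separate salts.
    c_salt, h_salt = os.urandom(16), os.urandom(16)
    return Chip(digest(pin, c_salt), c_salt), Host(digest(pin, h_salt), h_salt)


def pos(chip, host, pin):
    # Offline-PIN-capable POS: the chip checks the PIN; the host never sees it.
    offline = chip.verify_offline(pin)
    return offline if offline != "verified" else host.authorise()[0]


def atm(chip, host, pin):
    # ATM: the PIN check is always forced online; an approval may carry a chip script.
    decision, script = host.authorise(pin)
    if decision == "approved" and script:
        chip.apply_issuer_script(script)
    return decision


def scenario_offline_block():
    chip, host = new_card("1234")
    trail = [pos(chip, host, "0000") for _ in range(PIN_TRY_LIMIT)]
    return trail + [pos(chip, host, "1234"),  # offline blocked even with the right PIN
                    atm(chip, host, "1234"),  # online status still valid: chip unblocked
                    pos(chip, host, "1234")]


def scenario_pin_change():
    chip, host = new_card("1234")
    host.change_pin("5678")
    return [pos(chip, host, "5678"),  # chip still holds 1234
            atm(chip, host, "5678"),  # host validates 5678 and scripts it to the chip
            pos(chip, host, "5678")]


def scenario_online_block():
    chip, host = new_card("1234")
    trail = [atm(chip, host, "0000") for _ in range(PIN_TRY_LIMIT)]
    trail += [atm(chip, host, "1234"),  # declined: account blocked online
              pos(chip, host, "1234")]  # chip verifies, host still declines
    host.reset_online_block(new_pin="9999")  # identity checks passed, new PIN issued
    return trail + [pos(chip, host, "9999"),  # new value not on the chip yet
                    atm(chip, host, "9999"),  # first transaction must be at an ATM
                    pos(chip, host, "9999")]
```

Each scenario function returns the sequence of outcomes for one of the cases in the article. Two details worth noting in the output: in `scenario_online_block` the correct PIN is declined at the POS as well, because the chip's verification is irrelevant once the host declines every authorisation; and calling `reset_online_block()` without a new PIN leaves `chip_needs_update` false, which is the case where the original value is kept and the next transaction can happen at any POS or ATM.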