> The first transaction on each reader and random transactions every 20-50$ (and all transactions above a $20 limit) will require chip+PIN verification

Not necessarily. In the UK (at least, at the banks where my fiancée and I hold accounts), you need to enter your PIN:

1) On the first transaction after activating a new card
2) On transactions above £30 (~$45) starting 1st Sep 2015 (however apparently some terminals have the former £20 limit hard coded and require a firmware update to increase the limit)
3) On random transactions

In the case of the random PIN verification for contactless payments, the frequency with which these are required isn't entirely clear. I have spent ~£100 over numerous successive contactless transactions (local store then rounds of drinks at the bar) without requiring PIN verification. In fact, I've never needed to enter my PIN - every contactless transaction has been automatically approved. Over a typical week, I do conduct a good mix of contactless and Chip-and-PIN transactions, so my risk profile might be different from someone who has, for example, an 80/20 contactless-to-chip ratio.

I'm unsure whether the PIN verification requirement is triggered by the application running on the card or by the transaction processor. This might actually be covered in the EMV spec [1].

[1] https://www.emvco.com/specifications.aspx?id=21
When I went to the MetroCentre the other week, I did about 5-6 contactless transactions in a day (probably somewhere around £100 spent total). By the end of the day my card got declined and I had to use Chip&Pin, so it does definitely happen in the UK, though the limits may be quite high (wonder if this may also vary based on the bank; I'm with a certain bank which refused to give me a contactless card until I had a credit check).
This is the first time since I got the card (quite a few months ago) that it was actually declined, however, so it's quite a rare occurrence.
As for the EMV spec, it sounds like the terminal is the one that decides whether or not to request Chip&PIN:
> During kernel processing, the kernel will determine from the acceptance environment and issuer settings in the card whether a cardholder verification is needed for the transaction. Methods that may be supported are online PIN and signature – offline PIN is not suitable due to the “card in field” timing issues.

What is the kernel?

> The kernel contains interface routines, security and control functions, and logic to manage a set of commands and responses to retrieve the necessary data from a card to complete a transaction.
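A simplified model of the PIN triggers discussed in this thread, added here as an illustration; it is not taken from the EMV specification or written by either commenter. The class and function names, the cumulative-spend counter and its £100 value are assumptions, and the random trigger is left out so the result is deterministic.

```python
from dataclasses import dataclass

@dataclass
class Reader:
    cvm_limit: int  # pence; per-transaction contactless limit held in the terminal

@dataclass
class Card:
    cumulative_limit: int            # pence; assumed issuer setting (constructed value)
    pin_verified_once: bool = False  # becomes True after the first chip+PIN payment
    spent_since_pin: int = 0         # assumed counter: contactless spend since last PIN

def contactless_decision(reader: Reader, card: Card, amount: int) -> str:
    """Decide whether a tap is accepted or the cardholder must fall back to chip+PIN."""
    if not card.pin_verified_once:
        return "pin: first transaction after activation"
    if amount > reader.cvm_limit:
        # Acceptance-environment check: depends on the limit stored in this reader.
        return "pin: above terminal limit"
    if card.spent_since_pin + amount > card.cumulative_limit:
        # Issuer-setting check: many small taps in a row eventually need a PIN.
        return "pin: cumulative contactless spend"
    card.spent_since_pin += amount
    return "approved without pin"

def chip_and_pin(card: Card) -> None:
    """A successful chip+PIN payment resets the card-side state in this model."""
    card.pin_verified_once = True
    card.spent_since_pin = 0

def run_demo() -> list[str]:
    old_reader = Reader(cvm_limit=2000)   # terminal still carrying the former £20 limit
    new_reader = Reader(cvm_limit=3000)   # terminal updated to the £30 limit
    card = Card(cumulative_limit=10000)   # constructed value: £100
    log = [contactless_decision(new_reader, card, 500)]      # brand-new card
    chip_and_pin(card)
    log.append(contactless_decision(old_reader, card, 2500)) # £25 on an old terminal
    for amount in (2500, 2500, 2500, 2000, 1000):            # a day of shopping
        log.append(contactless_decision(new_reader, card, amount))
    return log

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The same £25 payment is refused on the reader with the old limit and accepted on the updated one, and the final £10 tap is refused only because of the spend accumulated before it.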