When paying with a bank card at a terminal, the terminal must know how the cardholder should be verified. The verification method could vary card by card, terminal by terminal, depending on what kind of means the payment card and the terminal support.
Cardholder Verification Method
CVM (Cardholder Verification Method) tells how the cardholder should verify him or herself during a payment transaction. There are several methods described in EMV. It may be a PIN in clear text or encrypted form, online or offline, signature, cardholder device, or even biometrics. The card contains a list that specifies the kind of CVM acceptable by the card. Dual interface cards carry a different list of contact and contactless interfaces.
The terminal reads this list and verifies which item is compliant with the capabilities of the terminal. When the terminal has read the list, it goes through the list one by one and verifies the compliance. For every item in the list, the terminal may or may not recognize the verification method. How could it happen that a terminal doesn’t know the verification method? EMV added biometric support to its specifications in 2017. Consequently, terminal kernels developed earlier may not understand this kind of CVM.
Unsupported CVN and failure
If the terminal recognizes the CVM, it may support it or not. For example, a terminal without a fingerprint sensor doesn’t support fingerprint CVM. EMV specification states that the terminal not supporting a CVM should go to the next item in the CVM list.
At the same time, in EMV specification, there are specific rules for the cases when the terminal supports the CVM, and the cardholder verification fails. In such a case, the CVM list item instructs the terminal to abandon the transaction or to read the next element of the CVM list. This regulation of the specification seems to cause kernel implementations to behave differently.
Case with biometrics
Some issuers want to verify the cardholder by biometrics. They support PIN only in case the terminal doesn’t support biometric at all. But if the terminal supports a biometric verification method and fails, the issuer doesn’t want to allow PIN.
In a bulletin issued by EMVCo in March 2020, EMVCo warned issuers that in some cases terminal kernels doesn’t work as required by EMV, because of misunderstanding EMV specification at the time of implementation. As a result, some terminal, not recognizing the biometric verification method, may fail the verification, instead of ignoring the biometric item. So, in case the card supports both biometric and PIN and prefers biometric against PIN, some terminal types may improperly fail the transaction if the biometric method is unknown by the POS. In this case, the terminal doesn’t require the PIN.
In 2019, EMVCo updated the test cases to ensure the proper behaviour of the terminal kernels. Despite this, there may be a couple of devices in production, with an incorrect response. Issuers would better note the fact that their cardholders may face anomaly with their cards even if they configured the card correctly.
Sources:
- EMV ® 4.3 Book 3
- EMV ® Specification Bulletin No. 185
- EMV ® Best Practice for Biometric Proprietary CVM Support
