Lauren Weinstein <lauren@vortex.com> (09/28/90)
There are two different scenarios for ATM PIN validation. Up until a relatively few years ago, most of the systems did all their validation within the ATM terminal itself, using the match between the encrypted form of the PIN on the card and the user's entry after being run through the same algorithm. These were usually four digit PIN systems. While some banks (particularly small ones not connected to external banking networks) may still be using this technique, I believe that most of the major banks, or most banks associated with the large ATM networks (e.g. STAR, etc.) no longer use this technique. Instead, the encrypted PIN is stored on the card, but is fed along with other user data to a regional or central network where the validation is performed. This is generally required by the interbank networks for a variety of reasons. In addition to PIN encoding, many of the ATM to network lines use higher level (e.g. DES) encryption these days. Under this system, when you take your card into a bank for a new PIN, they run the card through a machine that writes the encrypted PIN on the card, and that same machine calls a central computer and feeds the information into the main system. At Wells Fargo you can watch this all happen, since it all occurs in realtime while you sit there. Under systems that used the older "in-ATM" validation, you would find that your PIN was accepted as soon as you finished entering it. Under the newer systems, the PIN won't be accepted until there has been validation from the regional/central system. Since this introduces a delay of some seconds in most cases, the instructions on these ATMs usually tell you to go ahead and start entering your transaction without waiting after you've entered the PIN. They store up the additional data and as soon as the PIN verification is complete the transaction goes through. Most of this change was driven by the rise of the interbank ATM networks which let you walk up to tens of thousands of ATMs around the country and withdraw money from any of them (for an additional fee, of course). --Lauren--