I have no doubt you're right, and the banks absolutely should not reject fraud reports based on PIN.
I've had a read of the first paper there, the nopin one, and it reads like a really preventable flaw in the IAD, which (as it's issuer-specific) could be very easily fixed without the involvement of terminal vendors. I agree with the conclusion that the TVR is a flawed concept, though; I had always assumed (never having worked directly for an issuer) that there would be enough data in the IAD to marry up the terminal and card perspectives on what had happened.
And on the second one, I'd be the first to agree that SDA and offline plaintext PIN are a bad idea; I could have told you that when I did my first implementation in 2001!
--edit-- I had actually assumed that by now the cost differential between SDA/plaintext and DDA (or CDA)/encrypted cards would be so small that nobody would use the SDA cards any more. Guess I was wrong!