What is EMV?
The abbreviation EMV comes from Europay, MasterCard, and Visa, the three organizations that created the specifications for the program in 1994. Today, the EMV standard is managed by EMVCo LLC, which is equally owned by American Express, JCB, MasterCard, and Visa.
EMV is the technical interoperability standard that ensures chip-based payment cards and terminals are compatible around the world. EMV chip cards or personal devices such as a key fob or mobile phone contain embedded microprocessors that, when connected to an EMV-enabled POS terminal, offer strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. The terminal can be either contact or contactless; many POS machines have both. The smart chip in the payment instrument securely stores the information about the cardholder’s account and the issuer’s payment application, and it performs cryptographic processing to validate the integrity of the card number and certain static and dynamic data used in the transaction. Overall, this provides a strong form of card authentication to validate the legitimacy of the payment type.
EMV Liability Shift
On October 1, 2015, the EMV liability shift took effect. It applies to counterfeit and stolen cards. In the case of counterfeit cards, the merchant avoids liability by having an EMV-ready terminal. In the case of stolen cards, the merchant must have an EMV-ready PIN-accepting device to validate the user. If the issuer does not prompt for a PIN on a stolen card, the issuer assumes liability. If merchants are not EMV-ready and are the victim of a data breach, the card brands can also deem their systems insecure and levy fines and penalties.
The liability shift applies only to card-present transactions in which a new EMV chip card is used, and only if the transaction is found to be fraudulent. In the event of a fraudulent transaction, the merchant without an EMV-ready terminal will be liable for the value of that transaction.
A Chip to Dip
Unlike in a traditional transaction, an EMV card is inserted or “dipped” into the card reader and stays there until the terminal lets both the cashier and customer know the sale is complete.
Comparing the “How” of a Magnetic Card Transaction and Chip Card Transaction.
Going beyond the “chip to dip” aspect of performing an EMV transaction, we take a look at how a traditional magnetic stripe transaction differs from the more complex EMV transaction. This gives you a high level view of the process:
Magnetic stripe transaction
- There is a one-time interaction between the card and the terminal: the terminal reads the static information on the card.
Chip card transaction
- The terminal interacts with the chip on the card on an ongoing basis during the transaction.
- The chip processes information and determines many of the rules that determine the outcome of the transaction.
- The terminal helps enforce the rules set by the issuer on the chip, like cardholder verification methods.
- If the terminal cannot provide the services requested by the chip, the issuer can set rules that will cause the chip to decline the transaction.
EMV Confirmation Types
EMV employs either a signature or an offline PIN to authenticate the cardholder. In a “Chip and PIN” environment, the user of the card enters a PIN into the POS terminal rather than using a signature to complete the transaction. The PIN entered by the cardholder is validated against either the PIN stored on the chip or at the processor to ensure that the card is used by the authorized party. Whether the signature or the offline PIN version of EMV is used depends on how it has been implemented in the geographical region.
EMV Benefits for Card Fraud Prevention
A primary motivation for implementing EMV is the belief that it is fundamentally more resistant to fraud than the magnetic stripe. A combination of card number validation via the chip and authentication of the user via PIN protects against common attacks such as fraudulent use of lost or stolen cards, counterfeit cards and skimming (a vulnerability of magnetic stripe cards).
EMV works in both “online authorization” and “offline transaction” environments. In an “online authorization”, a dynamic cryptogram is associated with each authorization and clearing transaction and acts as a unique password for the card that is only good for a single use. In an “offline transaction”, security against skimming and counterfeiting is provided for businesses performing payment processing without an online data connection to the issuer host.
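The single-use property of the dynamic cryptogram, shown as an added example that is not part of the original page: a simplified issuer-side check in which HMAC-SHA256 stands in for EMV's actual cryptogram algorithm. The names `Issuer`, `card_cryptogram`, `session_key` and the sample card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Simplified model (assumption): real EMV chips use a block-cipher MAC under a
# session key derived from a card master key; HMAC-SHA256 stands in for both.
def session_key(card_key: bytes, atc: int) -> bytes:
    """Derive a per-transaction key from the card key and the transaction counter."""
    return hmac.new(card_key, b"session" + atc.to_bytes(2, "big"), hashlib.sha256).digest()

def card_cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """What the chip returns: a MAC over data that changes on every transaction."""
    msg = amount_cents.to_bytes(6, "big") + nonce + atc.to_bytes(2, "big")
    return hmac.new(session_key(card_key, atc), msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer host: knows each card's key and the highest counter it has accepted."""
    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, pan: str, card_key: bytes) -> None:
        self.keys[pan] = card_key
        self.last_atc[pan] = 0

    def authorize(self, pan, atc, amount_cents, nonce, cryptogram) -> str:
        if pan not in self.keys:
            return "DECLINE: unknown card"
        if atc <= self.last_atc[pan]:            # counter must always move forward
            return "DECLINE: counter reused"
        expected = card_cryptogram(self.keys[pan], atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        self.last_atc[pan] = atc
        return "APPROVE"

def demo():
    pan, key = "4000000000000002", secrets.token_bytes(16)   # constructed test values
    issuer = Issuer()
    issuer.enroll(pan, key)
    nonce = secrets.token_bytes(4)                # terminal's unpredictable number
    cg = card_cryptogram(key, 1, 2500, nonce)
    first = issuer.authorize(pan, 1, 2500, nonce, cg)
    replay = issuer.authorize(pan, 1, 2500, nonce, cg)    # same message seen again
    altered = issuer.authorize(pan, 2, 99900, nonce, cg)  # old cryptogram, new data
    return first, replay, altered

if __name__ == "__main__":
    print(demo())
```

Static magnetic stripe data has no equivalent of the counter or the keyed MAC, which is why a copied stripe keeps working while a copied cryptogram does not.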
For merchants, the use of chip-enabled cards means greater security and more streamlined processing, especially when chip is combined with PIN authentication, which can reduce fraud. Merchants gain other benefits, including fewer chargebacks, increased opportunity for self service, streamlined checkout with contactless payments, and marketing opportunities.
It is possible for a card issued from an EMV-enabled country to be used fraudulently where EMV is not supported. A common scenario is that a card number from an EMV card is counterfeited onto a magnetic stripe card and used either in a country that doesn’t have EMV terminals or in a card-not-present environment. The enablement of EMV in the US market only narrows the places where fraud can occur.
EMV represents a vast improvement over the technology of magnetic stripe cards, but it is fundamentally an authentication technology rather than a data security technology. EMV does not address merchant-specific risks such as the interception of card numbers in transmission on the merchant network or attacks against repositories of card information within the merchant, acquirer, processor, network or issuer environment. The largest breaches of card information come from vulnerabilities within the merchant and processor environment that EMV does not address.
In the majority of both EMV and non-EMV transactions, payment card information is sent from the point of interaction to the processing host in an unencrypted form. The vulnerability to capture the data “in flight” has been exploited. While the dynamic cryptogram provides some level of protection, the payment card information still travels in the clear and could theoretically be counterfeited onto a magnetic stripe or used in a card not present environment. The primary method of eliminating this risk is to encrypt the payment card at the point of interaction.
Another key exposure is that many merchants retain payment card data after the transaction in long-term data stores. Some businesses have data warehouses containing hundreds of millions of card numbers they use for marketing and analysis of consumer purchase behavior. The massive volume and value of this data make these data stores targets.
The simplest method of circumventing EMV is to use a stolen card number where EMV validation does not occur, such as in an ecommerce transaction. EMV is designed for instances where a payment instrument is presented in person. EMV does not address the fraudulent use of payment data in card-not-present situations, where there is no direct connection, such as when data is entered into an ecommerce application or given over the phone or through the mail.
A Layered Approach to Security
While EMV primarily focuses on card fraud prevention at the consumer level or in the consumer-merchant exchange, the protections of a bundled technology solution of point-to-point encryption and tokenization are complementary to those delivered by EMV and are relevant to merchants regardless of a potential future of EMV adoption.
Along with bringing in EMV at the POS and securing data with encryption and tokenization, merchants need to address the issue of card-not-present (CNP) fraud with additional security such as fraud protection solutions and increased verification methods. Address Verification Service (AVS) and Card Verification Value 2 (CVV2) are two simple and common ways to verify the legitimacy of cardholders and cards in CNP situations. MasterCard SecureCode and Verified by Visa are other fraud prevention tools that are available, as well as sophisticated fraud management solutions that allow merchants to implement multiple functions within their businesses to help reduce CNP fraud.
A Semi-Integrated Approach to EMV Migration
NAB Velocity offers a fully pre-certified semi-integrated solution inclusive of EMV, encryption and tokenization that is cost-effective, flexible and helps reduce merchants’ PCI burden.