Smart Card Talk : February 2011 : Feature of the Month

Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?

The EMV specification defines technical requirements for bank cards with embedded microchips and for the accompanying point-of-sale (POS) infrastructure. With few exceptions (primarily in the United States), financial institutions worldwide issue EMV bank cards to businesses and consumers. Approximately 1 billion EMV cards have been issued globally and 15.4 million POS terminals accept EMV cards. [1] The primary purposes of including a chip in a bank card are to store cardholder data securely, protect data stored on the chip against unauthorized modification, and reduce the number of fraudulent transactions resulting from counterfeit, lost, and stolen cards.

This month’s article reviews the current state of the payments infrastructure in the U.S., provides a primer on EMV and card security, and discusses possible roadmap options for the U.S.

U.S. Payments Industry Background

The United States did not choose to implement EMV while Europe, Canada, Latin America, and Asia are in various stages of EMV chip migration. The U.S. has historically had relatively low fraud rates, due to nearly 100 percent online authorization and sophisticated real-time fraud detection by the issuer authorization systems. In addition, substantial costs are associated with the deployment of an EMV infrastructure. Chip cards are more expensive than magnetic stripe cards, POS terminals require additional features to read the card, and legacy back-office systems must be upgraded. Without a perceived fraud problem and given the cost of implementation, U.S. financial institutions and merchants did not make the investment required to convert the legacy bank card issuance and acceptance infrastructure to the EMV standard.

Today, however, several factors are driving the U.S. payments industry to reconsider implementation and deployment of EMV for payments. Most important are the increasing amount of card-related fraud losses [2] and the cost of enhancing security features incrementally. In addition, the investment being made by merchants to comply with the Payment Card Industry Data Security Standard (PCI DSS) and by the industry to implement new capabilities for contactless and NFC mobile payment transactions provides an opportunity to move to EMV in the U.S. Moreover, U.S. travelers abroad are discovering that their magnetic stripe bank cards are sometimes rejected. Finally, as other markets have adopted chip cards, the per-unit costs for cards and devices have decreased. Some POS device manufacturers now sell only hybrid devices with both chip and magnetic stripe capabilities.

The EMV specification can resolve key issues that challenge financial institutions. The majority of work on EMV was conducted in the late 1990s. Over the years, EMVCo has maintained and revised the specification to sustain the highest level of security. EMVCo also develops and manages new functionality required by the market.

U.S. payments industry stakeholders recognize that there is a need to educate themselves about EMV and to leverage the lessons learned in other parts of the world. When compared to other regions, the U.S. market has unique characteristics, such as low cost telecommunications and the presence of contactless chip cards. Industry stakeholders are exploring which implementation options in the EMV specification will be required to meet U.S. market needs in the most cost-effective manner.

U.S. Bank Card Market Overview and Card-Based Fraud

The size and complexity of the U.S. credit and debit card market make changes to the payments infrastructure costly and difficult to implement.

Over 1 billion credit and debit cards were in use in the United States in 2009, generating over 52 billion of purchase transactions. Credit and debit cards are accepted at over 10 million merchant POS terminals. Terminal functionality varies by merchant, with increasing numbers supporting PIN pads and contactless readers. Some merchants are also starting to purchase POS terminals with hardware support for contact EMV cards.

The U.S. has historically had relatively low fraud rates, implementing online authorizations as well as other online techniques to detect and react to fraud. There are no reliable, precise, consistent statistics for U.S. payment fraud. Rather, the industry relies on surveys and extrapolations to gauge the levels and trends for payment fraud. By any account, however, the value of losses are significant.

At a global level, the Nilson Report estimated card fraud losses of $6.89 billion on $14.6 trillion in purchases of goods and services and cash advances in 2009. [2] According to the Nilson Report, while the global fraud rate has remained steady, the amount of fraud losses is rising and, at current growth rates, estimated to be $10 billion by 2015. Aite Group estimates the total cost of fraud in the United States is $8.6 billion per year (0.4% of the $2.1 trillion card payment industry); Aite estimates that counterfeit card fraud accounts for 15.9% of the total, $1.35 billion. [3] Mercator Advisory Group reports that fraud losses are probably dramatically underreported and may actually be as high as $16 billion, especially when all of the associated costs such as data breach forensics, lawsuits, undetected fraud, and misclassified issuer losses are considered. [4]

The true cost of fraud, however, exceeds the actual dollar amount of losses. Financial services companies incur damage to their reputations, higher overall operating costs for increased vigilance (including transaction monitoring), reduced productivity, and higher staff expenditures; they also bear the cost of reissuing cards after a fraud incident. An often overlooked and less well understood cost is the impact that fraud has on card usage and lost revenue, with issuers seeing reduced activation rates on re-issued cards and decreased transaction volumes. [5]

Merchants and processors/acquirers also incur damage to their reputations and bear the cost of Payment Card Industry Data Security Standard (PCI DSS) compliance.

As an example of the impact of EMV, the UK Cards Association reports a dramatic reduction in fraud since the introduction of EMV cards. “Fraud on lost and stolen cards is now at its lowest level for two decades and counterfeit card fraud losses have also fallen and are at their lowest level since 1999. Losses at U.K. retailers have fallen by 67 per cent since 2004; lost and stolen card fraud fell by 58 per cent between 2004 and 2009; and mail non-receipt fraud has fallen by 91 per cent since 2004.” [6]

The experiences of the U.K. and other countries that have adopted chip have shown a reduction of domestic card-present fraud. But their experiences have also shown a migration to other types of fraud, namely card-not-present (CNP) fraud and cross-border counterfeit fraud (particularly ATM fraud). Fraud migration offsets some of the savings from the decrease in domestic card-present fraud. This reality reinforces the need for a layered approach to security, even with EMV deployment, to address fraud migration and other security vulnerabilities.

Criminals are known to exploit the weakest link, moving from locations where stronger authentication is present to those where it is not, or from financial institutions and merchants who have more sophisticated fraud detection and prevention tools to those with less. With over 1 billion EMV cards issued in the rest of the world and projections for continued growth in EMV card issuance outside of the U.S., criminals are more likely to move counterfeit magnetic stripe card activities to the U.S., leading to an increase in cross-border counterfeit fraud acquired in the U.S. The U.S. payments industry needs to determine whether it is prepared for the potential of significantly higher payment card fraud if fraud migrates to the U.S. from EMV-enabled locations.

The adoption of EMV chip cards and POS terminals in the United States would have a dual benefit. Not only would American merchants, acquirers and issuers benefit from smaller losses and improved cost management controls, but all EMV-enabled issuers globally could experience reduced losses and decreased operational impact from payment card fraud.

EMV and Card Security

EMV is an open-standard set of specifications for smart card payments and acceptance devices. EMVCo, owned by American Express, JCB, MasterCard, and Visa, manages, maintains and enhances the EMV specifications, to ensure global interoperability of chip-based payment cards with acceptance devices including point of sale terminals and ATMs. The specifications address interoperability at two levels. Level 1 defines the electromagnetic and physical characteristics of cards and readers, while Level 2 defines data elements and protocols.

EMV’s primary purpose is to ensure that standards for smart card-based payments are interoperable globally. The standards were initially limited to contact cards; however, certain contactless card standards are included.

In addition to storing payment information in a secure chip rather than on a magnetic stripe, using EMV improves the security of a payment transaction by adding functionality in three areas:

  • Card authentication, protecting against counterfeit cards
  • Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards
  • Transaction authorization, using issuer-defined rules to authorize transactions

Card Authentication Methods

Card authentication protects the payment system against counterfeit cards. Card authentication methods are defined in the EMV specifications and the associated payment brand chip specifications. Card authentication can take place online, offline, or both.

Online Card Authentication. Online card authentication requires the transaction to be sent online for the issuer to authenticate and authorize in the same way magnetic stripe transactions are sent online today in the U.S. The important difference is the chip card’s use of symmetric key technology to generate a cryptogram using a shared secret key. This cryptogram, called the Authorization Request Cryptogram (ARQC), is validated by the issuer during the online authorization request.

The ARQC is the dynamic data that makes an EMV transaction unique and provides card-present counterfeit fraud protection. The chip generates this cryptogram by applying an algorithm to the card, device, and transaction data, and then encrypting all data with a Triple Data Encryption Algorithm (TDEA) key (referred to as the Unique Derivation Key (UDK)), that is stored in a secure area on the chip. Because some of the data used in the cryptogram generation is different for each transaction, the resulting cryptogram is unique for each transaction.

Offline Card Authentication. Offline card authentication involves the EMV card and EMV terminal. Three methods of offline card authentication are defined by EMVCo, offering increasing levels of protection against counterfeit cards:

  • Static data authentication (SDA). As of 2009, most cards issued worldwide support SDA. SDA calculates a cryptogram using a static public key certificate and static data elements. SDA relies on a public key infrastructure (PKI) in which the payment brands act as the certificate authorities (CAs) and provide public key certificates to participating issuers. During personalization, the issuer uses the issuer’s private key to sign a set of card-specific data and loads the signed data onto the card along with the issuer’s public key certificate.

    To authenticate a card, a terminal loads the payment brand’s public root key. The terminal uses the payment brand’s root key to validate the issuer’s public key certificate. The terminal then extracts the issuer’s public key from the validated certificate. The terminal uses the extracted public key to validate the static card data (which has been signed by the issuer).

    This process is known as static data authentication because the data used for authentication is static–the same data is used at the start of every transaction. If this data can be skimmed, it can be used to recreate a transaction.

    SDA is the simplest method of chip card authentication and provides the lowest level of protection against counterfeit fraud. Although the current level of chip card counterfeit fraud is low, it can increase as chip card markets become more mature and other opportunities for fraud are removed.

  • Dynamic data authentication (DDA). DDA is similar to SDA but goes one step further. DDA calculates a cryptogram for each transaction that is unique to the specific card and transaction. In addition to the issuer key pair, an asymmetric (RSA) key pair is generated for each card. The issuer then creates an associated public key certificate by signing the card public key. All data is loaded onto the card during personalization.

    To authenticate a card, terminals follow basically the same process as for SDA, except that a random number is also sent to the card to be signed by the card private key. The terminal then validates the signature using the card public key.

    DDA protects against card skimming and counterfeiting. The technique is similar to the dynamic card verification value (dCVV) and dynamic card verification code (dCVC) which are used in online contactless magnetic stripe data (MSD) transactions.

  • Combined DDA with application cryptogram (AC) generation (CDA). CDA combines DDA functionality with an additional application cryptogram at the end of the transaction. This final application cryptogram is used to assure that the data in the transaction maintain integrity even after the transaction is completed. In other words, the use of a final application cryptogram prevents the type of fraud in which data are manipulated after host authentication.

Cardholder Verification Methods

Cardholder verification authenticates the cardholder. Use of a personal identification number (PIN) is a common cardholder verification method (CVM) that authenticates the cardholder and protects against the use of a lost or stolen card. EMV supports four CVMs:

  • Offline PIN
  • Online PIN
  • Signature verification
  • No CVM

Depending on payment brand rules and issuer preference, chip cards are personalized with one or more CVMs in order to be accepted in as wide a variety of locations as possible. Different terminal types support different CVMs. For example, attended POS devices, in addition to supporting signature, may support online or offline PINs (or both), while some unattended card-activated terminals may support “no CVM.”

Offline PIN is the only method of cardholder verification supported by EMV that is not available with magnetic stripe cards. The offline PIN is stored securely on the card. When the cardholder enters a PIN during a transaction, the POS terminal sends the PIN to the EMV card for verification. The card compares the entered PIN to the stored PIN and sends the result of the comparison back to the POS terminal, which can then either approve the transaction offline or send the transaction and PIN verification result to an issuer host for authorization. The offline PIN is never sent to the issuer host–only the result of the comparison is passed.

Online PIN is not stored on the card because the PIN is being sent online for the issuer to validate. Online PIN is currently supported on magnetic stripe cards and widely available at POS terminals and ATMs in the U.S. today. The cardholder enters the PIN at the POS terminal, the PIN is encrypted by the PIN pad and sent online to the host for validation. The security of the online PIN is based on Triple Data Encryption Standard (TDES) and standardized across the globe. For an ATM, online PIN is required and is the only valid CVM. As a result, any implementation of offline PIN will still require online PIN if ATM access is needed.

If a card supports both online and offline PIN CVMs, the issuer must ensure that the two PINs are synchronized. Synchronization is important, because when cardholders are asked to enter a PIN, they do not know whether they should enter their offline PIN or online PIN.

Signature verification requires a written signature at the POS, as is currently required with magnetic stripe cards. Validation occurs when the signature on the receipt is compared to and matches the signature on the back of the card.

EMV also supports transactions that require “no CVM.” No CVM is typically used for low value transactions or for transactions at unattended POS locations.

In general, online PIN or offline PIN CVMs directly protect against fraud resulting from lost, stolen, and never-received cards.

Transaction Authorization

EMV transactions can be authorized online or offline. For an online authorization, transactions proceed as they do today in the U.S. with magnetic stripe cards. The transaction information is sent to the issuer, along with a transaction-specific cryptogram, and the issuer either authorizes or declines the transaction.

In an offline EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized. Offline transactions are used when terminals do not have online connectivity (e.g., at a ticket kiosk) or in countries where telecommunications costs are high.

Cards can be configured to allow both online and offline authorization, depending on the circumstances. It is also important to note that use of the offline PIN CVM is not restricted exclusively to offline authorized transactions. Offline PIN can be used as the CVM, and the transaction can then go online for authorization in the majority of circumstances.

Roadmap Options for the U.S.

For the past year, the Smart Card Alliance has been providing educational material on the considerations for migrating to EMV. Over the past decade, the benefits of migration have increased, while the costs and implementation difficulties have decreased. Many of the terminal providers and some acquirers/processors have already put in place the EMV features and infrastructure to support customers in Canada and other countries.

The benefits of migrating to EMV include:

  • Improving the security of the U.S. payments infrastructure and eliminating the U.S. as a destination for criminals and global magnetic-stripe fraud activity.

  • Increasing the satisfaction of cardholders, especially when traveling internationally. In 2008, U.S. payment card issuers missed out on nearly $4 billion in charge volume, including $78.7 million in interchange fees, because of problems cardholders had with their cards while traveling abroad. [7]

  • Increasing the satisfaction of international customers, who will be using EMV cards at U.S. merchants and ATMs.

  • Maintaining interoperability with the rest of the world as it migrates to EMV.

  • Leveraging commercially available EMV-compatible products and services for a low risk, proven approach to fraud reduction.

  • Positioning the industry for other forms of payment, notably NFC mobile contactless payments.

Roadmap Considerations

Many interconnected factors and developments must be considered to construct an EMV migration roadmap for the U.S., including the current contactless implementation, use of contact or contactless EMV, selection of options from the EMV standard to suit the U.S. environment, convergence with NFC mobile contactless payments, and the use of a PIN as opposed to a signature CVM.

Planning for EMV implementation requires choices in four areas:

  1. Card interface
  2. Card authentication method
  3. Transaction authorization
  4. Cardholder verification method

While each choice must be made independently, some are interconnected, and some choices may vary dynamically depending on the circumstances. In other words, there are numerous possibilities.

The figure below highlights the potential complexity of selecting implementation options.

One further complication can be the distinction between authentication and authorization. Authentication checks the authenticity of the card itself. Authorization validates the issuing bank’s approval of a transaction, considering the status of the cardholder’s account (e.g., “open to buy” balance) and the results of fraud checks. If a card is authenticated offline, the transaction can also be authorized offline, subject to certain predetermined limits (such as transaction dollar size); however, if the card is authenticated offline but the transaction must be authorized online, then the card will be authenticated a second time online.

For the U.S. roadmap, the payments industry will need to make choices in each of the four areas–card interface, card authentication, transaction authorization and cardholder verification. The table below summarizes these options and the impact of the choices is discussed in the next sections.

Roadmap Options

Roadmap Option Description
1. Card Interface a) Contact
  • Standard EMV chip card.
  • Requires contact reader.
b) Contactless
  • RF card, NFC on a mobile phone, or various form factors, including stickers.
  • Requires contactless reader.
  • Leverages second-generation contactless cards being deployed in the U.S.
c) Dual Interface
  • Card containing both contact and contactless interfaces.
  • Works with either contact or contactless reader.
2. Card Authentication a) Online
  • Uses 8-byte Triple DES cryptogram.
  • No requirement for SDA, DDA, or PKI cryptographic coprocessor.¹
b) Offline
  • Uses SDA, DDA and/or CDA and PKI.
  • Requirement for PKI cryptographic co-processor (for DDA and CDA only).
3. Transaction Authorization a) Online
  • Authorization message sent to issuer as currently implemented for magnetic stripe card transactions.
b) Offline
  • Authorization determined by EMV risk assessment and communication between card and terminal.
  • May be forced online, depending on limits and other factors.
4. Cardholder Verification a) Signature
  • No special POS requirement.
b) Online PIN
  • Requires POS PIN pad.
c) Offline PIN²
  • Requires POS PIN pad.
  • Uses SDA for plain text PIN, and/or DDA or CDA and PKI for enciphered PIN.
  • Requirement for PKI cryptographic co-processor (for DDA and CDA only).
d) No CVM
  • No special POS requirement.
  • Usually reserved for low value transactions.

¹ All microprocessor cards used for EMV include a DES cryptography engine. DES cryptography is employed as a core part of chip security and is used in the personalization process and in any post-issuance EMV scripts from the issuer that are used to change EMV settings on the card.

² Offline PIN can be either enciphered or plain text.

Card Interface Options

Each of the three card interface options, contact, contactless, or dual-interface, has advantages and disadvantages for industry stakeholders in an EMV migration.

The contact interface requires the issuance of contact chip cards and the installation of contact chip readers at merchants and ATMs. Contact EMV card security features cannot be used with today’s contactless POS readers.

The contactless interface provides a bridge to implementation of NFC-enabled mobile contactless payments. The disadvantage of choosing only a contactless interface is the limited deployment of contactless implementations outside of the U.S. and Canada.

Dual-interface cards carry both contactless and contact EMV interfaces. Selecting a dual interface card allows the same card to be used both at domestic contactless POS readers and contact readers outside of North America. This interface would be ideal for cardholders who travel internationally.

Whether the industry will evolve toward contact or contactless EMV is an open question. Contactless cards can leverage current investment in contactless terminals and cards and prepare the industry to support NFC mobile contactless payments. On the other hand, since much of the rest of the world is implementing contact EMV (and, in some markets, both contact and contactless EMV), the U.S. chip card infrastructure would be incompatible.

For the foreseeable future, all cards will continue to carry a magnetic stripe to ensure acceptance in regions without EMV. To remedy chip card incompatibility, some merchants could choose to install contact chip POS readers to accommodate non-U.S. EMV cards, and those cards could be accepted by falling back to signature or no CVM, if the POS were unable to accommodate offline PIN.

Card Authentication and Transaction Authorization Options

It is important to differentiate between offline authentication and offline transaction authorization. EMV is designed so that both offline and online authentication can be leveraged in a single transaction. Even when transactions are authenticated online, if the card supports SDA, DDA, or CDA, offline authentication procedures are performed as part of the EMV transaction. Performing offline authentication neither requires nor implies that the transaction be performed completely offline. Offline capability is designed into EMV to address environments where reliable online communication is not available or is expensive. With EMV, a card can be required to perform transactions offline even when terminals are online-capable until a certain dollar amount or number of consecutive transactions is reached, at which time the transaction goes online. The same offline parameters are used for terminals that are completely offline.

Online card authentication and online transaction authorization together are known as “online EMV,” a streamlined implementation with 100 percent online authentication that is compatible with EMV deployments everywhere. Online EMV may be appropriate for countries with a fast, reliable telecommunications infrastructure, such as the U.S. For online authentication, the EMV standard specifies that the card generate an 8-byte cryptogram using Triple Data Encryption Standard (TDES) symmetric keys, rather than using the more complex RSA public key infrastructure. Online EMV implementation does not need to support SDA, DDA, or offline PIN. This implementation avoids the additional cost of cards with crypto co-processors to support DDA or CDA, certificate authorities, and PKI support in POS terminals. Implementation of Online EMV, especially if contactless, leverages the industry’s investment in contactless terminals, contactless cards, and implementation of new fields in the authorization message to carry the 8-byte cryptogram and related chip data. These cost savings should be a factor when comparing the cost of implementing online EMV to the cost of implementing offline-capable EMV in other markets.

Another option is to implement offline-capable EMV but require the majority of transactions to be online. In Canada, only a few acquirers are offline-capable. The others are “online preferring” and set floor limits to zero, in effect forcing all transactions online. However, POS terminals installed at Canadian merchants all support the full complement of SDA, DDA, and CDA.

Cardholder Verification

The choice of cardholder verification methods–online PIN, offline PIN, signature, or no CVM–is more straightforward. Selecting signature verification avoids the requirement to install PIN pads and eliminates certain cardholder behavioral change and training requirements. Selecting the PIN option requires the installation of PIN pads at merchant locations. The choice of PIN also impacts the EMV authorization process for issuers and acquirers/processors.

Hybrid Options

It is likely that the U.S. EMV implementation would combine options, depending on venue and transaction type. Depending on what product is being offered, individual issuers might choose to implement multiple approaches, the acquirer infrastructure will support all of them, and merchants will choose which EMV features they want to support. This is the situation in most other markets today, as well as in the current U.S. environment with magnetic stripe for cardholder verification.

A hybrid solution could incorporate the benefits available with all of the options, leverage the existing contactless infrastructure, and ensure compatibility with cards from the rest of the world. While at first glance this solution may appear complicated, the flexibility it offers would ease the transition to EMV by accommodating unique merchant, venue, and issuer objectives.

Implications for International Travelers

Aite Group [8] has estimated that 9.7 million U.S. cardholders experience magnetic stripe card acceptance issues when they travel internationally in 2008, costing banks $447 million in lost revenue. A small percentage of European offline-only POS terminals, mostly located at after-hours and unattended gas stations and train ticketing kiosks in Spain, France, and the U.K., will not accept online-only EMV cards. (Source: Smart Card Alliance Payments Council) While such locations are currently in the minority, there tend to be fairly significant consequences if cardholders are unable to use their payment cards at them. This situation necessitates a critical decision for U.S. issuers. Should they issue online-only EMV cards and accept the risk that their cards will not work in offline locations? Should they configure their cards to go online whenever possible and only allow offline transactions when the terminal indicates that it cannot go online?

The contactless options represent another issue. Since most markets have implemented contact EMV, U.S. international travelers would need dual-interface cards, equipped with both contact and contactless EMV. U.S. merchants who cater to international visitors would need to install contact readers to accommodate internationally-issued contact EMV cards

Conclusions

The Smart Card Alliance researched the topic of an industry-wide roadmap to EMV to educate the U.S. payments industry stakeholders, including bank issuers, merchants, acquirers/processors and suppliers to the industry, on the actions each stakeholder needs to consider to issue, accept and process EMV transactions. In keeping with the unique characteristics of the U.S. market, the Alliance explored a variety of potential scenarios.

Planning a roadmap to EMV requires choice of card interface (contact, contactless or dual), card authentication method, cardholder verification method , transaction authorization approach. The U.S. may evolve to a hybrid combination of options to best support venue, transaction type, and compatibility with the rest of the world.

Although the enormous size of the U.S. payment industry makes widespread change costly and difficult, the true cost of fraud is increasing and threatens to damage the industry’s reputation. This damage could accelerate as criminals move to the U.S. as the weakest link. The cost of EMV implementation in the U.S. has likely declined from original estimates due to maturation of the technology. Ad hoc comparison to representative costs from Canada support this premise. The roadmap options discussed in this article demonstrate that various options are available to migrate to EMV. Due to the maturity and wide availability of EMV technology and products, migration will be less complicated than it would have been a decade ago.

References

[1] “Over 1 billion EMV cards now active,” EMVCo

[2] The Nilson Report, “Global Card Fraud,” June 2010

[3] “Card Fraud Costs U.S. Payment Providers $8.6 Billion Per Year,” Bank Systems and Technology, January 13, 2010

[4] “Fraud to the Left of Me, Risk to the Right,” Mercator Advisory Group, October 2008

[5] “The True Cost of Fraud,” First Data Corporation white paper, March 2009

[6] “New Card and Banking Fraud Figures,” The UK Cards Association, March 10, 2010

[7] “Card Problems Cost U.S. Issuers Hundreds of Millions Overseas,” Digital Transaction News, October 2009

[8] “The Broken Promise of Pay Anywhere, Anytime: The Experience of the U.S. Cardholder Abroad,” Aite Group report, October, 2009

About this Article

This article is an extract from the recently-published Payments Council white paper, ”“Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure?”. The white paper was developed to educate stakeholders across the payments value chain about the critical aspects of deploying an EMV solution in their business environments in the U.S. The white paper describes the current state of the payments infrastructure in the U.S., discusses the impact of the global deployment of EMV on possible roadmaps, and provides a primer on EMV card authentication, cardholder verification and transaction authorization methods. For each stakeholder (issuers, merchants, acquirers/processors and ATM owners), the white paper outlines actions that need to be taken to issue EMV cards, and to accept and process EMV transactions.

The Smart Card Alliance thanks the Council members who were involved in the development of the white paper, including: Accenture LLP; American Express; Apriva; Booz Allen Hamilton; Capgemini; Capital One; CPI Card Group; Datacard Group; Discover Financial Services; epay North America; First Data Corporation; Fiserv; Gemalto; Giesecke & Devrient; Heartland Payment Systems; HID Global; IBM; JPMorgan Chase; LTK Engineering Services; MasterCard Worldwide; NagraID Security; Oberthur Technologies; Smartcard Marketing Solutions; Thales e-Security; Visa, Inc.; ViVOtech; Watchdata Technologies.

About the Payment Council

The Smart Card Alliance Payments Council focuses on facilitating the adoption of chip-enabled payments and payment applications in the U.S. through education programs for consumers, merchants, issuers, acquirers/processors, government regulators, mobile telecommunications providers and payments service providers. The group is bringing together payments industry stakeholders, including payments industry leaders, merchants and suppliers, and is working on projects related to implementing EMV, contactless payments, NFC-enabled payments and applications, mobile payments, and chip-enabled e-commerce. The Council’s primary goal is to inform and educate the market about the value of chip-enabled payments in improving the security of the payments infrastructure and in enhancing the value of payments and payment-related applications for industry stakeholders. Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.