The EMV specification, originally named for Europay, MasterCard and Visa, is a global standard for interoperable credit and debit payment cards, point-of-sale (POS) payment terminals and transaction processing networks based on chip card technology.
Chip cards, also known as smart cards, contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. The EMV specifications also provide for new, highly efficient transaction methods that cannot be achieved with traditional magnetic stripe cards. These include contact and contactless transactions as well as mobile payment operations.
Why is EMV More Secure?
The secure microprocessor chip on the EMV payment card contains the information needed for payment and additional protection features, making it significantly more secure than a traditional magnetic stripe card.
EMV improves the security of payment transactions with added functionality in three areas:
Card authentication: Transactions require an authentic card validated either online using a dynamic cryptogram or offline using Static Data Authentication (SDA) or Dynamic Data Authentication (DDA).
Cardholder Verification Method (CVM): The CVM ensures that the person attempting to make the transaction is the person to whom the card belongs, using online PIN, offline PIN, signature, or no CVM.
Online and Offline Authorization: EMV transactions are authorized based on security parameters established by the issuer.
Online and Offline Card Authentication
Card authentication protects the payment system against counterfeit cards. Card authentication methods are defined in the EMV and associated payment-brand chip specifications. Card authentication can take place online, offline, or both.
Online card authentication typically takes place using symmetric key technology. The card generates a cryptogram using a shared secret key, and this cryptogram is validated by the issuer during the online authorization request.
Offline card authentication involves the EMV card and EMV terminal using public key technology.
Offline capability is designed into EMV to address environments where reliable online communication is not available or is expensive.
Online and Offline Authorization
The EMV standard supports online and offline transaction authorization. Online authorization transactions would proceed much as they do today. Transaction information is sent to the issuer with the added security of a transaction-specific cryptogram. This prevents the use of stolen payment account information at merchant locations and opens the opportunity to eventually use EMV cards to prevent eCommerce fraud.
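The online card authentication and transaction-specific cryptogram described above can be sketched as follows. This is an added example, not code from the EMV specifications: HMAC-SHA256 stands in for the card's real MAC algorithm, and the key, the amounts, and the choice of a transaction counter plus a terminal-supplied unpredictable number as MAC inputs are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real card holds a per-card key shared with the issuer.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def cryptogram(key: bytes, atc: int, amount_cents: int, unpredictable: bytes) -> bytes:
    """MAC over the transaction data. HMAC-SHA256 truncated to 8 bytes is a
    stand-in (assumption) for the MAC a real EMV card computes."""
    msg = struct.pack(">HQ", atc, amount_cents) + unpredictable
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0  # transaction counter, incremented for every transaction

    def generate(self, amount_cents: int, unpredictable: bytes):
        self.atc += 1
        return self.atc, cryptogram(self.key, self.atc, amount_cents, unpredictable)


class Issuer:
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0  # highest counter already accepted for this card

    def authorize(self, atc, amount_cents, unpredictable, received) -> str:
        expected = cryptogram(self.key, atc, amount_cents, unpredictable)
        if not hmac.compare_digest(expected, received):
            return "DECLINE: bad cryptogram"
        if atc <= self.last_atc:
            return "DECLINE: replayed counter"
        self.last_atc = atc
        return "APPROVE"


def demo():
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    un = bytes.fromhex("a1b2c3d4")  # terminal's unpredictable number (constructed)
    atc, ac = card.generate(2500, un)
    first = issuer.authorize(atc, 2500, un, ac)
    replay = issuer.authorize(atc, 2500, un, ac)     # captured message sent again
    altered = issuer.authorize(atc, 999900, un, ac)  # amount changed in transit
    return first, replay, altered
```

Because the cryptogram binds the counter and the amount to a key that never leaves the chip, account data copied from one transaction cannot be reused for another.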
In an offline EMV transaction, the card and payment terminal communicate and use issuer-defined risk parameters stored in the card, such as a cumulative offline “floor limit” or consecutive transaction limit, to determine if the transaction can be authorized offline. Offline transactions are used with terminals that do not have online connectivity, or in countries where telecommunications costs are high. Offline transactions are also typically for low-value amounts.
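The offline decision described above can be modelled as a small state machine on the card. This is an added example, not code from the EMV specifications: the class and field names, the limit values, and the rule that a successful online authorization resets the counters are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class CardRisk:
    """Issuer-personalized limits plus the counters the chip keeps itself."""
    cumulative_limit_cents: int      # cap on total spend approved offline
    consecutive_limit: int           # cap on offline approvals in a row
    cumulative_offline_cents: int = 0
    consecutive_offline: int = 0

    def decide(self, amount_cents: int, terminal_online: bool) -> str:
        over_amount = (self.cumulative_offline_cents + amount_cents
                       > self.cumulative_limit_cents)
        over_count = self.consecutive_offline + 1 > self.consecutive_limit
        if over_amount or over_count:
            # A limit would be exceeded: the issuer has to see this one.
            return "GO_ONLINE" if terminal_online else "DECLINE"
        self.cumulative_offline_cents += amount_cents
        self.consecutive_offline += 1
        return "APPROVE_OFFLINE"

    def issuer_approved_online(self) -> None:
        # Assumption: a successful online authorization resets both counters.
        self.cumulative_offline_cents = 0
        self.consecutive_offline = 0


def run(card: CardRisk, transactions):
    """transactions: list of (amount_cents, terminal_online). Returns decisions."""
    decisions = []
    for amount, online in transactions:
        decision = card.decide(amount, online)
        if decision == "GO_ONLINE":
            card.issuer_approved_online()  # assume the issuer approves
        decisions.append(decision)
    return decisions


# Constructed sample: $50.00 cumulative limit, 3 consecutive offline approvals.
SAMPLE = [(1500, False), (2000, False), (2000, False), (2000, True), (1000, False)]
```

With the sample limits, the third purchase is refused at an offline-only terminal, while the same amount at a connected terminal is sent to the issuer instead.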
EMV Cardholder Verification
Depending on payment brand rules and issuer preference, chip cards are personalized with one or more CVMs in order to be accepted in as wide a variety of locations as possible.
Online PIN or offline PIN CVMs directly protect against fraud resulting from lost, stolen, and never-received cards.
Signature verification requires a written signature at the POS, as is currently required with magnetic stripe cards. Validation occurs when the signature on the receipt is compared to and matches the signature on the back of the card.
EMV also supports transactions that require "no CVM." No CVM is typically used for low value transactions or for transactions at unattended POS locations.
EMV Chip & PIN Cardholder Verification
When EMV cards use a PIN for cardholder verification, the PIN can be verified offline or online.
An online PIN is not stored on the card. Once the cardholder enters the PIN at the POS terminal, the PIN is encrypted by the PIN pad and sent online to the host for validation, similar to how PIN debit transactions are authorized in the U.S. today.
Offline PIN is the only CVM supported by EMV that is not available with magnetic stripe cards. The offline PIN is stored securely on the chip card and during a transaction, when the cardholder enters the PIN, the POS terminal sends the PIN to the chip card for verification. The authorization for the transaction therefore takes place within the chip card.
Neither online nor offline PIN is required by the EMV specifications, and either can be combined with other methods based on issuer preference.
EMV Around the World
Since the first version in 1996, EMV has become the de facto global standard for payment cards worldwide in developed countries other than the United States. According to EMVCo, the organization responsible for managing the EMV specifications, over 1.5 billion EMV cards have been issued globally and 21.9 million POS terminals accept EMV cards, representing 76.4% of payment terminals worldwide excluding the U.S. EMVCo is jointly owned by American Express, JCB, MasterCard and Visa.
A map of EMV global card and payment terminal penetration is available at EMVCo.com.
EMV - Solidifying EMV as the foundation of the next generation of payments
Immediate focus on acquirer infrastructure - Working with acquirers to ensure infrastructure readiness by April 2013
Encouraging greater security and cardholder verification - Providing consumers with greater control and reducing fraudulent transactions
Provide benefits for merchant terminalization - Providing true financial benefits for merchants as they implement EMV-compatible terminals
Cover all channels - Addressing all touch points where consumers will interact with MasterCard, including ATMs, the physical point-of-sale, online and mobile commerce
Commitment to leadership and collaboration - Fostering industry collaboration to deliver the next generation of payments into the U.S. marketplace
In March 2012, Discover announced its plan to implement a 2013 EMV mandate for acquirers and direct-connect merchants in the U.S., as well as Canada and Mexico. This plan will include its payment businesses consisting of Discover Network, PULSE, and Diners Club International.
Discover says that its approach to EMV is “both universal and choice-centric,” meaning the company will not restrict any channel, verification process or transaction type, supporting:
All card authentication channels - including online and offline
All cardholder verification methods - including both chip and PIN or chip and signature
All commerce channels - including contact and contactless
American Express EMV Roadmap
American Express joined the other payment brands and announced its U.S. EMV roadmap in June 2012. The company’s key policy requirements and dates are:
By April 2013, processors must be able to support American Express EMV chip-based contact, contactless and mobile transactions.
Beginning October 2013, merchants will be eligible to receive relief from PCI Data Security Standard (DSS) reporting requirements if the merchants’ POS acceptance locations, where 75% of their transactions occur, are enabled to process American Express EMV chip-based contact and contactless transactions.
Effective October 2015, American Express will institute a fraud liability shift policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology. U.S. fuel merchants will have an additional two years, until October 2017, before the fraud liability shift takes effect for transactions generated from automated fuel dispensers.
EMV Implementation Options for U.S. Issuers
The roadmaps to EMV from American Express, Discover, MasterCard, and Visa give issuers the flexibility to choose the selection of options from the EMV standard that suits their business and the U.S. environment best.
Each represents an independent choice, many of which overlap, and some of which dynamically vary depending on the circumstances. The result is a multitude of implementation options as shown here.
Cardholder Verification and Transaction Authorization Implications for U.S. Issuers
Depending on the preference of the issuer, chip cards in the U.S. can be personalized with one or more cardholder verification methods (CVM) so that they can be accepted in as wide a variety of locations as possible. These include online PIN, offline PIN, signature and no CVM.
At the card issuer’s discretion, EMV chip cards can require online authorization and no PIN. Support for offline EMV transactions is an option, not a requirement, under the control of the card issuer.
EMV is designed so that both offline and online authorization can be used depending on the circumstances. In a virtually 100% online environment like the United States, it is expected that any chip implementation would continue to require online authorization for every transaction.
EMV in the U.S.
Based on the recent announcements from American Express, Discover, MasterCard and Visa, one thing is clear: EMV chip technology is coming to the United States. Issuers will have to choose card interface (contact, contactless or dual), card authentication method, transaction authorization method, and cardholder verification method. It is likely that we will see the U.S. evolve to a hybrid combination of options to best support venue, transaction type, and compatibility with the rest of the world.