EMV Chip Payment Technology
What is EMV?
EMV is an open-standard set of specifications for smart card payments and acceptance devices. The EMV specifications were developed to define a set of requirements to ensure interoperability between chip-based payment cards and terminals. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. Today, EMVCo manages, maintains and enhances the specifications. EMVCo is owned by American Express, China UnionPay, Discover, JCB, MasterCard, UnionPay, and Visa, and includes other organizations from the payments industry participating as technical and business associates. Information on the specifications and organization is available at http://www.emvco.com.
Where has EMV been adopted?
Financial institutions in Europe, Latin America, Asia/Pacific, Canada and the United States are issuing contact or dual-interface EMV chip cards for credit and debit payment (commonly referred to as “chip and PIN”) or migrating to EMV issuance and acceptance. EMVCo publishes global statistics on EMV issuance and acceptance. EMVCo reported that over 3.4 billion EMV cards were in circulation globally at the end of 2014. EMVCo also reports the status of “chip-on-chip” transactions; one in three of all card-present transactions undertaken globally between June 2014 and June 2015 used EMV chip technology.
The U.S. is now migrating to EMV chip cards. The EMV Migration Forum is the cross-industry organization focused to address issues that require broad cooperation and coordination across many constituents in the payments space in order to successfully introduce secure EMV contact and contactless technology in the United States. As of the end of 2015, the Forum estimates that approximately 400 million EMV chip cards have been issued in the U.S., with 675,000 merchant locations accepting EMV chip transactions.
The Forum has published a variety of resources to assist payments industry stakeholders with EMV migration; resources are available on the EMV Connection website.
Why are countries migrating to EMV?
Issuers around the world are including chips in bank cards and merchants are moving to EMV-compliant point-of-sale (POS) terminals to increase security and reduce card-present fraud resulting from counterfeit, lost and stolen cards.
What are the benefits of EMV?
The biggest benefit of EMV is the reduction in card-present fraud resulting from counterfeit, lost and stolen cards. EMV also provides interoperability with the global payments infrastructure – consumers with EMV chip payment cards can use their card on any EMV-compatible payment terminal. EMV technology also supports enhanced cardholder verification methods.
Why are EMV credit and debit cards and EMV payment transactions secure?
EMV secures the payment transaction with enhanced functionality in three areas:
- Card authentication, protecting against counterfeit cards. The card is authenticated during the payment transaction, protecting against counterfeit cards. Transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.
- Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards. Cardholder verification ensures that the person attempting to make the transaction is the person to whom the card belongs. EMV supports four cardholder verification methods (CVM): offline PIN, online PIN, signature, or no CVM. The issuer prioritizes CVMs based on the associated risk of the transaction (for example, no CVM is used for unattended devices where transaction amounts are typically quite low).
- Transaction authorization, using issuer-defined rules to authorize transactions. The transaction is authorized either online and offline. For an online authorization, transactions proceed as they do today in the U.S. with magnetic stripe cards. The transaction information is sent to the issuer, along with a transaction-specific cryptogram, and the issuer either authorizes or declines the transaction. In an offline EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card determine whether the transaction can be authorized. Offline transactions are used when terminals do not have online connectivity (e.g., at a ticket kiosk) or in countries where telecommunications costs are high.
EMV cards store payment information in a secure chip rather than on a magnetic stripe and the personalization of EMV cards is done using issuer-specific keys. Unlike a magnetic stripe card, it is virtually impossible to create a counterfeit EMV card that can be used to conduct an EMV payment transaction successfully.
Should U.S. travelers with magnetic stripe only payment cards expect issues when traveling to countries that have implemented EMV?
Some U.S. travelers have been reporting troubles using their magnetic stripe cards while traveling. The most common areas where travelers may face issues are at unmanned kiosks for tickets, gasoline, tolls and/or parking, and in rural areas where shop owners do not know how to accept magnetic stripe cards.
Will travelers with EMV cards visiting the U.S. have issues paying for purchases?
Currently, all EMV chip cards also have a magnetic stripe, so that those cards can be used in regions and countries that have not deployed EMV. There has been some discussion by the European Payment Council (EPC) to allow European financial institutions the option to issue chip-only cards. However, European cardholders who travel internationally would be able to enable magnetic stripe acceptance as needed.
How does EMV address payments fraud?
First, the EMV chip card includes a secure microprocessor chip that can store information securely and perform cryptographic processing during a payment transaction. Chip cards carry security credentials that are encoded by the card issuer at personalization. These credentials, or keys, are stored securely in the EMV card’s chip and are impervious to access by unauthorized parties. These credentials therefore help to prevent card skimming and card cloning, one of the common ways magnetic stripe cards are compromised and used for fraudulent activity. Second, in an EMV chip transaction, the card is authenticated as being genuine, the cardholder is verified, and the transaction includes dynamic data and is authorized online or offline, according to issuer-determined risk parameters. As described above, each of these transaction security features helps to prevent fraudulent transactions. Third, even if fraudsters are able to steal account data from chip transactions, this data cannot be used to create a fraudulent transaction in an EMV chip or magnetic stripe environment, since every EMV transaction carries dynamic data.