CSI EMV WHITE PAPER SERIES - sf.csiweb.comsf.csiweb.com/uploads/96568/Content/WhitePapers/WP... · CSI EMV White Paper Series Part 1 of 3: Introduction to EMV. CSI WHITE PAPER. 3

Advancements in technological capabilities, along with increasing levels of counterfeit fraud, led the

payments industry to develop both chip card technology and global EMV specification for payments.

EMV is designed to leverage the advanced processing capabilities of chip card technology in securely

storing and transmitting card payment credentials.

The card payments industry in the United States is one of the last to enable EMV. But the card brands have

announced plans—and increasing risks associated with compromised merchants resulting in counterfeit card

fraud have accelerated efforts—to enhance the U.S. payment infrastructure to support EMV-based payments.

This three-part white paper aims to educate individuals about EMV and the efforts underway at CSI

to support EMV payments. Our first installment focuses on its deployment in the United States, while part

two will address considerations for ATM terminal owners and part three will highlight important

business considerations for issuers.

CSI EMV WHITE PAPER SERIESPart 1 of 3: Introduction to EMV

C S I E M V W h i t e P a p e r S e r i e s | P a r t 1 o f 3 : I n t r o d u c t i o n t o E M V

C S I W H I T E P A P E R

EMV SPECIFICATION

EMV is the chip card payment specification standard

that was developed by Europay, MasterCard and Visa

(from which the specification gets its name). The

standard is managed by EMVCo, which is owned by

American Express, JCB, MasterCard and Visa.

EMV’s objective is to facilitate the global

interoperability and security of chip cards

and acceptance terminals, as well as provide

certifications for issuer card programs and

terminal devices.

CHIP CARD TECHNOLOGY

Embedded in the plastic of chip cards is an

Integrated Circuit Card (ICC) microprocessor.

The chip functions similarly to a computer: it

has an operating system, communication

protocols, applications and a secure element.

While the secure element actually is the memory

storage area of the chip, many publications use

the term secure element to refer to the entirety

of the microprocessor.

EMV SECURITY

EMV defines the communication protocols by which

payment credentials can be provisioned to the

chip and cryptographically stored and encrypted.

A portion of the payment credentials stored in

the chip is a group of unique cryptographic keys

used to establish and encrypt the communication

protocols when the credentials are transmitted

from the chip card to the terminal chip card

reader. The credentials that are transmitted, unlike

mag-stripe payment credentials, use the card’s

unique cryptographic keys to generate dynamic

cryptograms for each transaction. Dynamic

cryptograms prevent the ability to clone the EMV

credentials, which aids in protecting against

skimming and counterfeit fraud.

2

DRIVING U.S. EMV MIGRATION

There is no mandate from any network or

regulatory agency in the U.S. payments industry

that requires issuers or merchants to upgrade

their cards or terminals to EMV. However, several

driving forces are pushing issuers and merchants

to enable EMV.

One of the major driving forces is the prevention of

counterfeit fraud. Counterfeit fraud is increasing,

with high-profile merchant security compromises

of mag-stripe card data becoming more common.

Mag-stripe counterfeit fraud is expected to continue

to grow, as fraudsters migrate to those countries

that have yet to enable EMV. This includes the U.S.,

one of the last EMV holdouts.

And increasingly, U.S. consumers are likely to

encounter problems with their U.S.-issued,

mag-stripe-only cards being accepted at merchants

in those countries that have migrated to EMV.

Another major driving force is the shift in

fraud liability. Visa, MasterCard and Pulse have

announced plans to accelerate EMV migration in

the U.S. (see page 3), and an integral part of the

plan was the decision to shift fraud liability from the

party—either the merchant or issuer—that enabled

their device for EMV to the party that did not enable

EMV. The general concept is that whoever enables

the more secure technology passes the liability

for fraud to the less secure party. In the event both

parties have enabled EMV, the issuer is held liable.



3

The chart below outlines various liability scenarios–descending from most secure to least secure.

TRANSACTION TYPE ISSUER MERCHANT/ATM PROCESSED AS LIABILITY

Card Present EMV EMV EMV Issuer

Card Present EMV Mag-stripe Mag-stripe Merchant/ATM Owner

Card Present Mag-stripe EMV Mag-stripe Issuer

Card Present Mag-stripe Mag-stripe Mag-stripe Issuer

The following chart outlines the dates of the liability shifts.

LIABILITY SHIFT DATES VISA MASTERCARD PULSE

October 2015 POS Counterfeit POS Counterfeit POS Counterfeit

October 2016 ATM Liability*

October 2017 ATM Liability

October 2017 POS Fuel Dispensers POS Fuel Dispensers POS Fuel Dispensers NYCE, Shazam, Nets and Star have not announced liability shift dates.*ATM Liability Shift for Maestro Cross-Border has already taken effect.

PAYMENT ECOSYSTEM AND EMV

All stakeholders in the card payment ecosystem,

including issuers, processors, networks, acquirers,

merchants, terminal manufacturers and card

fulfillment vendors, are affected by EMV. The

changes necessary to implement EMV require most

of the existing processes to be updated in order to

support the issuance, transmission and acceptance

of EMV. This is further complicated by the size and

complexities of the U.S. payments industry.



4

REGULATION II (AKA THE DURBIN

AMENDMENT) AND EMV

One such complexity of the U.S. payments industry

is the impact of Regulation II on EMV. Regulation II

requires that debit cards maintain a minimum of

two unaffiliated payment network options that are

available to a merchant for use in processing.

With EMV, the ability to route the transaction

depends on the payment applications that can

be loaded to the chip and selected for use during

processing. While Visa and MasterCard have

EMV applications, the regional or pinned

networks—which most issuers enable as a

secondary unaffiliated network—have neither an

EMV application nor the infrastructure immediately

available to support EMV. This complication

prevents issuers from obtaining the ability to begin

rolling out “Durbin-compliant” debit chip cards.

Also, in order to support debit EMV, U.S. payment

terminals must have the ability to deal with an

EMV card that has multiple payment applications;

however, most are designed to only support a single

payment application per chip card.

Recently, the traditional pinned networks have

started cross-licensing Visa and MasterCard EMV

applications. They also are creating new network

specifications that debit issuers, processors and

acquirers will use to begin certification to eventually

enable a Durbin-compliant debit chip card.

MAG-STRIPE STILL ON EMV CHIP CARDS

During the migration from mag-stripe to EMV,

issued cards will have both EMV and mag-stripes

to allow transaction activity at all devices. During

the transition, EMV will be the first authentication

method that’s used for terminals equipped with

EMV technology. For terminals not equipped with

EMV technology, mag-stripe will be the default

authorization method, and the liability will be

defined by network rules.

It is important to note that the mag-stripe on EMV

cards is still at risk of being compromised. If the

card is used for transactions at non–EMV devices,

and if this merchant or device is compromised,

those mag-stripe credentials can then be used to

create counterfeit cards and commit fraud. In all

likelihood, the issuer would want to issue a new

card number and replace the EMV/mag-stripe card.



5

While EMV adoption is starting to accelerate in the

U.S., banks still have time to consider and evaluate

strategic options unique to their institution. And

the time couldn’t be more appropriate, as each

day brings news of a data breach or card fraud

committed by savvy cybercriminals. EMV is a more

secure payment standard designed to curtail this

rising increase of card fraud. Further, its adoption

is being motivated by the impending card fraud

liability shifts from the card associations.

EMV is a major industry undertaking that will

affect the entire payment ecosystem. But it’s also

crucial to remember that EMV technology alone

won’t eradicate fraud: it doesn’t remove the risk

of counterfeit fraud when the mag-stripe is used,

and many merchants will take years to implement

POS acceptance devices. As they develop their EMV

strategies, banks should keep these issues in mind.

The second installment of this white paper will explore the ATM requirements needed to support EMV, while the final installment will outline considerations, timelines and options that CSI will bring to the market.

NEXT STEPS

K Y _ 1 1 0 5 1 4 _ 2 0 1 _ P T 1 _ V 1

INTRODUCTION

The United States migration to EMV is beginning

to accelerate. To help financial institutions

understand this emerging technology, CSI is

publishing a three-part white paper that explains

EMV specifications, enablement and adoption.

Our first installment provided an introduction to

EMV deployment in the U.S., while Part 2 examines

ATM requirements that support EMV.

While much of the EMV discussion focuses on chip

cards, the deployment of advanced terminals and

readers that are capable of interfacing and

receiving the credentials from these cards is

equally important in the enablement of EMV.

In order to ensure interoperability, these more

advanced terminals must go through rigorous

testing and certification. For financial institutions

electing to enable EMV acceptance at their fleet of

ATMs, there are specific hardware and software

requirements, timeframes and costs to consider.

CSI EMV WHITE PAPER SERIESPart 2 of 3: EMV Acquiring at ATMs

C S I E M V W h i t e P a p e r S e r i e s | P a r t 2 o f 3 : E M V A c q u i r i n g a t A T M S


FRAUD LIABILITY SHIFT AND BANK ATMS

With the deployment of EMV in the U.S., fraud

liability passes from the party that has enabled

the more secure technology (EMV transaction

processing) to the less secure party (mag-stripe

transaction processing).

Today, with a mag-stripe ATM transaction, the

card issuer is liable for fraudulent activity.

However, impending fraud liability shifts will

change that responsibility. While the general

point-of-sale (POS) fraud liability shift is

scheduled for October 2015, ATMs have a later

date scheduled: the EMV fraud liability shift for

MasterCard ATM transactions is Oct. 1, 2016,

while the EMV fraud liability shift for Visa ATM

transactions is Oct. 1, 2017. This graduated

schedule for the ATM fraud liability shift gives

financial institutions additional time to consider

their strategies and implementation timeframes.

Following these EMV fraud liability shift dates, the

bank ATM owner will be liable for any fraudulent

activity occurring on any EMV-enabled chip cards

(both internationally and domestically issued) if

the ATM is not EMV-enabled. While ATM-related

fraud remains relatively low and is not currently

the responsibility of the ATM owner, financial

institutions should consider the possibility of

these related fraud losses before upgrading or

enabling EMV acceptance at their ATMs.

EMV TERMINAL REQUIREMENTS

ATMs require card readers that are capable of

interfacing with the EMV chip. EMV card readers

primarily interface with cards by maintaining

physical contact with the chip on the front of the

card while it is inserted, as opposed to reading the

“swiped” mag-stripe on cards currently in use. EMV

optionally supports a wireless or contactless form

of interface leveraging near-field communication

(NFC) to transmit and receive credentials.

ATM software from the terminal vendor is

required to have received Level 2 certification

from EMVCo, which is owned by American Express,

JCB, MasterCard and Visa, and manages EMV

standards. ATM hardware that interfaces with

the chip card requires Level 1 certification.

These certifications will take place with the

hardware/software manufacturer and terminal

drivers like CSI. As EMV implementation occurs,

CSI will work with the appropriate parties to ensure

that these certification levels are met.

2



3

VENDOR OS TERMINAL SOFTWARE EMV SOFTWARE HARDWARE

Diebold Win 7 Agilis 3.0 SP3 EMV Solution 5.0 (Kernel) EMV Capable Card Reader

NCR Win 7 APTRA Advance NDC 4.01.0 APTRA EMV Kernel 3.0 EMV Capable Card Reader

NCR Win 7 APTRA Edge 5.0 APTRA EMV Kernel 3.0 EMV Capable Card Reader

Hyosung Win 7 MoniPlus2 v02.03.x EMV Kernel 5.5 EMV Capable Card Reader

Triton Windows Triton Software Triton Software EMV Capable Card Reader Embedded (contains Kernel)

CSI TERMINAL REQUIREMENTS FOR EMV SUPPORT

In order for CSI to support EMV acceptance at

your ATMs, the following minimum configurations

are required. CSI does not track all software

and hardware changes made to ATMs, and will

need to be informed when your terminals meet

these requirements.

BUSINESS CONSIDERATIONS

Industry research suggests that the cost to upgrade

the U.S. ATM fleet to accept EMV-enabled cards

could be upward of $500 million. Banks that need

to upgrade their ATMs should look to do so now to

ensure resource availability. Banks that are in the

process of updating their ATMs, or are considering

doing so, should contact their terminal vendors

to ascertain potential options and costs. When

planning ATM upgrades, CSI will be available to

assist and support you.

For ATMs that have existing card readers in need

of replacement, you should consider the customer

experience. There are two types of card readers

capable of EMV: motorized-insertion readers and

“dip-and-clip” readers. Motorized-insertion readers

will continue to operate as they do today. With

dip-and-clip readers, the customer will remove

their card and receive instructions to re-insert

and leave their card in the reader during the entire

transaction. This change will require customer

re-training, because if the customer forcibly

removes her card after re-insertion, the clip

could be damaged.



4

CSI EMV ATM ROADMAPCSI currently is certifying EMV-capable ATMs. For

those ATMs that meet the minimum requirements,

CSI intends to support your bank’s ability to accept

EMV in the first quarter of 2016. As we move closer

to liability shift and implementation dates for EMV

at ATMs, CSI will continue to provide updates.

Our next installment in this white paper series will detail the process of issuing chip cards to be used at EMV-enabled terminals.

K Y _ 1 1 0 5 1 4 _ 2 0 1 _ P T 2 _ V 1

INTRODUCTION

While no mandate exists that requires banks

to issue EMV chip cards, the debate for the U.S.

market adoption of EMV has largely ended.

This is due, in large part, to the increasing

frequency of large merchant data breaches of

stored mag-stripe card data and the subsequent

fraud losses that follow them, as well as the

approaching fraud liability shift dates set by the

various card associations and networks.

For institutions that are considering issuing EMV

chip cards, the implications are significant in

terms of the complexities, timing and costs

of implementation.

This final installment in CSI’s EMV white paper

series aims to educate individuals on card

production requirements, as well as the business

decisions that should be considered before banks

can issue EMV chip cards and the efforts underway

at CSI to support banks in issuing these cards.

CSI EMV WHITE PAPER SERIESPart 3 of 3: Issuing EMV Chip Cards

C S I E M V W h i t e P a p e r S e r i e s | P a r t 3 o f 3 : I s s u i n g E M V C h i p C a r d s


FRAUD LIABILITY SHIFT AND BANK DEBIT CARDS

With the deployment of EMV in the U.S., liability

passes from the party that has enabled the more

secure technology to the less secure party. With

today’s mag-stripe transactions, fraud liability for

card-present transactions is the responsibility of the

card issuer. However, if both parties—issuers and

merchants—have enabled EMV, then transaction

fraud liability still remains with the card issuer,

albeit for significantly more secure transactions.

For card-present transactions, there is only

one situation in which liability will switch to the

merchant: the shift occurs when the card issuer

has given its customer an EMV chip card, but the

merchant has not yet enabled EMV acceptance. In

this scenario, the issuer has chargeback rights to

recover these specific fraud losses.

It will take merchants years to update their

point-of-sale terminals to support EMV, with smaller

merchants projected to take the longest. In the

meantime, many merchants will still be using the

mag-stripe to process EMV cards. This practice will

still expose EMV cards to potential fraud well into

the future. So, until the market reaches the point at

which EMV cards can be processed without the use

of mag-stripe functionality, banks will be placed

in a situation of having to reissue the now more

expensive EMV debit card should its mag-stripe

become compromised.

EMV ISSUANCE IN THE U.S.

EMV chip cards use sophisticated technology that

features many different options and configuration

profiles. Several of these options were developed

to support offline functionality, in which the chip

on the card performs various functions that, in the

U.S., would be the responsibility of the issuer’s

online authentication system to conduct. Without

the need to enable offline functionality, EMV

deployment from an options and profile perspective

narrows fundamentally to one decision: to include

contactless interface with each card or not.

2



3

EMV CARD INTERFACE OPTIONS

EMV chip cards are typically deployed in one of

two forms: contact only or dual interface. With

contact-only cards, the metallic area on the front of

the card is its contact plate. A microprocessor chip

is embedded directly behind the contact plate. With

an EMV contact transaction, the card is inserted into

a card acceptance device (e.g., a payment terminal).

The card reader must maintain physical contact

with the plate and chip for the duration of the

transaction. This connection enables the chip to get

power from, and exchange data with, the terminal.

This is often referred to as “dip” to pay.

Dual-interface cards include both the contact

interface and the contactless interface. Contactless

EMV works by holding a contactless chip-enabled

card, which also contains an integrated antenna

that’s placed in the border of the card, within

proximity of a contactless-capable EMV reader.

The reader wirelessly powers the chip embedded

in the card and allows exchange of data via near

field communication, or NFC. This is often referred

to as “tap” to pay, because the card never has to

leave the customer’s possession.

Contact-only EMV cards are the most common form

of EMV implementation, due in large part to costs

with issuing the more expensive dual-interface

cards and the lack of NFC-enabled terminals.

CSI EMV CARD PROGRAM UPGRADES

For CSI customers interested in migrating to EMV

chip cards, CSI will support the upgrade of your

existing card programs for the respective card

associations in which you already participate.

The choice then becomes: does the bank want

to offer EMV debit cards with the contact-only

interface, or does the bank want to enable the

optional contactless interface and give their

customer an EMV chip card with dual interface?

• Visa – EMV Debit Card – Contact Only

• Visa – EMV Debit Card – Dual Interface

• MasterCard – EMV Debit Card – Contact Only

• MasterCard – EMV Debit Card – Dual Interface



4

EMV ROLL-OUT STRATEGY

After your bank’s card program has been upgraded

to begin issuing EMV cards, there are several

approaches to consider when rolling them out to

your existing card base.

One approach is to reissue the entire existing card

base at one time. However, this approach results

in fairly significant upfront costs, as well as a

steeper learning curve for consumers and branch

staff alike, which slows the overall experience of

working with EMV transaction data.

The generally accepted industry (and

CSI-recommended) approach is to upgrade your

existing card base as cards expire. Spreading the

costs out, while both building on EMV experiences

and working to educate cardholders on its use,

allows banks to take a more systematic, successful

approach to EMV migration. Additionally, with this

approach, banks can still target specific customer

segments that would be inclined toward

EMV-enabled cards.

For example, consumers who frequently travel

internationally will increasingly be challenged

when attempting to use a non-EMV debit card, as

most of the rest of the world has already adopted

EMV. In order to continue to support these valued

clients, the bank can preemptively identify these

travelers and reissue/upgrade their existing cards

to include EMV chip functionality.

Estimated EMV-Related Costs for Bank

Consideration

• EMV-Related Setup Costs: $5,000-$10,000

• Program Setups

• Testing & Certifications

• EMV Chip Cards: $3-$7 per card

• Monthly Support Costs: $50-$250

• EMV Transaction Cryptogram Validation Costs:

$0.005-$0.05 per transaction



EMV AND PLASTIC CARD LAYOUT AND ART

With the embedded EMV chip, banks will need to work with card

issuers to redesign their card layout and art. That’s because the EMV

chip placement is on the front of the card, to the left above the PAN

(see images below).

FRONT OF THE CARD

The placement of the chip significantly reduces the

area available for the issuer’s logo, and requires

issuers to reevaluate their logo placement as part

of the overall card design. Banks should strongly

consider moving the brand hologram to the back of

the card, as pictured in layouts 2 and 3.

BACK OF THE CARD

The placement of the chip makes a similar impact

to the back of the card, reducing the area for the

signature and CVV2/CVC2. The bank verbiage can

be placed to the right of the hologram, and banks

also should consider shortening the verbiage as a

result of the limited space and the requirement to

list the bank’s phone number (not a third party) on

the card.

PURPLE: Issuer Logo

BLUE: Verbiage

RED: Logo (primary network)

GREEN: Logo (secondary network)

5



CSI EMV ISSUER ROADMAP

CSI continues to work with card vendors and

networks to certify EMV chip card issuance

readiness. CSI anticipates the ability to support

upgrading card programs for EMV in Q1 2016.

CONCLUSION

Many banks are still in the discovery phase

regarding EMV technology, as well as weighing the

benefits of implementing an EMV-enabled card

program. While each day brings news of another

data breach related to card fraud, which results in

both monetary and reputational risks, banks also

face the cost of putting EMV cards in rotation and

maintaining them well ahead of most merchants.

The most important question for a bank surrounds

timing: “When should my bank jump in?” The answer

will vary for each bank, as each institution considers

market conditions, card replacement strategies and

customer demographics. And the upcoming fraud

liability shifts should be considered as a factor in the

decision as well.

Regardless of the timing your bank chooses,

launching an EMV card program will benefit your

institution and its customers. Though it is not

without increased costs in terms of plastics and

processing, EMV is a more secure technology that

will greatly reduce counterfeit card fraud. As you

weigh the pros and cons on issuing EMV cards,

consider not only the operational costs, but also

the reputational benefits that may come from

customers who recognize EMV as the more secure

card option. These customers will likely reach for

their EMV-enabled card more often than their

non-EMV cards, even if they are using them at

terminals not yet equipped for EMV technology.

When determining the best time to migrate toward EMV, keep this in mind: Your EMV strategy should be balanced between what’s appropriate for your bank and what’s best for your customers.

6

K Y _ 1 1 0 5 1 4 _ 2 0 1 _ P T 3 _ V 1

Documents

CSI EMV WHITE PAPER SERIES - sf.csiweb.comsf.csiweb.com/uploads/96568/Content/WhitePapers/WP... · CSI EMV White Paper Series Part 1 of 3: Introduction to EMV. CSI WHITE PAPER. 3