EMV 101: Everything you need to know about EMV E-BOOK

EMV 101 with Datacard and Diamond


DESCRIPTION

A helpful overview of the basic considerations for EMV implementation.

Diamond Business Services, Inc. Attn: Charlia Pence 723 SW. 7th Ave. | Amarillo, TX 79101 806-373-4148 | 800-749-9025 [email protected] www.diamondbusiness.net www.emvsherpa.com

The Glossary of Terms provides a quick reference tool for navigating the many technical terms and abbreviations brought up when discussing EMV.

The Migration Timeline traces the history of EMVco standards, and outlines when migration steps will take effect in the US.

Lessons Learned provides a comprehensive look at economies around the world where EMV migrations are currently underway or are complete. Experiences from other countries can provide valuable insights for everyone involved in the US EMV migration.

Behind the Transaction provides a more in-depth look at why adding layers of security to our current payment ecosystem can benefit everyone within it.

Key Players takes a closer look at everyone who is involved in the US EMV migration, and how each group can be best prepared for the shift.

The EMV Checklist provides a step-by-step analysis to help you evaluate your current infrastructure and prepare for migration.


Introduction

This e-book breaks EMV down to six questions: who, what, where, when, why, and how. These topics can help you figure out what’s going on, who it will affect, when to expect changes, why this is all necessary, and how to get started. The introductory chapter, EMV 101: The Five Ws, goes through each “W” question in a brief overview, and each subsequent chapter goes in-depth on one question. Whether your EMV questions are general or specific, macro or micro, EMV 101 can get you answers.

This intro chapter is a brief introduction to all things EMV, and answers the five classic questions: Who? What? Where? When? & Why?

EMV 101: THE FIVE Ws


Where is the US payment card industry now?

Today, payment and identification cards of all types (credit cards, gift cards, loyalty cards, membership cards, etc.) are encoded with the cardholder’s information on the back of the card using a strip of magnetic tape, also known as the magnetic stripe.

When a consumer swipes a standard magnetic stripe card at a retailer’s point of sale (POS) terminal, or inserts it into an ATM, the data on the magnetic stripe is captured for transmission to an authorization system. Fraudsters have been able to put skimmers at these locations to capture the data from the magnetic stripe, and in more sophisticated attacks, install malware on computers connected to the POS terminal to capture the data. The prevalence of magnetic stripe cards in the US makes card skimming and card copying easy and lucrative. In 2012, the US accounted for 47% of global credit card fraud while only being responsible for 23% of total global credit card use.

Chip cards are different from traditional magnetic stripe cards in the way they communicate with card reader devices. Rather than the classic swipe-to-scan method, chip cards have an embedded integrated circuit chip which connects to the POS terminal’s chip card reader. This chip is a microprocessor, which is essentially a very small computer, with the capability to encrypt transaction data dynamically for each purchase. Because the card has a microprocessor embedded, it has the ability to make some payment-related decisions without the need to connect to the network. That is why this type of card is often referred to as a “smart card.” With over 1 billion cards in use, EMV is already a burgeoning global reality.

[Figure: US share of global credit transactions, 23%; US share of global credit fraud, 47% (Nilson Report, 2014)]
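A simplified model of the contrast described above, added here as an illustration and not part of the original e-book: a stripe returns the same data on every read, while a chip computes fresh authentication data for each purchase. The HMAC construction, the transaction counter, the class names and the card number are assumptions of this sketch; it does not reproduce the cryptogram algorithm of the EMV specifications.

```python
import hashlib
import hmac
import secrets


def _mac(key, pan, counter, amount_cents):
    """Keyed MAC over the fields that change per purchase (model only)."""
    data = f"{pan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Issuer:
    """Hypothetical authorization host that knows each card's secrets."""

    def __init__(self):
        self.static_codes = {}   # PAN -> static value encoded on the stripe
        self.chip_keys = {}      # PAN -> secret key shared with the chip
        self.last_counter = {}   # PAN -> highest transaction counter accepted

    def enroll(self, pan):
        self.static_codes[pan] = secrets.token_hex(4)
        self.chip_keys[pan] = secrets.token_bytes(32)
        self.last_counter[pan] = 0
        return self.static_codes[pan], self.chip_keys[pan]

    def authorize_swipe(self, track):
        # Stripe data is static: any byte-identical copy verifies.
        pan, _, code = track.partition("=")
        expected = self.static_codes.get(pan)
        if expected is None:
            return False
        return hmac.compare_digest(code.encode(), expected.encode())

    def authorize_chip(self, msg):
        key = self.chip_keys.get(msg["pan"])
        if key is None:
            return False
        expected = _mac(key, msg["pan"], msg["counter"], msg["amount"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False                      # altered or forged message
        if msg["counter"] <= self.last_counter[msg["pan"]]:
            return False                      # captured message replayed
        self.last_counter[msg["pan"]] = msg["counter"]
        return True


class ChipCard:
    """Hypothetical chip: the key never leaves the card, only MACs do."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._counter = 0

    def pay(self, amount_cents):
        self._counter += 1
        return {
            "pan": self.pan,
            "counter": self._counter,
            "amount": amount_cents,
            "mac": _mac(self._key, self.pan, self._counter, amount_cents),
        }


def demo():
    issuer = Issuer()
    pan = "4000000000000002"          # constructed number, not a real account
    code, key = issuer.enroll(pan)

    track = f"{pan}={code}"           # what a stripe reader sees on every swipe
    results = {
        "genuine_swipe": issuer.authorize_swipe(track),
        "copied_swipe": issuer.authorize_swipe(str(track)),
    }

    chip = ChipCard(pan, key)
    first = chip.pay(2500)
    results["genuine_chip"] = issuer.authorize_chip(first)
    results["replayed_chip"] = issuer.authorize_chip(dict(first))
    results["altered_amount"] = issuer.authorize_chip(
        dict(chip.pay(2500), amount=99900))
    results["bumped_counter"] = issuer.authorize_chip(
        dict(first, counter=first["counter"] + 5))
    results["next_purchase"] = issuer.authorize_chip(chip.pay(1200))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} accepted={accepted}")
```

In this model the copied stripe data is indistinguishable from the original, while a captured chip message is rejected on reuse and cannot be modified without the key held inside the card.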

Contact Chip Cards can be distinguished by their square metallic contact pads. These cards are inserted into a POS terminal which has an integrated chip card reader; much like a microSD card or flash drive is inserted into a computer. The card stays inserted in the POS terminal until the transaction is complete. Chip cards are only activated when connected to a reader, which provides the power source for communication. Chip cards do not have batteries and do not need to be charged.

Additionally, Contactless Chip Cards do not require an internal power source. Embedded in the plastic of a contactless card is an antenna. Using radio waves, the card communicates with a reader that emits a specific radio frequency. This frequency is harnessed to power the electronic chip. Contactless cards are especially advantageous for use as payment cards because they need only a moment to tap or wave the card near a reader to complete the communication. Recent pilots and rollouts indicate contactless chip cards will be widely utilized for transit payments.

Hybrid or Dual Interface cards include both a contact pad and an internal antenna. They can be tapped, waved or inserted into many different chip card readers.

What is EMV?

EMV is an acronym for the founding companies who came together to build a common specification: Europay (now part of Visa), MasterCard, Visa. These companies formed EMVCo in order to administer international standards to champion global interoperability for chip-based payment cards. This includes, but is not limited to, card and terminal evaluation, security evaluation and management of interoperability issues. Today, there are EMV specifications based on contact chip, contactless chip, common payment application (CPA), card personalization and tokenization. These specifications and requirements were developed with a mission to increase payment security and efficiency, and to ensure global interoperability amid payment ecosystems. A globally accepted EMV card with an associated PIN empowers cardholders to take out cash from an ATM in Hong Kong, buy lunch at a deli in New York, or buy a train ticket from a Deutsche Bahn kiosk in Munich — all with the same card. EMV specifications regarding chip size, card size, electrical use, and security features all help make this possible. Chip cards are already widely used in Europe, Asia and other regions. The transition of the US payment card market from magnetic stripe cards to chip cards is referred to as the US EMV migration.

[Figures: Contactless Chip: EMV Card & Reader; Contact Chip: EMV Card & Reader]

EMVCo is the association that manages, maintains and enhances EMV chip card specifications. EMVCo has expanded its sponsoring organizations and is comprised of six backing members — American Express, Discover, JCB, MasterCard, UnionPay, and Visa — and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

Who will be affected by EMV migration?

Cardholders will have to adapt to new ways of interacting with ATMs and POS terminals. Consumers using contact chip cards will have to insert their card for the duration of the transaction, and those using contactless cards will have to tap or wave their card over the designated area. Also, depending on how the chip card is configured and the capabilities of the POS terminal, cardholders may have to verify they are the actual cardholder by entering a PIN instead of verifying by signature.

Card Issuers will have their operation costs go up, as the new cards are more expensive to produce and replace. They will also have to work with acquirers to update their payment processing and authentication infrastructures.

Merchants will have to upgrade and certify their POS terminals so that they can communicate with chip cards. As mobile payments rise in popularity, more and more apps will adapt to enable mobile phones to communicate with POS terminals. Today, there are many apps and mobile phones which can communicate with POS terminals.

When is migration happening?

Now, slowly but surely, major card providers in the US are beginning to offer chip-based payment cards. Some cards are requiring PIN entry for cardholder verification, and others are requiring a signature for cardholder verification.

The US is the last major economy in the world to implement chip-based payment technology, and in an effort to encourage EMV deployment, the US card brands have instituted a fraud liability shift beginning October of 2015. This means that after October 2015, all parties that make an investment in EMV technology will be protected from being financially liable for any potential fraud losses. In 2016 this will include ATMs for MasterCard branded cards, and in 2017 it extends to automated fuel dispensers, and ATM transactions with Visa branded cards. The liability shift is NOT a mandate.

Merchant Migration requires upgrading and certifying their point of sale devices, and training their cashiers to use the new payment method.

Card Issuer Migration requires providing their cardholders with chip cards and educating the issuer’s employees and their customers about the chip cards, what they are capable of, and how to use them.

Cardholder Migration requires consumers to apply for chip cards, or request chip cards from their current card provider. Over time, cardholders will receive chip cards as part of new card issuance or through the normal renewal process. Cardholders will also have to adjust to new methods of using their card with card readers.

OCT 2017: Automated Fuel Dispenser Liability Shift

OCT 2015: Merchant Fraud Liability Shift

APRIL 2014: Acquirer Compliance, Accept Chip-Based Payments

Why migrate now?

EMV provides better protection for cardholders. Card fraud is a huge problem in the US, largely due to the prevalence of magnetic stripe swipe cards, which are easy to counterfeit. EMV cards remove most opportunities for card skimming, where a magnetic stripe is scanned without the cardholder’s consent for fraudulent use. Opportunities for card transplant fraud, where stolen card information from EMV markets is printed onto a magnetic stripe card and used in non-EMV markets, will be greatly reduced as more markets embrace EMV technology. In the event that data is stolen from an EMV card, or during a transaction initiated from an EMV card, the value of that data for counterfeiting purposes is greatly limited. Mobile markets are also on the rise, and the current transition to chip cards will make the next transition to mobile payments safer and easier by protecting and enabling consumers.

Today, fraud risk is making headlines like never before. Recent notable retailer data breaches have affected millions of American consumers, and have brought credit security issues to the forefront of public debate. Thieves have successfully stolen customer card information by observing and taking advantage of how data is stored and moved between different areas of the payment environment. Valuable cardholder information can be compromised not due to one weak link in the transaction cycle, but due to joint weaknesses in the current payment system as a whole.

EMV chip card ubiquity in the US will dramatically decrease the options fraudsters will have to use stolen account data, and it will enable cardholders to embrace new ways of making payments by protecting and informing them. Updating the US payment system infrastructure to support EMV will take time, investment and careful planning. It will require merchants, issuers, acquirers and processors to evaluate and update their current security precautions. EMV Migration will not correct every weakness within the US payment system, but it is the first clear step in a long process of ushering the payment business into the digital age.

This chapter provides some historical background on EMV payment standards, and outlines major dates and deadlines to come.

EMV 101: MIGRATION TIMELINE

1995: Europay, MasterCard and Visa issue the first EMV specification

2001-05: In an effort to improve security, a larger retailer partners with Visa to push for more smart chip cards to be used in the US. Efforts halt due to cost management setbacks

1999: Europay is acquired by MasterCard

2002: JCB (Japan Credit Bureau) joins EMVco

2005: EU mandates fraud liability shift, placing pressure on card issuers and merchants to migrate to EMV

2008: Fortune 1000 Financial processor company card data breach affects 134 million accounts

2009: American Express joins EMVco

2010: Global circulation of EMV cards hits 1 billion

2010: UK credit card fraud rates at lowest since 1999

2011: MasterCard and Visa mandate fraud liability shift in Canada

EMVco publishes EMV specifications version 4.3

MasterCard, Visa and Discover announce roadmaps to bring EMV to the US

2012: US accounts for 23% of global credit card transactions and 47% of global credit fraud. Analysts blame the shift in fraud towards the US on the comparative lack of security in magnetic strip cards and terminals vs. EMV cards and terminals

2013: Discover and China Union Pay join EMVco

US acquirer processors and sub-processor service providers are required to support, accept and process smart chip transactions

Visa, Mastercard and Discover introduce merchant/acquirer regulations

2015: US implements fraud liability shift so that the party that has made an investment in EMV deployment is protected from financial liability for fraud losses

2014: Large retail customer data breach affects over 100 million cards. Attention on US EMV migration heightened during the aftermath

2017: US fraud liability shift mandate extends to fuel dispenser machines

Visa liability shift for ATMs

2019: Projected EMV ubiquity in the US

[Figure: Fraud loss rate, UK-issued payment cards, 2000-2010. Y-axis: loss per £100. Annotation: Chip and PIN deployment.]

2004

Europay, MasterCard and Visa form EMVco

2016: MasterCard liability shift for ATMs

2014: All regional debit networks to enter into agreements with MasterCard and Visa to integrate data routing

2014-2015: Regional debit networks conduct testing and certification

This chapter provides a more in-depth look at economies around the world where EMV migrations are currently underway or are complete. Experiences from other countries can provide valuable insights for everyone involved in the US EMV migration.

EMV 101: LESSONS LEARNED FROM GLOBAL MIGRATION


National Migration, Global Results

Today, EMV card technology has fully replaced traditional magnetic stripe cards in virtually all developed countries except the US. Most large economies are either fully migrated to EMV standards, or are somewhere along a migration path. Throughout every major country’s EMV migration, each domestic policy change affected fraud landscapes both at home and throughout the world.

As the US payment ecosystem gears up for a smart card migration, it is valuable to look back at how other large economies made the shift, and compare how different migration patterns and policies have affected fraud rates around the world.

Fraud 101

When measuring fraud-prevention methods, especially EMV standards, it is highly important to consider the effects EMV policies have had on different types of fraud, and to understand the different ways card fraud is measured. This chapter will discuss global trends following EMV migrations for several different types of card fraud, and different methods for measuring it:

FRAUD RATES are measured in incidences. Either one fraudulent transaction, or one cardholder affected by a fraudulent transaction equals one incident. Fraud rate is a relatively inaccurate and sometimes deceiving method of measuring fraud, but it is the favored method by journalists and surveyors for its consumer-focused mass appeal.

FRAUD LOSSES are measured in currency. This statistic totals all the money lost by cardholders, issuers, acquirers and merchants due to fraudulent transactions over a period of time.

FACE-TO-FACE FRAUD OR CARD-PRESENT FRAUD consists of a fraudster finding a card, stealing a card, or counterfeiting a card and physically using it at a store.

CARD-NOT-PRESENT (CNP) FRAUD consists of a fraudster obtaining cardholder information, and using it to perform fraudulent transactions without the use of a physical card. Often, CNP fraud is performed online.

CROSS-BORDER FRAUD is where a card issued in one country is fraudulently used in another country.

Cartes à Puces in France

France was the first large economy to embrace smart card technology. In the mid-1980s, the fraud rate in France was extremely high, and in response, French banks began issuing chip-embedded cards in 1986. France’s major national card program is “Carte Bleue,” which is run by the six major French banks in association with Visa. Beginning in 1992, Carte Bleue issued only smart chip cards (cartes à puce). In the early 90s, France was the only country widely using smart cards, and the immediate result was a drastic drop in overall fraud. When the UK began to embrace EMV standards, France followed suit with a national rollout of chip-and-PIN in 2003.

Results: Migration to smart cards caused an immediate decrease in card-present fraud losses in France. However, fraud losses have increased every year since the national shift to EMV standards took place. Card-present losses stayed low, but card-not-present fraud losses increased in France, and have continued to do so, with a significant spike in losses caused by non-domestic fraudsters.

[Figure: Credit card fraud in France, 2003-2011. Fraud losses in millions EUR. Series: Card-not-Present Fraud (CNP); Card-Present Fraud; Other (Fraud Application, ID Theft, etc.). Note: Cards issued in France only. Smart card solution launched in 1992.]

Chip and PIN in the United Kingdom

Not far behind France, the UK was one of the first large economies to embrace EMV technology. The banking industries in the UK and Ireland branded their migration efforts as “Chip and PIN” — “chip” referring to the computer chip embedded into the new cards, and “PIN” referring to the personal identification number that is required to authentically identify cardholders before each transaction (requiring PIN authentication for a smart card purchase is an optional security feature, which the UK largely favored.) After several successful trial programs launched in the mid-90s, APACS (the Association for Payment Clearing Services) — a group of financial institutions and payment companies — introduced a national EMV campaign in 2002, which gained serious traction in 2004. A liability shift was put in place on Jan. 1st of 2005, and by the end of August 2006, the UK reached a near-complete migration (99.8% of chip transactions were PIN-verified.)

Results: Overall, fraud losses in the UK have seen a significant decline. Card-present fraud loss has decreased dramatically and stayed low, however, card-not-present (CNP) fraud loss has seen steady increases since the EMV rollout. A large portion of UK CNP fraud is cross-border fraud, where UK-issued cards are used in payment networks that do not require PIN verification.

[Figure: Credit card fraud rates in the U.K., 2001-2012. Y-axis: 0% to 70%. Series: Card-not-Present; Counterfeit Card-Present; Lost/Stolen Card-Present. Annotation: EMV liability shift.]

EMV in Australia

Australia’s EMV shift resembles the US migration in its gradual and reluctant approach. Both countries have seen massive spikes in fraud from abroad, due to the stricter EMV policies adopted throughout Europe, and both economies have a complex payment ecosystem based on magnetic stripe cards. Major financial institutions in both Australia and the US act without much influence from a common governing body. Australian migration slowly began in 2007, and in 2009, a major industry deadline to implement PIN-only transactions was missed due to fears over consumer preparedness. Alongside the US, Australia has lately suffered a disproportionate share of global fraud. Liability shifts were set for 2012 and 2013, and signature verification is currently being phased out — with good results, so far.

Results: One result of the gradual migration approach in Australia is that positive results have been modest in some categories, and non-existent in others. Card-present fraud is slightly down (about a 15% decrease from 2008-2010), but CNP fraud has surged (a 70% increase during the same period).

[Figure: Credit card fraud in Australia, 2006-2012. Fraud losses in millions AUD. Series: Card-not-Present (CNP); Card-Present. Annotation: EMV issuance ramped up.]

Chip Cards in Canada

Interac, the national PIN-debit network in Canada, allowed major banks and transaction processors to work together throughout the migration process, which began in 2007 with a pilot program launched in Ontario. This pilot program offered important insights, and is lauded as one reason why Canada’s migration went faster and smoother, compared to other countries. The trial run alerted the national migration effort to the lag in consumer readiness for contact cards — which was remedied by embracing NFC-powered contactless mobile payments.

Results: Canada has seen triumphant results in reducing card-present fraud losses, especially those produced by card skimming and cloning. In March 2013, fraud loss from skimming was at its lowest since 2003. Like other migrated nations, however, Canada has also seen a spike in CNP fraud.

[Figure: Credit card fraud in Canada, 2008-2010. Fraud losses in millions CAD. Series: Card-not-Present; Card-Present.]

Fraud losses from counterfeit and lost or stolen credit cards are down 30% since the national rollout of chip-and-PIN in 2008.

Since the national rollout of chip-and-PIN in late 2008, card-not-present fraud on Canadian-issued credit cards is up 37%.

Lessons Learned

France’s experience displays an exaggerated trend seen in most countries after EMV migration: a dramatic decrease in card-present fraud, followed by a significant move from card-present fraud to card-not-present fraud alongside a shift from domestic fraud to cross-border fraud. The French EMV migration shows us that EMV standards are very effective at eliminating certain types of fraud, but are not a solution to eliminate fraud completely. France’s migration story also highlights the importance of EMV ubiquity for maximum security and interoperability. If all economies had migrated when France did, the opportunity for cross-border fraud would have been unavailable.

In the UK, PIN cardholder verification was an excellent policy for reducing card-present transaction fraud, but fraudsters will look elsewhere for vulnerabilities, and a spike in card-not-present fraud will likely follow a switch to safer cardholder verification measures.

Australia’s migration proves that the more you wait around, stall or disregard industry deadlines, the larger the target on your back grows for fraudsters around the globe. As other economies crack down on pushing for modernized cardholder verification methods, outdated methods become weaker and weaker in comparison.

Canada can teach the US that — whether they are from a domestic pilot program, or from a deep analysis of other countries’ migration attempts — gathering as many EMV migration insights as possible is an absolute must. Consumer and merchant education is of great importance for a smooth migration. If brands come together and agree on common timelines, merchants will be more likely to embrace EMV earlier on. Working together can greatly reduce unexpected migration setbacks.


CANADA: National EMV migration began in 2008. Between 2008 and 2010, fraud losses from lost/stolen cards fell over 30%.

UK: National EMV migration began in 2004. Between 2004 and 2010, card-present fraud fell 69%.

FRANCE: National EMV migration began in 2004. Between 2004 and 2010, card-present fraud fell 50%.

US: From 2004-2010, the fraud rate increased by over 70%. Between 2007 and 2010, the portion of fraud due to card-present fraud increased by 20%.

AUSTRALIA: National EMV migration began in 2008. Between 2008 and 2010, card present fraud fell 15%.

EMV-Enabled Cards and Terminals by Region

Generally, a migration to EMV standards results in a large reduction in card-present fraud.

Chip-enabled cards are very difficult to physically reproduce or misuse, so stolen and counterfeit cards become significantly less valuable to fraudsters in EMV dominant payment ecosystems. This trend causes physical card fraud to move to countries where EMV is less dominant.

One of the biggest advantages of EMV is the convenience of global interoperability for card users. For a cardholder abroad, performing a transaction with a non-EMV payment card in a region where EMV is dominant is more difficult, slower to process, and sometimes not an option at all.

41.1% CARDS, 76.7% TERMINALS

CANADA, LATIN AMERICA & THE CARIBBEAN

94.4% CARDS, 84.4% TERMINALS

EUROPE ZONE 1

68.1% CARDS, 14.5% TERMINALS

EUROPE ZONE 2

75.9% CARDS, 20.6% TERMINALS

51.4% CARDS, 28.2% TERMINALS

EMV 101: EMV ADOPTION RATES BY REGION

This chapter takes a look at how EMV migration will affect each party within the current US payment ecosystem.

EMV 101: THE KEY PLAYERS


Key Player: The Industry Payment Network

The major US payment networks (Visa, MasterCard, American Express and Discover) are the main drivers of the EMV migration. Europay (since acquired by MasterCard), MasterCard and Visa jointly conceived the EMV specification, and have played major roles in EMV migrations all over the world. The payment networks partner with many players throughout the US payment ecosystem, and therefore are the ultimate champions of interoperability and cooperation. Their wide influence makes them the go-to leaders in this large national migration push.

Key Player: The Cardholder

Cardholders will begin to receive new EMV chip cards in the mail as replacement cards to their current magnetic stripe cards. It will be critical for issuers to educate their cardholders on how to use the new cards at point-of-sale (POS) terminals. Other national EMV migrations (those in Canada and Australia, for example) have experienced setbacks and even missed big industry deadlines due to concerns about cardholder readiness.

After the adoption of EMV, the way consumers physically use payment cards will be different. Not all smart cards are the same; but they can be easily categorized into three main groups — contact cards, contactless cards and dual interface cards. With contact chip cards, the chip is embedded into the actual cardstock material, under a contact which is physically visible. Instead of swiping, contact chip cards are inserted into the POS terminal for the duration of the transaction. The cardholder will typically be required to verify their identity one of two ways: by entering in a PIN number, which must be memorized, or by providing a signature. With contactless chip cards, the chip is embedded into the actual cardstock material and is not physically visible. Contactless chip cards are tapped or waved over or near a receptor space marked on the POS terminal to complete the transaction, which only takes a moment. Cardholders might be required to verify identity by entering their signature for contactless chip transactions. Many times now verification will be required. Dual interface cards include both contact and contactless technologies and can therefore be used to complete transactions through either inserting the card or waving the card over the POS terminal. Not all card programs will require that their cardholders use a PIN to verify their identity, but in terms of overall security, PIN verification is the best practice.

As the US begins its shift to EMV, all of the smart chip cards issued will also have a magnetic stripe on the back. This way, should a cardholder encounter a POS terminal that has not yet been upgraded by the merchant to support EMV, the cardholder can simply swipe their card the way we do today. One of the primary goals of the switch to EMV standards is interoperability. We want to enable all payment cards to safely work with all POS terminals across the globe.

Key Player: The Card Issuer

Financial card issuers are vital to a smooth EMV migration. Throughout the entire migration process, educating cardholders and merchant clients about the EMV system and its standards will fall largely on issuers’ shoulders. Becoming well versed in EMV specifications and migration education strategies is in every issuer’s advantage.

EMV will not only change the way we physically use cards; it will change the way card programs run behind the scenes as well. Each step in the payment process — from a card starting out as a plain piece of plastic, to being a list of successful transactions on a statement — will include new security features and processes. For each of those steps, issuers will need to evaluate their current technologies and infrastructures, and invest in the necessary upgrades including hardware and software to manage the chip card personalization, issuance, delivery and operational processes.

Key Player: The Merchant

To most merchants, the switch to EMV seems like a costly technology upgrade that their businesses

will not directly benefit from. POS terminals will need to be upgraded to meet EMV specifications,

and back-end systems must be updated and certified to be able to accept payments from the new

cards. Employees will also need to be trained to use the new technology.

These integral steps come at no small cost, and generally, merchants are the least eager key

players to migrate. Financial pressures such as card brand-enforced fraud liability shifts aim to get

merchants more on board. EMV upgrades will directly benefit their customers, which makes them a

good investment; in addition, EMV can introduce many new (and potentially lucrative) payment,

loyalty, marketing and mobile commerce opportunities into the shopping landscape — possibilities

that merchants should assess and leverage early on to stay competitive in the transforming

payment market.

Key Players: The Card Manufacturer and The Software Developer

It’s up to software developers and card manufacturers to make EMV cards as efficiently and cost-

effectively as possible. Applications for the card chips, POS terminals, processors, ATMs and mobile

devices will have to be written and maintained to ensure secure, reliable interoperability across

channels to meet EMV standards.

Key Players: The Acquirer & Payment Processor

The US migration to EMV means that the entire industry is taking some time to evaluate current

payment processing and authentication infrastructures, in order to make plans and upgrades for

meeting EMV specifications. Because the market is on the cusp of a major transition, industry

leaders like Visa and MasterCard are spearheading efforts that can make the payment ecosystem

even more secure, on top of the security benefits that will come with EMV implementation. One

example of this is the possible implementation of tokenization technologies alongside EMV

upgrades. Tokenization is a practice that removes important cardholder data (i.e. the PAN) from the

servers of retailers, while still allowing them to access it if required (for a return, or a subscription).

Tokenization removes the incentive for hackers to steal card information in the thousands from

retailers, because the tokenized data which the hacker might capture would be meaningless to

them. To learn more about it, read our next chapter.

EMV 101: BEHIND THE TRANSACTION

This chapter traces the path that payment data

will take under the new EMV standards.

The adoption of EMV payment systems has proven to be a worthy card fraud deterrent for

card-present transactions in every region where it has been embraced. In 2004, the UK

launched a vigorous, nationwide “Chip and PIN” card program, and 2010 marked a ten-year

low in UK payment card fraud losses. In recognition of positive EMV fraud-reduction rates

elsewhere, the major card brands have declared EMV as one way to move forward and secure

the US payment infrastructure. The US is the largest payment market where EMV has not

been adopted, making it a target for card fraud opportunities that are not viable elsewhere.

Anatomy of an EMV Chip Card Payment Transaction

There are three distinct aspects of an EMV transaction, each of which, if implemented, helps

secure a different part of that transaction: card authentication, cardholder verification

and transaction authorization. EMV payment processes can happen online (processes are

performed by computers elsewhere on the payment network) and/or offline (processes are

performed between the point of sale (POS) terminal and the card’s chip).

[Figure: Fraud loss rate on UK-issued payment cards, loss per £100 (£0.00 to £0.14) by year, 2000 to 2010, with the Chip and PIN deployment marked.]

[Figure: EMV transaction flow between the payment terminal, the payment brand and the issuer, with the ARQC and ARPC exchanged in numbered steps 1 to 5.]

Card authentication ensures that a payment card is not counterfeit. There are two ways a chip card

can be verified for authenticity: online or offline.

Online card authentication transactions carry dynamic data that is sent to the card issuer’s

authorization system which checks the authenticity of the card. Offline card authentication uses

chip-stored, risk assessment logic to determine if a card is authentic.

Cardholder verification ensures that the card user is the legitimate cardholder. Cardholder

verification asks the card user to provide a signature or a valid PIN (Personal

Identification Number); in some cases (e.g. contactless transactions) no verification is required.

Like card authentication techniques, PINs can be stored for verification either online in an issuer

authentication server, or offline on the chip.

Transaction amount authorization ensures that a purchase does not exceed the cardholder’s issued

credit limit and is within other specified limits (e.g. domestic or international purchases). As with

card authentication and cardholder verification, this authorization can also be processed online or

offline. Offline risk assessment logic offers chip cards unique protections against fraud and credit

overruns.

Within the current US payment system, merchants are the primary targets for fraudsters, who covet

the large amounts of cardholder data used, moved and stored through merchant POS devices,

networks and central servers. A truly formidable payment security standard will protect sensitive

cardholder data in each of its three states: data at rest, data in use and data in motion.

1. Based on issuer qualifications, risk assessment is performed by both the POS terminal and the chip on the card. A dynamic ARQC (Authorization Request Cryptogram) is written.

2. The ARQC is sent via the acquirer to the payment brand.

3. The payment brand then sends the ARQC to the issuer.

4. The issuer makes an authorization decision to validate the request, and responds with an ARPC (Authorization Response Cryptogram), which goes through the same channels back to the point of sale device.

5. If the chip’s request is validated, the POS terminal will request verification from the cardholder in the form of a signature, entry of a PIN, or in some cases no verification.
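The ARQC/ARPC exchange in steps 1 to 4, sketched as an added Python example (not code from this e-book or from any card brand's specification). HMAC-SHA256 stands in for the DES-based cryptogram a real chip computes, and the class names, field layout and response codes are assumptions made for illustration.

```python
import hashlib
import hmac
import os

APPROVED, DECLINED = "00", "05"  # illustrative response codes (assumption)


def mac8(key: bytes, *fields: bytes) -> bytes:
    """Stand-in cryptogram: HMAC-SHA256 truncated to 8 bytes.
    A real card uses a DES/AES-based MAC under a derived session key."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key = pan, key
        self.atc = 0             # transaction counter kept on the chip
        self._last_arqc = b""

    def generate_arqc(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Step 1: the chip writes a fresh ARQC over this transaction's data."""
        self.atc += 1
        arqc = mac8(self._key, self.pan.encode(), self.atc.to_bytes(2, "big"),
                    amount_cents.to_bytes(6, "big"), terminal_nonce)
        self._last_arqc = arqc
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "arqc": arqc}

    def verify_arpc(self, code: str, arpc: bytes) -> bool:
        """Step 4, card side: confirm the response really came from the issuer."""
        expected = mac8(self._key, self._last_arqc, code.encode())
        return hmac.compare_digest(expected, arpc)


class Issuer:
    def __init__(self):
        self._keys = {}       # PAN -> key placed on that card at personalization
        self._last_atc = {}   # PAN -> highest counter value already accepted

    def issue_card(self, pan: str) -> Card:
        key = os.urandom(16)
        self._keys[pan], self._last_atc[pan] = key, 0
        return Card(pan, key)

    def authorize(self, req: dict):
        """Step 4, issuer side: validate the ARQC, then answer with an ARPC."""
        key = self._keys.get(req["pan"])
        if key is None:
            return DECLINED, b""
        expected = mac8(key, req["pan"].encode(), req["atc"].to_bytes(2, "big"),
                        req["amount"].to_bytes(6, "big"), req["nonce"])
        genuine = hmac.compare_digest(expected, req["arqc"])
        fresh = req["atc"] > self._last_atc[req["pan"]]   # rejects copied requests
        code = APPROVED if genuine and fresh else DECLINED
        if code == APPROVED:
            self._last_atc[req["pan"]] = req["atc"]
        return code, mac8(key, req["arqc"], code.encode())


def demo() -> dict:
    issuer = Issuer()
    card = issuer.issue_card("0000000000000000")     # constructed test PAN
    req = card.generate_arqc(2599, os.urandom(4))     # steps 1-3
    code, arpc = issuer.authorize(req)                # step 4
    results = {"genuine": code,
               "card_accepts_arpc": card.verify_arpc(code, arpc)}
    results["replayed"] = issuer.authorize(dict(req))[0]   # same request again
    req2 = card.generate_arqc(1000, os.urandom(4))
    results["altered_amount"] = issuer.authorize({**req2, "amount": 1})[0]
    results["forged_arpc"] = card.verify_arpc(APPROVED, os.urandom(8))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the counter and terminal nonce change on every transaction, a request copied off the wire is declined the second time it is presented, which is the property static magnetic stripe data lacks.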

Within a payment ecosystem, data at rest is cardholder information stored in central servers by

card issuers, for card functionality and reissuance, but also by merchants, for use in refunds, returns,

recurring charges and sales reports. Data at rest can be protected by tokenization, a process where

a payment card’s personal account number (PAN) is replaced with surrogate “token” values, and

stored with reduced risk. A stolen or breached token number cannot be used to perform an outside

transaction, but can be used by the merchant for returns, future charges, etc.

Data in use refers to the data that occupies a computer’s (or POS terminal’s) RAM (Random

Access Memory) at any given time. This is the space a computer uses to store data that it will

need to perform a task. Data in motion is data being sent from one point in a payment network to

another. Data in use and in motion can be protected with encryption, where computer algorithms

transform information from readable plain text to unreadable cipher text. Encryption does not

altogether prevent information theft, but it does reduce the likelihood that the thief would ever be

able to successfully use the stolen information. To decrypt the message, the reader must use the

correct key, without which the data cannot be used.

Encryption and tokenization are two security measures that collaborate with and complement EMV

security standards for protecting cardholder data in every stage of its use cycle.

EMV 101: CHECKLIST

This chapter outlines a plan of action for a

successful EMV migration.

Migration Action Checklist

EMV is the future of payment, and migrating your offerings to include EMV is key to

remaining relevant in the payment card market. We want to help you capitalize on the

changes ahead. Not sure where to begin? Start by taking a phased approach to your

migration.

Phase one of any EMV migration should focus on getting familiar with EMV standards

at every level. There’s a whole new landscape of technologies, security features, best

practices and interoperability standards out there, and understanding all of your options and

constraints is key. Solid comprehensive knowledge of EMV can be leveraged to make smarter

strategic decisions about how and when to migrate.

This strategic planning makes up the focus of phase two. Evaluate your current card portfolio

and technology infrastructure. Which programs would benefit from EMV first? Which card

layouts are affected? What are your budget constraints leading up to the liability shift? Are

your solutions EMV-ready?

Phase three is all about action. It’s the time to make all the necessary upgrades to start

bringing the benefits of EMV to your cardholders. If you’re an existing Datacard® CardWizard®

software customer, use this checklist as your phase three itinerary, and Entrust Datacard as

your trusted guide. If you’re migrating central issuance operations or starting from scratch,

you’ll find the answers you need from one of our global EMV consultants.

1. Assess your technology infrastructure

Perform an audit of your existing hardware and software versions. EMV card programs

require the latest upgrades to prepare for everyday issuance.

• What version of Datacard® CardWizard® software are you running?

• What Windows operating system do you have installed?

• How many remote locations do you need to track and does every device you own have a

license for EMV card personalization?

2. Review your card gallery

Many card designs need to be altered to accommodate the placement of the chip. EMV

standards will require redesigns and layout changes within your card setups.

• What card designs will you carry over for your new program?

• How will the chip impact existing designs?

3. Evaluate your data center

Migrating to EMV card issuance will likely introduce changes within your IT infrastructure.

EMV card issuance might require changes to your host and/or switch environment to

handle the additional data, security protocols and processing.

• Will EMV-related data elements be transmitted between your host and CardWizard®

software?

• Will CardWizard® software send EMV-related data to your switch?

4. Determine if you have the right Hardware Security Module (HSM)

Ensure the latest version of CardWizard® software works with your HSM since this is a

critical step in the production process.

• What is the model of your HSM?

• Is it internal or external?

• Is it FIPS certified?

5. Upgrade your instant issuance systems

Not all instant issuance systems are EMV-ready. EMV issuance will require an instant

issuance system equipped with a contact and contactless smart card encoder.

• Which card personalization systems do you currently use?

EMV 101: GLOSSARY OF TERMS

This chapter defines a set of standard terminology

to enable a clear understanding of all things EMV.

INDUSTRY TERMS

Acquirer

The acquirer is the party recognized by the network as the financial sponsor for a merchant

(typically a regulated financial institution like a bank). The network holds the acquiring

processor financially responsible for transactions processed by the merchant and helps ensure

that the merchant operates under the rules laid out by the network. Examples: Bank of America

Merchant Services, First Data, Wells Fargo, Vantiv, SHAZAM/ITS Inc.

Acquiring Processor

Acquiring Processors are third-party service providers that acquire and process payment

transactions for merchants, manage the relationship with the global and regional payment

networks on the merchant’s behalf (including interchange qualifying, chargeback disputes and

fees to networks and issuers), and manage the transaction database. The acquiring processor

connects merchant transactions to payment networks by (1) providing the POS device; and/or

(2) securely routing the transaction from the POS device or from the POS payment gateway to

the payment network; (3) managing transactions from authorization to clearing to settlement.

Application Authentication Cryptogram (AAC)

A cryptogram generated by the card at the end of offline and online declined transactions.

It can be used to validate the risk management activities for a given transaction.

Application Cryptogram (AC)

A cryptogram generated by the card in response to a

GENERATE AC command, providing the card decision on

the transaction. The AC is used to validate that the card has

genuinely generated the response.

The three types of cryptograms are Transaction Certificate

(TC), Authorization Request Cryptogram (ARQC), and

Application Authentication Cryptogram (AAC). The

creation and validation of the cryptogram enables dynamic

authentication.

Application Identifier (AID)

Application Identifiers are data labels that differentiate

payment systems and products. The card issuer uses the data

label to identify an application on the card or terminal. Cards

and terminals use AIDs to determine which applications are

mutually supported, as both the card and the terminal must

support the same AID to initiate a transaction. Both cards and

terminals may support multiple AIDs. An AID consists of two

components, a Registered Application Identifier (RID) and a

Proprietary Application Identifier Extension (PIX).

Authorization Response Cryptogram (ARPC)

Used during online issuer authentication, the ARPC is

a cryptogram generated by the issuer and sent in the

authorization response back to the terminal. The terminal

sends this cryptogram to the card, which allows the card to

verify the validity of the issuer response, and go ahead with

the transaction. (See ARPCs in action in EMV 101: Behind the

Transaction)

Authorization Request Cryptogram (ARQC)

This cryptogram is also used during online card authentication.

It is generated by the card and sent to the issuer in the

authorization or full financial request. The issuer validates the

ARQC to ensure that the card is authentic and card data was

not copied from a skimmed card. (See ARQCs in action in EMV

101: Behind the Transaction)

Cardholder Verification Method (CVM)

Different cards use different methods to authenticate that

the person presenting the card is the valid cardholder. EMV

supports four CVMs: offline Personal Identification Number

(PIN) (offline enciphered & plain text), online encrypted PIN,

signature verification, and no CVM.

Certificate

An electronic document binding some pieces of information

together, such as a user’s identity and public encryption key.

The digital certificate is used to prove to the data recipient the

origin and integrity of the data.

Certificate Authority (CA)

A trusted central administration that issues and revokes

certificates and is willing to act as a guarantor for the identities

of those to whom it issues certificates and their association

with a given key.

Certificate Authority Public Key (CAPK)

In order to support data authentication or offline enciphered

PIN, the terminal must store one or more public keys for each

RID. When required, the card will supply a CAPK index which

is used to identify which of these keys should be used for that

transaction.

Contact Chip Card

A chip card is a card that communicates with a reader through

a contact plate. The plate must come into contact with a

terminal, usually through a chip reader into which the card is

inserted. Communication is defined by ISO 7816.

Contactless Chip Card

A chip card that communicates with a reader through a radio

frequency interface, usually through a wave or tap of the card

on the designated area on the terminal. A contactless chip card

will have an antenna embedded in the card’s plastic.

Data Encryption Standard (DES)

Data Encryption Standard is a symmetric-key algorithm for

encryption of electronic data.

Dual Interface Chip Card

A chip card that has both contact and contactless interfaces,

enabling a payment transaction with either interface.

“Dynamic” vs. “Static”

“Dynamic” data has the ability to change or update. For

example, a dynamic card security code changes for each

transaction. “Static” or “persistent” data is unchangeable.

For example, the personal account number programmed

into a smart chip card cannot be changed after the card is

personalized.

Electrically Erasable Programmable

Read-Only Memory (EEPROM)

EEPROM is digital memory that can be erased and reused,

but does not require electrical power to maintain data.

It is used to store information that will change, such as

transaction counters. It is possible to load new data elements

and applications into EEPROM after a card has been

issued. Generally after personalization and issuance, limited

application data can be updated. This is linked to card

security requirements.

EMV Migration Forum (EMF)

The EMV Migration Forum is an independent, cross-industry

body created by the Smart Card Alliance to address issues

that require broad cooperation and coordination across many

constituents in the payments space to promote the efficient,

timely, and effective migration to EMV-enabled cards, devices,

and terminals in the United States.

EMV (Europay, MasterCard, and Visa)

Developed by Europay, MasterCard, and Visa, EMV refers to a

body of specifications set to ensure interoperability between

payment chip cards and terminals. The specifications are formally known as the EMV

Integrated Circuit Card Specifications for Payment Systems and

are owned by EMVCo.

EMVCo

EMVCo was formed in February of 1999 by Europay

International, MasterCard International, and Visa International

to manage, maintain, and enhance integrated circuit card

specifications for payment systems. EMVCo is currently, and

equally, owned by American Express, Discover, JCB, MasterCard

Worldwide, UnionPay and Visa, Inc.

GlobalPlatform

A cross-industry membership organization created to advance

standards for multiple application smart card growth. A major

goal of GlobalPlatform is the definition of specifications and

infrastructure for multi-application smart cards, including cards,

terminals and back-end host systems. The GlobalPlatform

Specifications are based on the Open Platform Specifications,

which were donated to the consortium by Visa.

International Standards Organization (ISO)

The ISO is a global institution that maintains over 13,000

international standards for business, government and society.

Issuer

Issuers are the entities that issue payment cards to customers

and perform many activities that could include, but are not

limited to, the following list. It is important to note that the

issuer may choose to outsource some, or all, of these activities:

• Cardholder customer service

• Data preparation

• Configuration set-up

• Fulfillment of personalized chip card, with all paper inserts;

preparation for mailing to customer

• Define card profile, including risk parameters

• Receive and manage card records and keys to form a

personalization record

• Generate personalization script

• Key management activities for EMV, CVV/CVC, and PINs

between card manufacturer and personalization bureau and

between issuer and personalization bureau.

Issuer Action Codes (IACs)

IACs are codes placed on the card by the issuer during card

personalization. These codes indicate the issuer’s preferences

for approving transactions offline, declining transactions offline,

and sending transactions online to the issuer based on the risk

management performed.

Issuing Processor

Issuing processors facilitate card issuance activities on behalf

of an issuer, such as processing payment transactions, card

enrollment, preparing and sending the card personalization

information to the card vendor, and maintaining the cardholder

database. The issuing processor may provide other ancillary

services as well (e.g., web front-end administrative and

cardholder account management applications, customer

service, settlement and clearing, chargeback processing).

Liability Shift

When card fraud occurs, one party involved in the transaction

(the cardholder, merchant, issuer, processor, etc.) is found

liable, or at fault. A liability shift is a change in the rules that

guide which party is liable for card fraud, should it occur. Each

brand defines the rules around their liability structure.

Magnetic Stripe Card

These plastic payment cards use a band of magnetic material

to store data. Data is stored by modifying the magnetism of

magnetic particles on the magnetic material, which is read by

“swiping” the magnetic stripe through a mag stripe reader.

Near Field Communication (NFC)

NFC is a standards-based wireless communication technology

that allows data to be exchanged two ways between devices

that are a few centimeters apart. NFC-enabled mobile phones

incorporate smart chips (called secure elements) that allow

the phones to securely store the payment application and

consumer account information and to use the information as a

“virtual payment card”.

“Offline” vs. “Online”

In the context of an EMV transaction, “offline” refers to actions

and processes that are performed by the card’s chip and the

point of sale terminal alone, using applications stored on one or

both devices. An “online” action or process includes data that is

sent out to other computers managed by payment processors,

issuers, or card brands.

Payment Card Industry Data Security

Standard (PCI DSS)

PCI DSS is a framework developed by the Payment Card

Industry Security Standards Council for developing a robust

payment card data security process — including prevention,

detection and appropriate reaction to security incidents.

Payment Network

A payment network provides POS and ATM services for

credit, debit, ATM and prepaid card issuers and corresponding

transaction acquirers. It establishes participation requirements,

operating rules and technical specifications under a common

brand(s) for the purpose of receiving, routing, securing

authorization for, settling and reporting domestic and

international payment transactions. Each payment network

determines the types of transactions, payment devices and

terminals that are permitted in its respective network.

Personalization

Personalization is the process by which the elements specific

to the issuer and cardholder are added to the payment card’s

magnetic stripe and/or chip.

Personal Account Number (PAN)

Often referred to as the primary account number, or the bank

card number. The PAN is often embossed onto the front or

back of a credit or debit card. The PAN is commonly 16 digits,

but can be up to 19 digits in length.

Personal Identification Number (PIN)

A PIN is an alphanumeric code of 4 to 12 characters that is

used to identify cardholders at a customer-activated PIN

pad. PINs can be verified “online” or “offline”. Online PIN

verification occurs when the PIN is securely transmitted to an

issuer’s authorization system during a transaction, with that

authorization confirming whether or not the entered PIN is

correct. Offline PIN verification occurs between the chip and

the POS terminal.

Point of Sale (POS)

A point of sale terminal is a machine where card-present credit

transactions occur. POS terminals come in many varieties, and

are often embedded into automated vending machines.

Random Access Memory (RAM)

RAM is a direct-access form of computer storage. When data is

required to perform a computational task it is moved into RAM

for the duration of the task.

Read Only Memory (ROM)

ROM is permanent memory that cannot be changed once it is

programmed. It is used to store chip operating systems and

permanent data.

“Static” vs. “Dynamic”

“Static” or “persistent” data is unchangeable. For example, the

personal account number programmed into a smart chip card

cannot be changed after the card is personalized. “Dynamic”

data has the ability to change or update. For example, a

dynamic card security code changes for each transaction.

Transaction Certificate (TC)

TCs are cryptograms generated by the card at the end of all

approved transactions. The cryptogram is the result of card,

terminal, and transaction data encrypted by a DES key. The

TC provides information about the actual steps and processes

executed by the card, terminal, and merchant during a given

transaction and can be used during dispute processing.

Triple DES (TDES, 3DES)

TDES is a sophisticated implementation of DES, in which the

procedure for encryption is the same but repeated three times.

First, the DES key is broken into three sub keys. Then the data

is encrypted with the first key, decrypted with the second key

and encrypted again with the third key. Triple DES (sometimes

abbreviated TDES or 3DES) offers much stronger encryption

than DES.

©2015 Entrust Datacard Corporation. All rights reserved.

www.datacard.com/emv-solutions