The Smart Card Alliance Payments Council explains EMV payment cards and looks at deployment options for chip cards in the U.S.
The EMV specification, originally named for Europay, MasterCard and Visa, is a global standard for interoperable credit and debit payment cards, point-of-sale (POS) payment terminals and transaction processing networks based on chip card technology.
Chip cards, also known as smart cards, contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. The EMV specifications also provide for new, highly efficient transaction methods that cannot be achieved with traditional magnetic stripe cards. These include contact and contactless transactions as well as mobile payment operations.
The secure microprocessor chip on the EMV payment card contains the information needed for payment and additional protection features, making it significantly more secure than a traditional magnetic stripe card.
EMV improves the security of payment transactions with added functionality in three areas:
Card authentication protects the payment system against counterfeit cards. Card authentication methods are defined in the EMV and associated payment-brand chip specifications. Card authentication can take place online, offline, or both.
Online card authentication typically takes place using symmetric key technology. The card generates a cryptogram using a shared secret key, and this cryptogram is validated by the issuer during the online authorization request.
Offline card authentication involves the EMV card and EMV terminal using public key technology.
Offline capability is designed into EMV to address environments where reliable online communication is not available or is expensive.
The EMV standard supports online and offline transaction authorization. Online authorization transactions would proceed much as they do today. Transaction information is sent to the issuer with the added security of a transaction-specific cryptogram. This prevents the use of stolen payment account information at merchant locations and opens the opportunity to eventually use EMV cards to prevent eCommerce fraud.
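The online authentication flow described above, sketched as an added example that is not code from the EMV specifications or the payment brands: a card computes a cryptogram with a shared secret key and the issuer validates it. HMAC-SHA-256 stands in for the brands' actual cryptogram algorithms, and the transaction counter, terminal nonce, field layout and account name are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def session_key(card_key: bytes, atc: int) -> bytes:
    # Assumption: a fresh key per transaction, derived from the card's counter.
    return hmac.new(card_key, b"session" + struct.pack(">H", atc), hashlib.sha256).digest()

def card_cryptogram(card_key: bytes, atc: int, amount_cents: int,
                    currency: int, terminal_nonce: bytes) -> bytes:
    # The MAC covers the transaction details, so it is valid for this purchase only.
    data = struct.pack(">QHH", amount_cents, currency, atc) + terminal_nonce
    return hmac.new(session_key(card_key, atc), data, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, card_keys: dict):
        self.card_keys = card_keys      # account -> secret shared with that card
        self.last_atc = {}              # account -> highest counter accepted so far

    def authorize(self, account, atc, amount_cents, currency, nonce, cryptogram) -> str:
        key = self.card_keys.get(account)
        if key is None:
            return "DECLINE: unknown account"
        if atc <= self.last_atc.get(account, -1):
            return "DECLINE: counter reused"
        expected = card_cryptogram(key, atc, amount_cents, currency, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        self.last_atc[account] = atc
        return "APPROVE"

def demo() -> list:
    account, key = "ACCT-EXAMPLE-0001", bytes(range(16))   # constructed values
    nonce = bytes.fromhex("a1b2c3d4")                      # constructed terminal nonce
    issuer = Issuer({account: key})
    genuine = card_cryptogram(key, 7, 2599, 840, nonce)
    no_key = card_cryptogram(bytes(16), 9, 2599, 840, nonce)  # account data without the card key
    return [
        issuer.authorize(account, 7, 2599, 840, nonce, genuine),   # real card
        issuer.authorize(account, 7, 2599, 840, nonce, genuine),   # captured message resent
        issuer.authorize(account, 8, 99999, 840, nonce, genuine),  # old cryptogram, new purchase
        issuer.authorize(account, 9, 2599, 840, nonce, no_key),    # counterfeit card
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the first request is approved: account data captured from an earlier transaction cannot produce a valid cryptogram for a new one.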
In an offline EMV transaction, the card and payment terminal communicate and use issuer-defined risk parameters stored in the card, such as a cumulative offline “floor limit” or consecutive transaction limit, to determine if the transaction can be authorized offline. Offline transactions are used with terminals that do not have online connectivity, or in countries where telecommunications costs are high. Offline transactions are also typically for low-value amounts.
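An added example (not taken from the EMV specifications) of how the two issuer-defined limits named above bound offline exposure. The class, the limit values and the counter reset after a successful online authorization are assumptions; the model also approves offline whenever the limits allow, which an issuer may choose not to permit.

```python
from dataclasses import dataclass

@dataclass
class CardRiskState:
    cumulative_limit_cents: int        # issuer-set cumulative offline limit
    consecutive_limit: int             # issuer-set cap on consecutive offline transactions
    offline_total_cents: int = 0       # value approved offline since last online contact
    offline_count: int = 0             # transactions approved offline since last online contact

    def within_limits(self, amount_cents: int) -> bool:
        return (self.offline_total_cents + amount_cents <= self.cumulative_limit_cents
                and self.offline_count < self.consecutive_limit)

    def decide(self, amount_cents: int, terminal_online: bool,
               issuer_approves: bool = True) -> str:
        if self.within_limits(amount_cents):
            self.offline_total_cents += amount_cents
            self.offline_count += 1
            return "APPROVED_OFFLINE"
        if not terminal_online:
            return "DECLINED_OFFLINE"  # over the limits and no path to the issuer
        if not issuer_approves:
            return "DECLINED_ONLINE"
        # Assumption: a successful online authorization resets the offline counters.
        self.offline_total_cents = 0
        self.offline_count = 0
        return "APPROVED_ONLINE"

def demo() -> list:
    # Constructed limits: 50.00 cumulative, three consecutive offline transactions.
    card = CardRiskState(cumulative_limit_cents=5000, consecutive_limit=3)
    purchases = [                      # (amount in cents, terminal has connectivity)
        (1500, False), (2000, False),
        (2000, False),                 # would bring the offline total to 5500
        (2000, True),                  # same purchase at a connected terminal
        (1000, False), (1000, False), (1000, False),
        (500, False),                  # fourth consecutive offline attempt
    ]
    return [card.decide(amount, online) for amount, online in purchases]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```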
Depending on payment brand rules and issuer preference, chip cards are personalized with one or more cardholder verification methods (CVMs) in order to be accepted in as wide a variety of locations as possible.
Online PIN or offline PIN CVMs directly protect against fraud resulting from lost, stolen, and never-received cards.
Signature verification requires a written signature at the POS, as is currently required with magnetic stripe cards. Validation occurs when the signature on the receipt is compared to and matches the signature on the back of the card.
EMV also supports transactions that require “no CVM.” No CVM is typically used for low value transactions or for transactions at unattended POS locations.
When EMV cards use a PIN for cardholder verification, the PIN can be verified offline or online.
An online PIN is not stored on the card. Once the cardholder enters the PIN at the POS terminal, the PIN is encrypted by the PIN pad and sent online to the host for validation, similar to how PIN debit transactions are authorized in the U.S. today.
Offline PIN is the only CVM supported by EMV that is not available with magnetic stripe cards. The offline PIN is stored securely on the chip card and during a transaction, when the cardholder enters the PIN, the POS terminal sends the PIN to the chip card for verification. The authorization for the transaction therefore takes place within the chip card.
Neither online nor offline PIN is required by the EMV specifications, and either can be combined with other methods based on issuer preference.
Since the first version in 1996, EMV has become the de facto global standard for payment cards in developed countries other than the United States. According to EMVCo, the organization responsible for managing the EMV specifications, over 1.5 billion EMV cards have been issued globally and 21.9 million POS terminals accept EMV cards, representing 76.4% of payment terminals worldwide excluding the U.S. EMVCo is jointly owned by American Express, JCB, MasterCard and Visa.
A map of EMV global card and payment terminal penetration is available at EMVCo.com.
The United States is one of the last countries to migrate to EMV, but this is about to change: American Express, Discover, MasterCard and Visa recently unveiled their plans for EMV in the U.S.
Why the change now? One issue: growing incompatibility between traditional magnetic stripe payment cards still used in the U.S. and widespread EMV acceptance abroad. Non-EMV cards are viewed as more of a fraud risk, especially in Europe. The other issue is the risk of fraud migrating to the U.S. from other countries that use more secure EMV technology.
U.S. credit and debit card issuers issuing or planning to issue EMV payment cards include: American Express; Andrews Federal Credit Union; Bank of America; Chase (multiple cards); Citi (multiple cards); Jack Henry & Associates Payment Processing Solutions; PSCU Financial Services; Silicon Valley Bank; Star One Credit Union; State Employees Credit Union; Travelex; United Nations Federal Credit Union; U.S. Bank; Wells Fargo
In August 2011, Visa announced a three-part plan to accelerate the migration to EMV chip technology and the adoption of mobile payments:
MasterCard announced its plans for EMV in the United States in late January 2012, defining these roadmap elements:
In March 2012, Discover announced its plan to implement a 2013 EMV mandate for acquirers and direct-connect merchants in the U.S., as well as Canada and Mexico. This plan will include its payment businesses consisting of Discover Network, PULSE, and Diners Club International.
Discover says that its approach to EMV is “both universal and choice-centric,” meaning the company will not restrict any channel, verification process or transaction type, supporting:
American Express joined the other payment brands and announced its U.S. EMV roadmap in June 2012. The company’s key policy requirements and dates are:
The roadmaps to EMV from American Express, Discover, MasterCard, and Visa give issuers the flexibility to choose the selection of options from the EMV standard that suits their business and the U.S. environment best.
Each represents an independent choice, many of which overlap, and some of which dynamically vary depending on the circumstances. The result is a multitude of implementation options as shown here.
Depending on the preference of the issuer, chip cards in the U.S. can be personalized with one or more cardholder verification methods (CVM) so that they can be accepted in as wide a variety of locations as possible. These include online PIN, offline PIN, signature and no CVM.
At the card issuer’s discretion, EMV chip cards can require online authorization and no PIN. Support for offline EMV transactions is an option, not a requirement, under the control of the card issuer.
EMV is designed so that both offline and online authorization can be used depending on the circumstances. In a virtually 100% online environment like the United States, it is expected that any chip implementation would continue to require online authorization for every transaction.
Based on the recent announcements from American Express, Discover, MasterCard and Visa, one thing is clear: EMV chip technology is coming to the United States. Issuers will have to choose card interface (contact, contactless or dual), card authentication method, transaction authorization method, and cardholder verification method. It is likely that we will see the U.S. evolve to a hybrid combination of options to best support venue, transaction type, and compatibility with the rest of the world.