Smart Card Alliance : Slideshows : What Are Chip-Enabled EMV Payment Cards?
What Are Chip-Enabled EMV Payment Cards?
The Smart Card Alliance Payments Council explains EMV payment cards and looks at deployment options for chip cards in the U.S.
What is EMV?
The EMV specification, originally named for Europay, MasterCard and Visa, is a global standard for interoperable credit and debit payment cards, point-of-sale (POS) payment terminals and transaction processing networks based on chip card technology.
Chip cards, also known as smart cards, contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. The EMV specifications also provide for new, highly efficient transaction methods that cannot be achieved with traditional magnetic stripe cards. These include contact and contactless transactions as well as mobile payment operations, although today U.S. contactless cards do not use the EMV specification.
EMV Around the World
Since the first version in 1996, EMV has become the de-facto global standard for payment cards worldwide in developed countries other than the United States. According to EMVco, the organization responsible for managing the EMV specifications, approximately one billion EMV cards have been issued globally and 15.4 million POS terminals accept EMV cards, representing 65% of payment terminals worldwide excluding the U.S. EMVCo is jointly owned by America Express, JCB, MasterCard and Visa.
A map of EMV global card and payment terminal penetration is available at EMVCo.com.
EMV in the United States
EMV cards have not replaced magnetic stripe cards in the U.S. in part because the payments industry relies on online authorization and fraud detection by the issuer authorization systems. Smart card-based contactless payment card acceptance has also been growing rapidly, and there is widespread interest in mobile payment, which can use the same contactless payment terminal infrastructure.
Now EMV payment cards are getting a closer look here too. Some organizations, notably Wal-Mart, a merchant association known as the Merchant Advisory Group (MAG), and some in the U.S. Federal Reserve system are advocating chip cards to reduce merchant fraud losses and consumer complaints. Identity theft, including credit card theft and fraud, has been the #1 consumer complaint to the Federal Trade Commission for more than 10 years.
International Travelers and EMV
One of the issues attracting support for increased EMV issuance in the United States is the growing incompatibility between traditional magnetic stripe payment cards still used in the U.S. and widespread EMV acceptance abroad. Non-EMV cards are viewed as more of a risk for fraud especially in Europe.
In a research report on international traveler acceptance issues, Aite Group estimated that 9.7 million U.S. cardholders experienced magnetic stripe card acceptance issues when they travel internationally in 2008, costing banks $447 million in lost revenue.
Why is EMV More Secure
The secure chip microprocessor on the EMV payment card contains the information needed for payment and additional protection features, making it significantly more secure than a traditional magnetic stripe card.
EMV also improves the security of payment transactions with added functionality in three areas:
- Card authentication: Transactions require an authentic card validated either online using a dynamic cryptogram or offline using Static Data Authentication (SDA) or Dynamic Data Authentication (DDA).
- Cardholder Verification Method (CVM): The CVM ensures that the person attempting to make the transaction is the person to whom the card belongs using Offline PIN, Online PIN, Signature, or no CVM.
- Online and Offline Authorization: EMV transactions are authorized based on security parameters established by the issuer.
EMV Implementation Options for U.S. Issuers
Many interconnected drivers and industry developments must be taken into account for a U.S. roadmap, including the current contactless implementation, use of contact vs. contactless EMV, selection of options from the EMV standard to suit the U.S. environment, convergence with NFC mobile contactless payments, and the use of PIN vs. signature.
Each represents an independent choice, many of which overlap, and some of which dynamically vary depending on the circumstances. The result is a multitude of implementation options as shown here. The implications of these choices for U.S. issuers are considered in the next slides.
Considerations of EMV Chip Interface for the U.S.
The EMV standard allows for both contact and contactless interfaces. The two can be independent or combined, and in all cases are supplemented with a magnetic stripe for compatibility with the existing infrastructure.
Whether the industry will evolve toward contact or contactless EMV is an open question. Contactless cards can leverage current investment in contactless terminals and cards and prepare the industry to support NFC mobile contactless payments. On the other hand, since the rest of the world has implemented contact EMV, a U.S. contactless EMV chip card infrastructure would be incompatible. Selecting a dual contact/contactless interface card would allow the same card to be used both at U.S. contactless payment terminals and contact POS outside of North America.
Offline and Online Card Authentication
Card authentication protects the payment system against counterfeit cards. Card authentication methods are defined in the EMV and associated payment-brand chip specifications. Card authentication can take place online, offline, or both.
Online card authentication typically takes place using symmetric key technology. The card generates a cryptogram using a shared secret key, and this cryptogram is validated by the issuer during the online authorization request.
Offline card authentication involves the EMV card and EMV terminal using public key technology. Offline capability is designed into EMV to address environments where reliable online communication is not available or is expensive.
Offline and Online Authorization
The EMV standard supports online and offline transaction authorization. Online authorization transactions would proceed much as they do today. Transaction information is sent to the issuer with the added security of a transaction-specific cryptogram. This prevents the use of stolen payment account information at merchant locations and opens the opportunity to eventually use EMV cards to prevent eCommerce fraud.
In an offline EMV transaction, the card and payment terminal communicate and use issuer-defined risk parameters stored in the card, such as a cumulative offline “floor limit” or consecutive transaction limit, to determine if the transaction can be authorized offline. Offline transactions are used with terminals that do not have online connectivity, or in countries where telecommunications costs are high. Offline transactions are also typically for low-value amounts.
Cardholder Verification and Transaction Authorization Implications for U.S. Issuers
Depending on payment brand rules and the issuer preference, chip cards are personalized with one or more cardholder verification methods (CVM) so that they can be accepted in as wide a variety of locations as possible. These include offline PIN, online PIN, signature and no CVM.
At the card issuer’s discretion, EMV chip cards can require online authorization and no PIN, a fact that many U.S. issuers and acquirers do not know. Support for offline EMV transactions is an option, not a requirement, under the control of the card issuer.
EMV is designed so that both offline and online authorization can be used depending on the circumstances. In a virtually 100% online environment like United States, it is expected that any chip implementation would continue to require online authorization for every transaction.
EMV Chip & PIN Cardholder Verification
When EMV cards use a PIN for cardholder verification, the PIN can be verified offline or online.
An online PIN is not stored on the card. Once the cardholder enters the PIN at the POS terminal, the PIN is encrypted by the PIN pad and sent online to the host for validation, similar to how PIN debit transactions are authorized in the U.S. today.
Offline PIN is the only CVM supported by EMV that is not available with magnetic stripe cards. The offline PIN is stored securely on the chip card and during a transaction, when the cardholder enters the PIN, the POS terminal sends the PIN to the chip card for verification. The cardholder verification therefore takes place within the chip card.
Neither online nor offline PIN are required by the EMV specifications and can be combined with other methods based on issuer preference.
EMV in the U.S.
Planning a roadmap to EMV for the U.S. requires choice of card interface (contact, contactless or dual), card authentication method, transaction authorization method, and cardholder verification method. The U.S. may evolve to a hybrid combination of options to best support venue, transaction type, and compatibility with the rest of the world.
Although the enormous size of the U.S. payment industry makes widespread change costly and difficult, the true cost of fraud is increasing and threatens to damage the industry’s reputation. This damage could accelerate as criminals move to the U.S. as the “weakest link,” now that EMV cards are in use in most other regions of the world.
Various options are available for the U.S. payments industry to migrate to EMV. Due to the maturity and wide availability of EMV technology and products, migration will be less complicated than it would have been a decade ago.