EMV stands for Europay, MasterCard, Visa, and represents a global standard for credit and debit payment cards based on chip-card technology. EMV chip-based payment cards, popularly known as ‘smart cards’, contain an embedded microprocessor chip, a type of small computer. This micro-chip contains the information needed to use the card for payment, and is protected by advanced security features that make chip cards a more secure upgrade to traditional magnetic stripe payment cards.
The U.S. is one of the last countries to adopt EMV. Over eighty countries globally are already in various stages of EMV chip migration including Canada, Latin America, and many European countries. Over 1.55 billion EMV cards have been issued globally, along with over 22 million POS terminals accepting EMV cards.
The secure micro-chip embedded in the plastic is the distinguishing feature in EMV cards. The EMV payment application and information can also be placed in a personal electronic device such as a mobile smartphone. The chip provides three key elements – it can store information, perform processing functions, and securely store and encrypt personal information. The combination of these features makes chip-based cards a more secure processing method than magnetic stripe cards.
In order to execute a payment, a chip card must connect to a chip reader in an EMV acceptance terminal. Two forms of connection are possible: contact or contactless. With contact, the chip must come into physical contact with the chip reader for the transaction to occur. With contactless, the chip can simply be waved or hovered within sufficient proximity to the terminal reader for the flow of data to jump from the card to the acceptance terminal. This contactless method of transferring sensitive data is made possible by Near Field Communication (NFC) technologies. This technology can be used between contactless terminals and smartphones or tablet devices. NFC utilizes electromagnetic radio fields to facilitate the transfer of data, and is specifically designed for use by devices within close proximity to each other.
Why EMV Matters
EMV is designed to significantly improve the security of consumer card payments. With credit card fraud of magnetic stripe cards rising steadily, customers have moved into a mode of high awareness concerning their card information. EMV provides advanced security features for reducing fraudulent payments resulting from counterfeit or lost and stolen cards.
Counterfeit or lost and stolen card fraud represents significant cost to all participants in the payment process, including merchants, banks, card processors, card issuers, and consumers. Card fraud is a lose-lose situation for everyone involved – except the data thief. Even worse, card fraud raises costs beyond the amount of money stolen from the cardholder. These include processing of cardholder disputes, research into suspect transactions, constant replacement of cards that have been counterfeited or reported lost, and inherent liability costs for the potential fraudulent payment itself. Adopting EMV offers real benefits to merchants, acquirers, and card issuers alike by helping significantly reduce card fraud.
How EMV Helps Prevent Fraud
The micro-chip makes all the difference when it comes to processing securely. The chip can store information securely and perform advanced encryption functions during transactions. EMV cards carry security credentials that are encoded by the card issuer. These credentials, or keys, are stored securely in the EMV card’s chip and are impervious to access by unauthorized parties. This helps prevent card skimming and card cloning – the two most common ways magnetic stripe cards are compromised and used for a fraudulent transaction.
In an EMV transaction, the card is authenticated as being genuine (not counterfeit), the cardholder is verified, and the transaction includes dynamic data and is authorized online or offline. The best part about the EMV card processing protocol is the dynamic data – even if fraudsters were able to steal account data from a chip transaction, this data cannot be used to create a fraudulent transaction since every EMV transaction transmits using dynamic data. This carries over into the world of Internet transactions as well, where EMV also helps address card-not-present fraud using the same authentication and security measures.
Advanced EMV features:
1. Authentication of chip card – to verify that the card is genuine to protect against counterfeit-fraud for both online and in-store transactions. The chip generates an Authorization Request Cryptogram (ARQC), as well as the cryptogram that is produced when a chip approves the payment. The chip-generated ARQC is sent in the authorization request when an EMV payment transaction moves online to the issuer host. The ARQC can be verified by the issuer and this confirms that the chip is not counterfeit.
2. Risk management parameters – define the conditions under which the issuer will permit the chip card to be used and force transactions online for authorization under certain conditions such as offline limits being exceeded. EMV provides the issuing bank with controls at the point of sale which help reduce exposure to fraud and credit risk for offline and below floor limit transactions. The issuing bank is able to set limits in the chip card that restrict the number of consecutive offline transactions that may be processed. Furthermore, EMV provides controls that can be returned to the chip card in an online authorization response that allows the issuer to change the card limits, even reducing them to zero in the case of a confirmed high risk profile transaction. This is great news for online retailers who do not have the ability to visually profile a purchase transaction or its cardholder for suspicious activity.
3. Transaction integrity – digitally signing payment data in offline environments. EMV allows use of an offline PIN, making it possible to use an EMV chip card to verify a PIN entered into the terminal PIN pad by the cardholder offline. Having a PIN based cardholder verification method available for online and offline transaction environments is a huge help to merchants in an effort to provide seamless, hassle-free service to customers.
4. Cardholder verification – EMV provides more robust features to protect against fraud from lost or stolen cards. New features allow greater flexibility and clarity in determining and enforcing methods for verifying the cardholder is the actual owner of the card during payment.
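The dynamic-data and ARQC checks described above can be sketched as follows. This is an added illustration, not code from the EMV specifications or from MBN: HMAC-SHA256 stands in for the real cryptogram algorithm, and the transaction counter, terminal nonce, key, card number and all function names are assumptions constructed for the example.

```python
import hmac
import hashlib

def make_cryptogram(card_key, counter, amount_cents, terminal_nonce):
    """Card side: MAC over per-transaction data (HMAC is a stand-in, not EMV's algorithm)."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer host: holds each card's secret key and the highest counter it has seen."""
    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def enroll(self, pan, card_key):
        self.keys[pan] = card_key
        self.last_counter[pan] = 0

    def authorize(self, pan, counter, amount_cents, terminal_nonce, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        expected = make_cryptogram(key, counter, amount_cents, terminal_nonce)
        # Constant-time comparison; fails if the key or any signed field differs.
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        # A valid cryptogram seen before is a replay of captured data.
        if counter <= self.last_counter[pan]:
            return "DECLINE: replayed counter"
        self.last_counter[pan] = counter
        return "APPROVE"

def demo():
    issuer = Issuer()
    pan = "4000000000000002"      # constructed sample card number
    key = bytes(range(16))        # constructed sample key, known to chip and issuer only
    nonce = bytes.fromhex("a1b2c3d4")
    issuer.enroll(pan, key)
    genuine = make_cryptogram(key, 1, 2500, nonce)
    return {
        "genuine": issuer.authorize(pan, 1, 2500, nonce, genuine),
        # Same captured message presented a second time.
        "replay": issuer.authorize(pan, 1, 2500, nonce, genuine),
        # Amount changed after the chip computed its cryptogram.
        "altered": issuer.authorize(pan, 2, 99900, nonce,
                                    make_cryptogram(key, 2, 2500, nonce)),
        # Copy of the account data without the chip's secret key.
        "clone": issuer.authorize(pan, 2, 2500, nonce,
                                  make_cryptogram(b"\x00" * 16, 2, 2500, nonce)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```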
What Are The Requirements and Deadlines?
Visa, MasterCard, AMEX, and Discover all have deadlines that indicate a shift in liability that merchants need to know about. All timelines have a consistent date of April 2013 for acquirers and sub-processors to be ready to fully process EMV transactions. PCI audit relief programs are available for most merchants who process 75% of transactions on EMV enabled terminals that accept contact and contactless payments. The shift in liability is across the board for all merchants by October 2015, with the exception of fuel dispensers that have a deadline of October 2017.
This October 2015 deadline means after this date, any fraudulent transaction claims will be absorbed by the merchant. Your credit card bank will not hold any responsibility for fraudulent charges beyond this date. Currently all merchants are required to remain PCI compliant and adhere to security best practices to protect their card holder data.
Visa’s PCI audit relief program – called TIP (Technology Innovation Program) – is available to merchants with 75% or more Visa transactions originating from chip-enabled terminals that support both contact and contactless chip payments. Merchants are still responsible for protecting sensitive data in their care, ensuring their systems do not store track data, security codes, or PINs, and meeting other PCI DSS standards. The complete liability shift to merchants will happen in October 2015: when any contact chip card is presented to a merchant who has not adopted EMV terminals, the full liability for counterfeit fraud will be on the merchant.
MasterCard provides PCI audit relief incentives exactly like Visa’s described above. But MC also has an ATM liability shift for cross-border Maestro ATMs that are not enabled for EMV. October 2015 is also the liability shift date for MasterCard (see timeline below).
Discover’s plan echoes the same key deadlines from MC and Visa with one distinct difference. Discover has not announced whether or not they support waiving any annual validation of PCI compliance for merchants, stating that Discover ‘will consider doing so if it benefits a merchant.’
The Bottom Line
All U.S. merchants are responsible for making hardware and/or software upgrades necessary to support the new EMV technology. The consensus among the major card issuers is a push for increased security of data which translates into less vulnerability to data breaches and the costs associated with card fraud. Protecting consumer data is everyone’s responsibility and in the best interest of your customer. Most businesses cannot afford the damaged reputation and drop in sales that result from a data breach and scammed customers. Many vendors are ready with equipment that will accommodate both old and new EMV technology, and here at MBN we have the solutions and expertise to help you make the transition smoothly without breaking the bank.
Give us a call with any questions about your EMV options at 1-877-871-4629.
Your MBN Team