1. What is EMV?
6. News Flashes
What is EMV?
EMV is a standard relating to smart payment cards and the terminals where they are processed. EMV stands for Europay, MasterCard, and Visa, the three companies that are behind this technology.
The cards based on EMV are frequently called Chip-and-PIN or Chip-and-Signature cards subject to its means of verification by the card emitter. Chip-and-PIN systems are considered more secure than the chip-and-signature ones. Both types of cards are described as smart because they have an embedded chip where data is stored in integrated circuits along with a magnetic stripe. This makes them safer than cards with a magnetic stripe alone.
Benefits of EMV
EMV chip card transactions improve security against fraud thanks to its requirement of a personal identification number (PIN) as opposed to magnetic stripe cards which require the mere signing of a paper receipt – where the holder’s signature could easily be forged. Moreover, the chip is packed with encryption algorithms which further safeguard the authentication process.
In addition, attempts to copy the card will be useless, as only the magnetic stripes will be copied, but not the chip – which cannot be cloned.
However, PIN authentication will not always occur, as it is incumbent upon the capacity of the terminal and the programming of the card.
EMV cards contain microprocessors that can interact with terminals, enabling them to perform offline transaction verification and offline cardholder verification without requiring an online connection to banking systems. Terminals can be configured to verify and accept PIN codes offline, which was a feature not supported by magnetic stripe cards.
Mobile wallets are one of the major trends in the payment industry. EMV technology enables those transactions, where cardholders can only tap their cards against a terminal. For instance, it allows customers to wave their smart-phones over a terminal rather than dipping or tapping a card.
Steps of an EMV transaction
An EMV transaction takes place in 12 steps:
An application identifier which consists of a registered application provider identifier of five bytes is used to address an application in the card.
Initiate application processing
The terminal sends a command to the card. The card responds with a list of files and records that the terminal needs to read from the card.
Read application data
This command enables the file locator to read EMV data from Smart cards which are stored in files in a particular format.
This step performs three checks (version number, usage control, expiration date) to see if the card should be used. If any of these fail, the card might be declined.
Offline data authentication
The coding of the card is verified to validate the card. One process ensures data read from the card has been signed by the card issuer while a second step provides protection against modification of data and cloning.
This is used to evaluate whether the person presenting the card is the legitimate cardholder, more commonly via a signature or an online PIN.
Terminal risk management
This checks the transaction amount against an offline ceiling limit (above which transactions should be processed on-line)
Terminal action analysis
This is used to determine whether a transaction should be approved offline, sent online for authorization, or declined offline.
First card action analysis
This step gives the card the opportunity to accept the terminal’s action analysis or to decline a transaction or force a transaction on-line.
Online transaction authorization
The card generates a code which the card issuer can check in real time. This provides a strong cryptographic check that the card is genuine
Second card action analysis
The terminal sends data to the card again to let it know the issuer’s response.
Issuer script processing
If a card issuer wants to update a card (such as blocking it, or change its parameters) after having issued it, it can send commands to the card using this process.
The Liability Shift
New rules now cover credit card fraud. The presumed added protection from counterfeiting which EMV technology brings has empowered banks and credit card issuers to come forward with a “liability shift”.
Normally, it is the card issuer who is liable for fraudulent transactions. However, since January 2005 in the EU region and 1 October 2015 in the US, the ATM or merchant’s point of sale terminal – and not the card issuer – is legally responsible for any fraud that results from transactions on systems that are not EMV-capable.
For instance, based on these new liability rules, if a defrauder uses a chip card at a terminal that reads solely the magnetic stripe, the merchant will have to cover the loss because they failed to comply with the EMV standard. From now on, the issuer will cover the loss if the counterfeit card had a chip and was used on an updated terminal – a scenario deemed unlikely however due to the enhanced security.
Other Topic Pages