EMV: A Merchant’s Primer
October 1, 2015 marked a major milestone in the US payments landscape, when liability for fraudulent counterfeit credit and debit card transactions shifted from issuers to merchants, unless those merchants migrate to POS technology that accommodates the EMV (Europay/Mastercard/Visa) standard. In this primer, we take a look at what EMV is, what the liability shift is meant to accomplish, how migration will benefit merchants, and what consequences merchants should expect from failure to embrace EMV-compliant technology. We also dispel some of the myths surrounding EMV implementation, lay out the basic groundwork for EMV migration, and explore other technologies that should be implemented in conjunction with EMV as part of a comprehensive data security solution.
Who, What, Where & Why
EMV is an open-standard set of specifications for chip card payments and acceptance devices, developed to define requirements that ensure interoperability between POS terminals and chip-based payment cards. Chip-based payment cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magstripe cards. There are three types:
• Contact: Contact chip cards communicate with the card reader over a contact “plate” that must touch the terminal. Such contact is usually established by inserting the card into a slot in the terminal or ATM.
• Contactless: Contactless cards communicate via radio frequency (RF) technology. As such, they contain an antenna.
• Dual-interface: Dual-interface chip cards combine contact and contactless technology in a single chip. They communicate with the terminal either through the contact plate or over RF.
As for EMV specifications, these are managed, maintained and enhanced by EMVCo, which executes testing and other processes related to EMV. Such processes include, but are not limited to, card and terminal evaluation, security evaluation and the handling of interoperability issues. EMVCo’s work is overseen by six member organizations: American Express, Discover, JCB, Mastercard, UnionPay and Visa. Other payments industry stakeholders—including banks, merchants, processors and technology vendors—participate in EMVCo initiatives as technical and business associates. EMVCo is not responsible for individual card brand certifications.
Decreases card fraud.
EMV Handbook: One Year Later
An EMV-enabled card’s microprocessor chip stores data securely and carries cryptographic keys that the issuer loads when the card is personalized for an individual cardholder. Each card’s keys are unique to that card, derived from the issuer’s master keys, and cannot be extracted from the chip. Because the keys cannot be read out, fraudsters cannot build a working counterfeit chip card (“cloning”) from data captured at the point of sale, as they can with magstripe cards, whose track data is all that is needed to duplicate them. To be processed successfully, an EMV transaction requires an authentic card, validated either online by the issuer using a dynamic cryptogram or offline by the terminal using static data authentication (SDA), dynamic data authentication (DDA) or combined DDA with application cryptogram generation (CDA). EMV transactions also produce unique, transaction-specific data (a transaction counter kept by the chip, an unpredictable number chosen by the terminal and a cryptogram computed over them), so captured data cannot be reused to execute new transactions. Two caveats apply: SDA only proves that the issuer signed the card data, not that the chip presenting it is genuine, so it protects offline-authorized transactions far less than DDA or CDA; and chip cards still carry a magstripe, so the counterfeit protection applies only when the transaction actually runs on the chip.
Additionally, EMV reduces fraud resulting from card theft and loss by harnessing enhanced transaction authorization, card authentication and cardholder verification.
• Transaction authorization uses issuer-defined rules to authorize transactions either online or offline. For an online authorization, an EMV transaction proceeds much as a magstripe transaction does: the transaction data, together with a transaction-specific cryptogram generated by the chip, is sent to the issuer, which verifies the cryptogram and authorizes or declines the transaction. Offline, the card and terminal communicate and apply issuer-defined risk parameters to decide whether the transaction can be authorized without contacting the issuer. Offline authorization is typical where terminals lack network connectivity or in countries where telecommunication costs are high.
• Card authentication occurs online via cryptographic processing, in which the issuer verifies a cryptogram computed by the chip over the card number and certain static and dynamic (transaction-specific) data, or offline through SDA, DDA or CDA. Dynamic data is unique to each transaction, so it can’t be used more than once even if fraudsters manage to steal it; any attempt to do so causes that transaction to be declined.
• Cardholder verification ensures that the person presenting the card is the person to whom it belongs. EMV supports several cardholder verification methods (CVMs): offline PIN (verified by the chip), online PIN (verified by the issuer), signature, and no CVM (typically for low-value and contactless transactions). The CVM actually used is negotiated at the terminal: the issuer encodes a prioritized CVM list on the card, and the terminal, configured by the merchant and acquirer, selects the first method on that list it supports.
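The online path described above, with both sides of the exchange (the chip generating a cryptogram bound to its transaction counter and a terminal-supplied unpredictable number, and the issuer re-deriving the card’s key and checking it), as an added example that is not part of the original primer. It is a simplified model written for this page: the key derivation and the MAC are patterned on the EMV Book 2 mechanisms (card keys diversified from an issuer master key by PAN, session keys diversified by the ATC, ISO/IEC 9797-1 MAC Algorithm 3 with two-key 3DES), but the data fields, the issuer master key, the PAN and the issuer’s bookkeeping are constructed for illustration, and it is not a certified implementation.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// tdes encrypts one 8-byte block with two-key 3DES (K1||K2||K1); all keys here are 16 bytes.
func tdes(key, block []byte) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// deriveCardKey: issuer master key diversified by PAN and PAN sequence number (patterned on EMV Book 2 Annex A1.4 Option A; DES parity fix-up omitted).
func deriveCardKey(imk []byte, pan, psn string) []byte {
	digits := "0000000000000000" + pan + psn
	y, _ := hex.DecodeString(digits[len(digits)-16:]) // PAN and PSN are decimal digits
	yInv := make([]byte, 8)
	for i := range y {
		yInv[i] = ^y[i]
	}
	return append(tdes(imk, y), tdes(imk, yInv)...)
}

// deriveSessionKey: card key diversified by the Application Transaction Counter (ATC), patterned on the EMV common session key derivation.
func deriveSessionKey(mk []byte, atc uint16) []byte {
	r := []byte{0, 0, 0xF0, 0, 0, 0, 0, 0}
	binary.BigEndian.PutUint16(r, atc)
	left := tdes(mk, r)
	r[2] = 0x0F
	return append(left, tdes(mk, r)...)
}

// retailMAC is ISO/IEC 9797-1 MAC Algorithm 3 with padding method 2 (0x80, then zeros).
func retailMAC(sk, data []byte) []byte {
	encL, _ := des.NewCipher(sk[:8])
	decR, _ := des.NewCipher(sk[8:16])
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (8-len(msg)%8)%8)...)
	h := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 { // single-DES CBC-MAC under the left key half
		for j := range h {
			h[j] ^= msg[i+j]
		}
		encL.Encrypt(h, h)
	}
	decR.Decrypt(h, h) // final block: D(KR) then E(KL)
	encL.Encrypt(h, h)
	return h
}

// txnData: cryptogram input used here (amount, ATC, terminal unpredictable number); a subset of what a real card's CDOL1 requests.
func txnData(amount uint64, atc uint16, un uint32) []byte {
	b := make([]byte, 14)
	binary.BigEndian.PutUint64(b, amount)
	binary.BigEndian.PutUint16(b[8:], atc)
	binary.BigEndian.PutUint32(b[10:], un)
	return b
}

// cardARQC is the chip side; in a real card the key never leaves the chip and the chip increments the ATC itself.
func cardARQC(mk []byte, atc uint16, amount uint64, un uint32) []byte {
	return retailMAC(deriveSessionKey(mk, atc), txnData(amount, atc, un))
}

// Issuer is the host side: it re-derives any card key from the master key and tracks the highest ATC accepted per PAN.
type Issuer struct{ imk []byte; lastATC map[string]uint16 }

func (is *Issuer) Authorize(pan, psn string, amount uint64, atc uint16, un uint32, arqc []byte) error {
	if atc <= is.lastATC[pan] {
		return errors.New("declined: ATC not above last accepted (replay)")
	}
	sk := deriveSessionKey(deriveCardKey(is.imk, pan, psn), atc)
	if subtle.ConstantTimeCompare(retailMAC(sk, txnData(amount, atc, un)), arqc) != 1 {
		return errors.New("declined: ARQC does not verify")
	}
	is.lastATC[pan] = atc
	return nil
}

// Demo runs a genuine purchase, a replay and a cloned-card forgery; nil means approved.
func Demo() (genuine, replay, forged error) {
	imk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed test key
	pan, psn := "4111111111111111", "00"                            // constructed test PAN
	issuer := &Issuer{imk: imk, lastATC: map[string]uint16{}}
	cardKey := deriveCardKey(imk, pan, psn)          // personalization: loaded into the chip once
	arqc := cardARQC(cardKey, 1, 1250, 0x1A2B3C4D)   // ATC 1, unpredictable number chosen by the terminal
	genuine = issuer.Authorize(pan, psn, 1250, 1, 0x1A2B3C4D, arqc)
	replay = issuer.Authorize(pan, psn, 1250, 2, 0x55667788, arqc)  // captured ARQC, next ATC, new UN
	forgedARQC := cardARQC(make([]byte, 16), 3, 1250, 0x99AABBCC)   // clone: PAN known, chip key not
	forged = issuer.Authorize(pan, psn, 1250, 3, 0x99AABBCC, forgedARQC)
	return
}
```

Calling Demo() returns nil for the genuine purchase and a decline for both the replay and the forgery: the replay fails because the MAC was computed over the old ATC and unpredictable number, and the clone fails because knowing the PAN (which is also on the magstripe) gives no way to derive the chip key. A real host also enforces an ATC window rather than a bare “greater than last seen” check, and uses an HSM for the key derivation.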
Allows interoperability with the global payments infrastructure.
Consumers with EMV-enabled cards can use them on any EMV-compatible payment terminal in the world. Such interoperability is likely to become increasingly important as some nations consider phasing out magstripe cards entirely.
Additional EMV Benefits
Meanwhile, although merchants aren’t required to follow an EMV migration path, significant benefits await those that do. By deploying EMV-compliant hardware and software, they can:
Avoid major financial repercussions. This is the strongest argument for embracing EMV. Maintaining non-EMV-compliant POS technology leaves merchants responsible for potentially steep costs stemming from fraudulent transactions and chargebacks.
As of October 2012, Mastercard will exempt merchants from 100% of account data compromise penalties if at least 95% of Mastercard transactions that originate in their stores are handled on EMV-compliant POS terminals.
PCI audit relief. If more than 75% of a merchant’s Visa and Mastercard transactions since October 1, 2012 originate from EMV-compliant POS terminals that support both contact and contactless transactions, the merchant may apply for relief from the annual PCI DSS audit requirement (but is still required to be PCI-compliant).
Build a future-proof payment acceptance infrastructure that supports new payment innovations and technologies. NFC-enabled (near-field communication) mobile devices used to accept mobile contactless payments, as well as other mobile applications (such as mobile couponing and loyalty programs), top the list of these options.
EMVCo has been playing a key role in defining the architecture, specifications, requirements, and type approval processes for supporting EMV mobile contactless payments. This helped to facilitate the launch of NFC mobile contactless payments in Europe, where an EMV-based payments infrastructure is already in place. The same is likely to happen in the US.
Take advantage of global interoperability to boost business. Many US merchants want to attract visitors from countries where chip cards are the norm. Acquiring EMV-compliant hardware and software prevents merchants from losing the business of foreign customers who favor the security afforded by chip cards and are reluctant or unwilling to fall back to the magstripe on their cards to process payments. As of October 2015, the card brands hold “the party that is the cause of a chip card transaction not occurring” (i.e., a merchant whose terminals are not EMV-compliant) liable for any resulting card-present counterfeit fraud losses. Review card brand specifics by visiting their websites.