Frequently Asked Questions about the EMV or Chip Cards
Credit & Debit
Secure EMV payments are here!
Payment brands have announced their roadmaps to accelerate adoption through merchant incentives, processing infrastructure migration and fraud liability shift. The migration to EMV will:
- Reduce counterfeit card fraud
- Enable cardholders to use secure EMV payment cards globally
- Prepare for mobile contactless payments
EMV/chip or “smart” cards are credit, debit or prepaid cards that have an embedded microchip in the card. Each microchip generates a dynamic one-time use code, or cryptogram, when they come into contact with specific connection points within an EMV/chip card supporting terminal after insertion. The cryptogram is sent through the card processing system to the processor and ultimately out to the card issuer. This cryptographic exchange, in addition to cardholder verification methods employed (such as online PIN), serve to bolster the payments ecosystem and guard against card-present fraud.
Chip cards are based on a global card payment standard called EMV (Europay, Mastercard & Visa, the three companies that developed the standard in Europe) which is currently used in more than 80 countries. There are more than 3.4 billion chip cards issued across the globe. You can find more details at www.emv-connection.com/consumers.
Chip card transactions offer advanced security in-store and at ATMs by making every transaction unique. In addition, the chip card is more difficult to counterfeit or copy. If the card data and the one-time code are stolen, the information cannot be used to create counterfeit cards and commit fraud.
The chip is located on the front of the card. You will still have a magnetic strip on the back so that you can use it with merchants who don’t accept chip cards yet.
During the transition to chip, you can swipe your card as you normally would and follow the prompts. If the terminal is chip-enabled, it will prompt you to insert it instead. If you already know your chip card works there, start by inserting your card. These basic steps will help ensure successful transactions:
Always remember when you use your chip card to follow the prompts on the terminal and leave your card inserted until prompted to remove it.
Depending on the type of ATM, your experience may differ slightly:
*If your card stays visible, use these basic steps for a successful ATM transaction:
- Insert and remove your card as you normally would. This tells a chip-enabled ATM whether you have a chip card or not. Then follow the prompts.
- If the ATM is chip-enabled, it will prompt you to insert the card again and leave it inserted. The ATM will clamp down on your chip card to hold it in place until the transaction is complete. Do not try to remove your card until prompted by the ATM.
- When the ATM says the transaction is complete, remember to take your card.
*If your card is not visible, a chip-enabled ATM will automatically recognize the chip on your card. If you’re used to an ATM returning your card immediately, note that your chip card will now be returned at the end of the transaction. To complete a transaction, proceed as you normally would and follow the prompts. When the ATM says the transaction is complete, remember to take your card.
At an ATM, start the transaction as you normally would and follow the prompts. A chip-enabled ATM will guide you through the transaction. Depending on the type of ATM, your experience may differ slightly.
Yes, merchants and ATMs will continue to accept magnetic strip cards.
Yes. Your card will have a chip and a magnetic strip to accommodate any situation.
Chip-enabled terminals have all of the features you are used to with a payment terminal, with the addition of a slot to insert your card. The slot is typically located at the bottom or the top of the payment terminal.
During the transition to chip, you can swipe your card as you normally would and follow the prompts. If the terminal is chip-enabled, it will prompt you to insert it instead. If you already know your chip card works there, start by inserting your card.
Cards will still have a magnetic strip on the back, so even if a terminal or ATM is not yet chip-enabled, you can use your card as you do today.
Anywhere. Your card will have a chip and a magnetic strip to accommodate any situation.
Every day more merchants and ATMs are becoming chip-enabled to increase security for in-person card transactions, so you will start to see these terminals and ATMs at many of the stores and financial institutions you visit today. You will continue to be able to pay at both chip-enabled and non-chip-enabled merchants and ATMs with the same card.
No. You will use your chip card for online purchases by following the same process you do today.
Yes. Chip cards are widely used in international markets and are accepted in more than 80 countries. Having a chip card will make it easier for you to make purchases and complete ATM transactions when you travel internationally.
EMV cards are smart payment cards (also called chip cards or IC cards) which store data on integrated circuits rather than magnetic stripes. This creates dynamic data every time you make a transaction, making it nearly impossible for fraudsters to duplicate or clone your card. EMV cards are also capable of storing loyalty program information, allowing you to earn or redeem loyalty points at participating merchants.
This feature provides you with security protection on your everyday purchases. Find out more about consumer safety and security.
Safety tips to keep your card safe:
Your card’s EMV chip adds another layer of security to every payment you make. But there are a few important things you can do to help keep your card secure too.
- Sign your new cards as soon as you receive them.
- Refrain from sharing confidential information like account information and PIN.
- Every now and then, check to make sure none of your cards are missing.
- Look through your bank and card statements when you receive them. Spot any transactions you’re not familiar with.
- If you think there's been suspicious activity in your account, alert your bank immediately.
What Is a Chip Card?
A chip card is a standard-size plastic debit or credit card that contains an embedded microchip as well as a traditional magnetic stripe. The chip encrypts information to increase data security when making transactions at stores, terminals, or automated teller machines (ATMs). Chip cards also are known as smart cards, chip-and-PIN cards, chip-and-signature cards, and the Europay, Mastercard, Visa (EMV) card.
- A chip card is a debit or credit card that contains an embedded microchip along with the traditional magnetic stripe.
- The chip provides consumers with additional security when making transactions at stores, terminals, or ATMs because they're harder to skim.
- A cardholder inserts their card into a chip-enabled terminal where the transaction is either approved or declined.
- Chip-and-PIN and chip-and-signature are two types of chip cards.
How Chip Cards Work
Plastic has been a go-to payment method for quite some time providing consumers with convenience and security over cash payments. Credit cards with revolving credit—like we have today—have been around since the 1950s, while debit cards have been on the market since the late-1960s. Account information such as the cardholder's credit limit, available balance, and transaction limits was stored in the magnetic stripe on the back.
Chip cards became a global standard for debit and credit transactions after the technology was introduced by Europay, Mastercard, and Visa. This is why it's also called an EMV card. Chip cards have a little silver or gold microchip embedded on the front of a debit or credit card. Just like the magnetic stripe, the chip contains information about the account(s) associated with the card. The technology was first used in Europe before becoming a standard around the world. The technology was officially adopted in the United States in October 2015.
In order to use the chip card, the cardholder inserts the card into a chip-enabled terminal such as an ATM or a point-of-sale (POS) terminal. The terminal submits the cardholder's information to the merchant or card provider's site. If the account balance supports the transaction, it is then approved. If not, the terminal rejects the transaction and it does not go through. Some terminals require the cardholder to enter a personal identification number (PIN) or a signature to complete the transaction.
Chip technology may help reduce certain types of fraud resulting from data breaches although it does not actually prevent a data breach from occurring. The enhanced security of the chip itself contains counterfeiting preventive measures.
Despite the efforts of the global financial community to provide a uniform environment for financial transactions, not all card readers are chip-enabled. High costs, the availability of equipment and technology, along with other factors may prevent merchants from implementing chip-enabled technology. When a retailer or other service provider doesn't have a chip reading terminal, cardholders must swipe their cards using the magnetic stripe. Users may be required to enter their PINs or sign to authorize the transaction and complete the purchase.
Types of Chip Cards
In most cases, a cardholder is simply required to enter their chip card into a terminal in order to execute a transaction in the United States. But in other cases—including in other countries—consumers may be required to take additional steps in order to make a purchase or withdraw cash from the ATM using the following cards.
A chip-and-signature card provides a little more security over the traditional magnetic stripe. Rather than using the stripe, the cardholder uses the chip to send data from the terminal to the financial institution. If the transaction is approved, the consumer must provide a signature in order to complete the transaction.
These cards offer the most security for consumers. They work in the same way as a regular chip card, but also require the use of a PIN to complete a transaction. A customer must enter their personal identification number in order to make a purchase or withdraw money from the ATM using their credit or debit card. PINs are commonly used for ATM withdrawals using debit and credit cards in the United States. Consumers in Canada and other countries are required to use their PINs regardless of how or where they use their cards—even if it's a credit card.
Benefits of Chip Cards
Chip card technology provides an additional layer of security when used at a chip-enabled terminal because the cards are more difficult to skim. This encryption security is in addition to the fraud prevention monitoring already offered by card providers. In most cases, purchases have coverage for fraudulent usage. This coverage limits a customer's liability in the event of theft. Embedded chips help merchants avoid card-present fraud, but other lines of protection must come from other methods to prevent card-not-present-fraud.
The chip makes transactions more secure by encrypting information when used at a chip-enabled terminal. Chip card technology is not yet a locator system so you can't find your card using a locator service if you lose it. In this case, you have to request a replacement card from your provider. Until engaged in a reader, the card cannot detect its location for security or advertising purposes. The chip is limited to supporting authentication of card data during purchases. Usually, this type of card is easily replaceable in the event of loss or damage.
Banks monitor the chip card's activity by location use, the purchase amount, and the merchant charging the account. If any deceptive activity is detected, the card provider will attempt to contact the customer. The bank issues a credit to the chip-card account after verification of fraudulent charges.
For the amusement ride vehicle, see enhanced motion vehicle. For the Mexican school, see Escuela Mexicana del Valle. For the Australian agency, see Emergency Management Victoria.
EMV is a payment method based upon a technical standard for smartpayment cards and for payment terminals and automated teller machines which can accept them. EMV originally stood for "Europay, Mastercard, and Visa", the three companies that created the standard.
EMV cards are smart cards, also called chip cards, integrated circuit cards, or IC cards which store their data on integrated circuit chips, in addition to magnetic stripes for backward compatibility. These include cards that must be physically inserted or "dipped" into a reader, as well as contactless cards that can be read over a short distance using near-field communication technology. Payment cards which comply with the EMV standard are often called chip and PIN or chip and signature cards, depending on the authentication methods employed by the card issuer, such as a personal identification number (PIN) or digital signature.
There are standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards (Mastercard Contactless, Visa PayWave, American Express ExpressPay).
In February 2010, computer scientists from Cambridge University demonstrated that an implementation of EMV PIN entry is vulnerable to a man-in-the-middle attack but only implementations where the PIN was validated offline were vulnerable.
See also: Payment card and Smart card
Until the introduction of Chip & PIN, all face-to-face credit or debit card transactions involved the use of a magnetic stripe or mechanical imprint to read and record account data, and a signature for purposes of identity verification. The customer hands their card to the cashier at the point of sale who then passes the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the system verifies account details and prints a slip for the customer to sign. In the case of a mechanical imprint, the transaction details are filled in, a list of stolen numbers is consulted, and the customer signs the imprinted slip. In both cases the cashier must verify that the customer's signature matches that on the back of the card to authenticate the transaction.
Using the signature on the card as a verification method has a number of security flaws, the most obvious being the relative ease with which cards may go missing before their legitimate owners can sign them. Another involves the erasure and replacement of legitimate signature, and yet another involves the forgery of the correct signature.
The invention of the siliconintegrated circuit chip in 1959 led to the idea of incorporating it onto a plastic smart card in the late 1960s by two German engineers, Helmut Gröttrup and Jürgen Dethloff. The earliest smart cards were introduced as calling cards in the 1970s, before later being adapted for use as payment cards. Smart cards have since used MOS integrated circuit chips, along with MOS memory technologies such as flash memory and EEPROM (electrically erasable programmable read-only memory).
The first standard for smart payment cards was the Carte Bancaire B0M4 from Bull-CP8 deployed in France in 1986, followed by the B4B0' (compatible with the M4) deployed in 1989. Geldkarte in Germany also predates EMV. EMV was designed to allow cards and terminals to be backwardly compatible with these standards. France has since migrated all its card and terminal infrastructure to EMV.
EMV originally stood for Europay, Mastercard, and Visa, the three companies that created the standard. The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China UnionPay, and Discover. EMVCo also refers to "Associates," companies able to provide input and receive feedback on detailed technical and operational issues connected to the EMV specifications and related processes.
JCB joined the consortium in February 2009, China UnionPay in May 2013,Discover in September 2013, and RuPay on 26 March 2012.
Differences and benefits
There are two major benefits to moving to smart-card-based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of "offline" credit-card transaction approvals. One of the original goals of EMV was to provide for multiple applications on a card: for a credit and debit card application or an e-purse. New issue debit cards in the US[when?] contain two applications — a card association (Visa, Mastercard etc.) application, and a common debit application. The common debit application ID is somewhat of a misnomer as each "common" debit application actually uses the resident card association application.
EMV chip card transactions improve security against fraud compared to magnetic stripe card transactions that rely on the holder's signature and visual inspection of the card to check for features such as hologram. The use of a PIN and cryptographic algorithms such as Triple DES, RSA and SHA provide authentication of the card to the processing terminal and the card issuer's host system. The processing time is comparable to online transactions, in which communications delay accounts for the majority of the time, while cryptographic operations at the terminal take comparatively little time. The supposed increased protection from fraud has allowed banks and credit card issuers to push through a "liability shift", such that merchants are now liable (as of 1 January 2005 in the EU region and 1 October 2015 in the US) for any fraud that results from transactions on systems that are not EMV-capable.[promotional source?][promotional source?]
The majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a personal identification number (PIN) rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and programming of the card.
When credit cards were first introduced, merchants used mechanical rather than magnetic portable card imprinters that required carbon paper to make an imprint. They did not communicate electronically with the card issuer, and the card never left the customer's sight. The merchant had to verify transactions over a certain currency limit by telephoning the card issuer. During the 1970s in the United States, many merchants subscribed to a regularly-updated list of stolen or otherwise invalid credit card numbers. This list was commonly printed in booklet form on newsprint, in numerical order, much like a slender phone book, yet without any data aside from the list of invalid numbers. Checkout cashiers were expected to thumb through this booklet each and every time a credit card was presented for payment of any amount, prior to approving the transaction, which incurred a short delay.
Later, equipment electronically contacted the card issuer, using information from the magnetic stripe to verify the card and authorize the transaction. This was much faster than before, but required the transaction to occur in a fixed location. Consequently, if the transaction did not take place near a terminal (in a restaurant, for example) the clerk or waiter had to take the card away from the customer and to the card machine. It was easily possible at any time for a dishonest employee to swipe the card surreptitiously through a cheap machine that instantly recorded the information on the card and stripe; in fact, even at the terminal, a thief could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards relatively easy, and a more common occurrence than before.
Since the introduction of payment card Chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used by itself on a terminal requiring a PIN. The introduction of Chip and PIN coincided with wirelessdata transmission technology becoming inexpensive and widespread. In addition to mobile-phone-based magnetic readers, merchant personnel can now bring wireless PIN pads to the customer, so the card is never out of the cardholder's sight. Thus, both chip-and-PIN and wireless technologies can be used to reduce the risks of unauthorized swiping and card cloning.
Chip and PIN versus chip and signature
Chip and PIN is one of the two verification methods that EMV enabled cards can employ. Rather than physically signing a receipt for identification purposes, the user just enters a personal identification number (PIN), typically of 4 to 6 digits in length. This number must correspond to the information stored on the chip. Chip and PIN technology makes it much harder for fraudsters to use a found card, so if someone steals a card, they can't make fraudulent purchases unless they know the PIN.
Chip and signature, on the other hand, differentiates itself from chip and PIN by verifying a consumer's identity with a signature.
As of 2015, chip and signature cards are more common in the US, Mexico, parts of South America (such as Argentina, Colombia, Peru) and some Asian countries (such as Taiwan, Hong Kong, Thailand, South Korea, Singapore, and Indonesia), whereas chip and PIN cards are more common in most European countries (e.g., the UK, Ireland, France, Portugal, Finland and the Netherlands) as well as in Iran, Brazil, Venezuela, India, Sri Lanka, Canada, Australia and New Zealand.
Online, phone, and mail order transactions
While EMV technology has helped reduce crime at the point of sale, fraudulent transactions have shifted to more vulnerable telephone, Internet, and mail order transactions—known in the industry as card-not-present or CNP transactions. CNP transactions made up at least 50% of all credit card fraud. Because of physical distance, it is not possible for the merchant to present a keypad to the customer in these cases, so alternatives have been devised, including
- Software approaches for online transactions that involve interaction with the card-issuing bank or network's website, such as Verified by Visa and Mastercard SecureCode (implementations of Visa's 3-D Secure protocol). 3-D Secure is now being replaced by Strong Customer Authentication as defined in the European Second Payment Services Directive.
- Creating a one-time virtual card linked to a physical card with a given maximum amount.
- Additional hardware with keypad and screen that can produce a one-time password, such as the Chip Authentication Program.
- Keypad and screen integrated into complex cards to produce a one-time password. Since 2008, Visa has been running pilot projects using the Emue card where the generated number replaces the code printed on the back of standard cards.
ISO/IEC 7816-3 defines the transmission protocol between chip cards and readers. Using this protocol, data is exchanged in application protocol data units (APDUs). This comprises sending a command to a card, the card processing it, and sending a response. EMV uses the following commands:
- application block
- application unblock
- card block
- external authenticate (7816-4)
- generate application cryptogram
- get data (7816-4)
- get processing options
- internal authenticate (7816-4)
- PIN change / unblock
- read record (7816-4)
- select (7816-4)
- verify (7816-4).
Commands followed by "7816-4" are defined in ISO/IEC 7816-4 and are interindustry commands used for many chip card applications such as GSMSIM cards.
An EMV transaction has the following steps:[third-party source needed]
ISO/IEC 7816 defines a process for application selection. The intent of application selection was to let cards contain completely different applications—for example GSM and EMV. However, EMV developers implemented application selection as a way of identifying the type of product, so that all product issuers (Visa, Mastercard, etc.) must have their own application. The way application selection is prescribed in EMV is a frequent source of interoperability problems between cards and terminals. Book 1 of the EMV standard devotes 15 pages to describing the application selection process.
An application identifier (AID) is used to address an application in the card or Host Card Emulation (HCE) if delivered without a card. An AID consists of a registered application provider identifier (RID) of five bytes, which is issued by the ISO/IEC 7816-5 registration authority. This is followed by a proprietary application identifier extension (PIX), which enables the application provider to differentiate among the different applications offered. The AID is printed on all EMV cardholder receipts. Card issuers can alter the application name from the name of the card network. Chase, for example, renames the Visa application on its Visa cards to "CHASE VISA", and the Mastercard application on its Mastercard cards to "CHASE MASTERCARD". Capital One renames the Mastercard application on its Mastercard cards to "CAPITAL ONE", and the Visa application on its Visa cards to "CAPITAL ONE VISA". The applications are otherwise the same.[a]
List of applications:
|Card scheme / Payment Network||RID||Product||PIX||AID|
|Danmønt (Denmark)||A000000001||Cash card||1010||A0000000011010|
|Visa (USA)||A000000003||Visa credit or debit||1010||A0000000031010|
|Mastercard (USA)||A000000004||Mastercard credit or debit||1010||A0000000041010|
|Cirrus ATM card only||6000||A0000000046000|
|Chip Authentication Program Securecode||8002||A0000000048002|
|American Express (USA)||A000000025||American Express||01||A00000002501|
|U.S. Debit (all interbank networks) (USA)||A000000098||Visa-branded card||0840||A0000000980840|
|Menards Credit Card (store card) (USA)||A000000817||002001||A000000817002001|
|LINK ATM network (UK)||A000000029||ATM card||1010||A0000000291010|
|CB (France)||A000000042||CB (credit or debit card)||1010||A0000000421010|
|CB (Debit card only)||2010||A0000000422010|
|JCB (Japan)||A000000065||Japan Credit Bureau||1010||A0000000651010|
|Consorzio Bancomat (Italy)||A000000141||Bancomat/PagoBancomat||0001||A0000001410001|
|Diners Club/Discover (USA)||A000000152||Diners Club/Discover||3010||A0000001523010|
|Banrisul (Brazil)||A000000154||Banricompras Debito||4442||A0000001544442|
|SPAN2 (Saudi Arabia)||A000000228||SPAN||1010||A00000022820101010|
|Interac (Canada)||A000000277||Debit card||1010||A0000002771010|
|EAPS Bancomat (Italy)||A000000359||PagoBancomat||10100380||A00000035910100380|
|The Exchange Network ATM network (Canada/USA)||A000000439||ATM card||1010||A0000004391010|
|Dinube (Spain)||A000000630||Dinube Payment Initiation (PSD2)||0101||A0000006300101|
|MIR (Russia)||A000000658||MIR Debit||2010||A0000006582010|
|Edenred (Belgium)||A000000436||Ticket Restaurant||0100||A0000004360100|
|eftpos (Australia)||A000000384||Savings (debit card)||10||A00000038410|
|Cheque (debit card)||20||A00000038420|
|GIM-UEMOA ||A000000337||Retrait||01 000001||A000000337301000|
|Prepaye Online||01 000004||A000000337101001|
|Prepaye Possibile Offline||01 000005||A000000337102001|
|Porte Monnaie Electronique||01 000006||A000000337601001|
|meeza (Egypt)||A000000732||meeza Card||100123||A000000732100123|
Initiate application processing
The terminal sends the get processing options command to the card. When issuing this command, the terminal supplies the card with any data elements requested by the card in the processing options data objects list (PDOL). The PDOL (a list of tags and lengths of data elements) is optionally provided by the card to the terminal during application selection. The card responds with the application interchange profile (AIP), a list of functions to perform in processing the transaction. The card also provides the application file locator (AFL), a list of files and records that the terminal needs to read from the card.
Read application data
Smart cards store data in files. The AFL contains the files that contain EMV data. These all must be read using the read record command. EMV does not specify which files data is stored in, so all the files must be read. Data in these files is stored in BERTLV format. EMV defines tag values for all data used in card processing.
The purpose of the processing restrictions is to see if the card should be used. Three data elements read in the previous step are checked: Application version number, Application usage control (This shows whether the card is only for domestic use, etc.), Application effective/expiration dates checking.
If any of these checks fails, the card is not necessarily declined. The terminal sets the appropriate bit in the terminal verification results (TVR), the components of which form the basis of an accept/decline decision later in the transaction flow. This feature lets, for example, card issuers permit cardholders to keep using expired cards after their expiry date, but for all transactions with an expired card to be performed on-line.
Offline data authentication (ODA)
Offline data authentication is a cryptographic check to validate the card using public-key cryptography. There are three different processes that can be undertaken depending on the card:
- Static data authentication (SDA) ensures data read from the card has been signed by the card issuer. This prevents modification of data, but does not prevent cloning.
- Dynamic data authentication (DDA) provides protection against modification of data and cloning.
- Combined DDA/generate application cryptogram (CDA) combines DDA with the generation of a card's application cryptogram to assure card validity. Support of CDA in devices may be needed, as this process has been implemented in specific markets. This process is not mandatory in terminals and can only be carried out where both card and terminal support it.
To verify the authenticity of payment cards, EMV certificates are used. The EMV Certificate Authority issues digital certificates to payment card issuers. When requested, the payment card chip provides the card issuer's public key certificate and SSAD to the terminal. The terminal retrieves the CA's public key from local storage and uses it to confirm trust for the CA and, if trusted, to verify the card issuer's public key was signed by the CA. If the card issuer's public key is valid, the terminal uses the card issuer's public key to verify the card's SSAD was signed by the card issuer.
Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. There are many cardholder verification methods (CVMs) supported in EMV. They are
- Offline plaintext PIN
- Offline enciphered PIN
- Offline plaintext PIN and signature
- Offline enciphered PIN and signature
- Online PIN
- No CVM required
- Consumer Device CVM
- Fail CVM processing
The terminal uses a CVM list read from the card to determine the type of verification to perform. The CVM list establishes a priority of CVMs to use relative to the capabilities of the terminal. Different terminals support different CVMs. ATMs generally support online PIN. POS terminals vary in their CVM support depending on type and country.
For offline enciphered PIN methods, the terminal encrypts the cleartext PIN block with the card's public key before sending it to the card with the Verify command. For the online PIN method, the cleartext PIN block is encrypted by the terminal using its point-to-point encryption key before sending it to the acquirer processor in the authorization request message.
In 2017, EMVCo added support for biometric verification methods in version 4.3 of the EMV specifications
Terminal risk management
Terminal risk management is only performed in devices where there is a decision to be made whether a transaction should be authorised on-line or offline. If transactions are always carried out on-line (e.g., ATMs) or always off-line, this step can be skipped. Terminal risk management checks the transaction amount against an offline ceiling limit (above which transactions should be processed on-line). It is also possible to have a 1 in an online counter, and a check against a hot card list (which is only necessary for off-line transactions). If the result of any of these tests is positive, the terminal sets the appropriate bit in the terminal verification results (TVR).
Terminal action analysis
The results of previous processing steps are used to determine whether a transaction should be approved offline, sent online for authorization, or declined offline. This is done using a combination of data objects known as terminal action codes (TACs) held in the terminal and issuer action codes (IACs) read from the card. The TAC is logically OR'd with the IAC, to give the transaction acquirer a level of control over the transaction outcome.
Both types of action code take the values Denial, Online, and Default. Each action code contains a series of bits which correspond to the bits in the Terminal verification results (TVR), and are used in the terminal's decision whether to accept, decline or go on-line for a payment transaction. The TAC is set by the card acquirer; in practice card schemes advise the TAC settings that should be used for a particular terminal type depending on its capabilities. The IAC is set by the card issuer; some card issuers may decide that expired cards should be rejected, by setting the appropriate bit in the Denial IAC. Other issuers may want the transaction to proceed on-line so that they can in some cases allow these transactions to be carried out.
An online-only device such as an ATM always attempts to go on-line with the authorization request, unless declined off-line due to issuer action codes—Denial settings. During IAC—Denial and TAC—Denial processing, for an online only device, the only relevant Terminal verification results bit is "Service not allowed".
When an online-only device performs IAC—Online and TAC—Online processing the only relevant TVR bit is "Transaction value exceeds the floor limit". Because the floor limit is set to zero, the transaction should always go online and all other values in TAC—Online or IAC—Online are irrelevant. Online-only devices do not need to perform IAC-default processing.
First card action analysis
One of the data objects read from the card in the Read application data stage is CDOL1 (Card Data object List). This object is a list of tags that the card wants to be sent to it to make a decision on whether to approve or decline a transaction (including transaction amount, but many other data objects too). The terminal sends this data and requests a cryptogram using the generate application cryptogram command. Depending on the terminal's decision (offline, online, decline), the terminal requests one of the following cryptograms from the card:
- Transaction certificate (TC)—Offline approval
- Authorization Request Cryptogram (ARQC)—Online authorization
- Application Authentication Cryptogram (AAC)—Offline decline.
This step gives the card the opportunity to accept the terminal's action analysis or to decline a transaction or force a transaction on-line. The card cannot return a TC when an ARQC has been asked for, but can return an ARQC when a TC has been asked for.
Online transaction authorization
Transactions go online when an ARQC has been requested. The ARQC is sent in the authorisation message. The card generates the ARQC. Its format depends on the card application. EMV does not specify the contents of the ARQC. The ARQC created by the card application is a digital signature of the transaction details, which the card issuer can check in real time. This provides a strong cryptographic check that the card is genuine. The issuer responds to an authorization request with a response code (accepting or declining the transaction), an authorisation response cryptogram (ARPC) and optionally an issuer script (a string of commands to be sent to the card).
ARPC processing is not performed in contact transactions processed with Visa Quick Chip for EMV and Mastercard M/Chip Fast, and in contactless transactions across schemes because the card is removed from the reader after the ARQC has been generated.
Second card action analysis
CDOL2 (Card data object list) contains a list of tags that the card wanted to be sent after online transaction authorisation (response code, ARPC, etc.). Even if for any reason the terminal could not go online (e.g., communication failure), the terminal should send this data to the card again using the generate authorisation cryptogram command. This lets the card know the issuer's response. The card application may then reset offline usage limits.
Issuer script processing
If a card issuer wants to update a card post issuance it can send commands to the card using issuer script processing. Issuer scripts are meaningless to the terminal and can be encrypted between the card and the issuer to provide additional security. Issuer script can be used to block cards, or change card parameters.
Issuer script processing is not available in contact transactions processed with Visa Quick Chip for EMV and Mastercard M/Chip Fast, and for contactless transactions across schemes.
Control of the EMV standard
The first version of EMV standard was published in 1995. Now the standard is defined and managed by the privately owned corporation EMVCo LLC. The current members of EMVCo are American Express, Discover Financial, JCB International, Mastercard, China UnionPay, and Visa Inc. Each of these organizations owns an equal share of EMVCo and has representatives in the EMVCo organization and EMVCo working groups.
Recognition of compliance with the EMV standard (i.e., device certification) is issued by EMVCo following submission of results of testing performed by an accredited testing house.
EMV Compliance testing has two levels: EMV Level 1, which covers physical, electrical and transport level interfaces, and EMV Level 2, which covers payment application selection and credit financial transaction processing.
After passing common EMVCo tests, the software must be certified by payment brands to comply with proprietary EMV implementations such as Visa VSDC, American Express AEIPS, Mastercard MChip, JCB JSmart, or EMV-compliant implementations of non-EMVCo members such as LINK in the UK, or Interac in Canada.
List of EMV documents and standards
This section needs to be updated. Please help update this article to reflect recent events or newly available information.(March 2020)
As of 2011, since version 4.0, the official EMV standard documents which define all the components in an EMV payment system are published as four "books" and some additional documents:
The first EMV standard came into view in 1995 as EMV 2.0. This was upgraded to EMV 3.0 in 1996 (sometimes referred to as EMV '96) with later amendments to EMV 3.1.1 in 1998. This was further amended to version 4.0 in December 2000 (sometimes referred to as EMV 2000). Version 4.0 became effective in June 2004. Version 4.1 became effective in June 2007. Version 4.2 is in effect since June 2008. Version 4.3 is in effect since November 2011.
Opportunities to harvest PINs and clone magnetic stripes
In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards, and defective cards. This attack is possible only where (a) the offline PIN is presented in plaintext by the PIN entry device to the card, where (b) magstripe fallback is permitted by the card issuer and (c) where geographic and behavioural checking may not be carried out by the card issuer.
APACS, representing the UK payment industry, claimed that changes specified to the protocol (where card verification values differ between the magnetic stripe and the chip – the iCVV) rendered this attack ineffective and that such measures would be in place from January 2008. Tests on cards in February 2008 indicated this may have been delayed.
Conversation capturing is a form of attack which was reported to have taken place against Shell terminals in May 2006, when they were forced to disable all EMV authentication in their filling stations after more than £1 million was stolen from customers.
In October 2008, it was reported that hundreds of EMV card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been expertly tampered with in China during or shortly after manufacture. For 9 months details and PINs of credit and debit cards were sent over mobile phone networks to criminals in Lahore, Pakistan. United States National Counterintelligence Executive Joel Brenner said, "Previously only a nation state's intelligence agency would have been capable of pulling off this type of operation. It's scary." Data were typically used a couple of months after the card transactions to make it harder for investigators to pin down the vulnerability. After the fraud was discovered it was found that tampered-with terminals could be identified as the additional circuitry increased their weight by about 100 g. Tens of millions of pounds sterling are believed to have been stolen. This vulnerability spurred efforts to implement better control of electronic POS devices over their entire life cycle, a practice endorsed by electronic payment security standards like those being developed by the Secure POS Vendor Alliance (SPVA).
PIN harvesting and stripe cloning
In a February 2008 BBC Newsnight programme Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated one example attack, to illustrate that Chip and PIN is not secure enough to justify passing the liability to prove fraud from the banks onto customers. The Cambridge University exploit allowed the experimenters to obtain both card data to create a magnetic stripe and the PIN.
APACS, the UK payments association, disagreed with the majority of the report, saying "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out." They also said that changes to the protocol (specifying different card verification values between the chip and magnetic stripe – the iCVV) would make this attack ineffective from January 2008. The fraud reported in October 2008 to have operated for 9 months (see above) was probably in operation at the time, but was not discovered for many months.
In August 2016, NCR (payment technology company) computer security researchers showed how credit card thieves can rewrite the code of a magnetic strip to make it appear like a chipless card, which allows for counterfeiting.
2010: Hidden hardware disables PIN checking on stolen card
On 11 February 2010 Murdoch and Drimer's team at Cambridge University announced that they had found "a flaw in chip and PIN so serious they think it shows that the whole system needs a re-write" that was "so simple that it shocked them". A stolen card is connected to an electronic circuit and to a fake card which is inserted into the terminal ("man-in-the-middle attack"). Any four digits are typed in and accepted as a valid PIN.
A team from the BBC's Newsnight programme visited a Cambridge University cafeteria (with permission) with the system, and were able to pay using their own cards (a thief would use stolen cards) connected to the circuit, inserting a fake card and typing in "0000" as the PIN. The transactions were registered as normal, and were not picked up by banks' security systems. A member of the research team said, "Even small-scale criminal systems have better equipment than we have. The amount of technical sophistication needed to carry out this attack is really quite low." The announcement of the vulnerability said, "The expertise that is required is not high (undergraduate level electronics) ... We dispute the assertion by the banking industry that criminals are not sophisticated enough, because they have already demonstrated a far higher level of skill than is necessary for this attack in their miniaturized PIN entry device skimmers." It is not known if this vulnerability has been exploited.
EMVCo disagreed and published a response saying that, while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully, that current compensating controls are likely to detect or limit the fraud, and that the possible financial gain from the attack is minimal while the risk of a declined transaction or exposure of the fraudster is significant.
When approached for comment, several banks (Co-operative Bank, Barclays and HSBC) each said that this was an industry-wide issue, and referred the Newsnight team to the banking trade association for further comment. According to Phil Jones of the Consumers' Association, Chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained. "What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."
Because submission of the PIN is suppressed, this is the exact equivalent of a merchant performing a PIN bypass transaction. Such transactions can't succeed offline, as a card never generates an offline authorisation without a successful PIN entry. As a result of this, the transaction ARQC must be submitted online to the issuer, who knows that the ARQC was generated without a successful PIN submission (since this information is included in the encrypted ARQC) and hence would be likely to decline the transaction if it were for a high value, out of character, or otherwise outside of the typical risk management parameters set by the issuer.
Originally, bank customers had to prove that they had not been negligent with their PIN before getting redress, but UK regulations in force from 1 November 2009 placed the onus firmly on the banks to prove that a customer has been negligent in any dispute, with the customer given 13 months to make a claim. Murdoch said that "[the banks] should look back at previous transactions where the customer said their PIN had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud."
2011: CVM downgrade allows arbitrary PIN harvest
At the CanSecWest conference in March 2011, Andrea Barisani and Daniele Bianco presented research uncovering a vulnerability in EMV that would allow arbitrary PIN harvesting despite the cardholder verification configuration of the card, even when the supported CVMs data is signed.
The PIN harvesting can be performed with a chip skimmer. In essence, a CVM list that has been modified to downgrade the CVM to Offline PIN is still honoured by POS terminals, despite its signature being invalid.
In 2020, researchers David Basin, Ralf Sasse, and Jorge Toro from ETH Zurich reported a critical security issue affecting Visa contactless cards. The issue consists of lack of cryptographic protection of critical data sent by the card to the terminal during an EMV transaction. The data in question determines the cardholder verification method (CVM, such as PIN verification) to be used for the transaction. The team demonstrated that it is possible to modify this data to trick the terminal into believing that no PIN is required because the cardholder was verified using their device (e.g. smartphone). The researchers developed a proof-of-concept Android app that effectively turns a physical Visa card into a mobile payment app (e.g. Apple Pay, Google Pay) to perform PIN-free, high-value purchases. The attack is carried out using two NFC-enabled smartphones, one held near the physical card and the second held near the payment terminal. The attack might affect cards by Discover and China's UnionPay but this was not demonstrated in practice, in contrast to the case of cards by Visa.
In early 2021, the same team disclosed that Mastercard cards are also vulnerable to a PIN bypass attack. They showed that criminals can trick a terminal into transacting with a Mastercard contactless card while believing it to be a Visa card. This card brand mixup has critical consequences since it can be used in combination with the PIN bypass for Visa to also bypass the PIN for Mastercard cards.
"Complex systems such as EMV must be analyzed by automated tools, like model checkers", researchers point out as the main takeaway of their findings. As opposed to humans, model-checking tools like Tamarin are up to the task since they can deal with the complexity of real-world systems like EMV.
EMV originally stood for "Europay, Mastercard, and Visa", the three companies that created the standard. The standard is now managed by EMVCo, a consortium of financial companies. The most widely known chips of the EMV standard are:[when?]
- VIS: Visa
- Mastercard chip: Mastercard
- AEIPS: American Express
- UICS: China Union Pay
- J Smart: JCB
- D-PAS: Discover/Diners Club International
- Rupay: NPCI
Visa and Mastercard have also developed standards for using EMV cards in devices to support card not present transactions (CNP) over the telephone and Internet. Mastercard has the Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes. Visa has the Dynamic Passcode Authentication (DPA) scheme, which is their implementation of CAP using different default values.
In many countries of the world, debit card and/or credit card payment networks have implemented liability shifts. Normally, the card issuer is liable for fraudulent transactions. However, after a liability shift is implemented, if the ATM or merchant's point of sale terminal does not support EMV, the ATM owner or merchant is liable for the fraudulent transaction.
Chip and PIN systems can cause problems for travellers from countries that do not issue Chip and PIN cards as some retailers may refuse to accept their chipless cards. While most terminals still accept a magnetic strip card, and the major credit card brands require vendors to accept them, some staff may refuse to take the card, under the belief that they are held liable for any fraud if the card cannot verify a PIN. Non-chip-and-PIN cards may also not work in some unattended vending machines at, for example, train stations, or self-service check-out tills at supermarkets.
- Mastercard's liability shift among countries within this region took place on 1 January 2006. By 1 October 2010, a liability shift had occurred for all point of sale transactions.
- Visa's liability shift for points of sale took place on 1 January 2006. For ATMs, the liability shift took place on 1 January 2008.
- Mastercard's liability shift took place on 1 January 2005.
- Mastercard's liability shift among countries within this region took place on 1 January 2006. By 1 October 2010, a liability shift had occurred for all point of sale transactions, except for domestic transactions in China and Japan.
- Visa's liability shift for points of sale took place on 1 October 2010. For ATMs, the liability shift date took place on 1 October 2015, except in China, India, Japan, and Thailand, where the liability shift was on 1 October 2017. Domestic ATM transactions in China are not currently not subject to a liability shift deadline.
- Mastercard required that all point of sale terminals be EMV capable by April 2013. For ATMs, the liability shift took place in April 2012. ATMs must be EMV compliant by the end of 2015
- Visa's liability shift for ATMs took place 1 April 2013.
- Malaysia is the first country in the world to completely migrate to EMV-compliant smart cards two years after its implementation in 2005.
- Mastercard required all point of sale terminals to be EMV compliant by 1 July 2011. For ATMs, the liability shift took place in April 2012. ATMs are required to be EMV compliant by the end of 2015.
- Visa's liability shift for ATMs was 1 April 2013.
- Mastercard's liability shift took place on 1 January 2005.
- Visa's liability shift for points of sale took place on 1 January 2006. For ATMs, the liability shift took place on 1 January 2008.
- France has cut card fraud by more than 80% since its introduction in 1992 (see Carte Bleue).
Chip and PIN was trialled in Northampton, England from May 2003, and as a result was rolled out nationwide in the United Kingdom on 14 February 2006 with advertisements in the press and national television touting the "Safety in Numbers" slogan. During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN. On January 1, 2005, the liability for such transactions was shifted to the retailer; this acted as an incentive for retailers to upgrade their point of sale (PoS) systems, and most major high-street chains upgraded on time for the EMV deadline. Many smaller businesses were initially reluctant to upgrade their equipment, as it required a completely new PoS system—a significant investment.
New cards featuring both magnetic strips and chips are now issued by all major banks. The replacement of pre-Chip and PIN cards was a major issue, as banks simply stated that consumers would receive their new cards "when their old card expires" — despite many people having had cards with expiry dates as late as 2007. The card issuer Switch lost a major contract with HBOS to Visa, as they were not ready to issue the new cards as early as the bank wanted.
The Chip and PIN implementation was criticised as designed to reduce the liability of banks in cases of claimed card fraud by requiring the customer to prove that they had acted "with reasonable care" to protect their PIN and card, rather than on the bank having to prove that the signature matched. Before Chip and PIN, if a customer's signature was forged, the banks were legally liable and had to reimburse the customer. Until 1 November 2009 there was no such law protecting consumers from fraudulent use of their Chip and PIN transactions, only the voluntary Banking Code. There were many reports that banks refused to reimburse victims of fraudulent card use, claiming that their systems could not fail under the circumstances reported, despite several documented successful large-scale attacks.
The Payment Services Regulations 2009 came into force on 1 November 2009 and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault. The Financial Services Authority (FSA) said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability.
Latin America and the Caribbean
- Mastercard's liability shift among countries within this region took place on 1 January 2005.
- Visa's liability shift for points of sale took place on 1 October 2012, for any countries in this region that had not already implemented a liability shift. For ATMs, the liability shift took place on 1 October 2014, for any countries in this region that had not already implemented a liability shift.
- Mastercard's liability shift took place on 1 March 2008.
- Visa's liability shift for points of sale took place on 1 April 2011. For ATMs, the liability shift took place on 1 October 2012.
- Mastercard's liability shift took place on 1 October 2008.
- Discover implemented a liability shift on 1 October 2015. For pay at the pump at gas stations, the liability shift was on 1 October 2017.
- Visa's liability shift for points of sale took place on 1 April 2011. For ATMs, the liability shift took place on 1 October 2012.
- Mastercard's liability shift took place on 1 July 2009.
- Mastercard's liability shift among countries within this region took place on 1 January 2006. By 1 October 2010, a liability shift had occurred for all point of sale transactions.
- Visa's liability shift for points of sale took place on 1 January 2006. For ATMs, the liability shift took place on 1 January 2008.
- American Express implemented a liability shift on 31 October 2012.[promotional source?]
- Discover implemented a liability shift on 1 October 2015 for all transactions except pay-at-the-pump at gas stations; those transactions shifted on 1 October 2017.[third-party source needed]
- Interac (Canada's debit card network) stopped processing non-EMV transactions at ATMs on 31 December 2012, and mandated EMV transactions at point-of-sale terminals on 30 September 2016, with a liability shift taking place on 31 December 2015.[failed verification][third-party source needed]
- Mastercard implemented domestic transaction liability shift on 31 March 2011, and international liability shift on 15 April 2011. For pay at the pump at gas stations, the liability shift was implemented 31 December 2012.
- Visa implemented domestic transaction liability shift on 31 March 2011, and international liability shift on 31 October 2010. For pay at the pump at gas stations, the liability shift was implemented 31 December 2012.
- Over a 5-year period post-EMV migration, domestic card-card present fraudulent transactions significantly reduced in Canada. According to Helcim's reports, card-present domestic debit card fraud reduced 89.49% and credit card fraud 68.37%.[promotional source?]
After widespread identity theft due to weak security in the point-of-sale terminals at Target, Home Depot, and other major retailers, Visa, Mastercard and Discover in March 2012 – and American Express in June 2012 – announced their EMV migration plans for the United States. Since the announcement, multiple banks and card issuers have announced cards with EMV chip-and-signature technology, including American Express, Bank of America, Citibank, Wells Fargo, JPMorgan Chase, U.S. Bank, and several credit unions.
In 2010, a number of companies began issuing pre-paid debit cards that incorporate Chip and PIN and allow Americans to load cash as euros or pound sterling.[promotional source?]United Nations Federal Credit Union was the first United States issuer to offer Chip and PIN credit cards. In May 2010, a press release from Gemalto (a global EMV card producer) indicated that United Nations Federal Credit Union in New York would become the first EMV card issuer in the United States, offering an EMV Visa credit card to its customers. JPMorgan was the first major bank to introduce a card with EMV technology, namely its Palladium card, in mid-2012.
As of April 2016, 70% of U.S. consumers have EMV cards and as of December 2016 roughly 50% of merchants are EMV compliant. However, deployment has been slow and inconsistent across vendors. Even merchants with EMV hardware may not be able to process chip transactions due to software or compliance deficiencies. Bloomberg has also cited issues with software deployment, including changes to audio prompts for Verifone machines which can take several months to release and deploy software out. Industry experts, however, expect more standardization in the United States for software deployment and standards. Visa and Mastercard have both implemented standards to speed up chip transactions with a goal of reducing the time for these to be under three seconds. These systems are labelled as Visa Quick Chip and Mastercard M/Chip Fast.
- American Express implemented liability shift for point of sale terminals on 1 October 2015.[promotional source?] For pay at the pump, at gas stations, the liability shift is 16 April 2021. This was extended from 1 October 2020 due to complications from the coronavirus.
- Discover implemented liability shift on 1 October 2015. For pay at the pump, at gas stations, the liability shift is 1 October 2020.
- Maestro implemented liability shift of 19 April 2013, for international cards used in the United States.
- Mastercard implemented liability shift for point of sale terminals on 1 October 2015. For pay at the pump, at gas stations, the liability shift formally is on 1 October 2020. For ATMs, the liability shift date was on 1 October 2016.
- Visa implemented liability shift for point of sale terminals on 1 October 2015. For pay at the pump, at gas stations, the liability shift formally is on 1 October 2020. For ATMs, the liability shift date was on 1 October 2017.
- ^These application names are not found on the Apple Pay versions of these cards. Instead, they retain the original network name.
- ^Chen, Zhiqun (2000). Java Card Technology for Smart Cards: Architecture and Programmer's Guide. Addison-Wesley Professional. pp. 3-4. ISBN .
- ^"A short review of smart cards (2019 update)". Gemalto. 7 October 2019. Retrieved 27 October 2019.
- ^Sorensen, Emily (26 July 2019). "The Detailed History of Credit Card Machines". Mobile Transaction. Retrieved 27 October 2019.
- ^Veendrick, Harry J. M. (2017). Nanometer CMOS ICs: From Basics to ASICs. Springer. p. 315. ISBN .
- ^"EMVCo Members". EMVCo. Retrieved 10 May 2015.
- ^"China UnionPay joins EMVCo" (Press release). Finextra Research. 20 May 2013. Retrieved 10 May 2015.
- ^"Discover Joins EMVCo to Help Advance Global EMV Standards". Discover Network News. 3 September 2013. Retrieved 10 May 2015.
- ^"Rupay international website".
- ^"NPCI's RuPay debit cards to rival Visa and Mastercard". The Economic Times. 27 March 2012. Retrieved 25 July 2019.
- ^"Visa and MasterCard Support Common Solutions to Enable U.S. Chip Debit Routing". Mastercard.
- ^"Shift of liability for fraudulent transactions". The UK Cards Association. Retrieved 10 May 2015.
- ^"Understanding the 2015 U.S. Fraud Liability Shifts"(PDF). www.emv-connection.com. EMV Migration Forum. Archived from the original(PDF) on 19 September 2015. Retrieved 15 November 2015.
- ^"Why You're Still Not Safe From Fraud If You Have a Credit Card With a Chip". ABC News.
- ^"Chip-and-PIN vs. Chip-and-Signature", CardHub.com, retrieved 31 July 2012.
- ^"EMV Update: Discussion with the Federal Reserve"(PDF). Visa. Retrieved 2 January 2017.
- ^Carlin, Patricia (15 February 2017). "How To Reduce Chargebacks Without Killing Online Sales". Forbes.
- ^"BBC NEWS – Technology – Credit card code to combat fraud". bbc.co.uk.
- ^"Visa tests cards with built-in PIN machine". IT PRO.
- ^"How EMV (Chip & PIN) Works – Transaction Flow Chart". Creditcall Ltd. Retrieved 10 May 2015.
- ^ ab"Book 1: Application Independent ICC to Terminal Interface Requirements"(PDF). 4.3. EMVCo. 30 November 2011. Retrieved 20 September 2018.
- ^"MasterCard Product & Services - Documentation". Retrieved 17 April 2017.
- ^"A Guide to EMV Chip Technology"(PDF). EMVCo. November 2014.
- ^"EMV CA". EMV Certificate Authority Worldwide. 20 November 2010. Retrieved 20 March 2020.
- ^"Book 2: Security and Key Management (PDF). 4.3"(PDF). EMVCo. 29 November 2011. Retrieved 20 September 2018.
- ^"ContactlessSpecifications for Payment Systems"(PDF). EMVCo.
- ^EMVCo. "EMVCo Members". Retrieved 1 August 2020.
- ^"Book 2: Security and Key Management"(PDF). 4.3. EMVCo. 29 November 2011. Retrieved 20 September 2018.
- ^"Book 3: Application Specification"(PDF). 4.3. EMVCo. 28 November 2011. Retrieved 20 September 2018.
- ^"Book 4: Cardholder, Attendant, and Acquirer Interface Requirements"(PDF). 4.3. EMVCo. 27 November 2011. Retrieved 20 September 2018.
- ^"SB CPA Specification v1 Plus Bulletins"(PDF). EMVCo. 1 March 2008. Retrieved 20 September 2018.
- ^"EMV® Card Personalization Specification"(PDF). EMVCo. 1 July 2007. Retrieved 20 September 2018.
- ^"Integrated Circuit Card Specifications for Payment Systems". EMVCo. Retrieved 26 March 2012.
- ^"How secure is Chip and PIN?". BBC Newsnight. 26 February 2008.
- ^Saar Drimer; Steven J. Murdoch; Ross Anderson. "PIN Entry Device (PED) vulnerabilities". University of Cambridge Computer Laboratory. Retrieved 10 May 2015.
- ^"Petrol firm suspends chip-and-pin". BBC News. 6 May 2006. Retrieved 13 March 2015.
- ^"Organized crime tampers with European card swipe devices". The Register. 10 October 2008.
- ^"Technical Working Groups, Secure POS Vendor Alliance". 2009. Archived from the original on 15 April 2010.
- ^"Is Chip and Pin really secure?". BBC News. 26 February 2008. Retrieved 2 May 2010.
- ^"Chip and pin". 6 February 2007. Archived from the original on 5 July 2007.
- ^John Leyden (27 February 2008). "Paper clip attack skewers Chip and PIN". The Channel. Retrieved 10 May 2015.
- ^Steven J. Murdoch; Saar Drimer; Ross Anderson; Mike Bond. "EMV PIN verification "wedge" vulnerability". Computer Laboratory, University of Cambridge. Retrieved 12 February 2010.
- ^Susan Watts (11 February 2010). "New flaws in chip and pin system revealed". BBC News. Retrieved 12 February 2010.
- ^"Response from EMVCo to the Cambridge University Report on Chip and PIN vulnerabilities ('Chip and PIN is Broken' – February 2010)"(PDF). EMVCo. Archived from the original(PDF) on 8 May 2010. Retrieved 26 March 2010.
- ^Susan, Watts. "New flaws in chip and pin system revealed (11 February 2010)". Newsnight. BBC. Retrieved 9 December 2015.
- ^ abRichard Evans (15 October 2009). "Card fraud: banks now have to prove your guilt". The Telegraph. Archived from the original on 21 October 2009. Retrieved 10 May 2015.
- ^Andrea Barisani; Daniele Bianco; Adam Laurie; Zac Franken (2011). "Chip & PIN is definitely broken"(PDF). Aperture Labs. Retrieved 10 May 2015.
- ^Adam Laurie; Zac Franken; Andrea Barisani; Daniele Bianco. "EMV – Chip & Pin CVM Downgrade Attack". Aperture Labs and Inverse Path. Retrieved 10 May 2015.
- ^D. Basin, R. Sasse, J. Toro-Pozo. "The EMV Standard: Break, Fix, Verify". 2021 IEEE Symposium on Security and Privacy (SP): 1766–1781.CS1 maint: multiple names: authors list (link)
- ^ abc"The EMV Standard: Break, Fix, Verify".
- ^"US credit cards outdated, less useful abroad, as 'Chip and PIN' cards catch on". creditcards.com.[permanent dead link]
- ^"Visa Australia". visa-asia.com.
- ^Higgins, Michelle (29 September 2009). "For Americans, Plastic Buys Less Abroad". The New York Times. Retrieved 17 April 2017.
- ^ abcdefghi"Chargeback Guide"(PDF). MasterCard Worldwide. 3 November 2010. Retrieved 10 May 2015.
- ^ abc"Operating Regulations"(PDF). Visa International. Archived from the original(PDF) on 3 March 2013.
- ^ abcdefghi"The Journey To Dynamic Data". Visa. Archived from the original on 28 June 2021.
- ^ ab"Visa Expands U.S. Roadmap for EMV Chip Adoption to Include ATM and a Common Debit Solution" (Press release). Foster City, Calif.: Visa. 4 February 2013. Retrieved 10 May 2015.
- ^ ab"MasterCard Announces Five Year Plan to Change the Face of the Payments Industry in Australia". Mastercard Australia. Archived from the original on 28 January 2013.
- ^"Malaysia first to complete chip-based card migration". The Start Online.
- ^"US learns from Malaysia, 10 years later". The Rakyat Post. 14 October 2015.
- ^"Anti-fraud credit cards on trial". BBC Business News. 11 April 2003. Retrieved 27 May 2015.
- ^The UK Cards Association. "The chip and PIN guide"(PDF). Retrieved 27 May 2015.
- ^Foundation, Internet Memory. "[ARCHIVED CONTENT] UK Government Web Archive – The National Archives". Archived from the original on 12 November 2008. Retrieved 17 April 2017.
- ^ abc"Chip Liability Shift". globalpayments. Archived from the original on 30 July 2013.
- ^"Interac - For Merchants". Retrieved 17 April 2017.
- ^"EMV Reduces Card-Present Fraud in Canada (Infographic) - The Official Helcim™ Blog". Retrieved 17 April 2017.
- ^"Discover Implements EMV Mandate for U.S., Canada and Mexico". Archived from the original on 10 May 2012.
- ^"American Express Announces U.S. EMV Roadmap to Advance Contact, Contactless and Mobile Payments" (Press release). New York: American Express. 29 June 2012. Archived from the original on 10 May 2015. Retrieved 10 May 2015.
- ^"EMV's Uncertain Fate in the US". Protean Payment. Archived from the original on 29 September 2013. Retrieved 22 September 2012.
- ^Camhi, Jonathan (3 August 2012). "Wells Fargo Introduces New EMV Card for Consumers". Bank Systems & Technology. Archived from the original on 5 June 2014. Retrieved 10 May 2015.
- ^"Travelex Offers America's First Chip & PIN Enabled Prepaid Foreign Currency Card". Business Wire. Business Wire. 1 December 2010. Retrieved 6 February 2014.
- ^"UNFCU to be first issuer in the US to offer credit cards with a high security chip". United Nations Federal Credit Union.
Enabled atm chip
ATMs now have a new security feature; here's how to use these machines
If you have been to an ATM during the past couple of weeks, you might have noticed that something has changed. Some of you might have had your ATM cards fixed in the card slot till the transaction is complete. The reason behind this is the new EMV chip cards which you have heard about in the past few months.
On orders from the Reserve Bank of India, banks had asked their customers to mandatorily upgrade their older magstripe cards to EMV chip cards by December 31, 2018. Debit and credit cards without the EMV chip have stopped working from January 1, 2019.
The central bank has favoured EMV chip cards for digital transactions due to the additional security they offer in the form of dynamic authentication which makes the card immune to ATM scams like phishing. With these new cards in operations, ATMs have been upgraded too to utilise the EMV chip on debit cards for more secure transactions.
ALSO READ:RBI's 'tokenisation' move to fight rising cyber crimes in India
An ATM which has been upgraded now informs the user that it accepts EMV chip cards. On inserting a debit card, the machine secures the card in place till the money is withdrawn. This is to read the chip on it during the course of transaction, similar to card readers at places of business. The ATM latches on to the card so that customer does not remove it, disrupting the transaction.
So, if the card is fixed in an ATM which accepts EMV chip cards, do not try to force it out as it may damage the card. Even if the card remains intact, excessive force while the ATM is clamping it in place could damage the EMV chip on it.
Most of the public and private sector banks have upgraded their ATMs to accept EMV chip cards. The upgraded ATM usually takes people through the steps of how to use their chip cards. Lenders are also sending messages to inform their customers about this new security feature in the ATMs.
ALSO READ:Assocham meets RBI governor Shaktikanta Das on NBFC, HFC crisis
If you have not received such a message from your bank and are about to use an ATM which accepts chip cards, here's how to use it without damaging your card:1.Insert your card chip-side first into the designated slot of the ATM.
2. Once the ATM reads your card, it will latch on to it and the light near the card slot will turn red. Do not try to take out your card when the red LED is on.
3. Complete the transaction, after which the LED will turn green. Now you can take out your card.
There might be some ATMs which have not been upgraded yet. In this case, insert your ATM card and take it out after the machine reads it, like you used to before.
As for the people who are still using magstripe cards, they might find that their card does not work at ATMs or card machines anymore. This means the card has been permanently blocked by the bank, and they need to contact their home branch for a new EMV chip card.
EMV chip credit card technology in 8 FAQs
Last updated: 03 May 2021 - Estimated reading time: 9 minutes
What does EMV stand for?
EMV is short for Europay, MasterCard, and Visa, the 1994 founders. It commonly refers to a credit card with a smart chip.
The EMV standard is a security technology used worldwide for all payments done with credit, debit, and prepaid EMV smart cards.
The new chip on credit cards means payment security for close to 11 billion cards in early 2021.
It can be used in three forms: contact, contactless, and mobile.
Let's discover why EMV chip cards are conquering the world in 8 points and a video.
#1. What is an EMV chip?
#2. Chip-and-PIN and Chip-and-signature. What's the difference?
#3. Why is EMV more secure?
#4. The meaning of the EMV liability shift (a strong motivation)
#5. The latest EMV deployment stats
#6. What are EMV key features?
#7. The very tangible benefits
#8. EMV for mobile payments too
Let's jump right in.
#1. What is an EMV card?
EMV cards use a smart chip instead of a mag stripe to store the data needed to process a transaction.
EMV® defines a suite of security standards for credit and debit card transactions. EMV can be used for NFC mobile payments as well.
They are also referred to as "EMV cards," "EMV smartcards" or"EMV credit cards," "chip and PIN cards," "Chip and signature cards," or even "IC cards" (for integrated circuit).
Related video: How EMV chips are made
#2. What's the difference between chip and PIN and Chip and signature?
In both cases, the cards are EMV cards.
- Most cards issued in the United States are chip and signature. The EMV payment process requires the cardholder to provide a signature to complete a transaction, just like credit cards traditionally have in the past.
- Outside the United States, chip-and-PIN is more common. The PIN function requires a secret four-digit PIN code known only by the cardholder to validate the EMV payment. It is more secure.
In 2021, most of the ATMs and payment terminals outside the United States have been updated and can detect that your card is EMV compliant, that a PIN wasn’t issued on your card, and validate the transaction.
Anyway, it’s a good idea to travel with a chip card that offers both authentication methods and to carry more than one credit card.
#3. Why are EMV chip cards more secure?
EMV brings increased security and global interoperability to card and mobile payments, even in card-not-present payments, if coupled with a card reader or one-time password device.
The chip* on an EMV card is capable of much more sophisticated authentication than magnetic-stripe cards.
In other words, there is a fully operating computer system embedded in every EMV card.
The chip is tamper-proof, making the card nearly impossible to clone.
With the former technology (the magstripe), invented in the '60s by IBM, a payment card became very easy to duplicate.
*You can find more information on smart card technology here: smart card basics.
#4. What does the EMV liability shift mean?
In the United States, fraud liability shift (aka EMV liability shift) ran into effect in October 2015 for POS (Point Of Sale) devices.
The liability shift for outdoor Automatic Fuel Dispensers was planned for 1 October 2020.
In the face of COVID 19, the card brands (Visa, Mastercard, Discover, American Express, and Voyager) decided to delay the liability shift for Automated Fuel Dispensers (pumps) to 16 April 2021.
Read more: You missed the deadline? Here's is what dot do (CS news 19 April 2021).
However, upgrading to EMV is not a law per se.
But the rules defined by Express, Discover, MasterCard, and Visa (the EMV mandate) clearly state this:
The liability for card-present fraud (typically when you handle your card to the merchant in a store) can now fall on the card-issuing bank or the merchant if the EMV technology is not in place.
That was not the case before.
In other words: the burden of fraud is placed on the merchant side if the card is "swiped" (using the magstripe) instead of "dipped" (using the chip and doing an EMV transaction).
This happens for businesses with an EMV terminal if they don't use it properly and merchants who haven’t upgraded to EMV yet.
At this point, you understand why merchants are motivated to upgrade their payment devices to accept the new cards and why Banks are issuing EMV chip cards.
Needless to say that the EMV migration is now full speed in the U.S.
In August 2015, the Reserve Bank of India (RBI) mandated banks to phase out the magstripe payment cards and migrate to EMV chip cards. RBI set 31 December 2018 as the deadline for the chip and PIN card migration. (Why Indian banks are upgrading your debit, credit cards.)
A transaction at the ATM may be declined due to a non-EMV TXN (TXN is short for a transaction).That means you don't have an EMV card, and you need to get one. This step follows RBI's guidelines to banks for non-EVM transactions.
#5. EMV deployment statistics
There are now over 10.81 billion EMV chip cards in circulation at the end of 2020. This is an increase of close to 10% over 2019.
In Q4 2020, according to information collected from American Express, Discover, JCB, Mastercard, UnionPay, and Visa, 86.1% of all chip card-present transactions in the world(both contact and contactless) - used EMV chip technology.
So, is the transition to EMV complete?
No, not yet in Asia and in the U.S.
More precisely for 2020, total EMV transactions were:
- 98.21% for Africa and the Middle East with 339m cards in circulation
- 81.03% for Asia with 6,88 billion cards
- 95.43% for Latin America, Canada, and the Caribbean with 1,02billion emv cards
- 99.23% for Europe zone 1 with 1,07 billion
- 96.97% for Europe zone 2 with 335m
- 72.83% for the United States with 1,16 billion
Globally in 2020, 66.4% of all issued payment cards in the world were EMV chip-based.
In the United States alone:
- Over one year (2019 to 2020), EMV card-present transactions increased from 62.97% to 72,83%, so +15,6%.
EMV fraud stats
According to a Visa report published in June 2019, U.S. fraud (in value) has been slashed by 87% in March 2019 compared to September 2015.
That means EMV technology is working as planned.
See how EMV chip cards can reduce payment fraud in card-not-present fraud cases as well.
#6. How does EMV work?
The EMV chip
Why do the EMV specs explicitly request a smart chip inside each card?
For one reason - security.
A smart card chip is a small computer with a microprocessor and some memory and application software.
Unlike a magnetic stripe card, a smart card is tough to crack as it's been designed with security in mind.
It also contains a secure vault that holds unique keys specific to each card that protect your transactions.
A Unique Code for Each EMV Payment
EMV cards generate a unique code that your bank validates for each transaction, and the code cannot be re-used.
A fraudster couldn't make a transaction using a fake card with stolen data at an EMV terminal because it wouldn't generate the proper code.
In short, with EMV technology: No rewind, no replay.
EMV security relies on strong cryptography, which generates the unique transaction codes that allow the terminal to authenticate the card.
This cryptography is built on private key infrastructure, meaning that only a personalized chip card with the cardholder's private key during manufacturing can generate a valid transaction.
SDA vs. DDA
Card Authentication Methods (CAMs) were based on Static Data Authentication (SDA).
However, the world has moved on, and the vast majority of payment cards shipped today feature the more sophisticated Dynamic Data Authentication (DDA) or Combined Data Authentication (CDA).
So what is DDA more precisely?
It's a protocol for checking that the EMV card is legitimate.
It's an offline authentication method (so without any network). It uses data from the card to allow the EMV terminal to authenticate the card.
The terminal (POS, for example) comes preloaded with keys. It will check complementary keys on the card for each transaction. It's excellent protection from certificate cloning and card skimming.
Visa and MasterCard have mandated migration to DDA on all EMV smartcards in Europe and Canada, and it is becoming standard in the U.S. too.
EMV Tokenization is a new security standard recently defined by EMVCO to facilitate e-commerce.
Its goal is to secure Card on File payments, e.g., payments using customer card information already stored from a previous transaction.
The EMV tokenization process has been proved to reduce card rejection dramatically.
- This slashes the potential loss of revenue when purchases cannot be completed.
- This improves the user experience (and they won't go to the competition).
#7. What are EMV benefits?
Payment security: EMV chip cut fraud by half in the U.S. the first year.
EMV is one of the most secure forms of payment.
EMV is almost 100% effective in preventing face-to-face (in-store, aka card-present fraud) counterfeit card fraud.
- When France migrated to EMV in 2005, card fraud nearly disappeared.
- The case was replicated in the United Kingdom in 2012 (chip and PIN).
The U.S. began adoption in late 2015, and a study from the (U.S.) Federal Reserve issued in 2018 showed that the amount of card-present fraud in the country declined from $3.68 billion in 2015 to $1.91 billion in 2016.
It's a 48% decrease in ONE year.
Over three years and a half, it's a decrease of 87%, according to the June 2019 Visa report mentioned earlier.
Increased card spending
The tap-and-go convenience of a contactless EMV chip card is likely to make it your customers' new favorite, leading to increased loyalty and spending on that card.
Adding contactless capacity has even generated a significant increase in contact transactions made with those cards.
Global interoperability of the EMV standard
EMV is the worldwide standard for payments. The market penetration of the technology is growing worldwide, particularly the nearly 100% EMV compliance in portions of Europe and Canada.
Today, with magnetic-stripe cards, your customers may not be able to pay with their cards when they're traveling internationally.
In other words: Wherever EMV chip cardholders make purchases, they get reliability and convenience.
Strengthened customer relationships
Migrating to EMV is an opportunity to show your customers that you take their security seriously.
#8. EMV chip for mobile payments too
Contact EMV chip card.
Contact EMV offers the added security of the EMV chip, making it impossible to create counterfeit cards. Contact cards can be used in all EMV capable POS payment terminals.
The card is inserted into the terminal. It stays there while the customer types a PIN or writes his/her signature.
Contactless (dual-interface) EMV card
Contactless is the level to go for if you want a convenient and future-proof, and secure technology.
A country-based contactless limit allows for payments using NFC without the use of a PIN authorization.
The card is tapped against the POS terminal or waved in front of it.
Contactless is a safe option that aligns with social distancing guidance.
Overall contactless usage (card and digital wallet) is growing fast in the U.S., particularly in Q2 2020.
As reported by NFCW on 1 May 2020, the U.S. now has the largest number of contactless cards of any market at 175m.
With mobile EMV, the customer's account credentials are loaded directly onto an NFC-enabled cell phone or wearable device. This process is just as secure as a contactless EMV chip but with superior convenience and added opportunities.
The smartphone is tapped or waved at the POS terminal, just like a contactless card.
More resources on EMV payment
- Innova 3020rs app
- Cylinder ceramic vase
- Makeup revolution candle
- Behr clay
- Chillicothe chevrolet
- Fps rpg 2017
- Destiny 2 lore guide
- Cool plant shelves
- Empty paint strips
- Original ps1 box
- Minecraft skeleton
- Dollar tree christmas light necklace