EMV
EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.
EMV cards are smart cards, also called chip cards, integrated circuit cards, or IC cards, which store their data on integrated circuit chips, in addition to magnetic stripes for backward compatibility. These include cards that must be physically inserted or "dipped" into a reader, as well as contactless cards that can be read over a short distance using near-field communication technology. Payment cards which comply with the EMV standard are often called chip and PIN or chip and signature cards, depending on the authentication methods employed by the card issuer, such as a personal identification number or electronic signature. Standards exist, based on ISO/IEC 7816, for contact cards, and based on ISO/IEC 14443 for contactless cards.
History
Until the introduction of chip & PIN, all face-to-face credit or debit card transactions involved the use of a magnetic stripe or mechanical imprint to read and record account data, and a signature for purposes of identity verification. The customer hands their card to the cashier at the point of sale who then passes the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the system verifies account details and prints a slip for the customer to sign. In the case of a mechanical imprint, the transaction details are filled in, a list of stolen numbers is consulted, and the customer signs the imprinted slip. In both cases the cashier must verify that the customer's signature matches that on the back of the card to authenticate the transaction.Using the signature on the card as a verification method has a number of security flaws, the most obvious being the relative ease with which cards may go missing before their legitimate owners can sign them. Another involves the erasure and replacement of legitimate signature, and yet another involves the forgery of the correct signature.
The invention of the silicon integrated circuit chip in 1959 led to the idea of incorporating it onto a plastic smart card in the late 1960s by two German engineers, Helmut Gröttrup and Jürgen Dethloff. The earliest smart cards were introduced as calling cards in the 1970s, before later being adapted for use as payment cards. Smart cards have since used MOS integrated circuit chips, along with MOS memory technologies such as flash memory and EEPROM.
The first standard for smart payment cards was the Carte Bancaire B0M4 from Bull-CP8 deployed in France in 1986, followed by the B4B0' deployed in 1989. Geldkarte in Germany also predates EMV. EMV was designed to allow cards and terminals to be backwardly compatible with these standards. France has since migrated all its card and terminal infrastructure to EMV.
EMV stands for Europay, Mastercard, and Visa, the three companies that created the standard. The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China UnionPay, and Discover. EMVCo accepts public comment on its draft standards and processes, but also allows other organizations to become "Associates" and "Subscribers" for deeper collaboration. JCB joined the consortium in February 2009, China UnionPay in May 2013, and Discover in September 2013.
The top vendors of EMV cards and chips are: ABnote, CPI Card Group, IDEMIA, Gemalto Giesecke & Devrient and Versatile Card Technology.
Differences and benefits
There are two major benefits to moving to smart-card-based credit card payment systems: improved security, and the possibility for finer control of "offline" credit-card transaction approvals. One of the original goals of EMV was to provide for multiple applications on a card: for a credit and debit card application or an e-purse. Beginning in 2013, new-issue debit cards in the US contain two applications — a card association application, and a common debit application.EMV chip card transactions improve security against fraud compared to magnetic stripe card transactions that rely on the holder's signature and visual inspection of the card to check for features such as hologram. The use of a PIN and cryptographic algorithms such as Triple DES, RSA and SHA provide authentication of the card to the processing terminal and the card issuer's host system. The processing time is comparable to online transactions, in which communications delay accounts for the majority of the time, while cryptographic operations at the terminal take comparatively little time. The supposed increased protection from fraud has allowed banks and credit card issuers to establish a "liability shift", such that merchants are liable for any fraud that results from transactions on systems that are not EMV-capable. The majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a personal identification number rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and programming of the card.
When credit cards were first introduced, merchants used mechanical rather than magnetic portable card imprinters that required carbon paper to make an imprint. They did not communicate electronically with the card issuer, and the card never left the customer's sight. The merchant had to verify transactions over a certain currency limit by telephoning the card issuer. During the 1970s in the United States, many merchants subscribed to a regularly-updated list of stolen or otherwise invalid credit card numbers. This list was commonly printed in booklet form on newsprint, in numerical order, much like a slender phone book, yet without any data aside from the list of invalid numbers. Checkout cashiers were expected to thumb through this booklet each and every time a credit card was presented for payment of any amount, prior to approving the transaction, which incurred a short delay.
Later, terminal equipment at the merchant electronically contacted the card issuer, using information from the magnetic stripe to verify the card and authorize the transaction. This was much faster, but required the transaction to occur in a fixed location. Consequently, if the transaction did not take place near a terminal the clerk or waiter had to take the card away from the customer and to the card machine. It was easily possible for a dishonest employee to swipe the card surreptitiously through a cheap machine that instantly recorded the information on the card and stripe; in fact, even at the terminal, a thief could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards relatively easy and a more common occurrence than before.
Since the introduction of payment card chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used by itself on a terminal requiring a PIN. The introduction of chip and PIN coincided with wireless data transmission technology becoming inexpensive and widespread. In addition to mobile-phone-based magnetic readers, merchant personnel can now bring wireless PIN pads to the customer, so the card is never out of the cardholder's sight. Thus, both chip and PIN and wireless technologies can be used to reduce the risks of unauthorized swiping and card cloning.
Chip and PIN vis-à-vis chip and signature
Chip and PIN is one of the two verification methods that EMV enabled cards can employ. Rather than physically signing a receipt for identification purposes, the user enters a personal identification number, typically of four to six digits in length. This number must correspond to the information stored on the chip or PIN at Host. Chip and PIN technology makes it much harder for fraudsters to use a found card, inasmuch as if someone steals a card, they are unable to make fraudulent purchases unless they know the PIN.Chip and signature, on the other hand, differentiates itself from chip and PIN by verifying a consumer's identity with a signature.
As of 2015, chip and PIN cards are common in most European countries as well as in Pakistan, Iran, Brazil, Colombia, Venezuela, India, Sri Lanka, Canada, Australia and New Zealand. Chip and signature cards are more common in the US, Mexico, parts of South America and some Asian countries.
Online, phone, and mail order transactions
While EMV technology has helped reduce crime at the point of sale, fraudulent transactions have shifted to more vulnerable telephone, Internet, and mail order transactions—known in the industry as card-not-present or CNP transactions. CNP transactions made up at least 50% of all credit card fraud. Because of physical distance, it is not possible for the merchant to present a keypad to the customer in these cases, so alternatives have been devised, including- Software approaches for online transactions that involve interaction with the card-issuing bank or network's website, such as Verified by Visa and Mastercard SecureCode. 3-D Secure is now being replaced by Strong customer authentication as defined in the European Second Payment Services Directive.
- Creating a one-time virtual card linked to a physical card with a given maximum amount.
- Additional hardware with keypad and screen that can produce a one-time password, such as the Chip Authentication Program.
- Keypad and screen integrated into complex cards to produce a one-time password. Since 2008, Visa has been running pilot projects using the Emue card where the generated number replaces the code printed on the back of standard cards.