The Green Sheet Online Edition
July 28, 2014 • Issue 14:07:02
Preparing for EMV migration
With the shift in liability from card issuers to retailers and acquirers, the door to Europay/MasterCard/Visa (EMV) adoption in the United States has been pushed ajar. By next year, EMV-enabled cards will be in the hands of consumers, and retailers' terminals will be able to accept these new smart cards.
While EMV cards have been in use in the U.K. and Europe for more than a decade, the United States has been late to embrace this technology. Now that we must adopt EMV, how ready are we?
Understanding the technology
The stripe on the back of a mag stripe card contains static information coded in three tracks. A terminal reads this static information during a card swipe and uses it and other POS information to create a payment transaction to send to acquirers. Anybody with access to the mag stripe card information and a card encoder device can replicate the payment card. Hence, a card-skimming device is the tool of choice for fraudsters.
EMV cards differ from mag stripe cards because they contain embedded chips. An EMV chip is like a small microprocessor that can store data and perform functions that create dynamic data during card usage. This ability to process information allows for authenticating that the card is genuine. This reduces potential fraud in a card-present scenario.
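The contrast between static stripe data and chip-generated dynamic data, as an added example that is not part of the original article. It is a simplified Python model: HMAC-SHA256 stands in for the chip's actual cryptogram algorithm, and the track string, key, counter and terminal nonce are constructed values.

```python
import hashlib
import hmac

# Constructed sample values; not real card data.
TRACK_DATA = b"4000000000000002=29121010000000000000"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _mac(key, counter, amount_cents, nonce):
    msg = b"%d|%d|" % (counter, amount_cents) + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """The key stays inside the chip; only per-transaction output leaves it."""
    def __init__(self, key):
        self._key, self.counter = key, 0

    def cryptogram(self, amount_cents, nonce):
        self.counter += 1  # every transaction produces different data
        return self.counter, _mac(self._key, self.counter, amount_cents, nonce)


class Issuer:
    def __init__(self, track, key):
        self._track, self._key, self._last_counter = track, key, 0

    def check_magstripe(self, track):
        # Static comparison: any byte-for-byte copy of the stripe passes.
        return hmac.compare_digest(track, self._track)

    def check_chip(self, counter, amount_cents, nonce, mac):
        if counter <= self._last_counter:  # counter must advance
            return False
        if not hmac.compare_digest(mac, _mac(self._key, counter, amount_cents, nonce)):
            return False
        self._last_counter = counter
        return True


def demo():
    issuer, card = Issuer(TRACK_DATA, CARD_KEY), ChipCard(CARD_KEY)
    counter, mac = card.cryptogram(2500, b"nonce-1")
    return {
        "stripe_copy_accepted": issuer.check_magstripe(bytes(TRACK_DATA)),
        "chip_first_use": issuer.check_chip(counter, 2500, b"nonce-1", mac),
        "chip_same_data_again": issuer.check_chip(counter, 2500, b"nonce-1", mac),
        "chip_old_mac_new_txn": issuer.check_chip(counter + 1, 2500, b"nonce-2", mac),
    }
```

The stripe check has nothing to distinguish a copy from the original, while recorded chip output is rejected once the counter or the terminal's nonce has moved on.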
Card and terminal interaction
The following steps generally define the interaction between EMV cards and terminals:
- Initialization: After an EMV card is inserted into an EMV-capable terminal, basic initialization takes place. The device sets the language and country, and offers to select the application from the card. If only one application is in the card, it is selected by default.
- Terminal verification: Following initialization, the terminal and card process the transaction's restrictions, which include the application version, effective and expiry dates, and card usage restrictions.
- Transaction initialization: The terminal and card prepare for the actual transaction. Transaction type is set, along with amount and other information. The cardholder verifies transaction amount, ZIP code, and for debit cards, the account type (checking/savings). If a PIN is required, the cardholder's PIN is accepted.
- Offline authorization: Using the terminal data, card data and transaction data, the EMV chip sends an offline response to the terminal. The response could be offline approval, offline decline or online authorization required. The EMV chip also returns fields for the host authorization message.
- Online authorization: If the terminal is connected to the network, an online authorization request is sent to the processor using data sent by the card's EMV chip to the terminal, and an online authorization response is obtained.
- Final decision: The online response is sent to the EMV chip by the terminal, and a final decision is obtained from the card's EMV chip. The chip uses the results from offline and online authorization to submit a final decision.
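The offline, online and final decision steps above, sketched as an added Python example that is not part of the original article. The limit values, the rule that the terminal goes online only when the chip asks for it, and the decline when no host response is available are assumptions of this model; the offline counters reflect the issuer-controlled offline limits the article mentions under chip and PIN.

```python
from dataclasses import dataclass

APPROVE = "offline approval"
DECLINE = "offline decline"
GO_ONLINE = "online authorization required"


@dataclass
class Card:
    expired: bool = False
    offline_count: int = 0          # offline transactions since last online contact
    offline_total: int = 0          # cumulative offline amount, in cents
    max_offline_count: int = 3      # issuer-set limits (constructed values)
    max_offline_total: int = 10_000

    def offline_decision(self, amount):
        """Chip's response to the terminal after checking restrictions."""
        if self.expired:
            return DECLINE
        if (self.offline_count + 1 > self.max_offline_count
                or self.offline_total + amount > self.max_offline_total):
            return GO_ONLINE
        return APPROVE

    def final_decision(self, amount, offline, online):
        """Combine the offline result with the host response (None = no response)."""
        if offline == DECLINE:
            return "declined"
        if offline == APPROVE:
            self.offline_count += 1
            self.offline_total += amount
            return "approved"
        if online:                  # host approved: counters are reset
            self.offline_count = self.offline_total = 0
            return "approved"
        return "declined"           # host declined or terminal could not go online


def run_transaction(card, amount, terminal_online, host_approves=True):
    offline = card.offline_decision(amount)
    online = None
    if offline == GO_ONLINE and terminal_online:
        online = host_approves      # stand-in for the processor round trip
    return offline, card.final_decision(amount, offline, online)
```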
Flavors of EMV card usage
The most common flavor of EMV card is "chip and PIN." This model was adopted in the U.K. and has gained momentum because it is very secure. The consumer uses the chip card at an EMV terminal and then enters a PIN. The chip authenticates the card as genuine and uses the PIN to authenticate the consumer, thereby reducing the chance of fraud. And the card issuer can control the number and amounts of transactions that can be performed offline before an online "reset" is mandated.
Another flavor of usage is "chip and sign," also called "chip and signature." In this case, the card authentication is done by the chip, but instead of entering a PIN, the consumer signs the receipt from the terminal or POS system to validate himself or herself. Both flavors have proponents in the U.S. market. Most large retailers prefer chip and PIN because it is more secure. Chip and sign proponents argue that it provides a better cardholder experience, as signature remains optional for certain small-value transactions.
EMV cards also have a "contactless" facet. This allows transactions to take place without a consumer having to swipe or insert the card. The card's close proximity to the terminal allows for a secure information exchange between the chip on the card and the terminal. It is a "tap and go" method of payment. With the increased availability of near field communication (NFC) chips on mobile phones, the technology is getting extended to phones, as well. For the U.S. market, networks are encouraging dual support for the terminals, meaning support for both chip card readers and NFC for EMV transactions.
Multiple usage of the same card
Another important feature of the chip card is support for multiple usages of the card. A chip card has the ability to store and support multiple "applications," allowing it to be used for different purposes. A chip card can be a payment card and an identity card, for example. Depending on the terminal, a cardholder may be able to select the application he or she wants to use, and the card will perform according to the rules set in that application.
For the U.S. market, this is significant. Regulations require access to at least two separate debit networks. This can be easily achieved by encoding two or more debit network applications into one chip card for the consumer. While the same goes for credit card and prepaid scenarios, no regulatory mandate exists for embedding multiple applications.
Changes required to support EMV
Support for EMV will be required at practically every step of the transaction food chain. Fortunately, distinct entities own different parts of this food chain, and thus no single party is responsible for all the changes.
The most obvious impact is on card issuers, which have to change the card issuance process to create EMV cards with the appropriate encoded chips. Over the next couple of years, all card issuers will have to reissue new cards to existing mag stripe cardholders. They will also have to educate the consumers about EMV cards and their usage.
Card networks, processors and gateways must also upgrade their systems to support the EMV specifications. While card networks have had support for EMV for a long time, the processors and gateways have to transition to EMV as quickly as possible. Processors and gateways will have to code their systems for the EMV specs and get recertified before support is enabled for the end points.
Terminals and POS systems will have to undergo hardware-level changes to enable acceptance of the EMV cards. These will include the support to interact with chips, preferably using both card-based and NFC-based technology. The applications running on these terminals will have to be upgraded to support chip transactions and be redeployed.
Mobile apps that support card readers will also undergo changes, as they will have to incorporate support for the chip card-enabled card readers.
Impact on CNP transactions
While EMV is a great improvement for card-present transactions, it does little for the card-not-present (CNP) world. To support the existing CNP world, the cards will still have to have the regular card number, expiry date, CVV/CVV2/CID, and be Address Verification Service enabled. While it may appear EMV card rollout will have no impact on CNP transactions, the facts from a case study of U.K. chip and PIN adoption contradict this.
When the card-present world becomes more secure, fraud moves to the CNP world in a big way. With the rising usage of Internet-based commerce, the potential for fraud in this world is also rising. To prevent fraud losses, the industry must focus on the e-commerce and MO/TO transaction security as well. Solutions like 3D Secure should become a mandate for e-commerce to combat fraud in a holistic manner.
EMV card implementation will have major impacts on the U.S. market. New value-added services will become available to consumers as soon as they become adept at using the EMV cards. Also, EMV adoption will open the doors for better implementation of NFC-based solutions. Of course, our real success will depend on how fast we can close the gap in the e-commerce world to reduce fraud to a minimum in the United States.
Chandan Mukherjee is the co-founder of PayCube Inc., which is a Bay Area, Calif.-based payment consulting and IT services company providing custom software solutions and custom gateways for acquirers, ISOs, retailers and varied organizations in the world of payments and consumer transaction acquiring and management, including prepaid and gift card program, loyalty and promotion, payment start-up, POS solution, mobile payment and e-commerce players. PayCube uses a blend of on-site and offshore delivery capabilities, with a focused staff of retail and payment focused software engineers, architects, project managers, tech leads, quality assurance (QA) automation engineers, QA analysts and systems analysts. For more information, email email@example.com, call 510-545-6854 or visit www.paycubeinc.com.