What You Need to Know about the Technology, the Security Protection it Provides, and When to Implement
According to a 2016 TSYS study identifying consumer payment preferences, 40 percent of Americans prefer using credit cards, 35 percent prefer debit cards and 11 percent prefer cash [1]. With U.S. consumers eight times more likely to reach for plastic over cash, the ongoing migration to EMV chip technology impacts millions - card issuers, merchants and consumers alike. Since more and more government agencies and government benefit programs are implementing debit card programs, the EMV conversion is beginning to impact the public sector as well.
While EMV chip technology has long been the global standard for credit card and debit card payments, the US has only recently begun the process of embracing it. Still, enormous progress has been made nationwide migrating cards to EMV. The Strawhecker Group reports that 52 percent of merchants today are enabled to accept chip payments. But that number doesn’t tell the whole story. While 63 percent of all cards in the market are chip cards, the type of cards converted is not at parity: 81 percent of credit cards are converted to chip, but only 46 percent of debit cards are converted to chip, per Glenbrook Partners [2].
In this paper, we’ll discuss the technology behind EMV and review some misconceptions about EMV security in terms of what is protected by EMV and what is not. We’ll also share some insights into how to determine the best time for your program to implement EMV, depending on your unique circumstances.
What is EMV and why the migration now?
EMV stands for Europay, MasterCard and Visa, named after the three companies that created the standard. It is an open-standard set of specifications for smart card payments that includes requirements to ensure interoperability between payment cards and point of sale (POS) terminals.
The chip in an EMV chip card contains a microprocessor that supports functionality well beyond that of a traditional magnetic stripe card, including strong transaction security. When using an EMV-enabled card at an EMV-enabled terminal, the cardholder doesn’t swipe the card as is done today for a magnetic stripe transaction. Instead, the card is inserted into a reader in the payment device. Some EMV cards are also available with contactless functionality, which enables the chip to be read over a short distance using radio-frequency identification (RFID) technology.
So why has the U.S. only recently begun a conversion that the rest of the world undertook years ago? One of the main reasons for the delay in the U.S. is the sheer volume of those impacted by the changeover. The U.S. has more banks, card issuers, merchants and consumers using payment cards than any other country, which equates to a massive and complicated coordination between numerous parties.
Additionally, adopting the new technology means card issuers must create and issue new cards to consumers, and merchants must update payment terminals with both new hardware and software, all of which is expensive. EMV cards can cost upwards of one dollar more per card than traditional magnetic stripe-only cards. Meanwhile, the estimated cost of replacing the 15 million point-of-sale terminals with chip card-compliant machines is $6.75 billion, with an average cost of $500 - $1000 per terminal [3].
In 2011, after some very public data breaches impacting millions of cardholders nationwide, the payment networks (MasterCard, Visa, American Express and Discover) began to announce their roadmaps for EMV implementation in the United States. The announcements contained important fraud liability shift milestones to ensure incentives for both issuers and merchants to convert to EMV. The most impactful shift occurred in October 2015, when a fraudulent transaction at a point of sale location became the responsibility of the party that was least EMV-compliant. In October 2016, fraud liability shifted to the least EMV-compliant party for ATM transactions routing over the Mastercard Cirrus ATM network. For other networks, such as the Visa Plus ATM network, the fraud liability shift will take effect in October 2017.
The final fraud liability shift will take place in October 2020 for gas station owners running Automated Fuel Dispensers (AFDs). Originally given a deadline of October 2017, AFD owners have been granted a 3-year extension to implement EMV technology due to the cost and complexity of the changes required.
To explain a little further, the October 2015 POS liability shift date meant that the least secure party – or the one not capable of performing an EMV transaction – would now be responsible for any counterfeit fraud occurring during the transaction. Prior to the shift, the POS counterfeit fraud was largely absorbed by the card issuer. This type of liability shift is adding incentives and motivation for merchants to update payment terminals to be EMV-compatible.
One thing to keep in mind as we consider the current state of transition in the market: magnetic stripe cards have been the standard for card payments for decades and, even with the introduction of EMV, the magnetic stripe is not fully going away. Cards issued with EMV technology also have magnetic stripe capabilities, so consumers still have the ability to pay via magnetic stripe if they encounter a payment terminal without EMV capability.
A key difference between the use of the EMV chip and the magnetic stripe on the security front is EMV’s use of dynamic data during a transaction. Each transaction carries a unique ‘stamp’ which prevents the transaction data itself from being fraudulently reused, even if the cardholder data is compromised.
Overall, EMV secures the payment transaction with enhanced functionality in three areas:
1. Card authentication: The card itself is validated typically by the issuer during a payment transaction. Also, during the transaction, the chip creates unique transaction data, which means that any captured data during the transaction cannot be used to create counterfeit cards and execute new transactions.
2. Cardholder verification: This is the process by which the issuer verifies the person attempting the transaction is actually the person to whom the card was issued. In the US, cards typically support online PIN, signature, and no cardholder verification (which is typically used for low risk and low dollar transactions).
3. Transaction authorization: Similar to the authorization process used for magnetic stripe-only cards, issuers use issuer-defined rules to decision transactions. However, with EMV transactions, additional transaction data, including the transaction-specific cryptogram, is available. This enables the issuer to make more robust authorization and decline decisions on each transaction.
Through the use of advanced encryption, embedded card risk analysis capabilities, and online authentication, most of the traditional methods used to steal card data or to clone cards using magnetic stripe technology are ineffective, or at the very least, very difficult to accomplish.
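The per-transaction 'stamp' and the issuer-side check described above can be sketched as follows. This is an added illustration, not code from this paper or from the EMV specifications: HMAC-SHA256 stands in for the chip's real cryptogram algorithm, and the class names, field names and card number are constructed for the example.

```python
import hashlib
import hmac
import secrets

def cryptogram(key: bytes, atc: int, amount_cents: int, un: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the chip's cryptogram algorithm.
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + un
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Chip:
    """Hypothetical card: the key never leaves the chip; the counter only goes up."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount_cents: int, un: bytes) -> dict:
        self.atc += 1  # every transaction gets a fresh counter value
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents, "un": un,
                "cryptogram": cryptogram(self._key, self.atc, amount_cents, un)}

class Issuer:
    """Hypothetical issuer host that checks the cryptogram and the counter."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self.keys[pan], self.last_atc[pan] = key, 0

    def authorize(self, tx: dict) -> str:
        key = self.keys.get(tx["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = cryptogram(key, tx["atc"], tx["amount"], tx["un"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if tx["atc"] <= self.last_atc[tx["pan"]]:
            return "DECLINE: counter reused"  # captured data presented again
        self.last_atc[tx["pan"]] = tx["atc"]
        return "APPROVE"

def demo() -> list:
    pan, key = "4000000000000002", secrets.token_bytes(16)  # constructed sample values
    chip, issuer = Chip(pan, key), Issuer()
    issuer.enroll(pan, key)
    first = chip.sign(2500, secrets.token_bytes(4))
    return [
        issuer.authorize(first),                      # genuine chip transaction
        issuer.authorize(dict(first)),                # same data submitted a second time
        issuer.authorize(dict(first, amount=99900)),  # captured data with a changed amount
        issuer.authorize(chip.sign(1200, secrets.token_bytes(4))),  # next genuine one
    ]

if __name__ == "__main__":
    print(demo())
```

The second and third results show why captured transaction data has no reuse value: the counter check rejects an exact copy, and any change to the signed fields invalidates the cryptogram.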