EMV (Europay MasterCard Visa) is a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV cards are smart cards (also called chip cards or IC cards) which store their data on integrated circuits rather than magnetic stripes, although many EMV cards also have stripes for backward compatibility. They can be contact cards which must be physically inserted (or "dipped") into a reader, or contactless cards which can be read over a short distance using radio-frequency identification technology. Payment cards which comply with the EMV standard are often called chip-and-PIN or chip-and-signature cards, depending on the exact authentication methods required to use them.

EMV stands for Europay, MasterCard, and Visa, the three companies which originally created the standard. The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.[1]

There are standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards (PayPass, PayWave, ExpressPay).

The most widely known chip card implementations of the EMV standard are:

  • VSDC – Visa
  • M/Chip – MasterCard
  • AEIPS – American Express
  • CUP – China UnionPay
  • J Smart – JCB
  • D-PAS – Discover/Diners Club International.

Visa and MasterCard have also developed standards for using EMV cards in devices to support card-not-present transactions over the telephone and Internet. MasterCard has the Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes. Visa has the Dynamic Passcode Authentication (DPA) scheme, which is their implementation of CAP using different default values.

In February 2010, computer scientists from Cambridge University demonstrated that an implementation of EMV PIN entry is vulnerable to a man-in-the-middle attack; however, the way PINs are processed depends on the capabilities of the card and the terminal.

History

Until the introduction of Chip and PIN, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under that system, the customer hands their card to the clerk at the point of sale, who either "swipes" the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the system verifies account details and prints a slip for the customer to sign. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the customer's signature matches that on the back of the card to authenticate the transaction.

This system has a number of security flaws, including the ability to steal a card in the post, or to learn to forge the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, making cards easy to clone and use without the owner's knowledge.

The first standard for smart payment cards was the Carte Bancaire M4 from Bull-CP8 deployed in France in 1986, followed by the B4B0' (compatible with the M4) deployed in 1989. Geldkarte in Germany also predates EMV. EMV was designed to allow cards and terminals to be backwardly compatible with these standards. France has since migrated all its card and terminal infrastructure to EMV.

The EMV standard was initially written in 1993 and 1994.[2] JCB joined the consortium in February 2009, China UnionPay in May 2013,[3] and Discover in September 2013.[4]

Differences and benefits of EMV

There are two major benefits to moving to smart-card-based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of "offline" credit-card transaction approvals. One of the original goals of EMV was to allow multiple applications to be held on a card, for example a credit and debit card application or an e-purse. With current processing regulations in the USA, newly issued debit cards contain two applications: a card association (Visa, MasterCard etc.) application, and a common debit application. The common debit application ID is somewhat of a misnomer, as each "common" debit application actually uses the resident card association application.

EMV chip card transactions improve security against fraud compared to magnetic stripe card transactions, which rely on the holder's signature and visual inspection of the card to check for features such as a hologram. The use of a PIN and cryptographic algorithms such as Triple-DES, RSA and SHA provides authentication of the card to the processing terminal and the card issuer's host system. The processing time is comparable to online transactions, in which communications delay accounts for the majority of the time, while cryptographic operations take comparatively little time. The supposed increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.[5]

Although not the only possible method, the majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a personal identification number (PIN) rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and programming of the card. For more details of this (specifically, the system being implemented in the UK) see Chip and PIN.

Under the old system, a customer typically had to hand their card to a sales clerk to pay for a transaction. When credit cards were first introduced, merchants used offline portable card imprinters (mechanical rather than magnetic). They did not connect to the card issuer, and the card never left the customer's sight. The merchant had to verify transactions over a certain limit by telephoning the card issuer.

Later, equipment electronically contacted the card issuer, using information from the magnetic stripe to verify the card and authorise the transaction. This was much faster, but had to be in a fixed location. Consequently, if the transaction did not take place near a terminal (in a restaurant, for example) the clerk or waiter had to take the card away from the customer to the card machine. It was easily possible at any time for a dishonest employee to swipe the card surreptitiously through a cheap machine that instantly recorded the information on the card and stripe; in fact, even at the terminal, the criminal could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards easy, and a common occurrence.

Since the introduction of Chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used on a PIN terminal. The introduction of chip and PIN coincided with wireless data communications technology becoming inexpensive and widespread. Merchant personnel can now bring wireless PIN pads to the customer, so the card is never out of the cardholder's sight. (This would have been possible with magnetic stripe cards had the technology been available.) Chip and PIN and wireless together reduce the risk of cloning of cards by surreptitious swiping.

  1. "EMVCo Members". EMVCo. Retrieved 10 May 2015.
  2. Kitten, Tracy (7 March 2011). "EMV Roots Go Deep in Europe: Global Shifts, New Headaches for U.S. Issuers". BankInfoSecurity. Retrieved 7 June 2015.
  3. "China UnionPay joins EMVCo" (Press release). Finextra Research. 20 May 2013. Retrieved 10 May 2015.
  4. "Discover Joins EMVCo to Help Advance Global EMV Standards". Discover Network News. 3 September 2013. Retrieved 10 May 2015.
  5. "Shift of liability for fraudulent transactions". The UK Cards Association. Retrieved 10 May 2015.