New Era of Smart Cards – All that You Need to Know about Secure Payments
What is EMV?
EMV is the gold standard in credit card security – EMV reduced fraud by 66 percent in less than two years, according to Visa, and that number is only increasing. EMV chip technology is now the best global standard for credit card and debit card payments.
EMV is named after its original developers, Europay, MasterCard and Visa, and its technology features payment instruments (cards, mobile phones, etc.) with embedded microprocessor chips that store and protect cardholder data.
This standard has many names worldwide and may also be referred to as: “chip and PIN” or “chip and signature.”
Chip-enabled cards are standard bank cards that are embedded with a microcomputer chip. Some may require a PIN instead of a signature to complete the transaction process.
A chip transaction adds another layer of security to cards by requiring the chip to produce a single-use code to validate the transaction – this process makes your chip card information more difficult to steal.
The most widely known chips of the EMV standard
- VIS – Visa
- Mastercard chip – Mastercard
- AEIPS – American Express
- UICS – China Union Pay
- J Smart – JCB
- D-PAS – Discover/Diners Club International
- Rupay – NPCI
Contact. These cards support cryptographic functions to prevent counterfeiting of cards and additional functions that make them more secure than traditional magnetic-stripe cards.
Contactless. These devices allow transactions to be made by waving or tapping on a contactless-enabled terminal. A chip card communicates with a reader through a radio frequency interface. Similar to contact chip cards, they also support cryptographic functions for more secure transactions than with traditional magnetic-stripe cards.
Mobile. This includes mobile devices augmenting or replacing contactless cards as well as an increasing number of mobile devices, with, or without, attachments for card reading and PIN entry, replacing traditional counter based POS devices. In addition to mobile contactless, there is also growing adoption of optical capture solutions for payment which lend themselves to mobile payment as well as remote commerce using mobile devices.
Payment Tokenization. A global ecosystem that overlays and interoperates with existing payment ecosystems to support digital commerce and new methods of payment. Payment Token is a surrogate value that replaces a primary account number (PAN) in the payment ecosystem. Tokenization has a similar goal to encryption but works differently. It substitutes card data with meaningless data or a token that has no value to a hacker. Merchants can use tokens to submit subsequent transactions, process a refund, etc. without needing to store the actual payment card details.
QR codes. The two dominant QR Code payment use cases:
- consumer-presented mode: the customer displays the QR Code on their mobile device and the merchant uses an optical scanner to scan the QR Code;
- merchant-presented mode: the merchant displays the QR Code and the consumer uses their mobile device to scan the QR Code.
2nd Generation. The terminal design supports various transaction environments, transaction flows, and communications protocols, including Interface ID, Cardholder Verification (CV) Method ID, Cardholder Verification Entry Device (CVED) Data Encryption Algorithm ID, Cryptographic Algorithm Suite ID.
Secure Remote Commerce. This mode offers an approach to promote security and interoperability within the card payment experience in a remote payment environment. SRC facilitates checkout through information stored and managed by a payment network in the digital commerce environment. Content includes defined data elements, messages, UI and API guidance.
3D Secure. The 3D Secure specification supports app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. It supports specific app-based purchases on mobile and other consumer devices and specifies the use of multiple options for step-up authentication, including one-time passcodes, as well as biometrics via out-of-band authentication.
It also enhances functionality that enables merchants to integrate the authentication process into their checkout experiences, for both app and browser-based implementations.
How does chip technology work?
An EMV-enabled device communicates with the chip inside the customer’s chip card to determine whether or not the card is authentic. The terminal will prompt the customer to sign or enter a PIN to validate their identity.
Payment data is more secure on a chip-enabled payment card than on a magnetic stripe (magstripe) card – data from a traditional magstripe card can be copied/skimmed.
Today, there are more than 1 billion chip cards used around the world.
What is EMV offline payment?
EMV cards contain microprocessors that can interact with terminals, enabling them to perform offline transaction verification and offline cardholder verification without requiring an online connection to banking systems. This means that if you have no online connection to your banking systems, the microprocessors in the EMV cards interact with the terminals to verify and accept PIN codes offline.
For an online authorization, transactions proceed as they do with magnetic stripe cards. The transaction information is sent to the issuer, along with a transaction-specific cryptogram, and the issuer either authorizes or declines the transaction.
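The role of the transaction-specific cryptogram can be shown with a small issuer-side check. This is an added example, not code from the original article or from EMVCo: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, the key and card number are constructed test values, and the transaction counter (ATC) and terminal "unpredictable number" are EMV terms the article does not name.

```python
import hashlib
import hmac

def session_key(card_key: bytes, atc: int) -> bytes:
    # Stand-in derivation: one key per transaction counter value (not the EMV algorithm).
    return hmac.new(card_key, b"session" + atc.to_bytes(2, "big"), hashlib.sha256).digest()

def make_cryptogram(card_key: bytes, atc: int, amount_minor: int,
                    currency: str, unpredictable_number: bytes) -> bytes:
    # The chip MACs the transaction data: amount, currency, terminal nonce and counter.
    data = (amount_minor.to_bytes(6, "big") + currency.encode()
            + unpredictable_number + atc.to_bytes(2, "big"))
    return hmac.new(session_key(card_key, atc), data, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, card_keys: dict):
        self.card_keys = card_keys      # PAN -> key shared with that card's chip
        self.last_atc = {}              # PAN -> highest counter already accepted

    def authorize(self, pan, atc, amount_minor, currency, unpredictable_number, cryptogram) -> str:
        key = self.card_keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINE: stale counter"          # message already seen
        expected = make_cryptogram(key, atc, amount_minor, currency, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"         # data altered or key unknown
        self.last_atc[pan] = atc
        return "APPROVE"

def demo() -> list:
    pan, key = "4111111111111111", b"constructed-demo-key"   # constructed test values
    issuer = Issuer({pan: key})
    nonce = bytes.fromhex("a1b2c3d4")                         # terminal's unpredictable number
    cryptogram = make_cryptogram(key, 1, 2500, "840", nonce)
    return [
        issuer.authorize(pan, 1, 2500, "840", nonce, cryptogram),   # genuine chip transaction
        issuer.authorize(pan, 1, 2500, "840", nonce, cryptogram),   # same message presented again
        issuer.authorize(pan, 2, 99900, "840", nonce, cryptogram),  # old code attached to a new sale
    ]
```

Static magstripe data has no equivalent of the counter or the keyed code, which is why a copied stripe keeps working while a copied chip message does not.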
In an offline EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized. Offline transactions are used when terminals do not have online connectivity (e.g., at a ticket kiosk).
Offline PIN is a cardholder verification method, unique to EMV cards (magnetic stripe cards do not support offline PIN). When the EMV card is programmed, the offline PIN code is stored within the card’s microprocessor. During an offline PIN cardholder verification, the PIN entered into the terminal or PIN pad is sent to the card. The card’s microprocessor then returns the answer. If the entered PIN and the stored PIN are different, the card sends a failure signal.
What is EMV fallback?
For failed EMV transactions there is an established backup process – “falling back” to a magnetic stripe transaction, or fallback.
A fallback transaction occurs in retail settings when the terminal detects that the chip is not being read. The terminal then prompts the cardholder to swipe the card, and the transaction is processed as a magstripe transaction, without chip data and a fallback indicator.
EMV provides three levels of security:
- card authentication
- cardholder authentication
- issuer authentication
Once the chip is damaged, at least card authentication and issuer authentication are not performed, whereas cardholder authentication is still possible for PIN-based transactions only. A card with a damaged chip is as good as a magnetic stripe card. Merchants should reject transactions on a damaged chip even in fallback mode, says payment consulting company PayHuddle.
According to EMV-connection.com, in some situations, a fraudster may create a counterfeit card with an intentionally damaged chip in order to invoke this scenario. For this reason, fallback transactions are deemed risky by the payments industry.
Not all fallbacks are related to fraud. They can occur for valid reasons such as a damaged chip, a dirty card reader or staff untrained on processing a chip card correctly.
Damaged chips are a big red flag. You don’t want to lose the sale, but when you bypass the proper EMV procedure, you open your business up to a chargeback.
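One way a merchant or acquirer could separate the benign fallback causes above from the risky ones, as an added example that is not part of the original article. It assumes transaction records carry the ISO 8583 POS entry mode and the magstripe service code (neither is named in the article); the record field names and the sample data are constructed.

```python
from collections import defaultdict

CHIP_MODES = {"05", "07"}        # chip read: contact, contactless
STRIPE_MODES = {"80", "90"}      # magstripe read; 80 is the explicit fallback value
CHIP_SERVICE_CODES = {"2", "6"}  # first service-code digit of a chip-bearing card

def classify(txn: dict) -> str:
    mode = txn["pos_entry_mode"][:2]
    if mode in CHIP_MODES:
        return "chip"
    if mode in STRIPE_MODES:
        chip_card = txn["service_code"][:1] in CHIP_SERVICE_CODES
        # A chip card swiped at a chip-capable terminal is a fallback, flagged (80) or not (90).
        return "fallback" if chip_card and txn["terminal_chip_capable"] else "magstripe"
    return "other"

def fallback_report(txns, min_txns=3, rate_threshold=0.5) -> dict:
    per_terminal = defaultdict(lambda: [0, 0])   # terminal -> [fallbacks, total]
    terminals_by_card = defaultdict(set)         # card -> terminals where it fell back
    for t in txns:
        per_terminal[t["terminal_id"]][1] += 1
        if classify(t) == "fallback":
            per_terminal[t["terminal_id"]][0] += 1
            terminals_by_card[t["card_ref"]].add(t["terminal_id"])
    return {
        # Many cards failing on one reader points at the reader or staff procedure.
        "terminals_to_service": sorted(tid for tid, (f, n) in per_terminal.items()
                                       if n >= min_txns and f / n >= rate_threshold),
        # One card failing on several readers points at the card itself.
        "cards_to_review": sorted(c for c, seen in terminals_by_card.items() if len(seen) >= 2),
    }

def txn(terminal_id, card_ref, mode, service_code="201", chip_capable=True) -> dict:
    return {"terminal_id": terminal_id, "card_ref": card_ref, "pos_entry_mode": mode,
            "service_code": service_code, "terminal_chip_capable": chip_capable}

# Constructed sample transactions (card_ref is a token, not a PAN).
SAMPLE = [
    txn("T1", "c1", "80"), txn("T1", "c2", "80"), txn("T1", "c3", "90"), txn("T1", "c4", "05"),
    txn("T2", "cX", "80"), txn("T2", "c5", "05"), txn("T2", "c6", "07"),
    txn("T3", "cX", "80"), txn("T3", "c7", "05"), txn("T3", "c8", "05"),
    txn("T4", "c9", "90", service_code="101"),
]
```

On the sample data, `fallback_report(SAMPLE)` singles out terminal T1 for servicing and card cX for review, while the plain magstripe card at T4 is not counted as a fallback.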
How does EMV help to reduce chargebacks?
The technology behind EMV is designed not only to cut down on consumer fraud but also to limit credit card and bank issuers’ liability for fraudulent payment chargebacks, where the payer fraudulently recalls a bank transfer after having received goods or services from the payee.
After the adoption of EMV, merchants who have not upgraded to EMV technology usually become liable for chargebacks received (unless others in the payment chain have also not upgraded), even in cases where prior to EMV adoption the merchant would not have been liable. This is a huge win for EMV technology users, because the chargeback process can take up to six weeks or six months.
Taking part in the EMV switch is voluntary, but failing to do so exposes businesses to fraud liability and the loss of customers who prefer to interact with businesses that offer more secure technology.
Why are card-present transactions still vulnerable?
The answer lies in terminals where these cards are used – some merchants have not yet installed a chip-enabled terminal (gas stations have until 2020 to completely move from swiping cards to inserting chip cards). There are small to medium businesses, for which the investment can be a tough hurdle.
Of the merchants that have installed a chip-enabled terminal, some have failed to activate all of the chip security features, which is equivalent to letting customers insert their chip card, but then not closing and locking all the gates that would keep that number from reaching the dark web.
According to CreditCards.com, the U.S. market is the No. 1 target for credit card thieves, accounting for 79 percent of the stolen numbers. That’s 60 million American card numbers out of the 75.9 million that were for sale globally during the 12-month period.
Sources: emvco.com, creditcards.com, chase.com, nerdwallet.com, pcisecuritystandards.org, merchantmaverick.com