EMV stands for Europay, Mastercard, and Visa. These were the first three companies to start developing the EMV standard in 1989. In 1994 they created the first EMV standard; since 1999, the EMV standards have been administered by EMVCo. EMVCo LLC is a private consortium owned in part by Visa, MasterCard, Discover, JCB, American Express and China UnionPay. Each one holds an equal stake in the company. In order to reduce credit card fraud, they developed a set of detailed technical requirements for a new generation of secure payment options. This is called the EMV standard. Following the EMV standard is called EMV compliance.
The EMV standards were developed for electronic payment transactions, using specific technology for use in chip cards and contactless payment options.
EMV chip cards use a number of technologies developed by the ISO (International Standards Organization) for use in other smart card applications, such as cell phone SIM cards. EMV chip cards hold secure data and software. When the card is inserted into the chip card terminal (EMVCo calls this “dipping the chip”), the metallized contacts on the card interface with the POS hardware and provide a bridge between the data stored on the card and the payment network.
Chip cards contain a microprocessor, which is like a small computer embedded into the card, providing far more capabilities than a magnetic stripe. The EMV chip makes use of a PIN and a security code which is encrypted and sent to the card issuer for payment verification. The systems make use of advanced encryption technology such as 3DES, RSA, and SHA to secure data while it is transmitted and stored.
When a chip card is inserted into an EMV terminal, the first step is application selection. Every card issuer has a unique application that can be stored on the microprocessor. Once the proper application is selected for the card type, the card gives the terminal access to the files stored on the card. The files are read by the terminal and aid in determining the legitimacy of the transaction.
Next, a security check is performed that includes checking if the card is expired. There are a number of security checks which are performed, and the results are stored in the card’s embedded microprocessor. When the POS terminal contacts the card issuer, this data is sent in a secure stream. The transaction is either authorized or denied, based on the policies set by the card issuer for evaluating transaction risk.
Contactless payment devices can be a card equipped with RFID technology, a dedicated contactless payment device such as a key fob, or a mobile phone. Not all chip cards are equipped with contactless payment. This is a common misconception. A contactless payment enabled chip card is usually indicated by a small icon on the card that resembles a Wi-Fi signal or radio waves. Contactless payment methods such as Apple Pay and Google Wallet tie the user’s account to the SIM card and use the phone’s NFC antenna to communicate with the terminal. Contactless payments are accomplished by holding the device a small distance away from the terminal or holding it against it. Contactless payment is faster than magnetic swipe and inserted EMV chip cards, and over 60% faster than cash. Typically, contactless systems do not require a PIN but may have lower limits for maximum transaction size, to mitigate risk.
EMV is a registered trademark of EMVCo LLC and is a constantly evolving technical standard that is updated as new methods of providing secure payment transactions become available. EMVCo is already rolling out next generation standards and adding new specifications, so contact your payment processor for the latest information.
As of October 2015, liability for payment fraud and chargebacks on non-EMV transactions shifted to the merchant if the merchant is not EMV (chip card) compliant. Years later, merchants are still in the process of upgrading to EMV compliant hardware, and many are still unsure exactly what EMV compliance is.
In order to encourage merchants to rapidly adopt EMV compliant POS systems and reduce fraud, the credit card companies have initiated a liability shift. Merchants who have not deployed EMV compliant POS hardware may be found liable for the cost of fraudulent transactions.
Please keep in mind that industry standards and merchant requirements evolve. The information provided here is designed to summarize the topic and highlight key points. Consult your payment processor for detailed information.
To avoid potential liability, a merchant must deploy EMV compliant systems, including properly configured EMV-enabled POS hardware and software. The merchant also must follow EMV protocol for secure payment authorization. The following informational flow-chart should be taken as a guideline to determining liability under the EMV liability shift.
Evaluating merchant liability begins when a transaction is disputed. The following questions are asked to determine liability:
A fallback transaction is when the customer used the swipe reader or the cashier input the card number manually because the EMV system was either unavailable or the card was damaged. There is a strict protocol governing when use of the fallback method is proper and when it is not. To avoid liability, merchants need to be sure they are following proper EMV fallback procedure.
Magnetic stripes can be easily copied by fraudsters, but EMV chips are extremely secure. So, the credit card issuers look very skeptically at merchants with high rates of fallback use. A fallback rate over 20% is considered a serious problem, and a rate over 50% requires immediate intervention, which will likely be initiated by the issuer receiving a high number of fallback transactions from your account.
Common causes of improper use of the magnetic swipe fallback are improperly configured terminals, faulty or damaged equipment, improperly trained employees, and poor enforcement by management. Since EMV is still considered new technology, it is important to train your staff to understand the importance of using EMV to combat fraud and to be aware that magnetic swipe fallback transactions are a specific target for fraud using counterfeit cards.
When the terminal fails to read a chip card, an approval for fallback payment authorization can be sent through an online terminal. An offline terminal can’t authorize a fallback payment. Offline fallback payment is a merchant-liable transaction. If fallback payment is approved online, the issuer is liable for the transaction if there is a chargeback later. It is important that your employees know that if fallback was initiated for ineligible reasons, the system is offline, or fallback payment approval is denied for the card, the merchant is liable for any loss.
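The fallback thresholds and the liability rules described above can be checked against a terminal's transaction log. The following is an added example, not code from the original page or from EMVCo. The record fields, the reason labels, the sample transactions and the choice to measure fallback rate against all transactions on a terminal are assumptions made for illustration.

```python
from collections import defaultdict

# Thresholds from the text: over 20% is serious, over 50% needs immediate intervention.
SERIOUS, CRITICAL = 0.20, 0.50
# Fallback reasons the text names as legitimate (EMV unavailable, card damaged).
ELIGIBLE_REASONS = {"emv_unavailable", "card_damaged"}

def txn(terminal, entry, reason=None, online=True, approved=True):
    """Build one record; field names are hypothetical, not a processor format."""
    return {"terminal": terminal, "entry": entry, "reason": reason,
            "online": online, "approved": approved}

def fallback_liability(t):
    """Party liable for a later chargeback on a fallback, per the rules in the text."""
    if t["entry"] != "fallback":
        return None  # these rules only cover fallback transactions
    if t["reason"] not in ELIGIBLE_REASONS or not t["online"] or not t["approved"]:
        return "merchant"  # ineligible reason, offline terminal, or approval denied
    return "issuer"        # eligible fallback approved online

def fallback_report(txns):
    """Per terminal: fallback rate, alert level, count of merchant-liable fallbacks."""
    totals, fallbacks, exposed = defaultdict(int), defaultdict(int), defaultdict(int)
    for t in txns:
        totals[t["terminal"]] += 1
        if t["entry"] == "fallback":
            fallbacks[t["terminal"]] += 1
            exposed[t["terminal"]] += fallback_liability(t) == "merchant"
    report = {}
    for tid, total in totals.items():
        rate = fallbacks[tid] / total  # assumption: fallbacks over all transactions
        level = "critical" if rate > CRITICAL else "serious" if rate > SERIOUS else "ok"
        report[tid] = {"rate": rate, "level": level, "merchant_liable": exposed[tid]}
    return report

# Constructed sample log for three terminals.
SAMPLE = (
    [txn("T1", "chip")] * 9 + [txn("T1", "fallback", "card_damaged")]
    + [txn("T2", "chip")] * 3
    + [txn("T2", "fallback", "emv_unavailable", online=False)]
    + [txn("T3", "chip"),
       txn("T3", "fallback", "cashier_preference"),
       txn("T3", "fallback", "card_damaged", approved=False),
       txn("T3", "fallback", "card_damaged")]
)

if __name__ == "__main__":
    for tid, row in sorted(fallback_report(SAMPLE).items()):
        print(tid, f"{row['rate']:.0%}", row["level"], row["merchant_liable"])
```
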
Although EMV and PCI are both programs put forward by the credit card companies to combat fraud, they are not the same. PCI comes from the Payment Card Industry Security Standards Council (PCI SSC). EMV comes from EMVCo LLC. While PCI is primarily concerned with how cardmember data is stored and transmitted, EMV is a set of technical specifications for chip and contactless payment cards and devices. PCI compliance requires merchants to adhere to annual reporting and additional requirements. EMV compliance on the part of merchants means deploying EMV compliant hardware and adhering to the EMV transaction protocol.
EMV compliance and PCI compliance work together to provide a high level of safety for your customers’ card data, combatting fraud and identity theft. To protect yourself from liability and fines, make sure you are following guidelines for both PCI and EMV compliance.