EMV migration FAQs

What is EMV?

Named after the three organisations that developed the specifications – Europay, MasterCard and Visa – EMV is the global benchmark for credit and debit cards that incorporate chip technology. EMV cards have embedded microprocessors that make them much more secure than traditional magnetic stripe cards.

Who uses EMV?

According to EMVCo, more than 80 countries are migrating to EMV chip cards or are already fully compliant. More than 3.4 billion chip cards are in circulation and approximately 30 per cent of all card transactions globally are now EMV.

How do EMV cards work?

EMV cards contain a microprocessor chip that securely holds information and performs cryptographic processing during a transaction.

What are the benefits of EMV?

The key benefit of EMV is to reduce fraud from counterfeit, lost and stolen cards. EMV also supports advanced cardholder verification methods not possible with mag stripe cards. Unlike mag stripe cards, it is almost impossible to create a counterfeit EMV card to use fraudulently.

After EMV chip-and-PIN cards were widely adopted in the UK in 2004, counterfeit fraud declined by more than 63 per cent in the ensuing years.

There are additional benefits too, such as the ability to hold more than one product type in the chip on the card. A single card could act as both a credit and a debit card, or offer other functionality such as using the credentials on the chip to generate one-time passwords for internet banking sign-on.

Why are EMV cards more secure?

Card authentication is stronger. Payment data is more secure on an EMV chip card than on a magnetic stripe card because the chip supports Dynamic Data Authentication (DDA) in addition to Static Data Authentication. These dynamic values exist within the chip itself to ensure the authenticity of the card.

EMV cards can also support Combined DDA with application cryptogram (AC) generation (CDA). This combines a request for dynamic signature calculation and application cryptogram in one command, which provides an extra layer of security. CDA is often used for offline contactless transactions.

Cardholder verification is stronger. EMV supports four types of cardholder verification methods (CVMs): offline PIN, online PIN, signature, or no CVM. Different terminals support different CVMs. The decision of which CVM to use is often risk-based; for example, contactless transactions typically do not require a CVM as transaction limits are very low. Once chip cards have been established, it is possible to move on to another CVM instead of PIN, perhaps one related to biometrics.

Transaction authorisation is stronger as cards use issuer-defined rules to authorise transactions. This can be done online or offline. For online authorisation, the transaction data is sent to the issuer, along with a transaction-specific cryptogram for authorisation. For offline authorisation, the card communicates with the terminal and issuer-defined risk parameters held in the card’s chip are used to determine whether to authorise the transaction.

What’s the difference between EMV cards and magstripe cards?

The biggest difference is the online card authentication process. Because there is a small computer on the card, encrypted security information can be transmitted in the transaction to help the issuer validate that the genuine card is being used.

Chip cards use symmetric key technology to generate an application cryptogram (AC). This cryptogram type, known as the Authorization Request Cryptogram (ARQC), is validated by the issuer during the authorisation request.

“The ARQC is the dynamic data that makes an EMV transaction unique and provides card-present fraud protection against counterfeiting and skimming. The chip generates this cryptogram by applying a cryptographic algorithm to data provided by the card and the acceptance device, as well as transaction specific data. The process of cryptogram generation uses a symmetric algorithm (such as Triple DES),” the Smart Card Alliance explains in a whitepaper.

Every EMV card uses a derived unique key that is only known to the issuer host system. The issuer host derives each key from a master key using the primary account number (PAN) as diversification data, which means it does not need to store the keys for each card.

Some of the data used in cryptogram generation is different for each transaction, which means the cryptogram is unique for each transaction.
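The derive-then-verify flow described above, as an added example (not code from NCR, EMVCo or the Smart Card Alliance). It substitutes HMAC-SHA256 from the Python standard library for the Triple DES derivation and MAC the whitepaper mentions, so the outputs are not real ARQCs; the key, PAN, field layout and the issuer's transaction-counter (ATC) replay check are assumptions made for illustration.

```python
import hmac, hashlib, struct

def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Diversify the issuer master key with the PAN to get the per-card key."""
    return hmac.new(issuer_master_key, b"card-key|" + pan.encode(), hashlib.sha256).digest()

def make_cryptogram(card_key: bytes, amount_minor: int, currency: int,
                    unpredictable_number: bytes, atc: int) -> bytes:
    """Card side: MAC over terminal data plus the card's transaction counter."""
    data = (struct.pack(">QH", amount_minor, currency)
            + unpredictable_number + struct.pack(">H", atc))
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]  # truncated to 8 bytes

class IssuerHost:
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_atc = {}  # PAN -> highest counter accepted (assumed replay guard)

    def authorise(self, pan, amount_minor, currency, un, atc, arqc) -> str:
        key = derive_card_key(self.master_key, pan)  # re-derived on demand, never stored
        expected = make_cryptogram(key, amount_minor, currency, un, atc)
        if not hmac.compare_digest(expected, arqc):  # constant-time comparison
            return "DECLINE: cryptogram mismatch"
        if atc <= self.last_atc.get(pan, -1):
            return "DECLINE: stale ATC"
        self.last_atc[pan] = atc
        return "APPROVE"

def demo() -> dict:
    master = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    pan = "4000000000000002"                                    # constructed test PAN
    issuer = IssuerHost(master)
    card_key = derive_card_key(master, pan)  # loaded into the chip at personalisation
    un1, un2 = bytes.fromhex("a1b2c3d4"), bytes.fromhex("0badf00d")
    arqc1 = make_cryptogram(card_key, 2599, 826, un1, atc=1)  # 826 = GBP
    arqc2 = make_cryptogram(card_key, 2599, 826, un2, atc=2)
    return {
        "genuine": issuer.authorise(pan, 2599, 826, un1, 1, arqc1),
        "replayed": issuer.authorise(pan, 2599, 826, un1, 1, arqc1),
        "altered_amount": issuer.authorise(pan, 9999, 826, un2, 2, arqc2),
        "next_genuine": issuer.authorise(pan, 2599, 826, un2, 2, arqc2),
        "unique_per_txn": arqc1 != arqc2,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Skimmed static card data does not include the derived key, so a counterfeit cannot produce a cryptogram the issuer will accept for a new transaction.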

Are there any deficiencies in EMV?

EMV cards are not a silver bullet for card fraud. Data is still contained in the magnetic stripe, which means they can still be skimmed and the information used to carry out transactions where the actual physical card is not required, such as online.

Nevertheless, EMV can reduce card-not-present (CNP) fraud, as issuers can provide customers with individual readers to authenticate internet transactions. These readers are used to verify online banking transactions, reducing the potential for fraud in this sector.

Written by Andy Brown

Andy is marketing director for payments at NCR. He has nearly 30 years' experience in e-payment systems from the delivery and support of systems in the Far East and Europe, from both the product management and marketing perspectives. Based in the UK, Andy is responsible for marketing NCR payment solutions.
