EMV – Learning the Basics

EMV stands for EuroPay® MasterCard® Visa®, the three entities that originally worked together to create worldwide standards for the chip card to ensure global interoperability. Today, EMV has more members, including Discover®. EMV is a payment method that combines a plastic card with an integrated circuit chip (ICC). The primary purpose for using an EMV chip card is to help reduce card theft by including a mechanism to validate the identity of the user.

An EMV card uses the integrated circuit chip (ICC) to hold the account number and other sensitive data instead of using a magnetic stripe. The chip also contains logic for transaction processing and risk management. It is important to note that this data is not encrypted; it is all in clear text.

EMV adoption around the world has been a gradual process over several decades. The U.S. is one of the last countries to adopt EMV cards, and will need to modify many of its payment processes to fit into the EMV model. Additionally, EMV cards are more expensive to produce – about 22 cents per card, vs. 1.5 cents for a magnetic stripe card.

Here’s the basic process for how EMV cards are used:

1. Cards are inserted, not swiped

EMV cards are inserted into the payment device, which is referred to as “dipping.” When the card is inserted it undergoes an authentication and application selection process (e.g., “should this transaction be processed as a credit, debit, or ATM transaction?”). Then the device asks for a card authentication called the CVM (card verification method). Authentication can be PIN entry (most secure), signature, or none. This requirement is programmed onto the card, so some cards may require a PIN and some may not. Note that “signature” means signing a paper receipt, not a digital signature. Dipping an EMV card is unlike the “swipe” that cardholders are accustomed to today – the cardholder must not remove their card from the card entry device when “dipped” until this information is exchanged and the transaction is processed.

2. PIN or Signature?

Chip + PIN and Chip + Signature are both methods used with EMV cards. Chip + PIN is similar to PIN debit, like what is used at an ATM. Of course, the obvious difference is validating who you are by PIN entry vs. a signature. Both options offer enhanced security against counterfeiting compared to traditional magnetic stripe cards. The difference with Chip + PIN is that it protects against lost and stolen cards. Payment card issuers will ultimately decide which CVM they will use. If the card issuer allows multiple options, the payment application will automatically prompt for the selected CVM. Chip + PIN is more widely used internationally, and in some cases is the only method allowed.

3. Better authorization security

EMV authorization differs from magnetic stripe authorization. Magnetic stripe authorization transactions are “one-way,” meaning the data on the stripe is read by a payment entry device, then packaged and sent on for processing the transaction. EMV, on the other hand, is “two-way.” Data is exchanged between the integrated circuit chip (ICC) and the payment entry device to verify that the card is not fraudulent, and then the transaction information is processed. The verification step allows fraudulent transactions to be stopped before they are processed.
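
The CVM step described in items 1 and 2 above can be made concrete. The following is an added example, not code from the original article or from any vendor it mentions: it decodes the list of verification rules an issuer programs onto the chip (the CVM List, EMV tag 8E) and shows which method a terminal ends up prompting for. The byte layout and codes follow the public EMV Book 3 specification; the sample card data, the function names and the simplified handling of amount-based conditions are assumptions made for illustration.

```python
# Added example: decode a CVM List (EMV tag 8E value) and choose the method to prompt for.
# Layout and codes are from EMV Book 3; the sample bytes are constructed.
CVM_METHODS = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by chip",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN verified by chip + signature",
    0x04: "enciphered PIN verified by chip",
    0x05: "enciphered PIN verified by chip + signature",
    0x1E: "signature (paper)",
    0x1F: "no CVM required",
}
COND_ALWAYS, COND_IF_SUPPORTED = 0x00, 0x03

# Constructed card: offline PIN first, then paper signature, then no CVM.
SAMPLE_CVM_LIST = bytes.fromhex("0000000000000000" "4403" "4103" "5E03" "1F00")


def parse_cvm_list(value: bytes):
    """Split the tag 8E value into amount X, amount Y and the 2-byte rules."""
    if len(value) < 10 or (len(value) - 8) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte CV rules")
    amount_x = int.from_bytes(value[0:4], "big")
    amount_y = int.from_bytes(value[4:8], "big")
    rules = [
        {
            "method": value[i] & 0x3F,                   # bits 6-1: the CVM
            "try_next_on_fail": bool(value[i] & 0x40),   # bit 7: fall through
            "condition": value[i + 1],
        }
        for i in range(8, len(value), 2)
    ]
    return amount_x, amount_y, rules


def select_cvm(rules, terminal_supports):
    """Walk the card's rules in priority order and name the CVM to perform."""
    for rule in rules:
        supported = rule["method"] in terminal_supports
        if rule["condition"] == COND_IF_SUPPORTED and not supported:
            continue  # condition not met, so the next rule is examined
        if rule["condition"] not in (COND_ALWAYS, COND_IF_SUPPORTED):
            continue  # simplification: amount and cash conditions are skipped
        if supported:
            return CVM_METHODS.get(rule["method"], "unknown CVM")
        if not rule["try_next_on_fail"]:
            break     # unsupported method with no fall-through
    return "cardholder verification failed"
```

With the constructed card above, a terminal that supports PIN entry selects the chip-verified PIN, while a terminal that supports only signature and no-CVM falls through to paper signature, so the same card behaves as Chip + PIN or Chip + Signature depending on the terminal.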

EMV is not the end-all solution for secure payments.

What is EMV?

EMV is a fraud-reducing technology that can help protect your business and your customers from financial loss if a criminal uses a counterfeit, lost or stolen payment card at your point of sale. In other words, the primary purpose of EMV is to make sure the card being used is the original card issued and not a duplicate. Implementing this technology is one of various security measures that merchants can take to help reduce payment fraud. EMV only applies to card-present technology. It does not take the place of PCI compliance, nor does it protect card data from hackers/breaches.

EMV is a payment method that combines a plastic card with an integrated circuit chip (ICC). The primary purpose for using an EMV chip card is to help reduce card theft by including a mechanism to validate the identity of the user. The user’s account information is securely stored on the chip. During an EMV transaction, encryption is used to generate the cryptogram. There are two types of EMV cards: chip and PIN, or chip and signature.

If you are considering adding EMV terminals to your point of sale (POS) system, here are three things to keep in mind:

1. EMV is one element of a complete solution to reduce credit card fraud.

EMV does not protect card information during processing in the POS system, nor does EMV protect against transactions made with a stolen card for card-not-present payments, such as online payments, unless it is also a Chip + PIN type EMV card. (Note that most implementations of EMV in the U.S. are planned to be Chip + Signature implementations.)

2. EMV does not always protect against stolen cards.

If an EMV payment card is stolen, and the owner has not yet deactivated the account with the issuing bank, the card can be used with a forged signature. EMV cards come in two usage formats: a) Chip + PIN, and b) Chip + Signature. The majority of cards will be Chip + Signature, with some Chip + PIN. This means that the EMV implementation does not protect against the theft of actual credit cards.

3. EMV with end-to-end (E2E) encryption is a better solution.

Without E2E encryption, card account information could still be stolen while being processed. In other words, if a card device (including both mag stripe readers and EMV devices) does not encrypt the card information, then malware infecting a local network can easily read the card data on the local network. However, the use of an encrypted card device keeps the card data encrypted while it is on the local network.

End-to-end (E2E) encryption encrypts data on a payment device and sends it to the card processor without the point of sale terminal ever seeing or storing the unencrypted data.

In addition to further securing single transactions, this also makes recurring billing safer and seamless. The card information is first encrypted and sent to the card processor. Then the card processor sends back a token representing the card on file. That token can be used in subsequent transactions or for recurring billing, and can only be used by that specific merchant.

With Paladin Point of Sale, your business is secure. Paladin supports E2E encryption, which protects your card account information from being stolen while in the midst of processing. Curious about how secure Paladin Point of Sale is? Give us a call at 800-725-2346.

EuroPay®, Visa®, and MasterCard® are registered marks belonging to one or more unaffiliated third parties that do not endorse or sponsor Mercury Payment Systems, LLC or Paladin Data Corporation.

Portions of information in the article are provided by Mercury Payment Systems, LLC in documents MEV001 11.15 and MEV003 11.15.