The article provides instruction and information on the following:
EMV – Learning the Basics
EMV stands for EuroPay® MasterCard® Visa®, the three entities that originally worked together to create worldwide standards for chip cards to ensure global interoperability. EMV also has more members, including Discover®. EMV is a payment method that combines a plastic card with an integrated circuit chip (ICC). The primary purpose for using an EMV chip card is to help reduce card theft by including a mechanism to validate the identity of the user.
An EMV card uses the integrated circuit chip (ICC) to hold the account number and other sensitive data instead of using a magnetic stripe. The chip also contains logic for transaction processing and risk management.
Note: Data is not encrypted; it is all in clear text.
This section covers the following:
Cards are inserted, not swiped
EMV cards are inserted into the payment device, which is referred to as “dipping.” When the card is inserted, it undergoes an authentication and application selection process (e.g., “should this transaction be processed as a credit, debit, or ATM transaction?”). Then, the device asks for a card authentication called the CVM (card verification method). Authentication can be PIN entry (most secure), signature, or none. This requirement is programmed onto the card; so, some cards may require a PIN, and some may not.
Note: “Signature” means signing a paper receipt, not a digital signature. Dipping an EMV card is unlike the “swipe” that cardholders are accustomed to; the cardholder must not remove their card from the card entry device when “dipped” until information is exchanged and the transaction is processed.
PIN or Signature?
Chip + PIN and Chip + Signature are both methods used with EMV cards. Chip + PIN is similar to PIN debit used at an ATM. The difference is validating who you are by PIN entry vs. a signature. Both options offer enhanced security against counterfeiting compared to traditional magnetic stripe cards. The difference with Chip + PIN is that it protects against lost and stolen cards. Payment card issuers will ultimately decide which CVM they will use. If the card issuer allows multiple options, the payment application automatically prompts for the selected CVM. Chip + PIN is more widely used internationally, and in some cases, is the only method allowed.
Better authorization security
EMV authorization differs from magnetic stripe authorization. Magnetic stripe authorization transactions are “one way”, meaning the data on the stripe is read by a payment entry device and then packaged and sent on for processing the transaction. EMV, on the other hand, is “two-way.” Data is exchanged between the integrated circuit chip (ICC) and the payment entry device to verify that the card is not fraudulent, then the transaction information is processed. The verification step allows for fraudulent transactions to be stopped before they are processed.
What is EMV?
EMV is a fraud-reducing technology that can help protect your business and your customers from financial loss if a criminal uses a counterfeit, lost, or stolen payment card at your point of sale. In other words, the primary purpose of EMV is to make sure the card being used is the original card issued and not a duplicate. Implementing this technology is one of various security measures merchants can take to help reduce payment fraud. EMV only applies to card-present technology. It does not take the place of PCI compliance, nor does it protect card data from hackers/breaches.
EMV is a payment method that combines a plastic card with an integrated circuit chip (ICC). The primary purpose for using an EMV chip card is to help reduce card theft by including a mechanism to validate the identity of the user. The user’s account information is securely stored on the chip. During an EMV transaction, encryption is used to generate the cryptogram. There are two types of EMV cards: chip and PIN, or chip and signature.
The areas covered in this section provide information to aid in your decision to apply EMV to your credit card processing.
This section covers the following:
- EMV is one element of a complete solution to reduce credit card fraud
- EMV does not always protect against stolen cards
- EMV with end-to-end (E2E) encryption is a better solution
EMV is one element of a complete solution to reduce credit card fraud
EMV does not protect card information during processing in a point of sale system, nor does EMV protect against transactions made with a stolen card for card not-present payments, such as an online payments, unless it is also a [Chip + PIN] type EMV card.
Note: Most implementations of EMV in the U.S. are planned to be [Chip + Signature] implementations.
EMV does not always protect against stolen cards
If an EMV payment card is stolen, and the owner has not yet deactivated the account with the issuing bank, the card can be used with a forged signature. EMV cards come in two usage formats: a) Chip + PIN, and b) Chip + Signature. The majority of cards will be Chip + Signature, with some Chip + PIN. This means that the EMV implementation does not protect against the theft of actual credit cards.
EMV with end-to-end (E2E) encryption is a better solution
Without E2E encryption, card account information can still be stolen while being processed. In other words, if a card device (including both mag stripe readers and EMV devices) does not encrypt the card information, then malware infecting a local network can easily read the card data on the local network. However, the use of an encrypted card device keeps the card data encrypted from the local network.
End-to-end (E2E) encryption encrypts data on a payment device and sends it to the card processor without the point of sale terminal ever seeing or storing the unencrypted data.
In addition to further secure single transactions, recurring billing is also safer and seamless. The card information is first encrypted and sent to the card processor. Then, the card processor sends back a token representing the card on file. That token can be used in subsequent transactions, or for recurring billing, and can only be used by that specific merchant.
With Paladin, your business is secure. Paladin supports E2E encryption, which protects your card account information from being stolen during processing. Curious about how secure Paladin is? Give us a call at 800-725-2346.
EuroPay®, Visa®, MasterCard®, are registered marks belonging to one or more unaffiliated third parties that do not endorse or sponsor Mercury Payment Systems, LLC or Paladin Data Corporation.
Portions of information in the article are provided by Mercury Payment Systems, LLC in documents MEV001 11.15 and MEV003 11.15.
If you have questions or suggestions about this information, contact support@paladinpos.com.
