EMV Chip Card Payment Standard: Perspective




Ellen Walsh
Technology Overview
11 June 2002

Summary

EMV is an interoperability and compatibility standard for chip cards that allows cards to operate from any terminal and is used to migrate from magnetic stripe to chip card technology.

Table of Contents

- Technology Basics
- Operating Requirements
- Technology Analysis
- Business Use
- Benefits and Risks
- Selection Guidelines
- Technology Leaders
- Insight

Gartner

Entire contents © 2002 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Technology Basics

In December 1993 the Europay, MasterCard and Visa (EMV) Group, consisting of representatives from Europay, MasterCard and Visa, was created with the objective of formulating a set of industry specifications that would ensure consistent and secure interoperability of chip cards and devices at the point of sale, regardless of location, financial institution or manufacturer. The group realized that to achieve widespread acceptance, using chip cards had to work as seamlessly as using the telephone. The EMV infrastructure is based on a common set of technical specifications derived from standards set by the International Organization for Standardization (ISO) for integrated circuit cards and related devices for the payment industry. The group formed the following goals:

- The card and device can communicate and detect which card and device applications they have in common.
- The device can run common applications and ensure that minimum standards for risk control and security are applied.
- The chip-card payment experience performs consistently worldwide, increasing merchant commitment and customer awareness and understanding.

In June 1996 EMV published the EMV 96 Specifications, version 3.0. In February 1998 EMV published the EMV 96 Errata, which defined the clarifications and corrections to version 3.0. In May 1998 EMV published version 3.1.1 of the specifications, which incorporates the EMV 96 Errata and version 3. In February 1999 EMVCo was formed by Europay, Visa and MasterCard to manage, maintain and enhance the EMV Integrated Circuit Card Specifications.

EMVCo specifications are reviewed on a two-year basis. However, in between releases, bulletins may be issued to deal with technical errors found or to clarify ambiguities. The latest version of EMV specifications, 4.0, was released in December 2000. It reflects changes such as lower voltage cards and chip electronic commerce specifications.
EMV is also investigating the possibility of adding specifications to support contactless technology and voltage change requirements. Changes will be published as addenda once completed. There is no mandate from EMVCo for the implementation of EMV 2000 4.0, although the individual payment systems may require that member banks issue EMV 2000-compliant cards.

Testing

Although testing of EMV 2000 is available, testing and approval to EMV 96 version 3.1.1 is continuing in parallel during 2002. EMVCo has written and published test requirements and test cases of the terminal chip-card interface (Level 1) and the payment applications (Level 2). EMVCo has accredited testing laboratories to deliver testing services to terminal vendors and application providers. Finally, EMVCo issues services to terminal vendors and application providers. EMVCo also issues a Letter of Approval for approved products. Payment systems members and vendors can choose any laboratory from the list published on the EMVCo Web site to perform testing services for EMV compliance testing.

The Level 1 Type Approval process tests compliance with electromechanical characteristics, logical interface and transmission protocol requirements defined in Part 1 of the EMV specifications. Level 2 tests compliance with debit/credit applications requirements defined in the remainder of the EMV specifications.

EMV Specification

The EMV 4.0 specifications consist of four books:

- Book 1, Application Independent ICC to Terminal Interface Requirements: This specification describes the minimum functionality required for integrated circuit cards (ICCs) and terminals to ensure correct operation and interoperability, independent of the application to be used.
- Book 2, Security and Key Management: This specification describes the minimum security functionality required of integrated circuit cards and terminals to ensure correct operation and interoperability. Additional requirements and recommendations are provided with respect to the online communication between ICC and issuer and the management of cryptographic keys at terminal, issuer and payment system levels.
- Book 3: This specification defines the terminal and ICC procedures necessary to effect a payment system transaction in an international interchange environment.
- Book 4: Cardholder, attendant and acquirer interface requirements are defined. This defines the mandated, recommended and optional terminal requirements necessary to support the acceptance of ICCs in accordance with the other three book specifications.

Book 1 Application Independent ICC to Terminal Interface Requirements

The Integrated Circuit Card (ICC) Specification for Payment Systems Book 1 describes the minimum functionality required of ICCs and terminals to ensure correct operation and interoperability, independent of the applications to be used. It consists of two parts:

- Part 1: electromechanical characteristics, voltage levels, signal parameters, logical interface and transmission protocols.
- Part 2: files, commands and application selection. The logical structure of data and files within the card that is required for the process is specified, as is the terminal logic using the card structure.

Book 2 Security Requirements

Book 2 of the Integrated Circuit Card (ICC) Specification describes the minimum security functionality required of ICCs and terminals to ensure correct operation and interoperability.
Additional requirements and recommendations are provided with respect to the online communications between ICC and issuer and the management of cryptographic keys at terminal, issuer and payment system levels. The book covers the following elements:

- Offline static data authentication
- Offline dynamic data authentication
- Offline personal identification number (PIN) authentication
- Application cryptogram generation and issuer authentication
- Secure messaging
- Public key management policies and principles
- Terminal security and key management requirements
- Specification of the security mechanisms and the approved cryptographic algorithms required to implement the specified security functions

Book 3 Application Specifications

The Integrated Circuit Card Application Specification for Payment Systems, or Application Specification, defines the terminal and ICC procedures necessary to effect a payment system transaction in an international interchange environment. The functions described are those necessary to ensure that payment system cards conforming to this specification can perform the set of common core functions in all terminals conforming to this specification. It includes the following elements:

- Mapping of data elements to files
- Transaction flow (the sequence of events and the commands issued to the card)
- Exception processing
- Coding of specific data objects
- Definition of data elements and commands as they apply to the exchange of information between an ICC and a terminal

Application functions unique to individual payment systems and those functions not performed in interchange are not described, but are not precluded. This specification does not address clearing and settlement of any transactions where the ICC is not present.

Book 4 Cardholder, Attendant and Acquirer Interface Requirements

The Cardholder, Attendant and Acquirer Interface Requirements for Payment Systems defines the mandatory, recommended and optional terminal requirements necessary to support the acceptance of integrated circuit cards. Software architecture, including software and data management, is covered. Application-specific terminal requirements unique to individual payment systems and those functions not required to support interchange are not covered in this specification.

This specification applies to all terminals operating in attended or unattended environments, having offline or online capabilities and supporting transaction types such as purchase of goods, services and cash. Terminals include but are not limited to automated teller machines (ATMs), branch terminals, cardholder-activated terminals, electronic cash registers, personal computers and point-of-service (POS) terminals.
This specification does not address cardholder or merchant operating procedures, which are established by individual payment systems.

Interoperability

EMV achieves interoperability between cards and devices through two key mechanisms:

1. First it defines the minimum requirements that chip cards and card acceptance devices must meet to communicate with one another. These requirements also ensure that the device does not damage the card. These are called EMV Level 1 requirements.
2. EMV Level 2 specifies how debit and credit applications are to be executed once the basic physical contact between the chip and device has been made.

In the magnetic stripe world, a single card represented a single payment function, such as access to a savings or checking account (referred to as a debit card) or access to a line of credit (referred to as a credit card). With chip technology, which has processing power and allows more data to be stored on the card, payment cards can now have multiple functions. Because of this, there must be a way for consumers to see what functions are on the card, to know if the merchant supports those functions and to select the account source for payment. In the chip environment, these payment functions are generally referred to as applications. In order for the payment industry to maintain its level of global interoperability while migrating debit and credit products from magnetic stripe to chip technology, these two requirements must be met.

EMV Level 1 Requirements

Level 1 includes requirements for all chip cards and terminals, including physical and electromechanical requirements, logical interface and transmission protocols, to facilitate basic interoperability. It defines the essential requirements that allow chip cards and terminals to communicate with one another.

The card and device must be capable of connecting physically to allow the exchange of information. From a card perspective, the size of the card, the position of the chip and the contact of the chip must follow EMV specifications. From a device perspective, the terminal must have the correct size slot for the card to fit into, and its contacts must be in the correct position to make contact with the card. EMV also specifies the voltage that the device must apply to the chip to supply it with the power it needs to participate in a transaction. It also defines the communication protocols for transmitting data between the card and the device, such as the sequence in which the characters are sent and the number of characters sent at a time.

Level 2 Requirements

The rest of the EMV standard defines the requirements (application selection, data elements, commands, security aspects, etc.) for execution of the functions associated with debit and credit transactions.

Once a connection has been established (through EMV Level 1), EMV specifies a mechanism that allows a card and device to determine whether there is any reason to continue with the conversation. The device extracts information from the card on the applications contained in it, and based on cardholder preference or input and whether the same application is present in the terminal, it decides on the application to be used for the specific transaction. This decision-making process is called application selection.
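
The application selection exchange described above, sketched as an added example that is not part of the Gartner report. It goes beyond the text by using the SELECT command, the FCI tags (6F, 84, A5, 50, 87) and the status words from EMV Book 1 and ISO/IEC 7816-4, together with the publicly registered Visa, MasterCard and Maestro AIDs; the SimulatedCard class, the loyalty AID and the card contents are constructed for illustration.

```python
# Added example: terminal-side EMV application selection ("list of AIDs"
# method) against a simulated card. The card contents are constructed.

SW_OK, SW_BLOCKED, SW_NOT_FOUND = b"\x90\x00", b"\x62\x83", b"\x6a\x82"


def tlv(tag, value):
    """Encode one data object (one-byte tag, short-form length only)."""
    if len(value) > 0x7F:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value


def parse_tlv(data):
    """Decode a flat run of one-byte-tag objects into {tag: value}.

    Card data is untrusted input: a length that overruns the buffer
    (including an unsupported long-form length) is rejected.
    """
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated TLV from card")
        tag, length = data[i], data[i + 1]
        out[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def build_select(aid):
    """SELECT by DF name: CLA=00 INS=A4 P1=04 P2=00 Lc <AID> Le=00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


class SimulatedCard:
    """Constructed stand-in for a multi-application chip card."""

    def __init__(self, apps):
        self.apps = apps  # dicts with keys: aid, label, api, blocked

    def transmit(self, apdu):
        cla, ins, p1, _p2, lc = apdu[:5]
        if (cla, ins, p1) != (0x00, 0xA4, 0x04):
            return b"\x6d\x00"  # instruction not supported
        name = apdu[5:5 + lc]
        for app in self.apps:
            if app["aid"] != name:
                continue
            if app["blocked"]:
                return SW_BLOCKED
            prop = tlv(0x50, app["label"].encode()) + tlv(0x87, bytes([app["api"]]))
            return tlv(0x6F, tlv(0x84, app["aid"]) + tlv(0xA5, prop)) + SW_OK
        return SW_NOT_FOUND


def build_candidate_list(card, terminal_aids):
    """Return the applications common to card and terminal, best priority first."""
    candidates = []
    for aid in terminal_aids:
        rsp = card.transmit(build_select(aid))
        body, sw = rsp[:-2], rsp[-2:]
        if sw != SW_OK:
            continue  # 6A82 not on card, 6283 blocked, anything else: skip
        fci = parse_tlv(parse_tlv(body).get(0x6F, b""))
        if fci.get(0x84) != aid:
            continue  # card answered under another DF name: do not accept it
        prop = parse_tlv(fci.get(0xA5, b""))
        api = (prop.get(0x87) or b"\x00")[0]  # Application Priority Indicator
        candidates.append({
            "aid": aid.hex().upper(),
            "label": prop.get(0x50, b"").decode("ascii", "replace"),
            "priority": api & 0x0F,                 # 1 = highest, 0 = none
            "needs_confirmation": bool(api & 0x80),  # cardholder must confirm
        })
    # Applications with no priority (0) sort after prioritised ones.
    candidates.sort(key=lambda c: (c["priority"] == 0, c["priority"]))
    return candidates


# Constructed card: three payment applications (one blocked) and one loyalty
# application under a made-up proprietary AID the terminal does not support.
CARD = SimulatedCard([
    {"aid": bytes.fromhex("A0000000031010"), "label": "VISA CREDIT", "api": 0x02, "blocked": False},
    {"aid": bytes.fromhex("A0000000043060"), "label": "MAESTRO", "api": 0x81, "blocked": False},
    {"aid": bytes.fromhex("A0000000041010"), "label": "MASTERCARD", "api": 0x03, "blocked": True},
    {"aid": bytes.fromhex("F0000000010001"), "label": "LOYALTY", "api": 0x00, "blocked": False},
])
# AIDs the terminal is configured to accept (the last one is not on the card).
TERMINAL_AIDS = [bytes.fromhex(a) for a in (
    "A0000000031010", "A0000000041010", "A0000000043060", "A0000000032010")]

if __name__ == "__main__":
    for c in build_candidate_list(CARD, TERMINAL_AIDS):
        print(c)
```

The terminal only ever offers applications it is configured for and that the card confirms under the same name, so the blocked application and the unsupported loyalty application never reach the cardholder's selection screen.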
After a cardholder inserts a chip card, the device will generate a list of applications that are on both the card and terminal (credit, debit and loyalty) and will present the common applications to the cardholder for selection. The application selection process has been designed to support multiapplication cards. This means that any application that both the card and terminal have in common can be selected by following this process. If the EMV Level 2 requirements are followed, the applications on the card and device will have the same understanding of what particular words or commands mean.

Chip Card and Card Reader Dialog

EMV facilitates the dialogs between chip cards and devices. At the lowest level are the physical characteristics that make the card acceptable to the device:

- Is there the ability to carry an electrical current between the chip card and the device?
- Is there agreement on the timing of the electrical signals between the chip card and the device?

The lowest-level dialogs establish and maintain a physical link so that information and communication can flow back and forth. These lower-level dialogs are essential to the transmission of data between device and chip. Without agreement on these dialogs, no transmission could be possible.

Payment Application Dialog

At the next level is the payment application. Can the card and the device facilitate the processing of an electronic transaction? In the case of chip cards and the devices that read them, the application on the chip has a counterpart on the device. The steps followed when an application is used can be viewed as a series of commands and responses. For example, the device sends a command (i.e., a request to process online or offline), the application on the chip processes it, and it sends back a response. EMV enables the higher-level dialog between card and device by defining the format for commands and responses. Communicating at the higher levels is beneficial to specific applications that are developed, such as a credit or debit application. A misunderstanding at the application level means that the application program is not executing successfully, not that the device and chip card are incapable of linking and passing data.

Operating Requirements

EMV migration impacts different aspects of a business: point-of-sale terminals, ATMs, authorization servers, payment terminals and personalization.

Personalization

EMV migration is an end-to-end process for issuers and bureaus who need to integrate new requirements in terms of production, equipment, facilities and software.

Infrastructure Changes

To achieve EMV compliance, changes must be made to acquiring systems, issuing systems, terminals, merchant software, cards and in personalization software.

Acquirers

Acquirers need to change the host systems to be able to accept chip data. The terminals need to be able to record and read the data on the card and transmit this data to the host. This can be done by connecting to one of several networks such as VisaNet. As of February 2000, 93 percent of acquirers in Europe have made changes to support EMV.

Terminals

Point-of-sale terminals and ATMs need to pass EMV Level 2 testing, and many terminal manufacturers have made their terminals EMV-compliant.

Merchants

Merchants must upgrade terminals to accept chip cards and upgrade software to speak with the chip itself. Some terminals can be upgraded, while others will need to be replaced.

Cards

Magnetic stripe cards must be reissued to accommodate chips. Most issuers wait until cards have expired to issue chip cards. 60 percent of chip cards in Europe should be EMV-compliant by 2005.

Issuers

Cards must be personalized.
Service bureaus have to upgrade personalization systems with user data/PIN/risk parameters. Online and offline authorization must be programmed, as well as when to fall back to utilizing magnetic stripe. Issuers need to understand what combination of applications will be utilized (debit only, credit only, loyalty or some combination of these three). Issuers must also upgrade their systems to understand the new security parameters and how to utilize cryptographic keys.

Technology Analysis

Although it varies region by region, the key deadline for EMV implementation is January 2005, when banks will become liable for fraudulent transactions if they have not implemented chips and it can be demonstrated that chips would have prevented the fraudulent transaction from occurring.

Visa Mandates

Although global rules have been put in place to guarantee that issuance and acceptance of smart cards meet Visa standards, Visa has not issued a global mandate for chip technologies to be in universal use by a specific date. Each Visa region makes its own decisions on the best way to encourage migration, taking into account local circumstances, opportunities and challenges.

Visa Europe

The European region is leading the global migration to smart cards, having set aggressive schedules for implementation:

- As of October 2001, all acquirer systems and networks must be capable of authorizing and clearing EMV data.
- All new Visa acceptance devices must be EMV- and Visa Integrated Circuit Card Specification (VIS)-compliant.
- Starting in February 2005, any members, both issuers and acquirers, that have not implemented chip technology will be liable for all fraud losses that could have been prevented by chip.
- Acquirers and merchants installing PIN-capable EMV devices will be protected against all fraud losses, except for merchant malpractice.
- Issuers requesting PIN-based cardholder verification will be protected if the merchant does not support PINs.
- Issuers currently liable for counterfeit transactions will no longer be liable if the card is EMV-compliant and the device is not.
- Issuers will be liable for all issuer-authorized transactions if the transaction takes place at an EMV device and the card is EMV-compliant but the chip cannot be read.

Visa European Union (EU) expects more than 199 million Visa cards in the region to be carrying an EMV chip by the end of 2004. By then, the manufacture of magnetic stripe-only terminals will be phased out. In February 2001, the Visa EU board allocated $150 million in incentives aimed at helping issuers, acquirers, retailers and technology providers to accelerate chip migration in the EU region.
The incentives include:

- Financial incentives to chip card issuers
- Vendor support to increase the range of chip products and equipment
- Point-of-sale technical support
- Identification of, and help for, acquirers suffering from excessive fraud loss

The first countries to implement EMV were France, the U.K., Italy and Spain, representing more than 75 percent of Visa EU's transaction volumes. Around 700,000 POS terminals and other equipment need to be migrated by food, clothing and gasoline retailers, which represent approximately 70 percent of transactions. Approximately 2 million cards, 4 million terminals and 250,000 ATMs will need to be converted to be EMV-compliant. As part of the chip incentive program, retailers can install solutions into their electronic point-of-sale (EPOS) systems that have been certified to be Level 1 and Level 2 EMV-compliant.

MasterCard/Europay Europe

MasterCard has issued guidelines similar to Visa's European guidelines for a liability shift to occur in 2005. France, the U.K., Belgium, Switzerland, Italy, Austria, Finland, Sweden, Slovakia, Estonia and Czechoslovakia have been actively implementing EMV. As of February 2002, MasterCard had more than 90 chip migration implementations in Europe. By 2005, MasterCard expects more than half of the European payment cards to be converted to chip. Over half of the acquiring infrastructure in Europe is expected to be EMV by 2005.

Visa Latin America

Latin America is following the global mandates set forth by Visa to guarantee that the issuance and acceptance of smart cards meet Visa standards.

MasterCard Latin America

- In January 2004 a liability shift will go into effect.
- As of June 2001 all new ATMs and point-of-sale terminals must be chip-capable.
- In June 2002 acquirers with affiliated merchants in regions with fraud-to-counterfeit ratios exceeding established standards must upgrade to chip.
- As of June 2004 all ATMs and point-of-sale terminals issued on or after that date must be EMV-compliant.
- As of January 2004 all smart cards issued on or after that date must be EMV-compliant.

United States/Canada

The United States and Canada currently have no mandates in place for migration to EMV.

MasterCard Middle East/Africa

- In January 2005, a liability shift will go into effect.
- By January 2001, all new ATMs and point-of-sale terminals must be chip-capable.
- By January 2005, all ATMs and point-of-sale terminals installed on or after that date must be EMV-compliant.
- All smart cards issued on or after January 2005 must be EMV-compliant.

Asia-Pacific Visa

Visa has mandated that all new debit and credit cards utilizing chip technology must be EMV-compliant by January 2004. Effective January 2003 all new acquiring bank-owned smart card terminals are required to be compliant with industry-wide EMV specifications and meet Visa's specifications for global interoperability.

An interchange incentive of 10 basis points has been established for payment transactions between countries in Asia-Pacific to reward acquiring banks and issuing banks that have invested in smart card technology. Effective January 2002, losses from fraudulent transactions will shift from card issuers to merchant acquirers whenever counterfeit EMV-compliant cards are used at non-EMV-compliant terminals between countries in Asia-Pacific.

Visa has allocated $25 million to assist in the migration from magnetic stripe payment cards to EMV-standard smart cards.
The initiatives include training programs for banks, vendors and industry partners; enhancement of EMV testing facilities and services; and support to vendors to increase their range of EMV products and services. At the country level, a framework has been agreed on and established to address local initiatives such as domestic policies and funding based on market readiness, fraud rates and other parameters.

MasterCard Asia-Pacific

Regional rule changes are under consideration, and a country-based liability shift proposal is also under consideration. Japan, Korea, Taiwan and Malaysia have all decided to migrate to chip technology. Visa Programs Visa has developed its customization of the EMV specifications to be used for a Visa credit or debit application on a chip card or in a device. This customization for debit and credit is called the Visa Integrated Circuit Card Specification or VIS. It specifies all the possible functionality that may be used in a Visa credit or debit application and addresses internal card processing and data element requirements for messages transmitted from the device to the acquirer. VIS allows the actual application on the chip to vary in terms of what functions are supported, such as online PIN verification, offline PIN or signature verification. Each device must support the full range of functions, even if they are not utilized. VIS also requires that both the card and the device support the basic signaling and transmission formats specified in EMV. Any deviation could result in a chip application on a card that may not work across different devices. VIS builds on EMV, incorporating some of EMV s optional features, along with Visa Risk Management. Visa Smart Debit/Credit Visa Smart Debit/Credit (VSDC) is the Visa program name for implementing debit or credit applications in a chip environment. Magnetic stripe imaging is a method of replicating the card s magnetic stripe data onto the chip and contains the basic data needed for transaction processing and account access in a chip environment. To reduce the time to market, Visa members can choose between early and full data options when implementing a Visa Smart Debit/Credit program. The early option allows the device infrastructure to be upgraded prior to system changes being made by the issuer and acquirer. 
The current magnetic stripe message formats are retained while a small number of values are added to existing fields to indicate chip processing. The full option is achieved when the full chip data, including cryptograms, can be passed from the point of transaction to the issuer in both authorization and settlement messages. This requires changes to the issuer and acquirer processing systems.

By using chip technology, the VSDC product provides additional functionality while supporting risk control measures. One of these features is offline authorization, which allows transactions to be authorized offline using card and terminal risk-control measures. Another feature allows for either an offline or online PIN, in addition to a signature as a cardholder verification method, which helps to decrease exposure to lost and stolen cards. Additional risk-control enhancements include protection against counterfeit cards (which ensures that the terminal is communicating with a valid card) and the ability of the issuer to change the cardholder's personal information without having to reissue the card.

MasterCard M/Chip and M/Chip Lite

M/Chip is MasterCard's credit/debit application for chip technology that allows banks to issue chip-based MasterCard, Maestro and Cirrus cards. Members can purchase a pre-coded application directly from MasterCard, or they can build their own application. MasterCard offers a version specifically for MULTOS cards or a platform-neutral version for single application cards known as M/Chip Lite.

Business Use

EMV enables a greater degree of risk management on behalf of the card issuer. One example is the ability of EMV to limit the number of times a card can be used in an offline fashion before a transaction must be authorized offline, to allow the back-office system to check that the card is still valid. An EMV card uses a microprocessor chip to manage this data and has greater, more robust intelligence to keep track of how the card is used and whether it is being misused.

Many countries have a limited telecommunications infrastructure, and the growth of traditional (magnetic stripe) credit/debit cards has been restricted for this reason, due to the inability to authorize transactions online. With the advent of smart cards and EMV chip terminals (smart card readers in POS devices), it has become possible to have interaction between smart cards and smart card POS devices that is more secure. Transactions that require a card imprint to be taken and a signature verified are much easier to duplicate.

There are two main reasons for the migration to credit/debit smart cards:

- To reduce the level of fraud that is occurring round the world with standard magnetic stripe cards
- To enable the credit/debit transaction at the point-of-sale device to occur offline from the card issuer or verification organization while maintaining a high degree of security

Benefits and Risks

Benefits

Reduces Processing Costs

The chip card allows offline authentication to be done. For example, the chip card may store information that does not mandate a call to be made to the issuer if the transaction is below $20. This saves on phone charges.

Reduces Fraud and Chargebacks and Improves Risk Management

Unlike the United States, where PIN-based terminals ensure tighter levels of security, most areas of the world have been using magnetic stripe cards. Also, unlike many other areas of the world, the U.S. does not charge for local telecommunications costs. Magnetic stripe cards can be easily copied, increasing fraud.

New Applications

Digital signatures housed on the cards can open up new uses of the card, such as paying state and local taxes.
Authentication can be achieved by using digital signatures, bills can be paid using smart cards, and digital signatures can be utilized for identification to prevent voting fraud.

Loyalty Programs

Smart cards can hold loyalty card information, and points can be redeemed at the point of sale, rather than having to wait, as in the magnetic stripe world. This increases customer retention.

Incentives Offered by Associations

Visa has set aside $150 million in incentives in the Europe, Middle East and Africa (EMEA) region and $25 million in Asia-Pacific. This makes it cheaper to make infrastructure upgrades in a timely fashion.

International Acceptance/Compliance

Since most regions of the world are adopting EMV, chip cards can be utilized internationally.

Risks

Fraud Risk for Noncompliance

Although it varies by region, Visa is creating a liability shift for fraud costs. On 1 January 2005, fraud costs will be pushed back onto the merchant, not to the card issuer or terminal acquirer. Countries that do not adopt EMV risk fraud liability through chargebacks. Countries that are not switching over to EMV, such as the United States and Canada, run the risk of additional fraud. When it becomes more difficult to perpetrate fraud in EMV-compliant countries, criminals could seek refuge in non-EMV-compliant regions, increasing fraud. Also, persons travelling in non-EMV-compliant regions will expect to be able to utilize EMV cards. These factors will place involuntary pressure on noncompliant EMV regions of the world.

Costs

The cost of an EMV-compliant chip card can be between $2 and $3, depending on personalization and the number of applications on the chip. This is compared to $0.20-$0.30 for magnetic stripe. Card associations are, however, offering incentives to reduce the costs. Visa has negotiated special pricing that brings card costs as low as $0.99 for debit and credit applications from certain vendors. Through incentives, Visa can absorb approximately $0.60-$0.65 per card. Personalization can cost another $0.30. This brings the net difference in cost between magnetic stripe cards and chip cards to $1. EMV-compliant cards are more expensive than traditional magnetic stripe. In Europe, most issuers are starting out with only credit and debit on a single card and will later move to multiple applications. In other countries, such as Japan and the United States, issuers are putting five or six applications on the same card.

Compatibility

Many acquirers assume that if a card is EMV-compatible and a device is EMV-compatible, then a transaction can be conducted by the two. This is not always the case, since the EMV-compatible software may not contain the applications that are on the card.
For example, a cardholder may have a chip card with a Visa credit application on it that can be inserted into a chip-based merchant device that is also EMV-compatible, but which does not have the Visa credit application loaded into its software. In this case, compatibility only means that the card and the device can read one another and that application selection is supported. It does not mean the transaction can be processed as a Visa chip credit transaction.

Migration

During migration from magnetic stripe to chip, maintaining global acceptance and interoperability is of paramount importance. Issuers will be converting their card base from magnetic stripe and non-EMV-compliant chip cards to EMV-compliant chip cards. To support chip technology from a device perspective, acquirers and merchants will either upgrade their existing magnetic stripe equipment or purchase new point-of-sale terminals that are EMV-compliant.

Different Applications

The different payment applications that may exist on a card and in terminals, and the varying degrees of functionality within those applications, will cause some confusion for cardholders and merchants at the point of sale. Card acceptors will need to manage the new versions of EMV being implemented, accommodate the varying levels of functionality provided by chip terminals, and follow fallback rules when a chip card with the VSDC application cannot be read.

EMV Updates

Since EMV is an evolving standard and is updated every two years, different versions of EMV will need to coexist. EMVCo puts out update schedules, and all affected parties will need to follow the updates and come up with compliance schedules for upgrades.
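The compatibility caveat in the Compatibility section above, as an added Python sketch (not from the original report or any card scheme's code): it parses a constructed card directory record and builds the terminal's candidate list, so an EMV-capable terminal without the Visa application ends up with nothing to run. The loyalty AID, labels and priorities are constructed, and treating a terminal AID as a prefix match is a simplification of EMV's per-AID partial-selection option.

```python
VISA_CREDIT = bytes.fromhex("A0000000031010")   # Visa credit/debit AID
MASTERCARD = bytes.fromhex("A0000000041010")    # MasterCard credit/debit AID
LOYALTY = bytes.fromhex("F000000001")           # constructed AID for a made-up loyalty app

def tlv(tag, value):
    """Encode one short-form BER-TLV object (1-byte tag, value under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def parse_tlv(data):
    """Yield (tag, value) pairs from BER-TLV bytes (1- or 2-byte tags)."""
    i = 0
    while i < len(data):
        tag, i = data[i], i + 1
        if tag & 0x1F == 0x1F:              # low five bits all set: a second tag byte follows
            tag, i = (tag << 8) | data[i], i + 1
        length, i = data[i], i + 1
        if length & 0x80:                   # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated TLV object")
        yield tag, data[i:i + length]
        i += length

def candidate_list(directory_record, terminal_aids):
    """Return sorted (priority, label, AID hex) for card applications the terminal supports."""
    found = []
    for tag, body in parse_tlv(directory_record):
        if tag != 0x70:                     # 70 = record template
            continue
        for entry_tag, entry in parse_tlv(body):
            if entry_tag != 0x61:           # 61 = application template
                continue
            fields = dict(parse_tlv(entry))
            aid = fields[0x4F]              # 4F = AID of the application on the card
            # Simplification: a terminal AID matches if it is a prefix of the card AID.
            if any(aid.startswith(t) for t in terminal_aids):
                priority = fields.get(0x87, b"\x00")[0] & 0x0F   # 87 = priority indicator
                label = fields.get(0x50, b"").decode("ascii")    # 50 = application label
                found.append((priority, label, aid.hex().upper()))
    return sorted(found)

# Constructed directory record for a card carrying Visa credit plus a loyalty application.
CARD_RECORD = tlv(0x70,
    tlv(0x61, tlv(0x4F, VISA_CREDIT) + tlv(0x50, b"VISA CREDIT") + tlv(0x87, b"\x01")) +
    tlv(0x61, tlv(0x4F, LOYALTY) + tlv(0x50, b"LOYALTY") + tlv(0x87, b"\x02")))

if __name__ == "__main__":
    print(candidate_list(CARD_RECORD, [MASTERCARD]))    # terminal without the Visa application
    print(candidate_list(CARD_RECORD, [VISA_CREDIT]))   # terminal with the Visa application loaded
```

An empty candidate list is the point at which a terminal would apply its fallback rules rather than process a chip transaction.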
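The offline-use limit described under Business Use and the below-$20 case under Reduces Processing Costs, as an added Python sketch (not part of the original report) of a terminal's floor-limit and consecutive-offline checks replayed against one card's transaction counter. The limits of 3 and 5 are assumed sample values, and the offline-only rule is a simplified stand-in for EMV's action-code analysis.

```python
FLOOR_EXCEEDED, LOWER_EXCEEDED, UPPER_EXCEEDED = 0x80, 0x40, 0x20   # TVR byte 4 bits

def assess(amount, atc, last_online_atc, floor=2000, lower=3, upper=5, can_go_online=True):
    """Return (TVR byte 4, decision) for one purchase; amounts are in cents."""
    tvr4 = 0
    if amount >= floor:                       # the report's example: below $20 may stay offline
        tvr4 |= FLOOR_EXCEEDED
    offline_run = atc - last_online_atc       # transactions since the issuer last saw the card
    if offline_run > lower:
        tvr4 |= LOWER_EXCEEDED
    if offline_run > upper:
        tvr4 |= UPPER_EXCEEDED
    if tvr4 == 0:
        return tvr4, "approve offline"
    if can_go_online:
        return tvr4, "go online"
    # Assumed rule with no issuer link: tolerate the lower limit, never the floor or upper limit.
    if tvr4 == LOWER_EXCEEDED:
        return tvr4, "approve offline"
    return tvr4, "decline offline"

def simulate(purchases, atc=0, last_online_atc=0):
    """Replay (amount, can_go_online) purchases against one card's counters."""
    decisions = []
    for amount, can_go_online in purchases:
        atc += 1                              # the card increments its counter per transaction
        tvr4, decision = assess(amount, atc, last_online_atc, can_go_online=can_go_online)
        if decision == "go online":
            last_online_atc = atc             # the issuer has now checked the card
        decisions.append((atc, f"{tvr4:02X}", decision))
    return decisions

if __name__ == "__main__":
    # Constructed sequence: seven $5 purchases at a terminal that cannot reach the issuer.
    for row in simulate([(500, False)] * 7):
        print(row)
```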

Selection Guidelines

There are several decisions to make before implementing EMV. Before deciding which technologies to employ, companies must first look at what the business objectives are for EMV. Answering some of the following questions will aid in this process:

- Will credit/debit only be used or multiple applications?
- How much memory should be introduced on the card for future applications, and when will cards be reissued?
- How much customization (for example, post-issuance PIN activation)?
- Does the issuer wish to keep loyalty applications stored in electrically erasable programmable read-only memory (EEPROM) to be activated during the post-issuance life of the card?
- Can applications be dynamically downloaded after issuance?
- Will cardholder verification methods such as offline or online verification be needed?
- What are the local requirements for EMV migration?
- How much has been allocated for card costs?
- Does the issuer want to personalize cards itself or use a personalization service bureau?

An issuer who is considering moving to smart cards within an EMV chip application (M/Chip or Visa Smart Credit Debit) should be aware of the technology and the processes used to load and personalize the EMV smart cards it wishes to issue. For example, the process of personalizing an EMV smart card is not as simple as taking magnetic stripe data and writing it to a chip. EMV requires a lot of new data to be created, and this data ranges from secret keys to static or dynamic risk parameters.

The processes and technology should provide a common approach to EMV loading and personalization. Processes should also support common personalization across different types of card platforms and chip types. Finally, the process should be able to centrally store and manage the EMV chip applications for a specific platform as well as the objects required for the loading and personalization of smart cards (keys, certificates, risk parameters).
Knowledge Required for EMV Rollout

- Detailed knowledge of the scheme being implemented, types of card platforms being issued, applications to be supported such as MasterCard or Visa credit/debit and whatever other applications might be included on the cards if multiapplication smart cards are used.
- The ability to interface standard platforms and software systems with legacy applications and servers and systems.
- Tools and toolkits to aid in the development of new applications and services.
- Network expertise: the ability to manage a new smart card issuance network (wide-area and local-area networks, secure firewalls and new smart card systems).
- Project management expertise and understanding of smart card implementation, planning and support.

Security

When producing an EMV credit/debit chip card, there is a need for the generation of a great deal of new data and keys compared to that required for magnetic stripe cards. The data-generation system should be able to interface with the relevant back-end systems or data files to process and format personalization data prior to it being loaded onto a card. The data used in the personalization of smart cards is a complex series of elements, both cryptographic and clear text, that must be generated, assembled and formatted in a way that can be understood by a smart card chip and its associated applications. Both initial card issuance and post-issuance personalization will require data generation and preparation capability. Three main stages of personalization include establishing cryptographic keys, file processing and key management.

Technology Leaders

Below is a sampling of some of the providers of EMV-enabling products:

- Banksys S.A.
- De La Rue Card Systems
- Diebold Inc.
- Fujitsu Ltd.
- Gemplus
- Giesecke & Devrient
- Hypercom
- Ingenico Fortronic
- Keycorp
- Matsushita Industrial Equipment
- NCR Financial Solutions
- NTT Data Corp
- Oberthur
- Omron Corporation
- Proton
- SchlumbergerSema
- SCM Microsystems
- Verifone

Insight

EMV is an early standard that presents a good framework for terminal and chip interoperability. The standard is designed mostly for magnetic stripe and chip cards to coexist and provides a migration strategy for moving to chip cards. There are other associated expenses, however, such as upgrading terminals to accept chip cards. This will take several years to implement.