By Vladimir Collak
On October 1st, the United States will become the last G20 country to transition to EMV. Known for its "chip cards", this technology specification, named after Europay, MasterCard and Visa, was built to significantly curb credit card fraud. Instead of relying on decades-old magnetic stripe cards, EMV uses smart chips that are supposed to be much more difficult to counterfeit. This article addresses the implications of this technology for merchants, covers some of its technical details, and explores its potential benefits and pitfalls.
To start, let me address EMV adoption thus far. To date, the highest acceptance of this technology is in Western and Central Europe, where over 96% of credit card transactions are processed using EMV. Not far behind are Canada and Latin America with 85% adoption, followed by Africa and the Middle East with adoption rates of 80%. Other parts of the world only use it for 27-58% of transactions, and the United States is far behind with only about 0.12%. However, that is about to change, since all major payment networks, including Visa, MasterCard, Discover and American Express, are taking aggressive measures to make sure the technology is rolled out and adopted.
Specifically, on October 1st they are shifting liability for counterfeit card fraud to whichever party has yet to adopt EMV. For example, if the issuer (a bank, for instance) provides its customers with an EMV card (aka a chipped card) but the merchant does not upgrade its payment terminals, the merchant is liable for a counterfeit transaction. On the other hand, if the merchant upgrades its terminals but the issuer does not issue chipped cards, the issuer is liable. This only applies to in-store transactions; ATM and fuel dispenser transactions are exempt until October 2017. The liability shift also does not apply to "card not present" transactions such as online purchases, nor to fraud committed with a lost or stolen card. It may seem that the payment networks are strong-arming everyone, but considering that almost half of the world's credit card fraud happens in the United States even though it accounts for only a quarter of all credit card transactions, such an aggressive push is perhaps understandable. Despite these liability shifts, according to Forrester Research, EMV will not see broad adoption in the United States until 2020.
To understand EMV, one should first consider how the "old" magstripe technology works. The magnetic stripe on the back of a card carries several pieces of data encoded on up to three tracks. Track 1 contains the cardholder's name, the card number and the expiration date; Track 2 repeats the number and expiration date in a more compact form. Both also carry a service code and "discretionary data", which is where the CVV (Card Verification Value, called CVC1 by MasterCard) lives. This is the stripe's own verification value, not the three-digit code printed on the card; it lets the issuer detect stripe data fabricated from a card number and expiry date alone. When a consumer swipes his or her card, the reader extracts this data and sends it for validation to the issuer's system (such as a bank). The request is actually not sent directly to the issuer but is often passed through several systems, including the merchant's point-of-sale system (and often their back office), merchant acquirer systems such as First Data or Heartland (and sometimes their third-party processors), and payment networks such as Visa or MasterCard.
However, there are several security flaws in this design. First, sensitive data, including the card number (aka the PAN), is stored on the card in clear text, and nothing on the stripe is secret or tied to a particular transaction, so a copy of the stripe data is as good as the card itself. Anyone with rudimentary tools and very little knowledge can extract this data from a card. Also, merchants often store PANs on their POS and back-office systems unencrypted, which could enable hackers to steal them as well. Further, transactions are sometimes transmitted unencrypted (in clear text) over the Internet and are potentially vulnerable to interception. Because of these various flaws, it is possible for criminals to steal consumers' card data and either use it to create cloned cards or simply use it online. In a fuel retail environment, thieves could for instance get access to a fuel dispenser's internal electronics (by simply opening the dispenser with a common key), insert a skimming device and record the data as cards are swiped.
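As an added example (my own code, not the article's), here is a Go program that parses the Track 1 and Track 2 layouts described above and then scans a buffer, standing in for unencrypted POS memory or a captured request, for Luhn-valid card data; this is the same heuristic that memory-scraping malware and data-loss-prevention scanners apply. The swipe strings and the bytes around them are constructed for the example and use the well-known Visa and Mastercard test numbers; the ISO/IEC 7813 field layout is the real one, but the type, function names and the masking helper are mine.

```go
package main

import (
	"fmt"
	"regexp"
)

// TrackData holds the fields recoverable from ISO/IEC 7813 Track 1 or Track 2 data, as it sits on
// the stripe and, after a swipe, in the memory of whatever read it.
type TrackData struct {
	Track   int    // 1 or 2
	PAN     string // primary account number
	Name    string // cardholder name, SURNAME/FIRST (Track 1 only)
	Expiry  string // YYMM
	Service string // three-digit service code
	Extra   string // discretionary data; on a real card this is where CVV1/CVC1 and the PIN verification value live
}

// Track 1:  %B<PAN>^<NAME>^<YYMM><SVC><discretionary>?     Track 2:  ;<PAN>=<YYMM><SVC><discretionary>?
var (
	track1Re = regexp.MustCompile(`%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?`)
	track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})(\d*)\?`)
)

// Luhn reports whether a digit string passes the ISO/IEC 7812 check-digit test. Skimmer malware
// applies the same test to drop false positives before exfiltrating.
func Luhn(pan string) bool {
	if pan == "" {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN applies the PCI DSS display rule: at most the first six and last four digits stay visible.
func MaskPAN(pan string) string {
	if len(pan) < 11 {
		return pan
	}
	masked := []byte(pan)
	for i := 6; i < len(pan)-4; i++ {
		masked[i] = '*'
	}
	return string(masked)
}

// FindTracks scans an arbitrary buffer (a POS process memory dump, an unencrypted capture, a log file)
// for anything shaped like track data whose PAN is Luhn-valid. Track 1 hits are listed before Track 2 hits.
func FindTracks(buf []byte) []TrackData {
	var found []TrackData
	for _, m := range track1Re.FindAllSubmatch(buf, -1) {
		if pan := string(m[1]); Luhn(pan) {
			found = append(found, TrackData{Track: 1, PAN: pan, Name: string(m[2]), Expiry: string(m[3]),
				Service: string(m[4]), Extra: string(m[5])})
		}
	}
	for _, m := range track2Re.FindAllSubmatch(buf, -1) {
		if pan := string(m[1]); Luhn(pan) {
			found = append(found, TrackData{Track: 2, PAN: pan, Expiry: string(m[2]), Service: string(m[3]), Extra: string(m[4])})
		}
	}
	return found
}

// SampleBuffer is constructed for this example: two swipes and a third with a bad check digit, mixed
// with unrelated bytes the way they would appear in a POS process's memory.
var SampleBuffer = []byte("\x00\x00MSR:%B4111111111111111^DOE/JOHN^25121011234567890?\x00\x00" +
	"junk;5555555555554444=25121010000000000?\x00;4111111111111112=25121010000000000?\x00")

func main() {
	for _, t := range FindTracks(SampleBuffer) {
		fmt.Printf("track %d  PAN %s  name %q  exp %s  svc %s\n", t.Track, MaskPAN(t.PAN), t.Name, t.Expiry, t.Service)
	}
}
```

Run it with `go run` and the third swipe is silently dropped because its PAN fails the Luhn test; everything else, including the discretionary data that carries the stripe's verification value, is recovered from a handful of bytes, which is exactly why a RAM scraper on a POS needs no understanding of the payment application it sits beside.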
In addition to a magnetic stripe, the current generation of EMV cards comes with a chip. The chip is actually a microcontroller, which not only stores data but also executes logic, like a computer would. When a card is inserted into a chip reader (terminal), it essentially runs a program that performs certain actions while communicating with the reader. For "online" transactions (those immediately validated by the issuer), the chip first generates a cryptogram called the ARQC (Authorization Request Cryptogram). Although it is often loosely described as a digital signature, the ARQC is a message authentication code: a MAC computed with a secret key that is unique to the card, derived by the issuer from its master key and the card number, and shared only by the chip and the issuer. It covers the transaction details (amount, date, currency, the card's transaction counter and a random "unpredictable number" chosen by the terminal), so it proves that the chip holding the key took part in this specific transaction and that the data were not altered in transit; a card copied from stripe data has no key to compute it with, and a captured cryptogram cannot be replayed for a different transaction. The cryptogram is then sent to the issuer along with this data. When the issuer has verified the ARQC, it responds with a cryptogram of its own, the ARPC (Authorization Response Cryptogram), computed over the ARQC and the issuer's response code, which the chip in turn verifies before completing the transaction. This exchange typically occurs for merchants who are "connected" to issuers and are "online."
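The online exchange just described, as an added example rather than anything from the article: a Go program that plays both card and issuer, deriving the card's key from an issuer master key (EMV Book 2 key derivation Option A), a per-transaction session key from the transaction counter (the EMV Common Session Key method), the ARQC as an ISO/IEC 9797-1 Retail MAC over the CDOL1 data, and the ARPC (EMV method 1) that the card then checks. The issuer master key, PAN, transaction values and the particular CDOL1 field order are constructed for the example and the function names are mine; a real master key lives in the issuer's HSM, the real CDOL1 list is read from the card, and the Triple-DES variant is shown here rather than the newer AES profiles.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// des3 encrypts one block with two-key Triple-DES; EMV application-cryptogram keys are 16 bytes (K1||K2).
func des3(key16, in []byte) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out
}
func xor8(a, b []byte) []byte {
	out := make([]byte, 8)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}
// DeriveUDK: EMV Book 2 Annex A1.4.1 Option A. Y = rightmost 16 digits of PAN||PSN as BCD,
// UDK = 3DES_IMK(Y) || 3DES_IMK(Y xor FF..FF). DES parity adjustment is omitted (it does not change the cipher).
func DeriveUDK(imk []byte, pan, psn string) []byte {
	d := "0000000000000000" + pan + psn
	y, _ := hex.DecodeString(d[len(d)-16:])
	return append(des3(imk, y), des3(imk, xor8(y, bytes.Repeat([]byte{0xFF}, 8)))...)
}
// DeriveSessionKey: EMV Common Session Key derivation (Book 2 Annex A1.3), SK = 3DES_UDK(ATC||F0||00*5) ||
// 3DES_UDK(ATC||0F||00*5). Every counter value gives a fresh key, so a captured cryptogram is useless later.
func DeriveSessionKey(udk []byte, atc uint16) []byte {
	f := []byte{byte(atc >> 8), byte(atc), 0xF0, 0, 0, 0, 0, 0}
	skl := des3(udk, f)
	f[2] = 0x0F
	return append(skl, des3(udk, f)...)
}
// RetailMAC: ISO/IEC 9797-1 MAC Algorithm 3 with padding method 2 (0x80 then zeros to a block boundary),
// the MAC EMV uses for cryptograms: single-DES CBC under SK_L, then D(SK_R) and E(SK_L) on the last block.
func RetailMAC(sk16, data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80, 0, 0, 0, 0, 0, 0, 0)[:(len(data)+8)/8*8]
	kl, _ := des.NewCipher(sk16[:8])
	kr, _ := des.NewCipher(sk16[8:])
	h := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		kl.Encrypt(h, xor8(h, msg[i:i+8]))
	}
	kr.Decrypt(h, h)
	kl.Encrypt(h, h)
	return h
}
// Transaction carries the CDOL1 fields the card MACs; everything the terminal supplies is in here.
type Transaction struct {
	AmountCents       uint64  // 9F02 Amount, Authorised (n12)
	Country, Currency [2]byte // 9F1A Terminal Country Code, 5F2A Transaction Currency Code
	Date              [3]byte // 9A Transaction Date, YYMMDD
	UN                [4]byte // 9F37 Unpredictable Number, a per-transaction terminal nonce
	ATC               uint16  // 9F36 Application Transaction Counter, incremented by the card
}
// CDOL1Data serialises the fields in a typical CDOL1 order; fields not modelled here are constants.
func (t Transaction) CDOL1Data() []byte {
	b, _ := hex.DecodeString(fmt.Sprintf("%012d", t.AmountCents))
	b = append(b, 0, 0, 0, 0, 0, 0)                                                    // 9F03 Amount, Other
	b = append(b, t.Country[0], t.Country[1], 0, 0, 0, 0, 0)                           // 9F1A; 95 TVR all clear
	b = append(b, t.Currency[0], t.Currency[1], t.Date[0], t.Date[1], t.Date[2], 0x00) // 5F2A; 9A; 9C purchase
	b = append(b, t.UN[0], t.UN[1], t.UN[2], t.UN[3], 0x5C, 0x00)                      // 9F37; 82 AIP
	return append(b, byte(t.ATC>>8), byte(t.ATC), 0x03, 0x80, 0x00, 0x00)              // 9F36; CVR from 9F10
}
// GenerateARQC is the card side: derive this transaction's session key and MAC the CDOL1 data.
func GenerateARQC(udk []byte, tx Transaction) []byte {
	return RetailMAC(DeriveSessionKey(udk, tx.ATC), tx.CDOL1Data())
}
// IssuerAuthorize is the issuer side: re-derive the card key from the master key and PAN, recompute the
// MAC in constant time, and only then answer with ARPC = 3DES_SK(ARQC xor ARC||00..00) (ARPC method 1).
func IssuerAuthorize(imk []byte, pan, psn string, tx Transaction, arqc []byte, arc [2]byte) ([]byte, bool) {
	sk := DeriveSessionKey(DeriveUDK(imk, pan, psn), tx.ATC)
	if subtle.ConstantTimeCompare(RetailMAC(sk, tx.CDOL1Data()), arqc) != 1 {
		return nil, false
	}
	return des3(sk, xor8(arqc, []byte{arc[0], arc[1], 0, 0, 0, 0, 0, 0})), true
}
// VerifyARPC is the card checking that the approval came from the issuer that holds its key.
func VerifyARPC(udk []byte, tx Transaction, arqc, arpc []byte, arc [2]byte) bool {
	expect := des3(DeriveSessionKey(udk, tx.ATC), xor8(arqc, []byte{arc[0], arc[1], 0, 0, 0, 0, 0, 0}))
	return subtle.ConstantTimeCompare(expect, arpc) == 1
}
// Constructed values: a throwaway issuer master key (a real one never leaves an HSM) and the Visa test PAN.
var (
	IMK, _   = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	PAN, PSN = "4111111111111111", "00"
	SampleTx = Transaction{AmountCents: 1999, Country: [2]byte{0x08, 0x40}, Currency: [2]byte{0x08, 0x40},
		Date: [3]byte{0x15, 0x10, 0x01}, UN: [4]byte{0xDE, 0xAD, 0xBE, 0xEF}, ATC: 0x002A}
)
func main() {
	udk := DeriveUDK(IMK, PAN, PSN)     // personalised into the chip at issuance
	arqc := GenerateARQC(udk, SampleTx) // card -> terminal -> acquirer -> network -> issuer
	arpc, ok := IssuerAuthorize(IMK, PAN, PSN, SampleTx, arqc, [2]byte{'0', '0'})
	fmt.Printf("ARQC %X issuer ok=%v ARPC %X card ok=%v\n", arqc, ok, arpc, VerifyARPC(udk, SampleTx, arqc, arpc, [2]byte{'0', '0'}))
}
```

Two things to notice when playing with it: changing the amount after the card has produced the ARQC makes the issuer reject it, because the MAC covers the CDOL1 data, and incrementing the ATC produces an unrelated cryptogram, so the session key, not just the counter, is what defeats replay.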
As with magnetic stripe cards, the data actually passes through several entities, including merchant acquirers and payment networks. Where merchants are not online, cards are still validated, but the check takes place only between the card and the payment terminal (EMV calls this offline data authentication) and no issuer secret is involved. It relies on public-key certificates: each payment network runs a certificate authority whose public keys are loaded into every terminal; the network signs the issuer's public key, producing a certificate that is written to the card's chip, and the issuer in turn signs the card's static data and, for dynamic authentication, the card's own public key. The terminal walks this chain to satisfy itself that the card was personalised by a legitimate issuer. The check comes in a static form (SDA), in which the terminal merely verifies a signature over fixed card data, and dynamic forms (DDA and CDA), in which the chip must also sign a random number supplied by the terminal using a private key that never leaves it. Only the dynamic forms genuinely prevent cloning, since static signed data can be copied just like a magnetic stripe. Either way, unlike traditional magnetic cards, chip cards are actually checked for validity, which makes them much more difficult to clone: one cannot simply create a copy of a chipped card with ease and expect to use it for fraudulent purchases. Note that offline authentication never reaches the issuer, so it complements rather than replaces the online cryptogram exchange. In cases where cards are stolen, the usual signature verification still applies in the United States. In Europe, EMV uses chip-and-PIN, which means that instead of asking for a signature the terminal asks the user for a PIN.
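Offline authentication as an added example (my code, not the article's or any payment network's): a Go program that issues EMV-style certificates as ISO/IEC 9796-2 raw-RSA signatures with message recovery, has a terminal that holds only the CA public key walk the chain CA -> issuer -> ICC, and then runs the DDA challenge over a terminal-chosen unpredictable number. The certificate contents (a two-byte identifier plus the modulus, exponent fixed at 65537, a length prefix inside the recoverable block), the key sizes and the use of SHA-1 are simplifications and assumptions of this example; real EMV certificates carry expiry, index and hash-algorithm fields and may place part of the modulus outside the signed block.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
	"math/big"
)
// EMV certificates are not X.509 but ISO/IEC 9796-2 signatures with message recovery: raw RSA (no PKCS#1)
// over a block  6A || len || data || BB..BB || SHA-1(len||data||BB..BB) || BC  exactly as long as the
// signer's modulus, so the verifier recovers the certified data from the signature itself.
func sign9796(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	n := (key.N.BitLen() + 7) / 8
	if len(data) > n-sha1.Size-4 {
		return nil, errors.New("data does not fit in the recoverable block")
	}
	body := append([]byte{byte(len(data) >> 8), byte(len(data))}, data...)
	body = append(body, bytes.Repeat([]byte{0xBB}, n-sha1.Size-2-len(body))...)
	h := sha1.Sum(body)
	block := append(append(append([]byte{0x6A}, body...), h[:]...), 0xBC)
	return new(big.Int).Exp(new(big.Int).SetBytes(block), key.D, key.N).FillBytes(make([]byte, n)), nil
}
// recover9796 applies the public key, checks header, trailer, hash and length, and returns the data.
func recover9796(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	n := (pub.N.BitLen() + 7) / 8
	m := new(big.Int).Exp(new(big.Int).SetBytes(sig), big.NewInt(int64(pub.E)), pub.N)
	block := m.FillBytes(make([]byte, n))
	if block[0] != 0x6A || block[n-1] != 0xBC {
		return nil, errors.New("bad header/trailer: not produced by the matching private key")
	}
	body, h := block[1:n-sha1.Size-1], block[n-sha1.Size-1:n-1]
	l := int(body[0])<<8 | int(body[1])
	if sum := sha1.Sum(body); !bytes.Equal(sum[:], h) || 2+l > len(body) {
		return nil, errors.New("hash or length mismatch")
	}
	return body[2 : 2+l], nil
}
// IssueCert signs a two-byte subject identifier plus the subject's modulus (exponent fixed at 65537 here).
func IssueCert(signer *rsa.PrivateKey, subjectID [2]byte, subject *rsa.PublicKey) ([]byte, error) {
	return sign9796(signer, append(subjectID[:], subject.N.Bytes()...))
}
// VerifyCert recovers the subject's public key, or fails if signer did not issue the certificate.
func VerifyCert(signer *rsa.PublicKey, cert []byte) (*rsa.PublicKey, error) {
	data, err := recover9796(signer, cert)
	if err != nil || len(data) < 3 {
		return nil, fmt.Errorf("certificate rejected: %v", err)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(data[2:]), E: 65537}, nil
}
// Card is what personalisation leaves on the chip: copyable certificates and a private key that never leaves it.
type Card struct {
	IssuerCert, ICCCert []byte
	ICCPriv             *rsa.PrivateKey
	ATC                 uint16
}
// SignDynamic is the DDA INTERNAL AUTHENTICATE step: sign the card's counter together with the terminal's nonce.
func (c *Card) SignDynamic(un [4]byte) ([]byte, error) {
	c.ATC++
	return sign9796(c.ICCPriv, append([]byte{byte(c.ATC >> 8), byte(c.ATC)}, un[:]...))
}
// TerminalDDA is the offline check: CA key -> issuer certificate -> ICC certificate -> signature over our nonce.
func TerminalDDA(caPub *rsa.PublicKey, issuerCert, iccCert []byte, un [4]byte, sig []byte) error {
	pub, err := caPub, error(nil)
	for _, cert := range [][]byte{issuerCert, iccCert} { // CA certifies the issuer key, issuer certifies the ICC key
		if pub, err = VerifyCert(pub, cert); err != nil {
			return err
		}
	}
	data, err := recover9796(pub, sig)
	if err != nil {
		return fmt.Errorf("dynamic signature: %w", err)
	}
	if len(data) != 6 || !bytes.Equal(data[2:], un[:]) {
		return errors.New("signature does not cover this terminal's unpredictable number (replay?)")
	}
	return nil
}
// Personalise stands in for the scheme CA, the issuer and the card manufacturer. Key sizes are illustrative
// but ordered so each certified modulus fits in its signer's block.
func Personalise() (*rsa.PublicKey, *Card, error) {
	ca, e1 := rsa.GenerateKey(rand.Reader, 2048)
	issuer, e2 := rsa.GenerateKey(rand.Reader, 1536)
	icc, e3 := rsa.GenerateKey(rand.Reader, 1024)
	if err := errors.Join(e1, e2, e3); err != nil {
		return nil, nil, err
	}
	issuerCert, e1 := IssueCert(ca, [2]byte{0x12, 0x34}, &issuer.PublicKey)
	iccCert, e2 := IssueCert(issuer, [2]byte{0x00, 0x01}, &icc.PublicKey)
	return &ca.PublicKey, &Card{IssuerCert: issuerCert, ICCCert: iccCert, ICCPriv: icc}, errors.Join(e1, e2)
}
func main() {
	caPub, card, _ := Personalise()
	un := [4]byte{0x11, 0x22, 0x33, 0x44} // terminal-chosen nonce for this transaction
	sig, _ := card.SignDynamic(un)
	fmt.Println("genuine card:", TerminalDDA(caPub, card.IssuerCert, card.ICCCert, un, sig))
}
```

The design point is in the `Card` type: a skimmer can copy both certificates byte for byte, but without the ICC private key it cannot answer a fresh nonce, and replaying an old answer fails the final comparison; a purely static scheme, which only has the certificate part of this program, would pass a copy.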