Sunday, September 18, 2016

EMV

Traditionally, a debit or credit card contains magnetic stripes that hold data necessary for performing a transaction. But, the system had a number of security flaws. Many a times those cards used to get compromised or forged. And, to address that concern, EMV is developed.

What is EMV actually? How is it different from using debit or credit cards containing magnetic stripes only? And, how does it enhance security?

Let’s understand that in more details.





What is EMV


EMV is a global technology standard that deals with processing of credit and debit card payments using a card that contains a smart chip, instead of magnetic stripes.

The word ‘EMV’ stands for Europay, MasterCard and Visa – the three companies that originally created the standard. The standard is now managed by EMVCo with its six member organizations – American Express, Discover, JCB, MasterCard, UnionPay and Visa.


EMV cards use a smart chip instead of magnetic stripes to hold data that is required to process a transaction. The smart chip is basically a microprocessor that can run applications to perform authentication and hold encrypted data. It can also generate a unique code for each transaction which cannot be used for more than one transaction and thus prevent fraud.


Why EMV


Until the introduction of EMV cards, credit or debit cards used to use magnetic stripes to verify a transaction. Magnetic stripes in a card would typically contain data like card number, expiry date etc and a signature from the cardholder used to be used to verify the authenticity of the cardholder.

Customers would typically give the card to a clerk in the POS, who would swipe it through a magnetic reader. Information stored in the magnetic stripes of the card would get accessed which would verify the account details. Then the cardholder would sign a printed slip to verify its authenticity.


But, this system had a numb er of security flaws. Criminals can read and write magnetic stripes with technology available in the black market. Magnetic stripe cards can easily be cloned and used without the user’s knowledge. Moreover, signature on the card also can be forged. And, to address all these security flaws, EMV is used.


How does EMV work



A payment transaction using EMV typically follows the following steps:


  • After a crad is read by an appropriate device terminal, an application is selected using which the payment is processed. Application Identifier for an application typically consists of a registered application provider identifier, which is issued by a registered authority and a proprietary application identifier extension which differentiates the different applications offered by the application provider.


  • The terminal then send some commands to the card asking for a list of functions to perform in processing the transaction. The card also provides a list of files and records that the terminal needs to read from the card in order to obtain data necessary for the transaction. This list of files contain the EMV data.


  • Next, it is checked whether the card can be used. Information like application version number, application usage control that specifies whether the card is for domestic use only etc and application expiration dates are checked. Based on these information, the transaction can be declined later.


  • Next, the card is validated using public key cryptography. There can be three types of authentication for this purpose:

    Static Data Authentication or SDA – It ensures the data read from the card is signed by the card issuer, which can prevent fraudulent modification of data. However, it cannot prevent cloning.

    Dynamic Data Authentication or DDA – It can protect against modification of data and cloning.

    Combined DDA/Application Cryptogram Generation or CDA – It combines DDA with the generation of a card’s application cryptogram to assure card validity.



  • Next, it is checked whether the person holding the card is the legitimate cardholder. This can be done in a number of ways:

    - using Signature of the cardholder
    - using a PIN
    - using PIN as well as signature

    The terminal reads data from the card to determine the type of verification it needs to perform.



  • Next, terminal risk management is performed to determine whether a transaction should be authorized on-line or offline. If the transactions ate always carried out online or always offline, this step cam be skipped.



  • Next, it is checked whether a transaction should be approved offline, sent online for authorization or declined offline.


  • Next, appropriate data along with the transaction amount is sent to the card to make a decision on whether to approve or decline the transaction.



  • The card generates a digital signature of the transaction. This provides a strong cryptographic check that the card is genuine.


  • The card issuer then sends a response code indicating acceptance or declination of the transaction. It can optionally send a issuer script also. An issuer script is basically a set of commands sent by the issuer to the card and it can be used to block cards or change card parameters. The issue scripts are encrypted and hence, cannot be read by the terminal.



Acceptance of EMV


EMV has been implemented in more than 80 countries worldwide. As of 2015, 40% of US consumers have EMV cards and roughly 25% of merchants are EMV compliant. American Express, Discover, Maestro, MasterCard and Visa have implemented their liability shift for POS terminals. And, by 2017 the liability shift will be implemented at various places like pump, gas stations and ATMs.


So, let’s not debate on whether EMV can make card payments completely secure, but this technology no doubt can prevent frauds up to a great extent. So, be aware of various technology and stay safe, stay secured.