The EMV 101 series provides go-to resources for those who are interested in learning more about EMV payment technology and EMV migration in the U.S. This fifth entry in the series outlines the security standards of EMV and examines the three distinct aspects of an EMV transaction.
The adoption of EMV (chip) card standards has proven to be a worthy fraud deterrent around the world, especially when combined with a PIN requirement for card-present transactions. After promoting the “I (heart) PIN” campaign in 2004, the UK saw an immediate reduction in card fraud losses. The primary reason for this drop is the increased amount of security that is now part of each transaction.
There are three distinct aspects of an EMV transaction which protect separate parts of that transaction: card authentication, cardholder verification, and transaction authorization.
Card authentication ensures that the card is not counterfeit. It can be performed online or offline, and it is complemented by cardholder verification and transaction amount authorization. The EMV chip is a microprocessor capable of making per-transaction decisions based on the issuer’s risk profiles. Online authentication transactions carry unique data for each transaction, which is sent to the card issuer’s authorization system to verify the authenticity of the card. Offline authentication uses chip-stored risk-assessment logic to determine authenticity. Cardholder verification requires the card user to provide a signature or a valid PIN (Personal Identification Number), though in some cases (e.g. contactless transactions) no verification is required, especially for small transaction amounts. Lastly, transaction amount authorization ensures that a purchase does not exceed the cardholder’s credit limit and is within other specified limits.
Cardholder verification ensures that the card user is the legitimate cardholder. This verification process can take several forms. Non-chip verification is becoming increasingly less common as EMV chip cards become the global standard. Chip-and-signature cards are EMV enabled but require only a signature for cardholder verification. The highest level of secure verification currently available to cardholders is the chip-and-PIN option: EMV chip cards that require a personal identification number for each transaction.
Transaction authorization (the transaction verification step) is the process by which each transaction is approved or declined. In the current U.S. system, merchants are the primary targets for fraud. Magnetic stripe data stored in merchant POS devices, networks, and central services is extremely valuable to those engaging in fraudulent activity. But EMV data is different: EMV chip card transactions carry a unique cryptogram for each transaction, making any stored information virtually useless to anyone who gains access to the transaction data. Additionally, encoding chip data onto another card is very complex and requires highly specialized equipment, making attempts to produce counterfeit cards impractical.
With the significant number of data breaches, there has been an increased amount of attention paid to data at rest. This is the stored payment information that resides in POS and merchant transaction networks. EMV will certainly help make this data more secure, but there are additional efforts to remove any usable data from these systems altogether. Tokenization is a technology that has been around for some time, but it has received a lot of attention since Apple announced it as a core technical component of Apple Pay.
Tokenization is a process in which a payment card’s primary account number (PAN) is replaced with a surrogate “token.” The real PAN is stored in a token vault by the token service provider (TSP). When a transaction is attempted, the token is sent to the TSP, which translates it for the payment acquiring system and authorizes the payment credential, allowing the transaction to be completed. By using tokenization, the merchant never has access to the “real” PAN, making any information stored in its systems useless to hackers or fraudsters.
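The flow described above, as an added example that is not part of the original article and not any real token service provider's code: a TSP holds the only token-to-PAN mapping, the merchant stores and submits tokens only, and a check shows that a dump of the merchant's records contains no PAN. The in-memory vault, the constructed "999999" token prefix and the 16-digit Luhn-valid token format are assumptions chosen so the token fits where a PAN would.

```python
import secrets

# Simplified model of payment tokenization (added illustration, not the
# EMVCo or any TSP's actual implementation). The vault is an in-memory dict;
# the token format (16 digits, constructed "999999" prefix, Luhn check digit)
# is an assumption made for the demo.


def luhn_valid(number):
    # Standard Luhn mod-10 check, as used for card numbers.
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial):
    # Exactly one digit makes partial + digit Luhn-valid.
    return next(d for d in "0123456789" if luhn_valid(partial + d))


class TokenServiceProvider:
    """Holds the only mapping from token to real PAN."""

    TOKEN_PREFIX = "999999"  # constructed demo prefix, not an allocated token BIN

    def __init__(self):
        self.vault = {}  # token -> PAN; never leaves the TSP

    def tokenize(self, pan):
        while True:
            body = self.TOKEN_PREFIX + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self.vault and token != pan:
                self.vault[token] = pan
                return token

    def detokenize(self, token):
        # Only the TSP can do this; unknown tokens map to None.
        return self.vault.get(token)

    def authorize(self, token, amount_cents):
        pan = self.detokenize(token)
        if pan is None:
            return "DECLINED: unknown token"
        # Here the real PAN would be forwarded to the acquiring/issuer systems;
        # the merchant only ever sees the token.
        return f"APPROVED for PAN ending {pan[-4:]}, {amount_cents} cents"


class Merchant:
    """Merchant systems store tokens, never the PAN."""

    def __init__(self, tsp):
        self.tsp = tsp
        self.stored_records = []

    def checkout(self, token, amount_cents):
        self.stored_records.append({"token": token, "amount_cents": amount_cents})
        return self.tsp.authorize(token, amount_cents)


def pan_in_merchant_data(merchant, pan):
    # Defender's question: would a dump of the merchant's stored records
    # expose the real PAN?
    return any(pan in str(rec) for rec in merchant.stored_records)


def demo():
    pan = "4000000000000002"  # constructed test PAN
    tsp = TokenServiceProvider()
    merchant = Merchant(tsp)
    token = tsp.tokenize(pan)           # issued once, e.g. at card enrolment
    result = merchant.checkout(token, 2599)
    return token, result, pan_in_merchant_data(merchant, pan)


if __name__ == "__main__":
    print(demo())
```

The point to notice is the asymmetry: `Merchant.checkout` can complete a sale with nothing but the token, yet `TokenServiceProvider.detokenize` is the only path back to the PAN, so the vault is the asset that needs the strongest controls.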
A critical part of the transaction is when data is in use. Data in use is the data that occupies a computer’s RAM at any given time, and data in motion is data being sent from one point in a payment to another. Both of these states of data usage can be protected with encryption. Encryption does not prevent information from being stolen, but an intercepted message is very difficult to decode without the key. EMV provides security for this data by adding a unique cryptogram to each transaction in addition to providing encryption for the data transmission. If this data were intercepted, it could not be reused for another transaction. Every transaction is unique and has no value after the transaction is complete.
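The claim made in the transaction authorization paragraph and again here, that a captured EMV transaction cannot be reused because each one carries a unique cryptogram, as an added illustration that is not part of the original article and not the EMV specification's algorithm: a real card derives a session key from an issuer master key and computes a 3DES or AES MAC over a defined list of data elements, whereas this model uses an HMAC-SHA256 over a constructed record. The shared demo key, the record layout, the counter check and the static-track comparison are all assumptions made for the example.

```python
import hashlib
import hmac

# Simplified model of an online transaction cryptogram (added illustration,
# not the EMV specification). An HMAC-SHA256 over a constructed record stands
# in for the card's MAC.

# Constructed demo key shared by the card and the issuer host (assumption).
CARD_KEY = b"constructed-demo-card-key-not-real"


def transaction_record(pan, atc, amount_cents, unpredictable_number):
    # The card's application transaction counter (ATC) and the terminal's
    # unpredictable number make each record, and so each cryptogram, unique.
    # The field layout is constructed for the demo.
    return f"{pan}|{atc:05d}|{amount_cents}|{unpredictable_number:08x}".encode()


def card_cryptogram(card_key, pan, atc, amount_cents, unpredictable_number):
    # What the chip would hand to the terminal for an online authorization.
    record = transaction_record(pan, atc, amount_cents, unpredictable_number)
    return hmac.new(card_key, record, hashlib.sha256).digest()[:8].hex()


class IssuerHost:
    """Issuer-side check: recompute the cryptogram over the presented data and
    require a strictly increasing counter, so a captured cryptogram is rejected
    whether it is replayed unchanged or attached to altered data."""

    def __init__(self, card_key):
        self.card_key = card_key
        self.last_atc = {}  # PAN -> highest ATC accepted so far

    def authorize(self, pan, atc, amount_cents, unpredictable_number, cryptogram):
        expected = card_cryptogram(self.card_key, pan, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: cryptogram mismatch"
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINED: replayed or out-of-order counter"
        self.last_atc[pan] = atc
        return "APPROVED"


def magstripe_authorize(stored_track, presented_track):
    # Contrast: magnetic stripe data is static, so a faithful copy is
    # indistinguishable from the original and is accepted every time.
    return "APPROVED" if presented_track == stored_track else "DECLINED"


def demo():
    pan = "4000000000000002"  # constructed test PAN
    issuer = IssuerHost(CARD_KEY)
    atc, amount = 17, 1999
    un = 0x1A2B3C4D  # fixed here for a repeatable demo; a terminal picks it at random
    crypt = card_cryptogram(CARD_KEY, pan, atc, amount, un)

    first = issuer.authorize(pan, atc, amount, un, crypt)        # genuine transaction
    replay = issuer.authorize(pan, atc, amount, un, crypt)       # same data presented again
    altered = issuer.authorize(pan, atc + 1, 99999, un, crypt)   # captured cryptogram, new data

    track = "4000000000000002=25121011234567890"  # constructed static track-style data
    stripe_copy = magstripe_authorize(track, track)
    return first, replay, altered, stripe_copy


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Run as a script it prints one approval followed by two declines for the chip model and an approval for the copied static data, which is the whole difference the paragraph is describing: the chip's record has no value once its counter has been consumed, while stripe data is as good the second time as the first.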
EMV security standards protect a cardholder at every stage of the card use cycle. Based on the experience of other countries, the U.S. will see a decline in fraud as it adopts the EMV payment standard as a key element of its payment infrastructure. Adding layers to the current card ecosystem will decrease fraud losses in the U.S. and ultimately protect card issuers and consumers alike. But as with any technology transition, it is critically important for issuers and merchants to do their part to promote and educate consumers about the additional protection provided by this technology. It is also important to continue to push for the use of the full EMV standard, which means requiring a PIN with every transaction. The next big battle will be leveraging this technology to take on card-not-present fraud, but let’s get through the migration to EMV first.