April 2010 – EMV® is a global standard for credit and debit payment cards based on chip card technology. As of Q1 2008, there were more than 730 million EMV-compliant payment cards in use worldwide.
Payment chip cards contain an embedded microprocessor, a type of small computer that provides strong security features and other capabilities not possible with traditional magnetic stripe cards.
The gold square on the front of the card is known as the card’s contact. A microprocessor chip is embedded in a small cavity directly behind the gold contact plate, protected by a thin resin capsule. When inserted into a card acceptance device, the contact allows the chip to connect to a reader. This connection enables the chip to get power from and exchange data with the terminal. This is called contact chip card technology.
Another type of chip card technology used for payment is called contactless. It works by holding the contactless chip card within a couple of inches of a contactless-capable reader. The reader energizes the chip embedded in the card and allows exchange of data via radio frequency without the card ever leaving the cardholder’s possession. Research has shown that a contactless transaction is approximately 53 percent faster than a traditional magnetic stripe credit card transaction and 63 percent faster than using cash. EMVCo has created specifications that define the communications protocol between contactless cards and merchant payment terminals, and the method for selecting the contactless application to use.
Advantages of EMV Contact and Contactless Payment Cards
• More secure against credit card fraud than cards that rely only on data encoded in a magnetic stripe on the back of the card
• A transaction-unique digital seal or signature in the chip proves its authenticity in an offline environment and prevents criminals from using fraudulent payment cards
• Can be used to secure online payment transactions and protect cardholders, merchants and issuers against fraud through a transaction-unique online cryptogram
• Supports enhanced cardholder verification methods
• Stores considerably more information than magnetic stripe cards
EMV Standard and EMVCo
The EMV standards are a series of specifications and testing procedures for EMV chip payment cards and card accepting devices, such as point of sale (POS) terminals and ATMs. A primary goal of the EMV standards, and EMVCo as an organisation, is to help facilitate the global interoperability and compatibility of chip-based payment cards and payment terminals. This role extends to new forms of payment as well, including contactless payment and mobile payment.
Thanks to the EMV standards, chip card issuers have a uniform standard to help them ensure that the payment cards they give their cardholders will work in EMV compliant acceptance infrastructures anywhere in the world. Merchants and banks can invest in chip card acceptance infrastructures knowing EMV compliant cards have been developed based on uniform standards. Cardholders can feel more confident knowing the security advantages of EMV will help protect them against the risk of fraud anywhere EMV is implemented.
The EMV standard encompasses specifications, test procedures and compliance processes managed by EMVCo, LLC, an organisation jointly owned and operated by American Express, JCB, MasterCard and Visa.
The EMV Specifications are based on the ISO 7816 standard and define the physical, electrical, data and application levels between chip cards and chip card-processing devices for financial payment transactions. Through payment systems representatives, EMVCo promotes and complements the ongoing standardization efforts by vigorously contributing to the ISO standards drafting process in order to guarantee continued compatibility between the ISO standards and the EMV Specifications.
Chip card platforms can also allow for other applications beyond debit or credit card functionality, but these are beyond the current scope of EMV.
Smart Card Security
Many banks and other major payment transaction organisations throughout the world recognize the advantages of chip cards over magnetic stripe cards. The microprocessor embedded in a chip payment card contains the information needed to use the card for payment and a multitude of protection features, making it significantly more secure than a traditional magnetic stripe card.
Magnetic stripe cards can be susceptible to fraud through skimming, where a card is swiped through a magnetic stripe reader to record the information needed to use the card for payment. The cardholder gets the card back and is unaware of the risk of fraud. The data stolen from the card can be written to another magnetic stripe card, effectively creating a duplicate that can be swiped to make a fraudulent purchase at an unsuspecting merchant.
Correctly employed, EMV chip card payment provides security benefits in the following areas:
• With online authorization, a dynamic cryptogram protects against the use of skimmed data and stolen account data
• Card usage restrictions such as international use prohibitions are systematically enforced
• With offline authorization, a PIN capability protects against lost and stolen card fraud
• With offline authorization, data authentication protects against counterfeit cards
• Limits on offline activity protects against credit overruns and fraud
Chip cards offer opportunities for multiple applications on a single card with maximum levels of security.
History and Today
The EMV name comes from Europay, MasterCard and Visa, the companies that in 1994 initiated development of the EMV Specifications. Europay International SA became part of MasterCard in 2002. JCB joined EMVCo in 2004, and American Express in 2009.
At the time, many banks recognized the benefits of chip-based payment but also realized that international standards for such payment were needed to help foster global interoperability. The EMV Specifications were created to fill that void.
The first version of the EMV Specifications was published in 1996, as version 3.1.1. The most recent version, EMV 4.2, was published in June 2008.
Today EMVCo manages, maintains and enhances the EMV Integrated Circuit Card Specifications to help facilitate global interoperability and compatibility of payment system integrated circuit cards and acceptance devices. EMVCo maintains and extends specifications, provides testing methodology and oversees the testing and approval process.
EMV chip-based payment card systems are now utilized in numerous countries around the world.
Thales and EMV
Thales provide products for EMV solution such as :
1) Thales’s P3™
Personalization Preparation Process – makes it easy to create and issue EMV smart cards without sacrificing control.
• Generate and manage your cryptographic data in-house, right out of the box
• Fully scalable
• Uses a robust, highly secure hardware cryptographic module
Developed in conjunction with MasterCard and Visa, the world’s best-selling EMV data preparation solution gives you everything you need to generate and manage your cryptographic data in-house, right out of the box.
Two P3 solutions are available, each supporting a full range of contact and contactless chip applications from all the global card associations. Both support a range of smart card platforms, including MULTOS, GlobalPlatform, TIBC, and proprietary systems.
2) Thales’s host security module (HSM)
HSM 8000 technology has already been adopted by every major card scheme and is currently protecting 70 percent of the world’s card transactions.
Easy to customise and capable of delivering unrivalled protection for ATM, POS, corporate banking, card issuing, funds transfer, and share trading technology, the HSM 8000 is a tamper-resistant device that provides the powerful cryptographic facilities that are needed to secure financial transactions.
Fully compliant with the financial industry’s security audit requirements and incorporating a design certified to FIPS 140-2 Level 3, the HSM 8000 product range is ideal for acquirers, switches, and issuers for the processing of magnetic stripe and chip card transactions (EMV).
Reference: www.emvco.com, iss.thalesgroup.com