EMV

EMV transactions can be authorized online or offline. For an online authorization, transaction information is sent to the issuer, along with a transaction-specific cryptogram, and the issuer either authorizes or declines the transaction in real time.

In an offline EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized. Offline transactions are used when terminals do not have online connectivity (e.g., at a ticket kiosk) or in countries where telecommunications costs are high.

Chip cards can be configured to allow both online and offline authorization, depending on the circumstances. Due to improvements in telecommunications infrastructure worldwide, most EMV transactions are now authorized online.

Cardholder verification authenticates the cardholder. EMV supports four CVMs:

Online PIN, where the PIN is encrypted and verified online by the card issuer

Offline PIN, where the PIN is verified offline by the EMV chip card

Signature verification, where the cardholder signature on the receipt is compared to the signature on the back of the card

No CVM, where none is used (typically for low value transactions or for transactions at unattended POS locations

Depending on payment network rules and issuer preference, chip cards are personalized with one or more CVMs in order to be accepted in as wide a variety of locations as possible. Different terminal types support different CVMs. For example, attended POS devices, in addition to supporting signature, may support online or offline PINs (or both), while some unattended card-activated terminals may support “no CVM.”

First, the EMV chip card includes a secure microprocessor chip that can store information securely and perform cryptographic processing during a payment transaction. Chip cards carry security credentials that are encoded by the card issuer at personalization. These credentials, or keys, are stored securely in the EMV card’s chip and are impervious to access by unauthorized parties. These credentials therefore help to prevent card skimming and card cloning, one of the common ways magnetic stripe cards are compromised and used for fraudulent activity.

Second, in an EMV chip transaction, the card is authenticated as being genuine, the cardholder is verified, and the transaction includes dynamic data and is authorized online or offline, according to issuer-determined risk parameters. As described above, each of these transaction security features helps to prevent fraudulent transactions.

Third, even if fraudsters are able to steal account data from chip transactions, this data cannot be used to create a fraudulent transaction in an EMV chip or magnetic stripe environment, since every EMV transaction carries dynamic data.

EMV secures the payment transaction with enhanced functionality in three areas:

Card authentication, protecting against counterfeit cards. The card is authenticated during the payment transaction, protecting against counterfeit cards. Transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.

Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards. Cardholder verification ensures that the person attempting to make the transaction is the person to whom the card belongs. EMV supports four cardholder verification methods (CVM): offline PIN, online PIN, signature, or no CVM. The issuer prioritizes CVMs based on the associated risk of the transaction (for example, no CVM is used for unattended devices where transaction amounts are typically quite low).

Transaction authorization, using issuer-defined rules to authorize transactions. The transaction is authorized either online and offline. For an online authorization, transactions proceed as they do today in the U.S. with magnetic stripe cards. The transaction information is sent to the issuer, along with a transaction-specific cryptogram, and the issuer either authorizes or declines the transaction. In an offline EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized. Offline transactions are used when terminals do not have online connectivity (e.g., at a ticket kiosk) or in countries where telecommunications costs are high.

EMV cards store payment information in a secure chip rather than on a magnetic stripe and the personalization of EMV cards is done using issuer-specific keys. Unlike a magnetic stripe card, it is virtually impossible to create a counterfeit EMV card that can be used to conduct an EMV payment transaction successfully.

The biggest benefit of EMV is the reduction in card-present card fraud resulting from counterfeit, lost and stolen cards. EMV also provides interoperability with the global payments infrastructure – consumers with EMV chip payment cards can use their card on any EMV-compatible payment terminal. EMV technology also supports enhanced cardholder verification methods.

That small, metallic square on your card is a computer chip. The magnetic stripes on traditional credit and debit cards store contain unchanging data. Whoever accesses that data gains the sensitive card and cardholder information necessary to make purchases. That makes unchipped cards prime targets for counterfeiters, who convert stolen card data to cash. Unlike magnetic-stripe cards, every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again.