Security Corner

Jan 29 2015   1:36AM GMT

EMV is coming to America

Ken Harthun Ken Harthun Profile: Ken Harthun

Tags:
Authentication
Credit Card Fraud
Credit cards
EMV
Security
Smart Cards

emv_card_300wOn October 1, 2015, the liability for fraudulent, in-person payments will begin to shift to the merchant. If an EMV card is used in a transaction at a business that does not accept chip and pin payments the merchant can be liable for the transaction.

What is EMV, you ask?

Named for Europay, MasterCard,® and Visa,® EMV is a new US card payment technology with a chip designed to enhance security and decrease fraud. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.

This is a big step toward making it nearly impossible for criminals to clone cards and will reduce the fraud from lost or stolen cards through the cardholder verification method (CVM). According to Wikipedia:

Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. There are many cardholder verification methods (CVMs) supported in EMV. They are:

  • Signature
  • Offline plaintext PIN
  • Offline enciphered PIN
  • Offline plaintext PIN and signature
  • Offline enciphered PIN and signature
  • Online PIN
  • No CVM required
  • Fail CVM processing.

The terminal uses a CVM list read from the card to determine the type of verification to be performed. The CVM list establishes a priority of CVMs to be used relative to the capabilities of the terminal.

You’ve probably heard the term “chip and PIN” bandied about in conversations about this technology. These are cards that require the cardholder to enter a four- to six-digit Personal Identification Number when making a purchase at terminals that have such capability. The chips in these cards have PIN listed as a priority for CVM and usually also specify a fallback to signature if the terminal isn’t equipped for PIN use.

One of the interesting aspects of these “smart cards” is that the issuer can send commands to them. The commands can be used to update cards, change PINs, block cards, etc.

It’s a fascinating technology and we’ll be hearing more about it as it passes into general use. Probably the best source of information about the EMV standard and its implementation is the Smart Card Alliance site. You might want to check out their white paper, Technologies for Payment Fraud Prevention: EMV, Encryption and Tokenization.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: