EMV 101 & Myths of EMV

Itai Sela
Vice President, B2 Payment Solutions

The EMV Universe


EMV™ 101 – What is EMV?

• Name of the standards developed by Europay, MasterCard and Visa in 1993
• Currently owned by Visa, MasterCard, JCB and Amex
• Designed originally for “card present” contact chip card payment acceptance
• Basis for chip migration by payment schemes in markets around the world

EMV™ is a trademark owned by EMVCo LLC


EMV 101

• EMVCo manages, maintains and enhances the EMV Specifications to ensure global interoperability and acceptance of chip cards
• It is also responsible for a type approval process for terminal compliance testing (EMV Level 1 and 2)
    • Level 1 – Terminal hardware components
    • Level 2 – EMV Kernel – Software (EMV Commands)
• Scheme Certification (Visa, MasterCard, Amex etc.)
    • Level 3 – Payment application level


EMV 101

• EMV was designed to be a comprehensive toolbox that enables protection against:
    • Counterfeit and skimming - through the use of cryptography
        • Offline card authentication
        • Online card authentication
    • Lost or Stolen - through the use of offline PIN and/or online PIN
    • Consumer delinquency through the use of offline risk management
• Secure offline transaction processing capability
• Over the years evolved to support “card not present” as well (CAP and DPA*)

* CAP – Card Authentication Program (MasterCard), DPA – Dynamic Passcode Authentication (Visa)


EMV 101

• There are 3 main steps to an EMV transaction:
    • Card Authentication – Card is genuine
        • Offline
        • Online
    • Cardholder Verification – Card presented by its rightful owner
        • Offline PIN (Plaintext/Encrypted)
        • Online PIN
        • Signature
    • Amount Authorization
        • Offline – using the Issuer counters and limits within the chip
        • Online – using the Issuer host


EMV 101

EMV Toolbox

[Table: Security Method (Offline and Online: SDA, DDA\CDA, Offline PIN, ARQC/ARPC, ATC Variance, Offline or Online PIN) against Type of Fraud (Counterfeit Card, Skimming, Lost and Stolen, Replay); check marks not preserved]


Myth #1: EMV = Old Technology

• EMV was developed in 1993 which makes it almost 20 years old
• Why should a market implement a technology that is this old? Would we consider it obsolete?
• Maybe we should create a new technology to secure transactions moving forward


Reality #1: EMV ≠ Old Technology

• Modern cryptography is over 35 years old but we still use it
• EMV security relies on cryptographic functions – these evolve together with the evolution of cryptography
• In the early years of EMV the challenges were with the implementations. Now, with over 15 years of experience, fewer issues occur
• There are over 1 Billion EMV Cards issued in the world


Myth #2: EMV = Chip & PIN

• Chip & PIN was the marketing brand used for the UK implementation of EMV
• PIN is one of the core EMV security features
• PIN only protects against lost and stolen fraud


Reality #2: EMV ≠ Chip & PIN

• There are EMV cards in the world today that don’t support PIN (Issuer, Brand and/or Market choice)
• It is up to the Issuer to decide if and when it is worth the investment to enable offline PIN, as it requires an expensive infrastructure
• Canada 2010 – credit card lost and stolen accounted for only 10% of card fraud*
• Once EMV is implemented there is no additional impact for the merchant to implement offline PIN at POS

EMV = Chip & Choice

* http://www.rcmp-grc.gc.ca/


Myth #3: PCI vs. EMV

• There are two ways to look at cryptography based security:
    • Privacy/Secrecy (Encryption)
    • Authenticity (Digital Signature)
• EMV is based on Authenticity
• PCI is based on Privacy
• EMV Cryptograms ≠ Encryption
• EMV data is not Encrypted
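
An added example (not from the original slides) of what "cryptogram ≠ encryption" means in practice, together with the ATC replay check listed in the EMV Toolbox slide: the issuer recomputes a MAC over data that travels in the clear. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key, PAN, field layout and class names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real card holds a key derived from the issuer's master key.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def cryptogram(key: bytes, amount: int, un: bytes, atc: int) -> bytes:
    """Card side: MAC over transaction data (HMAC-SHA256 stand-in, cut to 8 bytes)."""
    data = amount.to_bytes(6, "big") + un + atc.to_bytes(2, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class IssuerHost:
    """Issuer side: recompute the cryptogram and track the highest ATC per card."""

    def __init__(self, keys: dict):
        self.keys = keys        # PAN -> card key
        self.last_atc = {}      # PAN -> highest ATC accepted so far

    def authorize(self, msg: dict) -> str:
        key = self.keys.get(msg["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = cryptogram(key, msg["amount"], msg["un"], msg["atc"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if msg["atc"] <= self.last_atc.get(msg["pan"], -1):
            return "DECLINE: ATC replay"
        self.last_atc[msg["pan"]] = msg["atc"]
        return "APPROVE"

def demo() -> dict:
    pan = "4000000000000002"            # constructed test PAN
    issuer = IssuerHost({pan: CARD_KEY})
    un = bytes.fromhex("a1b2c3d4")      # terminal's unpredictable number
    # Every field except the cryptogram is readable: nothing here is encrypted.
    genuine = {"pan": pan, "amount": 2500, "un": un, "atc": 7,
               "cryptogram": cryptogram(CARD_KEY, 2500, un, 7)}
    results = {"genuine": issuer.authorize(genuine)}
    # Captured message sent again: the cryptogram verifies, the ATC is stale.
    results["replay"] = issuer.authorize(dict(genuine))
    # Captured fields reused with a new amount and ATC, without the card key.
    results["forged"] = issuer.authorize(dict(genuine, amount=99999, atc=8))
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Because the PAN and amount are readable in every message, the authenticity check does nothing to keep card data secret, which is the gap PCI covers.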


Reality #3: PCI & EMV

• To protect the “Card Not Present” environment, card data must be kept secret in the “Card Present” environment
• PCI will continue to complement EMV as long as there isn’t a more widely adopted solution for “Card Not Present”
• PCI and EMV should be implemented together – Visa will waive PCI audits for the merchant if 75% of the transactions are EMV


Myth #4: EMV Certification is enough

[Table: rows Visa, MasterCard, Amex; columns Interop, Functional, Purchase, Refund, Other Trans, Scripts, Performance, Destructive; cell marks not preserved]


Reality #4: EMV Certification is NOT enough

• No performance testing – crucial with EMV
• Not enough negative or exception testing
• Customer specific testing not included
• Consult with your acquirer to receive the full EMV test requirements


• Canadian Company located in the Greater Toronto Area
• We provide world class knowledge and training, POS development, products and services for EMV, Contactless, NFC, banking, e-commerce and card payments
• B2 is the exclusive distributor for the Collis Payment Products in Canada and the USA


Thank you

For more information, visit:
www.b2ps.com
www.collisamerica.com
www.emv-usa.com
www.actcda.com
