Our Blog

US pins its card security on EMV compliance

EMV compliance across the globe has made the easy-to-counterfeit mag stripe system in the US a common target for criminals.

The EU has seen an 80% reduction in credit card fraud since migrating to EMV in 2005 while the U.S. has witnessed a 47% increase.

EMV compliance

In an effort to improve payment card security in the US EMVco – the body that sets the global standards for payment cards – has set the date of October 1, 2015, for US merchants to start accepting EMV chip cards.

Merchants will now have to update their POS terminal card readers so as to comply with this mandate. A merchant’s carrot for compliance is to avoid any fraud liability. Without an EMV-compliant POS terminal fraud liability will switch to the merchant. This means that fraud costs normally picked up by the card issuing bank will become the non-compliant merchant’s responsibility.

In reality it will take years before all the POS terminals in the US are EMV-enabled.

However, the mandate from EMV also includes banks that don’t issue the new EMV cards.

There is an exception for gas station merchants who accept cards via automated fuel dispensers, they have until October 1, 2017, to be compliant.

By the end of 2015, the Aite Group estimates 70% of U.S. credit cards and 41% of debit cards will be converted. That equates to about 650 million payment cards.

By 2017 it is estimated that 98% of payment cards in the US will be EMV chip-enabled.

What does Aviso’s EMV Wrapper do?

Aviso’s EMV Wrapper product achieves EMV migration without wholesale change to a customer’s infrastructure. Crucially, it is cost-effective, quick and simple.

Our EMV Wrapper surrounds the existing payment system and handles the complexity of EMV.

This great product provides EMV compliance without changes to existing applications, significantly reducing our customers’ migration risk. It can sit anywhere in the payment stream to manage EMV compliance for our customers be they merchants, issuers and/or acquirers.

Some merchants may even revert back to cash-only payments if they feel the migration costs are too high. This is where Aviso’s EMV Wrapper comes into its own.

So, how does the EMV card payment system work?

A customer inserts their EMV chip card into an EMV chip-enabled POS device, where it remains for the duration of the transaction. The card and the terminal can actually authenticate each other.

The chip card generates a request cryptogram – this is encrypted data which will allow the issuer to verify that the transaction came from a valid card.

The request that is formatted by the POS device contains this cryptogram as well as other EMV-specific information.

The request is passed to the acquirer and then to the issuer. All stages of the transaction must be capable of reading the EMV message request.

The issuer validates the request cryptogram and may, in turn, generate a response cryptogram that will be sent back to the card in the POS terminal.

The issuer will make its standard authorisation decision and check EMV data. The issuer may also format a command to the response message if they want to change certain data in the card while it is in the field.

The response back to the card will contain new EMV-specific data and possibly a command in addition to the normal response message data.

The response is sent to the acquirer and then to the terminal. At this point the terminal and the card again exchange messages. If the issuer sent a response then the card will attempt to validate it to ensure that the response came from the correct issuer. The card may also execute a command from the issuer if one was sent.

EMV compliance: how secure are EMV chip cards?

Traditional magnetic stripes contain ‘static’ data, such as the PAN and other information; which can be stolen by criminals, often through ‘skimming’. EMV chip cards offer an added layer of security that makes it much harder for criminals to skim cards. The embedded chip allows the card to communicate with the payment terminal so that each can validate the other.

EMV cards use dynamic authentication, so the data changes with every transaction, thus any captured information is effectively useless to criminals. EMV does not solve all fraud problems, data can still be hacked and card details can be used to commit Card Not Present fraud, however, it is a major benefit in reducing card present fraud.

Contact us

For more information on our EMV Wrapper just contact us at info@aviso.io or follow us on Twitter.

Related posts