EMV & Chip Card Technology: FAQ for Merchants
What is EMV?
EMV stands for EuroPay, MasterCard®, Visa®, the three entities that worked together to create worldwide standards for the chip card to ensure global interoperability. EMV is a payment method that combines a plastic card with an integrated circuit chip (ICC). An EMV card uses the ICC to hold the account number and other sensitive data instead of using a magnetic stripe. The chip also contains logic for transaction processing and risk management.
EMV adoption in the rest of the world has been a gradual process that has taken anywhere from years to decades. The U.S. will need to modify many of its payment processes to fit into the EMV model. EMV chip cards generate a one-time code with every transaction, making it nearly impossible for counterfeiters to duplicate them and use them for in-store fraud. A great source of information on EMV, including historic information and recent announcements, is the EMVCo website.
What are the features of the chip?
The chip stores information, performs processing, contains secure elements which store secret information, and performs cryptographic functions.
Chip cards help prevent in-store fraud and are nearly impossible to counterfeit. In 2015, prior to the EMV liability shift, the U.S. accounted for approximately half of the global card fraud while only representing a quarter of the transaction volume. As of the end of 2016, over half of the cards issued in the U.S. contained a chip. EMV also supports enhanced verification methods such as online and offline PIN.
What changes with EMV for a merchant?
Many different parts of the payment process change when moving from a magnetic stripe transaction to an EMV transaction:
1. The process flow of a transaction changes due to the use of dynamic authentication of the card.
2. To achieve the dynamic authentication, an EMV capable terminal requires an EMV reader. Merchants may also choose to support contactless transactions when updating to an EMV reader.
3. In order to complete a standard EMV transaction, the card will have to stay in the chip reader throughout the transaction. However, all of the global brands have released specifications for implementing faster EMV processing which allows the card to be removed prior to the completion of the transaction.
4. With the addition of dynamic authentication there are new message requirements including Data Element 55 (ISO 8583), which carries the EMV tag data.
When will chip cards start to show up at US merchants?
Now! In addition to the millions of cards being issued in the U.S., there are over 4 billion EMV cards in the world today. While most EMV cards still have a mag-stripe on the back of the card, if a merchant is not able to process transactions using the chip, they may be liable for any counterfeit fraud occurring from those transactions.
Will cards still be issued with mag stripes and will merchants’ existing equipment still work after the liability shift?
Cards will still be issued with mag stripe for the foreseeable future, but for how long is hard to state with certainty. As an example, EMV is over eight years into its implementation in Canada and banks are still issuing cards with mag stripes. We are confident that the card brands and issuers will give the merchant community sufficient notice if they choose to stop issuing cards with mag-stripe capabilities.
What is the transaction flow of a standard EMV transaction?
The following is an overview of the EMV transaction flow:
- Application Selection
- The card and the terminal decide which applications stored on the chip will be used when processing the transaction.
- After all applications are identified the terminal reads all data related to the selected application.
- If the card and terminal support Offline Data Authentication, they work together to validate the authenticity of the card.
- Checks are performed to confirm the chip is allowed to do the transaction requested.
- Cardholder verification is determined based on the card and the terminal. The verification may be offline PIN, online PIN, signature or no CVM.
- The terminal performs several checks (such as floor limit) to determine whether there is a requirement for online processing.
- The terminal will then request to go online or it will request an offline approval.
- The card will decide if it will approve the transaction offline or go online.
- If the chip requests to go online, the terminal builds an online request for authorization and online card authentication; the transaction request is then forwarded to the selected payment authorizer.
- The transaction is completed and any issuer scripting back to the card occurs.
Will customers with magnetic stripe cards be able to use EMV terminals?
Yes, the EMV terminals certified by Vantiv will also have a magnetic stripe card reader.
Can an EMV card be used in a magnetic stripe terminal?
Yes, for the foreseeable future, credit and debit cards will be issued with a chip on the front of the card and the familiar magnetic stripe on the back of the card so that chip cards can be backwards compatible with existing non-EMV capable devices. However, merchants may be liable for any counterfeit fraud if they don’t support chip transactions.
Do EMV transactions take longer to process than magnetic stripe transactions?
EMV transaction times are highly dependent on how the issuer has personalized the card and how the merchant configures the terminal. If the card or the terminal has not been configured in an efficient manner, transaction times can increase significantly (several seconds). If the card and terminal are properly “tuned” the actual transaction time will increase by only a few seconds. However, the overall time in lane can increase due to the additional interaction the cardholder has with the transaction.
What are issuer scripts and how will they affect my transaction processing?
Issuer scripts are small files sent from the issuer to the card as part of the authorization response message. These scripts can update certain parameters and values on the card such as the offline PIN or offline counters. They will not affect transaction processing and merchants are not allowed to implement means to prevent them from being sent to the card.
Since the customer has to leave their card in the terminal during the transaction, what can be done to reduce the number of cards forgotten in the terminal?
Vantiv recommends that merchants do not print the customer’s receipt until after the card has been removed from the card reader and/or program the terminal to produce an audible beep when the card should be removed. Also, implementing faster EMV processing (known as Quick Chip and M/Chip Fast) can greatly reduce the amount of time the card is in the reader.
What is a dual-interface card?
A dual-interface card is one that supports both contact (via the chip plate on the front of the card) and contactless transaction processing (via an embedded antenna and transmitter).
If the chip cannot be read, how would the terminal determine if the user attempted to insert the card prior to swiping versus swiping to start with?
The terminal manages the transaction session and will associate the swipe as part of the same session as the insert. The terminal stays on the same transaction until completed or cancelled by user or merchant.
Can an EMV transaction run over a dial-up connection?
While it is possible to run an EMV transaction over a dial-up connection, it is not recommended. The transaction time will increase significantly using dial-up and merchants may even experience time-outs depending on the terminal’s time-out settings.
What happens when consumers have EMV cards, but there’s a resistance to use them? For example, if a consumer has a chip card but insists on swiping the card instead.
As the majority of U.S. cardholders now have at least one chip card in their wallet and many retailers now support EMV, this should be less of an issue than it was a few years ago. EMV terminals can accept both a swipe and a dip. However, if an EMV card is swiped on an EMV terminal, the system will reject the swipe and force the consumer to insert the chip. The swipe capability is meant for those consumers who do not have a chip card. Conversely, if the terminal is not EMV capable (i.e. not set up to accept a dip), then the EMV card may be swiped. In addition, manual entry is available as a backup method on most solutions.
When do I need to be EMV compliant?
While there was no specific mandate from the card brands for merchants to be EMV compliant, merchants needed to be EMV certified (or using pre-certified devices) by October 2015 in order to avoid any impact from the counterfeit fraud liability shift.
What EMV changes are there to the Vantiv authorization and clearing message specifications?
EMV requires additional data elements to be included in the authorization message. The majority of the EMV relevant data is contained in Field 55 of the ISO 8583 message specification (Note: The field name containing the EMV data may vary among different message specs, but “Field 55” is the commonly used term in the industry). There are new values for the POS Entry Mode and Additional POS Data fields. The clearing message will contain new data elements, but the authorization message is the source of this data. The Vantiv message format specifications have been updated to include the requirements of all the networks. Merchants will need to populate the data elements created between the card and the terminal into the message format. Then, they’ll need to pass the entire message to Vantiv and Vantiv will parse out the data to networks.
What is “offline” processing?
There are a few different offline processes that are possible with EMV: offline CAM (card authentication method), offline PIN and offline approval. In offline CAM, the card provides a digital signature that the terminal can verify using public key cryptography to determine if the card is genuine. This is considered offline since the terminal determines the card’s validity without going online to the issuer.
Offline PIN is a cardholder verification method (CVM). Similar to online PIN, it is used to verify the cardholder is a legitimate user of the card. In offline PIN, the card uses a PIN stored in secure memory on the chip to compare to the PIN entered by the cardholder. The PIN may be sent in plain text or encrypted.
In offline approval, the card and the terminal run through a series of risk management steps to determine whether to approve the transaction, decline the transaction or send the transaction online for decisioning. It is anticipated that the majority of implementations in the U.S. will initially not support offline PIN or offline approval and will always go online for PIN verification and approval.
What is “fallback”?
There are two types of fallback: technical fallback and CVM (cardholder verification method) fallback (or PIN bypass). Technical fallback occurs when there is an issue with the card or the terminal that prevents the two from successfully communicating. If the terminal cannot read the chip, the transaction can “fallback” to a magnetic stripe or key-entered transaction. Depending on how the terminal is configured, multiple attempts to read the chip may be required before fallback is allowed. CVM fallback occurs when the cardholder cancels out of entering their PIN (PIN bypass) in favor of a signature transaction. Whether or not this is allowed depends on the configuration of the card and terminal.
What happens to the terminal verification results during technical fallback?
Technical fallback is based on the terminal and card not being able to communicate. If the terminal cannot read the chip, the terminal will "allow" the card to be swiped. In this case, there would be no TVR since there was no interaction between the chip and the terminal to create the TVR.
Does EMV impact reauthorization?
Reauthorization occurs after the card is no longer in the terminal and the transactions are processed as they are today as key-entered transactions.
Does EMV impact full matching?
Full matching is the process whereby a settlement record is compared to its corresponding authorization request and any missing data in the settlement record is populated from data in the authorization request where available. Full matching will not be supported for EMV transactions.
Does EMV impact least cost routing (BIN matching)?
Transaction routing will still be based on the BIN (or an extended BIN). The debit solution framework released by the EMF allows merchants to continue to enjoy the benefits of least cost routing. However, in order to use the AID of the global brand (the brand on the front of the card), the alternate debit network(s) on the card must sign a licensing agreement with that global brand. At this time, all of the regional debit networks have such licensing agreements in place with the relevant global networks.
Does the adoption of EMV eliminate the need for end-to-end encryption and tokenization?
No. To provide the most secure payment experience for you and your customers, it is important to evaluate a layered approach to payments security. EMV is a fraud-reducing technology that can help protect your business and your customers from financial loss if a criminal uses a counterfeit, lost or stolen payment card at your point of sale. Encryption and tokenization provide card data security during a transaction. Encryption protects the data at the POS and throughout the entire transaction process, while tokenization replaces the personal account number (PAN) with a surrogate value that is used during the transaction.
Are tokenization and point-to-point encryption (P2PE) options with EMV?
Yes, Vantiv supports EMV with P2PE and OmniToken secure tokenization.
How does EMV affect interchange?
At this point, EMV has no impact on the interchange qualification of a transaction.
How does EMV impact my card-not-present business?
Card-not-present transactions are currently not in the scope of EMV. Since there is no card-terminal interaction, no cryptogram is created (a cryptogram is a coded alphanumeric value that is the result of data elements entered into an algorithm and then encrypted, commonly used to validate data integrity). However, the industry is exploring options for using EMV features in online/CNP environments.
How does EMV work with tablet-based POS systems?
A wired or wireless PIN pad (WPP) that will accept an EMV card and NFC (Near field communication) for wireless will be connected to the tablet. The purchase amount would be transmitted to the PIN pad, which would, in turn, prompt for card insertion/PIN and communicate the transaction to the Vantiv front end or the merchant’s host depending on how the system is configured.
Does EMV require a PIN be entered on credit as well as debit transactions?
Whether or not PIN is on credit is up to the issuer. Visa has stated that they feel EMV with signature is sufficient, but MasterCard has shown support for PIN. The risk of not supporting PIN is that the merchant could still have chargeback liability if the card supports PIN, but the terminal only supports signature. There is no PIN requirement with the U.S. implementation of the chip, and the issuer will determine if the card will support PIN. Vantiv supports both PIN and signature.
MasterCard, American Express and Discover’s liability shifts are based on the highest security level, which means the liability for lost/stolen fraud will shift if the card supports PIN but the terminal only supports signature.
How does EMV impact PCI requirements?
Merchants are still required to maintain on-going PCI compliance, but may be eligible for a waiver of the annual PCI validation process.
What merchants are eligible for the PCI validation waiver?
MasterCard’s program is open to PCI DSS Level 1 & 2 merchants. Visa, Discover and American Express do not call out specific levels, but the annual validation is only required of Level 1 & 2 merchants. In addition, 75% of the merchant’s transactions must be processed through EMV-enabled terminals. However, this does not mean that 75% of the transactions must be EMV transactions. The transactions, whether EMV or magnetic stripe, just have to process through EMV-enabled terminals. The terminals must also support both contact and contactless transactions.
Are any EMV-specific fields in the scope of PCI?
Tag 57 contains the Track 2 equivalent data, but should not be sent in the transaction message.
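The following added example, which is not Vantiv's code and is not taken from any message specification, parses a Field 55 payload as a flat list of BER-TLV objects and removes Tag 57 before the message is built. The function names, the sample bytes and the test PAN are constructed for illustration, and the flat-list layout is an assumption.

```python
# Added example: scrub Tag 57 (Track 2 Equivalent Data) from a Field 55 payload.
# Assumes Field 55 is a flat list of BER-TLV objects, with no nested templates.

FORBIDDEN_TAGS = {"57"}  # the tag this FAQ says should not be sent


def parse_tlv(data: bytes):
    """Return [(tag_hex, value_bytes), ...] or raise ValueError if malformed."""
    items, i = [], 0
    while i < len(data):
        if data[i] == 0x00:                 # 00 padding between objects
            i += 1
            continue
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:      # multi-byte tag number follows
            while True:
                if i >= len(data):
                    raise ValueError("truncated tag")
                i += 1
                if not data[i - 1] & 0x80:  # bit 8 clear marks the last tag byte
                    break
        tag = data[start:i].hex().upper()
        if i >= len(data):
            raise ValueError(f"tag {tag}: missing length")
        length = data[i]
        i += 1
        if length & 0x80:                   # long form: low 7 bits count length bytes
            n = length & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError(f"tag {tag}: bad length encoding")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError(f"tag {tag}: value overruns the field")
        items.append((tag, data[i:i + length]))
        i += length
    return items


def encode_tlv(items) -> bytes:
    """Re-encode (tag_hex, value) pairs using the shortest BER length form."""
    out = bytearray()
    for tag, value in items:
        out += bytes.fromhex(tag)
        if len(value) < 0x80:
            out.append(len(value))
        else:
            raw = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
            out += bytes([0x80 | len(raw)]) + raw
        out += value
    return bytes(out)


def scrub_field55(data: bytes):
    """Return (payload without forbidden tags, list of tags removed)."""
    items = parse_tlv(data)
    removed = [t for t, _ in items if t in FORBIDDEN_TAGS]
    kept = [(t, v) for t, v in items if t not in FORBIDDEN_TAGS]
    return encode_tlv(kept), removed


# Constructed sample payload; the PAN inside tag 57 is a well-known test number.
SAMPLE_FIELD55 = bytes.fromhex(
    "9F2608" "1122334455667788"                    # Application Cryptogram
    "9F2701" "80"                                  # Cryptogram Information Data
    "9F3602" "0042"                                # Application Transaction Counter
    "9505" "0000008000"                            # Terminal Verification Results
    "5710" "4111111111111111D301220100000000"      # Track 2 Equivalent Data
    "9F3704" "A1B2C3D4"                            # Unpredictable Number
)

if __name__ == "__main__":
    clean, removed = scrub_field55(SAMPLE_FIELD55)
    print("removed:", removed, "| remaining:", [t for t, _ in parse_tlv(clean)])
```

A malformed payload raises ValueError instead of being forwarded partially parsed, so the caller can reject the transaction message rather than send data it could not inspect.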
Is there a new PCI SAQ version for merchants with EMV-compliant terminals?
At this time, there is no unique SAQ for EMV. However, EMVCo has engaged with the PCI Council to identify areas of collaboration.
How are devices in an integrated environment supported for EMV?
Integrated devices will require the merchant to complete an EMV terminal certification with Vantiv. The merchant will continue to manage the download of applications and updates as they do today. Vantiv worked with the card brands on a streamlined certification program to make the process more manageable for the merchants and their software partners.
How will existing devices be updated to support EMV?
If the terminal is EMV-capable (i.e. it already has an EMV card reader), it can be downloaded with an EMV application once the application is certified. If the terminal is EMV compatible (i.e. it doesn’t have a chip card reader, but can accept an EMV application), the merchant will need a peripheral card reader and download.
Will the magnetic-stripe reader be removed from EMV terminals?
No, for the foreseeable future, mag-stripe reader will continue to be a feature on EMV terminals. This will allow EMV terminals to process transactions from the large base of magnetic stripe cards in the market and support fallback (terminal can’t read the chip) transactions.
What keys are needed for EMV and how are they managed?
EMV uses public key infrastructure for offline data authentication and offline enciphered PIN. Unlike PIN keys, the EMV keys can be downloaded like a terminal parameter. The public keys in the terminal are used to facilitate secure communication with the EMV apps on the cards for offline processing. The terminal may verify that the card is valid using the certificate authority’s public keys.
The keys are owned and distributed by the card brands so a terminal that supports all four of the major networks would need keys from each one. These keys expire periodically and will need to be removed from the terminals when they do. The payment networks each have a set of keys that include keys of 1152 bits, 1408 bits and 1984 bits in length and the 1984-bit keys represent the maximum size that can be accommodated within the current EMV structure.
For the members of EMVCo, all expected key lengths have been published. If all keys are installed at the time of terminal deployment, it is expected that no further key installation will be required, which reduces the logistics of introducing the longer keys.
When do the keys expire?
EMVCo recommends certificate expiration dates. Networks have accepted these recommendations to date, but could choose their own dates if they so desired.
- 1152-bit keys have an expiry date of 31 December 2017
- 1408-bit keys have an expiry date of 31 December 2024
- 1984-bit keys are recommended to have an anticipated lifetime to at least 31 December 2026 (This date is only an “anticipated lifetime” since EMVCo does not project expiration dates beyond a ten-year horizon).
What terminals does Vantiv support for EMV?
- iCT220 Series
- iWL255 3G
- Ingenico iPP310 and iPP320 PIN Pads paired with an iCT2XX terminal
- Poynt Wi-Fi
- Vx520 Series
- Vx680 3G
- Vx805 and Vx820 PIN Pad paired with Vx520
The following devices are on the Vantiv roadmap for EMV support:
- Ingenico Tetra Series
- Verifone Carbon Series
- Verifone Engage Series
Are the mobile card readers that Vantiv deploys EMV-compliant?
Yes, ROAMPay/VMA currently supports EMV and SwipeSimple is on the roadmap to be supported.
What EMV certification test kit for merchants does Vantiv offer?
Vantiv offers the closed-loop VIABLE EMV certification tool kit for EMV terminal certifications.
If a merchant certifies a path and uses the exact same full path in other locations, does the merchant need to recertify the same path?
No, a merchant does not need to recertify if there have been no new changes to the path.
Is Vantiv going to specify which PIN pads/customer facing devices must be used for EMV?
Vantiv will pre-certify a number of devices for small to medium-sized business for countertop use, but will not dictate the device types larger merchants or merchants utilizing payments middleware will use to support EMV. The merchant’s ISV should provide them with a list of supported devices that can be used for EMV in conjunction with their POS path. This will need to be discussed between the ISV and the merchant.
Are there any technical requirements the device must meet in order to be considered eligible for certification with EMV?
Devices must have current EMVCo Level 1 and Level 2 Letters of Approval.
I am an existing merchant and am going to be certifying PIN debit; can I also certify EMV at the same time?
Yes, Vantiv will certify existing merchants for additional features/functionality in conjunction with EMV, but the project will be done in phases to ensure that the base code is working correctly.
How will the eMAF data be changed to include the EMV information?
The eMAF will be updated to include the following data elements:
- EMV-capable card
- EMV-capable terminal
- EMV transaction
- Offline authorized
In addition, two new POS Entry Mode values will be supported:
- 79 – Fallback from EMV to manual entry with voice authorization
- 80 – Fallback from EMV to mag-stripe
What EMV changes are there to iQ or Direct?
Transaction research pages have been updated to include additional fields/values that will identify:
- If the card used in the transaction was EMV-capable
- If the terminal used in the transaction was EMV-capable
- If the transaction processed as EMV
- If the transaction was processed “offline”
- If the transaction was processed as “fallback”
What infrastructure changes are needed to support the larger EMV message size?
Due to the increased size of the messages, Vantiv evaluated all aspects of our processing to make sure our systems could handle the increase in data. We looked at everything from the max messages buffer sizes to available disk space and made changes as needed. The exact changes Vantiv made would be specific to our systems and wouldn’t translate to any specific merchant’s system. Each merchant will need to evaluate their systems to determine the impact of the increased amount of data.
Will disputes processors be able to determine if a transaction was EMV or not?
Yes, using the screen changes in Direct, disputes processors will be able to determine if the transaction was processed as EMV, if the card was EMV-capable and if the terminal was EMV-capable. Additional updates to disputes-specific screens may also be made in the future, if needed.