What Is EMV and Why Do I Need It?
EMV is a new standard for credit-card payments that is meant to make credit transactions more secure throughout the globe.
The EMV standard can be used in traditional card transactions as well as “contactless” transactions, wherein a customer can tap a card or NFC processor against a terminal and wirelessly transmit its data.
EMV has already been implemented in most developed countries around the world. As one of the final major markets to make the move, businesses across the U.S. are now scrambling to initiate and finalize the transition before the October 1, 2015, deadline, which denotes a major shift in liability.
For a better understanding on how it works and how it benefits your business and its customers, read through this guide. To jump right in to the actual process, check out our step-by-step guide to EMV migration.
Where Does the EMV Name Come From?
“EMV” is an acronym for Europay, MasterCard and Visa, the three founding members of EMVCo, which is the group that administers the chip’s standard and deployment.
Is “EMV” Synonymous With “Smart Chip?”
While it’s tempting to make these terms interchangeable, the truth is that they are not. EMV payments can be made using an embedded chip or wirelessly through terminals that support “contactless” EMV payments.
For accuracy, it’s best to call the chip itself an “EMV chip.”
Okay, So What’s the Deal With EMV Chips?
In one word, security.
EMV chips have been used to substantially reduce counterfeit credit-card fraud in major markets over the past decade.
For example, the United Kingdom has been very successful at reducing credit-card fraud since its own EMV migration. Since introducing EMV-chipped cards into its market, face-to-face credit-card fraud has dropped a whopping 72%. A similar trend took place in Canada, where, between 2011 and 2013 (the years immediately following Canada’s migration to EMV-chipped cards), domestic counterfeit fraud dropped 42%.
So as EMV chips went into markets, counterfeiters made their way into unprotected markets, mainly the U.S. In 2013, global credit-card fraud totaled $14 billion, of which the U.S.’ portion was 51%. U.S. credit-card fraud also increased at a higher rate than the rest of the globe (29% compared with 11%, respectfully).
Most experts agree that counterfeiting operations moved to the U.S. because the less-secure, older magnetic-stripe interface is still king and just as exploitable as it was before EMV hit overseas markets.
Since the United States is the last major market where EMV chips are being introduced, the hope is that the EMV migration will cut U.S. credit-card fraud substantially.
What Makes EMV So Secure?
To understand what makes EMV transactions more secure than conventional magnetic-stripe transactions, it’s necessary to know what happens in each transaction.
In a normal magnetic-stripe transaction, a credit-card stripe is swiped through a terminal. That stripe typically includes a cardholder’s entire credit-card number, its “confirmation” code and other relevant pieces of information.
This information never changes and is transmitted to a number of parties in clear view of any party that eavesdrops on the transaction. Eavesdroppers can collect this information at any point in the transaction and later use it for unauthorized purchases, whether it’s implemented on a counterfeit card or manually entered online.
An EMV chip contains the same information found on a magnetic stripe and more, but the chip is much more secure than a stripe.
Once an EMV chip is inserted into a terminal, it must remain there for the duration of the transaction. To begin the transaction, the chip and terminal send an outgoing cryptogram with a one-time, unique digital signature that accompanies the outgoing transaction request, based on randomly selected information from the chip.
Throughout the request, the signature is authorized against security certificates and digital keys along the transaction chain, including those hosted by payment processors, acquirers, the issuers themselves and other parties. Once authorized by all parties, the transaction request is granted, and the customer can remove the card.
It’s important to note that the digitally signed signature is sent in clear view of any party, just like a magnetic-stripe transaction. The big difference, however, is that the signature is valid only for the life of its originating transaction. Once the transaction is completed, the signature won’t be accepted again.
So if this information was to be intercepted, and an attempt was made to use it for an unauthorized transaction at an EMV-equipped terminal or point-of-sale (POS), the transaction would be denied. This is opposed to information harvested from a magnetic-stripe card without an EMV chip, which could be used until it is suspected of fraud.
So Why Is This Happening Now and Not Earlier?
There are two reasons why this migration has been delayed in the United States: implementation costs and the unique composition of the U.S. payments market.
In other nations, the number of banks and card brands can usually be counted on one hand. In fact, the phrase “national bank” is sometimes more than just a marketing tagline, as many overseas governments actually own the banks, the acquirers, issuing bodies and even payment processors that dictate the shift. That makes implementing a new standard like EMV quicker because there are fewer independent parts on the payment chain.
When you compare this with the U.S. market, it’s easy to see why the migration has taken so long.
As of February 2015, there are nearly 6,800 commercial banks responsible for issuing over 1.2 billion credit cards. These banks work with at least nine prominent acquirers, who in turn work with nine specialized payment processors, who in turn work with literally hundreds of different technology providers and ISVs.
With a market this large and relatively fragmented, EMV implementation is going to take time and money. With that said, the U.S. payments industry has already worked hard to migrate much of its infrastructure to the EMV standard, and the merchants (i.e. you, the business owners) are the last in line to do it.
How Do Customers Verify a Purchase Using EMV?
Chip-and-PIN is one of the best-known customer verification methods (CVMs) supported by EMV. Here’s a list of all supported transactions by EMV technology:
- Chip-and-PIN: Customer inputs a PIN to confirm a transaction.
- Chip-and-Signature: Customer writes a signature to confirm.
- Offline Chip-and-PIN: Customer inputs a PIN while the terminal isn’t directly connected to a connection.
- No CVM: In the event a purchase amount is considered too low to require confirmation, the terminal may not ask for a CVM. This threshold, if any, is set by the issuer.
Which of These Methods Will Be Used in the U.S.?
Due to the belief that U.S. consumers are accustomed to signing for credit-card purchases already, many issuing banks have elected to implement Chip-and-Signature as their preferred CVM.
This may change in the future, however, with increased adoption of PIN-capable EMV terminals. But because this migration is only now starting to reach consumers, it appears that Chip-and-Signature may be the CVM of choice for the immediate future.
Tell Me About This So-Called “Liability Shift”
With the current magnetic-stripe cards, card brands place any liability costs resulting from lost, stolen or counterfeit credit cards with the credit-card issuer. This policy has cost issuers and their brands upwards of $7 billion, a sum that the entire payments industry is keen to bring down as quickly as possible.
The most readily available and globally proven solution is EMV. With that in mind, the big four card brands want EMV in the U.S. marketplace as soon as possible.
In order to spur EMV adoption, they have set October 1, 2015, as the date when fraud liability shifts to the party with the least-secure means of accepting payments. This means that the party without EMV-capable payment processing will be liable for counterfeit fraud.
Since virtually all issuers, acquirers and processors have become EMV-compliant, your business is likely the last part of the chain to convert.
The Next Steps
Now that you know what EMV is all about, let’s talk about business adoption. There’s a lot to look out for, but it isn’t difficult. To see if you’re ready for the migration, check out our quiz on the process. If you think you’re ready to make the move, see our step-by-step guide to EMV migration.
Fred Badlissi is an in-house writer and editor for Intuit. His previous experience includes years as a business journalist, covering topics like China’s ascent as a world power, the business of public and private water treatment, and the financial implications of the 2009 American Recovery and Reinvestment Act. He also edited and co-wrote The Freelancer’s Playbook.