What is the point of using chip cards and EMV-capable terminals if EMV technology does not ultimately protect cardholder data and identity? In this article we are going to try to answer this question as well as look at some of the common misconceptions and misunderstandings.
In essence, the problem is as follows. Every EMV chip contains the primary account number (PAN). When an EMV transaction is conducted, the PAN is transmitted between the terminal and the processing application. Consequently, at some point it can be captured, stolen, and subsequently used elsewhere as part of a fraudulent online transaction.
So why switch to EMV, if the technology does not allow cardholders and merchants to solve this fundamental problem? To answer this question, let us take a quick look at the history of EMV technology, and at the benefits that it offers.
EMV technology dates back to the mid-eighties. In many countries of the world (the US not included), EMV has been the dominant card format for at least ten years now. The US economy was largely based on magnetic stripe cards and card readers/swipers, so it is only now that the transition is due to take place.
When EMV technology was created, it was mostly targeted at retail businesses and transactions. The point was to protect these businesses from card forgery (a magnetic stripe card is, in fact, much easier to forge than an EMV card). At the time of the technology's initial development, online fraud was not as prevalent as it is now. Still, besides protection against forgery, chip (EMV) cards have several additional advantages over magnetic stripe cards even in today's world.
Advantages of EMV cards
- Larger capacity. The first advantage is that much more information can be written to a chip than to a magnetic stripe. Various scripts can also be executed to modify the content of the chip.
- Interactive mini-application. As there is more space available on the chip, an interactive mini-application can be recorded on it. The mini-application can customize the user experience based not only on the card issuer, but also on the place where the card is used (supermarket vs. gas pump). When a card is inserted into a terminal, the terminal can review the available applications and interact with the one that is most compatible with it. This allows card issuers to embed specific logic that might improve the user experience in different contexts, such as specific types of supermarkets, the gas pump, the pharmacy, etc.
- Point encryption addition. While point-to-point encryption is not a part of the EMV standard, it has become common practice to include this mechanism in all new EMV terminal implementations. As a result, while EMV itself does not protect PAN data, almost all of the solutions that involve EMV, and therefore all the new terminals that are being deployed in the US right now, have this added capability. In essence, with EMV comes point-to-point encryption, which does provide a better level of protection than regular swipers.
- Data flow reduction. Due to complex EMV certification requirements, most people try to reduce and simplify the data flow between the terminal and the card processor or gateway. Previously, in the "swipers' world", the data from the card would often go to the POS application, which then sent it to the gateway for processing. Today, due to EMV certification, everyone is trying to exclude all the intermediary applications (such as POS applications) from the process, so that the card data bypasses them and goes straight to the gateway. This results in fewer places that can be compromised and fewer ways to steal PAN data.
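Where an intermediary application still sees chip data, the PAN exposure described at the start of this article shows up wherever that data is logged. The sketch below is an added example, not code from the article or from any EMV kit: it walks BER-TLV chip data and masks the PAN before the data is written anywhere. It assumes that only tags 5A (Application PAN) and 57 (Track 2 Equivalent Data) carry the PAN, and the sample record is constructed from a well-known test card number.

```python
# Added example (not from the article): log-safe dump of EMV BER-TLV data.
PAN_TAGS = {0x5A, 0x57}  # assumption: Application PAN and Track 2 Equivalent only

def parse_tlv(data):
    """Yield (tag, value, constructed) for each BER-TLV object in data."""
    i = 0
    try:
        while i < len(data):
            first = tag = data[i]
            i += 1
            more = first & 0x1F == 0x1F        # low five bits set: tag continues
            while more:
                tag = (tag << 8) | data[i]
                more = data[i] & 0x80
                i += 1
            length = data[i]
            i += 1
            if length & 0x80:                  # long form: next n bytes hold length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            if i + length > len(data):
                raise IndexError
            yield tag, data[i:i + length], bool(first & 0x20)
            i += length
    except IndexError:
        raise ValueError("truncated TLV data") from None

def mask(hexval):
    """Keep the first six and last four PAN digits; star everything else."""
    cuts = [p for p in map(hexval.find, "DF") if p != -1]
    end = min(cuts, default=len(hexval))       # PAN ends at 'D' separator or 'F' pad
    if end <= 10:                              # too short to truncate safely
        return "*" * len(hexval)
    return hexval[:6] + "*" * (end - 10) + hexval[end - 4:end] + "*" * (len(hexval) - end)

def log_safe(data):
    """Return 'TAG=VALUE' strings with PAN-bearing values masked."""
    out = []
    for tag, value, constructed in parse_tlv(data):
        if constructed:                        # template (e.g. 70): recurse into it
            out.extend(log_safe(value))
        else:
            text = value.hex().upper()
            out.append(f"{tag:X}=" + (mask(text) if tag in PAN_TAGS else text))
    return out

# Constructed sample record built around the 4111... test number, not real card data.
SAMPLE = bytes.fromhex("701E5A0841111111111111115F2403251231570C4111111111111111D2512201")
```

A caller should treat the `ValueError` as a reason to log nothing at all, since falling back to the raw bytes would put the PAN back into the log.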
If you are familiar with the key advantages that EMV technology offers, the transition of your business to EMV cards and terminals will be an informed and conscious choice. As of today, the deadline set by the associations for merchants to be able to accept EMV cards is October 2015.