In most other countries, card-present fraud has been virtually eliminated by the widespread implementation of EMV; as a result, that fraud has moved to the U.S., where magnetic stripe technology prevails. Adopting EMV will require operational changes for the Issuer, the Merchant, the Processor and the Acquirer. Here are a few of the things everyone in the industry should understand about implementing EMV:
Why is the mag-stripe technology more susceptible to fraud?
Magnetic stripe data is static – the same information is sent on every transaction. Because magnetic stripe cards have no reliable means of authentication, cardholder authentication is limited to:
- signature comparison, which is notoriously subjective and inaccurate, or
- ZIP code verification (in some cases), which will not necessarily cause a transaction to decline because it is not specific to an individual cardholder.
How does EMV help prevent fraud?
Each EMV card contains an embedded microprocessor (the “chip” of chip and PIN) that is programmed by the issuer to create a unique cryptogram – a secret code – on each individual transaction, based on dynamic data that includes a randomly generated numeral provided by the POS terminal and the dollar amount entered by the cashier.
In addition, the chip and terminal actively evaluate the risk on each transaction based on issuer- and acquirer-set parameters.
The chip determines if the transaction should proceed, and if so, what type of cardholder verification is required for authentication: PIN entry; Signature; or No CVM (customer verification method). If communication to the issuer is unavailable, the chip determines whether the transaction may be processed offline. Only once these determinations have been made does the transaction proceed to its next step:
- If online, combined data from the chip, the terminal, and the transaction generates a unique cryptogram, which the issuer uses to confirm that the card is genuine and not a counterfeit.
- If a PIN is entered, it may be validated offline against the PIN on the chip, or it can be validated online with the issuer, depending on issuer preferences.
In either case, although not all issuers will require a PIN, merchants can expect a higher percentage of PIN-validated transactions, which reduces the likelihood of accepting a stolen card.
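The difference between static stripe data and a per-transaction cryptogram can be shown from the issuer's side. The sketch below is an added example, not Ingenico's or any card scheme's code: it uses HMAC-SHA256 as a stand-in for the real EMV cryptogram algorithm, and the key, the amounts and the transaction counter (a detail this article does not mention) are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real card key is set by the issuer and stays on the chip.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def card_cryptogram(key, amount_cents, unpredictable_number, counter):
    """Card side: MAC over the dynamic data (HMAC-SHA256 stand-in, not the EMV algorithm)."""
    msg = (amount_cents.to_bytes(6, "big")
           + unpredictable_number
           + counter.to_bytes(2, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer side: recompute the cryptogram and reject mismatches and reused counters."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0  # highest transaction counter accepted so far

    def authorize(self, amount_cents, unpredictable_number, counter, cryptogram):
        expected = card_cryptogram(self.key, amount_cents, unpredictable_number, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram mismatch"
        if counter <= self.last_counter:
            return "DECLINE: counter reused"
        self.last_counter = counter
        return "APPROVE"

def demo():
    issuer = Issuer(CARD_KEY)
    results = {}
    un1 = secrets.token_bytes(4)          # random number supplied by the terminal
    c1 = card_cryptogram(CARD_KEY, 2500, un1, 1)
    results["genuine"] = issuer.authorize(2500, un1, 1, c1)
    # The same captured message sent a second time (what copied stripe data amounts to).
    results["replay"] = issuer.authorize(2500, un1, 1, c1)
    # The captured cryptogram presented at a terminal that issued a fresh random number.
    un2 = secrets.token_bytes(4)
    results["new_terminal"] = issuer.authorize(2500, un2, 2, c1)
    # The captured cryptogram with the dollar amount changed.
    results["altered_amount"] = issuer.authorize(9900, un1, 1, c1)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

Only the first authorization is approved; with magnetic stripe data there is nothing equivalent for the issuer to recompute, so a copied stripe is indistinguishable from the original.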
Do EMV receipts look different?
Somewhat. An EMV-authenticated receipt typically includes the application name, the terminal verification results, and the AID (application identifier) number in addition to the purchase amount and details. This additional EMV information on the receipt could be useful in the case of a chargeback.
What happens if a customer can’t remember his or her PIN?
Some EMV cards may allow a PIN to be bypassed a specified number of times, as do some POS applications. It is important to be aware that allowing PIN bypass on your merchant POS could have serious liability consequences that you should discuss with your acquirer.
What happens if a customer removes the card before the transaction is complete?
If the card is removed prior to the removal prompt, the transaction will be aborted and possibly reversed. The cardholder will then be able to start again with a new transaction.
What happens if a customer leaves the card in the reader and departs the store?
Customers’ forgetting to remove the card from the reader has been a problem in other countries, although most commonly during the first six months of EMV implementation. Some devices, including Ingenico’s, provide an audible alert to remind the customer to withdraw the card. If the alert fails to get the customer’s attention and the card is left behind, keep the card in a secure location until the cardholder returns to retrieve it. If he or she doesn’t return, call the number on the back of the card to ask the issuer for instructions on how to proceed.
How does EMV work in unattended locations like parking lots or vending?
EMV card readers are ideal for unattended environments and are widely used in Europe for parking, transit tickets, even bicycle rental. While these transactions are usually for small amounts that qualify for No CVM (customer verification method), many unattended devices also include PIN pads, just like at an outdoor ATM.
Does EMV work for mobile POS payments?
Contactless EMV already exists on a variety of cards, key fobs, jewelry, etc., and there is an applicable EMV standard already in use for contactless payments. Mobile phones and mobile wallets are also likely to adopt EMV standards for card authentication. In either case, any POS device that accepts contactless payment will work with any mobile device that uses NFC (Near Field Communication) or legacy RFID (Radio Frequency Identification) contactless technology.
Does EMV work when online payments are made through a website?
EMV activates when the EMV chip comes in contact with (or proximity to) the card reader. Because the card is not present for online web payments, EMV does not usually apply. While it’s possible that future NFC, Bluetooth, or other contactless technology may be integrated into consumer web access devices, for now, encryption and tokenization technologies are the preferred methods for securing sensitive online data.
How does EMV work if customers pay in person the first time, then receive a monthly bill?
The initial transaction will be a card-present, EMV-authenticated transaction. Recurring payments should be protected by complementary security technology such as tokenization.
Like any kind of change, the shift to EMV processing is likely to be somewhat disruptive, but the potential for confusion can be minimized with planning, training, and patience.
How is your business preparing? What other questions do you – or your customers – have about EMV?
Allen Friedman serves as Director of Payment Solutions at Ingenico Group, North America.