EMV is set to become the next big trend in the United States payments ecosystem. It is already the standard for the major nations and in last couple years it has barged into U.S. after the October 2015 Liability shift. Here's a quick background on what is happening with global EMV adoption, this chart below was prepared by EMV Co., the international technical body which facilitates the worldwide interoperability and acceptance of secure payment transactions. It shows the regions of the world that are implementing EMV technology. It also shows the percent adoption of cards and terminals that have been achieved in different regions by the end of Q1 2019.
In 2013, excluding the US, over 2.37 billion EMV cards have been issued globally and 36.9 million EMV terminal were active worldwide. What's probably obvious is the green area on far left that's the US where the statistics show 53.5% of transactions as opposed to to 68.2% of transaction in Asia on far right. This indicates that merchants have invested rigorously over the past few years in the hardware upgrades to accept EMV knowing the benefits such as added security against certain types of fraud (e.g. counterfeit and lost/stolen), and support of enhanced cardholder verification methods. Many have also upgraded to accept contactless and mobile transactions as well.
There are a lot of layers, technical details and complexities involved in an EMV transaction. As part of this article, I'm excited to share my knowledge base and I would like to cover -
The application fundamentals
Basics for the operation
New Functions that are provided with EMV
Impact from the terminal perspective and,
Some details about migration of EMV in the US marketplace
EMV is in fact a complete transaction framework. It is not merely a single entity or a single component within the payment transaction framework. It has ideally replaced the legacy framework that was followed with the traditional magnetic stripe credit cards.
When people think about EMV they frequently think about the chip on the card and the fact that there's additional data on the card but there's a lot more to EMV. In fact, EMV requires changes to every aspect of the payment system framework. It starts at the card but those changes need to be implemented so that the terminal can handle those card changes and so there would be messaging changes, along with application logic and configuration changes not only to the card but to the terminal to the acquiring systems and to the issuing system. So, in summary, this new chip on the card and the changes impacts the whole payment system.
If we look at the magnetic stripe transaction first just to have a baseline, why is that we're looking to move to chip technology so the first reason is that magnetic stripe technology uses will refer to a static data authentication which means the way this card is uses data doesn't always change. It's the same data all the time for every transaction - the same basic data that you used on all the cards. When the card is inserted the terminal really doesn't have the ability to do a lot of risk assessment simply because it isn't given a lot of information then finally the transaction information is sent up through the acquiring network through payment networks finally to the issuer who has to perform an authorization. Then the transaction data that's been passed is often times in the clear and again the core data that's used by the issuer for the authorization and authentication is static data. When the issuer receives that information the risk assessment is performed at this level, which is the host system and the data assessment is performed based on static data. They have minimal ways or let's say non-sophisticated ways are to perform any type of counterfeit card checking.
When it comes to an EMV transaction, it really is a paradigm on how things are done. First of all you know how is the risk assessed, where is the risk assessed and the fact that the terminal really becomes what I consider a workflow engine, it needs to follow the instructions of the card that is inserted into it. Let's look at this step by step -
First of all when the chip is inserted in to the terminal a risk assessment is performed based on how the issuer has programmed the chip in the beginning (before they issued the card)
Then the terminal performs its risk assessment and the two compare their two risk assessments
Approval/Decline Mechanism - determination to go online is contingent on the outcome of that comparison. When it goes online the data is put into Field 55 or DE 55.
In DE 55 field, the messaging consists of EMV related transaction data, which is then, passed all the way up through the authorization system.
Now in the authorization system, the issuer has new data, basically dynamic data and this is the "new how" paradigm-shift in EMV
Instead of static data there is a dynamic cryptogram (ARQC - Application Response Cryptogram) generated from the transaction data that changes for every single transaction therefore if information has ever taken that information is useless when trying to make a counterfeit card
The fact that the risk assessment now can be performed also at the terminal or the terminal can play a greater role in that risk assessment and the fact that the card can play a greater role in that risk assessment is another paradigm shift. And finally, since the terminal is now going to need to follow the instructions that will vary card by card to perform the transaction.
Something that's very different about chip technology is that in the MagStripe world, every transaction that is being performed has static data information and when you swipe the card, the terminal knows the data that it is going to get after the card-terminal interaction. With EMV technology, there's different chip applications that can be on the card, which the terminal needs to identify -
Do I recognize the application on the card in order to process the transaction?
To facilitate that recognition, there is something called an AID (Application Identifier.) This is used to address an application on the chip in the card. An AID consists of two components.
The first component is a registered application provider identifier (RID) of five bytes, which is issued by the ISO/IEC 7816-5 registration authority.
The second component is a proprietary application identifier extension (PIX) which enables the application provider to differentiate between the different applications offered.
So every time, whether it's MasterCard, Visa or any payment network out there or anybody else that establish a application that might reside on a chip, they register for a Application ID and what that does is - it basically acknowledges from an International perspective, who is the owner of that application? and what is the application logic on that card? So that when the terminal sees an AID and if it also has that AID as a checklist configuration, it knows it could process that card. Hence, the role of the AID is to identify what application is on the card and also what operating rules is can follow based on that AID.
For more details: Visit EMV Fundamentals - Part II
Comments