Posts Tagged ‘data security’

What does EMV mean in payment processing?

Tuesday, December 30th, 2008

EMV is a standard for interoperation of IC cards ("chip cards") with IC-capable POS terminals and ATMs, for authenticating credit and debit card payments. The name EMV comes from the initial letters of Europay, MasterCard and Visa, the three companies that originally cooperated to develop the standard. Europay International SA was absorbed into MasterCard in 2002. JCB (formerly Japan Credit Bureau) joined the organisation in December 2004. IC card systems based on EMV are being phased in across the world, under names such as "IC Credit" and "Chip and PIN". The EMV specification is also the basis of the Chip Authentication Program, in which banks give customers hand-held card readers that use the chip to authenticate online transactions.

The EMV standard defines the interaction at the physical, electrical, data and application levels between IC cards and IC card processing devices for financial transactions. Portions of the standard are heavily based on the IC card interface defined in ISO/IEC 7816.

The system is not compatible with the original Carte Bancaire smart cards systematically deployed in France since 1992. However, the French Carte Bancaire now also uses the EMV standard.

The most widely known implementations of EMV standard are:

* VSDC - Visa
* M/Chip - MasterCard
* AEIPS - American Express
* J/Smart - JCB

MasterCard's Chip Authentication Program (CAP) uses EMV cards to authenticate e-commerce and other remote transactions. Its implementation is known as EMV-CAP and supports a number of modes.

Differences and benefits of EMV

The purpose of the EMV standard is to specify interoperability between EMV-compliant IC cards and EMV-compliant payment terminals throughout the world. There are two major benefits to moving to smart-card-based credit card payment systems: improved security (with associated fraud reduction), and the possibility of finer control over "offline" credit card transaction approvals.
The goals and benefits of EMV:
- A single high-level standard for the terminal-to-card interface (API).
- Reduced cost and development time for payment software (POS, ATM, HSM, ...), since one implementation serves all EMV cards.
- Replacement of the pre-EMV situation, in which each payment smart card scheme carried its own cryptographic protections (RSA, DES) defined by local, proprietary standards.

EMV financial transactions are more secure against fraud than traditional credit card payments, which rely on the static data encoded in the magnetic stripe on the back of the card: stripe data can be copied by a skimmer and replayed, whereas the chip uses cryptographic algorithms such as DES, Triple-DES, RSA and SHA to authenticate the card to the processing terminal and to the transaction processing centre with per-transaction cryptography rather than static data. However, processing is generally slower than an equivalent magnetic stripe transaction, because of the cryptographic overhead and the time spent exchanging messages between the card and the terminal. The increased protection from fraud has allowed banks and card issuers to push through a "liability shift", such that merchants are liable (from 1 January 2005 in the EU region) for fraud resulting from transactions on systems that are not EMV capable.
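To make the "static data versus per-transaction cryptography" point concrete, here is an added Python model that is not part of the original post and is not EMV's own code or message format. It stands in HMAC-SHA256 for the Triple-DES MAC that EMV specifies for the Application Request Cryptogram, stores a per-card key directly instead of deriving it from an issuer master key, and uses the well-known test PAN 4111 1111 1111 1111 with constructed transaction data. The Application Transaction Counter (ATC) and the terminal's unpredictable number are real EMV concepts; everything else about the field layout is an assumption made for illustration.

```python
"""Model of why a chip transaction resists copy-and-replay fraud while a
magnetic stripe does not. Added illustration: HMAC-SHA256 stands in for the
Triple-DES MAC that EMV specifies for the Application Request Cryptogram,
and a per-card key is stored directly rather than derived from an issuer key."""
import hashlib
import hmac
import secrets


def cryptogram_input(pan, amount, currency, date, nonce, atc):
    """Bytes the card authenticates: transaction fields, the terminal's
    unpredictable number and the card's Application Transaction Counter.
    The field layout is assumed for illustration, not taken from the spec."""
    return f"{pan}|{amount}|{currency}|{date}|{nonce:08x}|{atc}".encode()


class StripeCard:
    """Magnetic stripe: static track data. A skimmer that reads it once
    holds exactly what a genuine swipe presents."""

    def __init__(self, track2):
        self.track2 = track2

    def swipe(self):
        return self.track2


class ChipCard:
    """Chip: a secret key that never leaves the card, a counter that only
    goes up, and a fresh MAC over terminal-supplied data per transaction."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0

    def generate_cryptogram(self, amount, currency, date, nonce):
        self.atc += 1
        data = cryptogram_input(self.pan, amount, currency, date, nonce, self.atc)
        mac = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount, "currency": currency,
                "date": date, "nonce": nonce, "atc": self.atc, "mac": mac.hex()}


class Issuer:
    """Issuer host: knows each chip card's key and the last ATC it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}
        self._tracks = set()

    def enrol_stripe(self, track2):
        self._tracks.add(track2)

    def enrol_chip(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize_stripe(self, track2):
        # Nothing in a stripe authorization proves the physical card was present.
        return track2 in self._tracks

    def authorize_chip(self, req):
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False  # counter did not advance: replayed or stale cryptogram
        data = cryptogram_input(req["pan"], req["amount"], req["currency"],
                                req["date"], req["nonce"], req["atc"])
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected.hex(), req["mac"]):
            return False  # wrong key (cloned card) or altered transaction data
        self._last_atc[req["pan"]] = req["atc"]
        return True


def run_scenarios():
    """Constructed scenarios; 4111 1111 1111 1111 is a test PAN, not a real one."""
    issuer = Issuer()
    results = {}

    stripe = StripeCard("4111111111111111=1012101")  # constructed track 2 data
    issuer.enrol_stripe(stripe.swipe())
    skimmed = stripe.swipe()  # attacker copies the track once
    results["stripe_genuine"] = issuer.authorize_stripe(stripe.swipe())
    results["stripe_skimmed"] = issuer.authorize_stripe(skimmed)  # fraud succeeds

    key = secrets.token_bytes(16)
    chip = ChipCard("4111111111111111", key)
    issuer.enrol_chip(chip.pan, key)
    nonce = secrets.randbits(32)  # terminal's unpredictable number
    req = chip.generate_cryptogram(50, "USD", "081230", nonce)
    results["chip_genuine"] = issuer.authorize_chip(req)
    results["chip_replay"] = issuer.authorize_chip(req)  # same message resent
    forged = dict(req, amount=5000, atc=req["atc"] + 1)  # bumped counter, old MAC
    results["chip_tampered"] = issuer.authorize_chip(forged)
    clone = ChipCard(chip.pan, secrets.token_bytes(16))  # copied PAN, unknown key
    clone.atc = chip.atc
    results["chip_cloned"] = issuer.authorize_chip(
        clone.generate_cryptogram(50, "USD", "081230", nonce))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:15s} {'approved' if ok else 'declined'}")
```

Running it shows the skimmed stripe approved alongside the genuine swipe, while the replayed, altered and cloned chip requests are all declined: the counter check catches the replay, and the MAC check catches the altered amount and the clone that lacks the card's key.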

Although it is not the only possible method, the majority of EMV card and terminal implementations confirm the identity of the cardholder by requiring the entry of a PIN (Personal Identification Number) rather than a signature on a paper receipt. Whether or not PIN verification takes place depends on the capabilities of the terminal and the programming of the card. For more details of this (specifically, the system being implemented in the UK) see Chip and PIN. In the future, systems may be upgraded to use other authentication methods, such as biometrics, which were generally not considered economical as of 2007.

Control of the EMV standard

The first version of the EMV standard was published in the mid-1990s (see Versions below); since 1999 the standard has been defined and managed by EMVCo LLC. The current members of EMVCo are JCB International, MasterCard Worldwide and Visa Inc. Each of these organisations owns one third of EMVCo and has representatives in the EMVCo organisation and its working groups.

Recognition of compliance with the EMV standard (i.e. device certification) is issued by EMVCo following submission of results of testing performed by an accredited testing house.

EMV compliance testing has two levels: EMV Level 1, which covers the physical, electrical and transport-level interfaces, and EMV Level 2, which covers payment application selection and credit financial transaction processing.

After passing the common EMVCo tests, the payment application must also pass each card brand's own certification (Visa VSDC, MasterCard M/Chip, ...).

List of EMV documents and standards

Since version 4.0, the official EMV standard documents, that define all the components in an EMV payment system, are published as four “books”:

* Book 1 - Application Independent ICC to Terminal Interface Requirements
* Book 2 - Security and Key Management
* Book 3 - Application Specification
* Book 4 - Cardholder, Attendant, and Acquirer Interface Requirements

Versions

* EMV '96 (Version 3.1.1) was released in 1996.
* EMV 2000 (Version 4.0) was released in December 2000 and became effective in June 2004.
* Version 4.1 was published in May 2004 and became effective in June 2007.
* Version 4.2 was published in June 2008.

Portions of the above definition provided under GNU documentation license. Copyright (c) 2008 3D Merchant Services LLC.
Permission is granted to copy, distribute and/or modify this document ONLY
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

If your company is considering purchasing or leasing new equipment, make sure that it is EMV compliant. The Hypercom T7 Plus is just one example of an EMV compliant terminal.

Storage of Credit Card Details

Tuesday, August 19th, 2008

How secure is the credit card data you collect?

In the home repair industry, including alarm systems, air conditioning repair, garage door repairs, etc., credit card acceptance has increased dramatically. But how secure is the data collected?

The most common scenario is for the work order to be written up, and the credit card information to then be added to the work order. Sometimes the work order is a carbonless form. The credit card information is then on the customer copy and the merchant copy.

The repairman puts the form in the truck and goes to the next stop. Is the truck locked at ALL TIMES? Or does the driver keep all forms with him in a notebook on each call? If taking on each call, how secure is the information while in the home or business during the repair? Are all forms returned to the home office daily? If not, where are the forms kept until the originals are returned?

The second part of this common scenario is where the data resides: on the work order form. Where are the work orders filed? Who has access?

Creating a policy for Storage of Credit Card Details both on and off your premises is an essential element of PCI Compliance. Your company should have a clear written policy and all employees with access to sensitive information should have the written policy and have had training.

Recommendations:
1. Physical cardholder details must be locked in a secure area, and limited to only those individuals that require access to that data. In addition, access should be restricted to data on a “need to know” basis. If sales orders are kept in an open filing area, then the credit card data collected should not be on the same form.
2. The credit card number should be redacted so that no more than the last four digits remain. In addition, any other sensitive cardholder data should be masked. CVV and PIN data may not be stored at all, even in encrypted form, once the transaction has been authorized.
3. Stored credit card information is to be retained according to data retention policy and only so long as there is a business, legal and/or regulatory purpose.
4. Procedures to follow for masking credit card information when it is no longer required:
* Black out the credit card number (except the last four digits, if needed) and any sensitive cardholder data, then photocopy the document.
* Cross-cut shred the original immediately.
* Retain, if necessary, the copy of the document with the unreadable credit card information.
* If the document design allows, detach the credit card information from the form. Immediately cross-cut shred the detached credit card information and retain the remaining portion.
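Recommendations 2 through 4 apply just as much when work orders are typed into a database as when they are on paper. The following Python example is added here and is not part of the original post or any vendor's software; it shows one way to enforce the same rules on stored records: keep no more than the last four PAN digits, refuse to store CVV, PIN or track data, and audit records that are already on file. The field names in FORBIDDEN_FIELDS and the work order itself are constructed for illustration, and the card numbers are well-known test PANs.

```python
"""Redaction and audit helpers for stored card data, following the
recommendations above: keep at most the last four PAN digits, never keep
CVV or PIN data. Added example, not from the original post."""
import re

# A candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Assumed field names for sensitive authentication data, which PCI DSS
# forbids storing after authorization even in encrypted form.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "pin", "pin_block",
                    "track1", "track2"}


def luhn_ok(digits):
    """Luhn check-digit test, used to tell card numbers from invoice or
    phone numbers that happen to be long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits, as the policy above requires."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text):
    """Mask every Luhn-valid PAN in free text such as a typed-up work order.
    Returns (redacted text, number of PANs masked)."""
    masked = 0

    def repl(match):
        nonlocal masked
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # not a card number; leave it alone
        masked += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, text), masked


def sanitize_record(record):
    """Prepare a work-order record for storage: drop forbidden fields
    outright, mask the PAN field, and redact PANs typed into any other
    text field (for example a notes column)."""
    clean = {}
    for key, value in record.items():
        name = key.lower()
        if name in FORBIDDEN_FIELDS:
            continue  # CVV, PIN and track data may not be stored at all
        if name == "pan":
            clean[key] = mask_pan(str(value))
        elif isinstance(value, str):
            clean[key], _ = redact_text(value)
        else:
            clean[key] = value
    return clean


def audit_record(record):
    """Return a list of policy violations found in an already-stored record;
    an empty list means the record complies."""
    problems = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            problems.append(f"{key}: sensitive authentication data stored")
        elif isinstance(value, str):
            _, hits = redact_text(value)
            if hits:
                problems.append(f"{key}: {hits} unmasked PAN(s)")
    return problems


# Constructed work order; the card numbers are well-known test PANs.
WORK_ORDER = {
    "order": "WO-2008-0817",
    "customer": "A. Smith",
    "job": "Garage door opener replacement",
    "pan": "4111 1111 1111 1111",
    "exp": "11/10",
    "cvv": "123",
    "notes": "Second card on file 5500-0000-0000-0004; invoice ref 1234567890123456",
}

if __name__ == "__main__":
    print("before:", audit_record(WORK_ORDER))
    clean = sanitize_record(WORK_ORDER)
    print("stored:", clean)
    print("after:", audit_record(clean))
```

The Luhn check matters in practice: the 16-digit invoice reference in the notes field is left alone because it fails the check digit, while the second card number typed into the same field is masked. Run the audit over existing records before deciding what to shred, and run the sanitizer on the way into storage so that nothing forbidden is ever written.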