EMV is a standard for interoperation of IC cards (“Chip cards”) and IC capable POS terminals and ATM’s, for authenticating credit and debit card payments. The name EMV comes from the initial letters of Europay, MasterCard and VISA, the three companies which originally cooperated to develop the standard. Europay International SA was absorbed into Mastercard in 2002. JCB (formerly Japan Credit Bureau) joined the organisation in December 2004. IC card systems based on EMV are being phased in across the world, under names such as “IC Credit” and “Chip and PIN”. The EMV specification is also the basis of the Chip Authentication Program, where banks give customers hand-held card readers to perform online authenticated transactions.
The EMV standard defines the interaction at the physical, electrical, data and application levels between IC cards and IC card processing devices for financial transactions. Portions of the standard are heavily based on the IC Chip card interface defined in ISO 7816.
The system is not compatible with the original Carte Bancaire smart cards systematically deployed in France since 1992. However, the French Carte Bancaire now also uses the EMV standard.
The most widely known implementations of EMV standard are:
* VSDC – VISA
* MChip – MasterCard
* AEIPS – American Express
* J Smart – JCB
MasterCard has a Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of Modes.
Differences and benefits of EMV
The purpose and goal of the EMV standard is to specify interoperability between EMV compliant IC cards and EMV compliant credit card payment terminals throughout the world. There are two major benefits to moving to smart card based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of “offline” credit card transaction approvals.
The goals and benefits of EMV:
– High level standard on terminal card API.
– It reduces the cost and time interval of software development (POS, ATM, HSM,…).
– The non EMV payment smart card has its own crypto protections (RSA, DES) and is based on local private standards.
EMV financial transactions are more secure against fraud than traditional credit card payments which use the data encoded in a magnetic stripe on the back of the card. This is due to the use of encryption algorithms such as DES, Triple-DES, RSA and SHA to provide authentication of the card to the processing terminal and the transaction processing center. However, processing is generally slower than an equivalent magnetic stripe transaction. This is due to cryptography overhead and time involved in messages transmissions between the card and the terminal. The increased protection from fraud has allowed banks and credit card issuers to push through a ‘liability shift’ such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.
Although not the only possible method, the majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a PIN (Personal Identification Number) rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and programming of the card. For more details of this (specifically, the system being implemented in the UK) see Chip and PIN. In the future, systems may be upgraded to use other authentication systems, such as biometrics, which are generally not considered economical as of 2007[update].
Control of the EMV standard
The first version of EMV standard was published in 1999. Now the standard is defined and managed by the public corporation EMVCo LLC.The current members of EMVCo are JCB International, MasterCard Worldwide, and Visa, Inc. Each of these organizations owns one third of EMVCo and has representatives in the EMVCo organization and EMVCo working groups.
Recognition of compliance with the EMV standard (i.e. device certification) is issued by EMVCo following submission of results of testing performed by an accredited testing house.
EMV Compliance testing has two levels: EMV Level 1 which covers physical, electrical and transport level interfaces, and EMV Level 2 which covers payment application selection and credit financial transaction processing.
After passing a common EMVCo tests the software must be tested to comply with EMV standard (VISA VSDC, MasterCard MChip,…).
List of EMV documents and standards
* Book 1 – Application Independent ICC to Terminal Interface Requirement
* Book 2 – Security and Key Management
* Book 3 – Application Specification
* Book 4 – Cardholder, Attendant, and Acquirer Interface Requirements
Version 4.0 became effective in June 2004. Version, 4.1 became effective in June 2007. Version 4.2 was published in June 2008.
* [ EMVCo], the organisation responsible for developing and maintaining the standard
Portions of the above definition provided under GNU documentation license. Copyright (c) 2008 3D Merchant Services LLC.
Permission is granted to copy, distribute and/or modify this document ONLY
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.