EMV – a security standard coming soon (?) to a credit card near you

Linda Musthaler
By | January 20, 2012

Posted in: Network Security Trends

In my last post , “U.S. clings to insecure magnetic stripe cards — what’s the attraction?” I talked about a security standard for credit and debit cards that is used virtually everywhere in the world except the United States. This standard, called EMV, uses a smart chip embedded in the plastic card or token to securely store the extremely sensitive customer account information that is used in our payment transactions. EMV has been very successful at vastly reducing the fraudulent use of credit cards when they are presented in person (called Card Present). Here’s a quick overview of how they work and why we need this standard in the U.S. sooner rather than later.

EMV is an open standard set of specifications for smart cards and other acceptance devices. EMV stands for Europay, MasterCard and Visa—the three companies that originally developed the standard in 1994. Today, the EMV standard is managed by EMVCo LLC, which is equally owned by American Express, JCB, MasterCard and Visa. The four organizations make every decision on a consensus basis to assure card infrastructure uniformity throughout the world. Information about EMV and technical specifications are available on www.emvco.com.

To appreciate the advantages of EMV, it’s important to understand the current state of credit card authentication in the U.S. Most of our payment cards today still use a static magnetic stripe, where sensitive data is encoded (but not encrypted). Among the data are the primary account number (PAN), card expiration date and various bits of information that are important to the global payment networks. When a person swipes his card at a point of sale (POS), a device called a card reader extracts all that information from the magstripe and uses it to conduct a transaction. The problem is that it’s extremely easy to use an illicit card reader to steal the data and print it on counterfeit cards or use it over the Internet to commit fraud. This technology is more than 40 years old—unbelievable for a security technology.

In contrast, the EMV standard uses a smart chip to hold all the sensitive information plus much more information that is used to authenticate both the card and the legitimate card owner. The distinguishing feature of EMV is that the consumer payment application is resident in the secure chip. This isn’t possible with a magstripe card, because there are no embedded processing capabilities.

The smart chip provides three key elements: it can store information; it can perform processing and, because it is a secure element, it is able to store secret information securely and perform cryptographic processing. These combined capabilities provide the means for secure consumer payments.

In order to execute a payment, the chip must connect to a chip reader in an acceptance terminal. This connection can be either contact or contactless. With contact, the chip must come into physical contact with the chip reader for the payment transaction to occur. With contactless, the chip must come within sufficient proximity of the reader for information to flow between the chip and the acceptance terminal.

Chips that are embedded in form factors such as plastic payment cards may support only a contact interface, only a contactless interface, or both contact and contactless. When the chip is installed inside a non-card form factor, such as a mobile phone, contactless is typically the only option for connection to the acceptance terminal.

When a chip-based card is presented at a POS, the cardholder is frequently required to enter a PIN, which is checked against a PIN value stored on the card. This prevents someone from stealing the card and using it unless he also knows the legitimate card owner’s PIN.

Unlike the magstripe cards, it’s not possible to read the data embedded in a chip and use it to create a counterfeit chip card. It may be possible, however, to use that data in a Card Not Present situation, such as over the Internet, or to create a counterfeit magnetic stripe card. This is one reason why EMV is reducing fraud in countries that employ the technology and increasing fraud in countries that don’t. (That would be the United States.)

The collective payment card industry in the U.S. is considering how to deploy EMV here. It will take years and cost billions of dollars, but there’s little doubt it will eventually happen. This is one instance where we must play catch-up with the rest of the world in our security standard.

You May Also Be Interested In: