Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
December 19, 2011
The many flavors of EMV
As 2011 comes to an end, EMV (Europay, MasterCard, and Visa) transactions are still the exception in the United States. However, the United States has made some progress towards an EMV migration—several financial institutions are now issuing EMV cards for select portfolios. Also, on the acquiring side, some large merchants voiced strong opinions during the year about adopting the EMV standard. And towards the end of summer, Visa announced details of its "chip migration and adoption of mobile payments acceleration plan."
The perceived cost of a full EMV migration has been a great barrier for the U.S. payments industry. Further complicating the migration are the different ways issuers and merchants can implement EMV. In particular, the various transaction authorization processes of card authentication, cardholder verification, and payment authorization can take place in an online or offline environment, or in a combination of the two.
This week's post highlights the differences between offline and online transactions and the implications for U.S. migration to EMV-supported card payments.
Prior to the introduction of chip cards in the United Kingdom, cards used the same magnetic stripe technology that is currently the standard in the United States. However, the difference is that in the United Kingdom most card transactions were authorized offline. In an offline authorization environment, card transactions are batched over a given time period and then transmitted to issuers, usually at the close of business, for authorization. Because the offline authorization environment does not permit real-time authentication, fraud rates were significantly higher than in markets using online authorization. To mitigate the additional risk inherent in the offline environment, the United Kingdom adopted the EMV standard—more specifically, chip and PIN.
In an offline EMV chip-and-PIN transaction, the payment terminal communicates with the integrated circuit card (ICC), or chip, embedded in the payment card rather than using telecommunications to connect and communicate with the issuing bank. This communication between the ICC and terminal allows for real-time card authentication, cardholder verification, and payment authorization. However, because most attended payment terminals now support online authorization (unattended terminals are the exception), payment authorization usually occurs online while card authentication and cardholder verification usually take place offline.
In contrast to the United Kingdom's predominately offline authorization experience, nearly all card transactions in the United States are authorized online. This environment allows issuers to authorize transactions at the time of sale using multiple fraud and risk parameters.
In an online EMV transaction, the ICC-embedded card generates a cryptogram that is authenticated by the issuer during the authorization request. Assuming the card is authenticated and the merchant requires cardholder verification, either the terminal transmits the cardholder's encrypted PIN to the card issuer for verification or the merchant compares the customer's signature against the signature on the card. Finally, for payment authorization, the terminal transmits payment-related information and a transaction-specific cryptogram to the issuer, which then authorizes or declines the transaction. This online payment authorization process is the same process that magnetic stripe cards currently use.
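The online flow described above, modelled end to end as an added example (this is not code from the post, from the Atlanta Fed, or from EMVCo): the card derives a per-transaction session key from its counter, produces a cryptogram over the transaction data and the terminal's unpredictable number, and the issuer re-derives the same key to verify it and answer with a response cryptogram. The example also shows why the cryptogram being transaction-specific matters for counterfeit resistance: a captured cryptogram resubmitted with a different amount, or resubmitted unchanged, is declined, while the genuine card keeps working. HMAC-SHA256 is used as an illustrative stand-in for the 3DES-based key derivation and ISO 9797-1 MACs real EMV cards use; the master key, PAN, field layout and function names are all constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample values for the demo (not real keys or account numbers).
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PAN = "4111111111111111"


def derive_card_key(issuer_mk: bytes, pan: str) -> bytes:
    """Per-card key the issuer derives from its master key, diversified by PAN.
    Real EMV uses 3DES key derivation; HMAC-SHA256 is an illustrative stand-in."""
    return hmac.new(issuer_mk, pan.encode(), hashlib.sha256).digest()


def derive_session_key(card_key: bytes, atc: int) -> bytes:
    """Session key bound to the card's Application Transaction Counter (ATC)."""
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(session_key: bytes, amount_cents: int, currency: str,
               unpredictable_number: bytes, atc: int) -> bytes:
    """MAC over the transaction data: the 'transaction-specific cryptogram'."""
    data = (amount_cents.to_bytes(6, "big") + currency.encode()
            + unpredictable_number + atc.to_bytes(2, "big"))
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    """The ICC: holds its diversified key and a monotonically increasing ATC."""
    pan: str
    card_key: bytes
    atc: int = 0

    def generate_arqc(self, amount_cents, currency, unpredictable_number):
        self.atc += 1
        sk = derive_session_key(self.card_key, self.atc)
        return self.atc, cryptogram(sk, amount_cents, currency,
                                    unpredictable_number, self.atc)


@dataclass
class Issuer:
    """Issuer host: re-derives the card key, checks the ARQC, tracks ATCs."""
    master_key: bytes
    highest_atc: dict = field(default_factory=dict)

    def authorize(self, pan, atc, amount_cents, currency, unpredictable_number, arqc):
        sk = derive_session_key(derive_card_key(self.master_key, pan), atc)
        expected = cryptogram(sk, amount_cents, currency, unpredictable_number, atc)
        if not hmac.compare_digest(expected, arqc):
            return False, None  # data altered, or not produced by a genuine card
        if atc <= self.highest_atc.get(pan, 0):
            return False, None  # ATC already consumed: a replayed cryptogram
        self.highest_atc[pan] = atc
        # Response cryptogram (ARPC stand-in) so the card can confirm the issuer's answer.
        arpc = hmac.new(sk, arqc + b"00", hashlib.sha256).digest()[:4]
        return True, arpc


def terminal_transaction(card, issuer, amount_cents, currency="840",
                         unpredictable_number=None):
    """Terminal side: pick an unpredictable number, get the ARQC, send it online."""
    un = unpredictable_number or os.urandom(4)
    atc, arqc = card.generate_arqc(amount_cents, currency, un)
    approved, _arpc = issuer.authorize(card.pan, atc, amount_cents, currency, un, arqc)
    return approved, (atc, arqc, un)


def run_scenarios():
    """Genuine purchase, then two misuse attempts with the captured data, then a fresh purchase."""
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = Card(SAMPLE_PAN, derive_card_key(ISSUER_MASTER_KEY, SAMPLE_PAN))

    genuine, captured = terminal_transaction(card, issuer, 1999)
    atc, arqc, un = captured
    # Captured cryptogram resubmitted with a changed amount: MAC mismatch.
    tampered, _ = issuer.authorize(SAMPLE_PAN, atc, 99999, "840", un, arqc)
    # Captured cryptogram resubmitted unchanged: ATC already consumed.
    replayed, _ = issuer.authorize(SAMPLE_PAN, atc, 1999, "840", un, arqc)
    # The genuine card still works because its ATC advances.
    again, _ = terminal_transaction(card, issuer, 500)
    return {"genuine": genuine, "tampered": tampered, "replayed": replayed, "again": again}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:>8}: {'approved' if ok else 'declined'}")
```

The contrast with the magnetic stripe is that stripe data is static: whatever an issuer checks online is the same on every transaction, so a copy of it authorizes as well as the original. Here the issuer never stores a per-transaction secret; it only needs the master key, the card's counter history, and the terminal-supplied fields to recompute what a genuine card must have produced.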
What does this mean for a U.S. EMV migration?
Unfortunately, the many methods for card authentication, cardholder verification, and payment authorization that EMV supports could lead to many different implementations in the United States. The few EMV-issuing financial institutions in the United States have reached no consensus when it comes to cardholder verification methods. Some issuers support offline PIN, others support online PIN, and still others support signature-only verification. Perhaps most critical to the EMV discussion is whether to support online or offline transactions, or both.
The costs associated with an offline implementation are higher. First, ICCs in an offline environment require an additional processor on the card—to support dynamic data authentication—that ICCs in an online environment do not. Second, PIN management in the offline environment involves manipulation of the PIN resident within the ICC, a process that requires issuers to purchase technologies they do not need in the online environment.
From a risk standpoint, both offline and online EMV card authentication support dynamic data and offer superior protection against counterfeit fraud compared to the magnetic stripe. For PIN cardholder verification, offline and online PIN offer the same protection against lost or stolen card fraud.
Offline EMV implementations were necessary in many markets around the globe because of a lack of telecommunications access at the payment terminals. Because the United States already operates in an online environment and the costs of an offline implementation are higher, the business case for an online EMV implementation is stronger than that for an offline one. Further, with most payment terminals in the world now supporting online transactions, global interoperability of online-only EMV cards is not the barrier that it was in the past.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed