The EMV Universe
EMV 101 & Myths of EMV
Itai Sela, Vice President, B2 Payment Solutions
EMV™ 101 – What is EMV?
Name of the standards developed by Europay, MasterCard and Visa in 1993
Currently owned by Visa, MasterCard, JCB and Amex
Designed originally for “card present” contact chip card payment acceptance.
Basis for chip migration by payment schemes in markets around the world
EMV™ is a trademark owned by EMVCo LLC
EMV 101
EMVCo manages, maintains and enhances the EMV Specifications to ensure global interoperability and acceptance of chip cards
It is also responsible for a type approval process for terminal compliance testing (EMV Level 1 and 2)
Level 1 – Terminal hardware components
Level 2 – EMV Kernel – Software (EMV Commands)
Scheme Certification (Visa, MasterCard, Amex etc.)
Level 3 – Payment application level
EMV 101
EMV was designed to be a comprehensive toolbox that enables protection against:
Counterfeit and skimming - through the use of cryptography
Offline card authentication
Online card authentication
Lost or Stolen - through the use of offline PIN and/or online PIN
Consumer delinquency through the use of offline risk management
Secure offline transaction processing capability
Over the years it evolved to support “card not present” as well (CAP and DPA*)
* CAP – Card Authentication Program (MasterCard), DPA – Dynamic Passcode Authentication (Visa)
EMV 101
There are 3 main steps to an EMV transaction:
Card Authentication – Card is genuine
Offline
Online
Cardholder Verification – Card presented by its rightful owner
Offline PIN (Plaintext/Encrypted)
Online PIN
Signature
Amount Authorization
Offline – using the Issuer counters and limits within the chip
Online – using the Issuer host
EMV 101
[Table: EMV Toolbox, Offline and Online. Type of Fraud: Counterfeit Card, Skimming, Replay. Security Method: SDA, DDA\CDA, ARQC/ARPC, ATC Variance. Lost and Stolen: Offline PIN ✔; Offline or Online PIN ✔.]
Myth #1: EMV = Old Technology
EMV was developed in 1993 which makes it almost 20 years old
Why should a market implement a technology that is this old? Would we consider it obsolete?
Maybe we should create a new technology to secure transactions moving forward
Reality #1: EMV ≠ Old Technology
Modern cryptography is over 35 years old but we still use it
EMV security relies on cryptographic functions – these evolve together with the evolution of cryptography
In the early years of EMV the challenges were with the implementations. Now, with over 15 years of experience, fewer issues occur
There are over 1 Billion EMV Cards issued in the world
Myth #2: EMV = Chip & PIN
Chip & PIN was the marketing brand used for the UK implementation of EMV
PIN is one of the core EMV security features
PIN only protects against lost and stolen fraud
Reality #2: EMV ≠ Chip & PIN
There are EMV cards in the world today that don’t support PIN (Issuer, Brand and/or Market choice)
It is up to the Issuer to decide if and when it is worth the investment to enable offline PIN as it requires an expensive infrastructure
Canada 2010 – credit card Lost and stolen accounted for only 10% of card fraud*
Once EMV is implemented there is no additional impact for the merchant to implement offline PIN at POS
EMV = Chip & Choice
* http://www.rcmp-grc.gc.ca/
Myth #3: PCI vs. EMV
There are two ways to look at cryptography based security:
Privacy/Secrecy (Encryption)
Authenticity (Digital Signature)
EMV is based on Authenticity
PCI is based on Privacy
EMV Cryptograms ≠ Encryption
EMV data is not Encrypted
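An added illustration of this slide's point (not part of the original deck): a cryptogram authenticates transaction data that itself stays readable, and a counter in the signed data lets the issuer host reject a replay. HMAC-SHA256 stands in for the EMV cryptogram algorithm; the key, PAN, field layout and the strictly-increasing ATC rule are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo values; a real card key is derived by the issuer per card.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "9999000000000001"

def cryptogram(key, pan, amount, atc, un):
    """8-byte MAC over clear-text fields (HMAC-SHA256 stands in for the EMV MAC)."""
    msg = f"{pan}|{amount}|{atc}|{un.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def card_generate(amount, atc, un):
    """Card side: the fields travel in the clear, only the cryptogram is added."""
    return {"pan": PAN, "amount": amount, "atc": atc, "un": un,
            "cryptogram": cryptogram(CARD_KEY, PAN, amount, atc, un)}

class IssuerHost:
    def __init__(self, key):
        self.key = key
        self.last_atc = {}  # PAN -> highest ATC already accepted

    def authorize(self, txn):
        expected = cryptogram(self.key, txn["pan"], txn["amount"], txn["atc"], txn["un"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if txn["atc"] <= self.last_atc.get(txn["pan"], -1):
            return "DECLINE: ATC not increasing"
        self.last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

def run_demo():
    host = IssuerHost(CARD_KEY)
    genuine = card_generate(amount=2500, atc=7, un=bytes.fromhex("a1b2c3d4"))
    return {
        "genuine": host.authorize(genuine),
        "replayed": host.authorize(dict(genuine)),
        "amount_altered": host.authorize(dict(genuine, amount=250000)),
        "copied_data_no_key": host.authorize(dict(genuine, atc=8, cryptogram=bytes(8))),
        "pan_readable_on_wire": genuine["pan"] == PAN,
    }

if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The PAN is never hidden in any of these messages; the cryptogram only proves that the data came from a card holding the key.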
Reality #3: PCI & EMV
To protect the “Card Not Present” environment, card data must be kept secret in the “Card Present” environment
PCI will continue to complement EMV as long as there isn’t a more widely adopted solution for “Card Not Present”
PCI and EMV should be implemented together – Visa will waive PCI audits for the merchant if 75% of the transactions are EMV
Myth #4: EMV Certification is enough
[Table. Columns: Interop, Functional, Purchase, Refund, Other Trans, Scripts, Performance, Destructive. Rows: Visa, MasterCard, Amex.]
Reality #4: EMV Certification is NOT enough
No performance testing – crucial with EMV
Not enough negative or exception testing
Customer specific testing not included
Consult with your acquirer to receive the full EMV test requirements
Canadian Company located in the Greater Toronto Area
We provide world class knowledge and training, POS development, products and services for EMV, Contactless, NFC, banking, e-commerce and card payments
B2 is the exclusive distributor for the Collis Payment Products in Canada and the USA
Thank you
For more information, visit
www.b2ps.com
www.collisamerica.com
www.emv-usa.com
www.actcda.com