We get asked a lot of questions about EMV. As larger numbers of cards start rolling out with chips in the coming months, here’s everything you need to know about EMV.
EMV stands for “Europay, MasterCard, and Visa.” A relatively new concept here in the U.S., EMV refers to a set payment security principles and standards that were first introduced in Europe in the 80’s and 90’s to combat “card-present” fraud – fraud involving use of a stolen or duplicated card at a physical store location.
EMV cards, which contain visible contact pads connected to a computer chip, work with special terminals that are designed to read chips. At every transaction, the chip generates a unique code, or “cryptogram” that is used to verify a card’s authenticity. The chip electronically submits this unique code to the terminal along with standard, unencrypted card account information, including the cardholder’s 16 digit account number and his/her first and last name.
But the chipped card alone is just one option for EMV, as the technology is a foundation for other, more secure payment solutions beyond the chip. For example, this created the possibility for contactless NFC devices, such as Apple Pay, that utilize tokenization and transmits a ‘token’ as a secure substitute for a user’s actual account number.
EMV transactions can be completed by “dipping” the chip card into an EMV card reader, or by waiving an NFC enabled EMV card or device within a couple inches of compatible readers. A large majority of new, EMV enabled terminals are designed to support chip-based and contactless/NFC based forms of EMV. In the U.S., the initial focus will be on an easier to implement chip and signature system that utilizes a less secure version of EMV technology, rather than the more secure chip and pin technology used in Europe and elsewhere.
When EMV was introduced in central Europe in the 1990’s, it quickly brought under control surging card-present fraud rates and was widely heralded a success. Poor telecommunications infrastructure in Europe in that era created a need for strong physical security at the point of purchase. EMV served this need. Over the past two decades, countries globally have followed Europe’s lead and implemented chip card technology.
The U.S. long stood as an exception to this trend. The U.S. banking system has historically imposed a “zero floor limit” on card transactions – meaning that all transactions are monitored for fraud in real time. This has kept fraud rates low and weakened the business case for EMV. By 2010, industry analysts had begun questioning whether EMV would ever take root in the U.S.; they asked whether the 15 year old standard would be leapfrogged by newer standards better suited to mobile payment and other, newer payment applications.
The momentum started to shift in 2011 when Visa, MasterCard and Amex each announced 5-6 year initiatives to rollout EMV across the U.S., with strong incentives for all relevant verticals - merchants, issuers, acquirers, processors - to get on board with the plan. Initially, the news went unnoticed by consumers and generally was received unfavorably by large retailers who viewed supporting EMV as a costly distraction with not enough benefit in fraud reduction. Meanwhile, credit/debit networks bickered over how technical details of the rollout would be administered. As late as 2013, there was talk of pushing back deadlines and legitimate uncertainty over whether the EMV rollout would pull together at all.
The momentum changed drastically over the course of 2014, which saw a rash of highly publicized merchant data security breaches that put millions of Americans’ card information at risk. Following these events, merchants and issuers were compelled to adopt more pro-active payment security strategies, with EMV front and center. The migration to EMV in the U.S. is now fully under way, and while the transition will extend several more years, ATMs have until October 2016 and gas stations have until October 2017, most Americans will have their first experience dipping cards this fall.
Implementing EMV in the U.S. is a step in the right direction toward more secure payment. However, this is just step one. As highlighted recently in the Washington Post, the most significant security vulnerabilities remain unaddressed by EMV alone.
What is most significant about EMV is not actually EMV chipped cards as is currently being implemented, but the groundwork EMV has laid for a more robust, adaptable payment infrastructure that will continue to evolve over time. While mainstream media is talking about EMV and what changes we will be seeing at merchants in the coming months, the industry has already shifted the focus to a host of new, powerful technologies that are being layered on top of EMV and that will meaningfully address the security holes facing payments today.
Card networks are pro-actively looking to support and collaborate with technology companies to drive this innovation faster and further. Their goal is to ensure they are staying relevant by pro-actively cultivating the next generation in payment technology to give consumers a more secure, more powerful payment experience. Examples include Apple Pay, Samsung Pay,and Android Pay that all use network based next generation tokenized security.
NFC or EMV contactless systems that utilize tokenization, where a new “token” or a one time passcode is created for each transaction, or biometrics with fingerprints or retinal scans to confirm identity will ultimately become the long term goal. The U.S. payments industry is entering an exciting time, change that was long overdue is finally occurring, but it’s not enough to sit back and say job well done.
As for Stratos and EMV, the second version of the Stratos Card under development includes an NFC interface that opens up safer options to process payments beyond the chip technology being rolled out in the U.S. and available around the world. As a connected device, the Stratos Card will help bring tokenization to the card form over NFC and loading tokens onto our dynamically changing magstripe. Stratos is introducing the new levels of security made possible by EMV, such as those seen in Apple Pay/Android pay, to card payment anywhere.