EMV 101 & Myths of EMV

Itai Sela, Vice President, B2 Payment Solutions



EMV™ 101 – What is EMV?

Name of the standards developed by Europay, MasterCard and Visa in 1993

Currently owned by Visa, MasterCard, JCB and Amex

Designed originally for “card present” contact chip card payment acceptance.

Basis for chip migration by payment schemes in markets around the world

EMV™ is a trademark owned by EMVCo LLC


EMV 101

EMVCo manages, maintains and enhances the EMV Specifications to ensure global interoperability and acceptance of chip cards

It is also responsible for a type approval process for terminal compliance testing (EMV Level 1 and 2)

Level 1 – Terminal hardware components

Level 2 – EMV Kernel – Software (EMV Commands)

Scheme Certification (Visa, MasterCard, Amex etc.)

Level 3 – Payment application level


EMV 101

EMV was designed to be a comprehensive toolbox that enables protection against:

Counterfeit and skimming - through the use of cryptography
  Offline card authentication
  Online card authentication

Lost or Stolen - through the use of offline PIN and/or online PIN

Consumer delinquency through the use of offline risk management

Secure offline transaction processing capability

Over the years it evolved to support “card not present” as well (CAP and DPA*)

* CAP – Card Authentication Program (MasterCard), DPA – Dynamic Passcode Authentication (Visa)


EMV 101

There are 3 main steps to an EMV transaction:

Card Authentication – Card is genuine
  Offline
  Online

Cardholder Verification – Card presented by its rightful owner
  Offline PIN (Plaintext/Encrypted)
  Online PIN
  Signature

Amount Authorization
  Offline – using the Issuer counters and limits within the chip
  Online – using the Issuer host


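EMV 101

EMV Toolbox [table: each security method marked as Online and/or Offline; check-mark positions not recoverable]

Type of Fraud: Counterfeit Card, Skimming Replay
Security Method: SDA, DDA\CDA, ARQC/ARPC, ATC Variance

Type of Fraud: Lost and Stolen
Security Method: Offline PIN, Offline or Online PIN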


Myth #1: EMV = Old Technology

EMV was developed in 1993 which makes it almost 20 years old

Why should a market implement a technology that is this old? Would we consider it obsolete?

Maybe we should create a new technology to secure transactions moving forward


Reality #1: EMV ≠ Old Technology

Modern cryptography is over 35 years old but we still use it

EMV security relies on cryptographic functions – these evolve together with the evolution of cryptography

In the early years of EMV the challenges were with the implementations. Now, with over 15 years of experience, fewer issues occur

There are over 1 billion EMV cards issued in the world


Myth #2: EMV = Chip & PIN

Chip & PIN was the marketing brand used for the UK implementation of EMV

PIN is one of the core EMV security features

PIN only protects against lost and stolen fraud


Reality #2: EMV ≠ Chip & PIN

There are EMV cards in the world today that don’t support PIN (Issuer, Brand and/or Market choice)

It is up to the Issuer to decide if and when it is worth the investment to enable offline PIN as it requires an expensive infrastructure

Canada 2010 – credit card Lost and stolen accounted for only 10% of card fraud*

Once EMV is implemented there is no additional impact for the merchant to implement offline PIN at POS

EMV = Chip & Choice

* http://www.rcmp-grc.gc.ca/


Myth #3: PCI vs. EMV

There are two ways to look at cryptography based security:

Privacy/Secrecy (Encryption)

Authenticity (Digital Signature)

EMV is based on Authenticity

PCI is based on Privacy

EMV Cryptograms ≠ Encryption

EMV data is not Encrypted


Reality #3: PCI & EMV

To protect the “Card Not Present” environment, card data must be kept secret in the “Card Present” environment

PCI will continue to complement EMV as long as there isn’t a more widely adopted solution for “Card Not Present”

PCI and EMV should be implemented together – Visa will waive PCI audits for the merchant if 75% of the transactions are EMV
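An added illustration of the authenticity-versus-secrecy point (not from the original slides): the transaction fields travel in clear and a MAC-style cryptogram proves they came from the card, while an issuer-side counter check rejects a replayed message. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key, PAN, field layout, function names and `MAX_ATC_GAP` are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo values; nothing here comes from a real card or scheme.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4000000000000002"
MAX_ATC_GAP = 10  # assumed issuer tolerance for skipped counter values


def cryptogram(key, pan, amount_cents, atc, nonce):
    """MAC over the cleartext fields. HMAC-SHA256 truncated to 8 bytes is a
    stand-in for illustration, not the EMV cryptogram algorithm."""
    msg = f"{pan}|{amount_cents}|{atc}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def card_request(amount_cents, atc, nonce):
    """Card side: fields go out readable, plus the cryptogram over them."""
    return {"pan": PAN, "amount_cents": amount_cents, "atc": atc, "nonce": nonce,
            "cryptogram": cryptogram(CARD_KEY, PAN, amount_cents, atc, nonce)}


def issuer_check(req, last_atc):
    """Issuer side: returns (decision, last_atc to store)."""
    expected = cryptogram(CARD_KEY, req["pan"], req["amount_cents"],
                          req["atc"], req["nonce"])
    if not hmac.compare_digest(expected, req["cryptogram"]):
        return "DECLINE: cryptogram mismatch", last_atc
    if req["atc"] <= last_atc:
        return "DECLINE: ATC already used", last_atc
    if req["atc"] - last_atc > MAX_ATC_GAP:
        return "REFER: ATC jump too large", last_atc
    return "APPROVE", req["atc"]


def demo():
    out = {}
    genuine = card_request(2500, atc=42, nonce="a1b2c3d4")
    out["genuine"], last = issuer_check(genuine, last_atc=41)
    out["replayed"], last = issuer_check(genuine, last)   # same message again
    altered = dict(genuine, amount_cents=999900)          # changed in transit
    out["altered"], last = issuer_check(altered, last)
    jumped = card_request(2500, atc=92, nonce="0f0e0d0c")
    out["jumped"], last = issuer_check(jumped, last)
    out["pan_visible"] = genuine["pan"]  # integrity only: the PAN is readable
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The cryptogram stops altered or replayed messages, but the PAN is still readable by anything on the path, which is the gap the slides assign to PCI.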


Myth #4: EMV Certification is enough

[Table. Columns: Interop, Functional, Purchase, Refund, Other Trans, Scripts, Performance, Destructive. Rows: Visa, MasterCard, Amex. Cell values not recoverable.]


Reality #4: EMV Certification is NOT enough

No performance testing – crucial with EMV

Not enough negative or exception testing

Customer specific testing not included

Consult with your acquirer to receive the full EMV test requirements


Canadian Company located in the Greater Toronto Area

We provide world class knowledge and training, POS development, products and services for EMV, Contactless, NFC, banking, e-commerce and card payments

B2 is the exclusive distributor for the Collis Payment Products in Canada and the USA


Thank you

For more information, visit

www.b2ps.com

www.collisamerica.com

www.emv-usa.com

www.actcda.com