Defining EMV Security

Merchant Warehouse - October 8, 2014

 

Starting in October 2015, all four major card brands will shift financial liability for fraudulent transactions to the entity that’s responsible for a card present payment transaction not being processed via an EMV chip card.

 

That means that if fraud occurs based on a consumer card that is only enabled with a mag-stripe, the card issuer may be liable.

 

But that liability could shift to the merchant if the issuer is enabled with an EMV chip (contact or contactless) and the merchant didn’t have the necessary equipment to process that transaction.

 

The guidelines vary by brand, but the message behind it is clear – it’s vital to upgrade equipment to accept these new chip cards and train staff to be knowledgeable and pro-active about the transaction.

 

This could mean ensuring that the chip card reader is prominently displayed facing the customer to encourage use as well as educating cashiers to have them insert their cards to pay with chip when ready.

 

That will help prevent scenarios where liability shift could be tricky if both the cardholder and merchant are enabled for EMV acceptance, but for some reason the transaction is initiated via the mag-stripe.

 

With MasterCard and Visa projecting over 575 million chip enabled cards by end of 2015, it’s definitely worth the time and effort protect yourself.

 

So with all the headlines of merchants falling victim to data breaches where millions of consumer account numbers have been compromised, how does EMV help solve this?

 

In a nutshell EMV has 3 distinct features that make it harder for hackers to re-use compromised card holder data. The first is related to CVV value on a card. With EMV the CVV value on the chip differs from the CVV on the mag-stripe or what’s printed on the card itself. That means the card issuer can better detect and prevent fraud by seeing if the CVV value matches how the card was presented for a particular transaction (i.e. hackers can’t put EMV data on a mag-stripe and get approved transactions).

 

The next layer is a security system where the chip in the card communicates with a chip on the EMV acceptance device and authenticates itself as valid.  Without going into too much technical detail, a trust chain is created by the card brands where they issue certificates to each approved issuing bank. In turn the issuing bank places an encryption key on each card that can be matched against technology stored securely in the terminal. With the advancements in security the key length can be quite complex to the point it becomes cost prohibitive for hackers to monetize the data, as it would take hundreds of years and a lot of cost to break the system and generate counterfeit EMV cards.

 

Finally the last feature is a cryptogram, which is basically a unique number generated for each transaction that can be validated by the card issuer. This unique card number is based on complex algorithm that includes parts of the key described in previous paragraph, details of the transaction and a random number to provide a guarantee that the card is authentic. Because the issuer can offer a corresponding message that can be validating by the EMV terminal, one can essentially guarantee that the transaction was unaltered through the approval process. 

 

In addition to those 3 features, the EMV transaction includes more data elements than a mag-stripe transaction related to transaction counters and card verification results that can be matched to help validate transaction data matches what’s on the card to what is expected at the card issuer.

 

So what does that mean for data breaches?

 

EMV is definitely a deterrent to hackers, as it makes it harder to monetize the stolen account data as the card itself is being authenticated as valid, it’s important to note that once it enters the payment environment it is still sensitive account data that should be secured via PCI-DSS best practices. PCI offers guidance for how best to secure data ranging from hardware requirements for PIN entry devices to payment software and protecting data through the lifecycle of a transaction (including storing authorization response data).  In these cases it’s important to use a Point-to-Point Encryption (P2PE) solution based upon industry standards that helps ensure that the card holder data is encrypted when it goes out for authorization and any data that is stored locally be tokenized in a format that can’t be converted back to the account number.

 

This will help ensure that if your point of sale or payment system does get compromised it’s in a format that is unusable to the hackers. As indicated earlier EMV provides strong authentication to prevent someone from creating a counterfeit card, it is not meant to solve for card-not-present and online transactions.

 

Thus while it does a great deal to reduce counterfeit fraud in markets where it’s implemented, it should be considered one part of a multi-faceted approached to security where we all do our part to ensure that any data that is obtained by inappropriate methods be useless when someone tries to use for monetary gain.