
Defining EMV Security

Merchant Warehouse - October 8, 2014

 

Starting in October 2015, all four major card brands will shift financial liability for fraudulent transactions to the entity that’s responsible for a card-present payment transaction not being processed via an EMV chip card.

 

That means that if fraud occurs based on a consumer card that is only enabled with a mag-stripe, the card issuer may be liable.

 

But that liability could shift to the merchant if the issuer has enabled the card with an EMV chip (contact or contactless) and the merchant didn’t have the necessary equipment to process that transaction.

 

The guidelines vary by brand, but the message behind them is clear: it’s vital to upgrade equipment to accept these new chip cards and to train staff to be knowledgeable and proactive about the transaction.

 

This could mean ensuring that the chip card reader is prominently displayed facing the customer to encourage its use, as well as educating cashiers to ask customers to insert their cards and pay with chip when ready.

 

That will help prevent scenarios where the liability shift could be tricky: both the cardholder and the merchant are enabled for EMV acceptance, but for some reason the transaction is initiated via the mag-stripe.

 

With MasterCard and Visa projecting over 575 million chip-enabled cards by the end of 2015, it’s definitely worth the time and effort to protect yourself.

 

So with all the headlines about merchants falling victim to data breaches in which millions of consumer account numbers have been compromised, how does EMV help solve this?

 

In a nutshell, EMV has 3 distinct features that make it harder for hackers to re-use compromised cardholder data. The first is related to the CVV value on a card. With EMV, the CVV value on the chip differs from the CVV on the mag-stripe and from what’s printed on the card itself. That means the card issuer can better detect and prevent fraud by checking whether the CVV value matches how the card was presented for a particular transaction (i.e. hackers can’t put EMV data on a mag-stripe and get approved transactions).

 

The next layer is a security system in which the chip in the card communicates with a chip in the EMV acceptance device and authenticates itself as valid. Without going into too much technical detail, a trust chain is created by the card brands, which issue certificates to each approved issuing bank. In turn, the issuing bank places an encryption key on each card that can be matched against technology stored securely in the terminal. With the advancements in security, the keys can be long enough that it becomes cost-prohibitive for hackers to monetize the data, as it would take hundreds of years and a lot of cost to break the system and generate counterfeit EMV cards.

 

Finally, the last feature is a cryptogram, which is basically a unique number generated for each transaction that can be validated by the card issuer. This unique number is based on a complex algorithm that includes parts of the key described in the previous paragraph, details of the transaction and a random number, to provide a guarantee that the card is authentic. Because the issuer can return a corresponding message that can be validated by the EMV terminal, one can essentially guarantee that the transaction was unaltered through the approval process.

 

In addition to those 3 features, an EMV transaction includes more data elements than a mag-stripe transaction, such as transaction counters and card verification results, which can be compared to help validate that the transaction data on the card matches what the card issuer expects.
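The per-transaction cryptogram and the transaction counter described above can be sketched as follows. This is an added example, not code from the original article or from any card brand: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key derivation, field layout, test key and account number are all constructed for illustration.

```python
import hashlib
import hmac

def card_key(issuer_master_key: bytes, pan: str) -> bytes:
    # Per-card key the issuer places on the chip (constructed derivation).
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()

def cryptogram(key: bytes, amount_cents: int, counter: int, random_no: bytes) -> str:
    # Binds the card key, the transaction details and the terminal's random number.
    msg = amount_cents.to_bytes(6, "big") + counter.to_bytes(2, "big") + random_no
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_counter = {}  # account number -> highest counter approved

    def authorize(self, pan, amount_cents, counter, random_no, presented):
        expected = cryptogram(card_key(self.master_key, pan),
                              amount_cents, counter, random_no)
        if not hmac.compare_digest(expected, presented):
            return "DECLINE: cryptogram mismatch"
        if counter <= self.last_counter.get(pan, 0):
            return "DECLINE: transaction counter reused"
        self.last_counter[pan] = counter
        return "APPROVE"

def demo():
    master = bytes(range(32))            # constructed test key
    pan = "4000000000000002"             # constructed test account number
    issuer = Issuer(master)
    chip_key = card_key(master, pan)     # what the chip holds
    rnd = bytes.fromhex("a1b2c3d4")      # terminal random number, fixed for repeatability
    ac = cryptogram(chip_key, 2599, 1, rnd)  # chip signs a 25.99 purchase
    return {
        "genuine": issuer.authorize(pan, 2599, 1, rnd, ac),
        # Same message sent again: cryptogram is valid but the counter is stale.
        "resubmitted": issuer.authorize(pan, 2599, 1, rnd, ac),
        # Amount changed in transit: the cryptogram no longer matches.
        "amount_altered": issuer.authorize(pan, 9999, 2, rnd, ac),
        # Captured cryptogram presented with a fresh terminal random number.
        "captured_data_reused": issuer.authorize(pan, 2599, 2, bytes.fromhex("0badf00d"), ac),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Only the first request is approved; every other case fails either the cryptogram check or the counter check, which is why captured chip transaction data has little resale value.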

 

So what does that mean for data breaches?

 

EMV is definitely a deterrent to hackers, as it makes it harder to monetize stolen account data because the card itself is being authenticated as valid. However, it’s important to note that once the data enters the payment environment, it is still sensitive account data that should be secured via PCI-DSS best practices. PCI offers guidance on how best to secure data, ranging from hardware requirements for PIN entry devices to payment software and protecting data through the lifecycle of a transaction (including storing authorization response data). In these cases it’s important to use a Point-to-Point Encryption (P2PE) solution based upon industry standards that helps ensure that the cardholder data is encrypted when it goes out for authorization and that any data stored locally is tokenized in a format that can’t be converted back to the account number.

 

This will help ensure that if your point of sale or payment system does get compromised, the data is in a format that is unusable to the hackers. As indicated earlier, EMV provides strong authentication to prevent someone from creating a counterfeit card, but it is not meant to solve for card-not-present and online transactions.

 

Thus, while it does a great deal to reduce counterfeit fraud in markets where it’s implemented, it should be considered one part of a multi-faceted approach to security in which we all do our part to ensure that any data obtained by inappropriate methods is useless when someone tries to use it for monetary gain.

 

 
