EMV

For the amusement ride vehicle, see enhanced motion vehicle. For the Mexican school known as EMV, see Escuela Mexicana del Valle.

EMV is a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them. EMV cards are smart cards (also called chip cards or IC cards) that store their data on integrated circuits in addition to magnetic stripes (for backward compatibility). These include cards that must be physically inserted (or "dipped") into a reader and contactless cards that can be read over a short distance using radio-frequency identification (RFID) technology. Payment cards that comply with the EMV standard are often called Chip and PIN or Chip and Signature cards, depending on the authentication methods employed by the card issuer.

A credit card issued by Japan Airlines and Visa, showing the square, gold-colored chip.

EMV stands for Europay, MasterCard, and Visa, the three companies that originally created the standard. The standard is now managed by EMVCo, a consortium with control split equally among Visa, MasterCard, JCB, American Express, China UnionPay, and Discover.[1]

There are standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards (MasterCard Contactless, PayWave, ExpressPay).

The most widely known chip card implementations of the EMV standard are:

VIS - Visa
Master/Chip - MasterCard
AEIPS - American Express
UICS - China UnionPay
J Smart - JCB
D-PAS - Discover/Diners Club International.

Visa and MasterCard have also developed standards for using EMV cards in devices to support card-not-present transactions over the telephone and Internet. MasterCard has the Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes. Visa has the Dynamic Passcode Authentication (DPA) scheme, which is their implementation of CAP using different default values.

In February 2010, computer scientists from Cambridge University demonstrated that an implementation of EMV PIN entry is vulnerable to a man-in-the-middle attack; however, the way PINs are processed depends on the capabilities of the card and the terminal.

1 History

Until the introduction of Chip & PIN, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under that system, the customer hands their card to the clerk at the point of sale, who either "swipes" the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the system verifies account details and prints a slip for the customer to sign. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the customer's signature matches that on the back of the card to authenticate the transaction.

This system has a number of security flaws, including the ability to steal a card in the post, or to learn to forge the signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, making cards easy to clone and use without the owner's knowledge.

The first standard for smart payment cards was the Carte Bancaire M4 from Bull-CP8 deployed in France in 1986, followed by the B4B0' (compatible with the M4) deployed in 1989. Geldkarte in Germany also predates EMV. EMV was designed to allow cards and terminals to be backwardly compatible with these standards. France has since migrated all its card and terminal infrastructure to EMV.

The EMV standard was initially written in 1993 and 1994.[2] JCB joined the consortium in February 2009, China UnionPay in May 2013,[3] and Discover in September 2013.[4]

2 Differences and benefits of EMV

There are two major benefits to moving to smart-card-based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of "offline" credit-card transaction approvals. One of the original goals of EMV was to provide for multiple applications on a card: for a credit and debit card application or an e-purse. With current processing regulations in the United States, new issue debit cards contain two applications: a card association (Visa, MasterCard etc.) application, and a common debit application. The common debit application ID is somewhat of a misnomer as each "common" debit application actually uses the resident card association application.

EMV chip card transactions improve security against fraud compared to magnetic stripe card transactions that rely on the holder's signature and visual inspection of the card to check for features such as hologram. The use of a PIN and cryptographic algorithms such as Triple DES, RSA and SHA provide authentication of the card to the processing terminal and the card issuer's host system. The processing time is comparable to online transactions, in which communications delay accounts for the majority of the time, while cryptographic operations at the terminal take comparatively little time. The supposed increased protection from fraud has allowed banks and credit card issuers to push through a "liability shift", such that merchants are now liable (as of 1 January 2005 in the EU region and 1 October 2015 in the US) for any fraud that results from transactions on systems that are not EMV-capable.[5][6]

Although not the only possible method, the majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a personal identification number (PIN) rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and programming of the card. For more details of this (specifically, the system being implemented in the UK) see Chip and PIN, below.

Under the previous system, a customer typically had to hand their card to a sales clerk to pay for a transaction. When credit cards were first introduced, merchants used mechanical (rather than magnetic) portable card imprinters that required carbon paper to make an imprint. They did not communicate electronically with the card issuer, and the card never left the customer's sight. The merchant had to verify transactions over a certain currency limit by telephoning the card issuer. During the 1970s in the United States, many merchants subscribed to a regularly-updated list of stolen or otherwise invalid credit card numbers. This list was commonly printed in booklet form on newsprint, in numerical order, much like a slender phone book, yet without any data aside from the list of invalid numbers. Checkout cashiers were expected to thumb through this booklet each and every time a credit card was presented for payment of any amount, prior to approving the transaction, which incurred a short delay. This pause generally did not endear the credit card user to those waiting in line behind them.

Later, equipment electronically contacted the card issuer, using information from the magnetic stripe to verify the card and authorize the transaction. This was much faster than before, but required the transaction to occur in a fixed location. Consequently, if the transaction did not take place near a terminal (in a restaurant, for example) the clerk or waiter had to take the card away from the customer and to the card machine. It was easily possible at any time for a dishonest employee to swipe the card surreptitiously through a cheap machine that instantly recorded the information on the card and stripe; in fact, even at the terminal, a thief could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards relatively easy, and a more common occurrence than before.

Since the introduction of payment card Chip and PIN, however, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used by itself on a terminal requiring a PIN. The introduction of Chip and PIN coincided with wireless data transmission technology becoming inexpensive and widespread. In addition to mobile-phone-based magnetic readers like those from Square, merchant personnel can now bring wireless PIN pads to the customer, so the card is never out of the cardholder's sight. Thus, both chip-and-PIN and wireless technologies can be used to reduce the risks of unauthorized swiping and card cloning.

3 Chip and PIN versus chip and signature

Chip and PIN is one of the two verification methods that EMV enabled cards can employ. Rather than physically signing a receipt for identification purposes, the user just enters a personal identification number (PIN), typically of 4 to 6 digits in length. This number must correspond to the information stored on the chip. Chip and PIN technology makes it much harder for fraudsters to replicate the card, so if someone steals a card, they can't make fraudulent purchases unless they know the four-digit PIN.

Chip and Signature, on the other hand, differentiates itself from Chip and PIN by verifying a consumer's identity with a signature.[7]

As of 2015, chip and signature cards are more common in the USA, Mexico, the Philippines and some European countries (such as Germany and Austria), whereas Chip and PIN cards are more common in other European countries (e.g., the UK, Ireland, France, Finland and the Netherlands) as well as in Canada, Australia and New Zealand.[8]

4 Online, phone, and mail order transactions

While EMV technology has helped reduce crime at the point of sale, fraudulent transactions have shifted to more vulnerable telephone, Internet, and mail order transactions, known in the industry as card-not-present or CNP transactions. As of May 2009 CNP transactions made up at least 50% of all credit card fraud.[9] Because of physical distance, it is not possible for the merchant to present a keypad to the customer in these cases, so alternatives have been devised, including:

Software approaches for online transactions that involve interaction with the card-issuing bank or network's web site, such as Verified by Visa and MasterCard SecureCode (implementations of Visa's 3D Secure protocol).
Creating a one-time virtual card backed to a physical card with a given maximum amount.
Additional hardware with keypad and screen that can produce a one-time password, such as the Chip Authentication Program.
Keypad and screen integrated into the card to produce a one-time password. Since 2008, Visa has been running pilot projects using the Emue card,[10] where the generated number replaces the code printed on the back of standard cards.[11]

5 Commands

ISO/IEC 7816-3 defines the transmission protocol between chip cards and readers. Using this protocol, data is exchanged in application protocol data units (APDUs). This comprises sending a command to a card, the card processing it, and sending a response. EMV uses the following commands:

application block
application unblock
card block
external authenticate (7816-4)
generate application cryptogram
get data (7816-4)
get processing options
internal authenticate (7816-4)
PIN change / unblock
read record (7816-4)
select (7816-4)
verify (7816-4).

Commands followed by "7816-4" are defined in ISO/IEC 7816-4 and are interindustry commands used for many chip card applications such as GSM SIM cards.

6 Transaction flow

An EMV transaction has the following steps:[12]

Application selection
Initiate application processing
Read application data
Processing restrictions
Offline data authentication
Cardholder verification
Terminal risk management
Terminal action analysis
First card action analysis
Online transaction authorisation (only carried out if required by the result of the previous steps; mandatory in ATMs)
Second card action analysis
Issuer script processing.

6.1 Application selection

ISO/IEC 7816 defines a process for application selection. The intent of application selection was to let cards contain completely different applications, for example GSM and EMV. EMV however took application selection to be a way of identifying the type of product, so that all product issuers (Visa, MasterCard, etc.) must have their own application. The way application selection is prescribed in EMV is a frequent source of interoperability problems between cards and terminals. Book 1 of the
EMV standard devotes 15 pages to describing the application selection process.

An application identifier (AID) is used to address an application in the card. An AID consists of a registered application provider identifier (RID) of five bytes, which is issued by the ISO/IEC 7816-5 registration authority. This is followed by a proprietary application identifier extension (PIX), which enables the application provider to differentiate among the different applications offered. The AID is printed on all EMV cardholder receipts.

List of applications:

6.2 Initiate application processing

The terminal sends the get processing options command to the card. When issuing this command, the terminal supplies the card with any data elements requested by the card in the processing options data objects list (PDOL). The PDOL (a list of tags and lengths of data elements) is optionally provided by the card to the terminal during application selection. The card responds with the application interchange profile (AIP), a list of functions to perform in processing the transaction. The card also provides the application file locator (AFL), a list of files and records that the terminal needs to read from the card.

6.3 Read application data

Smart cards store data in files. The AFL contains the files that contain EMV data. These all must be read using the read record command. EMV does not specify which files data is stored in, so all the files must be read. Data in these files is stored in BER TLV format. EMV defines tag values for all data used in card processing.

6.4 Processing restrictions

The purpose of the processing restrictions is to see if the card should be used. Three data elements read in the previous step are checked:

Application version number
Application usage control (This shows whether the card is only for domestic use, etc.)
Application effective/expiration dates checking.

If any of these checks fails, the card is not necessarily declined. The terminal sets the appropriate bit in the terminal verification results (TVR), the components of which form the basis of an accept/decline decision later in the transaction flow. This feature lets, for example, card issuers permit cardholders to keep using expired cards after their expiry date, but for all transactions with an expired card to be performed on-line.

6.5 Offline data authentication

Offline data authentication is a cryptographic check to validate the card using public-key cryptography. There are three different processes that can be undertaken depending on the card:

Static data authentication (SDA) ensures data read from the card has been signed by the card issuer. This prevents modification of data, but does not prevent cloning.
Dynamic data authentication (DDA) provides protection against modification of data and cloning.
Combined DDA/generate application cryptogram (CDA) combines DDA with the generation of a card's application cryptogram to assure card validity. Support of CDA in devices may be needed, as this process has been implemented in specific markets. This process is not mandatory in terminals and can only be carried out where both card and terminal support it.

6.6 Cardholder verification

Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. There are many cardholder verification methods (CVMs) supported in EMV. They are:

Signature
Offline plaintext PIN
Offline enciphered PIN
Offline plaintext PIN and signature
Offline enciphered PIN and signature
Online PIN
No CVM required
Fail CVM processing

The terminal uses a CVM list read from the card to determine the type of verification to perform. The CVM list establishes a priority of CVMs to use relative to the capabilities of the terminal. Different terminals support different CVMs. ATMs generally support online PIN. POS terminals vary in their CVM support depending on type and country.
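The record parsing of section 6.3 and the CVM list processing of section 6.6 worked through in Python, as an added example that is not code from the article or from EMVCo: the record bytes and terminal capability sets are constructed, tag and CVM code values are those of EMV Book 3, and the `oda_ok` check in `select_cvm()` is an illustrative hardening against the CVM-list downgrade described in section 9.3, not EMV's own rule text.

```python
"""Added example (not from the article): parse a BER-TLV record as returned by
READ RECORD (6.3) and apply the CVM list it carries (6.6).  RECORD and
POS_CAPS are constructed; tag, CVM code and condition-code values follow EMV
Book 3.  The oda_ok check in select_cvm() is an illustrative hardening against
the CVM-list downgrade of section 9.3, not EMV rule text."""

def parse_tlv(data: bytes) -> list:
    """Return [(tag_hex, value)]; value is bytes for primitive tags and a nested
    list for constructed tags.  Handles multi-byte tags (9F 26, 5F 24), long-form
    lengths (81 xx, 82 xx xx) and 00/FF padding between objects."""
    out, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:            # low 5 bits set: more tag bytes follow
            while i < len(data) and data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                   # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated value for tag " + tag)
        i += length
        constructed = bool(first & 0x20)    # bit 6 of the first tag byte
        out.append((tag, parse_tlv(value) if constructed else value))
    return out

def find_tag(tlv: list, tag: str):
    """Depth-first lookup of a tag anywhere inside a parsed record."""
    for t, v in tlv:
        if t == tag:
            return v
        if isinstance(v, list):
            hit = find_tag(v, tag)
            if hit is not None:
                return hit
    return None

# CVM codes (low 6 bits of a rule's first byte) for the methods listed in 6.6.
CVM_NAMES = {0x00: "Fail CVM processing", 0x01: "Offline plaintext PIN",
             0x02: "Online PIN", 0x03: "Offline plaintext PIN and signature",
             0x04: "Offline enciphered PIN",
             0x05: "Offline enciphered PIN and signature",
             0x1E: "Signature", 0x1F: "No CVM required"}
OFFLINE_PIN = {0x01, 0x03, 0x04, 0x05}

def decode_cvm_list(raw: bytes) -> dict:
    """Tag 8E: amount X (4 bytes), amount Y (4 bytes), then 2-byte rules in
    priority order: CVM code (bit 7 = try the next rule on failure) + condition."""
    if len(raw) < 8 or (len(raw) - 8) % 2:
        raise ValueError("malformed CVM list")
    rules = [{"method": raw[k] & 0x3F, "next_on_fail": bool(raw[k] & 0x40),
              "cond": raw[k + 1]} for k in range(8, len(raw), 2)]
    return {"x": int.from_bytes(raw[0:4], "big"),
            "y": int.from_bytes(raw[4:8], "big"), "rules": rules}

def condition_applies(cond, method, amount, x, y, supported) -> bool:
    """Conditions handled: 00 always, 03 if the terminal supports the CVM,
    06/07 amount under/over X, 08/09 under/over Y (application currency is
    assumed).  Any other condition code is skipped."""
    table = {0x00: True, 0x03: method in supported, 0x06: amount < x,
             0x07: amount > x, 0x08: amount < y, 0x09: amount > y}
    return table.get(cond, False)

def select_cvm(cvm: dict, amount: int, supported: set, oda_ok: bool = True) -> str:
    """Walk the rules in priority order and name the CVM the terminal would
    perform.  When offline data authentication failed the list is unauthenticated,
    so an offline PIN taken from it is not honoured and online PIN is required
    instead (illustrative hardening, see 9.3)."""
    for rule in cvm["rules"]:
        m = rule["method"]
        if not condition_applies(rule["cond"], m, amount, cvm["x"], cvm["y"], supported):
            continue                        # condition not met: try the next rule
        if m != 0x00 and m not in supported:
            if rule["next_on_fail"]:
                continue
            return CVM_NAMES[0x00]
        if not oda_ok and m in OFFLINE_PIN:
            return "Online PIN" if 0x02 in supported else CVM_NAMES[0x00]
        return CVM_NAMES.get(m, "Unknown CVM %02X" % m)
    return CVM_NAMES[0x00]                  # no rule could be applied

# Constructed record: template 70 (long-form length) holding the application
# expiry date (5F24, 31 Dec 2025) and a CVM list with X=1000, Y=5000 and rules:
# no CVM under X; plaintext PIN if supported; online PIN if supported;
# signature under Y; otherwise fail.  Rules 2 to 4 fall through on failure.
RECORD = bytes.fromhex("70811A5F24032512318E12000003E8000013881F06410342035E080000")
POS_CAPS = {0x01, 0x02, 0x1E, 0x1F}         # constructed terminal capabilities

if __name__ == "__main__":
    cvm = decode_cvm_list(find_tag(parse_tlv(RECORD), "8E"))
    print(select_cvm(cvm, 2500, POS_CAPS), "/", select_cvm(cvm, 2500, POS_CAPS, False))
```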


6.7 Terminal risk management

Terminal risk management is only performed in devices where there is a decision to be made whether a transaction should be authorised on-line or offline. If transactions are always carried out on-line (e.g., ATMs) or always offline, this step can be missed. Terminal risk management checks the transaction amount against an offline ceiling limit (above which transactions should be processed online). It is also possible to have a "1 in an online counter", and a check against a "hot card list" (which is only necessary for off-line transactions). If the result of any of these tests is positive, the terminal sets the appropriate bit in the terminal verification results (TVR).

6.8 Terminal action analysis

The results of previous processing steps are used to determine whether a transaction should be approved offline, sent online for authorization, or declined offline. This is done using a combination of Terminal action codes (TACs) held in the terminal and Issuer action codes (IACs) read from the card.
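Terminal action analysis as described above, worked through in Python as an added example (not code from the article or from EMVCo): the processing restrictions and terminal risk management steps set TVR bits, the TAC/IAC rule order then picks the cryptogram to request, and the online-only device case follows the description under online transaction authorization. TVR bit positions are those of EMV Book 3; the TAC, IAC, date and amount values are constructed.

```python
"""Added example, not from the article: the terminal-side checks that feed
terminal action analysis (6.8) from processing restrictions (6.4) and terminal
risk management (6.7), plus the online-only device case of 6.10.  TVR bit
positions follow EMV Book 3 Annex C; action codes, dates and amounts below
are constructed for the example."""
from datetime import date

# (byte index, mask) inside the 5-byte terminal verification results (TVR).
TVR_SDA_FAILED = (0, 0x40)
TVR_APP_EXPIRED = (1, 0x40)
TVR_APP_NOT_EFFECTIVE = (1, 0x20)
TVR_SERVICE_NOT_ALLOWED = (1, 0x10)
TVR_CVM_NOT_SUCCESSFUL = (2, 0x80)
TVR_OVER_FLOOR_LIMIT = (3, 0x80)

def set_bit(tvr: bytearray, bit) -> None:
    idx, mask = bit
    tvr[idx] |= mask

def emv_date(raw: bytes) -> date:
    """Decode a 3-byte BCD YYMMDD date element (tags 5F25 / 5F24); years are 20YY."""
    h = raw.hex()
    return date(2000 + int(h[0:2]), int(h[2:4]), int(h[4:6]))

def processing_restrictions(tvr, expiry: bytes, today: date, effective=None) -> None:
    """6.4: a failed check never declines by itself, it only sets a TVR bit."""
    if effective is not None and emv_date(effective) > today:
        set_bit(tvr, TVR_APP_NOT_EFFECTIVE)
    if emv_date(expiry) < today:
        set_bit(tvr, TVR_APP_EXPIRED)

def terminal_risk_management(tvr, amount: int, floor_limit: int) -> None:
    """6.7: compare the amount with the offline ceiling.  An amount equal to the
    limit is treated as exceeding it, so a zero floor limit (6.10) sends every
    transaction online."""
    if amount >= floor_limit:
        set_bit(tvr, TVR_OVER_FLOOR_LIMIT)

def hits(tvr, *codes) -> bool:
    """True when any set TVR bit is also set in one of the 5-byte action codes."""
    return any(t & c for code in codes for t, c in zip(tvr, code))

def terminal_action_analysis(tvr, tac: dict, iac: dict, online_capable=True) -> str:
    """6.8: combine TACs (terminal) and IACs (card) with the TVR and return the
    cryptogram to request in the first GENERATE AC (6.9):
    AAC = offline decline, ARQC = go online, TC = offline approval."""
    if hits(tvr, tac["denial"], iac["denial"]):
        return "AAC"
    if online_capable:
        return "ARQC" if hits(tvr, tac["online"], iac["online"]) else "TC"
    return "AAC" if hits(tvr, tac["default"], iac["default"]) else "TC"  # offline-only

def decide(amount, expiry, today, tac, iac, floor_limit, online_capable=True,
           cvm_ok=True, sda_ok=True, service_allowed=True):
    """Run 6.4, 6.7 and 6.8 for one transaction; returns (TVR bytes, decision)."""
    tvr = bytearray(5)
    processing_restrictions(tvr, expiry, today)
    terminal_risk_management(tvr, amount, floor_limit)
    if not cvm_ok:
        set_bit(tvr, TVR_CVM_NOT_SUCCESSFUL)
    if not sda_ok:
        set_bit(tvr, TVR_SDA_FAILED)
    if not service_allowed:
        set_bit(tvr, TVR_SERVICE_NOT_ALLOWED)
    return bytes(tvr), terminal_action_analysis(tvr, tac, iac, online_capable)

# Constructed POS terminal codes: decline offline only for a disallowed card
# product; go online for SDA failure, expiry, failed CVM or an amount over the
# floor; when offline-only, decline on SDA failure, expiry or failed CVM.
POS_TAC = {"denial": bytes([0x00, 0x10, 0x00, 0x00, 0x00]),
           "online": bytes([0x40, 0x40, 0x80, 0x80, 0x00]),
           "default": bytes([0x40, 0x40, 0x80, 0x00, 0x00])}
# Constructed issuer action codes as read from the card.
CARD_IAC = {"denial": bytes([0x00, 0x00, 0x80, 0x00, 0x00]),
            "online": bytes([0x40, 0x00, 0x00, 0x80, 0x00]),
            "default": bytes([0x40, 0x00, 0x80, 0x00, 0x00])}
# Online-only device (6.10): only "service not allowed" matters for denial and
# only "exceeds floor limit" for online; the floor limit itself is zero.
ATM_TAC = {"denial": bytes([0x00, 0x10, 0x00, 0x00, 0x00]),
           "online": bytes([0x00, 0x00, 0x00, 0x80, 0x00]),
           "default": bytes(5)}
TODAY = date(2024, 6, 1)                    # constructed transaction date

if __name__ == "__main__":
    print(decide(500, bytes.fromhex("251231"), TODAY, POS_TAC, CARD_IAC, 1000))
    print(decide(500, bytes.fromhex("231231"), TODAY, POS_TAC, CARD_IAC, 1000))
```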

6.9 First card action analysis

One of the data objects read from the card in the Read application data stage is CDOL1 (Card Data object List). This object is a list of tags that the card wants to be sent to it to make a decision on whether to approve or decline a transaction (including transaction amount, but many other data objects too). The terminal sends this data and requests a cryptogram using the generate application cryptogram command. Depending on the terminal's decision (offline, online, decline), the terminal requests one of the following cryptograms from the card:

Transaction certificate (TC): Offline approval
Authorization Request Cryptogram (ARQC): Online authorization
Application Authentication Cryptogram (AAC): Offline decline.

This step gives the card the opportunity to accept the terminal's action analysis or to decline a transaction or force a transaction on-line. The card cannot return a TC when an ARQC has been asked for, but can return an ARQC when a TC has been asked for.

6.10 Online transaction authorization

Transactions go online when an ARQC has been requested. The ARQC is sent in the authorisation message. The card generates the ARQC. Its format depends on the card application. EMV does not specify the contents of the ARQC. The ARQC created by the card application is a digital signature of the transaction details, which the card issuer can check in real time. This provides a strong cryptographic check that the card is genuine. The issuer responds to an authorisation request with a response code (accepting or declining the transaction), an authorisation response cryptogram (ARPC) and optionally an issuer script (a string of commands to be sent to the card).

An online-only device such as an ATM always attempts to go on-line with the authorization request, unless declined off-line due to Issuer action codes (Denial) settings. During IAC-Denial and TAC-Denial processing, for an online only device, the only relevant Terminal verification results bit is "Service not allowed". When an online-only device performs IAC-Online and TAC-Online processing the only relevant TVR bit is "Transaction value exceeds the floor limit". Because the floor limit is set to zero, the transaction should always go online and all other values in TAC-Online or IAC-Online are irrelevant. Online-only devices do not need to perform IAC-Default processing.

6.11 Second card action analysis

CDOL2 (Card data object list) contains a list of tags that the card wants to be sent after online transaction authorisation (response code, ARPC, etc.). Even if for any reason the terminal could not go online (e.g., communication failure), the terminal should send this data to the card again using the generate authorisation cryptogram command. This lets the card know the issuer's response. The card application may then reset offline usage limits.

6.12 Issuer script processing

If a card issuer wants to update a card post issuance it can send commands to the card using issuer script processing. Issuer scripts are encrypted between the card and the issuer, so are meaningless to the terminal. Issuer script can be used to block cards, or change card parameters.

7 Control of the EMV standard

The first version of EMV standard was published in 1995. Now the standard is defined and managed by the privately owned corporation EMVCo LLC. The current members of EMVCo are JCB International, American Express, MasterCard, China UnionPay, Discover Financial and Visa Inc. Each of these organizations owns an equal share of EMVCo and has representatives in the EMVCo organization and EMVCo working groups.

Recognition of compliance with the EMV standard (i.e., device certification) is issued by EMVCo following submission of results of testing performed by an accredited testing house.

EMV Compliance testing has two levels: EMV Level 1, which covers physical, electrical and transport level interfaces, and EMV Level 2, which covers payment application selection and credit financial transaction processing.

After passing common EMVCo tests, the software must be certified by payment brands to comply with proprietary EMV implementations such as Visa VSDC, American Express AEIPS, MasterCard MChip, JCB JSmart, or EMV-compliant implementations of non-EMVCo members such as LINK in the UK, or Interac in Canada.

The EMVCo standards have been integrated into the broader electronic payment security standards being developed by the Secure POS Vendor Alliance, with a specific effort to develop a common interpretation of EMVCo's place relative to, and interactions with, other existing security standards, such as Payment Card Industry Data Security Standard (PCI-DSS).[14]

8 List of EMV documents and standards

Since version 4.0, the official EMV standard documents that define all the components in an EMV payment system are published as four "books" and some additional documents:

Book 1: Application Independent ICC to Terminal Interface Requirements
Book 2: Security and Key Management
Book 3: Application Specification
Book 4: Cardholder, Attendant, and Acquirer Interface Requirements
Common Payment Application Specification
EMV Card Personalisation Specification.

8.1 Versions

First EMV standard came into view in 1995 as EMV 2.0. This was upgraded to EMV 3.0 in 1996 (sometimes referred to as EMV '96) with later amendments to EMV 3.1.1 in 1998. This was further amended to version 4.0 in December 2000 (sometimes referred to as EMV 2000).

Version 4.0 became effective in June 2004
Version 4.1 became effective in June 2007
Version 4.2 is in effect since June 2008
Version 4.3 is in effect since November 2011.[15]

9 Vulnerabilities

9.1 Opportunities to harvest PINs and clone magnetic stripes

In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards, and defective cards. This attack is possible only where (a) the offline PIN is presented in plaintext by the PIN entry device to the card, where (b) magstripe fallback is permitted by the card issuer and (c) where geographic and behavioural checking may not be carried out by the card issuer.

It was claimed that changes specified to the protocol (specifying different card verification values between the chip and magnetic stripe: the iCVV) rendered this attack ineffective. APACS (the UK Payments Association) stated that such measures would be in place from January 2008, although tests on cards in February 2008 indicated this may have been delayed.[16]

9.1.1 Successful attacks

Conversation capturing is the form of attack that was reported to have taken place against Shell terminals in May 2006, when they were forced to disable all EMV authentication in their filling stations after more than £1 million was stolen from customers.[17]

In October 2008 it was reported that hundreds of EMV card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been expertly tampered with in China during or shortly after manufacture. For 9 months details and PINs of credit and debit cards were sent over mobile phone networks to criminals in Lahore, Pakistan. United States National Counterintelligence Executive Joel Brenner said, "Previously only a nation state's intelligence agency would have been capable of pulling off this type of operation. It's scary." Data were typically used a couple of months after the card transactions to make it harder for investigators to pin down the vulnerability. After the fraud was discovered it was found that tampered-with terminals could be identified as the additional circuitry increased their weight by about 100 g. Tens of millions of pounds sterling are believed to have been stolen.[18] This vulnerability spurred efforts to
implement better control of electronic POS devices over their entire life cycle, a practice endorsed by electronic payment security standards like those being developed by the Secure POS Vendor Alliance (SPVA).[19]

9.1.2 Demonstration of PIN harvesting and stripe cloning

Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated in a February 2008 BBC Newsnight programme one example attack, to illustrate that Chip and PIN is not secure enough to justify passing the liability to prove fraud from the banks onto customers.[20][21] The Cambridge University exploit allowed the experimenters to obtain both card data to create a magnetic stripe and the PIN.

APACS, the UK payments association, disagreed with the majority of the report, saying "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out."[22] They also said that changes to the protocol (specifying different card verification values between the chip and magnetic stripe: the iCVV) would make this attack ineffective from January 2008. The fraud reported in October 2008 to have operated for 9 months (see above) was probably in operation at the time, but was not discovered for many months.

In August 2016, NCR (payment technology company) computer security researchers showed how credit card thieves can rewrite the code of a magnetic strip to make it appear like a chipless card, which allows for counterfeiting.

9.2 2010: Hidden hardware disables PIN checking on stolen card

On 11 February 2010 Murdoch and Drimer's team at Cambridge University announced that they had found "a flaw in chip and PIN so serious they think it shows that the whole system needs a re-write" that was "so simple that it shocked them".[23][24] A stolen card is connected to an electronic circuit and to a fake card that is inserted into the terminal ("man-in-the-middle attack"). Any four digits are typed in and accepted as a valid PIN.

A team from the BBC's Newsnight programme visited a Cambridge University cafeteria (with permission) with the system, and were able to pay using their own cards (a thief would use stolen cards) connected to the circuit, inserting a fake card and typing in "0000" as the PIN. The transactions were registered as normal, and were not picked up by banks' security systems. A member of the research team said, "Even small-scale criminal systems have better equipment than we have. The amount of technical sophistication needed to carry out this attack is really quite low." The announcement of the vulnerability said, "The expertise that is required is not high (undergraduate level electronics) ... We dispute the assertion by the banking industry that criminals are not sophisticated enough, because they have already demonstrated a far higher level of skill than is necessary for this attack in their miniaturized PIN entry device skimmers." It is not known if this vulnerability has been exploited.

EMVCo disagreed and published a response saying that, while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully, that current compensating controls are likely to detect or limit the fraud, and that the possible financial gain from the attack is minimal while the risk of a declined transaction or exposure of the fraudster is significant.[25]

When approached for comment, several banks (Co-operative Bank, Barclays and HSBC) each said that this was an industry-wide issue, and referred the Newsnight team to the banking trade association for further comment.[26] According to Phil Jones of the Consumers' Association, Chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained. "What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."

Because submission of the PIN is suppressed, this is the exact equivalent of a merchant performing a PIN bypass transaction. Such transactions can't succeed offline, as a card never generates an offline authorisation without a successful PIN entry. As a result of this, the transaction ARQC must be submitted online to the issuer, who knows that the ARQC was generated without a successful PIN submission (since this information is included in the encrypted ARQC) and hence would be likely to decline the transaction if it were for a high value, out of character, or otherwise outside of the typical risk management parameters set by the issuer.

Originally, bank customers had to prove that they had not been negligent with their PIN before getting redress, but UK regulations in force from 1 November 2009 placed the onus firmly on the banks to prove that a customer has been negligent in any dispute, with the customer given 13 months to make a claim.[27] Murdoch said that "[the banks] should look back at previous transactions where the customer said their PIN had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud."

9.3 2011: CVM downgrade allows arbitrary PIN harvest

At the CanSecWest conference in March 2011, Andrea Barisani and Daniele Bianco presented research uncovering a vulnerability in EMV that would allow arbitrary PIN harvesting despite the cardholder verification configuration of the card, even when the supported CVMs data is signed.[28]

will be 1 October 2017.[36] Domestic ATM transactions in China are not currently not subject to a
liability shift deadline.

The PIN harvesting can be performed with a chip skimmer. In essence, a CVM list that has been modied to
downgrade the CVM to Oine PIN is still honoured by
POS terminals, despite its signature being invalid.[29]
10 Implementation

In many countries of the world, debit card and/or credit card payment networks have implemented liability shifts. Normally, the card issuer is liable for fraudulent transactions. However, after a liability shift is implemented, if the ATM or merchant's point of sale terminal does not support EMV, the ATM owner or merchant is liable for the fraudulent transaction.

Chip and PIN systems can cause problems for travellers from countries that do not issue Chip and PIN cards as some retailers may refuse to accept their chipless cards.[30] While most terminals still accept a magnetic strip card, and the major credit card brands require vendors to accept them,[31] some staff may refuse to take the card, under the belief that they are held liable for any fraud if the card cannot verify a PIN. Non-chip-and-PIN cards may also not work in some unattended vending machines at, for example, train stations, or self-service check-out tills at supermarkets.[32]

10.1 Africa

MasterCard's liability shift among countries within this region took place on 1 January 2006.[33] By 1 October 2010, a liability shift had occurred for all point of sale transactions.[34]
Visa's liability shift for points of sale took place on 1 January 2006. For ATMs, the liability shift took place on 1 January 2008.[35]

10.1.1 South Africa

MasterCard's liability shift took place on 1 January 2005.[33]

10.2 Asian/Pacific countries

MasterCard's liability shift among countries within this region took place on 1 January 2006.[33] By 1 October 2010, a liability shift had occurred for all point of sale transactions, except for domestic transactions in China and Japan.[34]
Visa's liability shift for points of sale took place on 1 October 2010.[35] For ATMs, the liability shift date took place on 1 October 2015, except in China, India, Japan, and Thailand, where the liability shift will be 1 October 2017.[36] Domestic ATM transactions in China are not currently subject to a liability shift deadline.

10.3 Australia

MasterCard required that all point of sale terminals be EMV capable by April 2013. For ATMs, the liability shift took place in April 2012. ATMs must be EMV compliant by the end of 2015.[37]
Visa's liability shift for ATMs took place 1 April 2013.[35]

10.4 Canada

American Express implemented a liability shift on 31 October 2012.[38]
Discover implemented a liability shift on 1 October 2015. For pay at the pump at gas stations, the liability shift is 1 October 2017.[39]
Interac (Canada's debit card network) stopped processing non-EMV transactions at ATMs on 31 December 2012, and will no longer process non-EMV transactions at point of sale terminals on 30 September 2016, though a liability shift takes place on 31 December 2015.[40]
MasterCard implemented domestic transaction liability shift on 31 March 2011, and international liability shift on 15 April 2011. For pay at the pump at gas stations, the liability shift was implemented 31 December 2012.[38]
Visa implemented domestic transaction liability shift on 31 March 2011, and international liability shift on 31 October 2010. For pay at the pump at gas stations, the liability shift was implemented 31 December 2012.[38]
Over a 5-year period post EMV migration, domestic card-present fraudulent transactions were significantly reduced in Canada. According to Helcim's reports, card-present domestic debit card fraud reduced 89.49% and credit card fraud 68.37%.[41]

10.5 Europe

MasterCard's liability shift took place on 1 January 2005.[33]
Visa's liability shift for points of sale took place on 1 January 2006. For ATMs, the liability shift took place on 1 January 2008.[35]
France has cut card fraud by more than 80% since its introduction in 1992 (see Carte Bleue).

10.5.1 United Kingdom

Chip and PIN UK logo

Chip and PIN was trialled in Northampton, England from May 2003,[42] and as a result was rolled out nationwide in the United Kingdom on 14 February 2006[43] with advertisements in the press and national television touting the "Safety in Numbers" slogan. During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN. On January 1, 2005, the liability for such transactions was shifted to the retailer; this acted as an incentive for retailers to upgrade their point of sale (PoS) systems, and most major high-street chains upgraded on time for the EMV deadline. Many smaller businesses were initially reluctant to upgrade their equipment, as it required a completely new PoS system, a significant investment.

New cards featuring both magnetic strips and chips are now issued by all major banks. The replacement of pre-Chip and PIN cards was a major issue, as banks simply stated that consumers would receive their new cards "when their old card expires" despite many people having had cards with expiry dates as late as 2007. The card issuer Switch lost a major contract with HBOS to Visa, as they were not ready to issue the new cards as early as the bank wanted.

The Chip and PIN implementation was criticised as designed to reduce the liability of banks in cases of claimed card fraud by requiring the customer to prove that they had acted with "reasonable care" to protect their PIN and card, rather than on the bank having to prove that the signature matched. Before Chip and PIN, if a customer's signature was forged, the banks were legally liable and had to reimburse the customer. Until 1 November 2009 there was no such law protecting consumers from fraudulent use of their Chip and PIN transactions, only the voluntary Banking Code. While this code stated that the burden of proof is on the bank to prove negligence or fraud rather than the cardholder having to prove innocence,[44] there were many reports that banks refused to reimburse victims of fraudulent card use, claiming that their systems could not fail under the circumstances reported, despite several documented successful large-scale attacks.

The Payment Services Regulations 2009 came into force on 1 November 2009[45] and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault.[27] The Financial Services Authority (FSA) said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability.

10.6 Latin America and the Caribbean

MasterCard's liability shift among countries within this region took place on 1 January 2005.[33]
Visa's liability shift for points of sale took place on 1 October 2012, for any countries in this region that had not already implemented a liability shift. For ATMs, the liability shift took place on 1 October 2014, for any countries in this region that had not already implemented a liability shift.[35]

10.6.1 Brazil

MasterCard's liability shift took place on 1 March 2008.[33]
Visa's liability shift for points of sale took place on 1 April 2011. For ATMs, the liability shift took place on 1 October 2012.[35]

10.6.2 Colombia

MasterCard's liability shift took place on 1 October 2008.[33]

10.6.3 Mexico

Discover implemented a liability shift on 1 October 2015. For pay at the pump at gas stations, the liability shift is 1 October 2017.[39]
Visa's liability shift for points of sale took place on 1 April 2011. For ATMs, the liability shift took place on 1 October 2012.[35]

10.6.4 Venezuela

MasterCard's liability shift took place on 1 July 2009.[33]

10.7 Middle East

MasterCard's liability shift among countries within this region took place on 1 January 2006.[33] By 1 October 2010, a liability shift had occurred for all point of sale transactions.[34]
Visa's liability shift for points of sale took place on 1 January 2006. For ATMs, the liability shift took place on 1 January 2008.[35]

10.8 New Zealand

MasterCard required all point of sale terminals to be EMV compliant by 1 July 2011. For ATMs, the liability shift took place in April 2012. ATMs are required to be EMV compliant by the end of 2015.[37]
Visa's liability shift for ATMs was 1 April 2013.[35]

10.9 United States

After widespread identity theft due to weak security in the Point-of-Sale terminals at Target, Home Depot, and other major retailers, Visa, MasterCard and Discover[46] in March 2012 and American Express[47] in June 2012 announced their EMV migration plans for the United States.[48] Since the announcement, multiple banks and card issuers have announced cards with EMV chip-and-signature technology, including American Express, Bank of America, Citibank, Wells Fargo,[49] JPMorgan Chase, U.S. Bank, and several credit unions.[50]

In 2010, a number of companies began issuing pre-paid debit cards that incorporate Chip and PIN and allow Americans to load cash as euros or pound sterling.[51] United Nations Federal Credit Union was the first United States issuer to offer Chip and PIN credit cards.[52] In May 2010, a press release from Gemalto (a global EMV card producer) indicated that United Nations Federal Credit Union in New York would become the first EMV card issuer in the United States, offering an EMV Visa credit card to its customers.[53]

JPMorgan was the first major bank to introduce a card with EMV technology, namely its Palladium card, in mid-2012.[50]

As of October 2015, 40% of U.S. consumers have EMV cards and roughly 25% of merchants are EMV compliant.[54]

American Express implemented its liability shift for point of sale terminals on 1 October 2015.[55] For pay at the pump, at gas stations, the liability shift is 1 October 2017.
Discover implemented its liability shift on 1 October 2015. For pay at the pump, at gas stations, the liability shift is 1 October 2017.[39]
Maestro implemented its liability shift of 19 April 2013, for international cards used in the United States.[56]
MasterCard implemented its liability shift for point of sale terminals on 1 October 2015.[55] For pay at the pump, at gas stations, the liability shift is 1 October 2017. For ATMs, the liability shift date is on 1 October 2016.[57][58]
Visa implemented its liability shift for point of sale terminals on 1 October 2015. For pay at the pump, at gas stations, the liability shift is 1 October 2017.[59] For ATMs, the liability shift date is 1 October 2017.[36]

11 See also

Contactless payment
Supply chain attack
Two-factor authentication

12 References

[1] "EMVCo Members". EMVCo. Retrieved 10 May 2015.
[2] Kitten, Tracy (7 March 2011). "EMV Roots Go Deep in Europe: Global Shifts, New Headaches for U.S. Issuers". BankInfoSecurity. Retrieved 2015-06-07.
[3] "China UnionPay joins EMVCo" (Press release). Finextra Research. 20 May 2013. Retrieved 10 May 2015.
[4] "Discover Joins EMVCo to Help Advance Global EMV Standards". Discover Network News. 3 September 2013. Retrieved 10 May 2015.
[5] "Shift of liability for fraudulent transactions". The UK Cards Association. Retrieved 10 May 2015.
[6] "Understanding the 2015 U.S. Fraud Liability Shifts" (PDF). www.emv-connection.com. EMV Migration Forum. Retrieved 15 November 2015.
[7] "Chip-and-PIN vs. Chip-and-Signature". Card Hub. Retrieved 2016-04-21.
[8] "Chip-and-PIN vs. Chip-and-Signature". CardHub.com. Retrieved 31 July 2012.
[9] "BBC NEWS - Technology - Credit card code to combat fraud". bbc.co.uk.
[10] "... a revolution in authentication". emue.com.
[11] "Visa tests cards with built in PIN machine". IT PRO.
[12] "How EMV (Chip & PIN) Works - Transaction Flow Chart". Creditcall Ltd. Retrieved 10 May 2015.
[13] "PayPass Implementation Guides".
[14] "SPVA Launch Presentation". Secure POS Vendor Alliance. 2009. Archived from the original on 21 January 2016.
[15] "Integrated Circuit Card Specifications for Payment Systems". EMVCo. Retrieved 26 March 2012.
[16] Saar Drimer; Steven J. Murdoch; Ross Anderson. "PIN Entry Device (PED) vulnerabilities". University of Cambridge Computer Laboratory. Retrieved 10 May 2015.
[17] "Petrol firm suspends chip-and-pin". BBC News. 6 May 2006. Retrieved 13 March 2015.
[18] "Organized crime tampers with European card swipe devices". The Register. 10 October 2008.
[19] "Technical Working Groups". Secure POS Vendor Alliance. 2009. Archived from the original on 15 April 2010.
[20] "Is Chip and Pin really secure?". BBC News. 26 February 2008. Retrieved 2 May 2010.
[21] "Chip and pin". 6 February 2007. Archived from the original on 5 July 2007.
[22] John Leyden (27 February 2008). "Paper clip attack skewers Chip and PIN". The Channel. Retrieved 10 May 2015.
[23] Steven J. Murdoch; Saar Drimer; Ross Anderson; Mike Bond. "EMV PIN verification wedge vulnerability". Computer Laboratory, University of Cambridge. Retrieved 2010-02-12.
[24] Susan Watts (11 February 2010). "New flaws in chip and pin system revealed". BBC News. Retrieved May 2015.
[25] "Response from EMVCo to the Cambridge University Report on Chip and PIN vulnerabilities ('Chip and PIN is Broken' February 2010)" (PDF). EMVCo. Retrieved 2010-03-26.
[26] Susan, Watts. "New flaws in chip and pin system revealed (11 February 2010)". Newsnight. BBC. Retrieved 9 December 2015.
[27] Richard Evans (15 October 2009). "Card fraud: banks now have to prove your guilt". The Telegraph. Retrieved 10 May 2015.
[28] Andrea Barisani; Daniele Bianco; Adam Laurie; Zac Franken (2011). "Chip & PIN is definitely broken" (PDF). Aperture Labs. Retrieved 10 May 2015.
[29] Adam Laurie; Zac Franken; Andrea Barisani; Daniele Bianco. "EMV - Chip & Pin CVM Downgrade Attack". Aperture Labs and Inverse Path. Retrieved 10 May 2015.
[30] "US credit cards outdated, less useful abroad, as 'Chip and PIN' cards catch on". creditcards.com.
[31] "Visa Australia". visa-asia.com.
[32] "For Americans, Plastic Buys Less Abroad".
[33] "Chargeback Guide" (PDF). MasterCard Worldwide. 3 November 2010. Retrieved 10 May 2015.
[34] "Operating Regulations" (PDF). Visa International. Archived from the original (PDF) on 3 March 2013.
[35] "The Journey To Dynamic Data" (PDF). Visa.
[36] "Visa Expands U.S. Roadmap for EMV Chip Adoption to Include ATM and a Common Debit Solution" (Press release). Foster City, Calif.: Visa. 4 February 2013. Retrieved 10 May 2015.
[37] "MasterCard Announces Five Year Plan to Change the Face of the Payments Industry in Australia". Mastercard Australia.
[38] "Chip Liability Shift". globalpayments. Archived from the original on 30 July 2013.
[39] "Discover to enforce EMV liability shift by 2015" (Press release). Finextra Research. 12 November 2012. Retrieved 10 May 2015.
[40] "Interac - For Merchants".
[41] https://www.helcim.com/blog/articles/infographic-lessons-from-the-canadian-emv-migration/
[42] "Anti-fraud credit cards on trial". BBC Business News. 2003-04-11. Retrieved 2015-05-27.
[43] The UK Cards Association. "The chip and PIN guide" (PDF). Retrieved 2015-05-27.
[44] "Is chip and PIN safe?". This is Money. 2004-11-03. Retrieved 2015-05-27.
[45] FSA: Payment Services Regulations 2009, in force from 1 November 2009.
[46] "Discover Implements EMV Mandate for U.S., Canada and Mexico". Archived from the original on 10 May 2012.
[47] "American Express Announces U.S. EMV Roadmap to Advance Contact, Contactless and Mobile Payments" (Press release). New York: American Express. 29 June 2012. Retrieved 10 May 2015.
[48] "EMV's Uncertain Fate in the US". Protean Payment. Retrieved 22 September 2012.
[49] Camhi, Jonathan (3 August 2012). "Wells Fargo Introduces New EMV Card for Consumers". Bank Systems & Technology. Retrieved 10 May 2015.
[50] Paul Riegler (25 July 2013). "Chip-and-Pin and Chip-and-Signature Credit Card Primer for 2013". Frequent Business Traveler. Retrieved 10 May 2015.
[51] "Travelex Offers America's First Chip & PIN Enabled Prepaid Foreign Currency Card". Business Wire. 1 December 2010. Retrieved 6 February 2014.
[52] "UNFCU to be first issuer in the US to offer credit cards with a high security chip". United Nations Federal Credit Union.
[53] Ray Wizbowski (13 May 2010). "United Nations Federal Credit Union Selects Gemalto for First U.S. Issued Globally Compliant Payment Card" (Press release). Austin, Texas: Gemalto. Retrieved 10 May 2015.
[54] http://www.usatoday.com/story/money/personalfinance/2015/09/30/chip-credit-card-deadline/73043464/
[55] Cathy Medich (July 2012). "EMV Migration Driven by Payment Brand Milestones". Retrieved 10 May 2015.
[56] David Heun (10 September 2012). "MasterCard Brings EMV Chip-Card Liability Policy to U.S. ATMs". SourceMedia. Retrieved 10 May 2015.
[57] Beth Kitchener (10 September 2012). "MasterCard Extends U.S. EMV Migration Roadmap to ATM Channel" (Press release). Purchase, N.Y.: Mastercard. Retrieved 10 May 2015.
[58] "EMV For U.S. Acquirers: Seven Guiding Principles for EMV Readiness".
[59] "Visa Announces U.S. Participation in Global Point-of-Sale Counterfeit Liability Shift" (PDF) (Press release). Visa. 9 August 2011. Retrieved 10 May 2015.

13 External links

EMVCo, the organization responsible for developing and maintaining the standard
Chip and SPIN, discussion of some security aspects of EMV, from members of the University of Cambridge Security Group
Cryptography of EMV cards, an explanation of EMV card cryptography
EMV Accepted Here, a crowdsourced database tracking EMV adoption by merchants
Please note that Cardnet and Nor

14 Text and image sources, contributors, and licenses

14.1 Text

EMV Source: https://en.wikipedia.org/wiki/EMV?oldid=737841239

14.2 Images

File:ChipAndPin.svg Source: https://upload.wikimedia.org/wikipedia/en/c/c9/ChipAndPin.svg License: Fair use Contributors: The logo is from the http://www.chipandpin.co.uk/ website. Original artist: ?
File:JGC_VISA01s.jpg Source: https://upload.wikimedia.org/wikipedia/commons/6/60/JGC_VISA01s.jpg License: Public domain Contributors: Own work Original artist: 663highland
File:Wikinews-logo.svg Source: https://upload.wikimedia.org/wikipedia/commons/2/24/Wikinews-logo.svg License: CC BY-SA 3.0 Contributors: This is a cropped version of Image:Wikinews-logo-en.png. Original artist: Vectorized by Simon 01:05, 2 August 2006 (UTC). Updated by Time3000 17 April 2007 to use official Wikinews colours and appear correctly on dark backgrounds. Originally uploaded by Simon.

14.3 Content license

Creative Commons Attribution-Share Alike 3.0
