and for payment terminals and automated teller machines that can accept them. EMV cards are smart cards (also called chip cards or IC cards) that store their data on integrated circuits in addition to magnetic stripes (for backward compatibility). These include cards that must be physically inserted (or dipped) into a reader and contactless cards that can be read over a short distance using radio-frequency identification (RFID) technology. Payment cards that comply with the EMV standard are often called Chip and PIN or Chip and Signature cards, depending on the authentication methods employed by the card issuer.
1 History
Until the introduction of Chip & PIN, all face-to-face credit or debit card transactions used a magnetic stripe or mechanical imprint to read and record account data, and a signature for verification. Under that system, the customer hands their card to the clerk at the point of sale, who either swipes the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the system verifies account details and prints a slip for the customer to sign. In the case of a mechanical imprint, the transaction details are filled in and the customer signs the imprinted slip. In either case, the clerk verifies that the customer's signature matches that on the back of the card to authenticate the transaction.
As of 2015, chip and signature cards are more common in the USA, Mexico, the Philippines and some European countries (such as Germany and Austria), whereas Chip and PIN cards are more common in other European countries (e.g., the UK, Ireland, France, Finland and the Netherlands) as well as in Canada, Australia and New Zealand.[8]
While EMV technology has helped reduce crime at the point of sale, fraudulent transactions have shifted to more vulnerable telephone, Internet, and mail order transactions known in the industry as card-not-present or CNP transactions. As of May 2009 CNP transactions made up at least 50% of all credit card fraud.[9] Because of physical distance, it is not possible for the merchant to present a keypad to the customer in these cases, so alternatives have been devised, including:

Software approaches for online transactions that involve interaction with the card-issuing bank or network's web site, such as Verified by Visa and MasterCard SecureCode (implementations of Visa's 3D Secure protocol).
Keypad and screen integrated into the card to produce a one-time password. Since 2008, Visa has been running pilot projects using the Emue card,[10] where the generated number replaces the code printed on the back of standard cards.[11]

Commands

verify (7816-4).

Commands followed by 7816-4 are defined in ISO/IEC 7816-4 and are interindustry commands used for many chip card applications such as GSM SIM cards.

6 Transaction flow

An EMV transaction has the following steps:[12]

Application selection
Processing restrictions
Cardholder verification

Application selection

The EMV standard devotes 15 pages to describing the application selection process.

An application identifier (AID) is used to address an application in the card. An AID consists of a registered application provider identifier (RID) of five bytes, which is issued by the ISO/IEC 7816-5 registration authority. This is followed by a proprietary application identifier extension (PIX), which enables the application provider to differentiate among the different applications offered. The AID is printed on all EMV cardholder receipts.

List of applications:

6.5 Offline data authentication

Offline data authentication is a cryptographic check to validate the card using public-key cryptography. There are three different processes that can be undertaken depending on the card:

Dynamic data authentication (DDA) provides protection against modification of data and cloning.
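As an added example (not code from the Wikipedia article or from EMVCo), the following Python splits an AID into the five-byte RID and the PIX described under application selection above, builds the ISO/IEC 7816-4 SELECT command a terminal sends to select that application, and filters a card's applications against the terminal's supported list. The 16-byte AID limit, the SELECT header bytes and the partial-selection rule are assumptions beyond the page text; every AID value is a constructed sample, not a registered identifier.

```python
"""Added example: decompose an EMV AID into RID + PIX and build the SELECT C-APDU.

Assumptions (not stated on the page): ISO/IEC 7816-5 caps an AID at 16 bytes, and an
EMV terminal selects an application with SELECT CLA=00 INS=A4 P1=04 (by DF name) P2=00.
All AID values below are constructed samples, not registered identifiers.
"""

RID_LEN = 5       # registered application provider identifier is always 5 bytes
AID_MAX_LEN = 16  # total AID length limit from ISO/IEC 7816-5 (assumption)


def parse_aid(aid_hex: str) -> dict:
    """Return {'rid': ..., 'pix': ...} as upper-case hex, rejecting malformed input."""
    try:
        aid = bytes.fromhex(aid_hex)
    except ValueError as exc:
        raise ValueError(f"AID is not valid hex: {aid_hex!r}") from exc
    if not RID_LEN <= len(aid) <= AID_MAX_LEN:
        raise ValueError(f"AID length {len(aid)} outside {RID_LEN}..{AID_MAX_LEN} bytes")
    return {"rid": aid[:RID_LEN].hex().upper(), "pix": aid[RID_LEN:].hex().upper()}


def select_apdu(aid_hex: str) -> bytes:
    """Build the SELECT-by-name command: CLA INS P1 P2 Lc <AID> Le."""
    parse_aid(aid_hex)  # validate length and hex before anything reaches a reader
    aid = bytes.fromhex(aid_hex)
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def candidate_list(card_aids, terminal_aids):
    """Applications the terminal may select: a card AID equal to, or extending (partial
    selection: same RID, terminal-known PIX prefix), one of the terminal's AIDs."""
    supported = [bytes.fromhex(t) for t in terminal_aids if parse_aid(t)]
    return [parse_aid(c) for c in card_aids
            if any(bytes.fromhex(c).startswith(t) for t in supported)]


if __name__ == "__main__":
    # constructed sample values
    print(parse_aid("A0000000991010"))
    print(select_apdu("A0000000991010").hex().upper())
    print(candidate_list(["A0000000991010", "A0000000992020", "A0000000881010"],
                         ["A0000000991010", "A000000099"]))
```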
Processing restrictions

The results of previous processing steps are used to determine whether a transaction should be approved offline, sent online for authorization, or declined offline. This is done using a combination of Terminal action codes (TACs) held in the terminal and Issuer action codes (IACs) read from the card.

Application Authentication Cryptogram (AAC): Offline decline.

This step gives the card the opportunity to accept the terminal's action analysis or to decline a transaction or force a transaction on-line. The card cannot return a TC when an ARQC has been asked for, but can return an ARQC when a TC has been asked for.
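The TAC/IAC combination and the card's allowed answers described above, as an added example that is not from the article or from EMVCo: it applies a Terminal Verification Results bitmap to the Denial, Online and Default action-code pairs (the three TAC/IAC pairs EMV defines, an assumption beyond what the text states) and then enforces the rule that a card may make the requested cryptogram stricter but never return a TC when an ARQC was asked for. The TVR and mask values are constructed samples.

```python
"""Added example: terminal action analysis and the card's permitted responses.

Assumes (beyond the page text) the three TAC/IAC pairs of EMV Book 3, Denial, Online and
Default, each a 5-byte mask applied to the 5-byte Terminal Verification Results (TVR).
All masks and TVR values below are constructed samples.
"""

TC, ARQC, AAC = "TC", "ARQC", "AAC"  # offline approve, ask issuer online, offline decline
_RANK = {TC: 0, ARQC: 1, AAC: 2}      # higher rank = stricter outcome


def action_codes(denial: bytes, online: bytes, default: bytes) -> dict:
    """Group one party's three masks (the terminal's TACs or the card's IACs)."""
    for m in (denial, online, default):
        if len(m) != 5:
            raise ValueError("action code masks must be 5 bytes, like the TVR")
    return {"denial": denial, "online": online, "default": default}


def _matches(tvr: bytes, tac: dict, iac: dict, kind: str) -> bool:
    """True if any TVR bit that is set is also set in the TAC or the IAC of this kind."""
    return any(t & (a | b) for t, a, b in zip(tvr, tac[kind], iac[kind]))


def terminal_action_analysis(tvr: bytes, tac: dict, iac: dict, online_capable: bool = True) -> str:
    """Return the cryptogram type the terminal requests from the card."""
    if len(tvr) != 5:
        raise ValueError("TVR must be 5 bytes")
    if _matches(tvr, tac, iac, "denial"):
        return AAC                                   # either party forbids this outright
    if online_capable:
        return ARQC if _matches(tvr, tac, iac, "online") else TC
    # terminal cannot reach the issuer: the Default codes decide approve vs. decline
    return AAC if _matches(tvr, tac, iac, "default") else TC


def card_may_return(requested: str, card_decision: str) -> bool:
    """The card may accept the request or make it stricter (TC -> ARQC or AAC,
    ARQC -> AAC); it may never answer a TC to an ARQC request."""
    return _RANK[card_decision] >= _RANK[requested]


if __name__ == "__main__":
    # constructed sample: TVR byte 1 bit 7 set (SDA failed); the issuer wants that online
    tvr, zero = bytes([0x40, 0, 0, 0, 0]), bytes(5)
    tac = action_codes(zero, zero, zero)
    iac = action_codes(zero, bytes([0x40, 0, 0, 0, 0]), bytes([0x40, 0, 0, 0, 0]))
    print(terminal_action_analysis(tvr, tac, iac))                        # ARQC
    print(terminal_action_analysis(tvr, tac, iac, online_capable=False))  # AAC
    print(card_may_return(ARQC, TC))                                      # False
```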
9 Vulnerabilities
Conversation capturing is the form of attack that was reported to have taken place against Shell terminals in May 2006, when they were forced to disable all EMV authentication in their filling stations after more than £1 million was stolen from customers.[17]

In October 2008 it was reported that hundreds of EMV card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been expertly tampered with in China during or shortly after manufacture. For 9 months details and PINs of credit and debit cards were sent over mobile phone networks to criminals in Lahore, Pakistan. United States National Counterintelligence Executive Joel Brenner said, "Previously only a nation state's intelligence agency would have been capable of pulling off this type of operation. It's scary." Data were typically used a couple of months after the card transactions to make it harder for investigators to pin down the vulnerability. After the fraud was discovered it was found that tampered-with terminals could be identified as the additional circuitry increased their weight by about 100 g. Tens of millions of pounds sterling are believed to have been stolen.[18] This vulnerability spurred efforts to
9.1.2 Demonstration of PIN harvesting and stripe cloning

Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated in a February 2008 BBC Newsnight programme one example attack, to illustrate that Chip and PIN is not secure enough to justify passing the liability to prove fraud from the banks onto customers.[20][21] The Cambridge University exploit allowed the experimenters to obtain both card data to create a magnetic stripe and the PIN.

APACS, the UK payments association, disagreed with the majority of the report, saying "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out."[22] They also said that changes to the protocol (specifying different card verification values between the chip and magnetic stripe, the iCVV) would make this attack ineffective from January 2008. The fraud reported in October 2008 to have operated for 9 months (see above) was probably in operation at the time, but was not discovered for many months.

When approached for comment, several banks (Co-operative Bank, Barclays and HSBC) each said that this was an industry-wide issue, and referred the Newsnight team to the banking trade association for further comment.[26] According to Phil Jones of the Consumers Association, Chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained. "What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."

In August 2016, NCR (payment technology company) computer security researchers showed how credit card thieves can rewrite the code of a magnetic strip to make it appear like a chipless card, which allows for counterfeiting.

9.2 2010: Hidden hardware disables PIN

said, "The expertise that is required is not high (undergraduate level electronics) ... We dispute the assertion by the banking industry that criminals are not sophisticated enough, because they have already demonstrated a far higher level of skill than is necessary for this attack in their miniaturized PIN entry device skimmers." It is not known if this vulnerability has been exploited.

EMVCo disagreed and published a response saying that, while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully, that current compensating controls are likely to detect or limit the fraud, and that the possible financial gain from the attack is minimal while the risk of a declined transaction or exposure of the fraudster is significant.[25]

Because submission of the PIN is suppressed, this is the exact equivalent of a merchant performing a PIN bypass transaction. Such transactions can't succeed offline, as a card never generates an offline authorisation without a successful PIN entry. As a result of this, the transaction ARQC must be submitted online to the issuer, who knows that the ARQC was generated without a successful PIN submission (since this information is included in the encrypted ARQC) and hence would be likely to decline the transaction if it were for a high value, out of character, or otherwise outside of the typical risk management parameters set by the issuer.

9.3

is signed.[28]

The PIN harvesting can be performed with a chip skimmer. In essence, a CVM list that has been modified to downgrade the CVM to Offline PIN is still honoured by POS terminals, despite its signature being invalid.[29]

10 Implementation

10.1 Africa

South Africa

Asian/Pacific countries

Australia

China

will be 1 October 2017.[36] Domestic ATM transactions in China are not currently subject to a liability shift deadline.

Canada

MasterCard implemented domestic transaction liability shift on 31 March 2011, and international liability shift on 15 April 2011. For pay at the pump at gas stations, the liability shift was implemented 31 December 2012.[38]
Visa implemented domestic transaction liability shift on 31 March 2011, and international liability shift on 31 October 2010. For pay at the pump at gas stations, the liability shift was implemented 31 December 2012.[38]

Over a 5-year period post EMV migration, domestic card-present fraudulent transactions significantly reduced in Canada. According to Helcim's reports, card-present domestic debit card fraud reduced 89.49% and credit card fraud 68.37%.[41]

10.5 Europe

MasterCard's liability shift took place on 1 January 2005.[33]
Visa's liability shift for points of sale took place on 1 January 2006. For ATMs, the liability shift took place on 1 January 2008.[35]

France has cut card fraud by more than 80% since its introduction in 1992 (see Carte Bleue).

10.5.1 United Kingdom

lent use of their Chip and PIN transactions, only the voluntary Banking Code. While this code stated that the burden of proof is on the bank to prove negligence or fraud rather than the cardholder having to prove innocence,[44] there were many reports that banks refused to reimburse victims of fraudulent card use, claiming that their systems could not fail under the circumstances reported, despite several documented successful large-scale attacks.

The Payment Services Regulations 2009 came into force on 1 November 2009[45] and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault.[27] The Financial Services Authority (FSA) said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability.

Middle East

New Zealand

10.9 United States

11 See also

Contactless payment
12 References

[1] "EMVCo Members". EMVCo. Retrieved 10 May 2015.
[2] Kitten, Tracy (7 March 2011). "EMV Roots Go Deep in Europe: Global Shifts, New Headaches for U.S. Issuers". BankInfoSecurity. Retrieved 7 June 2015.
[14] "SPVA Launch Presentation". Secure POS Vendor Alliance. 2009. Archived from the original on 21 January 2016.
[15] "Integrated Circuit Card Specifications for Payment Systems". EMVCo. Retrieved 26 March 2012.
13 External links

EMVCo, the organization responsible for developing and maintaining the standard
Chip and SPIN, discussion of some security aspects of EMV, from members of the University of Cambridge Security Group
Cryptography of EMV cards, an explanation of EMV card cryptography
EMV Accepted Here, a crowdsourced database tracking EMV adoption by merchants
Please note that Cardnet and Nor
EMV Source: https://en.wikipedia.org/wiki/EMV?oldid=737841239