April 17, 2015

EMV: What It Is and What It’s Not

EMV: What It Is and What It’s Not

EMV: What It Is and What It’s Not

U.S. EMV is coming. Are you prepared? In the simplest terms, EMV is a special chip embedded on a credit or debit card that helps to prevent card-present fraud. The EMV chip prevents counterfeiting, skimming, and the use of lost or stolen credit or debit cards. The specification for EMV chips was first created in 1994 by the credit card brands Europay, MasterCard, and Visa (EMV) and is now owned by American Express, JCB, MasterCard, UnionPay, and Visa. For more than two decades, EMV chip cards have been in use in every major market in the world – except the U.S.

What It Is:
More specifically, EMV defines how a payment terminal interacts with a chip card. The EMV chip, which is similar to a cell phone SIM card, is embedded on a credit card. When properly implemented, the EMV card will authenticate each transaction, preventing card-present fraud. In the U.S., each credit card brand has developed its own chip-functionality specifications and theoretically, for the convenience of both consumers and merchants, U.S. EMV chip cards will retain a magnetic stripe for a few years until EMV adoption is 100%. But note, even in areas where EMV has been implemented for years, not a single EMV-compliant country has reached 100% adoption.

While most global markets have required that EMV cards be issued with PINs (known as chip and PIN), the U.S. market is unregulated and the credit card issuers may adopt signature verification at the point of sale, known as chip and signature, instead of a PIN. This has benefits in terms of not requiring consumers to memorize another PIN and not requiring PIN devices at restaurants, but it also has major drawbacks, namely that a PIN is a much more secure verification of a cardholder than a signature.

However, the largest benefit of EMV is in its ability to allow an EMV-capable device to write a security code to an EMV chip whenever a transaction is completed. This technology allows for any unusual activity in the card’s card-present transaction history to disable the card, which will prevent fraudulent card-present transactions from taking place. Another benefit is that because EMV chips are used worldwide, issuing EMV chip cards in the U.S. will allow for improved global credit card acceptance.

What It’s Not:
EMV is not a cure-all for security – Merchants will still need to foster daily security practices and implement layered security with technologies like our True P2PE™ and TrueTokenization® solutions to protect their environment from fraud and breaches.

EMV is not a new technology – EMV has been in use for more than 20 years and as of the end of 2013, according to EMVCo, more than 2 billion EMV cards were already in use worldwide prior to the start of U.S. EMV migration.

EMV is not a foolproof solution for preventing fraud – Has credit card fraud disappeared from those countries? Actually, no. Card-present fraud has been greatly reduced, but because EMV is not universally accepted and does not secure card-not-present fraud, EMV is no silver bullet for preventing fraud. In countries where EMV has been implemented, the frequency of card-not-present fraud has risen.

EMV is not a complete replacement for the magnetic stripe – Payments industry experts predict that the EMV migration in the U.S. won’t be completed until 2020. Even in areas where EMV has been implemented since 1994, there is still not 100% market saturation. This means that there are still many places where non-EMV cards are accepted.

EMV is not a method for preventing breaches – EMV is specifically a tool to help prevent card-present fraud. Most EMV-capable payment devices still output clear text data, which means that your environment is just as susceptible to breaches after implementing EMV – unless technologies like True P2PE and TrueTokenization are in use.

EMV is not a mandate – There is not a requirement that merchants become EMV compliant. Unlike the PCI DSS and PA-DSS, which are PCI requirements for merchants who want to accept credit and debit cards, the EMV specification is a capability for card acceptance recommended by the card brands. This recommendation involves a shift in liability that will make the “weak link in the EMV capability chain” liable for any fraudulent transactions that are not processed according to the EMV specification, meaning that instead of the banks being liable for instances of fraud, it may shift to the bank, processor, or merchant, if those organizations do not have EMV in place.

Shift4 Provides Security Beyond Compliance®
Shift4 supports EMV. And, combined with our True P2PE and TrueTokenization solutions, our merchant customers never store, process, or transmit payment card data from any entry point into their environment, reducing PCI scope and leaving nothing for hackers to steal. They Can’t Steal What You Don’t Have®.

Connect With Shift4

Check back for regular updates as we continue to prepare our merchant customers and business partners for the migration to U.S. EMV. And, if you have any questions, contact Shift4 today.