EMV and Chip Card Processing: A Refresher Course

October 1 marked a big anniversary for the U.S. payment landscape. On that date three years ago, liability for fraudulent card-present credit and debit card transactions shifted from card issuers to merchants, unless these merchants have implemented point-of-sale technology that accommodates the EMV (Europay/Mastercard/Visa) standard and, as a result, accepts transactions completed with chip cards.

There’s no question that EMV and the use of chip cards is taking hold in the U.S. Consider statistics from EMVCo, the body that handles point-of-sale (POS) equipment testing, certification, and other processes related to EMV. According to EMVCo, the percentage of U.S. transactions executed using chip cards, rather than traditional magnetic stripe cards, rose from 18.6% for the period spanning January through December 2016 to 41.21% for the period spanning January through December 2017. Of all credit and debit cards issued in the U.S. as of December 2017, 58.5% were chip cards, up from 52.2% as of December 2016 and 26.4% as of December 2015.

Consumers have come to favor chip cards because of the added security they provide. So, too, have merchants that want to avoid liability for fraudulent transactions by accepting chip cards. However, we can’t be too clear about chip cards, how they are processed, and how they differ from magnetic stripe cards. So here, we present a refresher course.

The ‘What’: Chip cards are cards into which a microprocessor chip has been embedded. They come in three “flavors”: contact, contactless, and dual-interface. Contact chip cards communicate with a card reader over a contact “plate” that must touch the terminal in order to be processed. Contact between the card and the plate is usually made by inserting the card into a slot in the terminal (or ATM). Contactless cards have an antenna and communicate with the card reader via radio-frequency (RF) technology. Dual-interface cards incorporate contact and contactless technologies. They communicate with the card by touching its plate or in RF mode.

The ‘How”: Chip card processing involves multiple steps. After the transaction is initiated by the POS terminal, contact between the card and the card reader is established in contact or contactless mode depending on the type of card (contact, contactless, or dual-interface). Next, the card application is selected; it’s important to note that chip cards can run multiple applications—for example, local debit and Visa credit. The terminal reads the data from the application, and the data is authenticated to ensure that the card is not counterfeit. The transaction and the chip are confirmed, and cardholder verification is done using a PIN, a signature, or cardholder verification method (CVM). Once the fact that the cardholder possesses sufficient open credit or checking account funds to cover the transaction has been verified, the terminal requests approval and approval occurs either online or offline. An online authorization request and authorization are completed, and the transaction is finalized.

The ‘Why’ (More Details About Chip Card Processing): The way in which chip card transactions are processed enables them to prevent card fraud in a way that is completely impossible with traditional magnetic stripe cards. One reason this is so is the chip itself. The chip is designed to securely store cardholder data and carries security credentials that have been encoded into it by the issuer with user-specific “keys.” Encoding the credentials this way makes it difficult, if not impossible, for fraudsters to create counterfeit cards.

Then, there are the enhanced, highly secure validation and card authentication processes.  Validation can happen online, with the issuer using a dynamic cryptogram, or offline, with the terminal using static data authentication (SDA), dynamic data authentication (DDA) or combined DDA with application cryptogram generation (CDA). Every EMV transaction generates unique transaction data, meaning that it’s impossible for anyone to utilize captured data to complete fraudulent transactions.

Meanwhile, card authentication occurs online through cryptographic processing (validating the integrity of the card number and certain static and dynamic, i.e. live, data used in the transaction) or offline. Dynamic data is unique to each transaction and, as a result, cannot be used more than once even in the event that it is stolen. Why? Because any attempt at data theft causes the transaction to be declined.

Want to know more about what E-Complish can do to help you navigate the ins and outs of EMV and reap the benefits of chip card acceptance? Contact us here.