How EMV (Chip) Credit Cards Work – Technology & Security

1475223554-6928-chip-emv-credit-card-918x516

Do you use credit cards regularly? Perhaps you have a favorite cash back rewards credit card that offers a small but meaningful return on every dollar you spend. Or maybe you use a travel rewards credit card to earn points or miles that can be redeemed for free or reduced-cost flights, hotel stays, or car rentals.

Whether you’re a habitual credit card user whose wallet is stuffed with plastic, or a judicious spender who keeps a single, lonely square on hand for emergencies only, you’ve probably received correspondence from your issuers about the switch to EMV (chip) technology. You’ve probably received new cards in the mail too, complete with little circuit-like chips on the front face.

The new cards still have magnetic stripes (magstripes), just like the stripe-only versions they replaced, so they can be used at old-fashioned card readers that don’t support chip cards. But the cards’ issuers, as well as the credit card networks that facilitate billions of credit card transactions per day, believe that chip cards represent the future of plastic payment technology.

What was wrong with the old, magstripe-only credit cards? In a nutshell, they (and their issuers) were outmatched by cybercriminals whose increasingly sophisticated and brazen hacking techniques allowed them to steal credit card numbers with impunity, resulting in ever larger, ever more devastating data breaches that affected millions of consumers at a time. These breaches caused serious, lasting reputation problems for huge, respectable retailers like Target and Home Depot, not to mention untold mental pain for the regular Joes and Janes caught up in the turmoil.

The frequency of credit card fraud is staggering too. According to Pymnts.com, the United States is arguably the credit card fraud epidemic’s global epicenter. Despite accounting for just 21.4% of all credit card payments, the U.S. sees nearly 50% of global credit card theft losses. U.S. credit card fraud rates have actually increased in recent years as issuers in other countries switched to more secure EMV cards.

Cybersecurity is an arms race, and the incentives to steal financial information are as powerful as they are undeniable. Therefore, EMV technology won’t completely eliminate credit card theft or large-scale data breaches. Still, it’s likely to help somewhat. And there are some other important reasons for merchants and consumers to adopt EMV technology, from global acceptance, to greater flexibility in low-connectivity environments.

This is what you need to know about EMV (chip) credit card technology’s functionality, history, benefits, and special use cases.

EMV Credit Card Technology – How It Works and How to Use It

EMV stands for “Europay, MasterCard, and Visa.” The technology is named for the three credit card networks that originally developed the protocol. The modern version of EMV is now a global industry standard used by most major credit card issuers and networks, including (importantly for U.S. consumers) American Express. The EMV standard is backed and controlled by EMVCo, an equitable consortium consisting of Discover, American Express, MasterCard, Visa, JCB, and China UnionPay.

According to CreditCards.com, other common names for EMV credit cards include:

  • Chip cards
  • Smart cards
  • Smart chip cards
  • Chip-enabled smart cards
  • Chip-and-PIN cards
  • Chip-and-signature cards
  • Chip-and-choice cards
  • EMV smart cards

Whatever it’s called, here’s how EMV technology works.

1475223554-1952-dipping-credit-card

How EMV Technology Works

Traditional magstripe credit cards are encoded with static payment information. When a magstripe card is stolen, the thief can immediately use it to make unauthorized transactions, then discard it with little risk of detection. The same principle applies to card information stolen by credit card skimmers or computer hacks that unlock massive troves of credit card numbers. Thieves can use these valuable bits of data themselves or reap tidy sums by selling them in bulk to other bad actors, including credit card counterfeiters.

EMV cards contain a computer chip that functions as a miniature processor and transmitter. Unlike traditional magstripe credit cards, the information contained on these chips is dynamic. Each new transaction produces a new, unique transaction code (also known as a “token”) using the principles of cryptography – similar to the complex mathematical architecture behind cryptocurrencies. No two transaction codes are ever repeated, so each code becomes useless following the completion of the transaction it represents. Were a sophisticated thief to steal a particular code from a particular point of sale, the code would have no value at any point in the future, with or without the card that created it.

EMV credit card information can be stored in mobile wallets, such as Apple Pay and Android Pay, and used to make mobile contactless payments. Even though the physical chip is not read as part of the mobile payment process, the stored card nevertheless creates the same unique, secure transaction code for every new transaction.

Offline Payment Processing Capabilities
One of the key differences between EMV and magstripe cards is the timing and nature of the authorization process. Magstripe authorization occurs individually and on the spot, meaning it requires a live telephone or Internet connection at the point of sale.

EMV authorization is more flexible. When an EMV card is inserted into a chip reader, the card essentially tells the reader that it is authentic, and the transaction is processed without any data exchange. Processed transactions are stored up until the end of the business day, at which point the merchant connects to the Internet and authorizes the transactions in a single daily batch. Merchants who operate in remote or low-connectivity areas, such as at rural music festivals, value the flexibility afforded by offline payment processing capabilities.

EMV Credit Card Payment Procedures

For consumers, the experience of paying with an EMV card is noticeably different than the experience of paying with a traditional magstripe card. Instead of quickly swiping your card through the reader, you insert (or “dip”) the chip side of your card into the reader’s narrow end and leave it there for the duration of the authorization process. If your chip card has NFC technology that enables contactless payments, you can simply hold it close to the reader until the authorization process completes.

Nearly half of all EMV cards issued worldwide have contactless (or dual-interface) capabilities. However, dual-interface cards remain rare in the United States.

Chip-and-PIN vs. Chip-and-Choice
Some EMV systems require you to enter a four-digit PIN during authorization, as you would if paying with a debit card. The chip-and-PIN system is especially common overseas. In the United States, it’s more common to sign the POS screen or a printed receipt, as you would in a traditional magstripe transaction. This is known as chip-and-signature.

U.S. issuers are likely to phase in the chip-and-PIN system over a period of several years, with the ultimate goal of putting a chip-and-PIN card in every wallet at some point in the moderately distant future. During the extended transition, credit card readers will be “chip-and-choice,” meaning they’ll accept both chip-and-PIN and chip-and-signature transactions.

Transaction Time
Because EMV payments require constant contact or proximity between the chip and the card reader for the duration of the authorization process, they can feel quite drawn out. However, according to Stephanie Ericksen, a Visa executive who provided background for a New York Times article on EMV cards, EMV technology isn’t actually any slower than old-school stripe technology. It just seems slower because the card must stay in the reader until the authorization process is complete. By contrast, swiping a traditional credit card takes only a moment, and you’re then able to put your card away before the authorization process actually completes.

According to the Times, Visa’s new software fix, QuickChip, allows consumers to remove cards shortly after inserting them, with the transaction completing as they put their cards away and start wrapping up their purchases. It’s not clear when or how widely QuickChip will be adopted, but it’s likely to help address the perception that EMV payments are slow.

1475223554-6637-holding-chip-card

History of EMV Credit Cards

Many Americans are surprised to learn that chip card technology was developed in the 1980s and has been used on commercial scales for years.

Early History and the Creation of the EMV Standard

The technical groundwork for chip cards was laid in the early 1980s, as the semiconductor revolution gathered speed. The first commercially available chip cards debuted in France in 1986, and various banks rolled out their own versions throughout the late 1980s. Worried about worsening credit card fraud in Europe, the European Council for Payment Systems encouraged banks and consumers to adopt chip cards.

By 1992, most French card readers had chip-reading capabilities, and chip cards were widespread and quite familiar to French consumers. However, there was no industry-wide standard for their use. That created compatibility and acceptance issues, especially for foreign consumers whose home banks used different chip standards (or no chips at all).

In 1993 and 1994, Europay (a major European card network at the time) joined forces with Visa and MasterCard to create what was hoped would be a global chip card standard. Philip E. Andreae, then a Europay executive, told BankInfo Security that the EMV project had three main goals:

  1. Fraud Mitigation: The consortium members sought significant security improvements over traditional magstripe cards. At that time, magstripe technology drove a worsening epidemic of credit card fraud in Europe. This is because stolen cards could immediately be used in fraudulent transactions, and magnetic stripes could easily be copied by inexpensive credit card skimmers. They settled on a chip-based dynamic authorization system, which rendered stolen cards useless and which could not be copied or mimicked under realistic circumstances.
  2. Offline Authorization: At the time, telecommunications costs were quite high in continental Europe, and reliable Internet connections that could facilitate cheap, near-instantaneous authorization were still a few years off. According to Andreae, merchants would pay $0.30 or $0.40 per authorization to call the cardholder’s bank and confirm the card’s authenticity. To control this expense, they wouldn’t authorize every single transaction – by the mid-1990s, the French authorization rate had risen to about 40%, compared to 99% or higher in North America. European merchants sought a system that allowed them to pre-authorize without making a phone call or connecting to the Internet.
  3. Stronger Verification: The consortium members agreed that signatures were not sufficiently effective for cardholder verification, especially given the growing volume of cross-border transactions in an ever more connected Europe. They settled on a PIN system, which added a layer of verification that (at least in theory) only cardholders themselves could provide, and which could not be forged like signatures.

Within a few years, the EMV chip-and-PIN method had become the de facto credit card payment regime in France. Over time, it spread throughout Europe, reducing fraud and improving outcomes for merchants and consumers alike. European payment terminals remained backwardly compatible, with stripe readers available for consumers wielding old-fashioned magstripe cards.

U.S. Adoption

Like the metric system, EMV long seemed to be an effective global standard that the United States had no interest in adopting. That finally changed in the early 2010s, when the rising cost of magstripe breaches spurred issuers and card networks to action.

The major U.S. card issuers and networks, including American Express, Visa, MasterCard, and Discover, set October 1, 2015, as the initial deadline for chip card adoption in the United States. Though magnetic stripe credit cards continued to work after that date, merchants were strongly encouraged to be set up with chip readers by then.

They had a financial incentive to do so as well: October 1, 2015, was the date of the dreaded “liability shift” for merchants, when liability for fraudulent in-person transactions devolved from card issuers to the individual merchants that initiated those transactions. Since EMV payments are so much more secure than magstripe payments, the case for making the switch was self-evident. The liability shift hit MasterCard-accepting ATMs in October 2016 and will hit Visa-accepting ATMs a year later. Automated fuel dispensers must switch by 2017 to avoid liability.

According to The Washington Post, the total cost of the EMV transition could exceed $8 billion, thanks in large part to the high cost of manufacturing secure chip cards. Larger issuers had the resources to issue EMV cards early, in some cases well in advance of the October 1, 2015, deadline. Smaller banks and credit unions took longer.

For the foreseeable future, U.S. card readers will be backwardly compatible. Even if your bank takes years to issue chip cards, you’ll still be able to use chip-less cards at your favorite merchants. By the same token, when you try to swipe a chip card in a backwardly compatible reader, you’ll be prompted to insert it instead.

1475223555-2600-chip-credit-card-closeup

Benefits of EMV Credit Cards

Given the scale of the transition from magstripe to EMV in the United States, it’s worth taking a closer look at some of the key benefits of EMV credit cards – lest you wonder why you should bother using the new versions at all.

1. No Phone or Internet Connection Required

No phone or Internet connection is required to authorize EMV credit card transactions. Though a reliable connection is required to actually process the payment, cards can be authorized at the point of sale and processed in batches at the end of the business day, or whenever is convenient for the merchant.

This benefit was originally designed to circumvent high telecommunications costs, but it’s now useful in unconnected or low-connectivity environments such as outdoor markets, festivals, and populated areas with poor communications infrastructure. From the consumer’s perspective, it’s nice not to have to wait for transactions to process over sluggish Internet connections with no guarantee that they’ll eventually go through.

2. The Technology Is Not Necessarily Exclusive

New credit card readers are backwardly compatible, meaning they can read chips and magstripes with equal ease. This is likely to be the case for the foreseeable future, so consumers whose banks drag their feet on adopting EMV don’t have to worry about waking up one day to find their cards useless.

3. Chip Transactions Are More Secure

It’s hard to believe that the U.S. was once regarded as the developed world’s most secure credit card market. As other nations adopted EMV technology, that narrative flipped, and the U.S. has lately been the global laggard in credit card security. EMV adoption is almost certain to reduce U.S. credit card fraud, at least in the short and medium terms – though, in the eternal struggle between fraudsters and the security community, it’s never wise to bet against fraudsters for very long.

4. Chip Cards Are Accepted All Over the World

Prior to 2014 or so, most Americans had little day-to-day contact with chip cards. They only saw chip cards when they went overseas. By the early to mid-2010s, many overseas merchants were only reluctantly – or not at all – accepting stripe card transactions, restricting Americans’ ability to pay with their regular credit cards. Travelers would carry more cash to compensate, heightening the risk and consequences of theft while abroad.

The vast majority of overseas merchants accept U.S.-issued EMV cards. According to CreditCards.com, Visa claims that approximately 97% of “U.S. Visa card transactions conducted overseas” were accepted. If you’re carrying a chip card overseas, especially in well-traveled, well-developed markets such as the Eurozone or Australia, you’re unlikely to have too many payment issues.

Special Considerations for Card Not Present (CNP) Transactions

The biggest chink in EMV cards’ security armor involves card not present (CNP) transactions. Card not present transactions occur when the payment card is not physically in the presence of the merchant. Common examples include online and over-the-phone transactions, where the user types the card number into a digital field or speaks the number to a human clerk or automated payment system.

In card not present transactions, EMV chips are not read, so there’s no way to incontrovertibly confirm that cards are authentic and in the right hands. However, merchants can take steps to reduce the risk of fraud, beyond using SSL certificates to protect the transmission of sensitive data over the Internet.

Three CNP fraud mitigation protocols are worth calling out:

  1. Password-Protected Verification Software: Major card networks, including American Express and Visa, have begun to adopt password-based verification software that requires users to enter unique passwords at each transaction. This system’s effect is similar to that of the chip-and-PIN approach, which is the default standard for in-person transactions in Europe and some other markets. Examples of password-based verification software include American Express SafeKey and Verified by Visa. Merchants and cardholders are strongly encouraged to adopt these measures, though there’s something of a chicken-and-egg problem at play, as a critical mass of cardholders is necessary for merchants to find the measures worthwhile, and vice versa.
  2. Card Verification Value (CVV): The card verification value, or CVV, is the three- or four-digit code on every credit card issued in the U.S. Because CVVs are not encoded in cards’ chips, they remain secret to those without the cards in their actual possession. Requiring buyers to enter their CVV codes is the fastest way for merchants to ensure that they actually have the cards they’re using.
  3. Address Verification Service (AVS): AVS verifies addresses entered by CNP buyers against actual billing addresses on file with card issuers. When addresses fail to match up identically, red flags are raised, and the transactions may be declined as a result.

Online merchants with the resources to implement all three of these fraud mitigation protocols are strongly encouraged to do so. Smaller vendors operating on platforms such as eBay and Etsy typically don’t have to handle all the technical work of implementing these protocols on their own. Those things are taken care of by the platforms themselves, which naturally have an interest in ensuring secure, seamless credit card transactions.

1475223554-4229-padlock-key-credit-card

Final Word

According to The New York Times, mobile wallet and phone-based contactless payment adoption remains thin. In 2015, just 0.2% of all U.S. in-person transactions involved a smartphone. The vast majority went down the traditional way – with a quick swipe of a magstripe credit card.

In the coming years, we know that those swipes will become less and less frequent. They’ll be replaced by the less satisfying click of credit cards being inserted into the narrow end of a reader.

What’s not as clear is whether those clicks have a sell-by date too. As the power of smartphones grows and mobile wallet technology improves further, it’s entirely possible that, one way, mobile contactless payments will be the default payment option for in-person transactions.

Do you use EMV credit cards? Do your favorite merchants accept them?

NO COMMENTS

LEAVE A REPLY