EMV White Paper
EMV: Global Framework for Smart
Card Payments
Europay, MasterCard, and
Visa cooperated to
establish the EMV
specifications, which
provide a flexible
framework to support the
growth of smart card-based
payment applications
C o n t e n t s
3 EMV specifications open the door for smart cards in payment 4 The evolution of smart cards
6 The ABC’s of EMV
9 Sweeping changes required to leverage full benefits
10 EMV-certified terminals and other solutions designed for a demanding environment 12 Making smart choices about the future
O v e r v i e w
EMV specifications open the door for smart cards in
payment
Since their introduction more than a decade ago, smart cards have been seen as the heir apparent to magnetic-stripe cards used for credit and debit applications. These plastic cards, which are embedded with a computer chip, offer a number of significant benefits to financial institutions, retailers, and cardholders—ranging from improved security to a host of innovative new features.
But while smart card usage has been exploding thanks to a diverse set of applications from wireless telephones to loyalty programs, the predicted mass migration of payment applications from traditional mag-stripe cards to smart cards has not yet materialized.
One of the biggest obstacles has been financial institutions’ concern that without some sort of guidelines, smart cards would not be universally accepted for payment. According to industry sources, the number of mag-stripe cards currently in use around the globe is approaching two billion. This represents a huge entrenched base that must be won over. Further, well-established specifications for mag-stripe cards allow these cards to be used in virtually any card-based POS device worldwide.
In 1994, three of the leading card associations—Europay, MasterCard, and Visa (EMV)—began working on specifications for smart card-based debit and credit payments. First released in 1996, the EMV specifications provide a strong, yet flexible framework—opening the door to the widespread use of smart cards in payment.
VeriFone has been an enthusiastic supporter of the drive toward standards for smart card-based debit and credit payments. In addition, the company is committed to creating payment devices and solutions that fully conform to all EMV specifications as they are released.
This white paper will examine the present environment for smart card-based payment applications, offer insight into the EMV specifications and what their impact will be, and explore the key requirements for effective, cost-efficient smart card solutions—now and in the future.
B u s i n e s s E n v i r o n m e n t
The evolution of smart cards
When smart cards were first introduced, financial applications were expected to be the main drivers of growth. Until recently, this has not proven to be the case. Smart card-based credit and debit applications comprise less than 10% of the total market for smart card applications. Instead, other industries—ranging from telecommunications to retailing—have embraced the versatility and robustness of these cards.
For example, in telecommunications, smart cards have been used for a broad spectrum of applications. A relatively simple application is the phone card, used to store a fixed amount of calling time on a smart card. Hundreds of millions of these calling cards have been issued by phone companies around the globe. At the other end of the spectrum are Subscriber Identity Module (SIM) smart cards, which are at the heart of telephones used over the hugely successful, European-originated GSM (Global System for Mobile telecommunications) wireless network. The SIM provides outstanding security and flexibility in controlling access to network services, including subscriber authentication, voice encryption, roaming, and account administration—maximizing the network’s performance and functionality.
Another fast-growing application is the use of smart cards to support retail loyalty programs. Retailers use loyalty programs to strengthen customer relationships and promote specific products or services. Customers enjoy the special discounts and higher service levels that frequent shopper programs provide. In countries such as the United Kingdom and Japan, smart card -based loyalty schemes have led the way in building consumer and retailer acceptance for smart cards. Besides enabling the usual program features, smart cards outperform mag-stripe cards by delivering superior off-line security, reducing telecommunications costs through the use of off-line authorizations, offering greater capacity for storing information on cardholder preferences and buying habits, and providing additional speed and functionality.
Smart cards are also increasingly being used for health care programs, government-funded benefits programs, transportation services, and more. Now, the financial industry is beginning to follow the lead of these other business sectors in implementing smart card-based payment solutions.
Intelligent arguments for smart cards in payment
As previously noted, the primary arguments against using smart cards for debit and credit payments have been the large existing base of mag-stripe cards and a lack of global standards. Cost has also been an issue because chip -embedded smart cards are more expensive than mag-stripe cards. Counterbalancing these concerns has been a lengthening list of benefits in using smart cards for payment.
First is the increased security that chip cards offer. Fraud can be dramatically reduced because chip cards are much more difficult to counterfeit than magnetic stripe cards. In addition, the chip itself can be used to store information that positively identifies the cardholder and presents a major obstacle for would-be thieves. Visa has estimated that counterfeiting can be decreased by at least 70% with a switch to smart cards. According to Visa, up to 90% of fraud from lost or stolen cards could be eliminated if cardholders were also required to use personal identification numbers (PINs) when making purchases.
Second, processing and telecommunications costs can be significantly lowered as well. With mag-stripe cards, most transactions require a call to an authorization center for online approval. The enhanced security provided by smart cards will allow many of these transactions to be approved offline. For example, card issuers could require online authorizations only when the purchase amount exceeded a certain level. In Europe, which has relatively high
telecommunication costs compared to other regions of the world, the ability to allow offline transactions without excessive risk represents a real money-saver.
Third, the memory and embedded processing power offered by smart cards allow financial institutions to easily add new features and support multiple value-added applications on the same card, which helps attract and retain cardholders and can generate substantial additional fee income. The potential for smart card usage is in its infancy today, with considerable room to grow.
Fastest acceptance in countries with higher fraud
Not surprisingly, the most rapid acceptance of both smart cards and the EMV specifications has occurred in countries experiencing the largest fraud losses or rising operating costs. This includes a significant portion of Europe, as well as countries in Latin America, Asia, and Africa.
For instance, in the United Kingdom where financial institutions witnessed big jumps in fraud in the mid-1990s, the financial industry was one of the first to endorse the EMV specifications and begin conversion of its entire base of mag-stripe debit and credit cards to smart cards. The majority of the UK’s bank-issued POS cards have now been converted to EMV-compliant smart cards.
E M V S p e c i f i c a t i o n s
The ABC’s of EMV
In May 1998, Europay, MasterCard and Visa published EMV 3.1.1, which defines the specifications for smart card-based d ebit and credit transactions. By creating a much-needed base for interoperability between chip cards and terminals on a global basis, these specifications provide a reliable global framework for the growth of smart card payment applications. In addition, EMV-based smart cards offer a solid foundation for a broad selection of payment-related and non-payment applications such as stored value, e-purse, and loyalty. Over time, these value-added applications promise to deliver greater financial benefits in new revenues than the savings available from the reduction in fraud.
The EMV specifications focus on the interactions between smart cards and payment terminals. (Note—The specifications do not address the exchange of information between POS terminals and the host computers at processing centers.) The specifications are designed to apply to a variety of terminals and devices, such as bank automated teller machines (ATMs), POS terminals, electronic cash registers, and PCs. EMV specifications cover elements such as general physical characteristics of terminals, the terminal–card interface, transaction processing, data management, and of course—data security requirements.
In 1999, the three card associations founded EMVCo as an independent organization that will continue to manage and enhance the EMV specifications as technology advances and the implementation of chip card programs becomes more prevalent. EMV 4.0 or EMV 2000—published in December 2000—clarifies and enhances the original specifications, as well as adding new guidelines for recent developments such as low-voltage smart cards and cards with faster chip clock speeds for improved response times.
EMVCo has established a single approval process for POS terminals and ATMs to ensure cross-payment system interoperability through compliance with the EMV specifications.
Two levels of Type Approval
Interoperability is achieved by granting two levels of “Type Approval”: • Level 1—Applies to the mechanical, electrical, and logical interfaces
• Level 2—Governs all application software. The EMV specifications envision that there likely will be multiple payment, payment-related, and even non-payment applications on each chip card —ranging from traditional debit and credit applications to other value-added solutions.
EMVCo has accredited a growing list of labs worldwide—such as Cetecom in Germany, Delta in Denmark, FIME in France and Taiwan, LGAI in Spain, RFI in the UK, and TUV in both Japan and the UK—to handle testing for EMV Type Approval. Most EMVCo-accredited labs can test for both Level 1 and Level 2 compliance.
The labs test hardware devices and application functionality for both EMV 3.1.1 and 4.0 in parallel—providing reports to EMVCo, which then issues Type Approval letters bas ed on these reports. Parallel testing under the two specifications will continue until March 2004.
VeriFone receives early EMV approvals
VeriFone was among the first to receive Type Approval specifying that its payment devices and solutions conform to EMV specifications for hardware and software, with Omni 3350 and Omni 3750 countertop terminals and Omni 3600 wireless portables certified under EMV Level 1 and 2.
VeriFone’s Verix EMV Module handles all the necessary EMV application functions, so programmers don’t need to worry about creating custom EMV code. The Type Approved module can be “plugged in” and used as is, without the need for any modifications or updates that would necessitate going through the Type Approval process again. This enables developers to quickly and easily implement smart card-supported payment applications for issuers and retailers as required.
The SC 5000 programmable PINpad and smart card reader/writer is Level 1 Type Approved, and the EMV application developed for the peripheral has received Level 2 Type Approval This makes the SC 5000 with its EMV
application the ideal way to upgrade older terminals to handle EMV-based smart card solutions, or to connect with electronic cash registers (ECRs) to extend EMV support.
Timeline for adoption around the world
EMV specifications are being adopted in phases in various countries around the world.
As previously mentioned, the United Kingdom was one of the first to begin implementing EMV, starting in early 1999—with the goal of converting all of that country’s approximately 80 million credit and debit cards, as well as all POS
terminals and bank ATMs to EMV-compliant smart cards and devices. The UK was followed by the Czech Republic, Poland, Slovakia, Brazil, Israel, France, and Japan. Other countries in Europe, Central and South America, Asia, and the Middle East are continuing to migrate to the EMV specifications for smart card.
Even in countries such as the United States and Canada—where conversion to EMV has been considerably slower and will be driven more by the potential for new sources of revenue than by fraud reduction—progress is being made. To-date, four large issuers have distributed approximately 10 million smart cards.
To encourage the continued rapid adoption of the EMV specifications, a number of mandates have been issued by the various card associations. In addition, card associations in most regions are offering significant financial incentives, such as reductions in the standard interchange rate, to retailers that upgrade their terminals to accept chip cards.
For instance, in the Asia/Pacific region Visa now requires that all new stand-alone POS terminals and ATMs must be EMV-compliant Liability for fraud losses that could have been prevented under EMV guidelines will shift to acquiring banks in January 2006.
Visa EU—which guides financial institutions in Western Europe—has declared that all new smart card payment devices must be EMV-compliant by January 1, 2005. Acquiring banks not supporting EMV transactions could be subject to financial penalties at that time. Visa CEMEA, which oversees Central and Eastern Europe, the Middle East, and Africa has also mandated that all new chip card terminals and card readers must be EMV-compliant. Financial liability for losses due to fraud in the CEMEA region will be shifted from the card issuers to the banks that have not implemented EMV, starting January 1, 2006. Visa International estimates that more than 70 million Visa EMV smart cards had been issued by the end of 2002.
In addition, MasterCard has set a variety of conversion deadlines in the various regions of the world, and after those dates, any banks that issue smart cards or acquire transactions will assume full financial liability for fraud or other losses that could have been avoided by using an EMV-compliant smart card solution.
Only in the U.S. and Canada are EMV deadlines not yet firmly established, as the card associations time their efforts to the emergence of demand for value-added applications, which will drive the implementation of EMV in those countries.
P r o d u c t E v o l u t i o n
Sweeping changes required to leverage full benefits.
The adoption of EMV specifications will require significant changes for banks, retailers, and solution vendors worldwide. These changes include eventual replacement of all mag-stripe debit and credit cards, as well as non-EMV-compliant smart cards. EMV will also necessitate the upgrading of bank ATMs and POS terminals, and could require increases in processing capacity—both on the front-end devices and on back-end host computers —to handle more information-intensive smart card transactions. Let’s take a closer look at some of these requirements.
To begin, banks and retailers will need to invest in new POS terminals designed to accept EMV-compliant cards. Because EMV will open the door to placing a wide variety of applications on a single chip card, it is critical that EMV-compliant terminals offer the processing power, application separation, and other features necessary to support an efficient, secure multi-application environment.
Banks will also need additional processing power to handle the sophisticated cryptography used to protect EMV-compliant smart card transactions. While most of these transactions will necessitate greater processing power in the terminals, they may not contribute to increased data center workloads or higher telecommunications costs. That’s because many EMV authorizations could take place offline.
Overall, the economics for the two types of cards is very different. For mag-stripe cards, there is a low cost of distribution, but a relatively high cost of operations due to online authorizations and fraud. For EMV-compliant chip cards, the cost-per-wallet may be higher, but the long-term cost of operations— after a significant investment in the technology infrastructure needed to support smart cards—should prove to be substantially lower. Further, smart cards can be expected to generate significantly higher revenues per card by supporting innovative customer programs that can be precisely targeted and cost-effectively implemented.
V e r i F o n e ’ s E M V -C e r t i f i e d T e r m i n a l s
EMV -certified terminals and other solutions designed for a
demanding environment
VeriFone offers a broad spectrum of POS terminals, PINpads, and other solutions that allow acquirers and retailers to take full advantage of EMV smart card-based solutions. These devices include the Omni 3700 family (Omni 3720 and Omni 3750), Omni 3350, Omni 7000MPD modular payment devices for multi-lane retailers, Omni 3600 portable wireless terminals, and SC 5000 programmable PINpads with smart card reader/writer.
Power and performance
All of the Omni terminals listed above incorporate 32-bit processing that is essential to efficiently handle the demanding cryptography and authentication requirements of EMV, including DDA. Many vendors are implementing EMV using 16-bit or even 8-bit processors. While these may technically be EMV-compliant solutions, from a practical standpoint, the solutions would simply not be very effective.
The Omni 3700 family, Omni 3350, and Omni 3600 terminals take full advantage of VeriFone’s powerful and versatile Verix operating environment, which provides multi-tasking capability to efficiently tackle growing workloads. In addition, the terminals offer innovative multi-application support, so retailers can securely run multiple payment and value-added applications on a single, stand-alone device.
These terminals also deliver a full suite of security features, including Triple DES (3DES) encryption, Master/Session and DUKPT (Derived Unique Key Per Transaction) key-management methods, and VeriShield file authentication, as well as Visa PED compliance for PIN-based transactions. Optional Security Access Modules (SAMs) further protect financial data and support multiple smart card schemes.
Modularity provides added flexibility
The Omni 7000MPD and Omni 3700 family also provide unprecedented flexibility to enable acquirers and retailers to keep pace with change. The Omni 7000’s EMV-certified hardware module can be added at any time – either at the time of purchase or after the device is put into use. Other modules support signature
The Omni 3700 family also brings the benefits of modularity to retailers that rely on stand-alone terminals. A choice of communications modules including dial-up to 14.4 kbps, ISDN, and Ethernet—the latter of which provides access to high-speed IP-based networks, including DSL, broadband cable, T1 or T3 lines, or Ethernet-based LANs.
For wireless POS processing, the Omni 3600 portable connects with any IP-based wireless service including GSM/GPRS and CDMA 1X, and with 802.11a and 802.11b wireless LANs.
All three families of terminals feature VeriFone’s intuitive user-friendly interface to minimize training, reduce clerk errors, and decrease help desk time.
Faster time-t o-market and reduced development expenses
VeriFone is also taking the lead in streamlining the development process for Level 2 Type Approved applications. Banks and processors can rely on VeriFone’s Verix EMV Module to handle all EMV functions for SoftPay and non-SoftPay applications, eliminating the need to obtain separate Level 2 Type Approvals every time a new application is developed. This can save months of effort and tens of thousands of dollars in programming costs.
In addition, processors can use VeriFone’s VeriCentre Download
Management Module to manage full or partial downloads of new applications to hundreds of terminals simultaneously—saving additional time and money.
E M V -compliant PINpad
VeriFone’s SC 5000 is a programmable smart card PINpad that packs support for EMV smart card transactions, debit, electronic benefits transfer (EBT), and stored value transactions, into a sleek, stylish device that fits comfortably in the palm of your hand. With an EMV Level 2 Type Approved application, the SC 5000 provides the fastest, easiest way to upgrade terminals or electronic cash registers to support global smart card solutions based on EMV specifications.
The SC 5000 is Visa PED-certified and supports 3DES encryption standards. Further, like Omni terminals, the PINpad’s 32-bit processor delivers exceptional performance for the most complex EMV cryptography requirements.
The SC 5000 features an integrated smart card reader with support for 2 or 4 optional SAM slots to run a broad range of smart card -based loyalty and electronic purse schemes. An optional, built-in magnetic-stripe card reader is also available with the device.
S u m m a r y
Making smart choices about the future.
Smart cards are gaining global payment acceptance. EMV is clearly acting as a catalyst for this groundbreaking shift.
During the transitional period of moving from mag-stripe to smart cards, the payment environment will continue to change rapidly. New kinds of smart card-based payment, payment-related, and value-added applications will be
introduced to respond to market opportunities and meet competitive challenges. Financial institutions and retailers alike need a payment platform that offers multi-application support, power, flexibility, and security.
VeriFone’s Omni 3750, Omni 3350, Omni 3600 wireless terminals, and Omni 7000MPD deliver exceptional performance and adaptability, multi-faceted security protection, unsurpassed reliability, and true ease of use—in an EMV-certified solution. Further, the powerful SC 5000 PINpad provides the fastest method to upgrade to an EMV-compliant solution. VeriFone is committed to ensuring that all new payment devices comply with the latest revisions of the EMV
specifications going forward. All of which makes VeriFone a very smart choice for an unpredictable future.
Note: EMVCo approval of the interface module (EMV Application Kernel) contained in this terminal shall mean only that the EMV Application Kernel has been tested in accordance and for sufficient conformance with the EMV Specifications, Version 3.1.1, as of the date of testing. EMVCo approval is not in any way an endorsement or warranty regarding the completeness of the approval process or the functionality, quality or performance of any particular product or service. EMVCo does not warrant any products or services provided by third parties, including, but not limited to, the producer or provider of the EMV Application Kernel and the EMVCo approval does not under any circumstances in clude or imply any product warranties from EMVCo, including, without limitation, any implied warranties of merchantability, fitness for purpose, or non-infringement, all of which are expressly disclaimed by EMVCo. All rights and remedies regarding products and services which have received EMVCo approval shall be provided by the party providing such products or services, and not by EMVCo and EMVCo accepts no liability whatsoever in connection therewith.
© 2003 VeriFone, Inc. All rights reserved. VeriFone, the VeriFone logo, Omni, SoftPay, VeriCentre, VeriShield, and Verix are either trademarks or registered trademarks of VeriFone in the United States and/or other countries. All other trademarks or brand names are the properties of their respective holders. All features and specifications are subject to change without notice.
