Title

WHAT IS EMV?Europay, MasterCard and Visa (EMV®) is a global fraud reduction standard for credit and debit payment cards based on chip card technology. This technology is used to combat fraud and protect sensitive payment data in card-present environments. Chip cards, or Integrated Circuit Cards (ICC), are standard bank cards that look like traditional cards, but have an embedded chip in addition to the standard magnetic stripe on the back of the card.

Unlike swiping a payment card with a magnetic stripe, EMV uses dynamic authentication that is unique for each transaction. Magnetic stripe transactions use static authentication data which is easy to copy and prone to skimming.

The roll out of Europay, MasterCard, and Visa (EMV®) chip card technology is underway. As you prepare for adopting this technology, this eGuide can help you along your way.

47% of the world’s credit card fraud happens in the United States. -Barclays

REDUCE CARD-PRESENT FRAUD WITH EMV®

GET READY FOR EMV

GET TO KNOW EMV

What is it? › Global fraud reduction

standard› The standard is managed by

EMVCo

Stands for: › Europay, MasterCard, & Visa › The three companies that

created the standard

AKA: › Chip card › Smart card› IC card

Globally, 32% of card-present transactions are EMV.1

1EMVCo

Title

HOW DOES IT WORK? EMV card chips create a unique transaction code for each transaction that cannot be reused. Every chip card transaction contains dozens of pieces of information that are exchanged between the chip, the EMV-enabled Point of Sale (POS) device, and the acquiring bank or processor’s host. This makes it nearly impossible to create counterfeit cards.

There are two methods of processing EMV transactions.

Contact — Consumer inserts or ‘dips’ the chip card into the terminal and a signature may be obtained from the consumer for verification.

Contactless — Consumer ‘taps’ or waves their chip card against an EMV, NFC capable payment terminal. The majority of cards in the U.S. will be contact cards.

Customer experience

Customers will insert their card (dip) or wave it in front of the device. If inserted, the card stays in reader for duration of transaction. Customers may be prompted to sign for verification. With EMV transactions, customers may experience a minimally slower process.

Things to consider:

» Customers may inadvertently leave their card in the reader. Train employees and have a plan in place.

» What happens if the chip card cannot be read? A “fallback” transaction will take place by swiping the magnetic stripe.

Is EMV mandated? Will it reduce all fraud? Does EMV replace encryption?

No. EMV is not mandated. It is a merchant’s choice if and when to support EMV chip cards.

It is important to understand what the Liability Shift, which takes place October 1, 2015, really means to your organization.

Things to consider:

» Amount of fraud that currently occurs in your card-present environment.

» If card present fraud is minimal today, then it may not be worth going through the expense of an EMV upgrade immediately.

EMV technology aims to reduce card-present fraud resulting from counterfeit cards.

EMV will not reduce online or other types of fraud.

With tighter card-present security, fraud will likely migrate online. Therefore, merchants should tighten card-not-present security and controls.

EMV does not replace encryption or tokenization, but should be used in addition.

EMV’s main purpose is to provide mechanisms to authenticate and validate cards, preventing thieves from duplicating or counterfeiting cards.

An EMV card does not safeguard the PAN information contained on it.

COMMON MYTHS

Title

October 1, 2015 - Liability Shift

Why is this date significant? Simply put, as of this date, the liability will shift to the entity that is the least EMV-compliant in a fraudulent transaction.

DECONSTRUCTING THE LIABILITY SHIFT

The Liability Shift applies only to counterfeit cards,

not lost or stolen cards.

UNDERSTANDING LIABILITYEMV functionality is not required or mandated. It is a choice. However, after the October 1, 2015 Fraud Liability Shift, liability will shift to the party not leveraging EMV technology.

Today, if an in-store transaction is conducted using a counterfeit, stolen or otherwise compromised card, consumer losses from that transaction fall back on the merchant bank, depending on the card’s terms and conditions.

After the Liability Shift, the party that is the cause of a chip transaction not being conducted will be held financially liable for any resulting card-present counterfeit fraud losses.

The Liability Shift applies only to counterfeit cards, not lost or stolen cards.

DO YOU NEED TO ADOPT EMV?Here are some considerations for adopting EMV:

Do you accept card-present payments?

» EMV functionality is for POS/card-present transactions only.

» Card-not-present transactions do not need EMV-capable devices.

Do you experience high levels of card-present fraud?

» Calculate your chargeback ratio.

» If you do not experience high levels of card-present fraud, implementing EMV may not be urgent. 

Understanding your return on investment may help guide your timeline for adopting EMV.

WHAT IS INVOLVED IN AN EMV CERTIFICATION?In order to migrate to EMV, merchants will need to certify their payment solution with EMVCo, or use a certified third-party solution, for each desired card brand. Keep the following in mind:

» Systems under test are end-to-end, from device to first-party platform.

» Expenses include system changes, EMV capable devices, test harness and certification.

» Recertification is required if any individual system kernel in the transaction chain changes.

Title

KEY TERMS EMV chip technology comes with its own language. Grow your vocabulary with these terms.

Term Definition

Chip and PIN Customer enters a PIN to validate the transaction. A PIN is a secret number that an individual memorizes and uses to authenticate his or her identity for card use.

Chip and Signature Customer signs to validate the transaction.

Cardholder Verification Method (CVM)

The method used to authenticate that the person presenting the card is the valid cardholder. EMV supports four CVMs:• Offline PIN (offline enciphered & plain text)• Online PIN• Signature verification• No CVMAll CVMs can be available on all payment types (credit, debit, and prepaid) as defined by the issuer. The merchant chooses which CVMs they will support. The issuer sets a prioritized list of methods on the chip to verify the cardholder.

EMV Compliant Cards and terminals that meet security, interoperability, and functionality requirements outlined by EMVCo.

Fallback or Fallback Transaction

When a transaction is initiated between a chip card and a chip terminal, but chip technology is not used and the transaction is completed via magnetic stripe or key entry.

Integrated Circuit Card (ICC)

A card that has an embedded circuit, such as a computer chip. Integrated Circuit Cards are made of plastic or a similar material, and are most often associated with EMV credit cards.

Offline Authorization Authorizing or declining a payment transaction through communication between the ICC and the EMV-enabled device. This function uses issuer-defined risk parameters set in the Integrated Circuit Card (ICC) to determine whether the transaction can be authorized without going online to the issuer host system.

Online Authorization Authorizing or declining a payment transaction by sending transaction information to the issuer and requesting a real-time response.

PCI DSS A framework developed by the Payment Card Industry Security Standards Council for developing a robust payment card data security process – including prevention, detection and appropriate reaction to security incidents. EMV does not replace PCI DSS compliance.

By the end of 2014, an estimated 120 million chip cards had been issued. This figure is expected to increase to 600 million by the end of 2015.2

2EMV Migration Forum

Title

ABOUT TRUSTCOMMERCETrustCommerce is a leading technology and solutions provider in the Electronic Payment & Risk Management (EPRM) industry, providing services to some of the largest HealthCare Providers, Insurance Companies, State Transportation Agencies, Municipalities, and Fortune 500 companies in the United States. TrustCommerce offers a wide range of products and services that protect and serve customers with a focus on security, data protection, and risk mitigation.

TrustCommerce was one of the first to introduce the tokenization model for subscription-based merchants, which

replaced cardholder data with a Billing ID. As one of the early adopters of tokenization to remove stored data from a merchant’s environment, we remain focused on protecting cardholder data as it flows through the payment lifecycle. Whether processing in a face-to-face retail environment, or as a card-not-present E-Commerce environment, TrustCommerce products protect our partners and reduce their risk.

TRUSTCOMMERCE IS THE LEADING PROVIDER OF SECURE PAYMENT SOLUTIONS SERVING THESE AND OTHER KEY INDUSTRIES:

› Healthcare› Retail & e-commerce› Parking› Education› Municipalities› Insurance› Non-profit

For more information on TrustCommerce solutions or to become a partner, please visit TrustCommerce.com/contact-us/

TrustCommerce | 800.915.1680 | trustcommerce.com