Payment Security Spotlight: EMV

We’re putting the spotlight on EMV this week in part two of our “Payment Security Spotlight” blog series.  As we make our way past the one-year mark of the EMV liability shift in the U.S., we’re seeing a lot of discussion on how far we’ve come since last October, and how far we still have to go.  While many complain that EMV transactions are too slow, this won’t always be the case, and the security benefits are well worth it.  That minimal lag time will soon disappear as the industry continues to advance EMV technology and improve adoption.

With the shift, the entity that is the least EMV compliant becomes liable for the fraud.  Before this, the credit card issuers were generally responsible in the event of fraud.  Now, if a merchant does not have a terminal that accepts EMV and a customer uses a chip card, the merchant becomes responsible if fraud occurs.  This creates an increased incentive for merchants to update their terminals and become EMV compliant.  If the merchant has an EMV enabled terminal, but the bank hasn’t issued the customer a chip card, then the bank is liable in the event of fraud.  When both parties are EMV compliant (merchant and card issuer), it is the card issuer who bears responsibility for reimbursement in the event of fraud, just as it was before the mandate.  EMV adoption ultimately provides a strong line of defense for merchants, helping to decrease incidences of fraud and security breaches from the point of sale in both attended and unattended applications.  Who would think that one little chip could do so much!

It isn’t magic.  At the point of transaction, the microprocessor chip in the EMV card generates a unique encrypted code.  This code is sent from the transaction location to the bank with details on the transaction.  The code is then decoded, authenticated, and sent securely back to the merchant, signaling that the transaction is approved.

These encrypted codes are one-time use codes, generated every time an EMV transaction takes place.  The data is rendered useless to those who try to commit fraud with it, because the code can only be used once, and can’t be traced back to the card number.  This is good for both the merchant and the cardholder, essentially anonymizing data as it passes through the transaction and protecting it from would-be thieves.  Before the EMV transition, when magnetic strips were the primary credit card format, fraudsters could easily attain card data.  With magnetic strips, card number data is static, meaning that it is the same for every transaction, making it more susceptible to fraud.

At Apriva, we recognize the importance of EMV technology, and have invested a considerable amount of time, money and resources into EMV development, testing and certification acumen—from a dedicated certification team, to training and tools for engineering, and development resources.  Our aggregated corporate EMV acumen has increased one-thousand fold over the past year and we have over 20 EMV certification projects across multiple processors either currently being worked or in the queue.

While EMV is a great step for us in security, it’s just one weapon in the arsenal to protect both merchants and cardholders from card fraud.  Combined with tokenization and end-to-end encryption, merchants should take a long-term, holistic view of security and be proactive in considering protection of payment card and customer data.  New technologies in both protection and hacking are brought forth every day, so vigilance is critical to maintain security across payments.  We will discuss other parts in the chain of payments in future posts, so be sure to check back in with us for part three of our Payment Security Spotlight series. 

~ Russ Palay, Senior Director, Product Management