Perhaps the most glaringly obvious security flaw in EMV is the CVM called “Offline Plaintext PIN”. The PIN is transmitted to the card for verification in the clear which places the burden of security (and cost) on the terminal Vendor and therefore the Merchant.

A large part of PCI PED for example deals with the PIN entry security environment. An attacker merely has to “sniff” the card IO pin to pull all manner of cardholder information from the transaction including the PIN. Some would argue that the compensating control for this is the fact that PIN pads are tamper responsive and evident but why take the risk when you have a much better CVM in “Offline Enciphered PIN”? The PIN is securely encrypted in the PIN pad using the card RSA Public Key and transmitted to the card for verification which is infinitely more secure.

Of course the next step would be to encrypt all the information that passes between the terminal and card using a similar mechanism but that’s a discussion for another day.

In summary, it’s clear that the weaknesses of SDA have been exploited and damaged the reputation of the EMV standard so surely it’s time we acknowledge the obvious – both SDA and Offline Plaintext PIN have had their day, it’s time they were put out to pasture.

MasterCard is planning to deliver an improved customer experience in-store, online, at ATMs and on mobiles giving consumers greater security and control of their payment choices. They will do this by helping to build out the EMV POS infrastructure by April 2013. The roadmap also envisages reduced fraudulent transactions, and financial benefits to merchants using EMV compatible terminals.

Chris McWilton, President, U.S. Markets, MasterCard  explained, “We’re moving toward a world beyond plastic, where consumers will shop and pay in a way that best fits their needs and lifestyles with a simple tap, click or touch in-store, online or on a mobile device”. He continues “Our roadmap represents a transformational shift in the approach to payments and is not simply about EMV, chip and PIN. We’re focused on readying the ecosystem to drive future innovation and provide new consumer experiences to enhance the value of electronic payments. “

MasterCard is part of the original group that created the global EMV standard for credit and debit cards based on chip card technology which included Europay, MasterCard and Visa. It is now owned by American Express, JCB, MasterCard and Visa. Click here for the latest EMV deployment and adoption figures.

If you are a terminal manufacturer and want to find out more how you can reduce risk, cost and time to market of your EMV Migration project, call us for free on 800.868. 1832 or email enquiries(at)level2kernel(dot)com.

The EMVCo published EMV deployment figures for Q3 2011 represent the latest statistics from American Express, JCB, MasterCard and Visa, as reported by their member financial institutions globally. More than 1.3 billion EMV cards and over 20 million EMV terminals are now in circulation.

Source: EMVCo EMV deployment figures Q3 2011

The statistics do not include data from the United States which currently uses magnetic stripe and signature for payment authorisation. This will soon change as Visa and MasterCard have now published their own guidelines for migration from magnetic stripe to EMV technology in the US.

Source: EMVCo EMV deployment figures Q3 2011

EMVCo are set to see another boost of its standard once the US have deployed the more secure and fraud-resistant EMV payment standard.

As we suggested, Visa are recommending that initially merchants in the USA should concentrate on online-only EMV solutions that do not need to support EMV offline PIN (where the PIN is checked by the card rather than the bank’s online host) – so whereas the rest of the world has typically implemented “Chip & PIN” solutions, in the USA it may be “Chip & Signature” instead.

We can help you reduce complexity, cost and time-to-market, to smoothly implement EMV in the U.S. Our EMV level 2 kernels are fully compliant with all the latest industry requirements for online or offline authorisation. They provide a simple but powerful way to add EMV level 2 functionality to attended (POS terminals, ticketing machines) and unattended (parking, vending, ATMs) card payment devices.

Check out www.level2kernel.com for more details or get in touch if you have any questions.

EMV System Components

A typical “EMV terminal” (which can be any EMV-capable device, including self-service kiosks, ATMs and retail PoS [points-of-sale]) consists of a number of software and hardware components that interact in order to process an EMV card transaction.

EMV Approved Hardware

An EMVCo level 1 approved Interface Device (IFD) is required to communicate with the chip card and, depending on the operating environment of the terminal, the IFD may be an integrated part of the terminal’s hardware or an external device. The IFD will contain a card reader and may also include a PIN-pad that can be used for secure PIN entry, if that Cardholder Verification Method (CVM) is supported by the terminal. Alternatively, if a PIN-pad is required then this may be a separate piece of hardware attached to the terminal. Note that PIN-pads used for EMV PIN Entry will also need to be compliant with the PCI standards.

Authorisation and Clearing

The terminal will also need to have a mechanism for submitting approved transactions to the acquiring bank so that the payments can be cleared. If the terminal is fitted with communications equipment then this can be used to send the transactions to the bank, and it may also be used for online authorisation of transactions to allow the card issuer to check whether to allow a particular transaction to be accepted. If there is no communications available, or the terminal supports the ability to authorise transactions without going online, the terminal must be able to securely store completed transactions for later submission to the bank.

Receipting, User Interface and User Interactions

In addition, if merchant or customer receipts are required then the terminal will also need to be fitted with a printer, and there will normally also be a visual display that can used to inform the merchant and customer of the transaction progress and any other information that may be required. If the customer needs to enter data or select options during the transaction, then an additional keypad or function keys may also be fitted.

EMV Level 2 Kernel Software

Finally, and most importantly, at the heart of any EMV terminal is the EMV level 2 kernel, which is usually a distinct software component that contains all the EMVCo-defined processing logic required to perform a transaction. This generates all the EMV commands to send to the card via the IFD and processes all the card’s responses, together with configuration data stored in the terminal, in order to perform the necessary steps required to complete an EMV transaction.

CreditCall’s EMV level 2 kernels are fully compliant with all the latest industry requirements, and provide a simple but powerful way to add EMV level 2 functionality to payment devices. Check out www.level2kernel.com for further details of these EMV kernels.

At the same time, an updated version of the “EMVCo Type Approval Terminal Level 2 Test Cases”, which is used for EMVCo certification of EMV level 2 kernels, has come into effect and all new EMV level 2 certifications will now be performed using v4.3a of the test cases.

The EMV 4.3 Specifications consist of four books, and are available for view or download from EMVCo.

CreditCall’s family of EMV kernels are maintained to the very latest EMV level 2 and industry standards, so you can be certain that they will provide the best EMV solutions both now and in the future.

Check out www.level2kernel.com for further details of these EMV level 2 kernels.

Although the roll-out of EMV in Australia has already seen the upgrading of Point-of-Sale devices and the issuance of EMV-capable bank cards, the country’s ATM estate has not kept pace with these developments. This has meant that the magnetic-stripe on bank cards has still had to be used for cash withdrawals, which is much less secure than the EMV chip on the card and is open to fraudulent usage as card skimming can be used to create fraudulent “cloned” magnetic-stripe cards.

It is important when a market undergoes EMV migration it is widely adopted across all market sectors to ensure that the new technology has the greatest exposure and is welcomed by consumers as a positive change, and to prevent fraudsters from continuing to exploit any weak link (i.e. the devices that have not yet been upgraded to support EMV). Hopefully, Commonwealth Bank’s competitors will take note and make a similar investment in their own ATM networks.

Damaged chip card or dirty card reader

Even if both the terminal and card are fully EMV-compliant, it may not be possible for the EMV card reader to communicate with the chip, for example if the chip on the card has become accidentally damaged or if the contacts on the card or reader are dirty.

Partly chip card migration

A card may also be used at a terminal that does not support any of the payment applications on the chip, for example if not all card schemes have migrated to chip card technology in that market.

Interoperability issues

Finally, interoperability issues may prevent the EMV payment being completed, if the terminal’s EMV kernel or the chip has incorrectly implemented certain aspects of EMV processing, or if they support different versions of the EMV specifications. Although EMVCo has an extensive testing regime to reduce the probability of this, a small number of interoperability issues have arisen over the years.

Beware of fraudsters

Any of these cases would prevent the chip from being used to complete the transaction. In order to allow the merchant to still receive payment, technology “fallback” – where the magnetic stripe is used instead of the chip – may be permitted.
Merchants need to be extra vigilant, as some fraudsters may deliberately disable the chip to try and circumvent the ability to verify the cardholder using their PIN. All fallback transactions must be marked accordingly during the payment clearing process, as the liability for any fraudulent transactions may differ when fallback technology is used.

Unattended terminals

Unattended devices are not generally permitted to support fallback transactions, as there is no merchant present to check the card for damage that the card user may have done to deliberately sabotage the chip in an effort to force the magnetic stripe to be used and to circumvent the ability to verify the cardholder’s PIN.

Want to migrate to EMV?

CreditCall’s EMV kernels are fully compliant with all the latest industry requirements, and provide a simple but powerful way to add EMV level 2 to payment devices. Check out www.level2kernel.com for further details on certified EMV level 2 kernels.

Prior to EMV migration in the United Kingdom, most transactions were verified by checking the cardholder’s signature, but the introduction of EMV allowed the chip on the card to be used for cardholder verification by “offline PIN” (without the need to upgrade the online infrastructure to support “online PIN” checking).

However, as the United States already supports online PIN (where the transaction is securely sent to the card issuer’s bank to be checked) there would not necessarily be a need for American merchants to also support offline PIN checking when undergoing EMV migration. Therefore to add support for EMV they could potentially upgrade their existing hardware by just fitting an additional EMV level 1 compliant card reader and then upgrade their software by adding an EMV level 2 kernel.

CreditCall’s EMV level 2 kernels are fully compliant with all the latest industry requirements, and provide a simple but powerful way to add EMV level 2 functionality to payment devices. Check out www.level2kernel.com for further details of these EMV kernels.

One key factor of their announcement was that they plan to introduce a U.S. liability shift from 1st October 2015 for all American merchants. This could potentially have a significant impact on merchants as Visa’s press release states that “with the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer”.

Other markets such as Europe have already undergone the liability shift during their EMV migration programmes, and this has lead to high-levels of EMV chip card acceptance across the continent, both by major chains and by small single-site merchants.

Due to the complexity of the EMV specifications, many system providers that have already undergone EMV migration have chosen to license the use of a third party EMV kernel, such as CreditCall’s EMV kernels.