Editor’s note: This is part of an ongoing series of blog posts that will address the questions of Why, When, Who, What and How as they relate to the EMV chip card migration in the United States. Tweet using the hashtag #AskOT if you have questions for our experts. Or submit your question to Ask OT here.
The EMV standard blocks criminals from misusing payment card data by safeguarding four operations that occur in the background of every electronic transaction: identification, authentication, verification and authorization.
Think of it as the Big Four of EMV.
- “Identification” starts with the presentation of the identifier, the primary account number or “PAN”: the 16 digits on the front of the card. The first six of those digits are the bank identification number, or BIN. Of those six, the first identifies the card network, such as Visa = 4 or MasterCard = 5, and the remaining five identify the financial institution that issued the card. The middle nine digits designate the cardholder’s account number, while the final digit is a check digit that confirms the number has been read correctly. We also identify the cardholder by name and by the card’s expiration date.
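To make the PAN layout concrete, here is an added example (not code from the post or from Oberthur) that splits a 16-digit PAN into the fields described above and checks the final digit with the Luhn algorithm that payment cards use (ISO/IEC 7812). The two sample numbers are well-known industry test PANs, not real accounts, and the masking format is a choice made here for safe logging.

```python
import re

# The two leading digits named in the post; other networks are reported as "other".
NETWORKS = {"4": "Visa", "5": "MasterCard"}


def luhn_check_digit_ok(pan: str) -> bool:
    """Validate the final check digit with the Luhn algorithm (ISO/IEC 7812).
    A single misread or mistyped digit changes the sum and fails the check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def parse_pan(pan: str) -> dict:
    """Split a 16-digit PAN into network, BIN, issuer id, account and check digit.
    Spaces and dashes from a keyed or printed PAN are tolerated and removed."""
    pan = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{16}", pan):
        raise ValueError("PAN must be exactly 16 digits")
    if not luhn_check_digit_ok(pan):
        raise ValueError("check digit mismatch: PAN misread or mistyped")
    return {
        "network": NETWORKS.get(pan[0], "other"),
        "bin": pan[:6],             # first six digits
        "issuer_id": pan[1:6],      # BIN without the leading network digit
        "account": pan[6:15],       # middle nine digits
        "check_digit": pan[15],     # final digit
        "masked": pan[:6] + "******" + pan[-4:],  # what belongs in a log line
    }
```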
- “Authentication” determines whether the card carrying the identification is the genuine card and not a counterfeit. The terminal can authenticate the card using a method EMV calls offline data authentication. As part of the authorization process the issuing bank’s host can also authenticate the card using a cryptogram, or digital signature, produced by the interaction of the card and the terminal at the point of sale. This cryptogram, the ARQC, is created when the card signs merchant, card and transaction data. The cryptogram and the data it covers are sent to the issuer in what payment professionals call the Authorization Request. Once received, the issuer confirms that a card it issued is present at that merchant by performing online data authentication.
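As an added illustration (not the post’s or Oberthur’s code, and not EMV’s real cryptographic algorithm), the following sketches the ARQC round trip: the card computes a cryptogram over the merchant, card and transaction data with a card-specific key, and the issuer host recomputes it to perform online data authentication. HMAC-SHA256 stands in for the 3DES/AES MAC EMV actually specifies; the issuer master key, merchant id and transaction values are constructed.

```python
import hashlib
import hmac

# Constructed issuer master key; a real one never leaves the issuer's HSM.
ISSUER_MASTER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Each card carries its own key, derived from the issuer master key and the PAN
    at personalization (stand-in: HMAC-SHA256 instead of EMV's block-cipher derivation)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def generate_cryptogram(card_key: bytes, tx: dict) -> str:
    """The card 'signs' merchant, card and transaction data. The ATC (the card's
    transaction counter) and the terminal's unpredictable number make each
    cryptogram unique, so a captured one cannot be replayed."""
    data = "|".join([
        tx["amount"], tx["currency"], tx["date"], tx["merchant_id"],
        tx["pan"], str(tx["atc"]), tx["unpredictable_number"],
    ]).encode()
    return hmac.new(card_key, data, hashlib.sha256).hexdigest()[:16]


def card_builds_authorization_request(card_key: bytes, tx: dict) -> dict:
    """Card side: the Authorization Request carries the ARQC plus the data it covers."""
    return {**tx, "arqc": generate_cryptogram(card_key, tx)}


def issuer_online_data_authentication(request: dict) -> bool:
    """Issuer host: rederive the card's key, recompute the cryptogram over the
    received data and compare in constant time. A match shows a card holding
    that key took part and that the covered data was not altered in transit."""
    card_key = derive_card_key(ISSUER_MASTER_KEY, request["pan"])
    expected = generate_cryptogram(card_key, request)
    return hmac.compare_digest(expected, request["arqc"])


# Constructed sample transaction on an industry test PAN ($12.50, USD = 840).
SAMPLE_TX = {
    "pan": "4111111111111111", "amount": "000000001250", "currency": "840",
    "date": "150401", "merchant_id": "MERCH0001", "atc": 17,
    "unpredictable_number": "3a9f12c4",
}
```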
- “Verification” is the process that proves the person using the card is the right person. Within EMV, four mechanisms can be employed on a global scale. The first is the continued use of signature as the means of cardholder verification. The next two introduce the PIN as the means of verification. Online PIN verification starts when the terminal prompts the cardholder to enter a PIN. The terminal then encrypts the PIN and sends it through the network, in the authorization request, to the issuer. The issuer verifies that the PIN entered matches the PIN it originally registered to that card; if it matches, the issuer can then consider approving the transaction. Chip, or offline, PIN verification also starts with the terminal prompting the consumer to enter a PIN. The terminal then uses the EMV “Verify” command to ask the card’s chip to verify the PIN, so the check happens on the card rather than at the issuer. The final form of verification is, in fact, not to require cardholder verification at all. No CVM is typically used for low-value transactions, where speed is the requirement and the risk of lost-and-stolen fraud is insignificant.
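An added example (not from the post or Oberthur) of the card side of offline PIN verification: the chip compares the presented PIN against its stored reference, decrements a PIN try counter on each failure and refuses further attempts once the counter is exhausted, while the terminal only ever sees a status word. The status words follow ISO 7816 (9000 ok, 63Cx with x attempts remaining, 6983 blocked); the try limit of 3 is an assumption.

```python
import hmac


class ChipPinApplication:
    """Card side of the EMV VERIFY command for offline (chip) PIN. The PIN is
    checked inside the chip; only a status word goes back to the terminal."""

    def __init__(self, reference_pin: str, try_limit: int = 3):
        self._reference_pin = reference_pin  # held in the chip's protected memory
        self._try_limit = try_limit          # assumed limit; the issuer sets the real one
        self.pin_try_counter = try_limit     # remaining attempts (EMV PIN Try Counter)

    def verify(self, presented_pin: str) -> str:
        """Return an ISO 7816 status word: '9000' PIN ok,
        '63Cx' wrong PIN with x attempts left, '6983' PIN blocked."""
        if self.pin_try_counter == 0:
            return "6983"  # blocked until an issuer script unblocks it
        if hmac.compare_digest(presented_pin, self._reference_pin):
            self.pin_try_counter = self._try_limit  # success restores the counter
            return "9000"
        self.pin_try_counter -= 1
        return f"63C{self.pin_try_counter:X}"


def terminal_offline_pin_cvm(chip: ChipPinApplication, pin_entry: str) -> str:
    """Terminal side: after prompting for the PIN (passed in here), send VERIFY
    and map the status word to the CVM outcome the terminal acts on."""
    sw = chip.verify(pin_entry)
    if sw == "9000":
        return "verified"
    if sw.startswith("63C"):
        remaining = int(sw[3], 16)
        return "blocked" if remaining == 0 else f"retry ({remaining} left)"
    return "blocked"
```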
- “Authorization” is the process that confirms that the holder has certain rights or privileges, much as a driver’s license conveys the right to drive a car or a company identification card conveys the right to enter a place of employment or a restricted area within that building. In a payment transaction the card and the authorization request are used to assure the merchant that the customer has sufficient funds or credit to pay for the goods or services. Again, EMV defines two methods of authorization: online and offline. Online authorization, which is what typically happens today, requires the merchant to ask the issuer to authorize the transaction “online.” EMV introduced a new way for the issuer to authorize the transaction through a concept called card risk management. Card risk management allows the issuer to establish parameters the chip uses to determine whether it can authorize, or approve, a transaction itself. For example, the issuer can set a value, say $10, below which the card may approve the transaction, and combine that with other parameters, such as the maximum number of transactions the card may approve. The goal is to let the chip decide whether it can approve the transaction or whether the merchant must ask the issuer’s host to approve it. To give the issuer ultimate control, EMV also defines a method that lets the issuer modify these parameters during the life of the card. Be it online or offline, the decision to approve a transaction is always the issuer’s.
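As an added example (not the post’s or Oberthur’s code), a small model of card risk management: the chip approves offline only below the issuer’s floor amount and only until it has approved a set number of consecutive offline transactions, and an online trip lets the issuer reset that counter and replace the parameters for the rest of the card’s life. The two parameters and their values are constructed; a real EMV card carries more limits than these.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CardRiskParameters:
    """Issuer-set limits the chip consults before approving offline (constructed)."""
    offline_floor_cents: int        # e.g. $10.00: at or above this, always go online
    max_consecutive_offline: int    # after this many offline approvals, go online


@dataclass
class ChipState:
    params: CardRiskParameters
    consecutive_offline: int = 0    # offline approvals since the last online trip
    atc: int = 0                    # application transaction counter


def card_risk_management(chip: ChipState, amount_cents: int) -> str:
    """Return 'APPROVE_OFFLINE' (the card approves on the issuer's behalf) or
    'GO_ONLINE' (the merchant must ask the issuer's host to approve)."""
    chip.atc += 1
    if amount_cents >= chip.params.offline_floor_cents:
        return "GO_ONLINE"
    if chip.consecutive_offline >= chip.params.max_consecutive_offline:
        return "GO_ONLINE"
    chip.consecutive_offline += 1
    return "APPROVE_OFFLINE"


def issuer_online_response(chip: ChipState, approved: bool,
                           new_params: Optional[CardRiskParameters] = None) -> None:
    """An online approval resets the offline counter; the issuer may also push
    new parameters to the chip, which is how it keeps ultimate control."""
    if approved:
        chip.consecutive_offline = 0
    if new_params is not None:
        chip.params = new_params
```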
And there you have it – the Big Four operations designed to protect electronic transactions with the help of EMV.
Philip Andreae, Vice President, Field Marketing, Payment, North America at Oberthur Technologies
At Oberthur Technologies, Philip Andreae, Vice President, Field Marketing, Financial Services Institutions, North America, provides clients an in-depth understanding of EMV and what it takes to introduce EMV in the U.S. Over the last 20-plus years, Philip has been actively involved in the payment industry including driving the creation of the consortium that developed the EMV specification.