How Do EMV Chips Work? Do They Really Protect Cardholders Against Fraud?
Just when folks got used to the idea of swiping a credit or debit card to make a purchase, along came a card that must be inserted (or “dipped”) into a card reader.
Seems it took no time at all to transition from “Please remove card quickly” to “Do not remove card.” But why the change?
EMV (or “chip”) payment cards have become the world’s standard. Still, many people really don’t understand them. In this post, we’ll examine EMV chip technology and how it works. We’ll also explore some of the benefits and challenges of its use.
What Is EMV Chip Technology?
EMV Chip [noun] /ē • em • vē • CHip/
EMV refers to a type of payment technology first developed in the mid-1990s. EMV-enabled payment cards — also known as “EMV chip cards” — have a built-in microchip that stores information, encrypts transactions, and facilitates transaction processing.
For many years, a magnetic stripe was the standard way of storing personal data on credit cards. While most cards still have that stripe, chances are that the credit and debit cards you use most often also feature a square “chip” on the front.
That square is actually a computer chip that offers greater security and the option for contactless payments. The letters “EMV” are simply an acronym representing the three companies that created the standard: Europay, Mastercard, and Visa. However, EMV is often used as shorthand for the technology that powers these chips and allows for chip-enabled payments to work (we’ll explore this in a little more detail below).
EMV card chips were designed to decrease consumer fraud while also limiting banks’ liability for fraud chargebacks. EMV-enabled cards can be used for either “chip and PIN” or “chip and signature” transactions. It depends on whether the merchant requires a personal identification code or a signature as a secondary buyer verification. Here’s a look at how they differ:
Chip-and-signature cards
- Cardholder provides a signature on the receipt or on a digital display.
- Less secure; merchants don’t always confirm a signature match.
Chip-and-PIN cards
- Cardholder inputs a PIN on the card terminal.
- More secure, as it requires a PIN to complete the transaction.
How Do EMV Chip Cards Work?
The main difference between EMV chips and magnetic stripes is that, with the latter technology, cardholder data is permanently stored on the physical card. With an EMV chip card, the card's chip creates a unique encrypted code for each transaction.
Magnetic stripe cards work by using optical technology to read the data stored on the card. The card reader then transmits the cardholder information directly. In contrast, chip cards have to be inserted into the terminal.
When inserted into the terminal, the chip connects to the reader and generates a one-time-use token. This token serves as a stand-in for the cardholder’s personal information.
The terminal transmits the one-time-use token in place of the actual cardholder data. No actual cardholder data ever gets transmitted. As a result, the cardholder avoids exposing their information to potential hackers or data thieves. And, because chips generate a unique marker for each transaction, it’s virtually impossible to create a usable counterfeit EMV credit card.
Chip cards also offer the ability to make contactless payments. Instead of the card being dipped or swiped, it can be tapped on a specially equipped scanner and read using near-field communication (NFC) technology. This is the same technology used by mobile wallet apps to make contactless payments.
The EMV Chip Transaction Process
Completing a purchase with a chip card typically takes about 7 to 10 seconds. Numerous actions occur during that short span of time, though, both physically and digitally. Here’s a look at a typical process flow:
- At checkout, the customer inserts their card into the reader. In the case of online purchases, the buyer enters their card details into a virtual system.
- The terminal identifies whether the card is a debit or credit card (or both).
- Validation of the card is established through an offline check, and the identity of the user is confirmed using a PIN code or signature.
- The terminal decides whether the transaction should be sent offline for authorization based on the floor limit (the maximum amount of money that can be charged to that card prior to authorization).
- Using issuer rules, the card performs its own risk assessment, deciding whether to complete the sale online or offline (or to reject the transaction altogether).
As we said earlier, all of this happens in the span of a few seconds. From there, a transaction request is transmitted to the payment authorizer, along with transaction specifics. This involves the creation of an Authorization Request Cryptogram (ARQC) that acts as a digital signature. The ARQC is verified and sent back to the terminal.
As we can see, the data is always encrypted at every phase of the transmission. This makes the process more secure than other methods of payment.
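The per-transaction cryptogram described above can be modeled in a few lines. This is an added example, not code from the original article or from the EMV specifications: it is a simplified model in which HMAC-SHA256 stands in for the card's real MAC algorithm, and the key, amounts, nonces and function names are constructed for illustration. It shows why a captured cryptogram is useless for a second purchase.

```python
import hashlib
import hmac

def session_key(card_key: bytes, atc: int) -> bytes:
    # Per-transaction key from the card secret and the transaction counter (ATC).
    return hmac.new(card_key, b"sk" + atc.to_bytes(2, "big"), hashlib.sha256).digest()

def make_arqc(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    # The chip MACs the transaction details; HMAC-SHA256 truncated to 8 bytes
    # is a stand-in for the MAC algorithm a real card uses.
    data = amount_cents.to_bytes(6, "big") + nonce + atc.to_bytes(2, "big")
    return hmac.new(session_key(card_key, atc), data, hashlib.sha256).digest()[:8]

class Issuer:
    """Holds the same card key and remembers the highest counter it accepted."""
    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.last_atc = 0

    def verify(self, atc: int, amount_cents: int, nonce: bytes, arqc: bytes) -> str:
        if atc <= self.last_atc:
            return "DECLINE: counter already used"
        expected = make_arqc(self.card_key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, arqc):
            return "DECLINE: cryptogram mismatch"
        self.last_atc = atc
        return "APPROVE"

def demo() -> list:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    issuer = Issuer(key)
    n1, n2 = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"  # terminal's per-transaction nonces
    first = make_arqc(key, 1, 2599, n1)
    return [
        issuer.verify(1, 2599, n1, first),                        # genuine purchase
        issuer.verify(1, 2599, n1, first),                        # same message resent
        issuer.verify(2, 2599, n2, first),                        # old cryptogram, new counter
        issuer.verify(2, 2599, n2, make_arqc(key, 2, 2599, n2)),  # next genuine purchase
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A magnetic stripe carries only static data, so nothing in a stripe read can produce the value the issuer expects for the next counter.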
What Are the Benefits of EMV Transactions?
Chip cards have a lot to offer both merchants and consumers:
Finally, remember that EMV chip cards still sport a magnetic stripe as well for the time being. This means they can still be swiped for use with non-EMV terminals if necessary. This can be an easy fix if the card is declined because of a problem with the card chip.
Can Fraud Still Happen While Using an EMV Chip Card?
The short answer: yes. Even with EMV technology in place, fraud can still occur.
In the last few years, researchers have noted a rise in chip card cloning. With the right tools, data can be extracted from an EMV chip. With a simple device known as a card shimmer (as opposed to a magstripe skimmer), fraudsters can pull data from an EMV chip. This data can then be used to create a magnetic stripe version of the same card.
The perpetrator can use this card at any card-present merchant by simply claiming that the card issuer didn’t provide them with an EMV-enabled card. It's a simple scheme, but it works.
Shimming devices are a fast-growing threat. Even without these devices, though, merchants may still be subject to fraud liability if they conduct a magstripe-facilitated purchase using an EMV chip card, as we'll discuss in the next section.
Who is Liable When EMV Fraud Occurs?
Here in the US, an event called the EMV Liability Shift occurred back in October 2015. Prior to this, banks bore financial responsibility for counterfeit card transactions. After the shift, liability passes to the most technologically vulnerable point in the transaction process. This typically means the merchant.
The card networks reasoned that since chip cards are so much more secure, it wasn’t fair to punish the bank if the merchant didn’t upgrade. They decided it was more equitable if the liability shifted to the least-secure party.
Now, if a merchant completes a transaction using less-secure magnetic stripe technology, and that transaction turns out to be fraudulent, the merchant will be responsible for reimbursing the cardholders. The networks even created new chargeback reason codes specifically for this type of fraud:
- Visa Chargeback Reason Code 10.1 — EMV Liability Shift Counterfeit Fraud
- Visa Chargeback Reason Code 10.2 — EMV Liability Shift Non-Counterfeit Fraud
- Mastercard Chargeback Reason Code 4870 — Chip Liability Shift
- Mastercard Chargeback Reason Code 4871 - Chip Liability Shift – Stolen Card
- Amex Reason Code F30 — EMV Counterfeit
- Amex Reason Code F31 — EMV Lost/Stolen/Non-received
- Discover Reason Code UA05 — Fraud/Counterfeit Chip Transaction
- Discover Reason Code UA06 — Fraud/Chip-and-PIN Transaction
The new rules apply both to merchants who have an EMV-enabled system and those who haven’t switched over yet. Merchants with chip-capable systems are still responsible for making sure cards are dipped whenever possible. However, if the merchant has an EMV system, and it was used during the fraudulent transaction, liability shifts back to the issuer.
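A merchant can find the transactions that carry this liability exposure by comparing how each card was read with what the card's service code says about it. The following is an added example, not part of the original article: the record layout and field names are hypothetical, the sample records are constructed, and the entry-mode values are the commonly used POS entry mode codes, which should be confirmed against your processor's specification.

```python
# Constructed sample records; the field names are hypothetical.
TXNS = [
    {"id": "t1", "entry_mode": "05", "service_code": "201"},
    {"id": "t2", "entry_mode": "90", "service_code": "201"},
    {"id": "t3", "entry_mode": "80", "service_code": "201"},
    {"id": "t4", "entry_mode": "90", "service_code": "101"},
    {"id": "t5", "entry_mode": "02", "service_code": "601"},
]

CHIP_MODES = {"05", "07"}    # contact chip read, contactless chip read
STRIPE_MODES = {"02", "90"}  # magnetic stripe read
FALLBACK_MODE = "80"         # chip card that fell back to the stripe

def card_has_chip(service_code: str) -> bool:
    # A first service-code digit of 2 or 6 marks a card that carries a chip.
    return service_code[:1] in {"2", "6"}

def classify(txn: dict) -> str:
    mode = txn["entry_mode"]
    if mode in CHIP_MODES:
        return "chip"
    if not card_has_chip(txn["service_code"]):
        return "stripe_only_card"
    if mode == FALLBACK_MODE:
        return "fallback"
    if mode in STRIPE_MODES:
        return "stripe_on_chip_card"
    return "unknown"

def needs_review(txns: list) -> list:
    # Stripe-facilitated purchases on chip cards are the ones the liability
    # shift leaves with the merchant if they turn out to be fraudulent.
    risky = {"fallback", "stripe_on_chip_card"}
    return [t["id"] for t in txns if classify(t) in risky]

if __name__ == "__main__":
    for t in TXNS:
        print(t["id"], classify(t))
    print("review:", needs_review(TXNS))
```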
Are There Any Downsides to EMV Cards?
Despite the plethora of pros, EMV chip cards are not perfect. There are still a few downsides to consider, including:
The Future of EMV Cards
EMV payment cards represent the future of payment processing. Increased security and more options benefit both consumers and merchants. Fewer fraudulent transactions mean retailers save money, and those savings should trickle down to shoppers in the form of lower pricing.
Also, the potential of EMV technology is far from fully realized. The next generation of chip cards will likely include a variety of possible features, from personalized couponing to loyalty programs built right into the card.
Exciting as that may be, however, there is the chargeback issue to consider. Chip cards simply aren’t designed to prevent customer disputes. Effective fraud management requires a comprehensive strategy that involves both prevention and revenue recovery. For more information, contact Chargebacks911 today.
FAQs
What is the meaning of an EMV chip?
EMV refers to a type of payment system developed jointly by Europay, MasterCard and Visa in the mid-1990s. EMV-enabled payment cards – also known as “chip cards” – have a built-in microchip that stores information, encrypts transactions, and facilitates transaction processing.
How do EMV chips work?
With an EMV card, the embedded microchip creates a unique code for each transaction. The payment is processed using this one-use-only code, rather than the card number printed on the card. This is a practice called tokenization.
Are all chip cards EMV?
Yes. No matter what terminology banks or merchants may use — EMV card, chip card, smart card, etc. — they’re all different names for the same thing. Any payment card with an embedded chip is using EMV technology.
Is EMV the same as RFID?
No. Most EMV chip cards require physical contact with a payment terminal. Radio Frequency Identification (RFID) cards only have to be near the terminal. Depending on signal strength, they may not even need to be removed from a purse or wallet.
Some modern EMV cards are integrating NFC technology, which can be used for contactless payments as well, offering the best of both worlds.
Can EMV chips be hacked or cloned?
Technically yes, but only the information from the magnetic stripe can be captured. That means any clone of the card would only work with non-EMV-enabled readers.