EMV

EMV is a standard for interoperation of IC cards ("Chip cards") and IC capable "POS terminals" and ATM's, for authenticating credit and debit card payments. The name EMV comes from the initial letters of Europay, MasterCard and VISA, the three companies which originally cooperated to develop the standard. Europay International SA was absorbed into Mastercard in 2002. JCB (formerly Japan Credit Bureau) joined the organisation in December 2004. IC card systems based on EMV are being phased in across the world, under names such as "IC Credit" and "Chip and PIN". The EMV specification is also the basis of the Chip Authentication Program, where banks give customers hand-held card readers to perform online authenticated transactions.

The EMV standard defines the interaction at the physical, electrical, data and application levels between IC cards and IC card processing devices for financial transactions. Portions of the standard are heavily based on the IC Chip card interface defined in ISO 7816.

The system is not compatible with the original Carte Bancaire smart cards systematically deployed in France since 1992. However, the French Carte Bancaire now also uses the EMV standard.

The most widely known implementations of EMV standard are:
* VSDC - VISA
* MChip - MasterCard
* AEIPS - American Express
* J Smart - JCB

MasterCard has a Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of Modes.

Differences and benefits of EMV

The purpose and goal of the EMV standard is to specify interoperability between EMV compliant IC cards and EMV compliant credit card payment terminals throughout the world. There are two major benefits to moving to smart card based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of "offline" credit card transaction approvals. The goals and benefits of EMV: High level standard on terminal↔card API. It reduces the cost and time interval of software development (POS, ATM, HSM,...).The non EMV payment smart card has its own crypto protections (RSA, DES) and is based on local private standards.

EMV financial transactions are more secure against fraud than traditional credit card payments which use the data encoded in a magnetic stripe on the back of the card. This is due to the use of encryption algorithms such as DES, Triple-DES, RSA and SHA to provide authentication of the card to the processing terminal and the transaction processing center. However, processing is generally slower than an equivalent magnetic stripe transaction. This is due to cryptography overhead and time involved in messages transmissions between the card and the terminal. The increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.

Although not the only possible method, the majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a PIN (Personal Identification Number) rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and programming of the card. For more details of this (specifically, the system being implemented in the UK) see Chip and PIN. In the future, systems may be upgraded to use other authentication systems, such as biometrics, which are generally not considered economical as of 2007.

Control of the EMV standard

The first version of EMV standard was published in 1999. Now the standard is defined and managed by the public corporation [http://www.emvco.org EMVCo] . Recognition of compliance with the EMV standard (i.e. device certification) is issued by EMVCo following submission of results of testing performed by an accredited testing house.

EMV Compliance testing has two levels: EMV Level 1 which covers physical, electrical and transport level interfaces, and EMV Level 2 which covers payment application selection and credit financial transaction processing.

After passing a common EMVCo tests the software must be tested to comply with EMV standard (VISA VSDC, MasterCard MChip,...).

List of EMV documents and standards

Since version 4.0, the official EMV standard documents, that define all the components in an EMV payment system, are published as four "books":

* Book 1 - Application Independent ICC to Terminal Interface Requirement
* Book 2 - Security and Key Management
* Book 3 - Application Specification
* Book 4 - Cardholder, Attendant, and Acquirer Interface Requirements

Versions

First EMV standard came into picture in 1996-EMV ’96 Version 3.1.1Released another version in December 2000 - EMV 2000 Version 4.0in May 2004-, Latest is Version 4.1 in June 2007

Version 4.0 became effective in June 2004. The current version, 4.1, became effective in June 2007.

External links

* [http://www.emvco.com EMVCo] , the organisation responsible for developing and maintaining the standard
* [http://www.chipandpin.co.uk/ Chip and PIN] , site run by the Association For Payment Clearing Services (APACS), the UK's central coordinating authority for the implementation of EMV
* [http://www.chipandspin.co.uk/ Chip and SPIN] , discussion of some security aspects of EMV, from members of the University of Cambridge Security Group
* [http://www.creditcall.co.uk/payment_software.shtml EmvX Software EMV Kernel] , a software EMV Level 2 Kernel for Windows