EMV

[2][better source needed] Until the introduction of chip & PIN, all face-to-face credit or debit card transactions involved the use of a magnetic stripe or mechanical imprint to read and record account data, and a signature for purposes of identity verification.

The invention of the silicon integrated circuit chip in 1959 led to the idea of incorporating it onto a plastic smart card in the late 1960s by two German engineers, Helmut Gröttrup and Jürgen Dethloff.

The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.

[7] EMVCo accepts public comment on its draft standards and processes, but also allows other organizations to become "Associates" and "Subscribers" for deeper collaboration.

[11] There are two major benefits to moving to smart-card-based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of "offline" credit-card transaction approvals.

[1][13][14] The majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a personal identification number (PIN) rather than signing a paper receipt.

Checkout cashiers were expected to thumb through this booklet each and every time a credit card was presented for payment of any amount, prior to approving the transaction, which incurred a short delay.

In addition to mobile-phone-based magnetic readers, merchant personnel can now bring wireless PIN pads to the customer, so the card is never out of the cardholder's sight.

[17] As of 2015, chip and signature cards are more common in the US, Mexico, parts of South America (such as Argentina and Peru) and some Asian countries (such as Taiwan, Hong Kong, Thailand, South Korea, Singapore, and Indonesia), whereas chip and PIN cards are more common in most European countries (e.g., the UK, Ireland, France, Portugal, Finland and the Netherlands) as well as in Pakistan, Iran, Brazil, Colombia, Venezuela, India, Sri Lanka, Canada, Australia and New Zealand.

[21] Because of physical distance, it is not possible for the merchant to present a keypad to the customer in these cases, so alternatives have been devised, including As for which is faster, The New York Times explained that it's a matter of perception: While the chip method requires that the chip stay in the machine until the transaction and the authorization process is completed, the phone swipe method does the authorization in the background; a receipt starts coming out right away.

List of applications: (Eight West African countries: Benin, Burkina Faso, Côte d'Ivoire, Guinea Bissau, Mali, Niger, Senegal, Togo) The terminal sends the get processing options command to the card.

[33][better source needed] When an online-only device performs IAC-Online and TAC-Online processing the only relevant TVR bit is "Transaction value exceeds the floor limit".

During IAC-Denial and TAC-Denial processing, for an online only device, the only relevant Terminal verification results bit is "Service not allowed".

[citation needed] After passing common EMVCo tests, the software must be certified by payment brands to comply with proprietary EMV implementations such as Visa VSDC, American Express AEIPS, Mastercard MChip, JCB JSmart, or EMV-compliant implementations of non-EMVCo members such as LINK in the UK, or Interac in Canada.

[citation needed] APACS, representing the UK payment industry, claimed that changes specified to the protocol (where card verification values differ between the magnetic stripe and the chip – the iCVV) rendered this attack ineffective and that such measures would be in place from January 2008.

[46] Conversation capturing is a form of attack which was reported to have taken place against Shell terminals in May 2006, when they were forced to disable all EMV authentication in their petrol stations after more than £1 million was stolen from customers.

[47] In October 2008, it was reported that hundreds of EMV card readers intended for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been tampered with in China during or shortly after manufacture.

[49] In a February 2008 BBC Newsnight programme Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated one example attack, to illustrate that Chip and PIN is not secure enough to justify passing the liability to prove fraud from banks onto customers.

"[52] They also said that changes to the protocol (specifying different card verification values between the chip and magnetic stripe – the iCVV) would make this attack ineffective from January 2008.

We dispute the assertion by the banking industry that criminals are not sophisticated enough, because they have already demonstrated a far higher level of skill than is necessary for this attack in their miniaturized PIN entry device skimmers."

[56] According to Phil Jones of the Consumers' Association, Chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained.

"[54] At the CanSecWest conference in March 2011, Andrea Barisani and Daniele Bianco presented research uncovering a vulnerability in EMV that would allow arbitrary PIN harvesting despite the cardholder verification configuration of the card, even when the supported CVMs data is signed.

The team demonstrated that it is possible to modify this data to trick the terminal into believing that no PIN is required because the cardholder was verified using their device (e.g. smartphone).

Non-chip-and-PIN cards may also not work in some unattended vending machines at, for example, train stations, or self-service check-out tills at supermarkets.

[65] Chip and PIN was trialled in Northampton, England from May 2003,[73] and as a result was rolled out nationwide in the United Kingdom on 14 February 2006[74] with advertisements in the press and national television touting the "Safety in Numbers" slogan.

During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN.

[citation needed] The Payment Services Regulations 2009 came into force on 1 November 2009[75] and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault.

[58] The Financial Services Authority (FSA) said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability.

After widespread identity theft due to weak security in the point-of-sale terminals at Target, Home Depot, and other major retailers, Visa, Mastercard and Discover[80] in March 2012 – and American Express[81] in June 2012 – announced their EMV migration plans for the United States.

In 2010, a number of companies began issuing pre-paid debit cards that incorporate Chip and PIN and allow Americans to load cash as euros or pound sterling.

An EMV credit card
An EMV credit card
Contact pad for the electrical interface on the front side of a credit card
An EMV chip semiconductor package on the side opposite to its contact pads
View of the chip, a die shot
Green rectangle containing a row of four white asterisks in black squares; the outline of a hand points to and obscures the second asterisk.
Chip and PIN UK logo