Data Security

EMV 101


EMV is a set of standards for the use of payment chip cards (those with an embedded microprocessor). The standards were originally developed by Europay, MasterCard, and Visa in the 1990s and are now issued and maintained by EMVCo, LLC, an organization jointly owned and operated by all of the major payment card brands.

The microprocessor within a payment chip card provides strong security features and other capabilities not possible with traditional magnetic stripe cards. By using cryptographic technology such as public-key infrastructure (PKI) and RSA algorithms, EMV prevents criminals from counterfeiting the chip data and assures the card issuer that the consumer’s card is physically present at the merchant point of sale.

Traditional magnetic stripe cards are very easily counterfeited once the magnetic stripe data is obtained. Chip cards cannot be easily counterfeited because there is no feasible way to obtain the private key data secured within the microprocessor. This is one of the primary drivers for implementation of EMV in the United States, where card fraud resulted in $11.27 billion in losses during 2012. Card issuers incurred 63% of those losses, and the other 37% were paid by merchants. For these unfortunate merchants, most of the losses were from card-not-present transactions (e-Commerce or mail order), while issuer losses primarily occurred due to counterfeit cards being used at the point of sale. (Source: Nilson Report, Aug 2013)

Because of these massive losses, card issuers and the entire payments industry are pushing to bring EMV to the US. To that end, the four major card brands – Visa, MasterCard, American Express, and Discover – have announced a chip card “liability shift” effective October 1, 2015. This policy simply means that if a merchant accepts a counterfeit magnetic stripe card for a fraudulent purchase, but that fraud could have been avoided if the merchant had upgraded to EMV technology, then the merchant and not the issuer is liable for the chargeback. MasterCard, American Express, and Discover have implemented an additional liability shift for lost/stolen fraud: if the chip card presented prefers PIN entry as its cardholder verification method, and the merchant device was not PIN-capable, then any fraudulent transactions performed while the card was lost/stolen may also be charged back to the merchant.

While EMV support is not mandatory, every merchant who accepts payment cards should carefully consider the potential liability impacts to their business if they choose not to invest in updating their technology to accept EMV. Some merchants may determine that their business is not a likely target for fraudsters to use counterfeit cards (certain restaurants, for instance), while others who sell larger-ticket retail items are certainly targets. Additionally, criminals will eventually seek out merchants who do not support EMV in order to perpetuate their fraud. Long-term data from other countries that have implemented EMV also shows migration of the majority of fraudulent activity to e-Commerce and online payment channels.

EMV technology by itself does not protect all of the sensitive data elements on the chip card: it only ensures the card’s authenticity. EMV is thus only one component of a full payments security solution, which also needs to address the protection of data in motion as well as data at rest. Heartland Secure is a comprehensive security suite which provides these solutions by using End-to-End Encryption (E3) and tokenization, in conjunction with EMV, to effect the strongest payments security system available.
