Data Security


For more in-depth treatment of these and other topics, please see Heartland’s EMV Integrator’s Guide.

Merchants have not been mandated to accept EMV cards nor have issuers been mandated to issue EMV cards, so the full migration to EMV will likely take years and perhaps even decades, and therefore EMV chip cards will continue to have magnetic stripes into the foreseeable future so that they can continue to be used at magstripe only terminals.

However, if a card is swiped on an EMV terminal, the terminal software must parse the three-digit service code from the Track 1 or Track 2 data and examine the first digit. If the first digit of the service code is a ‘2’ or a ‘6’ indicating that the card is a chip card, the terminal must not normally allow the transaction to be processed using the magstripe data, but rather must prompt the merchant or customer to insert or tap the card instead.

An appropriate message such as “SWIPE NOT ALLOWED FOR CHIP CARD – INSERT CARD” should be displayed on the terminal. (This message is defined by customer and their POS vendor.)

There are circumstances where swiping an EMV card or manually entering an EMV card number is allowed. If the transaction cannot be completed by reading the chip card, either because the chip or chip reader is inoperable or there are no mutually supported applications between the card and terminal, then the magstripe may be read and used to complete the transaction. If the magstripe cannot be read, then the card number may be manually keyed. Transactions performed in this way are called fallback transactions, and they must always be authorized online and marked as fallback in the authorization request message.

Where possible, it is best practice to prompt for PIN if the card has a PIN associated with it and a PIN CVM is preferred within the card’s CVM list, especially since some card brands have fraud liability shifts tied to PIN entry. However, there are circumstances where not prompting for PIN or allowing for PIN bypass makes business sense.


  • Many merchants only have merchant-facing terminals today, and the cardholder must hand their card over to a clerk or server to process the transaction. PIN entry is not currently possible in these environments, and PIN CVMs would not be enabled on these terminals so that PIN prompting do not occur.
  • Many merchants do not require signature today for low value transactions that qualify for the VISA Easy Payment Service (VEPS), MasterCard Quick Payment Service (QPS), etc. PIN entry is also not required for these transactions, and the terminal must dynamically disable the PIN and signature CVMs for these transactions so that PIN and signature prompting do not occur.

During the early stages of the migration from signature to PIN, many cardholders may not be aware that their credit card has a PIN, or they may just not remember it. In order to avoid unnecessarily hindering card acceptance, terminals may for a limited time support a PIN bypass feature to allow the cardholder to skip the PIN prompt. In this case, the “PIN entry required, PIN pad present, but PIN was not entered” bit in the TVR must be set, so that the issuer can decide whether or not to approve the transaction accordingly.

There are several non-EMV transactions that still use EMV functionality, such as voice authorizations, incremental authorizations, refunds, etc. For these non-EMV transactions, it is not necessary to perform the complete EMV transaction flow, but rather after the Read Application Data step is complete and the Track 2 Equivalent Data (Tag 57) has been obtained from the chip, the terminal aborts the flow by sending the GENERATE AC command to the card to request an AAC.

If desired, the terminal may continue the flow through the Offline Data Authentication, Processing Restrictions, Cardholder Verification, and Terminal Risk Management steps in order to help reduce potentially fraudulent non-EMV transactions. These optional steps normally just set bits in the TVR which is sent to the issuer to determine the disposition of the transaction, but since these are non-EMV transactions, the TVR would not be sent to the issuer. Therefore, a local decision would have to be made as to whether or not to continue with the transactions.

Store and Forward (Deferred Authorization) occurs when an online authorization is performed after the card is no longer available. Merchants performing store and forward authorizations must send the authorization request within 24 hours of the original transaction.

When a chip card is used for a store-and-forward transaction, the POS terminal requests an ARQC. It then informs the chip card that it cannot go online and requests a TC. The chip card will respond with either a TC or an AAC. If the response is a TC, the transaction is offline approved and does not require online authorization, so it is just added to the batch for settlement. If the response is an AAC, the transaction is not offline approved and does require online authorization, so within 24 hours the terminal must send an authorization request that includes the original ARQC rather than the AAC, and if online approved it must be added to the batch for settlement.

In addition to specific card brand receipt requirements, the following are additional items for EMV transactions:

  • APPLICATION PREFERRED NAME (EMV Tag 9F12) if available, or else print APPLICATION LABEL (EMV Tag 50).
  • APPLICATION CRYPTOGRAM type (“TC” or “AAC”) followed by the contents of the APPLICATION CRYPTOGRAM.
  • Printing of the Signature Line is dependent upon CARDHOLDER VERIFICATION method used for the transaction. Print either a Signature Line, “PIN VERIFIED” or “NO SIGNATURE REQUIRED”.
  • Indicate the entry method used: (S) Swiped, (M) Manual, or (C)Chip.

Broadly speaking there are three levels of EMV certification, each which build upon the previous and which have different impacts to different parties in the payments ecosystem. “Level 1” certification as relating to the physical and electro-mechanical interactions between the chip and the device, while “Level 2” certification relates to the EMV kernel which is typically embedded within the device firmware. Level 1 and Level 2 certifications are the concern of the terminal manufacturers. Technically these are the only levels of certification defined by EMVCo, but often times “Level 3” certification will be referenced: Level 3 certification is simply an equivalent if informal term for the card brand certification which is required of the payment application.

Not necessarily. It is expected that the EMV terminal, which is certified as part of a "Level 3" card brand EMV certification, will include support for a kernel configuration without PIN as a supported CVM. This approach would allow a merchant to retain a bill/check presenter model but still receive some benefits from the Counterfeit Fraud Liability Shift.

Primarily the same as they do today. If the CVM is PIN, then the cardholder should be prompted for gratuity just prior to PIN entry. Also, it is still allowable to print tip and signature lines on the receipt even if the CVM was PIN, in case the device doesn’t support tip entry or the merchant just prefers that approach.