What Issuers Need to Know – Top 25 Questions on EMV

Frequently Asked Questions
What Issuers Need to Know – Top 25 Questions
on EMV Chip Cards and Personalization
Issuers across the United States are beginning to embark on the planning and execution phase of
one of their largest projects – the implementation of an EMV card program. For many years, the
U.S. payments sector has resisted growing pressure for the adoption of EMV, but due to recent
announcements by Visa®, MasterCard®, Discover®, and American Express® a migration timeline has
been set for the United States Region. Issuers will undoubtedly experience change in nearly every
facet of their organization including operations, card management and issuance, risk management
and customer support. In order to achieve a successful implementation, it is critical that issuers
undergo adequate planning and education, addressing all vital components such as ATM machines,
transmission of EMV data, obtaining association certification, the issuance of EMV chip cards and
educating consumers.
This document addresses frequently asked questions posed by financial
institutions in regards to the manufacturing and personalization of
EMV chip cards. While collaborating with numerous processors and
network providers, Card Production Services at Fiserv is ready to assist
clients in the planning and execution of their EMV card programs.
Top 25 Questions
The following Top 25 questions highlight issues related to EMV chip card
manufacturing and personalization. Issuers should consult their processor
and network provider for further guidance.
Question 1: How does an EMV
transaction work?
There is a fundamental difference between
a magnetic stripe and EMV chip transaction.
With a magnetic stripe card, the stripe
stores data that is read by a terminal.
The terminal reads the magnetic stripe
and initiates an online credit, debit, or
prepaid transaction. Subsequently, the
transaction is routed to/through branded
payment networks and/or various payment
processors for authorization. The physical
card and stripe no longer play a role in the
transaction once the initial data is read.
During an EMV transaction, the chip is
capable of processing information and
actually determines some of the rules
for the payment. The terminal helps
enforce the rules set by the issuer. These
rules can include performing offline
data authentication, defining cardholder
verification methods including PIN or
signature, requiring online authorization
and more. It is up to the issuing bank in
collaboration with their payment processor
to define which of these services is
required for the current transaction, via the
rules placed on the chip. All credit, debit, or
prepaid point-of-sale transactions will either
be online or “no authorization” transactions
for the United States Region. All ATM
transactions are online transactions using
an online PIN just as they are today.
Question 2: What is the additional cost
to implement an EMV program?
The cost of an EMV program consists of
varying components. Card production costs
include plastic (with chip), development
and testing, and issuance. The cost of
these components will depend on quantity
and complexity of the program. Pricing for
plastic and personalization is available from
your Fiserv Sales and Account Executive
team. EMV chip cards typically cost more
than magnetic stripe cards, but many
issuers find that this cost is offset by a
decrease in card-present fraud. Since the
widespread implementation of chip and PIN
technology in the U.K., domestic fraud
losses on U.K.-issued cards have been
reduced by 34 percent and fraud losses
from counterfeit cards are down 63 percent.¹
Question 3: Do I need to switch from
magnetic stripe cards and issue EMV
cards? What is the liability/penalty if
I choose not to issue EMV by a card
association’s deadline?
All four major card associations have
announced plans for accelerating
infrastructure readiness for acquirers and
direct connect merchants to be EMV
compliant by April 2013, thus forcing
processor compliancy as well.
a. In August 2011, Visa announced an
initiative that includes waiving the
Visa portion of PCI compliance cost if
75% of terminals are capable of EMV
transactions. This incents processors to
support EMV by 2013 and shifts fraud
liability to the merchant and merchant
acquirer in 2015 if a fraudulent EMV
chip card transaction is accepted by a
merchant that has not upgraded its POS
devices to be EMV compatible.
b. In January 2012, MasterCard announced
its EMV adoption citing an immediate
focus by acquirers for infrastructure
readiness by April 2013 which solidified
the importance of EMV as the foundation
for next generation payments.
c. In March 2012, Discover announced
a 2013 target date for EMV compliance
in the U.S., Canada and Mexico. Discover’s
plan is based on D-PAS, its EMV-compliant
payment specification for acquirers and
direct connect merchants.
d. In June 2012, American Express stated
it will work alongside other industry
participants to drive interoperability across
the U.S. and other countries to support
EMV. Its key requirements and dates
mirror Visa’s.
Question 4: Do I need to have my
current processor involved in the EMV
implementation?
To ensure successful card program
implementation, plan to include your card
scheme, payment processor, and Fiserv
Card Production Services as members of
your EMV implementation team.
Question 5: Do I have to implement a
Chip-and-PIN approach to EMV?
The card brands or schemes will continue
to support a range of cardholder verification
methods (CVM) in the U.S. CVMs include
signature, online PIN and no signature
for low-value, low-risk transactions.
Stakeholders will have the flexibility to
choose which CVMs to support; however,
processors may drive the decision for
issuers. Cardholder verification methods
are defined during the personalization
process and must be consistent with
those required by the card brand. In the
U.S. nearly 100 percent of magnetic stripe
transactions are authorized online in real
time, and EMV chip card transactions
will leverage this robust infrastructure for
authorization and authentication. Many
issuers use host-based fraud detection
tools to manage risk in real time. EMV
enables offline transaction authorization
for low value point-of-sale transactions.
A small number of offline POS devices
continue to be in use in the Euro Area;
however, they are rapidly being replaced
by online devices just as used in the
United States.
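Added example (not from the original document or from Fiserv): the CVMs chosen at personalization are stored on the chip as an ordered CVM List (EMV tag 8E), and this Python code decodes such a list and returns the points an issuer-side review would check. The two sample lists are constructed, and the review rules are illustrative assumptions, not a card-brand requirement.

```python
# Added example: decode an EMV CVM List (tag 8E) and lint it before personalization.
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC (offline)",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext offline PIN and signature",
    0x04: "Enciphered PIN verified by ICC (offline)",
    0x05: "Enciphered offline PIN and signature",
    0x1E: "Signature",
    0x1F: "No CVM required",
}
CVM_CONDITIONS = [  # indexed by condition code 0x00-0x09
    "always", "if unattended cash",
    "if not unattended cash, manual cash or purchase with cashback",
    "if terminal supports the CVM", "if manual cash",
    "if purchase with cashback",
    "if under amount X", "if over amount X",
    "if under amount Y", "if over amount Y",
]

def parse_cvm_list(value: bytes):
    """Return (amount_x, amount_y, rules) decoded from the value of tag 8E."""
    if len(value) < 10 or (len(value) - 8) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte CV rules")
    amount_x = int.from_bytes(value[0:4], "big")
    amount_y = int.from_bytes(value[4:8], "big")
    rules = []
    for i in range(8, len(value), 2):
        code, cond = value[i], value[i + 1]
        rules.append({
            "method": code & 0x3F,              # bits 6-1: CVM code
            "name": CVM_METHODS.get(code & 0x3F, "unrecognized"),
            "next_on_fail": bool(code & 0x40),  # bit 7: try next rule on failure
            "condition": CVM_CONDITIONS[cond] if cond < 10 else "unrecognized",
        })
    return amount_x, amount_y, rules

def review_cvm_list(value: bytes):
    """Return review notes; the checks are illustrative assumptions of this example."""
    _, _, rules = parse_cvm_list(value)
    notes = []
    for n, rule in enumerate(rules, 1):
        if rule["method"] in (0x01, 0x03):
            notes.append(f"rule {n}: plaintext offline PIN is enabled")
        if rule["method"] == 0x1F and rule["condition"] == "always":
            notes.append(f"rule {n}: No CVM applies unconditionally")
        if "unrecognized" in (rule["name"], rule["condition"]):
            notes.append(f"rule {n}: unrecognized method or condition code")
    if rules[-1]["next_on_fail"]:
        notes.append("last rule asks for a fallback rule that does not exist")
    return notes

# Constructed samples (not from a real card): amounts X and Y are zero.
ONLINE_PREFERRING = bytes.fromhex("0000000000000000" "4203" "5E03" "1F00")
PLAINTEXT_PIN = bytes.fromhex("0000000000000000" "4103" "1F00")

if __name__ == "__main__":
    for label, sample in (("A", ONLINE_PREFERRING), ("B", PLAINTEXT_PIN)):
        print(label, parse_cvm_list(sample)[2], review_cvm_list(sample))
```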
¹ Retail Payments Risk Forum Working Paper, Federal Reserve Bank of Atlanta, Jan. 2012.
[Figure: Estimated timeline for EMV Chip Card Issuance*. Labels in the figure: Card Design Proof Approval; Order Plastic; Association Certification Request and Process Begins; Production of Test Cards; Test Phase: Final Testing by client, processor and Association; Association Certification Approval.]
*subject to change based on technology availability
Question 6: How long will it take to issue
EMV cards?
The end-to-end process is estimated to take
up to 13 weeks and the readiness of each
vendor in the supply chain may vary. Once
certification is achieved on your initial EMV
issue, subsequent EMV chip issuance will
not take as long.
Question 7: Do we need a new BIN for
EMV cards? How do we tell the difference
if we use the same BIN for a product and
issue both magnetic stripe and EMV?
No. Issuers may use the same BIN for both
magnetic stripe and EMV chip cards. BINs
are assigned by your network or processor
and you should refer to them for additional
direction. All options are available to issuers
including new BINs or an extended BIN(s)
if preferred.
Question 8: How do I find out which
merchants in my institution’s footprint
support EMV?
Today, many merchants, like McDonalds,
CVS or Taco Bell have contactless-enabled
terminals; however, a contact terminal is
required for an EMV transaction. Retail
giants Wal-Mart, Best Buy and Home Depot
have installed EMV-readable terminals at
their stores located on the U.S. borders of
Canada and Mexico. Your card association
can provide you with a complete list of
EMV-ready merchants. Also, terminal
capabilities are defined in data elements
of the online request and advice/clearing
messages. This information may prove
useful for chargeback or dispute processing.
Question 9: Are there advantages to
supporting Dual Interface cards when I
migrate my card program to EMV?
All EMV chip cards contain a magnetic
stripe in addition to the chip. The advantage
of supporting Dual Interface cards is that a
consumer would be able to transact using
the magnetic stripe, the contactless chip or
the contact chip depending on the terminal
installed at the merchant location. Dual
Interface cards have “dual” technology
(contactless chip and contact chip) and are
more expensive.
Question 10: How does the contact chip
alter the design of my cards? Are there
specific branding specifications that I
need to follow regarding the placement
of the contact chip?
Yes. The placement of the contact chip on
the front of the card is consistent on all
EMV and Dual Interface plastic. The Fiserv
procurement team will work with you to
ensure product specifications are met.
Question 11: What are the options for
chip memory?
Memory options will be provided based on
the type of plastic selected – contact, Dual
Interface or contactless. This is dependent
on the operating system and available card
authentication methods.
Question 12: What is the minimal
functionality I need in EMV processing
that will still provide the advantages of
increased security for my cardholders?
Because there are varying functionalities
available for smart card processing, your
processor is in the best position to answer
this question.
Question 13: What are the applications
that I may want on the chip?
Chip cards can contain multiple applications
such as rewards, loyalty or healthcare,
but today most applications are related
to financial payments. The issuer will
need to determine which applications it
wants to support, what its processor can
support for authentication, authorization
and transactions and what applications its
personalization bureau can personalize. You
may discover that mandates from your card
association or regional switch network may
largely determine the applications you must
have on your chip cards.
Question 14: How involved am I in the
key management process?
Card Production Services at Fiserv will
work with your key custodians and initiate
a key ceremony. There are new keys
required for EMV (for example, issuer
master key or iCVV).
Question 15: Can an EMV card be
personalized with the cardholder’s
own photo?
Edge-to-edge or personalization of the
entire front of the card is an option that will
be available in our Phase II rollout of EMV
chip cards but is not currently available.
Question 16: Will Fiserv support EMV
for all my card programs?
EMV personalization is available for debit,
credit and prepaid cards.
Question 17: Can my network or
association handle the EMV data and
verification for our programs?
Your processor can assist in this area.
Question 18: How does EMV work with
Internet purchases?
An EMV card does not inherently mean that
an Internet purchase – or card-not-present
transaction – will have any more
security than with a traditional magnetic stripe
card. However, the potential to increase
authentication is available with the use of
additional equipment/readers that would
provide a single, one-time password
(OTP) to validate the card-not-present
purchase. These devices are currently in
use in other countries. Through the use of
MasterCard’s Chip Authentication Program
(CAP) and Visa’s Dynamic Passcode
Authentication (DPA) the EMV smart card
is used to authenticate the user and verify
the cardholder’s PIN while offline. The
cardholder inserts the card into a small
hand-held device that generates the
one-time password, which is displayed directly
on the device. During the online transaction,
the cardholder transmits this OTP to the
issuing bank, which can then verify it using
its EMV back-end authentication system.
The user may also have a card that has an
integrated ‘keyboard’ directly in the card
which creates the OTP and is shown on a
mini display embedded in the card. Both
of these methods constitute two-factor
authentication (2FA) – something the
user knows (i.e. PIN) and something the
user has (i.e. smart card). It is noted that
handheld readers have been distributed to
tens of millions of cardholders in Europe
and Asia, but consumers have complained
that it’s inconvenient to have a card reader
in hand to do online transactions. Other
forms of two-factor authentication are
surfacing such as mobile phone-based
2FA, and we will likely see other methods
developed as technology advances.
Question 19: What is the difference
between the Operating Systems
options – Java/Global Platform, Native,
and Multos? Which of these will Fiserv
support? Which is recommended
and why?
Java/Global Platform is the suggested
operating system in the U.S. to support
payment applications. Multos is most often
used overseas to support payment and
other applications such as transit or loyalty.
Native is a custom operating system for
all other applications. Fiserv will support
all of these operating systems and has
successfully tested Java/Global.
Question 20: Will the EMV chip replace
the magnetic stripe on the card?
The magnetic stripe will continue to be the
required baseline card-reading format and
must be supported on both contact-only
and Dual-Interface cards.
Question 21: Is offline or online better?
Online only or online preferring card
products make the most sense for nearly
all issuers. Refer to your processor for
additional guidance. DDA (Dynamic Data
Authentication) can be used by the issuer.
Question 22: Is the RFID Label required
on EMV cards?
Visa currently requires the RFID label on
Contactless & Dual Interface cards. This
requirement will be removed in 2015 when
all Visa branded cards will no longer be
allowed to be issued with MSD (Magnetic
Stripe Data) but will instead use full EMV
cryptogram methodology. The label is not
required on Visa contact cards. MasterCard
currently has no requirement for the label.
Question 23: What are the benefits
of EMV cards?
Although EMV payment cards gained
adoption primarily because of industry
mandates and the promise to combat
card-present fraud globally, chip-based
cards also offer the flexibility to store
multiple applications, enabling greater
value and improved service to consumers.
(Noting that multiple application chip
cards will be more expensive to issue.)
Question 24: What would be a possible
roadblock to the U.S. migrating to EMV?
Merchants or merchant acquirers will likely
upgrade their point-of-sale systems to
be EMV compatible consistent with in-place
terminal replacement cycles. Many
of the country’s largest merchants have
already completed the re-terminalization
process. Absent national law or regulatory
changes, issuers are not required to migrate
their card bases to be EMV compatible.
Nonetheless, over the next 3-4 years we
expect 60% to 70% of United States’ card
bases to complete EMV migrations.
Question 25: Is Card Production Services
at Fiserv ready to personalize EMV
cards today?
Yes. Today, Fiserv is positioned to assist
our clients with the procurement and
personalization of EMV compliant cards.
We continue our partnership with the leading
card brands and the Smart Card Alliance
to support and continue development
of a worldwide interoperable smart card
infrastructure. We will strive to be a valued
source of information to our clients as they
analyze and set their strategies for EMV.
Connect With Us
For more information on EMV chip card
plastic and personalization, please contact
866-963-4877 or visit www.fiserv.com
About Fiserv
Fiserv is driving innovation in Payments,
Processing Services, Risk & Compliance,
Customer & Channel Management and
Insights & Optimization, and leading
the transformation of financial services
technology to help our clients change the
way financial services are delivered. Visit
www.fiserv.com for a look at what’s next,
right now.
Table 1 – Roadmap Options²
Roadmap Option / Description
1. Chip Interface
a) Contact
• Standard EMV chip card.
• Requires contact reader.
b) Contactless
• RF card, NFC on a mobile phone, or various form factors, including stickers.
• Requires contactless reader.
• Leverages EMV-based contactless cards being deployed in the U.S. and Canada.
• Inability to inject scripts post-issuance, except with second tap, or using
over-the-air capabilities with mobile devices.
c) Dual Interface
• Card containing both contact and contactless interfaces.
• Works with either contact or contactless reader.
2. Card Authentication
a) Online
• Uses symmetric cryptography for the cryptogram (such as Triple DES).
• For online-only contact card, no requirement for SDA, DDA, or PKI
cryptographic co-processor.*
b) Offline
• Uses SDA, DDA and/or CDA.
• Requirement for PKI cryptographic co-processor (for DDA and CDA only).
3. Transaction Authorization
a) Online
• Authorization message, including Field 55, is sent to issuer.
b) Offline
• Terminal and card negotiate the method for authorization based on the acquirer,
issuer and payment brand risk management parameters. The issuer (card) makes
the final decision.
• May be forced online, depending on limits and other factors.
4. Cardholder Verification
a) Signature
• No special POS requirement beyond current requirements.
b) Online PIN
• Requires POS PIN pad, secure access module (SAM) linked to hardware
security modules (HSM) at every network node, and network capable of
supporting PIN block.
• Not readily supported by credit card standard messages.³
c) Offline PIN§
• Requires POS key pad.⁴
• Two types of offline PIN: plain text and enciphered. Requirement for PKI
cryptographic co-processor for enciphered PIN.
• Requires ability to synchronize offline and online PIN.
d) No Card Verification Method (CVM)
• No special POS requirement.
• Usually reserved for low value transactions and unattended terminals.
* All microprocessor cards used for EMV support the appropriate symmetric cryptography algorithm and keys. Symmetric cryptography is employed as a core part of
chip security and is used in the personalization process and in any post-issuance EMV scripts from the issuer that are used to change EMV settings on the card.
§ Offline PIN can be either enciphered or plain text.
² Smart Card Alliance, Roadmap White Paper, 09/2012.
³ Standard credit card message 1100 does not support the field required for online PIN support.
⁴ See PCI specification for POS PIN support requirements for online and offline PIN, https://www.pcisecuritystandards.org/security_standards/documents.php?association=PTS
Fiserv, Inc.
255 Fiserv Drive
Brookfield, WI 53045
800-872-7882
262-879-5322
www.fiserv.com
© 2013, 2012 Fiserv, Inc. or its affiliates. All rights reserved. Fiserv is a registered trademark of Fiserv, Inc. Other products referenced in this material
may be trademarks or registered trademarks of their respective companies.
06-GG-08-7/12; Updated 1/13