Seminar on Demand

by ISG Learning

Seminar on Demand: Study Guide.

Study Guides are designed to accompany Seminar on Demand
presentations by providing a useful reference resource that combines the
presenters slides and transcript in a single document.

__________________________________________________________

EMV Overview
By Colin Davis

Duration: 23 minutes
Released: March, 2002
Updated: August, 2009
__________________________________________________________

Abstract:

In this presentation Colin Davis explains the background,

goals, implementation hurdles and the benefits of the Europay
MasterCard Visa smart card standards.

Key points discussed by Colin are:

 Background, where has EMV come from

 The Goals of the EMV standard
 How those Goals will be delivered
 What hurdles stand in the way of implementing the EMV
standards in an ATM environment
 What benefits will financial institutions get from
implementing EMV

In his presentation, Colin helps you to gain a better

understanding of this important new smart card standard.

__________________________________________________

NCR Confidential - Use Pursuant to Company Instructions

Page 1 of 8
 Seminar on Demand
by ISG Learning

(Slide 1)
Hi I’m Colin Davis and I want to provide you
with a background knowledge of EMV.
Regardless of what self-service software
you are using, I think that you will find this
seminar useful as general background
information.

(Slide 2)
What I will do first of all, is give you a
background to where EMV has come from
and where it is going; then we are going to
look at the specifications for EMV and the
various certification levels. Next we will list
some of the features of the EMV standard,
in terms of what it can do for us. We’ll also
look at some of the implementation hurdles
that stand between you and being able to
put the EMV standard out in the field and
finally some of the benefits to offset those
hurdles.

(Slide 3)
So, starting off with the background.
Europay, MasterCard and Visa created
EMV. They got together, to reduce the fraud
in the market place which cost them a lot of
money, and they believed that Smart Card,
or more specifically Integrated Chip Card
(ICC) technology will meet those needs.
Europay has since been bought by
MasterCard and JCB has joined the
consortium.
Integrated chip card technology has the
capability to hold data securely and, thanks
to the mobile phone industry, it is readily available and relatively low cost.
The reason they got together was because they wanted to ensure industry wide
interoperability; by developing the standard collectively they exert enough clout on the
entire market place that they could pretty much push the standard across the entire
industry and get it delivered. Had it just been one of them then it would have been a lot
harder for anything to happen because it would have just been seen as a single card
scheme’s proprietary standard.

NCR Confidential - Use Pursuant to Company Instructions

Page 2 of 8
 Seminar on Demand
by ISG Learning

(Slide 4)
The first version of EMV that anyone was
really working with was EMV 3.0 that came
out in 1996. This was followed later in 1999
by EMV 3.11, which is what NCR’s first fully
released solutions were based on. In the
year 2000, they released EMV 4, otherwise
referred to as EMV 2000, and this has been
developed over the years to EMV 4.2.
Europay, MasterCard and Visa started
these standards but, having got some
industry acceptance, what they wanted to
do then, was stand back from it a bit and
allow EMV to be independent of any one
issuer so that it could become a true standard; a standard that no one card scheme could
have too much of an undue influence over. So they set up EMV Co. in 1999. EMV Co. is
responsible for managing and maintaining the specifications.
However, to further make life interesting we have the EMV standards, but then on top of
that each card scheme, Visa, MasterCard etc. has their own implementation specifications
that define how they specifically want you to interpret the EMV standards. This is an
added level of complexity for the application developer who has to ensure that their
solution supports both of the Visa and MasterCard specifications. Now the purpose of
these card scheme specifications was because EMV in itself allows you quite a broad
scope of what you can do, it’s really a tool kit for achieving certain things. Now that’s fine
in itself but it meant that the EMV standard was open to a lot of interpretation about things
which are optional, shall I do them or shan’t I. So along came Visa and MasterCard and
said well no, it may be optional in EMV but it is mandatory under our card scheme, you
must do this, you must do that, and they wanted to make sure that people implemented
EMV in the way that they wanted.

NCR Confidential - Use Pursuant to Company Instructions

Page 3 of 8
 Seminar on Demand
by ISG Learning

(Slide 5)
To ensure that everyone is compatible,
EMVCo put in place a certification scheme
that principally comes in two levels. There
is Level 1 which really addresses the
hardware so you are talking about the card
reader and the terminal hardware itself; and
then there is Level 2, which is your terminal
application. But on top of that along comes
Visa and MasterCard with their own
scheme approval tests. Now again this is a
bit strange because at the end of the day if
they are all compatible on their
implementation specifications then surely it would be possible to have one industry wide
certification saying this terminal is compatible regardless of which card scheme it has.
Once you get into card schemes, they want the look and feel, the branding and this sort of
thing to be observed so that is really what this scheme approval is about. It also tends to
test to a higher level, because level 2 is the application, but it is taken in isolation from it’s
environment of use, so they will look at the ATM and say, yes, the ATM performs this,
where as with scheme approvals they try and encompass more of the end to end piece
and what the host does as well. The EMV/CAM2 Exits for Advance NDC product NCR
has got Level 2 approval.

(Slide 6)
Well, having established where it has come
from, what goals do they have for this
standard? Well, first thing they wanted EMV
to do is to reduce counterfeiting. Magnetic
stripe technology is just so open for abuse
because at the end of the day it is a very
passive technology, it’s just a piece of data
written on a stripe. ICC or Smart Card
technology allows the card to play an active
role in the whole credit process.
Firstly the card must authenticate itself to
the terminal using RSA encryption
techniques with Public key / Secret key
pairs and Certificate Authorities to sign keys that can be verified using the CA public key.
The CA will only sign Public keys of valid issuers thus eliminating counterfeit cards.
Then we have fraud losses and costs; Off-line PIN is what people refer to as PIN at Point-
of-Sale or Chip and PIN. The idea here is that you’re going to have a PIN stored securely
on the card which authenticates the user at the point of use, and should the user not be
genuine then we would expect that they will not know the PIN and thus, too many wrong
PINs the application gets blocked, effectively making it unusable, thus reducing those
frauds. Between the card and the terminal, logic can decide between the cardholder’s PIN
being authenticated on-line or offline and whether the cardholders signature is required.
The ATM involvement here is really because of the fact that the ATM is being looked at as
mechanism for providing PIN management. The network is already there, it’s readily
available, people are familiar with the ATM as a place to change their PIN, and so it
makes a logical place to manage your off-line PIN. The ATM itself though would not

NCR Confidential - Use Pursuant to Company Instructions

Page 4 of 8
 Seminar on Demand
by ISG Learning

generally be using the off-line PIN, certainly not in the NDC environment, but it is possible
in the future that, maybe for instance in the off-premise market, that off-line PIN is looked
upon as a possible way of doing cash withdrawals, reducing the amount of times you go
on-line.
Next we have the Offline Transaction Authorisation. The card itself can now decline
transactions based on the card data, as we mentioned earlier, is actively participating in
the credit process, it knows things like, when was the last time it went on-line. What you
have got is a number called the velocity limit stored on the card, this velocity limit is an
indication as to how often the card should go on-line to authorise a transaction. So if a
particularly risky customer is constantly abusing their credit cards, then what you can do is
change the velocity limit, forcing the card to go on-line every single transaction or every
other transaction. But if you have got a good, solid customer who rarely goes anywhere
near their credit limit for example, you can reduce the number of times they go on-line.
You have got a lot more control, you can set limits and the card does Risk Management
so it can say whether to decline or accept a transaction.
EMV ICC applications are all about card, cardholder and transaction authentication. But to
help ensure worldwide adoption of EMV, they have used well established standards such
as ISO 7816 to ensure the technology is well proven and low cost. And they haven’t
closed the standard to other technologies either. Providing it’s well behaved, applications
like electronic purse (Mondex and CEPS) and loyalty schemes, passbooks , medical and
identity applications, can sit along side the EMV application on the same card. There are
some countries that already have their own non EMV applications on smart cards, so
these are the sort of things that will need to co-exist. Any application that you want to put
on an EMV card should be ISO7816 compatible and, providing the application can follow
the standard mechanisms for finding and selecting an application then they can normally
co-exist happily.
Future proofing of EMV applications is improved further by the ability to update data on
cards remotely - this could be to change card limits, activate a new cardholder verification
method, change PIN numbers etc. and EMV also has future proofing built into its
architecture through the use of expandable data structures and lists. All implementations
will have to impose their own limits for practical reasons and you should keep an eye open
for what these limits are.
The main thing is that all the EMV Certification versions so far are both forwards and
backwards compatible. So an EMV 3.11 card will work in an EMV 4.2 terminal and visa
versa.

(Slide 7)
There are always going to be hurdles in the
way of implementing any new technology.
In terms of implementing EMV and ICC
technology firstly there is the question of
local industry and legislative rules. in the
UK we are quite fortunate; we have less of
an issue with domestic specifications
compared to some countries such as
Germany for instance, they have quite a
strict domestic rules that get involved far
more in the operations of an ATM, the way
it operates and the user interfaces.
The really big hurdle is the cost of upgrading, there is a of a lot of things that need to be

NCR Confidential - Use Pursuant to Company Instructions

Page 5 of 8
 Seminar on Demand
by ISG Learning

upgraded; from the card itself all the way back up through to the issuer. Every system that
sits in between is going to have some sort of upgrade and the ATM is just a small part of
that.
Then you’ve got hurdles such as other projects. PCI DSS is a particularly pertinent one at
the moment, a lot of work is required, there are a lot of mandated dates that you must
meet to deliver certain things and you only have a finite resource and so you are going to
have to prioritise.
Then there is the learning curve to understanding EMV. The changes involved are going
to affect everyone. The cardholder will have more choices to make; they may have to
enter a PIN when buying goods or choose which application to use on a multi-application
card for example. The issuers’ staff will also need educating, from the implementers who
will need an in-depth understanding of EMV right down to the branch and support staff
who will be helping cardholders through the transition.
Finally there is Industry Acceptance. The banks and issuers are a small part of the
change, all of the large retailers that own their own equipment will need to upgrade,
anyone that operates a switch or a gateway may have to upgrade to support larger
messages for example.
So will EMV be worth it?

(Slide 8)
The UK implemented EMV from 2001 to
2004 and in certain areas it has proven to
be an undoubted success.
Face-to-face card fraud now represents just
16% of total card fraud losses (down from
59% from 1996), despite the number of
cards in issue increasing by approximately
77% over the same period, and the number
of shop terminals nearly doubling over the
same time period.
Chip and PIN has meant that card fraud
losses in the UK high street have declined
by 55% since peaking at £218.8 million in
2004. However, there was a 35% increase
in this type of fraud in 2008, mainly driven
by the increase in account takeover, leading
to criminals fraudulently using genuine cards and PINs in retail locations within the UK.
Account Takeover involves a criminal fraudulently using another person’s credit or debit
card account, first by gathering information about the intended victim, then contacting their
bank or credit card issuer, masquerading as the genuine cardholder. The criminal will then
change the address on the account and ask for replacement cards to be sent to the new
address.
Thanks to the introduction of chip and PIN fraud on lost and stolen cards is now at its
lowest level since the UK started keeping records in 1991.
Fraud losses on cards being stolen whilst in transit, after card companies send them out
and before the genuine cardholders receive them, are at their lowest level for more than
ten years and are 86% lower than in 2004.
Although there was a 31% increase in ATM fraud in 2008, it is still significantly lower than
in 2004, the peak year when losses totalled £74.6 million. The rise in 2008 is partly down
to the increase in account takeover, leading to criminals fraudulently using genuine cards

NCR Confidential - Use Pursuant to Company Instructions

Page 6 of 8
 Seminar on Demand
by ISG Learning

and PINs at UK cash machines. The majority of cash machine fraud is still the result of
cardholders keeping their PIN written down in their purse or wallet, which is then stolen.
Mainly due to the continuing success of chip and PIN in the UK, fraudsters are now
targeting environments that do not yet use chip and PIN, such as the internet, and
particularly countries overseas that have not yet upgraded to EMV.

(Slide 9)
Whilst card usage and transaction volumes
continue to grow, card fraud losses against
total turnover for 2008 is only 0.124%,
significantly less than in 2001 (before the
introduction of chip and PIN) when fraud-to-
turnover was 0.183%. So whilst this graph
shows a return to an upward trend,
remember that the number and value of
transactions is also increasing year on year.
Had the pre 2001 trend, before EMV was
introduced, continued, fraud would have
been several times higher than it is today.
Almost £610 million of fraud is out of £603 billion worth of transactions made on UK issued
cards in 2008. The two main areas of fraud in 2008 in the UK were on transactions not
protected by chip and PIN: specifically internet, phone and mail order fraud; and fraud
abroad - committed by criminals using stolen UK card details in countries yet to upgrade
to chip and PIN.
The successful introduction of chip and PIN in the UK means that fraudsters are
increasingly being driven overseas to commit card fraud in those countries that have not
yet rolled it out. Criminals steal the magnetic stripe details from UK cards to make fake
magnetic stripe cards for use overseas, in countries yet to upgrade to EMV. At £230.1
million, fraud abroad now accounts for 38% of total card fraud losses.
The countries where fraud is occurring on UK-issued cards has changed markedly over
the past four years, moving away from countries that have implemented EMV. For
instance, there has been a marked decline in skimmed UK cards being used in France,
which has also completed its chip and PIN rollout. Instead, fraud on UK-issued cards
being used in the USA has increased by 181% since 2005, to £31.7 million in 2008. It is
now the top country for fraud abroad committed on UK-issued cards. Canada has now
moved into the top three, and joins Australia, with fraud losses in both countries standing
at £10.8 million.
As more and more countries around the world progress their chip and PIN rollouts, it is
expected that fraud will continue to shift towards countries such as the USA, which as yet
has no plans to implement EMV.

NCR Confidential - Use Pursuant to Company Instructions

Page 7 of 8
 Seminar on Demand
by ISG Learning

(Slide 10)
In addition to saving money by reducing
fraud, don’t forget that you’ve got other
things like reduction of processing costs.
This may be more from a retailer angle, but
also for the issuer the fact is that if you’re
processing fewer transactions on-line at
peak times, then you can reduce the
amount of equipment, manpower etc. that
sits behind the scenes to handle these on-
line transactions.
There will also be some advantages from
the reciprocity fees because what is going
to happen is that if you’re not doing chip transactions; your transactions are going to
become more expensive.
The thing that is going to make the institutions move to EMV is going to be the liability
shift. The card schemes mandate key dates for each region and country including liability
shift.
If you are not processing smart cards by that date and a fraud is committed through your
terminal, then it is the non-chip party that will pay for the losses. The card issuer will no
longer be picking up those losses; it is the party that hasn’t implemented EMV that will not
get paid.
The final possible benefit for moving to EMV is potential incentive schemes. Some of the
card schemes like Visa were offering incentives for institutions who were going to be
classed as early deployers, so if you are going to be one of the first in your geographic
region to deploy EMV, it might be worth seeing if there are any incentive schemes still on
offer. Visa in particular were putting up quite a lot of money in each region to encourage
people to move to EMV, and that may manage to offset some of the costs of
implementing.

(Slide 11)
Hopefully I have shown you where EMV
has come from and why it is so important to
implement. There may be a few hurdles to
overcome to make this a worldwide
standard but there are some major cost
savings to be made by moving to chip and
PIN. Until every country has implemented
EMV then we will not see the full benefits,
but any reduction in fraud is a good thing.

//End of Presentation//

NCR Confidential - Use Pursuant to Company Instructions

Page 8 of 8