
"Cardholder Verification Methods: Concepts, Implementations and Impacts" is presented
by the Communication and Education Working Committee of the EMV Migration Forum.
This presentation was created in response to the many questions the committee has
received about cardholder verification methods: what are they, how are they
implemented, and how do they impact issuers, ATM owners, merchants and cardholders?
This presentation focuses on U.S. implementations and use of contact chip cards and
contact chip readers. Although this presentation covers common scenarios, it is
important for each industry stakeholder to confer with their payment network
representative, processor, card personalization bureau and other partners when making
decisions related to cardholder verification methods, since business requirements
and specific implementations may vary.
In this presentation we will review some basic concepts, issuer implementation
considerations, terminal implementation considerations and the cardholder experience
as it relates to cardholder verification methods. We will summarize the presentation
by providing some resources and references and by acknowledging the project team.
In the context of a transaction, the cardholder verification method, or CVM, is used
to evaluate whether the person presenting a payment instrument, such as a payment
card, is the legitimate cardholder. An understanding of CVMs is critical to all
stakeholders in the payments ecosystem.
Issuers need to understand CVMs so they can decide which CVMs to support in their
chip cards and in what priority order based on their business needs.
Merchants need to ensure that their terminals can support the minimum CVM
requirements for the major payment networks. Merchants also need to ensure that
their staff can assist customers at the point-of-sale.
Acquirers, processors and value-added resellers need to ensure that their terminals
support the minimum CVM requirements for the major payment networks.
There are three categories of CVMs: PIN, signature and no CVM required. The PIN can
be either online PIN or offline PIN. These are not the only CVMs that are available,
but these are the most common ones.
Let's look at each of these CVMs in more detail.
We are all familiar with the concept of online PIN. When using a chip-enabled debit
or credit card at an ATM, the cardholder enters their PIN and selects the
transaction they wish to perform. The PIN is encrypted and the encrypted PIN block
is sent online to a host system. The host performs PIN verification and transaction
authorization and returns the response. We are using an ATM transaction in this
example because we are all accustomed to entering our PIN at the ATM. It is also
possible to use a PIN at the point-of-sale if both the card and the terminal
support PIN.
With EMV it is possible to have the PIN verified between the chip card and a
chip-enabled POS terminal. This is known as offline PIN verification. The
cardholder enters their PIN at the POS terminal. With offline PIN verification, the
PIN is captured by the POS PIN pad and verified by the chip card before the
transaction goes online to the host. Let's say that the cardholder enters the
correct PIN and it is verified successfully. When the transaction goes online for
authorization, the request will not include the encrypted PIN but will indicate that
offline PIN verification was successful. The host will approve or decline the
transaction, taking into consideration the result of offline PIN verification
provided by the terminal, and the transaction response will be returned to the
terminal.
We are also familiar with signature as a CVM. The transaction request is sent
online to the host and the host authorizes the transaction. The response is sent
back to the terminal. The cardholder then signs an electronic signature pad or a
paper receipt. The merchant may or may not verify the signature.
Merchants may allow cardholders to pay for their purchase without entering a PIN
or providing a signature. In other words, no form of cardholder verification is
required. No CVM is typically used for low value transactions. It is also frequently
used at unattended point-of-sale terminals.
The only CVM that is allowed at U.S. ATMs today is online PIN. This is still true
when using a contact chip card at a chip-enabled ATM. As we will see during this
presentation, both chip cards and chip-enabled point-of-sale terminals can and
usually do support multiple CVMs. Although the CVMs listed here are technically
possible at point-of-sale terminals, it is not required or even likely that every
U.S. POS terminal will support every possible CVM.
Chip cards and chip-enabled terminals can support more than one application
identifier, or AID. Each AID in the chip card uses a CVM list to indicate the CVMs
that are applicable to that AID, and an AID can support more than one CVM. Not all
AIDs support all or even the same CVMs. The CVM list is included in the chip card as
part of the card personalization process. Chip-enabled terminals can support
multiple AIDs, and each of those AIDs can support multiple CVMs.
Now let's look at some considerations for issuers as they begin their chip card
implementations. U.S.-issued credit cards will typically have one AID at this time.
The CVM list for that AID will indicate whether the AID is signature preferring or
PIN preferring at the point of sale. By preferring, we mean whether a signature CVM
or a PIN CVM is higher in the CVM list. U.S.-issued debit cards will typically have
2 AIDs. Each AID will have a different profile, with each profile having its own CVM
list. We will show another example of a U.S.-issued debit card later in this
presentation. For more information about U.S.-issued debit cards, refer to the EMV
Migration Forum presentation "Implementing EMV in the U.S.: How the U.S. Common
Debit AIDs Facilitate Debit Transaction Routing and Ensure Durbin Compliance". This
presentation can be found on the EMV Migration Forum's website using the link shown
here.
Now let's review the logic that is used to decide what CVMs can be implemented on a
chip card and the order of the CVMs in the CVM list on the card. In this example
our card will be used only at ATMs. The first step is to look at all of the
potential CVMs, listed here vertically, and determine which one should be the first
CVM in the list. Since online PIN is the only CVM allowed at an ATM, online PIN is
the CVM that will be first in the CVM list. Next we need to indicate the conditions
under which that CVM will be used. All of the potential conditions are listed
vertically. The only condition in this list that is appropriate at an ATM is for
unattended cash, so that is the condition we will select.
Now we need to indicate what should happen if that CVM is unsuccessful. There are
two options, shown here in the third column. Since online PIN is the only CVM allowed
at an ATM, we cannot allow the cardholder to try a different CVM if the first one
fails, so we must fail cardholder verification if this CVM is unsuccessful. We now
have our first CV rule for an AID on this chip card. Since this AID is only going to
support the online PIN CVM, our CVM list for this AID is complete. If the AID needed
to support additional CVMs, this three-step process would be repeated for each
individual CVM that will be associated with that AID. After all of the CV rules
have been built, the individual CV rules are then combined to create a CVM list that
is personalized on the chip card. Each unique AID on the card can have its own
discrete CVM list.
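
The three-part CV rule built above (CVM, condition, action on failure) and the terminal's walk down the resulting list can be shown in code. This is an added example, not part of the presentation: the byte values follow the CVM List encoding in EMV Book 3, which the presentation does not show, and the sample list and function names are constructed for illustration.

```python
from typing import NamedTuple

# CVM codes (low 6 bits of rule byte 1) and condition codes (rule byte 2)
# from EMV Book 3; only the ones this presentation talks about.
CVM_NAMES = {0x01: "offline PIN (plaintext)", 0x02: "online PIN",
             0x04: "offline PIN (enciphered)", 0x1E: "signature",
             0x1F: "no CVM required"}
COND_ALWAYS, COND_UNATTENDED_CASH, COND_TERMINAL_SUPPORTS = 0x00, 0x01, 0x03
NEXT_RULE_ON_FAILURE = 0x40  # bit set: try the next rule; clear: fail


class CVRule(NamedTuple):
    cvm: int               # step 1: which CVM
    condition: int         # step 2: when it applies
    next_on_failure: bool  # step 3: what to do if it is unsuccessful


def parse_cvm_list(data: bytes) -> list:
    """Decode a CVM list value: 4-byte amounts X and Y, then 2-byte rules."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte CV rules")
    body = data[8:]
    return [CVRule(body[i] & 0x3F, body[i + 1],
                   bool(body[i] & NEXT_RULE_ON_FAILURE))
            for i in range(0, len(body), 2)]


def select_cvm(rules, terminal_cvms, unattended_cash):
    """Name of the CVM the terminal will perform, or None when cardholder
    verification fails (a CVM result, not an automatic decline)."""
    for rule in rules:
        if rule.condition == COND_UNATTENDED_CASH and not unattended_cash:
            continue  # condition not met: rule does not apply here
        if rule.condition not in (COND_ALWAYS, COND_UNATTENDED_CASH,
                                  COND_TERMINAL_SUPPORTS):
            continue  # amount/cashback conditions are outside this example
        if rule.cvm in terminal_cvms:
            return CVM_NAMES.get(rule.cvm, f"CVM 0x{rule.cvm:02X}")
        if rule.condition == COND_TERMINAL_SUPPORTS or rule.next_on_failure:
            continue  # move down the list
        return None   # issuer chose "fail cardholder verification"
    return None


# Constructed sample: zero amounts, then online PIN for unattended cash,
# offline PIN, online PIN, signature and no CVM (each "if terminal supports").
SAMPLE = bytes.fromhex("0000000000000000" "0201" "4103" "4203" "5E03" "1F03")

if __name__ == "__main__":
    rules = parse_cvm_list(SAMPLE)
    print("attended POS:", select_cvm(rules, {0x1E, 0x1F}, False))
    print("ATM:", select_cvm(rules, {0x02}, True))
```
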
The chip card provides information about the CVM list to the chip-enabled terminal
during the transaction, so the terminal is aware of the CVMs the card supports, the
conditions under which each CVM is to be used, and the processing logic the terminal
should follow if a CVM is unsuccessful. It is important to note that although the
card provides instructions to the terminal on what to do if no CVM method is
successful, CVM failure does not and should not result in an automatic decline.
Instead, the terminal should follow the issuer's instructions about what to do when
the CVM is unsuccessful, as configured in the chip. Processing the CVM is only one
step in the transaction; how the CVM results are interpreted is also critical to a
successful EMV implementation.
Here is an example of a CVM list. This chip card supports online PIN at the ATM. For
all other conditions, this card prefers signature at the point of sale but also
supports no CVM when requested by the terminal.
Here is another example of a CVM list. The CVM list in this chip card also supports
online PIN at the ATM. For all other conditions, the card prefers offline PIN when
offline PIN is supported by the POS terminal, then online PIN, then signature, then
no CVM, in that order.
A U.S.-issued payment network branded debit chip card will typically have 2 AIDs, a
global AID and a U.S. common debit AID. There will be two CVM lists, one per AID.
This example shows a debit chip card with 2 AIDs. As you can see, the CVM list for
the global AID is different from the CVM list for the U.S. common debit AID. Note
that for a U.S. common debit AID, a licensing agreement may require that the CVM
list contain a specific set of CVMs in a specific order, which may not be changed by
the issuer.
The major payment networks have established the minimum requirements for U.S.-issued
chip cards and chip-enabled terminals. From the issuer's perspective, this means
that at a minimum the chip card must support the CVMs listed here. For example, all
of the major payment networks require that a global credit AID support signature and
no CVM at the point-of-sale. This does not preclude the issuer from adding other
CVMs to meet their business needs. This chart is just a baseline. Refer to the
"Minimum EMV Chip Card and Terminal Requirements" white paper from the EMV Migration
Forum for more information.
U.S. issuers have several important business decisions to make when selecting the
CVMs for their cards. The card must meet the minimum requirements we saw in an
earlier slide. The card must adhere to payment network rules. Issuers should
consider how and where the card will be used, for example, if the card will only be
used at ATMs. An issuer might consider supporting CVMs over and above the minimum
requirements based on the portfolio or other business needs. EMV architecture
provides a secure way for an issuer to update certain fields in a chip card post
issuance, while the card is in the field, without having to reissue the card. Not
all processors support scripting. Check with your payment network and processor for
more information on this topic.
Whether a chip card should be PIN preferring or signature preferring is the choice
of the issuer. When considering whether to support additional CVMs, it is important
to carefully evaluate business requirements against the cost and complexity of
implementing and maintaining those CVMs and the expected volume of merchants that
may support those CVMs. For example, over 50% of U.S. POS terminals do not support
online PIN today. We will talk more about this when we cover terminal requirements.
Work closely with your payment network and issuer processor to understand all of
the implications related to CVM support. For example, adding the PIN CVM is not a
trivial undertaking. Here are just a few of the things you will want to consider
when making this decision.
Does the payment network have a lost and stolen liability shift? If so, and the POS
terminal supports PIN but the chip card is not PIN preferring, the issuer will not
be able to shift the liability for lost and stolen fraud. Is the card portfolio
experiencing a high amount of lost and stolen fraud? Does the card portfolio include
international travelers or military personnel who may frequently use their card at
terminals that accept a PIN? Is your organization able to support PIN? This involves
more than just the ability to carry the PIN in the online transaction request and
verify the PIN during the authorization process. You will need to support customers
that forget their PIN. There may be know your customer challenges for setting the
PIN for authorized users. You will need to provide a way for customers to change
their PIN, either at the ATM, in the branch, through IVR or other methods. You will
need to understand the various payment network requirements related to online PIN
and offline PIN, including offline PIN management. And of course you will want to
consider the customer experience.
Now let's look at CVMs from the perspective of the terminal. As previously noted,
the major payment networks have established the minimum requirements for U.S.-issued
chip cards and chip-enabled terminals. From the terminal owner's perspective, this
means that at a minimum the chip-enabled terminal must support the CVMs listed here.
As an example, for attended point-of-sale, signature must be supported. Support for
PIN or no CVM is optional at attended point of sale; the decision about which CVMs
to support is made by the acquirer, processor and the merchants. At unattended
point-of-sale the terminal must support no CVM, and ATMs must support online PIN.
This does not preclude the POS terminal owner from supporting additional CVMs to
meet their business needs. This chart is just a baseline. Refer to the "Minimum EMV
Chip Card and Terminal Requirements" white paper from the EMV Migration Forum for
more information. Also check with the various payment networks and your other
partners for their suggestions and recommendations.
Let's walk through an example of how the CVM that will be used for a transaction is
actually selected when a chip card is used at a chip-enabled POS terminal. At this
point in the transaction, the AID to use for the transaction has already been
selected. The card in our example has 4 CVMs in its CVM list for AID1. The terminal
supports signature and no CVM. The first CVM in the card's CVM list is online PIN
for unattended cash, in other words, at an ATM. But we are at a POS terminal which
does not support this CVM, so this CVM cannot be used for this POS transaction. The
terminal then looks at the second CVM in the card's CVM list, which is signature.
The terminal does support signature, so there is no need for the terminal to look
further down the card's CVM list. Signature will be used for this transaction.
Remember that although the card provides instructions to the terminal on what to do
if no CVM method is successful, CVM failure does not and should not result in an
automatic decline. Instead, the terminal should follow the issuer's instructions
about what to do when the CVM is unsuccessful, as configured in the chip. Processing
the CVM is only one step in the transaction; how the CVM results are interpreted is
also critical to a successful EMV implementation.
Let's use the same card again. You stopped to buy a cup of coffee on your way to
work. For certain low value transactions, the POS terminal may default to no CVM if
no CVM is supported by the terminal. For attended point-of-sale terminals, the
decision to default to no CVM for low value transactions is the choice of either the
merchant or the merchant acquirer. A merchant that supports PIN may allow a
cardholder the opportunity to opt out of entering their PIN, for example if the
cardholder has forgotten their PIN. This is known as PIN bypass. For more
information about PIN bypass, please refer to the EMV Migration Forum's white paper
on this topic, which will be available shortly on the EMV Migration Forum website.
Merchant considerations related to which CVMs to support may vary by industry
vertical, by customer needs and by interchange considerations, although interchange
fees and rates do not change for EMV. Merchants need to understand that some payment
networks have a lost and stolen liability shift. If the chip card prefers PIN but
the terminal does not support PIN, and the transaction is later deemed to be lost or
stolen fraud, the merchant or the acquirer may be liable for the fraud. Merchants
will need to assess their level of risk. Restaurants may not wish to support PIN
unless they have pay at the table capability. Consider the feasibility of having a
PIN pad available for the customer. There are many things a merchant will need to
consider if they do not support PIN today but are thinking about supporting PIN in
the future. The merchant must consider the requirements of the various payment
networks they are affiliated with. The terminal must be upgraded to add a PIN pad.
Internal testing and recertification will be required. Clerks must be trained to
assist customers, and each merchant must define their PIN bypass policy.
Now let's talk for a moment about the cardholder experience. The cardholder
experience at the ATM does not change as far as the CVM that will be used: online
PIN is still the only CVM allowed at ATMs. At the point-of-sale, the customer will
be prompted if a signature or PIN is required. This is based on the CVM that is
selected according to the CVMs that the chip card and the chip-enabled terminal
support. For low value transactions, no CVM may be required. It will be important
for cardholders to watch the terminal screen for messages and prompts that will
guide them through the transaction. Additional information about the cardholder
experience can be found on www.gochipcard.com.
We hope this presentation has been helpful. We realize that some of the concepts
presented here are complex. For more information about the topics we have discussed,
please refer to any of the sites listed here. The EMV Migration Forum wishes to
thank the project team and others who contributed to this presentation. Thank you
for watching this presentation. To learn more about the EMV Migration Forum, please
contact us.
