EMV

Frequently Asked Questions

What is EMV?
EMV is an open-standard set of specifications that ensures functionality between smart chip cards and payment terminals. EMV
originated as a joint effort among Europay, MasterCard® and Visa® to improve payment safety through better card security and
improved standards. Today, EMVco is owned by Visa, UnionPay, MasterCard, JCB, Discover and American Express. Payments industry
organizations participate with EMVco as technical and business associates. Worldpay is a business associate in EMVco. Find more
information at www.emvco.com

How are chip cards different from existing magnetic stripe card technology?
The EMV “chip” is a secure microprocessor built into a card or other payment devices (e.g. mobile wallet on smart phone). The chip
generates a unique number for each sales transaction, making it extremely difficult to use a cloned card fraudulently on a card-present
transaction. Magnetic stripe cards use static cardholder data that remains the same for every transaction, which makes them attractive
targets for theft, cloning and use in card fraud.

In addition to strong security features, chip technology includes other capabilities—like Near Field Communications (NFC)
technology—which lets merchants accommodate both contact and contactless payments.

Why are EMV chip cards being promoted as a payment standard in the US?
EMV chip cards are already well-established outside the US, particularly in Europe. Crime migrates to the easiest targets, which right
now includes the US. Upgrading to the EMV standard is anticipated to greatly reduce card fraud here in the US.

Why will more US merchants move to the EMV standard in 2015?

Beginning October 1, 20151, the major card networks agreed to shift financial responsibility for losses due to counterfeit card-present
card fraud to the party using the least secure technology. Merchants that want to avoid this liability should implement EMV chip
technology in their point-of-sale (POS) devices before the deadline.

Chip and PIN payment devices are deemed most secure for card-present transactions. Ask Worldpay if you need help making decisions
about EMV POS device purchases.

What does the financial liability shift mean and how will that affect my business?
Merchants who don’t use EMV capable—and enabled—POS equipment after October 1, 20151 will be responsible for card-present fraud
losses in the following instances:

• Counterfeit EMV card: Visa, MasterCard, Discover and American Express move liability to the merchant
• Lost or stolen card: American Express, Discover and MasterCard move liability to the merchant; Visa keeps liability with the issuer
Please note a chip and PIN terminal provides the most secure transaction environment available today.

© Worldpay 2014. All rights reserved. Worldpay, the logo and any associated brand names are trademarks of the
Worldpay group of companies. Worldpay US, Inc. is a registered ISO/MSP of Citizens Bank, N.A.
10/14
EMV Frequently Asked Questions

What makes EMV transactions secure?

Card authentication, cardholder verification and transaction authorization processes are all enhanced with EMV. Specifically:

Card Authentication: Is the card real? Unique data for each transaction travels between card, the POS device and issuer to ensure
authenticity. EMV transactions also create unique transaction data, making captured transaction data incapable of being used to
execute additional, new transactions.

Cardholder Verification Method (CVM): This step validates the cardholder as the legitimate owner of the card, using
verification parameters set up by the issuer. The issuer of the card determines which of the following four methods will be required for a
particular transaction: online PIN, offline PIN, signature or no CVM required. EMV supports each of these four verification methods.

Transaction Authorization: Like today’s magnetic stripe transactions, transaction information is sent to the issuer for approval.
What’s different is a transaction-specific cryptogram (code) is also sent to the issuer who then either approves or declines the
transaction and sends a unique response cryptogram back to the POS device for the card to interpret and validate the transaction.

The dynamic exchange of information needed to execute each transaction provides the extra security missing from the static, old
technology used in magnetic stripe transactions.

How many US credit cards will be EMV-enabled by the end of 2015?

The Aite Group predicts 70% of US credit cards will be EMV-enabled by the end of 2015. It also predicts there will be 4.5 million EMV-
capable payment terminals in the US market by the end of 2014, and growing to nearly 7 million terminals by end of 2015. (The Aite
Group, LLC, is an organization that provides research and advisory services focused on business, technology, and regulatory issues and
their impact on the financial services industry.)

What are the key benefits of moving to the EMV standard?

• Improves transaction security for credit and debit card-present environments
• Creates common cardholder experience globally
• Supports multiple methods of cardholder verification (signature, pin, etc.), providing flexibility of payment acceptance without
sacrificing security
• Bundles emerging technologies--POS devices with chip technology are often grouped with NFC (contactless) and mobile; EMV
adoption accelerates merchant capabilities to accept payments in new ways

When can US businesses expect customers to begin presenting EMV chip cards
for payment?
Now. The Smart Card Alliance/EMV Migration Forum in May 2014 estimated chip cards in the US total between 17 and 20 million. It’s
important for businesses to develop EMV POS equipment adoption plans now.

Should merchants upgrade or buy new POS hardware and PIN pad devices?
Review existing POS equipment or systems to learn if upgrades are possible or whether new EMV-compatible POS hardware must be
purchased.

Standalone POS. The only job of stand-alone POS is to authorize and clear payment card transactions and it is the easiest EMV
solution to implement.

• Is your POS device EMV compatible? (Does it have a slot for EMV cards? EMV-compatible terminals have a slot, typically located
at the bottom of the terminal, into which the EMV chip card is inserted and read; this slot is different from the side swipe used
with magnetic stripe cards.)
• If POS EMV compatible, will you need to schedule a service call to have EMV software installed or will a remote software download
be available? (Ask your payment processor—which is Worldpay if we do your payment processing)
• Worldpay’s standalone EMV solutions: POS VX 520 terminal and VX 680 wireless terminal. A remote EMV software download will
be scheduled before the October 1, 2015, liability shift.

© Worldpay 2014. All rights reserved. Worldpay, the logo and any associated brand names are trademarks of the
Worldpay group of companies. Worldpay US, Inc. is a registered ISO/MSP of Citizens Bank, N.A.
10/14
EMV Frequently Asked Questions

Should merchants upgrade or buy new POS hardware and PIN pad devices? (Cont.)
Integrated POS systems. Merchants using an integrated POS system should contact the independent software vendor (ISV) that
supports the merchants’ business applications and POS system.
• Learn if the ISV has contacted the merchant’s payment processor (like Worldpay) to do EMV testing and certification
• The processor will inform ISVs or POS vendors what testing tools they will need to obtain before testing can occur
• Worldpay is currently working with its POS vendors and ISVs on testing and certifications for every currently certified POS method
• We anticipate Worldpay’s major certifications will be completed by the end of 2015. Worldpay will continue to work with all our
supported ISVs to add EMV functionality as quickly as possible. In some instances, EMV support may not be available until after
the October 1, 2015, deadline. Worldpay customers may contact a Worldpay representative to determine the exact roadmap of the
POS system used at their location.

How does EMV apply to payment gateways?

Some merchants connect to their payment processor through a payment gateway. Gateways used for card-present transactions will
also need to undergo EMV testing and certification. Note that eCommerce payment gateways, which operate in a card-not-present
environment, will not need changes for EMV.

What should merchants consider before making a POS device purchase?

Merchants should understand EMV-compatible POS device capabilities. POS devices that incorporate the EMV standard will be able to
use up to four cardholder verification methods:

• Signature
• Online PIN
• Offline PIN
• No CVM
Determine if the new POS device that you’re considering will have contactless payment capabilities. Many POS devices bundle EMV-
capable and contactless (NFC) payment features. This may allow you not only more secure transactions but also more ways to accept
payments in the manner your customers want to pay.

What is my timeline for establishing EMV acceptance?

The payment network rules do not require you to switch to an EMV card acceptance process; however, if you do not switch to an EMV
card acceptance process by October 1, 20151, you will be held responsible for the costs associated with use of a counterfeit EMV card in
a card present transaction at your location.

We recommend that businesses upgrade their POS equipment to a version that is EMV “future ready.”

• For most merchants October 1, 2015, is the deadline for EMV acceptance capabilities
• For petroleum merchants using automated fuel dispensers (AFDs) October 1, 2017, is the deadline for EMV acceptance capabilities

How can a Non-EMV-compatible device accept an EMV card for payment?

EMV cards issued to US cardholders will be hybrid versions, meaning the card will have a magnetic stripe on back and chip on front. As
a result, EMV cards presented for payment can still be accepted at a non-EMV-compatible POS device (payment terminal).

Is PCI DSS compliance still necessary after EMV POS devices are implemented in my
business?
Yes. PCI DSS examine the payment environment and evaluate how your business accesses, transports or even stores cardholder data.
PCI DSS compliance will remain a requirement.

© Worldpay 2014. All rights reserved. Worldpay, the logo and any associated brand names are trademarks of the
Worldpay group of companies. Worldpay US, Inc. is a registered ISO/MSP of Citizens Bank, N.A.
10/14
EMV Frequently Asked Questions

Is end-to-end encryption (E2EE) still relevant with the introduction of EMV chip
cards?
Yes. The chip in an EMV card protects individual transactions by adding a secret number only the card issuer knows, which verifies
that the transaction is legitimate through an EMV-compatible POS device. However, EMV is not designed to encrypt the sensitive card
information (Account Number, Exp. Date, etc.). Therefore, it is still possible for thieves to duplicate card data and create counterfeit
cards that can be swiped for use at businesses that haven’t upgraded to EMV-compatible or EMV-enable POS devices or could be
used with online retailers. Encryption removes this cardholder data for your POS device, which simplifies the scope of your PCI DSS
obligations.

Merchants who participate in Worldpay’s E2EE program receive an indemnity waiver of up to $100,000 in total—which includes up
to $30,000 in approved compromise associated costs, such as forensic audits and fines, as part of Worldpay’s PCI Program , plus an
additional $70,000 if you experience a compromise as a result of the failure of Worldpay’s E2EE equipment to encrypt when used
properly. Note, not all card transaction types are available for the E2EE service, and additional terms and conditions apply so contact
your Worldpay representative if you are interested in learning more.

EMV capabilities along with E2EE are a great combination for highly secure payment acceptance.

What role will EMV have in payments for the online, card-not-present environment?
(Internet purchases)
Currently, the EMV standard exists solely for the card-present, face-to-face environment. Worldpay will work closely with the card
associations to monitor any new requirements for card-not-present transactions.

What is Worldpay’s EMV status?

• Worldpay completed certification with all major card brand networks in 2013 (Visa, MasterCard, Discover & American Express)
• Worldpay back-office systems incorporated EMV updates into the October 2014 Fall Release system updates
• Worldpay’s EMV-compatible standalone POS device solutions are available now and incorporate NFC (contactless) capabilities
too: VX 520 and VX 680 (wireless terminal). Software to enable EMV will be released by Worldpay before the October 1, 2015,
deadline
• Testing and certification with Worldpay POS vendors is under way

If you have additional questions, contact a Worldpay representative. We’re happy to help.

1
For petroleum merchants using automated fuel dispensers (AFDs), October 1, 2017, is the deadline for EMV acceptance capabilities. ATMs have different
deadlines from the card networks, the earliest of which is MasterCard’s liability shift deadline in October 2016.

This content is not intended to provide a complete explanation of applicable laws, rules, or regulations. It should not be considered legal or compliance
advice. Individual situations will differ, and any questions or concerns should be discussed with your own lawyers and advisors.

© Worldpay 2014. All rights reserved. Worldpay, the logo and any associated brand names are trademarks of the
Worldpay group of companies. Worldpay US, Inc. is a registered ISO/MSP of Citizens Bank, N.A.
10/14