|· EMV: The Journey From Mag-Stripe to Chip Cards|
|In 1994, representatives of Europay International, MasterCard, and Visa created a working group whose goal was to increase the security level of credit/debit cards by replacing smart cards with traditional magnetic stripe cards. |
"EMV" (Europay International, MasterCard, Visa) and created a specification which describes how EMV-compliant smart cards must behave when used at a POS (Point of Sale) terminal or ATM (Automated Teller Machine). (The three original companies have been reduced to two: a MasterCard/Europay merger - in the works for almost a year - was completed at the end of June 2002.)
The main reason driving migration to EMV smart cards is combating fraud. Magnetic stripe cards are relatively easy to clone, copy, or skim. According to Technology in Banking and Finance magazine (www.t-b-f.com), credit card fraud in the UK, for example, increased by 40% in 2001, reaching £400 million. £160 million of this was due to counterfeit cards alone. The second reason for migration is to enable POS transactions to be completed offline in a secure manner, eliminating the necessity for these to always be authorized online, as is currently the case.
The shift in liability to the so-called "chip-non-supporting" party by January 1, 2005 has been agreed to in principle, and is facilitating EMV Migration in Europe. After this deadline, a "chip-non-supporting" party will be liable for any fraudulent transactions - which could include banks or merchants.
Various migration speeds
The transition to EMV cards is based on individual migration plans for different geographic regions. Europe is the frontrunner; countries such as France, the UK, and Germany are taking the lead, with many other EU members close behind. Greece is making a major effort to have its EMV infrastructure up and running for the 2004 Olympic Games. In Asia, Japan, Taiwan, and Korea are well into the migration process, having started it as early as 1998. Experts say that other countries, such as Malaysia, are rapidly following suit. MasterCard just held its first EMV training sessions for Malaysian banks in August 2002, and that country is poised to play a leading role in the migration process.
While migration in Europe and Asia is well underway, the USA is lagging far behind; many Americans have never seen or used a "smart" credit/debit card - unthinkable for Europeans. We will briefly discuss this issue at the end of this article. Before this, however, we will raise some of the technological issues as well as companies involved in this immense project.
It's not just about cards…
The changeover from magnetic stripe to EMV smart cards involves complex technologies, infrastructures, and processes. In some cases, "chicken-and-egg" debates have arisen: should EMV cards be issued first or should POS and ATM terminals be upgraded first? It is proving practical to push both. While card issuers are now issuing large numbers of EMV-compliant cards throughout the world, terminal manufacturers are working full speed ahead to produce the terminals necessary for reading the cards (also known as Electronic Fund Transfer Point of Sale terminals - EFTPoS for short), and MasterCard and Visa are offering businesses a variety of incentives to sweeten the investments they must make to complete the migration process.
Cards and personalization
Compared to "prehistoric" magnetic stripe cards, EMV smart cards are rocket science. Whereas only a comparatively small amount of data can actually be stored on a magnetic stripe, smart cards can - and must - store much more data, including cryptographic keys required for securing cards and transactions.
An EMV-compliant smart card has four application layers. The lowest layer is the secure microprocessor itself, i.e. the actual silicon chip. For the chip to communicate with the outside world, it needs the next layer, or chip operating system (OS). On top of this is the actual EMV application, which complies with EMV specs but may also include issuer-specific features such as loyalty schemes or other functionality. The top layer contains cryptographic keys and user data. Because so many different players are involved here, chip manufacturers, card-OS manufacturers, and personalization application providers must all work together closely to keep up on innovations and developments in each others' fields and guarantee interoperability at all times.
To attain the high security level required for EMV cards, an elaborate personalization process is required. The two major steps of this process are:
Generating data for the EMV card, and
Loading this data onto the card itself.
The data generation process is twofold; it must (among other things) provide watertight verification of both the card issuer as well as the cardholder through Public Key Infrastructure (PKI), [link to Silicon Trust Site glossary definition!] structures. Data generation processes include the following steps:
||Setup of bank-ID and application-ID information as well as all control files specifying how the card data is to be processed.|
||Generation and certification of cryptographic keys needed to verify the issuer. This is the typical procedure required by all PKI solutions: after a key pair has been generated, it must be certified, i.e. signed by a Certification Authority's (CA) private key, after which it is returned to the user - in this case, the issuer - as an official Issuer Certificate. All terminals in which the issuer's cards will be accepted will be able to verify the issuer by means of this process.|
||Supplementation of old data (i.e. from magnetic stripe applications) with the additional data needed for the smart card to be made. Any system used to generate EMV card data should be capable of ensuring that this data is backwards-compatible, i.e. readable by terminals which are not (yet) EMV-enabled.|
Once the data is generated, it must be loaded to user cards using a dedicated hardware/software infrastructure. Steps include:
||Hardware setup so that input files created in the process described above can be read by all hardware modules.|
||Installation of all keys necessary to "unlock" both the data which has been created as well as the card onto which this data is to be entered.|
||Strict auditing of all procedures to track exactly what data has been entered onto which card, and to whom this card (will) belong(s).|
Cards can also be personalized after issue - a process which cardholders may also be able to do themselves, i.e. via Internet, depending on the card issuer's program. To enable this, card issuers must have robust smart card lifecycle management systems (SCMS).
PIN-at-the-POS and other functionality
Consumers who constantly use debit cards at ATMs won't necessarily notice much difference when they finally get EMV-enabled cards - they already have to verify themselves to the ATM with their PIN. EMV cards will let consumers pay retailers using the same procedure, i.e. they will have to enter their PIN number on a card reader when paying for retail purchases with the EMV card, instead of hand-signing a receipt. A retailer's terminal can also verify the card in an offline mode, though a card will still have to be verified online every set number of uses.
This latter point is crucial to the security of EMV cards. There are currently two competing data authentication procedures issuers can use: Secure Data Authentication (SDA) and Dynamic Data Authentication (DDA). The former method is cheaper, but not as secure. An EMV-compliant POS terminal would only need to verify that the contents of an SDA card had not been changed, based on the card's digital signature. A DDA card, on the other hand, generates a different digital signature for every transaction. A cloned card would be rejected at the terminal because its digital signature would have been previously used. DDA technology will eventually prevail, but card issuers are first issuing SDA cards while they wait for the cost of DDA cards to fall.
There's no end to new functionality issuers are developing for EMV cards and related payment functions. Concrete examples include:
||Loyalty programs built into EMV cards which might have members-only packages or give cardholders the chance to enter drawings and contests.|
||E-purse (micropayment) functionality, due to the fact that EMV specification requires cards to include both debit and credit functions. If issuing banks enable cards to be automatically reloaded, consumers would be spared the inconvenience of manually loading them.|
||EMV and PKI functionality on the same card - a sort of "super-card" consumers could use to digitally sign documents as well as make payments.|
||EMV-compliant terminals are being developed for television set-top boxes, which would allow consumers to pay for many types of products and services. John Elliott, Principal Consultant of Hyperion Consult, estimates that there may be ten times as many televisions able to accept EMV cards as POS-terminals in shops, by the time EMV migration is complete!|
At the beginning of this article we noted that adoption is not at the same level in all countries. This is of course a normal characteristic of wide-scale migration to new technologies. What's surprising in this case, however, is that while Europe and Asia, and at least one African country (South Africa) are well along in the process, the USA is lagging far behind. Why?
Absence of Business Case?
One US American expert, John Butterworth, President of Security Sciences International, says that the USA is "treating [EMV migration] as though it's [mandated for the year] 2803!" Butterworth is not only astounded at the lack of infrastructure and applications, but also at the lack of understanding for the benefits EMV standards will provide. He sees American resistance partially as the attitude "if we didn't invent it, it can't be good." He also points to figures stating that 82% of Americans have no access to a checking account or credit cards, with 60% living at the poverty level. There are efforts underway to introduce smart cards with credit/debit functions for certain groups of "bankless" Americans in the form of so-called "plastic paychecks" - smart cards on which a person's salary could be loaded and which could be used to pay for goods and services. These include only a fraction of full EMV functionality, however.
Experts from Visa and MasterCard are concerned with developing business cases that would succeed in the United States. They are working with issuers, for example, to let these define the functionality they want to provide their customers. Such functionality might even be based on limited regional or target-group requirements - not a "one-size-fits-all" approach taken on other continents. It seems that although Americans find security important, this issue is not significant enough to drive widespread smart card / EMV card acceptance in the USA; smart cards will only succeed if the future income streams they promise are enticing enough to financial institutions.
The two major credit card institutions are instituting similar EMV card programs with slightly different flavors. Visa is highlighting "advanced" services for the US: consolidation of many store and discount cards filling the American consumer's wallet, secure Internet payments using smart card readers, access to "smart Space, an exclusive Web site for smart Visa cardholders with the latest in entertainment, incredible shopping deals, unbelievable travel discounts, and unique auction items." MasterCard's palette is similar: "chip-based credit and debit, personal data storage, digital ID and security, loyalty, e-ticketing, e-couponing and stored value" which issuers will be able to pick and choose among to offer their customers. But EMV migration is proving to be a tough fight in gaining consumer trust - or just plain EMV-card-using consumers - in the USA.
Different technology flavors
With few differences as to the value they can offer consumers, Visa and Mastercard often focus on the different technologies they use to provide their services. MasterCard says it supports "all major smart card environments (MULTOS, JavaCard, and proprietary platforms). Members are also free to choose the size of the chip [i.e. 16 or 32K], the technology platform employed, and any enhanced security features they wish to add to the card." Visa says that its technology strategy is different from MasterCard's in that it uses open, not proprietary, standards.
Important field for Silicon Trust Partners
Datacard, Giesecke & Devrient, and Secartis are three Silicon Trust partners who provide sophisticated goods and services for financial institutions wishing to migrate to EMV. In June 2002, Datacard announced its new alliance with MasterCard, in which Datacard would supply MasterCard members with comprehensive solutions for developing, testing, personalizing, and managing smart cards. Datacard consultants will also help train MasterCard members in a wide spectrum of card-related processes. The company's solutions for MasterCard include its Affina™ Platform Management Architecture, a card lifecycle management solution. Datacard (together with IBM and STMicroelectronics) has also developed a personalization system for Visa "low-cost" cards (cost between $ .99 and $1.99 as opposed to $3.00; deployed by Visa as a transitional card to be used during the migration process).
Giesecke & Devrient provides chips, cards, card operating systems, and applications required by the EMV scheme. It has a complete line of these for both Visa and MasterCard programs, and also provides custom-tailored solutions for various national schemes (e.g. Italy's Progetto Microcircuito and the UK's UKIS [United Kingdom Integrated Circuit Card Specification]) which are subsets of the worldwide EMV program. Giesecke & Devrient has also been awarded major contracts in other European countries as well as in the Asia-Pacific region. Secartis, the Giesecke & Devrient spinoff, is working hand-in-hand with Giesecke & Devrient in the Visa Pacific Chip Migration Partner Program.
It is difficult to predict when EMV specifications will actually be in place throughout the world. But major players such as Oberthur Card Systems and Gemplus are optimistic, expecting the market for such advanced financial services to grow well, albeit in different waves. The future is definitely in smart cards, and at some point, magnetic stripe cards will only exist in museums.
www.emvco.com (EMV standards)
www.mastercardintl.com/newtechnology/ (Information on MasterCard smart card programs)
www.international.visa.com/fb/main.jsp (Information on VISA smart card programs)
Silicon Trust Partners mentioned in article:
Other companies/organizations mentioned in article: