Monday, June 26, 2017

Mag-Stripe Vs EMV Chip Card

| # | Magnetic Stripe Card | EMV Chip Card |
|---|----------------------|---------------|
| 1 | Data on a magnetic stripe card is not encrypted. | Cards cannot be cloned because they use encryption technology. Two totally independent encrypted value fields, Triple DES encryption. |
| 2 | If scratched or bent, it is easily damaged (additional replacement cost). | More durable than a magnetic stripe card. Two totally independent encrypted value fields, Triple DES encryption. |
| 3 | Easily affected by magnetic fields, even by the magnet of a motor, a speaker, or other magnetic cards in the same wallet. | Triple DES encryption. Not affected by magnetic fields. |
| 4 | No such option available. | On-card security traps; the card is password protected. |
| 5 | Each reader installation requires at least one dedicated leased data line to an off-premises server, or a dial-up connection, to validate (extra cost). | Data is stored on the card; no need to connect to the transaction processor for “transaction approval”. |
| 6 | Each card needs to be validated on the host. Requires at least 1 modem per location (10 to 30 seconds + the cost of the call). | Data is stored on the card; no need to connect to the transaction processor for “transaction approval” (< 5 seconds). |
| 7 | Each time the card is used, there is an extra cost per transaction. | Data is stored on the card; no need to connect to the processor for “transaction approval”. |
| 8 | Upgrading cost is higher for old ATM and POS machines that have only a magnetic stripe reader. | Dual-function smart card and magnetic-stripe readers are cheaper. |
| 9 | Lower physical card cost. | Higher physical card cost. |

EMV Terminal
• The issuing bank defines the processing rules via parameters on the chip
• The chip on the card processes transactions information and determines how to apply the rules for processing
• The terminal helps enforce the rules on the chip
• If terminal is unable to provide the services requested by the chip, the issuer may set rules that will result in the chip declining the transaction.

EMV Transaction Flow
1. Card is inserted into EMV Terminal
2. First Half of EMV Transaction Protocol
   a. Application Selection
   b. Read Application Data
   c. Offline Data Authentication
   d. Processing Restrictions
   e. Cardholder Verification
   f. Terminal Risk Management
   g. Terminal Action Analysis
   h. Card Action Analysis
3. Online Authorization Request from Card to Terminal
4. Authorization Request from Terminal to Vantiv
5. Authorization Request from Vantiv to Issuer
6. Authorization Response from Issuer to Vantiv
7. Authorization Response from Vantiv to Terminal
8. Completion and script processing. If the issuer approved but the card denied the transaction, a reversal is produced
9. Card is removed from EMV Terminal

EMV Introduces New Security Functions:
Card Authentication Security, Cardholder Verification options, Authorization options, Contact/Contactless & Mobile Technology

EMV Card Authentication:
A) Online Card Authentication:
• Card: Generates an EMV Dynamic Cryptogram
• Issuer Host: Host validates the EMV Dynamic Cryptogram

B) Offline Card Authentication (optional)
• Card provides the terminal a dynamic security certificate
• Terminal validates the dynamic security certificate
• Online Authorization
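
Online card authentication as described above, in an added sketch that is not from the original post: the chip computes a per-transaction cryptogram and the issuer host recomputes it. HMAC-SHA-256 stands in for the Triple DES MAC and key derivation that EMV specifies; the key, PAN, field layout and class names are constructed for illustration, while the Application Transaction Counter (ATC) and the terminal's Unpredictable Number are real EMV data elements not named on this page.

```python
import hashlib
import hmac

# Constructed values for illustration only; not real card data or keys.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4000000000000002"

def card_key(pan: str) -> bytes:
    """Per-card key personalised onto the chip (HMAC stand-in for EMV derivation)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()

def cryptogram(key: bytes, atc: int, amount: int, unpredictable: bytes) -> bytes:
    """8-byte MAC over the counter and transaction data (HMAC stand-in for 3DES MAC)."""
    msg = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + unpredictable
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Chip:
    """Card side: holds the key and increments the ATC on every transaction."""
    def __init__(self, pan):
        self.pan, self._key, self.atc = pan, card_key(pan), 0

    def authorize(self, amount, unpredictable):
        self.atc += 1
        mac = cryptogram(self._key, self.atc, amount, unpredictable)
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "un": unpredictable, "cryptogram": mac}

class IssuerHost:
    """Host side: recomputes the cryptogram and rejects reused counters."""
    def __init__(self):
        self.last_atc = {}  # highest ATC accepted so far, per PAN

    def validate(self, req):
        expected = cryptogram(card_key(req["pan"]), req["atc"],
                              req["amount"], req["un"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINE: cryptogram mismatch"
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "DECLINE: ATC replay"
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVE"

if __name__ == "__main__":
    chip, host = Chip(PAN), IssuerHost()
    req = chip.authorize(2500, bytes.fromhex("a1b2c3d4"))
    print(host.validate(req))                      # first presentation
    print(host.validate(dict(req)))                # same message presented again
    print(host.validate(dict(req, amount=999999))) # amount altered in transit
```

A replayed or altered request is declined because the cryptogram binds the counter and the transaction data, a property that static magnetic stripe data lacks.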

Cardholder Verification (CVM):
• More than one CVM is supported on a card
• Issuers choose what CVMs to support
• Issuer chooses the priority order of the CVMs

EMV CVM List
• Signature
• Online PIN
• Offline PIN
• No CVM
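
An added example (not from the original post) of how a terminal walks an issuer-ordered CVM list and picks the first method it can perform. It goes beyond the text by using the CVM List encoding from the EMV specifications (tag 8E: two 4-byte amounts followed by 2-byte rules); the sample list and terminal capability sets are constructed, and only the "always" and "if terminal supports the CVM" conditions are modelled.

```python
# CVM method and condition codes follow the EMV CVM List (tag 8E) encoding.
CVM_NAMES = {0x01: "Offline PIN (plaintext)", 0x02: "Online PIN",
             0x04: "Offline PIN (enciphered)", 0x1E: "Signature", 0x1F: "No CVM"}
ALWAYS, IF_TERMINAL_SUPPORTS = 0x00, 0x03

# Constructed sample: enciphered offline PIN, then online PIN, then signature
# (each "if terminal supports", try next on failure), then No CVM (always).
SAMPLE_CVM_LIST = bytes.fromhex("0000000000000000" "4403" "4203" "5E03" "1F00")

def parse_cvm_list(data: bytes):
    """Return (amount_x, amount_y, rules); rules keep the issuer's priority order."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("CVM list must be 8 amount bytes plus 2-byte rules")
    x, y = int.from_bytes(data[:4], "big"), int.from_bytes(data[4:8], "big")
    rules = []
    for i in range(8, len(data), 2):
        code, cond = data[i], data[i + 1]
        rules.append({"method": code & 0x3F,              # low 6 bits: CVM code
                      "next_on_fail": bool(code & 0x40),  # bit 7: try next rule
                      "condition": cond})
    return x, y, rules

def select_cvm(rules, terminal_supports):
    """Walk the rules in order and return the first CVM the terminal can perform."""
    for rule in rules:
        if rule["condition"] not in (ALWAYS, IF_TERMINAL_SUPPORTS):
            continue  # cash, cashback and amount conditions are not modelled
        if rule["method"] in terminal_supports:
            return CVM_NAMES.get(rule["method"], "Unknown")
        # Unsupported method under an unconditional rule: stop unless the
        # issuer allowed falling through to the next rule.
        if rule["condition"] == ALWAYS and not rule["next_on_fail"]:
            return "CVM failed"
    return "CVM failed"

if __name__ == "__main__":
    _, _, rules = parse_cvm_list(SAMPLE_CVM_LIST)
    print(select_cvm(rules, {0x02, 0x1E}))  # terminal with online PIN + signature
    print(select_cvm(rules, {0x1E}))        # signature-only terminal
```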
 
Online vs. Offline PIN
EMV Online PIN
• Works the same as mag stripe host based PIN
• All EMV cards use online PIN for ATM
• No system changes required
• The U.S. is an online market

EMV Offline PIN
• Most Offline PIN transactions go online for authorization
• Changes required:
   a. PIN selection/activation process
   b. Customer PIN Communications
   c. Offline PIN change process
   d. Synchronization with the online PIN
   e. Add ability to send PIN and PIN counter updates to the card

EMV Authorization/Approval
(1) Online Authorization
Works much like a magnetic stripe card transaction
• New EMV data is sent to the host
• Dynamic authentication technology is used
• New risk assessment rules are followed

(2) Offline Authorization (Optional)
The card authorizes the transaction
• No communication with a host system for authorization
• Card contains offline authorization criteria and counters

EMV requires certification and validation
A) Terminal
• EMVCo terminal type approval – hardware and logic testing
• Payment network brand testing for each brand supported
B) Acquirer
• Processor Network Host Certification
• Host certification already completed by EMV Service Provider
C) Chip
• EMV Chip application certification (Before they can be sold)
• Card Personalization validation (For each product issued)


Magnetic Stripe Terminal:
• Card is simply a static storage device that is read by the terminal
• The terminal performs card swipe, PIN encryption and signature capture (integrated environments) functions

Terminal Mag Stripe Transaction Flow
1. Card is swiped through Terminal
2. Authorization Request from Terminal to Acquirer
3. Authorization Request from Acquirer to Issuer
4. Authorization Response from Issuer to Acquirer
5. Authorization Response from Acquirer to Terminal