EMV Software Guide

EMV is a payment method based on a technical standard for smart payment cards and for the payment terminals and ATMs that can accept them. EMV originally stood for “Europay, Mastercard and Visa”, the three companies that created the standard.

EMV cards are smart cards, also called chip cards, integrated circuit cards, or IC cards, that store their data on integrated circuit chips in addition to magnetic stripes for backward compatibility. They include cards that must be physically inserted into a reader, as well as contactless cards that can be read over a short distance using near-field communication technology. Payment cards conforming to the EMV standard are often called chip and PIN or chip and signature cards, depending on the authentication methods used by the card issuer, for example, a personal identification number (PIN) or digital signature.

There are standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards (Mastercard Contactless, Visa payWave, American Express ExpressPay).

In February 2010, computer scientists from Cambridge University demonstrated that an implementation of EMV PIN entry is vulnerable to a man-in-the-middle attack, but only implementations where the PIN is verified in offline mode were vulnerable.

History

Prior to the introduction of chip and PIN, all in-person credit or debit card transactions involved the use of a magnetic stripe or mechanical imprint to read and record account data, and a signature to verify identity. The customer hands the card to the cashier at the point of sale, who passes the card through a magnetic reader or makes an imprint from the raised text on the card. In the first case, the system checks the account details and prints a receipt for the customer to sign. In the case of a mechanical imprint, a list of stolen numbers is consulted and the customer signs the form. In both cases, the cashier must make sure that the customer’s signature matches the signature on the back of the card to confirm the transaction.

Using the signature on the card as a verification method has a number of security flaws, the most obvious being the relative ease with which a card can go missing before its rightful owner signs it. Another involves erasing and replacing a legitimate signature, and a third involves forging the correct signature on the card.

The invention of the silicon chip in 1959 led to the idea of embedding it into a plastic smart card in the late 1960s by two German engineers, Helmut Gröttrup and Jürgen Dethloff. The very first smart cards were introduced as telephone cards in the 1970s, and then were adapted for use as payment cards. Since then, smart cards have used MOS integrated circuit chips, as well as MOS memory technologies such as flash memory and EEPROM (electrically erasable programmable read-only memory).

The first standard for smart payment cards was the Carte Bancaire M4 from Bull-CP8, deployed in France in 1986, followed by B4B0′ (compatible with M4), deployed in 1989. Geldkarte in Germany also predates EMV. EMV was designed to make cards and terminals backward compatible with these standards.

EMV originally stood for Europay, Mastercard and Visa, the three companies that created the standard. The standard is now managed by EMVCo, a consortium with control divided equally between Visa, Mastercard, JCB, American Express, China UnionPay and Discover.

JCB joined the consortium in February 2009, China UnionPay in May 2013 and Discover in September 2013.

Differences and advantages

Switching to smart-card-based credit card payment systems provides two main advantages: enhanced security (with reduced fraud) and finer control of “offline” approvals of credit card transactions. One of the original goals of EMV was to provide for multiple applications on a card: a credit and debit card application, or an electronic purse. Newly issued debit cards in the USA contain two applications: a card association (Visa, Mastercard, etc.) application and a common debit application. The common debit application identifier is something of a misnomer, since each “common” debit application uses the resident card association application.

Transactions with EMV chip cards improve protection against fraud compared with magnetic stripe card transactions, which depend on the signature and visual inspection of the card to check for features such as a hologram. The use of a PIN and cryptographic algorithms such as Triple DES, RSA and SHA provides authentication of the card to the processing terminal and to the host system of the card issuer. Processing time is comparable to online transactions, in which communication delay accounts for much of the time, while cryptographic operations on the terminal take relatively little time. The supposed increase in fraud protection has allowed banks and credit card issuers to carry out a “liability shift”, so that merchants are now liable (from January 1, 2005 in the EU region and from October 1, 2015 in the USA) for any fraud that results from transactions on systems that are not EMV-capable.

Most implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a personal identification number (PIN) instead of signing a paper receipt. Whether PIN authentication takes place depends on the capabilities of the terminal and the programming of the card.

When credit cards were first introduced, merchants used portable mechanical, rather than magnetic, card imprinters, which required carbon paper to make an imprint. They did not communicate electronically with the card issuer, and the card never left the customer’s field of view. The merchant had to verify a transaction exceeding a certain currency limit by calling the card issuer. During the 1970s, many merchants subscribed to a regularly updated list of stolen or otherwise invalid credit card numbers. This list was usually printed as a booklet on newsprint in numerical order, like a thin telephone book, but without any data other than the list of invalid numbers. Cashiers were expected to leaf through this booklet every time a credit card was presented for payment of any amount, before approving the transaction, which caused a slight delay.

Later, the equipment contacted the card issuer electronically, using information from the magnetic stripe to verify the card and authorize the transaction. This was much faster than before, but required the transaction to take place in a fixed location. Therefore, if the transaction did not take place near a terminal (for example, in a restaurant), the employee or waiter had to take the card away from the customer to the card machine. It was easy for a dishonest employee to secretly swipe the card through a cheap machine that instantly recorded the information on the card and stripe; in fact, even at the terminal, a thief could bend down in front of the customer and swipe the card on a hidden reader. This made illegal card cloning more common than before.

Since the introduction of payment card chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used by itself on a terminal that requires a PIN. The advent of chip and PIN coincided with wireless data transmission technology becoming inexpensive and widespread. In addition to mobile-phone-based magnetic readers, sales staff can now bring wireless PIN pads to the customer, so that the card never leaves the cardholder’s field of view. Thus, both chip and PIN and wireless technologies are used to reduce the risks of unauthorized card reading and cloning.

Chip and PIN versus chip and signature

Chip and PIN is one of the two verification methods that EMV-enabled cards can use. Instead of physically signing the receipt for identification purposes, the user simply enters a personal identification number (PIN), usually 4 to 6 digits long. This number must correspond to the information stored on the chip. Chip and PIN technology makes it much harder for fraudsters to use a found card, since it cannot be used for fraudulent purchases unless the PIN is known.

Chip and signature, on the other hand, differs from chip and PIN in that identity is verified with a signature.

As of 2015, chip and signature cards are more common in the USA, Mexico, some parts of South America (for example, Argentina, Colombia, Peru) and some Asian countries (for example, Taiwan, Hong Kong, Thailand, South Korea, Singapore and Indonesia), whereas chip and PIN cards are more common in European countries (for example, in the UK, Ireland, France, Portugal, Finland and the Netherlands), as well as in Iran, Brazil, Venezuela, India, Sri Lanka, Canada, Australia and New Zealand.

Transactions online, by phone and by mail

Although EMV technology has helped reduce point-of-sale crime, fraudulent transactions have shifted to the more vulnerable telephone, Internet and mail order transactions, known in the industry as card-not-present or CNP transactions. CNP transactions accounted for at least 50% of credit card fraud cases. Alternatives have been developed for these cases, including:

  • Software approaches for online transactions that involve interaction with the website of the card-issuing bank or the network, for example Verified by Visa and Mastercard SecureCode (implementations of Visa’s 3-D Secure protocol).
  • Creating a one-time virtual card linked to a physical card with a specified maximum amount.
  • Additional hardware with a keypad and a screen that can produce a one-time password, for example the Chip Authentication Program.
  • A keypad and screen integrated into the card to produce a one-time password. Since 2008, Visa has been running pilot projects using the Emue card, where the generated number replaces the code printed on the back of standard cards.

Commands

ISO/IEC 7816-3 defines the transmission protocol between chip cards and readers. Using this protocol, data is exchanged in application protocol data units (APDUs). This comprises sending a command to the card, the card processing it, and the card sending a response. EMV uses the following commands:

  • application block
  • application unblock
  • card block
  • external authenticate (7816-4)
  • generate application cryptogram
  • get data (7816-4)
  • get processing options
  • internal authenticate (7816-4)
  • PIN change/unblock
  • read record (7816-4)
  • select (7816-4)
  • verify (7816-4).

The commands followed by “7816-4” are defined in ISO/IEC 7816-4 and are interindustry commands used for many chip card applications such as GSM SIM cards.

An EMV transaction consists of the following steps:

  • Application selection
  • Initiate application processing
  • Read application data
  • Processing restrictions
  • Offline data authentication
  • Certificates
  • Cardholder verification
  • Terminal risk management
  • Terminal action analysis
  • First card action analysis
  • Online transaction authorization (performed only if the result of the previous steps requires it; mandatory for ATMs)
  • Second card action analysis
  • Issuer script processing.

Application Selection

ISO/IEC 7816 defines the application selection process. The purpose of application selection was to let cards contain completely different applications, for example, GSM and EMV. However, EMV developers implemented application selection as a way to identify the type of product, so that all product issuers (Visa, Mastercard, etc.) must have their own application. The way application selection is prescribed in EMV is a frequent source of interoperability problems between cards and terminals. Book 1 of the EMV standard devotes 15 pages to describing the application selection process.

The application identifier (AID) is used to address an application on the card, or in Host Card Emulation (HCE) if delivered without a card. The AID consists of a registered application provider identifier (RID) of five bytes, which is issued by the ISO/IEC 7816-5 registration authority. This is followed by a proprietary application identifier extension (PIX), which allows the application provider to distinguish between the various applications offered. The AID is printed on all EMV cardholder receipts.

Initiate application processing

The terminal sends the get processing options command to the card. When issuing this command, the terminal supplies the card with any data elements requested by the card in the processing options data object list (PDOL). The PDOL (a list of tags and lengths of data elements) is provided by the card to the terminal during application selection. The card responds with the application interchange profile (AIP), a list of functions to perform in processing the transaction. The card also provides the application file locator (AFL), a list of files and records that the terminal should read from the card.

Reading application data

Smart cards store data in files. The AFL lists the files that contain EMV data. All of them must be read using the read record command. EMV does not specify which files the data is stored in, so all the files must be read. The data in these files is stored in BER-TLV format. EMV defines tag values for all data used in card processing.
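The following added example (not part of the original page) decodes an AFL into the read record commands a terminal would issue and parses a BER-TLV record, rejecting malformed input. The AFL and record bytes are constructed sample data, the PAN is a well-known test number, and the function names are illustrative.

```python
"""Decode an AFL into READ RECORD commands and parse a BER-TLV record."""


def decode_afl(afl: bytes) -> list:
    """Split the AFL into 4-byte entries: SFI, first record, last record,
    and the number of records that take part in offline data authentication."""
    if not afl or len(afl) % 4:
        raise ValueError("AFL length must be a non-zero multiple of 4")
    entries = []
    for i in range(0, len(afl), 4):
        sfi, first, last, oda = afl[i] >> 3, afl[i + 1], afl[i + 2], afl[i + 3]
        if afl[i] & 0x07 or not 1 <= sfi <= 30:
            raise ValueError(f"bad SFI byte at offset {i}")
        if first == 0 or last < first or oda > last - first + 1:
            raise ValueError(f"bad record range at offset {i}")
        entries.append({"sfi": sfi, "first": first, "last": last,
                        "oda_records": oda})
    return entries


def read_record_apdus(afl: bytes) -> list:
    """Build one READ RECORD command (CLA 00, INS B2) per record in the AFL.
    P1 is the record number; P2 carries the SFI in its upper five bits."""
    apdus = []
    for e in decode_afl(afl):
        for rec in range(e["first"], e["last"] + 1):
            apdus.append(bytes([0x00, 0xB2, rec, (e["sfi"] << 3) | 0x04, 0x00]))
    return apdus


def parse_tlv(data: bytes) -> list:
    """Parse BER-TLV into (tag_hex, value) pairs; a constructed object has a
    nested list as its value. Raises ValueError on truncated input."""
    out, i = [], 0
    while i < len(data):
        if data[i] == 0x00:              # padding between data objects
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:         # tag continues in following bytes
            while True:
                if i >= len(data):
                    raise ValueError("truncated tag")
                more = data[i] & 0x80
                i += 1
                if not more:
                    break
        tag = data[start:i].hex().upper()
        if i >= len(data):
            raise ValueError(f"tag {tag}: missing length")
        length = data[i]
        i += 1
        if length & 0x80:                # long form: low 7 bits = byte count
            n = length & 0x7F
            if n == 0 or n > 3 or i + n > len(data):
                raise ValueError(f"tag {tag}: bad length field")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError(f"tag {tag}: value overruns buffer")
        value = data[i:i + length]
        i += length
        out.append((tag, parse_tlv(value) if first & 0x20 else value))
    return out


def find_tag(objects: list, tag: str):
    """Depth-first search for the first value stored under `tag`."""
    for t, v in objects:
        if t == tag:
            return v
        if isinstance(v, list):
            hit = find_tag(v, tag)
            if hit is not None:
                return hit
    return None


# Constructed sample: SFI 1 records 1-2, SFI 2 record 1 (used in ODA).
SAMPLE_AFL = bytes.fromhex("0801020010010101")
# Constructed record: template 70 holding 5A (PAN), 5F24 (expiration date)
# and 9F07 (application usage control).
SAMPLE_RECORD = bytes.fromhex("70155A0841111111111111115F24033012319F0702FF00")

if __name__ == "__main__":
    for apdu in read_record_apdus(SAMPLE_AFL):
        print("READ RECORD", apdu.hex().upper())
    print(parse_tlv(SAMPLE_RECORD))
```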

Processing Restrictions

The purpose of the processing restrictions is to determine whether the card should be used. Three elements are checked: the application version number, application usage control (which shows whether the card is only for domestic use, etc.), and the application effective/expiration dates.

If any of these checks fail, the card is not necessarily rejected. The terminal sets the appropriate bits in the terminal verification results (TVR), which form the basis for the accept/decline decision later in the transaction flow. This feature allows, for example, card issuers to let cardholders continue using expired cards after their expiration date, but all transactions with an expired card must be online.

Offline Data Authentication (ODA)

Offline data authentication is a cryptographic check to validate a card using public key cryptography. There are three different processes that can be undertaken, depending on the card:

  • Static Data Authentication (SDA) ensures that the data read from the card has been signed by the card issuer. This prevents data modification, but does not prevent cloning.
  • Dynamic Data Authentication (DDA) provides protection against data modification and cloning.
  • Combined DDA/generate application cryptogram (CDA) combines DDA with the generation of the card’s application cryptogram to confirm the validity of the card. Support for CDA in devices may be needed, as this process has been implemented in specific markets. This process is not mandatory in terminals and can only be carried out where both the card and the terminal support it.

EMV Certificates

EMV certificates are used to verify the authenticity of payment cards. The EMV Certificate Authority issues digital certificates to payment card issuers. Upon request, the payment card chip provides the card issuer’s public key certificate and signed static application data (SSAD) to the terminal. The terminal retrieves the public key of the CA from local storage and uses it to confirm trust in the CA and, if it is trusted, to verify that the card issuer’s public key has been signed by the CA. If the card issuer’s public key is valid, the terminal uses the card issuer’s public key to verify that the card’s SSAD has been signed by the card issuer.

Cardholder verification

Cardholder verification is used to assess whether the person who presented the card is really the legitimate cardholder. EMV supports a set of cardholder verification methods (CVMs):

  • Signature
  • Offline plaintext PIN
  • Offline enciphered PIN
  • Offline plaintext PIN and signature
  • Offline enciphered PIN and signature
  • Online PIN
  • No CVM required
  • Fail CVM processing

The terminal uses the CVM list read from the card to determine the type of verification to perform. The CVM list sets the priority of the CVMs to use relative to the capabilities of the terminal. Different terminals support different CVMs. ATMs usually support online PIN. POS terminals differ in CVM support depending on the type and country.
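As an added illustration (not part of the original page), the sketch below parses a CVM list and returns the first method a terminal with given capabilities would attempt. The CVM list bytes are constructed, only the condition codes "always", "if unattended cash" and "if terminal supports the CVM" are modelled (an assumption made to keep the example short), and the function names are illustrative.

```python
"""Parse a CVM list (tag 8E) and pick the first rule a terminal can apply."""

# CVM codes carried in the low six bits of the first byte of each rule.
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Offline plaintext PIN",
    0x02: "Online PIN",
    0x03: "Offline plaintext PIN and signature",
    0x04: "Offline enciphered PIN",
    0x05: "Offline enciphered PIN and signature",
    0x1E: "Signature",
    0x1F: "No CVM required",
}
APPLY_NEXT_ON_FAILURE = 0x40   # bit 7 of the first rule byte
COND_ALWAYS, COND_UNATTENDED_CASH, COND_IF_SUPPORTED = 0x00, 0x01, 0x03


def parse_cvm_list(value: bytes):
    """Return (amount_x, amount_y, rules) from the value of tag 8E."""
    if len(value) < 10 or len(value) % 2:
        raise ValueError("CVM list needs two 4-byte amounts and 2-byte rules")
    amount_x = int.from_bytes(value[0:4], "big")
    amount_y = int.from_bytes(value[4:8], "big")
    rules = []
    for i in range(8, len(value), 2):
        code = value[i] & 0x3F
        rules.append({
            "code": code,
            "method": CVM_METHODS.get(code, "Unrecognised CVM 0x%02X" % code),
            "apply_next_on_failure": bool(value[i] & APPLY_NEXT_ON_FAILURE),
            "condition": value[i + 1],
        })
    return amount_x, amount_y, rules


def first_applicable_cvm(rules, terminal_supports, unattended_cash=False):
    """Walk the rules in card priority order. Returns the method name to
    attempt, or None when cardholder verification fails without a method."""
    for rule in rules:
        cond = rule["condition"]
        if cond == COND_ALWAYS:
            applies = True
        elif cond == COND_UNATTENDED_CASH:
            applies = unattended_cash
        elif cond == COND_IF_SUPPORTED:
            applies = rule["code"] in terminal_supports
        else:
            applies = False            # condition not modelled in this sketch
        if not applies:
            continue
        if rule["code"] in terminal_supports and rule["code"] != 0x00:
            return rule["method"]
        if not rule["apply_next_on_failure"]:
            return None                # rule forbids falling through
    return None


# Constructed CVM list: amounts X and Y are zero, then five rules in
# priority order (enciphered PIN, plaintext PIN, online PIN, signature,
# no CVM). The first four apply only if the terminal supports them.
SAMPLE_CVM_LIST = bytes.fromhex("0000000000000000" "4403" "4103" "4203" "5E03" "1F00")

if __name__ == "__main__":
    _, _, rules = parse_cvm_list(SAMPLE_CVM_LIST)
    for name, caps in [("POS", {0x01, 0x04, 0x1E, 0x1F}), ("ATM", {0x02})]:
        print(name, "->", first_applicable_cvm(rules, caps))
```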

Terminal Risk Management

Terminal risk management is performed only in devices where a decision must be made whether to authorize the transaction online or offline. If transactions are always performed online (for example, ATMs) or always offline, this step can be skipped. Terminal risk management checks the transaction amount against an offline ceiling limit (above which transactions should be processed online). It is also possible to have a 1 in an online counter, and to check against a hot card list (which is only necessary for offline transactions). If the result of any of these tests is positive, the terminal sets the corresponding bits in the terminal verification results (TVR).

Terminal action analysis

The results of the previous processing steps are used to determine whether the transaction should be approved offline, sent online for authorization, or declined offline. This is done using a combination of data objects known as terminal action codes (TACs), stored in the terminal, and issuer action codes (IACs), read from the card. The TAC is logically OR’d with the IAC to give the transaction acquirer a level of control over the transaction outcome.

Both types of action code take the values Denial, Online and Default. Each action code contains a series of bits that correspond to the bits in the terminal verification results (TVR), and are used by the terminal to decide whether to accept, decline or go online for a payment transaction. The TAC is set by the card acquirer; in practice, the card schemes advise the TAC settings that should be used for a specific type of terminal, depending on its capabilities. The IAC is set by the card issuer; some card issuers may decide that expired cards should be rejected by setting the appropriate bits in the Denial IAC. Other issuers may want the transaction to proceed online so that they can, in some cases, allow these transactions to be carried out.

An online-only device, such as an ATM, always tries to go online with the authorization request, unless it is declined offline due to the issuer action codes (Denial settings). During IAC-Denial and TAC-Denial processing for an online-only device, the only relevant bit of the terminal verification results is “Service not allowed”.

When an online-only device performs IAC-Online and TAC-Online processing, the only relevant TVR bit is “Transaction value exceeds the floor limit”. The floor limit is set so that the transaction should always go online; all other values in TAC-Online or IAC-Online are irrelevant. Online-only devices do not need to perform IAC-Default processing.
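The added example below (not from the original page) works through terminal risk management and terminal action analysis: TVR bits are set, then matched against the OR of TAC and IAC in the order Denial, Online, Default. The TAC and IAC values, amounts and function names are constructed for illustration, and only five TVR bits are modelled.

```python
"""Terminal risk management and terminal action analysis over a 5-byte TVR."""
from dataclasses import dataclass


def tvr_bit(byte_no: int, mask: int) -> int:
    """Return a 40-bit mask for a bit in TVR byte 1..5 (byte 1 is leftmost)."""
    return mask << (8 * (5 - byte_no))


# Subset of TVR bits used in this example.
TVR_BITS = {
    "card on terminal exception file": tvr_bit(1, 0x10),
    "expired application": tvr_bit(2, 0x40),
    "requested service not allowed": tvr_bit(2, 0x10),
    "cardholder verification not successful": tvr_bit(3, 0x80),
    "transaction exceeds floor limit": tvr_bit(4, 0x80),
}


def mask(*names: str) -> int:
    """OR together the named TVR bits."""
    value = 0
    for name in names:
        value |= TVR_BITS[name]
    return value


@dataclass(frozen=True)
class ActionCodes:
    """One Denial / Online / Default triple, used for both TAC and IAC."""
    denial: int = 0
    online: int = 0
    default: int = 0


def terminal_risk_management(amount: int, floor_limit: int,
                             pan: str, hot_list: set) -> int:
    """Set TVR bits for the floor limit and hot card list checks.
    Amounts are in minor currency units."""
    tvr = 0
    if amount >= floor_limit:
        tvr |= TVR_BITS["transaction exceeds floor limit"]
    if pan in hot_list:
        tvr |= TVR_BITS["card on terminal exception file"]
    return tvr


def terminal_action_analysis(tvr: int, tac: ActionCodes, iac: ActionCodes,
                             can_go_online: bool = True):
    """Return (cryptogram to request, TVR bit names that triggered it).
    AAC = decline offline, ARQC = go online, TC = approve offline."""
    def hits(codes: int) -> list:
        return sorted(n for n, b in TVR_BITS.items() if tvr & codes & b)

    denial = tac.denial | iac.denial
    if tvr & denial:
        return "AAC", hits(denial)
    if can_go_online:
        online = tac.online | iac.online
        return ("ARQC", hits(online)) if tvr & online else ("TC", [])
    # Terminal cannot reach the issuer: the Default codes decide.
    default = tac.default | iac.default
    return ("AAC", hits(default)) if tvr & default else ("TC", [])


# Constructed acquirer settings for an attended POS terminal.
TAC = ActionCodes(
    denial=mask("requested service not allowed"),
    online=mask("transaction exceeds floor limit",
                "card on terminal exception file"),
    default=mask("transaction exceeds floor limit"),
)
# Two constructed issuer policies for expired cards, as described above.
IAC_REJECT_EXPIRED = ActionCodes(denial=mask("expired application"))
IAC_ONLINE_EXPIRED = ActionCodes(online=mask("expired application"),
                                 default=mask("expired application"))

if __name__ == "__main__":
    tvr = mask("expired application")
    print("TVR", format(tvr, "010X"))
    print(terminal_action_analysis(tvr, TAC, IAC_REJECT_EXPIRED))
    print(terminal_action_analysis(tvr, TAC, IAC_ONLINE_EXPIRED))
```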

First card action analysis

One of the data objects read from the card in the read application data stage is CDOL1 (card data object list). This object is a list of tags that the card wants to be sent to it in order to decide whether to approve or decline the transaction (including the transaction amount, but also other objects). The terminal sends this data and requests a cryptogram using the generate application cryptogram command. Depending on the terminal’s decision (offline, online, decline), the terminal requests one of the following cryptograms from the card:

  • Transaction Certificate (TC) – offline approval
  • Authorization Request Cryptogram (ARQC) – online authorization
  • Application Authentication Cryptogram (AAC) – offline decline.

This step allows the card to force the transaction online. The card cannot return a TC when an ARQC was requested, but can return an ARQC when a TC was requested.

Online transaction authorization

Transactions go online when an ARQC has been requested. The ARQC is sent in the authorization message. The card generates the ARQC. Its format depends on the card application. EMV does not define the contents of the ARQC. The ARQC created by the card application is a digital signature of the transaction details that the card issuer can verify in real time. This provides a strong cryptographic check that the card is genuine. The issuer responds to the authorization request with a response (accepting or declining the transaction), an authorization response cryptogram (ARPC) and optionally an issuer script (a string of commands to be sent to the card).

Second card action analysis

CDOL2 (card data object list) contains a list of tags that the card wants to be sent after online transaction authorization (response code, ARPC, etc.). Even if for some reason the terminal cannot go online (for example, communication failure), the terminal must send this data to the card again using the generate application cryptogram command. This lets the card know the issuer’s response. After that, the card application can reset the offline usage limits.

Issuer script processing

If the card issuer wants to update a card after issuance, it can send commands to the card using an issuer script. Issuer scripts are encrypted between the card and the issuer, so they are meaningless to the terminal. An issuer script can be used to block cards or to change card parameters.

Management of the EMV standard

The first version of the EMV standard was published in 1995. Now the standard is defined and managed by the private corporation EMVCo LLC. The current members of EMVCo are American Express, Discover Financial, JCB International, Mastercard, China UnionPay, and Visa Inc. Each of these organizations owns an equal share of EMVCo and has representatives in the EMVCo organization and EMVCo working groups.

Recognition of compliance with the EMV standard (i.e. certification of the device) is issued by EMVCo after the presentation of the test results conducted by an accredited testing laboratory.

EMV compliance testing has two levels: EMV Level 1, which covers the physical, electrical and transport level interfaces, and EMV Level 2, which covers application selection and credit transaction processing.

After passing the general EMV tests, the software must be certified by payment brands for the relevant EMV implementations, such as Visa VSDC, American Express AEIPS, Mastercard MChip, JCB JSmart, or an EMV-compliant implementation of non-EMVCo participants, such as LINK in the UK or Interac in Canada.

List of EMV documents and standards

As of 2011, since version 4.0, the official EMV standard documents that define all components of an EMV payment system are published as four “books” and some additional documents:

  • Book 1: Application Independent ICC to Terminal Interface Requirements
  • Book 2: Security and Key Management
  • Book 3: Application Specification
  • Book 4: Cardholder, Attendant, and Acquirer Interface Requirements
  • Common Payment Application Specification
  • EMV Card Personalization Specification

Versions

In 1995, the first EMV standard appeared as EMV 2.0. It was updated to EMV 3.0 in 1996 (sometimes called EMV ’96) with later amendments to EMV 3.1.1 in 1998. This was further amended to version 4.0 in December 2000 (sometimes referred to as EMV 2000). Version 4.0 came into force in June 2004. Version 4.1 came into force in June 2007. Version 4.2 has been in effect since June 2008. Version 4.3 has been in effect since November 2011.

Vulnerabilities

Opportunities to harvest PINs and clone magnetic stripes

In addition to the track-two data on the magnetic stripe, EMV cards usually contain identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to such an extent that the conversation between the card and the terminal is intercepted, then an attacker can recover both the track-two data and the PIN, allowing the construction of a magnetic stripe card which, while it cannot be used in a chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magnetic stripe processing for foreign customers without chip cards and for faulty cards. This attack is possible only where (a) the offline PIN is presented in plaintext by the PIN entry device to the card, (b) magnetic stripe fallback is permitted by the card issuer, and (c) geographic and behavioural checking may not be carried out by the card issuer.

APACS, representing the UK payment industry, stated that the changes specified in the protocol (where the card verification values differ between the magnetic stripe and the chip, the iCVV) made this attack ineffective and that such measures would be applied from January 2008. Tests on cards in February 2008 indicated that this may have been delayed.

Successful attacks

Conversation capturing is a form of attack that was reported to have taken place against Shell terminals in May 2006, when they were forced to disable all EMV authentication at their gas stations after more than £1 million was stolen from customers.

In October 2008, it was reported that hundreds of EMV card readers for use in the UK, Ireland, the Netherlands, Denmark and Belgium had been expertly tampered with in China during or shortly after production. For 9 months, credit and debit card data and PINs were sent over a mobile phone network to criminals in Lahore, Pakistan. Joel Brenner, executive director of the US National Counterintelligence Service, said: “Previously, only a nation-state intelligence agency was capable of conducting such an operation. It’s scary.” The data was usually used a couple of months after the card transaction. After the fraud was discovered, it was found that the tampered terminals could be identified, as the additional circuitry increased their weight by about 100 g. Tens of millions of pounds are believed to have been stolen. This vulnerability has prompted efforts to implement better control over electronic POS systems throughout their entire lifecycle, a practice endorsed by electronic POS security standards such as those developed by the Secure POS Vendor Alliance (SPVA).

PIN harvesting and stripe cloning

In February 2008, on the BBC Newsnight program, Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated one example attack to illustrate that chip and PIN is not secure enough to justify passing the liability to prove fraud from banks to customers. The Cambridge University exploit allowed the experimenters to obtain both the card data needed to create a magnetic stripe and the PIN.

APACS, the UK payment association, disagreed with much of the report, saying: “The types of attacks on PIN input devices detailed in this report are difficult to undertake, and it is currently economically unprofitable for fraudsters to carry them out.” They also stated that changes in the protocol (specifying different card verification values for the chip and the magnetic stripe, the iCVV) would make this attack ineffective from January 2008. The fraud reported in October 2008 as having operated for 9 months (see above) was probably in operation at that time, but was not found for many months.

In August 2016, computer security researchers at NCR (a payment technology company) showed how credit card thieves can rewrite the magnetic stripe code so that the card looks like a card without a chip, which allows forgery.

2010: Hidden hardware disables PIN verification on stolen card

On February 11, 2010, Murdoch and Drimer’s team at Cambridge University announced that they had found “such a serious bug in the chip and PIN code that they think it shows that the whole system needs to be rewritten”, which was “so simple that it shocked them”. The stolen card is connected to an electronic circuit and to a fake card that is inserted into the terminal (“man-in-the-middle attack”). Any four digits are entered and are accepted as a valid PIN.

A team from the BBC Newsnight program visited a Cambridge University cafeteria (with permission) with the system and was able to pay using their own cards (a thief would use stolen cards) connected to the circuit, by inserting a fake card and entering “0000” as the PIN. The transactions were registered as normal and were not picked up by the banks’ security systems. A member of the research team said, “Even small criminal systems have better equipment than we do. The level of technical complexity required to carry out this attack is really quite low.” The vulnerability announcement stated: “The required experience is low (electronics at the undergraduate level)… We challenge the banking sector’s claim that criminals are not experienced enough because they already have a higher level of skills than is necessary for this attack, in their miniature skimmers for entering a PIN code.” It is not known whether this vulnerability has been exploited.

In response, the attack was described as very difficult and expensive to carry out successfully, with minimal possible financial gain. When approached for comment, several banks (Co-op Bank, Barclays and HSBC) stated that this is an industry-wide problem, and referred the Newsnight team to the banking trade association for additional comment. Chip and PIN has helped reduce the number of card crimes, but many cases remain unexplained. “What we do know is that we have cases that come from individuals that seem quite convincing.”

Because the PIN is never submitted to the card, this is the exact equivalent of a merchant performing a PIN bypass transaction. Such transactions cannot succeed offline, because the card does not generate an offline authorization without a successful PIN entry. As a result, the transaction ARQC must be sent online to the issuer, who knows that the ARQC was generated without a successful PIN submission (since this information is included in the encrypted ARQC) and can therefore decline the transaction if it is of high value, out of character, or otherwise outside the typical risk management parameters set by the issuer.

Initially, the bank’s customers had to prove that they had not been negligent with their PIN before receiving compensation, but UK rules in force since November 1, 2009 place the burden on banks to prove the customer’s negligence in any dispute, with the customer being given 13 months to file a claim. “[Banks] should look back at the previous transactions where the customer said that his PIN was not used and the bank record showed that it was, and consider reimbursing these customers, as they could have been victims of this type of fraud.”

2011: CVM downgrade allows arbitrary PIN harvesting

At the CanSecWest conference in March 2011, Andrea Barisani and Daniele Bianco presented a study revealing a vulnerability in EMV that allows arbitrary PIN harvesting regardless of the cardholder verification configuration of the card, even when the data of the supported CVMs is signed.

PIN harvesting can be done using a chip skimmer. A CVM list downgraded to offline PIN is still honoured by POS terminals, despite the fact that its signature is invalid.

Implementation

EMV originally stood for “Europay, Mastercard and Visa”, the three companies that created the standard. The standard is now managed by EMVCo, a consortium of financial companies. The most widely known chip implementations of the EMV standard are:

  • VIS: Visa
  • Mastercard Chip: Mastercard
  • AEIPS: American Express
  • UICS: China Union Pay
  • J Smart: JCB
  • D-PAS: Discover / Diners Club International
  • Rupay: NPCI
  • Verve

Visa and Mastercard have also developed standards for using EMV cards in devices to support card-not-present (CNP) transactions over the phone and over the Internet. Mastercard has the Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports multiple modes. Visa has the Dynamic Passcode Authentication (DPA) scheme, which is its implementation of CAP with different default values.

In many countries of the world, debit and/or credit card payment networks have introduced a liability shift. Usually, the card issuer is liable for fraudulent transactions. However, after the implementation of the liability shift, if the ATM or the merchant’s point-of-sale terminal does not support EMV, the ATM owner or merchant is liable for the fraudulent transaction.

Chip and PIN systems can cause problems for travelers from countries that do not issue chip and PIN cards, as some retailers may refuse to accept their chipless cards. Although most terminals still accept magnetic stripe cards, and merchants are required to accept them, some employees refuse the cards, believing that they are liable for any fraud if the card cannot verify a PIN. Cards without chip and PIN may also not work in some unattended vending machines, for example, at train stations or at self-service checkouts in supermarkets.

Africa

Mastercard’s shift Between January 1, 2006, there was a shift in Visa’s responsibility for all operations at retail outlets.
On January 1, 2006, there was a shift in Visa’s responsibility in relation to retail outlets. The shift of responsibility occurred on January 1, 2008.

South Africa

Mastercard’s shift of responsibility occurred on January 1, 2005.

Countries of the Asia-Pacific region

The transfer of Mastercard’s responsibility between countries in this region occurred on January 1, 2006. By October 1, 2010, there was a shift in responsibility for all operations at points of sale, with the exception of domestic operations in China and Japan.
Visa’s responsibility for points of sale changed on October 1, 2010. For ATMs, the shift of responsibility took place on October 1, 2015, with the exception of China, India, Japan and Thailand, where the shift of responsibility occurred on October 1, 2017. Domestic ATMs in China are currently not subject to the liability shift deadline.

Australia

Mastercard requires that all point-of-sale terminals be EMV-compliant by April 2013. The shift of responsibility for ATMs occurred in April 2012. ATMs must meet EMV requirements by the end of 2015.
Visa’s change of responsibility for ATMs took place on April 1, 2013.

Malaysia

Malaysia became the first country in the world to fully switch to EMV-compatible smart cards two years after its introduction in 2005.

Mastercard required all point-of-sale terminals to be EMV-compliant on July 1, 2011. With regard to ATMs, the shift in responsibility occurred in April 2012. ATMs should be EMV-compliant by the end of 2015.
The change in Visa’s responsibility for ATMs occurred on April 1, 2013.

New Zealand

Mastercard required all point-of-sale terminals to be EMV-compliant on July 1, 2011. With regard to ATMs, the shift in responsibility occurred in April 2012. ATMs should be EMV-compliant by the end of 2015.
The change in Visa’s responsibility for ATMs occurred on April 1, 2013.

Europe

The change in Mastercard’s responsibility occurred on January 1, 2005.
Visa’s change of responsibility for the point of sale took place on January 1, 2006. For ATMs, the shift in responsibility occurred on January 1, 2008.
France has reduced the number of card fraud cases by more than 80% since its introduction in 1992 (see Carte Bleue).

United Kingdom

Chip and PIN was tested in Northampton, England with “Security in Numbers”, and as a result was implemented nationwide in the United Kingdom on February 14, 2006 with advertisements in the press and on national television advertising the slogan “Security in Numbers”. On January 1, 2005, a fraudulent transaction with a magnetic card occurred, as it was before the introduction of the chip and PIN code. Point of sale (PoS) systems, and major retail chains were upgraded in time for the EMV deadline. Many small businesses initially did not want to upgrade their equipment, because they needed a completely new PoS system, which was a large investment.

New cards with magnetic stripes and chips are now issued by all major banks. Replacing pre-chip-and-PIN cards was a serious problem, as banks simply stated that users would receive new cards “upon expiration of their old card”, despite the fact that many people had cards with expiration dates as late as 2007. Switch to a major contract with HBOS and Visa, as they were not ready to issue new cards as early as the bank required.

The introduction of chip and PIN has been criticized for being designed to reduce banks' liability in cases of alleged card fraud by requiring the customer to prove that they acted “with reasonable care” to protect their PIN and card, rather than requiring the bank to prove that the signature matched. Before chip and PIN appeared, if the customer’s signature was forged, banks were legally responsible. Until November 1, 2009, there was no law protecting customers against fraudulent use of their chip and PIN cards, only a voluntary banking code. There have been many reports of banks refusing to reimburse victims of card fraud, claiming despite several documented successful large-scale attacks.

The law came into force on November 1, 2009, and shifted the burden onto the banks to prove, rather than assume, that the cardholder is to blame. The Financial Services Authority (FSA) stated that “a bank, building society or credit card company assume that the transaction was conducted by you and there were no failures in procedure or technical difficulties” before denying liability.

Latin America and the Caribbean

The change in Mastercard’s responsibilities between countries in this region occurred on January 1, 2005.
Visa’s change of responsibility for points of sale occurred on October 1, 2012, for any countries in this region that had not yet implemented the shift of responsibility. For ATMs, the shift in responsibility occurred on October 1, 2014 for all countries in the region.

Brazil

Mastercard’s shift of responsibility occurred on March 1, 2008.
Visa’s responsibility for points of sale changed on April 1, 2011. For ATMs, the change of responsibility occurred on October 1, 2012.

Colombia

The change in Mastercard’s responsibility occurred on October 1, 2008.

Mexico

Discover implemented the shift of responsibility on October 1, 2015. For fuel payments at gas stations, the shift of responsibility occurred on October 1, 2017.
Visa’s shift of responsibility for points of sale took place on April 1, 2011. For ATMs, the shift of responsibility occurred on October 1, 2012.

Venezuela

Mastercard’s change of responsibility occurred on July 1, 2009.

Middle East

The change of Mastercard’s responsibility between countries in this region occurred on January 1, 2006. By October 1, 2010, there was a shift in obligations for all operations in retail outlets.
Visa’s responsibility for points of sale changed on January 1, 2006. For ATMs, the change of responsibility occurred on January 1, 2008.

Canada

On October 31, 2012, American Express implemented a shift of responsibility.
Discover implemented the shift of responsibility on October 1, 2015 for all transactions except payment at gas stations; for those transactions it was postponed to October 1, 2017.
Interac (Canadian network of debit cards) stopped processing non-EMV transactions in vending machines on December 31, 2012 and introduced mandatory EMV transactions in retail outlets on September 30, 2016, with the change of obligations taking place on December 31, 2015.
Mastercard performed a shift of obligations for domestic transactions on March 31, 2011 and a shift for international transactions on April 15, 2011. For payment at gas stations, the shift of responsibility was introduced on December 31, 2012.
On March 31, 2011, Visa implemented a shift of obligations for domestic operations, and on October 31, 2010 – a shift of international obligations. For payment at gas stations, the shift of responsibility was introduced on December 31, 2012.
Over the 5-year period after the transition to EMV, the number of fraudulent transactions using domestic cards in Canada has sharply decreased. According to reports, card-present fraud with domestic debit cards decreased by 89.49%, and credit card fraud by 68.37%.

USA

After widespread identity theft due to lax security at checkout terminals at Target, Home Depot and other major retailers, Visa, Mastercard and Discover in March 2012 – and American Express in June 2012 – announced their plans to switch to EMV for the US. Since the announcement, several banks and card issuers have announced cards with EMV chip and signature technology, including American Express, Bank of America, Citibank, Wells Fargo, JPMorgan Chase, US Bank and several credit unions.

In 2010, a number of companies began issuing prepaid debit cards with a chip and PIN code, allowing Americans to load cash as euros or pounds sterling. Was the first issuer in the USA to use credit cards with a chip and PIN code. In May 2010, a press release from Gemalto (a global EMV card manufacturer) indicated that New York would become an EMV card issuer in the United States offering its customers an EMV Visa credit card. JPMorgan was the first bank to introduce a card with EMV technology, its Palladium card, in mid-2012.

As of April 2016, 70% of consumers in the United States had EMV cards, and as of December 2016, approximately 50% of sellers met EMV requirements. However, deployment across vendors was slow and inconsistent. Even vendors with EMV hardware may not be able to process chip transactions due to software flaws or compliance issues. Bloomberg also pointed out problems with software deployment, including changes to audio prompts for Verifone computers, where it may take several months for the software to be released and deployed. However, industry experts expect greater standardization of software deployment and standards in the US. Visa and Mastercard have implemented standards to speed up chip transactions, reducing the time they take to less than three seconds. These systems are labeled Visa Quick Chip and Mastercard M/Chip Fast.