References


References

  1. EMVCo, EMV 2000 Integrated Circuit Card Specification for Payment Systems, BOOK 3 ”Application Specification , Version 4.0, December 2000, http://www.emvco.com/specifications.cfm.

  2. EMVCo, EMV 2000 Integrated Circuit Card Specification for Payment Systems, BOOK 2 ”Security and Key Management , Version 4.0, December 2000, http://www.emvco.com/specifications.cfm.

  3. EMVCo, EMV 2000 Integrated Circuit Card Specification for Payment Systems, BOOK 4 ”Cardholder, Attendant, and Acquirer Interface Requirements , Version 4.0, December 2000, http://www.emvco.com/specifications.cfm.

  4. ISO/IEC 8583:1993, "Financial Transaction Card Originated Messages ”Interchange Message Specifications", 1995.

  5. ISO/IEC 3166, "Codes for the Representation of Names of Countries", 1997.



Chapter 7: EMV ¢ Chip Migration Issues

Overview

There are many aspects that advocate for the migration from magnetic stripe “based payment systems towards EMV ¢ chip solutions:

  • Increased security of the EMV ¢ CAMs, both in on-line and off-line operation, due to the implementation of dynamic authentication mechanisms using the computational power of the EMV ¢ chip;

  • Support for off-line PIN verification at the attended point of service, instead of either on-line PIN verification or handwritten signatures, using the tamper-resistance storage offered by the chip card;

  • Increased data storage capacity and security of the chip when compared with a magnetic stripe;

  • The possibility of EMV ¢ chip cards to accommodate multiple applications at the same time, and to offer supplementary services other than those related to effecting payments.

Consequently, there is a good expectation that payment system operators and their clients , both issuers and acquirers , are going to adopt this technology on a large scale.

While the previous chapter concentrated on presenting the technical aspects related to the EMV ¢ standard, this chapter focuses on management and organizational issues concerning the EMV ¢ chip migration. In this context we analyze the impact of the chip migration on the roles involved in the implementation of the payment system infrastructure ”namely, the payment system operator, the issuer, and the acquirer. We identify the responsibilities of each role and we summarize the actions to be taken for accomplishing these responsibilities. The main task of the payment system operator is to provide the adequate payment network that supports the EMV ¢ transactions. The payment system must also define an appropriate regulatory framework that establishes the requirements that must be fulfilled by issuers and acquirers to connect to this network. The main responsibility of the issuer is to design the appropriate EMV ¢ chip cards and to implement the authorization rules in its host computer, following the minimum requirements stated in the payment system's regulatory framework. The task of the acquirer is to adapt his terminals to support the EMV ¢ chip transaction at the point of service, and its network to convey the supplementary chip related data from the point of service to the issuer, via the payment system's network, and vice-versa. Note that throughout this chapter the term "chip" designates an EMV ¢ chip, unless otherwise explicitly stated.

The chapter is organized as follows . Section 7.1 outlines the definition of an EMV ¢ regulatory framework and its impact on the issuers and acquires participating in the EMV ¢ payment system. Starting with Section 7.2, we focus on some ICC design issues. First, we present the process of defining ICC specifications by issuers, observing the boundaries established by the EMV ¢ regulatory framework. Section 7.3 presents criteria for choosing an ICC chip platform. Section 7.4 identifies a number of principles concerning the design of multiapplication cards. Section 7.5 outlines the issuer's business case for an EMV ¢ debit/credit card application. Section 7.6 presents a design example of adaptive initialization of the application processing. Section 7.7 discusses the choice of the CAM methods, and Section 7.8 outlines the choice of CVM methods , according to the type of payment service supported by a certain EMV ¢ card application. Section 7.9 outlines the definition of the processing restrictions of a card application. Finally, Section 7.10 analyzes card risk management, which is an essential component of the trade-off between security and availability of the payment service during the processing of a transaction.