7.1 EMV(TM) regulatory framework

7.1.1 Business objectives

First, the payment system operator defines the types of payment services supported by his network (e.g., ATM cash dispensing, POS payments, electronic purse loading, loyalty schemes support).

Second, the payment system operator defines the processing features available for the chip support, which are offered to both acquirers and issuers to implement a certain type of service. Some of these processing features are listed below, ordered according to their increasing complexity:

1. Identification of the transactions carried out at an EMV ¢ -enabled terminal, which is a terminal that can read an EMV ¢ chip card and complete the associated transaction profile. This identification is possible regardless of the actual method used at the point of service to capture the financial data of the card;

2. Identification of the transactions carried out with an EMV ¢ chip card at an EMV ¢ -enabled terminal;

3. Support of off-line PIN verification as CVM at the point of service;

4. Support of the chip-related data in the authorization and financial messages, allowing on-line dynamic CAM and issuer script processing;

5. Support of off-line authorization below floor limits through subsequent clearing messages/transactions;

6. Support of post-processing advice messages concerning the allowable number of PIN tries exceeded and the result of the issuer script processing.

Note that not all the services need all the aforementioned processing features. For example, a POS payment service needs processing feature 5 listed above, since local authorization below floor limits is supported. However, an ATM service that authorizes all the money withdrawal transactions on-line does not need it.

Third, the payment system operator redefines its interchange fee strategy to take into account the following two factors:

1. The influence of the chip-related data's size in interchange messages;

2. The promotion of stimulating interchange fees during the process of the chip migration, for the early acceptance of the EMV ¢ chip technology by acquirers and issuers.

The first factor reflects the modification of the amount of data exchanged between acquirer and issuer in case a transaction is completed with the chip. Chip transactions may determine the increase of the data interchange. Indeed, data interchange increases whenever data related to the on-line dynamic CAM is sent from the acquirer to the issuer in the authorization request message and whenever issuer authentication data and issuer scripts are sent from the issuer to the acquirer in the authorization response message. The amount of data exchanged between the acquirer and the issuer can decrease in chip transactions in case the CVM at the point of service is modified from on-line PIN verification to off-line PIN verification. It is also important to notice that the chip transactions may determine additional messages to be exchanged between the issuer and the acquirer, which can also result in the increase of the data interchange.

The second factor implies the reduction of the interchange fees for acquirers, whenever they cannot prove that a transaction was completed at an EMV ¢ -enabled terminal. In order to obtain the highest exchange fee for a transaction, the acquirer must adapt his terminals to be EMV ¢ compatible. The acquirer must also upgrade its network to support at least the first three processing features listed above, allowing mainly the identification of all the transactions initiated at an EMV ¢ -compatible terminal.

7.1.2 Functional requirements

A flexible way to define the regulatory framework consists of specifying a minimal set of functional requirements, concerning both issuers' chip cards and acquires' terminals (accepting chip cards).

• Minimal card requirements: This is an issuers' concern when designing the layout of the card files and the functions that must be implemented in the EMV ¢ chip cards. These minimal card requirements determine the appropriate level of security and availability with respect to financial transactions like cash withdrawal, payments for goods and services at POS terminals, and anticipated payments for incremental amounts (phone calls, fuel stations ) at various types of terminals (on-line, off-line, off-line with on-line capability). Issuers claiming the compliance of their chip cards with the minimal card requirements must pass a card type approval [1], which is a procedure defined by each individual payment system. Independent certification laboratories appointed by the payment system operator perform the type approval process. The minimal card requirements impact the definition of the ICC specification by the issuer, as it will be presented in Section 7.2.

• Minimal terminal requirements: This is an acquirers' concern when adapting the terminals to EMV ¢ compatibility. The acquirer has to install new terminals or upgrade the existing ones such that the Terminal Type approval levels 1 [2] and 2 [3] are obtained. Note that EMVCo elaborates upon these approval procedures for terminals. EMVCo is an organization formed by Europay International, MasterCard International, and Visa International to manage, maintain, and enhance the EMV ¢ Integrated Circuit Card Specifications. In addition, EMVCo organizes and coordinates the EMV ¢ level 1 and level 2 type approval activities. Certification laboratories assigned by EMVCo perform these approval processes. When referring to the generic EMV ¢ communication protocol stack described in Figure 4.1, EMV level 1 compatibility means the adaptation of the terminals' communication subsystem, while EMV level 2 compatibility means the adaptation of the software at the application level to support the EMV ¢ selection mechanism, the debit/credit transaction flow, and security aspects. EMV level 1 is concerned with the adaptation of both the communication protocol and the corresponding hardware (from the viewpoint of the electrical signals and of the mechanical aspects). A terminal certified EMV level 1 allows the correct communication with the EMV ¢ card, after the ATR sequence.

Besides the minimal card requirements that must be observed for the issuance of chip cards, the impact of the EMV ¢ chip migration on issuers is reflected also in the adaptation of the processing performed by the IH. The IH has to be able to correctly evaluate the authorization/financial requests, which include chip-related data, and to provide adequate responses. The requests are received from terminals that accept the EMV ¢ card application proposed by the issuer, while the responses are elaborated by the IH and sent back to the terminal.

Moreover, the issuer must comply to fallback requirements, which state that an EMV ¢ chip card must be issued with a magnetic stripe for storing the financial data of the cardholder. The magnetic stripe should allow the completion of a transaction in case the chip fails [4].

From the point of view of the acquirer, the implementation of an EMV ¢ payment system means both the adaptation of terminals towards EMV ¢ compatibility, according to the minimal terminal requirements, and the adaptation of the acquirer network. The network of the acquirer connects EMV ¢ terminals in the field with the AH, and the latter with the AN provided by the payment system operator as an entry point in its payment network. The acquirer network can be adapted in two separate stages, with an increasing degree of complexity.

In the first stage, the network can be modified for partial chip support only, meaning that the messages received from the terminals carry enough data elements that allow:

• Identifying the possibilities of the terminal regarding what kind of data capturing it is able to perform, including the possibility of reading an EMV ¢ chip;

• Identifying the actual method of data capturing, including the reading of the chip, as used by the terminal in the current transaction;

• Identifying the result of an off-line PIN cardholder verification method.

An acquirer providing partial chip support fulfills the criteria of the payment system operator for obtaining the highest interchange fee, as explained in Section 7.1.1.

In the second stage, the acquirer's network can be completed for full chip support, which also allows:

• The support of ICC-related data in the authorization/financial request and response, which allows on-line CAM, issuer authentication, and issuer script processing;

• The support of off-line CAM in transactions involving amounts below floor limits, with the processing of subsequent financial advice messages for clearing.

• Post-processing advice messages on allowable number of PIN tries (off-line PIN validation), issuer authentication result, and issuer script results.

Note that the acquirer can directly adapt his network for the full chip support. The main stimulus for the full chip support is the liability policy established by the payment system operator, as it is explained in Section 7.1.3.

The EMV ¢ terminals at the point of service must be adapted such that the additional ICC-related data elements are transferred in the authorization/financial messages exchanged between the terminal and the AH, and vice-versa. This implies the modification of the existing terminal to the AH interface. The AH has to be modified to support the processing determined by the presence of the ICC-related data in the payment messages received from terminals.

The acquirer must also comply with fallback requirements, which state that an EMV ¢ compatible terminal must be equipped with a magnetic stripe reader. The magnetic stripe reader should allow the capturing of the card's financial data from its magnetic stripe, in case the card does not contain a chip or the chip is not functional.

7.1.3 Security politics

Security politics are part of the EMV ¢ regulatory framework defined by the payment system operator. They include guidelines for both issuers and acquirers concerning the choice of the most appropriate CAM and CVM to be implemented in chip cards and terminals in order to counter both counterfeit and fraudulent transactions. A counterfeit transaction is a transaction performed with a card that is not genuine , which is also referred to as a counterfeit card. A fraudulent transaction is a transaction involving a different user of the card than the legitimate cardholder to whom the card was issued. The guidelines concerning the choice of the appropriate CAM/CVM depend on the type of service implemented in a chip card application, and they also depend on the type of terminal and the type of card application that is actually used at the point of service.

The security politics further determine the security policies adopted by both issuers and acquirers in terms of controlling risk and reducing fraud while increasing the availability of the financial service for the cardholder and reducing the costs of the transactions through off-line completion. Security policies pertain to both the card and the terminal in terms of multiapplication support policies, CAM policies, CVM policies, and risk management policies, to name only the most representative.

An important chapter of the security politics is the distribution of liabilities between issuers and acquirers in case disputes are generated by fraudulent and counterfeit transactions. In general, within the boundaries of an EMV ¢ payment system, the politic is to hold liable for both fraudulent and counterfeit transactions that party (issuer or acquirer) that did not complete the EMV ¢ chip migration. It is also common practice to hold liable for counterfeit/fraudulent transactions the party that fails to process an EMV ¢ transaction correctly. Thus, an acquirer is responsible for his terminals when they provide incorrect data and processing decisions to the chip card. In the same way, the issuer is responsible for the value of the personalization parameters and processing options available in a chip card.

The liability distribution in case of counterfeit transactions can be based on some of the following principles:

• An acquirer is liable for the counterfeit transactions authorized online using the financial data stored on the magnetic stripe of a card, in case the card contained an EMV ¢ chip and the terminal is not EMV ¢ compatible. This encourages the acquirer to accelerate the replacement of all the terminals with EMV ¢ compatible terminals that have obtained the Terminal Type approval level 1 and 2.

• The acquirer is responsible for all the counterfeit transactions authorized off-line for transaction amounts below the Terminal Floor Limit when the terminal is not EMV ¢ compatible and the card contains a chip. The same liability rule can be enforced when the terminal is EMV ¢ compatible, the card contains a chip, the reading of the chip data failed, and the terminal did not forward the transaction for authorization to the issuer.

• An acquirer is responsible for counterfeit transactions authorized on-line, in case both the terminal is EMV ¢ compatible and the card is an EMV ¢ chip card, but the Application Cryptogram (ARQC) of the card could have not been included in the authorization/financial request towards the issuer. This liability decision could encourage the acquirer to upgrade his network to provide full chip support.

• An issuer is liable for any counterfeit transactions authorized on-line whenever the terminal is EMV ¢ compatible but the financial data of the card was captured from the magnetic stripe of the card. This can happen either when the card contains no chip or when it contains a chip that is not functioning properly. This encourages the issuer to migrate to EMV ¢ chip cards that have obtained appropriate card type approval.

• An issuer is responsible for all the counterfeit transactions authorized off-line for transaction amounts below the Terminal Floor Limit when the terminal is EMV ¢ compatible and the card does not contain a chip.

The liability distribution in case of fraudulent transactions can be based on some of the following principles:

• An acquirer is responsible for any fraudulent transaction held in the following circumstances. The card contains a chip, and the CVM List indicates the preference of the issuer for either an off-line or on-line PIN verification. The terminal is either not equipped with a chip reading device or it is equipped with a chip reading device but its PIN pad does not conform to the minimal terminal requirements.

• An acquirer is responsible for fraudulent transactions completed offline whenever the CVM chosen by the terminal is neither among those listed in the CVM List of the chip card nor the off-line PIN verification.

• The issuer is liable for any fraudulent transactions, even if the respective cards where blacklisted to terminals, whenever they are conducted on EMV ¢ -compatible terminals equipped with secure PIN pad but the card does not contain a chip with an appropriate card application. This is encouraging the issuer to migrate to EMV ¢ chip cards that have obtained the card type approval.

• The issuer is responsible for any fraudulent EMV ¢ transaction completed off-line, whenever the following conditions are simultaneously observed. The terminal chooses correctly the off-line completion of an EMV ¢ transaction according to the decision of the terminal risk management procedure. This decision is based on transaction amounts lower than the Terminal Floor Limit. The identity of the cardholder is verified with a CVM that is indicated in the CVM List personalized by the issuer or with an off-line PIN verification.

While the reduction of interchange fees can encourage acquirers to complete the partial chip upgrading of their networks, the liability politics can encourage both the chip migration of the issuer and the full chip upgrading of the acquirer's network. This is mainly due to the reduction of losses when processing counterfeit transactions and when disputes arise with the cardholder due to fraudulent transactions.