EMV

The abbreviation EMV (Europay International, MasterCard and VISA) describes a specification for payment cards that are equipped with a processor chip, and for the associated chip card devices (POS terminals and ATMs). The letters EMV stand for the three companies that developed the standard: Europay International (now MasterCard Europe), MasterCard and VISA.

Chip instead of magnetic stripe

In the second half of the 1990s, debit cards in several European countries were equipped with microchips so that card transactions no longer had to be processed via the technically obsolete magnetic stripe. These chips were all proprietary and tailored to the needs of each country. The shortcoming that they could not be used across borders was quickly recognized and remedied by the EMV standard.

The main advantages of chip technology, and therefore the reasons for replacing the magnetic stripe with the chip, are:

  • Unlike the magnetic stripe, the chip can be effectively protected by technical means against duplication or alteration. The chip can perform encryption without the secret key value being readable.
  • With chip cards, verification of the card's authenticity (Card Authentication) and checking of the PIN (Card Holder Verification) can take place even without an online connection.
  • In contrast to the magnetic stripe, which merely acts as passive data storage, a chip is a miniature computer with computing power comparable to a PC from the 1980s, with protected data areas and the use of cryptographic techniques. This also makes additional features such as an electronic wallet and loyalty programs possible. However, the specification of these additional applications is not part of EMV, as EMV is limited to payment applications.

The EMV standard

Europay International, MasterCard and VISA, as the largest payment card organizations, jointly developed the EMV standard that is named after them. The first stable release of the EMV chip specifications was the EMV'96 Integrated Circuit Card Specification, Version 3.1.1, which despite its name was not published until 1998. The restructured, revised and expanded EMV 2000 Integrated Circuit Card Specification, Version 4.0, was released in late 2000. This specification applies to all payment cards, i.e. both debit cards and credit cards. EMV 4.1 is only a revision of the EMV 4.0 standard and was released in June 2004.

The EMV standard is essentially based on the principles of interoperability and flexibility. Interoperability means that the same cross-system and cross-border card and terminal usage that is available with magnetic stripe technology is also available with chip card technology. Flexibility means that each payment system must be able to realize individual needs beyond interoperability. The EMV 4.1 standard is divided into four so-called "books". Book 1 defines the interface between the card and terminal (mechanical behavior, electrical behavior, transport protocol) and the Application Selection (the same for all cards and all terminals); Book 2 deals with "Security and Key Management"; Book 3 with "Application Specification"; and Book 4 with "Interface Requirements". From the toolbox of the EMV standard, the system operators (payment systems) can choose their options. The basic idea is that the terminal must support all of these options, while the card may use only individual options.

To develop the common standard and to develop it further, the EMV namesakes founded a separate company, EMVCo LLC. The EMV standard is defined and further developed by this company. EMVCo LLC also tests and certifies the use of EMV technology by manufacturers of EMV-enabled devices such as ATMs and POS terminals. The payment systems themselves are responsible for applications that go beyond this to meet their individual needs.

EMV payments

In an EMV payment, an application is selected on the EMV chip. Its identifier is printed on the customer receipt. The identifier is called the application identifier (AID or AppID) and consists of a 5-byte registered application provider identifier (RID) and a 2 to 5-byte proprietary application identifier extension (PIX). The RID of the German banking industry association is A000000359 and the PIX of girocard is 1010028001. It follows that almost every EC receipt carries the AID A0000003591010028001.

Migration to EMV

To introduce chip technology, the Europay/MasterCard and VISA organizations created a migration plan according to which, by 2005, all European payment cards should have an EMV chip and all European terminals (cashless points of sale and ATMs) should be EMV chip capable. Financial incentives were intended to promote the conversion: Europay International / MasterCard International rewards terminal migration, and VISA EU rewards the issuance of EMV-compliant cards. In addition, the so-called liability shift took effect on January 1, 2005. That is, if damage occurs as a result of card counterfeiting, the party that does not support EMV is liable: the "acquirer" (the bank that connects the merchants) on the terminal side, or the "issuer" (the issuing bank) on the card side.

It was expected that, with all these measures, chip technology would spread quickly on cards and terminals, (for now) in parallel with magnetic stripe technology, and then replace it in a smooth transition. In fact, however, in Germany in 2008 almost all credit cards were still issued without an EMV chip, while approximately 70% of the debit cards (EC cards) on the market were equipped with an EMV chip. As of mid-2009, 92% of ATMs were EMV-compatible, both in Germany and in Europe.

After Visa, MasterCard and Discover published their migration plans for the United States in early 2012, a transition from magnetic stripe to EMV chip technology in the United States in the coming years is very likely.

2010 Bug

On January 1, 2010, processing difficulties occurred in Germany with around 30 million older debit and credit cards with EMV chips because the microchips had been programmed incorrectly. This affected only cards equipped with a chip module from the manufacturer Gemalto. As a result, the affected customers could not withdraw cash at ATMs or make cashless payments at POS terminals (using an EMV transaction).

This led to considerable problems in payment transactions, but the banks concerned wanted to avoid exchanging the defective cards for reasons of time and cost, so the software of ATMs and payment terminals was temporarily reconfigured. At ATMs, the fallback that EMV already provides for defective cards was used in the short term. In this case the transaction "falls back" from the secure chip to the magnetic stripe. Since the MM security feature on the magnetic stripe of payment cards and in the ATM is mandatory in German payment transactions, transaction security was guaranteed. At electronic cash terminals, the flow was configured so that, for the affected cards, processing switched to the old national electronic cash chip application still present on the chip card, and the malfunctioning EMV application of the chip card was not used. These emergency measures were completed within a week.

Thereafter, an update procedure for correcting the erroneous data elements in the card was implemented, which reconfigures the CDOL1 on the chip card. For this, the data relevant to the CDOL1 were requested in a different order, in which the 2010 bug no longer occurs. To apply the update, a transaction without payment had to be carried out. After a successful update, customers were informed at the terminal about the reconfiguration of the card.

Security

On 11 February 2010, a group of computer scientists from the University of Cambridge published an effective man-in-the-middle attack against a POS terminal in Cambridge's in-house cafeteria, which was certified to the British standard Chip Authentication Program (CAP). The attack allows a transaction to be confirmed by entering any PIN. In this attack, a fake card that is connected to a genuine card is inserted into the terminal. The terminal's message to the chip card that contains the PIN to be checked is intercepted and answered with a "PIN OK" message. The terminal therefore believes that the correct PIN has been entered, while the card assumes that payment was made with a signature. This attack works because the response message does not need to be protected cryptographically. In Germany, the attack works only when the obsolete German chip operating system SECCOS v5 is used, for which the transitional period has now expired. According to the German Banking Industry Committee (formerly the Central Credit Committee, CCC), Germany is therefore not affected by the problem.

The EMV specification "Common Payment Application Specification" of 2005 makes a check mandatory, in section "15.5.3.4 Terminal Erroneously Considers Offline PIN OK Check", for the case of a PIN verification that the terminal has falsely assumed to be positive. The same chapter is also found as section "5.2.5.5.3 Terminal Erroneously Considers Offline PIN OK Check" in the German CCC specification "Interface Specifications for the SECCOS ICC - EMV Commands" from 2007.

Technically, the bit "PIN verification performed by ICC" in the Cardholder Verification Method Results (9F34) is also transferred from the terminal to the card in the CDOL1 data with the first GENERATE APPLICATION CRYPTOGRAM, after the VERIFY PIN command. The card must check this and then require that the transaction go online or be aborted. At least at this point, the UK hack would therefore have to fail.
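The card-side consistency check described above, sketched as an added example (not code from the EMV or SECCOS specifications). The function names and return labels are hypothetical, the CDOL1 and command data are constructed, and DOL lengths are assumed to be one byte.

```python
# Added example; names and return labels are hypothetical, not EMV or SECCOS code.
OFFLINE_PIN_CVMS = {0x01, 0x03, 0x04, 0x05}  # CVM codes in which the ICC verifies the PIN
CVM_SUCCESSFUL = 0x02                        # third byte of CVM Results (9F34)

def parse_dol(dol: bytes):
    """Split a DOL into (tag_hex, length) pairs; assumes one-byte lengths."""
    items, i = [], 0
    while i < len(dol):
        start = i
        i += 1
        if dol[start] & 0x1F == 0x1F:            # tag continues in further bytes
            while i < len(dol) and dol[i] & 0x80:
                i += 1
            i += 1
        if i >= len(dol):
            raise ValueError("DOL ends inside a tag or before a length")
        items.append((dol[start:i].hex().upper(), dol[i]))
        i += 1
    return items

def split_dol_data(dol: bytes, data: bytes):
    """Cut the concatenated command data into the fields the DOL asked for."""
    fields, off = {}, 0
    for tag, length in parse_dol(dol):
        if off + length > len(data):
            raise ValueError("command data shorter than the DOL requires")
        fields[tag] = data[off:off + length]
        off += length
    if off != len(data):
        raise ValueError("command data longer than the DOL requires")
    return fields

def check_cvm_claim(cdol1: bytes, data: bytes, verify_succeeded: bool) -> str:
    """Compare the terminal's CVM Results with what the card itself saw."""
    cvmr = split_dol_data(cdol1, data).get("9F34")
    if cvmr is None or len(cvmr) != 3:
        return "NOT_CHECKABLE"                   # CDOL1 does not request 9F34
    claims_pin = (cvmr[0] & 0x3F) in OFFLINE_PIN_CVMS and cvmr[2] == CVM_SUCCESSFUL
    if claims_pin and not verify_succeeded:
        return "FORCE_ONLINE_OR_ABORT"           # terminal erroneously considers PIN OK
    return "CONTINUE"

# Constructed sample: CDOL1 asks for amount, TVR, unpredictable number, CVM Results.
CDOL1 = bytes.fromhex("9F0206" "9505" "9F3704" "9F3403")
DATA_PIN_CLAIMED = bytes.fromhex("000000001000" "0000000000" "11223344" "410302")
DATA_SIGNATURE = bytes.fromhex("000000001000" "0000000000" "11223344" "1E0302")

if __name__ == "__main__":
    print(check_cvm_claim(CDOL1, DATA_PIN_CLAIMED, verify_succeeded=False))
    print(check_cvm_claim(CDOL1, DATA_SIGNATURE, verify_succeeded=False))
```

The check only works when the card's CDOL1 actually requests tag 9F34; otherwise the card never sees the terminal's view of the cardholder verification.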
