Encryption, EMV, and Biometrics: New Superheroes of Payments Fraud

Posted: Feb 10, 2016
Author: Lou Grilli

Part 2 of a 3-Part Series

This is article 2 of 3 in the series “Tokenization, Encryption, EMV, and Biometrics: The New Superheroes of Payment Fraud.” In Part 1, we reviewed tokenization, its background, and how it is now being used in mobile wallets. In this part, we take a deeper look at EMV and how it uses encryption to protect payment credentials. EMV is a technology and a solution designed to prevent counterfeit-card fraud.

Encryption and EMV

EMV was designed in Europe about 20 years ago as a standard for the chip card and the terminal to authenticate themselves to each other. The primary goal of EMV was to prevent the easy counterfeiting of the magnetic stripe.

The data stored on the card is not a token. The PAN (the same one stored on the magnetic stripe) is stored securely on the chip, along with some anti-counterfeiting data, including a dynamic CVV (versus the static one printed on the back of the card) and a unique transaction number that is updated on each use, which is why the card must stay in the terminal for the duration of the authorization.

The authorization request in an EMV transaction is made up of card data, both static and dynamic, as well as data supplied by the terminal (amount, date, etc.) and exchanged between the chip and the terminal on insertion. This entire bundle, called the Authorization Request Cryptogram (ARQC), is sent encrypted end to end from the terminal to the issuer. Some merchants may encrypt at the processor rather than at the terminal to allow further processing. The ARQC is evaluated by the issuer, and the response, the Authorization Response Cryptogram (ARPC), is evaluated by the card. The chip on the card is powered by the reader or by a battery on the card. Unique encryption keys are downloaded to the POS terminal during EMV setup for this purpose and are updated remotely. Additionally, if the transaction is a PIN transaction (debit PIN and some MasterCard credit PIN), the PIN is sent separately, encrypted under a different key.
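To make the ARQC/ARPC round trip concrete, here is an added simulation that is not part of the original article or of any EMV specification. It models the three parties described above: a chip that holds a per-card key and a transaction counter, a terminal that contributes the amount, date and an unpredictable number, and an issuer that recomputes the cryptogram and answers with an ARPC the chip then checks. Real EMV cryptograms are 3DES-based MACs over spec-defined fields; this example substitutes HMAC-SHA256 for the MAC and uses a constructed master key and PAN, so the key derivation, field layout and ARPC construction are assumptions made for illustration, not the standard's. The three scenarios show why the counter and terminal data matter: a genuine request is approved, a request whose amount was altered in transit fails the MAC check, and a replay of an already-used request is rejected because its counter did not advance.

```python
import hmac
import hashlib

# Constructed, non-real key material and card data for the simulation.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4000123412341234"
ARC_APPROVED = b"00"  # authorization response code returned to the card


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Issuer derives a per-card key from its master key and the PAN (HMAC stand-in for the spec's 3DES derivation)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def derive_session_key(card_key: bytes, atc: int) -> bytes:
    """Per-transaction session key bound to the Application Transaction Counter (ATC)."""
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def transaction_data(amount_cents: int, date: str, unpredictable_number: int, atc: int) -> bytes:
    """Fields covered by the cryptogram: terminal-supplied amount/date/nonce plus the card's counter."""
    return b"|".join([
        str(amount_cents).encode(),
        date.encode(),
        unpredictable_number.to_bytes(4, "big"),
        atc.to_bytes(2, "big"),
    ])


def mac8(key: bytes, data: bytes) -> bytes:
    """Truncated MAC, mirroring the 8-byte cryptograms EMV exchanges."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Chip:
    """The card: holds its key, advances the ATC per transaction, generates ARQC and checks ARPC."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self.atc = 0

    def generate_arqc(self, amount_cents: int, date: str, unpredictable_number: int) -> dict:
        self.atc += 1  # new counter value every time the card is used
        session_key = derive_session_key(self._key, self.atc)
        data = transaction_data(amount_cents, date, unpredictable_number, self.atc)
        return {"pan": PAN, "atc": self.atc, "amount": amount_cents, "date": date,
                "un": unpredictable_number, "arqc": mac8(session_key, data)}

    def verify_arpc(self, request: dict, arpc: bytes) -> bool:
        session_key = derive_session_key(self._key, request["atc"])
        expected = mac8(session_key, request["arqc"] + ARC_APPROVED)
        return hmac.compare_digest(expected, arpc)


class Issuer:
    """The issuer: recomputes the ARQC from the same fields and tracks the last ATC seen per card."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self.last_atc = {}

    def authorize(self, request: dict):
        card_key = derive_card_key(self._master, request["pan"])
        session_key = derive_session_key(card_key, request["atc"])
        data = transaction_data(request["amount"], request["date"], request["un"], request["atc"])
        if not hmac.compare_digest(mac8(session_key, data), request["arqc"]):
            return False, None  # cryptogram does not match the presented data
        if request["atc"] <= self.last_atc.get(request["pan"], 0):
            return False, None  # counter did not advance: stale or replayed request
        self.last_atc[request["pan"]] = request["atc"]
        arpc = mac8(session_key, request["arqc"] + ARC_APPROVED)
        return True, arpc


def run_scenarios() -> dict:
    issuer = Issuer(ISSUER_MASTER_KEY)
    chip = Chip(derive_card_key(ISSUER_MASTER_KEY, PAN))
    results = {}

    # 1. Genuine purchase: issuer validates the ARQC, card validates the returned ARPC.
    req = chip.generate_arqc(2599, "2016-02-10", 0x1A2B3C4D)
    approved, arpc = issuer.authorize(req)
    results["genuine"] = approved and chip.verify_arpc(req, arpc)

    # 2. Amount altered between terminal and issuer: the MAC no longer matches.
    req2 = chip.generate_arqc(1000, "2016-02-10", 0x0BADF00D)
    results["tampered_amount"] = issuer.authorize(dict(req2, amount=1))[0]

    # 3. The first, already-authorized request presented again: the ATC has not advanced.
    results["replay"] = issuer.authorize(req)[0]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The counter check in `Issuer.authorize` is the piece a magnetic stripe cannot offer: stripe data is the same on every swipe, whereas here every use changes the ATC and therefore the session key and cryptogram, so a copy of one transaction's data is not accepted for another.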

So Where Does NFC Fit In?

While the EMV chip card communicates with the terminal via direct contact with the chip (that is, the card is inserted into the terminal reader at the point of sale), a mobile payments app communicates with the terminal using a protocol called Near Field Communication (NFC). This requires the phone to be within a few inches of the terminal. Since the phone is close to, but not touching, the terminal, this is called a Proximity Payment. An additional layer of security for mobile payments, on top of the tokenized PAN, comes in the form of a required biometric scan (fingerprint scan) or passcode to access the mobile pay app.

NFC is also used for contactless cards. These are EMV credit cards that do not need to be inserted into the terminal; instead they communicate with the terminal using NFC, much like the mobile payment apps. Contactless cards are rarely seen in the U.S. but are fairly common in the U.K. and other countries. Like the standard contact chip card, the contactless card does not use tokenized payment credentials, but it uses the same encryption as any other EMV card transaction.

Be on the lookout for Part 3 of this 3-part series on “The New Superheroes of Payment Fraud,” where we will take a closer look at tokenization, its ongoing battle against fraud, and some of the potential challenges it creates for merchants.


Lou Grilli

Lou is the AVP of Product Development & Thought Leadership at Trellance. In this role, he is responsible for managing the organization’s product portfolio, as well as providing leadership on industry trends related to data analytics and payments.