I rarely post anything, but I have enough friends, family and acquaintances in the United States ask me what chip cards are. I also have friends and family in Great Britain and Canada confused when I tell them the US is getting chip cards, but generally not chip and PIN.
What is EMV?
We hear a lot lately about fraud, and EMV – aka chip cards – solving fraud. It is important to understand what EMV is, and I’m going to make this short. I could recite hundreds of pages from the EMV books, but I don’t think anyone wants that. Simply put, EMV is a set of standards for smart payment cards. There are a variety of mandatory and optional features. Unlike many believe, PIN support is optional and not mandatory.
The most important thing is that all EMV chip cards reduce counterfeit “card present” fraud by generating a unique cryptogram for each transaction. This is a vast over-simplification, so for those more technical, please forgive me, but essentially what happens is the terminal generates a pseudo-random number when you insert (or “dip”) your chip card. The card has already been programmed with a secret key that it will never, under any circumstances, allow to be read. The bank also knows this key. The terminal sends both your card and your bank the pseudo-random number. Both run a hash function using it and the secret key they both know – the result of this is called a “cryptogram” and there is no way to derive the secret key from the cryptogram.
The cryptogram generated by your card is sent to your bank, who verifies that it is the same as the one they generated using the same pseudo-random number. If it is different, this is a strong indicator that the card is most likely counterfeit and the transaction should not be approved. All EMV cards provide this security, when used at a chip-enabled terminal. A fully chip-enabled terminal that is properly configured will not allow you to swipe a chip card – the stripe has a different “service code” and that says to use the chip when possible. Right now, in the US, there are very few such terminals, but they are expected to quickly grow in popularity before October 2015 when merchants will be held liable for some types of fraud if they are not fully chip-enabled. Many US merchants need only a software upgrade to be fully chip-enabled.
What about the optional features?
EMV allows for optional features that offer great benefits to the cardholder. One of these is PIN support. This is where the term “chip and PIN” comes from. PIN is a type of CVM (Cardholder Verification Method) that requires the cardholder to enter a number on a keypad before their purchase is authorised.
There are several types of PIN: offline plain text PIN, offline enciphered PIN and online PIN. Offline PINs are PINs checked by the card, and online PINs are checked by the bank. It is more complex to implement offline PINs for card issuers, as they must have infrastructure in place to change them. It is more complex for merchants, however, to implement online PIN – thus not all chip and PIN terminals support online PIN. Additionally, there are two more cardholder verification methods: signature and “no CVM”.
Signature is the system people in the United States are generally used to, where they are asked to sign for the goods or services they purchase. For small purchases, no signature is actually required at participating merchants. “No CVM” is an alternative to PIN for unattended merchants (e.g. vending machines) where it is impossible to check signatures. In this case, the transaction goes through with no attempt to verify the cardholder. PIN is the most secure, and it is much quicker than signing.
Unfortunately, most credit cards being issued in the US do not prefer PIN usage. Cards have a “CVM list” and give a preference order for what CVM to use. The issuer can choose to apply some CVM list entries to only certain types of transactions. For example, ATM usage almost always requires online PIN only. Purchases, however, are more flexible. Most US issuers have a CVM list that prefers signature for purchases. Even some cards being sold as “chip and PIN” have signature first, and various types of PIN later in the list. That means you will only be asked for the PIN in a situation where the merchant’s equipment does not support signature checking (such as a ticket machine).
Still other cards do not support PIN at all. Under some circumstances, you may still be asked for a PIN to complete a purchase with such a card, but this practice is to be eliminated in favour of using “No CVM”. There are finally a very few true “chip and PIN” cards available in the US, where PIN usage is preferred. For international travel, these cards would be ideal – unfortunately their availability is extremely limited and one of the most popular chip and PIN cards available in the US charges a foreign transaction fee.
Another nice optional feature is contactless payment support, aka “tap and pay”. With this function, you need only tap the card to the contactless reader. No electrical contact is required. Unfortunately, contactless is not as universally compatible as one would hope. Many contactless-capable terminals in the US simply have the function outright disabled. Still others are not 100% compatible with all contactless cards (and other payment methods, such as phone-based contactless payments) – they will work with some brands or products, but not others.
These cards are also extremely rare in the United States, with most issuers not making them available. They are much more widely available, and accepted, in many other countries. Because contactless transactions are essentially never PIN-based (though this is changing, to allow large purchases), there are often fewer hassles associated with using a contactless card in a country known for “chip and PIN” than there are using a “chip and signature” card in the same country. There is no signature slip to sign, and most importantly – no risk of being hassled.
Major card issuers state that chip and signature cards work almost everywhere, and are easier to use as there is no PIN to remember. Part of this is personal preference, but I do not find remembering a PIN to be terribly difficult. What I do find difficult, however, is spending five minutes while a shopkeeper records my passport details, questions my signature, etc. This experience is far too common with chip and signature cards. Unlike in the US, where shops rarely think twice about signatures, in PIN-preferring countries signature checking is taken extremely seriously. All too often, this extends to requiring ID and even occasionally recording extremely personal details such as your passport number, full name and date of birth.
Since chip and PIN cards are not widely available, a contactless card may be another option to make card use while travelling easier and more convenient. Furthermore, while I do not generally use or recommend cash, cash is a better option than ever. There are several debit cards that offer cash withdrawals from any ATM in the world without a foreign transaction fee. Some of these will even refund any fee charged by the ATM owner, and if they don’t, fee-free ATMs are much more common in other countries. Just like with purchases, you only need to be careful to avoid Dynamic Currency Conversion (DCC, and that is a topic for another day). You will, however, miss out on the rewards, convenience and protections of using a credit card. For me, that trade-off is not worth it, although it may be to you.
I hope that this information was helpful in clarifying some information about EMV cards. Please let me know if there is anything you would like me to cover in the future.