EMV and NFC: Keeping these technologies straight

You’ve probably heard the terms “EMV” and “NFC” with increasing frequency over the past couple years, whether it’s your issuer explaining why your card now has a chip on the front, or Apple touting its new mobile payment solution.

Philip Andreae of Oberthur Technologies takes our NFC and EMV questions.

Philip Andreae of Oberthur Technologies takes our NFC and EMV questions.

So how do EMV and NFC differ – and how will they fit together as mobile wallets take off?

We posed those questions to Philip Andreae, vice president of field marketing for Oberthur Technologies. Back in 1993, while working for Europay International, he was part of the team that created EMV (Europay is the ‘E’ in that acronym, while MasterCard and Visa represent the ‘M’ and ‘V’). He helped lead the launch of EMV in Canada (while working for Visa) in 2003. And, as a consultant, he’s helped businesses adapt to emerging technologies, including contactless and mobile payments.

EMV? NFC?

If those are your first questions, here’s a primer:

chip and pin on cardEMV: Many people understand EMV as the technology behind the little gold or silver chip that’s appearing on more of their credit cards as an alternative to magnetic (mag) stripe. It’s really a payment protocol that uses dynamic, one-use data generated for each transaction, which makes information stolen by a hacker useless for cloning cards. For EMV to take hold, issuers must upgrade their cards, and merchants have to upgrade their terminals to receive those upgraded cards.

EMV is being rolled out in the U.S. thanks to the liability shift which will occur in October 2015. Currently, the card networks (Visa, MasterCard, American Express and Discover) hold issuers (not merchants) liable for fraudulent transactions. After October 2015, whichever party hasn’t upgraded to EMV (merchant or issuer) will be held responsible.

NFC symbolNFC: NFC, meanwhile, is often understood as the technology that allows you to make purchases with your phone – or a watch, a contactless card or another sort of dongle. NFC stands for near field communication, and Softcard (formerly Isis), Google Wallet and Apple Pay all use it to enable mobile wave-and-pay phone payments at the register. NFC allows two devices to communicate via radio waves when they’re close to each other, and it’s a means of communications capable of supporting more than just payments.

Do EMV and NFC compete? Or do they work together?

So are EMV and NFC competitors or allies?

As Andreae explains it, NFC enables two devices, a master device (a payment terminal, for example) and a slave device (a phone, for example) to communicate at a short distance — 4 centimeters to be precise. EMV, meanwhile, “defines how the master communicates with the slave and how the slave will respond to the master,” Andreae says.

Let’s take a closer look: EMV is a standardized set of rules (divided into
13 “books”, which are NOT light reading) that define the electrical, physical and security aspects of payment transactions.

Those rules apply to contact EMV (when you insert your EMV chip card into the slot on the payment terminal) and contactless EMV (when you wave a dongle, card or phone in front of a payment terminal). NFC transactions that follow these standards can therefore also be called contactless EMV.

While the action of paying may look quite different (inserting a card vs. waving a payment device), contact and contactless EMV both utilize a tool honed by secret agents: cryptography. The payment credentials traditionally stored on the magnetic stripe (account number, expiration date, etc.) will undergo cryptographic processes to make them extremely difficult to clone.

The bottom line: Put simply (and perhaps over-simply), NFC is a vehicle for payments. Assuming that vehicle follows the EMV rules of the road, and the merchant has upgraded its interface to the payment systems to allow EMV, you’re making an EMV payment when you use a mobile wallet. EMV chip cards, meanwhile, are simply other vehicles that follow the same EMV road rules.

Can I use a non-EMV card in an NFC mobile wallet?

Let’s say your issuer hasn’t given you a card with an EMV chip yet, but you want to add that magnetic-stripe card to an NFC mobile wallet like Apple Pay. How will your magnetic-stripe card within the mobile wallet be processed?

“It will become an EMV transaction,” Andreae says.

When you add a card to your wallet, Apple gets a token (a string of 15 or 16 numbers that is NOT your actual card number) from the card’s network to represent that card in the phone’s secure element. During that process, “They will load into the Apple Pay secure element the right stuff to do an EMV transaction,” Andreae says.

There’s one possible caveat though, and that lies within the merchant’s equipment.

“If you look at a point-of-sale device, there are two sides to it,” Andreae says. “There’s the side that faces the payment credentials carried in a card or mobile device. And there’s the side that faces the network. The important part is the side that faces the network and the banks.”

Some terminals haven’t been upgraded on that network side to transmit EMV-compliant data when they reach out to the issuer to request authorization. The consumer-facing side will communicate with your phone just fine, and your account will be charged. Your payment just won’t go through as an EMV transaction from start to finish. Apple has been saying that more than 200,000 merchants have terminals that can accept contactless NFC payments, but many of those, Andreae says, currently won’t process them as true EMV transactions from end to end. Those merchants would be held liable under the liability shift, but consumers’ data will be almost as secure as it would be in true EMV transaction.

“Basically, your card or phone knows how to talk EMV, but does the terminal? That’s the question,” Andreae says.

Merchants upgrading their terminals for EMV means that more of them will accept NFC payments, right?

Photo courtesy of Verifone

Photo courtesy of Verifone

Possibly.

The EMV liability shift certainly gives merchants a financial impetus to upgrade their point of sale equipment. And it’s likely that their new terminals will have contact-EMV and contactless (NFC) capabilities.

“If you buy a terminal today, it is extremely likely that by default, the manufacturer has installed the hardware for contact and installed the hardware for contactless,” Andreae says.

That said, merchants who upgrade their terminals to accept contact EMV payments (using cards with chips) may not always turn on the contactless EMV capability – meaning you won’t be able to pay with an NFC-based mobile wallet.

Why? Take Wal-Mart for example. You may have noticed that many if not all of its terminals already accept EMV chip cards. However, Wal-Mart has firmly and publicly said no to NFC. That’s because it, along with several dozen other businesses, has formed CurrentC, a competing mobile payment option that relies not on NFC, but on scanned barcodes.

So, while Wal-Mart and other CurrentC merchants may have terminals that would allow NFC-based transactions, they have “turned off the switch” for NFC, Andreae says.

“You need a piece of software that wants to talk to that antenna,” Andreae says. “But Wal-Mart told the software designer, ‘Turn off that switch. Don’t talk to that antenna because we don’t want to.’ ”

CurrentC aside, allowing NFC payments can be pricey for merchants. Software that allows a payment terminal to read magnetic stripes only is less expensive than software that does mag stripe and contact EMV – which, in turn, is less expensive than software that does mag stripe, contact EMV and contactless EMV (NFC).

“Each merchant will develop a business plan to decide if it’s worth turning on NFC,” Andreae says. “It’s like when you buy a new car. Do you want navigation or not?”

I’ve heard EMV called ‘chip and PIN’ or ‘chip and signature.’ Does that mean I’m going to have to sign or enter a PIN for my mobile wallet payments?

If you saw Apple’s latest product announcement, you may remember the blink-and-you’ll-miss-it video demonstrating how paying with Apple Pay requires no more than a wave and a finger tap (so that Touch ID can read your fingerprint).

Softcard and Google Wallet have similarly touted speed when advertising their wallets. But what happens after the EMV liability shift? EMV is often referred to as “chip and PIN” and “chip and signature,” and those very names suggest there might be more steps involved.

PIN and signature are two of the types of cardholder verification methods (CVMs) supported by EMV. Other parts of the world have mostly gone PIN. The U.S., meanwhile, is going “chip and choice,” with issuers choosing either PIN or signature. Most of them are choosing signature so far, though, and Andreae sites the difficulties of memorizing PINs for all the cards in our wallets (a “consumer nightmare”) and the challenge of building an infrastructure that would allow consumers to change their PINs (an “expensive nightmare”) as possible reasons.

In any case, chip-and-signature EMV will likely be the norm when EMV rolls out here, but that demo video didn’t show the consumer signing anything.

That’s because many everyday mobile wallet transactions will not require a signature, even after EMV rolls out. You already don’t sign for card purchases under a certain amount. That threshold is set by the card networks and varies by merchant (it’ll probably be higher at a high-end clothing store than at a coffee shop, for example). As long as you don’t exceed that amount, no signature is required.

The same goes for the contactless EMV payments you’ll make with mobile wallets and the contact EMV transactions you make with a chip card. EMV supports a third CVM for small-dollar transactions called “No CVM,” which is exactly what it sounds like – if the transaction is below the amount set by the card network for that merchant, no CVM (PIN or signature) is required. You will need to use the verification measures required by the wallet itself (Touch ID for Apple Pay and passcodes for Google Wallet and Softcard), but the merchant won’t ask for anything more unless the transaction is large.

“Let’s say you’re buying a really expensive bottle of wine,” Andreae says. “That merchant is probably going to want you to sign that transaction no matter what you do. Or he’s going to want you to enter a PIN, no matter what you do.”

 
Comments
The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.

The new proposed EMV cards will also have the magstripe. So what security vulnerability will still remain on the card – same as earlier?

I’m starting to understand, it’s not about security of the nfc technology it’s about getting a piece of the pie.