EMV

EMV stands for Europay, Mastercard, and Visa, the three payment networks that co-developed the global standard for chip-based payment cards. An EMV card contains a small microprocessor chip that generates a unique, one-time cryptographic code for every transaction. That dynamic code cannot be reused or reproduced, which makes EMV cards fundamentally more secure against counterfeit fraud than the static magnetic stripes they replaced. As of 2024, EMV chip cards are the dominant payment card format in more than 80 countries, with over 10.5 billion EMV cards in circulation globally according to EMVCo data.

How EMV Chips Prevent Fraud

A magnetic stripe stores a fixed set of data: your card number, expiration date, and service code. Every swipe sends exactly the same string of numbers. A thief who captures that string once can reproduce it on a blank card and use it indefinitely. That is what made card skimming so lucrative before chip adoption.

An EMV chip works differently. Every time you insert your card, the chip and the terminal run a mutual authentication protocol. The chip generates a cryptogram, a calculation derived from the transaction data and a secret key stored inside the chip that cannot be extracted. The payment network verifies that cryptogram against its own records. If the values do not match, the transaction is declined. Even if someone captures the cryptogram from one transaction, it has zero value for any future transaction.

The Three Authentication Methods in EMV

EMV supports multiple ways of verifying that the person presenting the card is the legitimate cardholder. Which method applies depends on the card issuer's configuration and the terminal's capabilities.

• PIN verification: You enter a personal identification number, which is either verified locally by the chip (offline PIN) or sent to the issuing bank for validation (online PIN). This is the dominant method in Europe and most of the world outside the United States.
• Signature verification: You sign the receipt and the merchant visually compares it to the signature on the back of the card. Less secure than PIN but historically the default in the United States.
• No cardholder verification: Used for low-value tap-to-pay transactions where requiring a PIN or signature would slow down the checkout line unnecessarily.

Chip-and-PIN vs. Chip-and-Signature

The EMV Liability Shift in the United States

Before October 1, 2015, card issuers bore the cost of counterfeit fraud losses in the United States regardless of which party was actually responsible. On that date, the major card networks implemented an EMV liability shift. Any party in a transaction that has not adopted EMV technology bears responsibility for counterfeit fraud losses that EMV would have prevented.

A merchant using an old magnetic stripe terminal who accepts a counterfeit card that an EMV terminal would have declined is now responsible for that fraud loss. This shifted billions of dollars in fraud costs toward merchants who were slow to upgrade their point-of-sale hardware, creating a strong financial incentive to complete the transition.

EMVCo Governs the Standard

EMVCo is the organization jointly owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa that maintains and evolves the EMV specifications. It publishes the technical standards governing chip card design, contactless payment protocols, and 3-D Secure online payment authentication. Terminal and card manufacturers must pass EMVCo certification testing before their products can carry the EMV mark.

EMVCo's scope has expanded well beyond physical chips. The organization now manages specifications for tokenization, which replaces actual card numbers with substitute tokens in digital wallets, and for Secure Remote Commerce, a standardized online checkout experience that reduces card-not-present fraud.

Sources

• https://www.emvco.com/emv-technologies/contact/
• https://www.federalreserve.gov/paymentsystems/
• https://www.pcisecuritystandards.org/document_library/