{"id":5740,"date":"2019-03-01T11:00:50","date_gmt":"2019-03-01T05:30:50","guid":{"rendered":"https:\/\/gtm360.com\/blog\/?p=5740"},"modified":"2022-02-25T13:37:40","modified_gmt":"2022-02-25T08:07:40","slug":"emv-compliance-usa-versus-rest-of-world","status":"publish","type":"post","link":"https:\/\/gtm360.com\/blog\/2019\/03\/01\/emv-compliance-usa-versus-rest-of-world\/","title":{"rendered":"EMV Compliance &#8211; USA Versus Rest Of World"},"content":{"rendered":"<p>My personal experience with EMV payment cards goes back over 15 years.<\/p>\n<p>Credit cards and debit cards were both EMV-compliant in Germany when I was there in the early 2000s. They had a chip and required the entry of PIN on the POS terminal to complete a payment.<\/p>\n<p>Ditto in UK when I was there in 2006-8.<\/p>\n<p>Likewise in India for the last couple of years.<\/p>\n<p>Last year, I had made the following observation about EMV in USA in\u00a0<a href=\"https:\/\/gtm360.com\/blog\/2018\/11\/02\/winners-dont-let-security-screw-up-user-experience\/\" target=\"_blank\" rel=\"noopener\"><strong>Winners Don&#8217;t Let Security Screw Up User Experience<\/strong><\/a>:<\/p>\n<blockquote><p>The EMV migration deadline has come and gone over a year ago in USA, still fewer than one-third of US retailers have implemented Chip and PIN technologies.<\/p><\/blockquote>\n<p>This topic came up recently during a customer engagement.<\/p>\n<p>Since the aforementioned post is a bit dated, I thought I&#8217;d do a reality check of the current status of EMV rollout in the USA.<\/p>\n<p><a href=\"https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2019\/02\/emv-chip-pin-credit-card-fi.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-5765 size-full\" src=\"https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2019\/02\/emv-chip-pin-credit-card-fi.jpg\" alt=\"\" width=\"630\" height=\"280\" 
srcset=\"https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2019\/02\/emv-chip-pin-credit-card-fi.jpg 630w, https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2019\/02\/emv-chip-pin-credit-card-fi-200x89.jpg 200w\" sizes=\"auto, (max-width: 630px) 100vw, 630px\" \/><\/a><\/p>\n<p>I conducted a &#8220;quick-and-dirty&#8221; poll of a few contacts in USA, who include <a href=\"https:\/\/www.linkedin.com\/in\/ronshevlin\/\" target=\"_blank\" rel=\"noopener\"><strong>Ron Shevlin<\/strong><\/a>, <a href=\"https:\/\/www.linkedin.com\/in\/pareshbanerjee\/\" target=\"_blank\" rel=\"noopener\"><strong>Paresh Banerjee<\/strong><\/a>, <a href=\"https:\/\/www.linkedin.com\/in\/prashantkhambekar\/\" target=\"_blank\" rel=\"noopener\"><strong>Prashant Khambekar<\/strong><\/a>, <a href=\"https:\/\/www.linkedin.com\/in\/sohag-desai-5435a64\/\" target=\"_blank\" rel=\"noopener\"><strong>Sohag Desai<\/strong><\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/in\/jawahar-desai\/\" target=\"_blank\" rel=\"noopener\"><strong>Jawahar Desai<\/strong><\/a>, and one more person who wishes to go by their initial MA.<\/p>\n<p>This is what I learned (context: in-store credit card payments, unless noted otherwise):<\/p>\n<ul>\n<li>Almost all credit cards are Chip cards<\/li>\n<li>Swipe has virtually ended; you dip your credit card into the POS terminal at over 80% of merchants<\/li>\n<li>But there&#8217;s no PIN entry anywhere, with one sorta exception that I&#8217;ll come to in a moment<\/li>\n<li>Credit card payments below a certain value &#8211; which varies from merchant to merchant but is typically $50 &#8211; at supermarkets go through without any further step after inserting the card in the POS terminal. 
For transactions above the threshold, signature is required, which is typically done with a stylus on a digital tablet<\/li>\n<li>For credit card payments at a restaurant, the staff hands over a printed charge slip, which the customer signs in wet ink<\/li>\n<li>At gas stations where customers pump their own fuel &#8211; which is the normal practice in all but three states of the USA &#8211; customers dip the credit card in the card reader at the forecourt and enter their billing address zip code by way of authentication. Zip code is more like a passphrase known to some others rather than a PIN \/ password that&#8217;s supposed to be kept confidential and not disclosed to anyone else<\/li>\n<li>At gas stations in New Jersey, which is one of the three states which don&#8217;t have self-pumping, you hand over the credit card to the staff. That&#8217;s it &#8211; no PIN or signature required.<\/li>\n<\/ul>\n<p>Just for the record, when it comes to debit cards, a\u00a04-6 digit PIN is required to withdraw cash from an ATM via debit card. 
None of the people I polled use debit cards at POS to make purchases, so I couldn&#8217;t find out whether PIN is required in that context or not.<\/p>\n<p>I&#8217;ve skipped online payments because they are not affected in any way by EMV cards compared to magstripe cards.<\/p>\n<p><a href=\"https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2019\/02\/pin-pad-pos-terminal.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-5741 size-medium alignleft\" src=\"https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2019\/02\/pin-pad-pos-terminal-200x112.jpg\" alt=\"\" width=\"200\" height=\"112\" srcset=\"https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2019\/02\/pin-pad-pos-terminal-200x112.jpg 200w, https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2019\/02\/pin-pad-pos-terminal.jpg 300w\" sizes=\"auto, (max-width: 200px) 100vw, 200px\" \/><\/a>Going by my exposure to EMV in Germany, UK and India, EMV has always meant chip, which has always meant PIN. So, I tend to think of EMV interchangeably as &#8220;Chip and PIN&#8221;.<\/p>\n<p>Whereas, in the USA, EMV is &#8220;Chip but no PIN&#8221;.<\/p>\n<hr style=\"width: 70%;\" \/>\n<p>I couldn&#8217;t make out whether the US implementation is fully EMV compliant. I did a deep dive on the topic with the aforementioned credit card industry professional Paresh Banerjee.<\/p>\n<p>I gathered that full EMV compliance entails the use of technology to drive three goals before a payment is deemed complete. 
Without going too deeply into the underlying technologies, the goals are:<\/p>\n<ol>\n<li>Authenticate the card to the card issuer, so the card can&#8217;t be cloned<\/li>\n<li>Authenticate the card issuer to the card, so a man-in-the-middle attack will fail<\/li>\n<li>Authenticate the user of the card as the legitimate owner of the card, so there&#8217;s no chance of fraud.<\/li>\n<\/ol>\n<p>The American implementation of EMV achieves the first two goals.<\/p>\n<p>When it comes to the third goal, opinion is divided.<\/p>\n<ul>\n<li>Since signature is a valid Cardholder Verification Method (CVM) per <a href=\"https:\/\/en.wikipedia.org\/wiki\/EMV#Cardholder_verification\" target=\"_blank\" rel=\"noopener\"><strong>EMV specs<\/strong><\/a>, some people argue that USA is fully EMV compliant.<\/li>\n<li><a href=\"https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2016\/05\/credit-cards-04-fi.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-3219 size-medium\" src=\"https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2016\/05\/credit-cards-04-fi-200x89.jpg\" alt=\"\" width=\"200\" height=\"89\" srcset=\"https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2016\/05\/credit-cards-04-fi-200x89.jpg 200w, https:\/\/gtm360.com\/blog\/wp-content\/uploads\/2016\/05\/credit-cards-04-fi.jpg 630w\" sizes=\"auto, (max-width: 200px) 100vw, 200px\" \/><\/a>Others, typically diehard EMV practitioners, point out that the <a href=\"https:\/\/en.wikipedia.org\/wiki\/EMV\" target=\"_blank\" rel=\"noopener\"><strong>majority of EMV implementations confirm the identity of the card user by requiring entry of PIN<\/strong><\/a>, so dismiss the PIN-less US implementation as non-compliant.<\/li>\n<\/ul>\n<p>From a practical standpoint, the US EMV implementation fulfills at least two out of the aforementioned three prerequisites of EMV, so I&#8217;d call it &#8220;mostly compliant&#8221;.<\/p>\n<hr style=\"width: 70%;\" \/>\n<p>In a follow-on 
post, I&#8217;ll speculate on why the US has skipped the PIN requirement. (Spoiler Alert: It reinforces my long held belief that <a href=\"https:\/\/gtm360.com\/blog\/2018\/11\/02\/winners-dont-let-security-screw-up-user-experience\/\" target=\"_blank\" rel=\"noopener\"><strong>Winners Don&#8217;t Let Security Screw Up User Experience<\/strong><\/a>.)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>My personal experience with EMV payment cards goes back over 15 years. Credit cards and debit cards were both EMV-compliant in Germany when I was there in the early 2000s. They had a chip and required the entry of PIN on the POS terminal to complete a payment. Ditto in UK when I was there &#8230; <a title=\"EMV Compliance &#8211; USA Versus Rest Of World\" class=\"read-more\" href=\"https:\/\/gtm360.com\/blog\/2019\/03\/01\/emv-compliance-usa-versus-rest-of-world\/\" aria-label=\"Read more about EMV Compliance &#8211; USA Versus Rest Of World\">Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":5765,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,6,13,7,1],"tags":[],"class_list":["post-5740","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-b2-product-v-services","category-bfsi","category-product","category-retail","category-mandatory-category"],"_links":{"self":[{"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/posts\/5740","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/comments?post=5740"}],"version-history":[{"count":9,"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/posts\/5740\/revisions"}],"pr
edecessor-version":[{"id":9233,"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/posts\/5740\/revisions\/9233"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/media\/5765"}],"wp:attachment":[{"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/media?parent=5740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/categories?post=5740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gtm360.com\/blog\/wp-json\/wp\/v2\/tags?post=5740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}