PaymentsJournal
No Result
View All Result
SIGN UP
  • Commercial
  • Credit
  • Debit
  • Digital Assets & Crypto
  • Digital Banking
  • Emerging Payments
  • Fraud & Security
  • Merchant
  • Prepaid
PaymentsJournal
  • Commercial
  • Credit
  • Debit
  • Digital Assets & Crypto
  • Digital Banking
  • Emerging Payments
  • Fraud & Security
  • Merchant
  • Prepaid
No Result
View All Result
PaymentsJournal
No Result
View All Result

Why EMV Cards Are Stuck in the POS, Which Makes NFC Look Great!

By Tim Sloane
December 23, 2014
in Mercator Insights
0
0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn

In researching EMV and NFC technologies, Mercator Advisory Group often suggests that Near Field Communication is sure to be adopted after merchants and consumers recognize how cumbersome it is to use EMV, since the card must remain in the point of sale (POS) terminal until the transaction is completed. This made us wonder, “Why must the EMV card stay in the POS for so long?”

The short answer to this question is enhanced card security, but the technical reason is the need for the chip in the card to verify that the authorization response received from the bank was indeed from the card-issuing bank and not a phony transaction injected by a hacker. It is also required so the issuer can update the card with new antifraud parameters included in the authorization request. See the diagram and process description below.

Why EMV Cards Are Stuck in the POS Which Makes NFC Look Great

Process Description:

  1. The terminal sends a random number to the EMV card. The EMV card encrypts the authorization request using its crypto key and delivers this ARQC message to the POS, which sends it to the issuing bank.
  2. The auth request is received by the issuing bank.
  3. The issuing bank validates that the card delivered the correct crypto key. The issuer then decides if funds are available, creates an encrypted response (ARPC) with the issuer’s key, and sends the card commands as needed.
  4. The POS terminal sends the issuer’s Auth Response Cryptogram to the card.
  5. The card validates the issuer created the response by validating the issuer’s cryptogram.
  6. If the issuer sent card commands, the card executes the commands.
  7. If the card is not present in the POS, the POS terminal sends a transaction reversal to the issuer

The process described above uses the term ARQC for the authorization message and ARPC as the term that describes the bank’s response. Below are the definitions for the ARQC and ARPC quoted from the Visa document “Chip Terms Explained: A Guide to Smart Card Terminology”

“ARQC – Authorization Request Cryptogram
A cryptogram used for a process called Online Card Authentication. This cryptogram is generated by the card for transactions requiring online authorization. It is the result of card, terminal, and transaction data encrypted by a DES key. It is sent to the issuer in the authorization or full financial request. The issuer validates the ARQC to ensure that the card is authentic and card data was not copied from a skimmed card.

ARPC – Authorization Response Cryptogram
A cryptogram used for a process called Online Issuer Authentication. This cryptogram is the result of the Authorization Request Cryptogram (ARQC) and the issuer’s authorization response encrypted by a DES key. It is sent to the card in the authorization response. The card validates the ARPC to ensure that it is communicating with the valid issuer.”

EMV brings new terminology and new technology to the United States. In addition, it will force some changes in consumer behavior, particularly at the POS device. One question that is often asked is “Does the chip card really need to stay in the terminal for the duration of the transaction?” When using a contact chip card, the short answer is YES. Continue reading to find out why.

One of the primary business reasons for implementing EMV is that is greatly reduces counterfeit fraud through the use of a unique encrypted value, called an application cryptogram, that is generated by the card for each transaction. To generate this application cryptogram, the card uses (among other things) a special key, which is sometimes called the card master key, which is inserted into the chip when the card is personalized. The card master key is derived from a master key known to the issuer, but the card master key is unique for each card. When a transaction request needs to be sent online to a host system for authorization, the card uses its card master key (among other elements) to generate an Application Request Cryptogram (ARQC). The ARQC is included in the online transaction request to the issuer. By validating the ARQC, the issuer can be assured that the transaction data is from a genuine card, i.e., a card that has not been cloned or counterfeited. The issuer may, in turn, generate an Authorization Response Cryptogram (ARPC) that is sent back to the chip card as part of the response message. By validating the ARPC, the card can be assured that the response came from the true issuer. (A processor or other entity can perform the cryptogram validation and generation on behalf of the issuer if they have the appropriate key.)

0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn
Tags: Banking ChannelsDebitEMVFraud Risk and Analytics

    Get the Latest News and Insights Delivered Daily

    Subscribe to the PaymentsJournal Newsletter for exclusive insight and data from Javelin Strategy & Research analysts and industry professionals.

    Must Reads

    embedded lending

    Embedded Lending as a Growth Strategy for ISVs—How to Maximize Revenue Potential

    June 18, 2025
    merchant ai

    Merchants Find More Use Cases for AI Amid Risks

    June 17, 2025
    prepaid payroll

    Taking the Check Out of Paycheck: The Role of Prepaid in Payroll

    June 16, 2025
    Banking-as-a-service BaaS

    Remodeling Main Street: How Community Banks Can Leverage the Banking-as-a-Service Paradigm

    June 12, 2025
    How Employee Performance Enhances the Customer Experience

    Three Strategies to Maximize Loyalty in the AI-Driven World 

    June 11, 2025
    PFM tools

    How FIs Are Cutting Through Subscription Clutter with PFM Tools

    June 10, 2025
    child identity theft

    Stranger Danger: Protecting Your Children from Identity Theft

    June 9, 2025
    agentic commerce

    The Agentic Advent: How the Next Iteration of AI is Shaping Commerce

    June 6, 2025

    Linkedin-in X-twitter
    • Commercial
    • Credit
    • Debit
    • Digital Assets & Crypto
    • Digital Banking
    • Commercial
    • Credit
    • Debit
    • Digital Assets & Crypto
    • Digital Banking
    • Emerging Payments
    • Fraud & Security
    • Merchant
    • Prepaid
    • Emerging Payments
    • Fraud & Security
    • Merchant
    • Prepaid
    • About Us
    • Advertise With Us
    • Sign Up for Our Newsletter
    • About Us
    • Advertise With Us
    • Sign Up for Our Newsletter

    ©2024 PaymentsJournal.com |  Terms of Use | Privacy Policy

    • Commercial Payments
    • Credit
    • Debit
    • Digital Assets & Crypto
    • Emerging Payments
    • Fraud & Security
    • Merchant
    • Prepaid
    No Result
    View All Result