Talk:EMV


Liability Shift

There's a section in "Differences and benefits of EMV" that states the following: "For transactions in which an EMV card is used, the cardholder is assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction, and did not inadvertently assist the transaction through PIN disclosure."

From what I've read this is factually incorrect and may lead consumers reading this article to believe they have no fraud protection when using Chip and Pin systems based on EMV. There is also no citation provided. I feel that this section should be removed immediately unless we can find a proper source.

Aednichols (talk) 21:04, 1 February 2014 (UTC)

Overall Article

This article is absolutely terrible. The tone generally borders on the paranoid and much of the text is taken up not with a discussion of EMV as one would hope or expect, but with a list of alleged security holes, almost all of them derived from Ross Anderson's team at Cambridge. Some balance -- for example, explaining how a typical transaction takes place, the cryptography at each step, why the liability shift was felt necessary and so on, would all be useful in an article that is, currently, pretty much useless. Robindch (talk) 11:00, 1 June 2010 (UTC)

Merge EMV with Chip and Pin

See also discussion on Talk:Chip and PIN

EMV also stands for Expected Monetary Value — Preceding unsigned comment added by 163.116.6.12 (talk) 09:20, 20 February 2012 (UTC)

EMV also stands for Electro Magnetic Vehicle being developed by ISITEL, INC. as can be seen at: www.isitel.com/emv.htm —Preceding unsigned comment added by 71.138.4.190 (talk) 19:56, 13 September 2007 (UTC)

  • I think they should remain separate. One is UK (Chip and PIN) and the other is World wide 'Standard'.

The safety of the PIN method is not related to EMV (Which is a standard), but to the way it is implemented (i.e using PIN as the verification). It could be in either! Ben 16:09, 23 May 2006 (UTC)

Keep separate. EMV is a technology being deployed worldwide, Chip and PIN is merely the UK implementation of the system. —Preceding unsigned comment added by PhennPhawcks (talkcontribs) 14:58, 13 July 2006
Agreed. (Sorry, I should really sign up but I'm lazy, you'll just have to trust the above poster isn't me too). —Preceding unsigned comment added by 83.216.147.118 (talkcontribs) 16:25, 23 July 2006
The entries should be kept separate because as already stated EMV is deployed worldwide, whereas Chip and PIN is currently only deployed in the UK. --Mark.s.burgunder 03:47, 28 July 2006 (UTC)
Agreed. CHIP and PIN should not be merged as PIN can exist alone, but CHIP can not exist without PIN. In case of CHIP also we require PIN. —Preceding unsigned comment added by Gauravt168 (talkcontribs) 08:45, 2 August 2006
PIN is not needed for chip payments. If you use a Swedish payphone, Swedish parking meter or a Japanese Lawson convenience store, the chip is read, but there is no kind of verification (neither PIN nor signature). In the case of Lawson, a PIN code is needed if the purchase exceeds a certain amount of yen, though. (212.247.11.153 13:59, 15 August 2007 (UTC))

"CHIP&PIN" (http://www.chipandpin.co.uk/) was an organization and program launched by the Association for Payment Clearing Services (APACS) in the UK in the second phase of the EMV Migration related to PIN management. This organization did the promotion of the deployment of EMV with PIN based authentication, by providing information and support to the retailer, cardholders and banks. Background: The UK Banks under the pressure from the Retail Industry had chosen not to use PIN authentication to release the investments to be done (introduction of a PIN-pad at every acceptance point). Millions of cards were issued before the banks identified that EMV without PIN authentication was not resolving the fraud issue. This was no surprise as the main EMV value is the strong PIN Authentication service. So Yes IMHO, CHIP&PIN is regional (UK) and not directly related to EMV. —Preceding unsigned comment added by 57.67.177.33 (talkcontribs) 14:15, 30 August 2006

The entries should remain separate. EMV is a specific standard narrowing the choices presented in ISO 7816. ISO 7816 would be "chip", while EMV is more specific. EMV implementations support 5 Cardholder Verification Methods (CVMs), of which the PIN implementation (Offline Plaintext PIN) in the UK is just one. Note that France is "chip and PIN" and has been for years, though they are not (yet) EMV (though in the process of converting). The other EMV CVMs are Offline Enciphered PINs, Online PIN, Signature, and No CVM Required. Further an EMV card can support more than one CVM, in order to ensure acceptance; so if a terminal did not do Offline PIN, the card could request Signature. —Preceding unsigned comment added by 198.241.217.15 (talkcontribs) 22:27, 2 October 2006
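
The fallback described in the comment above (a terminal without Offline PIN ending up on Signature), as an added example that is not part of the original discussion: a small Python decoder for an EMV CVM List (tag 8E) and the terminal's walk through it. The byte layout and code values are those of EMV Book 3; the two sample lists are constructed, and conditions other than "always" and "if terminal supports the CVM" are skipped rather than evaluated.

```python
from dataclasses import dataclass

# CVM codes (low 6 bits of the first rule byte) for the five methods named above.
CVM_NAMES = {
    0x01: "Offline Plaintext PIN",
    0x02: "Online PIN",
    0x04: "Offline Enciphered PIN",
    0x1E: "Signature",
    0x1F: "No CVM Required",
}
COND_ALWAYS = 0x00
COND_IF_TERMINAL_SUPPORTS = 0x03

# Constructed samples: 4-byte amount X, 4-byte amount Y, then 2-byte rules.
SAMPLE_CVM_LIST = bytes.fromhex("0000000000000000" "4103" "5E03" "1F00")
STRICT_CVM_LIST = bytes.fromhex("0000000000000000" "0100" "1E00")


@dataclass(frozen=True)
class CvRule:
    method: int        # CVM code, bits 6-1 of byte 1
    fallthrough: bool  # bit 7 of byte 1: try the next rule if this CVM is unsuccessful
    condition: int     # byte 2: when the rule applies

    @property
    def name(self) -> str:
        return CVM_NAMES.get(self.method, f"unrecognised (0x{self.method:02X})")


def parse_cvm_list(value: bytes):
    """Split the value field of tag 8E into (amount_x, amount_y, [CvRule, ...])."""
    if len(value) < 10 or (len(value) - 8) % 2:
        raise ValueError("CVM List must be 8 amount bytes followed by 2-byte rules")
    amount_x = int.from_bytes(value[0:4], "big")
    amount_y = int.from_bytes(value[4:8], "big")
    rules = [
        CvRule(value[i] & 0x3F, bool(value[i] & 0x40), value[i + 1])
        for i in range(8, len(value), 2)
    ]
    return amount_x, amount_y, rules


def select_cvm(rules, terminal_supports):
    """Return the name of the CVM the terminal performs, or None if verification fails.

    terminal_supports is a set of CVM codes. An unsupported CVM counts as
    unsuccessful, so bit 7 decides between falling through and failing.
    """
    for rule in rules:
        supported = rule.method in terminal_supports
        if rule.condition == COND_IF_TERMINAL_SUPPORTS:
            if not supported:
                continue  # condition not met, move to the next rule
        elif rule.condition != COND_ALWAYS:
            continue  # amount and transaction-type conditions are not modelled here
        if supported:
            return rule.name
        if not rule.fallthrough:
            return None  # card says: fail cardholder verification
    return None


if __name__ == "__main__":
    _, _, rules = parse_cvm_list(SAMPLE_CVM_LIST)
    for r in rules:
        print(f"{r.name:24} cond=0x{r.condition:02X} fallthrough={r.fallthrough}")
    print("PIN-pad terminal  ->", select_cvm(rules, {0x01, 0x1E}))
    print("signature-only    ->", select_cvm(rules, {0x1E}))
```

The order of the rules is the issuer's preference, which is why the same card can behave as "chip and PIN" on one terminal and "chip and signature" on another.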

Looks like a strong agreement. I'm removing the Merge tag. Zaian 11:34, 19 October 2006 (UTC)

Why does the text use the term "credit cards"?

I wonder why the text uses the term "credit card" all over as if it was the only mode of payment. In fact, credit cards are just one example of payment cards - just like, e.g., debit cards.

I suggest to correct every occurrence of credit card to payment card (or, simply, card).

Kacper (talk) 17:26, 6 February 2008 (UTC)

Agreed. Payment card is probably the better term as it explains the function of the card, a card has millions of uses but a payment card really has one use, to facilitate the transfer of payment, be it debit/credit or other versions. --Stalfur (talk) 10:24, 18 July 2008 (UTC)

We should add in a section on why USA does not use this system. It seems pretty popular in Europe but I have yet to see any EMV being used in USA for credit cards. —Preceding unsigned comment added by 78.105.134.113 (talk) 03:17, 2 September 2008 (UTC)


Regarding the adoption of EMV, Europe, Asia, Latin America, Mexico and Canada have or are migrating. The US remains the ONLY "developed" country not to have a plan...

About the references: "What is EMV?" at the end of the page does not seem very pertinent. It is a link to a vendor of EMV software products. The content is not a general introduction to the EMV standard. It really does look like a promotion of EMVX products. 24.37.15.85 (talk) 17:33, 12 October 2009 (UTC) Emmanuel Haydont

PIN verification broken

The fact that the PIN verification is broken appears three times in the article: at the end of the top section (before Contents), at the end of Differences and benefits of EMV, and in a new section EMV security broken. I suggest that some tidying up is required. Mitch Ames (talk) 09:18, 12 February 2010 (UTC)

Agreed. The first mention is a more accurate description. Also, the second reference is linked from the first and could be removed. Corydon76 (talk) 15:41, 15 February 2010 (UTC)
VERIFY-PIN was never broken. Murdoch never proved this. He did show the tamper only on the terminal in their cafeteria. I suggested that he read the "Common Payment Application Specification", which is part of the EMV specification and was not mentioned in his paper. In chapter "15.5.3.4 Terminal Erroneously Considers Offline PIN OK Check" you can find a description of why Murdoch's attack shall never work on an EMV compliant implementation. The CPA is from 2005! Mr. Murdoch promised to revise his paper. Nothing has happened since the beginning of 2010. Now you can find a dissertation of Omar S. Choudary, one of his students. You would not find any link to the important part of the specification... -- 91.48.20.155 (talk) 15:24, 5 January 2011 (UTC)

Implementation: "Europe" and "United Kingdom"

Why are there separate and contradictory sections for Europe and the UK, which is part of it?

  • should it be "Europe except the UK (and perhaps some other countries)" or
  • is the information under either heading wrong?

At least for Visa the information explicitly contradicts each other. --86.136.147.164 (talk) 04:04, 28 October 2013 (UTC)

Too long.

This isn't an article, it's a textbook. — Preceding unsigned comment added by 184.147.125.176 (talk) 17:15, 14 November 2013 (UTC)

Misuse of source which isn't particularly useful anyway

As I explained in my original edit summary [1] which was partially cut off but still IMO contained sufficient info to establish the reasons for my removal there are serious problems with both the source and our reporting of it that I don't think there is anything redeemable from the removed content.

Firstly, the source doesn't even support the claim

whereas chip-and-PIN cards are more common in other European countries (e.g., the UK, Ireland, France and the Netherlands) as well as in Canada.

A cursory check of the source will easily confirm this. The UK, Ireland and France are not mentioned at all. Netherlands is only mentioned in relation to a manufacturer. Canada is only mentioned as having chip based cards without clarification on what kind. There is some mention of Netherlands, the UK, France but not Canada or Ireland in the comments, but as I said, comments to a page are not a reliable source and it isn't even clearly stated in the comments that any of these generally use chip and pin.

The claim

chip-and-signature cards are more common in the US, Australia, New Zealand and some European countries (such as Germany and Austria)

is only partially supported by the source and we are reporting the source in a highly misleading way.

The source does say

First you'd notice Austria isn't in this list. Germany, Australia and New Zealand are. The rest of source does support the US bit. Next notice that even for Germany, Australia and New Zealand, we've missed out a key point the source mentioned, "chip-and-signature or online PIN technology". The part of my comment which was partially cut off illustrated why this is highly problematic.

While this is pure OR (although I suspect I could easily find sources at least as good as the source we are using if I looked hard enough which more or less supports my claims), signatures are very rarely used in NZ. A large percentage of NZ transactions are electronic and although a fair few of these are EFTPOS, there are also many credit card ones. I probably spend too much time in supermarkets and stuff than is good for me but the last time I saw anyone sign anything for a credit card transaction is a year or more ago.

New Zealand has been using PIN almost exclusively for a very long time (at least since I came to NZ over 12 years ago and I don't think it was new then) long before we had chipped cards which came here rather late compared to most of the world except the US. Surprisingly those few times I've seen someone sign, there doesn't seem to have been any problem, perhaps because they do have some experience, partially since they do often get people to sign something if getting cash out with EFTPOS. I do know at least one store who says they will only accept PIN.

Technically these cards may be considered card and signature by some since I don't know they support any offline pin verification which it sounds like is partially what the source is getting at. I believe online PIN must be what everyone is using here since most info I've seen suggest the reason why some terminals are so slow is because the location just has some crappy dial up connection. And as I mentioned, PIN here is somewhat of a legacy of the EFTpos system which continues to largely use magnetic stripe cards & for which I know a connection has generally been required. In fact, at least with my bank, I'm not sure they support offline PIN at all without getting the bank to do something since you don't need to visit the bank to activate the PIN in the first place. You can do it purely over the internet if you have 2 factor authentication. So unless ordinary POS terminals are able to add the PIN when you make a transaction (which seems a security risk), I don't see how the card ever gets an offline PIN stored.

However as I mentioned earlier, we don't discuss online pin at all in the sentence I removed. In fact earlier we say

Other EMV cards are either signature-only or prefer signature over PIN in their CVM list (i.e., signature at the POS, but PIN at unattended terminals or ATMs). These are often called "chip and signature" cards.

But as I've said this isn't the case in NZ, signature is not preferred over online PIN (whether this is because of the card or because of the terminal I don't know).

And actually I just found [2] which suggests signature may not even be accepted anymore for Visa (I was under the impression you could simply click okay without a PIN and it would ask for signature but it seems this may no longer be the case). Also whatever some others may call them, they aren't called chip and signature here as the source attests and isn't surprising considering no one uses signatures. I would add that I think most of what I said applies to Australia as well but I don't have enough confidence to say that for sure.

And I don't see any way to simply reword the paragraph I removed. The trouble is failing to differentiate between chip and signature and online PIN is inherently confusing and since our source doesn't there's no way we can as long as we use it. (I mentioned this in my original edit summary but it was cut off.)

Also, although the source is used in several other places and I'm not planning to remove it, I think we should use it with care. I'm not convinced it cuts it as a WP:RS. Do the people behind it have a reputation for fact checking and accuracy? I'm not sure and it doesn't help that the source appears to be written from a US POV and is mostly intending to help US credit card users abroad rather than a general info source.

Nil Einne (talk) 13:35, 18 August 2014 (UTC)

If the IP is really so desperate for the sentence, I'd accept it being added back without any examples. I object to adding any of the examples for the reasons given above. Note that in any case, the only valid examples are Germany and the USA. New Zealand and Australia shouldn't be used because online PIN is (NZ) or is likely (Australia) used there, not signatures. Austria isn't sourced at all so we shouldn't be using it. And as I've established, we have no sourcing for any of the chip and pin countries. (From our article chip and PIN, I'm fairly sure chip and PIN is used in the UK but we still need sources.)
And we still don't know if they use online PIN or signature in Germany. The fact that the IP is from Germany and so desperate to keep this sentence seems to imply that they do use signature in Germany, but even if so, we still need a source which clearly establishes this is the case, not our current dubious source which only establishes Germany either uses online PIN or signatures.
As for the US, I'm not sure they belong at all. As the source itself establishes and our article somewhat discusses in other sections, chip and signature is actually not the norm in the US. It's apparently the norm for chip cards, but most cards still aren't chipped so it's confusing for us to say "chip-and-signature cards are more common in the US" without further clarification. We earlier mention "Chip-and-PIN cards have not been adopted in the US" which IMO is sufficient info about the US combined with the info for later.
Of course, if the IP is able to allay my concerns over the source and the examples, I'm willing to listen.
P.S. If you want further evidence of the problems with the source, it also mentions South-East Asia as a chip and signature place. While it's been a few years, my memory of the situation in Malaysia suggests this is misleading. While this was with a local Visa Debit rather than a CC, I'm pretty sure they are handled the same (attempts at local debit card systems never really seemed to succeed so debit cards are just the debit versions of CC). IIRC, it was in fact quite common for POS terminals to ask for the PIN but you'd also have to sign. I guess this was an offline PIN since verification seemed to happen quite fast and our article seems to suggest there's no such thing as online PIN with signature.
This example further illustrates the problem with the source. It's treating things as a binary when the CVM list itself illustrates there are multiple different options which seem to vary depending on a variety of local and historic issues.
Nil Einne (talk) 05:38, 20 August 2014 (UTC)
From discussion elsewhere, I came across [3] which suggests I was partially wrong about the situation in Australia. Actually signatures were much more common there (compared to in NZ) until recently, evidently representing about half of transactions. However as with here in NZ, this is being or has been phased out in favour of requiring signatures.
The situation in NZ is definitely different. It seems in Australia you were actually asked if you wanted PIN or signature there [4] before whereas here you're asked for the PIN but I believe you are or were allowed to just push okay and the card will ask for signature. I found [5] which says it's only 4% or so of Visa transactions use signature and it sounds like that's including tourists which probably explains why any education and news on the change to PIN only is so limited compared to what it sounds like it is in Australia.
Either way though, my point stands, in both Australia and New Zealand, chip and signature is not the norm and has probably never been the norm. In Australia it was evidently generally the consumer's choice whether to use signature or PIN with about half using each. In NZ, it may have also been the consumer's choice, but PIN was the norm by far.
From the discussion elsewhere, it does sound like signature is the norm in Austria, but we still don't have a source for this claim as with Germany.
Nil Einne (talk) 14:54, 20 August 2014 (UTC)
Visa provided a list of chip and signature countries in a meeting with the Federal Reserve: http://www.federalreserve.gov/newsevents/rr-commpublic/visa-meeting-20140305.pdf. The presentation also has reasons why the US isn't adopting PIN at the present time.
Mind21 98 (talk) 19:53, 6 September 2014 (UTC)

Still terrible

I come to the Wiki to get a quick overview of how various technical systems work. I'm a pretty technical guy, and I have to say that after reading this article I still have absolutely no idea how EMV works. Much of what passes for the explanation appears to be copied directly from some inside-industry description, filled with jargon and absolutely lacking any attempt to explain any of it. What we need is something more along the lines of the last section of this, which clearly states what data flows where and when.

I'm more than willing to do a re-write if someone can point me to sources that actually explain this stuff.

Maury Markowitz (talk) 12:39, 20 October 2014 (UTC)

At the risk of stating the obvious, the "sources" are those listed in EMV#References and EMV#External links. I'm saying that all of the required information is there, but it should be a good starting point. Of course the definitive source is http://www.emvco.com/, in particular http://www.emvco.com/specifications.aspx. Mitch Ames (talk) 10:05, 21 October 2014 (UTC)

Implementation: United States

This entry requires an update.

The entry states, "Visa,[29] MasterCard[30] and Discover[31] in March 2012 – and American Express[32] in June 2012 – have announced their EMV migration plans for the US. In spite of these announcements, doubts remain over the willingness of merchants to develop the capability to support EMV.[33]"

According to an article (2014-10-20) in The New York Times, "...By next fall, though, American merchants face a deadline to upgrade their credit card terminals to accept E.M.V. — which stands for Europay, MasterCard and Visa — a technology that makes credit transactions more secure for consumers." [1]

This indicates a shift since this section was written/last edited.

As well, on 2014-10-17, President Obama issued an executive order, "Improving the Security of Consumer Financial Transactions," which includes chip-and-pin technology as part of the "enhanced security features" for "payment processing terminals and credit, debit, and other payment cards" used for government payments. This would be a driver for wider, quicker adoption of the (existing) EMV standard. (Especially for merchants who accept payment cards used by the "food stamp" program(s)). [2]

Hurdingkatz (talk) 22:29, 21 October 2014 (UTC)

Table under Application Selection

There was a table under Application Selection that has no references and has dubious encyclopedic value. An IP user reverted my removal twice, with the second edit summary indicating the table has been there since inception. That reason is irrelevant. If there is no citation within the next week, I will remove again per WP:VER. Bahooka (talk) 23:18, 9 November 2014 (UTC)

I agree with the removal of the table. If it can be sourced, and if it were deemed by consensus to be encyclopedic, it should probably be in a separate article "list of ISO 7816 application identifiers" or similar. Mitch Ames (talk) 12:04, 10 November 2014 (UTC)