Moving Forward with EMV

Andy Brown

Payments Industry Consultant

Tuesday, February 16, 2010

“I think the report from the University of Cambridge is very interesting and raises some very valid points, despite the fact that it is quite theoretical and could only work in a specific set of circumstances.

There are a number of options that the banking community has to prevent fraud of this nature.

1. Do not allow EMV cards to be verified by signature, unless there are specific circumstances such as the cardholder travelling overseas, or signature being required because a physical disability means PIN isn’t an option. This could be rolled out by the banks checking the Card Verification Results during the authorisation process. (Card Verification Results are unaffected by this attack and give a true report of whether the offline PIN was verified by the card.)

2. The report suggests comparing the Cardholder Verification Method Results (CVMR) with the data contained within the Card Verification Results (CVR) file, to ensure they report the same verification method. Currently the CVMR data doesn’t always get passed from the acquirer to the issuer; however, if it were mandated by the card schemes, this could come into effect quite quickly. For the issuing banks, once they have all the information, it is a simple job to add one more step in the authorisation process to compare the files.

3. Again, by checking the CVR information, banks can implement a ‘floor limit’ for all EMV transactions that haven’t been PIN verified, so there is a cap on the amount that could ever be spent.

As an industry we often talk about trying to keep up with the fraudsters, but many banks have done little with EMV since their initial implementations. A full review of the capabilities available, particularly in authorisations and risk, will mean it is the fraudsters who will be playing catch up as the industry identifies and blocks further potential holes before fraudsters even know they exist.”

Andy Brown

Payments Industry Consultant
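The three options above all come down to one extra step in the issuer's authorisation logic. The following is an added illustration, not code from Andy Brown or from any card scheme: it decodes the terminal's CVM Results (EMV tag 9F34, whose 3-byte layout is standard), cross-checks them against the card's own verdict, enforces a signature exception list and applies a floor limit to anything not PIN verified. The CVR layout differs between schemes, so its two relevant bits are modelled as already-decoded booleans (an assumption), and the online-PIN outcome is passed in as a flag the issuer already knows.

```python
# Added example: issuer-side authorisation check combining the three options.
# ASSUMPTIONS: CVR is represented by two pre-decoded booleans (real CVR layouts
# are scheme-specific); amounts and the floor limit are in minor currency units.
from dataclasses import dataclass

# EMV tag 9F34 byte 1, low 6 bits: CVM code. These codes mean the card itself
# verified the PIN offline (plaintext or enciphered, with or without signature).
CVM_OFFLINE_PIN = {0x01, 0x03, 0x04, 0x05}
CVM_ONLINE_PIN = 0x02
CVM_SIGNATURE = 0x1E
CVM_NONE = 0x1F
CVMR_SUCCESS = 0x02   # 9F34 byte 3: 0x00 unknown, 0x01 failed, 0x02 successful


@dataclass
class CardVerificationResults:
    """Constructed stand-in for the CVR bits the issuer cares about here."""
    offline_pin_performed: bool   # card reports it ran offline PIN verification
    offline_pin_passed: bool      # ...and that it succeeded


def decode_cvmr(cvmr: bytes) -> tuple[int, int]:
    """Return (cvm_code, result) from the 3-byte CVM Results (tag 9F34)."""
    if len(cvmr) != 3:
        raise ValueError("9F34 must be exactly 3 bytes")
    return cvmr[0] & 0x3F, cvmr[2]   # bit 7 is the 'apply succeeding' flag


def authorise(cvmr: bytes, cvr: CardVerificationResults, amount: int,
              signature_exception: bool = False, online_pin_ok: bool = False,
              floor_limit: int = 5000) -> tuple[bool, str]:
    """Issuer decision as (approve, reason)."""
    cvm, result = decode_cvmr(cvmr)
    terminal_says_pin = cvm in CVM_OFFLINE_PIN and result == CVMR_SUCCESS
    card_says_pin = cvr.offline_pin_performed and cvr.offline_pin_passed
    # Option 2: terminal (CVMR) and card (CVR) must agree about offline PIN.
    if terminal_says_pin != card_says_pin:
        return False, "CVMR/CVR mismatch: terminal and card disagree on offline PIN"
    if card_says_pin or (cvm == CVM_ONLINE_PIN and online_pin_ok):
        return True, "PIN verified"
    # Option 1: signature only for cards with a registered exception.
    if cvm == CVM_SIGNATURE and not signature_exception:
        return False, "signature CVM not permitted for this card"
    # Option 3: cap anything that was not PIN verified.
    if amount > floor_limit:
        return False, "non-PIN transaction above floor limit"
    return True, "approved within non-PIN floor limit"
```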


  • Rustam
    Saturday, August 31, 2013

    Well, I guess if you like the confined feeling of a jail cell, go ahead and lie. But, remember, when you logged onto that gambling site, they recorded your IP# LOL. There are ways to trace that it was YOU who used the card. And, to top it off, online gambling is illegal in the US. Go ahead and lie, then white knuckle it while you wonder when they will be sending over the sheriff to take you away.

  • Alex
    Saturday, September 07, 2013

    Very well said (or doubted) Thomas! It's always better to be paranoid than sorry. Your first query on which is the target market, I guess it could be anyone with a mobile phone. Or rather, it should be because with increasing requirement of stringent KYC norms, the traditional banking and credit card channels are retracing their earlier extended outreach after having burnt their fingers due to that indiscretion. But I have a concern here. The mobile phone user should not be asked to remember a login and a password which will be difficult for the householder because she already has too many passwords to remember. It should be something as simple as having to dial a 5 digit number, amount and click `pay'. That way, she may not have to expose her phone to a cloning machine or other such crafty con that cleans up her (husband's) bank account. The above as well answers your second question. It's not dependent on the merchant using a high end smartphone at all. The merchant just needs to have an exclusive five digit number that enables him to receive money in his bank account when the shopper clicks `pay'. So is the case of Pin&Chip or EMV or such alphabet soup. Never bother the merchant or shopper with all this mumbo jumbo. You as an enabler, take care of all the boring tech stuff at your back end and just offer up a five digit number to dial. And then come and tell me if it's worth the go. It's all about making things simple, Thomas. Never make the mistake your predecessors made and bog down the user with a login and a password. We've to move beyond Userid and Pw. Just give them a number to dial, period. After all, that's what a phone has been for in the first place. All music and camera came much later. Keep it simple.

  • Marilyn
    Tuesday, October 29, 2013

    Neither. Debt consolidation only changes the names of your creditors. Or worse, with a new HELOC, you've just promised to give away the house if you miss a payment. Credit Counseling acts as a bankruptcy on your credit report, and there are more scam artists than legit counselling companies. If you feel like you're going in circles, then what you should do is buy a 12 month calendar or day-planner, and every two weeks, write down exactly how much you still owe on all of them. If you're making payments, you will see progress, you just have to track it. I would suggest you make a written budget, so that every dollar you make next month is spent on paper this month. That way, you'll be able to see what you can cut back on. Personally, I'm looking at $33,000 in Visa balances. This past Christmas was "where am I going to find the money to fly to visit my parents for Christmas, when all my cards are maxed out and I got turned down for a new card." I've heard enough about Dave Ramsey's approach that I'll give it a try. Nothing else has worked.