Talk:EMV/Archives/2014

Liability Shift

There's a section in "Differences and benefits of EMV" that states the following: "For transactions in which an EMV card is used, the cardholder is assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction, and did not inadvertently assist the transaction through PIN disclosure."

From what I've read this is factually incorrect and may lead consumers reading this article to believe they have no fraud protection when using Chip and Pin systems based on EMV. There is also no citation provided. I feel that this section should be removed immediately unless we can find a proper source.

Aednichols (talk) 21:04, 1 February 2014 (UTC)

Overall Article

This article is absolutely terrible. The tone generally borders on the paranoid and much of the text is taken up not with a discussion of EMV as one would hope or expect, but with a list of alleged security holes, almost all of them derived from Ross Anderson's team at Cambridge. Some balance -- for example, explaining how a typical transaction takes place, the cryptography at each step, why the liability shift was felt necessary and so on, would all be a useful in an article that is, currently, pretty much useless. Robindch (talk) 11:00, 1 June 2010 (UTC)

Merge EMV with Chip and Pin

See also discussion on Talk:Chip and PIN

EMV also stands for Expected Monetary Value — Preceding unsigned comment added by 163.116.6.12 (talk) 09:20, 20 February 2012 (UTC)

EMV also stands of Electro Magnetic Vehicle being developed by ISITEL, INC. as can be seen at: www.isitel.com/emv.htm —Preceding unsigned comment added by 71.138.4.190 (talk) 19:56, 13 September 2007 (UTC)

• I think they should remain separate. One is UK (Chip and PIN) and the other is World wide 'Standard'.

The safety of the PIN method is not related to EMV (Which is a standard), but to the way it is implemented (i.e using PIN as the verification). It could be in either! Ben 16:09, 23 May 2006 (UTC)

Keep seperate. EMV is a technology being deployed worldwide, Chip and PIN is merely the UK implementation of the system. —Preceding unsigned comment added by PhennPhawcks (talk • contribs) 14:58, 13 July 2006

Agreed. (Sorry, I should really sign up but I'm lazy, you'll just have to trust the above poster isn't me too). —Preceding unsigned comment added by 83.216.147.118 (talk • contribs) 16:25, 23 July 2006

The entries should be kept separate because as already stated EMV is deployed world wide, where as Chip and PIN is currently only deployed in the UK. --Mark.s.burgunder 03:47, 28 July 2006 (UTC)

Agreed. CHIP and PIN should not be merged as PIN can exist alone, but CHIP can not exist without PIN. In case of CHIP also we require PIN. —Preceding unsigned comment added by Gauravt168 (talk • contribs) 08:45, 2 August 2006

PIN is not needed for chip payments. If you use a Swedish payphone, Swedish parking meter or a Japanese Lawson convenience store, the chip is read, but there is no kind of verification (neither PIN nor signature). In the case of Lawson, a PIN code is needed if the purchase exceeds a certain amount of yen, though. (212.247.11.153 13:59, 15 August 2007 (UTC))

"CHIP&PIN" (http://www.chipandpin.co.uk/) was an organization and program launched by the Association for Payment Clearing Services (APACS) in the UK in the second phase of the EMV Migration related to PIN management. This organization did the promotion of the deployment of EMV with PIN based authentication, by providing information and support to the retailer, cardholders and banks. Background: The UK Banks under the pressure form the Retail Industry had chosen not to use PIN authentication to release the investements to be done (introduction of a PIN-pad at every acceptance point). Millions of cards were issued before the banks identified that EMV without PIN authentication was not resolving the fraud issue. This was no surprise as the main EMV value is the strong PIN Authentication service. So Yes IMHO, CHIP&PIN is regional (UK) and not directly related to EMV. —Preceding unsigned comment added by 57.67.177.33 (talk • contribs) 14:15, 30 August 2006

The entries should remain separate. EMV is a specific standard narrowing the choices presented in ISO 7816. ISO 7816 would be "chip", while EMV is more specific. EMV implementations support 5 Cardholder Verification Methods (CVMs), of which the PIN implementation (Offline Plaintext PIN)in the UK is just one. Note that France is "chip and PIN" and has been for years, though they are not (yet) EMV (though in the processing of converting). The other EMV CVMs are Offline Enciphered PINs, Online PIN, Signature, and No CVM Required. Further an EMV card can support more than one CVM, in order to ensure acceptance; so if a terminal did not do Offline PIN, the card could request Signature. —Preceding unsigned comment added by 198.241.217.15 (talk • contribs) 22:27, 2 October 2006

Looks like a strong agreement. I'm removing the Merge tag. Zaian 11:34, 19 October 2006 (UTC)

Why does the text use the term "credit cards"?

I wonder why the text uses the term "credit card" all over as if it was the only mode of payment. In fact, credit cards are just one example of payment cards - just like, e.g., debit cards.

I suggest to correct every occurence of credit card to payment card (or, simply, card).

Kacper (talk) 17:26, 6 February 2008 (UTC)

Agreed. Payment card is probably the better term as it explains the function of the card, a card has millions of uses but a payment card really has one use, to facilitate the transfer of payment, be it debit/credit or other versions. --Stalfur (talk) 10:24, 18 July 2008 (UTC)

We should add in a section on why USA does not use this system. It seems pretty popular in Europe but I have yet to see any EMV being used in USA for credit cards. —Preceding unsigned comment added by 78.105.134.113 (talk) 03:17, 2 September 2008 (UTC)

Regarding the adoption of EMV, Europe, Asia, Latin America, Mexico and Canada have or are migrating. The US remains the ONLY "developped" country not to have a plan...

About the references: "What is EMV?" at the end of the page does not seam very pertinent. It is a link to a vendor of EMV software products. The content is not a general introduction to the EMV standard. It really does look like a promotion of EMVX products. 24.37.15.85 (talk) 17:33, 12 October 2009 (UTC) Emmanuel Haydont

PIN verification broken

The fact that the PIN verification is broken appears three times in the article: at the end of the top section (before Contents), at the end of Differences and benefits of EMV, and in a new section EMV security broken. I suggest that some tidying up is required. Mitch Ames (talk) 09:18, 12 February 2010 (UTC)

Agreed. The first mention is a more accurate description. Also, the second reference is linked from the first and could be removed. Corydon76 (talk) 15:41, 15 February 2010 (UTC)

VERIFY-PIN was never broken. Murdoch did never proof this. He did show the tamper only on the terminal in their cafeteria. I suggested him to read the "Common Payment Application Specification" which is part of EMV specification and was not mentioned in his paper. In chapter "15.5.3.4 Terminal Erroneously Considers Offline PIN OK Check" you can find a description why Murdochs attack shall never work on a EMV compliant implementation. The CPA is from 2005! Mr. Murdoch promised to revise his paper. Nothing hapens since beginning 2010. Now you can find a dissertation of Omar S. Choudary, one of his students. You would not find any link to the important part of specification... -- 91.48.20.155 (talk) 15:24, 5 January 2011 (UTC)

Implementation: "Europe" and "United Kingdom"

Why are there separate and contradictory sections for Europe and the UK, which is part of it?

• should it be "Europe except the UK (and perhaps some other countries)" or
• is the information under either heading wrong?

At least for Visa the information explicitly contradicts each other. --86.136.147.164 (talk) 04:04, 28 October 2013 (UTC)

Too long.

This isn't an article, it's a textbook. — Preceding unsigned comment added by 184.147.125.176 (talk) 17:15, 14 November 2013 (UTC)

Still terrible

I come to the Wiki to get a quick overview of how various technical systems work. I'm a pretty technical guy, and I have to say that after reading this article I still have absolutely no idea how EMV works. Much of what passes for the explanation appears to be copied directly from some inside-industry description, filled with jargon and absolutely lacking any attempt to explain any of it. What we need is something more along the lines of the last section of this, which clearly states what data flows where and when.

I'm more than willing to do a re-write if someone can point me to sources that actually explain this stuff.

Maury Markowitz (talk) 12:39, 20 October 2014 (UTC)

At the risk of stating the obvious, the "sources" are those listed in EMV#References and EMV#External links. I'm saying that all of the required information is there, but it should be a good starting point. Of course the definitive source is http://www.emvco.com/, in particular http://www.emvco.com/specifications.aspx. Mitch Ames (talk) 10:05, 21 October 2014 (UTC)

Implementation: United States

This entry requires an update.

The entry states, "Visa,[29] MasterCard[30] and Discover[31] in March 2012 – and American Express[32] in June 2012 – have announced their EMV migration plans for the US. In spite of these announcements, doubts remain over the willingness of merchants to develop the capability to support EMV.[33]"

According to an article (2014-10-20) in The New York Times, "...By next fall, though, American merchants face a deadline to upgrade their credit card terminals to accept E.M.V. — which stands for Europay, MasterCard and Visa — a technology that makes credit transactions more secure for consumers." ^[1]

This indicates a shift since this section was written/last edited.

As well, on 2014-10-17, President Obama issued an executive order, "Improving the Security of Consumer Financial Transactions," which includes chip-and-pin technology as part of the "enhanced security features" for "payment processing terminals and credit, debit, and other payment cards" used for government payments. This would be a driver for wider, quicker adoption of the (existing) EMV standard. (Especially for merchants who accept payment cards used by the "food stamp" program(s)). ^[2]

Hurdingkatz (talk) 22:29, 21 October 2014 (UTC)

1. http://www.nytimes.com/2014/10/21/technology/as-apple-pay-arrives-witnessing-the-next-step-in-money-maybe.html
2. http://www.whitehouse.gov/the-press-office/2014/10/17/executive-order-improving-security-consumer-financial-transactions

Table under Application Selection

There was a table under Application Selection that has no references and has dubious encyclopedic value. An IP user reverted my removal twice, with the second edit summary indicating the table has been there since inception. That reason is irrelevant. If there is no citation within the next week, I will remove again per WP:VER. Bahooka (talk) 23:18, 9 November 2014 (UTC)

I agree with the removal of the table. If it can be sourced, and if it were deemed by consensus to be encyclopedic, it should probably be in a separate article "list of ISO 7816 application identifiers" or similar. Mitch Ames (talk) 12:04, 10 November 2014 (UTC)