Anda di halaman 1dari 29

Minimum EMV Chip Card and Terminal Requirements

Intended Audience

This document is intended for use by U.S. issuers, merchants, acquirers, processors and vendor
Introduction

Some U.S. payment networks are implementing EMV liability shifts effective October 2015. A
What are the minimum requirements that we need to consider as we deploy chip for my organ

To help merchants, acquirers, processors and issuers develop their strategies for EMV implemen
create a document presenting minimum requirements for EMV chip deployment across each pa
minimum requirements of EMV chip implementation and deployment for those payment networ
Jeanie, MasterCard, NYCE, PULSE, SHAZAM, STAR and Visa reflected in the document, so that
While the document addresses minimum EMV chip requirements of the respective networks, de
of considerations, such as business needs and preferences, deployment timing, complexity and

The document focuses on the minimum card and terminal EMV requirements for the U.S. payme
Discover, Jeanie, MasterCard, NYCE, PULSE, SHAZAM, STAR and Visa in the context of the U.S. e
documented their respective minimum card and terminal configurations for EMV compliance. So
functionalities that are beyond each networks minimum requirements, such as offline PIN supp
individual business requirements against the potential additional functionalities and their assoc
the expected volume of issuers that may support them, and issuers should evaluate these func

Issuers and merchants that choose to deploy EMV solutions are encouraged to work directly wit
approved EMVCo configurations offered that best satisfy their business needs. Approved EMVCo
including in the U.S.

How to Use the Minimum Requirements Matrix


The Minimum Requirements Matrix is an Excel document consisting of an introduction tab, five
glossary:

Introduction
Cards - Credit
Cards - Debit U.S. Common AID
Cards - Debit Brand AID
Terminals - Point-of-Sale (POS)
Terminals - ATM
Glossary

Within each tab, the left vertical columns B and C list the available capabilities for cards or term
participants in the matrix: American Express, Armed Forces Financial Network (AFFN), China Un

For each participant, a checkmark signifies those attributes that are minimum requirements for

Cards - Debit Brand AID


Terminals - Point-of-Sale (POS)
Terminals - ATM
Glossary

Within each tab, the left vertical columns B and C list the available capabilities for cards or term
participants in the matrix: American Express, Armed Forces Financial Network (AFFN), China Un

For each participant, a checkmark signifies those attributes that are minimum requirements for
participant, and not required. In some cases, participants have added comments regarding part

Legal Notice

This document provides an overview of each participating payment network minimum card and
to help stakeholders understand the minimum requirements of chip deployment for each paym
requirements as the fraud liability shift approaches.

This document describes each participants minimum EMV requirements in the context of the U
independently by the respective networks, and are subject to change. Issuers and merchants ar
business needs, and to work directly with card and terminal vendors to determine the approved
great effort has been made to ensure that the information in this document and the Minimum R
purpose, whether statutory, regulatory, contractual or otherwise and all warranties of any kind a
reliance on the information set forth in either document. Any person that uses or otherwise reli

If a network is not included in the matrix, issuers and merchants should directly contact their re
debit networks.

About U.S. EMV Chip Migration

Commonly used globally in place of magnetic stripe technology, EMV chip technology helps to r
enables safer transactions across contact and contactless channels. Chip implementation was in
announced their roadmaps for supporting a chip-based payments infrastructure. Acquirer proce
managing fraud risk in a face-to-face environment set for 2015.

About the EMV Migration Forum

The EMV Migration Forum is a cross-industry body focused on supporting the EMV implementati
consumers to help ensure a successful introduction of more secure EMV chip technology in the
and/or coordination to migrate successfully to chip technology in the U.S. For more information

uirers, processors and vendors who are planning deployments of their respective EMV chip programs in the U.S.

s effective October 2015. As U.S. issuers, merchants, acquirers and processors plan for these liability shifts, m
we deploy chip for my organization?

strategies for EMV implementation, several payment network participants in the EMV Migration Forum have co
p deployment across each payment network. The primary goal of this document is to help stakeholders understa
ent for those payment networks Accel, American Express, Armed Forces Financial Network (AFFN), China Union
cted in the document, so that stakeholders can work with their partners to develop a strategy to meet those req
f the respective networks, decisions regarding deployment of chip technology will differ by stakeholder and invo
ment timing, complexity and associated initial and future costs.

quirements for the U.S. payment networks Accel, American Express, Armed Forces Financial Network (AFFN), Chi
a in the context of the U.S. electronic payments marketplace and the October 2015 liability shifts. These partici
ations for EMV compliance. Some issuers and merchants, as they evaluate their business needs, may consider a
ents, such as offline PIN support and offline data authentication. All issuers and merchants should carefully eval
unctionalities and their associated costs and complexities. In addition, merchants should evaluate these functio
s should evaluate these functionalities against the expected volume of merchants that may support them.

couraged to work directly with their card and terminal vendors, payment networks and processing partners to d
ness needs. Approved EMVCo terminal configurations (e.g. chip reader and chip software) are a global industry

g of an introduction tab, five tabs for chip card and acceptance terminal requirements for each network, and on

capabilities for cards or terminals within the EMV standard (called attributes in the matrix). The horizontal ro
cial Network (AFFN), China UnionPay, Discover, Jeanie, MasterCard, NYCE, PULSE, SHAZAM, STAR and Visa.

e minimum requirements for that participant. If an attribute is left blank, it means that the attribute is optional

t network minimum card and terminal requirements for chip deployment. The information is publicly available,
p deployment for each payment network so they can work with their partners to determine their best strategy t

ments in the context of the U.S. marketplace. It should be noted, however, that specific requirements are determ
nge. Issuers and merchants are therefore strongly encouraged to evaluate these requirements against their own
rs to determine the approved EMVCo configurations that satisfy the relevant minimum card and terminal requir
document and the Minimum Requirements Matrix is accurate and current, neither document should be relied on
nd all warranties of any kind are disclaimed, including all warranties relating to or arising in connection with the
on that uses or otherwise relies in any manner on the information set forth in the documents does so at his or h

hould directly contact their respective networks and acquirers regarding minimum card and terminal requireme

MV chip technology helps to reduce card fraud in a face-to-face card-present environment; provides global inter
s. Chip implementation was initiated in the U.S. in 2011 and 2012 when American Express, Discover, MasterCar
nfrastructure. Acquirer processor readiness mandates to support chip were established for 2013, with liability s

porting the EMV implementation steps required for global and regional payment networks, issuers, processors, m
e EMV chip technology in the U.S. The focus of the Forum is to address topics that require some level of industry
he U.S. For more information on the EMV Migration Forum, please visit http://www.emv-connection.com/emv-mig

hip programs in the U.S.

or these liability shifts, many are asking:

Migration Forum have collaborated to


elp stakeholders understand the
work (AFFN), China UnionPay, Discover,
rategy to meet those requirements.
r by stakeholder and involve a balancing

ncial Network (AFFN), China UnionPay,


bility shifts. These participants have
ss needs, may consider added
nts should carefully evaluate their
d evaluate these functionalities against
may support them.

processing partners to determine the


re) are a global industry requirement,

or each network, and one tab for a

matrix). The horizontal row 4 lists the U.S.


AM, STAR and Visa.

the attribute is optional for that

ion is publicly available, and is provided


mine their best strategy to meet

requirements are determined


ements against their own specific
card and terminal requirements. While
ment should be relied on for any legal
g in connection with the use of or
ments does so at his or her sole risk.
and terminal requirements for regional

ent; provides global interoperability; and


ess, Discover, MasterCard and Visa
for 2013, with liability shifts for

ks, issuers, processors, merchants, and


re some level of industry cooperation
connection.com/emv-migration-forum/.

Note:

Card: U.S. Credit Configuration - Brand AID

P = indicates requirement

Attribute

Visa
Minimum Requirement
Online

Requirement relating to Lost/Stolen


Liability

MasterCard
Comments

Authorization

Minimum Requirement

Requirement relating to Lost/Stolen


Liability

Offline authentication not required or


recommended due to online-only environment
in U.S.

DDA
CDA
ARQC

Issuer authentication (ARPC)

Online PIN

Required if card not configured as online-only

Requirement relating to Lost/Stolen


Liability

American Express
Comments

Minimum Requirement

Requirement relating to Lost/Stolen


Liability

Discover
Comments

Minimum Requirement

Requirement relating to Lost/Stolen


Liability

Comments

Required if card not configured as online-only

Required if card not configured as online-only

P
Not recommended, could lead to unnecessary
reversals; only needed to reset offline counters

For ATM cash transactions only, not required


for purchase transactions

Optional to Issuers

For Signature Cards: Required for ATM and


unattended terminals (CAT 1)

Application Cryptogram is mandatory

Only for ATM

P
CVM

Minimum Requirement

Not allowed

SDA1

Authentication

China UnionPay
Comments

P
Not required or recommended due to onlineonly environment in U.S.

Offline

Online or Offline PIN

Online or Offline PIN

PIN required for ATM cash transactions only,


not mandatory for purchase transactions
Online or Offline PIN

Offline PIN

Signature

No CVM

Offline PIN block


Offline PIN change
Scripting

Application block/unblock
EMV scripting
Counter reset

Note: 1. Visa to discontinue SDA for new and replacement Visa contact chip only cards that support offline authorization, effective 1 Oct 2015

Scripting is not necessary due to online-only


environment in U.S.

UPI standards support scripting, and is optional


for issuer

Scripting will be dependent on personalization,


all must be supported by the chip application

Discover supports issuer scripting, it is the


issuer's choice whether to utilize this
functionality

Note:

Card: U.S. Debit Configuration - Common AID

P = indicates requirement

Attribute
Minimum Requirement
Online

Visa
Comments

Minimum Requirement

MasterCard
Comments

Minimum Requirement

China UnionPay
Comments

Accel
Minimum Requirement

Comments

Minimum Requirement

PULSE
Comments

Minimum Requirement

NYCE
Comments

Minimum Requirement

STAR Network
Comments

Minimum Requirement

AFFN
Comments

Minimum Requirement

Jeanie
Comments

Minimum Requirement

SHAZAM
Comments

Authorization
Offline

SDA

Not allowed

DDA

Required if card not configured as online-only

CDA
Authentication

ARQC

Online PIN

ODA (offline data authentication) can be


optionally supported

Required if card not configured as online-only

P
Not recommended, could lead to unnecessary
reversals; only needed to reset offline counters

Issuer authentication (ARPC)

Offline PIN

STAR will pass the ARPC back in the online


message for approved transactions to support
Issuer ARPC if implemented

SHAZAM will pass the ARPC back in the online


message for approved transactions to support
Issuer ARPC if implemented

Not Supported

P
Not supported at this time

CVM
Signature
No CVM

Supported via No CVM

Supported via No CVM

Supported via No CVM

Supported via No CVM

Supported via No CVM

Supported via No CVM

Supported via No CVM

Supported via No CVM

Offline PIN block


Offline PIN change
Scripting

Application block/unblock
EMV scripting
Counter reset

Scripting is not necessary due to online-only


environment in U.S.

UPI standards support scripting, and is optional


for issuer

Issuer option; Accel will pass the data in the


message if the Issuer has opted to utilize this
functionality.

Issuer scripting supported, it is the issuer's


choice whether to utilize this functionality

Issuer scripting supported, it is the issuer's


choice whether to utilize this functionality

If the issuer supports scripting STAR will pass in


the message. Issuer's choice whether to utilize
this functionality

Scripting not supported at this time

If the issuer supports scripting SHAZAM will


pass in the message. Issuer's choice whether
to utilize this functionality

Note:

Card: U.S. Debit Configuration - Brand AID

P = indicates requirement
Visa

Attribute
Minimum Requirement
Online

Requirement relating to Lost/Stolen


Liability

MasterCard
Comments

Minimum Requirement

Requirement relating to Lost/Stolen


Liability

China UnionPay
Comments

Minimum Requirement

Requirement relating to Lost/Stolen


Liability

Discover
Comments

Minimum Requirement

Requirement relating to Lost/Stolen


Liability

Comments

Authorization
Offline

SDA

Not allowed

DDA

Authentication

Required if card not configured as online-only

CDA
ARQC

Required if card not configured as online-only

Issuer authentication (ARPC)

Not recommended, could lead to unnecessary


reversals; only needed to reset offline counters

Required for cash transactions

ODA can be optionally supported

P
Optional to Issuers

For Signature Cards: Required for ATM and


unattended terminals (CAT 1)

Signature

No CVM

Online PIN

CVM

Offline PIN

Offline PIN block


Offline PIN change
Scripting

Application block/unblock
EMV scripting
Counter reset

Scripting is not necessary due to online-only


environment in U.S.

UPI standards support scripting, and is optional


for issuer

Issuer scripting supported, it is the issuer's


choice whether to utilize this functionality

Note:

U.S. EMV POS Terminal- Basic Configuration

P = indicates requirement

Attribute

Visa
Description

MasterCard
Comments

Description

Visa Credit/ Debit


Visa Electron

MasterCard

Optional

Interlink
Visa U.S. Common Debit

Maestro
U.S. Maestro (Common AID)

Terminal type

Any device supporting online authorization

Terminal floor limit

Required

China UnionPay
Comments

Description

American Express
Comments

UnionPay Credit/Debit/Quasi Credit/Common AID

Discover

Description

Comments

Description

American Express

Must support partial AID

D-PAS Proprietary , U.S. Common AID, Zip AID

Comments

Application AIDs supported

Including 21, 24 (Tag '9F 35') terminal types

Acquirer / merchant choice whether to support


Common AID

Any device supporting online authorization

Any device supporting online authorization

Terminal Type and Floor Limit

Attribute

Visa
Minimum Requirement
Online authorization

Authorization & Settlement

Requirement relating to
Lost/Stolen Liability

MasterCard
Comments

Minimum Requirement

Requirement relating to
Lost/Stolen Liability

Acquirers must identify floor limit under the max amount


allowed by DFS Operating Regulations (for offline capable
terminals)

China UnionPay
Comments

Minimum Requirement

Requirement relating to
Lost/Stolen Liability

American Express
Comments

Minimum Requirement

Requirement relating to
Lost/Stolen Liability

Discover
Comments

Minimum Requirement

Requirement relating to
Lost/Stolen Liability

Comments
Online and offline authorization supported within
risk management parameters

Offline authorization

Optional, can be used in merchant stand-in

Offline clearing, settlement


Recommended for temporary communication
outages

Deferred authorization

Optional, dependent on industry etc.

SDA
Offline Data Authentication (ODA)

DDA

Required if terminal supports offline CAM or


offline enciphered PIN

CDA

Required if terminal supports offline CAM or


offline enciphered PIN

Magnetic stripe

IC with contacts

When the chip terminal integrates such magnetic


stripe hardware

P
P

Recommended at POS if accepting Online PIN for


mag-stripe

Online enciphered PIN


Terminal Capabilities & CVM

P
P

Offline PIN
Signature
No CVM

Optional

Not allowed

P
P

(at attended POS only)


(at unattended POS only)

Required at attended POS only


Required at unattended POS only

P
P

P
P

Required if Online PIN is supported

Recommended, Offline plaintext PIN only

P
P

Online or Offline PIN

Either PIN method satisfies the requirement for


protection from lost/stolen fraud. We recommend
merchants certify for both PIN methods.

(at attended POS only)

Required at attended POS only

(at unattended POS only)

Required at unattended POS only, optional at


attended POS

Required if Offline PIN is supported

Required if Online PIN is supported

Cash back

PIN Pad

Optional

Goods

Services

Receipt capabilities

Transaction Types and Requirements

POS PIN pad

P
P

Clearing, settlement

If offline authorization supported, chip data is


required

Returns

Chip data not required

Support / carry chip data

Scripting

Optional for Issuer to send chip data in response

Authorization request / response

Required if terminal supports offline CAM or


offline enciphered PIN
Optional

Required at unattended POS only

(at unattended POS only)

Required if terminal supports offline enciphered


PIN

Required if Offline PIN is supported

Required at attended POS only

(at attended POS only)

Required if terminal supports offline CAM

Not required

AID in authorization message

PIN block

PIN change

Application block/unblock

EMV scripting

Counter reset

Optional

P
P
All scripting must be supported by the terminal

Terminal will support scripting if Issuers sends


scripts

Note:

U.S. EMV ATM Terminal - Basic Configuration

P = indicates requirement

Attribute

Visa
Description
Required

Application AIDs supported

Terminal Type and Floor Limit

Description

Visa U.S. Common Debit

Terminal type

Any device supporting online authorization

Terminal floor limit

Including 14 (Tag '9F 35') terminal type

Online authorization

Description

Any device supporting online authorization for cash


disbursement

Any device supporting online authorization

0
MasterCard

Minimum Requirement

Description

American Express
Comments

American Express Global AID

Any device supporting online authorization

Comments

China UnionPay
Comments

UnionPay Credit/Debit/Quasi Credit/Common AID

Discover
Description

Comments

D-PAS Proprietary and U.S. Common AID

Acquirer /ATM driver choice whether to support


Common AID

U.S. Maestro (Common AID)

Visa
Minimum Requirement

MasterCard
Comments

MasterCard
Maestro
Cirrus

Optional

Attribute

Authorization & Settlement

Comments

Visa Credit/ Debit


Visa Electron
Plus

Comments

Devices certified for track 1 and track 2 EMV data

0
China UnionPay

Minimum Requirement

Comments

Any device supporting online authorization


0

American Express
Minimum Requirement

Comments

Discover
Minimum Requirement

Comments

Offline authorization
Offline clearing, settlement
Prohibited
Prohibited

SDA
Offline Data Authentication (ODA)

DDA

Prohibited

CDA

Prohibited

Magnetic stripe

IC with contacts

Online enciphered PIN

Cash

Receipt capabilities

ATM PIN pad

Authorization request / response

AID in authorization message

PIN block

P
P
P
P
P

Terminal Capabilities & CVM


Offline PIN
Signature
No CVM

Transaction Types and Requirements

PIN Pad

Optional for Issuer to send chip data in response

P
P

Support / carry chip data

PIN change
Scripting

Application block/unblock
EMV scripting
Counter reset

Optional

P
P
P
P
P

Not normally performed by scripting

P
P
P
P
P

P
P
P
P
P

Optional

P
P
P
P
P

Glossary
Term

Application Identifier (AID)

Authorization Request Cryptogram (ARQC)

Authorization Response Cryptogram (ARPC)

Card Risk Management

Cardholder Verification Method (CVM)

CDA (Combined DDA/ Application CDA Cryptogram Generation)

DDA (Dynamic Data Authentication)

Deferred Authorization

EMV Chip Card

EMV Terminal

Floor Limit

ICC

Issuer Script

Lost/Stolen Liability Shift

Magnetic Stripe Card

No CVM

Offline Authorization

Offline Clearing, Settlement

Offline Data Authentication (ODA)

Offline Enciphered PIN

Offline PIN

Offline Plaintext PIN

Online Authorization

Online PIN

PIN Management

SDA (Static Data Authentication)

Signature

Definition

An alpha numeric representation of the application defined within ISO 7816. A data label that differen
payment systems and products. The card issuer uses the data label to identify an application on the c
terminal. Cards and terminals use AIDs to determine which applications are mutually supported, as bo
the card and the terminal must support the same AID to initiate a transaction. Both cards and termina
may support multiple AIDs. An AID consists of two components, a registered application identifier (RID
a propriety application identifier extension (PIX).

A cryptogram generated by the card at the end of the first round of card action analysis, which is inclu
in the authorization request sent to the card issuer and which allows the issuer to verify the validity of
card and message.

A cryptogram generated by the issuer and sent in the authorization response back to the terminal. Th
terminal provides this cryptogram back to the card which allows the card to verify the validity of the is
response.

Issuer defined risk parameters and authorization controls programmed into the chip application enabl
the card to act on the issuers behalf at the point of transaction to determine if the transaction should
sent online, approved offline or declined offline. These controls aid issuers in managing their below-flo
limit exposure to fraud and credit losses. They may be tailored to the risk level of individual cardholde
groups of cardholders.

In the context of a transaction, the method used to authenticate that the person presenting the card i
valid cardholder. EMV supports four CVMs: offline personal identification number (PIN) (offline enciphe
plain text), online encrypted PIN, signature verification, and no CVM. The issuer decides which CVM
methods are supported by the card and the merchant chooses which CVMs are supported by the term
The issuer sets a prioritized list of methods on the chip for verification of the cardholder.

A card authentication technique used in online and offline chip transactions that combines dynamic da
authentication (DDA) functionality with the application cryptogram used by the issuer to authenticate
card.

A card authentication technique used in offline chip transactions that requires the card to digitally sign
unique data sent to it from the terminal. DDA protects against card skimming and counterfeiting.

Also known as "store and forward." Deferred Authorization occurs when an online authorization is
performed after the card is no longer available. The time delay may be brief, such as for a temporary
communications failure or where the merchant simply wishes to speed processing. The time delay ma
extended, as when a ferry is out of range of shore, for in-flight sales, or when the device does not hav
online capability (for example, unattended kiosks where the transactions are offloaded nightly to a se
and submitted in batches).

A device that includes an embedded secure integrated circuit that can be either a secure microcontro
equivalent intelligence with internal memory, or a secure memory chip alone. The card connects to a
reader with direct physical contact or with a remote contactless radio frequency interface. With an
embedded microcontroller, chip cards have the unique ability to securely store large amounts of data,
out their own on-card functions (e.g., encryption and mutual authentication), and interact intelligently
a card reader. All EMV cards are chip cards.

Point-of-sale (POS) device or ATM that is able to process chip transactions.

A currency amount that is established for single transactions, above which an online authorization is
required.

Integrated Circuit Card, EMV chip card, Contact chip card

A process by which an issuer can update securely the contents digitally stored on chip cards without
reissuing the cards. Examples of issuer scripts include blocking and unblocking an account, blocking t
entire card, changing and unblocking the cardholders personal identification number (PIN), and chang
the cardholders offline authorization controls (ACs).

(Applicable to MasterCard, American Express and Discover) Beginning Oct. 1, 2015, if a merchant acc
PIN-preferring (both online and offline) chip card that has been stolen (not a copy or counterfeit) and
presented at a terminal that does not support either online or offline PIN, allowing the card to be proce
as signature, the merchant will be liable for the chargeback resulting from the fraud. This process doe
include No CVM (Cardholder Verification Method) transactions that meet the No CVM requirements of
card brand or network.

A plastic card that uses a band of magnetic material to store data. Data is read by a mag stripe reade

A cardholder verification method (CVM) supported by EMV in which the cardholder is not required to
provide a signature or enter a PIN.

Authorizing or declining a payment transaction through card-to-terminal communication, using issuerdefined risk parameters that are set in the card to determine whether the transaction can be authoriz
without going online to the issuer host system.

Clearing and settlement of offline-approved transactions.

A process whereby the card is validated at the point of transaction, using RSA public key technology t
protect against counterfeit or skimming. Three forms of offline data authentication are defined by EMV
Static (SDA), Dynamic (DDA) and Combined DDA/Application Cryptogram (CDA).

Personal identification number (PIN) processing in which the PIN entered by the cardholder is encrypte
using public key cryptography at the PIN pad and then sent to the chip card where it is decrypted insid
the chip and verified.

The personal identification number (PIN) stored on the chip card (versus a PIN stored at the host). In a
transaction using offline PIN, the PIN entered at the terminal is compared with the PIN stored securely
the chip card without going online to the issuer host for the comparison. Only the result of the compar
is passed to the issuer host system. Two types of offline PIN are enciphered and plaintext.

Offline personal identification number (PIN) processing in which the PIN entered by the cardholder is s
unencrypted, in plaintext, from the PIN pad to the chip card for verification.

Authorizing or declining a payment transaction by sending transaction information to the issuer and
requesting an authorization response from the issuer usually in real time.

In a chip transaction, the process of comparing the cardholder's entered personal identification numbe
(PIN) with the PIN stored on the issuer host system. The PIN is encrypted by the terminal PIN pad befo
being passed to the acquirer system. The PIN is then decrypted and re-encrypted as it passes between
each party on its way to the issuer. This is supported today with mag-stripe.

The process of using issuer scripts to securely update personal identification number (PIN) data stored
the card. PIN management includes PIN change and PIN unblock.

A card authentication technique used in offline chip transactions that uses signed static data element
With SDA, the data used for authentication is staticthe same data is used at the start of every
transaction. This prevents modification of data, but does not prevent the data in an offline trans-action
from being replicated.

A cardholder verification method (CVM) supported by EMV in which the cardholder provides signature
verification.