MAG Insights


MAG Sponsor Spotlight: Visa Quick Chip and MasterCard M/Chip Fast - Overview and Effects (MAG Quarterly - Volume Four, Issue Two)

By Roger Applewhite, Vice President of Strategic Initiatives at MagTek, Inc., & Chief Operating Officer of MagTek's payment processing subsidiary, Magensa LLC

June 2, 2016

As with many processes governed both by standards and corporations, EMV, while ostensibly stable and predictable, has been subject to numerous changes as participants in its use have gained experience in real-world situations. One such situation has recently motivated Visa, and now MasterCard, to adjust the canonical US realization of the EMV transaction in essentially the same way. The change responds to perceived cardholder dissatisfaction with the checkout experience: it takes too long, is not cardholder-initiated, and requires the card itself to be out of the possession of the cardholder, at least for a period of time. These are all experiences that run counter to what the cardholder has been taught and come to expect from magstripe.

To understand the change these card brands have offered, it’s useful to restate the rudiments of an EMV transaction. First, the cardholder must wait until the checkout process is complete and a final amount tallied. It is only at this point that the transaction can begin, as standard EMV requires the final amount be presented to the card’s chip at the beginning of the transaction cycle. While the cardholder could insert their card in the terminal before this point, it has little meaning as nothing can begin until the amount is presented.

Then, the card and the terminal perform a complex series of interactions, many involving the cardholder, such as amount verification, application selection (generally credit or debit) and presentation of a Cardholder Verification Method, or CVM (PIN, signature or nothing). When this is complete, the card generally creates an Application Request Cryptogram (ARQC) whose essential purpose is to provide the issuing bank a means to verify the authenticity of the card and the final amount. After the bank receives the ARQC through the traditional processing channels, and validates it, the bank creates an Authorization Response Cryptogram (ARPC) which is returned to the chip. The chip can then do the same as the bank did with the ARQC, namely authenticate the bank and its authorization response.

During this process, which experience has shown can take from 5 to 30 seconds, the cardholder must wait with the card securely inserted in the terminal. Again, this is in contrast to a 2-second swipe of a magstripe that can occur any time after the checkout process has started. This inconvenience appears to be the motivation for Visa Quick Chip and MasterCard M/Chip Fast, which purport to make the EMV transaction experience more “magstripe-like”.

How is this done? By altering some of the transaction cycle steps listed above and removing another altogether. First, the requirement for the presentation of the final amount has been altered. Now, a “plug” amount may be used in its place. This amount could potentially be anything, though there is a catch discussed later in the document. Since this amount is known ahead of checkout time, the EMV cycle can be started by the merchant immediately, and the cardholder can now insert the card when they want, just as with magstripe. Once inserted, the cycle with the card continues normally except that the plug amount is not displayed by the terminal, nor does the terminal ask for the amount to be verified. Continuing to the point just after the presentation by the chip of the ARQC, we alter the cycle again by indicating to the cardholder that they may remove the card from the terminal at this step. This is possible because the presentation of the ARPC from the bank to the chip is removed altogether as a step. The end result, therefore, is a “dip and pull” at about the same speed as a “swipe”.

In general, a reasonable evaluation of this new method would indicate an improved experience for the cardholder, bringing them back from what they might have felt they lost with magstripe. However, there are implications to this change worth considering:

  1. To date, only Visa and MasterCard have provided specific direction concerning this option, and they recommend that it only be used in “high-traffic” environments. This naturally leads to a hybrid environment where some retailers will use this method with some of the cards presented. This could have two deleterious effects:
    • Cardholders will be faced with performing different behaviors at different merchants with different cards. This is made especially problematic as cardholders have yet to become completely familiar with EMV in the first place.
    • Merchants will either have to determine which card will be used before the transaction cycle begins, or re-program their terminals to detect cards and follow different processing behavior accordingly. If the other major card brands follow Visa and MasterCard’s lead, this issue will be obviated.
  2. Terminals must be re-programmed to perform the new behavior. Specifically, they must:
    • Accept or create a plug amount[1],
    • Not display the amount or ask for a confirmation,
    • Ask the cardholder to remove the card after the presentation of ARQC by the chip,
    • Not return the ARPC to the chip (as the card will be gone).
  3. Re-programmed terminals may require recertification, depending on how the new behavior is realized in software or firmware:
    • If the terminal is a PCI PTS PED, a re-certification may be required.
    • The merchant processor’s EMV certification (sometimes known as “L3”) may be affected.
    • A terminal’s L2 EMV certification should NOT be affected, as long as the new transaction behavior described here is not mediated by the kernel.

Finally, it is worth noting that Quick Chip and M/Chip Fast explicitly remove two security features that were long touted as part of the benefit of transitioning to EMV: integrity of the transaction amount, and the chip’s ability to validate, and hence report to the merchant, the authenticity of the issuing bank. Curiously, both Visa and MasterCard have provided their fast transaction options as ready for use now, implying the issuing banks are already able to accept it. This might lead one to wonder if these two security features were ever extant in the US market.
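The two removed security features can be seen in a simplified model of the flow, added here as an illustration and not taken from Visa, MasterCard or MagTek material. It assumes HMAC-SHA256 in place of the chip's real cryptogram algorithm and that the issuer verifies the ARQC against the amount the chip was given; the key, function names and amounts are constructed.

```python
import hashlib
import hmac

CARD_KEY = b"constructed-demo-key"  # constructed; stands in for the key shared by chip and issuer


def mac(*fields):
    # Assumption: HMAC-SHA256 replaces the MAC a real chip computes.
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()[:16]


def chip_arqc(amount_cents, atc, nonce):
    # The chip signs whatever amount the terminal presented to it.
    return mac("ARQC", amount_cents, atc, nonce)


def issuer_check(arqc, claimed_amount, atc, nonce):
    # Issuer recomputes the ARQC; returns an ARPC on success, None on failure.
    if not hmac.compare_digest(arqc, chip_arqc(claimed_amount, atc, nonce)):
        return None
    return mac("ARPC", arqc, "approved")


def run(chip_amount, final_amount, atc, nonce, card_stays_inserted):
    arqc = chip_arqc(chip_amount, atc, nonce)
    arpc = issuer_check(arqc, chip_amount, atc, nonce)
    # The chip can only check the ARPC if it is still in the terminal.
    chip_ok = (card_stays_inserted and arpc is not None
               and hmac.compare_digest(arpc, mac("ARPC", arqc, "approved")))
    return {
        "arqc_valid": arpc is not None,
        # Does the same cryptogram also verify against the amount charged?
        "cryptogram_covers_final_amount":
            issuer_check(arqc, final_amount, atc, nonce) is not None,
        "chip_authenticated_issuer": chip_ok,
    }


def standard_emv(final_amount, atc, nonce):
    return run(final_amount, final_amount, atc, nonce, card_stays_inserted=True)


def fast_chip(plug_amount, final_amount, atc, nonce):
    # Card is inserted before the total is known and pulled after the ARQC.
    return run(plug_amount, final_amount, atc, nonce, card_stays_inserted=False)


if __name__ == "__main__":
    print(standard_emv(2599, atc=7, nonce="1a2b3c4d"))
    print(fast_chip(100, 2599, atc=8, nonce="5e6f7a8b"))
```

In the fast flow the ARQC still proves the card is genuine, but it no longer binds the amount actually charged, and the chip never sees an issuer response.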

Roger Applewhite is Vice President of Strategic Initiatives at MagTek, Inc., and Chief Operating Officer of MagTek’s payment processing subsidiary, Magensa LLC. MagTek is a leading provider of card reading, security, and authentication technology, serving the merchant community since 1972.

[1] The plug amount must be chosen carefully so that the CVM behavior the merchant expects is achieved. For instance, the card may force a signature if the plug amount is over $50 (Easy Pay, QPS).