Why to implement EMV when Mobile NFC payments are coming in?

The discussions regarding the EMV migration in the US are ongoing and I did realize that NFC technology is sometimes thought of being a replacement technology for EMV. Why to hurry with the EMV migration, when there is something new and better coming in? In reality EMV technology enables NFC and thus implementing EMV is mandatory for the NFC functionality. Anyway there is just subset of EMV implementation really needed to get NFC working. But the cost of not implementing the whole EMV might be high.  And all this will be a topic for this article.

EMV stands for Europay, MasterCard and Visa. These three international card-issuing companies joined their efforts in development of the global standard for credit and debit payment cards based on chip card technology. Later on the Europay was acquired by MasterCard, but the group was enforced by further big ones as JCB (2004) and AMEX (2009). The standards prepared were intended to increase security and enable global interoperability between these card issuers.

EMV is a general framework defining how terminals or ATMs communicate with your card, regardless whether it is a ICC or contactless card. EMV enables extending payment services with additional functionalities. These might be related to security, business or information. Security for example; all payment transactions are being ‘signed’ by an cryptogram generated by your card, making security almost impossible to infringe. Unique cryptograms are being calculated based on certain transaction fields, transaction amount, your PIN and card’s Master key. Trying to copy your card without amending the card’s Master key or transaction would result in transaction being declined as cryptogram validation would fail. Also stealing your card and trying to reveal your PIN would give three tries only. After that your card’s chip will be blocked and won’t allow any further transactions to be signed.

Card applications are an important piece in the mosaic and are provided by the card issuers. These applications are following EMV standard and going even further, providing specialized processing and card’s customized configuration. They are actively participating in the approval process and can for example approve your payment offline as its being within floor limits and card verification results are indicating that it is safe to do so. Applications are also holding the information about card holder details such as PAN, Track2, number of transactions carried, number of PIN tries and more. Sometimes I’m getting a feeling that major card issuers are convinced that their implementation is the sacred one, not looking what others do, causing a real pain for any engineer who challenges implementing them into any part of the payment system.

But how does NFC and mobile payments fit into this picture? Contact-less services are represented again just by card’s applications, following issuer specific behavior as PayPass (MasterCard), PayWave (Visa) or ExpressPay (AMEX).

There are also a number of differences between ICC cards and contact-less cards handling. Traditional ICC card processing is well protected having a card plugged into the payment device, contactless cards are exposing their RFID communication outside, introducing some possible security issues. Another limitation comes with short time available for contactless payment processing. While a contact card can stay ‘locked’ in a terminal until ordering customer to removes it, contact-less card is expected to carry on much faster. The implementation have to count with a time needed for caring a complex cryptography and for transaction post-processing as issuer script handling. These operations common for contact cards are much simplified for their contactless relatives. Anyway as an implication of these changes, you won’t be asked to enter the PIN to authorize your payment till some certain amount and your account won’t be ‘suddenly debited’, while traveling with public transport.

It does not matter whether we are calling it NFC, contact-less or mobile payment, financial transactions are based on interaction between card’s chip and a payment device. These interactions are based on EMV standards and therefore implementing EMV is an important requirement for NFC. Question is whether a whole EMV have to be implemented? No, not at all. Implementing just mandatory part of EMV, to have mobile payments working, may result in serious cost-savings across the whole business. Hidden cost of this approach, which doesn’t have to be immediately obvious, might be loosing that interoperability advantage brought by EMV. The local card’s won’t have to be accepted abroad (and vice versa), limiting payment network usage to local customers only. This might be issue for today’s world based on globalization and importance of traveling workforce.

Every coin has two sides, so I believe that the path will be found in the best direction for all involved.