I spend a lot of time talking about the benefits to banks of migrating from magnetic stripe to chip technology for payment cards. As a banking industry, we often talk in terms of protection from fraud, and shifting the liability for any fraud to the non-chip-enabled party.
All of this is true. However, recently I have started to think about the differences between EMV and magnetic stripe from a slightly different perspective.
In the magnetic stripe world, the card is not able to tell the terminal what rules the issuing bank wants enforced at the point of sale. Of course, we can carry some information on the magnetic stripe, but not enough, and not with sufficient security, to be confident that the requirements of the issuing bank will be enforced, or that the issuer will take liability for setting the rules. So the way we apply rules for the acceptance of cards in the magnetic stripe world is for the terminal to enforce those rules. This means we end up with one set of rules per card type that apply to all issuing banks.
As an example, consider Australian EFTPOS. The agreed rules for the acceptance of an Australian domestic EFTPOS card are 100% online authorised, with PIN. A terminal recognises an Australian EFTPOS card when the cardholder pushes the cheque or savings button for account selection on the terminal, and this then allows the terminal to enforce the agreed rules for an EFTPOS payment. The cardholder must enter a PIN, and the terminal must send an authorisation online to the issuing bank. The point is that the terminal enforces these same rules for all Australian EFTPOS cards, no matter which bank issues the card.
This same model applies to the acceptance of all magnetic stripe cards irrespective of the scheme: domestic EFTPOS, international credit and so on. The issuing bank must accept the standards and rules of acceptance that are enforced by the terminals for the particular scheme.
When we migrate to EMV chip, we now have a device on the card capable of securely storing and processing information. This includes the rules that the issuing bank wants to enforce at the point of sale. The terminal is no longer the enforcer of the rules; rather, it becomes a supplier of services from which the chip card can choose based on the profile the issuer sets in the card. In the EMV chip world, the services that the terminal provides can include offline card authentication, verifying the cardholder's identity via PIN or signature, online authorisation and so on. It is up to the issuing bank to say which of these services they want to use for the current transaction, via the rules placed on the chip.
If the terminal is unable to provide the services requested by the card, the issuer can set rules that will result in the chip card declining the transaction.
One bank might set rules on their chip cards to require signature, and allow the card to be used in offline-only environments (parking meters, vending machines, duty-free shopping on planes). Another bank may issue a chip card under the same scheme branding, but always require PIN and online authorisation (no shopping on planes).
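The two banks described above, as an added example that is not part of the original post: a simplified Python model in which each card carries an issuer profile and chooses from the services a terminal offers. The profile fields, service labels, terminals and the banks' settings are assumptions made for illustration; they are not EMV data elements.

```python
from dataclasses import dataclass

# Illustrative service labels (assumed names, not EMV tags).
OFFLINE_AUTH, PIN, SIGNATURE, ONLINE_AUTH = "offline_auth", "pin", "signature", "online_auth"

@dataclass(frozen=True)
class IssuerProfile:
    """Rules the issuing bank places on the chip (hypothetical structure)."""
    issuer: str
    cvm_preference: tuple   # cardholder verification methods the issuer accepts, in order
    require_online: bool    # True: decline unless the terminal can authorise online

@dataclass(frozen=True)
class Terminal:
    """A terminal is only a supplier of services; it enforces no scheme rules here."""
    name: str
    services: frozenset

def decide(card, terminal):
    """Return (outcome, cvm) as determined by the card's issuer profile."""
    # First issuer-accepted verification method that this terminal can supply.
    cvm = next((m for m in card.cvm_preference if m in terminal.services), None)
    if cvm is None:
        return ("DECLINE", None)          # terminal cannot provide a requested service
    if ONLINE_AUTH in terminal.services:
        return ("GO_ONLINE", cvm)         # simplification: use online whenever offered
    if not card.require_online and OFFLINE_AUTH in terminal.services:
        return ("APPROVE_OFFLINE", cvm)   # issuer allows offline-only environments
    return ("DECLINE", None)              # issuer insists on online; none available

# Constructed sample data: same scheme branding, different issuer rules.
BANK_A = IssuerProfile("Bank A", (SIGNATURE,), require_online=False)
BANK_B = IssuerProfile("Bank B", (PIN,), require_online=True)
IN_FLIGHT = Terminal("in-flight duty-free", frozenset({OFFLINE_AUTH, SIGNATURE}))
RETAIL = Terminal("retail POS", frozenset({OFFLINE_AUTH, PIN, SIGNATURE, ONLINE_AUTH}))

if __name__ == "__main__":
    for card in (BANK_A, BANK_B):
        for term in (IN_FLIGHT, RETAIL):
            print(f"{card.issuer:7} @ {term.name:20} -> {decide(card, term)}")
```

The same terminal gives different outcomes for the two cards, which is the point: the variation comes from the issuer profile, not from terminal-side rules.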
To my mind, this is the fundamental difference between magnetic stripe cards and EMV chip cards. It is the shift in function and power from the terminal to the chip in terms of who calls the shots, and who enforces the rules. The result is that rather than all cards being treated equally with the same set of rules enforced by the terminal as for magnetic stripe, the rules for each transaction can vary by card as determined by the issuer.
Of course, this also means that the issuing banks must take liability for the rules that they set on their chip cards. No longer can the issuing bank charge the liability for the transaction back to the acquiring bank if the terminal does not correctly enforce the rules.
With EMV chip, a potential benefit that we have not fully explored yet is the ability for each bank to differentiate their own card products by defining different rules on the chip card. In the future, the domestic EFTPOS chip card issued by one bank may look very different to that of another. In fact, a single bank could differentiate cards right down to customer level, depending upon the needs and risk profile of an individual customer. We cannot do that with magnetic stripe!