EMV: Conforming to the global standard
EMV helps to reduce fraud at the POS, but it does not safeguard cardholder data once the payment method and consumer have been confirmed. The cardholder and the card itself have been validated through EMV, but the card data is still sent in the clear unless the merchant has layered on an encryption and tokenization solution that protects the card data and removes it from the merchant environment. A layered approach to fraud and security is the only way to be truly protected. Two important layers are:
Card data security – A strong encryption and tokenization solution can bolster the security of the entire payment transaction and reduce PCI compliance effort.
Card fraud protection – Layer EMV with encryption and tokenization plus online fraud and verification tools.
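The following added example (not code from the original article or from any particular vendor) shows what "removing card data from the merchant environment" means in practice: a hypothetical tokenization vault, which would live with the payment provider rather than the merchant, validates a PAN, replaces it with a random token, and hands the merchant only the token and the last four digits. The PAN and the `tok_` prefix used here are constructed test values.

```python
import hmac
import hashlib
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check, used to reject malformed PANs before they are vaulted."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Hypothetical tokenization service kept outside the merchant environment.

    The token is random and has no mathematical relation to the PAN, so a
    merchant database holding only tokens exposes no card numbers if breached.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key          # secret used to index repeat PANs
        self._token_to_pan: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> dict:
        """Vault a PAN and return what the merchant is allowed to keep."""
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("invalid PAN")
        # HMAC index lets the same card map to the same token without storing
        # the PAN as a plain lookup key.
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._index_to_token.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)
            self._token_to_pan[token] = pan
            self._index_to_token[idx] = token
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the vault (never the merchant) can recover the PAN."""
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, pan: str, amount_minor: int) -> dict:
    """What the merchant stores for a sale: no PAN, only the token and last4."""
    t = vault.tokenize(pan)
    return {"token": t["token"], "last4": t["last4"], "amount": amount_minor}


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test PAN, not a real card.
    vault = TokenVault(secrets.token_bytes(32))
    rec = merchant_record(vault, "4111111111111111", 1999)
    print(rec)                                    # token + last4, no PAN
    print(vault.detokenize(rec["token"]))         # vault side only
```

The merchant record never contains the PAN, which is the basis for the reduced PCI scope the text refers to; the vault's own storage would additionally be encrypted at rest in a real deployment.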
For a chip-based transaction, it is possible to authorize the payment using either an online or an offline process. When online authorization is used, the transaction information is sent to the card issuer for approval. If an offline process is used, the transaction information is transferred from the terminal directly to the chip card itself, and the chip performs the authorization. Transaction authorization is then determined by issuer-defined risk parameters stored in the chip rather than by direct approval from the issuer. A hybrid process is also possible, whereby cardholder verification is conducted via offline PIN and the transaction itself is authorized through online communication.
Allowing both online and offline authorization has many advantages. Online authorization adds a layer of security and fraud protection, since most fraud mitigation tools operate online, in real time. Online authorization also simplifies chip production, encryption key management and merchant infrastructure, which saves cost and reduces overall complexity.
The main advantage of allowing offline authorization is that it is consistent with global standards, ensuring compatibility and interoperability with international issuers' payment devices. In addition, it allows transactions to be authorized even without online connectivity, as in Europe, where almost 7 percent of all transactions rely on offline authorization.
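To make the preceding paragraphs concrete, here is an added, simplified model (not the EMV specification and not code from the article) of how issuer-defined risk parameters stored in the chip decide between offline approval, a request to go online, and a decline. The parameter names, limits and amounts are constructed for illustration: a single-transaction offline limit, a "lower" consecutive-offline count at which the chip prefers to go online if the terminal can, and an "upper" count and cumulative amount beyond which it refuses to approve offline at all. Amounts are in minor currency units.

```python
from dataclasses import dataclass


@dataclass
class ChipRiskParams:
    """Issuer-defined limits personalized on the chip (hypothetical names/values)."""
    offline_floor_limit: int        # max single amount approvable offline
    lower_consecutive_limit: int    # offline count after which the chip asks to go online
    upper_consecutive_limit: int    # offline count after which the chip declines if still offline
    cumulative_offline_limit: int   # max total amount approved offline since last online reset


@dataclass
class ChipState:
    """Counters the chip updates on every offline approval and resets after online approval."""
    consecutive_offline: int = 0
    cumulative_offline_amount: int = 0


def chip_decision(params: ChipRiskParams, state: ChipState,
                  amount: int, terminal_online: bool) -> str:
    """Return 'approve_offline', 'approve_online' or 'decline' for one transaction.

    Mirrors the text: offline approval is governed by parameters on the chip,
    online approval is given by the issuer, and a terminal without connectivity
    can still complete small, infrequent transactions.
    """
    # Hard conditions: the chip will not approve offline once any of these holds.
    hard_block = (
        amount > params.offline_floor_limit
        or state.consecutive_offline >= params.upper_consecutive_limit
        or state.cumulative_offline_amount + amount > params.cumulative_offline_limit
    )
    # Soft condition: between the lower and upper limits the chip prefers an
    # online authorization but tolerates offline if the terminal cannot connect.
    wants_online = hard_block or state.consecutive_offline >= params.lower_consecutive_limit

    if wants_online:
        if terminal_online:
            # Issuer approves in real time; offline counters reset.
            state.consecutive_offline = 0
            state.cumulative_offline_amount = 0
            return "approve_online"
        if hard_block:
            return "decline"

    # Offline approval by the chip, within the issuer's parameters.
    state.consecutive_offline += 1
    state.cumulative_offline_amount += amount
    return "approve_offline"


if __name__ == "__main__":
    # Constructed sequence: small purchases, then a large one at an offline terminal.
    p = ChipRiskParams(offline_floor_limit=5000, lower_consecutive_limit=3,
                       upper_consecutive_limit=5, cumulative_offline_limit=20000)
    s = ChipState()
    for amount, online in [(1000, True), (1000, True), (1000, True), (1000, True), (6000, False)]:
        print(amount, "online" if online else "offline", "->", chip_decision(p, s, amount, online))
```

The fourth small purchase goes online because the lower limit is reached, which resets the counters; the 6000 purchase at an offline terminal is declined because it exceeds the single-transaction limit. This is the "issuer-defined risk parameters" behaviour the text describes, reduced to a few counters.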
For issuers that choose to verify cardholders using an offline PIN validation process, there are several items to consider pertaining to PIN management. The issuer must provide a process for customers to change their offline PINs (which could involve ATMs, IVR, merchants' POS and/or in-branch services). If a card supports both online and offline PIN validation methods (as is the case for cards in most EMV countries), then separate online and offline PINs could exist. In this scenario, the issuer must either provide customer education on PIN management or ensure that the PINs are synchronized, to avoid cardholder confusion.