2

What are the problems that Chip card technology solve? and what are the problems EMV solve?

I understand that EMV is a standard where as chip card is a technology, It's pretty hard to tell them apart (can we refer to EMV & Chip Card as the same thing?)

What are the problems that having a chipcard or an EMV standard complianced card solve?

How do they solve the problems of other technologies such as proximity cards (Can't proximity cards have processors embed with them? )

what about magnetic strip cards (least of my worries cus it's been answered by other posts!)?

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
Brandon Seet
  • 61
  • 3

3 Answers3

4

A chip card (or smart card) is generic term for cards containing a microprocessor. You can think of it as a highly embedded computer. They might even run their own operating system.

EMV on the other hand refers to a certain standard for these kind of cards for payment transactions. Note, however, that smart cards can also be used for different applications, e.g. they are used quite heavily in the Pay-TV sector - at least here in Europe. Another field of application is the corporate environment, where smart cards may be required for logging into some services.

Smart cards are usually used for authentication. More specifically you prove to the other party that you are in possession of some sort of secret. The advantage over purely passive hardware (e.g. a magnetic stripe) is that the secret itself is never revealed. It is only used as a basis for all sorts of (cryptographic) operations, e.g. digitally signing a transaction. Furthermore these cards are usually built in a way that they can't be tampered with, at least not without spending a lot of time, money and effort.

Karol Babioch
  • 1,247
  • 8
  • 10
1

EMV is simply the standard that chip & pin cards must implement to inter-operate with point of sales terminals. It is the standard that makes it so your chip and pin card works regardless of which retailer you go to, which bank issued your card or which manufacturer produced the actual card.

The point of a chip card is to solve the problem of magnetic stripe cards revealing the secret needed to authorize a purchase. With a magnetic card, the magnetic strip's value never changes and is all that is needed. It is read directly by a point of sale terminal and can be cloned by anyone who scans it with an untrustworthy Point of Sale terminal.

Chip and pin on the other hand does not use the credit card number for authorizing a purchase. Instead, the point of sale terminal provides a unique challenge to the card. The chip takes that challenge and generates a response to prove that the card was present for the transaction, but the information needed to respond to the challenge is never revealed.

Since the point of sale never has access to the information needed to respond to another challenge, it isn't possible to clone the card since the next transaction would have a different challenge and the proper response would be unknown.

This system has a number of flaws though as it doesn't work well for things like online purchases where the card isn't available, though use of a local reader on the consumer's computer could eventually deal with this.

As another note, this isn't an RFID technology, but rather a smart card technology. It works by actually making contact with the little chip in the card, however NFC does support a similar type of contactless payment where the same negotiation occurs without needing direct contact.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • Except: all information available on the magnetic stripe can be read from the chip too... A "chip&pin" transaction is secured, but for some reason they (Visa,MC) decided to also include a readable version of PAN, expiry, card holder etc... – KristoferA Mar 20 '14 at 06:58
  • @KristoferA - what does it matter if the PAN is provided if it can't be used? If they scanned the card, they could have captured the magnetic strip anyway. You can't clone a chip with just the information on the magnetic strip. What matters is the private key that is unique to the card which must sign the challenge to prove the card was present. This is never revealed. – AJ Henderson Mar 20 '14 at 13:12
  • Correct, but if they wanted to move from unsecure to secure they should leave that data off the chip, remove the embossed PAN, and get rid of the magnetic strip... – KristoferA Mar 20 '14 at 15:06
  • @KristoferA - for there purposes it is still secure as soon as magnetic strips go away. If you can't make a purchase by knowing just the card number and other mag-stripe details, then it is no security issue for them to be known but still lets the vendor track the purchase more clearly. Until we get rid of mag stripes, it doesn't matter since the stripe is needed for compatibility with mag stripe only readers. – AJ Henderson Mar 20 '14 at 15:37
  • @AJHenderson Hey AJ, i've got a question then, why is it difficult to clone the whole chip on the chip card onto another card. All its details and RSA keys on the genuine card can be replicated on a fake card and someone else can use it. Could it be possibly due to the difficulty of cloning the applications that both the chip & POS have to decide on before approving the card's authenticity? – Brandon Seet Mar 24 '14 at 06:56
  • @BrandonSeet - but they can't. At least not easily. The whole point is that the chip never discloses the key that it stores. The memory that holds the key isn't accessible without dissolving protective layers on the card by just the right amount and directly analyzing the storage circuitry. Since the card is designed to be tamper proof, this is extremely difficult to do and not at all cost effective. The point is that cloning or altering the application on the chip or POS don't matter because you can't get the private key from the real card. – AJ Henderson Mar 24 '14 at 13:07
1

can we refer to EMV & Chip Card as the same thing?

For practical purposes, you can if it's your industry. I've found that retailers undergoing a shift in payment technology may refer to them as EMV cards, or chip cards, or smart cards, regardless of whether or not the terminology is correct.

What are the problems that having a chipcard or an EMV standard complianced card solve?

Compliance with the EMV standard means that different chips made by different foundries, cards created by different manufacturers, and cards issued by different banks can all interact with many different payment terminals made by different companies and installed at different retailers. EMV is the protocol that binds them all together.

An EMV transaction is a defined flow of information between the retailer, the retailer's terminal, the card, the cardholder, and the bank. The cardholder inserts the card in the terminal. The retailer's terminal exchanges data with the card. The terminal prompts the user to enter their PIN, and passes the PIN into the card; the card exchanges signed and/or encrypted data with the bank, and ultimately the card provides a digitally signed authorization to the retailer that says "yes, I approve this transaction for $100". The trick is that the card contains a secret key, put there by the bank, and that key is inaccessible to anyone else. Only that secret key plus the secret PIN associated with that key can properly generate the needed valid digital signatures on the approval data. The retailer won't accept the transaction unless it's properly signed.

This entire interaction is governed by the EMV standards, and is already implemented in millions of POS terminals and billions of smart cards. The EMV standards enable more manufacturers, more banks, more retailers, and more customers all to exchange payments for goods and services.

How do they solve the problems of other technologies such as proximity cards (Can't proximity cards have processors embed with them? )

Many cards have processors embedded in them, and there are many wired and wireless technologies for communicating with these smart cards. Some of these other technologies have some superior features -- RF cards are immune to dust, for example -- and some of them have drawbacks -- NFC cards can be read through your pocket and clothing on a bus or subway, and all wireless cards have extra circuitry that the EMV cards don't need. Many of those technologies weren't present when EMV was first defined, so EMV may not be able to work with all of them yet. Some of those other technologies may have other failings that make them undesirable for EMV.

EMV contact cards are among the more secure technologies, especially given the many limitations on smart cards: they have to be super cheap to distribute to thousands of customers, the readers have to be fairly affordable, they have to be extremely secure, they have to work in many different environments, they have to be reliable, and they still have to be super cheap. It's not that other technologies can't or won't work; it's that EMV is an international standard that's been in use for over a decade, and is already installed in millions of retail establishments around the globe.

what about magnetic strip cards (least of my worries cus it's been answered by other posts!)?

Mag stripe cards have never been secure. They are static: they always return the same data, read after read. You can copy the data from them and reuse it. A smart card, on the other hand, generates a dynamic digital signature every time you use it, assuring you that this is a card that knows the secret. And that secret is never revealed outside of the card environment. This makes them very difficult to clone. Plus, an attack on one card is slow and hard, and it teaches you nothing about the secrets inside the next card. That means attacking one card does not give you any information about attacking the next card. But if you are in a place where you can attack and copy one mag stripe card, copying 100 is just as easy.

John Deters
  • 33,650
  • 3
  • 57
  • 110