The EMV technology is superior to the magnetic stripe on many different levels. An EMV card is difficult to forge; it allows a variety of reliable cardholder verification methods, including offline PIN validation by the chip on the card; finally, intercepting one or several EMV messages will not help an attacker mimic the actual card (you can read more about EMV in my book).
Furthermore, issuers can send card updates, modify various settings and even propagate PIN changes, owing to the cryptographic protection of the card-issuer communication.
However, superior technology in vitro doesn’t always translate to a good solution in vivo. In smaller markets and those with under-developed electronic card payment infrastructure, EMV technology became ubiquitous very quickly. In the mature market of the United States, adoption of EMV took significantly longer.
EMV Chip Recap
Before the fast and easy “tap-to-pay” contactless payment, cards had to be inserted into the reader chip-first. This method replaced or strived to replace a magnetic stripe swipe. While the latter had numerous security drawbacks compared to the new thing, it had one significant advantage: speed.
Upon insertion of the card into the reader, the chip on the card first negotiates the link-layer protocol. The first response of the card, the Answer-to-Rest, can take up to 40ms (a delay of over 100ms can already feel sluggish for some people).
Then, the chip and the card perform the application selection, followed by the negotiation of various parameters, including cryptographic card authentication, and all that over a half-duplex serial connection with the neck-breaking pace of ~2400 to 14400 baud.
And while the messages are not that big (and, consequently, the terminal-card link capacity is reasonable), this exchange is followed by generating an application cryptogram, ARQC, done by a computationally modest chip. More often than not, the cryptogram had to be sent to the card issuer as part of the authorization. The issuer would respond with an ARPC and possibly send updates, or issuer scripts, to the card. The scripts are processed by the card, the ARPC is validated by the card, and then, finally, the second cryptogram is generated.
The second cryptogram is to be sent to the issuer as part of the clearing record.
Taking a shortcut
Card brands in Europe and some other jurisdictions cut the merchant some slack. While it is still mandatory to process the issuer response, the second cryptogram, under certain conditions, can be discarded instead of forwarded to the issuer.
This simplifies the processing, but for the cardholder, there is no difference: they still have to wait in front of the terminal, with the card inserted into it, until the issuer’s response is received, transmitted to the chip, and processed by it.
Compared to the magstripe swipe, this was a poor consumer experience. And the American market, the only one with enough weight to successfully push against the global card brands, acted accordingly as part of the EMV implementation roadmap.
The result is in the diagram below.
In the United States, it is possible to process EMV chip transactions without waiting for the ARPC to be processed by the chip. Combined with another US-specific feature, the prevalence of signature as the CVM, this shortcut makes a chip transaction almost as fast as a swipe.
Consider the flow: the cardholder inserts the card into the reader, and once the cryptogram has been generated, the card can be pulled out. While the transaction is being sent to the issuer, the cardholder can put the card back in the wallet, gather the purchases, sign the slip, and so on. With this approach, the transition from magstripe to chip is a minor change, not a nuisance.
2nd GAC – a thing of the past?
The world is undoubtedly moving towards payments over the EMV contactless protocol, whether with an actual card, a smartwatch, or a phone.
In Europe and the United Kingdom, an occasional chip insertion may be required due to the demand of the Strong Customer Authentication (SCA) mandate, part of Payment Services Directive 2 (PSD2). Elsewhere, payment with a tap will take over chip payments completely.
In a sense, the EMV contactless protocol tries to achieve the same goal as the “fast EMV”: shorten the interaction to the bare minimum necessary so that the time a card spends in the reader’s electromagnetic field is sufficient to conclude all essential steps of the terminal-card interaction.
Due to this constraint, the EMV contactless protocol doesn’t support issuer authentication or generation of the second application cryptogram. While the cardholder may get accustomed to waiting a second until the card can be pulled out of the slot, they will certainly not hold it near the antenna for that long.
In Europe, most terminals still support card swipe, but the magstripe reader is plastered over in many stores. It is quite possible that one day, we will see the same with the card chip slots.
