EMV
What Is EMV? Definition and How It Works
Definition
EMV is the global technical standard for chip-based payment cards and terminals, developed by Europay, Mastercard, and Visa, that uses cryptographic authentication to verify card legitimacy at the point of sale and enables the EMV liability shift for counterfeit card fraud.
How it works
EMV chip cards store card credentials on an embedded microchip that performs dynamic cryptographic authentication. Unlike magnetic stripe cards, which encode static data that can be copied by a skimmer, EMV chips generate a unique cryptogram for each transaction. This transaction-specific cryptogram cannot be replicated to create a usable counterfeit card.
During an EMV chip transaction, the terminal and chip engage in a mutual authentication process. The terminal reads the chip, the chip generates a transaction-specific application cryptogram using the card's private key and transaction data, and the issuer (or the chip itself in offline scenarios) verifies the cryptogram. The process confirms the card is genuine and the terminal is authorised to process it.
EMV contact transactions require inserting the card into a chip reader. EMV contactless transactions use near-field communication (NFC) to perform the same chip authentication wirelessly, without physical card insertion. Both use the same underlying cryptographic authentication, contactless is a delivery method, not a separate security standard.
EMV 3DS (sometimes called EMV 3-D Secure or 3DS 2.x) is the online extension of EMV authentication: it applies similar principles, rich data exchange between merchant, network, and issuer, to card-not-present transactions to provide the equivalent of chip-level authentication for e-commerce.
Why it matters
The EMV liability shift fundamentally changed fraud economics: before EMV adoption, card networks allocated counterfeit card fraud losses between issuers and merchants based on specific rules. After the liability shift (US: October 2015; other markets earlier), liability for counterfeit card fraud at a chip-enabled terminal moved to the party that did not support EMV, if the terminal did not accept chip but the card had a chip, the merchant bore the fraud liability.
Merchants without chip terminals still bear EMV liability shift consequences: a merchant using a magnetic-stripe-only terminal for a chip card transaction is liable for counterfeit fraud on that transaction, regardless of fault. Physical merchants operating outdated POS hardware carry this exposure.
EMV does not address card-not-present fraud: EMV chip authentication only applies at physical POS. Online transactions cannot use the physical chip. This is why card-not-present fraud rates increased after physical counterfeit fraud was reduced by EMV adoption, fraudsters shifted channels.
EMV contactless has higher transaction limits in most markets: contactless transactions above a defined threshold require PIN entry or cardholder verification. These limits vary by country and are set by card schemes and regulators. Merchants accepting contactless at high average transaction values should verify the applicable limits for their market.
With PXP
PXP supports full EMV chip and contactless acceptance through its acquiring infrastructure. For card-not-present transactions, PXP's 3DS 2.x integration provides the online equivalent of EMV-level authentication, supporting liability shift on authenticated e-commerce transactions.
Frequently asked questions
What is the EMV liability shift?
The EMV liability shift is a card scheme rule that changed who bears financial responsibility for counterfeit card fraud at point of sale. Before the shift, fraud losses were allocated between issuers and merchants based on existing rules. After the shift, when a counterfeit card is used at a terminal: if the terminal is chip-capable and the card has a chip, and the chip was used, the issuer bears fraud liability. If the terminal is not chip-capable for a chip card, the merchant bears the fraud liability.
Does EMV apply to online transactions?
Standard EMV chip authentication does not apply to online card-not-present transactions because the physical chip is not present. The online equivalent is EMV 3DS (3DS 2.x), which uses a similar data-rich authentication exchange between the merchant, card network, and issuer to provide cryptographic authentication confidence for e-commerce. Merchants implementing 3DS 2.x for online transactions achieve the functional equivalent of EMV-level authentication with associated liability shift benefits.
What is the difference between EMV contact and EMV contactless?
EMV contact requires the cardholder to insert the chip card into a card reader, where the terminal makes direct electrical contact with the chip for authentication. EMV contactless uses NFC to transmit the authentication data wirelessly, with the card or device tapped near the reader. Both use the same underlying chip cryptography and provide equivalent fraud protection; contactless is a faster user experience that applies the same EMV authentication wirelessly.
Why did card-not-present fraud increase after EMV adoption?
EMV adoption effectively eliminated counterfeit card fraud at physical POS by making copied card data unusable without the chip's cryptographic function. Fraudsters who previously profited from physical counterfeit cards shifted their operations to card-not-present channels (online) where EMV chip authentication does not apply. This displacement effect is well-documented and is one of the drivers behind the emphasis on 3DS adoption for online merchants.
Revolutionize your business with PXP
Take complete control of your commerce and payments with one platform.
Get Started