EMV


EMV is a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV originally stood for "Europay, Mastercard, and Visa", the three companies which created the standard.
EMV cards are smart cards, also called chip cards, integrated circuit cards, or IC cards which store their data on integrated circuit chips, in addition to magnetic stripes for backward compatibility. These include cards that must be physically inserted or "dipped" into a reader, as well as contactless cards that can be read over a short distance using near-field communication technology. Payment cards which comply with the EMV standard are often called Chip and PIN or Chip and Signature cards, depending on the authentication methods employed by the card issuer, such as a personal identification number or digital signature.
There are standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards.
In February 2010, computer scientists from Cambridge University demonstrated that an implementation of but only implementations where the PIN was validated offline were vulnerable.

History

Until the introduction of Chip & PIN, all face-to-face credit or debit card transactions involved the use of a magnetic stripe or mechanical imprint to read and record account data, and a signature for purposes of identity verification. The customer hands their card to the cashier at the point of sale who then passes the card through a magnetic reader or makes an imprint from the raised text of the card. In the former case, the system verifies account details and prints a slip for the customer to sign. In the case of a mechanical imprint, the transaction details are filled in, a list of stolen numbers is consulted, and the customer signs the imprinted slip. In both cases the cashier must verify that the customer's signature matches that on the back of the card to authenticate the transaction.
Using the signature on the card as a verification method has a number of security flaws, the most obvious being the relative ease with which cards may go missing before their legitimate owners can sign them. Another involves the erasure and replacement of legitimate signature, and yet another involves the forgery of the correct signature on the card. More recently, technology has become available on the black market for both reading and writing the magnetic stripes, making cards easy to clone and use without the owner's knowledge.
The invention of the silicon integrated circuit chip in 1959 led to the idea of incorporating it onto a plastic smart card in the late 1960s by two German engineers, Helmut Gröttrup and Jürgen Dethloff. The earliest smart cards were introduced as calling cards in the 1970s, before later being adapted for use as payment cards. Smart cards have since used MOS integrated circuit chips, along with MOS memory technologies such as flash memory and EEPROM.
The first standard for smart payment cards was the Carte Bancaire M4 from Bull-CP8 deployed in France in 1986, followed by the B4B0' deployed in 1989. Geldkarte in Germany also predates EMV. EMV was designed to allow cards and terminals to be backwardly compatible with these standards. France has since migrated all its card and terminal infrastructure to EMV.
EMV originally stood for Europay, Mastercard, and Visa, the three companies that created the standard. The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.
The EMV standard was initially written in 1993 and 1994 by Mallissa Rosemon McPherson. JCB joined the consortium in February 2009, China UnionPay in May 2013, and Discover in September 2013.

Differences and benefits

There are two major benefits to moving to smart-card-based credit card payment systems: improved security, and the possibility for finer control of "offline" credit-card transaction approvals. One of the original goals of EMV was to provide for multiple applications on a card: for a credit and debit card application or an e-purse. Newly issued debit cards in the US contain two applications — a card association application, and a common debit application. The common debit application ID is somewhat of a misnomer as each "common" debit application actually uses the resident card association application.
EMV chip card transactions improve security against fraud compared to magnetic stripe card transactions that rely on the holder's signature and visual inspection of the card to check for features such as a hologram. The use of a PIN and cryptographic algorithms such as Triple DES, RSA and SHA provides authentication of the card to the processing terminal and the card issuer's host system. The processing time is comparable to online transactions, in which communications delay accounts for the majority of the time, while cryptographic operations at the terminal take comparatively little time. The supposed increased protection from fraud has allowed banks and credit card issuers to push through a "liability shift", such that merchants are now liable for any fraud that results from transactions on systems that are not EMV-capable.
The majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a personal identification number rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and programming of the card.
When credit cards were first introduced, merchants used mechanical rather than magnetic portable card imprinters that required carbon paper to make an imprint. They did not communicate electronically with the card issuer, and the card never left the customer's sight. The merchant had to verify transactions over a certain currency limit by telephoning the card issuer. During the 1970s in the United States, many merchants subscribed to a regularly-updated list of stolen or otherwise invalid credit card numbers. This list was commonly printed in booklet form on newsprint, in numerical order, much like a slender phone book, yet without any data aside from the list of invalid numbers. Checkout cashiers were expected to thumb through this booklet each and every time a credit card was presented for payment of any amount, prior to approving the transaction, which incurred a short delay.
Later, equipment electronically contacted the card issuer, using information from the magnetic stripe to verify the card and authorize the transaction. This was much faster than before, but required the transaction to occur in a fixed location. Consequently, if the transaction did not take place near a terminal the clerk or waiter had to take the card away from the customer and to the card machine. It was easily possible at any time for a dishonest employee to swipe the card surreptitiously through a cheap machine that instantly recorded the information on the card and stripe; in fact, even at the terminal, a thief could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards relatively easy, and a more common occurrence than before.
Since the introduction of payment card Chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used by itself on a terminal requiring a PIN. The introduction of Chip and PIN coincided with wireless data transmission technology becoming inexpensive and widespread. In addition to mobile-phone-based magnetic readers, merchant personnel can now bring wireless PIN pads to the customer, so the card is never out of the cardholder's sight. Thus, both chip-and-PIN and wireless technologies can be used to reduce the risks of unauthorized swiping and card cloning.

Chip and PIN versus chip and signature

Chip and PIN is one of the two verification methods that EMV enabled cards can employ. Rather than physically signing a receipt for identification purposes, the user just enters a personal identification number, typically of 4 to 6 digits in length. This number must correspond to the information stored on the chip. Chip and PIN technology makes it much harder for fraudsters to use a found card, so if someone steals a card, they can't make fraudulent purchases unless they know the PIN.
Chip and signature, on the other hand, differentiates itself from chip and PIN by verifying a consumer's identity with a signature.
As of 2015, chip and signature cards are more common in the US, Mexico, parts of South America and some Asian countries, whereas chip and PIN cards are more common in most European countries as well as in Iran, Brazil, Venezuela, India, Sri Lanka, Canada, Australia and New Zealand.

Online, phone, and mail order transactions

While EMV technology has helped reduce crime at the point of sale, fraudulent transactions have shifted to more vulnerable telephone, Internet, and mail order transactions — known in the industry as card-not-present or CNP transactions. CNP transactions made up at least 50% of all credit card fraud. Because of physical distance, it is not possible for the merchant to present a keypad to the customer in these cases, so alternatives have been devised, including
-3 defines the transmission protocol between chip cards and readers. Using this protocol, data is exchanged in application protocol data units. This comprises sending a command to a card, the card processing it, and sending a response. EMV uses the following commands:
Commands followed by "7816-4" are defined in ISO/IEC 7816-4 and are interindustry commands used for many chip card applications such as GSM SIM cards.

Transaction flow

An EMV transaction has the following steps:
defines a process for application selection. The intent of application selection was to let cards contain completely different applications—for example GSM and EMV. However, EMV developers implemented application selection as a way of identifying the type of product, so that all product issuers must have their own application. The way application selection is prescribed in EMV is a frequent source of interoperability problems between cards and terminals. Book 1 of the EMV standard devotes 15 pages to describing the application selection process.
An application identifier is used to address an application in the card or Host Card Emulation if delivered without a card. An AID consists of a registered application provider identifier of five bytes, which is issued by the ISO/IEC 7816-5 registration authority. This is followed by a proprietary application identifier extension, which enables the application provider to differentiate among the different applications offered. The AID is printed on all EMV cardholder receipts.
List of applications:
Card scheme / Payment Network | RID | Product | PIX | AID
Danmønt | A000000001 | Cash card | 1010 | A0000000011010
Visa | A000000003 | Visa credit or debit | 1010 | A0000000031010
Visa | A000000003 | Visa Electron | 2010 | A0000000032010
Visa | A000000003 | V Pay | 2020 | A0000000032020
Visa | A000000003 | Plus | 8010 | A0000000038010
Mastercard | A000000004 | Mastercard credit or debit | 1010 | A0000000041010
Mastercard | A000000004 | Mastercard | 9999 | A0000000049999
Mastercard | A000000004 | Maestro | 3060 | A0000000043060
Mastercard | A000000004 | Cirrus ATM card only | 6000 | A0000000046000
Mastercard | A000000005 | Maestro UK | 0001 | A0000000050001
American Express | A000000025 | American Express | 01 | A00000002501
LINK ATM network | A000000029 | ATM card | 1010 | A0000000291010
CB | A000000042 | CB | 1010 | A0000000421010
CB | A000000042 | CB | 2010 | A0000000422010
JCB | A000000065 | Japan Credit Bureau | 1010 | A0000000651010
Dankort | A000000121 | Dankort | 1010 | A0000001211010
Dankort | A000000121 | VisaDankort | 4711 | A0000001214711
Dankort | A000000121 | Dankort | 4711 | A0000001214712
Consorzio Bancomat | A000000141 | Bancomat/PagoBancomat | 0001 | A0000001410001
Diners Club/Discover | A000000152 | Diners Club/Discover | 3010 | A0000001523010
Banrisul | A000000154 | Banricompras Debito | 4442 | A0000001544442
SPAN2 | A000000228 | SPAN | 1010 | A00000022820101010
Interac | A000000277 | Debit card | 1010 | A0000002771010
Discover | A000000324 | ZIP | 1010 | A0000003241010
UnionPay | A000000333 | Debit | 010101 | A000000333010101
UnionPay | A000000333 | Credit | 010102 | A000000333010102
UnionPay | A000000333 | Quasi-credit | 010103 | A000000333010103
UnionPay | A000000333 | Electronic cash | 010106 | A000000333010106
ZKA | A000000359 | Girocard | 1010028001 | A0000003591010028001
EAPS Bancomat | A000000359 | PagoBancomat | 10100380 | A00000035910100380
Verve | A000000371 | Verve | 0001 | A0000003710001
The Exchange Network ATM network | A000000439 | ATM card | 1010 | A0000004391010
RuPay | A000000524 | RuPay | 1010 | A0000005241010
Dinube | A000000630 | Dinube Payment Initiation | 0101 | A0000006300101
MIR | A000000658 | MIR Debit | 2010 | A0000006582010
MIR | A000000658 | MIR Credit | 1010 | A0000006581010
Edenred | A000000436 | Ticket Restaurant | 0100 | A0000004360100
eftpos | A000000384 | Savings | 10 | A00000038410
eftpos | A000000384 | Cheque | 20 | A00000038420
GIM-UEMOA | A000000337 | Retrait | 01 000001 | A000000337301000
GIM-UEMOA | A000000337 | Standard | 01 000002 | A000000337101000
GIM-UEMOA | A000000337 | Classic | 01 000003 | A000000337102000
GIM-UEMOA | A000000337 | Prepaye Online | 01 000004 | A000000337101001
GIM-UEMOA | A000000337 | Prepaye Offline | 01 000005 | A000000337102001
GIM-UEMOA | A000000337 | Porte Monnaie Electronique | 01 000006 | A000000337601001
meeza | A000000732 | meeza Card | 100123 | A000000732100123

Initiate application processing

The terminal sends the get processing options command to the card. When issuing this command, the terminal supplies the card with any data elements requested by the card in the processing options data objects list. The PDOL is optionally provided by the card to the terminal during application selection. The card responds with the application interchange profile, a list of functions to perform in processing the transaction. The card also provides the application file locator, a list of files and records that the terminal needs to read from the card.

Read application data

Smart cards store data in files. The AFL lists the files that contain EMV data. These must all be read using the read record command. EMV does not specify which files data is stored in, so all the files must be read. Data in these files is stored in BER TLV format. EMV defines tag values for all data used in card processing.
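To make the get processing options / AFL / read record sequence concrete, here is an added example (not code from the page or from EMVCo) that parses a constructed format-2 GET PROCESSING OPTIONS response, decodes its AFL into the READ RECORD commands the terminal must issue, and flattens a constructed record's BER-TLV content. The tags (77, 82, 94, 70, 5A, 5F24, 5F34) and the READ RECORD P2 encoding follow EMV Book 3; the sample bytes, including the PAN, are constructed test data.

```python
"""BER-TLV parsing of EMV card data and AFL decoding (added example).

Tag/length rules are the BER-TLV rules EMV uses; the GPO response and the
record below are constructed test data, and the READ RECORD APDU layout
(CLA 00, INS B2, P1 = record, P2 = SFI << 3 | 4) follows EMV Book 3.
"""


def _read_tag(data, i):
    """Return (tag, next_index). A first byte whose low 5 bits are all 1 is
    followed by more tag bytes while bit 8 of the previous byte is set (e.g. 5F24)."""
    tag = data[i]
    i += 1
    if tag & 0x1F == 0x1F:
        while True:
            tag = (tag << 8) | data[i]
            i += 1
            if not data[i - 1] & 0x80:
                break
    return tag, i


def _read_length(data, i):
    """Return (length, next_index); 0x81..0x84 announce 1..4 length bytes."""
    first = data[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length form 0x%02x" % first)
    return int.from_bytes(data[i:i + n], "big"), i + n


def _is_constructed(tag):
    while tag > 0xFF:            # look at the first tag byte only
        tag >>= 8
    return bool(tag & 0x20)


def parse_tlv(data):
    """Parse one level of TLV objects into a list of (tag, value)."""
    out, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding between objects is permitted
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length, i = _read_length(data, i)
        if i + length > len(data):           # reject a length that overruns the buffer
            raise ValueError("TLV length runs past end of data for tag %X" % tag)
        out.append((tag, bytes(data[i:i + length])))
        i += length
    return out


def flatten_tlv(data):
    """Dict of tag -> value, descending into templates such as 70 and 77."""
    result = {}
    for tag, value in parse_tlv(data):
        if _is_constructed(tag):
            result.update(flatten_tlv(value))
        else:
            result[tag] = value
    return result


def decode_afl(afl):
    """Each 4-byte AFL entry: SFI (upper 5 bits), first record, last record,
    and how many records from the first are included in offline data authentication."""
    if len(afl) % 4:
        raise ValueError("AFL must be a multiple of 4 bytes")
    entries = []
    for k in range(0, len(afl), 4):
        sfi, first, last, oda = afl[k] >> 3, afl[k + 1], afl[k + 2], afl[k + 3]
        if first == 0 or last < first or oda > last - first + 1:
            raise ValueError("malformed AFL entry %s" % afl[k:k + 4].hex())
        entries.append({"sfi": sfi, "first": first, "last": last, "oda_records": oda})
    return entries


def read_record_apdus(afl):
    """READ RECORD command APDUs needed to fetch every record named in the AFL."""
    apdus = []
    for e in decode_afl(afl):
        p2 = (e["sfi"] << 3) | 0x04          # SFI in bits 8-4, 100b = "P1 is a record number"
        for rec in range(e["first"], e["last"] + 1):
            apdus.append(bytes([0x00, 0xB2, rec, p2, 0x00]))
    return apdus


# Constructed GPO response (format 2): template 77 holding AIP (82) and AFL (94).
GPO_RESPONSE = bytes.fromhex("7712" "82021900" "940C" "08010100" "10010401" "18010200")
# Constructed record from SFI 1: template 70 with PAN (5A), expiry (5F24), PAN sequence (5F34).
RECORD_SFI1 = bytes.fromhex("7014" "5A084111111111111111" "5F2403261231" "5F340101")
```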

Processing restrictions

The purpose of the processing restrictions is to see if the card should be used. Three data elements read in the previous step are checked: the application version number, the application usage control, and the application effective/expiration dates.
If any of these checks fails, the card is not necessarily declined. The terminal sets the appropriate bit in the terminal verification results, the components of which form the basis of an accept/decline decision later in the transaction flow. This feature lets, for example, card issuers permit cardholders to keep using expired cards after their expiry date, but for all transactions with an expired card to be performed on-line.

Offline data authentication (ODA)

Offline data authentication is a cryptographic check to validate the card using public-key cryptography. There are three different processes that can be undertaken depending on the card:
To verify authenticity of payment cards, EMV certificates are used. EMV Certificate Authority issues digital certificates for payment card issuers. The payment card provides the issuer certificate to the ATM along with the CA public key, SDA signature and card data. This enables the ATM to retrieve the CA public key from the ATM storage, use the CA public key to verify the issuer RSA key, and use the issuer RSA key to decrypt the SDA signature and verify that the signature matches the submitted card data.

Cardholder verification

Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. There are many cardholder verification methods supported in EMV. They are
The terminal uses a CVM list read from the card to determine the type of verification to perform. The CVM list establishes a priority of CVMs to use relative to the capabilities of the terminal. Different terminals support different CVMs. ATMs generally support online PIN. POS terminals vary in their CVM support depending on type and country.
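An added example, not from the page or from EMVCo, of walking a CVM list in card priority order against a terminal's capabilities: the list layout (Amount X, Amount Y, then 2-byte rules of CVM code plus condition code) and the condition codes follow EMV Book 3, while the list and the terminal profiles are constructed. The rules are only trustworthy once offline data authentication has verified the signed data they were read from; this code assumes that step has already passed.

```python
"""CVM List (tag 8E) parsing and cardholder verification method selection.

Added example; the list layout and rule-walking logic follow EMV Book 3,
the CVM List bytes and terminal profiles are constructed.
"""

CVM_NAMES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
APPLY_NEXT_IF_FAIL = 0x40   # byte 1 bit 7: try the next rule if this CVM is unsupported/fails


def parse_cvm_list(data):
    """Return (amount_x, amount_y, rules); rules are (cvm_code, apply_next, condition)."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("CVM List must be 8 bytes of amounts followed by 2-byte rules")
    amount_x = int.from_bytes(data[0:4], "big")
    amount_y = int.from_bytes(data[4:8], "big")
    rules = []
    for k in range(8, len(data), 2):
        b1, cond = data[k], data[k + 1]
        rules.append((b1 & 0x3F, bool(b1 & APPLY_NEXT_IF_FAIL), cond))
    return amount_x, amount_y, rules


def condition_applies(cond, cvm_code, ctx, amount_x, amount_y):
    """CVM condition codes from EMV Book 3; unknown codes count as not satisfied."""
    amt, app_ccy = ctx["amount"], ctx["app_currency"]
    if cond == 0x00:
        return True
    if cond == 0x01:
        return ctx["unattended_cash"]
    if cond == 0x02:
        return not (ctx["unattended_cash"] or ctx["manual_cash"] or ctx["cashback"])
    if cond == 0x03:
        return cvm_code in ctx["supported"]
    if cond == 0x06:
        return app_ccy and amt < amount_x
    if cond == 0x07:
        return app_ccy and amt > amount_x
    if cond == 0x08:
        return app_ccy and amt < amount_y
    if cond == 0x09:
        return app_ccy and amt > amount_y
    return False


def select_cvm(cvm_list, ctx):
    """Walk the rules in the card's priority order. Returns the chosen CVM code,
    or None when cardholder verification fails (no applicable supported rule)."""
    amount_x, amount_y, rules = parse_cvm_list(cvm_list)
    for cvm_code, apply_next, cond in rules:
        if not condition_applies(cond, cvm_code, ctx, amount_x, amount_y):
            continue                         # condition not met: move to the next rule
        if cvm_code in ctx["supported"]:
            return cvm_code
        if not apply_next:
            return None                      # unsupported and no fall-through: CVM fails
    return None


def terminal_context(supported, amount, **flags):
    """Constructed terminal/transaction profile used by the condition checks."""
    ctx = {"amount": amount, "app_currency": True, "unattended_cash": False,
           "manual_cash": False, "cashback": False, "supported": set(supported)}
    ctx.update(flags)
    return ctx


# Constructed CVM List: X = 10000 minor units, Y = 0, then four rules:
#   5F 06  no CVM if under X (fall through when the terminal lacks it)
#   42 03  online enciphered PIN if the terminal supports it
#   44 03  offline enciphered PIN if the terminal supports it
#   1E 00  signature, always, no fall-through
CVM_LIST = bytes.fromhex("0000271000000000" "5F06" "4203" "4403" "1E00")

ATM_CTX = terminal_context({0x02}, 5000, unattended_cash=True)
POS_ONLINE_PIN = terminal_context({0x02, 0x1E, 0x1F}, 25000)
POS_SIGNATURE_ONLY = terminal_context({0x1E, 0x1F}, 25000)
POS_OFFLINE_PIN = terminal_context({0x04, 0x1F}, 25000)
```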

Terminal risk management

Terminal risk management is only performed in devices where there is a decision to be made whether a transaction should be authorised on-line or offline. If transactions are always carried out on-line or always off-line, this step can be skipped. Terminal risk management checks the transaction amount against an offline ceiling limit. It is also possible to have a 1 in an online counter, and a check against a hot card list. If the result of any of these tests is positive, the terminal sets the appropriate bit in the terminal verification results.

Terminal action analysis

The results of previous processing steps are used to determine whether a transaction should be approved offline, sent online for authorization, or declined offline. This is done using a combination of data objects known as terminal action codes held in the terminal and issuer action codes read from the card. The TAC is logically OR'd with the IAC, to give the transaction acquirer a level of control over the transaction outcome.
Both types of action code take the values Denial, Online, and Default. Each action code contains a series of bits which correspond to the bits in the Terminal verification results, and are used in the terminal's decision whether to accept, decline or go on-line for a payment transaction. The TAC is set by the card acquirer; in practice card schemes advise the TAC settings that should be used for a particular terminal type depending on its capabilities. The IAC is set by the card issuer; some card issuers may decide that expired cards should be rejected, by setting the appropriate bit in the Denial IAC. Other issuers may want the transaction to proceed on-line so that they can in some cases allow these transactions to be carried out.
An online-only device such as an ATM always attempts to go on-line with the authorization request, unless declined off-line due to issuer action codes—Denial settings. During IAC—Denial and TAC—Denial processing, for an online only device, the only relevant Terminal verification results bit is "Service not allowed".
When an online-only device performs IAC—Online and TAC—Online processing the only relevant TVR bit is "Transaction value exceeds the floor limit". Because the floor limit is set to zero, the transaction should always go online and all other values in TAC—Online or IAC—Online are irrelevant. Online-only devices do not need to perform IAC-default processing.
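As an added illustration (not the page's or EMVCo's code) of how the processing-restriction bits in the TVR feed the TAC/IAC decision described above, the following Python sets TVR bits for an expired or wrongly-targeted card and for a floor-limit breach, then applies the Denial/Online/Default matching. The bit positions follow the EMV Book 3 TVR layout; the cards, terminals and action-code values are constructed, including an ATM whose floor limit of zero always forces the transaction online.

```python
"""Processing restrictions, floor-limit check and terminal action analysis.

Added example; the TVR and action-code bit positions follow EMV Book 3,
the card, terminal and action-code values are constructed for illustration.
"""

TVR_LEN = 5

# (byte index, bit mask) inside the 5-byte Terminal Verification Results.
TVR_BITS = {
    "app_versions_differ":   (1, 0x80),
    "expired_application":   (1, 0x40),
    "app_not_yet_effective": (1, 0x20),
    "service_not_allowed":   (1, 0x10),
    "exceeds_floor_limit":   (3, 0x80),
}

# Application Usage Control byte 1 bits checked against the terminal type.
AUC_VALID_AT_ATM = 0x02
AUC_VALID_AT_NON_ATM = 0x01


def set_tvr_bit(tvr, name):
    idx, mask = TVR_BITS[name]
    tvr[idx] |= mask


def processing_restrictions(card, terminal, today):
    """Return a fresh TVR with the processing-restriction bits set. Nothing is
    declined here; the bits only feed the later action analysis."""
    tvr = bytearray(TVR_LEN)
    if card["app_version"] != terminal["app_version"]:
        set_tvr_bit(tvr, "app_versions_differ")
    needed = AUC_VALID_AT_ATM if terminal["is_atm"] else AUC_VALID_AT_NON_ATM
    if not card["auc_byte1"] & needed:
        set_tvr_bit(tvr, "service_not_allowed")
    if card["effective_date"] is not None and today < card["effective_date"]:
        set_tvr_bit(tvr, "app_not_yet_effective")
    if today > card["expiry_date"]:          # dates as YYMMDD integers, as in tags 5F25 / 5F24
        set_tvr_bit(tvr, "expired_application")
    return tvr


def terminal_risk_management(tvr, amount, terminal):
    """Floor-limit check only; an ATM floor limit of 0 sets the bit for any amount."""
    if amount > terminal["floor_limit"]:
        set_tvr_bit(tvr, "exceeds_floor_limit")
    return tvr


def terminal_action_analysis(tvr, tac, iac, online_capable=True):
    """Choose the cryptogram to request with the first GENERATE AC.
    tac / iac: dicts 'denial' | 'online' | 'default' -> 5-byte values; each
    TAC is OR'd with its IAC counterpart and the result ANDed against the TVR."""
    def any_match(kind):
        combined = bytes(t | i for t, i in zip(tac[kind], iac[kind]))
        return any(v & c for v, c in zip(tvr, combined))

    if any_match("denial"):
        return "AAC"                         # decline offline
    if online_capable:
        return "ARQC" if any_match("online") else "TC"
    return "AAC" if any_match("default") else "TC"


def decide(card, terminal, amount, today, tac, iac, online_capable=True):
    tvr = processing_restrictions(card, terminal, today)
    terminal_risk_management(tvr, amount, terminal)
    return terminal_action_analysis(tvr, tac, iac, online_capable)


# Constructed scheme-style TACs. The ATM denies only "service not allowed" and
# relies on the floor-limit bit (always set with floor limit 0) to go online.
TAC_ATM = {"denial": bytes.fromhex("0010000000"),
           "online": bytes.fromhex("0000008000"),
           "default": bytes.fromhex("0000008000")}
TAC_POS = {"denial": bytes.fromhex("0010000000"),
           "online": bytes.fromhex("0000008000"),
           "default": bytes.fromhex("0040008000")}   # offline-only POS: decline expired cards
# Issuer that rejects expired cards outright versus one that only forces them online.
IAC_STRICT = {"denial": bytes.fromhex("0040000000"),
              "online": bytes.fromhex("0000000000"),
              "default": bytes.fromhex("0000000000")}
IAC_LENIENT = {"denial": bytes.fromhex("0000000000"),
               "online": bytes.fromhex("0040000000"),
               "default": bytes.fromhex("0040000000")}

CARD_OK = {"app_version": b"\x00\x8c", "auc_byte1": 0xFF,
           "effective_date": 230101, "expiry_date": 261231}
CARD_EXPIRED = dict(CARD_OK, expiry_date=240131)
ATM = {"app_version": b"\x00\x8c", "is_atm": True, "floor_limit": 0}
POS = {"app_version": b"\x00\x8c", "is_atm": False, "floor_limit": 5000}
TODAY = 250315
```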

First card action analysis

One of the data objects read from the card in the Read application data stage is CDOL1. This object is a list of tags that the card wants to be sent to it to make a decision on whether to approve or decline a transaction. The terminal sends this data and requests a cryptogram using the generate application cryptogram command. Depending on the terminal's decision, the terminal requests one of the following cryptograms from the card:
This step gives the card the opportunity to accept the terminal's action analysis or to decline a transaction or force a transaction on-line. The card cannot return a TC when an ARQC has been asked for, but can return an ARQC when a TC has been asked for.

Online transaction authorization

Transactions go online when an ARQC has been requested. The ARQC is sent in the authorisation message. The card generates the ARQC. Its format depends on the card application. EMV does not specify the contents of the ARQC. The ARQC created by the card application is a digital signature of the transaction details, which the card issuer can check in real time. This provides a strong cryptographic check that the card is genuine. The issuer responds to an authorisation request with a response code, an authorisation response cryptogram and optionally an issuer script.

Second card action analysis

CDOL2 contains a list of tags that the card wants to be sent after online transaction authorisation. Even if for any reason the terminal could not go online, the terminal should send this data to the card again using the generate application cryptogram command. This lets the card know the issuer's response. The card application may then reset offline usage limits.

Issuer script processing

If a card issuer wants to update a card post issuance it can send commands to the card using issuer script processing. Issuer scripts are encrypted between the card and the issuer, so are meaningless to the terminal. Issuer script can be used to block cards, or change card parameters.

Control of the EMV standard

The first version of EMV standard was published in 1995. Now the standard is defined and managed by the privately owned corporation EMVCo LLC. The current members of EMVCo are American Express, Discover Financial, JCB International, Mastercard, China UnionPay, and Visa Inc. Each of these organizations owns an equal share of EMVCo and has representatives in the EMVCo organization and EMVCo working groups.
Recognition of compliance with the EMV standard is issued by EMVCo following submission of results of testing performed by an accredited testing house.
EMV Compliance testing has two levels: EMV Level 1, which covers physical, electrical and transport level interfaces, and EMV Level 2, which covers payment application selection and credit financial transaction processing.
After passing common EMVCo tests, the software must be certified by payment brands to comply with proprietary EMV implementations such as Visa VSDC, American Express AEIPS, Mastercard MChip, JCB JSmart, or EMV-compliant implementations of non-EMVCo members such as LINK in the UK, or Interac in Canada.

List of EMV documents and standards

As of 2011, since version 4.0, the official EMV standard documents which define all the components in an EMV payment system are published as four "books" and some additional documents:
The first EMV standard came into view in 1995 as EMV 2.0. This was upgraded to EMV 3.0 in 1996 with later amendments to EMV 3.1.1 in 1998. This was further amended to version 4.0 in December 2000. Version 4.0 became effective in June 2004. Version 4.1 became effective in June 2007. Version 4.2 is in effect since June 2008. Version 4.3 is in effect since November 2011.

Vulnerabilities

Opportunities to harvest PINs and clone magnetic stripes

In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card, which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards, and defective cards. This attack is possible only where the offline PIN is presented in plaintext by the PIN entry device to the card, where magstripe fallback is permitted by the card issuer and where geographic and behavioural checking may not be carried out by the card issuer.
APACS, representing the UK payment industry, claimed that changes specified to the protocol rendered this attack ineffective and that such measures would be in place from January 2008. Tests on cards in February 2008 indicated this may have been delayed.

Successful attacks

Conversation capturing is a form of attack which was reported to have taken place against Shell terminals in May 2006, when they were forced to disable all EMV authentication in their filling stations after more than £1 million was stolen from customers.
In October 2008, it was reported that hundreds of EMV card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been expertly tampered with in China during or shortly after manufacture. For 9 months details and PINs of credit and debit cards were sent over mobile phone networks to criminals in Lahore, Pakistan. United States National Counterintelligence Executive Joel Brenner said, "Previously only a nation state's intelligence agency would have been capable of pulling off this type of operation. It's scary." Data were typically used a couple of months after the card transactions to make it harder for investigators to pin down the vulnerability. After the fraud was discovered it was found that tampered-with terminals could be identified as the additional circuitry increased their weight by about 100 g. Tens of millions of pounds sterling are believed to have been stolen. This vulnerability spurred efforts to implement better control of electronic POS devices over their entire life cycle, a practice endorsed by electronic payment security standards like those being developed by the Secure POS Vendor Alliance.

PIN harvesting and stripe cloning

In a February 2008 BBC Newsnight programme Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated one example attack, to illustrate that Chip and PIN is not secure enough to justify passing the liability to prove fraud from the banks onto customers. The Cambridge University exploit allowed the experimenters to obtain both card data to create a magnetic stripe and the PIN.
APACS, the UK payments association, disagreed with the majority of the report, saying "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out." They also said that changes to the protocol would make this attack ineffective from January 2008. The fraud reported in October 2008 to have operated for 9 months was probably in operation at the time, but was not discovered for many months.
In August 2016, NCR computer security researchers showed how credit card thieves can rewrite the code of a magnetic strip to make it appear like a chipless card, which allows for counterfeiting.

2010: Hidden hardware disables PIN checking on stolen card

On 11 February 2010 Murdoch and Drimer's team at Cambridge University announced that they had found "a flaw in chip and PIN so serious they think it shows that the whole system needs a re-write" that was "so simple that it shocked them". A stolen card is connected to an electronic circuit and to a fake card which is inserted into the terminal. Any four digits are typed in and accepted as a valid PIN.
A team from the BBC's Newsnight programme visited a Cambridge University cafeteria with the system, and were able to pay using their own cards connected to the circuit, inserting a fake card and typing in "0000" as the PIN. The transactions were registered as normal, and were not picked up by banks' security systems. A member of the research team said, "Even small-scale criminal systems have better equipment than we have. The amount of technical sophistication needed to carry out this attack is really quite low." The announcement of the vulnerability said, "The expertise that is required is not high ... We dispute the assertion by the banking industry that criminals are not sophisticated enough, because they have already demonstrated a far higher level of skill than is necessary for this attack in their miniaturized PIN entry device skimmers." It is not known if this vulnerability has been exploited.
EMVCo disagreed and published a response saying that, while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully, that current compensating controls are likely to detect or limit the fraud, and that the possible financial gain from the attack is minimal while the risk of a declined transaction or exposure of the fraudster is significant.
When approached for comment, several banks each said that this was an industry-wide issue, and referred the Newsnight team to the banking trade association for further comment. According to Phil Jones of the Consumers' Association, Chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained. "What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."
Because submission of the PIN is suppressed, this is the exact equivalent of a merchant performing a PIN bypass transaction. Such transactions can't succeed offline, as a card never generates an offline authorisation without a successful PIN entry. As a result of this, the transaction ARQC must be submitted online to the issuer, who knows that the ARQC was generated without a successful PIN submission and hence would be likely to decline the transaction if it were for a high value, out of character, or otherwise outside of the typical risk management parameters set by the issuer.
Originally, bank customers had to prove that they had not been negligent with their PIN before getting redress, but UK regulations in force from 1 November 2009 placed the onus firmly on the banks to prove that a customer has been negligent in any dispute, with the customer given 13 months to make a claim. Murdoch said that " should look back at previous transactions where the customer said their PIN had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud."

2011: CVM downgrade allows arbitrary PIN harvest

At the CanSecWest conference in March 2011, Andrea Barisani and Daniele Bianco presented research uncovering a vulnerability in EMV that would allow arbitrary PIN harvesting despite the cardholder verification configuration of the card, even when the supported CVMs data is signed.
The PIN harvesting can be performed with a chip skimmer. In essence, a CVM list that has been modified to downgrade the CVM to Offline PIN is still honoured by POS terminals, despite its signature being invalid.

Implementation

EMV originally stood for "Europay, Mastercard, and Visa", the three companies that created the standard. The standard is now managed by EMVCo, a consortium of financial companies. The most widely known chips of the EMV standard are:
Visa and Mastercard have also developed standards for using EMV cards in devices to support card not present transactions over the telephone and Internet. Mastercard has the Chip Authentication Program for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes. Visa has the Dynamic Passcode Authentication scheme, which is their implementation of CAP using different default values.
In many countries of the world, debit card and/or credit card payment networks have implemented liability shifts. Normally, the card issuer is liable for fraudulent transactions. However, after a liability shift is implemented, if the ATM or merchant's point of sale terminal does not support EMV, the ATM owner or merchant is liable for the fraudulent transaction.
Chip and PIN systems can cause problems for travellers from countries that do not issue Chip and PIN cards as some retailers may refuse to accept their chipless cards. While most terminals still accept a magnetic strip card, and the major credit card brands require vendors to accept them, some staff may refuse to take the card, under the belief that they are held liable for any fraud if the card cannot verify a PIN. Non-chip-and-PIN cards may also not work in some unattended vending machines at, for example, train stations, or self-service check-out tills at supermarkets.

Africa

Chip and PIN was trialled in Northampton, England from May 2003, and as a result was rolled out nationwide in the United Kingdom on 14 February 2006 with advertisements in the press and national television touting the "Safety in Numbers" slogan. During the first stages of deployment, if a fraudulent magnetic swipe card transaction was deemed to have occurred, the retailer was refunded by the issuing bank, as was the case prior to the introduction of Chip and PIN. On January 1, 2005, the liability for such transactions was shifted to the retailer; this acted as an incentive for retailers to upgrade their point of sale systems, and most major high-street chains upgraded on time for the EMV deadline. Many smaller businesses were initially reluctant to upgrade their equipment, as it required a completely new PoS system—a significant investment.
New cards featuring both magnetic strips and chips are now issued by all major banks. The replacement of pre-Chip and PIN cards was a major issue, as banks simply stated that consumers would receive their new cards "when their old card expires" — despite many people having had cards with expiry dates as late as 2007. The card issuer Switch lost a major contract with HBOS to Visa, as they were not ready to issue the new cards as early as the bank wanted.
The Chip and PIN implementation was criticised as designed to reduce the liability of banks in cases of claimed card fraud by requiring the customer to prove that they had acted "with reasonable care" to protect their PIN and card, rather than the bank having to prove that the signature matched. Before Chip and PIN, if a customer's signature was forged, the banks were legally liable and had to reimburse the customer. Until 1 November 2009 there was no such law protecting consumers from fraudulent use of their Chip and PIN transactions, only the voluntary Banking Code. While this code stated that the burden of proof is on the bank to prove negligence or fraud rather than on the cardholder to prove innocence, there were many reports that banks refused to reimburse victims of fraudulent card use, claiming that their systems could not fail under the circumstances reported, despite several documented successful large-scale attacks.
The Payment Services Regulations 2009 came into force on 1 November 2009 and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault. The Financial Services Authority said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability.

Latin America and the Caribbean

Canada

United States

After widespread identity theft due to weak security in the point-of-sale terminals at Target, Home Depot, and other major retailers, Visa, Mastercard and Discover in March 2012 – and American Express in June 2012 – announced their EMV migration plans for the United States. Since the announcement, multiple banks and card issuers have announced cards with EMV chip-and-signature technology, including American Express, Bank of America, Citibank, Wells Fargo, JPMorgan Chase, U.S. Bank, and several credit unions.
In 2010, a number of companies began issuing pre-paid debit cards that incorporate Chip and PIN and allow Americans to load cash as euros or pound sterling. United Nations Federal Credit Union was the first United States issuer to offer Chip and PIN credit cards. In May 2010, a press release from Gemalto indicated that United Nations Federal Credit Union in New York would become the first EMV card issuer in the United States, offering an EMV Visa credit card to its customers. JPMorgan was the first major bank to introduce a card with EMV technology, namely its Palladium card, in mid-2012.
As of April 2016, 70% of U.S. consumers have EMV cards and as of December 2016 roughly 50% of merchants are EMV compliant. However, deployment has been slow and inconsistent across vendors. Even merchants with EMV hardware may not be able to process chip transactions due to software or compliance deficiencies. Bloomberg has also cited issues with software deployment, including changes to audio prompts for Verifone machines, which can take several months to release and deploy. Industry experts, however, expect software deployment in the United States to become more standardized. Visa and Mastercard have both implemented standards to speed up chip transactions, with the goal of bringing the transaction time under three seconds. These systems are labelled Visa Quick Chip and Mastercard M/Chip Fast.