You are on page 1of 29

Minimum EMV Chip Card and Terminal Requirements

Intended Audience

This document is intended for use by U.S. issuers, merchants, acquirers, processors and vendor
Introduction

Some U.S. payment networks are implementing EMV “liability shifts” effective October 2015. A
“What are the minimum requirements that we need to consider as we deploy chip for my organ

To help merchants, acquirers, processors and issuers develop their strategies for EMV implemen
create a document presenting minimum requirements for EMV chip deployment across each pa
minimum requirements of EMV chip implementation and deployment for those payment networ
Jeanie, MasterCard, NYCE, PULSE, SHAZAM, STAR and Visa – reflected in the document, so that
While the document addresses minimum EMV chip requirements of the respective networks, de
of considerations, such as business needs and preferences, deployment timing, complexity and

The document focuses on the minimum card and terminal EMV requirements for the U.S. payme
Discover, Jeanie, MasterCard, NYCE, PULSE, SHAZAM, STAR and Visa in the context of the U.S. e
documented their respective minimum card and terminal configurations for EMV compliance. So
functionalities that are beyond each network’s minimum requirements, such as offline PIN supp
individual business requirements against the potential additional functionalities and their assoc
the expected volume of issuers that may support them, and issuers should evaluate these func

Issuers and merchants that choose to deploy EMV solutions are encouraged to work directly wit
approved EMVCo configurations offered that best satisfy their business needs. Approved EMVCo
including in the U.S.

How to Use the Minimum Requirements Matrix
The Minimum Requirements Matrix is an Excel document consisting of an introduction tab, five
glossary:






Introduction
Cards - Credit
Cards - Debit U.S. Common AID
Cards - Debit Brand AID
Terminals - Point-of-Sale (POS)
Terminals - ATM
Glossary

Within each tab, the left vertical columns B and C list the available capabilities for cards or term
participants in the matrix: American Express, Armed Forces Financial Network (AFFN), China Un

For each participant, a checkmark signifies those attributes that are minimum requirements for




Cards - Debit Brand AID
Terminals - Point-of-Sale (POS)
Terminals - ATM
Glossary

Within each tab, the left vertical columns B and C list the available capabilities for cards or term
participants in the matrix: American Express, Armed Forces Financial Network (AFFN), China Un

For each participant, a checkmark signifies those attributes that are minimum requirements for
participant, and not required. In some cases, participants have added comments regarding part

Legal Notice

This document provides an overview of each participating payment network minimum card and
to help stakeholders understand the minimum requirements of chip deployment for each paym
requirements as the fraud liability shift approaches.

This document describes each participants’ minimum EMV requirements in the context of the U
independently by the respective networks, and are subject to change. Issuers and merchants ar
business needs, and to work directly with card and terminal vendors to determine the approved
great effort has been made to ensure that the information in this document and the Minimum R
purpose, whether statutory, regulatory, contractual or otherwise and all warranties of any kind a
reliance on the information set forth in either document. Any person that uses or otherwise reli

If a network is not included in the matrix, issuers and merchants should directly contact their re
debit networks.

About U.S. EMV Chip Migration

Commonly used globally in place of magnetic stripe technology, EMV chip technology helps to r
enables safer transactions across contact and contactless channels. Chip implementation was in
announced their roadmaps for supporting a chip-based payments infrastructure. Acquirer proce
managing fraud risk in a face-to-face environment set for 2015.

About the EMV Migration Forum

The EMV Migration Forum is a cross-industry body focused on supporting the EMV implementati
consumers to help ensure a successful introduction of more secure EMV chip technology in the
and/or coordination to migrate successfully to chip technology in the U.S. For more information

and on capabilities for cards or terminals within the EMV standard (called “attributes” in the matrix). as they evaluate their business needs. payment networks Accel. it means that the attribute is optional . Armed Forces Financial Network (AFFN).S. five tabs for chip card and acceptance terminal requirements for each network. s” effective October 2015. quirements for the U. couraged to work directly with their card and terminal vendors. several payment network participants in the EMV Migration Forum have co p deployment across each payment network. Chi a in the context of the U. If an attribute is left blank.g. NYCE.uirers. MasterCard. electronic payments marketplace and the October 2015 liability shifts. Approved EMVCo terminal configurations (e. m we deploy chip for my organization?” strategies for EMV implementation. As U. such as offline PIN support and offline data authentication. PULSE. merchants. merchants should evaluate these functio s should evaluate these functionalities against the expected volume of merchants that may support them.S. chip reader and chip software) are a global industry g of an introduction tab. All issuers and merchants should carefully eval unctionalities and their associated costs and complexities. American Express. so that stakeholders can work with their partners to develop a strategy to meet those req f the respective networks. These partici ations for EMV compliance. Discover. China UnionPay. Armed Forces Financial Network (AFFN).S. American Express. Jeanie. In addition.S. decisions regarding deployment of chip technology will differ by stakeholder and invo ment timing. The primary goal of this document is to help stakeholders understa ent for those payment networks – Accel. The horizontal ro cial Network (AFFN). processors and vendors who are planning deployments of their respective EMV chip programs in the U. STAR and Visa. acquirers and processors plan for these liability shifts. complexity and associated initial and future costs. Some issuers and merchants. SHAZAM. payment networks and processing partners to d ness needs. e minimum requirements for that participant. may consider a ents. issuers. China Union cted in the document.

please visit http://www. p deployment for each payment network so they can work with their partners to determine their best strategy t ments in the context of the U.emv-connection. m e EMV chip technology in the U. processors. including all warranties relating to or arising in connection with the on that uses or otherwise relies in any manner on the information set forth in the documents does so at his or h hould directly contact their respective networks and acquirers regarding minimum card and terminal requireme MV chip technology helps to reduce card fraud in a face-to-face card-present environment. For more information on the EMV Migration Forum. issuers. neither document should be relied on nd all warranties of any kind are disclaimed.S. Issuers and merchants are therefore strongly encouraged to evaluate these requirements against their own rs to determine the approved EMVCo configurations that satisfy the relevant minimum card and terminal requir document and the Minimum Requirements Matrix is accurate and current. provides global inter s.com/emv-mig . in 2011 and 2012 when American Express. MasterCar nfrastructure. with liability s porting the EMV implementation steps required for global and regional payment networks. however. that specific requirements are determ nge. Discover. The information is publicly available.S. marketplace. Chip implementation was initiated in the U.S. Acquirer processor readiness mandates to support chip were established for 2013. It should be noted.t network minimum card and terminal requirements for chip deployment.S. The focus of the Forum is to address topics that require some level of industry he U.

Discover. the attribute is optional for that . or these liability shifts. STAR and Visa. AM. rategy to meet those requirements.hip programs in the U. bility shifts. China UnionPay. China UnionPay. These participants have ss needs.S. The horizontal row 4 lists the U. r by stakeholder and involve a balancing ncial Network (AFFN).S. processing partners to determine the re) are a global industry requirement. many are asking: Migration Forum have collaborated to elp stakeholders understand the work (AFFN). or each network. may consider added nts should carefully evaluate their d evaluate these functionalities against may support them. and one tab for a matrix).

merchants. Discover. with liability shifts for ks. processors. . MasterCard and Visa for 2013. While ment should be relied on for any legal g in connection with the use of or ments does so at his or her sole risk.ion is publicly available. and terminal requirements for regional ent. issuers. and ess. and re some level of industry cooperation connection. and is provided mine their best strategy to meet requirements are determined ements against their own specific card and terminal requirements.com/emv-migration-forum/. provides global interoperability.

S. it is the issuer's choice whether to utilize this functionality .Brand AID P = indicates requirement Attribute Visa Minimum Requirement Online Requirement relating to Lost/Stolen Liability MasterCard Comments P Authorization Minimum Requirement Requirement relating to Lost/Stolen Liability Offline authentication not required or recommended due to online-only environment in U. could lead to unnecessary reversals.S. only needed to reset offline counters P For ATM cash transactions only. Offline P Online or Offline PIN P Online or Offline PIN PIN required for ATM cash transactions only. and is optional for issuer Scripting will be dependent on personalization. not required for purchase transactions P Optional to Issuers For Signature Cards: Required for ATM and unattended terminals (CAT 1) Application Cryptogram is mandatory P Only for ATM P P P P P P P P P P CVM Minimum Requirement Not allowed SDA1 Authentication China UnionPay Comments P Not required or recommended due to onlineonly environment in U. Credit Configuration . UPI standards support scripting. Visa to discontinue SDA for new and replacement Visa contact chip only cards that support offline authorization. all must be supported by the chip application Discover supports issuer scripting. DDA CDA ARQC P Issuer authentication (ARPC) Online PIN P Required if card not configured as online-only Requirement relating to Lost/Stolen Liability American Express Comments Minimum Requirement P P P P P P Requirement relating to Lost/Stolen Liability Discover Comments Minimum Requirement Requirement relating to Lost/Stolen Liability Comments P Required if card not configured as online-only Required if card not configured as online-only P Not recommended.Note: Card: U. effective 1 Oct 2015 Scripting is not necessary due to online-only environment in U.S. not mandatory for purchase transactions Online or Offline PIN Offline PIN Signature P No CVM P P P P Offline PIN block Offline PIN change Scripting Application block/unblock EMV scripting Counter reset Note: 1.S.

Issuer's choice whether to utilize this functionality Scripting not supported at this time If the issuer supports scripting SHAZAM will pass in the message. it is the issuer's choice whether to utilize this functionality Issuer scripting supported.S. Debit Configuration .Note: Card: U. it is the issuer's choice whether to utilize this functionality If the issuer supports scripting STAR will pass in the message. Accel will pass the data in the message if the Issuer has opted to utilize this functionality. could lead to unnecessary reversals. only needed to reset offline counters Issuer authentication (ARPC) P Offline PIN STAR will pass the ARPC back in the online message for approved transactions to support Issuer ARPC if implemented P P SHAZAM will pass the ARPC back in the online message for approved transactions to support Issuer ARPC if implemented Not Supported P Not supported at this time CVM Signature No CVM Supported via No CVM P Supported via No CVM P P P Supported via No CVM P Supported via No CVM P Supported via No CVM P Supported via No CVM P Supported via No CVM P Supported via No CVM P Offline PIN block Offline PIN change Scripting Application block/unblock EMV scripting Counter reset Scripting is not necessary due to online-only environment in U. and is optional for issuer Issuer option. Issuer's choice whether to utilize this functionality .S.Common AID P = indicates requirement Attribute Minimum Requirement Online Visa Comments P Minimum Requirement MasterCard Comments P Minimum Requirement China UnionPay Comments Accel Minimum Requirement Comments Minimum Requirement P P P P P P P PULSE Comments Minimum Requirement NYCE Comments Minimum Requirement P P P P P P P P STAR Network Comments Minimum Requirement AFFN Comments Minimum Requirement Jeanie Comments Minimum Requirement P P P P P P P P SHAZAM Comments Authorization Offline SDA Not allowed DDA Required if card not configured as online-only CDA Authentication ARQC Online PIN ODA (offline data authentication) can be optionally supported Required if card not configured as online-only P P Not recommended. Issuer scripting supported. UPI standards support scripting.

it is the issuer's choice whether to utilize this functionality .Brand AID P = indicates requirement Visa Attribute Minimum Requirement Online Requirement relating to Lost/Stolen Liability MasterCard Comments P Minimum Requirement Requirement relating to Lost/Stolen Liability China UnionPay Comments P Minimum Requirement Requirement relating to Lost/Stolen Liability Discover Comments P Minimum Requirement Requirement relating to Lost/Stolen Liability Comments P Authorization Offline SDA Not allowed DDA Authentication Required if card not configured as online-only CDA ARQC Required if card not configured as online-only P Issuer authentication (ARPC) P Not recommended. Debit Configuration . only needed to reset offline counters P Required for cash transactions P ODA can be optionally supported P P Optional to Issuers P For Signature Cards: Required for ATM and unattended terminals (CAT 1) P P Signature P P P P No CVM P P P P Online PIN CVM P P Offline PIN Offline PIN block Offline PIN change Scripting Application block/unblock EMV scripting Counter reset Scripting is not necessary due to online-only environment in U.Note: Card: U.S. could lead to unnecessary reversals. and is optional for issuer Issuer scripting supported.S. UPI standards support scripting.

optional at attended POS P P P Required if Offline PIN is supported P Required if Online PIN is supported Cash back PIN Pad Optional Goods P P P P P Services P P P P P Receipt capabilities P P P P Transaction Types and Requirements P POS PIN pad P P P P P P P P Clearing. U. Maestro (Common AID) Terminal type Any device supporting online authorization Terminal floor limit 0 Required China UnionPay Comments Description American Express Comments UnionPay Credit/Debit/Quasi Credit/Common AID Discover Description Comments Description American Express Must support partial AID D-PAS Proprietary . settlement If offline authorization supported.Note: U.S.S. dependent on industry etc. 24 (Tag '9F 35') terminal types Acquirer / merchant choice whether to support Common AID Any device supporting online authorization Any device supporting online authorization 0 0 Terminal Type and Floor Limit Attribute Visa Minimum Requirement Online authorization Authorization & Settlement Requirement relating to Lost/Stolen Liability MasterCard Comments P Minimum Requirement Requirement relating to Lost/Stolen Liability Acquirers must identify floor limit under the max amount allowed by DFS Operating Regulations (for offline capable terminals) 0 China UnionPay Comments P Minimum Requirement Requirement relating to Lost/Stolen Liability American Express Comments P Minimum Requirement Requirement relating to Lost/Stolen Liability Discover Comments Minimum Requirement Requirement relating to Lost/Stolen Liability Comments Online and offline authorization supported within risk management parameters P Offline authorization Optional. can be used in merchant stand-in Offline clearing. EMV POS Terminal. Common Debit Maestro U.Basic Configuration P = indicates requirement Attribute Visa Description MasterCard Comments Description Visa Credit/ Debit Visa Electron MasterCard Optional Interlink Visa U. Zip AID Comments Application AIDs supported Including 21. Offline plaintext PIN only P P Online or Offline PIN Either PIN method satisfies the requirement for protection from lost/stolen fraud. settlement Recommended for temporary communication outages Deferred authorization Optional. chip data is required P P P P Returns Chip data not required Support / carry chip data Scripting P Optional for Issuer to send chip data in response Authorization request / response Required if terminal supports offline CAM or offline enciphered PIN Optional P P Required at unattended POS only (at unattended POS only) Required if terminal supports offline enciphered PIN P Required if Offline PIN is supported Required at attended POS only (at attended POS only) Required if terminal supports offline CAM P Not required AID in authorization message P PIN block P P P P PIN change P P P P Application block/unblock P P P P EMV scripting P P P P P Counter reset P P P P P Optional P P All scripting must be supported by the terminal P Terminal will support scripting if Issuers sends scripts .S. (at attended POS only) Required at attended POS only P P (at unattended POS only) Required at unattended POS only.S. We recommend merchants certify for both PIN methods. Common AID. SDA Offline Data Authentication (ODA) DDA P Required if terminal supports offline CAM or offline enciphered PIN CDA P Required if terminal supports offline CAM or offline enciphered PIN Magnetic stripe P IC with contacts P When the chip terminal integrates such magnetic stripe hardware P P Recommended at POS if accepting Online PIN for mag-stripe Online enciphered PIN Terminal Capabilities & CVM P P Offline PIN Signature No CVM Optional Not allowed P P (at attended POS only) (at unattended POS only) Required at attended POS only Required at unattended POS only P P P P P P P P P Required if Online PIN is supported Recommended.

S. settlement Prohibited Prohibited SDA Offline Data Authentication (ODA) DDA Prohibited CDA Prohibited Magnetic stripe P P P P P IC with contacts P P P P P Online enciphered PIN P P P P P Cash P P P P P Receipt capabilities P P P P P ATM PIN pad P P P P Authorization request / response P P P P AID in authorization message P PIN block P P P P P Terminal Capabilities & CVM Offline PIN Signature No CVM Transaction Types and Requirements PIN Pad Optional for Issuer to send chip data in response P P Support / carry chip data PIN change Scripting Application block/unblock EMV scripting Counter reset Optional P P P P P Not normally performed by scripting P P P P P P P P P P Optional P P P P P .S.S.S.Basic Configuration P = indicates requirement Attribute Visa Description Required Application AIDs supported Terminal Type and Floor Limit Description Visa U. Maestro (Common AID) Visa Minimum Requirement MasterCard Comments MasterCard Maestro Cirrus Optional Attribute Authorization & Settlement Comments Visa Credit/ Debit Visa Electron Plus Comments Devices certified for track 1 and track 2 EMV data 0 China UnionPay Minimum Requirement Comments Any device supporting online authorization 0 American Express Minimum Requirement Comments Discover Minimum Requirement P P P P Comments Offline authorization Offline clearing. Common Debit Terminal type Any device supporting online authorization Terminal floor limit 0 Including 14 (Tag '9F 35') terminal type Online authorization Description Any device supporting online authorization for cash disbursement P Any device supporting online authorization 0 MasterCard Minimum Requirement Description American Express Comments American Express Global AID Any device supporting online authorization 0 Comments China UnionPay Comments UnionPay Credit/Debit/Quasi Credit/Common AID Discover Description Comments D-PAS Proprietary and U. EMV ATM Terminal . Common AID Acquirer /ATM driver choice whether to support Common AID U.Note: U.

.

.

.

.

.

.

Glossary Term Application Identifier (AID) Authorization Request Cryptogram (ARQC) Authorization Response Cryptogram (ARPC) Card Risk Management Cardholder Verification Method (CVM) .

CDA (Combined DDA/ Application CDA Cryptogram Generation) DDA (Dynamic Data Authentication) Deferred Authorization EMV Chip Card EMV Terminal .

Floor Limit ICC Issuer Script Lost/Stolen Liability Shift Magnetic Stripe Card .

Settlement Offline Data Authentication (ODA) Offline Enciphered PIN .No CVM Offline Authorization Offline Clearing.

Offline PIN Offline Plaintext PIN Online Authorization Online PIN PIN Management .

SDA (Static Data Authentication) Signature .

. EMV supports four CVMs: offline personal identification number (PIN) (offline enciphe plain text). and no CVM. signature verification. Both cards and termina may support multiple AIDs. They may be tailored to the risk level of individual cardholde groups of cardholders. the method used to authenticate that the person presenting the card i valid cardholder. These controls aid issuers in managing their below-flo limit exposure to fraud and credit losses. In the context of a transaction.Definition An alpha numeric representation of the application defined within ISO 7816. A data label that differen payment systems and products. which is inclu in the authorization request sent to the card issuer and which allows the issuer to verify the validity of card and message. Issuer defined risk parameters and authorization controls programmed into the chip application enabl the card to act on the issuer’s behalf at the point of transaction to determine if the transaction should sent online. A cryptogram generated by the issuer and sent in the authorization response back to the terminal. The issuer decides which CVM methods are supported by the card and the merchant chooses which CVMs are supported by the term The issuer sets a prioritized list of methods on the chip for verification of the cardholder. approved offline or declined offline. a registered application identifier (RID a propriety application identifier extension (PIX). Th terminal provides this cryptogram back to the card which allows the card to verify the validity of the is response. online encrypted PIN. An AID consists of two components. as bo the card and the terminal must support the same AID to initiate a transaction. Cards and terminals use AIDs to determine which applications are mutually supported. A cryptogram generated by the card at the end of the first round of card action analysis. The card issuer uses the data label to identify an application on the c terminal.

chip cards have the unique ability to securely store large amounts of data. or a secure memory chip alone. The time delay may be brief. A device that includes an embedded secure integrated circuit that can be either a secure microcontro equivalent intelligence with internal memory. The card connects to a reader with direct physical contact or with a remote contactless radio frequency interface. or when the device does not hav online capability (for example.A card authentication technique used in online and offline chip transactions that combines dynamic da authentication (DDA) functionality with the application cryptogram used by the issuer to authenticate card. as when a ferry is out of range of shore. The time delay ma extended.." Deferred Authorization occurs when an online authorization is performed after the card is no longer available. unattended kiosks where the transactions are offloaded nightly to a se and submitted in batches). . such as for a temporary communications failure or where the merchant simply wishes to speed processing. out their own on-card functions (e. for in-flight sales. With an embedded microcontroller. DDA protects against card skimming and counterfeiting. encryption and mutual authentication). and interact intelligently a card reader. All EMV cards are chip cards. Also known as "store and forward. Point-of-sale (POS) device or ATM that is able to process chip transactions.g. A card authentication technique used in offline chip transactions that requires the card to digitally sign unique data sent to it from the terminal.

Examples of issuer scripts include blocking and unblocking an account. Data is read by a mag stripe reade . Contact chip card A process by which an issuer can update securely the contents digitally stored on chip cards without reissuing the cards. American Express and Discover) Beginning Oct. EMV chip card. blocking t entire card. the merchant will be liable for the chargeback resulting from the fraud. allowing the card to be proce as signature. Integrated Circuit Card. 2015. above which an online authorization is required.A currency amount that is established for single transactions. changing and unblocking the cardholder’s personal identification number (PIN). This process doe include No CVM (Cardholder Verification Method) transactions that meet the No CVM requirements of card brand or network. if a merchant acc PIN-preferring (both online and offline) chip card that has been stolen (not a copy or counterfeit) and presented at a terminal that does not support either online or offline PIN. 1. A plastic card that uses a band of magnetic material to store data. and chang the cardholder’s offline authorization controls (ACs). (Applicable to MasterCard.

A cardholder verification method (CVM) supported by EMV in which the cardholder is not required to provide a signature or enter a PIN. . Authorizing or declining a payment transaction through card-to-terminal communication. A process whereby the card is validated at the point of transaction. Clearing and settlement of offline-approved transactions. using RSA public key technology t protect against counterfeit or skimming. using issuerdefined risk parameters that are set in the card to determine whether the transaction can be authoriz without going online to the issuer host system. Three forms of offline data authentication are defined by EMV Static (SDA). Dynamic (DDA) and Combined DDA/Application Cryptogram (CDA). Personal identification number (PIN) processing in which the PIN entered by the cardholder is encrypte using public key cryptography at the PIN pad and then sent to the chip card where it is decrypted insid the chip and verified.

This is supported today with mag-stripe. Authorizing or declining a payment transaction by sending transaction information to the issuer and requesting an authorization response from the issuer usually in real time. in plaintext. In a chip transaction. from the PIN pad to the chip card for verification. Two types of offline PIN are enciphered and plaintext. the process of comparing the cardholder's entered personal identification numbe (PIN) with the PIN stored on the issuer host system. The PIN is encrypted by the terminal PIN pad befo being passed to the acquirer system. In a transaction using offline PIN. Only the result of the compar is passed to the issuer host system. The PIN is then decrypted and re-encrypted as it passes between each party on its way to the issuer. the PIN entered at the terminal is compared with the PIN stored securely the chip card without going online to the issuer host for the comparison. The process of using issuer scripts to securely update personal identification number (PIN) data stored the card. Offline personal identification number (PIN) processing in which the PIN entered by the cardholder is s unencrypted.The personal identification number (PIN) stored on the chip card (versus a PIN stored at the host). PIN management includes PIN change and PIN unblock. .

but does not prevent the data in an offline trans-action from being replicated. . the data used for authentication is static—the same data is used at the start of every transaction.A card authentication technique used in offline chip transactions that uses signed static data element With SDA. A cardholder verification method (CVM) supported by EMV in which the cardholder provides signature verification. This prevents modification of data.