Whenever you go into a store or go online to buy something, there are always those few seconds of anticipation after you hand over your credit card or input its details, as you wait for authorization.
What is going on behind the scenes? What “magic” is taking place as the zillions of bits and bytes communicate with each other and carry your payment request, details and codes across oceans and continents along ultra-high-speed internet lines and channels. A process which we all take for granted as credit card and online purchases have become the norm of modern life.
The system being used is called EMV which stands for Europay, MasterCard, and Visa. It is a global standard for inter-operation of "chip cards" (which have replaced the earlier magnetic strip cards), point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.
EMV was conceived by the Europay, MasterCard and Visa companies to ensure the security and global interoperability of cards. It’s easy to see the benefits of adoption. Security is enhanced and is passed up and down the commerce chain between card holders and financial institutions. This reduces the potential for fraud and minimizes the related expense for retailers, giving them fewer costs to pass on to consumers.
The most widely known chip card implementations of the EMV standard are:
- American Express
- Discover/Diners Club International.
Visa and MasterCard have also developed standards for using EMV cards in devices to support card-not-present transactions over the telephone and Internet.
Here’s a step-by-step look at what is actually happening in a process which probably takes less than 5 seconds to complete, no matter how far away from your issuing bank you may be:
Step 1 At the point of sale, physical or online, you hand over your credit or debit card or enter your card details, and the store clerk or the website payment system initiates the transaction.
Step 2 If you are in a physical store, your card is inserted to PIN Entry Device (PED).
Step 3 The card application is selected, such as local debit and/or credit card.
Step 4 An offline check to validate that the card is genuine takes place.
Step 5 You then enter your PIN code.
Step 6 Terminal Decision: based on the individual device configuration, the terminal decides whether a transaction should go online to the bank or can be authorized offline.
Step 7 Card Decision: EMV ultimately decides whether a transaction should go online or not. It can override the terminals previous decision.
Step 8 If it goes online, an ARQC (Authorization Request Cryptogram) is generated. This is a cryptogram that acts as a digital signature of the Authorization Request.
Step 9 The payment processor and acquiring bank make sure the ARQC gets all the way to the card issuer.
Step 10 The ARQC is verified by the issuing bank, and a risk evaluation is done for the transaction.
Step 11 If approved, the issuer generates an ARPC; an Authorization Response Cryptogram.
Step 12 This is passed back to the terminal and informs the PED and card of the decision.
Step 13 At this point, any issuer scripts (updates to the card) can be written, without the need for the bank to issue a new card to the customer.
Step 14 The card is removed, and the authorization result is passed back to the POS.
Step 15 The transaction is complete!
...and you leave the physical or online store with your new outfit, camera, laptop, shoes or possibly tickets to a faraway, exotic destination!