A New Specification Enables a Fast Dip for EMV and Speeds EMV Certification. Here’s How.
Visa introduced Quick Chip on April 19, 2016, and MasterCard quickly followed with the announcement of M/Chip Fast on April 21. On August 3, Visa announced the first implementation implemented by Index, a retail software company, and deployed at New Leaf Community Markets, a supermarket chain on the west coast. The ability to quickly remove the card from the terminal is achieved by eliminating unneeded aspects of the EMV protocol. I explained why the EMV card was stuck in the terminal in a 2014 blog entitled “Why EMV Cards Are Stuck in the POS, Which Makes NFC Look Great!” The present blog looks at the new EMV simplified authorization process, which has two primary benefits: It enables the chip to be removed from the terminal after only a second or two and it significantly reduces the EMV certification effort.
Before this new specification, the purpose for keeping the EMV chip card in the terminal was so the EMV card could verify that the authorization response received from the bank was indeed from the card-issuing bank and not a phony transaction injected by a hacker. This is primarily needed only if the response includes new updates to the chip, and the new standard eliminates that function which is rarely used by EMV cards deployed in the United States (but is more common in other parts of the world that work off-line). The illustration and description below explain how the new process operates and enables removal of the EMV card in just a few seconds:
1. The terminal sends a random number to the EMV chip along with the total dollar value of the transaction, if it is known. The trick here is that the total value is often unknown so early in the checkout process. So to enable the chip card to be removed from the point-of-sale (POS) terminal, the POS provides the chip a “predetermined amount” for that merchant, which is typically the same value for all payment networks. The EMV chip, using the predetermined amount, encrypts the authorization request using its crypto key and delivers this ARQC message to the POS.
2. The POS holds on to that ARQC message and indicates to the EMV chip that this transaction will be conducted as a “deferred authorization.” The EMV chip card can now be removed from the POS. The POS terminal retains the ARQC message until the checkout process has determined the total dollar value of the transaction. At that time the POS constructs an authorization message that includes the ARQC crypto-encoded message (added to Field 55), the final correct dollar value into the non-chip data field (Field 4), as well as all other required data elements. This message is sent to the issuing bank.
3. The issuing bank validates that the ARQC message it received was encoded with the correct crypto key for that card. The issuer then decides if funds are available, not based on the value contained in the encrypted message but based on the value placed in the unencrypted Field 4. The issuer will respond back to the POS with the traditional approved or declined message.
4. The POS posts the approved or declined message and the transaction is complete. No issuer-generated data is sent to the EMV chip, which has likely already been removed from the POS.
5. The process described above is derived from the Visa document “Quick Chip for EMV Specification” and uses the term ARQC for the authorization message. ARQC is defined in the Visa document “Chip Terms Explained: A Guide to Smart Card Terminology”
“ARQC – Authorization Request Cryptogram
A cryptogram used for a process called Online Card Authentication. This cryptogram is generated by the card for transactions requiring online authorization. It is the result of card, terminal, and transaction data encrypted by a DES key. It is sent to the issuer in the authorization or full financial request. The issuer validates the ARQC to ensure that the card is authentic and card data was not copied from a skimmed card.”
In implementing and certifying the Visa Quick Chip at New Leaf Community Grocery, Index indicates that the much more streamlined protocol used for Quick Chip reduced the certification process from roughly 35 use cases to just 11. This is possible because the Quick Chip process eliminates the need to validate functions associated with offline operation, issuer validation, and chip update capabilities. This suggests that the delays that merchants have complained about may be more easily resolved because of Quick Chip, and presumably of M/Chip Fast.