Quick Chip & M/Chip Fast – The magstripe experience with the security of EMV
In October 2015 the EMV liability shift was introduced in the United States – the last major market in the world to adopt EMV as the industry standard. More than half a year on from this shift, people are still apprehensive about moving away from magnetic stripe. One of the main causes of this apprehension is that consumers and stores are unhappy with the perceived longer transaction times of EMV at point of sale (POS) systems. In a bid to counteract this issue, whilst still continuing the shift towards EMV, card brands have developed a way for EMV transactions to be not only quicker at the checkout but also more in line with the traditional payment experience that U.S. consumers are familiar with.
Individual card brands have given their own names to this new process (which are detailed below); however, for the purpose of explanation it will be referred to as ‘Quick EMV’. Quick EMV can only be implemented on POS systems; therefore ATMs will not be eligible for this upgrade. Whilst maintaining the security of EMV and having no impact on the merchant liability, Quick EMV enables customers to insert their card at any point during the checkout process, even if the final amount of the goods/services is not yet known. Not only will customers be able to insert their card at any point, they will also be able to remove their card before the transaction outcome is known, meaning that customers’ cards will spend more time in their pockets and less time in payment terminals. Being able to pay for the goods whilst they are still being scanned should allow for a greater throughput at checkout lanes.
What is ‘Quick EMV’?
Quick EMV only differs very slightly compared with a standard EMV transaction; the primary difference occurs after the terminal has requested to go online. Instead of waiting for the transaction amount, a nominal amount is sent to the EMV card, meaning that the card can be ‘dipped’ into the reader at the checkout prior to the amount being known. This means the card read can take place whilst the cashier is still scanning items, as was customary for magstripe transactions. It should be noted that if a nominal amount is used, then this should not be displayed to the cardholder at card insertion or for PIN Entry (if that is the chosen cardholder verification method or CVM).
The conditions of the transaction should be set up so that the transaction will always request to go online (an ARQC at the first Generate AC command). This could be achieved by setting a zero floor limit and using a nominal amount above zero; Visa has mandated that it can only be implemented on online-only terminals for their solution. If the card responds with a decline Application Authentication Cryptogram (AAC) then the transaction is declined. Alternatively, if the card returns an Authorization Request Cryptogram (ARQC) requesting to go online, the terminal immediately informs the EMV Kernel that it was unable to go online and requests the card to decline with an AAC. It does this by sending the Authorisation Response Code (Tag 8A) with the value Z3. The authorisation request should be saved by the terminal; this should include the EMV data and the generated cryptogram. Despite the EMV kernel reporting that the transaction is declined because of the AAC, it should not be treated as a decline and the terminal prompts should be adjusted so that they do not display a ‘Declined’ message. At this point the card can be removed from the terminal and it will not be required to be re-inserted during the remainder of the transaction. This differs from a standard EMV transaction where the card will have to remain in the terminal until the authorisation response – indicating the transaction outcome – has been received.
Once the final amount is known, the terminal goes online as a deferred authorisation; sending the nominal amount and the final amount in the authorisation request as Field 55 (ICC Data) and Field 4 (Transaction Amount) respectively. An Authorisation Response should be returned immediately indicating the transaction outcome. The cardholder’s account will be charged with the amount indicated in Field 4 and not the nominal amount used for generating the cryptogram in Field 55. As the card will already be removed at this stage there cannot be any post-authorisation card processing, such as Issuer Scripts.
Although the specific Quick EMV transaction flow does not differ greatly from that of a standard EMV transaction, the changes that have been made are significant in allowing U.S. consumers to have a quicker and more familiar checkout experience. More information regarding the implementation of Quick EMV is detailed below:
The card schemes and their respective Quick EMV brands are:
Quick EMV should not require a change to the EMV Kernel or require a L2 re-certification. For the current implementations, an update to the terminal’s payment application software should be all that is required for a merchant to upgrade their existing terminals. For Quick EMV to work successfully, merchants may have to adjust the terminal configurations slightly to ensure it requests to go online.
M/Chip Fast and Quick Chip Transactions should work with existing host systems as they are likely to be treated as a standard EMV transaction that has deferred authorisation. One thing for host systems to note is that there may be different values for the amount fields in the authorisation message.
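The deferred authorisation described above, and the differing amount fields that host systems are told to expect, can be checked on the host side as in the following added example (not code from the original article or from any card scheme). It parses Field 55, confirms the saved cryptogram is an ARQC, and keeps the nominal amount separate from the Field 4 amount. The function names and sample values are assumptions; tags 9F02 (Amount, Authorised), 9F26 (Application Cryptogram) and 9F27 (Cryptogram Information Data) are the standard EMV tags.

```python
# Added example: host-side checks on a Quick EMV deferred authorisation.
CID_TYPES = {0x00: "AAC", 0x40: "TC", 0x80: "ARQC"}  # top two bits of tag 9F27

def parse_tlv(data: bytes) -> dict:
    """Parse the flat run of BER-TLV objects carried in Field 55."""
    out, i = {}, 0
    try:
        while i < len(data):
            start = i
            if data[i] & 0x1F == 0x1F:        # multi-byte tag, e.g. 9F02
                i += 1
                while data[i] & 0x80:
                    i += 1
            i += 1
            tag = data[start:i].hex().upper()
            length = data[i]
            i += 1
            if length & 0x80:                 # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            if i + length > len(data):
                raise IndexError
            out[tag] = data[i:i + length]
            i += length
    except IndexError:
        raise ValueError("Field 55 is truncated or malformed") from None
    return out

def check_deferred_auth(field4: str, field55: bytes) -> dict:
    """Separate the amount to charge from the amount the cryptogram covers."""
    tlv = parse_tlv(field55)
    missing = [t for t in ("9F02", "9F26", "9F27") if not tlv.get(t)]
    if missing:
        raise ValueError(f"Field 55 is missing tags {missing}")
    cid = CID_TYPES.get(tlv["9F27"][0] & 0xC0, "RFU")
    if cid != "ARQC":                         # saved request must carry the ARQC
        raise ValueError(f"expected ARQC in Field 55, got {cid}")
    nominal = int(tlv["9F02"].hex())          # 6 bytes BCD, minor units
    return {
        "cryptogram_amount": nominal,         # use when verifying the ARQC
        "charge_amount": int(field4),         # Field 4: amount actually charged
        "amounts_differ": nominal != int(field4),
    }

# Constructed sample: nominal 1.00 in 9F02, dummy cryptogram, CID = ARQC (0x80).
SAMPLE_FIELD55 = bytes.fromhex("9F0206000000000100" "9F2608A1B2C3D4E5F60718" "9F270180")
SAMPLE_FIELD4 = "000000004599"                # constructed final amount, 45.99
RESULT = check_deferred_auth(SAMPLE_FIELD4, SAMPLE_FIELD55)
```

A host that verifies the cryptogram against Field 4 instead of the 9F02 value would reject every Quick EMV transaction whose final amount differs from the nominal one.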
New terminals wishing to implement Quick EMV will be required to do a full certification which – due to transaction steps such as post-authorisation processing not being performed – should require significantly less testing. Although the process required for upgrading existing terminals will vary between the card schemes, it seems that some form of regression testing may be required in order to successfully implement their individual solutions. Each of the card schemes has stated that it is not mandatory to support this solution and that it should not incur any fees if merchants do wish to implement it. For more information regarding the certification process required to implement Quick EMV solutions, it is recommended that you contact your local representative for Visa, MasterCard or American Express.