The role of EMVCo
EMVCo is a global technical body owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa. By managing and evolving the EMV® Specifications and related testing processes, EMVCo facilitates the worldwide interoperability and acceptance of secure payment transactions, improves payment security and creates a payment infrastructure that supports emerging technologies.
Reflecting continual changes in the payments landscape, EMVCo’s focus has evolved in the past ten years. The organisation’s scope, which was initially the original EMV Chip Specification, has widened to cover Terminal Type Approval, interoperability, Common Core Definitions, Common Payment Application Specification and Card Type Approval, contactless, mobile, Next Generation and our latest activities, the standardisation of payment tokenisation and 3-D Secure 2.0.
Before this article takes a deep dive into some of these key current priorities, it is important to communicate the global reach and relevance of EMV chip technology. This will provide context and highlight how critical it is for EMVCo to enhance the existing EMV payment infrastructure in order to accommodate the ever-changing needs of payment stakeholders globally.
EMV: The vital statistics
The adoption of EMV Specifications, and associated approval and certification processes, promotes a unified international payments framework, which supports an advancing range of payment methods, technologies and acceptance environments. The specifications are designed to be flexible and can be adapted regionally to meet national payment requirements and accommodate local regulations.
With that in mind, EMVCo recently released some very positive official figures for Q4 2014 (see ‘related links’ below), showing that EMV chip card adoption continues to increase in every region worldwide [1]. By the end of last year, the number of EMV payment cards in circulation rose by one billion, up 43 percent, to 3.4 billion, from 2.37 billion in Q4 2013. According to these latest statistics, EMV chip card adoption rates had increased in every region worldwide by the end of 2014.
The data also showed that 32 percent of all chip card-present transactions – both contact and contactless – conducted globally between January and December 2014 used EMV chip technology [2], up from 29 percent as reported in November 2014 by EMVCo (see EMVCo Press Releases in ‘related links’ below).
Current EMVCo technical priorities:
The next generation of EMV
In 2011, a number of factors led EMVCo to begin the process of identifying business requirements for the next generation of EMV Chip Specifications. Those influencing factors were:
- The continuous expansion of business requirements and payment technologies (e.g. mobile).
- The need to simplify the convergence of contact and contactless solutions across the entire payments ecosystem.
- The evolution of public key cryptography (e.g. Elliptic Curve Cryptography).
- An increased requirement to transport additional ‘value add’ data across the networks.
EMVCo is working with other stakeholders to identify business requirements, define the migration methodology, design the solution and lead specification development. Work continues today to establish a common, robust technology platform that will support contact, contactless and mobile interfaces for both online and offline payments. EMVCo is working to future-proof its EMV Chip Specifications by incorporating next generation public key infrastructure while employing a layered and modular approach that is flexible enough to support multiple communications protocols. Additionally, it will simplify device design and integrate a type approval process for contact and contactless. A draft specification is expected this year, with a final specification in 2016.
It is important to note that migration to next generation EMV chip technology will not happen overnight; it will align with new business opportunities and market requirements at the discretion of individual payment systems. EMVCo envisages that cards and terminals based on legacy EMV Chip Specifications could coexist with EMV Next Generation technology for a considerable period of time. This will enable the retention of standard card and terminal replacement cycles.
Additionally, the migration period will vary according to the needs of each geographical market and its current EMV status. During any transitional period, new terminals will continue to include old as well as new kernels, cards will host old and new applications, and new data values and elements will be introduced. Each market will also investigate strategies to mitigate issues when facilitating the migration.
Payment tokenisation
In January 2014, EMVCo officially announced that its scope had been expanded to lead the payments industry in its work to standardise payment tokenisation. EMVCo was the logical choice to develop the payment tokenisation specification as compatibility with the existing payment infrastructure is essential. In addition, EMVCo has the strategic breadth, industry knowledge and technical depth to develop a holistic specification that will support digital payments.
In March 2014, the body published the EMV Payment Tokenisation Specification - Technical Framework v1.0 (see ‘related links’ below). This specification provides the payments community with a consistent, secure and interoperable environment to make digital payments when using a mobile handset, tablet, personal computer or other smart device.
The document describes the payment tokenisation landscape, the types of entities whose participation is key to supporting payment tokenisation, sufficient detail to implement multiple use cases, and the benefits of adopting a unified approach. From a technical perspective, the document provides an insight into the role the specification will have in facilitating broad-based acceptance of a payment token as a replacement for a traditional card account number. This includes data message formats to ensure the interoperability of tokens and the consistent approach that should be used to route and authenticate a payment token. The framework also explains how security can be improved by limiting payment tokens for use in a specific environment, and how an existing ecosystem can advance to become globally interoperable.
Since the release of this specification, EMVCo has continued to work collaboratively, with both payment community stakeholders and industry bodies, including many merchant groups globally, to understand and support individual sector requirements. EMVCo’s resulting payment tokenisation work accommodates a wide range of use cases and business models. The document has received valuable feedback from a range of stakeholders, which will be collated and addressed in the next specification release, expected later this year.
The new specification from EMVCo will maintain compatibility with the current payment infrastructure and will be complementary to the existing EMV Chip Specifications to ensure consistency across all payment environments. Moving forward, EMVCo will actively solicit industry feedback to support enhancements and inclusion of additional use cases. The specification framework will evolve with industry input collected to broaden its applicability and relevance to marketplace needs.
3-D Secure 2.0
A year after EMVCo communicated its scope expansion to cover payment tokenisation, it made a further announcement in January 2015 that it would lead payment industry efforts to advance the next generation of 3-D Secure (3DS), the online authentication protocol, to support new and emerging technologies in the remote payment environment.
3DS was initially invented by Visa to enable PC-based shopping through standard web browsers, supporting authentication between the cardholder and the issuer. Since the commercialisation of 3DS by the major payment brands, however, new consumer devices such as smartphones and in-app purchases have changed how consumers interact online and make purchases. An enhanced industry specification is required to enable the authentication protocol to support and fully optimise new technologies.
EMVCo subsequently became responsible for further developing the EMV 3DS 2.0 Specification and associated certification programme. The enhanced specification will support additional data available during the transaction that will enable more intelligent risk-based decision-making. It will also offer a more seamless consumer experience and reduce reliance on the cardholder to authenticate themselves via a password prompt, better integrating with a merchant’s offering and brand. The specification will also be enriched to support non-payment user identification and verification, as well as country-specific and regulatory requirements regarding cardholder authentication in the card-not-present environment.
The EMV 3DS 2.0 Specification is expected to be published and ready for market deployment in 2016. Visa will continue to maintain sole ownership of the 3DS version 1.0 specifications. When released, the 3DS 2.0 Specification will be operated by EMVCo separately and in parallel with version 1.0. Visa plans to phase out version 1.0 over time once 3DS 2.0 reaches maturity.
Mobile handset approval
EMVCo is working to streamline secure mobile handset certification requirements to ensure smooth and efficient testing, which will reduce product time to market. EMVCo has begun the process for Contactless Level 1 Type Approval for Mobile Handsets (see ‘related links’ below). Currently this type of testing is managed individually by each payment system to its own set of requirements. Migrating the process to EMVCo ensures consistency across the marketplace as well as supporting efficient product launches. Components of the testing programme are already in place and the full implementation is projected by the fourth quarter of 2015.
In addition, EMVCo is working with a number of industry bodies in the mobile payments area to ensure that a workable, efficient and trusted transaction infrastructure is created. This work includes:
1) A cross-industry certification model, which defines the security evaluation necessary for secure elements (SEs) with post-issuance capabilities to achieve certification from EMVCo and Common Criteria – the international standard for evaluating the security of products and systems. The model, developed in association with EMVCo, GSMA and GlobalPlatform, will speed up the certification process and simplify the deployment of mobile SEs, offering a faster product time to market.
The Composition Model v1.0 has been supported by the Association of French Mobile Operators (AFOM), the European Telecommunications Standard Institute (ETSI) and SIMalliance, and welcomed by the European Payments Council. The document has also received a contribution from the International Security Certification Initiative. It is free to download from www.globalplatform.org.
2) NFC Forum Alignment. The industry bodies agreed to work together to optimise the development and testing process of Near Field Communication (NFC)-enabled mobile devices for vendors, by exploring alignment of the two organisations’ specifications and test plans. The goal of the collaboration is to establish a framework to synchronise NFC Forum and EMVCo Specifications and test plans. The framework will ultimately streamline the development and testing process of contactless technology for vendors.
In 2013, two draft specification bulletins (SB121 & SB122) were published to align a number of parameters and functional behaviours of the EMV Contactless Specifications Book D version 2.3 with ISO/IEC 14443 and the NFC Forum Digital Protocol Specification. These are now effective and have been incorporated into the latest version of Book D. The test plan has also been updated and is operational.
In 2015, EMVCo expects to finalise its digital specification alignment, continue analogue specification alignment (assessment and modification) and coordinate related test plans.
EMVCo welcomes payment industry participation
EMV Specifications are used by the payments industry as a whole; as such EMVCo aims to ensure the development of a progressive, interoperable and secure transaction framework that meets market needs. EMVCo actively welcomes engagement from payments stakeholders and has created many opportunities for the payment community to become involved in shaping future specifications.
One such industry engagement platform is the EMVCo Associates Programme. This programme allows payment stakeholders worldwide to play an active role in providing input to the strategic and technical direction of EMVCo. It creates unique opportunities for interested organisations, including payment card issuers, acquirers, merchants, merchant aggregators, processors, card and terminal vendors, mobile network operators, networks and their representative associations, to provide input into the evolution of current and new EMV Specifications for payment technologies.
EMV stakeholders can join the programme under one, or both, of the following participation categories:
- Business Associate - participation at this level enables organisations to provide EMVCo with input on strategic business and implementation issues related to the use of the EMV Specifications. To be eligible, an organisation must have a direct business responsibility for an EMV transaction (at any point in the transaction lifecycle).
- Technical Associate - participation at this level enables organisations to provide input and receive feedback on detailed technical and operational issues connected to the EMV Specifications and related processes. Technical Associates engage with all nine of EMVCo's technical Working Groups to receive updates/provide input on their activities.
To complement the Associates Programme, EMVCo also offers a subscriber service, which provides advance notice of pending developments and changes, as well as an opportunity to participate in a more regular and formal dialogue with EMVCo.
In line with advances in EMV chip card adoption through every region worldwide, there is a steadily increasing volume of EMV stakeholders. A corresponding rise in industry participation in the programme over the coming year can be expected. Stakeholder engagement is critical to EMVCo, as the body continues its work to develop a unified international payments framework. The ability of EMVCo to draw on the widest range of industry experience, expertise and knowledge, particularly as it expands its work efforts to support an advancing range of secure payment methods, technologies and acceptance environments, will ensure that future specification enhancements and developments meet the needs of all industry stakeholders.
For further detail on the EMVCo Associate Programme and how to join, visit the EMVCo website (see ‘related links’ below).
Jack Pan is Chair of EMVCo’s Board of Managers.
Related links:
EMVCo Website: The EMVCo Associate Programme and how to join
EMVCo Website: Worldwide EMV deployment statistics
EMVCo Website: Mobile Type Approval Updates
EMVCo Website: EMVCo Press Releases
1 Latest statistics from EMVCo’s members – American Express, Discover, JCB, MasterCard, UnionPay and Visa – as reported by their members globally.
2 Data represents the most accurate possible data that could be obtained by American Express, Discover, JCB, MasterCard, UnionPay and Visa during the noted period. The transaction data reflects an average of 12 months acquirer-sourced data as reported by all members. To qualify as an ‘EMV transaction’, both the card and terminal used during a transaction must be EMV-enabled. These figures do not include offline transactions, ‘on us’ transactions (defined as a transaction handled exclusively by another processor) and/or transactions processed by non-EMVCo member institutions, such as local schemes.