Updates in June 2017: For more details on updates to EMVLab, including HTTPS and better handling of 3-byte and unknown tags see my blog post. EMV 4.1 Book 3 Application Specification Page vi May 2004 6.3.3 Coding of Parameter Bytes 43 6.3.4 Coding of Data Field Bytes 44 6.3.5 Coding of the Status Bytes 44. What a great idea for leftover food! Check out this website especially if you own a restaurant or know someone who does. Quick Chip is nothing more than a software update, although it’s an important one. It has been introduced by credit card companies as the next iteration of EMV technology. Visa offers this introduction video.

EMV Update – Unattended

The deadline for merchants to bring payment devices into compliance with EMV standards passed more than three years ago, but there are still non-compliant devices in the marketplace.

A year ago, KioskIndustry.org published a piecelooking at the state of adoption of Europay, Mastercard and Visa (EMV) requirements among kiosk deployers in 2018. The bottom-line findings were that while kiosk manufacturers were stressing the need for EMV-compliant solutions for new projects, many deployers planned to keep current non-compliant solutions in the field until the end of their lifespan.

Now that a year has passed since that analysis, has anything changed? Where do things stand now?

EMV Compliance continues to expand

To recap, EMV is defined as “a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them.” EMV “smart cards” store their data on integrated circuits in addition to the traditional magnetic stripes. According to financial services firm FirstData, EMV chip cards transmit a variable algorithm that changes with each transaction, making the data more secure than what’s found on magnetic stripe cards.

Under EMV standards, merchants had until Oct. 1, 2015, to make their payment processing equipment EMV-complaint. If a fraudulent transaction occurred at a merchant who had not upgraded their equipment, the merchant would eat the cost of that transaction along with any fines or fees that might be assessed.

And while EMV standards were relatively clear for in-person transactions, such as those at an attended checkout register at a grocery store, they were a bit murkier when it came to transactions at an unattended device, such as a self-service kiosk.

Although payment card issuer Visa doesn’t break out kiosk-specific statistics, it does track overall EMV adoption. By most measures, the process seems to be rolling along.

As of December 2018, more than 3.1 million merchants now accept chip cards, according to Visa statistics, compared with just 392,000 merchants as of September 2015. There are now 511 million chip cards in circulation compared with 159 million three years ago. Ninety-eight percent of payments accomplished at the end of 2018 were done using chip cards.

In addition, counterfeit fraud dollars dropped 48 percent over the 39-month period, according to Visa statistics, while that figure was closer to 80 percent for merchants who have completed the upgrade.

Still, that doesn’t mean credit-card fraud is going to disappear. According toresearch by intelligence firm Gemini Advisory, as of November 2018 chip-enabled cards represent 93 percent of the more than 60 million payment cards stolen in the past 12 months, thanks to the lack of U.S. merchant compliance with the EMV implementation.

Other Gemini findings include:

• 45.8 million or 75 percent are Card-Present (CP) records and were stolen at the point-of-sale devices, while only 25% were compromised in online breaches.
• 90% of the CP compromised U.S. payment cards were EMV enabled.
• The United States leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.
• Financially motivated threat groups are still exploiting the lack of merchant EMV compliance.

In addition, a new type of card fraud is gaining in popularity. Unlike the skimmers fraudsters attached to gas pumps and other devices to capture credit card information (one of the types of fraud EMV was designed to eliminate) a “shimmer,” according to Krebs on Security, fits in the card slot between the chip on the card and the chip reader — recording the data on the chip as it is read by the underlying machine. The fact that the device fits in the slot itself instead of fitting over the card reader, it’s difficult to spot.

Here’s how Krebs described shimming in 2017:

“Data collected by shimmers cannot be used to fabricate a chip-based card, but it could be used to clone a magnetic stripe card. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains additional security components not found on a magnetic stripe.

“One of those is a component known as an integrated circuit card verification value or “iCVV” for short — also known as a “dynamic CVV.” The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.”

The weakness a shimmer exploits lies with the card issuer as opposed to the payment device.

“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,” ATM giant NCR Corp. wrote in a 2016 alert to customers. “All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.”

(If I needed any persuasion that payment card fraud was still a problem, I recently received a call from my bank alerting me that my debit card had been compromised. Someone had used what was obviously a cloned card to withdraw $300 at an ATM 30 miles away from where I live. The bank blocked the card when the fraudster attempted to make a withdrawal at another ATM. A few days later, my son’s debit card was compromised as well. In both cases, the money was refunded to our accounts and the dispute was closed in less than a week. When I posted a comment to the neighborhood Nextdoor social media site about the incident, dozens of people in my area said they had also been victims of payment card fraud. The speculation was that the issue occurred at a nearby convenience store, although nothing was proven.)

The current state of EMV affairs

By all appearances, EMV adoption among kiosk deployers essentially stands where it did a year ago. Deployers seem to be carrying on with existing equipment until the end of its lifespan, with any new deployments.

Part of the reason is likely, as mentioned in last year’s analysis, that the relatively low transaction averaged for many kiosks translates to less overall chargeback risk, which in turn means less incentive to upgrade. Given that risk, it doesn’t make much sense to invest in an upgrade it of the deployer plans to swap it out in a year or two.

“For kiosks we have seen very little in the way of EMV retrofits of fielded kiosks running in mag stripe even though there are surface mount devices well suited to field retrofits available,” said Rob Chilcoat, president, North American Operations with UCP Inc., a provider of EMV-compliant chip-and-pin hardware and payment gateway solutions for attended and unattended card payment terminals in North America.

In addition, some of the concerns about whether a kiosk would be considered attended, “semi-attended” or unattended under EMV requirements may have been overblown.

A Little Update.emv Software Free

“’Semi-attended’ doesn’t exist as far as the PCI Security Council and EMVCo are concerned; a device is either a Cardholder Activated Terminal (CAT) or it isn’t in their eyes,” Chilcoat said.

“This ‘semi-attended’ term was coined by processors to justify using less costly attended devices at self-checkout and other indoor self-service scenarios where the kiosks are being tended to by an employee of the store,” he said. “This PCI gray area still exists and we do see people ordering attended devices from us for this purpose. We advise against it, but we can’t stop them from doing what they want with a terminal. It really comes down to what the merchant’s processor will allow.”

Still, deployers shouldn’t be lulled into a false sense of security by thinking a low transaction amount means they’re insulated from major losses. Yes, if a fraudulent card is used on a small transaction at the kiosk, it can just be considered a cost of doing business. On the other hand, if someone is able to collect cardholder data at the kiosk and then sell it on the dark web causing massive fraudulent transactions elsewhere, and that gets tracked back to a non-EMV compliant kiosk, it won’t be trivial to a kiosk deployer.

But for new projects, EMV is definitely the norm.

“In terms of kiosks, the biggest thing that’s changed is the move from EMV being an optional form of payment to a requirement for our customers,” said Bruce Rasmussen, director of sales with payment technology provider Ingenico Group.

“Currently we do not have any customers in the pre-deployment stage that are not already planning to support EMV now or in the next phase of their project,” Rasmussen said. “Additionally, merchants are continuing to redefine their customer interface to capture a new segment of the market, and payments continues to play a large role in this transformation.”

In particular, he said, there is a growing emphasis on supporting mobile wallets in payment solutions, which in turn drives demand for EMV contactless. With the majority of legacy cashless options only supporting magstripe transactions, merchants are putting updating their payment solutions to accept contactless at the top of their requirements.

“We see growth in contactless card payments and payments via smart phones driving growth in NFC adoption at the kiosk,” Rasmussen said. “The mandate from the card brands to support EMV contactless payments as of October 2019 is driving adoption for EMV since managing a contact and contactless certification may be the most economical and efficient use of resources to achieve a certification.”

Ultimately, although the process continues to be a gradual one, it’s only a matter of time before the vast majority of self-service kiosks in the marketplace are EMV-compliant.

“In terms of new kiosks, we have not shipped anything mag stripe only for a long time,” Chilcoat said. “I think overall EMV migration has hit a tipping point where chip card payments is the expected user experience and kiosk companies are seeing that and including it in their RFP requirements.”

EMV Update Credits and Members:

EMV References and Article

• EMV Coming To Kiosks in 2015
• Ingenico Q&A – Why So Long for EMV Adoption?

By October 1, 2015, most banks and other credit card providers had provided their cardholders with the new EMV chip cards. Merchants had until this same date to transition their POS systems to those with the capacity to read these EMV chip cards.

Emv Chip Reader Writer Software

ATMs represent the final step in this shift.

X2 Emv Software Download

The Liability Shift, Credit Card Machines

The intention of this change was improved protection against credit card fraud. Merchants had no legal requirement to make the change, but they did have incentive in the form of fraud protection.

In the past, credit and debit card providers assumed financial responsibility for fraudulent transactions made with the magnetic stripe cards. If the card provider failed to provide chipped cards by the deadline, they remain responsible for fraudulent activity. However, with implementation of the EMV chip cards, businesses that fail to install compatible credit card machines assume that responsibility.

In the event both parties – the card issuer and the merchant – took equal steps toward security, previous liability applies (meaning that the banks assume responsibility).

Tagxedo turns words - famous speeches, news articles, slogans and themes, even your love letters - into a visually stunning word cloud. Tagxedo Tagxedo is a free, web-based word cloud creator, similar to Wordle. But with Tagxedo, you can place your word cloud in a shape! CLICK HEREto see a sample. Tagxedo creator download free. The following are a few examples to show the versatility of Tagxedo, especially how tightly the words hug the shapes. Feel free to click the pictures and play with them in Tagxedo. If you like these word clouds, you must also check out the Tagxedo Facebook page which has many more candies for your eyes, and read about the 101 Ways to Use Tagxedo.

The Liability Shift, ATMs

The deadline to upgrade ATMs to read EMV chip cards varies by card provider. For MasterCard, the deadline is October 1, 2016, while Visa's deadline is October 1, 2017. As with merchant liability for those failing to upgrade credit card machines, liability for fraudulent transactions shifts to the entity failing to make the EMV switch.

Consumers (people who use ATMs) will likely find fewer ATMs, as smaller operators may choose to pull their machines rather than make the change. They'll also discover changes in how they use the new machines, with different on-screen menus and prompts.

Though the deadlines for upgrading machines are staggered, most ATM owners will perform both upgrades simultaneously as a way to keep transition costs down.

Making the Upgrade

For ADA-compliant ATMs, upgrading requires software and a Level 1 EMV-certified card reader. An upgrade kit consisting of the card reader, bezel, mounting hardware, and various parts averages between $200 and $300.

However, actual costs come in about 10 times that amount, averaging between $2,000 and $4,000. This takes into account the software changes the EMV upgrade requires. The costs seem high, but when you factor in the cost of not performing the upgrade, and therefore assuming fraud liability, the cost is minor.

ATM operators that fail to make the upgrade eat the cost of fraud committed by criminals using counterfeit, magnetic stripe cards. Countries that completed this upgrade years ago, such as those in the European Union and Canada, experienced these issues. At that time, criminals using counterfeit credit and debit cards began targeting smaller ATM providers, such as those located in convenience stores and not anchored to a banking institution.

Free Emv Software Download

The Bottom Line

ATM owners must decide whether the cost of the upgrade is one they can absorb. If not, they must then decide whether the risk of fraud is worth remaining in business. The result may be a decision to close those ATM machines receiving less business, while making the upgrade to those receiving the highest levels of use.