There are two major benefits to moving to smart-card-based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of "off-line" credit-card transaction approvals. One of the original goals of EMV was to allow for multiple applications to be held on a card: for a credit and debit card application or an e-purse. With current processing regulations in the USA, new issue debit cards contain two applications â€” a card association (Visa, MasterCard etc.) application, and a common debit application. The common debit application ID is somewhat of a misnomer as each "common" debit application actually uses the resident card association application.
EMV chip card transactions improve security against fraud compared to magnetic stripe card transactions that rely on the holder's signature and visual inspection of the card to check for features such as hologram. The use of a PIN and cryptographic algorithms such as Triple-DES, RSA and SHA provide authentication of the card to the processing terminal and the card issuer's host system. The processing time is comparable to online transactions, in which communications delay accounts for the majority of the time, while cryptographic operations take comparatively little time. The supposed increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.
Although not the only possible method, the majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a personal identification number (PIN) rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and programming of the card. For more details of this (specifically, the system being implemented in the UK) see Chip and PIN.
Under the old system, a customer typically had to hand their card to a sales clerk to pay for a transaction. When credit cards were first introduced, merchants used offline portable card imprinters (mechanical rather than magnetic). They did not connect to the card issuer, and the card never left the customer's sight. The merchant had to verify transactions over a certain limit by telephoning the card issuer.
Later, equipment electronically contacted the card issuer, using information from the magnetic stripe to verify the card and authorize the transaction. This was much faster, but had to be in a fixed location. Consequently, if the transaction did not take place near a terminal (in a restaurant, for example) the clerk or waiter had to take the card away from the customer to the card machine. It was easily possible at any time for a dishonest employee to swipe the card surreptitiously through a cheap machine that instantly recorded the information on the card and stripe; in fact, even at the terminal, the criminal could bend down in front of the customer and swipe the card on a hidden reader. This made illegal cloning of cards easy, and a common occurrence.
Since the introduction of Chip and PIN, cloning of the chip is not feasible; only the magnetic stripe can be copied, and a copied card cannot be used on a PIN terminal. The introduction of chip and PIN coincided with wireless data communications technology becoming inexpensive and widespread. Merchant personnel can now bring wireless PIN pads to the customer, so the card is never out of the cardholder's sight. (This would have been possible with magnetic stripe cards had the technology been available.) Chip and PIN and wireless together reduce the risk of cloning of cards by surreptitious swiping.