How EMV technology work and why hasn't it completely eliminated carding? (Chip cards, their advantages and disadvantages)

[Student]

EMV technology (Europay, Mastercard, Visa) is a global standard for payment cards with a microprocessor chip, designed to improve transaction security compared to legacy magnetic stripe cards. In the context of carding (fraud using stolen payment card data), EMV has significantly complicated certain types of attacks, but has not eliminated them completely. For educational purposes, I will examine in detail how EMV works, its advantages and disadvantages, and explain why carding remains a problem, with a focus on fraud methods and their evolution.

How EMV technology works​

EMV is a standard that uses a microprocessor chip embedded in the payment card to process transactions. The chip provides dynamic authentication and cryptographic protection, making it significantly more secure than magnetic stripes, which store static data easily copied by criminals.

The main stages of EMV operation:​

1. Transaction initiation:
   • When you insert a card into the terminal (contact transaction) or tap it for contactless payment (NFC), the terminal establishes communication with the chip.
   • The chip is activated and begins communicating with the terminal via the protocol defined by the EMV standard.
2. Card authentication:
   • The chip uses cryptographic algorithms (usually RSA or 3DES) to create a unique transaction code (Application Cryptogram, AC).
   • This code is unique for each transaction and cannot be reused, unlike magnetic stripe data, which remains unchanged.
   • The terminal verifies the authenticity of the card using the public key embedded in the chip.
3. Cardholder verification:
   • Depending on the type of transaction, you may be required to enter a PIN, provide a signature, or use biometrics (such as a fingerprint in mobile wallets).
   • For contactless transactions of small amounts (for example, up to 1,000 rubles in Russia), a PIN code is often not required, which simplifies payment but creates a vulnerability.
4. Transaction authorization:
   • The terminal sends transaction data (including the cryptogram) to the issuing bank via the payment system (Visa, Mastercard, etc.).
   • The bank checks the card details, balance, and limits, and also analyzes fraud risks (for example, using monitoring systems).
5. Offline and online transactions:
   • Offline: The chip and terminal can complete the transaction without immediately contacting the bank, using pre-set limits (for example, in transport).
   • Online: The transaction is sent to the bank for verification in real time, which is more often used for larger amounts.

Key elements of EMV security:​

• Dynamic Cryptogram: A unique code for each transaction makes data interception useless for reuse.
• Encryption: Data is transmitted between the chip and the terminal in encrypted form.
• PIN or biometrics: An additional layer of security that requires verification of the cardholder's identity.
• Tokenization: Mobile payments (Apple Pay, Google Pay) use tokens instead of real card data, which reduces the risk of leakage.

The benefits of EMV in combating card fraud​

1. Skimming protection:
   • Skimming is the installation of devices on ATMs or terminals to read magnetic stripe data. Since the EMV chip generates dynamic cryptograms, the copied data becomes useless for creating a counterfeit card.
   • For example, in the US, after the implementation of EMV in 2015, fraud with counterfeit cards at the point of sale decreased by 76% by 2020 (Visa data).
2. Reducing fraud in offline transactions:
   • Counterfeiting chip cards requires sophisticated equipment and access to cryptographic keys, making such attacks expensive and rare.
3. Global compatibility:
   • EMV is used in most countries, making it an effective standard for international transactions. This reduces the likelihood of using legacy terminals that only support magnetic stripes.
4. Support for modern technologies:
   • EMV integrates with contactless payments and mobile wallets, enabling the use of tokenization and biometrics, further protecting users.
5. Reducing financial losses:
   • Banks and retailers report reduced losses from fraud at physical points of sale following the transition to EMV.

Disadvantages of EMV in the context of carding​

1. Limited protection in online transactions:
   • EMV does not apply to CNP (Card Not Present) transactions where a physical card is not used (e.g., online purchases). Fraudsters can use stolen card information (number, expiration date, CVV) for such transactions.
   • According to Mastercard, approximately 60% of fraudulent transactions in 2023 were related to CNP.
2. Contactless payment vulnerabilities:
   • Contactless transactions for small amounts often don't require a PIN, allowing a stolen card to be used before it's blocked. For example, in Russia, the limit for contactless payments without a PIN is 1,000 rubles, while in the EU it's around 50 euros.
   • In rare cases, attackers can use powerful NFC readers to intercept data remotely, although this requires specialized equipment.
3. Infrastructure dependency:
   • Not all terminals worldwide support EMV. In countries with low adoption rates (for example, in parts of Asia or Africa), chip-based cards may use a magnetic stripe, making them vulnerable to skimming.
   • Even in developed countries, some terminals may be outdated or compromised.
4. High cost of implementation:
   • Chip card production and terminal upgrades are costly, slowing the transition to EMV in some regions.
   • Small businesses may continue to use old terminals, which creates loopholes for fraudsters.
5. Human factor:
   • Users may inadvertently disclose their PIN or card details (for example, through phishing), which would invalidate EMV security.

Why Hasn't EMV Eliminated Carding?​

Despite a significant reduction in fraud in offline transactions, carding remains a serious problem for the following reasons:

1. Fraudsters' transition to the online environment:
   • After the introduction of EMV, fraudsters switched to CNP transactions. Stolen card data (number, CVV, expiration date) is obtained through:
     • Phishing: Fake websites or emails that trick you into giving up information.
     • Data leaks: Hacking of online store or bank databases.
     • Keyloggers: Malicious software that records the data you type.
   • For example, in 2022, around 40% of all carding cases in Europe were related to online purchases (Europol data).
2. Social engineering:
   • Fraudsters use social engineering techniques to gain access to card details or PINs. Examples:
     • Calls from the "bank's security service" seeking information.
     • Fake websites that imitate the interface of banks or payment systems.
     • Phishing emails asking to "confirm" card details.
3. Terminal compromise:
   • Although the EMV chip is difficult to counterfeit, terminals can be infected with malware (POS malware) that intercepts data before encryption. For example, RAM-scraping attacks allow card data to be read from the terminal's memory.
   • In 2019, several cases of POS terminal infections were reported in the US at major retailers such as Target.
4. Regional differences:
   • In regions with low EMV adoption (such as some countries in Africa or South Asia), fraudsters continue to use skimmers and counterfeit magnetic stripe cards.
   • Even in countries with developed infrastructure, some transactions may fall back to the magnetic stripe if the terminal does not support EMV.
5. Evolution of carding methods:
   • Fraudsters are adapting to new technologies. Examples:
     • Mobile wallet attacks: Hacking devices to steal tokens or biometric authentication data.
     • Deepfake and biometric deception: Using fake videos or voices to bypass biometric systems.
     • Darknet Markets: Platforms like Genesis Market sell stolen card data and even browser fingerprints to mimic legitimate transactions.
6. Supply chain vulnerabilities:
   • Attackers can target banks, processing centers, or card manufacturers, gaining access to customer data before a card is issued.
   • For example, in 2021, a data leak from a bank in India resulted in the compromise of millions of cards.
7. Limited physical theft protection:
   • If a card is stolen, fraudsters can use it to make small contactless payments without a PIN before blocking the card.

Additional measures against carding​

To combat card fraud, banks, payment systems, and users employ additional technologies and practices that complement EMV:

1. 3D-Secure (Visa Secure, Mastercard Identity Check):
   • A protocol that requires additional authentication for online transactions (such as a one-time password sent to a phone, or biometrics).
   • Reduces the risk of fraud in CNP transactions, but does not eliminate it completely, as passwords can be intercepted through phishing.
2. Tokenization:
   • Replacing real card data with unique tokens that are useless outside of a specific device or payment system. Used in Apple Pay, Google Pay, and other mobile wallets.
   • Even if a token is intercepted, it cannot be used for other transactions.
3. Biometric authentication:
   • Using fingerprints, facial recognition, or voice recognition to confirm transactions. This makes it more difficult to use stolen cards, but requires protecting biometric data.
4. Transaction monitoring:
   • Banks use AI-based systems to analyze transactions in real time. Suspicious transactions (such as purchases at unusual locations) can be blocked or require additional confirmation.
5. User education:
   • Raising awareness about phishing, safe card use, and checking websites before entering data.
6. Technologies on the side of retailers:
   • Data encryption at points of sale, use of secure payment gateways and regular terminal updates.

Example of fraud statistics​

To illustrate the scale of the problem, I will provide data from open sources (based on information up to 2025):

• US: Since EMV's introduction in 2015, offline transaction fraud has decreased by 76%, but CNP transactions have increased by 35% by 2023 (Visa).
• Europe: In 2022, around 60% of fraudulent transactions involved CNP, with total losses from carding amounting to over €1.8 billion (Europol).
• Russia: In 2023, the Central Bank of the Russian Federation reported an increase in phishing attacks, despite the widespread implementation of EMV and 3D-Secure.

Conclusion​

EMV technology has significantly improved the security of offline transactions, making card skimming and cloning virtually impossible without significant resources. However, it is not a universal solution against card theft due to:

• Online Transaction Vulnerabilities (CNP).
• Social engineering and data leaks.
• Infrastructure limitations in some regions.
• Fraudsters adapt to new technologies.

To effectively combat carding, a comprehensive approach is required:

• Technological: Use of 3D-Secure, tokenization and biometrics.
• Organizational: Updating terminals, monitoring transactions and protecting data.
• Educational: Raising user awareness of fraudulent practices.

EMV is a powerful tool, but it's only part of the security ecosystem. Fraudsters continue to find new ways to bypass protection, requiring constant technological development and vigilance from users and banks.