2016 – The year we’ll finally learn more about EMV Next Generation
February 22, 2016 - How does EMV Next Generation aim to address global interoperability?
Twenty years after its original introduction, EMV can be seen as a success story. Currently, over 2 billion EMV cards are in use globally. With the biggest card payment market, the U.S., now finally following suit, this number is expected to grow to 2.5 billion cards in the field within the next few years. That is an impressive number, especially considering that for all these cards EMVCo (along with the individual payment schemes) has managed to ensure a secure, globally interoperable ecosystem.
However, in twenty years lessons have been learned and new technologies and market demands have emerged. In the past, this was handled by 'minor' updates of the EMV specifications. In 2011, however, EMVCo recognized that it was time for a major overhaul of the entire specification. As a result, the current EMV specifications have been declared 'Legacy' and a completely new set of specifications, referred to as 'EMV Next Gen', is being developed. Some of the major drivers for this were:
- Keeping the ecosystem secure for the future: Legacy EMV relies on RSA cryptography to validate the authenticity of the card offline. Over the years, security has been maintained by increasing the length of the RSA keys used. Legacy EMV, however, has technical limitations on the maximum key length: the largest modulus it can carry is 248 bytes, i.e. 1984 bits. EMVCo reviews the permitted key lengths annually. Last year, it was decided to no longer extend the validity of the second longest key length beyond 2025. The next key length to 'expire' will be the 1984-bit key, which is as far as Legacy EMV can go. Therefore, in order to keep the ecosystem secure for the future, a major overhaul of either the communication protocol or the cryptography is necessary.
- Too many kernels and kernel certifications: Contact EMV was developed as a joint effort between the payment schemes, resulting in a single kernel. For contactless EMV, however, each scheme developed its own kernel, resulting in seven(!) different contactless kernels. This is a nightmare for terminal manufacturers, especially considering that each kernel needs to be certified separately and re-certification can be necessary if one of the other kernels is changed.
- Market demand to quickly add new functionality: In today's online world, consumers (and therefore merchants) want the ability to quickly add new forms of (mobile) payment and loyalty to their cash registers. Any POS solution should allow for cost- and time-efficient deployment of new functionality.
Figure 1 shows the timelines EMVCo has given for the EMV Next Gen development. Issuance of Legacy EMV cards is planned to be discontinued in 2025, so that by 2030 all transactions will be based on the EMV Next Gen specifications. Merchants typically do not buy new terminals often, because of the costs involved. Therefore, any major change on the terminal side takes time to deploy and needs to be prepared well in advance. Given that the average lifetime of a terminal is around seven years, the first Next Gen terminal implementations are actually already expected in the market in 2018. Luckily, EMVCo has announced the release of the EMV Next Gen specifications for 2016, with a Terminal Type Approval procedure following closely in 2017. This should give terminal vendors enough time to develop products according to the new specifications.
Figure 1 - Timelines for EMV Next Gen development
Getting ready for EMV Next Generation
Since the time to prepare is short, it is important to get ready for EMV Next Gen in time. At the end of 2014, EMVCo published the Kernel Architecture Overview for EMV Next Gen. From that document one can already learn a lot about what to expect.
Figure 2 - Legacy EMV transaction flow (left) and EMV Next Gen Kernel (right)
Figure 2 shows the transaction flow of a Legacy EMV transaction on the left and the EMV Next Gen Kernel on the right. Much of the functionality within the EMV kernel stays the same (though we can expect the technical implementation to change significantly). For example:
- The Selection Manager maps to the legacy Select Application step.
- The Cardholder Verification Manager maps to the legacy Cardholder Verification step, though new Cardholder Verification Methods, like biometrics, will be added.
Really new functionality is introduced in the:
- Secure Card Channel Manager: The communication between card and terminal will be encrypted, which EMVCo states prevents Man-in-the-Middle attacks and relaying of transactions, even though the terminal still will not authenticate itself to the card. One caveat worth keeping in mind: encrypting the channel does not by itself defeat a relay, since a relay attacker simply forwards the encrypted messages between the genuine card and the genuine terminal; relay resistance generally also requires some form of timing or distance check. The detailed specifications should provide more details on the mechanisms and on the strengths and weaknesses of this approach.
- Payment Related Data Manager: This kernel service will allow transferring e.g. transit, loyalty or coupon data between terminal and card.
Looking at other differences between the two diagrams, the Legacy transaction flow is quite deterministic: one step leads to the next, without any room for reassessing an earlier decision based on new information. A limited number of steps can be executed in parallel, but they are still independent of each other. The Next Gen Kernel shows a much more flexible architecture. The Selection Manager and Transaction Manager orchestrate the current transaction, but each function has been assigned its own Kernel Service. The Data Communication Manager consolidates all data acquired during the process and is also responsible for any communication with the card. The other kernel services can be invoked as often as necessary by the Transaction Manager (and Data Communication Manager) to determine the transaction outcome. The more detailed Next Gen specifications expected this year will shed more light on to what extent the decision process can indeed benefit from this extended flexibility.
An additional benefit of the more modular approach is that it should allow EMVCo and the payment schemes to modularize the associated certifications as well, allowing a faster time to market for updated products, which is necessary to remain competitive with the fintechs of this world. However, bringing the 'certification burden' down comes with a risk: currently, certification is the only way to truly ensure global interoperability. EMVCo will have to find the right balance between interoperability and a fast time to market.
Which parties will be impacted by the release of the EMV Next Gen specifications?
Like the Legacy EMV specifications, EMV Next Gen will describe the terminal architecture and processing. That does not mean, however, that only terminal manufacturers are impacted by the release of the specifications. Apart from the new logic and functionality in terminals and cards, the transaction information shared with the acquirer and issuer will be enhanced, and hosts and networks will have to be updated to process this new information. In fact, most parties in the card payments chain will be impacted by EMV Next Gen. This includes terminal and card manufacturers, personalization bureaus, issuing and acquiring banks, payment schemes and transaction processing networks. All these parties should keep an eye out for the specifications and assess how they impact and benefit their business.
Even though the timelines for the roll-out of EMV Next Gen may seem long for today's fast-paced world, they are probably necessary to allow EMVCo to keep offering the unique selling point it has always had: global interoperability.