Implementing EMV at the ATM: Requirements and Recommendations for the U.S. ATM Community – Version 2

Publication Date: June 2015

The version 2 white paper includes significant new content on the use of the U.S. Common Debit AID in various ATM transaction scenarios.

ATMs are an important component of the move to EMV payment technology, commonly known as “chip” payment technology.

For point-of-sale (POS) devices, the impetus for conversion to chip rests primarily on two foundations: fraud control and multi-application support for value-added functions (such as loyalty programs or vouchers). For ATMs, however, always-online authorization, coupled with the use of a PIN, and the relatively higher security environment, has historically resulted in lower levels of fraud compared to POS. Further, as a financial services machine, the ATM has not been an attractive opportunity to offer extensive value-added functionality.

Both factors are beginning to change for the ATM. Magnetic stripe skimming, combined with PIN capture (via shoulder-surfing, pinhole cameras, and false fronts), has led to rapid increases in ATM fraud rates. In some markets, this rise in fraud has led to aggressive programs for chip migration for ATM transactions. Meanwhile, the migration of ATMs to “kiosks,” offering POS capability in addition to cash dispensing, has increased the potential for value-added functionality in ATMs.

Additionally, Discover, MasterCard, and Visa have published liability shift dates that impact ATM owners. A liability shift is not a mandate; ATM providers and acquirers are not being forced to migrate to EMV. However, the liability shift provides a very strong practical incentive to do so. Further, ATMs are seen as an important component of chip card management. ATMs are generally seen as a safer location to change/unlock PINs; to unblock, add, modify, and delete applications; to manage proprietary applications; and to execute lengthier and more complicated user scripts.

This white paper was developed by the EMV Migration Forum ATM Working Committee to provide guidance to ATM providers, acquirers, processors, and vendors who are preparing to implement EMV at the ATM in the United States. It includes information about which functions must be implemented to provide EMV compliance at the ATM, as well as recommended planning activities for EMV implementation. Technical details about an EMV transaction are also included.

NOTES AND INFORMATION DISCLOSURE This document has been prepared by the EMV Migration Forum ATM Working. The recommendations, suggestions and other guidance and information provided in this document represent the general consensus of the members of the Working Committee, following extensive research and discussion, and are provided solely as a general guide for the convenience of interested ATM industry constituents. In the ATM context, and generally, implementation of EMV ultimately depends on the specific circumstances, environment and business needs of those involved. Prior to implementing EMV, it is therefore assumed (and the EMV Migration Forum strongly encourages and recommends) that implementers will independently and thoughtfully (i) assess their respective environments, requirements, challenges, preferences, business needs and related matters, and how the foregoing may impact their specific EMV implementation(s), (ii) consider the recommendations provided in this document, and (iii) consult with appropriate acquirers, issuers, processors, vendors and payment network partners, and obtain the support and guidance of experienced and qualified professionals where appropriate.

About the EMV Migration Forum

The EMV Migration Forum is a cross-industry body focused on supporting the EMV implementation steps required for global and regional payment networks, issuers, processors, merchants, and consumers to help ensure a successful introduction of more secure EMV chip technology in the United States. The focus of the Forum is to address topics that require some level of industry cooperation and/or coordination to migrate successfully to EMV technology in the United States. For more information on the EMV Migration Forum, please visit http://www.emv-connection.com/us-payments-forum/

Please note: The information and materials available on this web page (“Information”) is provided solely for convenience and does not constitute legal or technical advice. All representations or warranties, express or implied, are expressly disclaimed, including without limitation, implied warranties of merchantability or fitness for a particular purpose and all warranties regarding accuracy, completeness, adequacy, results, title and non-infringement. All Information is limited to the scenarios, stakeholders and other matters specified, and should be considered in light of applicable laws, regulations, industry rules and requirements, facts, circumstances and other relevant factors. Use of or reliance on the Information is at the user’s sole risk, and users are strongly encouraged to consult with their respective payment networks, acquirers, processors, vendors and appropriately qualified technical and legal experts prior to all implementation decisions.

Please note that, on November 2, 2016, staff of the Board of Governors of the Federal Reserve System (the “Board”) released a FAQ relating to Section 235.7(b) of Federal Reserve Regulation II (promulgated by the Board pursuant to the Durbin Amendment to the Dodd-Frank Act), noting that although the FAQ is not an official Board interpretation, “[a] payment card network inhibits a merchant’s ability to route electronic debit card transactions if it, by network rules, standards, specifications, contractual agreements, or otherwise, requires the merchant to allow the cardholder to make the choice of EMV chip application on a debit card, where one application routes only to a single network.” None of the Information should be interpreted or construed to require or promote the establishment of any solution, practice, configuration, rule, requirement or specification inconsistent with applicable legal requirements, including Federal Reserve Regulation II, any of which may change over time. The U.S. Payments Forum assumes no responsibility to support, maintain or update the Information, regardless of any such change.