EMV is the reason card fraud moved from the physical card to everywhere else. It replaced a copyable magnetic stripe with a chip that signs every transaction. Understand the cryptogram and the kernel and most of the card world stops being mysterious.
EMV — named for the founding scheme trio Europay, Mastercard and Visa — is the global standard for chip-based card payments, both contact (insert) and contactless (tap). It exists to solve one problem: a magnetic stripe is a static, copyable recording. Anyone who reads it can reproduce a working card. Counterfeit fraud was the inevitable result.
The fix is to put a small computer on the card. Instead of replaying a fixed number, the chip generates a unique cryptographic signature for each transaction. Capture it and it is worthless — the next transaction needs a different signature the fraudster cannot compute. EMV did not eliminate card fraud; it pushed it off the counterfeit card and toward card-not-present (online) channels, which is the story of the last fifteen years.
EMV governs the conversation between the chip, the terminal and the issuer. It does not govern the network rails, settlement or interchange — those belong to the schemes. EMV is the handshake at the point of sale.
At tap or insert, the terminal runs an EMV kernel — the software state machine that talks to the chip. It selects the application (a card can hold several, e.g. a debit and a credit AID), reads the data, authenticates the card, and decides how to verify the cardholder.
The card then produces a cryptogram: a message authentication code computed over the transaction data using a key only the card and the issuer share. An ARQC (Authorisation Request Cryptogram) means “send this online to the issuer to approve.” The issuer recomputes the cryptogram; if it matches, the card is genuine and the transaction is authorised, returning an ARPC the card can verify in turn.
| Step | What happens | Who decides |
|---|---|---|
| Application selection | Terminal and card agree which app (AID) to run | Terminal + card |
| Card authentication | SDA/DDA/CDA — offline checks the card is genuine using issuer public keys | Terminal |
| Cardholder verification | CVM list: PIN, signature, on-device (biometric), or no-CVM | Card priority + terminal |
| Terminal risk management | Floor limits, velocity, random selection for online | Terminal |
| Cryptogram generation | ARQC (go online), TC (approve offline), or AAC (decline) | Card |
| Issuer authorisation | Recompute ARQC, apply risk rules, return decision | Issuer |
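The cryptogram step of the table above, as an added example that is not from the original page or from EMVCo: a card MACs the transaction data with a key shared only with the issuer, the issuer recomputes it and answers with an ARPC, and the model shows why a captured ARQC is worthless once the ATC and the terminal's unpredictable number move on. HMAC-SHA256 is a stand-in for the 3DES/AES session-key MAC real cards use; the key, amounts and unpredictable number are constructed.

```python
import hmac
import hashlib

# Stand-in MAC. Real EMV derives a per-transaction session key from the ICC
# master key and computes the cryptogram with 3DES or AES (ISO 9797-1); HMAC
# is used here only so the example runs on the standard library.
def mac8(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def cdol(tx: dict, atc: int) -> bytes:
    # Data the cryptogram covers: amount, currency, the terminal's unpredictable
    # number (UN) and the card's Application Transaction Counter (ATC).
    return f"{tx['amount']}|{tx['currency']}|{tx['un']}|{atc}".encode()

class Card:
    def __init__(self, icc_key: bytes):
        self.icc_key, self.atc = icc_key, 0
    def generate_ac(self, tx: dict) -> dict:
        self.atc += 1  # every ARQC covers a fresh counter value
        return {"tx": tx, "atc": self.atc, "arqc": mac8(self.icc_key, cdol(tx, self.atc))}
    def verify_arpc(self, arqc: bytes, resp: dict) -> bool:
        # The card checks the issuer's reply was computed from the ARQC it sent.
        return hmac.compare_digest(mac8(self.icc_key, arqc + resp["arc"]), resp["arpc"])

class Issuer:
    def __init__(self, icc_key: bytes):
        self.icc_key, self.last_atc = icc_key, 0
    def authorise(self, req: dict) -> dict:
        expected = mac8(self.icc_key, cdol(req["tx"], req["atc"]))
        genuine = hmac.compare_digest(expected, req["arqc"])
        fresh = req["atc"] > self.last_atc  # an already-seen ATC is a replay
        arc = b"00" if genuine and fresh else b"05"  # approve / decline
        if arc == b"00":
            self.last_atc = req["atc"]
        return {"arc": arc, "arpc": mac8(self.icc_key, req["arqc"] + arc)}

def run_scenarios() -> dict:
    key = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed shared key
    card, issuer = Card(key), Issuer(key)
    tx = {"amount": 25000, "currency": "ZAR", "un": "7f3a9c01"}  # constructed tap
    req = card.generate_ac(tx)
    resp = issuer.authorise(req)
    approved = resp["arc"] == b"00" and card.verify_arpc(req["arqc"], resp)
    # the same message submitted twice: the ATC has already been consumed
    replay = issuer.authorise(req)["arc"]
    # a captured ARQC paired with another terminal's data: the MAC no longer matches
    altered = issuer.authorise({**req, "tx": {**tx, "un": "00000000"}})["arc"]
    # a reply built without the key does not verify on the card
    forged = card.verify_arpc(req["arqc"], {"arc": b"00", "arpc": b"\x00" * 8})
    return {"approved": approved, "replay": replay, "altered": altered, "forged": forged}
```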
Contact EMV is the insert-and-leave-it flow: a galvanic connection, the full kernel, and almost always online authorisation in modern markets. Contactless is the tap — an NFC field powers the chip for a fraction of a second, so the kernel is leaner and the data exchange is optimised for speed.
EMVCo historically shipped a contactless kernel per scheme (Visa, Mastercard, Amex, Discover, JCB, UnionPay), which made terminals a patchwork. The newer EMV Contactless Kernel Specification (Book C-8, “Kernel 8”) is a single scheme-agnostic kernel that uses modern cryptography — Elliptic Curve Cryptography and AES — rather than the older RSA approach. Its testing process opened in late 2024; migration of the installed terminal estate is a multi-year affair, so the per-scheme kernels are still very much in the field.
- Magnetic stripe: Static data, trivially cloned. Now a fallback only; many markets reject swipe for chip-capable cards.
- Contact chip: Full kernel, galvanic contact, robust offline data authentication. The high-value default.
- Contactless: Tap. Leaner flow, speed-optimised, governed by CVM and tap limits below.
- Kernel 8: Single unified contactless kernel, ECC + AES. Replacing the per-scheme kernel zoo over time.
Contactless uses two distinct limits and people conflate them constantly. The floor limit decides whether the transaction goes online or can be approved offline. The CVM (cardholder verification method) limit decides whether the cardholder must prove identity — typically by entering a PIN. Below the CVM limit you tap and go; above it you tap and then enter your PIN.
Cumulative counters add a third dimension: even small taps under the CVM limit can trigger a step-up to PIN after a number of consecutive taps or a cumulative spend ceiling, to bound the risk of a lost card. A device wallet (Apple/Google Pay) is treated differently — on-device biometric authentication satisfies CVM, so the card CVM limit effectively does not apply.
In South Africa the contactless CVM limit is widely R500 — tap up to R500 without a PIN, above it tap then enter PIN. Implementation varies by issuer: some banks add cumulative counters (e.g. a run of small taps, or a cumulative ceiling around R600, forces a PIN). Always confirm the exact numbers against the issuer and acquirer rules of the day, because banks tune them and the scheme guidance shifts.
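The two-limit logic and the cumulative step-up described above, as an added example that is not from the original page or any issuer's real risk engine: each tap yields two independent decisions (online or offline, PIN or none), a device wallet bypasses the card CVM limit, and a run of small taps eventually forces a PIN. The floor limit, the R500 CVM limit, the five-tap counter and the R600 ceiling are illustrative values, not any bank's configuration.

```python
from dataclasses import dataclass

@dataclass
class ContactlessRules:
    # Amounts are in cents. All four values below are constructed for the example.
    floor_limit: int         # at or above this, authorisation must go online
    cvm_limit: int           # at or above this, the cardholder must verify (PIN)
    max_taps_no_pin: int     # consecutive no-PIN taps allowed before a forced PIN
    cumulative_ceiling: int  # cumulative no-PIN spend allowed before a forced PIN

@dataclass
class CardCounters:
    taps_since_pin: int = 0
    spend_since_pin: int = 0

def decide(amount: int, rules: ContactlessRules, c: CardCounters,
           device_wallet: bool = False) -> dict:
    """One tap, two independent decisions: go online? and which CVM applies?"""
    online = amount >= rules.floor_limit  # decision 1: online vs offline
    if device_wallet:
        # decision 2 for a wallet: on-device biometric already satisfies CVM,
        # so neither the card CVM limit nor the no-PIN counters apply.
        return {"online": online, "cvm": "on-device", "reason": "device wallet"}
    if amount >= rules.cvm_limit:
        reason = "above CVM limit"
    elif c.taps_since_pin + 1 > rules.max_taps_no_pin:
        reason = "consecutive-tap counter"
    elif c.spend_since_pin + amount > rules.cumulative_ceiling:
        reason = "cumulative spend ceiling"
    else:
        reason = "below CVM limit"
    pin = reason != "below CVM limit"
    if pin:  # a PIN-verified tap resets both counters
        c.taps_since_pin, c.spend_since_pin = 0, 0
    else:
        c.taps_since_pin += 1
        c.spend_since_pin += amount
    return {"online": online, "cvm": "PIN" if pin else "none", "reason": reason}

# Illustrative profile: R200 floor, R500 CVM limit, 5 taps or R600 cumulative.
SA_LIKE = ContactlessRules(floor_limit=20000, cvm_limit=50000,
                           max_taps_no_pin=5, cumulative_ceiling=60000)

def run_sequence(amounts: list, rules: ContactlessRules = SA_LIKE) -> list:
    """Run a sequence of taps on one card and return each decision in order."""
    c = CardCounters()
    return [decide(a, rules, c) for a in amounts]
```

Five R150 taps trip the cumulative ceiling on the fifth even though every single tap is under R500, which is the "why did it ask for a PIN under R500?" case.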
Adoption is high — contactless acceptance is effectively universal on modern terminals, and device wallets have ridden in on top of the same NFC rails. Cash remains the elephant, but at the card terminal, tap is now the default gesture.
EMV kills counterfeit-card fraud at the physical point of sale. It does nothing for card-not-present. Markets that chipped saw online fraud rise — the water moved, it did not drain.
Online/offline is one decision; PIN/no-PIN is another. A merchant complaining “why did it ask for a PIN under R500?” is usually hitting a cumulative counter, not the headline limit.
SDA and DDA can be defeated in lab conditions; Combined DDA/Application Cryptogram (CDA) binds card authentication to the cryptogram. Issuing cards or configuring terminals without CDA is leaving a known door open.
EMV Level 1 (hardware/RF) and Level 2 (kernel) certifications expire and are scheme-specific. An estate running lapsed kernel versions can face liability shift exposure even though terminals “work fine.”
Forcing chip-to-magstripe fallback is a classic fraud vector. Acquirers that do not monitor and suppress unnecessary fallback carry the chargebacks.
Use contact chip as the default for higher-value, attended retail. Robust offline data authentication and PIN CVM give you the strongest counterfeit and lost-card protection, and the liability shift sits with you only if you fail to deploy it. If you are an acquirer onboarding card-present merchants, contact EMV with online authorisation is the boring, correct baseline.
Lead with contactless for speed and low-ticket volume — transit, QSR, convenience. The CVM limit is your fraud lever; set it with the issuer’s loss appetite, not the merchant’s convenience wish. Skip the temptation to over-rotate on Kernel 8 right now: it is the right destination, but if your terminals and back end are not certified for it, you gain nothing and add risk. Migrate to it as part of a planned estate refresh.
Cost of being wrong: misconfigure CDA or fallback and you eat counterfeit chargebacks you thought EMV had insured you against. Set CVM limits too high and lost-card losses climb; too low and you bleed conversion at the tap. The expensive mistake, though, is believing EMV protects your e-commerce flow — it does not, and the fraud budget you save at the counter you will spend online unless you have separate CNP controls.