EMV & Contactless (Operator Field Manual)
Before managing EMV/contactless, understand:
- Card-present fraud risks
- Terminal operations management
- Card-present terminal decisions and hardware choices
- EMV liability shift rules
EMV chip cards shifted fraud liability to whoever didn't support the chip. Contactless adds speed without sacrificing security. Know the liability rules and keep your terminals compliant.
Last verified: Dec 2025. EMV mandates and contactless limits vary by region; confirm with your acquirer.
What Matters (5 bullets)
- EMV liability shift is live. Non-chip terminals bear fraud liability for chip cards.
- Contactless uses the same chip security. NFC transactions get EMV protections.
- Fallback to swipe creates liability. If chip exists but swipe is used, merchant is liable.
- Contactless limits vary by region. Above-limit requires PIN or device auth.
- Tokenized wallets (Apple Pay, Google Pay) are even more secure. Device-bound, biometric.
EMV Chip Basics
How EMV Works
- Card inserted into terminal (or tapped for contactless)
- Chip generates unique cryptogram for this transaction
- Cryptogram sent with auth request
- Issuer validates cryptogram
- Cryptogram can't be reused (prevents replay attacks)
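A simplified model of the flow above, added here as an illustration and not taken from the EMV specifications or any issuer's code. HMAC-SHA256 stands in for the real EMV MAC algorithm and key derivation, and the names `session_key`, `card_cryptogram` and `Issuer` are hypothetical.

```python
import hashlib
import hmac

def session_key(card_key: bytes, atc: int) -> bytes:
    # Fresh key per transaction, derived from the card key and the
    # Application Transaction Counter (ATC) the chip increments each time.
    return hmac.new(card_key, b"SK" + atc.to_bytes(2, "big"), hashlib.sha256).digest()

def card_cryptogram(card_key: bytes, atc: int, amount_minor: int,
                    currency: str, unpredictable_number: bytes) -> bytes:
    # Binds the cryptogram to this amount, currency, terminal nonce and counter.
    msg = (amount_minor.to_bytes(6, "big") + currency.encode()
           + unpredictable_number + atc.to_bytes(2, "big"))
    return hmac.new(session_key(card_key, atc), msg, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, card_keys: dict):
        self.card_keys = card_keys
        self.last_atc = {pan: -1 for pan in card_keys}  # highest counter accepted

    def validate(self, pan, atc, amount_minor, currency, unpredictable_number, cryptogram) -> str:
        key = self.card_keys.get(pan)
        if key is None:
            return "unknown card"
        expected = card_cryptogram(key, atc, amount_minor, currency, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad cryptogram"      # wrong key or altered transaction data
        if atc <= self.last_atc[pan]:
            return "replayed counter"    # same cryptogram presented again
        self.last_atc[pan] = atc
        return "approved"

def demo() -> list:
    key = bytes(range(16))                       # constructed test key
    issuer = Issuer({"TEST-PAN-0001": key})      # constructed placeholder PAN
    nonce = bytes.fromhex("a1b2c3d4")            # terminal's unpredictable number
    ac = card_cryptogram(key, 7, 2_500, "USD", nonce)
    return [
        issuer.validate("TEST-PAN-0001", 7, 2_500, "USD", nonce, ac),    # first use
        issuer.validate("TEST-PAN-0001", 7, 2_500, "USD", nonce, ac),    # replay
        issuer.validate("TEST-PAN-0001", 8, 99_900, "USD", nonce, ac),   # reused on new txn
    ]

if __name__ == "__main__":
    print(demo())
```

A copied magnetic stripe has no equivalent of the counter or the key, which is why the static data in the table below can be cloned and the cryptogram cannot be replayed.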
Why Chip Is Secure
| Magnetic Stripe | EMV Chip |
|---|---|
| Static data | Dynamic cryptogram |
| Easily cloned | Can't be copied |
| No transaction binding | Unique per transaction |
| Counterfeit-prone | Counterfeit-resistant |
Liability Shift
The Rule
When fraud occurs, liability falls on the party that didn't support EMV:
| Card Type | Terminal | Liability |
|---|---|---|
| Chip card | Chip terminal | Issuer |
| Chip card | Swipe-only terminal | Merchant |
| Non-chip card | Any terminal | Issuer |
| Chip card | Chip failed, swipe fallback | Usually merchant |
Key Dates
| Region | Liability Shift Date |
|---|---|
| US (non-fuel) | October 2015 |
| US (fuel/AFD) | April 2021 |
| Europe | 2005-2006 |
| Canada | 2011-2012 |
| Latin America | Varies by country |
What This Means
If you have:
- Chip-enabled terminals: Protected from counterfeit liability
- Swipe-only terminals: Liable for chip card counterfeits
- Fallback transactions: Need to follow proper procedures
Contactless Payments
How Contactless Works
- Card or device tapped on terminal
- NFC communication (short range, under 4cm)
- Same EMV chip technology, wireless
- Cryptogram generated and validated
- Transaction completes in seconds
Contactless Methods
| Method | Technology | Security |
|---|---|---|
| Contactless card | Chip via NFC | EMV cryptogram |
| Apple Pay | Device token + biometric | EMV + device binding |
| Google Pay | Device token + auth | EMV + device binding |
| Samsung Pay | MST or NFC | Varies by mode |
Contactless Transaction Limits
Transactions above certain amounts require additional authentication (PIN or device auth):
| Region | Typical Limit | Notes |
|---|---|---|
| US | No strict limit | CVM threshold varies |
| UK | £100 | Raised from £45 during COVID |
| EU | €50 typical | Varies by country |
| Canada | CAD $250 | Raised during COVID |
| Australia | AUD $200 | Higher than most |
When PIN Is Required
Even on contactless, PIN may be required when:
- Amount exceeds limit
- Cumulative contactless spend exceeds limit
- Random PIN verification (issuer-determined)
- High-risk merchant category
Fallback Procedures
When the chip can't be read, fallback to swipe may be allowed, but it creates liability.
Proper Fallback Process
- Attempt chip first - Always try chip read
- Second attempt - Try chip again if first fails
- Terminal prompts fallback - Only after chip failures
- Document the reason - Error log for disputes
- Swipe only as last resort - With proper fallback indicator
Fallback Red Flags
Watch for fraud patterns:
- Customer insists on swiping
- Chip "doesn't work" but card looks fine
- Multiple fallback attempts
- High-value fallback transactions
Fallback Liability
- Proper fallback documented: Reduced liability (depends on network)
- Forced fallback without chip attempts: Full merchant liability
- Pattern of fallbacks: May indicate fraud or terminal issues
Terminal Configuration
EMV Certification Requirements
| Requirement | Purpose |
|---|---|
| EMV L1 | Physical contact interface |
| EMV L2 | Application layer protocol |
| EMV L3 | Payment brand certification |
| Contactless L1/L2/L3 | NFC interface certification |
Terminal Checklist
- Chip reader functional
- Contactless reader enabled
- Proper fallback configured
- PIN pad working
- Certification current
- Software up to date
Common Terminal Issues
| Issue | Impact | Fix |
|---|---|---|
| Chip reader dirty | Failed reads, fallback | Clean regularly |
| NFC disabled | No contactless | Enable in settings |
| Old firmware | Security gaps | Update software |
| PIN pad malfunction | No PIN verification | Repair/replace |
Fraud Prevention Impact
EMV Effect on Fraud
| Fraud Type | Before EMV | After EMV |
|---|---|---|
| Counterfeit (CP) | High | Down 75%+ |
| Lost/stolen (CP) | Moderate | Unchanged (need PIN) |
| Card-not-present | Moderate | Up (fraud migration) |
Fraud Migration
EMV reduced card-present fraud but pushed fraudsters to:
- Card-not-present (online) - See CNP fraud prevention
- Account takeover
- Application fraud
- Markets without EMV
Apple Pay / Google Pay
Additional Security
Beyond EMV, mobile wallets add:
| Feature | Security Benefit |
|---|---|
| Device binding | Token only works on that device |
| Biometric auth | Face ID, fingerprint required |
| No card number | Token replaces PAN |
| Transaction limit | Can be unlimited with biometric |
Fraud Rates
Mobile wallet transactions typically see:
- 50%+ lower fraud than raw cards
- Higher approval rates
- Fewer false declines
Merchant Considerations
- Accept Apple Pay / Google Pay (no additional cost)
- Ensure NFC is enabled on terminals
- Train staff on tap-to-pay
- Update signage to show acceptance
Scale Callout
| Volume | Focus |
|---|---|
| Under $100k/mo | Ensure all terminals are EMV-enabled; accept contactless; minimize fallback |
| $100k-$1M/mo | Monitor fallback rate; track counterfeit chargebacks; terminal maintenance schedule |
| Over $1M/mo | Terminal fleet management; fallback analysis by location; contactless adoption metrics |
Where This Breaks
- Swipe-only terminals still in use - Automatic liability for chip card fraud
- Forced fallback by staff - Creates liability, may indicate collusion
- Disabled contactless - Missing easy, secure payment option
- Outdated firmware - Security vulnerabilities
- No PIN preference - Lost/stolen cards easier to use
Test to Run (2 weeks)
- Audit all terminals - Confirm EMV and contactless enabled
- Track fallback rate - Should be under 2% of chip card transactions
- Check contactless adoption - What % of transactions?
- Review counterfeit chargebacks - Are you seeing 10.1/10.2 codes?
- Staff observation - Are proper procedures followed?
Success criteria: Zero non-EMV terminals, fallback under 2%, no terminal-related chargebacks
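One way to run the fallback checks from this page (rate under 2% of chip card transactions, repeated fallbacks, high-value fallbacks, fallback without a chip attempt) over a transaction export. This is an added example, not code from any terminal vendor or acquirer; the record fields, entry-mode labels and the 500.00 high-value threshold are assumptions, and the sample data is constructed.

```python
from collections import Counter

FALLBACK_RATE_LIMIT = 0.02   # from the page: fallback under 2% of chip card transactions
HIGH_VALUE_MINOR = 50_000    # assumed review threshold (500.00 in minor units)
CHIP_CARD_MODES = {"chip", "contactless", "fallback_swipe"}  # assumed entry-mode labels

def fallback_report(txns):
    """Return (rate per terminal, terminals at or over the limit, red-flag findings)."""
    chip_total, fallbacks, per_card = Counter(), Counter(), Counter()
    findings = []
    for t in txns:
        if t["entry_mode"] not in CHIP_CARD_MODES:
            continue                      # non-chip cards are outside the denominator
        chip_total[t["terminal"]] += 1
        if t["entry_mode"] != "fallback_swipe":
            continue
        where = (t["terminal"], t["card_token"])
        fallbacks[t["terminal"]] += 1
        per_card[where] += 1
        if t["amount_minor"] >= HIGH_VALUE_MINOR:
            findings.append(("high_value_fallback", *where))
        if t.get("chip_attempts", 0) == 0:
            findings.append(("fallback_without_chip_attempt", *where))
    findings += [("repeat_fallback", *where) for where, n in per_card.items() if n > 1]
    rates = {term: fallbacks[term] / chip_total[term] for term in chip_total}
    over = sorted(term for term, rate in rates.items() if rate >= FALLBACK_RATE_LIMIT)
    return rates, over, findings

def txn(terminal, mode, card, amount_minor, chip_attempts=0):
    return {"terminal": terminal, "entry_mode": mode, "card_token": card,
            "amount_minor": amount_minor, "chip_attempts": chip_attempts}

# Constructed sample data: T1 is healthy, T2 shows forced high-value fallbacks.
SAMPLE = (
    [txn("T1", "chip", f"c{i}", 2_500) for i in range(99)]
    + [txn("T1", "fallback_swipe", "c200", 1_200, chip_attempts=2)]
    + [txn("T2", "contactless", f"d{i}", 900) for i in range(8)]
    + [txn("T2", "fallback_swipe", "d99", 80_000) for _ in range(2)]
    + [txn("T2", "swipe", "m1", 4_000)]   # non-chip card, ignored
)

if __name__ == "__main__":
    rates, over, findings = fallback_report(SAMPLE)
    print(rates, over, findings, sep="\n")
```

A terminal that appears in the over-limit list with no red-flag findings points toward a dirty or failing chip reader rather than fraud.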
Related
- Card-Present Fraud - Fraud types overview
- Third-Party Fraud - Stolen card usage
- Authorization & Capture - How card payments work
- Authorization Decisioning - How issuers approve/decline
- Decline Codes - Understanding decline reasons
- Terminal Security - Operations overview
- Visa 10.1 - EMV Counterfeit
- Visa 10.2 - EMV Non-Counterfeit
- Mastercard 4870 - Chip Liability
- Digital Wallets - Apple Pay, Google Pay security
- Card Payments - Card fundamentals
- Chargeback Prevention - Preventing disputes