
Card Acquiring Service: 2017 Conversion

Ian Macoy, Fiscal Service
Winston Wilson, Comerica Bank
Michael Halpin, Vantiv

LEAD ∙ TRANSFORM ∙ DELIVER    Page 2

Agenda

1. Card Acquiring Service (CAS): What is it and where we're going
   Ian Macoy, AAP, Director, Settlement Services Division, Revenue Collections Management, Bureau of the Fiscal Service
2. Conversion to Our New Financial Agent Comerica: What agencies need to know
   Winston Wilson, Vice President, Comerica Bank
3. Securing Cardholder Data: Leveraging Conversion for Program Improvements and a Safer Environment
   Michael Halpin, Senior Relationship Manager, Vantiv

Page 3

Learning Objectives

• A strong understanding of CAS and the future
  – How your help with the conversion links to that future
• A more in-depth understanding of the CAS conversion and other important initiatives
  – How we will be leveraging the conversion to further secure your customers' data

Page 4

The Card Acquiring Service: What is it and where we’re going

Ian Macoy, AAP, Director, Settlement Services Division, Revenue Collections Management, Bureau of the Fiscal Service

Page 5

CAS Program Overview

What is the Card Acquiring Service? CAS is a Fiscal Service program providing merchant acquirer/payment card acceptance services to federal agency customers.

Services provided:
• Enables agency acceptance of credit, debit, electronic benefit transfer (EBT), and branded stored value (e.g. gift) cards
• Performs payment card authorization, transaction processing, settlement and customer support functions

Acceptance points:
• Point-of-sale ("card present")
  – Traditional standalone point-of-sale (POS) terminals
  – Value Added Reseller (VAR)/Integrated POS (iPOS) systems (e.g. electronic cash registers)
  – Vantiv Accept (mobile) and kiosks
• Internet-based software applications ("card not present") through Pay.gov

Financial Agent: Comerica Bank, with Vantiv as merchant acquirer/processor

Page 6

Key Program Metrics (as of calendar year-end 2016)

Transaction volume (dollars): $12.2 billion collected
• POS (standalone and integrated POS systems): 49%
• Pay.gov: 51%
• $9.7 billion credit card, of which $1.9 billion signature debit
• $2.5 billion PIN debit

Transaction count: 132.8 million transactions
• POS: 74%
• Pay.gov: 26%
• 96.0 million credit card, including 35.2 million signature debit
• 36.7 million PIN debit

Average transaction: $92.38

[Chart: 2016 CAS Program Costs, broken out into Interchange, Network Fees and Direct]

90+ agencies, bureaus and offices
~9,900 acceptance points: 38% terminals; 40% iPOS; 21% Pay.gov

Page 7

CAS Roadmap: 2017 Priorities

• Complete conversion to the new Financial Agent
  – Current processor Vantiv remains, thereby reducing impact to Fiscal Service and customer agencies
  – Target completion with agencies for 10/2017
• Further secure cardholder data
  – Implement tokenization and point-to-point encryption in FY2017 through the conversion process with the new FA
    • Tokenization protects stored card data (data at rest); point-to-point encryption protects data in transit from the capture device to the processor
    • Rollout and maintenance costs will be borne by CAS
  – Promote agency PCI Data Security Standard (PCI DSS) compliance
• Ensure compliance with card network rules restricting credit card use for loan and other debt payments ("using debt to pay debt")
  – Working with impacted agencies to establish debit card-only card acceptance for debt repayment card cashflows
  – Credit card acceptance on these will be "turned off" by 12/2017

Page 8

CAS Future Roadmap (cont.)

• CAS application, future state
  – Creating a more robust CAS application and automating the review process
• CAS website re-engineering
  – All-new design with modern web standards, readable on more devices
  – New ways to navigate and a new way to enroll in CAS
• CAS policy updates
  Background: The CAS Team conducted a thorough review of chapter 7000 of the TFM (Treasury Financial Manual) and found that several changes/updates were warranted in order to better meet the needs of the program:
  – Credit card limit (incorporating the 2015 change)
  – Clarifying program compliance rules, including prohibitions on "using debt to pay debt"
  Expect publication of changes later in 2017

Page 9

Conversion to Our New Financial Agent Comerica: What agencies need to know

Winston Wilson, Vice President, Comerica Bank

Page 10

Objectives

• Conversion to Comerica Bank
• Convert all terminals, software, and hardware
• Reporting
• Tokenization and encryption
• EMV VAR/ISV compliance
• Enable MasterCard 2-series BIN compliance

Page 11

Conversion Options

• Terminal self-service support (preferred method)
  – Terminal update with new MID (merchant ID) data
  – Requires line connectivity
  – Dial line: approx. 10 min; IP line: approx. 2 min
  – Vantiv phone support for escalation/troubleshooting
• Some terminals require replacement
• Terminal coached support
  – Scheduled time with a Vantiv rep for walking through the update
• VAR updates
  – VAR sheet updates processed with new financial agent information
  – Agency and associated VAR will collaborate with respect to service agreement and conversion timing

Page 12

Conversion Timeline (March – October 2017)

• Mar 23: Fiscal Service CAS Conversion Implementation Strategy Webinar
• Wave 1: May 1 – July 31
• Wave 1 overseas locations: May 1 – October 15
• Wave 2: Aug 7 – Sep 18
• Wave 3: Sep 1 – Oct 13
• Pay.gov MID freeze: Aug 7 – 18
• Aug 14–16: Government Financial Management Conference
• Aug 19: Conversion of Pay.gov MIDs (6:00 pm ET)
• MID conversion complete

Page 13

Securing Cardholder Data: Leveraging Conversion for Program Improvements and a Safer Environment

Michael Halpin, Senior Relationship Manager, Vantiv

Page 14

EMV Chip Migration – April 2017*

Adoption
• 97% of US credit PV (payment volume) on EMV cards; 184.5M active cards*
• 80% of US debit PV on EMV cards; 236.6M active cards*
• 2.09M US EMV Visa locations; 51% by PV

Usage¹ (chip on chip)
• 45% of US credit transactions were chip on chip; 55% by PV
• 28% of US debit transactions were chip on chip; 37% by PV

Fallback²
• 2.0% US EMV credit card fallback rate; 1.7% by PV
• 2.8% US EMV debit card fallback rate; 2.7% by PV

Also reported on the slide: 18.6% US credit card chip-on-chip PV adoption; 8.2% US debit card chip-on-chip PV adoption; 2.8% US EMV credit card fallback rate; 5.7% US EMV debit card fallback rate.

89% of overall US payment volume in April was on EMV cards.

*Sources: Visa / MARS data as of April 30, 2017. Going forward, card counts will be reported on a quarterly basis. Card count in this report is for Q1 2017 (measured during the last month of the quarter). Card counts are estimates based on the number of active cards during the reporting time period.
¹ Visa branded transactions processed as chip transactions
² Magstripe transactions using a Visa branded chip card in a chip terminal

Page 15

Decrease in Counterfeit Fraud

• 56%: decrease in counterfeit fraud at U.S. chip-enabled merchants in January 2017 compared to a year earlier
• 36%: decrease in counterfeit fraud for all U.S. merchants in January 2017 compared to a year earlier

Source: Visa Fraud Reporting System (FRS). "Chip-enabled merchants" are those with chip-on-chip PV greater than 80% of total card-present (CP) PV.

Page 16

Key Security-Solution Delivery Objectives: Encryption and Tokenization

• Works for large national clients, consistent with their goals, scale, and systems architecture
• Can be implemented within our systems with minimal operational disruption
• Is sustainable and flexible as association and governing-body rules evolve

Page 17

Encryption and Tokenization

E2EE and tokenization are a powerful data protection combination. We will provide the latest in secure technology.

• End-to-End Encryption (E2EE)
  – Keeps cardholder data secure from inception to completion: encrypted in the capture device and decrypted only at the processor
  – Reduces the likelihood of thieves obtaining usable card information if a merchant system is compromised
• Tokenization
  – Replaces card numbers with a substitute value (token)
  – The token cannot be used to originate fraudulent transactions
  – Eliminates merchant retention of card data, reducing PCI-related risk

Page 18

Encryption and Tokenization

Key solution capabilities:
• Encryption without complex key injection
• True end-to-end encryption
• Maximum reliability
• High volume
• Multi-environment encryption: swipe, key-entered, e-commerce

Key customer benefits:
• Risk mitigation
• Potential PCI scope reduction
  – Ability to take components out of scope
• Protection of brand reputation
• Security that is sustainable and flexible as rules evolve

Page 19

End-to-End Encryption and Tokenization: Transaction Flow

1. Card data is encrypted at the point of capture: the Primary Account Number (PAN), track data and expiration date are encrypted inside the device.
2. The encrypted data is transferred from the merchant's POS or host to the processor's data center; the merchant environment never handles the cleartext PAN.
3. The processor decrypts the data and transmits it to the card networks.
4. Authorization approval is received, a card token is generated and submitted back to the merchant.
5. The merchant completes post-authorization and back-office activities using the token rather than the card number.
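The flow above, as an added example that is not part of the deck and not Vantiv's or Comerica's code. It models the five steps in one file: a capture device encrypts the PAN and expiry, the processor verifies and decrypts, "authorizes", and returns a token; the merchant keeps only the token and uses it for a refund. Assumptions, none of which come from the slides: a shared per-device encryption key and MAC key (real PTS terminals use AES-based DUKPT), a stdlib stand-in cipher (HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) in place of the terminal's hardware AES, a simulated network authorization, and a constructed test card number.

```python
import hashlib
import hmac
import secrets

# Assumption (not from the deck): the terminal and the processor share a per-device
# encryption key and MAC key injected out of band. Real PTS devices use AES-based
# DUKPT; this HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is a
# stdlib stand-in that only models the data flow, not the vendor's cipher suite.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand HMAC-SHA256(key, nonce || counter) into `length` keystream bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def device_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Step 1: inside the capture device, encrypt PAN/track/expiry before it leaves."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def processor_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Step 3: at the processor, verify the tag first, then recover the cardholder data."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: data altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Processor:
    """Models the acquirer's data center: decrypts, authorizes, and issues tokens."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self._keys = (enc_key, mac_key)
        self._vault = {}  # token -> PAN; this mapping never leaves the processor

    def _issue_token(self, pan: str) -> str:
        # Random digits with the real last four kept, so receipts and refund lookups
        # still work. The token is not a valid PAN and authorizes nothing by itself.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._vault:
                self._vault[token] = pan
                return token

    def authorize(self, blob: bytes, amount_cents: int) -> dict:
        """Steps 3-4: decrypt, forward to the network (simulated), return approval + token."""
        pan, expiry = processor_decrypt(*self._keys, blob).decode().split("|")
        approved = amount_cents > 0 and len(expiry) == 4  # constructed stand-in for network auth
        token = self._issue_token(pan) if approved else ""
        return {"approved": approved, "token": token, "last4": pan[-4:]}

    def refund(self, token: str, amount_cents: int) -> bool:
        """Step 5, processor side: the token, not the PAN, drives back-office work."""
        return token in self._vault and amount_cents > 0


def merchant_sale(proc: Processor, enc_key: bytes, mac_key: bytes,
                  pan: str, expiry: str, amount_cents: int) -> dict:
    """Merchant POS flow. The PAN is handled only by device_encrypt (the capture device);
    the record the merchant keeps holds the token and last four, never the PAN."""
    blob = device_encrypt(enc_key, mac_key, f"{pan}|{expiry}".encode())
    resp = proc.authorize(blob, amount_cents)
    return {"approved": resp["approved"], "token": resp["token"],
            "last4": resp["last4"], "amount_cents": amount_cents}


def demo() -> tuple:
    """Run one sale with a constructed test PAN; return (processor, merchant record, pan)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    proc = Processor(enc_key, mac_key)
    pan = "4111111111111111"  # constructed test card number, not a real account
    record = merchant_sale(proc, enc_key, mac_key, pan, "1219", 9238)
    return proc, record, pan


if __name__ == "__main__":
    proc, record, pan = demo()
    print("merchant record:", record)
    print("refund by token accepted:", proc.refund(record["token"], 9238))
```

The point to check in your own environment is the one the slide makes: after the sale, nothing the merchant stores contains the PAN, yet the refund still works because the processor resolves the token. The tag check in processor_decrypt is what makes "encrypted in transit" mean anything; a ciphertext that fails it must be rejected before decryption, not after.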

Page 20

PCI DSS Requirements

• The Payment Card Industry Data Security Standard (PCI DSS) is the industry-accepted minimum set of security requirements designed to protect cardholder data and prevent breaches.
• It applies to all organizations, systems, networks and applications that store, process or transmit cardholder data; the cardholder number (PAN) alone is enough to bring a system into scope.
• Store no cardholder data beyond name, number, expiration date and service code.

All merchants are required to comply regardless of size! This includes all U.S. Treasury agencies that accept cards for payment, even those using Pay.gov.

Page 21

PCI DSS Requirements

See Appendix I for more information on PCI compliance and resources

Page 22

Contact Information

Fiscal Service
• Ian Macoy, Director, RCM Settlement Services, [email protected]
• Richard Yancy, CAS Program Manager, [email protected], 202-874-5217

Comerica
• Winston Wilson, VP, Comerica Merchant, [email protected], 404-547-8015

Vantiv
• Mike Halpin, Senior Relationship Manager, U.S. Treasury, [email protected], 513-900-3385

Appendix I

PCI DSS: Compliance Validation Steps

Page 24

Compliance vs. Validation

Validation: a snapshot of your compliance status
• Entails completion of the Self-Assessment Questionnaire (SAQ) or an on-site audit (depending on your merchant level) in order to "validate" that your organization is compliant according to PCI DSS requirements
• Also requires the quarterly submission of external network vulnerability scans

Compliance: ongoing security controls and procedures that help to protect your business on a 24/7 basis
• Entails continual adherence to the PCI DSS requirements

Validation does not necessarily mean compliance. However, going through the validation process is the best way to understand whether you are truly compliant.

Page 25

Visa & MasterCard Merchant Levels

Merchant Level 1: Any merchant processing 6 million or more Visa® or MasterCard® transactions per year, regardless of acceptance channel. Also, any merchant the card brands deem Level 1.
Merchant Level 2: Any merchant, regardless of acceptance channel, processing 1–6 million Visa® or MasterCard® transactions per year.
Merchant Level 3: Any merchant processing 20,000 to 1 million e-commerce Visa® or MasterCard® transactions per year.
Merchant Level 4: All other merchants, regardless of acceptance channel.

Level 1 merchants have more rigorous compliance validation requirements. Level 4 merchants also have compliance requirements.

Page 26

Merchant Validation

*Note: Due to MasterCard® Site Data Protection (SDP) program rules, all level 1 and 2 merchants that elect to perform their own validation assessments must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend merchant training programs offered by the PCI Security Standards Council (PCI SSC) and pass any PCI SSC associated accreditation program annually in order to continue validation in this manner.

Page 27

New Visa Small Merchant Mandates

https://usa.visa.com/dam/VCOM/download/merchants/bulletin-small-merchant-security-faq.pdf

Page 28

Self-Assessment Questionnaires (SAQ)

Appendix I.1

PCI DSS:PCI Assist

Page 30

PCI Assist

• A set of online data security tools targeted to Level 4 merchants
  – Helps merchants protect their businesses with best practices
  – Provides step-by-step instructions for completing critical steps required for PCI compliance validation
• A service provided by Trustwave®, the leading provider of PCI DSS compliance services
  – Uses TrustKeeper® compliance management software

Page 31

PCI Assist

• Accessed through Trustwave's portal: https://pci.trustwave.com/fiscalservice
• Includes a self-assessment wizard that asks simple questions
• Completes the appropriate SAQ in the background
• Includes an external vulnerability scan for IP-connected merchants

Remember: Cardholder data security is a merchant's responsibility. Level 4 merchants must validate compliance annually.

Page 32

CAS Program Information

• CAS is covering the cost of participation for Level 4 agencies
• To register you will need:
  – "Company Name": if you do not have this, call the Federal Agency Support line at 1-866-914-0558 and request the "chain legal name" associated with your account
  – One of your merchant ID numbers
• To get started please visit: https://pci.trustwave.com/fiscalservice

Appendix I.2

PCI DSS:Service Providers

Page 34

Third-Party Compliance

• Requirement 12.8 addresses third-party compliance within the PCI DSS requirements
• The merchant is responsible for monitoring the compliance status of third parties and ensuring the use of appropriate contractual language
• Use of a gateway/service provider does not exempt the merchant from compliance requirements
• Potential to use SAQ A only if all storing, processing and transmitting of cardholder data is fully outsourced to a third party AND the merchant is exclusively card-not-present

Page 35

Service Provider Validation

Level | Criteria | On-site security audit by a QSA | Self-Assessment Questionnaire | Network vulnerability scans
Level 1 | Any processor directly connected to Visa or MasterCard, or any service provider that stores, processes and/or transmits over 300,000 transactions per year | Report on Compliance (ROC) required annually | Not applicable | Required quarterly
Level 2** | Any service provider that stores, processes and/or transmits fewer than 300,000 transactions per year | Not applicable | Required annually | Required quarterly

**Effective February 1, 2009, Level 2 service providers were no longer listed on Visa's List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider.

Page 36

Service Provider Considerations

• Where possible, use only providers that have engaged a QSA for validation
• If you have a Level 2 service provider that self-validated, only accept SAQ D
• Their areas of non-compliance are your risk
• If a provider states they cannot afford some aspect of compliance or validation, you may want to consider one that can
• Carefully review your contracts with service providers

Appendix I.3

PCI DSS:PCI Resources

Page 38

Helpful PCI Resources

• PCI Security Standards Council – www.pcisecuritystandards.org
  – PCI DSS, PA-DSS, PTS, & P2PE standards
  – Downloadable Self-Assessment Questionnaires
  – Lists of ASVs, QSAs, PFIs, PA-QSAs, QIRs, etc.
  – Lists of PA-DSS validated payment applications, validated P2PE solutions, validated PTS devices
  – Searchable FAQ tool
  – PCI supporting documents
• Visa® CISP website – www.visa.com/cisp
  – Merchant & service provider levels defined
  – List of CISP-compliant service providers
  – Important alerts, bulletins and webinars
• MasterCard® SDP website – www.mastercard.com/sdp
  – Merchant & service provider levels defined
  – List of SDP-compliant service providers
  – PCI 360 Merchant Education Program: on-demand educational webinars

Appendix II

Near Field Communications

Page 40

What is NFC?

Near-Field Communication (NFC) is a set of standards for smartphones and other mobile devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimeters.

Page 41

How does NFC work?

An NFC chip can be on a contactless card, where the chip is tapped or held near the terminal, or the chip can be inside your smartphone, smart watch or other device, and the device is waved near the terminal.

Page 42

Providers - NFC Cards

Page 43

NFC Providers – Smart Phones & Devices

Page 44

How Does an NFC Mobile App Work?

Secure Element and Host Card Emulation

Page 45

How Does an NFC Transaction Work?

1. The customer holds their phone close (about 1.5 in) to the contactless card reader on the payment terminal.
2. Their default card is presented in the mobile app (another card can be selected if desired).
3. They touch their finger to the phone's fingerprint reader to initiate the transaction with the terminal.
4. The transaction processes like a normal transaction: the customer signs or enters a PIN just as they always do.

Page 46

Magnetic Secure Transmission (MST) Payments

In addition to NFC and HCE Visa contactless transactions, Samsung devices can also transact with magnetic stripe terminals using Magnetic Secure Transmission™ (MST) technology.

MST payments are face-to-face transactions made with a Samsung mobile device equipped with MST technology, which wirelessly transmits the payment information encoded on a card's magnetic stripe to either a contactless or a traditional magnetic stripe terminal.

Page 47

NFC Adoption: USA vs. The World

EMV pushing NFC: apart from long-term security benefits, EMV migration has the potential to kick-start contactless payments from both a convenience and a ubiquity perspective.

Outside of the US, NFC ubiquity driven by EMV terminal migration, together with the inconvenience of "dip and wait", sparked contactless "Tap and Go" adoption.

Page 48

Standalone Terminals and PIN Pads (available now)

• Ingenico iCT220 with iPP320: EMV reader, mag stripe reader, contactless reader in PIN pad
• VeriFone Vx520 with Vx805: EMV reader, mag stripe reader, contactless reader in PIN pad

Page 49

VAR/ISV Setups

Next steps: Your agency will need to confirm with your third-party provider whether they are certified with Vantiv for NFC contactless transaction processing and whether the hardware you have is "contactless capable". Vantiv can help!