EMV: Educating A New Payment Process

Art Harper, Director of Card Payment Solutions Product Management

10/14/2014



Agenda

Background PSCU efforts

Industry News

What Is EMV?

Profiles – Online / Offline

Cardholder Verification Methods (CVM’s)

PSCU offerings

Strategies / Recommendations


PSCU involvement in the EMV Migration Movement

EMVCo / EMV Migration Forum

Education Committee

ATM Working Committee

Debit Working Committee

Phase 1 Roll out Committee


Breaches in the news


Breaches in the last 9 months

• Target

• Neiman Marcus

• Michaels (twice)

• Sally Beauty Supply

• Chicago area taxi system (Yellow and Blue Cabs)

• P.F. Chang’s

• Albertsons / Safeway

• Home Depot

• Kmart / Dairy Queen


EMV (magic bullet?)

While constantly being improved, EMV is a 20-year-old technology. Some justifiably complain that it is all cost and no benefit (to them) and that the adoption of a newer technology would make more sense.


What is EMV?

EMV: Europay, MasterCard, & Visa

EMV chip cards contain a microprocessor that provides strong transaction security features & additional options that are not possible with magnetic stripe cards.

Ensures interoperability between chip-based payment cards & terminals.

EMVCo manages, maintains, & enhances the specifications.

http://www.emvco.com


Glossary of EMV Terms

Application Identifier (AID) - Data label for the application used on a chip card

Application Transaction Counter (ATC) - Counters on a chip card and the master file that provide a sequential reference for each transaction

Cardholder Verification Method (CVM) - The method used to authenticate the cardholder

• Offline PIN - uses the PIN housed on the chip

• Online PIN - uses the PIN housed on the master file

• Signature

Chip Card - A plastic card embedded with an integrated circuit or chip

• AKA - Smart Card, Integrated Circuit Card (ICC), Contactless, Contact Chip Card, or Dual Interface Card (contains Contact & Contactless functionality)

Data Encryption Standard (DES) - Algorithm in which two users share the same key

Data Authentication - Process for authenticating the card during an EMV transaction

• Dynamic Data Authentication (DDA) - uses static and unique elements for authentication

• Static Data Authentication (SDA) - uses static elements for authentication


Glossary of EMV Terms (cont’d)

Fallback - Transactions where magstripe is used instead of the chip (typically requires merchant intervention)

Liability Shift - Determining where fraud liability lies

Near Field Communication (NFC) - Transaction data is transmitted wirelessly

Offline Only Terminal - A terminal that isn’t capable of sending a transaction online

Payment Card Industry Data Security Standard (PCI DSS) - Data security protocol

Personal Identification Number (PIN)

Transaction Authorization

• Offline Authorization - authorization of the transaction is performed by the terminal without connecting to the host

• Online Authorization - authorization of the transaction is performed by the host


EMV Current State - Industry

• Global

• U.S.A.


EMV Current State – Industry Global

On a global scale, EMV has achieved critical mass:

• 99.9% of terminals in Europe are chip-enabled

• 84.7% of terminals in Canada, Latin America, and the Caribbean are chip-enabled

• 86.3% of terminals in Africa and the Middle East are chip-enabled

• 71.7% of terminals in Asia Pacific are chip-enabled

Need Source


EMV Current State - Industry U.S.A.

Major issuers have moved from “planning” to actually issuing EMV cards

• Amex

• Bank of America

• Barclaycard

• Capital One

• Citi

• Chase

• Suntrust

• Walmart & Sam’s Club (GE)

• Wells Fargo

• USAA

• US Bank

Source: EMV-Connection.com, July 2014

Current Issuer Forecast for Credit Cards

• 25% 2014

• 70% 2015

• 91% 2016

• 98% 2017

Source: Aite, June 2014

43%: PSCU credit card processing members issuing or queued for certification


Fraud Impact / Info


EMV Current State – Industry Global – EMV Impact on Fraud

United Kingdom – 2004 to 2013

• Counterfeit fraud decreased from £130 GBP to £33M GBP

• Lost/Stolen fraud decreased from £114M GBP to £59M GBP

• Card Not Present fraud increased from £151M GBP to £301M GBP

Australia – 2008 to 2012

• Counterfeit fraud (domestic & foreign) decreased from $50M AUD to $28M AUD

• Lost/Stolen fraud decreased from $16M AUD to $23M AUD

• Card Not Present fraud increased from $83M AUD to $183M AUD

Canada – 2008 to 2013

• Counterfeit & Lost/Stolen fraud dropped from $254 CAD to $111 CAD

• Card Not Present fraud increased from $128 CAD to $299 CAD


EMV Current State – Industry U.S.A.

[Chart: Total US Fraud Forecast, 2011 to 2018; series: Card Not Present, Lost/Stolen, Counterfeit]

Source: Aite, June 2014


Value of EMV


EMV Current State - Industry

Value Summary of Moving to EMV Cards from Mag. Stripe

Fact: Not all merchants have made the shift to EMV terminals

What this means to the CU: After October 2015, fraud liability will shift to the merchant when an EMV card is used if they have not enabled EMV terminals

Fact: Fraudsters will target Financial Institutions that have not taken the steps to migrate their cards from mag. stripe to EMV

What this means to the CU: EMV becomes an Insurance Policy for the CU to not only protect them financially but to also protect their brand image from the negative impact of a fraud event

Fact: Fraud events are great topics for the evening news – bad publicity on local news channels can negatively impact a CU’s reputation and brand promise

What this means to the CU: Social Responsibility and Reputation could be tarnished from not ‘doing the right thing’ and protecting their Members from fraud in the best ways possible

Fact: Consumers need peace of mind from their Financial Institution

What this means to the CU: Moving to EMV is a way to project Member Loyalty and put their card on top of the Member’s wallet.


Profiles


Credit Card Profiles

There are two types of profile configurations –

Chip and Signature (Online)

Chip and PIN (Offline)


Chip and Signature (Online Profile)

Only allows online authorizations

CH Selected PINs will work with this profile as it will validate the PIN from the host vs. the chip

Recommended for credit unions that

• Have minimal cardholders living or traveling overseas

• Want to allow CH Selected PIN


Chip and PIN (Offline Profile)

Includes online and offline authorizations

Additional fees associated with profiles due to public keys for merchants to translate the encrypted chip data

Cannot support CH Selected PINs due to challenges with updating the chip with new offsets

Recommended for credit unions with cardholders living and traveling overseas


Why is choosing the right profile important?


Country Listing of Profiles


Are the US merchants ready?

Will they be ready by 2015?


EMV Current State – Industry U.S.A.

• Merchants are gearing up – top five retailers & more on board

• Walmart & Sam’s Club – 100% EMV enabled

• Kroger

• Costco – EMV capable

• Target – Enablement in process for completion September 2014

• The Home Depot

• Best Buy

Current POS Forecast

• EMV capable POS terminal deployments expected to reach 75% in 2014 and 100% in 2015

• EMV enabled POS terminals lag but enablement can be rapid if market conditions require


Is EMV a requirement for financial institutions?


POS terminals are critical to EMV processing

The liability shift is a merchant issue

There is NO mandate for issuers

The largest U.S. distributor of POS terminals has stated that all terminals shipped in the last two years are EMV and contactless-ready from a hardware standpoint; however, EMV software has not been turned on.


EMV Liability Shift Dates

[Timeline axis: 2011, 2012, 2013, 2015, 2016, 2017]

Liability Shift Announcement

Visa & MC waive PCI Data Security Audit Fee for merchants

EMV must be supported by Acquirers & Sub-Processors

Liability Shift: Cards aligned on date Debit/Credit

Shift counterfeit fraud liability to ATM owner for all EMV enabled cards used at U.S. ATMs

Automated Fuel Dispensers liability shift for EMV transactions

Processors support Amex EMV transactions

Merchants eligible for relief from PCI Data Security Standard (DSS)

Fraud Liability Shift (FLS) policy (on issued cards)

Processors & merchants must be EMV certified & support network data in contact & contactless EMV chip card transactions

October 2015, there is a card issuance liability shift


Global Brand Position on EMV

In a January 8, 2014 letter to customers, MasterCard’s President of North American Markets Chris McWilton indicates that now is the time for the US to migrate to EMV

• To help maintain the momentum and address the larger fraud threat, they will keep the 2015 liability shift dates

January 30, 2014, Visa Sticks to EMV Deadline; CEO Decries Data-Breach Blame Game and ‘Misinformation’

• Visa Inc. chief executive Charles Scharf on Thursday quelled rumors that the payment network might change its October 2015 liability-shift deadline for Europay-MasterCard-Visa chip card


What changes in your world with EMV?


Everything

• Policies & Procedures

• Contact Center Scripts

• Training

• Marketing

• Fraud

• Card design

• Portfolio clean up

• New Data elements

• New reports / Revised reports


First Data Reports

New Reports: CD-3808, AD-148, ED-800, DD-031/DD-031A, CD-4260, MM-444M, SM-727, EM-821

Changed Reports: CD-031, CM-731, CD-676, CD-1646, CD-1647, CD-1648, SD-119


Credit, Debit & ATM

PSCU EMV Solutions


Chip and Signature (Online Profile)

Only allows online authorizations

No public keys are required

CH Selected PINs will work with this profile as it will validate the PIN from the host vs. the chip

Recommended for credit unions that

• Have minimal cardholders living or traveling overseas

• Want to allow CH Selected PIN


Chip and PIN (Offline Profile)

Includes online and offline authorizations

Additional fees associated with profiles due to public keys for merchants to translate the encrypted chip data

Cannot support CH Selected PINs due to challenges with updating the chip with new offsets

Recommended for credit unions with cardholders living and traveling overseas


Credit EMV Card Options (which card type)

Card Types

Contact EMV Card: Insert & leave until transaction complete

Dual Interface EMV Card: Supports contact & contactless payment methods

Transaction Authorization Types

Signature Only

Online PIN: Same authorization process used today

Offline PIN: New authorization method

• Adds locations

• Adds complexity to authorization process

Note: All EMV Cards contain chip & magnetic stripe


Cardholder Verification Methods

Offline PIN – cardholder is verified by comparing the PIN entered to the PIN securely stored on the chip without going to the issuer host system for authentication

Online PIN – cardholder is verified by comparing the PIN entered to the PIN stored on issuer host system

Signature – cardholder is verified by their signature

No CVM – cardholder verification is not required for transaction

• Below floor limit

• Small dollar transactions (typically less than $25)


CVM interaction at the POS terminal


Cardholder Verification List Operation

Chip and PIN (Offline Profile) with Signature Preferred CVM (PSCU’s Visa Offline Profiles use this CVM priority list)

[Diagram: card CVM list with slots CVM 1 to CVM 5; CVMs shown: Online PIN for ATM, Online PIN at POS, Offline PIN at POS, Signature, No CVM. Terminal Capability Profile (POS Terminal): Offline PIN supported. Other label: No Match]


Cardholder Verification Profile

Chip and PIN (Offline Profile) with Offline PIN preferring CVM (PSCU’s MasterCard Profile uses this CVM priority)

[Diagram: card CVM list with slots CVM 1 to CVM 5; CVMs shown: Online PIN for ATM, Online PIN at POS, Offline PIN at POS, Signature, No CVM. Terminal Capability Profile (POS Terminal): No online PIN support, No offline PIN support, Signature, No CVM]


Cardholder Verification Profile

Chip and Signature (Online Profile) with Signature preferring CVM

[Diagram: card CVM list with slots CVM 1 to CVM 5; CVMs shown: Online PIN for ATM, Online PIN at POS, Offline PIN at POS, Signature, No CVM. Terminal Capabilities (POS Terminal): Online PIN supported, Offline PIN supported, Signature, No CVM]
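
The CVM selection that the three slides above diagram, as an added example that is not part of the original deck: the terminal walks the card's CVM list in priority order and uses the first entry it can perform. The rule orderings, the terminal definitions and all names are assumptions made for illustration; the $25 No CVM limit is the "typically less than $25" figure from the Cardholder Verification Methods slide, and real cards encode this list in a binary format not shown here.

```python
from dataclasses import dataclass
from typing import Optional

ONLINE_PIN, OFFLINE_PIN, SIGNATURE, NO_CVM = (
    "Online PIN", "Offline PIN", "Signature", "No CVM")


@dataclass(frozen=True)
class CvmRule:
    method: str
    environment: Optional[str] = None    # "ATM", "POS", or None for either
    max_amount: Optional[float] = None   # rule applies only below this amount


@dataclass(frozen=True)
class Terminal:
    environment: str        # "ATM" or "POS"
    supported: frozenset    # CVMs this terminal can perform


def select_cvm(cvm_list, terminal, amount):
    """Return the first CVM, in card priority order, that the terminal can
    perform for this transaction, or None when nothing matches."""
    for rule in cvm_list:
        if rule.environment and rule.environment != terminal.environment:
            continue        # rule is for the other kind of terminal
        if rule.max_amount is not None and amount >= rule.max_amount:
            continue        # amount too high for this rule
        if rule.method not in terminal.supported:
            continue        # terminal cannot perform this CVM
        return rule.method
    return None             # "No Match": cardholder verification not performed


# Assumed priority orderings (the slides name the preference, not the order).
SIGNATURE_PREFERRED = [
    CvmRule(ONLINE_PIN, "ATM"),
    CvmRule(SIGNATURE, "POS"),
    CvmRule(ONLINE_PIN, "POS"),
    CvmRule(OFFLINE_PIN, "POS"),
    CvmRule(NO_CVM, "POS", max_amount=25.00),
]
OFFLINE_PIN_PREFERRED = [
    CvmRule(ONLINE_PIN, "ATM"),
    CvmRule(OFFLINE_PIN, "POS"),
    CvmRule(ONLINE_PIN, "POS"),
    CvmRule(SIGNATURE, "POS"),
    CvmRule(NO_CVM, "POS", max_amount=25.00),
]

# Constructed terminals, modelled on the capability boxes in the slides.
FULL_POS = Terminal("POS", frozenset({ONLINE_PIN, OFFLINE_PIN, SIGNATURE, NO_CVM}))
SIGNATURE_POS = Terminal("POS", frozenset({SIGNATURE, NO_CVM}))  # no PIN pad
ATM = Terminal("ATM", frozenset({ONLINE_PIN}))
KIOSK = Terminal("POS", frozenset({NO_CVM}))                     # unattended

if __name__ == "__main__":
    for name, profile in (("signature preferred", SIGNATURE_PREFERRED),
                          ("offline PIN preferred", OFFLINE_PIN_PREFERRED)):
        for label, term in (("full POS", FULL_POS), ("signature POS", SIGNATURE_POS),
                            ("ATM", ATM), ("kiosk", KIOSK)):
            print(f"{name:22} {label:14} -> {select_cvm(profile, term, 60.00)}")
```

The same terminal gives a different outcome depending on which profile the card carries, which is why the profile decision drives the cardholder experience at the point of sale.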


Will EMV cards have a magstripe?

Will magstripe go away?


Will EMV Cards Have A Magnetic Stripe?

EMV Cards will have a magstripe

EMV cards will have both chip and magnetic stripes

Why?

To assure global acceptance and interoperability

The magnetic stripe contains a service code that indicates to the terminal that a chip is on the card

The liability shift that begins October 2015 is intended to incent both merchant and issuer migration


Some basic Credit Card Decision Questions:

• What EMV profile will I use? (Profile decision influences CVM)

• Will the EMV card be contact or dual interface?

• Do we want to incorporate this into a new program? (Signature/World)

• Should we set up a new BIN? (Depends on answers to above)

• How much do we want to change the card design? (Small design changes due to location of chip)

• Do we offer cardholder selected PIN today?

• Do we offer on the same BIN? Or set up new Prin under a current BIN?


Credit, Debit & ATM

PSCU EMV Solutions


Visa and First Data Partner on EMV Common Debit Solution

Feb. 26, 2014 – Visa Inc. (NYSE: V) and First Data’s STAR® Network announced an agreement to share Visa’s common debit solution offering issuers, acquirers and merchants a streamlined and cost-effective approach for debit EMV chip adoption. EMV cards contain an embedded computer processor or a chip that generates a one-time code for each transaction making it nearly impossible for criminals to counterfeit.


Fiserv and MasterCard Agreement Advances Debit EMV Adoption in the U.S.

March 12, 2014 – Fiserv, Inc. (NASDAQ: FISV) and MasterCard (NYSE: MA) today announced an agreement to make MasterCard’s U.S. common debit EMV solution available for the Accel™ debit network.

Under this agreement, MasterCard issuers receive flexibility to select and implement network relationships, while merchants and acquirers will continue to route transactions as they prefer, without introducing multiple applications and complicated technology upgrades. The agreement provides Fiserv clients with access to a broad EMV solution.


Debit Solution will contain 2 AID’s

[Diagram: EMV Debit Solution with two AIDs: Global AID and US Common AID. Other labels: Online PIN, No CVM; Visa or MC rails]


Debit AID’s = Is there one for us now?

AID’s being marketed, with description:

• Visa Common AID: One application where transactions route through Visa’s Interlink system. Not Durbin compliant, no other network routing on application.

• MasterCard Common AID: One application where transactions route through MasterCard’s Maestro system. Not Durbin compliant, no other network routing on application.

• Secure Remote Payment Council (SRPc) Common Network AID: Ten (10) debit network members have agreed to adopt a common US debit application identifier (AID) based on Discover’s D-PAS technology. Associations do not approve AID. No International aspect for signature.

The main problem is no association has dual network routing at this time. What does this mean for marketplace?


What if a credit union decided to go with one of the Common Debit AID’s now?

The credit union would not be Durbin compliant and would have to reissue all of those plastics once a certified Durbin Debit Solution is approved for the marketplace.

What if a credit union decided to go with one of those AID’s?


Credit, Debit & ATM

PSCU EMV Solutions


Credit Union Responsibility for ATM EMV Readiness

ATM Manufacturer Requirements

NCR

• Aptra-edge 4.0 and AANCD 3.4.2

• Verify if the CPU has the memory to handle the new software

• Verify the card reader can handle / support EMV cards

Diebold

• Agilis 3.0

• Verify if the CPU has the memory to handle the new software

• Verify the card reader can handle / support EMV cards

Hyosung

• 2.03.xx.xx

• Verify if the CPU has the memory to handle the new software

• Verify the card reader can handle / support EMV cards

Wincor

• Proflex 3.0

• Verify if the CPU has the memory to handle the new software

• Verify the card reader can handle / support EMV cards

PSCU will not be able to support OS2 terminals. These ATMs will need to be upgraded or replaced.


Maestro EMV ATM Announcement / PSCU first to offer in US

November 4, 2013: Credit Union Times

Tennessee Credit Union First with EMV Test

ORNL Federal Credit Union in Oak Ridge, Tenn., will be the first financial institution to conduct an EMV transaction on MasterCard’s Maestro network with PSCU, the payment processing CUSO announced. The 160,000-member, $1.5 billion institution began deploying the technology to read the cards, which rely on an embedded chip for authentication, in September. First Data, the Atlanta-based card processing giant, was certified last week by MasterCard to process Maestro EMV transactions. Initially, the privately held payments network said it will support NCR and Diebold ATMs, with additional hardware manufacturers to follow.


Key Considerations

EMV Migration


Card Design – Start NOW!

The chip must be placed as shown on all cards to ensure interoperability with POS equipment

Will your current design work or do you need a new one?

Plastics cannot be ordered without an approved design so start now


Card Design Resource

MemberConnect/Product Resources/EMV/EMV Migration


Reissue Strategy

EMV eliminates conversations & investment of resources that happen around a compromise

Blocking cards

Adjusting Falcon strategies

Monitoring

Mass reissue?

Compromises are coming more often and the cost is more than the fraud


PSCU EMV Resources


EMV Training Materials

A microsite was created:

http://www.pscu.com/emv/

The microsite contains:

• Brief history of EMV

• Liability shift timelines

• Glossary of Terms

• Current available PSCU solutions

• FAQs

• Links to EMVCo


https://www.dropbox.com/sh/9zvz6mpao985916/jRzD51RKBW


PSCU Microsite and Blog site

www.pscu.com/emv

www.pscuinsights.com


EMV FAQ’s

1. Will the plastic design need to be changed? Yes, the chip needs to be in a certain location on the plastic.

2. How can I reduce the costs? Extend the expiration date. Roll out EMV in conjunction with Visa Signature or MC World program.

3. Can I issue EMV cards and Magstripe on the same BIN? Yes, once the BIN is certified, helps keep costs down.

See other FAQ’s on the EMV microsite @ www.pscu.com/emv


PSCU Strategy Recommendation


Issuer EMV Concerns: Adopt Now or Wait?

Do It Now:

Many issuers may wait until closer to the Oct 2015 liability shift; card manufacturers may not be able to keep up with demand

Fraudsters are targeting the U.S. and our magstripe card technology

Lengthy startup timeframe to get EMV cards (6 months or more)

Wait:

Will plastic EMV cards be the long-term solution or will some device be the way to go in 2015?

Possible liability shift date extension for Visa and MasterCard?


In Response to Overseas Travel

Create new EMV Credit Card Product

• Min. 150 Day Implementation

• Committed Strategy

• Premium Card (Visa Signature/MC World)


Debit EMV Adoption:

Strategy

Understand the Common AIDs being promoted out in the market

Wait until there is a Durbin compliant solution

Work with PSCU on reissue strategy:

• Natural

• Mass


ATM EMV Adoption:

Strategy

Complete ATM readiness checklist with ATM manufacturer

Work with PSCU on load images


Questions?