TRANSCRIPT
EMV IMPLEMENTATION TOOLS
FOR SUCCESS, PCI & SECURITY
February 2014
AGENDA
EMV Overview
EMV Industry Announcements
EMV Transaction Differences, What to Expect
Solution Decisions
VeriFone EMV Solutions
Market Certification Considerations
In-Field Maintenance Requirements
PCI Implications
VeriShield
Questions
WHAT ARE THE EMV FUNDAMENTALS?
What is EMV?
– Global standard for the implementation of chip cards for the purpose of facilitating an electronic payment transaction
– Born out of transit payment programs based in Europe
– An effective technology to protect against duplicate card fraud
How does EMV protect against duplicate card fraud?
1) If an EMV card is presented at an EMV terminal, the terminal forces it to be inserted.
2) Once the card is inserted, the PAN and a dynamic CVV are presented to be used in the authorization request.
3) This dynamic CVV (which changes for each transaction) is validated against what is expected at the host.
Result -> the PAN is static, yet the data changes on each transaction!
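To make the three steps concrete, here is an added illustration (not code from the VeriFone deck) of a chip producing a transaction-unique cryptogram and the issuer host checking it. HMAC-SHA256 stands in for the DES-based MAC that real EMV cards use for the ARQC; the issuer key, the test PAN and the transaction values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key, not a real issuer key.  EMV derives a card-unique
# key from an issuer master key and computes the ARQC with a DES-based MAC
# (EMV Book 2); HMAC-SHA256 stands in for that primitive so the example
# runs with the standard library only.
ISSUER_MASTER_KEY = b"demo-issuer-master-key"


def card_key(pan: str) -> bytes:
    """Card-unique key the issuer personalises into the chip at issuance."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def dynamic_cryptogram(pan: str, atc: int, amount_cents: int,
                       unpredictable_number: str) -> str:
    """Card side: a MAC over the transaction data.  The Application
    Transaction Counter (ATC) increments on every transaction and the
    unpredictable number comes from the terminal, so the value differs each
    time even though the PAN never changes."""
    data = f"{pan}|{atc}|{amount_cents}|{unpredictable_number}".encode()
    return hmac.new(card_key(pan), data, hashlib.sha256).hexdigest()[:16]


class IssuerHost:
    """Host side: recompute the cryptogram from the same inputs and compare,
    then require the ATC to move forward so a captured value cannot be
    replayed."""

    def __init__(self) -> None:
        self._last_atc = {}   # highest ATC accepted per PAN

    def authorize(self, pan: str, atc: int, amount_cents: int,
                  unpredictable_number: str, received_cryptogram: str) -> str:
        expected = dynamic_cryptogram(pan, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, received_cryptogram):
            return "DECLINE: cryptogram does not verify"
        if atc <= self._last_atc.get(pan, -1):
            return "DECLINE: ATC already used (replay)"
        self._last_atc[pan] = atc
        return "APPROVE"


def demo() -> list:
    """Three authorizations against one host: a genuine purchase, the same
    message sent again, and the static PAN reused with a stale cryptogram at
    a new amount (all a copied mag-stripe would give a counterfeit card)."""
    host = IssuerHost()
    pan = "4111111111111111"   # constructed test PAN
    genuine = dynamic_cryptogram(pan, 7, 2599, "1A2B3C4D")
    return [
        host.authorize(pan, 7, 2599, "1A2B3C4D", genuine),
        host.authorize(pan, 7, 2599, "1A2B3C4D", genuine),   # same data resent
        host.authorize(pan, 8, 4999, "9F8E7D6C", genuine),   # stale value, new transaction
    ]
```

Only the first call is approved: the second repeats an ATC the host has already consumed, and the third carries a cryptogram computed over different data. That is the whole point of step 3: the host does not trust the PAN, it trusts a value only the genuine chip could have produced for this transaction.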
EMV is not…
– Chip and PIN – PIN as a cardholder validation method is only one implementation option of EMV
– A silver bullet for PCI compliance – PAN data is still presented in the clear and is valuable for card-not-present transactions
– A cure-all for chargebacks – the programs put in place will help with duplicate card fraud chargebacks, but will not impact others
INTERAC® MARCH 5, 2013 ANNOUNCEMENT
Interac debit card fraud skimming losses plummet to lowest level on record. Losses down 73 per cent in last three years – Interac Association reported today that Interac debit card fraud losses, as a result of skimming, are the lowest on record since 2003 – decreasing to $38.5 million in 2012 from a high of $142 million in 2009. This represents 0.012 per cent of domestic Interac debit card volume and the lowest volume of fraud losses since data were recorded in 2003. Further, the number of cardholders reimbursed fell to 93,800 in 2012 from 238,000 in 2009. Cardholders are protected from losses under the Interac Zero Liability Policy*.
US KEY DATES – CARD NETWORKS
ROLE OF EMVCO
EMVCo manages, maintains and enhances the EMV® Integrated Circuit Card Specifications for chip-based payment cards and acceptance devices, including point of sale (POS) terminals and ATMs. EMVCo also establishes and administers testing and approval processes to evaluate compliance with the EMV Specifications. EMVCo is currently owned by American Express, JCB, MasterCard and Visa.
WHO IS EMVCO?
• Owns, manages, and maintains the global payment industry specifications that define interoperability requirements between chip-based payment cards and acceptance terminals
• Administers the testing and approval process for both chip payment cards and chip acceptance terminals
• EMVCo is not responsible for specific card brand certifications
• EMVCo maintains specifications for both contact and contactless payment schemes
• The EMV Contactless specification was published to define a common contactless interface to be used by the card brands
• Currently each card brand uses its own proprietary application
  • MasterCard M/Chip, Visa qVSDC
  • The applications are similar; both follow EMVCo standards
CANADIAN EMV LEARNINGS
1. Industry Adoption
• How was EMV adopted in the Canadian market?
2. Customer Impacts
• As a cardholder, what can you expect with EMV?
3. Solution Time to Market
• Payment solutions have new requirements and challenges; how will this impact the number of choices going forward?
4. Training and Support
• Merchants are self-trained now; how did this change?
5. Card Requirement Changes
• How did new card products change the landscape?
WHAT ABOUT CONTACTLESS?
How does EMV Contactless differ from EMV Contact?
EMV CONTACT
• Cards are inserted into the chip card (ICC) reader and remain until the transaction is completed
• Different from what consumers are accustomed to today
• Data is read from and written to the chip during a transaction, so the card is updated each time it is used
• Transactions will likely be processed online in the U.S., but offline transaction processing is possible
EMV CONTACTLESS
• Contactless cards must be placed in close proximity to the contactless reader (typically ½ to 3 inches) and remain only momentarily
• The transaction is completed after the card has been removed from the contactless field
• Dual interface cards access the same chip for processing via contact or contactless read
• Contactless cards are typically used for transaction speed and convenience
WHAT ABOUT NFC?
EMV CONTACTLESS VS. NFC
• Both use short-range wireless technology allowing communication between devices at close proximity
• Contactless is typically a one-way transaction between a passive device (contactless card) and an intelligent reader (contactless-capable POS device)
• NFC-enabled transactions involve two-way communications whereby an NFC-capable device (such as a smartphone) exchanges data with an NFC-enabled POS device
• NFC shares a core technology with RFID tags and contactless smartcards, but there are differences
• Multiple ISO standards govern NFC cards
  • ISO/IEC 14443 is a group of four standards covering card type variations – Type A and Type B
  • Reader/Writer mode is governed by the ISO/IEC 14443 standard
  • ISO/IEC 18092 – Near Field Communication Interface and Protocol
  • Peer-to-Peer mode is governed by the ISO/IEC 18092 standard
NFC and EMV Contactless are not synonymous
U.S. TRANSACTION VIEW – TODAY & FUTURE
[Flow diagram comparing the three transaction types; the stages are as labelled on the slide]
MAG-STRIPE DELIVERY: Card Swipe -> Clerk Data Entry / Amt. Other -> Send to Host -> Host Processing (Mag-stripe Validation, Fraud/Velocity Check, Open to Buy Check) -> Response From Host -> Approval/Decline Message -> Receipt Printing
EMV CONTACT: Clerk Data Entry / Amt. Other -> Card Insert -> Terminal Processing (Application Selection, Offline Data Auth., Processing Restrictions, Cardholder Verification (CVM), Terminal Risk Management, Terminal Verification Results (TVR), Terminal Analysis/Decision) -> Send to Host -> Host Processing (Card Validation, Fraud/Velocity Check, Open to Buy Check) -> Response From Host -> Approval/Decline Message -> Receipt Printing -> Remove Card
EMV CONTACTLESS: Clerk Data Entry / Amt. Other -> Card Tap -> Card Processing (Terminal Verification Results (TVR), Terminal Analysis/Decision) -> Send to Host -> Host Processing (Card Validation, Fraud/Velocity Check, Open to Buy Check) -> Response From Host -> Approval/Decline Message -> Receipt (may not be required)
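The "Terminal Verification Results (TVR)" and "Terminal Analysis/Decision" stages in the EMV contact and contactless flows are where the terminal decides whether a transaction is declined offline, sent to the host, or approved offline. The following is an added example of that decision logic (EMV Book 3, section 10.7), not code from the slides or from VeriFone: the TVR bit positions are the real EMV ones, while the Issuer and Terminal Action Code values are constructed for the demo.

```python
# Terminal action analysis: the 5-byte Terminal Verification Results (TVR)
# collects what went wrong earlier in the flow (EMV tag 95).  It is ANDed
# against the Issuer Action Codes (IAC, read from the card) and the Terminal
# Action Codes (TAC, from the acquirer's configuration) to pick the
# cryptogram to request: AAC = decline offline, ARQC = go online,
# TC = approve offline.

# Real TVR bit assignments used in this example: (byte index, bit mask).
TVR_BITS = {
    "offline_data_auth_not_performed": (0, 0x80),
    "expired_application": (1, 0x40),
    "cardholder_verification_failed": (2, 0x80),
    "exceeds_floor_limit": (3, 0x80),
    "randomly_selected_online": (3, 0x10),
}

# Constructed IAC/TAC values for the demo, not any scheme's real parameters.
SAMPLE_IAC = {
    "denial": bytes.fromhex("0040000000"),    # card says: decline if expired
    "online": bytes.fromhex("8000000000"),    # go online if no offline data auth
    "default": bytes.fromhex("8040000000"),
}
SAMPLE_TAC = {
    "denial": bytes.fromhex("0000000000"),
    "online": bytes.fromhex("0000809000"),    # CVM failed, floor limit, random selection
    "default": bytes.fromhex("0000808000"),   # forced offline: CVM failed or floor limit -> decline
}


def build_tvr(*flags: str) -> bytes:
    """Set the named TVR bits; no flags gives the all-clear TVR 00 00 00 00 00."""
    tvr = bytearray(5)
    for flag in flags:
        index, mask = TVR_BITS[flag]
        tvr[index] |= mask
    return bytes(tvr)


def any_bit_set(tvr: bytes, action_code: bytes) -> bool:
    """True if any bit set in the TVR is also set in the action code."""
    return any(t & a for t, a in zip(tvr, action_code))


def unable_to_go_online(tvr: bytes, iac: dict, tac: dict) -> str:
    """Decision when the host cannot be reached, or the terminal is offline-only:
    the Default codes choose between offline decline and offline approval."""
    if any_bit_set(tvr, iac["default"]) or any_bit_set(tvr, tac["default"]):
        return "AAC"
    return "TC"


def terminal_action_analysis(tvr: bytes, iac: dict, tac: dict,
                             terminal_can_go_online: bool = True) -> str:
    """First decision: Denial codes always win, then Online codes, else approve offline."""
    if any_bit_set(tvr, iac["denial"]) or any_bit_set(tvr, tac["denial"]):
        return "AAC"
    if not terminal_can_go_online:
        return unable_to_go_online(tvr, iac, tac)
    if any_bit_set(tvr, iac["online"]) or any_bit_set(tvr, tac["online"]):
        return "ARQC"
    return "TC"


def tvr_hex(tvr: bytes) -> str:
    """Render the TVR the way it appears on a receipt or in a host log."""
    return tvr.hex().upper()
```

Two things worth noticing for the field-upgrade discussion later in the deck: the IAC comes from the card, so a newly issued card product can change the outcome of this step without any terminal change, and the TAC is acquirer configuration, so a terminal whose parameters are never refreshed will keep applying yesterday's risk policy.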
TRANSACTION TIMES COMPARISON
DIAL: Card Swipe -> Pre-Dial -> Clerk UI (Amount) -> Connect -> Transmit/Receive -> Print Receipt
DIAL WITH EMV: Clerk UI/Entry of Data (Amount) -> Insert Card -> Dial -> Connect -> Transmit/Receive -> Print Receipt
PRODUCT DECISIONS FOR THE U.S.
Stand Alone Devices
– Customer total amount verification, EMV card insertion, and contactless tap
– Speed of transaction
– Hand over, external PIN pad (with Contact/Contactless/Mag-stripe Delivery support)
Integrated
– Customer facing; communication options: USB, RS232, IP
– Register software changes to drive the device differently (amount first, no walk up and swipe)
Semi-Integrated
– Light cash register integration (SCI – Secure Commerce Interface)
– Direct to host for processing, removing register knowledge of EMV or transaction data
EMV CAPABLE DEVICES – VX & VX EVOLUTION SOLUTIONS
Countertop series: Vx 570, VX 520
Portable series: Vx 610, Vx 670, VX 680
Consumer Facing series: Vx 810, VX 820, VX 805
OR ADD PP1000SE TO A VX OR VX DEVICE
EMV CAPABLE DEVICES – MX SERIES SOLUTIONS
MX 800 series (Consumer Facing): MX 850, MX 860, MX 870, MX 880
MX 900 series (Consumer Facing): MX 915, MX 925
MARKET SOLUTION CERTIFICATION CHANGES
Certification Criteria
– Level 1, Level 2 certifications
– Brand testing; individual tests vary by scheme
• Each brand has its own specification (based on EMVCo)
– Contact and contactless testing require specialized tools
• Tools are updated frequently to provide the necessary scheme simulation
Results of New Criteria
– Certification will take more time to accomplish at the acquirer level
– Ongoing certification work must be maintained for solutions
– Ongoing investment is required to keep up to date on tools and the certification process
– Specialized training will be required to deliver these new solutions
FIELD UPGRADES, HOW EMV IS DIFFERENT
Today
– Devices are deployed and, in some cases, not touched for years
– Merchants are reluctant to be reprogrammed, or to give time for the activity
– Infrastructure (dial lines, etc.) is not set up to handle large downloads
Tomorrow, EMV Challenges (Contact and Contactless)
– EMV components and kernels for contact and contactless can and will change
– New cards are issued with new functionality, requiring downloads to accept the card
– Interoperability will be impacted if devices are not kept up to speed
– Contactless software components, for EMV and for NFC initiatives, will require updates and changes to remain field-ready for new cards
FIELD UPGRADES, REQUIREMENTS
Merchant Device Support
– The need for more frequent downloads will require more merchant interaction, either in a manual or an automated manner
– Devices will need to “phone home” to check for updates at a defined frequency
– Updates can, and should, be delivered to the POS in an automated manner to ease this new market requirement
VeriFone Estate Management Solutions
– VFI can provide end-to-end solutions for management of these software components, along with other application requirements
– Solutions can be delivered as “host it yourself”, or through VFI Managed Services
• Allowing for management of your own portfolios, maintenance of your portfolios, and real-time dashboards of your status
– VeriCentre & VHQ look and feel can be provided to ease adoption
PCI COMPLIANCE
PCI DATA SECURITY STANDARDS OVERVIEW
The PCI Security Standards Council offers comprehensive standards and supporting materials to enhance payment card data security.
PCI DSS (Data Security Standards)
– Covers a broad base of technologies and processes, such as encryption, access control, and vulnerability scanning, to offer a sound baseline of security
PCI PIN Transaction Security (PTS)
– A single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals
PCI PTS COMPLIANCE
Why is PCI PTS compliance important?
PCI PTS COMPLIANCE
The PCI Security Standards Council (SSC) analyzes changes in the threat environment, which typically occurs every three years.
Pre-PCI attended POS PIN entry devices must be retired by December 31, 2014.
PCI PTS Version 1.x devices will expire on April 30, 2014.
Acquirers purchasing devices that are on the list of devices that will expire will assume liability.
SUNSET OF PCI PTS 1.X PIN ENTRY DEVICES
Updated Visa PIN Entry requirements for PCI PTS 1.x devices allow PCI 1.3 devices to be deployed and used after April 30th as long as they were purchased from the manufacturer prior to the expiration date.
PCI COMPLIANCE EDUCATION
VeriFone is proactively educating our partners and customers on PCI compliance:
– Bulletins/Flyers
– Webinars
– Industry Events
WORLDWIDE PCI PTS TIMELINE
PCI RESOURCES
Visa PIN Entry Device Requirements & FAQ: http://usa.visa.com/download/merchants/visa-PED-Requirements-2013.pdf
PCI DSS v3.0: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
PCI DSS Summary of Changes v2.0 to v3.0: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf
Glossary of Terms, Abbreviations, and Acronyms: https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf
VERISHIELD TOTAL PROTECT
Reduce PCI scope
Minimize risk
Protect sensitive data
Monitor all systems in real time at the device level
VeriShield Total Protect removes the burden of protecting payment card data from the merchant using multiple defense layers: encryption and tokenization.
ENCRYPTION – Delivers encryption in a way that is transparent to the merchant’s receiving systems, with low disruption / minimal POS system impact. Protects card data from the point of capture to the point of decryption.
TOKENIZATION – Stores tokens rather than card data, using random-number tokenization after authorization.
COMBINING ENCRYPTION AND TOKENIZATION
1. Payment card data is read at the merchant’s payment device.
2. The Primary Account Number (PAN) and other discretionary data are encrypted.
3. The data is decrypted by the decryption service and a token is generated by the RSA server.
4. Payment information is passed to the bank for authorization.
5. Transaction authorization is given to the processor.
6. Transaction authorization and the token are returned to the merchant.
7. The merchant can safely store the token and re-use it for post-authorization activities such as returns.
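An added illustration (not VeriFone code) of steps 3, 6 and 7 of the flow: the token service issues a random token after authorization, the merchant keeps only the token and the last four digits, and a later return references the token rather than the card. The point-of-capture encryption of steps 1 and 2 happens before this code runs and is outside the snippet; the class names, the token format and the test PAN are assumptions.

```python
import secrets


class TokenService:
    """The decryption/token service.  It holds the vault, so it is the only
    party that can map a token back to a PAN."""

    def __init__(self) -> None:
        self._vault = {}   # token -> PAN, never leaves this service

    def tokenize(self, pan: str) -> str:
        # Random-number token: no mathematical relation to the PAN, so a token
        # is useless to anyone who does not hold the vault.  The prefix keeps it
        # from ever being mistaken for a card number.
        while True:
            token = "tok_" + secrets.token_hex(12)
            if token not in self._vault:
                self._vault[token] = pan
                return token

    def authorize(self, pan: str, amount_cents: int) -> dict:
        """Steps 4 to 6: bank authorization (simulated here as 'any positive
        amount is approved') and the token returned with the result."""
        approved = amount_cents > 0
        return {"approved": approved, "token": self.tokenize(pan) if approved else None}

    def refund(self, token: str, amount_cents: int) -> str:
        """Step 7 on the service side: resolve the token, then act on the card."""
        pan = self._vault.get(token)
        if pan is None:
            return "REJECTED: unknown token"
        return f"REFUND {amount_cents} to card ending {pan[-4:]}"


class MerchantSystem:
    """Merchant side: never persists a PAN, only the token and the last four digits."""

    def __init__(self, service: TokenService) -> None:
        self.service = service
        self.orders = {}   # order id -> stored record

    def sale(self, order_id: int, pan: str, amount_cents: int) -> bool:
        result = self.service.authorize(pan, amount_cents)
        if result["approved"]:
            self.orders[order_id] = {
                "token": result["token"],
                "last4": pan[-4:],      # enough for a receipt or a lookup
                "amount": amount_cents,
            }
        return result["approved"]

    def refund(self, order_id: int) -> str:
        """Post-authorization activity driven by the stored token alone."""
        order = self.orders[order_id]
        return self.service.refund(order["token"], order["amount"])
```

If the merchant database in this model is exposed, what leaks is a set of opaque tokens and last-four digits; the mapping back to card numbers lives only in the service, which is what takes the merchant's storage out of scope for the PAN.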
VERISHIELD RETAIN
[Diagram: VeriShield Retain – AUTHORIZED CERTIFICATE vs. UNAUTHORIZED CERTIFICATE]
BUSINESS PROTECTION – Prevents unauthorized access to payment devices; accommodates trusted partners and their value-added applications
PROVIDES THE HIGHEST SECURITY – System-level password protection; file authentication to protect merchants against fraud or misuse
EASY TO IMPLEMENT AND CAN BE ADDED TO EXISTING ESTATE
IMPROVES MERCHANT RETENTION
ACCOMMODATES AUTHORIZED 3RD PARTY DEVELOPERS
File authentication software that helps you retain your merchant estate, keep competitors at bay and protect your business interests.
SPONSOR CERTIFICATE FLYER DETAILS
VX Evolution meets the highest security standards. Application certificates, like “keys”, are one of the pieces in this solution; they are used to sign (or lock) applications, which must be authenticated in order to run. Application certificates have multiple benefits to the ISO and processor.
Retention
– VX allows ISOs to lock their terminal base. Merchants will have to contact the ISO in order to move to a different merchant services relationship.
Superior Security
– VX devices cannot be re-downloaded when sponsor certificates are used. No rogue software can be downloaded. Nothing is more secure.
– To provide the best support, and to know whether your applications will work properly in an existing merchant’s device, review the following steps:
  – Identify which certificate is used in the application to be downloaded. You can check your download files if you have your own VeriCentre, or ask your service provider if you use someone else for this.
  – Check the merchant’s device before you download. Newer versions of the operating system display the certificate owner when you power cycle the device.
  – Error messages may be presented when authentication fails because the device already has a different application certificate from the certificates included in the new application attempting to download. This secure approach allows processors and ISOs to have their own specific application certificate.
– In essence, all of the devices are “locked”. It is just a matter of whether they are locked with a VeriFone certificate or a customer-specific certificate.
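The three checks in the steps above (which certificate signed the file, which certificate the device is locked to, and the authentication failure when they differ) can be modelled in a few lines. The following is an added example, not VeriFone’s file-authentication implementation: HMAC-SHA256 under a per-certificate secret stands in for the certificate-based signing the product uses, and the owner names, keys and application images are constructed.

```python
import hashlib
import hmac


class ApplicationCertificate:
    """A sponsor/application certificate: an owner name plus the key that signs
    files on the owner's behalf.  (Stand-in: HMAC with a per-certificate secret
    instead of a public-key signature.)"""

    def __init__(self, owner: str, signing_key: bytes) -> None:
        self.owner = owner
        self._key = signing_key

    def sign(self, app_image: bytes) -> dict:
        """Produce a download package: the file, its certificate owner and a
        signature over the file."""
        sig = hmac.new(self._key, app_image, hashlib.sha256).hexdigest()
        return {"owner": self.owner, "image": app_image, "signature": sig}

    def verify(self, package: dict) -> bool:
        expected = hmac.new(self._key, package["image"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, package["signature"])


class LockedTerminal:
    """Every device is locked to some certificate; the only question is whose."""

    def __init__(self, installed: ApplicationCertificate) -> None:
        self.installed = installed
        self.running = None

    def certificate_owner(self) -> str:
        """What a newer OS displays when the device is power cycled."""
        return self.installed.owner

    def download(self, package: dict) -> str:
        """File authentication at download time: owner must match, then the
        signature must verify; only then does the image become the running app."""
        if package["owner"] != self.installed.owner:
            return (f"AUTHENTICATION FAILED: device locked to '{self.installed.owner}', "
                    f"file signed with '{package['owner']}'")
        if not self.installed.verify(package):
            return "AUTHENTICATION FAILED: signature does not verify"
        self.running = package["image"]
        return "INSTALLED"


def pre_download_check(device: LockedTerminal, package: dict) -> bool:
    """The check recommended above before sending a download: compare the
    certificate owner shown by the device with the one in the download files."""
    return device.certificate_owner() == package["owner"]


# Constructed demo: two ISOs with their own certificates and a device locked to one.
ISO_A = ApplicationCertificate("ISO-A", b"demo-key-iso-a")
ISO_B = ApplicationCertificate("ISO-B", b"demo-key-iso-b")


def demo() -> list:
    device = LockedTerminal(ISO_A)
    own = ISO_A.sign(b"payment app v2.0 (constructed image)")
    other = ISO_B.sign(b"payment app v2.0 (constructed image)")
    corrupted = dict(own, image=b"payment app v2.0 (constructed image) + changed bytes")
    return [
        pre_download_check(device, own),
        device.download(own),
        pre_download_check(device, other),
        device.download(other),
        device.download(corrupted),
    ]
```

The pre-download check catches the owner mismatch before any file is sent, which is what the “check the merchant’s device before you download” step buys you; the signature check at the device is what stops a file that claims the right owner but was not actually signed under that certificate.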
MORE INFORMATION
To learn more about EMV and VeriFone’s hardware, software, training and support solutions that can smooth the EMV migration process, please go to www.verifone.com/emv-us and www.verifonezone.com
QUESTIONS