EMV IMPLEMENTATION TOOLS FOR SUCCESS, PCI & SECURITY February 2014

Upload: dinhtuyen

Post on 03-Jul-2018


Page 1: EMV IMPLEMENTATION TOOLS FOR SUCCESS, PCI & SECURITYgo.p2office.com/rs/posportal/images/Security_Webinar_02142014.pdf · – Global Standard for the implementation of chip ... –Certification

EMV IMPLEMENTATION TOOLS FOR SUCCESS, PCI & SECURITY

February 2014

AGENDA

– EMV Overview
– EMV Industry Announcements
– EMV Transaction Differences, What to Expect
– Solution Decisions
– VeriFone EMV Solutions
– Market Certification Considerations
– In-Field Maintenance Requirements
– PCI Implications
– VeriShield
– Questions

WHAT ARE THE EMV FUNDAMENTALS?

What is EMV?

– Global Standard for the implementation of chip cards for the purpose of facilitating an electronic payment transaction
– Born out of transit payment programs based in Europe
– An effective technology to protect against duplicate card fraud

How does EMV Protect against Duplicate Card Fraud?

1) If an EMV Card is presented at an EMV Terminal, the terminal forces it to be inserted.
2) Once card is inserted, PAN and Dynamic CVV are presented to be used in the authorization request.
3) This Dynamic CVV (changes for each transaction) is validated against what is expected at the host.

Result -> PAN is static yet data changes on each transaction!
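The host-side check in step 3, sketched as an added example that is not part of the original slides. It shows why data copied from one transaction is declined when presented again. Assumptions: HMAC-SHA-256 truncated to 8 hex digits stands in for the card's real cryptogram algorithm, the host requires a strictly increasing transaction counter (ATC), and the PAN, key and class names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not real card data.
PAN = "4111111111111111"
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def dynamic_value(card_key: bytes, pan: str, atc: int) -> str:
    """Per-transaction value: MAC over the PAN and a transaction counter (ATC).

    HMAC-SHA-256 truncated to 8 hex digits is a stand-in chosen for this
    example; it is not the cryptogram algorithm real EMV cards use.
    """
    msg = pan.encode() + atc.to_bytes(2, "big")
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:8]


class Chip:
    """Card side: holds the key and a counter that advances on every use."""

    def __init__(self, card_key: bytes, pan: str):
        self._key, self.pan, self.atc = card_key, pan, 0

    def authorization_data(self) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc,
                "dcvv": dynamic_value(self._key, self.pan, self.atc)}


class Host:
    """Issuer side: recomputes the expected value and tracks the counter."""

    def __init__(self):
        self._keys = {}       # PAN -> card key
        self._last_atc = {}   # PAN -> highest counter accepted so far

    def enroll(self, pan: str, card_key: bytes) -> None:
        self._keys[pan] = card_key

    def authorize(self, req: dict) -> str:
        key = self._keys.get(req["pan"])
        if key is None:
            return "DECLINE: unknown card"
        # Simplification for this example: the counter must strictly increase.
        if req["atc"] <= self._last_atc.get(req["pan"], 0):
            return "DECLINE: counter replayed"
        expected = dynamic_value(key, req["pan"], req["atc"])
        if not hmac.compare_digest(expected, req["dcvv"]):
            return "DECLINE: dynamic value mismatch"
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVE"


def run_demo() -> list:
    host, chip = Host(), Chip(CARD_KEY, PAN)
    host.enroll(PAN, CARD_KEY)
    first = chip.authorization_data()
    results = [host.authorize(first)]            # genuine transaction
    results.append(host.authorize(dict(first)))  # same data presented again
    # Copied dynamic value presented with a fresh counter.
    results.append(host.authorize(dict(first, atc=first["atc"] + 1)))
    results.append(host.authorize(chip.authorization_data()))  # next genuine use
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The PAN is identical in all four requests; only the genuine chip, which holds the key and advances the counter, produces data the host accepts.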

EMV is not…

– Chip and PIN – PIN as a cardholder validation method is only one implementation option of EMV
– A Silver Bullet for PCI Compliance – PAN data is still presented in the clear and valuable for card not present transactions
– Cure All for Chargebacks – The programs put in place will help with duplicate card fraud chargebacks, but will not impact others

INTERAC® MARCH 5, 2013 ANNOUNCEMENT

Interac debit card fraud skimming losses plummet to lowest level on record.

Losses down 73 per cent in last three years–Interac Association reported today that Interac debit card fraud losses, as a result of skimming, are the lowest on record since 2003–decreasing to $38.5 million in 2012 from a high of $142 million in 2009. This represents 0.012 per cent of domestic Interac debit card volume and the lowest volume of fraud losses since data were recorded in 2003. Further, the number of cardholders reimbursed fell to 93,800 in 2012 from 238,000 in 2009. Cardholders are protected from losses under the Interac Zero Liability Policy*.

US KEY DATES – CARD NETWORKS

ROLE OF EMVCO

EMVCo manages, maintains and enhances the EMV® Integrated Circuit Card Specifications for chip-based payment cards and acceptance devices, including point of sale (POS) terminals and ATMs. EMVCo also establishes and administers testing and approval processes to evaluate compliance with the EMV Specifications. EMVCo is currently owned by American Express, JCB, MasterCard and Visa.

WHO IS EMVCO?

• Owns, manages, and maintains the global payment industry specifications to define interoperability requirements between chip based payment cards and acceptance terminals
• Administers the testing and approval process for both chip payment cards and chip acceptance terminals
• EMVCo is not responsible for specific card brand certifications
• EMVCo maintains specifications for both contact and contactless payment schemes
• EMV Contactless specification published to define a common contactless interface to be used by the card brands
• Currently each card brand uses its own proprietary application
• MasterCard M/Chip, Visa qVSDC
• Applications are similar, both follow EMVCo standards

CANADIAN EMV LEARNINGS

1. Industry Adoption
   • How was EMV adopted in the Canadian Market?
2. Customer Impacts
   • As a card holder, what can you expect with EMV?
3. Solution Time to Market
   • Payment solutions have new requirements, challenges, how will this impact the number of choices going forward?
4. Training and Support
   • Merchants are self trained now, how did this change?
5. Card Requirement Changes
   • How did new card products change the landscape?

WHAT ABOUT CONTACTLESS?

How does EMV Contactless differ from EMV Contact?

DIFFERENCES

EMV CONTACT

• Cards are inserted into the chip card (ICC) reader and remain until the transaction is completed
• Different from what consumers are accustomed to today
• Data is read from and written to the chip during a transaction so the card is updated each time it is used
• Transactions will likely be processed online in the U.S. but offline transaction processing is possible

EMV CONTACTLESS

• Contactless cards must be placed in close proximity to the contactless reader (typically ½ to 3 inches) and remain only momentarily
• Transaction is completed after the card has been removed from the contactless field
• Dual interface cards access the same chip for processing via contact or contactless read
• Contactless card usage is typically used for transaction speed and convenience

WHAT ABOUT NFC?

EMV CONTACTLESS VS. NFC

NFC and EMV Contactless are not synonymous

• Both use short range wireless technology allowing communication between devices at close proximity
• Contactless is typically a one-way transaction between a passive device (contactless card) and an intelligent reader (contactless capable POS device)
• NFC-enabled transactions involve two-way communications whereby an NFC capable device (such as a smartphone) exchanges data with an NFC enabled POS device

• NFC shares a core technology with RFID tags and contactless smartcards, but there are differences
• Multiple ISO standards govern NFC cards
• ISO/IEC 14443 is a group of four standards covering card type variations – Type A and Type B
• Reader / Writer mode governed by ISO/IEC 14443 standard
• ISO/IEC 18092 – Near Field Communications Interface and Protocol
• Peer-to-Peer mode governed by ISO/IEC 18092 standard

U.S. TRANSACTION VIEW – TODAY & FUTURE

[Figure: transaction flow diagrams in three panels (MAG-STRIPE DELIVERY, EMV CONTACT, EMV CONTACTLESS), each running from Clerk Data Entry and the card swipe, insert or tap through Send to Host, Host Processing and Response From Host to the Approval/Decline Message and Receipt. The EMV CONTACT panel adds a Terminal Processing stage (Application Selection, Offline Data Auth., Processing Restrictions, Cardholder Verification (CVM), Terminal Risk Management, Terminal Analysis/Decision, Terminal Verification Results (TVR)) and a Remove Card step; the EMV CONTACTLESS panel shows Card Processing and a receipt that "may not be required".]

TRANSACTION TIMES COMPARISON

DIAL: Card Swipe, Pre-Dial, Clerk UI (Amount), Connect, Transmit/Receive, Print Receipt

DIAL WITH EMV: Clerk UI/Entry of Data (Amount), Insert Card, Dial, Connect, Transmit/Receive, Print Receipt

PRODUCT DECISIONS FOR THE U.S.

Stand Alone Devices

– Customer total amount verification, EMV card insertion, and Contactless tap
– Speed of transaction
– Hand over, external pin pad (with Contact/Contactless/Mag-stripe Delivery support)

Integrated

– Customer facing, Communication options, USB, RS232, IP
– Register software changes to drive the device differently (Amount first, no walk up and swipe)

Semi-Integrated

– Light cash register integration (SCI-Secure Commerce Interface)
– Direct to host for processing, removing register knowledge of EMV or transaction data

EMV CAPABLE DEVICES – VX & VX EVOLUTION SOLUTIONS

[Figure: device line-up in three series (Countertop, Portable, Consumer Facing); models shown: Vx 570, Vx 610, Vx 670, Vx 810, VX 520, VX 680, VX 820, VX 805]

OR ADD PP1000SE TO A VX OR VX DEVICE

EMV CAPABLE DEVICES – MX SERIES SOLUTIONS

[Figure: device line-up (MX 800 series, MX 900 series, Consumer Facing series); models shown: MX 850, MX 860, MX 870, MX 880, MX 915, MX 925]

MARKET SOLUTION CERTIFICATION CHANGES

Certification Criteria

– Level 1, Level 2 Certifications
– Brand testing, individual tests vary by scheme
  • Each brand has their own specification (based on EMVCo)
– Contact and Contactless testing require specialized tools
  • Tools updated frequently to provide necessary scheme simulation

Results of New Criteria

– Certification will take more time to accomplish at the acquirer levels
– Ongoing certification work must be maintained for solutions
– Ongoing investment is required to keep up to date on tools and certification process
– Specialized training will be required to accomplish this new solutions delivery

FIELD UPGRADES, HOW EMV IS DIFFERENT

Today

– Devices are deployed, and in some cases, not touched for years
– Merchants are reluctant to be reprogrammed, to give time for the activity
– Infrastructure (dial lines, etc.) not set up to handle large downloads

Tomorrow, EMV Challenges (Contact and Contactless)

– EMV components, kernels for contact and contactless can and will change
– New cards issued with new functionalities happen, require downloads to accept the card
– Interoperability will be impacted if devices are not kept up to speed
– Contactless software components, EMV and for NFC initiatives, will require updates and changes to remain field-ready for new cards

FIELD UPGRADES, REQUIREMENTS

Merchant Device Support

– Need for more frequent download will require more merchant interaction, either in a manual or automated manner
– Devices will need to “phone home” to check for updates at a defined frequency
– Updates can, and should be, delivered to the POS in an automated manner to ease this new market requirement

VeriFone Estate Management Solutions

– VFI can provide end to end solutions for management of these software components, along with other application requirements
– Solutions can be delivered as “host it yourself”, or through VFI Managed Services
  • Allowing for management of your own portfolios, maintenance of your portfolios, and real time dashboards of your status
– VeriCentre & VHQ look and feel can be provided to ease adoption

PCI COMPLIANCE

PCI DATA SECURITY STANDARDS OVERVIEW

The PCI Security Standards Council offers comprehensive standards and supporting materials to enhance payment card data security

PCI DSS (Data Security Standards)

– Covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security

PCI PIN Transaction Security (PTS)

– A single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals

PCI PTS COMPLIANCE

Why is PCI PTS Compliance important?

PCI PTS COMPLIANCE

PCI Security Standards Council (SSC) analyzes changes in the threat environment, which typically occurs every three years

Pre-PCI attended POS PIN entry devices must be retired by December 31, 2014

PCI PTS Version 1.x devices will expire on April 30, 2014

Acquirers purchasing devices that are on the list of devices that will expire will assume liability

SUNSET OF PCI PTS 1.X PIN ENTRY DEVICES

Updated Visa PIN Entry requirements for PCI PTS 1.x devices allow PCI 1.3 devices to be deployed and used after April 30th as long as they were purchased from the manufacturer prior to the expiration date

PCI COMPLIANCE EDUCATION

VeriFone Proactively Educating our Partners and Customers on PCI Compliance

– Bulletins/Flyers
– Webinars
– Industry Events

WORLDWIDE PCI PTS TIMELINE

PCI RESOURCES

Visa PIN Entry Device Requirements & FAQ: http://usa.visa.com/download/merchants/visa-PED-Requirements-2013.pdf

PCI DSS v3.0: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

PCI DSS Summary of Changes v2.0 to v3.0: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf

Glossary of Terms, Abbreviations, and Acronyms: https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf

VERISHIELD TOTAL PROTECT

VERISHIELD TOTAL PROTECT

– Reduce PCI scope
– Minimize risk
– Protect sensitive data
– Monitor all systems in real time at the device level

VeriShield Total Protect removes the burden of protecting payment card data from the merchant using multiple defense layers: Encryption and Tokenization

ENCRYPTION

– Delivers encryption in a way that is transparent to the merchant’s receiving systems with low disruption / minimal POS system impact
– Protect card data from the point of capture to point of decryption

TOKENIZATION

– Store tokens rather than card data using random-number tokenization after authorization

COMBINING ENCRYPTION AND TOKENIZATION

1. Payment card data is read at the merchant’s payment device.
2. Primary Account Number (PAN) and other discretionary data are encrypted.
3. Data is decrypted by decryption service and a token is generated by the RSA server.
4. Payment information is passed to the bank for authorization.
5. Transaction authorization is given to the processor.
6. Transaction authorization and token are returned to the merchant.
7. Merchant can safely store the token and re-use for post-authorization activities such as returns.
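The token handling in steps 3, 6 and 7, as an added example that is not VeriFone's or RSA's code; the encryption and decryption of steps 2 and 3 are outside its scope. Assumptions: the class and function names are hypothetical, the token keeps the PAN's length and last four digits, the vault returns the same token for a repeated PAN, and tokens are forced to fail the Luhn check so they cannot be mistaken for a card number.

```python
import secrets

PAN = "4111111111111111"  # constructed sample: a widely used test number, not a live card


def luhn_ok(number: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Runs at the service provider; the merchant never holds this mapping."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random digits: the token is not derived from the PAN, so it
            # cannot be reversed without the vault. Last four kept for receipts.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str):
        return self._pan_by_token.get(token)


def authorize(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Processor side after decryption and bank approval (steps 3 to 6)."""
    return {"approved": True, "amount_cents": amount_cents,
            "token": vault.tokenize(pan)}


def refund(vault: TokenVault, order: dict) -> dict:
    """Processor side of a return (step 7): the merchant sends only the token."""
    pan = vault.detokenize(order["token"])
    if pan is None:
        return {"approved": False, "reason": "unknown token"}
    return {"approved": True, "amount_cents": -order["amount_cents"],
            "last4": pan[-4:]}


def run_demo():
    vault, merchant_orders = TokenVault(), []
    resp = authorize(vault, PAN, 2599)
    # The merchant's stored record holds the token, never the PAN.
    merchant_orders.append({"order_id": 1, "amount_cents": 2599,
                            "token": resp["token"]})
    good = refund(vault, merchant_orders[0])
    bad = refund(vault, {"amount_cents": 2599, "token": "0" * 16})
    return merchant_orders, good, bad


if __name__ == "__main__":
    print(run_demo())
```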

VERISHIELD RETAIN

VERISHIELD RETAIN

File authentication software that helps you retain your merchant estate, keep competitors at bay and protect your business interests.

[Figure: VeriShield Retain, AUTHORIZED CERTIFICATE vs. UNAUTHORIZED CERTIFICATE]

BUSINESS PROTECTION

– Prevents unauthorized access to payment devices
– Accommodate trusted partners and their value-added applications

PROVIDES THE HIGHEST SECURITY

– System-level password protection
– File authentication to protect merchants against fraud or misuse

EASY TO IMPLEMENT AND CAN BE ADDED TO EXISTING ESTATE

IMPROVES MERCHANT RETENTION

ACCOMMODATES AUTHORIZED 3RD PARTY DEVELOPERS

SPONSOR CERTIFICATE FLYER DETAILS

VX Evolution meets the highest security standards. Application certificates, like “keys”, are one of the pieces in this solution and are used to sign (or lock) applications, which must be authenticated in order to run. Application certificates have multiple benefits to the ISO and processor.

Retention

– VX allows ISOs to lock their terminal base. Merchants will have to contact the ISO in order to move to a different merchant services relationship.

Superior Security

– VX devices cannot be re-downloaded when sponsor certifications are used. No rogue software can be downloaded. Nothing is more secure.
– To provide the best support and to know if your applications will work properly in an existing merchant’s device, review the following steps:
  – Identify what certificate is used in the application to be downloaded. You can check your download files if you have your own VeriCentre, or ask your service provider if you use someone else for this.
  – Check the merchant’s device before you download. Newer versions of the operating system display the certificate owner when you power cycle the device.
  – Error messages may present when the authentication fails due to the device already having a different application certificate compared to what certificates are included in the new application attempting to download. This secure approach allows processors and ISOs to have their own specific application certificate.
  – In essence, all of the devices are “locked”. It is just a matter of whether they are locked with a VeriFone certificate or a customer-specific certificate.

MORE INFORMATION

To learn more about EMV and VeriFone’s hardware, software, training and support solutions that can smooth the EMV migration process, please go to www.verifone.com/emv-us and www.verifonezone.com

QUESTIONS