p a y m e n t s o l u t i o n s an introduction to emv presented to: government finance officers...
TRANSCRIPT
P A Y M E N T S O L U T I O N S
An Introduction to EMVAn Introduction to EMV
Presented to: Government Finance Officers Associationof South CarolinaDate: May 4, 2015
Presented to: Government Finance Officers Associationof South CarolinaDate: May 4, 2015
P A Y M E N T S O L U T I O N S 2
First: The Proverbial Question
IssuersAcquirers
P A Y M E N T S O L U T I O N S 3
The Race is On: Agenda
Alphabet Soup: Definitions
Chip Cards, EMV, NFC
EMV: What is Driving Adoption
Statistics, Fraud, Compliance, Innovation
Encryption and Tokenization
P A Y M E N T S O L U T I O N S 4
Alphabet Soup: Definitions
Chip Card
NFC
Chip + PIN
EMV
Smart Card
P A Y M E N T S O L U T I O N S 5
The Card Came First
A chip card is a device that includes a secure, embedded integrated circuit chip (ICC)
Invented in 1977 by Honeywell BullPerforms functions that validate, store, and encrypt data
Data is more secure on a chip-embedded card that utilizes dynamic authentication rather than on a static mag-stripe card
Mag-stripe card can be copied (“skimmed”)Chip technology combats counterfeiting by assigning a
dynamic value for each transaction and preventing copying
P A Y M E N T S O L U T I O N S 6
Form FactorsContact
1. Chip is embedded in a card2. A contact card is inserted into a smart card reader3. The contact points on the chip make contact with
the card reader
Contactless or Near Field Communication (NFC)• The chip may be embedded in cards, key fobs,
stickers, mobile phones, tablets, Apple Pay devices etc.• A contactless chip requires close proximity to a
reader (“tap and go”)• Both the chip and the reader have an antenna and they
use an RF (radio frequency) signal to communicate
P A Y M E N T S O L U T I O N S 7
The Standard Followed EMV was established in 1994 by Europay, MasterCard and Visa
EMVCo’s primary purpose is to define a global standard for credit and debit payment cards based on chip card technology.
Cards can be Contact or Contactless
Four main functions: Card authentication to protect against counterfeit cardsCardholder verification to protect against lost/stolen cardsTerminal authentication to prevent against “Trojan Horse” hacksTransaction authorization using issuer-defined rules
P A Y M E N T S O L U T I O N S 8
EMV Authentication and Verification Authentication and Authorization Methods
• Online requires the transaction to be sent online for the issuer to authenticate the card and authorize the transaction
• Offline is done between the chip card and terminal
Cardholder Verification Methods (CVMs):
• None (usually used for low value transactions)
• Offline PIN (entered and stored PIN are compared offline)
Online PIN (PIN is validated online – like PIN debit)
Signature Verification (requires physical signature comparison)
Visa and MasterCard mandate global interoperability: POS solutions must be able to support all authentication & verification methods Mexico chip card will prompt for signature; UK for PIN
P A Y M E N T S O L U T I O N S 9
Innovation Could Win the Race
NFC (Near Field Communications) is a radio-based interaction protocol compatible with contactless payment standards
NFC chips are embedded in mobile phones (Apple Pay) and allow the phones to act as card
The “promise” of Apple Pay is driving innovation and EMV adoption
P A Y M E N T S O L U T I O N S 10
EMV: What is Driving Adoption?
Fraud
Compliance
Innovation
Statistics
Globalization
P A Y M E N T S O L U T I O N S 11
EMV by the Numbers Worldwide Adoption
1.5 Billion payment cards*20 Million POS terminals*
40% of cards and 70% of terminals are EMV
U.S. Adoption – What it will mean financially15 million point-of-sale devices = $6.75 billion to replace360,000 ATMs = $500 million to upgrade (target date is 10/2016)609.8 million credit cards & 520 million debit cards = $1.4 billion to reissue
(Cost of mag-stripe card = 15 cents vs. EMV card = $2 - $4)
Hence the U.S. “Chicken & Egg” conundrum!Unlike most countries where banks own the terminal assets, the U.S. will require merchants to make the investment
*As of 2011
P A Y M E N T S O L U T I O N S 12
Fraud Migrates to U.S.
41.1% of cards76.7% of terminals
84.4% of cards94.4% of terminals
20.6% of cards75.9% of terminals
28.2% of cards51.4% of terminals
14.5% of cards68.1% of terminals
P A Y M E N T S O L U T I O N S 13
Fraud Reduction Stats: UK Example
Fraud on debit and credit cards fell by more than 25% from 2008 to 2010
Counterfeit card fraud —skimming and cloning—fell by over half
Fraud on lost and stolen cards is at their lowest levels in 10 years
Source: The UK Card Association
P A Y M E N T S O L U T I O N S 14
Key EMV dates from Card Brands
© 2012 VeriFone Systems, Inc.
October 2012: TECH Innovation Program (TIP) - PCI validation relief for Level 1 and Level 2 merchants that adopt dual-interfaced solutions in any year that at least 75% of the merchant transactions originate from a chip-enabled terminal
Note: must be capable of actually processing EMV cards and NFC contactless payments; merchants cannot just install “EMV ready” equipment. . . .so, not really happening!
April 2013: Acquirer Chip Processing Mandate - Acquirers and processors must demonstrate the ability to process EMV transactions and NFC contactless payments
October 2015: Liability Shift from Issuer to Merchant - Merchants of any size will be liable for domestic and cross-border counterfeit fraud committed at the point of sale if they are not using a compliant EMV & NFC POS solution (Automated Fuel merchant liability shift in 2017)
P A Y M E N T S O L U T I O N S 15
“Liability Shift” will Drive Adoption
A non-compliant merchant is liable for fraud that occurs on any chip card used on a magnetic swipe terminal.
A non-compliant issuer is liable for fraud that occurs on any magnetic stripe card used on a chip card-enabled terminal.
P A Y M E N T S O L U T I O N S 16
Liability for the chargeback loss shifts to whichever party hasn’t upgraded to chip, if the use of such a device could have prevented the fraud from occurring
Issuers that have not migrated to EMV will be liable for fraud at EMV devices, including transactions using listed card numbers
Acquirers that have not placed EMV + PIN devices will be liable for fraud on chip cards, including transactions authorized online by the Issuer
Merchants can benefit from liability shift just by installing contact EMV terminals.
No impact on the customer
Fraud impacted by the Liability Shift is called “Designated Card Present Fraud”
The following fraud types are excluded from the liability shift:Card Not Present FraudAccount TakeoverFraudulent Application
What is “Liability Shift”
Source: Oberthur 2010 and “Overview of EMV Chip Impacts on Chargebacks” VISA March, 2011
P A Y M E N T S O L U T I O N S 17
Magnetic Stripe vs EMV TransactionMagnetic Stripe Transaction EMV TransactionCard is swiped, inserted, or dipped, and is returned to cardholder after magnetic stripe data has been read
Card must be inserted and remain in the terminal for the duration of the transaction
There is no interaction between card and terminal after magnetic stripe has been read
Data is exchanged between card and terminal to initiate the transaction
Card does not generate a cryptogram Chip card generates a unique cryptogram which is sent to the host for verification
Online request message contains no EMV-specific data
Additional EMV-specific data is in the online request message
Host does not perform any EMV-related processing
Additional processing is required by host to verify request cryptogram, generate response cryptogram, and interrogate additional EMV-specific fields in the request message
Online response message contains no EMV-specific data
Additional EMV-specific data is in the online response message
There is interaction between card and terminal at the end of the transaction
Data is exchanged between card and terminal at the end of the transaction
P A Y M E N T S O L U T I O N S 18
Elavon Solutions for EMV
P A Y M E N T S O L U T I O N S 19
EMV Terminals: VeriFone VX Evolution
VX520 • Countertop • Dual Comm• Internal PIN pad• MSR• EMV• NFC
VX820• Customer Facing
PIN pad• Vx520• MSR• EMV• NFC
EMV NFCHand-Over Design
P A Y M E N T S O L U T I O N S 20
EMV Terminals: Ingenico Telium2 iCT250
• Countertop
• Dual Comm
• Internal PIN pad
• MSR
• EMV
• NFC
iWL250G• Portable - GPRS
• Internal PIN pad
• MSR
• EMV
• NFC
• 3G Technology
iPP320• Customer Facing
PIN pad• iCT220 or iCT250• MSR• EMV• NFC
iCT220 • Countertop• Dual Comm• Internal PIN pad• MSR• EMV
P A Y M E N T S O L U T I O N S 21
ContactlessEMV Magstripe
Backlit 19 key 18+ LPS printer
Dual IP & Dial Sharp Color Display
Dual Processor Cable Management
NFC
Small Footprint Privacy Shield
iCT250
P A Y M E N T S O L U T I O N S 22
iPP320 Countertop PIN Pad
Connects to Telium Countertop LineEmbedded Contactless
EMV
P A Y M E N T S O L U T I O N S 23
iWL250
Contactless
Small FootprintLightweight
30 LPS ThermalPrinter25mm & 40mmPaper Roll Option
3G Wireless GPRS Dynamic SIM 30 LPSPrinter Contactless Smart Card Li-Ion
Battery Lightweight
Charging & Comms Base
P A Y M E N T S O L U T I O N S 24
Conclusion
P A Y M E N T S O L U T I O N S 25
Points to Remember EMV is a standard that dictates the interaction between a
smart (chip) “card” and a POS payment device The “chip” stores encryption data that is used during the
transaction to prove the card is authentic; it prevents cloning EMV chips can be either contact or contactless and are read &
write capable NFC (Near Field Communications) is a radio-based contactless
interaction protocol that is driving interest in EMV adoption The Card Brands have announced EMV incentives (carrots and
sticks) that encourage issuers, acquirers, and merchants to adopt EMV
© 2012 VeriFone Systems, Inc.
P A Y M E N T S O L U T I O N S 26
EMV Benefits All Parties
26
B E N E F I T S
C A R D H O L D E R• Peace of Mind (fraud reduction)• Never lose sight of their card• Global interoperability
• Fewer fraud-related chargebacks due to stolen cards/skimming
• Increase in international customer satisfaction
M E R C H A N T
I S S U E R• Fraud reduction• Global interoperability• Mobile payments facilitation
P A Y M E N T S O L U T I O N S 27
PCI – Tokenization - Encryption
What is the difference between Security and PCI? PCI-DSS compliance is one aspect of an overall security program but on its own cannot prevent a data breach. Security measures such as encryption andtokenization provide additional layers of protection as part of a security program.
What is “Point-to Point” vs “End-to-End” Encryption? They are really the same and have been used interchangeably. Since P2PE certification is available and Visa has announced their encryption program, some distinction is made in the market. Point to Point refers to encryption at the time of the swipe and decryption at a gateway of payment processor. End-to-End refers to encryption at the time of the swipe anddecryption at the furthest end point in the payment processing stream, i.e. the payment brands data center.
What is Tokenization vs Encryption? Encryption is generally used in card-present situations while tokenization is generally used in card not present scenarios like “card on file” and recurring billing. Encryption scrambles a card number so that the data is not usable to thieves. The card number can only be decrypted bythe holder of the key. Tokenization is an ALIAS or “token” of the card number.
If a customer is using encryption and/or tokenization do they have to be PCI compliant? The short answer is YES utilizing encryption and/or tokenization does not remove the requirement for PCI-DSS compliance. However, depending on the solution implemented, a customer could experience reduced effort, scope and/or cost when they do complete their annual PCI assessment
P A Y M E N T S O L U T I O N S 28
Your EMV Call to Action: Don’t Wait
Read and research to keep up with EMV and NFC trends
• http://www.smartcardalliance.org/
• http://www.emvco.com/
• http://www.cscu.net/index.aspx?CategoryID=294
• http://pymnts.com
P A Y M E N T S O L U T I O N S 29
EMV – Action Required
Effective October 1, 2015, a date that has been determined by the credit card associations (MasterCard/VISA) if your business accepts and processes a counterfeit transaction from an EMV card on a non-EMV enabled terminal, the liability for that transaction is yours.
P A Y M E N T S O L U T I O N S 30
Thank You!Brad Hench
Regional Sales Manager
US Bank Merchant Solutions
678-731-4419
Paul AnatrellaVice President & Relationship ManagerU.S. Bank [email protected]