p a y m e n t s o l u t i o n s an introduction to emv presented to: government finance officers...

30
P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015

Upload: charlotte-warner

Post on 22-Dec-2015

214 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S

An Introduction to EMVAn Introduction to EMV

Presented to: Government Finance Officers Associationof South CarolinaDate: May 4, 2015

Presented to: Government Finance Officers Associationof South CarolinaDate: May 4, 2015

Page 2: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 2

First: The Proverbial Question

IssuersAcquirers

Page 3: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 3

The Race is On: Agenda

Alphabet Soup: Definitions

Chip Cards, EMV, NFC

EMV: What is Driving Adoption

Statistics, Fraud, Compliance, Innovation

Encryption and Tokenization

Page 4: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 4

Alphabet Soup: Definitions

Chip Card

NFC

Chip + PIN

EMV

Smart Card

Page 5: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 5

The Card Came First

A chip card is a device that includes a secure, embedded integrated circuit chip (ICC)

Invented in 1977 by Honeywell BullPerforms functions that validate, store, and encrypt data

Data is more secure on a chip-embedded card that utilizes dynamic authentication rather than on a static mag-stripe card

Mag-stripe card can be copied (“skimmed”)Chip technology combats counterfeiting by assigning a

dynamic value for each transaction and preventing copying

Page 6: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 6

Form FactorsContact

1. Chip is embedded in a card2. A contact card is inserted into a smart card reader3. The contact points on the chip make contact with

the card reader

Contactless or Near Field Communication (NFC)• The chip may be embedded in cards, key fobs,

stickers, mobile phones, tablets, Apple Pay devices etc.• A contactless chip requires close proximity to a

reader (“tap and go”)• Both the chip and the reader have an antenna and they

use an RF (radio frequency) signal to communicate

Page 7: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 7

The Standard Followed EMV was established in 1994 by Europay, MasterCard and Visa

EMVCo’s primary purpose is to define a global standard for credit and debit payment cards based on chip card technology.

Cards can be Contact or Contactless

Four main functions: Card authentication to protect against counterfeit cardsCardholder verification to protect against lost/stolen cardsTerminal authentication to prevent against “Trojan Horse” hacksTransaction authorization using issuer-defined rules

Page 8: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 8

EMV Authentication and Verification Authentication and Authorization Methods

• Online requires the transaction to be sent online for the issuer to authenticate the card and authorize the transaction

• Offline is done between the chip card and terminal

Cardholder Verification Methods (CVMs):

• None (usually used for low value transactions)

• Offline PIN (entered and stored PIN are compared offline)

Online PIN (PIN is validated online – like PIN debit)

Signature Verification (requires physical signature comparison)

Visa and MasterCard mandate global interoperability: POS solutions must be able to support all authentication & verification methods Mexico chip card will prompt for signature; UK for PIN

Page 9: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 9

Innovation Could Win the Race

NFC (Near Field Communications) is a radio-based interaction protocol compatible with contactless payment standards

NFC chips are embedded in mobile phones (Apple Pay) and allow the phones to act as card

The “promise” of Apple Pay is driving innovation and EMV adoption

Page 10: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 10

EMV: What is Driving Adoption?

Fraud

Compliance

Innovation

Statistics

Globalization

Page 11: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 11

EMV by the Numbers Worldwide Adoption

1.5 Billion payment cards*20 Million POS terminals*

40% of cards and 70% of terminals are EMV

U.S. Adoption – What it will mean financially15 million point-of-sale devices = $6.75 billion to replace360,000 ATMs = $500 million to upgrade (target date is 10/2016)609.8 million credit cards & 520 million debit cards = $1.4 billion to reissue

(Cost of mag-stripe card = 15 cents vs. EMV card = $2 - $4)

Hence the U.S. “Chicken & Egg” conundrum!Unlike most countries where banks own the terminal assets, the U.S. will require merchants to make the investment

*As of 2011

Page 12: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 12

Fraud Migrates to U.S.

41.1% of cards76.7% of terminals

84.4% of cards94.4% of terminals

20.6% of cards75.9% of terminals

28.2% of cards51.4% of terminals

14.5% of cards68.1% of terminals

Page 13: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 13

Fraud Reduction Stats: UK Example

Fraud on debit and credit cards fell by more than 25% from 2008 to 2010

Counterfeit card fraud —skimming and cloning—fell by over half

Fraud on lost and stolen cards is at their lowest levels in 10 years

Source: The UK Card Association

Page 14: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 14

Key EMV dates from Card Brands

© 2012 VeriFone Systems, Inc.

October 2012: TECH Innovation Program (TIP) - PCI validation relief for Level 1 and Level 2 merchants that adopt dual-interfaced solutions in any year that at least 75% of the merchant transactions originate from a chip-enabled terminal

Note: must be capable of actually processing EMV cards and NFC contactless payments; merchants cannot just install “EMV ready” equipment. . . .so, not really happening!

April 2013: Acquirer Chip Processing Mandate - Acquirers and processors must demonstrate the ability to process EMV transactions and NFC contactless payments

October 2015: Liability Shift from Issuer to Merchant - Merchants of any size will be liable for domestic and cross-border counterfeit fraud committed at the point of sale if they are not using a compliant EMV & NFC POS solution (Automated Fuel merchant liability shift in 2017)

Page 15: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 15

“Liability Shift” will Drive Adoption

A non-compliant merchant is liable for fraud that occurs on any chip card used on a magnetic swipe terminal.

A non-compliant issuer is liable for fraud that occurs on any magnetic stripe card used on a chip card-enabled terminal.

Page 16: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 16

Liability for the chargeback loss shifts to whichever party hasn’t upgraded to chip, if the use of such a device could have prevented the fraud from occurring

Issuers that have not migrated to EMV will be liable for fraud at EMV devices, including transactions using listed card numbers

Acquirers that have not placed EMV + PIN devices will be liable for fraud on chip cards, including transactions authorized online by the Issuer

Merchants can benefit from liability shift just by installing contact EMV terminals.

No impact on the customer

Fraud impacted by the Liability Shift is called “Designated Card Present Fraud”

The following fraud types are excluded from the liability shift:Card Not Present FraudAccount TakeoverFraudulent Application

What is “Liability Shift”

Source: Oberthur 2010 and “Overview of EMV Chip Impacts on Chargebacks” VISA March, 2011

Page 17: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 17

Magnetic Stripe vs EMV TransactionMagnetic Stripe Transaction EMV TransactionCard is swiped, inserted, or dipped, and is returned to cardholder after magnetic stripe data has been read

Card must be inserted and remain in the terminal for the duration of the transaction

There is no interaction between card and terminal after magnetic stripe has been read

Data is exchanged between card and terminal to initiate the transaction

Card does not generate a cryptogram Chip card generates a unique cryptogram which is sent to the host for verification

Online request message contains no EMV-specific data

Additional EMV-specific data is in the online request message

Host does not perform any EMV-related processing

Additional processing is required by host to verify request cryptogram, generate response cryptogram, and interrogate additional EMV-specific fields in the request message

Online response message contains no EMV-specific data

Additional EMV-specific data is in the online response message

There is interaction between card and terminal at the end of the transaction

Data is exchanged between card and terminal at the end of the transaction

Page 18: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 18

Elavon Solutions for EMV

Page 19: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 19

EMV Terminals: VeriFone VX Evolution

VX520 • Countertop • Dual Comm• Internal PIN pad• MSR• EMV• NFC

VX820• Customer Facing

PIN pad• Vx520• MSR• EMV• NFC

EMV NFCHand-Over Design

Page 20: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 20

EMV Terminals: Ingenico Telium2 iCT250

• Countertop

• Dual Comm

• Internal PIN pad

• MSR

• EMV

• NFC

iWL250G• Portable - GPRS

• Internal PIN pad

• MSR

• EMV

• NFC

• 3G Technology

iPP320• Customer Facing

PIN pad• iCT220 or iCT250• MSR• EMV• NFC

iCT220 • Countertop• Dual Comm• Internal PIN pad• MSR• EMV

Page 21: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 21

ContactlessEMV Magstripe

Backlit 19 key 18+ LPS printer

Dual IP & Dial Sharp Color Display

Dual Processor Cable Management

NFC

Small Footprint Privacy Shield

iCT250

Page 22: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 22

iPP320 Countertop PIN Pad

Connects to Telium Countertop LineEmbedded Contactless

EMV

Page 23: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 23

iWL250

Contactless

Small FootprintLightweight

30 LPS ThermalPrinter25mm & 40mmPaper Roll Option

3G Wireless GPRS Dynamic SIM 30 LPSPrinter Contactless Smart Card Li-Ion

Battery Lightweight

Charging & Comms Base

Page 24: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 24

Conclusion

Page 25: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 25

Points to Remember EMV is a standard that dictates the interaction between a

smart (chip) “card” and a POS payment device The “chip” stores encryption data that is used during the

transaction to prove the card is authentic; it prevents cloning EMV chips can be either contact or contactless and are read &

write capable NFC (Near Field Communications) is a radio-based contactless

interaction protocol that is driving interest in EMV adoption The Card Brands have announced EMV incentives (carrots and

sticks) that encourage issuers, acquirers, and merchants to adopt EMV

© 2012 VeriFone Systems, Inc.

Page 26: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 26

EMV Benefits All Parties

26

B E N E F I T S

C A R D H O L D E R• Peace of Mind (fraud reduction)• Never lose sight of their card• Global interoperability

• Fewer fraud-related chargebacks due to stolen cards/skimming

• Increase in international customer satisfaction

M E R C H A N T

I S S U E R• Fraud reduction• Global interoperability• Mobile payments facilitation

Page 27: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 27

PCI – Tokenization - Encryption

What is the difference between Security and PCI? PCI-DSS compliance is one aspect of an overall security program but on its own cannot prevent a data breach. Security measures such as encryption andtokenization provide additional layers of protection as part of a security program.

What is “Point-to Point” vs “End-to-End” Encryption? They are really the same and have been used interchangeably. Since P2PE certification is available and Visa has announced their encryption program, some distinction is made in the market. Point to Point refers to encryption at the time of the swipe and decryption at a gateway of payment processor. End-to-End refers to encryption at the time of the swipe anddecryption at the furthest end point in the payment processing stream, i.e. the payment brands data center.

What is Tokenization vs Encryption? Encryption is generally used in card-present situations while tokenization is generally used in card not present scenarios like “card on file” and recurring billing. Encryption scrambles a card number so that the data is not usable to thieves. The card number can only be decrypted bythe holder of the key. Tokenization is an ALIAS or “token” of the card number.

If a customer is using encryption and/or tokenization do they have to be PCI compliant? The short answer is YES utilizing encryption and/or tokenization does not remove the requirement for PCI-DSS compliance. However, depending on the solution implemented, a customer could experience reduced effort, scope and/or cost when they do complete their annual PCI assessment

Page 28: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 28

Your EMV Call to Action: Don’t Wait

Read and research to keep up with EMV and NFC trends

• http://www.smartcardalliance.org/

• http://www.emvco.com/

• http://www.cscu.net/index.aspx?CategoryID=294

• http://pymnts.com

Page 29: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 29

EMV – Action Required

Effective October 1, 2015, a date that has been determined by the credit card associations (MasterCard/VISA) if your business accepts and processes a counterfeit transaction from an EMV card on a non-EMV enabled terminal, the liability for that transaction is yours.

Page 30: P A Y M E N T S O L U T I O N S An Introduction to EMV Presented to: Government Finance Officers Association of South Carolina Date: May 4, 2015 Presented

P A Y M E N T S O L U T I O N S 30

Thank You!Brad Hench

Regional Sales Manager

US Bank Merchant Solutions

678-731-4419

[email protected]

Paul AnatrellaVice President & Relationship ManagerU.S. Bank [email protected]