the road to u.s. emv migrationsf.csiweb.com/.../whitepapers/wp_pp_emvmigrationgen.pdfthe road to...

Advancements in technological capabilities, along with increasing levels of counterfeit fraud, led the payments industry to develop both chip card technology and global EMV specification for payments. EMV is designed to leverage the advanced processing capabilities of chip card technology in securely storing and transmitting card payment credentials.

The card payments industry in the United States is one of the last to enable EMV. But the card brands have announced plans—and increasing risks associated with compromised merchants resulting in counterfeit card fraud have accelerated efforts—to enhance the U.S. payment infrastructure to support EMV-based payments.

This white paper aims to educate individuals about EMV, and focuses on its deployment in the U.S., as well as considerations for ATM terminal owners and important business considerations for issuers.

THE ROAD TO U.S. EMV MIGRATIONInformation and Strategies to Help Your Institution Make the Change

T h e R o a d t o U . S . E M V M i g r a t i o n

C S I W H I T E P A P E R

EMV SPECIFICATION

EMV is the chip card payment specification standard that was developed by Europay, MasterCard and Visa (from which the specification gets its name). The standard is managed by EMVCo, which is owned by American Express, JCB, MasterCard and Visa.

EMV’s objective is to facilitate the global interoperability and security of chip cards and acceptance terminals, as well as provide certifications for issuer card programs and terminal devices.

CHIP CARD TECHNOLOGY

Embedded in the plastic of chip cards is an

Integrated Circuit Card (ICC) microprocessor.

The chip functions similarly to a computer: it

has an operating system, communication

protocols, applications and a secure element.

While the secure element actually is the memory

storage area of the chip, many publications use

the term secure element to refer to the entirety

of the microprocessor.

EMV SECURITY

EMV defines the communication protocols by which payment credentials can be provisioned to the chip and cryptographically stored and encrypted. A portion of the payment credentials stored in the chip is a group of unique cryptographic keys used to establish and encrypt the communication protocols when the credentials are transmitted from the chip card to the terminal chip card reader. The credentials that are transmitted, unlike mag-stripe payment credentials, use the card’s unique cryptographic keys to generate dynamic cryptograms for each transaction. Dynamic cryptograms prevent the ability to clone the EMV credentials, which aids in protecting against skimming and counterfeit fraud.

2

DRIVING U.S. EMV MIGRATION

There is no mandate from any network or regulatory agency in the U.S. payments industry that requires issuers or merchants to upgrade their cards or terminals to EMV. However, several driving forces are pushing issuers and merchants to enable EMV.

One of the major driving forces is the prevention of counterfeit fraud. Counterfeit fraud is increasing, with high-profile merchant security compromises of mag-stripe card data becoming more common. Mag-stripe counterfeit fraud is expected to continue to grow, as fraudsters migrate to those countries that have yet to enable EMV. This includes the U.S., one of the last EMV holdouts.

And increasingly, U.S. consumers are likely to encounter problems with their U.S.-issued, mag-stripe-only cards being accepted at merchants in those countries that have migrated to EMV.

Another major driving force is the shift in fraud liability. Visa, MasterCard and Pulse have announced plans to accelerate EMV migration in the U.S. (see page 3), and an integral part of the plan is the decision to shift fraud liability from the party—either the merchant or issuer—that enabled their device for EMV to the party that did not enable EMV. The general concept is that whoever enables the more secure technology passes the liability for fraud to the less secure party. In the event both parties have enabled EMV, the issuer is held liable.



3

The chart below outlines various liability scenarios–descending from most secure to least secure.

TRANSACTION TYPE ISSUER MERCHANT/ATM PROCESSED AS LIABILITY

Card Present EMV EMV EMV Issuer

Card Present EMV Mag-stripe Mag-stripe Merchant/ATM Owner

Card Present Mag-stripe EMV Mag-stripe Issuer

Card Present Mag-stripe Mag-stripe Mag-stripe Issuer

The following chart outlines the dates of the liability shifts.

LIABILITY SHIFT DATES VISA MASTERCARD PULSE

October 2015 POS Counterfeit POS Counterfeit POS Counterfeit

October 2016 ATM Liability*

October 2017 ATM Liability

October 2017 POS Fuel Dispensers POS Fuel Dispensers POS Fuel Dispensers NYCE, Shazam, Nets and Star have not announced liability shift dates.*ATM Liability Shift for Maestro Cross-Border has already taken effect.

PAYMENT ECOSYSTEM AND EMV

All stakeholders in the card payment ecosystem, including issuers, processors, networks, acquirers, merchants, terminal manufacturers and card fulfillment vendors, are affected by EMV. The changes necessary to implement EMV require most of the existing processes to be updated in order to support the issuance, transmission and acceptance of EMV. This is further complicated by the size and complexities of the U.S. payments industry.



4

REGULATION II (AKA THE DURBIN AMENDMENT) AND EMV

One such complexity of the U.S. payments industry is the impact of Regulation II on EMV. Regulation II requires that debit cards maintain a minimum of two unaffiliated payment network options that are available to a merchant for use in processing.

With EMV, the ability to route the transaction depends on the payment applications that can be loaded to the chip and selected for use during processing. While Visa and MasterCard have EMV applications, the regional or pinned networks—which most issuers enable as a secondary unaffiliated network—have neither an EMV application nor the infrastructure immediately available to support EMV. This complication prevents issuers from obtaining the ability to begin rolling out “Durbin-compliant” debit chip cards.

Also, in order to support debit EMV, U.S. payment terminals must have the ability to deal with an EMV card that has multiple payment applications; however, most are designed to only support a single payment application per chip card.

Recently, the traditional pinned networks have started cross-licensing Visa and MasterCard EMV applications. They also are creating new network specifications that debit issuers, processors and acquirers will use to begin certification to eventually enable a Durbin-compliant debit chip card.

MAG-STRIPE STILL ON EMV CHIP CARDS

During the migration from mag-stripe to EMV, issued cards will have both EMV and mag-stripes to allow transaction activity at all devices. During the transition, EMV will be the first authentication method that’s used for terminals equipped with EMV technology. For terminals not equipped with EMV technology, mag-stripe will be the default authorization method, and the liability will be defined by network rules.

It is important to note that the mag-stripe on EMV cards is still at risk of being compromised. If the card is used for transactions at non–EMV devices, and if this merchant or device is compromised, those mag-stripe credentials can then be used to create counterfeit cards and commit fraud. In all likelihood, the issuer would want to issue a new card number and replace the EMV/mag-stripe card.



EMV ACQUIRING AT ATMSWhile much of the EMV discussion focuses on chip cards, the deployment of advanced terminals and readers that are capable of interfacing and receiving the credentials from these cards is equally important in the enablement of EMV. In order to ensure interoperability, these more advanced terminals must go through rigorous testing and certification. For financial institutions electing to enable EMV acceptance at their fleet of ATMs, there are specific hardware and software requirements, timeframes and costs to consider.

FRAUD LIABILITY SHIFT AND BANK ATMS

Again, with the deployment of EMV in the U.S., fraud liability passes from the party that has enabled the more secure technology (EMV transaction processing) to the less secure party (mag-stripe transaction processing).

Today, with a mag-stripe ATM transaction, the card issuer is liable for fraudulent activity. However, impending fraud liability shifts will change that responsibility. While the general point-of-sale (POS) fraud liability shift is scheduled for October 2015, ATMs have a later date scheduled: the EMV fraud liability shift for MasterCard ATM transactions is Oct. 1, 2016, while the EMV fraud liability shift for Visa ATM transactions is Oct. 1, 2017. This graduated schedule for the ATM fraud liability shift gives financial institutions additional time to consider their strategies and implementation timeframes.

Following these EMV fraud liability shift dates, the bank ATM owner will be liable for any fraudulent activity occurring on any EMV-enabled chip cards (both internationally and domestically issued) if the ATM is not EMV-enabled. While ATM-related fraud remains relatively low and is not currently the responsibility of the ATM owner, financial institutions should consider the possibility of these related fraud losses before upgrading or enabling EMV acceptance at their ATMs.

EMV TERMINAL REQUIREMENTS

ATMs require card readers that are capable of interfacing with the EMV chip. EMV card readers primarily interface with cards by maintaining physical contact with the chip on the front of the card while it is inserted, as opposed to reading the “swiped” mag-stripe on cards currently in use. EMV optionally supports a wireless or contactless form of interface leveraging near-field communication (NFC) to transmit and receive credentials.

ATM software from the terminal vendor is required to have received Level 2 certification from EMVCo, which manages EMV standards. ATM hardware that interfaces with the chip card requires Level 1 certification. These certifications will take place with the hardware/software manufacturer and terminal drivers, who will work with the appropriate parties to ensure that these certification levels are met.

5



BUSINESS CONSIDERATIONS

Industry research suggests that the cost to upgrade the U.S. ATM fleet to accept EMV-enabled cards could be upward of $500 million. Banks that need to upgrade their ATMs should look to do so now to ensure resource availability. Banks that are in the process of updating their ATMs, or are considering doing so, should contact their terminal vendors to ascertain potential options and costs.

For ATMs that have existing card readers in need of replacement, you should consider the customer experience. There are two types of card readers capable of EMV: motorized-insertion readers and “dip-and-clip” readers. Motorized-insertion readers will continue to operate as they do today. With dip-and-clip readers, the customer will remove their card and receive instructions to re-insert and leave their card in the reader during the entire transaction. This change will require customer re-training, because if the customer forcibly removes the card after re-insertion, the clip could be damaged.

ISSUING EMV CHIP CARDSFor institutions that are considering issuing EMV chip cards, the implications are significant in terms of the complexities, timing and costs of implementation.

FRAUD LIABILITY SHIFT AND BANK DEBIT CARDS

With today’s mag-stripe transactions, fraud liability for card-present transactions is the responsibility of the card issuer. However, if both parties—issuers and merchants—have enabled EMV, then transaction fraud liability still remains with the card issuer, albeit for significantly more secure transactions.

For card-present transactions, there is only one situation in which liability will switch to the merchant: the shift occurs when the card issuer has given its customer an EMV chip card, but the merchant has not yet enabled EMV acceptance. In this scenario, the issuer has chargeback rights to recover these specific fraud losses.

It will take merchants years to update their point-of-sale terminals to support EMV, with smaller merchants projected to take the longest. In the meantime, many merchants will still be using the mag-stripe to process EMV cards. This practice will still expose EMV cards to potential fraud well into the future. So, until the market reaches the point at which EMV cards can be processed without the use of mag-stripe functionality, banks will be placed in a situation of having to reissue the now more expensive EMV debit card should its mag-stripe become compromised.

6



7

transaction. This connection enables the chip to get power from, and exchange data with, the terminal. This is often referred to as “dip” to pay.

Dual-interface cards include both the contact interface and the contactless interface. Contactless EMV works by holding a contactless chip-enabled card, which also contains an integrated antenna that’s placed in the border of the card, within proximity of a contactless-capable EMV reader. The reader wirelessly powers the chip embedded in the card and allows exchange of data via NFC. This is often referred to as “tap” to pay, because the card never has to leave the customer’s possession.

Contact-only EMV cards are the most common form of EMV implementation, due in large part to costs with issuing the more expensive dual-interface cards and the lack of NFC-enabled terminals.

EMV ISSUANCE IN THE U.S.EMV chip cards use sophisticated technology that features many different options and configuration profiles. Several of these options were developed to support offline functionality, in which the chip on the card performs various functions that, in the U.S., would be the responsibility of the issuer’s online authentication system to conduct. Without the need to enable offline functionality, EMV deployment from an options and profile perspective narrows fundamentally to one decision: to include contactless interface with each card or not.

EMV CARD INTERFACE OPTIONS

EMV chip cards are typically deployed in one of two forms: contact only or dual interface. With contact-only cards, the metallic area on the front of the card is its contact plate. A microprocessor chip is embedded directly behind the contact plate. With an EMV contact transaction, the card is inserted into a card acceptance device (e.g., a payment terminal). The card reader must maintain physical contact with the plate and chip for the duration of the



EMV ROLL-OUT STRATEGY

After your bank’s card program has been upgraded to begin issuing EMV cards, there are several approaches to consider when rolling them out to your existing card base.

One approach is to reissue the entire existing card base at one time. However, this approach results in fairly significant upfront costs, as well as a steeper learning curve for consumers and branch staff alike, which slows the overall experience of working with EMV transaction data.

The generally accepted industry approach is to upgrade your existing card base as cards expire. Spreading the costs out, while both building on EMV experiences and working to educate cardholders on its use, allows banks to take a more systematic, successful approach to EMV migration. Additionally, with this approach, banks can still target specific customer segments that would be inclined toward EMV-enabled cards.

For example, consumers who frequently travel internationally will increasingly be challenged when attempting to use a non-EMV debit card, as most of the rest of the world has already adopted EMV. In order to continue to support these valued customers, the bank can preemptively identify these travelers and reissue/upgrade their existing cards to include EMV chip functionality.

Estimated EMV-Related Costs for Bank Consideration

• EMV-Related Setup Costs: $5,000-$10,000

• Program Setups

• Testing and Certifications

• EMV Chip Cards: $3-$7 per card

• Monthly Support Costs: $50-$250

• EMV Transaction Cryptogram Validation Costs: $0.005-$0.05 per transaction

8



EMV AND PLASTIC CARD LAYOUT AND ART

With the embedded EMV chip, banks will need to work with card issuers to redesign their card layout and art. That’s because the EMV chip placement is on the front of the card, to the left above the PAN (see images below).

FRONT OF THE CARD

The placement of the chip significantly reduces the area available for the issuer’s logo, and requires issuers to reevaluate their logo placement as part of the overall card design. Banks should strongly consider moving the brand hologram to the back of the card, as pictured in layouts 2 and 3.

BACK OF THE CARD

The placement of the chip makes a similar impact to the back of the card, reducing the area for the signature and CVV2/CVC2. The bank verbiage can be placed to the right of the hologram, and banks also should consider shortening the verbiage as a result of the limited space and the requirement to list the bank’s phone number (not a third party) on the card.

PURPLE: Issuer Logo

BLUE: Verbiage

RED: Logo (primary network)

GREEN: Logo (secondary network)

9



CSI EMV ISSUER ROADMAP

CSI currently is certifying EMV-capable ATMs. For those ATMs that meet the minimum requirements, CSI intends to support banks’ ability to accept EMV in the first quarter of 2016. We also continue to work with card vendors and networks to certify EMV chip card issuance readiness, and anticipate the ability to support upgrading card programs for EMV in the first quarter of 2016.

CONCLUSIONMany banks are still in the discovery phase regarding EMV technology, as well as weighing the benefits of implementing an EMV-enabled card program. While each day brings news of another data breach related to card fraud, which results in both monetary and reputational risks, banks also face the cost of putting EMV cards in rotation and maintaining them well ahead of most merchants.

The most important question for a bank surrounds timing: “When should my bank jump in?” The answer will vary for each bank, as each institution considers market conditions, card replacement strategies and customer demographics. And the upcoming fraud liability shifts should be considered as a factor in the decision as well.

Regardless of the timing your bank chooses, launching an EMV card program will benefit your institution and its customers. Though it is not without increased costs in terms of plastics and processing, EMV is a more secure technology that will greatly reduce counterfeit card fraud. As you weigh the pros and cons on issuing EMV cards, consider not only the operational costs, but also the reputational benefits that may come from customers who recognize EMV as the more secure card option. These customers will likely reach for their EMV-enabled card more often than their non-EMV cards, even if they are using them at terminals not yet equipped for EMV technology.

ABOUT CSIComputer Services, Inc. (CSI) delivers core

processing, managed services, mobile and

Internet solutions, payments processing, print

and electronic distribution, and regulatory

compliance solutions to financial institutions

and corporate customers across the nation.

Exceptional service, dynamic solutions and

superior results are the foundation of CSI’s

reputation and have resulted in the company’s

inclusion in such top industry-wide rankings

as the FinTech 100, Talkin’ Cloud 100 and

MSPmentor Top 501 Global Managed Service

Providers List. CSI’s stock is traded on OTCQX

under the symbol CSVI. For more information

about CSI, visit www.csiweb.com

10

K Y _ 1 1 0 5 1 4 _ 2 0 1 _ V 2

the road to u.s. emv migrationsf.csiweb.com/.../whitepapers/wp_pp_emvmigrationgen.pdfthe road to...

Documents