Utah's Credit Unions - EMV


Post on 02-Mar-2021



EMV

What is EMV?

EMV stands for Europay, Mastercard, and VISA. It’s a new type of credit card that provides increased security via a special chip on the card. EMV seems to address fraud for card-present transactions—but at a cost.

EMV cards can make payment in one of two ways, depending on the card and the POS terminal: contactless (wave the card near the terminal) and contact (insert the card into the terminal). You can set up your cards to do both (dual-interface), or just contact. Contactless-only cards are not recommended. Presumably, terminals will all be contact-capable, but not all will be contactless-capable.

There are one-time charges for implementation, and recurring costs as EMV cards are more expensive than mag-stripe cards.

EMV deadline and fraud liability shift

EMV is mandatory for everyone involved in VISA credit cards: issuers and merchants that take the cards. The deadline is October 2015. At that point, issuers who have EMV cards can charge back any fraud resulting from counterfeit cards created using data from the mag stripe when a merchant does not have an EMV-capable POS terminal. For unattended devices, such as automated fuel dispensers, the deadline is October 2017.

Basically, this means that if your members are using EMV cards in October 2015, then merchants are liable for fraud at POS if they do not have EMV-capable POS devices. If they do, you still cover the fraud.

Timeframe

Rollout of EMV for card-issuers takes 9-12 months in best-case scenarios. If you haven’t already started, you’re already too late to meet the deadline. Which is fine. Nothing really changes for you. You are just still liable for the fraud—which you already are.

You still have to decide when to implement. Sooner may be better, because as more and more cards become more secure, the less-secured cards will probably become the targets of fraud.

Card reissuance

You have a few options for how you roll your program out to card holders:

- All at once: quite expensive; may be better for smaller portfolios; may place burden on customer service channels because of a lot of questions from members at once
- Replace cards on normal replacement cycle
- Hybrid: re-issue some off-cycle (high spenders, affluent cardholders, frequent travelers), and the rest on-cycle

Considerations

As you roll out your EMV program, you must consider the following decisions:

- Contact vs. contactless vs. dual-interface
- Payment applications
- Cardholder verification methods
- Timing
- Reissuing cycles

3rd party processors do a lot of the work, but if you process in-house, you’ll have to do a lot of the work yourself.

Processing Considerations:

- Authorization systems
- Card files for personalization managers
- Systems that manage cardholder information
- Reporting services
- Changes to authorization and clearing systems
- Changes to rules logic for authorizations and fraud scoring
- Online card authentication
- EMV data preparation and key management
- Changes to issuer’s card management system
- Updated reporting

EMV Card Fulfillment Considerations

- A chip with one or more payment applications must be embedded into the card.
- Cards must still have mag stripe.
- Chip type: dual interface or contact-only
- Chip operating system
- Chip memory size

Back Office Support Considerations

- Customer service
- Fraud management: fraud may shift to non-EMV transactions (ONLINE!!!)
- Dispute resolution processes
- Customer and employee education

A few definitions

Payment application: software on the chip that runs the EMV authentication process.


AID: Application Identifier: the networks available on the chip card (must have two as a result of Durbin

CVMs: cardholder verification methods, used to ensure that the valid cardholder is using the card. Can have multiple, prioritized. The terminal and card use the first matching CVM type in the card’s CVM list.

- Signature
- No CVM: must be used in conjunction with at least one other CVM alternative, usually used for low-dollar transactions
- Online PIN: stored at issuer host
- Offline PIN: stored securely on the chip
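
The prioritized selection described above can be made concrete with a short sketch. This is an added example, not part of the original handout or any processor's code: it parses a CVM List in the layout defined by the EMV specification (two amounts followed by 2-byte rules) and walks it in priority order. The sample list, the function names and the reduced set of condition codes are assumptions made for illustration, and the currency check that accompanies the amount conditions is omitted.

```python
# Added illustration. Layout follows the EMV CVM List (tag 8E); sample data is constructed.
CVM_NAMES = {0x00: "Fail CVM", 0x01: "Offline PIN (plaintext)", 0x02: "Online PIN",
             0x04: "Offline PIN (enciphered)", 0x1E: "Signature", 0x1F: "No CVM"}

def parse_cvm_list(raw):
    """Split a CVM List into amount X, amount Y and its ordered 2-byte rules."""
    if len(raw) < 10 or (len(raw) - 8) % 2:
        raise ValueError("malformed CVM list")
    x = int.from_bytes(raw[0:4], "big")
    y = int.from_bytes(raw[4:8], "big")
    # Rule byte 1: bit 0x40 = "try the next rule if this one is unsuccessful", low 6 bits = method.
    rules = [(raw[i] & 0x3F, bool(raw[i] & 0x40), raw[i + 1])
             for i in range(8, len(raw), 2)]
    return x, y, rules

def condition_met(cond, method, amount, x, y, supported):
    """Evaluate the subset of condition codes this sketch models."""
    if cond == 0x00:                       # always
        return True
    if cond == 0x03:                       # if the terminal supports the CVM
        return method in supported
    if cond in (0x06, 0x07):               # under / over amount X
        return amount < x if cond == 0x06 else amount > x
    if cond in (0x08, 0x09):               # under / over amount Y
        return amount < y if cond == 0x08 else amount > y
    return False                           # other codes are not modelled here

def select_cvm(raw, amount, supported):
    """Return the first CVM in card priority order that the terminal can apply."""
    x, y, rules = parse_cvm_list(raw)
    for method, try_next, cond in rules:
        if not condition_met(cond, method, amount, x, y, supported):
            continue                       # rule does not apply to this transaction
        if method in supported and method != 0x00:
            return CVM_NAMES.get(method, hex(method))
        if not try_next:                   # card does not allow falling through
            break
    return "CVM failed"

# Constructed list: X = 5000 minor units. Priority: No CVM under X, then
# offline enciphered PIN, online PIN and signature if the terminal supports them.
SAMPLE = bytes.fromhex("0000138800000000" "5F06" "4403" "4203" "1E03")
```

Calling select_cvm(SAMPLE, 2500, {0x1F, 0x02, 0x1E}) picks No CVM for the low-dollar purchase, while the same terminal at 12000 falls through to Online PIN.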

Task force

VISA recommends having a task force including participants from key areas including:

- Products
- Marketing
- Legal
- Technology
- Operations
- Risk
- Customer service

The task force establishes an implementation plan with objectives:

- Major milestones to be achieved
- Major issues to be resolved
- General sequence and timing of key events
- Logical presentation of what is to be accomplished

Coordinate closely with processors and card vendors from the outset.

Resources

The best resources will come from your specific processor. They certainly have everything you’re going to need.

Otherwise, you can get a few excellent resources from CSCU: http://cscu.net/TabbedContent.aspx?CategoryID=294


EMV Implementation Chart


Apple Pay

There’s not a ton of information out there on Apple Pay, as it’s still a relatively new development. But here are a few details.

The consumer side

Consumers use Apple Pay by placing their phone next to a POS terminal, and placing their finger on the phone’s home button. The button scans the person’s fingerprint, and in a few moments the transaction is approved or denied. It’s relatively slick.

Of course, before this happens, the consumer must add one or more credit cards to the software on the phone. They may do this by taking a picture of the card, or manually entering the data. Clearly, you want them to enter your card, and to select it as the default card. But, alas, not every card can be added. The issuer must be enrolled in the Apple Pay system.

In addition, when a consumer adds a card to Apple Pay, both Apple and the network run the request through a number of risk parameters to ensure that the requester is indeed the valid owner of the card. If the checks fail, the cardholder goes into a “yellow path” authentication. In this case, the cardholder would need to contact the credit union in order to authenticate the process.

How it works on the back-end

Apple Pay takes advantage of a process called tokenization. This is supposed to be more secure because the merchant never sees the credit card number, and the card number is only stored with the credit union and the Token Service Provider (TSP). It gets passed through the Acquiring Network.

It’s a 12-step process:

1. The phone generates the token and sends it to the merchant.
2. The merchant forwards the token on the acquiring network.
3. The acquiring network sends the token to the TSP (VISA).
4. The TSP sends the PAN (credit card number) back to the network.
5. The network sends the PAN to the processor.
6. The processor sends the PAN and transaction request to the credit union.
7. The credit union sends authorization to the processor.
8. The processor sends authorization to the network.
9. The network sends authorization to the TSP.
10. The TSP sends a token back to the network.
11. The network sends the token to the merchant.
12. The token is returned to the phone.

Simple enough. Here’s a nifty graphic that shows the process:


Tokens are static but unique to a device, such as a mobile phone. Each transaction using a token carries with it a unique cryptogram created by the phone, so even if someone steals the token, it could not be used without the phone.

The good news is that because tokens can be cancelled and each card can have 99 tokens, if a token is compromised, the card does not need to be re-issued. The token is simply deactivated, and a new token is issued.
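
To show why a token alone is not enough and why deactivating a token spares the card, here is a small model of the TSP side of steps 3 and 4. It is an added example, not Apple's or VISA's implementation: the class and function names, the token BIN value, the shared per-device key and the use of HMAC-SHA256 in place of the real payment cryptogram are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def make_cryptogram(key, token, counter, amount):
    """Device side. HMAC-SHA256 is a stand-in for the real cryptogram algorithm."""
    return hmac.new(key, f"{token}|{counter}|{amount}".encode(), hashlib.sha256).digest()

class TokenServiceProvider:
    """Hypothetical TSP model: token vault plus cryptogram and status checks."""
    MAX_TOKENS_PER_CARD = 99                       # figure given in the text

    def __init__(self):
        self.vault = {}                            # token -> pan, key, status, last counter

    def provision(self, pan, token_bin="499999"):  # token_bin: made-up issuer token BIN
        if sum(e["pan"] == pan for e in self.vault.values()) >= self.MAX_TOKENS_PER_CARD:
            raise RuntimeError("token limit reached for this card")
        token = token_bin + "".join(secrets.choice("0123456789") for _ in range(10))
        key = secrets.token_bytes(32)              # assumed: held by the phone and the TSP only
        self.vault[token] = {"pan": pan, "key": key, "status": "active", "last": 0}
        return token, key

    def set_status(self, token, status):           # "active", "suspended" or "deleted"
        self.vault[token]["status"] = status

    def detokenize(self, token, counter, amount, cryptogram):
        """Steps 3-4 of the flow: release the PAN only for a valid, fresh cryptogram."""
        entry = self.vault.get(token)
        if entry is None or entry["status"] != "active":
            return None
        expected = make_cryptogram(entry["key"], token, counter, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return None                            # token presented without the phone's key
        if counter <= entry["last"]:
            return None                            # cryptogram already used
        entry["last"] = counter
        return entry["pan"]

def demo():
    """Constructed walk-through; returns whether each attempt yields the PAN."""
    tsp = TokenServiceProvider()
    token, key = tsp.provision("4000000000000002")     # constructed PAN
    good = make_cryptogram(key, token, 1, 1250)
    forged = make_cryptogram(secrets.token_bytes(32), token, 2, 1250)
    out = [tsp.detokenize(token, 1, 1250, good), tsp.detokenize(token, 1, 1250, good),
           tsp.detokenize(token, 2, 1250, forged)]
    tsp.set_status(token, "suspended")
    out.append(tsp.detokenize(token, 2, 1250, make_cryptogram(key, token, 2, 1250)))
    return [pan is not None for pan in out]
```

Only the first attempt in demo() succeeds: the replayed cryptogram, the cryptogram made without the phone's key and the payment on a suspended token are all refused, and the PAN itself never changes.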

Issuing tokens

In Apple Pay, the cardholder initiates the request for a token to Apple, which sends the request to VISA. The token is generated based on a token BIN range specific to each issuer and sent back through Apple to be stored on the phone. When a member tries to add a card and some of the security checks fail, the member will need to call the credit union and be authenticated using whatever methods the credit union uses to authenticate members.

This Yellow Path Authentication has been a source of significant fraud via Apple Pay, as some issuers have not done a good enough job ensuring that the person calling in is in fact the legitimate cardholder.


Life Cycle Management portal

VISA provides this to issuers, which use this online portal to manage the life cycle statuses of tokens, such as disabling or resuming tokens.

Tokens can go through various statuses: active, suspended, deleted, and possibly more.

How to enroll

You must enroll with your issuer processor. If you are split-processed, enroll with your signature processor.

As you move forward, 95% of your cards must be eligible. For this reason, issuers are adding credit and debit cards. If you didn’t add one or the other, it’s possible that you won’t meet that 95% rule.

The enrollment process takes 8-10 weeks.

The general process for implementation is:

- Verify processor readiness
- Sign Apple agreement
- Agree to Visa/MasterCard/network fees
- Agree to processor fees
- Open implementation project with processor
- Define parameters for setup
- Gather card art and logo images
- Define Terms and Conditions text
- Network setup (a few weeks)
- Apple setup (a few weeks)
- Call center setup
- Customer notification process setup
- Apple Pay validation, go/no-go
- Launch to members

Staffing considerations

Staff will need to be trained, especially on yellow path authentication, deleting tokens, and resuming tokens.

Costs

There are upfront costs from Apple and VISA as well as your PIN networks. They are detailed in contracts.

Your core data processor shouldn’t need to do anything right now, but may as functionality is added in the future.


On an ongoing basis, Apple charges 15 basis points for tokenized transactions on a credit card, and $0.005 on a tokenized debit card. The thought is that the cost will be covered by a reduction of fraud losses.

Resources

Good resource: http://www.co-opfs.org/solutions/card-payments/tokenization-resource-center/

Here is a Co-op timeline: http://www.co-opfs.org/media/201252/apple_pay_implementation_timeline_infographic.pdf