411 of EMV - Conexxus · The 411 of EMV June 19, 2014 . 5 Agenda EMV overview Timelines Liability shifts – demystified Considerations Chip Card Proprietary – do not copy: Please

411 of EMV

Presenters

• Robin Trickel

• Phil Schwartz

• Carl Bayer

2

Agenda

• Housekeeping

• 411 of EMV

• Conexxus

• Q & A

• Closing Thoughts

The 411 of EMV

June 19, 2014

5

Agenda

EMV overview

Timelines

Liability shifts – demystified

Considerations Chip Card

Proprietary – do not copy: Please contact Robin Trickel for permission for use.

6

EMV Overview

Improved security =

Decreased fraud

Building block for

future technology

EMVCo Owned & operated by

Global payment standard =

consistent experience worldwide


7

What EMV is not…

EMV ≠ Mandated / required Merchant choice to implement!

EMV ≠ Protection against all chargebacks Liability shift is for counterfeit & lost/stolen only.

EMV ≠ Secure cardholder data EMV does not protect or encrypt card numbers.

EMV ≠ PCI DSS EMV protects against fraud, PCI focuses on security of sensitive data.


8

Debit Routing

Agreements signed to date

Network MasterCard Visa

ACCEL

AFFN

ALASKA OPTION

ATH

CO-OP

CU24

INTERLINK

JEANIE

MAESTRO

NETS

NYCE

PRESTO

PULSE

SHAZAM

STAR

EMV is proprietary

Regional debit networks must license MasterCard and/or Visa

technology


9

EMV News: Projections

“Only about 1% of the 1-billion-plus credit, debit and prepaid cards in the United

States currently have an EMV chip.” 1

“By the end of 2015, 70% of U.S. credit cards and 41% of U.S. debit cards will be

EMV enabled, says Aite Group.”2

1 http://www.digitaltransactions.net/news/story/EMV-Commercial-Card-Issuers-May-Herald-PIN-Dominance-With-Consumers 2 http://www.finextra.com/news/announcement.aspx?pressreleaseid=55560&topic=payments 3 Data from EMV Migration Forum, May 2014 meeting

0

2

4

6

8

10

12

0

200

400

600

800

1000

2013 2014 2015 2016

EMV Migration Forum Projections3 M M

Cards POS

Proprietary – do not copy

10

EMV Progress

References: http://www.banktech.com/payments-cards/3-trends-in-emv-adoption-in-the-us/240165510 http://www.pymnts.com/news/2014/sams-clubs-emv-transition/ http://www.nerdwallet.com/blog/top-credit-cards/nerdwallets-best-emv-chip-credit-cards/ http://www.usatoday.com/story/money/business/2014/04/29/target-mastercard-emv-partnership/8453783/

EMV card acceptance

Walmart (enabled)

Sears1

Target1

CVS1 1Announced accelerated roll-out (i.e.

before October 2015)

EMV card issuance Sam’s Club MasterCard

Bank of America

Barclaycard (Arrival Plus World Elite)

MasterCard

Chase (British Airways, Hyatt, Select,

Palladium, Sapphire, Marriott) Visa

Citi (AAdvantage, Hhonors) MasterCard

Target REDcard MasterCard

USAA

Wells Fargo Platinum

State Employee’s Credit Union (NC)

United Nations Federal Credit Union Proprietary – do not copy

11

AFD: Automated Fuel Dispenser Visa GCAR: Global Compromised Account Recovery MasterCard ADC: Account Data Compromise

1 Applies to Level 1 & Level 2 merchants where 75% of transactions come from a dual interface, chip-enabled, terminal

U.S. EMV Timelines

2012 2013 2015 2017

Oct-2012 PCI validation relief1

Apr-2013 Processor support for chip

processing

Oct-2015 Non-AFD liability shift Oct-2017

AFD liability shift

2016

Oct-2016 MC ATM

liability shift

Oct-2013 MC ADC relief takes

effect (50%)

2014

Oct-2015 MC ADC

relief (100%)

Oct-2017 Visa ATM

liability shift

April-2014 Visa unattended liability shift

Oct-2016 Visa GCAR relief


12

Liability Shift = Potential Chargebacks

There is no mandate for merchants to implement EMV!

Counterfeit

Lost / stolen

1 Counterfeit liability shift is the same for both MasterCard & Visa. 2 Visa does not have a liability shift for attended related to lost / stolen for EMV.

Liability Shifts


13

Liability Shift – Counterfeit

Visa & MasterCard

Current Oct-2015

Oct-2017 for AFDs

Issuer liable1

For chip cards, Merchant liable,

If non-chip terminal

1A variety of factors play into liability, such as if the full track data was provided, but for simplicity purposes using the current general scenario.


14

1Same applies for both Visa & MasterCard. 2Oct-2017 for AFD

3With or without PIN capabilities


Example1

Current

Oct-20152

& Beyond

Mag stripe terminal

Mag stripe card + = Issuer

liable

Mag stripe terminal


liable

Chip3

terminal Mag stripe

card + = Issuer liable

Chip3

terminal Chip3


Mag stripe terminal

Chip3

card + = Merchant liable


15

1Same applies for both Visa & MasterCard. 2Oct-2017 for AFD



Example1

Current

Oct-20152

& Beyond

Mag stripe terminal


liable

Mag stripe terminal


liable

Chip3

terminal Mag stripe


Chip3

terminal Chip3


Mag stripe terminal

Chip3


To summarize… Liability for fraud shifts

to the merchant when a

counterfeit chip card is used at a

mag stripe terminal after Oct-2015/2017


16

Liability Shift – Lost / Stolen

MasterCard

1A variety of factors play into liability, such as if the full track data was provided, but for simplicity purposes using the current general scenario.

Attended / Unattended

Current October 2015

October 2017 for AFD

Attended Issuer liable1 For chip cards, Merchant liable,

If terminal is less secure (CVM hierarchy applies) Unattended Merchant liable1


17

Mag stripe terminal


liable

Oct-2015

& Beyond

Current Mag stripe terminal


liable

Chip terminal


liable

Chip & PIN terminal

Chip & Sig card + = Issuer

liable

Chip & PIN terminal

Chip & PIN card + = Issuer

liable

Mag stripe terminal

Chip card + = Merchant

liable

Chip & Sig terminal

Chip & PIN card + = Merchant

liable


MasterCard Non-AFD Example


18

Mag stripe terminal


liable

Oct-2015

& Beyond



liable

Chip terminal


liable

Chip & PIN terminal


liable

Chip & PIN terminal + Chip & PIN

card = Issuer liable

Mag stripe terminal


liable

Chip & Sig terminal


liable


MasterCard Non-AFD Example


to the merchant when a

lost or stolen chip card is used at a

less secure terminal after Oct-2015


19

Mag stripe terminal

Mag stripe card + = Merchant

liable

Oct-2017

& Beyond



liable

Chip terminal


liable

Chip & PIN terminal


liable

Chip & PIN terminal


liable

Mag stripe terminal


liable

Chip & no-PIN terminal


liable


MasterCard AFD Example


20

Mag stripe terminal


liable

Oct-2017

& Beyond



liable

Mag stripe terminal


liable

Chip & no-PIN terminal


liable


MasterCard AFD Example

Chip terminal


liable

Chip & PIN terminal


liable

Chip & PIN terminal


liable


to the issuer when a

lost or stolen card is used at a

more secure AFD terminal after Oct-2017


21


Visa

Current Apr-2014

Attended Issuer liable1 No Change

Unattended Merchant liable1

For chip cards, Issuer liable,

If chip terminal 1A variety of factors play into liability, such as if the full track data was provided, but for simplicity purposes using the current general scenario.


22



Visa Unattended Example

Current

Apr-2014

& Beyond

Mag stripe terminal


liable

Mag stripe terminal


liable

Mag stripe terminal

Chip1


Chip1

terminal Mag stripe


Chip1

terminal Chip1



23



Visa Unattended Example

Current

Apr-2014

& Beyond

Mag stripe terminal


liable

Mag stripe terminal


liable

Mag stripe terminal

Chip1


Chip1

terminal Mag stripe


Chip1

terminal Chip1



to the issuer when a

lost or stolen chip card is used at a

chip AFD terminal


24

POS Considerations

EMV

Chip based authentication is used to eliminate counterfeit, lost and stolen fraud.

Encryption

End-to-end encryption is used to protect sensitive card data in transit or at rest.

Tokenization

Tokenization of card data allows for loss prevention, analytics, and loyalty.

Supported Cardholder Verification Method (CVM)

Signature

PIN

No CVM (i.e. no signature required)

Contactless Support

EMV with Encryption & Tokenization

EMV + Encryption & Tokenization


25

Process Adjustments

Staff training

Customer-facing PIN pad

Cardholder training Tap, swipe or insert? Forgotten cards

Additional time per transaction


26

Next Steps

Monitor industry news

Seek education from… Processor

Fuel supplier

Terminal / dispenser provider

Industry associations {Conexxus, NACS, EMV Migration Forum (EMF)}

Evaluate existing environment POS

Location

Chargeback ratios

Start thinking about budget


Conexxus

About Conexxus . . . • We set standards…

– Data exchange

• Systems, B2B, payments

– Security

• Systems, data, cyber-risk

– Mobile commerce standards

• Payments, promotion, loyalty

• We provide vision

– Identify emerging tech/trends

• We advocate for our members

– Technology is policy

Conexxus

Data Security Committee

• We Care

– Eight point data security plan

– Employee data security training guide

– Remote access management guide

– Guide to Simple Network Design

• PCI DSS 3.0

• Anti-skimming best practices

• NACS magazine Bits & Bytes articles

• Security incident reporting database

• Security webinar series

QUESTIONS?

Further Questions? Contact Us…

Robin Trickel

Heartland Payment Systems

[email protected]

Phil Schwartz

Valero

[email protected]

Carl Bayer Conexxus

[email protected]

Documents

411 of EMV - Conexxus · The 411 of EMV June 19, 2014 . 5 Agenda EMV overview Timelines Liability shifts – demystified Considerations Chip Card Proprietary – do not copy: Please