411 of EMV
Presenters
• Robin Trickel
• Phil Schwartz
• Carl Bayer
Agenda
• Housekeeping
• 411 of EMV
• Conexxus
• Q & A
• Closing Thoughts
The 411 of EMV
June 19, 2014
Agenda
EMV overview
Timelines
Liability shifts – demystified
Considerations Chip Card
Proprietary – do not copy: Please contact Robin Trickel for permission for use.
EMV Overview
Improved security = Decreased fraud
Building block for future technology
EMVCo Owned & operated by
Global payment standard = consistent experience worldwide
What EMV is not…
EMV ≠ Mandated / required: Merchant choice to implement!
EMV ≠ Protection against all chargebacks: Liability shift is for counterfeit & lost/stolen only.
EMV ≠ Secure cardholder data: EMV does not protect or encrypt card numbers.
EMV ≠ PCI DSS: EMV protects against fraud, PCI focuses on security of sensitive data.
Debit Routing
Agreements signed to date
Network MasterCard Visa
ACCEL
AFFN
ALASKA OPTION
ATH
CO-OP
CU24
INTERLINK
JEANIE
MAESTRO
NETS
NYCE
PRESTO
PULSE
SHAZAM
STAR
EMV is proprietary
Regional debit networks must license MasterCard and/or Visa technology
EMV News: Projections
“Only about 1% of the 1-billion-plus credit, debit and prepaid cards in the United
States currently have an EMV chip.” 1
“By the end of 2015, 70% of U.S. credit cards and 41% of U.S. debit cards will be
EMV enabled, says Aite Group.”2
[Chart: EMV Migration Forum Projections³, 2013–2016; series: Cards and POS, in millions (M)]
1 http://www.digitaltransactions.net/news/story/EMV-Commercial-Card-Issuers-May-Herald-PIN-Dominance-With-Consumers
2 http://www.finextra.com/news/announcement.aspx?pressreleaseid=55560&topic=payments
3 Data from EMV Migration Forum, May 2014 meeting
EMV Progress
EMV card acceptance
• Walmart (enabled)
• Sears¹
• Target¹
• CVS¹
¹ Announced accelerated roll-out (i.e. before October 2015)
EMV card issuance
• Sam’s Club MasterCard
• Bank of America
• Barclaycard (Arrival Plus World Elite) MasterCard
• Chase (British Airways, Hyatt, Select, Palladium, Sapphire, Marriott) Visa
• Citi (AAdvantage, HHonors) MasterCard
• Target REDcard MasterCard
• USAA
• Wells Fargo Platinum
• State Employee’s Credit Union (NC)
• United Nations Federal Credit Union
References:
http://www.banktech.com/payments-cards/3-trends-in-emv-adoption-in-the-us/240165510
http://www.pymnts.com/news/2014/sams-clubs-emv-transition/
http://www.nerdwallet.com/blog/top-credit-cards/nerdwallets-best-emv-chip-credit-cards/
http://www.usatoday.com/story/money/business/2014/04/29/target-mastercard-emv-partnership/8453783/
U.S. EMV Timelines
Oct-2012: PCI validation relief¹
Apr-2013: Processor support for chip processing
Oct-2013: MC ADC relief takes effect (50%)
April-2014: Visa unattended liability shift
Oct-2015: Non-AFD liability shift
Oct-2015: MC ADC relief (100%)
Oct-2016: MC ATM liability shift
Oct-2016: Visa GCAR relief
Oct-2017: AFD liability shift
Oct-2017: Visa ATM liability shift
AFD: Automated Fuel Dispenser
Visa GCAR: Global Compromised Account Recovery
MasterCard ADC: Account Data Compromise
¹ Applies to Level 1 & Level 2 merchants where 75% of transactions come from a dual interface, chip-enabled, terminal
Liability Shift = Potential Chargebacks
There is no mandate for merchants to implement EMV!
Counterfeit
Lost / stolen
1 Counterfeit liability shift is the same for both MasterCard & Visa.
2 Visa does not have a liability shift for attended related to lost / stolen for EMV.
Liability Shifts
Liability Shift – Counterfeit
Visa & MasterCard
Current: Issuer liable¹
Oct-2015 (Oct-2017 for AFDs): For chip cards, Merchant liable if non-chip terminal
¹ A variety of factors play into liability, such as if the full track data was provided, but for simplicity purposes using the current general scenario.
Liability Shift – Counterfeit
Example¹
Current:
Mag stripe terminal + Mag stripe card = Issuer liable
Oct-2015² & Beyond:
Mag stripe terminal + Mag stripe card = Issuer liable
Chip³ terminal + Mag stripe card = Issuer liable
Chip³ terminal + Chip³ card = Issuer liable
Mag stripe terminal + Chip³ card = Merchant liable
¹ Same applies for both Visa & MasterCard.
² Oct-2017 for AFD
³ With or without PIN capabilities
To summarize… Liability for fraud shifts to the merchant when a counterfeit chip card is used at a mag stripe terminal after Oct-2015/2017
Liability Shift – Lost / Stolen
MasterCard
Attended / Unattended
Current:
Attended: Issuer liable¹
Unattended: Merchant liable¹
October 2015 (October 2017 for AFD):
For chip cards, Merchant liable if terminal is less secure (CVM hierarchy applies)
¹ A variety of factors play into liability, such as if the full track data was provided, but for simplicity purposes using the current general scenario.
Liability Shift – Lost / Stolen
MasterCard Non-AFD Example
Current:
Mag stripe terminal + Mag stripe card = Issuer liable
Oct-2015 & Beyond:
Mag stripe terminal + Mag stripe card = Issuer liable
Chip terminal + Mag stripe card = Issuer liable
Chip & PIN terminal + Chip & Sig card = Issuer liable
Chip & PIN terminal + Chip & PIN card = Issuer liable
Mag stripe terminal + Chip card = Merchant liable
Chip & Sig terminal + Chip & PIN card = Merchant liable
To summarize… Liability for fraud shifts to the merchant when a lost or stolen chip card is used at a less secure terminal after Oct-2015
Liability Shift – Lost / Stolen
MasterCard AFD Example
Current:
Mag stripe terminal + Mag stripe card = Merchant liable
Oct-2017 & Beyond:
Mag stripe terminal + Mag stripe card = Merchant liable
Chip terminal + Mag stripe card = Issuer liable
Chip & PIN terminal + Chip & Sig card = Issuer liable
Chip & PIN terminal + Chip & PIN card = Issuer liable
Mag stripe terminal + Chip card = Merchant liable
Chip & no-PIN terminal + Chip & PIN card = Merchant liable
To summarize… Liability for fraud shifts to the issuer when a lost or stolen card is used at a more secure AFD terminal after Oct-2017
Liability Shift – Lost / Stolen
Visa
Current:
Attended: Issuer liable¹
Unattended: Merchant liable¹
Apr-2014:
Attended: No Change
Unattended: For chip cards, Issuer liable if chip terminal
¹ A variety of factors play into liability, such as if the full track data was provided, but for simplicity purposes using the current general scenario.
Liability Shift – Lost / Stolen
Visa Unattended Example
Current:
Mag stripe terminal + Mag stripe card = Merchant liable
Apr-2014 & Beyond:
Mag stripe terminal + Mag stripe card = Merchant liable
Mag stripe terminal + Chip¹ card = Merchant liable
Chip¹ terminal + Mag stripe card = Merchant liable
Chip¹ terminal + Chip¹ card = Issuer liable
¹ With or without PIN capabilities
To summarize… Liability for fraud shifts to the issuer when a lost or stolen chip card is used at a chip AFD terminal
POS Considerations
EMV
Chip-based authentication is used to eliminate counterfeit, lost and stolen fraud.
Encryption
End-to-end encryption is used to protect sensitive card data in transit or at rest.
Tokenization
Tokenization of card data allows for loss prevention, analytics, and loyalty.
Supported Cardholder Verification Method (CVM)
Signature
PIN
No CVM (i.e. no signature required)
Contactless Support
EMV with Encryption & Tokenization
EMV + Encryption & Tokenization
Process Adjustments
Staff training
Customer-facing PIN pad
Cardholder training
– Tap, swipe or insert?
– Forgotten cards
Additional time per transaction
Next Steps
Monitor industry news
Seek education from…
– Processor
– Fuel supplier
– Terminal / dispenser provider
– Industry associations {Conexxus, NACS, EMV Migration Forum (EMF)}
Evaluate existing environment
– POS
– Location
– Chargeback ratios
Start thinking about budget
Conexxus
About Conexxus . . .
• We set standards…
– Data exchange
• Systems, B2B, payments
– Security
• Systems, data, cyber-risk
– Mobile commerce standards
• Payments, promotion, loyalty
• We provide vision
– Identify emerging tech/trends
• We advocate for our members
– Technology is policy
Conexxus
Data Security Committee
• We Care
– Eight point data security plan
– Employee data security training guide
– Remote access management guide
– Guide to Simple Network Design
• PCI DSS 3.0
• Anti-skimming best practices
• NACS magazine Bits & Bytes articles
• Security incident reporting database
• Security webinar series
QUESTIONS?
Further Questions? Contact Us…
Robin Trickel
Heartland Payment Systems
Phil Schwartz
Valero
Carl Bayer
Conexxus