Upload
lamphuc
View
216
Download
2
Embed Size (px)
Citation preview
Advancements in technological capabilities, along with increasing levels of counterfeit fraud, led the
payments industry to develop both chip card technology and global EMV specification for payments.
EMV is designed to leverage the advanced processing capabilities of chip card technology in securely
storing and transmitting card payment credentials.
The card payments industry in the United States is one of the last to enable EMV. But the card brands have
announced plans—and increasing risks associated with compromised merchants resulting in counterfeit card
fraud have accelerated efforts—to enhance the U.S. payment infrastructure to support EMV-based payments.
This three-part white paper aims to educate individuals about EMV and the efforts underway at CSI
to support EMV payments. Our first installment focuses on its deployment in the United States, while part
two will address considerations for ATM terminal owners and part three will highlight important
business considerations for issuers.
CSI EMV WHITE PAPER SERIESPart 1 of 3: Introduction to EMV
C S I E M V W h i t e P a p e r S e r i e s | P a r t 1 o f 3 : I n t r o d u c t i o n t o E M V
C S I W H I T E P A P E R
EMV SPECIFICATION
EMV is the chip card payment specification standard
that was developed by Europay, MasterCard and Visa
(from which the specification gets its name). The
standard is managed by EMVCo, which is owned by
American Express, JCB, MasterCard and Visa.
EMV’s objective is to facilitate the global
interoperability and security of chip cards
and acceptance terminals, as well as provide
certifications for issuer card programs and
terminal devices.
CHIP CARD TECHNOLOGY
Embedded in the plastic of chip cards is an
Integrated Circuit Card (ICC) microprocessor.
The chip functions similarly to a computer: it
has an operating system, communication
protocols, applications and a secure element.
While the secure element actually is the memory
storage area of the chip, many publications use
the term secure element to refer to the entirety
of the microprocessor.
EMV SECURITY
EMV defines the communication protocols by which
payment credentials can be provisioned to the
chip and cryptographically stored and encrypted.
A portion of the payment credentials stored in
the chip is a group of unique cryptographic keys
used to establish and encrypt the communication
protocols when the credentials are transmitted
from the chip card to the terminal chip card
reader. The credentials that are transmitted, unlike
mag-stripe payment credentials, use the card’s
unique cryptographic keys to generate dynamic
cryptograms for each transaction. Dynamic
cryptograms prevent the ability to clone the EMV
credentials, which aids in protecting against
skimming and counterfeit fraud.
2
DRIVING U.S. EMV MIGRATION
There is no mandate from any network or
regulatory agency in the U.S. payments industry
that requires issuers or merchants to upgrade
their cards or terminals to EMV. However, several
driving forces are pushing issuers and merchants
to enable EMV.
One of the major driving forces is the prevention of
counterfeit fraud. Counterfeit fraud is increasing,
with high-profile merchant security compromises
of mag-stripe card data becoming more common.
Mag-stripe counterfeit fraud is expected to continue
to grow, as fraudsters migrate to those countries
that have yet to enable EMV. This includes the U.S.,
one of the last EMV holdouts.
And increasingly, U.S. consumers are likely to
encounter problems with their U.S.-issued,
mag-stripe-only cards being accepted at merchants
in those countries that have migrated to EMV.
Another major driving force is the shift in
fraud liability. Visa, MasterCard and Pulse have
announced plans to accelerate EMV migration in
the U.S. (see page 3), and an integral part of the
plan was the decision to shift fraud liability from the
party—either the merchant or issuer—that enabled
their device for EMV to the party that did not enable
EMV. The general concept is that whoever enables
the more secure technology passes the liability
for fraud to the less secure party. In the event both
parties have enabled EMV, the issuer is held liable.
C S I E M V W h i t e P a p e r S e r i e s | P a r t 1 o f 3 : I n t r o d u c t i o n t o E M V
C S I W H I T E P A P E R
3
The chart below outlines various liability scenarios–descending from most secure to least secure.
TRANSACTION TYPE ISSUER MERCHANT/ATM PROCESSED AS LIABILITY
Card Present EMV EMV EMV Issuer
Card Present EMV Mag-stripe Mag-stripe Merchant/ATM Owner
Card Present Mag-stripe EMV Mag-stripe Issuer
Card Present Mag-stripe Mag-stripe Mag-stripe Issuer
The following chart outlines the dates of the liability shifts.
LIABILITY SHIFT DATES VISA MASTERCARD PULSE
October 2015 POS Counterfeit POS Counterfeit POS Counterfeit
October 2016 ATM Liability*
October 2017 ATM Liability
October 2017 POS Fuel Dispensers POS Fuel Dispensers POS Fuel Dispensers NYCE, Shazam, Nets and Star have not announced liability shift dates.*ATM Liability Shift for Maestro Cross-Border has already taken effect.
PAYMENT ECOSYSTEM AND EMV
All stakeholders in the card payment ecosystem,
including issuers, processors, networks, acquirers,
merchants, terminal manufacturers and card
fulfillment vendors, are affected by EMV. The
changes necessary to implement EMV require most
of the existing processes to be updated in order to
support the issuance, transmission and acceptance
of EMV. This is further complicated by the size and
complexities of the U.S. payments industry.
C S I E M V W h i t e P a p e r S e r i e s | P a r t 1 o f 3 : I n t r o d u c t i o n t o E M V
C S I W H I T E P A P E R
4
REGULATION II (AKA THE DURBIN
AMENDMENT) AND EMV
One such complexity of the U.S. payments industry
is the impact of Regulation II on EMV. Regulation II
requires that debit cards maintain a minimum of
two unaffiliated payment network options that are
available to a merchant for use in processing.
With EMV, the ability to route the transaction
depends on the payment applications that can
be loaded to the chip and selected for use during
processing. While Visa and MasterCard have
EMV applications, the regional or pinned
networks—which most issuers enable as a
secondary unaffiliated network—have neither an
EMV application nor the infrastructure immediately
available to support EMV. This complication
prevents issuers from obtaining the ability to begin
rolling out “Durbin-compliant” debit chip cards.
Also, in order to support debit EMV, U.S. payment
terminals must have the ability to deal with an
EMV card that has multiple payment applications;
however, most are designed to only support a single
payment application per chip card.
Recently, the traditional pinned networks have
started cross-licensing Visa and MasterCard EMV
applications. They also are creating new network
specifications that debit issuers, processors and
acquirers will use to begin certification to eventually
enable a Durbin-compliant debit chip card.
MAG-STRIPE STILL ON EMV CHIP CARDS
During the migration from mag-stripe to EMV,
issued cards will have both EMV and mag-stripes
to allow transaction activity at all devices. During
the transition, EMV will be the first authentication
method that’s used for terminals equipped with
EMV technology. For terminals not equipped with
EMV technology, mag-stripe will be the default
authorization method, and the liability will be
defined by network rules.
It is important to note that the mag-stripe on EMV
cards is still at risk of being compromised. If the
card is used for transactions at non–EMV devices,
and if this merchant or device is compromised,
those mag-stripe credentials can then be used to
create counterfeit cards and commit fraud. In all
likelihood, the issuer would want to issue a new
card number and replace the EMV/mag-stripe card.
C S I E M V W h i t e P a p e r S e r i e s | P a r t 1 o f 3 : I n t r o d u c t i o n t o E M V
C S I W H I T E P A P E R
5
While EMV adoption is starting to accelerate in the
U.S., banks still have time to consider and evaluate
strategic options unique to their institution. And
the time couldn’t be more appropriate, as each
day brings news of a data breach or card fraud
committed by savvy cybercriminals. EMV is a more
secure payment standard designed to curtail this
rising increase of card fraud. Further, its adoption
is being motivated by the impending card fraud
liability shifts from the card associations.
EMV is a major industry undertaking that will
affect the entire payment ecosystem. But it’s also
crucial to remember that EMV technology alone
won’t eradicate fraud: it doesn’t remove the risk
of counterfeit fraud when the mag-stripe is used,
and many merchants will take years to implement
POS acceptance devices. As they develop their EMV
strategies, banks should keep these issues in mind.
The second installment of this white paper will explore the ATM requirements needed to support EMV, while the final installment will outline considerations, timelines and options that CSI will bring to the market.
NEXT STEPS
K Y _ 1 1 0 5 1 4 _ 2 0 1 _ P T 1 _ V 1
INTRODUCTION
The United States migration to EMV is beginning
to accelerate. To help financial institutions
understand this emerging technology, CSI is
publishing a three-part white paper that explains
EMV specifications, enablement and adoption.
Our first installment provided an introduction to
EMV deployment in the U.S., while Part 2 examines
ATM requirements that support EMV.
While much of the EMV discussion focuses on chip
cards, the deployment of advanced terminals and
readers that are capable of interfacing and
receiving the credentials from these cards is
equally important in the enablement of EMV.
In order to ensure interoperability, these more
advanced terminals must go through rigorous
testing and certification. For financial institutions
electing to enable EMV acceptance at their fleet of
ATMs, there are specific hardware and software
requirements, timeframes and costs to consider.
CSI EMV WHITE PAPER SERIESPart 2 of 3: EMV Acquiring at ATMs
C S I E M V W h i t e P a p e r S e r i e s | P a r t 2 o f 3 : E M V A c q u i r i n g a t A T M S
C S I W H I T E P A P E R
FRAUD LIABILITY SHIFT AND BANK ATMS
With the deployment of EMV in the U.S., fraud
liability passes from the party that has enabled
the more secure technology (EMV transaction
processing) to the less secure party (mag-stripe
transaction processing).
Today, with a mag-stripe ATM transaction, the
card issuer is liable for fraudulent activity.
However, impending fraud liability shifts will
change that responsibility. While the general
point-of-sale (POS) fraud liability shift is
scheduled for October 2015, ATMs have a later
date scheduled: the EMV fraud liability shift for
MasterCard ATM transactions is Oct. 1, 2016,
while the EMV fraud liability shift for Visa ATM
transactions is Oct. 1, 2017. This graduated
schedule for the ATM fraud liability shift gives
financial institutions additional time to consider
their strategies and implementation timeframes.
Following these EMV fraud liability shift dates, the
bank ATM owner will be liable for any fraudulent
activity occurring on any EMV-enabled chip cards
(both internationally and domestically issued) if
the ATM is not EMV-enabled. While ATM-related
fraud remains relatively low and is not currently
the responsibility of the ATM owner, financial
institutions should consider the possibility of
these related fraud losses before upgrading or
enabling EMV acceptance at their ATMs.
EMV TERMINAL REQUIREMENTS
ATMs require card readers that are capable of
interfacing with the EMV chip. EMV card readers
primarily interface with cards by maintaining
physical contact with the chip on the front of the
card while it is inserted, as opposed to reading the
“swiped” mag-stripe on cards currently in use. EMV
optionally supports a wireless or contactless form
of interface leveraging near-field communication
(NFC) to transmit and receive credentials.
ATM software from the terminal vendor is
required to have received Level 2 certification
from EMVCo, which is owned by American Express,
JCB, MasterCard and Visa, and manages EMV
standards. ATM hardware that interfaces with
the chip card requires Level 1 certification.
These certifications will take place with the
hardware/software manufacturer and terminal
drivers like CSI. As EMV implementation occurs,
CSI will work with the appropriate parties to ensure
that these certification levels are met.
2
C S I E M V W h i t e P a p e r S e r i e s | P a r t 2 o f 3 : E M V A c q u i r i n g a t A T M S
C S I W H I T E P A P E R
3
VENDOR OS TERMINAL SOFTWARE EMV SOFTWARE HARDWARE
Diebold Win 7 Agilis 3.0 SP3 EMV Solution 5.0 (Kernel) EMV Capable Card Reader
NCR Win 7 APTRA Advance NDC 4.01.0 APTRA EMV Kernel 3.0 EMV Capable Card Reader
NCR Win 7 APTRA Edge 5.0 APTRA EMV Kernel 3.0 EMV Capable Card Reader
Hyosung Win 7 MoniPlus2 v02.03.x EMV Kernel 5.5 EMV Capable Card Reader
Triton Windows Triton Software Triton Software EMV Capable Card Reader Embedded (contains Kernel)
CSI TERMINAL REQUIREMENTS FOR EMV SUPPORT
In order for CSI to support EMV acceptance at
your ATMs, the following minimum configurations
are required. CSI does not track all software
and hardware changes made to ATMs, and will
need to be informed when your terminals meet
these requirements.
BUSINESS CONSIDERATIONS
Industry research suggests that the cost to upgrade
the U.S. ATM fleet to accept EMV-enabled cards
could be upward of $500 million. Banks that need
to upgrade their ATMs should look to do so now to
ensure resource availability. Banks that are in the
process of updating their ATMs, or are considering
doing so, should contact their terminal vendors
to ascertain potential options and costs. When
planning ATM upgrades, CSI will be available to
assist and support you.
For ATMs that have existing card readers in need
of replacement, you should consider the customer
experience. There are two types of card readers
capable of EMV: motorized-insertion readers and
“dip-and-clip” readers. Motorized-insertion readers
will continue to operate as they do today. With
dip-and-clip readers, the customer will remove
their card and receive instructions to re-insert
and leave their card in the reader during the entire
transaction. This change will require customer
re-training, because if the customer forcibly
removes her card after re-insertion, the clip
could be damaged.
C S I E M V W h i t e P a p e r S e r i e s | P a r t 2 o f 3 : E M V A c q u i r i n g a t A T M S
C S I W H I T E P A P E R
4
CSI EMV ATM ROADMAPCSI currently is certifying EMV-capable ATMs. For
those ATMs that meet the minimum requirements,
CSI intends to support your bank’s ability to accept
EMV in the first quarter of 2016. As we move closer
to liability shift and implementation dates for EMV
at ATMs, CSI will continue to provide updates.
Our next installment in this white paper series will detail the process of issuing chip cards to be used at EMV-enabled terminals.
K Y _ 1 1 0 5 1 4 _ 2 0 1 _ P T 2 _ V 1
INTRODUCTION
While no mandate exists that requires banks
to issue EMV chip cards, the debate for the U.S.
market adoption of EMV has largely ended.
This is due, in large part, to the increasing
frequency of large merchant data breaches of
stored mag-stripe card data and the subsequent
fraud losses that follow them, as well as the
approaching fraud liability shift dates set by the
various card associations and networks.
For institutions that are considering issuing EMV
chip cards, the implications are significant in
terms of the complexities, timing and costs
of implementation.
This final installment in CSI’s EMV white paper
series aims to educate individuals on card
production requirements, as well as the business
decisions that should be considered before banks
can issue EMV chip cards and the efforts underway
at CSI to support banks in issuing these cards.
CSI EMV WHITE PAPER SERIESPart 3 of 3: Issuing EMV Chip Cards
C S I E M V W h i t e P a p e r S e r i e s | P a r t 3 o f 3 : I s s u i n g E M V C h i p C a r d s
C S I W H I T E P A P E R
FRAUD LIABILITY SHIFT AND BANK DEBIT CARDS
With the deployment of EMV in the U.S., liability
passes from the party that has enabled the more
secure technology to the less secure party. With
today’s mag-stripe transactions, fraud liability for
card-present transactions is the responsibility of the
card issuer. However, if both parties—issuers and
merchants—have enabled EMV, then transaction
fraud liability still remains with the card issuer,
albeit for significantly more secure transactions.
For card-present transactions, there is only
one situation in which liability will switch to the
merchant: the shift occurs when the card issuer
has given its customer an EMV chip card, but the
merchant has not yet enabled EMV acceptance. In
this scenario, the issuer has chargeback rights to
recover these specific fraud losses.
It will take merchants years to update their
point-of-sale terminals to support EMV, with smaller
merchants projected to take the longest. In the
meantime, many merchants will still be using the
mag-stripe to process EMV cards. This practice will
still expose EMV cards to potential fraud well into
the future. So, until the market reaches the point at
which EMV cards can be processed without the use
of mag-stripe functionality, banks will be placed
in a situation of having to reissue the now more
expensive EMV debit card should its mag-stripe
become compromised.
EMV ISSUANCE IN THE U.S.
EMV chip cards use sophisticated technology that
features many different options and configuration
profiles. Several of these options were developed
to support offline functionality, in which the chip
on the card performs various functions that, in the
U.S., would be the responsibility of the issuer’s
online authentication system to conduct. Without
the need to enable offline functionality, EMV
deployment from an options and profile perspective
narrows fundamentally to one decision: to include
contactless interface with each card or not.
2
C S I E M V W h i t e P a p e r S e r i e s | P a r t 3 o f 3 : I s s u i n g E M V C h i p C a r d s
C S I W H I T E P A P E R
3
EMV CARD INTERFACE OPTIONS
EMV chip cards are typically deployed in one of
two forms: contact only or dual interface. With
contact-only cards, the metallic area on the front of
the card is its contact plate. A microprocessor chip
is embedded directly behind the contact plate. With
an EMV contact transaction, the card is inserted into
a card acceptance device (e.g., a payment terminal).
The card reader must maintain physical contact
with the plate and chip for the duration of the
transaction. This connection enables the chip to get
power from, and exchange data with, the terminal.
This is often referred to as “dip” to pay.
Dual-interface cards include both the contact
interface and the contactless interface. Contactless
EMV works by holding a contactless chip-enabled
card, which also contains an integrated antenna
that’s placed in the border of the card, within
proximity of a contactless-capable EMV reader.
The reader wirelessly powers the chip embedded
in the card and allows exchange of data via near
field communication, or NFC. This is often referred
to as “tap” to pay, because the card never has to
leave the customer’s possession.
Contact-only EMV cards are the most common form
of EMV implementation, due in large part to costs
with issuing the more expensive dual-interface
cards and the lack of NFC-enabled terminals.
CSI EMV CARD PROGRAM UPGRADES
For CSI customers interested in migrating to EMV
chip cards, CSI will support the upgrade of your
existing card programs for the respective card
associations in which you already participate.
The choice then becomes: does the bank want
to offer EMV debit cards with the contact-only
interface, or does the bank want to enable the
optional contactless interface and give their
customer an EMV chip card with dual interface?
• Visa – EMV Debit Card – Contact Only
• Visa – EMV Debit Card – Dual Interface
• MasterCard – EMV Debit Card – Contact Only
• MasterCard – EMV Debit Card – Dual Interface
C S I E M V W h i t e P a p e r S e r i e s | P a r t 3 o f 3 : I s s u i n g E M V C h i p C a r d s
C S I W H I T E P A P E R
4
EMV ROLL-OUT STRATEGY
After your bank’s card program has been upgraded
to begin issuing EMV cards, there are several
approaches to consider when rolling them out to
your existing card base.
One approach is to reissue the entire existing card
base at one time. However, this approach results
in fairly significant upfront costs, as well as a
steeper learning curve for consumers and branch
staff alike, which slows the overall experience of
working with EMV transaction data.
The generally accepted industry (and
CSI-recommended) approach is to upgrade your
existing card base as cards expire. Spreading the
costs out, while both building on EMV experiences
and working to educate cardholders on its use,
allows banks to take a more systematic, successful
approach to EMV migration. Additionally, with this
approach, banks can still target specific customer
segments that would be inclined toward
EMV-enabled cards.
For example, consumers who frequently travel
internationally will increasingly be challenged
when attempting to use a non-EMV debit card, as
most of the rest of the world has already adopted
EMV. In order to continue to support these valued
clients, the bank can preemptively identify these
travelers and reissue/upgrade their existing cards
to include EMV chip functionality.
Estimated EMV-Related Costs for Bank
Consideration
• EMV-Related Setup Costs: $5,000-$10,000
• Program Setups
• Testing & Certifications
• EMV Chip Cards: $3-$7 per card
• Monthly Support Costs: $50-$250
• EMV Transaction Cryptogram Validation Costs:
$0.005-$0.05 per transaction
C S I E M V W h i t e P a p e r S e r i e s | P a r t 3 o f 3 : I s s u i n g E M V C h i p C a r d s
C S I W H I T E P A P E R
EMV AND PLASTIC CARD LAYOUT AND ART
With the embedded EMV chip, banks will need to work with card
issuers to redesign their card layout and art. That’s because the EMV
chip placement is on the front of the card, to the left above the PAN
(see images below).
FRONT OF THE CARD
The placement of the chip significantly reduces the
area available for the issuer’s logo, and requires
issuers to reevaluate their logo placement as part
of the overall card design. Banks should strongly
consider moving the brand hologram to the back of
the card, as pictured in layouts 2 and 3.
BACK OF THE CARD
The placement of the chip makes a similar impact
to the back of the card, reducing the area for the
signature and CVV2/CVC2. The bank verbiage can
be placed to the right of the hologram, and banks
also should consider shortening the verbiage as a
result of the limited space and the requirement to
list the bank’s phone number (not a third party) on
the card.
PURPLE: Issuer Logo
BLUE: Verbiage
RED: Logo (primary network)
GREEN: Logo (secondary network)
5
C S I E M V W h i t e P a p e r S e r i e s | P a r t 3 o f 3 : I s s u i n g E M V C h i p C a r d s
C S I W H I T E P A P E R
CSI EMV ISSUER ROADMAP
CSI continues to work with card vendors and
networks to certify EMV chip card issuance
readiness. CSI anticipates the ability to support
upgrading card programs for EMV in Q1 2016.
CONCLUSION
Many banks are still in the discovery phase
regarding EMV technology, as well as weighing the
benefits of implementing an EMV-enabled card
program. While each day brings news of another
data breach related to card fraud, which results in
both monetary and reputational risks, banks also
face the cost of putting EMV cards in rotation and
maintaining them well ahead of most merchants.
The most important question for a bank surrounds
timing: “When should my bank jump in?” The answer
will vary for each bank, as each institution considers
market conditions, card replacement strategies and
customer demographics. And the upcoming fraud
liability shifts should be considered as a factor in the
decision as well.
Regardless of the timing your bank chooses,
launching an EMV card program will benefit your
institution and its customers. Though it is not
without increased costs in terms of plastics and
processing, EMV is a more secure technology that
will greatly reduce counterfeit card fraud. As you
weigh the pros and cons on issuing EMV cards,
consider not only the operational costs, but also
the reputational benefits that may come from
customers who recognize EMV as the more secure
card option. These customers will likely reach for
their EMV-enabled card more often than their
non-EMV cards, even if they are using them at
terminals not yet equipped for EMV technology.
When determining the best time to migrate toward EMV, keep this in mind: Your EMV strategy should be balanced between what’s appropriate for your bank and what’s best for your customers.
6
K Y _ 1 1 0 5 1 4 _ 2 0 1 _ P T 3 _ V 1