EMV: What It Can and It Cannot Do

Merchant Acquirers' Committee, March 10, 2015


©2015 SCIL. All Rights Reserved.

Presenters

Mansour A. Karimzadeh

Mansour applies nearly 25 years of experience to his leadership role at SCIL. His background includes payment and transaction processing systems in the financial industry and an in-depth understanding of how to create new businesses and drive demand for emerging products and technologies. He has been instrumental in implementing many large card and payment processing projects worldwide, specializing in smart cards and EMV systems, including projects in the UK, Canada, USA, Latin America, the Middle East and Australia. He served as a Board member of Global Platform and Chair of its Marketing Center. He previously managed a smart card consultancy and software company that was acquired by ACI Worldwide, where he served as VP of Operations and Director of the Smart Cards Unit.

Susan Matt

Susan has over 25 years of business experience. She began her career as a CPA at the public accounting firm Deloitte, serving clients in the financial, manufacturing, non-profit and legal sectors. Building on her public accounting knowledge, she moved into the private sector as an international auditor and forensic financial specialist, then to RBS Worldpay/Lynk Systems as VP of Regulatory & Compliance. In 2007 she founded ThoughtKey, a consulting firm focused on guiding clients to preserve profit while managing industry risk. She has served on the MAC Board as CFO and on the ATMIA US Board of Directors as Chairperson.


Agenda

• EMV Intent

• EMV Infrastructure – The Complexities Unveiled

• EMV Impact (on my world)

• Risk Landscape - Watch out for Changes

• Hidden Agenda? (“Conspiracy Theory”)



EMV Intent



EMV Intent

• Defines the interaction between a "smart card" and a terminal device using two sets of characteristics:
  - physical characteristics: the card layout and the placement of the chip contacts on the card, AND
  - software characteristics: the command/response protocol and the cryptographic algorithms (card authentication, transaction cryptograms, PIN encipherment) used when the terminal connects to and communicates with the chip

1. GOAL:
  - Secure exchange of the sensitive user data needed to complete a credit/debit transaction
  - Give issuers instant risk management capability

2. ULTIMATE GOAL:
  - Reduce/eliminate counterfeit fraud, and reduce/eliminate lost/stolen fraud (only when a PIN is used)


What it does and does not

Does:
• Reduce counterfeit (card-present) fraud
• Reduce liability
• Allow issuers to manage card risk dynamically
• Require infrastructure change

Doesn't:
• Reduce CNP fraud
• Eliminate liability
• Eliminate acquirer fraud monitoring
• Work without change


What it does and does not (Cont.)

Does:
• Improve transaction security
• Potentially reduce PCI risk
• Work in concert with P2PE and tokens

Doesn't:
• Eliminate security requirements
• Eliminate the PCI mandate
• Eliminate the need for P2PE and tokens


EMV Infrastructure – The Complexities Unveiled


How does an EMV card work?

• Power is applied to the chip by the card reader through the VCC contact.
• A continuous clock is applied to the chip by the card reader through the CLK contact.
• Streams of serial data like 01101011010101110 then pass in and out of the I/O contact.

Applying power "wakes up" the simple operating system on the chip and allows the card reader to begin the conversation: selecting the payment application, reading the card data, and verifying it. Note that the terminal authenticates the card data rather than decrypting it; the account data itself is read in the clear (see "PCI DSS and EMV" below).


Chip Card Technology

• Compare your computer to a chip



Chip Card Technology

• The chip can:
  - Store more data than a magnetic stripe
  - Store data securely
  - Accept commands from the terminal and send responses to the terminal
  - Encrypt and decrypt data using its cryptographic modules
  - House multiple programs (applications), each with its own set of processing parameters
  - Make risk management decisions
  - Support read and write functions
  - Update data in the card after issuance


How does an EMV transaction work?

• A clerk enters the relevant sale information as usual.
• The customer (usually) inserts the EMV card into the terminal, much like at an ATM today... or, actually, yesterday :)
• The customer is (usually) presented with a PIN pad. The PIN is the cardholder verification method (CVM), not what lets the terminal talk to the chip: an offline PIN is verified by the chip itself, an online PIN is enciphered and verified by the issuer, and the card's CVM list may also allow signature or no CVM.
• The terminal "holds" the card during the transaction because it is supplying power to the chip while it reads the card's records, authenticates the card and obtains the cryptogram needed for authorization.


Magnetic Stripe Transaction Flow




EMV Transaction Flow



Detailed EMV Transaction Flow



EMV Impact (on my world)


Acquiring System Changes due to EMV

• Device Management:
  - PoS and ATM
  - Key distribution
  - Software for non-EMV applications?
• Acquirer Host Systems:
  - Device and network messaging protocols
  - Authorization delegation and stand-in
• Clearing:
  - New data to be processed and stored
• Back Office:
  - Chargebacks, reporting etc.


EMV Acquirer Considerations

Card interface: EMV – Contact
  New data for processing: DE 55, POS Entry Mode, Card Sequence Number, EMV settlement data
  New support for processing: online PIN; send DE 55 data; process ARQC; process ARPC; process chip update (issuer) scripts; support batch processing for offline-approved transactions
  New hardware: PIN pad, contact reader

Card interface: EMV Contactless
  New support for processing: process ARQC; send DE 55
  New hardware: contactless reader

Card interface: Contactless MSD
  New data for processing: dCVV/CVC3, ATC, POS Entry Mode, terminal capability
  New support for processing: no change
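The DE 55 data listed above, and the card's answer to the terminal's SELECT command in the conversation described under "How does an EMV card work?", are both BER-TLV encoded. Below is an added example of the decoder an acquirer host or a terminal needs for them; it is not code from the original presentation, from SCIL or from any payment scheme, and the function names are this example's own. The two messages it parses (an FCI template as a card might return it, and the content of a DE 55 field) are constructed for the illustration, and every tag value in them is made up.

```go
// BER-TLV decoding as a terminal needs it for the card's SELECT response and an
// acquirer host for the DE 55 chip data. Added example; both messages are constructed.
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// TLV is one decoded data object; templates (6F, A5, 77, ...) carry Children.
type TLV struct {
	Tag      string
	Value    []byte
	Children []TLV
}

// parseTLV decodes a sequence of BER-TLV objects (EMV Book 3 Annex B).
func parseTLV(b []byte) ([]TLV, error) {
	var out []TLV
	for len(b) > 0 {
		i := 1
		if b[0]&0x1F == 0x1F { // multi-byte tag: more bytes follow while bit 8 is set
			for i < len(b) && b[i]&0x80 != 0 {
				i++
			}
			i++ // the final tag byte, with bit 8 clear
		}
		if i >= len(b) { // tag runs past the buffer or no length byte follows
			return nil, fmt.Errorf("truncated object %X", b)
		}
		tag, constructed := b[:i], b[0]&0x20 != 0
		n := int(b[i])
		b = b[i+1:]
		if n >= 0x80 { // long form: 0x81 or 0x82 followed by one or two length bytes
			k := n & 0x7F
			if k == 0 || k > 2 || len(b) < k {
				return nil, fmt.Errorf("tag %X: malformed length", tag)
			}
			n = 0
			for _, c := range b[:k] {
				n = n<<8 | int(c)
			}
			b = b[k:]
		}
		if n > len(b) { // never trust a length from the wire as an index
			return nil, fmt.Errorf("tag %X: length %d exceeds %d remaining", tag, n, len(b))
		}
		t := TLV{Tag: strings.ToUpper(hex.EncodeToString(tag)), Value: b[:n]}
		if constructed {
			ch, err := parseTLV(t.Value)
			if err != nil {
				return nil, err
			}
			t.Children = ch
		}
		out = append(out, t)
		b = b[n:]
	}
	return out, nil
}

// find returns the value of tag (uppercase hex) anywhere in the tree.
func find(list []TLV, tag string) ([]byte, bool) {
	for _, t := range list {
		if t.Tag == tag {
			return t.Value, true
		}
		if v, ok := find(t.Children, tag); ok {
			return v, true
		}
	}
	return nil, false
}

// mustParseHex decodes and parses a hex message; for constructed demo inputs only.
func mustParseHex(h string) []TLV {
	b, err := hex.DecodeString(h)
	if err != nil {
		panic(err)
	}
	list, err := parseTLV(b)
	if err != nil {
		panic(err)
	}
	return list
}

func main() {
	// Constructed SELECT response: FCI template 6F with the AID (84) and the
	// proprietary template A5 holding the application label (50) and priority (87).
	fci := mustParseHex("6F1B8407A0000000031010A510500B5649534120435245444954870101")
	label, _ := find(fci, "50")
	fmt.Printf("selected application: %s\n", label)
	// Constructed DE 55 content of an online authorization request.
	de55 := mustParseHex("9F26081122334455667788" + "9F270180" + "9F100706010A03A00000" +
		"9F3704DEADBEEF" + "9F3602001F" + "95050000008000" + "9A03150310" + "9C0100" +
		"9F0206000000012345" + "5F2A020840" + "82021C00" + "9F1A020840" + "9F3403420300")
	for _, t := range de55 {
		fmt.Printf("%-4s %X\n", t.Tag, t.Value)
	}
}
```

The two defensive checks (a tag running off the buffer, a length larger than what remains) are the ones that matter on a host receiving DE 55 from thousands of terminals: a malformed length must fail the object, never be trusted as an index into the message.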


Acquirer New Tasks

• Public key management: distribute the scheme CA public keys to terminals, and retire them when they expire or are revoked
• Offline card authentication (CAM)
• Offline PIN at the point of interaction
• Terminal risk management
• Provide card data in the clearing message to the issuer (mandatory)
• Carry card data in the Authorization Request Cryptogram (ARQC) message
• PIN pad management
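Terminal risk management, and the decision it feeds (request an online cryptogram, approve offline, or decline), as the terminal performs them per EMV Book 3 sections 10.6 and 10.7. This is an added example, not code from the presentation, from SCIL or from any scheme's specification, and the type and function names are this example's own. The floor limit, target percentages, card limits and counters are constructed values, and the random number is passed in explicitly so that the outcome is reproducible.

```go
// Terminal risk management (EMV Book 3 §10.6) and terminal action analysis
// (§10.7): the offline checks a chip terminal runs before asking the card for
// a cryptogram. Added example; parameter values are constructed.
package main

import "fmt"

// TerminalParams are the acquirer-loaded risk parameters.
type TerminalParams struct {
	FloorLimit       uint64 // tag 9F1B, in minor currency units
	TargetPercent    int    // random selection target (0..99)
	MaxTargetPercent int    // maximum target for biased selection (0..99)
	Threshold        uint64 // amount from which biased selection starts
}

// CardData is what the terminal read from the chip for velocity checking.
type CardData struct {
	HaveLimits    bool   // card returned both 9F14 and 9F23
	LowerLimit    int    // tag 9F14, lower consecutive offline limit
	UpperLimit    int    // tag 9F23, upper consecutive offline limit
	HaveCounters  bool   // GET DATA for 9F36 and 9F13 succeeded
	ATC           uint16 // tag 9F36, application transaction counter
	LastOnlineATC uint16 // tag 9F13, last online ATC register
}

// TVR bits set below (Book 3 Annex C5).
const (
	tvr1NewCard         = 0x08 // byte 1 bit 4
	tvr4FloorExceeded   = 0x80 // byte 4 bit 8
	tvr4LowerLimit      = 0x40 // byte 4 bit 7
	tvr4UpperLimit      = 0x20 // byte 4 bit 6
	tvr4RandomSelection = 0x10 // byte 4 bit 5
)

// terminalRiskManagement returns the 5-byte TVR with the risk bits set.
// rnd is the terminal's random number in 1..99, injected for reproducibility.
func terminalRiskManagement(amount uint64, tp TerminalParams, cd CardData, rnd int) [5]byte {
	var tvr [5]byte
	// 10.6.1 Floor limit (the log look-up of earlier same-card amounts is omitted).
	if amount >= tp.FloorLimit {
		tvr[3] |= tvr4FloorExceeded
	} else {
		// 10.6.2 Biased random selection: the target percentage rises linearly
		// from TargetPercent at Threshold to MaxTargetPercent at the floor limit.
		target := tp.TargetPercent
		if amount >= tp.Threshold && tp.FloorLimit > tp.Threshold {
			factor := float64(amount-tp.Threshold) / float64(tp.FloorLimit-tp.Threshold)
			target = tp.TargetPercent + int(float64(tp.MaxTargetPercent-tp.TargetPercent)*factor)
		}
		if rnd <= target {
			tvr[3] |= tvr4RandomSelection
		}
	}
	// 10.6.3 Velocity checking, only when the card carries both limits.
	if cd.HaveLimits {
		if !cd.HaveCounters { // card would not give up its counters: assume the worst
			tvr[3] |= tvr4LowerLimit | tvr4UpperLimit
		} else {
			offline := int(cd.ATC) - int(cd.LastOnlineATC)
			if offline > cd.LowerLimit {
				tvr[3] |= tvr4LowerLimit
			}
			if offline > cd.UpperLimit {
				tvr[3] |= tvr4UpperLimit
			}
			if cd.LastOnlineATC == 0 {
				tvr[0] |= tvr1NewCard
			}
		}
	}
	return tvr
}

// terminalActionAnalysis (10.7) matches the TVR against the issuer's action
// codes (IAC, read from the card) and the acquirer's (TAC, in the terminal):
// a denial match yields AAC, an online match ARQC, otherwise TC.
func terminalActionAnalysis(tvr, iacDenial, tacDenial, iacOnline, tacOnline [5]byte) string {
	anyBit := func(a, b, c [5]byte) bool {
		for i := range a {
			if a[i]&(b[i]|c[i]) != 0 {
				return true
			}
		}
		return false
	}
	if anyBit(tvr, iacDenial, tacDenial) {
		return "AAC" // decline offline
	}
	if anyBit(tvr, iacOnline, tacOnline) {
		return "ARQC" // go online
	}
	return "TC" // approve offline
}

func main() {
	tp := TerminalParams{FloorLimit: 5000, TargetPercent: 10, MaxTargetPercent: 50, Threshold: 1000}
	card := CardData{HaveLimits: true, LowerLimit: 3, UpperLimit: 10, HaveCounters: true, ATC: 20, LastOnlineATC: 15}
	tacOnline := [5]byte{0, 0, 0, 0xF0, 0} // acquirer policy: go online for any byte-4 risk bit
	for _, amount := range []uint64{500, 3000, 7500} {
		tvr := terminalRiskManagement(amount, tp, card, 25) // 25 stands in for the random draw
		fmt.Printf("amount %5d TVR %X -> %s\n", amount, tvr[:],
			terminalActionAnalysis(tvr, [5]byte{}, [5]byte{}, [5]byte{}, tacOnline))
	}
}
```

The point for an acquirer is that the TAC values it loads are what turn these checks into behaviour: with an all-zero TAC-Online and a card whose IAC-Online is also zero, a transaction over the floor limit would still be approved offline, so the risk parameters and the action codes have to be reviewed together.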


Processing Systems

Affected by card scheme mandates; this includes systems that:
• Receive/monitor transactions
• Route transactions via different networks to the issuing host
• Stand in and provide processing when the issuer is not capable of processing EMV or is offline
• Perform authorization
• All risk and transaction systems, including monitoring, chargebacks, adjustments and settlement
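What "process ARQC" and "process ARPC" mean on the host side, as the issuer does it (or a processor standing in for it with the issuer's keys): regenerate the cryptogram with the card's session key, compare, and build the response cryptogram the card will check. This is an added example in Go, not code from the presentation, from SCIL or from any scheme; the function names are this example's own. The ICC master key, ATC and transaction data are constructed test values (a real issuer derives the card key from its issuer master key and the PAN inside an HSM), and the order of fields in the cryptogram input (CDOL1 data followed by AIP, ATC and IAD) is the common layout, which an issuer's card application may define differently. Session key derivation follows the EMV Book 2 Annex A1.3 common session key option, the MAC is ISO/IEC 9797-1 Algorithm 3 as in Annex A1.2, and the ARPC uses Method 1 (Book 2 section 8.2.1).

```go
// Issuer-side verification of the EMV Application Cryptogram (ARQC) and
// generation of the ARPC. Added example with constructed keys and data.
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// tdes returns a two-key triple DES cipher (K1||K2||K1) from a 16-byte key.
func tdes(key16 []byte) cipher.Block {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	return c
}

// sessionKey is the EMV Book 2 Annex A1.3 common session key derivation:
// SK_L = 3DES_MK(ATC||F0||00*5), SK_R = 3DES_MK(ATC||0F||00*5).
// mk is the card's master key; here a fixed test value stands in for it.
func sessionKey(mk []byte, atc uint16) []byte {
	c := tdes(mk)
	sk := make([]byte, 16)
	r := []byte{byte(atc >> 8), byte(atc), 0xF0, 0, 0, 0, 0, 0}
	c.Encrypt(sk[:8], r)
	r[2] = 0x0F
	c.Encrypt(sk[8:], r)
	return sk
}

// mac3 is ISO/IEC 9797-1 MAC Algorithm 3 with padding method 2 (Book 2 Annex
// A1.2): single-DES CBC under K_L over every block, then a final DES decrypt
// under K_R and encrypt under K_L. The 8-byte result is the cryptogram.
func mac3(sk, data []byte) []byte {
	kl, _ := des.NewCipher(sk[:8]) // halves are always 8 bytes, so this cannot fail
	kr, _ := des.NewCipher(sk[8:])
	msg := append(append([]byte{}, data...), 0x80) // padding method 2: 0x80 ...
	for len(msg)%8 != 0 {
		msg = append(msg, 0x00) // ... then zeros up to the block boundary
	}
	h := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := range h {
			h[j] ^= msg[i+j]
		}
		kl.Encrypt(h, h)
	}
	kr.Decrypt(h, h)
	kl.Encrypt(h, h)
	return h
}

// generateARQC is what the card does in GENERATE AC; the issuer repeats it.
func generateARQC(mk []byte, atc uint16, data []byte) []byte {
	return mac3(sessionKey(mk, atc), data)
}

// verifyARQC compares in constant time so a wrong cryptogram leaks nothing by timing.
func verifyARQC(mk []byte, atc uint16, data, arqc []byte) bool {
	return subtle.ConstantTimeCompare(generateARQC(mk, atc, data), arqc) == 1
}

// arpcMethod1 (Book 2 §8.2.1): ARPC = 3DES_SK(ARQC XOR (ARC || 00*6)),
// where ARC is the two-byte authorization response code, e.g. "00".
func arpcMethod1(mk []byte, atc uint16, arqc []byte, arc [2]byte) []byte {
	y := make([]byte, 8)
	copy(y, arqc)
	y[0] ^= arc[0]
	y[1] ^= arc[1]
	out := make([]byte, 8)
	tdes(sessionKey(mk, atc)).Encrypt(out, y)
	return out
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	mk := mustHex("0123456789ABCDEFFEDCBA9876543210") // constructed ICC master key
	atc := uint16(0x001F)
	// Constructed cryptogram input: 9F02 9F03 9F1A 95 5F2A 9A 9C 9F37 82 9F36 9F10.
	data := mustHex("000000012345" + "000000000000" + "0840" + "0000008000" + "0840" +
		"150310" + "00" + "DEADBEEF" + "1C00" + "001F" + "06010A03A00000")
	arqc := generateARQC(mk, atc, data) // what the card returns in GENERATE AC
	fmt.Printf("ARQC %X verifies: %v\n", arqc, verifyARQC(mk, atc, data, arqc))
	data[5]++ // a changed amount in the clear part of the message invalidates it
	fmt.Printf("after tampering with the amount: %v\n", verifyARQC(mk, atc, data, arqc))
	fmt.Printf("ARPC %X\n", arpcMethod1(mk, atc, arqc, [2]byte{'0', '0'}))
}
```

This is also why a stand-in processor without the issuer's keys cannot truly "process ARQC": it can carry the cryptogram through and log it, but only the key holder can verify it or produce an ARPC the card will accept.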


Risk Landscape – Watch out for Changes


UK Fraud Facts 2014

Source: Financial Fraud Action UK


Fraud Facts (Continued)


US Liability Shift Migration Timelines

Timeline axis: October 2012, April 2013, 2014, April/October 2015, October 2016, October 2017.

MasterCard milestones:
• PCI audit relief takes effect
• Acquirer & processor mandate to fully process EMV (April 2013)
• ADC (Account Data Compromise) relief takes effect (50%)
• Interregional Maestro liability shift
• ADC relief takes effect (100%) (October 2015)
• Liability hierarchy takes effect, excluding fuel (October 2015)
• ATM liability hierarchy takes effect (October 2016)
• Liability hierarchy takes effect for fuel operators (October 2017)

Visa milestones:
• Technology Innovation Program (TIP): PCI validation relief for merchants that adopt dual-interface terminals (October 2012)
• Acquirer chip processing: acquirer processors required to support chip processing (April 2013)
• ATM processing: ATM acquirer processors and sub-processors must support EMV chip data and ATMs
• Liability shift: for debit and credit, domestic and cross-border counterfeit liability shifts at all POS excluding AFD (October 2015)
• Liability shift expanded to include automated fuel dispensers (AFD) (October 2017)

American Express and Discover have also adopted liability shifts effective October 2015:
• Amex shifts liability away from the party with the "most secure form of EMV technology"
• Discover assigns liability to the party that has "done the least"

Additionally, Amex offers PCI relief similar to Visa's and MasterCard's if the POS terminals where 75% of transactions occur are EMV enabled.


Acquirer Risk Composition Changes

• New order in liability: generally the stakeholder with the least security is liable for fraud
• Gradually all transactions will be EMV; an acquirer that has not upgraded will lose fees
• Reduction/elimination of counterfeit fraud
• Reduction/elimination of chargebacks for counterfeit fraud
• Card Not Present (CNP) fraud has increased in other EMV markets. CNP transactions need additional fraud monitoring.
• Need for a review of CNP devices and procedures


Hidden Agenda ("the Conspiracy Theory")


Issuers vs Acquirers

Issuer          Acquirer

The winner? It is not that simple.


Key Points

• EMV requires (proper) hardware, software and process changes throughout the EMV communication chain and in the back office systems supporting the transaction and settlement
• Shifts liability to the least secure technology channel
• Secure card authentication (CAM) reduces counterfeit fraud
• Secure cardholder verification (CVM) can help control lost and stolen fraud; it does not address Card Not Present fraud
• Benefits mostly for issuers:
  - Issuers can set and change card parameters to quickly control risk card by card. Combined with the authorization and card management systems, this cuts fraud, improves credit control and reduces bad debt
  - New revenue streams from issuing cards to less creditworthy customers, because misuse can be controlled more tightly; this may, however, increase "friendly fraud" (disputes raised by the legitimate cardholder)


How is PCI Compliance Affected by EMV?


PCI DSS and EMV

Acceptance environments that effectively utilize EMV can substantially reduce CP fraud, but...

• EMV by itself does not protect NPII/CHD (cardholder data)
• In EMV environments the PAN is processed by the POS as clear text (the same goes for the expiry date and other cardholder data elements)
• Most EMV environments are hybrids, processing both EMV and non-EMV transactions (which also means legacy and stored-data problems)
• Most EMV cards also carry a magnetic stripe, for 1) backwards compatibility in non-EMV environments or 2) "fallback"

EMV + PCI DSS = Security


Summary

Does:
• Reduce counterfeit (card-present) fraud
• Reduce liability
• Allow issuers to manage card risk dynamically
• Require infrastructure change
• Improve transaction security
• Potentially reduce PCI risk
• Work in concert with P2PE and tokens

Doesn't:
• Reduce CNP fraud
• Eliminate liability
• Eliminate acquirer fraud monitoring
• Work without change
• Eliminate security requirements
• Eliminate the PCI mandate
• Eliminate the need for P2PE and tokens


CONTACTS

www.scilemvacademy.com
www.scil.us

Mansour A. Karimzadeh, Managing Director & CTO, SCIL-EMV Academy
516-338-8880 [email protected]

Susan Matt, CEO, ThoughtKey
678-522-2466 [email protected]