EMV Payments: Changes at the Point of Sale Greg Boardman SVP Ingenico North America


Table of Contents

• Synopsis
• The Key Dates Revisited
• Merchant Impact Chart
• Message Format Changes
• Merchant Checklist
• EMV / NFC Connection
• Merchant Stratification
• CDE Mapping
• Other Factors

Synopsis

EMV migration can impact a number of areas that link a merchant’s transaction processing infrastructure with the same processing side that has long supported magstripe card acceptance. A US migration may pose a number of unique challenges, perhaps more than other regional migrations to date.

• The Visa incentives programs expressly imply both contact AND contactless

•  This means that support for both technologies should be considered

• The market will still experience a need for supporting magstripe

•  A hybrid model would be anticipated

•  Acceptance devices will need to support all payment types

•  “Fallback” possibilities

• PCI compliance challenges are already straining budgets and tolerance

•  P2PE still not pervasive

•  PCI PTS evolutions / threat of physical attacks on older devices

Dates VISA MasterCard Discover American Express

Oct 2012 •  Technology Innovation Program (TIP) Annual PCI DSS audit relief •  75% Visa trans must come from EMV terminals •  Terminals must support contact and c’less + NFC

April 2013

•  Acquirers and sub-processors must support EMV (Mandate)

•  Acquirers / sub-processors must support •  Maestro ATM liability shift1

•  Acquirers, sub-processors, direct connect merchants support EMV elements

•  Acquirers and sub-processors must support EMV, including mobile (Mandate)

Oct 2013 • Merchant Account Data Compromise(ADC) relief (Phase I)

•  PCI audit waivers •  75% of Discover trans on terminals supporting contact and contactless •  (PULSE) Direct connect merchants and POS acquirers / processors to support EMV

•  PCI DSS relief • 75% of transactions occur on Amex EMV chip-based contact and contactless devices

Oct 2015 •  US Liability Shift1 •  US Liability Shift2 •  Merchant ADC Relief (Phase II)

•  US liability shift (+ PULSE)

•  US Liability Shift

Oct 2016 •  US liability shift for ATM

Oct 2017 •  AFD Liability Shift1 •  AFD Liability Shift2 •  AFD Liability Shift • AFD Liability Shift

"By encouraging investments in EMV contact and contactless chip technology, we will speed up the adoption of mobile payments as well as improve international interoperability and security," ~ Jim McCarthy, global head of product, Visa Inc.

Merchant Impact Chart

Setup POST Register Controller Switch End to End Cert Processor Impact

HW SW HW SW SW SW SW

Countertop POST Replace w/new POST - - - - - Low

Countertop POST Add all-in-one PINpad - - - - High

Mobile POST Replace w/new POST - - - - - Low

POS w/mag wedge Replace w/CT POST - - - - - Low

POS w/mag wedge Replace w/PINpad - - - Medium

Integrated PINpad Replace w/new PINpad - High

Integrated wedge Replace w/PINpad - High

Smart phone integrated Replace w/EMV dongle - High

Smart phone stand alone Replace w/EMV dongle - - - - - Low

Message Format Changes

Tag | Tag Descriptor | Functionality | Details
9F26 | Application cryptogram | Card authentication | Contains the cryptogram used to authenticate the transaction.
9F36 | Application transaction sequence counter | Card authentication | Contains the value of the POS terminal transaction sequence counter. The POS terminal maintains a transaction sequence counter and increments the count each time a transaction is initiated.
9F07 | Application usage control | Card authentication | Specifies the issuer’s restrictions on the geographic usage and services allowed for the application.*
9F27 | Cryptogram information data | Card authentication | Indicates the type of cryptogram and the actions to be performed by the terminal.
9F34 | CVM results | Cardholder verification | Identifies how the cardholder was verified at the POS: by cardholder signature, cardholder PIN, or verification not required.
9F0D | Issuer action code—default | Transaction authorization | Specifies issuer conditions that cause a transaction to be rejected if the transaction might have been approved online but the terminal is unable to process it online.*
9F0E | Issuer action code—denial | Transaction authorization | Specifies issuer conditions that cause a transaction to be denied without an attempt to go online.*
9F0F | Issuer action code—online | Transaction authorization | Specifies issuer conditions that cause a transaction to be transmitted online.*
9F10 | Issuer application data | Card authentication | Contains issuer application data transmitted from the chip to the issuer. Is updated by the issuer in the response message.
9F37 | Unpredictable number | Card authentication | Contains the POS terminal unpredictable number value. POS terminal generates the number value that may be used as input to the application cryptogram algorithm.

The EMV payments infrastructure includes a new network message field that transports chip data. In the U.S., this field is often referred to as Field 55.

Field 55 is a generic, flexible, variable length container that conforms to tag-length-value (TLV) encoding. Every data element carried in the field has a specific tag, followed by the length of the data and then the actual data. Each tag is defined by EMV or specified in the relevant payment brand specifications.

Field 23 carries the card sequence number.

Issuers, acquirers, and merchants will all need to change their infrastructure to support Field 55 in the authorization request and response messages and Field 23.
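The TLV layout described above can be validated on the receiving side before any tag value is trusted. The following is an added example, not part of the original presentation: a strict Python reader for Field 55 bytes that rejects truncated, overrunning, or duplicated elements. The REQUIRED tag list and the SAMPLE bytes are assumptions constructed for illustration.

```python
# Added example: strict BER-TLV reader for Field 55 chip data (not from the slides).
# Tag names are taken from the table on this page; SAMPLE is constructed test data.
TAG_NAMES = {
    "9F26": "Application cryptogram",
    "9F27": "Cryptogram information data",
    "9F10": "Issuer application data",
    "9F36": "Application transaction sequence counter",
    "9F37": "Unpredictable number",
    "9F34": "CVM results",
}
# Assumption: tags this host insists on before forwarding an authorization request.
# The real list comes from the relevant payment brand specification.
REQUIRED = ("9F26", "9F27", "9F10", "9F36", "9F37")

def parse_field55(data: bytes) -> dict:
    """Return {tag_hex: value}; raise ValueError on any malformed element."""
    out, i = {}, 0
    while i < len(data):
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:           # multi-byte tag follows
            while i < len(data) and data[i] & 0x80:
                i += 1
            i += 1                                # last tag byte (bit 8 clear)
        if i >= len(data):
            raise ValueError("truncated tag or missing length")
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                         # long form: 0x81 or 0x82
            n = length & 0x7F
            if n not in (1, 2) or i + n > len(data):
                raise ValueError(f"bad length encoding for tag {tag}")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError(f"tag {tag} overruns the field")
        if tag in out:
            raise ValueError(f"duplicate tag {tag}")
        out[tag] = data[i:i + length]
        i += length
    return out

def missing_tags(parsed: dict) -> list:
    """Required tags (per the assumed REQUIRED list) absent from a parsed field."""
    return [t for t in REQUIRED if t not in parsed]

SAMPLE = bytes.fromhex(  # constructed values, not real card data
    "9F26081122334455667788" "9F270180" "9F3602001A"
    "9F3704A1B2C3D4" "9F3403420300" "9F100706010A03A00000")
```

Rejecting the whole field on the first malformed element keeps a bad length byte from shifting every later tag boundary.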

Merchant Checklist

• Designated an in-house EMV expert / program owner (critical for large merchants / ISO / Processor)
• POS providers / VARS aligned with EMV (including plan and roadmap)
• POST that I own or will soon own supports all payment types
• Remember: Contact, Contactless / NFC, and magstripe
• My NFC support includes mobile wallet (of my choosing)
• The device bears all the necessary approvals (Lvl1, Lvl2, C’less approvals, PCI PTS)
• Remember that V1 expires in 2014!
• Ensure the ability to remotely manage (some peripherals may not accommodate this)…
• My EMV migration dates coincide with the association benefits and key dates for compliance
• My POS provider can assist in the migration process
• My processor / acquirer is available for the migration and planning
• I have received my end to end certification process from them (if applicable)
• I have all the test tools I need (cards, etc.)
• I am developing a training program for my personnel
• To understand the new payment types
• To understand the changes in consumer behavior at the POS and dispel myths

The EMV / NFC Connection

Remember that the incentives from the card brand associations are predicated on accepting both contact and contactless EMV as well as NFC.

• An EMV chip can be on a “contactless” card where the chip is “tapped” or “held” near the terminal

…..or…..

• A chip can be inside your smart phone and the phone is “waved” near the terminal…

• Mobile wallets (eWallets) are rapidly growing in number, which multiplies the opportunity for incremental sales for merchants and new revenue options for ISOs

Merchant Stratification

# | Qualification and Grouping | Transaction # Volume | Examples | Estimate
1 | > 6M Visa tran; Top retailers / Some global; Annual ROC | Extremely high | WalMart; The Home Depot; Target | Est ~ 125
2 | 1-6M Visa tran; Annual SAQ | High | Golden Corral; CMT; Academy Sports | Est ~ 85K merchants
3 | 20K-1M Visa tran; Annual SAQ | Medium | | Est ~ 750K merchants
4 | < 1M Visa tran; Annual SAQ recommended | Light | “Mom and Pop”; Single business | Est ~ 8M merchants
5 | Not a Visa tier; Very small businesses; Often no merchant account | Extremely low | Beginning business; Babysitters; Service entities | Est ~ 22M merchants
6 | Not a Visa tier; Sparse payment needs; No merchant account | One time - or - extremely infrequent | Garage sales; Personal purchases | No estimates exist

Customer Scope Segments

Small • Typically tier 4 • Simple structure • Small EMV footprint • Easy conversion • Single – several store • Storefront

Mid-sized • Typically tier 3 • Small structure • Light EMV footprint • Small conversion • Regional chains • Storefront • E-commerce

Large • Tier 2 level merchant • Large structure • Large EMV footprint • Challenging conversion • Regional – nat. chains • Storefront • E-commerce • MOTO • Field Services

Super • Tier 1 level merchant • Complex Structure • Huge EMV footprint • Integrated POS • Difficult conversion • National chains • Storefront • E-commerce • MOTO • Field Services • Multiple brands

CDE Mapping

Countertop Point of Sale Terminal

At the transaction origin, the EMV chipcard must be inserted into a POS device that has the hardware capability to process it, as well as the necessary software application.

Countertop terminals are the most common among small retailers.

The Challenge

• Many legacy countertop POST in the field do not incorporate EMV readers
• Even fewer support NFC and Contactless
• Many that do are at or nearing EOL for other reasons (PCI, obsolescence, etc.)
• Software updates may not be available for some models

Possible Solutions

• Software update for legacy devices that are candidates for migration
• All-in-One terminal hardware and software upgrade for non-accepting devices
• Bolt-on NFC readers for devices that support EMV, but have no C’less reader

Other Factors

• PCI PTS deadlines
• End to End certification should NOT be required by the acquirer
• Form factor (2 piece or single device?)
• Performance (dial only)
• PIN support – international cards still have PIN as a payment form
• Does the end to end testing include interoperability?

POS Wedge

At the transaction origin, the EMV chipcard must be inserted into a POS device that has the hardware capability to process it, as well as the necessary software application. A wedge reader that is configured either as a stand-beside or a fully integrated solution will not satisfy the requirements.

The Challenge

• A typical wedge reader also does not support an EMV card insertion or C’less
• These devices are typically stand-beside or integrated to a POS system

Possible Solutions

• Replace or supplement with an all-in-one PINpad with EMV and C’less/NFC

Other Factors

• PCI PTS deadlines

Retail Point of Sale Terminal

At the transaction origin, the EMV chipcard must be inserted into a POS device that has the hardware capability to process it, as well as the necessary software application. Retail customer activated devices are widely deployed where a multi-lane style of interaction occurs. Many of these cannot support EMV or C’less.

The Challenge

• Many legacy retail POST in the field do not incorporate EMV readers
• Even fewer support NFC and Contactless
• Many that do are at or nearing EOL for other reasons (PCI, obsolescence, etc.)
• Software updates may not be available for some models

Possible Solutions

• Software update for legacy devices that are candidates for migration
• Terminal hardware and software upgrade for non-accepting devices

Other Factors

• PCI PTS deadlines
• P2PE transitions underway
• Other infrastructure changes required (POS register, switch, etc.)

Other Impact Areas

• Consider semi-integrated approaches to solve for EMV
  • Beneficial for P2PE, RKI, estate management, etc.
  • Best time to do it while “the patient is open”
• Don’t forget the CDE areas that would escape typical scrutiny
  • ATM, AFP
  • Transaction speeds
• Card remains in the device
  • Initial learning curve
• Contactless may follow naturally as a faster mode

Other Impact Areas – The Customer

•  New payment card types •  New payment flows •  Card remains in device •  Contactless •  Use displays for training!

Other Impact Areas – Employees

•  Chargeback handling •  Return handling •  New hire training •  SME training

Other Impact Areas – Mechanical

•  E2E cert testing •  New failure points •  Out of band cards •  Transaction speeds

Start Planning Today!

969 Days remaining to October, 2015 liability shift

“If you haven’t already started planning, you will want to get started in early 2013, or you will be considered already lagging behind….” ~ Rob Hayhow, TD Bank

Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 · www.smartcardalliance.org

Greg Boardman [email protected]