Strictly Private & Confidential
Troy Cullen, President
EMV™: What You Need to Know About Chip Card Issuance
August 26, 2014
EMV is a trademark owned by EMVCo LLC
Elan is an Active Participant in the U.S. EMV Migration
Smart Card Alliance EMV Migration Forum
‒ Debit Committee
‒ Communication and Education
‒ Testing and Certification
‒ EMV Deployment
‒ ATM Migration
‒ Card Not Present
Elan will be fully EMV compliant on or before October 1, 2015
‒ October 1, 2015 – Visa® and MasterCard® Acquirer Fraud Liability Shift, POS
‒ October 1, 2016 – MasterCard® Acquirer Fraud Liability Shift, U.S. ATMs
‒ October 1, 2017 – Visa® Acquirer Fraud Liability Shift, ATMs
Note: No announced network mandates for Card Issuers
What is the Current U.S. Chip Migration Status?
• U.S. Readiness (Q4 2013)
– Primarily Credit, followed by Debit in 2015
– EMV Cards: ~17-20 million (< 2% of 1.1 billion cards total)
– Adoption Rate: ~1-2%
– EMV Capable Terminals: ~2 million (>12 million POS total)
• The critical path for U.S. EMV Debit card adoption includes two key factors:
‒ ability for regional PIN networks to participate in EMV for Debit card issuance (Durbin)
‒ interoperability between largest payment infrastructure of merchants, issuers, acquirers and sub processors
U.S. Readiness estimates stated from EMV Migration Forum, May 2014
U.S. Issuer Migration
[Figure: chart not recovered; data labels as extracted: (9), (3), (3), (2)]
Source: Aite Group interviews with card executives from 18 of the top 40 U.S. issuers and payment networks, April and May 2014
Projected U.S. Card Migration
[Figure: Percentage of Credit and Debit Cards with EMV Capability, 2012 to e2017; data labels as extracted: 4%, 0.6%, 25%, 8%, 70%, 41%, 91%, 68%, 98%, 90%]
Source: Aite Group interviews with card executives from 18 of the top 40 U.S. issuers and payment networks, April and May 2014
Regional PIN Network Readiness – almost there
• Per Durbin routing rules, Debit cards must include unaffiliated brands.
• The Visa and MasterCard ‘US Common Debit AID’ is being adopted by PIN networks, beginning Q1 2014.
• License agreements will allow regional PIN networks access to EMV technology, and merchants access to unaffiliated brands for routing.
• Two unique AIDs for Debit issuance: one to support PIN networks and the other to support global transactions.
• Issuers began Credit issuance in 2014. Debit chip card issuance is expected to lag until merchants have the ability to support terminal routing.
Projected U.S. Merchant Migration
• 53% of all terminals in U.S. expected to be converted by end of 2015 (mostly by large to medium sized merchants)
• Estimated that only 25% of small merchants will be ready
• Small merchants at risk due to October 2015 liability shift
– Account for 58% of retailer establishments
– 53% have limited to no knowledge of EMV
– 50% have limited to no knowledge of upcoming EMV liability shift
Source: Javelin April 2014 EMV IN USA: Assessment of Merchant and Card Issuer Readiness
What to Expect in 2015
• Merchants and ATM Acquirers begin to announce their readiness to support EMV at POS and ATM
• POS and ATM Terminal Implementation:
‒ Chip capable: terminal hardware is “EMV ready”; software is not connected
‒ Chip enabled: software is connected at the chip terminal
• The ATM kernel (“EMV kernel”) and software are updated to process the encrypted data
• Processors and acquirers will be able to authorize the chip card transaction
When Will Elan be Ready?
Drop 1: January 2015
• Enablement of MoneyPass Network Certifications
Drop 2: June 2015
• Elan’s primary deliverable for processing chip card transactions
• Certification of Plus, Cirrus, Visa Debit, MasterCard, Interlink and Maestro network interfaces
• Visa and MasterCard chip card issuance
• EMV software go live for Elan North direct attached Diebold ATMs
• Back Office system upgrades
Drop 3: October 2015
• Further expansion of Elan North ATM Acquiring interfaces
• EMV software go live for NCR ATMs (select models)
EMV GLOBAL DRIVERS
Global Drivers: Why is the U.S. Moving to EMV?
Security & Fraud
• Reduce counterfeit, lost and stolen card fraud
• Unique microprocessor that prevents card cloning
• Dynamic data
• Fraud migrates to the weakest link, which is becoming the U.S. since other major markets have migrated
Global Interoperability
• Increasingly difficult for U.S. travelers to use cards
• Vulnerability of U.S. payments infrastructure
• Foreign visitors will be able to use their chip cards in the U.S.
NFC and Mobile
• Accelerator for EMV in the U.S. to enable acceptance of other form factors
• Merchants implementing NFC in combination with enabling of EMV on POS devices
• Consumer adoption of contactless cards and mobile payments will continue to grow
Payment Networks
• Major card brands are advancing the adoption of EMV through a series of liability shifts and mandates
Source: EMV Migration Forum, 2014
Magnetic Stripe and Chip Card Data
Magnetic stripe transactions are STATIC
• HEREISYOURCARDNUMBER^HEREISYOURNAME^EXPIREDATE^SERVICECODE^CVV
Chip transactions are DYNAMIC
How Does EMV Protect Against Fraud?
• Embedded Microprocessor – Strong Security
• Secure Storage of Cardholder Data
• Dynamic Data Generated by the Chip for Every Transaction
• Stolen Data Cannot be Reused in a Chip Transaction
• Terminal Device Will Detect Chip Card vs. Mag Stripe
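
The static versus dynamic contrast from the two slides above, as an added example that is not part of the original presentation. It is a toy model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the card number, track values, class and field names are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed values laid out like the slide's track: NUMBER^NAME^EXPIRY^SERVICECODE^CVV
TRACK = "4000000000000002^DOE/JANE^1712^201^123"

def make_cryptogram(key, pan, counter, amount, nonce):
    # Stand-in MAC over the fields that change per transaction (not the EMV algorithm).
    msg = f"{pan}|{counter}|{amount}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ToyChip:
    """Card microprocessor: the key never leaves it and a counter advances per use."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def transact(self, amount, nonce):
        self.counter += 1
        tag = make_cryptogram(self._key, self.pan, self.counter, amount, nonce)
        return {"pan": self.pan, "counter": self.counter, "amount": amount,
                "nonce": nonce, "cryptogram": tag}

class ToyIssuer:
    def __init__(self, pan, cvv, key):
        self.pan, self.cvv, self._key, self.last_counter = pan, cvv, key, 0

    def authorize_stripe(self, track):
        fields = track.split("^")
        # Static check: the same bytes verify the same way every time.
        return fields[0] == self.pan and fields[4] == self.cvv

    def authorize_chip(self, req):
        if req["pan"] != self.pan or req["counter"] <= self.last_counter:
            return False  # unknown card, or a counter value already seen (replay)
        expected = make_cryptogram(self._key, req["pan"], req["counter"],
                                   req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False  # fields altered after the chip produced the cryptogram
        self.last_counter = req["counter"]
        return True

def demo():
    key = os.urandom(16)
    issuer = ToyIssuer("4000000000000002", "123", key)
    chip = ToyChip("4000000000000002", key)
    captured = chip.transact(2500, os.urandom(4))
    return {"stripe_first": issuer.authorize_stripe(TRACK),
            "stripe_replayed": issuer.authorize_stripe(TRACK),
            "chip_first": issuer.authorize_chip(captured),
            "chip_replayed": issuer.authorize_chip(captured),
            "chip_altered": issuer.authorize_chip({**captured, "counter": 2, "amount": 99900}),
            "chip_next": issuer.authorize_chip(chip.transact(1200, os.urandom(4)))}
```
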
Will EMV Prevent Data Breaches: The Big Picture
• More than 600 data breaches were reported last year with a 30% increase from 2012 in breaches that exposed card data
• Security executives caution that EMV cards and point-of-sale terminals alone would not have prevented a Target-style breach
• Data can still be transmitted unencrypted during an EMV transaction
EMVCo’s New Tokenization
EMVCo plans to establish new tokenization standards
• Tokenization is the process of replacing a card account number with a unique string of characters that is restricted in how it can be used
• Tokens can be assigned for use with a specific device, merchant, transaction type or channel
• Global networks will offer new specifications to complement existing EMV technical specifications
• Point to Point encryption protects against Card Not Present fraud
Emerging Mobile Payment Technologies
• EMV brings more revenue and increased efficiencies
• Mobile = new business models and new players
• EMV provides dynamic authentication in an enhanced contactless environment and paves the way for delivering seamless mobile payments
– M-commerce (Mobile Payments)
– Near Field Communication (NFC)
EMV ISSUER BUSINESS CASE
Building Your EMV Business Case
2014 Planning
Step 1: Calculate Risk Exposure
• Portfolio Segmentation
• Determine business need for international travelers
Step 2: Develop a Budget Plan
• Terminal upgrades and chip card production costs
Step 3: Choose an EMV Card Profile
• Application/AIDs, including US Common Debit AID solution
• Authorization/Authentication and Cardholder Verification Methods
Step 4: Marketing and Communications Plan
• Financial Institution and Cardholder education
U.S. Chip Card Issuance Best Practices
• Include multiple AIDs, including U.S. Common Debit AID to ensure Durbin compliance
• The simplest and least expensive option is to use ‘Signature and No CVM’ as the baseline for global interoperability
• MasterCard prefers Chip & PIN over Chip & Signature for Goods and Services
Cardholder Verification Method List
‒ Signature (Goods and Services)
‒ Online PIN (Cash)
‒ No CVM (Unattended/Trans<$50)
Card Authentication: ALWAYS ONLINE
‒ Uses online cryptogram
‒ No offline data authentication
Transaction Authorization: ALWAYS ONLINE
‒ Use Global and US Debit AIDs
Which Chip Payment Application Should I Use?
EMVCo Specifications
‒ Visa: VSDC
‒ MasterCard: M/Chip
‒ Discover: DPAS
‒ American Express: AEIPS
• Each payment application has its own data formats and proprietary fields.
• Based on ISO/IEC and EMVCo specifications.
• Contains risk management parameters and other values indicating how issuers want the card to act under given situations.
Which Chip Application Identifier (AIDs) Should I Use?
• The AID acts as a ‘pointer’ that opens the application for interrogation
• The Application and AIDs used depend on the brand on the front of the card
• The U.S. will likely have two AIDs on the chip:
‒ 1 Global AID for Signature and International acceptance
‒ 1 U.S. Debit AID for domestic ATM, PIN POS and No CVM
Merchant/Device Differences
Restaurant
• Terminal to table
• PIN or signature
• No CVM at some quick service restaurants
ATM
• Online PIN – required
Automated Fuel Dispensers (AFD)
• Pay at pump with PIN
• Pay at pump No CVM
• Pay inside with PIN or signature
Different merchant and device environments will have unique experiences and timelines for EMV deployment
Source: EMV Migration Forum, 2014
Cardholder Experience: How a chip card works in a mixed acceptance device environment
Magstripe only Terminal
‒ Swipe card
‒ Sign Receipt
EMV Chip Card Terminal
‒ Insert card and leave in terminal until transaction is complete and you are prompted to remove card
‒ Follow screen prompts to complete transaction
• There are many terminals in market today with the Chip Reader that do not support EMV chip cards. This could cause some cardholder confusion/frustration.
• If a chip card is swiped in a chip card enabled terminal, the terminal will prompt the cardholder to insert the card into the reader.
Cardholder Education Options
Issuers
Columns: Channel, Pre-issuance, During Issuance, Post Issuance
• Statements: “Your card is changing”; “What's Different”, “How to use”; “How to use”, “Benefits”
• Welcome Packs: “Your new chip card is here”
• Call Center/IVR: “Your card is changing”; “How to use your card”, “Benefits”
• Online: “Your card is changing”; “How to make internet purchases”, “Benefits”
• ATM: “How to use your card at the ATM”, “How to use”
Source: EMV Migration Forum, 2014
What are the ATM Owner Impacts?
• Visa and MasterCard ATM Acquirer Liability Shift:
‒ ATM card reader hardware must be EMV capable or “smart card” ready
‒ Receipt changes
‒ Updated messaging on ATM screens
‒ It is not clear when, or if, U.S. ATMs will support contactless technology
• Consumer Education
‒ Card must be engaged for transaction duration… “don’t forget your card!”
Process to a Chip Card Conversion
• Find Out the Readiness of Players Involved
– Card Manufacturers
– Card Personalization vendors
– Regional PIN Network
– Processor
• Program Cost
– $$$ is determined by chip selection and encryption type
– Testing and Certification
• Setting a Target Date to Begin your EMV Transition
– 4 - 6 months depending on the U.S. market readiness
– 2014 planning and budgeting for 2015 implementation
Questions?
Sandy Dennler, Senior Product Manager, Elan Financial [email protected]
APPENDIX
U.S. Road Map for POS EMV Conversion
U.S. ATM EMV Road Map
Mandate vs. Liability Shift
• A mandate is a directive from the networks to comply with their specific Operating Rules, with non-compliance resulting in potential fines.
– Networks have mandated the processing of chip card transactions to POS and ATM acquirers and sub processors
• A liability shift is not a mandate.
• Global networks have stated in cases involving fraudulent cards the issuer or acquirer with the lowest levels of EMV protection will absorb the fraud liability.
• If an acquirer is not supporting EMV, they will assume the loss for counterfeit fraud transactions. If the acquirer is EMV compliant, the fraud liability remains with the card issuer.
• The following fraud types are excluded from the EMV Liability Shift:
– Card-Not Present Fraud
– Account Takeover
– Lost/Stolen
Liability Shift Scenarios: Issuer Chooses not to Issue EMV Cards
• Non-Compliant Terminal
‒ Card: Magnetic Stripe
‒ Terminal: Non-EMV Compliant
‒ Terminal Action: No Change
‒ Cardholder Experience: Card Swipe – Magnetic Stripe
‒ Liability Shift: Issuer (BAU)
• Compliant Terminal
‒ Card: Magnetic Stripe
‒ Terminal: EMV Compliant
‒ Terminal Action: No Change
‒ Cardholder Experience: Card Swipe – Magnetic Stripe
‒ Liability Shift: Issuer (BAU)
Liability Shift Scenarios: Merchant or ATM Acquirer Chooses not to Move to EMV
• Non-Compliant Terminal
‒ Card: Chip
‒ Terminal: Non-EMV Compliant
‒ Terminal Action: No Change
‒ Cardholder Experience: Card Swipe – Magnetic Stripe
‒ Liability Shift: Merchant or ATM Owner
• Compliant Terminal
‒ Card: Chip
‒ Terminal: EMV Compliant
‒ Terminal Action: Chip is read successfully. iCVV and Cryptogram data passed to host. POS entry mode and cryptogram presence identify this as a chip transaction.
‒ Cardholder Experience: Cardholder inserts card; may be directed to insert card if swiped first
‒ Liability Shift: Issuer (if transaction approved)
Liability Shift Scenarios: Technical Fallback
• Compliant Terminal
‒ Card: Chip
‒ Terminal: EMV Compliant
‒ Terminal Action: The terminal creates a magnetic stripe transaction. This is (technical) fallback. CVV is from the mag stripe and there is no cryptogram present. POS entry mode helps identify this as fallback because it indicates the terminal was chip capable but the chip was not read
‒ Cardholder Experience: Cardholder inserts card. If chip cannot be read the terminal prompts cardholder to swipe card
‒ Liability Shift: Merchant or ATM Owner
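
The scenarios on the three preceding slides, written as a check that could be run over authorization records (an added example, not part of the original presentation). The record fields, the entry values "chip" and "swipe", and the sample rows are hypothetical; the service-code rule comes from ISO/IEC 7813 rather than from the slides.

```python
def card_has_chip(service_code):
    # ISO/IEC 7813: a service code starting with 2 or 6 marks a card that carries a chip.
    return service_code[:1] in ("2", "6")

def classify(txn):
    """Map one authorization record to (scenario, liable party) per the slides."""
    chip_card = card_has_chip(txn["service_code"])
    chip_read = txn["entry"] == "chip"
    # A chip read must come with a cryptogram, a chip card and an EMV terminal;
    # a swipe must come without a cryptogram. Anything else goes to review.
    if chip_read != txn["cryptogram"]:
        return ("inconsistent record", "review")
    if chip_read and not (chip_card and txn["terminal_emv"]):
        return ("inconsistent record", "review")
    if chip_read:
        return ("chip transaction", "issuer (if approved)")
    if not chip_card:
        return ("magnetic stripe card", "issuer (BAU)")
    if txn["terminal_emv"]:
        return ("technical fallback", "merchant or ATM owner")
    return ("chip card at non-EMV terminal", "merchant or ATM owner")

def by_liable_party(txns):
    """Group transaction ids by who carries the counterfeit-fraud liability."""
    groups = {}
    for txn in txns:
        groups.setdefault(classify(txn)[1], []).append(txn["id"])
    return groups

def row(txn_id, service_code, terminal_emv, entry, cryptogram):
    return {"id": txn_id, "service_code": service_code, "terminal_emv": terminal_emv,
            "entry": entry, "cryptogram": cryptogram}

# Constructed sample records (hypothetical field names and values).
SAMPLE = [
    row("t1", "101", False, "swipe", False),  # stripe card, non-EMV terminal
    row("t2", "101", True, "swipe", False),   # stripe card, EMV terminal
    row("t3", "201", False, "swipe", False),  # chip card, non-EMV terminal
    row("t4", "201", True, "chip", True),     # chip read with cryptogram
    row("t5", "201", True, "swipe", False),   # chip card swiped at EMV terminal
    row("t6", "201", True, "chip", False),    # claims chip read, no cryptogram
    row("t7", "101", True, "swipe", True),    # swipe carrying a cryptogram
]
```
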
Magnetic Stripe Card Transaction Flow
Source: EMV Migration Forum, 2014
Chip Card Transaction Flow
Source: EMV Migration Forum, 2014