EMVTM: What You Need to Know About Chip Card Issuance · Strictly Private & Confidential 1 Elan is an Active Participant in the U.S. EMV Migration Smart Card Alliance EMV Migration

Strictly Private & Confidential

Troy CullenPresident

EMV TM: What You Need to Know

About Chip Card Issuance

A u g u s t 2 6 , 2 0 1 4

EMV is a trademark owned by EMVCo LLC


1Elan is an Active Participant in the U.S. EMV Migration

Smart Card Alliance EMV Migration Forum ‒ Debit Committee ‒ Communication and Education ‒ Testing and Certification ‒ EMV Deployment‒ ATM Migration‒ Card Not Present

Elan will be fully EMV compliant on or before October 1, 2015

‒ October 1, 2015 – Visa® and MasterCard® Acquirer Fraud Liability Shift, POS ‒ October 1, 2016 – MasterCard® Acquirer Fraud Liability Shift, U.S. ATMs‒ October 1, 2017 – Visa® Acquirer Fraud Liability Shift, ATMs

Note: No announced network mandates for Card Issuers

2


• U.S. Readiness (Q4 2013)– Primarily Credit, followed by Debit in 2015 – EMV Cards: ~17-20 million (< 2% of 1.1 billion cards total)– Adoption Rate: ~1-2%– EMV Capable Terminals: ~2 million (>12 million POS total)

• The critical path for U.S. EMV Debit card adoption includes two key factors: ‒ ability for regional PIN networks to participate in EMV for

Debit card issuance (Durbin)‒ interoperability between largest payment infrastructure of

merchants, issuers, acquirers and sub processors

What is the Current U.S. Chip Migration Status?

3 U.S. Readiness estimates stated from EMV Migration Forum, May 2014


U.S. Issuer Migration

4Source: Aite Group interviews with card executives from 18 of the top 40 U.S. issuers and payment networks, April and May 2014

(9)

(3)

(3)

(2)


Projected U.S. Card Migration

5

4% 0.6%

25%

8%

70%

41%

91%

68%

98% 90%

Percentage of Credit and Debit Cards with EMV Capability, 2012 to e2017

Source: Aite Group interviews with card executives from 18 of the top 40 U.S. issuers and payment networks, April and May 2014


Regional PIN Network Readiness – almost there

• Per Durbin routing rules, Debit cards must include unaffiliated brands.

• VISA and MasterCard ‘US Common Debit AID’ getting adopted by PIN networks, beginning Q1 2014.

• License agreements will allow regional PIN networks access to EMV technology - and merchants unaffiliated brands for routing.

• Two unique AIDs for Debit issuance: one to support PIN networks and other to support global transactions.

• Issuers began Credit issuance in 2014. Debit chip card issuance expected to lag until merchants have ability to support terminal routing.

6


Projected U.S. Merchant Migration

• 53% of all terminals in U.S. expected to be converted by end of 2015 (mostly by large to medium sized merchants)

• Estimated that only 25% of small merchants will be ready

• Small merchants at risk due to October 2015 liability shift– Account for 58% of retailer

establishments – 53% have limited to no

knowledge of EMV – 50% have limited to no

knowledge of upcoming EMV liability shift

Source: Javelin April 2014 EMV IN USA: Assessment of Merchant and Card Issuer Readiness

7


What to Expect in 2015

• Merchants and ATM Acquirers begin to announce their readiness to support EMV at POS and ATM

• POS and ATM Terminal Implementation:‒ Chip capable: terminal hardware is “EMV ready”; software is

not connected‒ Chip enabled: software is connected at the chip terminal

• The ATM kernel (“EMV kernel”) and software is updated to process the encrypted data

• Processors and acquirers will be able to authorize the chip card transaction

8


When Will Elan be Ready?

9

Drop 1: January 2015 • Enablement of MoneyPass Network Certifications

Drop 2: June 2015• Elan’s primary deliverable for processing chip card transactions • Certification of Plus, Cirrus, Visa Debit, MasterCard, Interlink and

Maestro network interfaces• Visa and MasterCard chip card issuance • EMV software go live for Elan North direct attached Diebold ATMs• Back Office system upgrades

Drop 3: October 2015• Further expansion of Elan North ATM Acquiring interfaces • EMV software go live for NCR ATMs (select models)


GLOBAL DRIVERSEMV

10


Global Drivers: Why is the U.S. Moving to EMV?

Security & FraudReduce counterfeit, lost and stolen card fraudUnique microprocessor that prevents card cloning Dynamic data Fraud migrates to the weakest link, which is becoming the U.S. since other major markets have migrated

Global Interoperability

Increasingly difficult for U.S. travelers to use cards Vulnerability of U.S. payments infrastructureForeign visitors will be able to use their chip cards in the U.S.

NFC and MobileAccelerator for EMV in the U.S. to enable acceptance of other form factorsMerchants implementing NFC in combination with enabling of EMV on POS devicesConsumer adoption of contactless cards and mobile payments will continue to grow

Payment Networks

Major card brands are advancing the adoption of EMV through a series of liability shifts and mandates

Source: EMV Migration Forum, 201411


Magnetic Stripe and Chip Card Data

12

Magnetic stripe transactions are STATIC

• HEREISYOURCARDNUMBER^HEREISYOURNAME^EXPIREDATE^SERVICECODE^CVV

Chip transactions are DYNAMIC

12


How Does EMV Protect Against Fraud?

Embedded Microprocessor –Strong Security

Embedded Microprocessor –Strong Security

Secure Storage of Cardholder Data

Secure Storage of Cardholder Data

Dynamic Data Generated by the

Chip for Every Transaction

Dynamic Data Generated by the

Chip for Every Transaction

Stolen Data Cannot be Reusable in a Chip Transaction

Stolen Data Cannot be Reusable in a Chip Transaction

Terminal Device Will Detect Chip Card vs.

Mag Stripe

Terminal Device Will Detect Chip Card vs.

Mag Stripe

13


Will EMV Prevent Data Breaches: The Big Picture

• More than 600 data breaches were reported last year with a 30% increase from 2012 in breaches that exposed card data

• Security executives caution that EMV cards and point-of-sale terminals alone would not have prevented a Target-style breach

• Data can still be transmitted unencrypted, during an EMV transaction

14


EMVCO’s New TokenizationEMVCo plans to establish new tokenization standards

• Tokenization is the process of replacing a card account number with a unique string of characters that is restricted in how it can be used

• Tokens can be assigned for use with a specific device, merchant, transaction type or channel

• Global networks will offer new specifications to complement existing EMV technical specifications

• Point to Point encryption protects against Card Not Present fraud

15


Emerging Mobile Payment Technologies• EMV brings more revenue and increased efficiencies • Mobile = new business models and new players• EMV provides dynamic authentication in an enhanced

contactless environment and paves the way for delivering seamless mobile payments– M-commerce (Mobile Payments)– Near Field Communication (NFC)

16


ISSUER BUSINESS CASEEMV

17


Building Your EMV Business Case

18

2014 Planning

Step 1: Calculate Risk Exposure• Portfolio Segmentation• Determine business need for international travelers

Step 2: Develop a Budget Plan • Terminal upgrades and chip card production costs

Step 3: Choose an EMV Card Profile • Application/AIDs, including US Common Debit AID solution• Authorization/Authentication and Cardholder Verification Methods

Step 4: Marketing and Communications Plan • Financial Institution and Cardholder education


U.S. Chip Card Issuance Best Practices

• Include multiple AIDs, including U.S. Common Debit AID to ensure Durbin compliance• The simplest and least expensive option is to use ‘Signature and No CVM’ as the

baseline for global interoperability• MasterCard prefers Chip & PIN over Chip & Signature for Goods and Services

19

Signature (Goods and Services)

Online PIN (Cash)

No CVM (Unattended/Trans<$50)

Cardholder VerificationMethod List

Card AuthenticationALWAYS ONLINE Uses online cryptogram No offline data authentication

Transaction AuthorizationALWAYS ONLINE Use Global and US Debit AIDs

19


Which Chip Payment Application Should I Use?

EMVCo SpecificationsEMVCo Specifications

VisaVSDCVisa

VSDCMasterCard

M/ChipMasterCard

M/ChipDiscover

DPASDiscover

DPAS

American ExpressAEIPS

American ExpressAEIPS

• Each payment application has its own data formats and proprietary fields.

• Based on ISO/IEC and EMVCo specifications.• Contains risk management parameters and other values

indicating how issuers want the card to act under given situations.

20


Which Chip Application Identifier (AIDs) Should I Use?

21

• The AID acts as a ‘pointer’ that opens the application for interrogation

• The Application and AIDs used depends on the brand on the front of the card

• The U.S. will likely have two AIDs on the chip:‒ 1 Global AID for Signature and International acceptance ‒ 1 U.S. Debit AID for domestic ATM, PIN POS and No CVM


Merchant/Device DifferencesRestaurant• Terminal to table• PIN or signature• No CVM at some quick service restaurants

ATM• Online PIN – required

Automated Fuel Dispensers (AFD)• Pay at pump with PIN• Pay at pump No CVM• Pay inside with PIN or signature

Different merchant and device environments will have unique experiences and timelines for EMV deployment



Cardholder Experience: How a chip card works in a mixed acceptance device environment

Magstripe only TerminalSwipe card

Sign Receipt

EMV Chip Card TerminalInsert card and leave in terminal until transaction is complete and you are prompted to remove card

Follow screen prompts to complete transaction

• There are many terminals in market today with the Chip Reader that do not support EMV chip cards. This could cause some cardholder confusion/frustration.

• If a chip card is swiped in a chip card enabled terminal the terminal will prompt the cardholder to insert the card into the reader.

23


Cardholder Education Options Is

suer

s

Statements “Your card is changing”

“What's Different”“How to use”

“How to use”“Benefits”

Welcome Packs “Your new chip card is here”

Call Center/IVR “Your card is changing”

“How to use your card” “Benefits”

Online “Your card is changing”

“How to make internet purchases” “Benefits”

ATM “How to use your card at the ATM” “How to use”

24

Channel Pre-issuance During Issuance

Post Issuance



What are the ATM Owner Impacts?

• Visa and MasterCard ATM Acquirer Liability Shift: ATM card reader hardware must be EMV capable or “smart

card” ready Receipt changes Updated messaging on ATM screens It is not clear when, or if, U.S. ATMs will support contactless

technology

• Consumer Education Card must be engaged for

transaction duration… “don’t forget your card!”

25


Click to add titleProcess to a Chip Card Conversion

• Find Out the Readiness of Players Involved – Card Manufacturers – Card Personalization vendors – Regional PIN Network– Processor

• Program Cost – $$$ is determined by chip selection and encryption type– Testing and Certification

• Setting a Target Date to Begin your EMV Transition– 4 - 6 months depending on the U.S. market readiness – 2014 planning and budgeting for 2015 implementation

26


Questions?

Sandy DennlerSenior Product ManagerElan Financial [email protected]

27


APPENDIX

28

Strictly Private & ConfidentialProprietary & Confidential

U.S. Road Map for POS EMV Convers ion

29

Strictly Private & ConfidentialProprietary & Confidential

U.S. ATM EMV Road Map

30


Mandate vs. Liability Shift • A mandate is a directive from the networks to comply with their specific

Operating Rules, with non-compliance resulting in potential fines. – Networks have mandated the processing of chip card transactions

to POS and ATM acquirers and sub processors• A liability shift is not a mandate. • Global networks have stated in cases involving fraudulent cards the

issuer or acquirer with the lowest levels of EMV protection will absorb the fraud liability.

• If an acquirer is not supporting EMV, they will assume the loss for counterfeit fraud transactions. If the acquirer is EMV compliant, the fraud liability remains with the card issuer.

• The following fraud types are excluded from the EMV Liability Shift:– Card-Not Present Fraud– Account Takeover– Lost/Stolen

31


Liability Shift Scenarios

• Non-Compliant Terminal

Card Magnetic Stripe

Terminal Non-EMV Compliant

Terminal Action No Change

Cardholder Experience Card Swipe – Magnetic Stripe

Liability Shift Issuer (BAU)

• Compliant Terminal

Card Magnetic Stripe

Terminal EMV Compliant


Cardholder Experience Card Swipe – Magnetic Stripe

Liability Shift Issuer (BAU)

Issuer Chooses not to Issue EMV Cards

32



• Non-Compliant Terminal

Card Chip

Terminal Non-EMV Compliant


Cardholder Experience

Card Swipe – Magnetic Stripe

Liability Shift Merchant or ATM Owner

• Compliant Terminal

Card Chip


Terminal Action

Chip is read successfully. iCVV and Cryptogram data passed to

host. POS entry mode and cryptogram presence identify

this as a chip transaction.


Cardholder inserts card; may be directed to insert card if swiped

first

Liability Shift Issuer (if transaction approved)

Merchant or ATM Acquirer Chooses not to Move to EMV

33



Card Chip


Terminal Action

The terminal creates a magnetic stripe transaction. This is (technical) fallback. CVV is from the mag stripe and there is no

cryptogram present. POS entry mode help identify this as fallback because it indicates the terminal was chip capable but

the chip was not read


Cardholder inserts card. If chip cannot be read the terminal prompts cardholder to swipe card

Liability Shift Merchant or ATM Owner

Technical Fallback Compliant Terminal

34


Magnetic Stripe Card Transaction Flow

35 Source: EMV Migration Forum, 2014


Chip Card Transaction Flow

36 Source: EMV Migration Forum, 2014

Documents

EMVTM: What You Need to Know About Chip Card Issuance · Strictly Private & Confidential 1 Elan is an Active Participant in the U.S. EMV Migration Smart Card Alliance EMV Migration