EMVCo Presentation – Mobey Forum Bastien Latgé, EMVCo Director of Technology September 2018

Copyright ©2017 EMVCo. Copyright ©2018 EMVCo – Unauthorised reproduction is prohibited

Agenda

• Introduction to EMVCo

• EMV® 3-D Secure
  • EMV 3-D Secure Transaction Flows
  • How does EMV 3-D Secure Support PSD2

• EMV Secure Remote Commerce

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

Introduction to EMVCo

Definition of EMV®

EMV is a technology toolbox that enables globally interoperable secure payments across face-to-face and remote environments.

[Diagram: EMV technologies spanning Face to face and Remote environments: EMV Payment Token, EMV Contact, EMV Contactless, EMV Mobile, EMV QR Codes, EMV 3-D Secure, EMV 2nd Generation, EMV Secure Remote Commerce. Other labels: Options, Future proof, Wearable Device, Software Based Mobile Payments, CDCVM.]

EMVCo’s Mission and the Value of EMV®

Facilitate the worldwide interoperability of secure payment transactions by publishing the EMV Specifications and their related testing processes

EMV adoption enables the payments community to:

• Support payment security and transaction risk management

• Enhance security, interoperability and acceptance of EMV based payments globally

• Deliver innovative payment solutions

EMV Specifications are made available on a royalty-free basis

Roles of EMVCo and Payment Networks

What EMVCo Does

Create and publish EMV® Specifications

Facilitate testing and approval of EMV elements of products and solutions

Enhance payment security

Support specifications and testing for emerging payment technologies

What EMVCo Does Not Do (Managed by Global, Regional and Domestic Payment Networks)

Product development and implementation certification

Mandates or compliance

Commercial incentives

Fraud liability shift policy

EMV® 3-D Secure

EMV® 3-D Secure - Initiative Overview

Definition

• 3DS provides a secure communication channel between the Cardholder, Merchant and Issuer.

• A means of securely identifying the cardholder in an online transaction.

• A messaging protocol which enables Issuers to authenticate their Cardholder before transaction authorisation.

Opportunity

• Remote commerce is a growing segment. Transactions occurring on multiple platforms – phone, tablets, PCs.

• Merchant almost always carries the fraud liability.

• Current solutions have a high degree of transaction friction.

EMVCo’s Role

• Specification that supports secure e-commerce transactions in a globally interoperable manner.

• Enhances and maintains specification based on industry feedback.

• Administers testing and approval process to ensure global interoperability.

Overview of 3DS

Three-Domain Secure (3DS) is a messaging protocol which enables Issuers to authenticate consumers during online shopping.

The additional security layer reduces fraudulent use of online credit and debit transactions by:

• preventing unauthorised use of cards online

• protecting merchants from exposure to fraud-related chargebacks

Three domains consist of:

• Merchant / acquirer domain

• Interoperability domain

• Issuer domain

[Diagram label: Authentication Messages]

Why a New Version of the 3DS Specification is Required

Support non-browser e-commerce transactions

• In-app purchases (covers all connected device purchases)

Better integration with a merchant’s offering

• Enabling a smooth process for the challenge response that does not interrupt the merchant’s check-out experience

Facilitate a cleaner experience without sacrificing security

• Encourage frictionless authentication (where possible)

• Better use of dynamic one-time-passwords

Additional Benefits of New Specification

• Deliver web-based service messaging to be used across multiple platforms

• Offer advanced intelligent risk-based decisioning

• Add support for non-payment authentication and digital wallet in addition to enriching current payment authentication flows

• Align to country-specific and regulatory requirements

Application Based Use Case Example – Challenge / Response Flow

[Diagram: Challenge / Response Flow. Components shown: Merchant Environment, Merchant Server, 3DS SDK, 3DS Client, 3DS Server, Directory Server (DS), Access Control Server (ACS), Issuer, Acquirer, Payment Network. Messages shown: Authentication Request/Response, Challenge Request/Response, Results Request/Response, Authorisation Message, Merchant/MI APIs/Browser Interaction, MI APIs/Payment Requests.]

Note: Dashed arrows and Merchant Server are not part of 3DS specification and are shown for clarity only

Acquirer BIN

Acquirer Merchant ID

Cardholder Account Number

DS URL

Message, Extension, Version

Acquirer BIN

Acquirer Merchant ID

Card Expiry Date

Cardholder Account Number

DS URL

Merchant Country Code

Message Category, Extension, Type, Version

Purchase Amount, Currency, Date & Time

Recurring Expiry, Frequency

More than 10 X Data

Browser User-Agent

Browser User-Agent

IP address

Browser Time Zone

Cardholder Email Address, Home Phone Number, Mobile Phone Number, Work Phone Number

Cardholder Name

SDK App ID, SDK Encrypted Data, Ephemeral Public Key

SDK Reference Number, SDK Transaction ID

3DS Requestor URL

Browser Accept Headers

Cardholder Account Information (Account Age, Change, Password Change, Number of Transactions per Day / Year, Shipping Name Indicator, Suspicious Activity, Payment Account Age etc.)

Cardholder Account Identifier, Billing Address

Cardholder Shipping Address

Transaction Type

Account Type

Browser Time Zone

DS Reference Number, Transaction ID

EMV Payment Token Indicator

Purchase Date & Time

Recurring Expiry, Frequency

3DS Server Reference Number, Operator ID, Transaction ID, URL

Address Match Indicator

Device Channel, Device Information, Rendering Options Supported

Message Category, Type

Merchant Name

Merchant Country Code

Merchant Category Code

Merchant Risk Indicator (Delivery Timeframe, Re-order, Pre-order, Gift Card)

3DS Requestor Authentication Information (Method), Challenge Indicator, ID, Initiated Indicator

3DS Requestor Name, Non-payment Indicator, Prior Transaction Authentication Information, Instalment Payment Data

Browser Java Enabled, Language, Screen Color Depth, Height, Width

3DS 1.0 Data (Initial Message – VEReq) EMV® 3-D Secure Data (Initial Message – AReq)

Application Based Use Case Example – Challenge / Response Flow

How does EMV® 3-D Secure support PSD2

• The capability to trigger a Strong Customer Authentication (SCA) when needed

• Built-in support for Transaction Risk Analysis – more than 100 data elements provided

• Optional indicator available to allow the requestor to indicate its preference or not for a challenge (SCA)

EMV® 3-D Secure - Future Changes for PSD2

Changes currently under consideration:

• New data element to indicate current whitelisting status (ARes and AReq)

• Ability for Merchants to communicate that their Acquirer has met either the SCA or TRA Exemption prior to submitting their 3DS Message (AReq)

• A new Transaction Status indicator (I) to indicate the ACS has received the data but authentication was not performed (ARes)

EMV® Secure Remote Commerce

Copyright ©2017 EMVCo. Copyright ©2018 EMVCo – Confidential

EMV® Secure Remote Commerce - Initiative Overview

Definition

• EMV Secure Remote Commerce (EMV SRC) is an evolution of remote commerce

• EMV SRC enables secure and interoperable payment acceptance from browsers or applications

• EMV SRC enables a merchant (or their agent) to receive a common payload based on dynamic data to process an e-commerce transaction

• Scope: Scenarios in which there is no face to face transaction

Opportunity

• Introduce dynamic data to e-commerce

• Introduce common and interoperable card payment specification for web based payments

• Simplify integration for merchants and commerce platforms

EMVCo’s Role

• Engage with industry stakeholders to create specifications that provide interoperable interfaces for the ecosystem

• Provide a common data definition and methodology to exchange a payment payload to streamline merchant integration and to support a consistent consumer experience

The Evolution of Payments

[Diagram: three stages labelled Physical Payments, Online Payments and Secure Remote Commerce, feeding BAU Authorisation. Labels shown: Cardholder, Payment Card, Payment Information, Physical Terminal, Consumer Interaction, Digital Card Selection, Merchant Website, SRC System, Merchant and Intermediaries, Acquiring Bank, Payment Network, Issuing Bank.]

Secure Remote Commerce establishes the framework to deliver a common Consumer Checkout while increasing Simplicity and Security

EMV® Secure Remote Commerce Roles

EMV SRC Role: Description

SRC System

• Orchestration of all technical and business relationships between participants of an individual SRC System

Digital Shopping Application (DSA)

• Integrate SRC Common Software into their consumer checkout experience

Digital Card Facilitator (DCF)

• Facilitate the storage and display of Digital Card data for selection (card art, descriptor and others)

SRC Initiator

• Distributes code to DSA and manages the API integration with the SRC System

• Provide checkout data to the SRC System at the time of a transaction

SRC Participating Issuer (SRC PI)

• Enrolment of cardholder and source of Digital Card data including card art and cardholder assurance

• Optionally create and validate dynamic data

EMV® SRC Addresses Gaps of Many Single Provider Solutions

Current Gaps

• Fragmented: Varied Experiences

• Potential-Risk: PAN Exposure

• Lack of Scale: Single Provider

• One-off Solutions: Merchant by Merchant

EMV SRC Achieves

• Common: Common Experience

• Secure: Dynamic Data; Assurance

• Scalable: Ubiquitous

• 360° Solution: Consistent Implementation

Higher Cart Conversion & More Engagement

Higher Authorisation Rates & Low Fraud Losses

Lower Cost of Integration & Higher Acceptance Rates

Higher Adoption

• Scale is fundamental to the effectiveness of solutions

• Innovation in payment technologies mostly affects merchant-facing functions in the value chain

• Integration of each new data source is resource and time consuming

• Convenience over security is not an acceptable tradeoff for consumers and all want access to all their existing cards

SRC in Context of Merchant Environment version 1.0

Merchant experience varies by channel (web, mobile application, other technology)

SRC experience facilitated by SRC system

[Diagram: checkout journey with stages labelled Product Page, Checkout Page, Shipping, Payment & Billing, Order & Review, Confirmation, 3DS, Authorisation. SRC elements shown: Identity, Card Selection, Assurance & Verification, Payment Tokenisation, 3-D Secure. Legend: Required, Optional.]

FOR ILLUSTRATIVE PURPOSES ONLY

NOTE: The SRC Specification does not mandate use or limit implementations to a “Single Button”.

Thank you! For more information: www.emvco.com

Official specification & supporting material portal

FAQs general & technical

Seminar & meetings details

EMVCo approved products & accredited labs

White papers & best practice guides

or join us on LinkedIn.