EMV Myths Debunked / Fact vs. Fiction

Fact vs. Fiction / EMV Myths Debunked

SEPTEMBER 23, 2015

1 Welcome

Agenda

Introduction & objective

About Ingenico Group

EMV defined

EMV myths debunked

Overview of Ingenico Group’s EMV-ready solutions

Q&A

4

Speaker Introduction

Greg Burch

VP of Mobility and Business Development

Ingenico Group / North America

Allen Friedman

VP of Payment Solutions

Ingenico Group / North America

Fact vs. Fiction / EMV Myths Debunked - 10/1/2015

5

Objective

To finally put an end to all the confusion around EMV, and give you the

facts. We will answer common questions such as:

Can EMV prevent

data breaches?

Does EMV ensure PCI compliance?

What does it take to become EMV-ready?

What is EMV?

When is the deadline?

What happens after the deadline?What does

“liability shift”

mean?


6

PollWhen is the EMV deadline?

A) October 1st

B) October 15th

C) October 16th

D) All of the above


About

Ingenico

Group2

8

Global footprint / multi-local solutions

$1.8Bin 2015

88sites across

the world

35years of

payment

expertise

global reach

170countries

78nationalities

5.5Kemployees


9

• Security-focused / EMV, NFC, P2PE

• Seamless experience / in-store, out of store and onboard

• Innovative solutions / across industries and use cases

• Trusted partner / unmatched service and support

Ingenico Group U.S. / at a glance


10

Trusted partner / from small merchants to global brands

Network of

1,000+financial

institutions

Partner with

70%of the Top 30

leading retail

brands

250K+ merchants

connected to our

platforms

Accepting

300+payment methods


3What is

EMV?

12

EMV defined / what does EMV stand for?

E

M

V

EMV is a technical payments standard. It stands for Euro Pay,

MasterCard and Visa.


13

EMV defined / who manages it?

EMV is now managed by EMVCo, a consortium split among:

• Visa

• MasterCard

• JCB

• American Express

• China UnionPay

• Discover

In 2006, EuroPay was acquired by MasterCard.


14

EMV defined / how it works

EMV involves using smart cards to process payment that integrate a microprocessor

chip rather than magstripe

Cards must be physically inserted or “dipped” into smart terminal OR contactless

cards can be used, which can be read over a short distance

Also called “chip card” or “smart card”


15

EMV defined / how it works


16

Most of the world has

migrated to the EMV

standard.

The U.S. is one of the

few countries still yet to

fully migrate.

EMV defined / world overview


17

EMV Defined / World overview

Generally, a migration to EMV standards results in a large reduction in card-

present fraud.

• Chip-enabled cards are very difficult to physically reproduce or misuse, so stolen and

counterfeit cards become significantly less valuable to fraudsters in EMV dominant

payment ecosystems

• This trend causes physical card fraud to move to countries where EMV is less

dominant

25%

75%

Share of Global Transactions

U.S. Rest of the World

47%53%

Global Credit Card Fraud

U.S. Rest of the World

18

EMV defined / major stakeholders


Card Manufacturers

Card Issuers

Cardholders

Merchants

Acquirer & Payment

Processors

ISVs & VARs

19

Definition / EMV common terms


AID – Application ID. Term used in reference to

applications which reside on a chip card. The

AID must be known by the terminal and card.

Card types – Issuers provide either contact,

contactless or dual interface cards and cards

are manufactured by many approved around

the world. All cards have only one chip and

continue to also have a magstripe on the back.

CVM – Cardholder Validation Method – PIN,

Signature, No CVM.

Dual Interface – contact and contactless

combined on card using one chip.

Dynamic Kernel –a smarter kernel which

applies business logic to the interaction

between the terminal and the card.

EMV – Europay, MasterCard, VISA.

EMVCo – Owns, manages, and maintains

global payment specifications to define

requirements between chip-based payment

cards and acceptance terminals.

Kernel – Software component that lives on the

payment terminal, which controls the interaction

between the terminal and the card.

PIN-Preferring – A merchant who has PIN CVM

as a priority.

EMV Dictionary

Fact vs.

FictionEMV Myths Debunked

4

21

Myth #1 / “The deadline occurs any date in October”


22

Myth #1 DEBUNKED / The deadline is October 1st

…and October 15th and October 16th

EMV

Liability

Deadline


EMV

Liability

Deadline

EMV

Liability

Deadline

23

Myth #1 DEBUNKED / October EMV timeline


• Europay, MasterCard & Visa issue first EMV specification.

1995

• Large retailer partners with Visa to push for more smart chip cards to be used in the US.

• Efforts halt due to cost.

2001• MasterCard,

Visa and Discover announce roadmaps to bring EMV to U.S.

2011

• Acquirer & sub-processors deadline to process EMV payments

April, 2013 • U.S. EMV liability

shift deadline for merchants

Oct. 1, 2015

• U.S. liability shift for ATMs and domestic cards

Oct. 1, 2016

Petroleum Liability

Shift Deadline

Oct. 2017

24

Myth #2 / “EMV is only necessary for major retailers”


25

Myth #2 DEBUNKED / EMV is for all merchants –

big & small


Small merchants need to know that

criminals are not just looking for the big

fish.

• As big merchants upgrade their payments

to accept EMV chip cards, the fraudsters

are going to migrate to smaller merchants

• Small fraudulent transactions can have

BIG negative affects to the health of a

small merchant

26

Myth #3 / “Implementing EMV is a government

requirement”


27

Myth #3 DEBUNKED / EMV is NOT a requirement –

government or otherwise


No government agency or industry

association is requiring you to

implement EMV.

• You will not be fined

• It is your decision

28

Myth #3 DEBUNKED / EMV is NOT a requirement, it’s a

liability shift


Counterfeit card fraud Liability Shift

• Liability for counterfeit fraud – applies to Visa, MasterCard, American Express and

Discover

• Post-Oct., if a merchant receives a counterfeit magstripe card (created from an EMV

chip card or transaction data), at a terminal that is not POS ready, then the merchant

is liable for the chargeback resulting from the fraud

29

Myth #3 DEBUNKED / EMV is NOT a requirement, it’s a

liability shift


Stolen card fraud liability shift

• The liability shift for stolen cards applies to MasterCard, American Express and

Discover

• Post Oct., if a merchant accepts a stolen EMV chip card that requires a PIN –

using a terminal that doesn’t support EMV with PIN entry, the merchant will be

liable for the chargeback resulting from the fraud

30

Myth #4 / “EMV is needed to comply with PCI standards”


Merchants believe they must

implement EMV to be compliant with

PCI Data Security Standards.

31

Myth #4 DEBUNKED / EMV is not needed to comply

with PCI standards


You don’t need to implement EMV to

be compliant with PCI Data Security

Standards.

• While EMV can be one component of

your data security strategy, it’s not

required nor mandated by PCI

• Likewise, implementing EMV will NOT

make you PCI compliant

32

Myth #5 / “Magstripes will no longer be accepted”


Merchants think that once they

implement EMV, they will not be able

to accept credit cards with magnetic

stripes.

33

Myth #5 DEBUNKED / Magstripes cards will be

accepted after Oct.


Magnetic stripes are not going anywhere, anytime soon.

• 53.6% of consumers have not received their EMV cards yet1

• As the migration continues, all EMV chip cards will still have magstripes on the back

• When using an EMV-ready smart terminal, a customer who does not have the chip can still swipe their card on an EMV-ready smart terminal

• If a customer who does have a chip tries to swipe the card, the smart terminal will alert the cashier/customer to have the customer dip/insert the card into the smart terminal

• Regardless if you are EMV-ready, you can still accept magstripe cards

1 Data from Harbortouch survey

34

EMV Myth #6 / “EMV will never take hold in the U.S.“


35

EMV Myth #6 DEBUNKED / U.S. EMV migration is

happening

The U.S. migration is in full swing

• Millions of cards have been issued over

the past few years

• The majority of new POS smart

terminals have default EMV capabilities

• Several data processing infrastructures

have been upgraded to handle the new

data generated for EMV transactions


36

EMV Myth #6 DEBUNKED / U.S. EMV migration is

happening

The United States of EMV | By the Numbers:

90% U.S. cards that will have an EMV chip by

2016 – USA Today 2014

5,000 U.S. VISA EMV cards issued daily – VISA

2013

3.5M VISA EMV cards issued in the US. from

Aug. to May 2013 – VISA 2013


500K Estimated number of merchant locations

who are EMV-ready

37

There is some debate about EMV

payments vs. mobile payments

EMV Myth #7 / “It’s best to just jump to mobile

payments”


38

EMV and mobile payments are

complementary technologies

• Cards aren’t going away, so we

need to secure them

• Many smart terminals that accept

EMV contactless cards also

accept NFC mobile payments –

it’s the same technology

• It’s best to accept both in order

to future-proof your POS

EMV Myth #7 DEBUNKED / EMV & NFC mobile go

hand in hand


39

EMV Myth #8 / “EMV is useless because it doesn’t

address CNP fraud”

EMV is useless since it doesn’t

protect against card-not-present

fraud

• If the card isn’t present, there are

still vulnerabilities to fraud

• Online and e-commerce fraud are

still at risk

• EMV is only good for card-present

fraud reduction


40

Although it doesn’t completely protect against it, EMV adds security measures that help prevent CNP fraud

• EMV chip cards enable additional authentication security features such as one-time passwords, on-card PIN codes, and personal card readers

• Banks and merchants need to implement these authentication tools/features

• The European Union (EU) has seen an 80% reduction in credit card fraud since migrating to EMV

EMV Myth #8 DEBUNKED / EMV cards are very

successful at helping prevent CNP fraud


41

EMV could have prevented the

2013 card data breach at Target.

• This type of data breach occurs when

cyber criminals are able to access

weakly secured information on a

merchant’s system during data

transmission or storage

EMV Myth #9 / “EMV protects against data breaches”


42

EMV alone will not protect data

from being hacked and would not

have singularly prevented the

Target breach

• The major goal of EMV is to combat

credit card fraud

• EMV still sends card data in the clear

EMV Myth #9 DEBUNKED / EMV does NOT protect

against data breaches

Source: Hacking the Point of Sale, Slava

Gomzin, 2014


43

EMV offers a good start to enhancing data

security, with:

• Card authentication

• Cardholder verification

• Transaction authorization

But a multi-layered security approach

that includes encryption and tokenization

provides makes the data less valuable to

criminals, safeguarding both merchants and

their customers




44



EMV must be a part of a multi-layered security to ensure complete data

protection:

• EMV for card authentication – protect against fraudulent cards

• Point-to-point encryption (P2PE) – no clear card data outside

secure POI

• Tokenization – Protect card data at rest

With these security measures in place, if there is a successful attack on

the POS, it will not yield data that can be monetized


45



Multi-layered security protects against all threats:

Threats Protection

Card Present Card-Not-Present

EMV Encryption Tokenization EMV Encryption Tokenization

Counterfeit cards

Lost & stolen cards1

Reusing stolen data

Stealing data in transit

Stealing data in rest

1 When used with PIN CVM


46

EMV Myth 10# / “Migrating to EMV is scary, complex

and expensive”


47

EMV Myth #10 DEBUNKED / migrating to EMV

doesn’t have to be complex

5 easy steps to EMV migration

1. Choose the right technology partner

2. Build a project roadmap

3. Assess acquirer relationships

4. Design and implement

5. Test and certify


48

EMV Myth #10 DEBUNKED / migrating to EMV

doesn’t have to be complex

Consider a semi-integrated payments solution to:

Simplify EMV Migration

Leverage “pre-certified”

solutions

Minimize upgrades required to POS

& back office systems

Reduce costs of EMV migration

PCI Scope Reduction

Reduce footprint where sensitive

data passes through

Opportunity for PA-DSS removal

Lower cost of PCI compliance

Increase chance of audit success

Improvements to Security

Limit attack surface

Avoid breaches commonly occurring

in the POS

Simplify path to add point-to-point

encryption (P2PE) & tokenization

Avoid EMV Certification Bottleneck

Bypass the backlog of merchants

simultaneously looking for

certifications

Skip the long and expensive process


49

EMV Myth # 10 DEBUNKED / EMV payment

technology is cheaper and easier to install than ever

We’ve learned lessons from other countries.

There are incentives from various payment brands.

By upgrading to a “one size fits all” smart terminal, merchants see huge savings

with scalable, flexible payment solutions:

• Contact chip card

• Contactless card acceptance

• Mobile payments

• Traditional


EMV

Migration

Time to get ready

5

51

EMV-ready / Ingenico Group Solutions

Leverage our global EMV expertise to get EMV-ready.

• Ingenico Group is the global leader in world-wide EMV deployments

• Ingenico Group streamlines your EMV implementation by helping you

identify the appropriate EMV-compliant solutions to meet your business

model’s specific needs

• We offer future-proof payment solutions that accept:

• EMV Chip & PIN

• EMV Chip & Signature

• Contactless (NFC) – Android Pay & Apple Pay


52

EMV-ready / Ingenico Group Solutions

Our diverse suite of EMV-ready smart terminals and mobile solutions can fit

your business model:


iPP 310

iSC Touch 480

iSMP for

iPhone® &

iPod

touch®

iCT 250

53

EMV / resources

Learn more:

• Download our EMV ebook: http://info.ingenico.us/emv-ebook-registration

• View our EMV webinars:

1. http://info.ingenico.us/semi-integrated-recorded-webinar-registration

2. https://event.webcasts.com/viewer/event.jsp?ei=1069764

• Visit these EMV websites:

• Go Chip Card Information

• EMVCo

• EMV Migration Forum

• EMV USA

• Smart Card Alliance

• Links will be emailed post webinar


http://info.ingenico.us/emv-ebook-registration

http://info.ingenico.us/semi-integrated-recorded-webinar-registration

https://event.webcasts.com/viewer/event.jsp?ei=1069764

Questions?www.ingenico.us

Thank You

Retail

EMV Myths Debunked / Fact vs. Fiction