EMV, P2PE and Tokenization - T2 Connect 2015

Dave Witts, President US Payment Services, Creditcall (www.Creditcall.com/emv-migration)

Philip Yu, Director of Product Management, T2 Systems (www.T2Systems.com)

17 November 2015


Agenda

• Current EMV statistics in the US

• Weapons against fraud – EMV, P2PE & Tokenization

• What happens during an EMV certification, what’s required?

• The current state of EMV certifications in the US

• What happens during a P2PE certification, what’s required?

• What has caused the delays?


Current EMV Statistics


575 million EMV cards to be issued by the end of 2015

59% of retail locations will be EMV-compliant by the end of 2015

78,800 EMV chip-activated merchant locations

70% of U.S. credit cards will be issued as EMV cards by the end of 2015


86% of financial institutions plan on issuing EMV debit cards by 2015

$3.50 Average cost for issuing a new EMV card

$500 Average cost of an EMV-compliant POS terminal

Sources: Javelin Research & Strategy, Aite Group, 2014 PULSE Debit Issuer Survey


Weapons Against Card Fraud


Without P2PE


With P2PE


P2PE vs. PCI P2PE

| P2PE | PCI P2PE (Certified) | P2PE (Non-Certified) |
|---|---|---|
| P2PE implementation manual for merchant to follow | Mandatory - Merchants must follow PIM to get PCI P2PE protection | Not defined |
| Secure supply chain | Mandatory - Merchants must use scheme defined by solution provider | Not defined |
| PCI DSS de-scoping | Yes - If merchant is only using PCI P2PE certified solution to take card payments; Merchants can complete a PCI DSS SAQ designed for P2PE | No - It remains each processor’s decision as to whether the solution offers any de-scoping of PCI DSS |
| PINpad key injection cost | Yes | Yes |
| PINpad encryption licence cost | Yes | Yes |
| Solution provider costs to provide encryption | Yes | Yes |
| Certification costs | Solution provider has to cover costs of P2PE assessment. Merchant should have lower PCI DSS costs if only using certified solution | Merchant has all the cost of PCI DSS |


Tokenization

• “The replacement of a credit card number and expiry date with a non-sensitive equivalent that has no exploitable value.”

• A Payment Gateway organisation would return a token of the card number and expiry date for every transaction authorization received. This can be stored by the merchant with no special precautions, and used in place of the actual card number for any subsequent transaction.
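An added example (not from the presentation or from either vendor's product) of the gateway token flow described above: the gateway holds the only token-to-card mapping, the merchant stores just the token, and a token presented to a different gateway is meaningless. The class and function names, the `tok_` prefix and the one-token-per-card choice are assumptions; the PAN is a constructed test value.

```python
import secrets


class GatewayTokenVault:
    """Gateway-side vault: the only place a token maps back to card data."""

    def __init__(self, name):
        self.name = name
        self._by_token = {}  # token -> (pan, expiry); never leaves the gateway
        self._by_card = {}   # (pan, expiry) -> token, so a repeat card reuses its token

    def authorize(self, pan, expiry, amount_cents):
        """Simulated authorization that returns a token alongside the result."""
        card = (pan, expiry)
        token = self._by_card.get(card)
        if token is None:
            # Random, not derived from the PAN: nothing to reverse or guess offline.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_card[card] = token
            self._by_token[token] = card
        return {"approved": True, "amount_cents": amount_cents,
                "token": token, "last4": pan[-4:]}

    def charge_token(self, token, amount_cents):
        """Subsequent transaction: the merchant presents the token, not the card."""
        card = self._by_token.get(token)
        if card is None:
            # Unknown to this vault, e.g. a token issued by a different gateway.
            return {"approved": False, "reason": "unknown token"}
        pan, _expiry = card
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


def demo():
    gateway_a = GatewayTokenVault("gateway-a")
    gateway_b = GatewayTokenVault("gateway-b")
    merchant_db = {}  # merchant keeps token + last4 only, never PAN or expiry

    # Constructed test PAN and expiry, not real card data.
    first = gateway_a.authorize("4111111111111111", "12/17", 250)
    merchant_db["customer-42"] = {"token": first["token"], "last4": first["last4"]}

    stored = merchant_db["customer-42"]["token"]
    repeat = gateway_a.charge_token(stored, 400)   # re-usable for other payments
    foreign = gateway_b.charge_token(stored, 400)  # not cross gateway compatible
    return merchant_db, repeat, foreign
```
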


Key Benefits of Tokenization

• Improved customer experience in e-Commerce.

• Saves having to ask cardholder to re-enter card number and expiry date.

• Far more secure than the merchant storing actual card details.


Tokenization

| Tokenization | Proprietary Gateway Scheme |
|---|---|
| Complexity | Simple |
| Re-usable for other payments | Yes |
| Online/Offline | Online |
| Real-time 3rd party dependency (i.e. token service provider) | No |
| Works with existing magstripe cards | Yes |
| Cost | None |
| Cross gateway compatible | No |


What Happens During EMV Certification – Typically up to 16 Months

1) Select an EMV Card Reader – 3 Months

• A card reader is where a large part of an EMV transaction takes place through a complex dialogue between the chip card and the reader.

• Integrators must invest time in learning about EMV (e.g. Application Selection, Data Authentication, Online Processing and Issuer Script Processing), transaction flows, transaction logic and, of course, exception handling when an inevitable error occurs in the transaction.


2) Processor Interfaces and EMV Messages – 6 Months

• Across the different processors, every interface will need to be modified to support the new EMV data fields and process flows.

• Because most interfaces are based on legacy code developed many years ago, the addition of new features such as EMV becomes an increasingly difficult task.

• Processors will have scaled their integration support sufficiently to cope with the mass of other integrators who will be following the same path.


3) Card Brand Certifications – 4 months

• Once processor interfaces have been updated, the complex task of end-to-end testing and certification begins.

• M-TIP/ADVT/AEIPS/DPAS are the 4 different testing types required.

• Processors have not been able to cope with the volume of certifications required before the October 2015 Liability Shift and continue to struggle.

• This is NOT a one-time process – it must be repeated every three years when the EMV Kernel certification on the card reader expires.


4) Terminal Management System – 3 months

• It is essential that any EMV solution deployed has access to a TMS platform for efficient and timely deployment of updates.

• Without a TMS platform, there is a risk of having card readers without current software or the latest configuration.


Current State of US EMV Certifications

• Unattended certifications have been delayed because processors have given attended certifications priority.

• Attended has larger $$ volumes that concern processors.

• Unattended certifications are scheduled to start in Q4 2015 with a 3-4 month window of completion.

• If certification fails at any stage, it must start again from the beginning, so it is important that everything is ready before certification.


VeriFone VX820 for attended transactions is currently EMV certified with First Data and Chase. EMV certification with Elavon is expected Q4 2015, Global Payments & TSYS Q1 2016, Heartland Q2 2016.

Globalcom BV1000 for unattended transactions has EMV certifications scheduled with First Data, Chase, Elavon, Global Payments, Vantiv & TSYS for Q2 2016; Heartland is scheduled for Q3 2016.


What is P2PE Certification


It is a solution comprising components that store, process and transmit account data as part of a payment authorization or settlement, while performing cryptographic key management functions.

Every transaction is uniquely encrypted at source and only decrypted once in the secure Payment Gateway for processor authorization.


The solution is deployed and maintained in a fully traceable and secure manner, with clearly defined roles and responsibilities for all parties involved throughout the life of the product, thus ensuring compliance integrity.

The PCI SSC certify that the solution meets the PCI P2PE standards and list the solution on the PCI website:

https://www.pcisecuritystandards.org/approved_companies_providers/validated_p2pe_solutions.php


Key Benefits of P2PE

Implementation of a PCI certified P2PE solution may reduce PCI DSS assessment scope for merchants.

Is the highest level of cardholder data security available.

Simplified payment processing architecture.


The PCI Family & Relationship

• Manufacturers: PCI PTS (PIN Entry Devices)

• Software Developers: PCI PA-DSS (Payment Application Vendors)

• Acquirers, Payment Gateways, Software Developers & KIFs: PCI P2PE (Security Standard)

• Merchant & Processors: PCI DSS (Data Security Standard)

Diagram label: Potentially Reduced


The P2PE Assessment Process

1) The P2PE Solution Provider selects a P2PE Assessor.

2) The P2PE Solution Provider then provides access to the P2PE solution to the Assessor.

3) The P2PE Assessor determines the scope and assesses key-injection facilities, Certification Authorities, device, applications, deployment and merchant support mechanisms. They prepare the P-RoV and submit it to the PCI SSC for review.

4) Review of P-RoV by the PCI SSC.

• Solution Provider must have confidence of compliance before starting the assessment.

• The assessment is completed by an independent PCI-approved QSA assessor.

• Involves evidence gathering and potentially multiple site visits to produce a P2PE Report of Validation (P-RoV).

• PCI SSC review and listing timescales are determined by the quality of the P-RoV and the PCI SSC workload.


Delays we are Seeing in the Parking Industry

• Attended vs Unattended

• Delays in device manufacturers being ready to certify

• Processors not prepared for volumes

• Delivery times for devices


If you have any questions, please contact:

Dave Witts, President of US Payment Systems
Creditcall Corporation, 1133 Broadway, Suite 706, New York, NY 10010

Philip Yu, Director, Product Management
T2 Systems, 8900 Keystone Crossing, Suite 700, Indianapolis, Indiana 46240