PAYMENT SOLUTIONS

An Introduction to EMV
Presented to: Government Finance Officers Association of South Carolina
Date: May 4, 2015

First: The Proverbial Question
• Issuers
• Acquirers

The Race is On: Agenda
• Alphabet Soup: Definitions (Chip Cards, EMV, NFC)
• EMV: What is Driving Adoption (Statistics, Fraud, Compliance, Innovation)
• Encryption and Tokenization

Alphabet Soup: Definitions
• Chip Card
• EMV
• Smart Card
• NFC
• Chip + PIN

The Card Came First
• A chip card is a device that includes a secure, embedded integrated circuit chip (ICC)
• Invented in 1977 by Honeywell Bull
• Performs functions that validate, store, and encrypt data
• Data is more secure on a chip-embedded card that utilizes dynamic authentication rather than on a static mag-stripe card
• Mag-stripe card can be copied (“skimmed”)
• Chip technology combats counterfeiting by assigning a dynamic value for each transaction and preventing copying

Form Factors
Contact
1. Chip is embedded in a card
2. A contact card is inserted into a smart card reader
3. The contact points on the chip make contact with the card reader
Contactless or Near Field Communication (NFC)
• The chip may be embedded in cards, key fobs, stickers, mobile phones, tablets, Apple Pay devices etc.
• A contactless chip requires close proximity to a reader (“tap and go”)
• Both the chip and the reader have an antenna and they use an RF (radio frequency) signal to communicate

The Standard Followed
• EMV was established in 1994 by Europay, MasterCard and Visa
• EMVCo’s primary purpose is to define a global standard for credit and debit payment cards based on chip card technology.
• Cards can be Contact or Contactless
• Four main functions:
  • Card authentication to protect against counterfeit cards
  • Cardholder verification to protect against lost/stolen cards
  • Terminal authentication to protect against “Trojan Horse” hacks
  • Transaction authorization using issuer-defined rules

EMV Authentication and Verification
Authentication and Authorization Methods
• Online requires the transaction to be sent online for the issuer to authenticate the card and authorize the transaction
• Offline is done between the chip card and terminal
Cardholder Verification Methods (CVMs):
• None (usually used for low value transactions)
• Offline PIN (entered and stored PIN are compared offline)
• Online PIN (PIN is validated online – like PIN debit)
• Signature Verification (requires physical signature comparison)
Visa and MasterCard mandate global interoperability:
• POS solutions must be able to support all authentication & verification methods
• Mexico chip card will prompt for signature; UK for PIN

Innovation Could Win the Race
• NFC (Near Field Communications) is a radio-based interaction protocol compatible with contactless payment standards
• NFC chips are embedded in mobile phones (Apple Pay) and allow the phones to act as a card
• The “promise” of Apple Pay is driving innovation and EMV adoption

EMV: What is Driving Adoption?
• Statistics
• Fraud
• Compliance
• Innovation
• Globalization

EMV by the Numbers
Worldwide Adoption
• 1.5 Billion payment cards*
• 20 Million POS terminals*
• 40% of cards and 70% of terminals are EMV
U.S. Adoption – What it will mean financially
• 15 million point-of-sale devices = $6.75 billion to replace
• 360,000 ATMs = $500 million to upgrade (target date is 10/2016)
• 609.8 million credit cards & 520 million debit cards = $1.4 billion to reissue (Cost of mag-stripe card = 15 cents vs. EMV card = $2 - $4)
Hence the U.S. “Chicken & Egg” conundrum!
Unlike most countries where banks own the terminal assets, the U.S. will require merchants to make the investment
*As of 2011

Fraud Migrates to U.S.
• 84.4% of cards, 94.4% of terminals
• 14.5% of cards, 68.1% of terminals
• 28.2% of cards, 51.4% of terminals
• 20.6% of cards, 75.9% of terminals
• 41.1% of cards, 76.7% of terminals

Fraud Reduction Stats: UK Example
• Fraud on debit and credit cards fell by more than 25% from 2008 to 2010
• Counterfeit card fraud—skimming and cloning—fell by over half
• Fraud on lost and stolen cards is at its lowest level in 10 years
Source: The UK Card Association

Key EMV dates from Card Brands
• October 2012: TECH Innovation Program (TIP) - PCI validation relief for Level 1 and Level 2 merchants that adopt dual-interfaced solutions in any year that at least 75% of the merchant transactions originate from a chip-enabled terminal
  Note: must be capable of actually processing EMV cards and NFC contactless payments; merchants cannot just install “EMV ready” equipment... so, not really happening!
• April 2013: Acquirer Chip Processing Mandate - Acquirers and processors must demonstrate the ability to process EMV transactions and NFC contactless payments
• October 2015: Liability Shift from Issuer to Merchant - Merchants of any size will be liable for domestic and cross-border counterfeit fraud committed at the point of sale if they are not using a compliant EMV & NFC POS solution (Automated Fuel merchant liability shift in 2017)
© 2012 VeriFone Systems, Inc.

“Liability Shift” will Drive Adoption
• A non-compliant merchant is liable for fraud that occurs on any chip card used on a magnetic swipe terminal.
• A non-compliant issuer is liable for fraud that occurs on any magnetic stripe card used on a chip card-enabled terminal.
What is “Liability Shift”
• Liability for the chargeback loss shifts to whichever party hasn’t upgraded to chip, if the use of such a device could have prevented the fraud from occurring
• Issuers that have not migrated to EMV will be liable for fraud at EMV devices, including transactions using listed card numbers
• Acquirers that have not placed EMV + PIN devices will be liable for fraud on chip cards, including transactions authorized online by the Issuer
• Merchants can benefit from liability shift just by installing contact EMV terminals. No impact on the customer
• Fraud impacted by the Liability Shift is called “Designated Card Present Fraud”
• The following fraud types are excluded from the liability shift:
  • Card Not Present Fraud
  • Account Takeover
  • Fraudulent Application
Source: Oberthur 2010 and “Overview of EMV Chip Impacts on Chargebacks” VISA March, 2011

Magnetic Stripe vs EMV Transaction
Magnetic Stripe Transaction
• Card is swiped, inserted, or dipped, and is returned to cardholder after magnetic stripe data has been read
• There is no interaction between card and terminal after magnetic stripe has been read
• Card does not generate a cryptogram
• Online request message contains no EMV-specific data
• Host does not perform any EMV-related processing
• Online response message contains no EMV-specific data
• There is interaction between card and terminal at the end of the transaction
EMV Transaction
• Card must be inserted and remain in the terminal for the duration of the transaction
• Data is exchanged between card and terminal to initiate the transaction
• Chip card generates a unique cryptogram which is sent to the host for verification
• Additional EMV-specific data is in the online request message
• Additional processing is required by host to verify request cryptogram, generate response cryptogram, and interrogate additional EMV-specific fields in the request message
• Additional EMV-specific data is in the online response message
• Data is exchanged between card and terminal at the end of the transaction

Elavon Solutions for EMV

EMV Terminals: VeriFone VX Evolution
VX520
• Countertop
• Dual Comm
• Internal PIN pad
• MSR
• EMV
• NFC
VX820
• Hand-Over Design
• Customer Facing PIN pad
• Vx520
• MSR
• EMV
• NFC

EMV Terminals: Ingenico Telium2
iCT250
• Countertop
• Dual Comm
• Internal PIN pad
• MSR
• EMV
• NFC
iPP320
• Customer Facing PIN pad
• iCT220 or iCT250
• MSR
• EMV
• NFC
iWL250G
• Portable - GPRS
• Internal PIN pad
• MSR
• EMV
• NFC
• 3G Technology
iCT220
• Countertop
• Dual Comm
• Internal PIN pad
• MSR
• EMV

iCT250
• EMV
• Magstripe
• Contactless
• Backlit 19 key
• 18+ LPS printer
• Dual IP & Dial
• Dual Processor
• Cable Management
• Small Footprint
• NFC
• Sharp Color Display
• Privacy Shield

iPP320
• Countertop PIN Pad
• EMV
• Embedded Contactless
• Connects to Telium Countertop Line

iWL250
• Small Footprint
• Lightweight
• Charging & Comms Base
• 30 LPS Thermal Printer
• 25mm & 40mm Paper Roll Option
• Contactless
• 3G Wireless GPRS
• Dynamic SIM
• Smart Card
• Li-Ion Battery

Conclusion

Points to Remember
• EMV is a standard that dictates the interaction between a smart (chip) “card” and a POS payment device
• The “chip” stores encryption data that is used during the transaction to prove the card is authentic; it prevents cloning
• EMV chips can be either contact or contactless and are read & write capable
• NFC (Near Field Communications) is a radio-based contactless interaction protocol that is driving interest in EMV adoption
• The Card Brands have announced EMV incentives (carrots and sticks) that encourage issuers, acquirers, and merchants to adopt EMV
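
Added example (not part of the original presentation): a small Python model of the contrast drawn above between static magnetic-stripe data and the chip's per-transaction cryptogram that the host verifies. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the class names, message layout, key, and card number are constructed for illustration.

```python
import hashlib
import hmac

def mac(key, pan, amount_cents, nonce, atc):
    # Stand-in cryptogram: HMAC-SHA256 over the transaction data (not the real EMV algorithm).
    msg = f"{pan}|{amount_cents}|{nonce.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Secret key stays on the chip; a counter makes each cryptogram unique."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def cryptogram(self, amount_cents, nonce):
        self._atc += 1
        return self._atc, mac(self._key, self.pan, amount_cents, nonce, self._atc)

class IssuerHost:
    """Issuer side: knows each card's key and the highest counter already accepted."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorize_stripe(self, pan):
        # Static data only: a copied stripe looks identical to the genuine card.
        return pan in self._keys

    def authorize_chip(self, pan, amount_cents, nonce, atc, cryptogram):
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False  # unknown card, or a counter value already used (replay)
        if not hmac.compare_digest(mac(key, pan, amount_cents, nonce, atc), cryptogram):
            return False  # wrong key, or transaction data changed after signing
        self._last_atc[pan] = atc
        return True

def demo():
    pan, key, nonce = "4000000000000002", bytes(range(16)), b"\x01\x02\x03\x04"  # constructed
    host, card = IssuerHost(), ChipCard(pan, key)
    host.enroll(pan, key)
    atc, cg = card.cryptogram(2500, nonce)
    return {
        "stripe_copy_accepted": host.authorize_stripe(pan),
        "chip_genuine": host.authorize_chip(pan, 2500, nonce, atc, cg),
        "chip_replay": host.authorize_chip(pan, 2500, nonce, atc, cg),
        "chip_altered_amount": host.authorize_chip(pan, 9900, nonce, atc + 1, cg),
    }
```

Calling `demo()` returns the four outcomes: the static stripe data and the genuine chip transaction are accepted, while the replayed cryptogram and the cryptogram reused with a different amount are both declined.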
EMV Benefits All Parties
MERCHANT
• Fewer fraud-related chargebacks due to stolen cards/skimming
• Increase in international customer satisfaction
ISSUER
• Fraud reduction
• Global interoperability
• Mobile payments facilitation
CARDHOLDER
• Peace of Mind (fraud reduction)
• Never lose sight of their card
• Global interoperability

PCI – Tokenization - Encryption

What is the difference between Security and PCI?
PCI-DSS compliance is one aspect of an overall security program but on its own cannot prevent a data breach. Security measures such as encryption and tokenization provide additional layers of protection as part of a security program.

What is “Point-to-Point” vs “End-to-End” Encryption?
They are really the same and have been used interchangeably. Since P2PE certification is available and Visa has announced their encryption program, some distinction is made in the market. Point-to-Point refers to encryption at the time of the swipe and decryption at a gateway or payment processor. End-to-End refers to encryption at the time of the swipe and decryption at the furthest end point in the payment processing stream, i.e. the payment brand's data center.

What is Tokenization vs Encryption?
Encryption is generally used in card-present situations while tokenization is generally used in card-not-present scenarios like “card on file” and recurring billing. Encryption scrambles a card number so that the data is not usable to thieves. The card number can only be decrypted by the holder of the key. Tokenization is an ALIAS or “token” of the card number.

If a customer is using encryption and/or tokenization do they have to be PCI compliant?
The short answer is YES: utilizing encryption and/or tokenization does not remove the requirement for PCI-DSS compliance.
However, depending on the solution implemented, a customer could experience reduced effort, scope and/or cost when they do complete their annual PCI assessment.

Your EMV Call to Action: Don’t Wait
Read and research to keep up with EMV and NFC trends
• http://www.smartcardalliance.org/
• http://www.emvco.com/
• http://www.cscu.net/index.aspx?CategoryID=294
• http://pymnts.com

EMV – Action Required
Effective October 1, 2015, a date that has been determined by the credit card associations (MasterCard/VISA), if your business accepts and processes a counterfeit transaction from an EMV card on a non-EMV enabled terminal, the liability for that transaction is yours.

Thank You!

Brad Hench
Regional Sales Manager
US Bank Merchant Solutions
678-731-4419
Bradford.hench@usbank.com

Paul Anatrella
Vice President & Relationship Manager
U.S. Bank
704-335-2825
Paul.anatrella@usbank.com