EMV and Other Credit Card Processing Changes Bret Johnson Sr Director of Sales © 2014 Total System Services, Inc.® All rights reserved worldwide. Chip-enabled EMV Cards • EMV® (Europay, MasterCard®, Visa®) is a global standard for secure and convenient payment using bank cards and the EMV payments infrastructure. EMV began in France in 1992 • The use of EMV contact and contactless cards for secure payments offers multiple benefits: • A common certified standard for processing transactions ensures global interoperability • Better authentication of cardholder data than magnetic stripe cards • Fraud risks are minimized by authenticating during online transactions • Digital seal or signature stored in the card’s chip proves authenticity of the card for offline transactions 2 © 2013 Total System Services, Inc. ® Confidential and proprietary. All rights reserved worldwide. EMV – Counterfeit Card Fraud Elimination Intelligence on the card supports… • Card Authentication Method (CAM) – – • Verifies that the card is authentic; hasn’t been counterfeited SDA, DDA, CDA Cardholder Verification Method (CVM) – – – – – – Verifies the individual using the card Adjustable to all card acceptance environments Online PIN – Verified at the host, just like today Offline PIN – Verified by the card Signature – Verified by the cashier No CVM Required – Just like no-signature and tap-and-go today • The CVM can be affected by other transaction details (e.g. amount) 3 © 2013 Total System Services, Inc. ® Confidential and proprietary. All rights reserved worldwide. Introduction to the AID and Application VISA AID MasterCard AID American Express AID Discover AID Diners AID (International only) AID: Application ID Application: Underlying EMV application on the card • When an EMV terminal encounters an EMV card, it must determine the correct AID and associated application • It is the application on the card that knows how to behave with the terminal and construct the EMV transaction recognized by the Card Network and Card Issuer Affects all “Acquirers” – merchants, merchant processors, ATM acquirers. What AIDs and how many will their devices recognize and support? 4 Affects all “Card Issuers” – What brands and networks do my cards belong to? What AIDs and how many do I need to load onto my cards? What AID/App is supported by my card brands/networks? How will I personalize and configure the card based on functionality I want to offer my cardholders? © 2013 Total System Services, Inc. ® Confidential and proprietary. All rights reserved worldwide. Example: U.S. Credit Card First U.S. EMV Credit Cards • Credit Only Card • Single Brand • Single AID & Associated Application • Single AID and App supports both Domestic and International Credit Example: VISA AID 5 © 2013 Total System Services, Inc. ® Confidential and proprietary. All rights reserved worldwide. Current Mandates / Liability Shifts Published U.S. EMV Mandates and Liability Shifts EMV Deployment Milestones Key Dates Visa MasterCard PCI Audit Relief October 2012 Y Y PCI Audit Relief October 2013 POS Acquirer / Processor Compliance April 2013 Maestro ATM Liability Shift April 2013 Y Discover American Express Y Y Y Y Y Notes Mandate for POS Acquirers Inter-Regional Maestro Cards at U.S. ATMs Y April 2015 Y POS Counterfeit Liability Shift (Excluding Fuel Dispensers) October 2015 Y POS Lost or Stolen Liability Shift (Excluding Fuel Dispensers) October 2015 Y Liability shift for merchants excluding AFD MasterCard ATM Liability Shift October 2016 Y All MasterCard Branded Cards Visa ATM Liability Shift October 2017 Y POS Counterfeit Liability Shift for Fuel Dispensers October 2017 Y POS Lost or Stolen Liability Shift for Fuel Dispensers October 2017 Visa ATM EMV Mandate 6 Y Y Y U.S. Third Party ATM acquirer processors must be able to support EMV chip data for all Visa and/or PLUS branded products Liability shift for merchants excluding AFD Y Liability shift for all U.S. ATMs for all Visa and/or PLUS branded products Y Y Y Y © 2013 Total System Services, Inc. ® Confidential and proprietary. All rights reserved worldwide. Y Liability shift for AFD Liability shift for AFD Pymnts.com Interview Q & A 2. Many countries have already adopted EMV standards, but is EMV’s relevance shifting now that there are many ways to secure data transmitted during a payment? EMV is not really about securing data, it is about authentication. Data on the transaction, generated by the chip, authenticates the card to the issuer, ensuring that it is not a counterfeit or "cloned" card. EMV transactions may also include a PIN, even for credit cards, which authenticates the cardholder to help prevent fraud through lost or stolen cards. EMV is still the best existing technology in use today to authenticate cards and cardholders. Methods of securing data during transmission, such as encryption, help protect the sensitive credit card information, but do nothing to address authentication. 3. The countries that face EMV adoption now are living in a very different world than EMV’s initial adopters. What’s the significance of EMV in a world that’s moving to a cardless environment? One of the major reasons for the initial adoption of EMV in Europe was to provide a way of authenticating cards and cardholders in offline environments when communications were unreliable or prohibitively expensive to authorize every transaction online. 7 © 2013 Total System Services, Inc. ® Confidential and proprietary. All rights reserved worldwide. NFC and Mobile How does NFC relate to EMV? Near Field Communication (NFC) is a complementary technology that EMV can utilize to enable contactless payments such as with mobile wallets. With the anticipated growth of NFC-enabled mobile devices for contactless payments and other applications, EMVCo has been active in defining the processes for supporting EMV mobile contactless payments. Consumers and businesses can benefit from NFC in several ways: • Interactions are initiated by a simple tap of the device • NFC is flexible; it is suitable for a broad range of uses in different industries and environments • NFC technology follows universally implemented ISO, ECMA, and ETSI standards • Transmissions are short range • NFC works with current contactless cards and readers All of the SE technology shown employs the same security and functional architecture of a payment application residing on millions of EMV cards today. Depending on the mobile device and payment model, the secure element may either be hosted in an embedded device, in a removable SIM/UICC or in a separate device (e.g. a microSD card). For more information, visit www.emv-connection.com 8 © 2013 Total System Services, Inc. ® Confidential and proprietary. All rights reserved worldwide. Previous Frequently Asked Questions 1. Why are EMV credit and debit cards and EMV payment transactions secure? • EMV secures the payment transaction with enhanced functionality in three areas: – – – Card authentication, protecting against counterfeit cards. Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards. Transaction authorization, using issuer-defined rules to authorize transactions. EMV cards store payment information in a secure chip rather than a magnetic stripe; the personalization of EMV cards is done using issuer-specific keys. Unlike a magnetic stripe card, it is virtually impossible to create a counterfeit EMV card that can be used to conduct a EMV payment transaction successfully. 2. How does EMV address payments fraud? • First, the EMV card includes a secure microprocessor chip that can store information securely and perform cryptographic processing during a payment transaction • Second, in an EMV transaction, the card is authenticated as being genuine, the cardholder is verified (PIN or Signature), and the transaction includes dynamic data • Third, even if fraudsters are able to steal account data from chip transactions, this data cannot be used to create a fraudulent transaction in an EMV or magnetic stripe environment, since every EMV transaction carries dynamic data • Fourth, EMV methodology can also potentially address card-not-present (CNP) fraud, with cardholders using their EMV cards and individual readers to authenticate Internet transactions 9 © 2013 Total System Services, Inc. ® Confidential and proprietary. All rights reserved worldwide. The Target Breach Will This Speed Up EMV Adoption? © 2014 Total System Services, Inc.® All rights reserved worldwide. The answer is yes, but not for the reason you would probably think. EMV would not have prevented the Target breach. It was caused by lack of network security. However, it did bring light to the problems of credit card data security in the US. There's general agreement that EMV alone would not have prevented the Target breach, in which thieves accessed data from as many as 110 million customer accounts. But EMV would have reduced the value of the information by making it almost impossible to clone the cards. ‹#› © 2013 Total System Services, Inc. ® Confidential and proprietary. All rights reserved worldwide. Why is the US slow in implementing EMV? One reason could be because of cost. Traditional magnetic stripe cards cost about $2.00, chip card can cost between $15-$20. Another problem with improving card security is that new cards will require new readers, and that presents a big expense for merchants. Mag card readers typically cost about $20 in volume purchases while a chip reader costs about $100 © 2014 Total System Services, Inc.® All rights reserved worldwide. More Information-Canada started the EMV conversion in 2003 and is now about 85% complete. Implementation cost in the US estimated to be about $6 billion, 75% will be borne by merchants (Target estimates their cost to be about $100 million) There are 1.1 billion credit and debit cards in circulation, only 15 million chip cards issued in the US © 2014 Total System Services, Inc.® All rights reserved worldwide. More Information-Canada started the EMV conversion in 2003 and is now about 85% complete. Implementation cost in the US estimated to be about $6 billion, 75% will be borne by merchants (Target estimates their cost to be about $100 million) There are 1.1 billion credit and debit cards in circulation, only 15 million chip cards issued in the US © 2014 Total System Services, Inc.® All rights reserved worldwide. If I spend the time and money to upgrade to chip accepting parking equipment, will I get lower interchange rates? While this is the case in Europe and Canada, at this time it does not appear that the card brands are going to do this in the US. © 2014 Total System Services, Inc.® All rights reserved worldwide. Does EMV replace PCI DSS? The answer is no, you will still need to do an annual assessment. PCI DSS is to try to prevent credit card data beaches. EMV is designed to prevent fraud. © 2014 Total System Services, Inc.® All rights reserved worldwide. What do you need to do now? Speak to your equipment companies about their plans for EMV conversion The reality is that parking is a low fraud risk and implementation of EMV may be slow in our industry Be aware, but these is no need to panic © 2014 Total System Services, Inc.® All rights reserved worldwide. Questions © 2014 Total System Services, Inc.® All rights reserved worldwide. Visa Mastercard Settlement Dec 13, 2013 A federal judge gave Visa and MasterCard the go ahead on a $5.7 billion class action lawsuit to resolve merchant complaints regarding the swipes fees they are charged. There is a great deal of dissatisfaction from many retail organizations because the deal does nothing to reduce swipe fees or keep them from rising in the future. © 2014 Total System Services, Inc.® All rights reserved worldwide. The settlement does allow merchants to surcharge if customers use Visa or MasterCard. However, because of competition and all of the regulations regarding surcharging, few merchants are doing this. © 2014 Total System Services, Inc.® All rights reserved worldwide. Merchant Additional Fee Programs January 2014 © 2013 Total System Services, Inc.® All rights reserved worldwide. Agenda Click to edit Master title style Convenience Fees Special Payment Network Programs Merchant Surcharging Programs At-A-Glance 22 © 2013 Total System Services, Inc.® All rights reserved worldwide. Merchant Surcharging © 2013 Total System Services, Inc.® All rights reserved worldwide. Merchant Surcharging Click to edit Master title style Visa and MasterCard modified their rules effective January 27, 2013 to permit surcharging as part of a litigation settlement. • No MCC restrictions. • Not permitted on debit or prepaid activity. • Permitted in all acceptance environments, provided merchant’s state permits surcharging. • Variable or flat/fixed amount permitted; surcharge amount may not exceed 4% or the merchant’s average cost of acceptance, whichever is lower. • Must be included as a part of the total amount of the transaction at time of settlement. – • 24 Several states have laws prohibiting surcharges. Where laws conflict with Visa/MC rules, merchants should adhere to the law. 30 day advance notification / registration required. – Visa – MasterCard – Discover – Acquirer © 2013 Total System Services, Inc.® Proprietary. All rights reserved worldwide. Merchant Surcharging (cont.) Click to edit Master title style Discover modified their Op Regs in Mar. 2013 to include surcharge notification / registration & consumer disclosure criteria which aligns with that of V/MC. • If a merchant elects to surcharge, they must impose surcharge on ALL credit card transactions accepted, regardless of network. • Must not be assessed by any third party. May only be assessed by the merchant that actually provides the goods or services to the cardholder. • Permitted at brand level or product level. • • Permitted on non-U.S. issued credit cards accepted at a U.S. merchant; including U.S. territories. Merchants must surcharge MC & Visa on the same terms and conditions as any equal or higher cost competitor that imposes limits on surcharging. • Surcharging practice disclosure required at point-of-entry and pointof-sale. Transaction receipt must contain a line item with the actual surcharge amount. • 25 Specific fields containing surcharge information must be supplied at the time of transaction and passed through acquirer to Visa and MC. © 2013 Total System Services, Inc.® Proprietary. All rights reserved worldwide. Programs At-A-Glance © 2013 Total System Services, Inc.® All rights reserved worldwide. Programs At-A-Glance Click to edit Master title style Convenience Fees • No MCC restrictions Special Payment Network Programs Surcharging • Restricted to specific government & education MCCs • No MCC restrictions • Single transaction • May be assessed in any environment • Variable or flat/fixed amount • Assessed by merchant of record • Variable or flat/fixed amount • CNP environment only • Flat/fixed amount • Assessed on all payment methods accepted • Separate transaction • Assessed by merchant of record OR 3rd party service provider • May be assessed on all cards • May be assessed in any environment • Single transaction • Assessed by merchant of record • Must not be assessed on debit or prepaid activity • Registration required • Registration required Merchants are not permitted to apply more than one additional fee program to cardholders. 27 © 2013 Total System Services, Inc.® Proprietary. All rights reserved worldwide. Payment Network Rules “No Signature” Programs August 2013 © 2012 Total System Services, Inc.® All rights reserved worldwide. “No Signature” Program Rules Click to edit Master title style • Program Names • MCC Eligibility • Transaction Criteria • Benefits • Resources 29 © 2012 Total System Services, Inc.® All rights reserved worldwide. Program Names Click to edit Master title style • Visa – Visa Easy Payment Service (VEPS) • MasterCard – Quick Payment Service (QPS) • Discover – “No Signature Required” (NSR) Program • American Express – “No Signature” Program 30 © 2012 Total System Services, Inc.® All rights reserved worldwide. MCC Eligibility Click to edit Master title style • Visa – 98% of businesses eligible to accept Visa may participate. Merchants with the following 21 MCCs are ineligible to participate: MCC • MCC MCC Description 4829 Wire Transfer Money Orders 6011 Financial Institutions-Automated Cash Disbursements 5542 Automated Fuel Dispensers 6012 Financial Institutions-Merchandise Svcs 5960 Direct Marketing-Insurance Services 7995 Betting, incl. Lottery Tickets, Casino Gaming Chips, Off Track Betting & Wagers at Race Track 5962 Direct Mktg-Travel Related Arrangement Services 9405 Intra-Government Purchases (Gov. only) 5964 Direct Marketing-Catalog Merchants 9700 Int’l Automated Referral Service (Visa use only) 5965 Direct Marketing-Combination Catalog & Retail Merchants 9701 Visa Credential Server (Visa use only) 5966 Direct Mktg-Outbound Telemarketing Merchants 9702 GCAS Emergency Svcs (Visa use only) 5967 Direct Marketing-Inbound Telemarketing Merchants 9751 UK Supermarkets-Electronic Hot File (Region use only) 5968 Direct Marketing-Continuity / Subscription Merchants 9752 UK Petrol Stations-Electronic Hot File (Region use only) 5969 Direct Marketing/Direct Marketers (NEC) 9950 Intra-Company Purchases 6010 Financial Institutions-Manual Cash Disbursements MasterCard – 31 MCC Description All merchant categories qualify, except quasi-cash, money transfer, direct marketing and gambling. © 2012 Total System Services, Inc.® All rights reserved worldwide. MCC Eligibility (cont.) Click to edit Master title style • Discover – • All businesses eligible to accept Discover may participate, except merchants with the following MCCs: MCC MCC Description MCC MCC Description 4829 Money Transfer – Non-Financial Institution 6531 Payment Service Provider – Money Transfer for a Purchase 6010 Member Financial Institution – Manual Cash Disbursements 6532 Payment Service Provider – Member Financial Institution Financial Institution Payment Transaction 6011 Member Financial Institution – Automated Cash Disbursements 6533 Payment Service Provider – Merchant Payment Transaction 6050 Quasi-Cash – Member Financial Institution 6534 Money Transfer – Member Financial Institution 6051 Quasi-Cash – Non-Financial Institution 7995 Betting (e.g., Lottery Tickets, OTB) American Express – 32 All Industries eligible to accept American Express may participate, except High Risk merchants or merchants placed in Amex’s Fraud Full Recourse Program. Additionally, the following MCCs are excluded from the No Signature Program: MCC MCC Description MCC MCC Description 5542 Automated Fuel Dispensers 7375 Information Retrieval Services 5964 Direct Marketing – Catalog Merchants 7393 Protective Agencies & Security Services © 2012 Total System Services, Inc.® All rights reserved worldwide. Transaction Criteria Click to edit Master title style • Card Present environment • Card-read • Authorization obtained • Transaction amounts: – Visa • MCC 5310 (Discount Stores) & 5411 (Grocery Stores & Supermarkets) - $50 & under • Unattended environment - $15 & under • All other eligible face-to-face environment MCCs - $25 & under – MasterCard • Face-to-face merchant-attended terminal transactions - $50 & under – Discover • $50 & under, including applicable taxes, gratuities & cash over – American Express • $50 & under 33 © 2012 Total System Services, Inc.® All rights reserved worldwide. Benefits Click to edit Master title style • Faster transaction speed – Cardholder does not need to sign transaction receipt. • Cost-savings – Cardholder does not have to be provided with a copy of the transaction receipt unless they request one. • Chargeback protection – On transactions that meet Visa VEPS criteria, chargeback protection exists on reason codes: Illegible Fulfillment (60), Transaction Not Recognized (75) and Fraud-Card Present Environment (81). – On transactions that meet MC QPS criteria, chargeback protection exists for fraud dispute reason codes: Requested/Required Information Illegible or Missing (4802) & No Cardholder Authorization (4837). – On transactions that meet Discover NSR criteria, chargeback protection exists for the merchant’s failure to obtain the cardholder’s signature. – On transactions that meet American Express No Signature criteria, chargeback protection exists for disputes based solely on the merchant’s failure to obtain the cardholder’s signature at the point of sale. 34 © 2012 Total System Services, Inc.® All rights reserved worldwide. Resources Click to edit Master title style • Additional information on certain payment network specific programs can be found as follows: – http://usa.visa.com/merchants/payment_technologies/veps_faq.html – http://usa.visa.com/download/merchants/veps-for-merchants-us.pdf – http://www.mastercard.us/merchants/quick-payment.html – http://www.mastercard.com/us/merchant/pdf/QPS_Manual.pdf 35 © 2012 Total System Services, Inc.® All rights reserved worldwide.