1 - nasact
advertisement
New EMV Chip Technology and Compliance Mandate: Are You Ready? Moderator: Richard Ellis – State Treasurer, State of Utah Julie Tvedt – Sr. Global Product Manager, Commercial Payments, U.S. Bank Orson Morgan – Sr. Account Executive, Public Sector, Visa Proprietary and Confidential usbpayment.com/emv 1 What, When and Why EMV 101 Proprietary and Confidential usbpayment.com/emv 2 What is EMV? EMV is named after its original developers (Europay, MasterCard® and Visa®) EMV is a global standard for chip cards featuring embedded microprocessor chips that store and protect cardholder data. Microchip generates a dynamic one-time use code (cryptogram) with every transaction Prevents the data from being re-used to create counterfeit cards Proprietary and Confidential usbpayment.com/emv 3 Worldwide EMV Deployment and Adoption Region EMV Cards Adoption Rate EMV Terminals Adoption Rate Western Europe 794M 81.6% 12.2M 99.9% Canada, Latin America and 471M the Caribbean 54.2% 7.1M 84.7% Africa and Middle East 77M 38.9% 699K 86.3% Eastern Europe 84M 24.4% 1.4M 91.2% Asia Pacific 942M 17.4% 15.6M 71.7% Figures reported in Q4 2013 and represent the latest statistics from American Express, Discover, JCB, MasterCard, UnionPay and Visa, as reported by their member institutions globally. Region EMV Cards Adoption Rate EMV Terminals Adoption Rate United States [estimates] ~17-20M ~1-2% ~2M ~20% Source: Estimates stated from The Smart Card Alliance/EMV Migration Forum, May 2014 Proprietary and Confidential usbpayment.com/emv 4 When is EMV Coming to the U.S.? OCT OCT 2015 2017 Fraud Liability Shift for NonGasoline Retailers Fraud Liability Shift for Gasoline Retailers Proprietary and Confidential usbpayment.com/emv 5 Why Chip and Why Now? Global Interoperability Security and Fraud Mobile Payments Proprietary and Confidential usbpayment.com/emv 6 EMV Technology Trends The U.S. market will see rapid adoption of EMV technology over the next 3 years 70% U.S. Credit Cards migrated to EMV - by end of 2015 FORECASTED1 47% U.S. Activated Terminals migrated to EMV – by end of 2015 FORECASTED1 Sources: Current cards per Operating Certificates as of 30-Sep-14; credit card forecast per Aite Report – EMV: Lessons Learned and the U.S. Outlook (June 2014); activated terminal forecast per Payment Security Taskforce Acquirer projections press release (October 2014) ¹Forecast based on information currently available to Visa. Proprietary and Confidential usbpayment.com/emv 7 Cardholder Experience Non EMV Terminal Cardholder swipes card at the POS terminal Transaction processing per existing process takes place Cardholder provides signature verification EMV Enabled Terminal Cardholder inserts (“dips”) card; OR swipes card, and is then prompted to insert card Transaction complete; cardholder removes card from terminal Card Stays in the Terminal Cardholder inserts card in the POS terminal Proprietary and Confidential Cardholder provides signature or PIN verification usbpayment.com/emv 8 EMV – What it is… and What it isn’t EMV will: Prevent counterfeit fraud at the point of sale Protect against card-notpresent fraud Protect against counterfeiting cards Prevent data breaches Create a different point-of-sale experience (“dip” vs “swipe”) Store cardholder data on a chip EMV will not: Always require a PIN Be vulnerable to wireless interception of data Require a new card Eliminate the need for magnetic stripe See growing adoption in the U.S. in the next 12-18 months Be universally adopted in the U.S. for 3-4 years Proprietary and Confidential usbpayment.com/emv 9 Key Points Education!!! Commercial Card Programs • Liability shift does not impacted cardholders as they are not liable for fraud • No cost for EMV plastic • Know your PIN, in case you are prompted • PINS do NOT mean cardholder has access to cash • Program authorization controls untouched Proprietary and Confidential usbpayment.com/emv 10 Notice of confidentiality This presentation is furnished to you solely in your capacity as a Visa employee. By accepting this presentation, you acknowledge that the information contained herein (the “Information”) is confidential and subject to Visa’s confidentiality restrictions. You agree to keep the Information confidential and not to use the Information for any purpose other than in your capacity as a Visa employee. You may disseminate the information to other Visa employees only on a need-to-know basis. Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. 11 Visa Confidential Forward-looking statements and disclaimer This presentation may contain forward-looking statements within the meaning of the U.S. Private Securities Litigation Reform Act of 1995. These statements can be identified by the terms “objective,” “goal,” “strategy,” “opportunities,” “continue," “can,” "will" and other similar references to the future. Examples of such forward-looking statements may include, but are not limited to, statements we make about our corporate strategy and product goals, plans and objectives. By their nature, forward-looking statements: (i) speak only as of the date they are made, (ii) are neither statements of historical fact nor guarantees of future performance and (iii) are subject to risks, uncertainties, assumptions and changes in circumstances that are difficult to predict or quantify. Therefore, actual results could differ materially and adversely from those forward-looking statements because of a variety of factors, including the following: macroeconomic and industry factors such as currency exchange rates, global economic, political, health and other conditions, competitive pressure on customer pricing and in the payments industry generally, material changes in our customers' performance compared to our estimates; systemic developments such as disruption of our transaction processing systems or the inability to process transactions efficiently, account data breaches involving card data stored by us or third parties, increased fraudulent and other illegal activity involving our cards; and the other factors discussed under the heading "Risk Factors” in our most recent Annual Report on Form 10-K and our most recent Quarterly Reports on Form 10-Q. You should not place undue reliance on such statements. Unless required to do so by law, we do not intend to update or revise any forward-looking statement, because of new information or future developments or otherwise. Studies, survey results, research, recommendations, and opportunity assessments are provided for informational purposes only and should not be relied upon for marketing, legal, regulatory or other advice. Recommendations and opportunities should be independently evaluated in light of your specific business needs and any applicable laws and regulations. Visa is not responsible for your use of any studies, survey results, research, recommendations, opportunity assessments, or other information, including errors of any kind, or any assumptions or conclusions you might draw from their use. Except where statistically significant differences are specifically noted, survey results should be considered directional only. 12 Visa Confidential How Does a Transaction Work? 13 Visa Confidential Fraud Landscape Today Counterfeit fraud represents 70% of card-present fraud and grew 27% in 2014 Card-present fraud Total fraud by type Other Lost/ 5% stolen 12% Counterfeit 39% Other 9% Lost/ stolen 21% Counterfeit 70% Card not present 44% EMV chip will significantly reduce card-present counterfeit fraud Source: Visa Fraud Reporting System (FRS) and Enterprise Data Warehouse (EDW); CY 2014; U.S. Issued / U.S. Acquired 14 Visa Confidential U.S. EMV Migration − Client readiness report Credit Debit • 117.1 million EMV chip cards issued, 78.1 million of which are credit • 39 million EMV debit cards issued; a 33% increase from May to June • Over a quarter of US credit cards have a chip on them today • U.S. EMV Chip Migration Forecast1 Acquirers / Terminals Credit cards 70% Debit cards 41% Activated terminals 47% • A few hundred EMV terminals are now capable of routing PIN debit EMV transactions using the common debit AID Domestic EMV PV increased 42% from $1.3B in May to $1.9B in June By the End of 2015 • Debit issuance continues to outpace credit issuance. 7 of the top 10 Visa debit issuers are now issuing EMV debit cards Merchant s • 247 thousand EMV chip activated merchant locations, a 15% increase from May to June • Visa has partnered with a number of merchants to deploy point-ofsale decals to help train customers on how to conduct chip transactions Sources: Current cards based on MARS data through June 30, 2015; credit / debit card forecast per Aite Report – EMV: Lessons Learned and the U.S. Outlook (June 2014); activated terminal forecast per Payment Security Taskforce Acquirer projections press release (October 2014) ¹Forecast based on information currently available to Visa. Actual results may vary significantly. 15 Visa Confidential Where We’re Going in 20151 EMV chip as % of U.S. total Liability shift 80% Issuers begin mass issuance 60% Significant ramp up in Q3 2015 Merchants begin activating terminals 40% 70% credit cards 47% activated terminals 41% debit cards 29% chip-on-chip transactions 20% 0% Jan-15 Feb-15 Mar-15 Apr-15 May-15 Jun-15 Jul-15 Aug-15 Sep-15 Oct-15 Nov-15 Dec-15 Sources: June 2014 operating certificates; VisaNet data as of March 2014; cards per Aite Report – EMV: Lessons Learned and the U.S. Outlook (June 2014); terminals per Payment Security Taskforce Acquirer projections press release (October 2014) ¹Forecast based on information currently available to Visa. Actual results may vary significantly. 16 Visa Confidential Top 20 US Cities by EMV Cards in Market Chip card transactions at Mag Stripe or EMV terminals (based on 201 service code). Based on US VisaNet data (Feb – May 2015) for merchant geo enriched city fields. 17 Visa Confidential How does EMV chip technology work? Because the cryptogram changes with every transaction, even if the card data is stolen, the information can’t be used to create counterfeit cards because the cryptogram would have already “expired” 4 0 0 0 1 2 3 4 5 6 7 ^ J OHNDOE^ 0 1 2 0 1 2^ 1 0 1 ^ 2 1 7 ^… Card number Name Expiry CVV Service code (STATIC) 4 0 0 0 1 2 3 4 5 6 7^ J OHN DOE^ 0 1 2 0 1 2^ 2 0 1^ 3 8 6 ^ 5 98 8 1 2 4 3 23 1 5 3 6 4 06 6 8 1 7 9 88 3 4 0 2 9 1 71 1 3 4 5 32 0 8 6 5 2 97 4 0 8 1 3 1 ^… 4 2 3 9 0 8 Card number Name Expiry Service code iCVV Cryptogram (DYNAMIC) 4 0 0 0 1 2 3 4 5 6 7 ^ J O HN D OE^ 0 1 2 0 1 2^ 2 0 1^ 3 8 6 ^ 7 93 8 1 2 4 3 22 1 5 6 4 05 6 8 1 7 9 86 6 3 4 0 2 9 1 70 8 1 3 4 5 30 1 8 6 5 2 23 9 4 8 1 3 1 ^… 4 2 7 9 0 8 Card number 18 Name Visa Confidential Expiry Service code iCVV Cryptogram (DYNAMIC) Chip Impact on Counterfeit Fraud in Asia Pacific Malaysia • Since 2004, EMV chip implementation has led to more than two-thirds reduction in counterfeit fraud across Asia Pacific • Counterfeit fraud liability shift effective date in Asia Pacific was January 1, 2006, but EMV chip migration started at different times in each country • Malaysia was the first country to mandate EMV technology in 2005 Hong Kong 94% decrease since 2005 Start chip migration 2004 2005 2006 2007 2008 2009 2010 Thailand 2011 2012 2013 99% decrease since 2007 77% decrease since 2006 Start chip migration Start chip migration 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2004 Source: Visa Fraud Reporting System, issuer-reported annual domestic counterfeit fraud volume 19 Visa Confidential 2005 2006 2007 2008 2009 2010 2011 2012 2013 Impacts on Fraud • EMV combats counterfeit fraud, which represents 39% of total US issued fraud and is growing at 27% per year • In an EMV environment, PIN addresses lost/stolen fraud, which represents 13% of total US issued fraud. However, many low-value, low-risk transactions will continue to be authorized with no CVM CVM Performance by Transaction Band 40.0 Fraud bps 30.0 No CVM Limits 20.0 EMV solves for counterfeit fraud 10.0 Signature - Counterfeit Signature - Lost/Stolen PIN 0.0 $0-25 $25-50 $50-100 $100-250 Over $250 Transaction Dollar Value Source: Visa Fraud Reporting System; US domestic Visa and Interlink; CY2013; including POS, cashback and ATM (Visa has limited visibility into domestic ATM volume and fraud) 20 Visa Confidential PIN solves for lost/stolen fraud EMV and CVM in Other Large Markets Chip and … Key Countries Rationale Argentina Colombia Hong Kong Indonesia (credit) Mexico1 Peru (credit) Singapore South Korea1 Taiwan Thailand (credit) Venezuela Offline PIN Brazil (credit) Canada France Japan S. Africa UK2 Online PIN Australia2 Brazil (debit) Chile Germany Italy India2 Indonesia (debit) Kuwait New Zealand2 Peru (debit) Saudi Arabia Spain Thailand (debit) UAE Signature 1Considering/beginning 2Migrated 21 migration to PIN to PIN after initial EMV migration Visa Confidential • Cultural norms / mimicked CVM usage on prior magnetic stripe only products • Lack of infrastructure support / business case to build out PIN acceptance • High legacy telecom/online authorization costs • Cultural norms / mimicked CVM usage on prior magnetic stripe only products Path Forward Chip Migration Contactless Evolution • Installation of NFC hardware as part of chip upgrades lays foundation for broader contactless acceptance • Will take several years for U.S. to reach full chip adoption • On average, it took Brazil, Canada and Australia 6 years to reach 90%+ chip penetration after the liability shift date • F2F counterfeit fraud tends to decrease by two-thirds or more Removing Static Data • Concerns over speed at the POS likely to drive issuance and acceptance of contactless technology following chip migration Road to Dynamic Data • New authentication technologies likely to displace traditional static methods, specifically PIN Tokenized Chip Cards • Exploring new ways to merge chip technology with tokenization • Dynamic data sources such as mobile geolocation provides more powerful real-time predictive analytics capabilities • Removing static PAN provides merchant environment additional protection from data breach • Biometric authentication of mobile payments adds additional layer of security 22 • Mobile payment technology also driving demand for contactless acceptance • Streamlines payment security investments, effectively removing need for encryption solutions Visa Confidential Marketing and Communications 23 Chip Education for All Stakeholders Industry Collaboration is Needed to Optimize Chip Education Across Stakeholders Stakeholder needs: 24 Client Consumer Merchant • Educate about benefits of chip • Turnkey tools for cardholder education • Educate about chip usage • Reach consumers at “moments that matter” • Educate about chip adoption and usage • Reach merchants at “moments that matter” Visa Confidential Policy Influencers • Educate about chip in context of security • Reach influencers through third parties and directly Key Activities Underway Educating stakeholders, influencing policy 25 • 20 city Small Business tour kicked off Mar 13 in Austin • EMF/Payments Security Taskforce (PST) industry-wide efforts toward EMV migration and the consumer experience, microsite to launch April • www.visachip.com microsite for issuers, acquirers, processors, merchants and consumers with FAQs, videos, links to more resources • Turnkey materials card carriers, POS materials • Merchant implementation toolkit an online, standalone kit with tips and resources and turnkey tools to educate consumers at the POS • Search & Social campaigns running through end of September on Google, Yahoo, Bing for those using search terms such as “Visa chip card” or “chip credit card” • Media outreach to consumers about chip via mainstream media and viral content • Policy influencers - PR, high-profile articles, hill engagements, Bloomberg Digital Trust series, Hill Lunch and Learns, speaking events, agenda-setting industry reports Visa Confidential Visa in Action Credit card giant moves to devalue hacked data Visa Steps Up with EMV Education with City-by-City Tour Payment card giant Visa will announce Friday at the White House Cybersecurity Summit a move to make hacked credit card data far less valuable to hackers. -February 12, 2015 20-city tour designed to help small businesses understand how and why they should prepare for accepting chip payment cards. -March 13, 2015 “Technology mandates not only become obsolete in a short matter of time, but they tend to weaken the security landscape and inhibit innovation because companies may hesitate to deploy new tools that do not meet specific statutory mandates even though such tools may better meet evolving threats and are more consumer-protective.“ March 24, 2015 Letter from Information Technology Industry Council to House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade “In the U.S., the infrastructure to support PINs across the ecosystem for purchases is not operational for credit, and more than two-thirds of U.S. retailers are not currently equipped to accept PIN transactions (even in the absence of chip). For many types of merchants, such as restaurants, accepting PINs is impractical; plus, it adds additional merchant costs to protect them within their computer systems. . . even if the entire industry agreed to adopt PIN or it was mandated by the government, it technically wouldn’t be operational for several years.” February 3, 2015 Letter from Charlie Scharf to Sen. Warner (D-VA) “In our role as supervisor, the Federal Reserve does not mandate use of a specific technological approach to payment card security in recognition of the evolving nature of payment card fraud threats and of the variety of tools that can be employed to address these threats. “ March 5, 2015 Letter from Federal Reserve Chair Janet Yellen to Sen. Warner (D-VA) 26 Visa Confidential Visit www.visachip.com Online destination for merchants, acquirers, issuers and consumers 27 Visa Confidential Video • http://visatv.trusted.visa.com/viewerportal/webcast/home.vp?programId=esc_program:7513&contentAssociationId=association:18347 • https://www.youtube.com/watch?v=tUkdqDARuEU • https://www.youtube.com/watch?v=Nw2iTbEptHI 28 Visa Confidential Thank you 29 Visa Confidential
