emv: educating a new payment process
TRANSCRIPT
1 ǀ 10/14/2014
EMV: Educating A New Payment Process Art Harper
Director of Card Payment Solutions Product Management
2 ǀ 10/14/2014 2 ǀ 10/14/2014
Agenda Background PSCU efforts
Industry News
What Is EMV?
Profiles – Online / Offline
Cardholder Verification Methods (CVM’s)
PSCU offerings
Strategies / Recommendations
3 ǀ 10/14/2014
EMVco / EMV Migration Forum
Education Committee
ATM Working Committee
Debit Working Committee
Phase 1 Roll out Committee
PSCU involvement in the EMV Migration Movement
4 ǀ 10/14/2014 4 ǀ 10/14/2014
Breaches in the news
5 ǀ 10/14/2014
Target
Neiman Marcus
Michael’s – (twice)
Sally Beauty Supply
Chicago area taxi system (Yellow and Blue Cabs)
PF Changs
Albertsons / Safeway
Home Depot
Kmart / Dairy Queen
Breaches in the last 9 months
6 ǀ 10/14/2014
While constantly being improved, EMV is a 20-year-old technology. Some justifiably complain that it is all cost and no benefit (to them) and that the adoption of a newer technology would make more sense.
EMV (magic bullet ?)
7 ǀ 10/14/2014 7 ǀ 10/14/2014
What is EMV? EMV: Europay, MasterCard, & Visa
EMV chip cards contain a microprocessor that provides strong transaction security features & additional options that are not possible with magnetic stripe cards.
Ensures interoperability between chip-based payment cards & terminals.
EMVCo manages, maintains, & enhances the specifications.
http://www.emvco.com
8 ǀ 10/14/2014
Application Identifier (AID)- Data label for the application used on a chip card
Application Transaction Counter (ATC)- Counters on a chip card and the master file that provides a sequential reference for each transaction
Cardholder Verification Method (CVM) - The method of authentication to the cardholder
• Offline PIN- uses the PIN housed on the Chip
• Online PIN- uses the PIN housed on the master file Signature
Chip Card- A plastic embedded with an integrated circuit or chip
• AKA - Smart Card, Integrated Circuit Card (ICC), Contactless, Contact Chip Card, or Dual Interface Card (contains Contact & Contactless functionality)
Data Encryption Standard (DES)- Algorithm in which two users share the same key
Data Authentication- Process for authenticating the card during an EMV transaction
• Dynamic Data Authentication (DDA)- uses static and unique elements for authentication
• Static Data Authentication (SDA)- uses static elements for authentication
Glossary of EMV Terms
9 ǀ 10/14/2014
Fallback- Transactions where magstripe is used instead of the chip (typically requires merchant intervention)
Liability Shift- Determining where fraud lies
Near Field Communication (NFC)- Transaction date is transmitted wirelessly
Offline Only Terminal- A terminal that isn’t capable of sending a transaction online
Payment Card Industry Data Security Standard (PCI DSS)- Data security protocol
Personal Identification Number (PIN)
Transaction Authorization
• Offline Authorization - authorization of transaction is performed by the terminal without connecting to the host
• Online Authorization - authorization of transaction is performed by the host
Glossary of EMV Terms (cont’d)
10 ǀ 10/14/2014 10 ǀ 10/14/2014
EMV Current State - Industry
• Global
• U.S.A.
11 ǀ 10/14/2014
EMV Current State – Industry Global
On a global scale, EMV has achieved critical mass:
• 99.9% of terminals in Europe are chip-enabled
• 84.7% of terminals in Canada, Latin America, and the
Caribbean are chip-enabled
• 86.3% of terminals in Africa and the Middle East are chip-
enabled
• 71.7% of terminals in Asia Pacific are chip-enabled
Need Source
12 ǀ 10/14/2014
EMV Current State - Industry U.S.A.
Major issuers have moved from “planning” to actually issuing EMV cards
• Amex
• Bank of America
• Barclaycard
• Capital One
• Citi
• Chase
• Suntrust
• Walmart & Sam’s Club (GE)
• Wells Fargo
• USAA
• US Bank
Source: EMV-Connection.com, July 2014
Current Issuer Forecast for Credit Cards
• 25% 2014
• 70% 2015
• 91% 2016
• 98% 2017
Source: Aite, June 2014
43%
PSCU credit card processing
members issuing or
queued for certification
13 ǀ 10/14/2014 13 ǀ 10/14/2014
Fraud Impact / Info
14 ǀ 10/14/2014
EMV Current State – Industry Global – EMV Impact on Fraud
United Kingdom – 2004 to 2013
• Counterfeit fraud decreased from £130 GPB to £33M GPB
• Lost/Stolen fraud decreased from £114M GPB to £59M GPB
• Card Not Present fraud increased from £151M GPB to £301M GPB
Australia – 2008 to 2012
• Counterfeit fraud (domestic & foreign) decreased $50M AUD to $28M AUD
• Lost/Stolen fraud decreased from $16M AUD to $23M AUD
• Card Not Present fraud increased from $83M AUD to $183M AUD
Canada – 2008 to 2013
• Counterfeit & Lost/Stolen fraud dropped from $254 CAD to $111 CAD
• Card Not Present fraud increased from $128 CAD to $299 CAD
15 ǀ 10/14/2014
EMV Current State – Industry U.S.A.
0.5
1.5
2.5
3.5
4.5
5.5
6.5
7.5
8.5
9.5
2011 2012 2013 2014 2015 2016 2017 2018
Card Not Present
Lost/Stolen
Counterfeit
TOTAL US FRAUD FORECAST
Source: Aite, June 2014
16 ǀ 10/14/2014 16 ǀ 10/14/2014
Value of EMV
17 ǀ 10/14/2014
EMV Current State - Industry Value Summary of Moving to EMV Cards from Mag. Stripe
Fact What this means to the CU
Not all merchants have made the shift to EMV terminals
After October 2015, fraud liability will shift to the merchant when an EMV card is used if they have not enabled EMV terminals
Fraudsters will target Financial Institutions that have not taken the steps to migrate their cards from mag. stripe to EMV
EMV becomes an Insurance Policy for the CU to not only protect them financially but to also protect their brand image from the negative impact of a fraud event
Fraud events are great topics for the evening news – bad publicity on local news channels can negatively impact a CU’s reputation and brand promise
Social Responsibility and Reputation could be tarnished from not ‘doing the right thing’ and protecting their Member’s from fraud in the best ways possible
Consumers need peace of mind from their Financial Institution
Moving to EMV is a way to project Member Loyalty and put their card an top of the Members wallet.
18 ǀ 10/14/2014 18 ǀ 10/14/2014
Profiles
19 ǀ 10/14/2014
Credit Card Profiles
There are two types of profile configurations –
Chip and Signature (Online)
Chip and PIN (Offline)
20 ǀ 10/14/2014
Chip and Signature (Online Profile)
Only allows online authorizations
CH Selected PINs will work with this profile as it will validate the PIN from the host vs. the chip
Recommended for credit unions that
•Have minimal cardholders living or traveling overseas
•Want to allow CH Selected PIN
21 ǀ 10/14/2014
Chip and PIN (Offline Profile)
Includes online and offline authorizations
Additional fees associated with profiles due to public keys for merchants to translate the encrypted chip data
Cannot support CH Selected PINs due to challenges with updating the chip with new offsets
Recommended for credit unions with cardholders living and traveling overseas
22 ǀ 10/14/2014 22 ǀ 10/14/2014
Why is choosing the right profile important?
23 ǀ 10/14/2014
Country Listing of Profiles
24 ǀ 10/14/2014 24 ǀ 10/14/2014
Are the US merchants ready?
Will they be ready by 2015?
25 ǀ 10/14/2014
EMV Current State – Industry U.S.A.
• Merchants are gearing up – top five retailers & more on board
• Walmart & Sam’s Club – 100% EMV enabled
• Kroger
• Costco – EMV capable
• Target – Enablement in process for completion September 2014
• The Home Depot
• Best Buy
Current POS Forecast
• EMV capable POS terminal deployments expected to reach 75% in 2014 and 100% in 2015
• EMV enabled POS terminals lag but enablement can be rapid if market conditions require
26 ǀ 10/14/2014
27 ǀ 10/14/2014 27 ǀ 10/14/2014
Is EMV a requirement for
financial institutions?
28 ǀ 10/14/2014
POS terminals are critical to EMV processing
The liability shift is a merchant issue
There is NO mandate for issuers
The largest U.S. distributor of POS terminals has stated that all terminals shipped in the last two years are EMV and contactless-ready from a hardware standpoint; however, EMV software has not been turned on.
29 ǀ 10/14/2014
EMV Liability Shift Dates
2011 2012 2013 2015 2016 2017 Liability Shift Announcement
Visa & MC waive PCI Data Security Audit Fee for merchants
EMV must be supported by Acquirers & Sub-Processors
Liability Shift: Cards aligned on date Debit/Credit
Shift counterfeit fraud liability to ATM owner for all EMV enabled cards used at U.S. ATMs
Automated Fuel Dispensers liability shift for EMV transactions
Processors support Amex EMV transactions
Merchants eligible for relief from PCI Data Security Standard (DSS)
Fraud Liability Shift (FLS) policy (on issued cards)
Processors & merchants must be EMV certified & support network data in contact & contactless EMV chip card transactions
October 2015, there is a card issuance liability shift
30 ǀ 10/14/2014
Global Brand Position on EMV
In an January 8, 2014 letter to customers, MasterCard’s President of North American Markets Chris McWilton indicates that now is the time for the US to migrate to EMV
• To help maintain the momentum and address the larger fraud threat, they will keep the 2015 liability shift dates
January 30, 2014, Visa Sticks to EMV Deadline; CEO Decries Data-Breach Blame Game and ‘Misinformation’
• Visa Inc. chief executive Charles Scharf on Thursday quelled rumors that the payment network might change its October 2015 liability-shift deadline for Europay-MasterCard-Visa chip card
31 ǀ 10/14/2014 31 ǀ 10/14/2014
What changes in your world with
EMV?
32 ǀ 10/14/2014
• Policies & Procedures
• Contact Center Scripts
• Training
• Marketing
• Fraud
• Card design
• Portfolio clean up
• New Data elements
• New reports / Revised reports
Everything
33 ǀ 10/14/2014
New Reports: CD-3808 AD-148 ED-800 DD-031/DD-031A CD-4260 MM-444M SM-727 EM-821
Changed Reports: CD-031 CM-731 CD-676 CD-1646 CD-1647 CD-1648 SD-119
First Data Reports
34 ǀ 10/14/2014 34 ǀ 10/14/2014
Credit, Debit & ATM
PSCU EMV Solutions
35 ǀ 10/14/2014
Chip and Signature (Online Profile)
Only allows online authorizations
No public keys are required
CH Selected PINs will work with this profile as it will validate the PIN from the host vs. the chip
Recommended for credit unions that
• Have minimal cardholders living or traveling overseas
• Want to allow CH Selected PIN
36 ǀ 10/14/2014
Chip and PIN (Offline Profile)
Includes online and offline authorizations
Additional fees associated with profiles due to public keys for merchants to translate the encrypted chip data
Cannot support CH Selected PINs due to challenges with updating the chip with new offsets
Recommended for credit unions with cardholders living and traveling overseas
37 ǀ 10/14/2014
Credit EMV Card Options (which card type)
Card Types
Contact EMV Card: Insert & leave until transaction complete
Dual Interface EMV Card: Supports contact & contactless payment methods
Transaction Authorization Types Signature Only
Online PIN: Same authorization process used today
Offline PIN: New authorization method
• Adds locations
• Adds complexity to authorization process
Note: All EMV Cards contain chip & magnetic stripe
38 ǀ 10/14/2014
Cardholder Verification Methods
Offline PIN – cardholder is verified by comparing the PIN entered to the PIN securely stored on the chip without going to the issuer host system for authentication
Online PIN – cardholder is verified by comparing the PIN entered to the PIN stored on issuer host system
Signature – cardholder is verified by their signature
No CVM – cardholder verification is not required for transaction
• Below floor limit
• Small dollar transactions (typically less than $25)
39 ǀ 10/14/2014 39 ǀ 10/14/2014
CVM interaction at the POS terminal
40 ǀ 10/14/2014
Cardholder Verification List Operation
CVM 1
CVM 2
CVM 3
CVM 4
CVM 5
Chip and PIN (Offline Profile) with Signature Preferred CVM (PSCU’s Visa Offline Profiles use this CVM priority list)
Online PIN for ATM
Online PIN at POS
Offline PIN at POS
Signature
No CVM
Terminal Capability Profile
POS Terminal
Offline PIN supported
No Match
41 ǀ 10/14/2014
Cardholder Verification Profile
CVM 1
CVM 2
CVM 3
CVM 4
CVM 5
Chip and PIN (Offline Profile) with Offline PIN preferring CVM (PSCU’s MasterCard Profile uses this CVM priority)
Online PIN for ATM
Online PIN at POS
Offline PIN at POS
Signature
No CVM
Terminal Capability Profile
POS Terminal
No online PIN support
No offline PIN support
Signature
No CVM
42 ǀ 10/14/2014
Cardholder Verification Profile
CVM 1
CVM 2
CVM 3
CVM 4
CVM 5
Chip and Signature (Online Profile) with Signature preferring CVM
Online PIN for ATM
Online PIN at POS
Offline at POS
Signature
No CVM
Terminal Capabilities
POS Terminal
Online PIN supported
Offline PIN supported
Signature
No CVM
43 ǀ 10/14/2014 43 ǀ 10/14/2014
Will EMV cards have a magstripe?
Will magstripe go away?
44 ǀ 10/14/2014
Will EMV Cards Have A Magnetic Stripe?
EMV Cards will have a magstripe
EMV cards will have both chip and magnetic stripes
Why?
To assure global acceptance and interoperability
The magnetic stripe contains a service code that indicates to the terminal that a chip is on the card
The liability shift that begins October 2015 is intended to incent both merchant and issuer migration
45 ǀ 10/14/2014
Some basic Credit Card Decision Questions:
What EMV profile will I use? (Profile decision influences CVM) Will the EMV card be contact or dual interface? Do we want to incorporate this into a new program? (Signature/World) Should we set up a new BIN? (Depends on answers to above) How much do we want to change the card design? (Small design changes due to location of chip) Do we offer cardholder selected PIN today? Do we offer on the same BIN? Or set up new Prin under a current BIN?
46 ǀ 10/14/2014 46 ǀ 10/14/2014
Credit, Debit & ATM
PSCU EMV Solutions
47 ǀ 10/14/2014
Visa and First Data Partner on EMV Common Debit Solution
Feb. 26, 2014 – Visa Inc. (NYSE: V) and First Data’s STAR® Network announced an agreement to share Visa’s common debit solution offering issuers, acquirers and merchants a streamlined and cost-effective approach for debit EMV chip adoption. EMV cards contain an embedded computer processor or a chip that generates a one-time code for each transaction making it nearly impossible for criminals to counterfeit.
48 ǀ 10/14/2014
Fiserv and MasterCard Agreement Advances Debit EMV Adoption in the U.S.
March 12, 2014 Fiserv, Inc. (NASDAQ: FISV) and MasterCard (NYSE: MA) today announced an agreement to make MasterCard’s U.S. common debit EMV solution available for the Accel™ debit network.
Under this agreement, MasterCard issuers receive flexibility to select and implement network relationships, while merchants and acquirers will continue to route transactions as they prefer, without introducing multiple applications and complicated technology upgrades. The agreement provides Fiserv clients with access to a broad EMV solution.
49 ǀ 10/14/2014
Debit Solution will contain 2 AID’s
EMV Debit Solution
Global AID
US Common
AID
Online PIN No CVM
Visa or MC rails
50 ǀ 10/14/2014
Debit AID’s = Is there one for us now? AID’s being marketed Description
Visa Common AID MasterCard Common AID Secure Remote Payment Council (SRPc) Common Network AID
One application where transactions route through Visa’s Interlink system. Not Durbin compliant, no other network routing on application.
One application where transactions route through MasterCard’s Maestro system. Not Durbin compliant, no other network routing on application.
Ten (10) debit network members have agreed to adopt a common US debit application identifier (AID) based on Discover’s D-PAS technology. Associations do not approve AID. No International aspect for signature.
The main problem is no association has dual network routing at this time. What does this mean for marketplace?
51 ǀ 10/14/2014
What if a credit union decided to go with one of the Common Debit AID’s now?
The credit union would not be Durbin compliant and would have to reissue all of those plastics once a certified Durbin Debit Solution is approved for the marketplace.
What if a credit union decided to go with one of those AID’s?
52 ǀ 10/14/2014 52 ǀ 10/14/2014
Credit, Debit & ATM
PSCU EMV Solutions
53 ǀ 10/14/2014
Credit Union Responsibility for ATM EMV Readiness
ATM Manufacturer Requirements
NCR Diebold Hyosung Wincor
Aptra-edge 4.0 and AANCD 3.4.2 Verify if the CPU has the memory to handle the new software Verify the card reader can handle / support EMV cards Agilis 3.0 Verify if the CPU has the memory to handle the new software Verify the card reader can handle / support EMV cards 2.03.xx.xx Verify if the CPU has the memory to handle the new software Verify the card reader can handle / support EMV cards Proflex 3.0 Verify if the CPU has the memory to handle the new software Verify the card reader can handle / support EMV cards
PSCU will not be able to support OS2 terminals. These ATMs will need to be upgraded or replaced.
54 ǀ 10/14/2014
Maestro EMV ATM Announcement / PSCU first to offer in US
November 4, 2013: Credit Union Times Tennessee Credit Union First with EMV Test ORNL Federal Credit Union in Oak Ridge, Tenn., will be the first financial institution to conduct an EMV transaction on MasterCard’s Maestro network with PSCU, the payment processing CUSO announced. The 160,000-member, $1.5 billion institution began deploying the technology to read the cards, which rely on an embedded chip for authentication, in September. First Data, the Atlanta-based card processing giant, was certified last week by MasterCard to process Maestro EMV transactions. Initially, the privately held payments network said it will support NCR and Diebold ATMs, with additional hardware manufacturers to follow.
55 ǀ 10/14/2014 55 ǀ 10/14/2014
Key Considerations
EMV Migration
56 ǀ 10/14/2014
Card Design – Start NOW!
The chip must be placed as shown on all cards to ensure interoperability with POS equipment
Will your current design work or do you need a new one?
Plastics cannot be ordered without an approved design so start now
57 ǀ 10/14/2014
Card Design Resource
MemberConnect/Product Resources/EMV/EMV Migration
58 ǀ 10/14/2014
Reissue Strategy
EMV eliminates conversations & investment of resources that happen around a compromise
Blocking cards
Adjusting Falcon strategies
Monitoring
Mass reissue?
Compromises are coming more often and the cost is more than the fraud
59 ǀ 10/14/2014 59 ǀ 10/14/2014
PSCU EMV Resources
60 ǀ 10/14/2014
A microsite was created:
http://www.pscu.com/emv/
Inside the microsite contains:
• Brief history of EMV
• Liability shift timelines
• Glossary of Terms
• Current available PSCU solutions
• FAQs
• Links to EMVco
EMV Training Materials
61 ǀ 10/14/2014 61 ǀ 10/14/2014
https://www.dropbox.com/sh/9zvz6mpao985916/jRzD51RKBW
62 ǀ 10/14/2014
www.pscu.com/emv
www.pscuinsights.com
PSCU Microsite and Blog site
63 ǀ 10/14/2014
1. Will the plastic design need to be changed? Yes, the chip needs to be in a certain location on the plastic.
2. How can I reduce the costs? Extend the expiration date. Roll out EMV in conjunction with Visa Signature or MC World program.
3. Can I issue EMV cards and Magstripe on the same BIN? Yes, once the BIN is certified, helps keep costs down.
See other FAQ’s on the EMV microsite @ www. pscu.com/emv
EMV FAQ’s
64 ǀ 10/14/2014 64 ǀ 10/14/2014
PSCU Strategy Recommendation
65 ǀ 10/14/2014
Issuer EMV Concerns: Adopt Now or Wait?
Do It Now:
Many issuers may wait until closer to the Oct 2015 liability shift, card manufacturers may not be able to keep up with demand
Fraudsters are targeting the U.S. and our magstripe card technology
Lengthy startup timeframe to get EMV cards (6 months or more)
Wait: Will plastic EMV cards be the long-term solution or will some device be the way to go in 2015?
Possible liability shift, date extension for VISA and MasterCard?
66 ǀ 10/14/2014
In Response to Overseas Travel
Create new EMV Credit Card Product
• Min. 150 Day Implementation
• Committed Strategy
• Premium Card (Visa Signature/MC World)
67 ǀ 10/14/2014
Debit EMV Adoption:
Strategy
Understand the Common AIDs being promoted out in the market
Wait until there is a Durbin compliant solution
Work with PSCU on reissue strategy:
• Natural
• Mass
68 ǀ 10/14/2014
ATM EMV Adoption:
Strategy
Complete ATM readiness checklist with ATM manufacturer
Work with PSCU on load images
69 ǀ 10/14/2014 69 ǀ 10/14/2014
Questions?