Hot Topics in Payments

Dallas AFPOct. 16, 2014

Matt Davies, AAP, CTP, CPPFederal Reserve Bank of Dallas

1

EMV

“EMV” = Europay, MasterCard, and Visa

1994: Founded the global standard for credit and debit payments based on chip card technology.

Today, EMV standards are set by EMVCo, a joint venture of Visa, MC, AmEx, JCB, Discover and UnionPay.

2

EMV

“Chip cards,” “chip and PIN cards,” and “smart cards” are used interchangeably.– Plastic cards that contain a microchip that sends a dynamic

protected value unique to each transaction

Though “chip and PIN” is often used with EMV, the standards allow for cardholder verification via signature (PIN is most common in other countries).

U.S. implementation: “chip and choice”

3

EMV

EMV standards have been adopted in many other countries

U.S. is one of the last developed nations to implement– Reluctance due to high cost of upgrading payment

terminals, or buying new ones, to accept chip payments.

– Card issuers must reissue all credit and debit cards

– Cost of terminal and card migration may be as high as $12bn (Javelin).

4

EMV

Two Ways of Accepting Chip Card Payments

Contact (“dipping” the card): Cardholder inserts card into POS device. Card remains in device until completion of the transaction. If customer removes card before the charge is approved, the transaction will fail and the customer will be required to provide the card again.

Contactless (“tap-and-go”): Cardholder waves the card by the chip card-enabled POS device to provide payment information. Once the transaction has been authorized, customer might then be prompted to enter PIN or sign a receipt.

Dynamic Authentication

When traditional mag-stripe cards are swiped at POS terminal, data, such as primary account number (PAN) and expiration date, are transmitted to the card issuer.

The data—known as static data—remains the same for each transaction.

EMV relies on dynamic authentication: chip generates data unique to each individual card transaction.

Dynamic Authentication

In EMV transactions that use dynamic auth., the chip is a mini computer that generates a unique cryptogram using transaction data each time the card is inserted into the chip terminal.

The cryptogram is sent to the card issuer, which uses its keys and codes to calculate a cryptogram based on the same transaction data.

If the two cryptograms match, the issuer knows the data is from a valid card.

Effectively, you have a different number being sent each time.

Dynamic auth. makes the chip almost impossible to counterfeit.

Card Associations & EMV

Visa roadmap to EMV (August 2011)– Expand TIP: Visa will expand its Technology Innovation

Program (TIP) to merchants in the U.S. • TIP ends the mandate for merchants to validate compliance with the PCI

Data Security Standard (PCI DSS) for any year in which 75% of the merchant’s Visa transactions stem from chip-based terminals.

• To accommodate the Visa mandate, merchants must use terminals that support both contact and contactless chip technology.

• “Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable.”

8

Card Associations & EMV

Liability Shift: Visa will institute a U.S. liability shift for counterfeit card-present POS transactions, eff. Oct. 1, 2015. – MasterCard, AmEx and Discover have adopted the same date

– Currently, POS counterfeit fraud is largely absorbed by card issuers

– After liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer.

– The acquirer will likely shift that liability down to the merchant.

9

Liability Shift

Fuel-selling merchants have until Oct. 1, 2017, before liability shift takes effect for transactions at automated fuel dispensers, due to the added expense of updating.

NACS (2012): Average card fraud costs at fuel pumps at each store, about $700 a year, but PCI security standards costs were rising to about $2,000 a year.

Average cost of EMV conversion per pump: $6-10k

David Heun, “Gas Stations Face EMV Sticker Shock,” PaymentsSource, Oct. 7, 2014

Card Associations & EMV

Liability shift to be introduced for ATM transactions in the U.S. – MasterCard Oct. 2016; Visa Oct. 2017

– All ATMs need to be EMV compliant

– After October 2016/2017, FIs can hold ATM operators liable for fraudulent withdrawals and cash advances from debit and credit cards.

Approximately $2,000 to upgrade an ATM to be EMV-capable (Aite)– Some ATMs will not take the upgrade for EMV and/or Windows

(move from XP); 35k+ for a new ATM

Card Issuers & EMV

Some U.S. card issuers began by issuing cards to frequent international travelers, corporate cardholders, T&E

Only 1.5% of an estimated 1.2 billion payment cards in the US have an EMV chip

Javelin predicts that, in Dec. 2015, only 29% of credit cards and 17% of debit and prepaid cards will be EMV-enabled.– At that time, Javelin predicts 53% of POS terminals will support

EMV.

Card Issuers & EMV

JPMC– First major card issuer to adopt chip-and-signature model for U.S. cards

– Announced 2/25/2014 that it would begin issuing chip-and-PIN cards this year. Will others follow suit?

– Expects most of its debit cards to be chip-enabled by EOY 2015

BofA– Has been issuing chip credit cards (consumer, commercial, and corporate)

since 2012

– 9/30/2014: Announced it will begin issuing chip debit cards to new customers in Oct.; cards for existing accountholders issued as these cards expire or are replaced

– Plans to have the majority of its cards converted by late 201513

Card Issuers & EMV

Wells Fargo: “Testing chip technology with its debit cards and plans to issue them ‘on a broad scale’ in the coming year.”

Citibank– Will begin issuing chip debit cards in 2015

– All of its new consumer credit cards are issued with chip technology

– Should have half of its portfolio of consumer credit cards chip-enabled by EOY 2014.

– Most customers can go online or call customer service to request a chip credit card.

14

Merchants & EMV

Many merchants support elimination of signatures as a verification method in U.S., but Visa and MC will continue to support signature (“chip and choice”).

Merchants tend to favor PIN due to lower fraud rates than signature transactions.

Visa and MC will also support transactions with no cardholder verification for low-value, low-risk transactions like payments at quick service restaurants (QSRs) and parking meters.

“The ROI is simply not there without a PIN requirement. The signature card has by far has outlived its usefulness. It’s not the mag-stripe that’s the problem, it’s the signature that’s the problem.”—Mark Horwedel, Merchant Advisory Group (MAG)

15

Merchants & EMV

Only about 10% of the POS terminals in the U.S. are EMV-ready; mostly in “big-box” stores (Javelin) Wal-Mart has turned on EMV acceptance at about 4,000 of its

5,000 stores

Javelin predicts 53% of POS terminals will support EMV in Dec. 2015.

Wal-Mart, Home Depot and AMC Theaters all prefer PIN over signature

16

Merchants, Consumers & EMV

Issue: Consumer Awareness– If a cardholder tries to swipe a chip card at a terminal as he

would normally swipe a mag-stripe card, at a store where EMV acceptance has been enabled, the terminal prompts the cardholder to insert the card in the device so that it reads the chip.

– Solution: Advertising and education by card networks and banks?• e.g., “Don’t remove your EMV card too quickly, but don’t leave it in the

terminal either!• FRB Dallas Video

Issues

EMV’s age

EMV is a proprietary standard– Governments and other entities around the world are

looking for open, non-proprietary standards

International interoperability?

Issuers, merchants, or processors object that they have not had a say in how the standard works or how it is being implemented in the U.S.

Issues

Durbin Amendment: merchant choice when routing debit transactions– Resolved by “common application identifier” (AID)

– In the EMV specification, the AID is a string of characters that identifies the network brand and the specific type of card, e.g., credit or debit.

But…One potential problem in the U.S.: “Glitches in routing EMV transactions over PIN-debit networks as required by the…Durbin Amendment, despite accords the networks have reached with Visa and MC this year designed to facilitate smooth routing.”

Jim Daly, “Warning: The EMV Chip Card Conversion Will Be Slow and Fraught With Peril,” Digital Transactions News, Oct. 7, 2014

Issues: Fraud

Potential increase in international fraud– Might offset or exceed the decrease in counterfeit fraud wrought by EMV.

E.g., in Canada, largely stemming from fraud on mag stripes still included on EMV cards, used in cases where merchants have not upgraded terminals, or EMV functionality of terminal is not working

Mag stripes can be skimmed (e.g. at ATMs) and data used to commit card fraud in the US

To eliminate such fraud, Interac (Canada’s debit network) plans to eliminate next year the option of reverting to the magnetic stripe.

Beyond EMV?

Tokenization

Point-to-Point Encryption

3DSecure (online)

Tokenization

In a card transaction, tokenization replaces the primary account number (PAN) with a string of numbers.

Tokens are not mathematically derived from information associated with the card (unlike encryption).

The card issuer can re-associate the tokenized number with the PAN for authorization and other purposes

The tokenized number is otherwise worthless to hackers.

Apple Pay

iPhone 6 (available Sept. 19) and a new smart watch, Apple Watch (available early 2015)

Uses near field communication (NFC) technology to facilitate “contactless” (a.k.a. “tap-and-go”) payments at the point of sale (POS), as well as online payments through in-app solutions.

There will be an NFC antenna across the top of the phone.

The NFC protocol has encryption built into it.

Apple Pay

Uses the iPhone’s TouchID fingerprint scanner (introduced in the previous iPhone model, the 5s, and built into the iPhone’s home button) as a form of authentication.

iPhone 6 has a new chip called a secure element (SE) in the phone handset that stores the holder’s payment information (though not the actual card number).

Apple Pay

Apple Pay will automatically use the card(s) on file for the customer with Apple’s iTunes as the default payment account.– iPhone 6 users with iTunes accounts will just need to enter the card

security code (typically referred to as the CVV or CVC) to get started.

Users can add additional cards by taking pictures of them with the phone’s camera, or by typing the card details into Passbook.

Apple verifies the account data with the card issuers and places digital renderings of the cards in Apple’s Passbook wallet app.

Apple Pay

Apple Pay uses tokenization to remove payment card numbers from the transaction process.– When a user adds a credit card, Apple does not store the actual

card number; instead, it creates a “device-only” account number for each card and stores it in the phone’s SE

– Each time Apple Pay is used, Apple uses a one-time payment number, along with a dynamic security code, essentially creating a one-time card use system and eliminating the need for the static security code (CVV/CVC) on the plastic card.

– The merchant never sees the cardholder’s name, card number or security code.

Apple Pay

To make a payment using his default card, the user does not need to open an app or “wake” the phone’s display, because of the NFC antenna.

He will simply hold the iPhone near the merchant’s contactless card reader, and use the Touch ID (home) button to authenticate himself by fingerprint.

A subtle vibration and beep lets him know the payment information has been sent. If he wants to pay with a card other than his default card, he must first open the Passbook app and select an alternate card.

If an iPhone owner loses his phone, he does not have to cancel his credit cards. He can use the “Find My iPhone” app and suspend all payments from that phone.

Apple Pay

For those with privacy concerns: Apple will not collect any transaction data (how much consumers spent, what they bought, etc.).– “Apple doesn't know what you bought, where you bought

it or how much you paid for it. The transaction is between you, the merchant and your bank.”—Eddy Cue, SVP, Apple

Note that the Apple Watch also enables payments, but it must be paired with the phone to do so.

Apple Pay

Apple has reached agreements with:– Card networks: Visa, MasterCard, and American Express (in discussions

with Discover)

– 11 large credit card issuers (with more to be added): BofA, Chase, Citi, AmEx, Wells Fargo, Capital One, U.S. Bank, Navy FCU, USAA, PNC, Barclays.• These issuers represent 83% of U.S. card transaction volume.• Reports indicate that the card-issuing banks have agreed to pay a per-transaction fee to Apple

to be included on the phone. These fees to Apple may be offset by the number of transactions that consumers make with Apple Pay, as the banks collect interchange fees (levied on merchants) on all credit and debit card transactions.

– Merchants, including (in addition to Apple’s own stores): Walgreen’s, McDonald’s, Disney, Macy’s and Bloomingdales, Staples, Subway, Starbucks, Whole Foods, Groupon, Uber, Panera, OpenTable and Tickets.com

Mobile Wallets

Background: Mobile Wallet Competition

Generally, consumer adoption of mobile wallets to date has been limited.– Much of this is due to the fact that mobile wallets don’t

necessarily solve a problem for consumers; swiping a credit card is not really that difficult!

Because of low consumer adoption, and the proliferation of multiple vendors and offerings, retailers have not invested heavily in the new (or upgraded) POS terminals that will allow them to accept mobile payments.

Mobile Wallets

Other players in the mobile wallet space include:

Google Wallet: Originally used NFC, but as of Sept. 2013, allows for storage of card credentials in the cloud. Google added Host Card Emulation (HCE) to Android 4.4, which allows Google Wallet to bypass the SIM card for NFC transactions.

Softcard: Until recently known as Isis Mobile Wallet. Joint venture of AT&T, Verizon and T-Mobile; has 20,000 new activations of its app daily, according to the company.

MCX: Merchant-driven. Members include 7-Eleven, Southwest Airlines, Wal-Mart, Target, and many others. In development for more than two years; now testing its mobile wallet, CurrentC. No launch date yet announced, and few details have been provided as to how its technology will work.

Amazon: Testing a mobile wallet.

Future?

Number of iPhones in consumers’ hands

8 million POS in the U.S.– About 220k of those are NFC-enabled

– Many of those are vending machines

Will “a rising tide lift all boats”?– Will uptake of Apple Pay also encourage merchant acceptance of

Google Wallet and MCX/CurrentC?

What role for community banks and CUs?

Interchange?

Corporate Account Takeover

Experi-Metal v. Comerica

Patco Construction v. People’s United

Choice Escrow vs. BancorpSouth

2010: Choice Escrow & Land Title, victim of hackers who obtained its online banking details using malware and wired $440,000 to a bank in Cyprus.

Choice sued BancorpSouth for failing to provide “commercially reasonable security”

2012: Bank filed counter-suit US district court in Missouri dismissed the bank’s

counter-claim, though judge said it was a “very close call.”

Choice Escrow vs. BancorpSouth

March 2013: U.S. District Court rejected Choice’s suit against BSB.

Based on the fact that Choice declined to use security measures BSB had encouraged it to use.

When Choice adopted online banking (2009), BSB usually required that customers use dual control

Choice declined dual control on two different occasions; it was convenient, as their employee who handled wire transfers was often in the office by herself.

Choice Escrow appealed; verdict upheld in favor of Bank (+ legal fees!)

Dual Control

Alternatives for customers that are too small to have dual custody?– E.g., Wells Fargo has a feature called secure validation.

– When a customer submits a payment, the bank can text or call the user’s mobile device and provide a number that the customer then has to enter in a field on the site.

“Digital Disbursements”

Future best practice for combatting check fraud?

BofA’s Digital Disbursements– “Alias-based B2C payments solution”

– Allows corporate customers to pay consumers digitally.• e.g., payments are directly routed to a customer’s bank account using the

customer’s e-mail or mobile phone number

– Available to middle-market, large corporate and public sector clients

– Supports B2C payments including rebates, refunds and claims

– Fewer checks mailed = fewer opportunities for fraud

“Digital Disbursements”

BofA’s Digital Disbursements (cont.)– Customers don’t have to wait for a check via mail.

– Corporate can reduce end-to-end disbursement costs as much as 75% (acc. to BofA), compared to a paper check.

– Merchants could potentially save more than $1b annually by eliminating disbursement checks (Aite)

– Corporate customers don’t need to maintain a consumer’s personal bank account information.• Recent FRB study: 85% of consumers, 81% of businesses prefer not to provide

bank account info to the payee when making a payment.

Source: Evan Nemeroff, “BofA Introduces Digital Disbursements,” AmericanBanker.com, Oct. 1, 2014

Questions?

Matt Davies, AAP, CTP, CPPPayments Outreach Officer

Federal Reserve Bank of DallasPhone: 214-922-5259

E-mail: matt.davies@dal.frb.org

Follow us on:

@DallasFed DallasFed