855.443.8377
openedgepay.com
Development, Merchant Readiness & the Coming Liability Shift
OpenEdge Research & Development Group
Table of Contents
Executive Summary
The Payments Industry Landscape
Some Background on EMV
Why EMV Now?
The Liability Shift for EMV Transactions
EMV Adoption Challenge
EdgeShield & Edge EMV
How Can EMV Benefit Software Developers?
What Now?
Executive Summary
EMV, the New Security Standard
2015 is the year the U.S. will migrate to the EMV security standard. The technology is based on a microprocessor (or ‘smart chip’) that is virtually impossible to duplicate and will change the credit card purchasing experience. The payments industry is instituting a liability shift in which the party in the payments chain not enabling EMV will be considered responsible if fraud occurs.
A More Complicated Integration
Software developers offering credit card payments in their applications face a far more complicated integration than was necessary with magnetic stripe technology. EMV certifications are expensive and cumbersome.
EdgeShield and Edge EMV
The OpenEdge answer to a simplified EMV integration is the EdgeShield security bundle including Edge EMV. Developer benefits include:
• A pre-certified EMV offering including device management and card brand certifications
• Supports mobile payments using NFC technology (e.g. Apple Pay)
• Future proofing: easy addition of hardware devices in the future
• Encryption, protecting data in transit
• Tokenization, protecting data at rest in the POS
• PA-DSS 3.0 Out-of-Scope and PCI DSS scope minimization
• Developer Breach Reimbursement Guarantee
The Payments Industry Landscape
Card Data Breaches
The frequency and impact of card data breaches are increasing. A series of recent high profile breaches at major retailers has provided a decisive impetus for the payments industry to institute the long-planned transition to EMV. 2015 is the year the U.S. payments industry will migrate to the new standard.
Payment Card Fraud
The theft of payment card data is a lucrative criminal trade. The magnetic stripe technology on credit and debit cards is notoriously easy to access and counterfeit. Well-organized, sophisticated global criminal networks sell and use the stolen card data, often in other countries, before payment industry participants can act. While U.S. consumers are largely protected against direct financial losses, stolen cards or payment credentials affect everyone through the payment chain: issuing banks, payment processors, and the businesses selling goods and services.
Mobile Technologies
In addition to traditional credit and debit plastic cards, the public uses smart phones for purchasing goods, paying bills and mobile banking. Consumers and businesses using new cloud and mobile technologies require secure, intuitive, seamless payments. This presents new opportunities and challenges as businesses prepare to take payments using near field communications (NFC), mobile and cloud technologies while protecting against fraud.
• Estimated breaches, 2014: 950
• Average cost per stolen record: $277
• Estimated customer records compromised, 2014: 750 million
• Lost business accounts for 56% of data breach costs
• Records compromised since 2004: 1 billion+
Some Background on EMV
Counterfeit, Lost and Stolen Cards.
EMV – a microprocessor or ‘smart chip’ – is a fraud-reducing technology that protects against losses from the use of counterfeit cards. It also combats lost and stolen card fraud when using a PIN as a cardholder verification method. EMV cards generate a new code for every transaction, making the card virtually impossible to counterfeit and re-use. When criminals steal card data, they can manufacture new cards with a magnetic stripe, but not with a chip or the unique transaction code. Counterfeit card use will be curtailed with the implementation of EMV devices at merchant purchase locations.
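The contrast described above, as an added example that is not part of the original paper: a simplified Python model in which a magnetic stripe presents the same static data every time, while a chip signs each transaction with a secret key and a counter. The HMAC-based code, the class and function names and the sample card values are assumptions for illustration; this is not the actual EMV cryptogram algorithm.

```python
import hashlib
import hmac
import secrets


def _message(pan: str, counter: int, amount_cents: int) -> bytes:
    return f"{pan}|{counter}|{amount_cents}".encode()  # fields the code covers


class ChipCard:
    """Hypothetical chip model: the key never leaves the chip."""
    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key      # known only to chip and issuer; not on the stripe
        self._counter = 0    # advances on every transaction

    def pay(self, amount_cents: int) -> dict:
        self._counter += 1
        msg = _message(self.pan, self._counter, amount_cents)
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "counter": self._counter,
                "amount_cents": amount_cents, "code": code}


class Issuer:  # hypothetical issuer host that authorizes both card types
    def __init__(self):
        self._keys = {}          # pan -> chip key
        self._last_counter = {}  # pan -> highest counter accepted so far
        self._stripes = set()    # static stripe data on file

    def enroll(self, pan: str, key: bytes, stripe: str) -> None:
        self._keys[pan], self._last_counter[pan] = key, 0
        self._stripes.add(stripe)

    def authorize_stripe(self, stripe: str) -> str:
        # Static data: a byte-for-byte copy looks exactly like the original.
        return "APPROVE" if stripe in self._stripes else "DECLINE: unknown card"

    def authorize_chip(self, txn: dict) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        msg = _message(txn["pan"], txn["counter"], txn["amount_cents"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["code"]):
            return "DECLINE: bad code"
        if txn["counter"] <= self._last_counter[txn["pan"]]:
            return "DECLINE: code already used"
        self._last_counter[txn["pan"]] = txn["counter"]
        return "APPROVE"


def run_demo() -> dict:
    pan, stripe = "4000000000000002", "4000000000000002=EXAMPLE"  # constructed
    key = secrets.token_bytes(32)
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.enroll(pan, key, stripe)
    first = card.pay(2015)  # first chip transaction, $20.15
    return {
        "stripe_copy": issuer.authorize_stripe(stripe),  # copied bytes are identical
        "chip_genuine": issuer.authorize_chip(first),
        "chip_replayed": issuer.authorize_chip(dict(first)),
        "chip_altered": issuer.authorize_chip(dict(first, amount_cents=999999)),
        "chip_next": issuer.authorize_chip(card.pay(500)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The copied stripe data is approved because nothing distinguishes it from the original, while the captured chip transaction is declined on replay and on alteration, and the genuine card's next transaction still goes through.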
EMV Standard
The payments industry answer to counterfeit card fraud is the EMV standard. It is nearly impossible to duplicate a chip card. The microprocessor (smart chip) is embedded in EMV cards, interacting with hardware devices and payment networks to ensure the card is authentic. This standard was deployed decades ago and has been widely adopted in Europe and Asia. Major card networks such as Visa, MasterCard, Discover, American Express, JCB and Union Pay maintain the EMV standard through an organization known as EMVCo.
Chip + PIN and Chip + Signature.
The EMV chip stores data and supports multiple levels of authentication and communication between the card, card reader and payment networks, ensuring the card is legitimate. This technology comes in two flavors, mimicking how U.S. consumers use debit and credit cards today, easing the transition to the EMV standard.
CHIP + PIN
Chip + PIN requires the cardholder to enter a password to confirm cardholder identity, and presents a strong defense against lost and stolen card fraud. This authentication method is most common with debit cards in the U.S.
CHIP + SIGNATURE
Chip + Signature requires the cardholder to sign for the transaction at the point-of-purchase. It’s frequently used for credit cards.
[Figure: front and back of a sample card showing the EMV chip, signature panel and magnetic stripe, with the acceptance types Chip Only, Chip & PIN, Chip & Signature, Contactless and Magnetic Stripe.]
EMV Transactions and the New User Experience
Magstripe technology consists of only two back-and-forth communications. Yet, in an EMV transaction, there are now 12 back-and-forth communications between the hardware, POS application, and card networks. The communications deal with card data authentication, cardholder verification, risk management and authorization. The multiple communications result in a new consumer experience and more complicated payment integration. Rather than swiping cards, consumers will insert them into a card reader (many are calling this action “dipping”). The user only removes the card after the device indicates the transaction is complete and prompts the consumer. Merchants will need to watch for consumers forgetting cards after the EMV transactions.
Drop in Card-Present Fraud
Countries adopting the EMV standard have seen a significant drop in card-present fraud.
Why EMV Now?
More High-Profile Breaches
With EMV in place in other countries, worldwide counterfeit fraud has shifted, targeting the less secure magnetic stripe standard in the United States. A recent rash of card breaches among large retailers added a sense of urgency for the industry to implement the more secure technology. Card data stolen elsewhere are used for purchases at U.S. merchants because of the lack of chip card safeguards. As EMV becomes common, thieves will concentrate on merchants who do not adopt the new standard.
Liability Switch Deadline
To motivate a nationwide transition to EMV, card networks will institute a liability switch in October 2015. Liability in the payment chain for counterfeit cards will fall on the party with the least degree of security.
Apple Pay and Mobile Payments
Payments functionality in smart phones is expanding rapidly. Apple Pay, launched in 2014, uses Near Field Communication technology at NFC-enabled terminals to facilitate payments through mobile phones. Apple Pay NFC purchases carry the lower rates associated with “card present” purchases and provide fast, convenient transactions.
[Chart: Australia 15%, Canada 30%, France 35%, United Kingdom 69%. Source: Federal Reserve Bank Atlanta]
• April 2013: Processor Host Compliance
• October 2015: Liability shift begins for Visa, MasterCard, American Express and Discover (Automated Fuel Dispensers are excluded)
• October 2017: Liability shift begins for Automated Fuel Dispensers
The Liability Shift for EMV Transactions
The Liability Shift: Some Facts
The key argument the industry uses for persuading businesses to adopt EMV is a “liability shift.” But what does that mean? Liability for what? To whom is liability shifted, and under what conditions? The short answer: EMV can prevent card-present counterfeit fraud, so merchants processing cards using EMV-enabled card readers and using proper procedures are not liable for losses if counterfeit cards are used. Today, counterfeit card fraud losses are absorbed by issuing banks. Starting October 1st, 2015 – D-Day for the liability shift – the liability for counterfeit fraud can switch to merchants not adopting EMV.
In 2014, transactions using counterfeit cards represented 37% of all US credit card fraud. EMV will eliminate this situation. It is relatively easy to manufacture magnetic stripe cards using card data stolen during breaches, but extremely difficult and impractical to clone the cards with a chip.
The Rules
Following the October deadline set by major U.S. credit card networks (Visa, MasterCard, American Express, Discover), card-present fraud liability will shift to whoever is the least EMV-compliant party in a counterfeit transaction. The key rule is that the party in the transaction chain that prevented the use of EMV (card issuer, merchant or ISO/processor) is responsible should a counterfeit card be used. It will cover both domestic and cross-border (cards issued in other countries) counterfeit transactions.
The policy assigns liability for counterfeit fraud to the party that has not made the investment in EMV chip cards (issuers) or terminals (merchants’ acquirers). The policy encourages wider deployment of EMV cards and terminals. MasterCard supports a liability shift for lost, stolen and never received/issued cards to the party not supporting PIN as a cardholder verification method. If neither party supports PIN, only the counterfeit liability shift rules apply.
Apple Pay: Also Shielding Merchants from Counterfeit Fraud
Apple Pay is a secure payment system similar to EMV, but uses an iOS device (iPhone, iPad or Apple Watch) instead of a chip card. The iOS device does not store actual card data, but a card token, and generates a unique code for each transaction. The algorithm for the code generation is in a special chip – the “secure element” – in the iOS device. The token’s unique device account number is 16 digits long and handled as if it were a regular credit card number. The secure element takes the role of the chip, generating the one-time use code for each transaction.
Apple Pay face-to-face (in store) transactions are considered “card present.” Merchants require an NFC-enabled terminal (common for EMV card readers). Customers’ iPhones, iPads, and Apple Watches communicate with the NFC terminal to complete the transaction. Note that the card provisioned for Apple Pay does not need to be a chip card.
How Does a Merchant Avoid the Liability from Counterfeit Card Transactions?
1. Acquire EMV-enabled card reader(s) and POS software.
The EMV transition will require upgrading software and buying new card readers.
2. Use EMV to complete the transaction.
It’s not enough to have an EMV payment system. It must be properly used. The transaction has to use the EMV payment flow, in which the customer dips the card and conducts an EMV transaction. When a customer tries to swipe the card, EMV devices will recognize when the card has a chip and prompt the user to dip instead of swipe.
3. Enable Apple Pay in place of EMV cards.
[Chart: U.S. Card Fraud by Type, 2014. Categories: online (card not present), other, lost/stolen, counterfeit. Source: Aite Group, “EMV: Lessons Learned and the U.S. Outlook,” June 2014.]
Card Provisioning and Account Fraud
Consumers enable Apple Pay on their mobile devices using their Apple iTunes account or by entering card data directly into the device (either by scanning a card with the iOS device’s camera or keying the card data). The device then sends the data to the card-issuing bank, which verifies user identity and card validity by email, text or phone. Once the card and consumer identity are confirmed, the device receives a token that Apple Pay uses for purchases.
Because Apple Pay is so secure, the only fraud perpetrated so far has been “account fraud” using stolen card data to provision Apple Pay, in which a thief impersonates the cardholder when adding a card to his iPhone or iPad, or creates a fraudulent iTunes account. It is up to the issuing bank to verify authenticity, thus shifting liability back to the issuer.
EMV Adoption Challenge
Chicken or the Egg?
Businesses are not motivated to upgrade their equipment to EMV, as most of their customers do not have chip cards. Issuing banks were not willing to incur the expense of issuing more expensive chip cards because their customers had nowhere to use them. That paradox is evaporating. Visa forecasts that by the end of 2015 over 70% of credit cards and 40% of debit cards in the U.S. will have the chip, and 50% of the merchants will have EMV card readers. EMV and magnetic stripe technology will co-exist for some time; the card readers will accept both payment types.
EMV Complexity
The transition to EMV presents a major undertaking for software developers, merchants and processors. Card brands have mandated that payment processors must be able to process EMV transactions, yet EMV processing remains voluntary for merchants and payment software developers. While software providers are not liable for fraud that is preventable by EMV, not supporting EMV will clearly be a competitive disadvantage for these businesses. To avoid liability, merchants will have to replace their terminals with devices capable of processing EMV transactions, and obtain EMV-enabled software.
EMV Certification Challenge
Card networks require EMV certification for every instance of the payment process – every combination of a payment processor, card network and card reader. For example, software supporting payments through one payment processor, four card brands (Visa, MasterCard, Discover and American Express) and three devices will require twelve EMV certifications.
When transaction processes change (POS software updates, new hardware, updated kernels), the software developer must perform certifications again. Clearly, this is too complicated for most developers. In response, some processors are launching simpler, cheaper ways to enable EMV transactions. The approach uses a payment application that isolates the developer’s software from payment data, so the POS is not subject to EMV certifications.
EdgeShield & Edge EMV
Our EMV solution – Edge EMV – is part of the EdgeShield security bundle. EdgeShield is a set of complementary solutions combining EMV processing, point-to-point (P2P) encryption and tokenization. The goal is to simplify EMV payments integration for software developers and provide a secure payment solution. Edge EMV is an advanced security technology that prevents counterfeit fraud. It includes a pre-certified payment application handling payment data and payment flow, including device driving, so the POS software does not have to (recall that chip card processing is much more complicated than magnetic stripe processing).
[Figure: EMV: In Scope vs. Out of Scope. Panel 1: POS, pre-certified payment application, EMV device, processor, card brands (Visa, MasterCard, Discover, American Express, debit); POS developer out of EMV scope. Panel 2: POS, EMV device, regular gateway, processor, card brands; POS developer in EMV scope.]

Solution                          Prevents Counterfeit Fraud   Protects Data in Transit   Protects Data at Rest
EMV Only                          Yes                          No                         No
Encryption + Tokenization         No                           Yes                        Yes
EMV + Encryption + Tokenization   Yes                          Yes                        Yes
EdgeShield Benefits
The benefits for a software developer using EdgeShield include:
• No EMV certification needed
• No device driving needed
• Supports mobile payments using NFC technology (e.g. Apple Pay)
• Future proofing: easy addition of hardware devices in the future
• Encryption, protecting data in transit
• Tokenization, protecting data at rest in the POS
• PA-DSS 3.0 Out-of-Scope and PCI DSS scope minimization
• Developer Breach Reimbursement Guarantee
Note that the EMV standard only deals with card and (with PIN) cardholder authentication. It does not address the security of the payment data itself, which could be transmitted in clear text. To protect card data, EdgeShield adds P2P encryption and tokenization. The payment application ensures that card data – encrypted at the source – is securely delivered to the OpenEdge processing platform so it cannot be stolen and misused by hackers.
Vulnerable Systems
Some processors may have solutions in which data is not encrypted at the entry point and, therefore, remains vulnerable until encryption occurs within the software. Or, in some gateway software supporting multiple processors, data may be decrypted and re-encrypted in the payment software before reaching the secure environment of a payment processor.
EdgeShield Architecture
There are two ways to implement an EMV pre-certified payment application:
• Install it on a PC
• Install it on a card reader

[Figure: Payment App on PC vs on Card Reader. EMV controller residing on a PC (POS + payment app, with EMV, mobile, kiosk/unattended and non-EMV devices): scalable, supports multiple points of interaction, supports multiple devices. EMV controller residing on an EMV device (POS, with EMV device + payment app): not scalable, does not support multiple points of interaction, does not support multiple devices.]
The application, when placed on high-end card readers (typically Linux-based), only supports insertion/swipe of the card. If a business needs to support a variety of devices, card insertion/swipe and keyed entry (typically by clerk), having the EMV application on a PC is recommended. It is easier to add future devices when the application is not specific to the device or manufacturer. For these reasons, OpenEdge supports EMV applications installed on the PC.
Features                                                                             EdgeShield   Application on Device
Supports high-end devices                                                            Yes          Yes
Supports cheap low-end devices                                                       Yes          No
One integration supports both card present (dip or swipe) and keyed transactions     Yes          No
Future proofing: new devices can be easily and quickly added                         Yes          No
Developer Support
An integral part of the EdgeShield solution is dedicated support for software developers, which provides “best practices” for integration and security along with hands-on help integrating and verifying the payments integration.
© 2015 OpenEdge, a division of Global Payments, operates through the following entities: OEEMVCSA-SD-042015-TN Accelerated Payment Technologies is a registered ISO and MSP of HSBC Bank, National Association, Buffalo, NY, a registered ISO and MSP of Wells Fargo Bank, N.A., Walnut Creek, CA, and a registered ISO/MSP of Synovus Bank, Columbus, GA. Accelerated Payment Technologies™, A Division of Global Payments. All rights reserved.
Payment Processing, Inc. is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA; HSBC Bank USA, National Association, Buffalo, NY; and National Bank of Canada, Montreal, QC. PayPros® is a registered trademark of Payment Processing.
EdgeShield Summary
OpenEdge’s EdgeShield simplifies the EMV transition for developers and merchants while reducing developers’ effort and liability. That results in significant savings in time, effort, and cost – initially and for the long term as updates to the POS software or payment devices occur.
OpenEdge provides a pre-certified EMV offering for developers, manages device driving and certifications, so developers can implement EMV swiftly with minimal effort. It also takes developers out of PA-DSS scope and minimizes the PCI DSS scope using secure technologies. We are so confident about our security technology that we offer a Developer Breach Reimbursement Guarantee for those integrating EdgeShield payment technology.
How Can EMV Benefit Software Developers?
Significant Business Opportunity
For software developers, EMV migration is a challenge that can be turned into a major business opportunity. They can position themselves as being the most up-to-date, forward-thinking software providers in their fields. New EMV payments functionality may be marketed to new customers, re-invigorating current and past relationships, selling more software upgrades, and improving market competitiveness.
What Now?
The liability shift starts in October 2015, so start planning your EMV strategy now. Developers should:
• Contact OpenEdge to get the integration of EMV payment functionality on their roadmaps
• Communicate EMV plans to customers and prospects
• Get ready to adopt this new, secure payments technology with minimal disruption
About OpenEdge
OpenEdge helps software developers and businesses succeed by delivering secure and personalized payment solutions. As the integrated payments division of Global Payments, OpenEdge is driving innovation – adapting, scaling and simplifying how payments are processed, across platforms and points-of-interaction, in an increasingly complex landscape. OpenEdge serves more than 2,000 technology partners across 60 industry verticals throughout the United States and Canada.