
EMV IMPLEMENTATION TOOLS FOR SUCCESS, PCI & SECURITY. February 2014


(1)

EMV IMPLEMENTATION TOOLS

FOR SUCCESS, PCI & SECURITY

(2)

AGENDA

EMV Overview

EMV Industry Announcements

EMV Transaction Differences, What to Expect

Solution Decisions

VeriFone EMV Solutions

Market Certification Considerations

In-Field Maintenance Requirements

PCI Implications

VeriShield

Questions

(3)

WHAT ARE THE EMV FUNDAMENTALS?

What is EMV?

– Global Standard for the implementation of chip cards for the purpose of facilitating an electronic payment transaction

– Born out of transit payment programs based in Europe

– An effective technology to protect against duplicate card fraud

How does EMV Protect against Duplicate Card Fraud?

1) If an EMV Card is presented at an EMV Terminal, the terminal forces it to be inserted.

2) Once card is inserted, PAN and Dynamic CVV are presented to be used in the authorization request.

3) This Dynamic CVV (changes for each transaction) is validated against what is expected at the host.

Result -> PAN is static yet data changes on each transaction!
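The host-side validation described in steps 2 and 3 is easiest to see as code. The following is an added example, not VeriFone's or EMVCo's code: the per-transaction value is modelled with HMAC-SHA256 over the card's Application Transaction Counter (ATC), the amount and the terminal's unpredictable number (real EMV cryptograms use a block-cipher session key derived from an ICC master key; the HMAC derivation and the demo key are assumptions so the example runs offline). It contrasts the chip's dynamic value with a static mag-stripe CVV: a copied stripe authorizes exactly like the original, while captured chip data fails on replay and a card without the key cannot produce a valid value for a new transaction.

```python
import hashlib
import hmac

# Constructed demo key. A real issuer derives each card's ICC master key from
# an issuer master key held in an HSM; this 16-byte value is a stand-in.
DEMO_ICC_MASTER_KEY = bytes(range(16))


def session_key(icc_master_key: bytes, atc: int) -> bytes:
    """Derive a per-transaction session key from the card's master key and its
    Application Transaction Counter (ATC). EMV specifies a block-cipher
    derivation; HMAC-SHA256 is used here only so the example runs offline."""
    return hmac.new(icc_master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(icc_master_key: bytes, atc: int, amount_cents: int,
               unpredictable_number: int) -> bytes:
    """Compute the dynamic value the chip returns for this transaction (the
    'dynamic CVV' of the slide). It binds the ATC, the amount and the
    terminal's unpredictable number, so it differs on every use."""
    data = (atc.to_bytes(2, "big")
            + amount_cents.to_bytes(6, "big")
            + unpredictable_number.to_bytes(4, "big"))
    return hmac.new(session_key(icc_master_key, atc), data, hashlib.sha256).digest()[:8]


class IssuerHost:
    """Host-side validation: recompute the cryptogram with the card's key and
    reject any ATC that does not move forward."""

    def __init__(self, icc_master_key: bytes) -> None:
        self._key = icc_master_key
        self._last_atc = -1

    def authorize(self, atc: int, amount_cents: int, unpredictable_number: int,
                  presented: bytes) -> str:
        if atc <= self._last_atc:
            return "DECLINE: ATC replayed or out of order"
        expected = cryptogram(self._key, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, presented):
            return "DECLINE: cryptogram mismatch"
        self._last_atc = atc
        return "APPROVE"


def static_cvv_check(stored_cvv: str, presented_cvv: str) -> str:
    """Mag-stripe contrast: the same static value is presented every time, so
    a copy of the stripe passes exactly like the original."""
    return "APPROVE" if hmac.compare_digest(stored_cvv, presented_cvv) else "DECLINE"


def demo(icc_master_key: bytes = DEMO_ICC_MASTER_KEY) -> dict:
    """Walk through a genuine transaction, a replay of its captured data, a
    copied card that lacks the key, and the next genuine transaction."""
    host = IssuerHost(icc_master_key)
    un1, un2 = 0x1234ABCD, 0x0BADF00D  # terminal-chosen unpredictable numbers
    genuine = cryptogram(icc_master_key, 17, 2599, un1)
    return {
        "genuine": host.authorize(17, 2599, un1, genuine),
        # Everything captured at the first terminal, sent again unchanged.
        "replay": host.authorize(17, 2599, un1, genuine),
        # Fresh ATC and UN at a new terminal, but a copied card cannot compute
        # a cryptogram without the key, so the old value is all it has.
        "copied_card": host.authorize(18, 2599, un2, genuine),
        "next_genuine": host.authorize(18, 999, un2,
                                       cryptogram(icc_master_key, 18, 999, un2)),
        # Static track data offers no such protection.
        "magstripe_copy": static_cvv_check("123", "123"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The ATC check matters as much as the cryptogram check: without it a host that only recomputes the MAC would accept the same genuine message twice, which is exactly the replay the dynamic value is meant to prevent.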

EMV is not…

– Chip and PIN – PIN as a cardholder validation method is only one implementation option of EMV

– A Silver Bullet for PCI Compliance – PAN data is still presented in the clear and valuable for card not present transactions

– Cure All for Chargebacks – The programs put in place will help with duplicate card fraud

(4)

INTERAC® MARCH 5, 2013 ANNOUNCEMENT

Interac debit card fraud skimming losses plummet to lowest level on record. Losses down 73 per cent in last three years

Interac Association reported today that Interac debit card fraud losses, as a result of skimming, are the lowest on record since 2003 – decreasing to $38.5 million in 2012 from a high of $142 million in 2009. This represents 0.012 per cent of domestic Interac debit card volume and the lowest volume of fraud losses since data were recorded in 2003. Further, the number of cardholders reimbursed fell to 93,800 in 2012 from 238,000 in 2009. Cardholders are protected from losses under the Interac Zero Liability Policy*.

(5)
(6)

ROLE OF EMVCO

EMVCo manages, maintains and enhances the EMV® Integrated Circuit Card Specifications for chip-based payment cards and acceptance devices, including point of sale (POS) terminals and ATMs. EMVCo also establishes and administers testing and approval processes to evaluate compliance with the EMV Specifications. EMVCo is currently owned by American Express, JCB, MasterCard and Visa.

• Owns, manages, and maintains the global payment industry specifications to define interoperability requirements between chip based payment cards and acceptance terminals

• Administers the testing and approval process for both chip payment cards and chip acceptance terminals

EMVCo is not responsible for specific card brand certifications

• EMVCo maintains specifications for both contact and contactless payment schemes

• EMV Contactless specification published to define a common contactless interface to be used by the card brands

• Currently each card brand uses its own proprietary application

• MasterCard M/Chip, Visa qVSDC

• Applications are similar, both follow EMVCo standards

(7)

CANADIAN EMV LEARNINGS

1. Industry Adoption

• How was EMV adopted in the Canadian Market?

2. Customer Impacts

• As a card holder, what can you expect with EMV?

3. Solution Time to Market

• Payment solutions have new requirements and challenges; how will this impact the number of choices going forward?

4. Training and Support

• Merchants are self trained now; how did this change?

5. Card Requirement Changes

(8)

WHAT ABOUT CONTACTLESS?

EMV CONTACT / EMV CONTACTLESS DIFFERENCES

EMV Contact

• Cards are inserted into the chip card (ICC) reader and remain until the transaction is completed

• Different from what consumers are accustomed to today

• Data is read from and written to the chip during a transaction so the card is updated each time it is used

• Transactions will likely be processed online in the U.S. but offline transaction processing is possible

EMV Contactless

• Contactless cards must be placed in close proximity to the contactless reader (typically ½ to 3 inches) and remain only momentarily

• Transaction is completed after the card has been removed from the contactless field

• Dual interface cards access the same chip for processing via contact or contactless read

• Contactless card usage is typically used for transaction speed and convenience

(9)

WHAT ABOUT NFC?

• Both use short range wireless technology allowing communication between devices at close proximity

• Contactless is typically a one-way transaction between a passive device (contactless card) and an intelligent reader (contactless capable POS device)

• NFC-enabled transactions involve two-way communications whereby an NFC capable device (such as a smartphone) exchanges data with an NFC enabled POS device

• NFC shares a core technology with RFID tags and contactless smartcards, but there are differences

• Multiple ISO standards govern NFC cards

• ISO/IEC 14443 is a group of four standards covering card type variations – Type A and Type B

• Reader / Writer mode governed by ISO/IEC 14443 standard

• ISO/IEC 18092 – Near Field Communications Interface and Protocol

• Peer-to-Peer mode governed by ISO/IEC 18092 standard

NFC and EMV Contactless are not synonymous

(10)

U.S. TRANSACTION VIEW – TODAY & FUTURE

[Flowchart, reconstructed from the slide's step labels; the original layout is not recoverable and the step order follows the standard EMV transaction sequence]

Mag-stripe delivery: Card Swipe → Clerk Data Entry / Amt. Other → Send to Host → Host Processing (Mag-stripe Validation, Fraud/Velocity Check, Open to Buy Check) → Response From Host → Approval/Decline Message → Receipt Printing

EMV contact: Clerk Data Entry / Amt. Other → Card Insert → Application Selection → Offline Data Auth. → Processing Restrictions → Cardholder Verification (CVM) → Terminal Risk Management → Terminal Verification Results (TVR) → Terminal Analysis/Decision → Send to Host → Host Processing (Card Validation, Fraud/Velocity Check, Open to Buy Check) → Response From Host → Approval/Decline Message → Remove Card → Receipt Printing

EMV contactless: Clerk Data Entry / Amt. Other → Card Tap → Card Processing → Terminal Verification Results (TVR) → Terminal Analysis/Decision → Send to Host → Host Processing (Card Validation, Fraud/Velocity Check, Open to Buy Check) → Response From Host → Approval/Decline Message → Receipt (may not be required)

(11)

TRANSACTION TIMES COMPARISON

[Timeline, reconstructed from the slide's labels; both rows are dial connections]

Mag-stripe, dial: Card Swipe → Pre-Dial → Clerk UI (Amount) → Connect → Transmit/Receive → Print Receipt

EMV, dial: Clerk UI / Entry of Data (Amount) → Insert Card → Dial → Connect → Transmit/Receive → Print Receipt

(12)

PRODUCT DECISIONS FOR THE U.S.

Stand Alone Devices

• Customer total amount verification, EMV card insertion, and Contactless tap

• Speed of transaction

• Hand over, external pin pad (with Contact/Contactless/Mag-stripe Delivery support)

Integrated

• Customer facing, Communication options, USB, RS232, IP

• Register software changes to drive the device differently (Amount first, no walk up and swipe)

Semi-Integrated

• Light cash register integration (SCI-Secure Commerce Interface)

• Direct to host for processing, removing register knowledge of EMV or transaction data

(13)

EMV CAPABLE DEVICES – VX & VX EVOLUTION SOLUTIONS

[Device lineup figure: Countertop series, Portable series and Consumer Facing series; models shown: Vx 570, Vx 610, Vx 670, Vx 810, VX 520, VX 680, VX 520, VX 820, VX 805]

(14)
(15)

EMV CAPABLE DEVICES – MX SERIES SOLUTIONS

[Device lineup figure: MX 800 series, MX 850, MX 900 series and Consumer Facing series; models shown: MX 860, MX 870, MX 880, MX 915, MX 925]

(16)

MARKET SOLUTION CERTIFICATION CHANGES

Certification Criteria

• Level 1, Level 2 Certifications

• Brand testing, individual tests vary by scheme

• Each brand has their own specification (based on EMVCo)

• Contact and Contactless testing require specialized tools

• Tools updated frequently to provide necessary scheme simulation

Results of New Criteria

• Certification will take more time to accomplish at the acquirer levels

• Ongoing certification work must be maintained for solutions

• Ongoing investment is required to keep up to date on tools and certification process

• Specialized training will be required to accomplish these new solutions

(17)

FIELD UPGRADES, HOW EMV IS DIFFERENT

Today

• Devices are deployed, and in some cases, not touched for years

• Merchants are reluctant to have devices reprogrammed or to give time for the activity

• Infrastructure (dial lines, etc.) not set up to handle large downloads

Tomorrow, EMV Challenges (Contact and Contactless)

• EMV components, kernels for contact and contactless can and will change

• New cards issued with new functionalities happen, require downloads to accept the card

• Interoperability will be impacted if devices are not kept up to speed

• Contactless software components, EMV and for NFC initiatives, will

(18)

FIELD UPGRADES, REQUIREMENTS

Merchant Device Support

– Need for more frequent download will require more merchant interaction, either in a manual or automated manner

– Devices will need to “phone home” to check for updates at a defined frequency

– Updates can, and should be, delivered to the POS in an automated manner to ease this new market requirement

VeriFone Estate Management Solutions

– VFI can provide end to end solutions for management of these software components, along with other application requirements

– Solutions can be delivered as “host it yourself”, or through VFI Managed Services

• Allowing for management of your own portfolios, maintenance of your portfolios, and real time dashboards of your status

(19)
(20)

PCI DATA SECURITY STANDARDS OVERVIEW

The PCI Security Standards Council offers comprehensive standards and supporting materials to enhance payment card data security

PCI DSS (Data Security Standards)

– Covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security

PCI PIN Transaction Security (PTS)

– A single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals

(21)

(22)

PCI PTS COMPLIANCE

PCI Security Standards Council (SSC) analyzes changes in the threat environment, which typically occurs every three years

Pre-PCI attended POS PIN entry devices must be retired by December 31, 2014

PCI PTS Version 1.x devices will expire on April 30, 2014

Acquirers purchasing devices that are on the list of devices that will expire will assume liability

(23)

SUNSET OF PCI PTS 1.X PIN ENTRY DEVICES

Updated Visa PIN Entry requirements for PCI PTS 1.x devices allow PCI 1.3 devices to be deployed and used after April 30th as long as they were

(24)

PCI COMPLIANCE EDUCATION

VeriFone Proactively Educating our Partners and Customers on PCI Compliance

Bulletins/Flyers

Webinars

(25)
(26)

PCI RESOURCES

Visa PIN Entry Device Requirements & FAQ:

http://usa.visa.com/download/merchants/visa-PED-Requirements-2013.pdf

PCI DSS v3.0

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

PCI DSS Summary of Changes v2.0 to v3.0

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf

Glossary of Terms, Abbreviations, and Acronyms

https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf

(27)
(28)

VERISHIELD TOTAL PROTECT

Reduce PCI scope

Minimize risk

Protect sensitive data

Monitor all systems in real time at the device level

VeriShield Total Protect removes the burden of protecting payment card data from the merchant using multiple defense layers: Encryption and Tokenization

ENCRYPTION

Delivers encryption in a way that is transparent to the merchant's receiving systems with low disruption / minimal POS system impact

Protect card data from the point of capture to point of decryption

TOKENIZATION

Store tokens rather than card data using random-number tokenization after authorization

(29)

COMBINING ENCRYPTION AND TOKENIZATION

Payment card data is read at the merchant's payment device.

1. Primary Account Number (PAN) and other discretionary data are encrypted.

2. Data is decrypted by decryption service and a token is generated by the RSA server.

3. Payment information is passed to the bank for authorization.

4. Transaction authorization is given to the processor.

5. Transaction authorization and token are returned to the merchant.

6. Merchant can safely store the token and re-use for post-authorization activities such as returns.
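The tokenization half of the flow above, as an added example that is not VeriShield's or the RSA server's code. It models the service-side token vault and the merchant's post-authorization use of the token; the device-side encryption leg is not modelled, and the vault design (random digits, same length as the PAN, last four digits preserved for receipts, deliberately failing the Luhn check so a token is never mistaken for a PAN, one stable token per PAN) is this example's own choice, not a description of the product. The `Processor` and `Merchant` classes, and the always-approving bank, are constructed for the demo.

```python
from __future__ import annotations

import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check used to recognise a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Held by the decryption/tokenization service, never by the merchant.
    Tokens are random digits with no mathematical relation to the PAN, so a
    stolen token cannot be reversed without access to this vault."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:        # same PAN -> same token, so the
            return self._token_by_pan[pan]   # merchant can match repeat customers
        while True:
            # Same length as the PAN so legacy fields still fit; keep the last
            # four digits for receipts; reject Luhn-valid candidates so a token
            # can never pass as a real PAN; retry on the (rare) collision.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


class Processor:
    """Decryption service, token vault and path to the issuing bank
    (steps 2 to 5 of the slide)."""

    def __init__(self) -> None:
        self.vault = TokenVault()

    def authorize(self, pan: str, amount_cents: int) -> tuple[str, str]:
        token = self.vault.tokenize(pan)                 # step 2
        auth_code = f"A{secrets.randbelow(10**6):06d}"   # steps 3-4, bank always approves here
        return auth_code, token                          # step 5: token, not PAN, goes back

    def refund(self, token: str, amount_cents: int) -> bool:
        pan = self.vault.detokenize(token)   # only the service can map back
        return luhn_valid(pan) and amount_cents > 0


class Merchant:
    """Stores tokens only; no PAN ever lands in its order database (step 6)."""

    def __init__(self, processor: Processor) -> None:
        self._processor = processor
        self.orders: dict[str, tuple[str, int]] = {}

    def sell(self, order_id: str, pan_from_device: str, amount_cents: int) -> str:
        # In production the device encrypts the PAN before it leaves the reader
        # (step 1) and the processor decrypts it; that leg is not modelled here.
        auth_code, token = self._processor.authorize(pan_from_device, amount_cents)
        self.orders[order_id] = (token, amount_cents)
        return auth_code

    def refund(self, order_id: str) -> bool:
        token, amount = self.orders[order_id]
        return self._processor.refund(token, amount)

    def holds_pan(self, pan: str) -> bool:
        """Scope check: does anything the merchant stores equal the PAN?"""
        return any(stored == pan for stored, _ in self.orders.values())


if __name__ == "__main__":
    proc, shop = Processor(), Merchant(proc)
    shop.sell("order-1", "4111111111111111", 1999)   # constructed test PAN
    print(shop.orders["order-1"], shop.refund("order-1"))
```

The refund path is the point of step 6: the merchant never needs the PAN again, because the token is enough for the processor to find it, which is what keeps the merchant's systems out of the data that PCI DSS scopes.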

(30)
(31)

[Figure: VeriShield Retain – authorized certificate vs. unauthorized certificate]

VERISHIELD RETAIN

BUSINESS PROTECTION

• Prevents unauthorized access to payment devices

• Accommodate trusted partners and their value-added applications

PROVIDES THE HIGHEST SECURITY

• System-level password protection

• File authentication to protect merchants against fraud or misuse

EASY TO IMPLEMENT AND CAN BE ADDED TO EXISTING ESTATE

IMPROVES MERCHANT RETENTION

ACCOMMODATES AUTHORIZED 3RD PARTY DEVELOPERS

File authentication software that helps you retain your merchant estate, keep competitors at bay and protect your business interests.

(32)

SPONSOR CERTIFICATE FLYER DETAILS

VX Evolution meets the highest security standards. Application certificates, like "keys", are one of the pieces in this solution, which is used to sign (or lock) applications to be authenticated in order to run. Application certificates have multiple benefits to the ISO and processor.

Retention

– VX allows ISOs to lock their terminal base. Merchants will have to contact the ISO in order to move to a different merchant services relationship.

Superior Security

– VX devices cannot be re-downloaded when sponsor certifications are used. No rogue software can be downloaded. Nothing is more secure.

– To provide the best support and to know if your applications will work properly in an existing merchant’s device review the following steps:

– Identify what certificate is used in the application to be downloaded. You can check your download files if you have your own VeriCentre, or ask your service provider if you use someone else for this.

– Check the merchant’s device before you download. Newer versions of the operating system display the certificate owner when you power cycle the device.

– Error messages may present when the authentication fails due to the device already having a different application certificate compared to what certificates are included in the new application attempting to download. This secure approach allows processors and ISOs to have their own specific application certificate.

– In essence, all of the devices are “locked”. It is just a matter of whether they are locked with a VeriFone certificate or a customer-specific certificate.
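The locking behaviour and the pre-download check described in the steps above, as an added example that is not VeriFone's file-authentication code. Each terminal is locked to one sponsor; a download is accepted only if the file was signed under that sponsor's certificate and the signature still matches the file contents, and `preflight` is the "check the certificate owner before you download" step. On the real platform the device holds the sponsor's public certificate and verifies a digital signature; here an HMAC with a shared key stands in for the signature, and the sponsor names and keys are constructed for the demo, so the example runs with the standard library alone.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed sponsor keys for the demo. On the real platform the device holds
# the sponsor's public certificate and verifies a digital signature; a shared
# HMAC key stands in here only so the example runs with the standard library.
SPONSOR_KEYS = {
    "VeriFone": b"demo-key-verifone",
    "ISO-Acme": b"demo-key-iso-acme",   # hypothetical ISO with its own certificate
}


@dataclass(frozen=True)
class SignedApp:
    name: str
    sponsor: str        # owner of the certificate the file was signed under
    payload: bytes
    signature: bytes


def _mac(sponsor: str, name: str, payload: bytes) -> bytes:
    # Bind sponsor and file name into the MAC so neither can be swapped.
    msg = sponsor.encode() + b"\0" + name.encode() + b"\0" + payload
    return hmac.new(SPONSOR_KEYS[sponsor], msg, hashlib.sha256).digest()


def sign_app(name: str, sponsor: str, payload: bytes) -> SignedApp:
    """Build-time step: the sponsor signs the application file."""
    return SignedApp(name, sponsor, payload, _mac(sponsor, name, payload))


class Terminal:
    """A device locked to exactly one sponsor certificate."""

    def __init__(self, sponsor: str) -> None:
        self.sponsor = sponsor
        self.installed: dict[str, bytes] = {}

    def certificate_owner(self) -> str:
        """What newer OS versions display when the device is power cycled."""
        return self.sponsor

    def download(self, app: SignedApp) -> str:
        if app.sponsor != self.sponsor:
            return (f"AUTH FAIL: device locked to {self.sponsor!r} certificate, "
                    f"file signed under {app.sponsor!r}")
        if not hmac.compare_digest(_mac(self.sponsor, app.name, app.payload),
                                   app.signature):
            return "AUTH FAIL: signature does not match file contents"
        self.installed[app.name] = app.payload
        return "OK: application authenticated and installed"


def preflight(terminal: Terminal, app: SignedApp) -> bool:
    """The check recommended before a download: compare the certificate owner
    the device shows with the certificate the download files were signed under."""
    return terminal.certificate_owner() == app.sponsor


if __name__ == "__main__":
    dev = Terminal("ISO-Acme")
    good = sign_app("POSAPP", "ISO-Acme", b"payment application v1")
    other = sign_app("POSAPP", "VeriFone", b"payment application v1")
    print(preflight(dev, good), dev.download(good))
    print(preflight(dev, other), dev.download(other))
```

The two failure branches correspond to the two error situations a field engineer meets: a file built for the wrong certificate owner, which `preflight` catches before any download traffic, and a file whose contents no longer match its signature, which only the device-side check catches.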

(33)

MORE INFORMATION

To learn more about EMV and VeriFone's hardware, software, training and support solutions that can smooth the EMV migration process, please go to

(34)
