2 Minutes
Briefly Introduce the topics for discussion.
Randy - EMV History / Chip Cards /Terminals 5 Minutes
The EMV specification, originally named for Europay, MasterCard and Visa, is a global standard for interoperable credit and debit payment cards, point-of-sale (POS)
payment terminals and transaction processing networks based on chip card technology.
1965 Eurocard
1992 Merged with Eurocheque to form Europay
In 2002 Europay International merged with MasterCard International to form MasterCard, Inc. Today the company is known as MasterCard Worldwide.
JCB (Japan Credit Bureau) 2004
Randy
As these Card Brands (e.g. Visa, Mastercard, etc.) gained prominence in their regions, problems began to arise as these brands began to do business in the international marketplace. Travelers and consumers need to use these cards abroad. Furthermore, as a multitude of new technologies grew, so did the programmatic methodology for using these types of cards.
Thus, EMVCo was formed.
EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions.
Whereas each of these brands is a separate entity with the sole purpose of handling payment card transactions, EMVCo is an international standards body, formed by the card brands for the purpose of creating, among other things, operational standards.
Performing security evaluation of hardware
Management of interoperability issues (standardization)
Contactless Specifications
Common Payment Application
Tokenization
Randy
Chip cards, also known as smart cards, contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. The EMV specifications also provide for new, highly efficient transaction methods that cannot be achieved with traditional magnetic stripe cards. These include contact and contactless transactions as well as mobile payment operations.
Ways to represent an account with allowing only an account number
Go Card – Smart Destinations
Advantages: Read Write Access
application block
application unblock
card block
external authenticate (7816-4)
generate application cryptogram
get data (7816-4)
Randy
What are Chip and Pin Cards?
The chip uses cryptography to talk securely with the credit card terminal and can require a PIN number to complete the transaction. Configured by the issuing bank. Randy to find stats on % pin adoption.
Jerry – discuss the more technical details
Card authentication: Transactions require an authentic card validated either online using a dynamic cryptogram or offline using Static Data Authentication (SDA) or Dynamic Data Authentication (DDA).
Cardholder Verification Method (CVM): The CVM ensures that the person attempting to make the transaction is the person to whom the card belongs using Online PIN, Offline PIN, Signature, or no CVM.
Randy
Chip Cards can only be processed at an EMV terminal
Mag Swipe Backup for non-functioning Chip
In most cases these EMV terminals will support “Contactless” using NFC (Near Field Communication)
Apple Pay
Google Wallet
Visa payWave
MasterCard PayPass
American Express ExpressPay
Discover Zip
Does anyone in the room have an Integrated Circuit Credit Card?
5% adoption US in 2013
What is my wallet?
Up to 50% adoption by the end of the year?
Compare Expiration Dates
Randy
I can give you 4 compelling reasons.
You do not want your attraction to be on this list.
Does anyone know how many credit cards were stolen during these 4 data breaches?
200 Million Credit Cards were stolen from these 4 companies alone in large card present data breaches
Target: over 40 million cards in a breach that lasted under 20 days, including over 70 million PII records
There were some large card not present breaches as well, to PlayStation Network and others
Randy
Why else should my attractions care about EMV?
Remember EMVCo?
In 2008, it was estimated that US travelers experienced nearly 10 Million mag swipe related issues when traveling abroad totaling nearly half a billion dollars
Randy
Randy
First, let's talk about Card Present vs Non Card Present fraud
UK Stats 2004-2011
73% drop of counterfeit mag swipe
56% drop from lost or stolen cards
33% overall drop
Worldwide Credit Card fraud eclipsed $11 Billion in 2012
EMV only protects your attraction from Card Present (CP) fraud and not Card Not Present (CNP) fraud.
In 2012 CP Fraud accounted for almost $800 Million in the United States
Tangent conversation
Source of this fraud came from POS breaches to begin with
Cutting off the supply for the fraudsters
Examples in our industry:
Online CNP fraud far outweighs onsite CP fraud:
- Russia stolen cards
- lists
Switch speakers to Jerry to hit this home:
- Every time there is a major national data breach, I am talking to 20 customers asking how to get credit cards out of the system.
- Most attractions just want the data security that comes along with the more secure EMV process
But aside from the primary goal of being able to accept a chip card, there is a second and arguably more important benefit of adopting EMV at POS – data security. Many of the recent data breaches in the U.S. have exploited security weaknesses in the POS system (PC or software) to capture credit card data that had passed through the POS. So, it makes sense that if you can prevent the POS from ever having access to sensitive card data, there would be nothing for the hackers to gain in the event of a breach. And this is exactly what some implementations of EMV support – the ability to keep all sensitive payment card data out of your system.
Jerry
In order to understand the upcoming liability shift, we need to define some terminology
Jerry
Before we dive into what the liability shift is, let’s ask a question.
At your attraction today, who gets left holding the bag when a fraudulent transaction occurs?
Your Attraction
Issuing Bank
Card Brand
Jerry
Remember:
EMV Liability is only for Card Present (CP) Transactions
Your attraction will only be responsible for fraudulent transactions if a customer presents an EMV Payment Card from an Issuing Bank and fraud occurs on EMV Terminals
Will Guests arrive with EMV Cards?
Presently there are over 1 Billion Payment Cards in the United States (610 million credit cards, and 520 million debit cards)
Current adoption rate is about 5% of domestic cards
Jerry
What is your current amount of CP chargebacks?
What amount of those chargebacks is fraud related – typically about 15% (not friendly fraud 49%)
What is your expected ROI with calculated expected fraud increase vs. cost of implementation, training, sustainment?
Jerry
Jerry
Jerry
Currently, many installations use a basic USB or serially-connected magnetic stripe reader like the one pictured above. Used in the pre-EMV fully-integrated payment solution with a POS or Cash Register, there is nothing specific about the mag stripe reader that limits its use with any particular software, merchant, or payment processor. It is merely a way to get the credit card magnetic stripe track data back into the POS, after which it is sent to your payment processor.
The most common purchase flow is that upon completion of entering the items into the POS transaction, the guest hands the credit card to the POS operator, who swipes the card, and returns it to the guest.
Jerry
Jerry
Going forward, an EMV-compliant payment terminal like the one pictured above will need to be deployed anywhere you take a payment card, which will be a considerable investment for merchants.
Unlike the mag stripe reader, the payment terminal needs to be key-injected by its manufacturer or reseller, and will be configured specifically to work only with a certain merchant, certain encryption keys, and a certain payment processor.
Also unlike the magnetic stripe reader, the EMV-compliant payment terminal is guest-operated. The payment card never leaves the guest’s hands in an EMV transaction.
Jerry
A non-integrated EMV payment solution is one where the POS system and the EMV payment terminal are not connected in any way. In this model, after ringing up a sale on your POS, your POS operator needs to manually enter the requested sale amount on a disconnected payment terminal. The payment terminal has its own network connection, and goes directly to the payment host for authorization. No data flows between the POS and payment terminal, ever. While this is great for insulating your system from sensitive payment card data, it adds a time-consuming and error-prone extra step in your sales process, and provides no journalization in your sales system. In this model, your POS, and the PC it resides on, are thought to be PCI out-of-scope, due to the fact that no sensitive card data is ever exposed to the POS.
Jerry
A semi-integrated EMV payment solution is one where a limited amount of information flows between the POS system and the payment terminal, but the payment terminal will never return sensitive data, like a full credit card number, for example. In this model, your POS operator rings up the sale as normal, and then selects a non-cash Form of Payment (FOP) that requires authorization. The FOP selection causes the POS to send a request to the payment terminal (represented by arrow #1 above), passing it a limited amount of data, such as the requested transaction amount, the type of transaction (sale, refund), and perhaps a transaction ID. The payment terminal has its own display and prompts the guest to insert their chipped credit card, and then requests authorization directly from the payment host (represented by arrow #2) via the payment terminal’s own network connection. After the payment terminal receives its response from the payment host (arrow #3), a response message is sent to the POS from the payment terminal (arrow #4), but it’s very important to note that the interface back to the POS does not support the ability
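A POS-side check for the semi-integrated boundary described in these notes, added here as an example and not taken from any POS or terminal vendor: it flags any field in a terminal message that holds a full card number or track data, and any request field beyond amount, type and transaction ID. The field names, the allowlist and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumed request allowlist, taken from the fields these notes mention.
ALLOWED_REQUEST_FIELDS = {"amount", "type", "transaction_id"}
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Start of magnetic stripe track 1 ("%B<PAN>^") or track 2 (";<PAN>=").
TRACK_DATA = re.compile(r"%B\d{13,19}\^|;\d{13,19}=")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_data(message):
    """Names of fields that appear to carry a full PAN or track data."""
    hits = []
    for field, value in message.items():
        text = str(value)
        if TRACK_DATA.search(text):
            hits.append(field)
            continue
        for match in PAN_RUN.finditer(text):
            if luhn_ok(re.sub(r"\D", "", match.group())):
                hits.append(field)
                break
    return hits

def check_request(message):
    """Request fields outside the allowlist (should be empty)."""
    return set(message) - ALLOWED_REQUEST_FIELDS

# Constructed sample messages; 4111 1111 1111 1111 is a standard test number.
GOOD_RESPONSE = {"transaction_id": "T-000123", "result": "APPROVED",
                 "auth_code": "08123Z", "masked_pan": "************1111",
                 "amount": "42.50"}
LEAKY_RESPONSE = dict(GOOD_RESPONSE, card_number="4111 1111 1111 1111")

if __name__ == "__main__":
    print("good response :", find_card_data(GOOD_RESPONSE))
    print("leaky response:", find_card_data(LEAKY_RESPONSE))
```

Run against captured terminal responses during integration testing, a non-empty result means card data is reaching the POS and the PCI out-of-scope assumption no longer holds.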
Jerry
A fully-integrated EMV payment solution is one where the EMV payment terminal communicates only with the POS system. In this model, the POS uses the EMV payment terminal to read the chip card, but then brings all data back into the POS system, with the requirement that the POS system, and not the payment terminal, contact the payment host for authorization. If you use a mag-stripe reader to process credit cards in POS today, this is an example of a fully-integrated payment solution. And although most fully-integrated EMV solutions provide the ability to encrypt the data at time of capture before sending it to the POS, the POS and the PC running it are now thought to be PCI in-scope. The risk of a breach yielding sensitive card data from a fully-integrated solution is minimized, but not eliminated, by the use of encryption. Because the POS and its PC are now in PCI scope, the development and certification efforts for POS vendors would be greater, and often will also require our customers to perform merchant-level certifications prior to being allowed to process
Jerry
Encryption utilizes a key to alter data, and in theory, a party would require the matching decryption key to restore the data to its original state. In terms of credit card processing, end to end encryption (E2EE) describes the process whereby card data is encrypted the moment it’s captured by the payment terminal, and it remains encrypted until it arrives at the payment host (e.g. Paymentech). With E2EE, even if a malicious party was able to intercept network traffic, they would still not see any sensitive data in clear text. POS systems are generally not permitted to use encrypted credit card information for the purpose of subsequent sales (e.g. storing encrypted credit card data for recurring payments in a payment plan after the initial down payment).
Tokenization is a representation of sensitive credit card data, allowing subsequent payment authorization requests to be made when the physical card is no longer present. A common use of a payment token is to permit automatic recurring payments, without requiring the guest to be present with their card for those
Jerry
Hardware Costs
The hardware cost to roll out an EMV terminal everywhere that you can accept a credit card. Final pricing is not yet available on the various payment terminals, but as a very rough rule of thumb, assume a minimum of $500 per payment terminal. If you have 100 POS locations from which you can complete a credit card sale, you’ll likely have a minimum of $50,000 in terminal purchases.
Network
The network infrastructure costs to support separate, secure network access everywhere you plan to deploy an EMV payment terminal.
Credit Card Visibility
EMV, and your security concerns are low, you may decide to delay EMV adoption.
Compatibility
Do the terminals work with your POS system, and other systems
Terminal Configuration
Pros and Cons table
Randy to come up with something
20% of the population will not know their PIN