See Your Customers, Not Payment Types, with PAR
Joseph Koenig (Index)
Thursday, March 1, 4:30PM

Agenda

Everything you wanted to know about PAR:
- What is a PAR?
- Why was PAR created?
- Where can PAR be used?
- How do I get PARs?
- What's the timeline for PAR availability?
- How does PAR impact my compliance?
- How do I add support for PAR?
- What are some challenges with PAR?

What is a PAR?

- A stable identifier for a payment account, regardless of the form factor or device being used
- Standardized via EMVCo
- Issuers and acquirers must make changes to support it
- Merchants and VARs get a better, safer value to use as an identifier
- PAR aims to replace PAN for non-financial uses

Why do we need PAR? Reason #1: Tokenization

- Tokenization is now everywhere
- Tokens have different PANs than the account tokenized
- Many tools were built assuming 1 customer = 1 PAN
- Tokens have short lifecycles when compared to PANs
- New phone = new PAN for your *Pay
- With tokenization everywhere, how do you identify customers, not just devices?

Why do we need PAR? Reason #2: Security

- Using the PAN for non-financial purposes is insecure
- In a mag stripe world, there were not enough characters to encode a safe identifier onto the track
- The PAN was used as an identifier out of necessity
- Chip cards have the capacity to hold other identifiers
- PAR replaces PAN wherever it's not necessary to charge or refund accounts

What is a PAR?

- Specifically designed to look different than a PAN
- Can't be used for any financial purpose
- BIN controllers are registered with ISO (4 characters)
- Remaining 25 characters are defined by the controller
- Tied to the account lifecycle: persists across re-issue

What can I do (or not do) with it?

5 usage scenarios are explicitly defined by EMVCo:
1. Customer service
2. Analytics
3. Risk & fraud
4. Regulatory compliance (AML, etc.)
5. Loyalty

What can I do (or not do) with it?

Scenario          How PAR helps
Customer service  Look up all of a customer's transactions from just their physical card
Analytics         Aggregate statistics whether the customer pays with a card or a *Pay
Regulatory        Improved AML and anti-terrorist compliance by blocking tokens used by banned persons
Risk & fraud      Apply velocity limits to the full account, including all derivative tokens
Loyalty           Buy online/pick up in store for customers using third-party checkouts

What (else) can I do (or not do) with it?

- Some interesting scenarios are not currently sanctioned by EMVCo
- Open-loop transit: tag in using your phone, tag out with your physical card
- PAR provides a more robust, more secure identifier than PAN for most business applications

How do I get PARs?

Depends on the transaction type:
- Card-present EMV: read off tag 9F24
- Card-not-present and non-EMV: acquirer response message

What about existing applications?
- Bulk PAN -> PAR lookup through web APIs
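For the card-present path, the PAR arrives as one BER-TLV object (tag 9F24) inside the data the card returns to the kernel. The following is an added example, not code from the deck or from Index: a minimal BER-TLV walker that descends into constructed templates, pulls out 9F24 and checks the value against the 4 + 25 = 29 character shape described on the earlier slides. The sample response, the "V001" BIN controller prefix and the uppercase-alphanumeric format check are assumptions constructed for the example; real kernels and acquirer specifications define the authoritative format.

```python
import re
from typing import Iterator, Optional, Tuple

# Constructed sample PAR: "V001" stands in for a 4-character BIN controller
# prefix, followed by 25 controller-defined characters (29 total). Not a real PAR.
SAMPLE_PAR = "V001ABCDEFGHJKLMNPQRSTUVWXYZ0"

# Format check assumed from the slides' 4 + 25 description and the EMV
# definition of tag 9F24 as a 29-character alphanumeric value.
PAR_RE = re.compile(r"[A-Z0-9]{29}")


def tlv(tag_hex: str, value: bytes) -> bytes:
    """Encode one BER-TLV object (short and one-byte long-form lengths only)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes.fromhex(tag_hex) + length + value


def parse_tlv(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (tag, value) for every object in data, descending into constructed tags."""
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):        # inter-object padding is allowed in EMV
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:           # multi-byte tag: continue while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                  # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        yield tag, value
        if first & 0x20:                   # constructed object: recurse into its contents
            yield from parse_tlv(value)


def extract_par(data: bytes) -> Optional[str]:
    """Return the PAR from tag 9F24 if present and well-formed, else None."""
    for tag, value in parse_tlv(data):
        if tag == "9F24":
            par = value.decode("ascii", errors="replace")
            return par if PAR_RE.fullmatch(par) else None
    return None


def bin_controller(par: str) -> str:
    """The ISO-registered BIN controller prefix (first 4 characters)."""
    return par[:4]


# Constructed card response: a Format 2 template (77) wrapping an AIP (82),
# an ATC (9F36), the PAR (9F24) and a dummy cryptogram (9F26).
SAMPLE_RESPONSE = tlv("77",
    tlv("82", b"\x39\x00")
    + tlv("9F36", b"\x00\x2A")
    + tlv("9F24", SAMPLE_PAR.encode("ascii"))
    + tlv("9F26", bytes(8)))

# Same template from a card personalized before PAR support: no 9F24 at all.
SAMPLE_RESPONSE_NO_PAR = tlv("77", tlv("82", b"\x39\x00") + tlv("9F36", b"\x00\x2B"))

if __name__ == "__main__":
    par = extract_par(SAMPLE_RESPONSE)
    print("PAR:", par, "BIN controller:", bin_controller(par))
    print("PAR from older card:", extract_par(SAMPLE_RESPONSE_NO_PAR))
```

`extract_par` returns `None` both when the tag is absent (a card personalized before the issuer's PAR deadline) and when the value is malformed, which is the case the transition-period business logic on later slides has to tolerate rather than treat as an error.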

What's the timeline for PAR?

- PAR availability varies by brand, issuer, acquirer, and how it is transmitted
- Visa and MasterCard already return the PAR to an issuer during provisioning
- There are many dependencies in the end-to-end rollout; I'll review some of them in the following slides

What's the timeline for PAR?

If reading the PAR directly from the card:
- Issuer dependencies: each network may give an issuer deadline to perso (personalize) PAR onto new cards. No mass reissue is planned, so availability requires a full reissue cycle.
- Software dependencies: the EMV kernel must have been certified after Jan 2017 (v4.3f), when PAR support was added via tag 9F24.

What's the timeline for PAR?

If reading the PAR from the authorization response:
- Issuers need to add support to get PAR from the token provider
- Acquirers need to be certified to handle PAR values from the issuer
- Acquirers need to add support and update their platform specifications
- VARs need to add support for PAR in upcoming certifications

How will it impact our compliance?

"Based on the underlying EMVCo description of PAR and its intended functions including the underlying guidelines for PAR generation, PAR data is not considered to be PCI Account Data and on its own is not subject to the underlying requirements for protecting PCI Account Data as specified in PCI DSS. PCI DSS still applies anywhere PCI Account Data is stored, processed, or transmitted. If any system storing, processing, or transmitting PAR also stores, processes, or transmits Account Data (such as a PAN), or is connected to systems that store, process or transmit Account Data, those systems remain in scope for PCI DSS requirements."
- PCI SSC FAQ 1374

How do I add support for PAR?

Disclaimer: this is not an exhaustive list. Supporting PAR will require updates to many components in the typical merchant environment:
- Payment terminal: supported in the EMV kernel
- POS: able to return non-strictly-numeric account identifiers
- Gateway: certified to handle PAR from the acquirer response
- Business software: payment events separated from non-payment tasks; support to handle cards without PAR returned during transition

What are some challenges with PAR?

- We are very early in the adoption process
- Unresolved regulatory concerns in Europe due to PSD2
- Staggered rollout schedule means applications need to support coexistence of both PAR and PAN for a while
- Reduction in PCI scope is only realized once migration is done
- Merchants without significant tokenization volume benefit less
- The security improvements are most valuable only in worst-case scenarios
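The "Risk & fraud" scenario (velocity limits across all derivative tokens), the "Business software" bullet on the support slide and the coexistence challenge above all come down to one design decision: what key the non-payment side of the system stores per customer. The following is an added example, not code from the deck or from Index, showing that decision in working form. It assumes a simplified authorization record (`AuthEvent`) that carries a gateway-issued token reference and an optional PAR but no PAN; the event fields, the sample transactions and the "V001..." PAR are constructed for the example. Keying on PAR aggregates the physical card and every *Pay token derived from it; when no PAR is returned yet, the code falls back to the gateway reference rather than to PAN, so the risk store never holds PCI Account Data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample PAR (not a real one): 4-character BIN controller prefix + 25 characters.
SAMPLE_PAR = "V001ABCDEFGHJKLMNPQRSTUVWXYZ0"

AccountKey = Tuple[str, str]   # (kind, value), e.g. ("par", "...") or ("gateway_token", "...")


@dataclass(frozen=True)
class AuthEvent:
    """What the business software receives per approved authorization (assumed shape).

    Deliberately carries no full PAN: only the gateway's own reference for the
    card or *Pay token, and the PAR when the acquirer returned one.
    """
    gateway_token: str
    par: Optional[str]        # None while the issuer/acquirer chain does not yet return PAR
    amount_cents: int


def account_key(ev: AuthEvent) -> AccountKey:
    """Identifier non-payment systems (risk, loyalty, analytics) store for this customer.

    Prefer the PAR, which is the same across the physical card and every token
    derived from it. During the transition, fall back to the gateway's token
    reference, which keeps raw PAN out of these systems even when no PAR exists.
    """
    if ev.par:
        return ("par", ev.par)
    return ("gateway_token", ev.gateway_token)


def token_key(ev: AuthEvent) -> AccountKey:
    """Pre-PAR behaviour: one key per card/token, so derivative tokens look like strangers."""
    return ("gateway_token", ev.gateway_token)


def velocity(events: Iterable[AuthEvent],
             keyfunc: Callable[[AuthEvent], AccountKey] = account_key) -> Dict[AccountKey, Tuple[int, int]]:
    """Transaction count and total amount (cents) per key."""
    totals: Dict[AccountKey, List[int]] = defaultdict(lambda: [0, 0])
    for ev in events:
        entry = totals[keyfunc(ev)]
        entry[0] += 1
        entry[1] += ev.amount_cents
    return {k: (v[0], v[1]) for k, v in totals.items()}


def over_limit(events: Iterable[AuthEvent], max_txns: int,
               keyfunc: Callable[[AuthEvent], AccountKey] = account_key) -> List[AccountKey]:
    """Keys whose transaction count exceeds max_txns within the window of events given."""
    return sorted(k for k, (count, _) in velocity(events, keyfunc).items() if count > max_txns)


# Constructed sample: one account used via its physical card, a phone and a
# watch (three different tokens, one PAR), plus a second card from an issuer
# that does not yet personalize or return PAR.
SAMPLE_EVENTS = [
    AuthEvent("tok-card-01", SAMPLE_PAR, 2500),
    AuthEvent("tok-phone-01", SAMPLE_PAR, 1800),
    AuthEvent("tok-watch-01", SAMPLE_PAR, 900),
    AuthEvent("tok-phone-01", SAMPLE_PAR, 4000),
    AuthEvent("tok-card-99", None, 1200),
    AuthEvent("tok-card-99", None, 700),
]

if __name__ == "__main__":
    # Per token nothing exceeds 3 transactions; per account the PAR-linked
    # account has 4 and trips the limit.
    print("per token:  ", over_limit(SAMPLE_EVENTS, 3, token_key))
    print("per account:", over_limit(SAMPLE_EVENTS, 3))
```

The two key functions make the coexistence cost visible: until every issuer and acquirer in the chain returns PAR, records keyed by `gateway_token` and records keyed by `par` for the same customer cannot be joined, which is why the PCI scope reduction on the slide above is only realized once migration is complete and the fallback path can be retired.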

About Index

Index is a leading retail software company that helps retailers transform their in-store payments and elevate checkout. Index's core payment solution, built upon a semi-integrated payment solution and hosted gateway, includes 1-Second EMV, 2048-bit RSA encryption with no P2PE fees, remote device management, and gateway + deployment tools.

About me

- BS Electrical Engineering and MBA from University of Texas, Austin
- Prior to Index, I worked at Broadcom as an embedded software engineer and at Apple as a Technical Program Manager in the Worldwide Operations organization
- At Index, my primary role is to own the relationship and strategy with upstream partners (acquirers and networks), and overall compliance

Questions? jrk@index.com