Tokenization
Gregory H. Soule, CPA, CISA, CISSP, CFE
Senior Manager, Andrews Hooper Pavlik PLC
Agenda
- and Implementation
- EMV, Encryption, Tokenization
- Apple Pay
- Google Wallet
- Recent Trends
- Resources

Agenda: and Implementation
EMV, Encryption, Tokenization
- How do these three technologies work together to secure payments?
- How do these technologies facilitate mobile payments?

EMV
- Europay, Mastercard, Visa
- Global standard for the use of integrated circuit (i.e., chip) cards and applicable card readers
- Contact and contactless POS terminals
- Authentication for physical transactions
- Standards managed by EMVCo LLC
- Magnetic stripe = data store; EMV chip = data processing capabilities
EMV
- The EMV chip, PAN, and POS terminal generate a security key (i.e., application cryptogram)
- The cryptogram is sent through the payments system to the issuer to process the transaction
- The issuer responds with a separate cryptogram

Encryption
- Transforming plaintext data into ciphertext using a key / algorithm
- Encryption of the primary account number (PAN) upon presentation (i.e., at the POS terminal)
- Point-to-point encryption: data is encrypted at the POS terminal and decrypted by the provider / processor / acquirer
- Various methods and solutions
- Applies to magnetic stripe, EMV, card-not-present (CNP), and tokenized transactions
Tokenization
- The process of substituting a sensitive data element with a non-sensitive data element, referred to as a token, that has no extrinsic or exploitable meaning or value

Tokenization
- Removes account data from the environment and replaces it with data that is meaningless outside of that environment
- Not a new technology
  - Gateway-side tokenization
  - Network-side tokenization
- Current standard issued by EMVCo in March 2014
Layers of Data Security
- PIN-based transactions
  - Must know the PIN for the card to work at POS, ATM, etc.
  - PINs are static data; PANs are still used
- Encryption
  - Protects data in transit
  - PAN or token is encrypted
  - Spans other methods

Layers of Data Security
- EMV chip
  - Unique information generated for each transaction
  - EMV chip provides authentication to the POS terminal and processing system
- Tokenization
  - Token is used in place of the PAN
  - Token is sent to the tokenization system to detokenize to the PAN
Benefits of Tokenization
- Security
  - Logical separation
  - Data de-valuation
- Can be applied to multiple types of data: SSN, driver's license, health
- Reduced PCI scope: less cardholder data
- Invisible to the consumer

Objections
- Cost: new systems
- Analytics
  - Buyer behavior and trends
  - Sales analysis
  - Demographics
Gateway-Side Tokenization
- Initial tokenization technology
- Merchant data storage
  - Single-pay tokens = one token for one transaction
  - Multiple-pay tokens = one token for many transactions
- Subsequent transactions: returns, future purchases

Gateway-Side Tokenization
- Card is presented
- PAN is encrypted and sent to the acquirer
- Acquirer passes the PAN through the payment network to the issuer for authorization
- Acquirer also tokenizes the PAN and stores the PAN-token mapping in a secure token vault
- Issuer provides authorization back to the acquirer
- Authorization and token are returned to the merchant
- Token is stored in all places where the PAN would reside
[Diagram: Card Present Transaction. Consumer authenticated through EMV; Merchant sends Encrypted PAN to Acquirer; Acquirer sends Encrypted PAN through Payment Network to Issuer; Issuer returns Auth; Acquirer creates Token and returns Auth + Token to Merchant; Merchant stores Token.]

Gateway-Side Tokenization
- Particularly valuable in CNP and e-commerce transactions
- Previously, encrypted card data was stored and submitted to the acquirer for each transaction
- With tokenization, the e-tailer can now store and submit multiple-pay tokens to the acquirer
- The acquirer then de-tokenizes and sends the PAN to the issuer for authorization
[Diagram: Card Not Present Transaction. Consumer authenticated through other mechanisms (user credentials, etc.); Merchant submits the stored Token to Acquirer; Acquirer de-tokenizes it into the PAN and sends Encrypted PAN through Payment Network to Issuer; Issuer returns Auth; Acquirer returns Auth to Merchant.]

Key Players
- Consumer
- Merchant
- Acquirer
- Payment networks
- Issuer
- Token
  - Tied to the acquirer
  - Random string of numbers, formatted unique to the acquirer
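The gateway-side flow on the preceding slides, as an added example that is not from the presentation or from any acquirer's product: a toy acquirer token vault in Python that issues random, card-number-formatted tokens tied to one acquirer, keeps the PAN-to-token mapping only inside the vault, and distinguishes single-pay from multiple-pay tokens. The 6-digit acquirer prefix, the Luhn formatting, the class and function names and the sample PAN are assumptions.

```python
import secrets

# Added example, not from the presentation: a toy gateway-side token vault
# of the kind the acquirer in the slides would run. The 6-digit acquirer
# prefix, the class/function names and the sample PAN are assumptions.

SAMPLE_PAN = "4111111111111111"  # constructed test card number, Luhn-valid


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a digit string (rightmost payload digit is doubled)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Acquirer-side vault: the only place the token-to-PAN mapping exists."""

    def __init__(self, acquirer_prefix: str = "999999"):  # assumed acquirer-specific prefix
        self._prefix = acquirer_prefix
        self._entries = {}      # token -> {"pan", "single_pay", "spent"}
        self._multi_pay = {}    # pan -> its reusable (multiple-pay) token

    def _new_token(self) -> str:
        # Random digits, so the token carries no information about the PAN;
        # a Luhn check digit keeps it formatted like a card number.
        while True:
            body = self._prefix + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._entries:
                return token

    def tokenize(self, pan: str, single_pay: bool = False) -> str:
        if not single_pay and pan in self._multi_pay:
            return self._multi_pay[pan]   # same card, same token for later purchases and returns
        token = self._new_token()
        self._entries[token] = {"pan": pan, "single_pay": single_pay, "spent": False}
        if not single_pay:
            self._multi_pay[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        entry = self._entries.get(token)
        if entry is None:
            raise KeyError("token not issued by this acquirer")
        if entry["single_pay"]:
            if entry["spent"]:
                raise PermissionError("single-pay token already used")
            entry["spent"] = True
        return entry["pan"]


def card_present_sale(vault: TokenVault, pan: str, amount: str) -> dict:
    """Merchant presents the PAN once; what it keeps afterwards is the token, never the PAN."""
    token = vault.tokenize(pan)                          # acquirer tokenizes and stores the mapping
    issuer_auth = {"approved": True, "amount": amount}   # stand-in for the issuer's authorization
    return {"auth": issuer_auth, "token": token}         # merchant record: auth + token, no PAN


def card_not_present_sale(vault: TokenVault, merchant_record: dict, amount: str) -> dict:
    """Later purchase or return: merchant submits the stored token, the acquirer de-tokenizes."""
    pan = vault.detokenize(merchant_record["token"])
    return {"approved": True, "amount": amount, "pan_last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = card_present_sale(vault, SAMPLE_PAN, "20.00")
    print("merchant stores:", record)
    print("later sale on token:", card_not_present_sale(vault, record, "5.00"))
```

A second vault with a different prefix cannot de-tokenize the first vault's token, which is the "tied to the acquirer" property from the Key Players slide, and the merchant's stored record holds an authorization and a token but no PAN, which is what takes that storage out of PCI scope.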
Network-Side Tokenization
- New model, based on EMVCo's Tokenization Standards
- Introduces new parties into the payments system
  - Token Requestor
  - Token Service Provider
- Instead of tokens issued/managed by the acquirer or gateway, they are managed by the payment networks
- Tokens look just like PANs (i.e., 16 digits)
- Compatible with existing payment infrastructure
- Tokenization phases
  - Token provisioning
  - Payment process using tokens
  - Token lifecycle
[Diagram: Token Provisioning. Authenticated Consumer enters PAN into app or secure wallet; PAN goes to Token Requestor, then to Token Service Provider, then to Issuer for approval; Token is created and stored in the secure token vault.]

[Diagram: Payment Process. Consumer authenticates to Merchant; Merchant passes Token to Acquirer; Token Service Provider de-tokenizes to PAN using the Token Vault; PAN goes through Payment Network to Issuer; Issuer Auth returns through Payment Network and Acquirer with PAN + Token.]
Token lifecycle
- Updates to the PAN / token mapping
- Initiated by either the token requestor or the issuer
- Consumer driven

Examples of token service providers
- Mastercard Digital Enablement Service
- Visa Token Service
- American Express Token Service

Other items
- One PAN can have multiple tokens: merchant app (e.g., Starbucks), Apple Pay, Google Wallet
- Token vault: fully PCI compliant; maintained by the payment networks
- Token use: if the tokenized PAN is used outside of the token ecosystem, it will be recognized by the Token Service Provider (based on the cryptogram) and rejected
Agenda
- Apple Pay
- Google Wallet
  - Android HCE
  - Softcard
- Recent Trends
Apple Pay
- Secure Element
  - Dedicated chip built into iPhone 6 devices that stores tokens
  - Physically separate from other storage areas on the device
  - Tokens stored within the iPhone's secure element are called the Device Account Number
- Tokenization based on the EMVCo standard
- Supports in-app payments

Apple Pay
- Device Account Number
  - Does not change over the life of the card it represents
  - 16 digits, similar to a normal PAN
  - Issued by the Token Service Provider
- Cryptogram
  - One-time number
  - Created at the time of the transaction based on data provided by the POS terminal, the tokenized PAN stored on the secure element, and a derived key created when the token is issued
  - Apple: "transaction-specific dynamic security code"
Provisioning
- Consumer enters card info into the iPhone's Passbook
  - Use the device's camera or enter manually
- This data is encrypted and sent to Apple, who functions as the Token Requestor
- This data is then passed to the Token Service Provider (TSP), depending on which card is used (i.e., Visa, Mastercard, AMEX)
- The TSP contacts the issuing bank for approval to issue a token
- A token is generated by the TSP and mapped to the PAN in the token vault
- The token is passed back to Apple and to the device to store in the secure element

Provisioning
- Apple does not store the PAN
- Apple does not store the token (or Device Account Number); this is stored on the device, in the secure element
- The token vault maintains the mapping between token and PAN
- Apple does not store transaction details; recent purchases are maintained in Passbook, however
- The merchant does not see the PAN; the merchant does have access to the DAN
[Diagram: Provisioning. Consumer enters card info into Passbook; PAN goes to Token Requestor, then to Token Service Provider, then to Issuer for approval; Token is created and stored in the secure token vault.]

Transactions
- Using a contactless NFC reader
  - iPhone is held near the NFC reader
  - Device can be locked and screen off
  - Default card will appear on the screen
  - Provide Touch ID or passcode
  - The device will vibrate and the reader will beep
  - If enabled, a notification will appear on the lock screen confirming the transaction
- Authentication
  - Provided by Touch ID or passcode
  - Nothing for the merchant cashier to verify
  - May need to sign the receipt
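The token use rule from the network-side slides (a token used outside the token ecosystem is recognized by the Token Service Provider from its cryptogram and rejected), together with the Apple Pay provisioning and cryptogram steps on the last three slides, as an added example that is not from the presentation, Apple or any payment network: a toy network-side TSP in Python. HMAC-SHA256 over the token, a transaction counter and the terminal data stands in for the scheme-specific cryptogram algorithm; the counter field, the issuer-approval callback, all class and function names and the sample PAN are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added example, not from the presentation or from Apple / the payment
# networks: a toy network-side token service with a device-held token and
# derived key. HMAC-SHA256 stands in for the card-scheme MAC algorithm;
# every name, the counter field and the sample PAN are assumptions.

SAMPLE_PAN = "4111111111111111"  # constructed test card number


def _cryptogram_input(token: str, atc: int, terminal_data: dict) -> bytes:
    # Fixed field order so the device and the TSP MAC exactly the same bytes.
    return f"{token}|{atc}|{terminal_data['amount']}|{terminal_data['unpredictable_number']}".encode()


@dataclass
class SecureElement:
    """What the device keeps after provisioning: the token (DAN) and its derived key, never the PAN."""
    token: str
    derived_key: bytes
    atc: int = 0  # assumed: per-token transaction counter, incremented for each cryptogram

    def build_payment(self, terminal_data: dict) -> dict:
        """Compute a one-time cryptogram over terminal data, token and counter."""
        self.atc += 1
        mac = hmac.new(self.derived_key, _cryptogram_input(self.token, self.atc, terminal_data),
                       hashlib.sha256).hexdigest()[:16]
        return {"token": self.token, "atc": self.atc, "cryptogram": mac, **terminal_data}


class TokenServiceProvider:
    """Network-side TSP: issues tokens on issuer approval, owns the vault, verifies cryptograms."""

    def __init__(self, issuer_approves):
        self._master_key = secrets.token_bytes(32)  # per-TSP root for deriving token keys
        self._vault = {}                            # token -> {"pan", "key", "last_atc"}
        self._issuer_approves = issuer_approves     # callback standing in for the issuing bank

    def provision(self, pan: str) -> SecureElement:
        if not self._issuer_approves(pan):
            raise PermissionError("issuer declined the token request")
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))  # looks like a PAN
            if token not in self._vault:
                break
        key = hmac.new(self._master_key, token.encode(), hashlib.sha256).digest()  # derived key
        self._vault[token] = {"pan": pan, "key": key, "last_atc": 0}
        return SecureElement(token=token, derived_key=key)

    def detokenize(self, payment: dict):
        """Return (pan, 'ok') only for a fresh, correctly MACed use of a token this TSP issued."""
        entry = self._vault.get(payment.get("token"))
        if entry is None:
            return None, "unknown token"
        try:
            expected = hmac.new(entry["key"],
                                _cryptogram_input(payment["token"], payment["atc"], payment),
                                hashlib.sha256).hexdigest()[:16]
        except KeyError:
            return None, "missing cryptogram fields"
        if not hmac.compare_digest(expected, str(payment.get("cryptogram", ""))):
            return None, "bad cryptogram"
        if payment["atc"] <= entry["last_atc"]:
            return None, "replayed transaction"
        entry["last_atc"] = payment["atc"]
        return entry["pan"], "ok"


def token_requestor(tsp: TokenServiceProvider, pan: str) -> SecureElement:
    """The wallet provider's role: forward the PAN to the TSP and hand the result to the device,
    keeping neither the PAN nor the token itself."""
    return tsp.provision(pan)


if __name__ == "__main__":
    tsp = TokenServiceProvider(issuer_approves=lambda pan: pan.startswith("4"))
    device = token_requestor(tsp, SAMPLE_PAN)
    payment = device.build_payment({"amount": "12.50", "unpredictable_number": "1a2b3c4d"})
    print(tsp.detokenize(payment))   # PAN released to the network
    print(tsp.detokenize(payment))   # same message again: rejected as a replay
```

The detokenize path is where the slide's "recognized by the Token Service Provider and rejected" happens: a token presented without the device's derived key cannot carry a valid cryptogram, and a captured message cannot be reused because its counter has already been consumed, so a token that leaks from a merchant system is of no use on its own.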
[Diagram: Payment Process. Consumer presents DAN to Merchant; Merchant passes it to Acquirer; Token Service Provider de-tokenizes to PAN using the Token Vault; PAN goes through Payment Network to Issuer; Issuer Auth returns with PAN + Token.]

Google Wallet
- HCE: Host Card Emulation
- Android: multiple device manufacturers, software developers
  - Who owns / controls the secure element or SIM card?
  - Will the carriers allow access to the secure element or SIM card?
- Solution: to the cloud
Google Wallet
- Card data stored in the cloud
- Consumer provides PAN detail to Google Wallet
- Google Wallet creates a Google Wallet Virtual Card (GWVC), which is essentially a virtual prepaid debit card issued by Google's partner, Bancorp Bank
- The Google Wallet Virtual Card is provided to merchants during NFC transactions
- Google then requests funds from the original issuer
- PAN is not stored on the device, but is stored by Google

Google Wallet
- Allows person-to-person payments through Gmail
- Users can obtain a physical Google Wallet Card that functions as a debit Mastercard connected to their Wallet Balance; can also be used at ATMs
- For NFC payments, the device must be awake and the screen unlocked
- Google provides fraud protection
- Google stores transaction details
[Diagram: Google Wallet transaction. Consumer gives PAN + GWVC; GWVC is stored on the device and presented at the contactless terminal; Merchant sends GWVC to Merchant Acquirer, then to the GWVC Issuer (Bancorp Bank); funds are requested from the Original PAN Issuer, which provides them.]

Softcard
- Joint venture between AT&T, T-Mobile, and Verizon
- Initially, the carriers' response to Google Wallet
- Fully released in 2013
- Used NFC communication for contactless payments
- Acquired by Google in February 2015
- Carriers will now include the Google Wallet app on supported Android devices
Samsung Pay
- Announced in March 2015
- Samsung Galaxy S6
- Uses tokenized transactions with information stored on the device
- Authentication is provided by the fingerprint reader on the device
- Supports NFC-based payments
- Also supports magnetic stripe-based payments

Samsung Pay
- Samsung acquired LoopPay
- LoopPay developed Magnetic Secure Transmission (MST), which uses magnets to emulate a magnetic stripe card as it is swiped through a reader
- Users place the Galaxy S6 near a standard magstripe reader, and the transaction will be read like a normal card transaction
- To be released with a firmware update to supported Galaxy devices this summer
Others: CurrentC
- Developed by Merchant Customer Exchange
- Merchant-owned
- Uses QR codes, either on the merchant's screen and scanned by the user, or on the user's device and scanned by the merchant
- Connected to a bank account, not a credit card

Others: Coin, Wocket, Plastc
- Pre-release or invite based
- Physical card that stores multiple cards
  - Credit/debit cards
  - Gift cards
  - Proximity-based door swipe cards
- Cards connected to a mobile device using Bluetooth
- Comes with a reader to swipe existing physical cards
- Includes a charging method
Agenda
- Resources

Resources
- EMVCo LLC: A Guide to EMV Chip Technology, November 2014
- EMVCo LLC: Payment Tokenisation Specification Technical Framework, March 2014
- Smart Card Alliance: Technologies for Payment Fraud Prevention: EMV, Encryption, and Tokenization, October 2014
- American Bankers Association
- Vendor-specific: Visa, MasterCard, American Express; First Data; Apple, Google
Questions?

Contact Information
Gregory H. Soule, CPA, CISA, CISSP, CFE
Senior Manager, Andrews Hooper Pavlik PLC
691 N. Squirrel Road, Suite 280
Auburn Hills, MI 48326
p: 248-340-6050
f: 248-340-6104
e: gregory.soule@ahpplc.com
www.ahpplc.com
Thank You

This presentation was produced in connection with an educational and informational program. It represents the statements and views of the author(s) alone and does not necessarily represent the official policies or positions of Andrews Hooper Pavlik PLC, its partners, or any sponsor of this program. This presentation is not intended to be, nor should it be construed as constituting tax, accounting, auditing, security, or consulting advice with regard to specific cases, transactions, or situations used by the author(s). Any accounting, business, or tax advice contained in this presentation, including attachments and enclosures, is not intended as a thorough analysis of specific issues, nor a substitute for a formal opinion, nor was it written to be used to avoid tax related penalties. Any brand names and/or logos displayed or discussed in this presentation are the property of their respective owners, are used for identification purposes only, and do not imply endorsement by or affiliation with AHP.