Cards on the table!
Bernd Filsinger
Payment Technology Services Lead
Client Support Services, Europe region
Notice of confidentiality
This presentation is furnished to you solely in your capacity as a customer of Visa Inc. and/or a participant in the Visa payments system. By accepting this presentation, you acknowledge that the information contained herein (the "Information") is confidential and subject to the confidentiality restrictions contained in Visa's operating regulations and/or other confidentiality agreements, which limit your use of the Information. You agree to keep the Information confidential and not to use the Information for any purpose other than in your capacity as a customer of Visa Inc. or as a participant in the Visa payments system. The Information may only be disseminated within your organization on a need-to-know basis to enable your participation in the Visa payments system. Please be advised that the Information may constitute material non-public information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material non-public information would constitute a violation of applicable U.S. federal securities laws.
Visa?
Visa: the payment scheme
- 3.1 billion Visa cards (Dec 2016)
- 65 000 txn/second
- 160 currencies
Agenda
- EMV migration status
- Card payment technology
- Contactless
- The Visa ecosystem: Card personalisation & testing
- Innovation and trends
EMV migration status
EMV migration Europe - Cards
- 533 million Visa cards in issuance, of which 445 m are EMV = 83.5 %.
- 71% are PIN preferring
Acceptance in Europe
- ~90-95% EMV POS terminals
EMV migration global terminals
EMV migration US
Card payment technology
Transaction flow
What is EMV?
- Global specification supporting smart card / terminal interoperability and transaction processing of credit and debit cards
- Non-competitive specification
- Developed by Europay, MasterCard and Visa (EMV) in 1994
- Now owned by Amex, Discover, JCB, MasterCard and Visa
- EMV Version 3.1.1 in 1998; EMV Version 4 in 2000
- EMV Version 4.3 since November 2011
Implementing Chip with VSDC January 2009
EMV and its Purpose
EMV provides international interoperability for chip-based credit and debit:
- Set of functions for communicating with card (protect card)
- Framework for card and cardholder authentication
- Framework for card and terminal risk management
It provides:
- Security: ability to "keep secrets"; active security; upgradeable
- Capacity: much more data on the card
- Data processing: ability to receive, process and supply data
Security and Services!
Payment Specifications
EMV specification hierarchy within the payment industry:
- NATIONAL (examples): ABI, UKIS, CB5, JCCA
- CARD SCHEMES: VIS, MCHIP, AEIPS
- INDUSTRY WIDE
EMV Specifications
[Diagram: scope of the EMV specifications. Regions: Not covered by EMV / EMV specifications / Not covered by EMV. Labels: Authorisation data; Transactions storage; Communication protocol; Transaction flow; Data; Interface; Interface & Data; Risk management; Personalisation; Internal functions]
EMV security benefits
Table columns: Type of Fraud; Counter-measures (Magnetic Stripe; VSDC)
Cell contents: Counterfeit; Card Verification Value (CVV) (Online Only); Static Data Authentication (Offline); iCVV (Online); Skimming; Lost & Stolen; PIN Verification Value (PVV) (Online Only); Static Data Authentication (Offline); Dynamic Data Authentication (Offline) + Offline PIN (Offline) OR Card Authentication (Online)
Visa EMV cards
VSDC contains the same data as the magnetic stripe and new features/data specific to the chip application:
- Offline and online usage controls
- The ability to authenticate the card's validity
- Offline PIN verification
- The ability to change the card's data after the card has been issued
VSDC = Visa Smart Debit/Credit
VSDC cards continue to carry a magnetic stripe with the same cardholder information as before:
- Cardholder Name
- Card Account Number
- Expiration Date
However, the Service Code must be updated to indicate the presence of a chip.
Chip transaction data flow
[Diagram: Chip Data -> Acquirer -> Chip Data -> Visa -> Chip Data -> Issuer; sample amount $52.95]
Chip transaction data flow
[Flow diagram, steps as labelled on the slide: Application Selection; Initiate Application; Read Application Data; Offline Data Authentication; Processing Restrictions; Cardholder Verification; Card and Issuer Authentication; Online Script processing; Terminal Risk Management; Card Risk Management; Online or Offline decision; Offline; COMPLETE]
Cardholder Verification
[Flow diagram, steps as labelled on the slide: Application Selection; Initiate Application; Read Application Data; Offline Data Authentication; Processing Restrictions; Cardholder Verification; Terminal Risk Management; Card Risk Management; Approve? Decline? Online?; Offline; Online Scripts; Online Authentication]
- Issuer decides on their Cardholder Verification Method (CVM) List and personalises it onto the card: Online PIN, Signature, Offline Enciphered PIN, Offline Plaintext PIN
- The terminal reviews the card's CVM List and determines which CVM to use for the transaction (based on the CVM supported by the terminal)
- For Mobile: CDCVM (Cardholder Device CVM) / Passcode
CVM Decision (CVM = Cardholder Verification Method)
- Card's CVM List: Offline Enciphered PIN, Offline Plaintext PIN, Online PIN, Signature, No CVM
- Terminal's Supported CVMs: Signature, Online PIN, No CVM
- [Diagram marks: X X X]
The terminal checks the card's CVM list and the first mutually supported method is selected.
For this example: Signature
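Added example, not from the original presentation: the selection rule on this slide applied to a CVM List as encoded in EMV tag 8E (two 4-byte amounts followed by 2-byte CV Rules). It goes beyond the slide by also honouring the per-rule "continue on failure" bit. The sample lists and terminal capability sets are constructed, and only condition codes 00 (always) and 03 (if terminal supports the CVM) are modelled.

```python
# Added example: CVM List (EMV tag 8E) parsing and CVM selection.
# Layout: 4-byte amount X, 4-byte amount Y, then 2-byte CV Rules in issuer priority order.
CVM_METHODS = {
    0x00: "Fail CVM", 0x01: "Offline Plaintext PIN", 0x02: "Online PIN",
    0x04: "Offline Enciphered PIN", 0x1E: "Signature", 0x1F: "No CVM",
}
ALWAYS, IF_TERMINAL_SUPPORTS = 0x00, 0x03   # the two condition codes handled here

def parse_cvm_list(raw: bytes):
    """Return the CV Rules as (method name, continue-on-failure flag, condition code)."""
    if len(raw) < 10 or (len(raw) - 8) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte CV Rules")
    rules = []
    for i in range(8, len(raw), 2):
        code, condition = raw[i], raw[i + 1]
        method = CVM_METHODS.get(code & 0x3F, "unrecognised")  # low 6 bits: method
        rules.append((method, bool(code & 0x40), condition))   # 0x40: try next on failure
    return rules

def select_cvm(raw: bytes, terminal_supported: set):
    """Walk the card's list in order; return the chosen method, or None if CVM fails."""
    for method, continue_on_fail, condition in parse_cvm_list(raw):
        supported = method in terminal_supported
        if condition == IF_TERMINAL_SUPPORTS and not supported:
            continue                      # condition not met: try the next rule
        if condition not in (ALWAYS, IF_TERMINAL_SUPPORTS):
            continue                      # amount/transaction-type conditions not modelled
        if supported:
            return method
        if not continue_on_fail:
            return None                   # rule applied, failed, and forbids falling through
    return None

# Constructed sample mirroring the slide's card list (priority order preserved).
CARD_CVM_LIST = bytes.fromhex("00000000" "00000000" "4403" "4103" "4203" "5E03" "1F00")
# Constructed: issuer demands Online PIN unconditionally, with no fall-through.
STRICT_CVM_LIST = bytes.fromhex("00000000" "00000000" "0200" "1E03")

if __name__ == "__main__":
    # Constructed terminal capability sets (assumptions, not from the slide).
    print(select_cvm(CARD_CVM_LIST, {"Signature", "No CVM"}))
    print(select_cvm(STRICT_CVM_LIST, {"Signature"}))
```

The second call shows why "first mutually supported" is only part of the picture: a rule that applies unconditionally and does not allow fall-through ends cardholder verification instead of dropping down to a weaker method.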
The Cryptogram
- Authorisation: card encrypts data and sends to issuer host for decryption.
- This is known as online Issuer Authentication and Card Authentication Mechanism (CAM)
- [Diagram: Network: Terminal, Acquirer, Scheme to issuer; "3DES Key" shown twice]
- ARQC = Authorisation Request Cryptogram (in request)
- ARPC = Authorisation Response Cryptogram (in response)
Note: VisaNet can also validate ARQC and generate ARPC on issuer's behalf (like the VisaNet CVV service)
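Added example, not from the original presentation: both sides of the ARQC/ARPC exchange described on this slide, showing that altered or replayed transaction data fails at the issuer and that the card can check the response. HMAC-SHA-256 truncated to 8 bytes stands in for the 3DES MAC; the session-key derivation, field layout, transaction counter (ATC) check, response code and key are simplified assumptions, not Visa's algorithm.

```python
import hashlib
import hmac

def mac8(key: bytes, data: bytes) -> bytes:
    """Stand-in for the 3DES MAC: HMAC-SHA-256 truncated to the 8-byte cryptogram size."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def session_key(card_key: bytes, atc: int) -> bytes:
    """Assumed, simplified per-transaction key derived from the card key and counter."""
    return hmac.new(card_key, b"SK" + atc.to_bytes(2, "big"), hashlib.sha256).digest()

def make_arqc(card_key, amount_minor, currency, atc, unpredictable_number):
    """Card side: cryptogram over transaction data, sent in the authorisation request."""
    data = (amount_minor.to_bytes(6, "big") + currency.to_bytes(2, "big")
            + atc.to_bytes(2, "big") + unpredictable_number)
    return mac8(session_key(card_key, atc), data)

def make_arpc(card_key, atc, arqc, arc):
    """Cryptogram over the ARQC XORed with the zero-padded response code."""
    block = bytes(a ^ b for a, b in zip(arqc, arc.ljust(8, b"\x00")))
    return mac8(session_key(card_key, atc), block)

def issuer_authorise(card_key, fields, arqc, last_atc):
    """Issuer host: recompute ARQC, reject mismatches and stale counters, answer with ARPC."""
    if fields["atc"] <= last_atc:
        return None                                   # replayed or cloned transaction data
    if not hmac.compare_digest(make_arqc(card_key, **fields), arqc):
        return None                                   # card not genuine or data altered
    arc = b"00"                                       # approval response code
    return arc, make_arpc(card_key, fields["atc"], arqc, arc)

def card_verify_arpc(card_key, atc, arqc, arc, arpc):
    """Card side: issuer authentication, proves the response came from the key holder."""
    return hmac.compare_digest(make_arpc(card_key, atc, arqc, arc), arpc)

# Constructed sample values (not real keys or card data).
CARD_KEY = bytes(range(16))
TXN = {"amount_minor": 5295, "currency": 840, "atc": 7,
       "unpredictable_number": bytes.fromhex("a1b2c3d4")}

if __name__ == "__main__":
    arqc = make_arqc(CARD_KEY, **TXN)
    arc, arpc = issuer_authorise(CARD_KEY, TXN, arqc, last_atc=6)
    print(arqc.hex(), arc, card_verify_arpc(CARD_KEY, TXN["atc"], arqc, arc, arpc))
```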
CVM preferences & Acceptance landscape (CVM = Cardholder Verification Method)
- Europe: most commonly used CVMs for cards at POS are offline & online PIN. Signature to a much lesser extent.
- Exceptions are: UK, France, Finland, Ireland, Iceland, which do NOT support online PIN at POS terminals.
- US: signature, PIN
- Online only in US, Europe moving towards more online (ZFL* for contact; ZFL for contactless in selected key countries from 10/2017)
* ZFL: zero floor limit, i.e. transaction always goes online
Contactless
Offline Transaction Risk Management
- Domestic Offline Value Based: Value based limits for transactions carried out in domestic currency. Limits on both accumulated value and single transaction value.
- Low Value Payment (VLP) option: Designed to allow you to limit contactless offline spending on the Visa payWave card independently of any offline risk management or limits for contact transactions.
- Low Value with Cumulative Total Transaction Amount (CTTA) option: Designed to allow you to limit all offline spending on the Visa payWave card (both contact and contactless).
- New functionality allows support for up to 5 additional currencies which are converted into the domestic currency and treated as domestic.
7/18/2017 Visa Europe
Offline Transaction Risk Management: Low Value Payment (VLP) option + CTTA
- CTTA (Cumulative Total Transaction Amount) tracks the cumulative amount of contact and contactless transactions. Counts up from zero.
- Required settings: CTTA Limit, CTTA Upper Limit
[Diagram values: CTTAUL 250; CTTAL 200; Available Funds 50; VLP Funds Limit 50; Single Transaction limit 15; VLP Threshold 15; CTTA 0. Caption: VLP + CTTA working in parallel]
Our vision: making daily life easier with contactless
Leave home; Pay for the toll; Park the car; Grab a coffee; Lunch; Board the train; Back on the train; Grab a snack; Pick up the car; Home again
Visa Europe Confidential
Visa contactless evolution
- 2007: Cards only; Debit/Credit only; Offline only; LVP (low value payment) only
- 2016: All form-factors; All business lines; Online-capable; LVP and HVP (low/high value)
Transport for London
- 3 million customers every day
- 3.3bn journeys every year
- 8.2bn income
- 2.9bn in fare revenues
- Multiple modes of transport
- Complex fare model
Contactless mandates / Contactless market share
- Terminal mandate: Dec 2015 for new terminals, and by Dec 2019 all terminals must be dual interface
- Card mandate: Dec 2016 (key markets)
The Visa ecosystem: Card personalisation & testing
Visa Ecosystem: where do our rules apply
[Diagram labels: Merchant; Acquirer; Visa; Issuer; Store; Member Bank; Vendors]
Innovation process
- Typically the innovative vendor finds an interested issuer (or vice versa)
- They approach Visa
- Pilot waiver for trial period
- If successful, included in BAU rules
- Then available for commercial use
New Visa innovation culture:
- Innovation Centre (Visa European region HQ, London)
- APIs, SDKs, ...
Testing Principles
Card testing at Visa:
- Level 1 / level 2 testing at EMVCo/Visa-approved lab
- Personalisation ("application level" / "level 3") testing at Visa (or self-service)
General testing principles:
- Balance efficiency with infrastructure quality
- Drive self-service / automation
- Give a role to third parties / testing houses
Type approval timeline
- Chip Bulletin 36: Card Lifecycle Management Policy (Nov 2015)
Card products
- Happy with (and agnostic about) a diversity of chip products (native, JavaCard, jnet, ...)
- CPA: already sunset this year, but continued type approval for the products in the Europe region (Seccos, EMV I 16/20) from London
How VPA Bridges The Personalisation Gap (VPA = Visa Personalisation Assistant, a mandated online tool)
Step 1: VPA (Bank)
- Make VSDC personalisation business decisions
- Review and confirm business decisions
- Create output file
- Provide VPA output file to data preparation
- Provide VPA output file to personalisation validation
Step 2: Data Preparation (Bank / Bureau; Data Preparation Module)
- Use VPA output file for VSDC parameters
- Add cardholder specific data (from issuer)
- Add cryptographic data (e.g., SDA data, DES keys)
- Create data prep output file
How VPA Bridges The Personalisation Gap (Bank / Bureau)
Step 3: Personalisation
- Use data preparation file to personalise cards
Step 4: Personalisation Validation
- VPA output file as personalisation validation profile
- Validate personalisation settings
VPA Entry Screen: generation of the relevant profile
- Possible to generate profiles to both VIS 1.4.1 and 1.5.1 specs for contact and VCPS 2.1.1 for contactless.
- Selection takes place on the VPA Entry Screen
European issuance landscape
- Great variety of profiles, too much variety
- Complex risk management still needed in the new zero-floor limit landscape?
New process during 2017:
- Set of simplified profiles in VPA-SPS
- Self-service testing for issuers
Biometrics
Biometrics - Specifications Update
EMVCo Biometric Terminal Specification (SB-185)
- Published March 2017.
- Optional enhancement to EMV terminals.
- Supports capture on terminal and match on card mode.
- Supports capture on terminal and match on host mode.
- Supports Facial, Finger, Iris, Palm and Voice verifications.
- Defines new CV Methods and defines previously RFU bits in TVR.
- Support on a terminal requires use of a Biometric Solution ID to identify the biometric solution. If a Biometric Solution ID has not yet been assigned to the biometric solution, this requires registration with EMVCo to obtain a Biometric Solution ID; process being defined in EMVCo.
Visa Biometric Card Specification (VBCS) 1.2
- Expected to be published in Q2 2017.
- Supports capture on terminal and match on card mode.
- Supports Facial, Finger, Iris, Palm and Voice verifications.
- Supports 1:1 and 1:N matching mechanisms.
- Applet under development works with a separate biometric matching applet to store reference biometric template and do the biometric comparison
Innovation & Trends
Card innovation
- Multi-application products (e.g. debit/credit on the same card)
- Multichoice cards
- Issuer Discretionary Data for product differentiation at issuer host level
- Dynamic CVV2 products in France (Chip Bulletin 40)
- Fleet card product: extra data on the card, on the card-terminal interface, in the transaction message
Microtags
Microtags and Meta CVM
- Wearables are complementary to mobile and card; challenge in Offline PIN markets
- Meta CVM refers to a CVM validated elsewhere at the issuer host
- Meta CVM typically managed by companion app on the mobile phone
Mobile
The SE (Secure element for mobile payment credentials): where it lived (and still lives) before it moved into the cloud in HCE (Host Cloud Emulation)
Tokenisation
Terminal innovation
- mPOS ("mobile Point-of-Sale") devices make use of cardholder device for acceptance
- Greater variety (e.g. tablet device which is POS, unattended POS, mPOS at the same time)
Regulatory challenges for European issuance
- Visa enables issuers to be compliant with regulatory requirements
- E.g. IFR (Interchange fee regulation) product identification:
  - Mandate to personalise product identifier on the card
  - Guidance to acquirers/retailers/terminal vendors for best-practice implementation of product choice at point-of-sale
  - In practice: little take up by the retailers
- Further regulatory requirements around CVM
Thank you
Any questions?
filsingb@visa.com