The Migration to EMV in the USA from a Founder's Perspective. Philip Andreae, Oberthur Technologies.
Our environment (word cloud from the slide): chip cards and SIM/multi-SIM, identity cards and passports, access control, banking cards, transport, NFC and mobile financial services, M2M, embedded secure elements, the cloud, big data, the Internet of Things, mobility, green products and converging form factors.
Our environment
- 14 billion connected M2M devices in 2020
- 3 billion payment smart cards shipped in 2017
- 75% of passports will be electronic by 2016
- 1.2 billion NFC-enabled phones sold in 2018
- Mobile payment market of $721 billion in 2017
- 80% of ID cards are expected to be electronic in 2015
Mobility, at the heart of OT world
Why Are We Here?
- August 2011: Visa Inc. announced its roadmap
- June 2012: American Express, Discover and MasterCard agreed to converge on the same common timeline
- April 2013: Acquirers and processors must support EMV transactions
- April 21st 2014: Court of Appeal found for the Board of Governors of the Federal Reserve
- April 30th 2014: EMF published the Debit Technical White Paper
- October 2015: Liability shift. Liability is the responsibility of the party not protecting the transaction; liability remains the issuer's if the merchant upgrades to EMV
- October 2017: Liability shift for gas stations
December 2013: Following a number of compromises (Target, Neiman Marcus), the time has come for the U.S. to embrace EMV.
EMV, the Global Standard for Credit & Debit Payments
In 1993 the international payment brands decided the long-term solution to fraud was the ICC and agreed to develop a common specification to assure global interoperability. They agreed the requirements and published the Integrated Circuit Card Specifications for Payment Systems. EMVCo is owned and staffed by Visa, MasterCard, JCB, American Express, UnionPay and Discover.
What EMV delivers: counterfeit protection, off-line and on-line authentication, lost and stolen fraud protection, cardholder verification, offline authorization, cost reduction, revenue creation, value added services.
EMV Is Based On The Classic Smart Card Business Case
- A CAM (Card Authentication Method) to stop counterfeit losses
- A CVM (Cardholder Verification Method) to reduce lost and stolen card fraud
- Card Risk Management to assure payment everywhere
- Support for value added services
- The intangible value of security
One Green Void In a Sea of Color
USA Last to Migrate to EMV
Why have US payment card issuers resisted EMV migration?
- The US has a robust, 100% online (network) infrastructure employing sophisticated fraud management techniques
- The US contactless initiative failed to produce positive revenue
- The perceived economics haven't justified the investment on the issuer or merchant side of the transaction
- QR codes require much less investment in terminal hardware
- Interchange has created opportunities to create cloud and ACH based alternatives
- Many ask why an old technology (EMV) when the cloud and smart phones are the future
EMV IS A PROVEN SOLUTION TO REDUCE FRAUD AT THE POINT OF SALE. THE TIME HAS COME TO MIGRATE.
[Chart: forecast of US EMV cards for 2014 through 2018 (y-axis 0 to 1,400), with High, Base and Low scenarios; includes estimates for debit, credit, PLCC and prepaid; an extrapolation using the recent Payment Security Task Force projection of 575 credit and debit cards.] As a result of the data breaches, the US market is accelerating beyond expectations.
Benefits of EMV to Merchants and Acquirers
Acquirer:
- Irrefutability of transaction
- Reduced costs through offline transactions
- Reduced cost of handling chargebacks
- Low value transactions
- Drives transaction growth
- New revenue opportunities: rewards, consumer profile, loyalty, other value-added services
Merchant:
- Guarantee of payment
- Reduced costs through offline transactions
- Opportunity to expand unattended payment locations
- Enhanced efficiencies: speed and ease of use at the POS, reduced storage of paper receipts, improved dispute procedures
- Reduces fraud
- Builds infrastructure for NFC mobile commerce
Benefits of EMV to Issuers
- EMV pro-activity provides a competitive advantage
- EMV issuance protects the brand
- Reduced fraud; therefore fewer exceptions
- Liability shift reduces the financial exposure of the issuer
- More secure payment card
- Unique PINs for each person on the account
- Global interoperability
- Efficiency in servicing low value transactions
- Ability to support credit and debit on a card
- New revenue opportunities
- Paves the way for use of NFC mobile payments
Business Process Implications
With the decision to move to EMV, financial institutions have decisions to make:
- Impact of product and EMV program design
- Inclusion of chip in card design
- Consumer-selected PIN management
- Card production and issuance
- Card/chip lifecycle must be managed
- Card issuance and replacement
- Call center representative training
- Changes to back-office procedures
- Consumer card usage education
- Marketing opportunities
Back Office Debit and Credit Systems
Many systems require upgrade or replacement:
- Credit card systems must perform online authentication
- Banking systems must perform online authentication
- Key management becomes a core competency
- Integration with card management processes
- New PIN management techniques required
- Fraud and risk management systems
- Card life cycle must be managed
- Card issuance and replacement
AN EMV PRIMER
Authentication, Verification, Authorization and Irrefutability: four words describe what EMV offers the payment industry.
Three Key Capabilities Are Defined by EMV
EMV is designed to be future proof: based on a stable standard, built on evolving technologies.
- Authentication (what you have): offline by the terminal; online on the issuer host
- Verification (what you know): signature; PIN, in the chip or on the host; no CVM; offline, using issuer-defined card risk management parameters
- Authorization (you have the funds): online, zero floor limit, host authorized
Field 55 Designed to Support Authentication
Participants: merchant, acquiring bank, payment switch, issuing bank.
Authorization or financial request: the ARQC authenticates the card to the issuer.
- Terminal interface to chip: prepare authorization, draft data capture
- Acquirer: select the appropriate route, forward to the payment network
- Payment network: validate transactions, route to issuer, settle between issuer and acquirer
- Issuer: authenticate the ARQC, authorize the transaction, prepare the ARPC and scripts, return the authorization response, settle with the merchant at completion or end of day
Authorization or financial response: the ARPC authenticates the issuer to the card, and is a chance to update the card with scripts.
Clearing and settlement: the Transaction Certificate assures irrefutability; optionally authenticate the TC; settle with the payment system.
EMV Defined Application Selection: Issuer Control and Consumer Choice
Flow: insert card; Answer to Reset; select AID(s) through the PSE (Payment Systems Environment) or the terminal's list; develop the candidate AID list; consumer selection. Example reader prompt: "Enter 1, 2, 3 or 4 to select payment method": 1. Personal Credit Card, 2. Corporate Credit Card, 3. Family Debit Card, 4. Personal Debit Card.
AID: Application Identifier.
Chip Cards Can Support Various Applications (key uses: security, authentication, identification and data storage)
- PSE (Payment Systems Environment): credit, debit, stored value, home banking, payment guarantee
- IATA (International Air Transport Association): ticket, itinerary, boarding pass, frequent flyer, VIP security
- Subscriber: calling card, parking cards, fitness club, library card, campus cards
- Loyalty: points, rewards, coupons, discounts, punch card
- ID: passport, driver's license, corporate ID, national ID, photo, biometrics
- Health: pharmacology, emergency data (blood type, donor status, allergies), physician's details, health insurance
- Transit: token, tap on/tap off, senior/student, period pass, car key
Mobile Devices Solve the Branding Issue
EMV was designed to be future proof: a stable standard built on evolving technologies. NFC and HCE are built on the same stable standard, employing evolving technologies. (The slide repeats the application matrix of the previous slide.)
Business Relationships and Infrastructure Is Key
Card application, terminal application and host application, connected over a VPN. Card file structure per ISO 7816-4: Master File (MF), DF (Data File on the slide; Dedicated File in ISO 7816-4) and Elementary File (EF).
Inter-industry commands: READ BINARY, WRITE BINARY, UPDATE BINARY, ERASE BINARY, READ RECORD(S), WRITE RECORD, APPEND RECORD, UPDATE RECORD, GET DATA, PUT DATA, SELECT FILE, VERIFY, INTERNAL AUTHENTICATE, EXTERNAL AUTHENTICATE, GET CHALLENGE, MANAGE CHANNEL, GET RESPONSE, ENVELOPE.
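How the inter-industry commands above travel between terminal and card, as an added example that is not from the presentation: an ISO 7816-4 short APDU encoder and parser, status-word decoding, and a tiny simulated card to run SELECT and READ RECORD against. The command and status-word codings are those of ISO 7816-4 and EMV Book 1; the card's AID, FCI bytes and records are constructed for this example.

```python
"""ISO 7816-4 command APDUs, status words and a simulated card (added example).
Codings follow ISO 7816-4 / EMV Book 1; the card contents are constructed."""
from __future__ import annotations

INS = {"SELECT": 0xA4, "READ_RECORD": 0xB2, "GET_DATA": 0xCA, "VERIFY": 0x20, "GET_CHALLENGE": 0x84,
       "INTERNAL_AUTHENTICATE": 0x88, "EXTERNAL_AUTHENTICATE": 0x82, "GET_RESPONSE": 0xC0}

STATUS_WORDS = {0x9000: "success", 0x6A82: "file or application not found", 0x6A83: "record not found",
                0x6982: "security status not satisfied", 0x6983: "authentication method blocked",
                0x6985: "conditions of use not satisfied", 0x6A86: "incorrect P1-P2",
                0x6D00: "instruction not supported"}


def describe_sw(sw: int) -> str:
    """Decode SW1SW2, including the three families that carry a value in SW2."""
    if sw >> 8 == 0x61:
        return f"success, {sw & 0xFF} more bytes available via GET RESPONSE"
    if sw >> 8 == 0x6C:
        return f"wrong Le, retry with Le={sw & 0xFF}"
    if sw & 0xFFF0 == 0x63C0:
        return f"verification failed, {sw & 0x0F} tries remaining"
    return STATUS_WORDS.get(sw, f"unknown status {sw:04X}")


def build_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"", le: int | None = None) -> bytes:
    """Short-form APDU: 4-byte header, optional Lc + data, optional Le (0 means up to 256 bytes)."""
    apdu = bytes([cla, ins, p1, p2])
    if data:
        if len(data) > 255:
            raise ValueError("short APDU data limit exceeded")
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])
    return apdu


def select_by_aid(aid_hex: str) -> bytes:
    return build_apdu(0x00, INS["SELECT"], 0x04, 0x00, bytes.fromhex(aid_hex), 0)


def read_record(sfi: int, record: int) -> bytes:
    """P1 = record number, P2 = SFI shifted left 3 with the low bits 100 (read by record number)."""
    return build_apdu(0x00, INS["READ_RECORD"], record, (sfi << 3) | 0x04, le=0)


def parse_apdu(apdu: bytes) -> dict:
    """Split a short APDU into its fields (ISO 7816-4 cases 1 to 4)."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than header")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if not body:
        return dict(cla=cla, ins=ins, p1=p1, p2=p2, data=b"", le=None)
    if len(body) == 1:
        return dict(cla=cla, ins=ins, p1=p1, p2=p2, data=b"", le=body[0])
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:
        raise ValueError("Lc does not match data length or trailing bytes after Le")
    return dict(cla=cla, ins=ins, p1=p1, p2=p2, data=data, le=rest[0] if rest else None)


class SimulatedCard:
    """Constructed card: one payment AID whose FCI names the DF, and two records in SFI 1."""

    def __init__(self):
        self.apps = {bytes.fromhex("A0000000031010"): bytes.fromhex("6F0B8407A0000000031010A500")}
        self.records = {(1, 1): bytes.fromhex("70045A024111"), (1, 2): bytes.fromhex("70055F2403151231")}
        self.selected = None

    def transmit(self, apdu: bytes) -> tuple[bytes, int]:
        c = parse_apdu(apdu)
        if c["ins"] == INS["SELECT"]:
            if c["p1"] != 0x04:
                return b"", 0x6A86
            fci = self.apps.get(c["data"])
            if fci is None:
                return b"", 0x6A82
            self.selected = c["data"]
            return fci, 0x9000
        if c["ins"] == INS["READ_RECORD"]:
            if self.selected is None:
                return b"", 0x6985
            if c["p2"] & 0x07 != 0x04:
                return b"", 0x6A86
            rec = self.records.get((c["p2"] >> 3, c["p1"]))
            return (rec, 0x9000) if rec else (b"", 0x6A83)
        return b"", 0x6D00


def run_transaction_prefix(card: SimulatedCard) -> list[str]:
    """SELECT the AID, then read SFI 1 records until 'record not found', logging each status word."""
    log = []
    for apdu in [select_by_aid("A0000000031010"), read_record(1, 1), read_record(1, 2), read_record(1, 3)]:
        data, sw = card.transmit(apdu)
        log.append(f"{apdu.hex().upper()} -> {data.hex().upper() or '-'} {sw:04X} {describe_sw(sw)}")
    return log


if __name__ == "__main__":
    print("\n".join(run_transaction_prefix(SimulatedCard())))
```

The log line format mirrors what a terminal trace tool shows, so the same `describe_sw` can be pointed at a real APDU capture when diagnosing certification failures.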
EMV Impacts the Merchant's Systems
Components: PED (PIN entry device), cash register, store server, local store, merchant data center, VPN to the acquirer, payment switch and debit networks.
- Replace the PIN pad with an EMV PIN Entry Device
- Upgrade payment software to support the EMV transaction flow and the payment networks
- Add Bit 55 with TLV coded data elements
- Certify with the acquirer and payment networks
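The "Bit 55 with TLV coded data elements" step, as an added example that is not from the presentation: a BER-TLV parser for the chip data the merchant places in Field 55, with a check for the elements an issuer host needs before it can recompute the ARQC. Tag names follow EMV Book 3 Annex A; the Field 55 record is constructed for this example and its cryptogram value is arbitrary.

```python
"""BER-TLV parsing of Field 55 data elements (added example; sample record constructed)."""
from __future__ import annotations

# EMV tags a practitioner typically sees in Field 55 (tag -> data element name).
TAG_NAMES = {
    "82": "Application Interchange Profile (AIP)",
    "95": "Terminal Verification Results (TVR)",
    "9A": "Transaction Date",
    "9C": "Transaction Type",
    "5F2A": "Transaction Currency Code",
    "9F02": "Amount, Authorised",
    "9F10": "Issuer Application Data",
    "9F1A": "Terminal Country Code",
    "9F26": "Application Cryptogram (ARQC/TC/AAC)",
    "9F27": "Cryptogram Information Data",
    "9F36": "Application Transaction Counter (ATC)",
    "9F37": "Unpredictable Number",
}

# Without these the issuer host cannot recompute and check the ARQC.
REQUIRED_FOR_ARQC = ("9F26", "9F27", "9F36", "9F37", "95", "9F10", "82", "9F02", "9F1A", "5F2A", "9A", "9C")


def _read_tag(buf: bytes, pos: int) -> tuple[bytes, int]:
    """A tag continues past its first byte when bits 1-5 of that byte are all set;
    each further byte continues while bit 8 is set (BER rules, EMV Book 3 Annex B)."""
    start = pos
    first = buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    return buf[start:pos], pos


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Short form (< 0x80) is the length itself; long form 0x8n is followed by n length bytes."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def parse_tlv(buf: bytes) -> dict[str, bytes]:
    """Parse a TLV sequence into {tag-hex: value}. Constructed tags (bit 6 of the first
    tag byte) are flattened; padding bytes 00/FF between elements are skipped."""
    out: dict[str, bytes] = {}
    pos = 0
    while pos < len(buf):
        if buf[pos] in (0x00, 0xFF):
            pos += 1
            continue
        tag, pos = _read_tag(buf, pos)
        length, pos = _read_length(buf, pos)
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag.hex().upper()}")
        pos += length
        if tag[0] & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag.hex().upper()] = value
    return out


def describe(fields: dict[str, bytes]) -> list[str]:
    """Human-readable dump for a log or a dispute record."""
    return [f"{tag} {TAG_NAMES.get(tag, 'unknown')}: {value.hex().upper()}" for tag, value in fields.items()]


def missing_for_arqc(fields: dict[str, bytes]) -> list[str]:
    """Tags the issuer host would need but the record lacks."""
    return [t for t in REQUIRED_FOR_ARQC if t not in fields]


def amount_authorised(fields: dict[str, bytes]) -> int:
    """9F02 is 6 bytes of BCD in minor units (cents for USD)."""
    return int(fields["9F02"].hex())


# Constructed Field 55 record; 9F10 deliberately uses the long-form length 81 07.
SAMPLE_FIELD55 = bytes.fromhex(
    "82021C00"
    "9F26081122334455667788"
    "9F270180"
    "9F3602001B"
    "9F37041A2B3C4D"
    "95050000008000"
    "9A03140630"
    "9C0100"
    "9F0206000000012345"
    "5F2A020840"
    "9F1A020840"
    "9F10810706010A03A00000"
)

if __name__ == "__main__":
    fields = parse_tlv(SAMPLE_FIELD55)
    print("\n".join(describe(fields)))
    print("amount:", amount_authorised(fields), "missing:", missing_for_arqc(fields))
```

A merchant or acquirer certification test can feed the parser captured Field 55 payloads and fail any message for which `missing_for_arqc` is non-empty, which is the usual cause of "cryptogram could not be validated" responses during pilot.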
Chip Cards Come In Multiple Form Factors
Contact card: 1. One chip connected to external contacts. 2. Works only in contact mode.
Pure contactless card*: 1. One chip connected to the antenna and buried inside the plastic body. 2. Works only in contactless mode.
Dual interface card*: 1. One chip embedded with external contacts and antenna connections. 2. Works in contact and contactless mode (contactless like US contactless and NFC transactions; a future proof solution).
*Not compatible with foil card designs
The Card Operating System
Native (proprietary OS):
- Supplied by all major vendors
- Highly secure: hardware (EAL5+) and software (EAL4+)
- Dominant smart card technology: most widely deployed to date
- Full EMV compatibility for single- and multi-application payment cards
- Offers the best price competitiveness to issuers; ideal choice for EMV migrating markets and a mass volume penetration strategy
- Optimized OS and applications for best-in-class memory consumption and timing performance
- Full compatibility with EMV common personalization systems, offering issuers multiple sourcing and seamless product migrations (lower switching cost)
- Many providers competing on performance and security, with multiple silicon providers
Java (Global Platform):
- Industry open standard: offers the largest multi-sourcing to issuers
- High portability and security
- Open business model: issuer-centric or multi-issuer
- Possibility to reuse existing infrastructure (KMS, CA): Java cards can be issued using any Global Platform compliant infrastructure such as personalization equipment and key management systems
- Healthy competition brings innovation faster to the market place, along with competitive prices for the issuers
- Applications developed in the standard Java language known by most developers
- Large pool of OS implementers competing on performance and security, with multiple silicon providers
Application, Offline Characteristic and Interface
- Interface: contact, contactless, dual
- Applications: MChip, VSDC, AEIPS, D-Pas, MIFARE, data storage, access
- Offline characteristics: PKI (RSA), TDES
- Secrets held per application: 1. AID(s) 2. Keys 3. Configuration parameters 4. Card risk management parameters 5. Counters 6. PIN
The Specifications
ISO 7816 (smart card):
- Part 1: Physical characteristics
- Part 2: Cards with contacts: dimensions and location of the contacts
- Part 3: Cards with contacts: electrical interface and transmission protocols
- Part 4: Organization, security and commands for interchange
ISO 14443 (contactless):
- Part 1: Physical characteristics
- Part 2: Radio frequency power and signal interface
- Part 3: Initialization and anti-collision
- Part 4: Transmission protocol
EMV Version 4.3 (contact):
- Book 1: Application independent ICC to terminal interface requirements
- Book 2: Security and key management
- Book 3: Application specification
- Book 4: Cardholder, attendant and acquirer interface requirements
EMV Version 2.3 (contactless):
- Book A: Architecture and general requirements
- Book B: Entry point specification
- Books C1-6: Kernel specifications
- Book D: Communications protocol
Payment system specifications: operating rules, network requirements, card specification (for example AEIPS), terminal specifications (AEIPS), key management requirements, end-to-end certification requirements.
The industry is awaiting the debit networks to all publish their network specifications and certification requirements.
ISO 7816 Defines the Communications Protocol
Today's Track 1 Data
- Start sentinel: 1 byte (the % character)
- Format code: 1 byte alpha (the standard for financial institutions is "B")
- Primary Account Number: up to 19 characters
- Separator: 1 byte (the ^ character)
- Country code: 3 bytes, if used (the United States is 840)
- Surname
- Surname separator (the / character)
- First name or initial
- Space (when followed by more data)
- Middle name or initial
- Period (when followed by a title)
- Title (when used)
- Separator: 1 byte (^)
- Expiration date or separator: 4 bytes (YYMM)
- Discretionary data: optional data can be encoded here by the issuer
- End sentinel: 1 byte (the ? character)
- Longitudinal Redundancy Check (LRC): 1 byte
Today's Track 2 Data
- Start sentinel: 1 byte (0x0B, or a ; in ASCII)
- Primary Account Number: up to 19 bytes
- Separator: 1 byte (0x0D, or an = in ASCII)
- Country code: 3 bytes, if used (the United States is 840). This is only used if the account number begins with "59".
- Expiration date or separator: 4 bytes (YYMM), or the one byte separator if a non-expiring card
- Discretionary data: optional data can be encoded here by the issuer
- End sentinel: 1 byte (0x0F, or a ? in ASCII)
- Longitudinal Redundancy Check (LRC): 1 byte
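The two track layouts above, carried through as a parser (added example, not from the presentation). It reads the fields in the order the slides give them, checks the LRC, and adds a Luhn check on the PAN, which the slides do not mention but every PAN carries. The track strings are constructed here using the well-known test PAN 4111111111111111 with a made-up name and discretionary data; the three-digit ISO 7813 service code that follows the expiry is parsed as its own field, where the slides fold it into discretionary data. The LRC is computed as the XOR of the stripe character codes (ASCII minus 0x20 for the 6-bit Track 1 set, minus 0x30 for the 4-bit Track 2 set) from start to end sentinel inclusive.

```python
"""Track 1 / Track 2 parsing with LRC and Luhn checks (added example; samples constructed)."""
from __future__ import annotations

TRACK1_BASE, TRACK2_BASE = 0x20, 0x30


def track_lrc(body: str, base: int) -> str:
    """Longitudinal redundancy check character for a track body (sentinels included)."""
    x = 0
    for ch in body:
        x ^= ord(ch) - base
    return chr(base + x)


def with_lrc(body: str, base: int) -> str:
    return body + track_lrc(body, base)


def luhn_ok(pan: str) -> bool:
    """PANs carry a Luhn check digit; a cheap sanity test before any lookup."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track1(track: str) -> dict:
    body, lrc = track[:-1], track[-1]
    if not (body.startswith("%") and body.endswith("?")):
        raise ValueError("bad Track 1 sentinels")
    fields = body[2:-1].split("^")
    if len(fields) != 3:
        raise ValueError("expected PAN ^ name ^ additional data")
    pan, name, rest = fields
    if not pan.isdigit() or len(pan) > 19:
        raise ValueError("bad PAN")
    country = None
    if pan.startswith("59"):                      # country code precedes the name
        country, name = name[:3], name[3:]
    surname, _, given = name.partition("/")
    given, _, title = given.partition(".")        # period introduces the title
    first, _, middle = given.strip().partition(" ")
    return {
        "format_code": body[1],
        "pan": pan, "pan_luhn_ok": luhn_ok(pan), "country_code": country,
        "surname": surname, "first_name": first, "middle": middle or None, "title": title or None,
        "expiry": rest[:4],                       # YYMM
        "service_code": rest[4:7],                # ISO 7813 field, see lead-in
        "discretionary": rest[7:],
        "lrc_ok": track_lrc(body, TRACK1_BASE) == lrc,
    }


def parse_track2(track: str) -> dict:
    body, lrc = track[:-1], track[-1]
    if not (body.startswith(";") and body.endswith("?")):
        raise ValueError("bad Track 2 sentinels")
    pan, sep, rest = body[1:-1].partition("=")
    if not sep or not pan.isdigit() or len(pan) > 19:
        raise ValueError("bad PAN or missing separator")
    country = None
    if pan.startswith("59"):
        country, rest = rest[:3], rest[3:]
    if rest.startswith("="):                      # non-expiring card: separator in place of YYMM
        expiry, rest = None, rest[1:]
    else:
        expiry, rest = rest[:4], rest[4:]
    return {
        "pan": pan, "pan_luhn_ok": luhn_ok(pan), "country_code": country,
        "expiry": expiry, "service_code": rest[:3], "discretionary": rest[3:],
        "lrc_ok": track_lrc(body, TRACK2_BASE) == lrc,
    }


# Constructed samples (test PAN, made-up name and discretionary data); with_lrc appends the LRC.
SAMPLE_TRACK1 = with_lrc("%B4111111111111111^DOE/JOHN Q.MR^15121011234567890?", TRACK1_BASE)
SAMPLE_TRACK2 = with_lrc(";4111111111111111=15121011234567890?", TRACK2_BASE)

if __name__ == "__main__":
    print(parse_track1(SAMPLE_TRACK1))
    print(parse_track2(SAMPLE_TRACK2))
```

A failed `lrc_ok` on a live read usually means a damaged stripe or a misaligned swipe, not tampering, which is the point the slides make indirectly: the stripe carries an integrity check but nothing that authenticates the card.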
Data Elements (descriptions as per EMV 4.2 Book 3 Table 33 or the ISO specification; the slide also marks, for each element, whether it is carried in Bit 55, whether it is included in Tag 91, and the receipt requirement)
- Application Selection Indicator: for an application in the ICC to be supported by an application in the terminal, the Application Selection Indicator indicates whether the associated AID in the terminal must match the AID in the card exactly.
- Authorisation Response Cryptogram (ARPC): cryptogram generated by the issuer and used by the card to verify that the response came from the issuer.
- Card Status Update (CSU): contains data sent to the ICC to indicate whether the issuer approves or declines the transaction, and to initiate actions specified by the issuer. Transmitted to the card in Issuer Authentication Data.
- Certification Authority Public Key Check Sum: a check value calculated on the concatenation of all parts of the Certification Authority Public Key (RID, Certification Authority Public Key Index, Certification Authority Public Key Modulus, Certification Authority Public Key Exponent) using SHA-1.
- Certification Authority Public Key Exponent: value of the exponent part of the Certification Authority Public Key.
- Certification Authority Public Key Modulus: value of the modulus part of the Certification Authority Public Key.
- Default Dynamic Data Authentication Data Object List (DDOL): DDOL to be used for constructing the INTERNAL AUTHENTICATE command if the DDOL in the card is not present. Note: shall only contain the tag and length for Unpredictable Number (tag 9F37).
- Default Transaction Certificate Data Object List (TDOL): TDOL to be used for generating the TC Hash Value if the TDOL in the card is not present. Note: no one requires a default be set.
- Enciphered Personal Identification Number (PIN) Data: transaction PIN enciphered at the PIN pad for online PIN verification or for offline PIN verification if the PIN pad and IFD are not a single integrated device.
- Maximum Target Percentage to be used for Biased Random Selection: value used in terminal risk management for random transaction selection.
- Message Type: indicates whether the batch data capture record is a financial record or advice.
- Personal Identification Number (PIN) Pad Secret Key: secret key of a symmetric algorithm used by the PIN pad to encipher the PIN and by the card reader to decipher the PIN if the PIN pad and card reader are not integrated.
- PIX: Proprietary Application Identifier Extension.
- Processing Code: a set of numbers that describe the type of the transaction as well as the account.
- Proprietary Authentication Data: contains issuer data for transmission to the card in the Issuer Authentication Data of an online transaction.
- RID: Registered Application Provider Identifier.
- Target Percentage to be Used for Random Selection: value used in terminal risk management for random transaction selection.
- Terminal Action Code Default: specifies the acquirer's conditions that cause a transaction to be rejected if it might have been approved online, but the terminal is unable to process the transaction online.
Durbin in Context An Industry Seeking Answers
Multi-Access and Multi-Application
AID (Application Identifier): the AID is the name of the directory in the chip that contains the keys, certificates, parameters and counters, and identifies the application. The AIDs are registered by the payment networks:
- Visa (credit or debit): A000000003 1010
- Visa Electron: A000000003 2010
- Visa Interlink: A000000003 3010
- US Common Debit: A000000098 0840
- MasterCard: A000000004 1010
- Maestro Int'l: A000000004 3060
- US Maestro: A000000004 2203
- Amex: A000000025 01XX
- JCB: A000000065 1010
- Discover: A000000324 1010
- DNA Common Debit: A000000620 0620
Application: the payment networks' card and terminal specifications define the software required in the card and how the terminal will employ the EMV tool kit. Each payment network has invested in defining, maintaining and certifying implementations of its specification: Amex AEIPS, Discover D-Pas, MasterCard MChip, Visa VIS. The Visa and MasterCard specifications define methods of sharing data between two or more AIDs to support US debit requirements. Card and terminal vendors develop and request type approval of their products.
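Building the candidate list from these AIDs, as an added example that is not from the presentation. It also covers the application selection slide earlier: each terminal-supported AID carries an Application Selection Indicator (exact match required, or partial match allowed, in which case a card AID that begins with the terminal AID also qualifies, per EMV Book 1), and the candidates are ordered by the card's Application Priority Indicator. The AIDs are the ones listed on the slide; the terminal configuration, the card contents and the common-debit routing preference at the end are constructed for this example as an illustration of Durbin-style merchant choice, not any network's rule.

```python
"""EMV candidate list construction and application choice (added example; configuration constructed)."""
from __future__ import annotations

# Common debit AIDs named as such on the slide.
US_COMMON_DEBIT_AIDS = {"A0000000980840", "A0000006200620"}

# (terminal AID, partial match allowed, label). The ASI settings are this example's configuration.
TERMINAL_AIDS = [
    ("A0000000031010", True, "Visa credit/debit"),
    ("A0000000980840", True, "US Common Debit (Visa)"),
    ("A0000000041010", True, "MasterCard"),
    ("A0000000042203", True, "US Maestro"),
    ("A00000002501", True, "Amex (A000000025 01XX on the slide, matched by prefix)"),
    ("A0000003241010", False, "Discover (exact match only)"),
    ("A0000006200620", True, "DNA Common Debit"),
]


def aid_matches(card_aid: str, terminal_aid: str, partial_allowed: bool) -> bool:
    """Exact match, or prefix match when the terminal's ASI permits it."""
    if card_aid == terminal_aid:
        return True
    return partial_allowed and card_aid.startswith(terminal_aid)


def build_candidate_list(card_adfs: list[tuple[str, str, int]], terminal_aids=TERMINAL_AIDS) -> list[dict]:
    """card_adfs: (AID, application label, Application Priority Indicator) as read from the card's PSE
    directory or returned by SELECT. Returns the mutually supported applications, best priority first
    (a lower indicator value wins; 0 means no preference and sorts last)."""
    candidates = []
    for card_aid, label, priority in card_adfs:
        for term_aid, partial, term_label in terminal_aids:
            if aid_matches(card_aid, term_aid, partial):
                candidates.append({"aid": card_aid, "label": label, "priority": priority,
                                   "terminal_label": term_label})
                break
    return sorted(candidates, key=lambda c: (c["priority"] == 0, c["priority"]))


def choose_application(candidates: list[dict], prefer_common_debit: bool = False) -> dict | None:
    """Default: the card's highest-priority application. With prefer_common_debit, a merchant exercising
    routing choice takes the common debit AID when the card carries one (example policy only)."""
    if not candidates:
        return None
    if prefer_common_debit:
        for c in candidates:
            if c["aid"] in US_COMMON_DEBIT_AIDS:
                return c
    return candidates[0]


# Constructed card contents.
US_DEBIT_CARD = [("A0000000031010", "VISA DEBIT", 1), ("A0000000980840", "US DEBIT", 2)]
ELECTRON_CARD = [("A0000000032010", "ELECTRON", 1)]       # not on this terminal's list, no accepted prefix
AMEX_CARD = [("A0000000250108", "AMEX", 1)]                # constructed longer AID, matched by prefix

if __name__ == "__main__":
    cands = build_candidate_list(US_DEBIT_CARD)
    print("candidates:", [c["aid"] for c in cands])
    print("issuer priority:", choose_application(cands)["aid"])
    print("merchant prefers common debit:", choose_application(cands, prefer_common_debit=True)["aid"])
```

The two outcomes for the same card are exactly the "issuer control and consumer choice" tension of the application selection slide: the card's priority order and the merchant's routing preference can name different AIDs, and the terminal's configuration decides which wins.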
Durbin Introduced Merchant Choice as a Matter of Law
The Durbin amendment changed debit card operations: it reduced the interchange fees earned by debit card issuers and required issuers to define two unaffiliated routes for each transaction.
- The Federal Reserve issued Regulation II; Reg. II was implemented October 2011
- July 31st 2013: Judge Richard Leon remanded Regulation II back to the Federal Reserve
- March 21st 2014: The Court of Appeal found for the Board of Governors of the Federal Reserve System
- April 30th 2014: The EMV Migration Forum published the U.S. Debit EMV Technical Proposal
Much Work Still To Do
- Debit networks must define how EMV transactions will be processed
- Each debit network must license or develop an EMV application
- Visa and MasterCard must publish the US debit specifications
- Debit networks must upgrade to support field 55
- Merchants, acquirers, POS vendors and processors must implement a debit solution
- Merchant and acquiring terminals and interfaces must be certified
- The framework for contactless must be defined
Debit Conundrum Score Card (network, owner where given, and the status marks shown on the slide; the column headings, among them "Specs Issued", did not survive extraction):
- AFFN
- Alaska Option
- Allpoint
- ATH
- Cirrus (MasterCard): done, done, Yes
- CU-24: done
- Interlink (Visa): done, done, Yes
- Jeanie (Vantiv)
- Maestro (MasterCard): done, done, Yes
- MoneyPass
- NETS
- NYCE (FIS): done, done, Yes
- Plus (Visa): done, done, Yes
- Presto
- Pulse (Discover): done, done, Yes
- Shazam: done, done
- Star (First Data): done, done
- The Co-op: done
- The Exchange/Accel (Fiserv): done, done, Yes
Dispelling Myths
- EMV was designed to address counterfeit and lost and stolen fraud in the physical world
- Proximity (NFC) mobile payments are based on EMV specifications; Near Field Communication (NFC) is a communication protocol
- Once EMV is fully deployed it significantly reduces the value of the data that can be acquired by breaking into payment systems
- To address card not present or shopping on the Internet, an EMV capable card reader (contact or contactless) could be deployed, utilizing 3D-Secure
- EMV uses cryptography to create dynamic digital signatures: the ARQC, ARPC and TC
- Tokenization, end to end encryption and EMV complement each other
EMV Is Driven by Cryptographic Processes
At its core EMV is about using cryptography to assure that the card is authentic, both at the terminal and when the transaction is seen by the Issuer's host.
The Key to Secure Identification: Multi-Factor Authentication
- Something you have: the token = card
- Something you know: the secret = PIN
- Something you are: biometric = you
Offering issuers fraud protection and future flexibility.
Authentication and Confidentiality Require Cryptography
Symmetric:
- One participant establishes a secret and shares the secret key S with other participants
- The Triple DES algorithm is used for online PIN security
- EMV employs Triple DES for on-line authentication
- Sharing the secret key with too many parties puts the secret key at risk
Asymmetric:
- Each participant establishes a unique pair of keys: public key P and secret key S
- Public key cryptography is used to assure authenticity and security on the Internet
- EMV employs RSA for off-line authentication
- Each participant has a unique secret key they do not share
Primer in Symmetric Cryptography: Online Authentication is based on Triple DES
[Diagram: S is the secret key shared by Bob and Sally. Signing: Bob hashes DATA and applies TDES Sign with the secret to produce the signature; Sally hashes the received DATA and applies TDES Verify with the same secret. Confidentiality: TDES Encrypt under the secret at Bob's end, TDES Decrypt under the same secret at Sally's end.]
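The online authentication exchange of the Field 55 slide, carried through with keys (added example, not from the presentation). The sequence is EMV's (Book 2): issuer master key to card key, diversified by PAN and PAN sequence number; card key to session key, diversified by the ATC; the card MACs the transaction data to form the ARQC; the issuer re-derives the same keys, recomputes the MAC, and answers with an ARPC (the ARC exclusive-ORed into the ARQC and MACed again) that the card checks. EMV performs each of these steps with Triple DES; Python's standard library has no DES, so HMAC-SHA256 truncated to 8 bytes stands in for every TDES operation here. The issuer-side ATC replay check is an added host control, not something the slide describes. Keys, PAN and transaction data are constructed.

```python
"""ARQC / ARPC exchange between card and issuer host (added example; HMAC stands in for TDES)."""
from __future__ import annotations
import hashlib
import hmac


def mac8(key: bytes, data: bytes) -> bytes:
    """8-byte MAC, the stand-in for the TDES MAC of EMV Book 2."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def derive_card_key(issuer_master_key: bytes, pan: str, pan_seq: str) -> bytes:
    """Unique key per card, derived at personalisation and again on the host; never stored per card."""
    return hmac.new(issuer_master_key, (pan + pan_seq).encode(), hashlib.sha256).digest()


def derive_session_key(card_key: bytes, atc: bytes) -> bytes:
    """Fresh key per transaction, so one cryptogram reveals nothing about the next."""
    return hmac.new(card_key, atc, hashlib.sha256).digest()


def cdol1_data(amount_cents: int, tvr: bytes, unpredictable_number: bytes, currency: str = "0840",
               country: str = "0840", date_yymmdd: str = "140630", txn_type: str = "00") -> bytes:
    """Terminal data the card signs (9F02, 5F2A, 9F1A, 95, 9A, 9C, 9F37), BCD/hex encoded."""
    return (bytes.fromhex(f"{amount_cents:012d}") + bytes.fromhex(currency) + bytes.fromhex(country)
            + tvr + bytes.fromhex(date_yymmdd) + bytes.fromhex(txn_type) + unpredictable_number)


def _arpc(session_key: bytes, arqc: bytes, arc: str) -> bytes:
    """ARPC method 1 shape: MAC over ARQC XOR (ARC padded to 8 bytes)."""
    padded = arc.encode("ascii")[:2].ljust(8, b"\x00")
    return mac8(session_key, bytes(a ^ b for a, b in zip(arqc, padded)))


class Card:
    def __init__(self, pan: str, pan_seq: str, card_key: bytes, aip: bytes = b"\x1c\x00"):
        self.pan, self.pan_seq, self.key, self.aip = pan, pan_seq, card_key, aip
        self.atc = 0
        self._session_key = b""

    def generate_arqc(self, terminal_data: bytes) -> dict:
        """GENERATE AC: bump the ATC, derive the session key, MAC terminal data + AIP + ATC.
        The returned fields are what travels to the issuer in Field 55."""
        self.atc += 1
        atc = self.atc.to_bytes(2, "big")
        self._session_key = derive_session_key(self.key, atc)
        return {"pan": self.pan, "pan_seq": self.pan_seq, "atc": atc, "aip": self.aip,
                "arqc": mac8(self._session_key, terminal_data + self.aip + atc)}

    def verify_arpc(self, arqc: bytes, arc: str, arpc: bytes) -> bool:
        """EXTERNAL AUTHENTICATE: the card accepts the response only if the ARPC proves the issuer knows its key."""
        return hmac.compare_digest(arpc, _arpc(self._session_key, arqc, arc))


class IssuerHost:
    def __init__(self, issuer_master_key: bytes):
        self.imk = issuer_master_key
        self.last_atc: dict[str, int] = {}     # replay detection: the ATC must increase per card

    def authorize(self, field55: dict, terminal_data: bytes) -> dict:
        """Authenticate the ARQC, reject replays, then decide and build the ARPC."""
        card_key = derive_card_key(self.imk, field55["pan"], field55["pan_seq"])
        session_key = derive_session_key(card_key, field55["atc"])
        expected = mac8(session_key, terminal_data + field55["aip"] + field55["atc"])
        if not hmac.compare_digest(expected, field55["arqc"]):
            return {"authenticated": False, "reason": "ARQC mismatch", "arc": "05", "arpc": None}
        atc = int.from_bytes(field55["atc"], "big")
        if atc <= self.last_atc.get(field55["pan"], 0):
            return {"authenticated": False, "reason": "ATC replay", "arc": "05", "arpc": None}
        self.last_atc[field55["pan"]] = atc
        arc = "00"                               # approval; a real host applies its risk rules here
        return {"authenticated": True, "reason": "ok", "arc": arc, "arpc": _arpc(session_key, field55["arqc"], arc)}


def demo() -> tuple[bool, bool, bool, bool]:
    """Genuine transaction accepted, card accepts the ARPC, tampered amount rejected, replay rejected."""
    imk = hashlib.sha256(b"constructed issuer master key").digest()
    pan, seq = "4111111111111111", "00"
    card = Card(pan, seq, derive_card_key(imk, pan, seq))    # personalisation step
    host = IssuerHost(imk)
    un = bytes.fromhex("1A2B3C4D")
    data = cdol1_data(12345, bytes(5), un)
    f55 = card.generate_arqc(data)
    tampered = host.authorize(f55, cdol1_data(10, bytes(5), un))   # amount altered in transit
    genuine = host.authorize(f55, data)
    card_ok = card.verify_arpc(f55["arqc"], genuine["arc"], genuine["arpc"])
    replay = host.authorize(f55, data)
    return genuine["authenticated"], card_ok, tampered["authenticated"], replay["authenticated"]


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

Two design points carry over to a real host unchanged: the comparison uses a constant-time compare, and the ATC is recorded only after the cryptogram verifies, so a forged message cannot advance the counter and block the genuine card.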
Primer in Public Key Cryptography: Offline Authentication is based on RSA
[Diagram: S is the secret key, P the public key. Signing: Bob hashes DATA and applies RSA Sign with S(Bob) to produce the signature; Sally hashes the received DATA and applies RSA Verify with P(Bob). Confidentiality: RSA Encrypt with P(Sally), RSA Decrypt with S(Sally).] Founders of the RSA algorithm: Ron Rivest, Adi Shamir, Leonard Adleman.
RSA Issuer Certificate Request Process
1. Certification request from the issuer: BIN, certificate expiry date, BIN (test/live), tracking number.
2. From Oberthur: the issuer key pair (public key and private key) is generated; the public key, its hash and a self-signed certificate are submitted.
3. The Certificate Authority (Visa/MC) returns the Issuer Public Key Certificate for the BIN.
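Offline card authentication carried through with the RSA chain behind the two slides above (added example, not from the presentation): the payment network's Certification Authority signs the issuer's public key, producing the Issuer Public Key Certificate that comes back from the certificate request; the issuer signs the card's static data at personalisation; and a terminal holding only the CA public key verifies both, plus the certificate expiry date, before trusting the card. Simplifications, all labelled in the code: textbook RSA over a SHA-1 digest in place of EMV's ISO/IEC 9796-2 message-recovery format, 512-bit keys from a seeded generator, and a certificate body layout invented for this example. BIN, dates and card data are constructed.

```python
"""Issuer certificate and static data authentication with textbook RSA (added example; keys and data constructed)."""
from __future__ import annotations
import hashlib
import random
from math import gcd

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1     # full length, odd
        if is_probable_prime(candidate, rng):
            return candidate


def make_keypair(bits: int, rng: random.Random) -> tuple[tuple[int, int], tuple[int, int]]:
    """Returns (public, private) as (n, e) and (n, d). Seeded rng is for reproducibility only; demo keys."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")     # SHA-1, as in the CA public key checksum


def rsa_sign(private: tuple[int, int], data: bytes) -> int:
    n, d = private
    return pow(digest_int(data), d, n)                               # textbook RSA, not ISO/IEC 9796-2


def rsa_verify(public: tuple[int, int], data: bytes, signature: int) -> bool:
    n, e = public
    return 0 < signature < n and pow(signature, e, n) == digest_int(data)


def cert_body(bin_: str, expiry_mmyy: str, issuer_public: tuple[int, int]) -> bytes:
    """What the CA signs: BIN, certificate expiry (MMYY), exponent, modulus. Layout is this example's own."""
    n, e = issuer_public
    return bin_.encode() + expiry_mmyy.encode() + e.to_bytes(3, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def ca_issue_certificate(ca_private, bin_: str, expiry_mmyy: str, issuer_public) -> dict:
    return {"bin": bin_, "expiry": expiry_mmyy, "public": issuer_public,
            "signature": rsa_sign(ca_private, cert_body(bin_, expiry_mmyy, issuer_public))}


def personalize_card(issuer_private, issuer_cert: dict, static_data: bytes) -> dict:
    """The issuer signs the static application data (SSAD); certificate and signature are loaded on the card."""
    return {"issuer_cert": issuer_cert, "static_data": static_data, "ssad": rsa_sign(issuer_private, static_data)}


def certificate_valid_on(expiry_mmyy: str, txn_yymm: str) -> bool:
    """EMV certificate expiry is MMYY (last valid month); compared against the transaction month."""
    return (int(txn_yymm[:2]), int(txn_yymm[2:])) <= (int(expiry_mmyy[2:]), int(expiry_mmyy[:2]))


def terminal_sda(ca_public, card: dict, txn_yymm: str) -> bool:
    """Terminal-side offline authentication: CA signature over the issuer certificate, certificate not
    expired, then the issuer signature over the card's static data. Any failure: card not trusted."""
    cert = card["issuer_cert"]
    if not rsa_verify(ca_public, cert_body(cert["bin"], cert["expiry"], cert["public"]), cert["signature"]):
        return False
    if not certificate_valid_on(cert["expiry"], txn_yymm):
        return False
    return rsa_verify(cert["public"], card["static_data"], card["ssad"])


def demo() -> tuple[bool, bool, bool, bool]:
    """Genuine card, tampered static data, certificate from an untrusted signer, expired certificate."""
    rng = random.Random(2014)
    ca_public, ca_private = make_keypair(512, rng)                   # payment network CA
    iss_public, iss_private = make_keypair(512, rng)                 # issuer pair; private part stays with the issuer
    cert = ca_issue_certificate(ca_private, "411111", "1216", iss_public)
    static = b"PAN=4111111111111111;EXP=1512;AIP=1C00;AID=A0000000031010"   # constructed
    card = personalize_card(iss_private, cert, static)
    tampered = dict(card, static_data=static.replace(b"EXP=1512", b"EXP=2512"))
    rogue_public, rogue_private = make_keypair(512, rng)
    rogue = dict(card, issuer_cert=ca_issue_certificate(rogue_private, "411111", "1216", iss_public))
    return (terminal_sda(ca_public, card, "1406"), terminal_sda(ca_public, tampered, "1406"),
            terminal_sda(ca_public, rogue, "1406"), terminal_sda(ca_public, card, "1701"))


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The terminal never holds an issuer key in advance: it trusts the issuer's public key only because the CA key it was loaded with signs that key, which is why the CA public key index, modulus and checksum appear in the data element list earlier on the page.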