The Changing Landscape of Card Acceptance

Troy Byram
Vice-President
Sr. E-Receivables Consultant
February 6, 2015

Agenda
- EMV (Chip and PIN)
- PCI Compliance and Data Security
- New Regulations for Municipalities
- New Payment Technology Trends

EMV (Chip and PIN)

Retail payments continue to shift to electronic means
[Chart: Number of Transactions by Payment Type, 2000-2012, in billions. Series: Debit cards, Credit cards, Checks, ATM Withdrawals, EBT/Prepaid]
- Payments landscape has seen dramatic changes in the past decade
- Proxy measures for cash (e.g., ATM transactions) are largely stable
- How does cash fit into this evolving landscape?

What is EMV and how does it work?
- EMV is a global payment standard for chip-based payments created by Europay, MasterCard, Visa
- EMV payment cards improve security over magnetic stripe technology through an embedded computer chip
  - Validates the card is legitimate
  - Cardholder verification (PIN) authenticates the cardholder
  - Authentication can be "chip & PIN" or "chip & signature"
- EMV standards support existing and emerging payment technologies
  - Contact (insert), Contactless (tap) or Dual (both)
  - Mobile Phones or Fobs (contactless)

Why Should Merchants Care?
How does EMV protect me?
- EMV cannot prevent information breaches like the one Target experienced last year.
- What EMV can control is what can be done with the breached data.
- EMV technology provides dynamic (ever changing) data fields in the transaction
- This technology prevents thieves from using card data copied onto a fraudulent chip card.

Timeline and Impact
October 2015
- Target date for retailers to be able to accept EMV transactions
- Requires new equipment at point of sale
- Requires certification of software solutions
Impact
- Liability shift for merchants without EMV capabilities
- In the event of a fraudulent transaction, the merchant may assume responsibility and financial liability for counterfeit transactions

PCI Compliance and Data Security

What is PCI-DSS?
- Payment Card Industry Data Security Standards
- Industry tools and measurements to ensure the safe handling of sensitive information
- Applies to ALL merchants and third party service providers

When does PCI & PA-DSS apply?
- Processing
- Storing
- Transmitting

- 66%: Breaches identified by external parties*
- 64%: Breaches that go undetected for months*
- 63%: Data breaches that involved a third party responsible for system support*
*Verizon 2013 Data Breach Investigations Report

Can your business survive a data breach or privacy loss?
The number of data breaches, as well as the costs of complying with customer notification requirements and restoring compromised systems, continues to increase steadily. Even companies with strong security and privacy controls are not immune to the actual theft or damage of data by external or even internal parties.
- The average cost of a data breach in the U.S. was $5.4 million in 2012
- Estimated cost of the Target data breach tops $200 million
- The average cost per compromised record in 2012 reached $188
  - Direct Cost of $23 includes discovery and forensics
  - Victim Cost of $38 includes notification, call center and identity monitoring
  - Indirect costs of $127 include legal fees, regulatory fines and reputational damage
- Lost Laptops account for 35% of data breaches

PCI DSS validation requirements
Table columns:
- Compliance Classification Level
- Annual submission of compliant PCI DSS Report on Compliance (ROC)
- Annual submission of compliant Self Assessment Questionnaire (SAQ)
- Quarterly Network Scan
Levels:
- Level 1: >6 MM annual transactions (Any payment network)
- Level 2*: 1 MM to 6 MM annual transactions (Any payment network). Merchant can do either ROC or SAQ
- Level 3: 20K to 1 MM annual transactions (Any payment network), ecommerce only
- Level 4 (recommended): < 20K e-commerce, < 1MM annual transactions
*Level 2 merchant Self Assessment Questionnaire (SAQ) must be completed by an ISA (Internal Security Assessor)

PCI: Validation versus compliance
- Validation
- Compliance
- Strategy (BAU)
- Data security
- Reactive
- Monitoring security controls
- Proactive

Protective measures: Evolving requirements
- Monitor changes
- Monitor activities
- Test protection measures
  - Rigorous penetration testing
- Staff responsibilities
- Work with your service providers
- Leverage encryption and tokenization
- Educate your employees
- Goal is to protect your infrastructure

New Regulations for Municipalities

Convenience Fees
- Flat fee charged on a non face-to-face transaction only when the payment method is a true convenience for the customer.
  - In an alternative channel outside the customary payments channel
- Charging as a percentage of the transaction amount is not permitted
- No registration is required
- Requires disclosure to cardholder
- Applies to any card payment
  - Visa requires the fee to be applied to all payment types in that channel, such as ACH
- Example: A $5 fee to pay a power bill on-line

Government and Higher Education
- Allows participating merchant to assess fees on approved transaction types
  - Visa refers to this as a service fee
  - MasterCard refers to this as a convenience fee
- Applies to Debit and Credit transactions
- May be variable or tiered
- Requires
  - Registration with the payment networks
  - Disclosure of fees to the cardholder
  - Card products must be accepted in all channels where payments are accepted
- Example: A 2% fee charged for tuition payment via credit or debit card

MCC Codes-Visa
Government
- 9311-Tax payments
- 9222-Fines
- 9211-Court costs
- 9399-Misc Gov't Services
Tuition Payments
- 8220-College Tuition
- 8244-Business Schools
- 8249-Trade Schools

MCC Codes-MasterCard
Government
- 9311-Tax payments
- 9222-Fines
- 9211-Court costs
- 9399-Misc Gov't Services
Higher Education Payments
- 8211-Schools
- 8220-Colleges, Universities
- 8249-Trade Schools

Surcharge
- Fee added to the cost of a purchase when a customer uses a payment card
- Percentage based fee for credit, not debit cards
- Result of the Interchange settlement with Visa and MasterCard
  - Does not apply to Discover and American Express
  - Cannot be imposed by merchants who accept all card brands
- Example: A wholesaler charges a 2% surcharge for payments via credit card. Debit/ACH/Check have no fee
- Outlawed by many States and growing

New Payment Technology Trends

Mobile Payments
Utilizing smart devices
- Phones, tablets, laptops
- Requires card swipe accessory
Benefits
- Mobility in retail environment
- Capture cards in the field
- Card present Interchange
- Real-time authorization

Advanced Gateway Solutions
Omni Channel solutions
- Internet: Hosted and API
- Virtual Terminal
- IVR
- Retail
- Mobile
Additional Capabilities
- Data storage, recurring payments
- Multiple payment types accepted
- International currencies
- Advanced reporting
- System integration
- Advanced fraud tools

Apple Pay
What is it?
- Payment method using encrypted data stored on your iPhone or Apple Watch
- Uses a dynamic, one-time security code
Mobile application
- Hold the iPhone near payment capture hardware (NFC)
- Uses fingerprint for authentication
- Removes need for credit card and PIN
Card Not Present application
- Use in apps
- Virtual button and fingerprint authentication

Questions?
Thank you for your time.