Card Payment acceptance at Common Use positions at airports

Similar documents
Understanding the 2015 U.S. Fraud Liability Shifts

EMV Chip Cards. Table of Contents GENERAL BACKGROUND GENERAL FAQ FREQUENTLY ASKED QUESTIONS GENERAL BACKGROUND...1 GENERAL FAQ MERCHANT FAQ...

EMV and Educational Institutions:

Is Your Organization Ready for the EMV Challenge?

EMV: Facts at a Glance

EMV is coming. Here s how to stay ahead of the trend. Presented by CO-OP Financial Services

Top 5 Facts Merchants Need To Know About EMV

E M V O V E R V I E W. July 2014

EMV: Frequently Asked Questions for Merchants

PayPass M/Chip Requirements. 3 July 2013

EMV Just the Facts. Ozarks Association of Government Accountants

EMV & Fraud POS Fraud Mitigation Tips for Merchants First Data Corporation. All Rights Reserved.

EMV is coming. But it s ever changing.

EMV: The Journey Begins October 1st

EMV, PCI, Tokenization, Encryption What You Should Know for Presented by: The Bryan Cave Payments Team

ATM Webinar Questions and Answers May, 2014

U.S. Bank. U.S. Bank Chip Card FAQs for Program Administrators. In this guide you will fnd: Explaining Chip Card Technology (EMV)

EMV Adoption in the U.S.

The Future of Payment Security in Canada

Visa Minimum U.S. Online Only Terminal Configuration

esocket POS Integrated POS solution Knet

I N T E R A C. The Faster, More Convenient Way. Small Value Purchases

Contactless Toolkit for Acquirers

Pinless Transaction Clarifications

Cards on the table! Bernd Filsinger Payment Technology Services Lead Client Support Services, Europe region

EMVCo: Operating Principles

Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?

Technology Developments in Card-Based Payments WACHA Payments 2013

Optimizing Transaction Speed at the POS

Acquirer JCB EMV Test Card Set Summary

Gemalto Consulting Services. Take control of your smart card implementation

Canada EMV Test Card Set Summary

EMV: Coming Soon to a Card Near You

EMV Migration for the US Parking Industry EMV and the Parking Industry

EMV * Contactless Specifications for Payment Systems

Collis/B2 EMV & Contactless Offering

EMV Migration. What You Need to Know about the Technology, the Security Protection it Provides, and When to Implement

FTFS. Fault Tolerant Financial Systems

USA EMV Test Card Set Summary

EMV IN THE U.S. HOW FAR HAVE WE COME AND WHERE ARE WE GOING? Andy Brown

Tokenization April Tokenization. Gregory H. Soule, CPA, CISA, CISSP, CFE Senior Manager. Andrews Hooper Pavlik PLC

Visa Digital Solutions. Rocio Beckham Community Issuers

Instant issuance in retail breaks new ground for banks

payshield 9000 The hardware security module securing the world s payments

Tokenization: What, Why and How

Topics. First Data and STAR Network overview. Competitive advantage. Fraud in emerging payments. Fraud innovation what s coming

Merchant Services What You Need to Know. Agenda 6/5/2017. Overview of Merchant Services. EMV, Tokenization/Encryption, and PCI (Oh My!

EMV : One year later. Merchants take steps to adapt and address challenges in the year following the shift to EMV technology at the point of sale

Policies and Procedures

The Shared Electronic Banking Services Company (KNET) Knet securing E-payment for EGOV

Seeds of Change in Debit

Merchant Trading Name: Merchant Identification Number: Terminal Identification Number: ANZ CONTACTLESS EFTPOS MERCHANT OPERATING GUIDE

Maximize the use of your HSM 8000

JTC Resource Bulletin. EMV and Credit Card Liability: What Courts Need to Know

PCI BLOG. P2PE, EMV, Tokenization, Oh My!

MOBILE CHECKOUT SOLUTION

EMVCo s Contactless Indicator Trademark - Acceptable Use Cases

Quick Guide. Token Service Provider

The October 1 EMV Liability Shift: Everything You Need to Know

A Guide to. US EMV Migration

EMV. When to Wait and When to Move

Smart Cards and EMV Adoption in China

Payment Card Industry Data Security Standard Self-Assessment Questionnaire B Guide

A Merc r ator r Adv d i v sory y Gr G oup Re R search h Br B ief S p S onsored d by J nu n a u ry

WHITE PAPER. Focus on value added services by network companies a paradigm shift. Rahul Kaushal, Ramakant Mittal

Quick Guide. Token Service Provider

PCI DSS practical guide for Travel Agents

Ensuring the Safety & Security of Payments. Faster Payments Symposium August 4, 2015

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD SELF-ASSESSMENT QUESTIONNAIRE (SAQ) A GUIDE

EMVCo Type Approval. Terminal ESD Evaluation Administrative Process. Version 2.3. July 2014

3.17 Payment Card Industry (PCI) Compliance Policy

Horizontal Integration in the Payments Industry

Threat Landscape: Skimming In a Changing Environment

Verifone MX 915/925 Payment Devices. with KWI 6.x POS Registers: What s New?

EMV 3-D Secure Press Kit Q&A

Security enhancement on HSBC India Debit Card

Helping merchants automate testing practices.

CONVEGO. Platforms and Applications

Mobile Payment Platforms For The Artist

A Conversation with Visa on Consumer Debit Growth Connie Davis FIS Global Retail Payments Greg Borchardt Visa Consumer Debit Products

Straight Answers on PCI and EMV

International Processing for the Financial Industry

PIN Issuance & Management

Re: EMVCo Letter of Approval - Contact Terminal Level 2

CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS RULE E4

CONTRACTUAL COMPLIANCE DEADLINE COMPOUNDED FINES FOR MISSING THE REVIEW APPROACHING DEADLINES

Protecting Your Swipe Devices from Illegal Tampering. Point of Sale Device Protection. Physical Security

eftpos CB Certification services

Digital Wallet: Requirements and Challenges

Point-of-Sale Terminals

EMV ESSENTIALS EMV U.S. ISSUERS FOR AND MERCHANTS. Essentials for U.S. Issuers and Merchants A Mercator Advisory Group Whitepaper Sponsored by SHAZAM

Virtual Terminal User Guide

Protecting Your Future

At a Glance: The Payment Ecosystem. Powering Subscription Success

Securing Card Payments Challenges & Opportunities. Julie Hanson Senior Vice President, Card & Payment Products ICBA Bancard & TCM Bank, NA

PAYMENT EXPRESS EFTPOS GETTING STARTED GUIDE. Version 0.2

HEADLINE INSIGHTS ON HERE EMV TRANSACTION SPEED PERFORMANCE OPTIMIZATION

NetSuite Integration for CyberSource. Getting Started Guide

The Migration to EMV in the USA from a Founders Perspective. Philip Andreae Oberthur Technologies

PCI DSS Security Awareness Training. The University of Tennessee and The University of Tennessee Foundation. for Credit Card Merchants at

Transcription:

Card Payment acceptance at Common Use s at airports Business requirements Version 1, published in June 2016 Preamble Common Use (CU) touchpoints (self-service s such as self-service kiosks or bag drops, and agent s such as check-in desks, bag drops, gate s) are increasingly called to perform sales transactions, which requires the acceptance of a payment instrument if the transaction is to be performed end-to-end at the CU. Card payment is presently the payment instrument of choice for the passengers and for the airlines. However, accepting card payment at CU s is practiced only by some airlines in some regions, hence it is currently conducted in very disparate ways. The card industry is progressively rolling out EMV chip cards, which substitute chip to magnetic stripe acceptance. In addition, there is an over-riding demand that card payment acceptance be conducted with strict PCI DSS compliance, in order to safeguard customer s data and merchant s reputation. While some airlines process CU transactions as Card Not Present, the business trend is to move towards Card Present. Consequently, the industry has been reviewing how card payment acceptance should be conducted at CU s, and there is an increasing demand for guidance on what are the desirable components of a solution that would support the unique multimerchants/multi-acquirers business model of CU s which are shared by several airlines. The following business requirements stream from the on-going discussions held at industry forums and represent recommendations that airports and/or airlines should consider when drawing up their own business requirements. They do not recommend any technology or provider, and only seek to establish the key components of an effective industry card payment for this specific environment. Disclaimer: The information contained in this document is subject to constant review in light of changing requirements and regulations. No reader should act on the basis of any such information without referring to applicable laws and regulations and without taking appropriate professional advice. Although every effort has been made to ensure that the information in this document is accurate and current, IATA shall not be held responsible for loss or damage caused by errors, omissions, misprints or misinterpretation of the content hereof. Furthermore, IATA expressly disclaims all and any liability to any person in respect of anything done or omitted, and the consequences of anything done or omitted, by any such person in reliance on the contents hereof. 1

1. A few definitions The card industry is in the process of conducting a world-wide technology migration of the face-to-face, card and cardholder present sales, moving from magnetic stripe (magstripe) to EMV chip. The following seeks to clarify terms and some of the key business principles that drive the ensuing business requirements for an effective industry card payment solution for CU s. 1.1. Stakeholders Because of the complex multi-merchants, multi-acquirers nature of Common Use payments in an airport environment, as many as thirteen different stakeholders could be contracted to deliver services for the overall solution. For the purpose of this document, three categories of stakeholders have been defined below. Merchant The merchant of record is the entity that is selling the product or service to the cardholder, and collecting the produce of the card sale. A merchant is contractually responsible vis-à-vis the acquirer for the PCI DSS compliance of the entire transaction lifecycle. When an airline contracts an airport and the airport contracts in turn a vendor to provide card payment services related to CU environment, PCI DSS demands that the roles and responsibilities of each entity in terms of safeguarding sensitive card data be specified. Acquirer The acquirer, or acquiring bank, is the financial entity that has entered into a bilateral card acceptance merchant agreement with the merchant (see merchant s definition) selling products or services to the cardholder. The acquirer is chosen by the merchant. The acquirer is operating under a license, or other form of agreement, from a scheme, which has similar arrangements with the issuer who services the cardholder (see issuer s definition). For some card brands, the card scheme may also operate as the acquirer and/or issuer, and supports directly the merchant and/or the cardholder. Issuer The issuer, or issuing bank, is the financial entity that has entered into a bilateral agreement with the cardholder. The issuer is operating under a license, or other form of agreement, from a card scheme, which has similar arrangements with the acquirer who services the merchant (see acquirer and merchant s definitions). For some card brands, the card scheme may also operate as the acquirer and/or issuer, and supports directly the merchant and/or the cardholder. 2

1.2. Further definitions Card Authentication Method (CAM) It describes how the card interacts with the card acceptance device, and how it is recognized by the terminal as a valid card. While the worldwide EMV migration is on-going, cards continue to retain their magnetic strip feature for the time being. At the time the present document is written, the current EMV Chip specification is EMV 4.3 from November 2011. More information on EMV can be found at http://www.emvco.com/ Cardholder Verification Method (CVM) A method used to verify whether the person using the card application is the legitimate cardholder. The following CVMs exist: - No CVM Required - Signature 1 1 - On-line PIN validation: the PIN is encrypted and transported in the authorization request, in order to be verified by the issuer, and the verification result is sent back within the authorization response message. - Off-line PIN validation: the PIN is verified off-line by the chip. A chip card may be programmed by the issuer: - To demand that a PIN validates all purchases, or only purchases above a certain amount. This is referred to as chip and PIN. - Not to demand a PIN for any purchase, which is then validated by the signature, as for magstripe-only cards. This is referred to as chip and signature. Issuers are free to decide if they want to issue chip and PIN or chip and signature cards. In the US, the expression chip and choice is commonly used to describe a situation where the issuers are releasing both chip and PIN and chip and signature cards, which may also be called PIN preferring and signature preferring. 1 No self-service terminal can support signature-verification as this function can only be performed by a sales attendant. 3

Chargeback rules A chargeback is a function initiated by the issuer requesting the acquirer to credit the issuer for the amount in question of a given transaction. Chargeback rules materialize the exact measure of protection (or left over risk) that the merchant bears. Rules can be defined at: - National level (where both the card and the place of transaction are from the same country) - Intra regional level (where the card and the place of transaction are from two different countries belonging both to the same region) - Inter regional level (the card and the place of transaction are from two different countries belonging to two different regions) As a consequence, the protection the merchant has against fraud chargebacks may differ depending on the geographic location of the transaction. It is up to each merchant to analyse with its acquirers the exact chargeback rules applying to his business, per card brand and per country of origin of the card. (Fraud) liability shift Under the terms of the merchant agreement, a merchant attains some level of protection against the consequences of fraud (i.e. the fraud chargebacks) depending on the capability of the card acceptance device. As a rule, the merchant deploying the highest capability for secure card payment acceptance attains the highest level of protection, even if the card or the issuer do not match that highest level of security. As an example, a chip and PIN terminal will usually protect the merchant against any fraud that can be perpetrated against a magstripe-only credit card, as the card has no chip (to prevent Counterfeit fraud) and does not support PIN validation for purchase (to prevent Lost and Stolen fraud). The fraud liability shift principles are translated into the chargeback rules of each card scheme, which define the exact measure of protection, or left over risk that the merchant bears. PCI DSS compliance The Payment Card Industry Data Security Standard (PCI DSS) is composed of the joint set of technical requirements of American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. data security compliance programs. The 4

international card schemes each enforce compliance with the standards in their respective network. Card payment sales conducted at CU s fall in the scope of each airline s own PCI DSS obligations, though they are conducted at shared airport infrastructure (CU, airport network) which are not under the direct control of a single airline. There is no PCI DSS certification for a payment acceptance terminal, as PCI DSS compliance is evaluated for the complete end-to-end transaction environment, from the customer-facing device to the card remittance file delivered to the acquirer. However, a Payment Application certification process called PA-DSS helps the software vendor to develop payment applications that will help the merchant in obtaining a PCI-DSS certification for its end-to-end card transaction environment. At the time the present document is written, the current PCI DSS specification is PCI DSS v3.2 from April 2016. More information can be found at: https://www.pcisecuritystandards.org/document_library Self-service terminals Self-Service unattended acceptance terminals 2 exist in many retail sectors and designate an unattended Point Of Sale (POS) System (e.g. vending machine, checkout kiosk) where the cardholder conducts the transaction at the Point Of Interaction without the participation of an attendant, and where some security verifications cannot be performed (such as if the card appears to be genuine, or if the signature matches the one on the panel on the back of the card). Terminal Type Approval Type Approval is a process that a product or solution must undergo in order to obtain the authorization for deployment from a given card payment scheme or Approval Body. EMV Co Type Approval testing is divided into two levels: - The Level 1 Type Approval process tests compliance with the electromechanical characteristics (contact) or the analog characteristics (contactless) and logical protocol requirements defined in the EMV Specifications. - The Level 2 Type Approval process tests compliance with the application requirements as defined in the EMV Specifications. 2 Depending on the card schemes, self-service/unattended acceptance terminals could be referred to as Customer Activated Terminals (CAT) or Self-Service Terminals (SST). 5

2. Scope of the business requirements for CU s Both self-service and agent s are in scope. During the meeting in September 2015 of the Passenger Experience Management Group (PEMG) 13, it was agreed that there was no immediate need to take payments at a CU self-service bag drop because of the long processing time and resulting queues 3. 3. Business requirements for CU s The airlines have defined the following business requirements for self-service and for agent s, in order to assist both airlines and airports in searching for alignment on solutions that can be implemented globally, thus easing the investment and roll out burden on all stakeholders. The solution must enable the merchant to achieve and maintain PCI DSS Compliance Transaction type Self-service Agent Ticket sale Nice to have Ancillary sale Visa Card payment brand Card Authentication Method (CAM) MasterCard American Express Other card brands As per the appreciation of the group of airline users of the CU As per the appreciation of the group of airline users of the CU Magnetic stripe 4 EMV chip 3 This can be reviewed at a later date. 4 The categorization is for both self-service and agent s in order to support the current environment. 6

100% on line authorization for magstripe transactions Self-service Agent EMV Co Level 1 type approval Certification EMV Co Level 2 type approval PA DSS v3.1 Nice to have Nice to have Contactless 5 Cardholder Validation Method (CVM) Capable Enabled No CVM Signature On line PIN Off line PIN No airline merchant dependency on a single payment provider (processor or acquirer) Number of supported merchant airlines Must be capable of supporting multiple merchants of record Must fit the number of airlines sharing a CU Must fit the number of airlines sharing a CU Card retention capability Provision of a receipt 6 Not required Highly recommended Highly recommended For any comments or questions, please contact: pci@iata.org. 5 MasterCard Global Operations Bulletin 11, 3 rd Nov 2014, demands that as of Jan 1 st 2016, all newly installed terminals with contactless capability be contactless-enabled. Visa Europe has the same mandate as MasterCard Europe, according to Payment Cards and Mobile (10 12 2015). 6 Subject to eventual local requirements that a paper receipt be provided. 7

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback