A Merchant's Path to EMV
Understanding Impacts To Your Business
Georgia Fiscal Management Council
June 23, 2015

EMV is a registered trademark in the U.S. and other countries, and an unregistered trademark elsewhere. EMV is a registered trademark owned by EMVCo LLC.

Disclosures
This presentation is provided as a courtesy and is to be used for general information purposes only. Bank of America Merchant Services shall not be responsible for any inaccurate or incomplete information. The matters contained herein are subject to change. Individual circumstances may vary and procedures may be amended or supplemented as appropriate. This is not intended to be a complete listing of all applicable procedures. No information contained herein alters any existing contractual obligations between Bank of America Merchant Services and its clients. This presentation may not be copied, reproduced or distributed in any manner whatsoever without the express written consent of Bank of America Merchant Services.

Contents
- EMV Overview
- How Does EMV Work?
- EMV Implementation and Implications To Your Business
- Next Steps

EMV Overview
Data Breaches And Incidents Are Costly And On The Rise
- $150 BILLION: Estimated annual losses to business from data and identity theft**
- $1.5 MILLION: Average cost of post breach response activities*
- $5.4 MILLION: Average cost of a data breach*
- $201: Average cost of a compromised record*
- $3 MILLION: Estimated business loss per incident*
Fines for PCI non-compliance examples:
- Visa (pre breach): $5K-$25K per month
- MasterCard (related to breach): $100K for each PCI violation
Publicized breaches of personal information:
- 2011: 1,097
- 2012: 1,631
- 2013: 1390
*Source: Ponemon Institute's 2013 Annual Study: U.S. Cost of a Data Breach
**Source: McAfee 2013 Study: The Economic Impact of Cybercrime and Cyber Espionage

Overall Security Strategy is Critical for an Organization
Merchant Security: Securing Consumer Data; Reducing Fraud*
- Merchant Benefits: Protects firm's reputation and image
- Remove Card Data from Merchant Environment: TransArmor
- Enhanced Authentication: EMV
- Merchant Benefits: Reduction in Counterfeit Fraud
- Industry Benefits: Less card data in market to be used for fraud
- PCI Requirements: Logging and Monitoring, Network Access, etc.
- Fraud Mitigation Tools: ecommerce Fraud Tools, 3D Secure
- Industry Benefits: Devalues stolen card data
* Enhanced authentication and fraud products are being developed in the industry for mobile and ecommerce e.g., device ID, Payment Tokens, risk scores.

What is EMV?
- EMV = global interoperable standard for chip-based payment cards
- Created by Europay, MasterCard, Visa
- Now maintained by EMVCo, LLC, owned by American Express, JCB, MasterCard, Visa, Discover and China Union Pay
- EMV is a payment application that resides in a secure computer chip embedded into a payment device
- EMV supported in Card Present environments only
- EMV standards support existing and emerging payment technologies - Contact (insert), Contactless (tap), Mobile Phones, Watches, Key FOBs

Layered Approach to Security = Encryption + Tokenization + EMV
Help protect data while it is in motion with encryption
- Encrypts the data at the point it is captured and renders the card account number unreadable
- Can only be decrypted by the approved party that receives it and holds the decryption key
Help protect data while it is at rest with tokenization
- Replaces cardholder data (account number) with a Token
- Eliminates the storage of the cardholder's card account number by replacing it with the Token
EMV Chip Technology (Chip and PIN)
- Helps provide assurance that the credit card is authentic and not a cloned counterfeit
- Merchants must have EMV-enabled equipment to accept EMV cards
- October 2015 Liability Shift

What is an EMV Chip Card?
Smarter Technology
- Computer Microchip: Computer chip securely stores the card data. Nearly impossible to counterfeit.
- Unique Cryptogram: The computer chip enables more secure processing by producing a one-time use code for each transaction.
- Mobile Shopping: EMV technology will also enable a one-time use code for mobile transactions.
Added Security
- Difficult to Counterfeit. Because EMV chip cards use cryptograms that are unique to each transaction, stolen chip card data cannot be used to create counterfeit cards.
- Less risk of Fraud. The added layers of security help make debit and credit card data much less valuable.
- Zero Liability. With EMV chip cards, cardholders are still protected from fraudulent purchases.
Used Worldwide
- Wide Adoption. There are approximately 2.37 billion EMV payment cards in circulation and 36.9 million EMV terminals active worldwide.*
*Source: Chip-Based Payments Cards Continue Massive Growth With More Than 2.3 Billion Chip Cards Now in Circulation Globally; SmartMetric, Inc. February 20, 2015

Magnetic Stripe vs. EMV: Key Differences
Magnetic Stripe
- Limited magnetic stripe data
- Easily counterfeited by criminals
- No microprocessor or memory
- Cards are written once and re-issuing of cards is common
EMV
- Extensive data on chip
- Computer microchip
- Helps protect against face-to-face counterfeit fraud and lost/stolen chargebacks
- Issuer scripting
  - Block/Unblock card
  - PIN updates and resets
  - Offline transaction limits

Why EMV for Merchants?
- Helps reduce chargeback liability and associated oversight costs of fraudulent transactions
- Helps to enable you to speed up checkout lanes with contactless transactions, such as Apple Pay
- Driver for mobile payments
- Dual-interface chips (contact and contactless)
- Lets consumers pay the way they want: card, phone, insert, wave/tap
- Contactless may help drive loyalty and repeat business by pushing offers out to mobile phones and redeeming them through POS devices
- Helps to enable payments from international travelers using EMV payment cards
Apple is a trademark of Apple Inc., registered in the U.S. and other countries. Apple Pay is a trademark of Apple Inc.

How EMV Helps Prevent Face to Face Counterfeit
EMV payment chip cards improve security over magnetic stripe technology
- Validates the card is legitimate, helping protect against counterfeit cards
- Cardholder authentication that helps reduce fraud from lost and stolen cards
- Authentication that can be Chip and PIN or Chip and Signature or none; determined by issuing bank
EMV fraud prevention features and their functionality:
Card authentication
- Helps protect against face-to-face counterfeit fraud
- Transactions require an authentic card that is validated either online or offline
Cardholder Verification Method (CVM)
- Helps combat lost and stolen card fraud, particularly with cardholder PIN
- Helps ensure that the person attempting to make the transaction is the person to whom the card belongs
- Options include Offline PIN, Online PIN, Signature or no CVM
Transaction authorization
- Combats counterfeit card fraud and fraudulent use of lost/stolen cards
- EMV transactions are authorized by the issuer based on security parameters they have established

EMV Around the World
- Europe is the leader in EMV adoption.
- The US is moving forward with EMV now.
- 70% of US credit cards and 41% of debit cards will be EMV enabled by the end of 2015*
*Source EMVCo - http://www.emvco.com/documents/emvco_worldmap2.png

International Experience Lessons Learned
- Fraud expected to shift to retail merchants that do not support EMV
- Global experience demonstrates adoption of chip technology can reduce fraud at POS but can drive higher card not present (CNP) fraud*
- Merchants should leverage CNP fraud tools
  - Tokenization
  - 3D Secure (i.e. Verified by Visa, MasterCard SecureCode)
  - Fraud scoring tools, IP Geo-location, Device Fingerprinting
[Chart] Decrease in Counterfeit Fraud* (U.K., Canada, Australia): -77%, -54%, -56%
[Chart] Increase in CNP Fraud* (U.K., Canada, Australia): 66%, 133%, 86%
*AITE Report EMV: Lessons Learned and the U.S. Outlook June 2014

How Does EMV Work?
How EMV Works
- The chip is protected by various security features to help make it tamper-resistant
- The security credentials help prevent card cloning -- chip card-based payment account information cannot be skimmed if the chip card is properly used
- The computer chip helps enable more secure processing by producing a one-time use code for each transaction
Contact Transaction
1) Insert Card: Instead of swiping, card is inserted in terminal
2) Leave Card In: Card stays in terminal for duration of transaction
3) Sign Receipt or Enter PIN: Sign receipt or enter PIN to complete transaction
4) Remove Card: Remove Card when the purchase is complete
Contactless Transaction
1) Tap Card: Instead of swiping, card is tapped on terminal
2) Sign Receipt or Enter PIN: Sign receipt or enter PIN to complete transaction

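
The one-time code described above, as an added example that is not part of the original presentation: a simplified model in which the chip computes a code over the transaction data plus an incrementing transaction counter, and the issuer declines a wrong or replayed code. HMAC-SHA256, the strict counter check, the class names and the key are stand-ins chosen for illustration; real EMV cards use the card schemes' own key derivation and cryptogram algorithms.

```python
import hashlib
import hmac


def cryptogram(card_key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """One-time code bound to this transaction (HMAC-SHA256 stand-in, 8 bytes)."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Chip:
    """Holds the secret key; the key itself never leaves the chip."""
    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0

    def sign(self, amount_cents: int, nonce: bytes):
        self.counter += 1  # a fresh counter value for every transaction
        return self.counter, cryptogram(self._key, self.counter, amount_cents, nonce)


class Issuer:
    """Shares the card key and remembers the highest counter it has accepted."""
    def __init__(self, key: bytes):
        self._key = key
        self.last_counter = 0

    def authorize(self, counter: int, amount_cents: int, nonce: bytes, code: bytes) -> str:
        expected = cryptogram(self._key, counter, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return "DECLINE: bad cryptogram"
        if counter <= self.last_counter:
            return "DECLINE: replayed counter"
        self.last_counter = counter
        return "APPROVE"


def demo():
    key = bytes(range(16))            # constructed key, for illustration only
    chip, issuer = Chip(key), Issuer(key)
    nonce = b"\x01\x02\x03\x04"       # terminal-chosen random value (constructed)
    counter, code = chip.sign(2500, nonce)
    return [
        issuer.authorize(counter, 2500, nonce, code),                    # genuine
        issuer.authorize(counter, 2500, nonce, code),                    # captured data sent again
        issuer.authorize(counter + 1, 9900, b"\x09\x09\x09\x09", code),  # old code on a new purchase
    ]
```

Data captured from one chip transaction fails both ways it could be reused: sent again unchanged it carries an already-used counter, and attached to a different purchase it no longer matches the code the issuer computes.
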
EMV Process Flow
Cardholder Verification Methods (CVM)
- Used to help evaluate whether the person presenting the card is the legitimate cardholder
- Primarily to help protect against fraud using lost or stolen cards
- Options Available
  - Online PIN
  - Offline PIN
  - Signature
  - No CVM
- The payment acceptance device uses a CVM List from the card to determine the type of verification able to be performed

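
How a payment acceptance device can pick among the four options from the card's CVM List, as an added example that is not part of the original presentation. It assumes the CVM List layout from the EMV specifications (two 4-byte amounts followed by 2-byte rules) and models only a plain purchase in the card's currency; the function names and the sample lists are constructed for illustration.

```python
# CVM type codes (low 6 bits of a rule's first byte) mapped to the slide's four options.
# Combined PIN-plus-signature codes are left out and therefore treated as unsupported.
CVM_NAMES = {0x01: "Offline PIN", 0x04: "Offline PIN", 0x02: "Online PIN",
             0x1E: "Signature", 0x1F: "No CVM"}


def parse_cvm_list(data: bytes):
    """Return (amount_x, amount_y, rules); a rule is (cvm_type, condition, continue_on_fail)."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    amount_x = int.from_bytes(data[0:4], "big")
    amount_y = int.from_bytes(data[4:8], "big")
    rules = [(data[i] & 0x3F, data[i + 1], bool(data[i] & 0x40))
             for i in range(8, len(data), 2)]
    return amount_x, amount_y, rules


def condition_met(cond: int, amount: int, x: int, y: int) -> bool:
    """Rule conditions for a plain purchase; the cash-related conditions never apply here."""
    return {0x00: True, 0x02: True, 0x06: amount < x, 0x07: amount > x,
            0x08: amount < y, 0x09: amount > y}.get(cond, False)


def select_cvm(data: bytes, terminal_supports: set, amount: int) -> str:
    """Walk the card's rules in priority order and return the CVM the terminal should use."""
    x, y, rules = parse_cvm_list(data)
    for cvm_type, cond, continue_on_fail in rules:
        name = CVM_NAMES.get(cvm_type)
        supported = name in terminal_supports
        # Condition 0x03 means "if the terminal supports this CVM".
        applies = supported if cond == 0x03 else condition_met(cond, amount, x, y)
        if not applies:
            continue
        if supported:
            return name
        if not continue_on_fail:
            return "CVM failed"  # the card does not allow moving on to the next rule
    return "CVM failed"


# Constructed sample lists (not taken from a real card).
PIN_PREFERRING = bytes.fromhex("0000000000000000" "4203" "4403" "5E03" "1F00")
PIN_MANDATORY = bytes.fromhex("0000000000000000" "0100" "1F00")
LOW_VALUE_NO_CVM = bytes.fromhex("0000138800000000" "1F06" "0200")
```

The same card yields different verification at different terminals: `PIN_PREFERRING` selects Online PIN where a PIN pad is available and falls back to Signature where it is not, while `PIN_MANDATORY` fails verification at a terminal without offline PIN support.
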
EMV Implementation And Implications For Your Business
EMV Key Dates
10/12 10/13 04/13 10/13 10/15 10/15 10/15 10/17 10/17
- PCI audit relief took effect
- Acquirers and sub-processor mandate to fully process EMV transactions
- Account Data Compromise (ADC) Fee Relief
- Counterfeit fraud liability shift takes effect (excluding petro)
- Lost/stolen fraud liability shift takes effect (excluding petro)
- Counterfeit fraud liability shift takes effect (petro)
- Lost/stolen fraud liability shift takes effect (petro)
Y Y N Y N Y N Y Y Y¹ Y Y Y Y Y Y N Y Y Y Y Y Y N Y Y Y Y
¹ MasterCard has stated that it will provide a 50% ADC relief in 2013 and 100% ADC relief pending certain % of terminals support EMV
Clients that do not support EMV by Oct 1, 2015 will be liable for fraud transactions and transactions using lost and stolen cards.

Implications For Your Business - Liability Shifts
Clients that do not support EMV may be liable for potential counterfeit and transactions using lost or stolen cards as of Oct 1, 2015

Visa Oct 1, 2015; MasterCard Oct 1, 2015
- Liability will fall on the entity that has not upgraded to chip, whether it's the issuer or the retailer
- If both have chip, then the issuer will be responsible, in most cases
- If the issuer has upgraded and the retailer has not, the retailer will bear the liability costs
- Liability shifts to merchants who have not upgraded their POS terminals to process EMV card transactions and fraud occurs.
- Whichever party (issuer or merchant) offers the least secure cardholder verification method (CVM) will be held liable for a fraudulent transaction in most cases
  - Mag-stripe card is least secure
  - Chip-and-PIN is most secure

Discover Oct 1, 2015; American Express Oct 1, 2015
- Fraud Liability Shift for Discover Network (in the U.S., Canada and Mexico) and PULSE (in the U.S.)
- Policy will be a risk-based payments hierarchy that benefits the entity that leverages the highest level of available payments security
- Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology

EMV Chip Cards are Being Issued
U.S. credit and debit card issuers who are issuing or have announced plans to issue EMV payment cards include*:
- American Express
- Andrews Federal Credit Union
- Bank of America
- Chase
  - JPMorgan Palladium Card
  - JP Morgan Select Visa Signature Card
  - Chase Hyatt Visa Signature Credit Card
  - Chase British Airways Visa Signature Credit Card
- Citi
  - Citi Commercial Cards
  - Citi Executive / AAdvantage Card
- Fifth Third Bank
- Jack Henry & Associates Payment Processing Solutions
- PSCU Financial Services
- Silicon Valley Bank
- Star One Credit Union
- State Employees Credit Union
- Travelex Cash Passport
- United Nations Federal Credit Union
- U.S. Bank
- Wells Fargo
In 2015, about 578 million chip cards are expected to be delivered in the US.**
* EMV Connection, A Smart Card Alliance Site, http://www.emv-connection.com/u-s-emv-issuers/
** Digital Transactions, http://digitaltransactions.net/news/story/5095

Merchant considerations when implementing EMV
Implementing EMV in a merchant's environment can be challenging:
- Terminal hardware and software upgrades
  - Understand what hardware options will be available
- Speak to third-party POS software providers to understand their strategy to become EMV compliant
  - Be prepared to potentially upgrade to a new POS software solution
- Understand the differences between a full EMV certification vs. UAT project
  - Be prepared for a lengthy and complex EMV certification
  - Identify potential re-certification events (i.e. kernel expirations)
- Understand the potential fraud liability impacts with not supporting EMV
- EMV projects can be costly: understand all costs
- Take advantage of new product opportunities (i.e. TransArmor, Dynamic Currency Conversion)
- Incorporate EMV as a part of your next generation POS solution
The majority of merchants in the U.S. will support a certified EMV solution as opposed to performing a full EMV certification. Reasons are due to cost, complexity and on-going support requirements.*
*Based upon Bank of America Merchant Services experience with merchant clients using semi-integrated vs. EMV certification process.

Types of POS systems that merchants will use to support EMV
1) Standalone terminals
- Standalone terminals include First Data Series terminals
- No EMV certification is required
- First Data Series terminals are deployed as plug and play
- Simplest of all EMV implementations
2) Vendor certification
- 3rd party vendor certified by First Data for EMV
- Testing not required
- Limited to the features and functionality supported by 3rd party provider
- Client typically able to implement within a few months
3) Full EMV Certification
- Client / vendor required to perform a full EMV certification and code to First Data message specifications
- Requires utilization of CertPro Solution
- Typically utilized by merchants that have very complex POS systems
- The most complex of all EMV implementations

Consumer Education and Customer Support
Help employees learn to think chip cards, mobile phones, contact, and contactless:
- Chip cards vs. current magnetic stripe
- Changes to transaction handling
- How to answer consumer questions about EMV
Consider consumer-facing educational materials
- Promote "EMV payments accepted here"
- Reminder to leave card inside reader during the entire transaction
- Prompt to take card out of reader when transaction is complete

Next Steps
Action Items for Georgia Fiscal Management Council
- Review your terminals and POS Systems for EMV capability and EMV enabled status
- Review your policy for fraud exposure and determine liability shift adoption
- Schedule time to review equipment with your Merchant partner for upgrade options or replacement needs
- Review POS Systems with the Vendor for their strategy to upgrade to EMV

If you have questions about EMV, contact Michelle Whalen; michelle.whalen@bankofamericamerchant.com; 941 896 8881.

© 2015 Banc of America Merchant Services, LLC. All rights reserved. All trademarks, service marks and trade names referenced in this material are the property of and licensed by their respective owners. Merchant Services are provided by Bank of America, N.A. and its representative Banc of America Merchant Services, LLC. Banc of America Merchant Services, LLC is not a bank, does not offer bank deposits, and its services are not guaranteed or insured by the FDIC or any other governmental agency.