EMV - Merchant Acquirers' Committee: What It Can and Cannot Do
Transcript of the slide deck, posted on 09-Apr-2018
© 2015 SCIL. All Rights Reserved.
Presenters
Mansour A. Karimzadeh
Mansour applies nearly 25 years of experience to his leadership role at SCIL. His background includes
payment and transaction processing systems in the financial industry and an in-depth understanding of how
to create new businesses and drive demand for emerging products and technologies. He has been
instrumental in implementing many large card and payment processing projects worldwide, specializing
in smart cards and EMV systems, including projects in the UK, Canada, USA, Latin America, the Middle East
and Australia. He served as a Board member of GlobalPlatform and Chair of its Marketing Center.
He previously managed a smart card consultancy and software company that was acquired by ACI
Worldwide. At ACI he served as VP of Operations and Director of the Smart Cards Unit.
Susan Matt
Susan has over 25 years of business experience. She began her career as a CPA at the public
accounting firm Deloitte, serving a variety of clients in industry sectors such as financial, manufacturing,
non-profit and legal. Using her public accounting knowledge, she moved into the private sector as an
international auditor and forensic financial specialist, and then to RBS Worldpay/Lynk Systems as VP of
Regulatory & Compliance. In 2007, leveraging her years of experience, she founded ThoughtKey, a
consulting firm focused on guiding clients to preserve profit while managing industry risk.
She has served on the MAC Board as CFO and on the ATMIA US Board of Directors as Chairperson.
Agenda
• EMV Intent
• EMV Infrastructure – The Complexities Unveiled
• EMV Impact (on my world)
• Risk Landscape - Watch out for Changes
• Hidden Agenda? (“Conspiracy Theory”)
EMV Intent
• Defines the interaction between a "smart card" and a terminal device in terms of two sets of characteristics:
  physical characteristics - card layout and chip placement, and the contact interface through which the terminal powers and talks to the chip, AND
  software characteristics - the command/response protocol and the cryptographic algorithms used when the terminal connects to and communicates with the smart card chip
1. GOAL:
   Secure exchange of sensitive user data to complete a credit/debit transaction
   Allow issuers instant risk management capability
2. ULTIMATE GOAL:
   Reduce/eliminate counterfeit fraud (and reduce/eliminate lost/stolen fraud, but only when a PIN is used)
What it does and does not

Does:
• Reduce counterfeit (card-present) fraud
• Reduce liability
• Allow issuers to manage card risk dynamically
• Require infrastructure change

Doesn't:
• Reduce card-not-present (CNP) fraud
• Eliminate liability
• Eliminate acquirer fraud monitoring
• Work without change
What it does and does not (Cont.)

Does:
• Improve transaction security
• Potentially reduce PCI risk
• Work in concert with P2PE and tokens

Doesn't:
• Eliminate security requirements
• Eliminate the PCI mandate
• Eliminate the need for P2PE and tokens
How does an EMV card work?

(Figure: the chip contact plate, with callouts on three of its contacts.)
• Power is applied to the chip by the card reader through one contact.
• A continuous clock is applied to the chip by the card reader through another contact.
• Streams of serial data such as 01101011010101110 come in and out of the I/O contact.

Applying power "wakes up" the simple operating system on the chip and allows the card reader to begin
the conversation: a sequence of commands and responses in which the terminal selects the payment
application, reads and authenticates the card data and asks the chip for a transaction cryptogram.
Chip Card Technology
• Compare your computer to a chip
Chip Card Technology
• The chip can
Store more data than a magnetic stripe
Store data securely
Accept commands from terminal and send responses to
terminal
Encrypt and decrypt data using cryptographic modules
House multiple programs (applications), each with its own set
of processing parameters
Make risk management decisions
Support read and write functions
Update data in card after issuance
How does an EMV transaction work?

(Figure: a point-of-sale terminal with callouts.)
• A clerk enters the relevant sale information as usual.
• The customer (usually) inserts the EMV card into the terminal, much like ATMs work today... or, actually, yesterday :)
• The customer is (usually) presented with a PIN pad. The PIN is the cardholder verification method the
  card and terminal have agreed on; it is checked by the chip itself (offline PIN) or by the issuer
  (online PIN). It is not what lets the terminal communicate with the card: that conversation is already
  under way before the PIN is asked for.
• The terminal "holds" the card during the transaction because it is supplying power to the chip while it
  reads the records it needs from the chip's file system and obtains the cryptogram that proves the chip
  is genuine.
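The conversation the two slides above describe, written out as an added example (it is not code from the slides or from SCIL). The terminal side sends GET PROCESSING OPTIONS, READ RECORD and GENERATE AC to a simulated chip, parses each BER-TLV response, and builds the GENERATE AC input from the card's own CDOL1. The chip, its canned responses, the PAN, the amounts and the date are all constructed test values; application selection (SELECT) and offline data authentication are omitted, and the parser handles two-byte tags and the 81 xx length form, which covers every object an acquirer meets in DE 55.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// ParseTLV decodes a BER-TLV sequence (EMV Book 3, Annex B) into out, descending into templates such as 70
// and 77. Malformed data is an error rather than a panic, so a hostile card cannot crash the terminal.
func ParseTLV(data []byte, out map[uint32][]byte) error {
	for i := 0; i < len(data); {
		constructed, tag := data[i]&0x20 != 0, uint32(data[i])
		for more := data[i]&0x1F == 0x1F; more; { // first byte ending in 11111: tag continues
			if i++; i >= len(data) {
				return fmt.Errorf("truncated tag")
			}
			tag, more = tag<<8|uint32(data[i]), data[i]&0x80 != 0
		}
		if i++; i >= len(data) {
			return fmt.Errorf("tag %X: missing length", tag)
		}
		n := int(data[i])
		if i++; n == 0x81 { // long form, one length byte: values of 128..255 bytes
			if i >= len(data) {
				return fmt.Errorf("tag %X: missing length", tag)
			}
			n, i = int(data[i]), i+1
		} else if n&0x80 != 0 {
			return fmt.Errorf("tag %X: unsupported length encoding", tag)
		}
		if i+n > len(data) {
			return fmt.Errorf("tag %X: value truncated", tag)
		}
		if !constructed {
			out[tag] = data[i : i+n]
		} else if err := ParseTLV(data[i:i+n], out); err != nil {
			return err
		}
		i += n
	}
	return nil
}

func hx(s string) []byte { b, _ := hex.DecodeString(s); return b }

// cardResponse stands in for the chip: canned responses (constructed test values, not real card
// data) to the three commands the terminal sends, each ending with SW1SW2 = 9000.
func cardResponse(apdu []byte) []byte {
	switch apdu[1] { // INS
	case 0xA8: // GET PROCESSING OPTIONS: 77 template with AIP (82) and AFL (94: SFI 1, record 1)
		return hx("770A82021C009404080101009000")
	case 0xB2: // READ RECORD: 70 template with PAN (5A), expiry (5F24), PAN sequence (5F34), CDOL1 (8C)
		return hx("702B5A0847617390010100105F24032512315F3401018C159F02069F03069F1A0295055F2A029A039C019F37049000")
	case 0xAE: // GENERATE AC: 77 template with CID (9F27, 80 = ARQC), ATC (9F36), cryptogram (9F26), IAD (9F10)
		return hx("771E9F2701809F3602001F9F26080123456789ABCDEF9F100706010A03A000009000")
	}
	return hx("6D00") // instruction not supported
}

// exchange sends one command APDU (hex), checks SW1SW2 and merges the parsed response into objs.
func exchange(apdu string, objs map[uint32][]byte) error {
	r := cardResponse(hx(apdu))
	if n := len(r); n < 2 || r[n-2] != 0x90 || r[n-1] != 0x00 {
		return fmt.Errorf("%s: SW %X", apdu, r)
	}
	return ParseTLV(r[:len(r)-2], objs)
}

// RunTransaction plays the terminal (application selection omitted): GPO, READ RECORD, then GENERATE AC
// with its data built from CDOL1. It returns every object now known and the bytes the cryptogram covers.
func RunTransaction() (map[uint32][]byte, []byte, error) {
	// Terminal data by tag, constructed: USD 10.00, no cashback, US terminal, TVR clear, 9 April 2015.
	objs := map[uint32][]byte{0x9F02: hx("000000001000"), 0x9F03: hx("000000000000"), 0x9F1A: hx("0840"),
		0x95: hx("0000000000"), 0x5F2A: hx("0840"), 0x9A: hx("150409"), 0x9C: hx("00"), 0x9F37: hx("1A2B3C4D")}
	if err := exchange("80A80000028300", objs); err != nil { // no PDOL in the FCI: empty 83 template
		return nil, nil, err
	}
	afl := objs[0x94]
	if len(afl) < 4 {
		return nil, nil, fmt.Errorf("missing or short AFL")
	}
	if err := exchange(fmt.Sprintf("00B2%02X%02X00", afl[1], afl[0]|4), objs); err != nil { // P2 = SFI<<3|4
		return nil, nil, err
	}
	var data []byte // CDOL1 is tag+length pairs: supply each value zero-padded or truncated to that length
	for cdol := objs[0x8C]; len(cdol) > 0; {
		tl := 1 + int(cdol[0]&0x1F)/0x1F // tag length: 2 when the low five bits are all set (9F02 ...)
		if len(cdol) < tl+1 {
			return nil, nil, fmt.Errorf("malformed CDOL1")
		}
		tag, n := uint32(cdol[0])<<(8*(tl-1))|uint32(cdol[tl-1]), int(cdol[tl])
		data = append(data, append(append([]byte{}, objs[tag]...), make([]byte, n)...)[:n]...)
		cdol = cdol[tl+1:]
	}
	if err := exchange(fmt.Sprintf("80AE8000%02X%X", len(data), data), objs); err != nil { // P1 80: ARQC
		return nil, nil, err
	}
	return objs, data, nil
}
```

After GENERATE AC, objs holds the card's 9F26, 9F27, 9F10, 9F36 and 82 next to the terminal's 9F02, 9F03, 9F1A, 95, 5F2A, 9A, 9C and 9F37; those are the objects an acquirer re-encodes as BER-TLV into DE 55 of the authorization request, the inverse of ParseTLV. The bounds checks in ParseTLV are not cosmetic: a terminal or host that indexes past the end of a malformed response is a crash a hostile card can trigger at will.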
Acquiring System Changes due to EMV
• Device Management:
PoS and ATM
Key Distribution
Software for non-EMV applications?
• Acquirer Host Systems:
Device and Network Messaging Protocols
Authorization Delegation and Stand-In
• Clearing:
New data to be processed and stored
• Back Office:
Chargebacks, Reporting etc.
EMV Acquirer Considerations

Card interface: EMV Contact
  New data for processing: DE 55 (chip data); POS entry mode; card sequence number; EMV settlement data
  New support for processing: online PIN; send DE 55 data; process ARQC; process ARPC; process chip update (issuer script) data; support batch processing for offline-approved transactions
  New hardware: PIN pad; contact reader

Card interface: EMV Contactless
  New data for processing: as for EMV contact (DE 55; POS entry mode; card sequence number; EMV settlement data)
  New support for processing: process ARQC; send DE 55
  New hardware: contactless reader

Card interface: Contactless MSD (magnetic stripe data mode)
  New data for processing: dCVV/CVC3; ATC; POS entry mode; terminal capability
  New support for processing: no change
  New hardware: contactless reader
Acquirer New Tasks
• Public key management - distributing the card scheme CA public keys to terminals
• Offline card authentication (CAM) at the terminal
• Offline PIN at the point of interaction
• Terminal risk management
• Providing the card data in the clearing message to the issuer (mandatory)
• Carrying the card data in the Authorization Request Cryptogram (ARQC) message
• PIN pad management
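The "process ARQC" and "process ARPC" rows of the considerations table and the ARQC message task above refer to the cryptogram exchange between card and issuer that the acquirer normally only transports, except when it stands in for an issuer that is offline or cannot process EMV. The Go code below is an added example, not SCIL's or any scheme's implementation: it derives the card master key and the session key, computes an ARQC the way the card does, verifies it the way an issuer or stand-in host does, and produces the ARPC for the response, following EMV Book 2 Annex A1 (master key derivation Option A, common session key derivation, ISO/IEC 9797-1 Algorithm 3 MAC, ARPC method 1). Keys, PAN and transaction data are constructed test values; which data elements an issuer includes under the MAC depends on its cryptogram version, and the set used here is the EMV minimum.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"strings"
)

// Constructed test values, not real keys or card data.
var (
	SampleIMK = hx("0123456789ABCDEFFEDCBA9876543210") // issuer master key for application cryptograms
	SamplePAN = "4761739001010010"
	SamplePSN = "01"                 // PAN sequence number (5F34)
	SampleATC = []byte{0x00, 0x1F} // application transaction counter (9F36)
	// What the card MACs: the CDOL1 data (9F02 9F03 9F1A 95 5F2A 9A 9C 9F37) followed by AIP (82),
	// ATC (9F36) and IAD (9F10); the issuer rebuilds exactly these bytes from DE 55.
	SampleACData = hx("000000001000" + "000000000000" + "0840" + "0000000000" + "0840" + "150409" + "00" +
		"1A2B3C4D" + "1C00" + "001F" + "06010A03A00000")
)

func hx(s string) []byte { b, _ := hex.DecodeString(s); return b }

// tdes returns a two-key triple-DES block (K1 K2 K1) for a 16-byte key.
func tdes(k16 []byte) cipher.Block {
	b, err := des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...))
	if err != nil {
		panic(err)
	}
	return b
}

// DeriveMK derives the card's AC master key from the issuer master key, PAN and PAN sequence number
// (EMV Book 2, Annex A1.4.1, Option A): Y = rightmost 16 digits of PAN||PSN, zero-padded on the left;
// MK = 3DES(IMK)[Y] || 3DES(IMK)[Y XOR FF..FF]. The parity adjustment the spec adds is skipped: DES ignores those bits.
func DeriveMK(imk []byte, pan, psn string) ([]byte, error) {
	y := strings.Repeat("0", 16) + pan + psn
	yb, err := hex.DecodeString(y[len(y)-16:])
	if err != nil {
		return nil, err
	}
	mk, blk := make([]byte, 16), tdes(imk)
	blk.Encrypt(mk[:8], yb)
	for i := range yb {
		yb[i] ^= 0xFF
	}
	blk.Encrypt(mk[8:], yb)
	return mk, nil
}

// DeriveSK derives the per-transaction session key from MK and the ATC (EMV Book 2, Annex A1.3.1,
// common session key): SK_L = 3DES(MK)[ATC||F0||00*5], SK_R = 3DES(MK)[ATC||0F||00*5].
func DeriveSK(mk, atc []byte) []byte {
	sk, blk := make([]byte, 16), tdes(mk)
	blk.Encrypt(sk[:8], []byte{atc[0], atc[1], 0xF0, 0, 0, 0, 0, 0})
	blk.Encrypt(sk[8:], []byte{atc[0], atc[1], 0x0F, 0, 0, 0, 0, 0})
	return sk
}

// RetailMAC computes the 8-byte application cryptogram (EMV Book 2, Annex A1.2.1): ISO/IEC 9797-1
// Algorithm 3, i.e. single-DES CBC under SK_L with the last block decrypted under SK_R and
// re-encrypted under SK_L, over the data padded with 80 and zeros to a multiple of 8 bytes.
func RetailMAC(sk, data []byte) []byte {
	kl, _ := des.NewCipher(sk[:8])
	kr, _ := des.NewCipher(sk[8:])
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (8-len(msg)%8)%8)...)
	mac := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := range mac {
			mac[j] ^= msg[i+j]
		}
		kl.Encrypt(mac, mac)
	}
	kr.Decrypt(mac, mac)
	kl.Encrypt(mac, mac)
	return mac
}

// VerifyARQC is the issuer (or stand-in host) check: rebuild MK and SK from the PAN, PSN and ATC in the
// authorization request, recompute the MAC over the DE 55 data and compare it in constant time with 9F26.
func VerifyARQC(imk []byte, pan, psn string, atc, data, arqc []byte) (bool, error) {
	mk, err := DeriveMK(imk, pan, psn)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(RetailMAC(DeriveSK(mk, atc), data), arqc) == 1, nil
}

// GenerateARPC computes the issuer's reply cryptogram (EMV Book 2, Annex A1.2.2, method 1):
// ARPC = 3DES(SK)[ARQC XOR (ARC || 00*6)], ARC being the two-character authorization response code.
func GenerateARPC(sk, arqc []byte, arc string) []byte {
	in, out := make([]byte, 8), make([]byte, 8)
	copy(in, arqc)
	in[0], in[1] = in[0]^arc[0], in[1]^arc[1]
	tdes(sk).Encrypt(out, in)
	return out
}
```

Two consequences for an acquirer host follow directly from the code. The issuer MACs the DE 55 objects in CDOL1 order, so a host that reorders, truncates or re-encodes them breaks verification on every transaction; and because the ATC enters the session key, a replayed ARQC fails even when amount and terminal data are identical. The card checks the ARPC in EXTERNAL AUTHENTICATE, which is how it knows an approval really came from the issuer. In production the keys never leave a payment HSM and VerifyARQC and GenerateARPC are HSM commands; the code shows what those commands compute.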
Processing Systems
Affected by card scheme mandates - this includes systems that:
• Receive/monitor transactions
• Route transactions via different networks to the issuing host
• Stand in and provide processing when the issuer is not capable of processing EMV or is offline
• Perform authorization
• All risk and transaction systems, including monitoring, chargebacks, adjustments and settlement
US Liability Shift Migration Timelines

(Figure: timeline of Visa and MasterCard milestones from October 2012 to October 2017, as labeled on the slide.)
• October 2012: PCI audit relief takes effect (MasterCard); Technology Innovation Program (TIP) - PCI validation relief for merchants that adopt dual-interface terminals (Visa)
• April 2013: acquirer and processor mandate to fully process EMV (MasterCard); acquirer chip processing - acquirer processors must support chip processing (Visa)
• 2013-2014: ADC (Account Data Compromise) relief takes effect (50%); interregional Maestro liability shift
• April/October 2015: ADC relief takes effect (100%); liability hierarchy takes effect, excluding fuel (MasterCard); ATM acquirer processors and sub-processors must support EMV chip data and ATMs; liability shift for domestic and cross-border counterfeit fraud on debit and credit at all POS, excluding automated fuel dispensers (AFD) (Visa)
• October 2016: ATM liability hierarchy takes effect
• October 2017: liability hierarchy takes effect for fuel operators (MasterCard); liability shift expanded to include automated fuel dispensers (AFD) (Visa)

American Express and Discover have also adopted liability shifts effective October 2015:
• Amex shifts liability away from the party with the "most secure form of EMV technology"
• Discover assigns liability to the party that has "done the least"
Additionally, Amex offers PCI relief similar to Visa's and MasterCard's if the POS terminals where 75% of transactions occur are EMV enabled.
Acquirer Risk Composition Changes
• New order in liability - generally the stakeholder with the least secure technology is liable for fraud
• Gradually all transactions will be EMV - an acquirer that has not upgraded will lose fees
• Reduction/elimination of counterfeit fraud
• Reduction/elimination of the associated chargebacks
• Card Not Present (CNP) fraud has increased in other EMV markets; CNP transactions need additional fraud monitoring
• Need for a review of CNP devices and procedures
Issuers vs Acquirers
(Figure: issuer on one side, acquirer on the other.) The winner? It is not that simple.
Key Points
• Requires (proper) hardware, software and process changes in the EMV communication chain and in the
  back office systems supporting the transaction/settlement
• Shifts liability to the least secure technology channel
• Secure CAM (card authentication) reduces counterfeit fraud
• Secure CVM (cardholder verification, such as PIN) can help control lost and stolen fraud; it does not
  address Card Not Present fraud, which EMV leaves untouched
• Benefits mostly for issuers:
  Issuers can set/change card parameters to quickly control risk on each card. Combined with the
  authorization and card management systems, this cuts fraud and improves credit control and bad debt.
  New revenue streams from issuing cards to less creditworthy customers, because of tighter control over
  use and misuse - but this may cause an increase in "friendly fraud"
(c) Copyright SCIL 2012
PCI DSS and EMV
Acceptance environments that effectively utilize EMV can substantially reduce CP fraud, but...
• EMV by itself does not protect NPII/CHD (cardholder data)
• In EMV environments the PAN is processed by the POS as clear text (the same holds for the expiry date and other cardholder data elements)
• Most EMV environments are hybrids handling both EMV and non-EMV transactions (which also means legacy data and storage problems)
• Most EMV cards contain a mag stripe for 1) backwards compatibility in non-EMV environments or 2) "fallback"
EMV + PCI DSS = Security
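The mag-stripe "fallback" path just mentioned and the earlier point that EMV does not eliminate acquirer fraud monitoring meet in one routine check: how often chip cards are being swiped or keyed at terminals that can read chips. The Go monitor below is an added example, not part of the slides: it reads the service code from track 2 to tell chip cards from stripe-only cards, labels each authorization, and flags terminals whose fallback rate is out of line. The authorization records, terminal IDs and threshold are constructed, and the DE 22 entry-mode values are assumed to follow common usage; confirm them against your scheme's message specification before relying on them.

```go
package main

import (
	"sort"
	"strings"
)

// Auth is the slice of an authorization record the monitor needs, named after the ISO 8583
// elements an acquirer host already carries. All records in this file are constructed samples.
type Auth struct {
	TerminalID string
	Track2     string // DE 35 as read: PAN, separator 'D' or '=', YYMM expiry, 3-digit service code, ...
	EntryMode  string // first two digits of DE 22
	ChipTerm   bool   // terminal is EMV-capable, from the acquirer's terminal inventory
}

// DE 22 entry-mode values as commonly populated (assumed for this example; confirm against your
// scheme's message specification).
const (
	EntryManual   = "01" // key-entered
	EntryChip     = "05" // contact chip
	EntryCtls     = "07" // contactless EMV
	EntryFallback = "80" // chip card read by magnetic stripe after a chip read failed
	EntryMSR      = "90" // magnetic stripe, full track read
)

// ServiceCode extracts the service code from track 2 (ISO/IEC 7813: it follows the separator
// and the four-digit expiry). A first digit of 2 or 6 means the card carries a chip.
func ServiceCode(track2 string) (string, bool) {
	sep := strings.IndexAny(track2, "D=")
	if sep < 0 || len(track2) < sep+8 {
		return "", false
	}
	return track2[sep+5 : sep+8], true
}

// ChipCard reports whether the card presented has a chip, judged from track 2 alone.
func ChipCard(track2 string) bool {
	sc, ok := ServiceCode(track2)
	return ok && (sc[0] == '2' || sc[0] == '6')
}

// Classify labels one authorization for monitoring:
//   fallback      a chip card was swiped or keyed at a chip-capable terminal (whatever DE 22 says)
//   chip-card-msr a chip card was swiped at a terminal that cannot read chips
//   ok            chip read, or a magnetic-stripe-only card
func Classify(a Auth) string {
	switch {
	case !ChipCard(a.Track2), a.EntryMode == EntryChip, a.EntryMode == EntryCtls:
		return "ok"
	case a.ChipTerm:
		return "fallback"
	default:
		return "chip-card-msr"
	}
}

// FallbackRates returns, per terminal, fallbacks divided by chip-card presentations.
func FallbackRates(auths []Auth) map[string]float64 {
	chip, fallback := map[string]int{}, map[string]int{}
	for _, a := range auths {
		if !ChipCard(a.Track2) {
			continue
		}
		chip[a.TerminalID]++
		if Classify(a) == "fallback" {
			fallback[a.TerminalID]++
		}
	}
	rates := make(map[string]float64, len(chip))
	for id, n := range chip {
		rates[id] = float64(fallback[id]) / float64(n)
	}
	return rates
}

// FlagTerminals lists terminals whose fallback rate reaches threshold, sorted for stable reporting.
// A high rate points at a broken reader or at a terminal being used to run counterfeit stripe copies of chip cards.
func FlagTerminals(auths []Auth, threshold float64) []string {
	var flagged []string
	for id, r := range FallbackRates(auths) {
		if r >= threshold {
			flagged = append(flagged, id)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleAuths is a constructed batch: T1 reads chips with one fallback, T2 is a magnetic-stripe-only
// terminal, T3 never reads the chip of the chip cards it sees.
var SampleAuths = []Auth{
	{"T1", "4761739001010010D2512201", EntryChip, true},
	{"T1", "4761739001010010D2512201", EntryChip, true},
	{"T1", "4761739001010010D2512201", EntryFallback, true},
	{"T1", "5413330089600010D2512101", EntryMSR, true},
	{"T2", "4761739001010010D2512201", EntryMSR, false},
	{"T3", "4761739001010010D2512201", EntryMSR, true},
	{"T3", "4761739001010010D2512201", EntryManual, true},
}
```

Classify deliberately ignores whether DE 22 carries the fallback value: the combination of a chip service code, a chip-capable terminal and a non-chip read is a fallback whatever the terminal reported, and a terminal that mislabels it is itself a finding. The threshold belongs in configuration and should be tuned per merchant category; a rate of 1.0 on a single terminal, as T3 shows, is worth a same-day call to the merchant.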
Summary

Does:
• Reduce counterfeit (card-present) fraud
• Reduce liability
• Allow issuers to manage card risk dynamically
• Require infrastructure change
• Improve transaction security
• Potentially reduce PCI risk
• Work in concert with P2PE and tokens

Doesn't:
• Reduce CNP fraud
• Eliminate liability
• Eliminate acquirer fraud monitoring
• Work without change
• Eliminate security requirements
• Eliminate the PCI mandate
• Eliminate the need for P2PE and tokens
CONTACTS
www.scilemvacademy.com
www.scil.us
Mansour A. Karimzadeh, Managing Director & CTO, SCIL-EMV Academy
516-338-8880 aaron@scil.us
Susan Matt, CEO, ThoughtKey
678-522-2466 susan@thoughtkeyinc.com