P2PE, EMV and Tokenization - The Holy Trinity of Payment Security

Post on 15-Apr-2017


P2PE, EMV & TOKENIZATION

www.GoRSPA.org/Education

The ‘Holy Trinity’ of Payment Security

Jeremy Gumbley, Creditcall CTO

@jeremy_gumbley linkedin.com/in/jgumbley

jeremy.gumbley@creditcall.com @jeremy_gumbley www.creditcall.com/emv-migration

EMV is Coming to the U.S.

Long time for EMV to arrive

Contactless is already here

U.S. EMV cards do exist

Chip Cards by Numbers

575 million EMV cards to be issued by the end of 2015

59% of retail locations will be EMV-compliant by the end of 2015

78,800 EMV chip-activated merchant locations

70% of U.S. credit cards will be issued as EMV cards by the end of 2015


Chip Cards by Numbers

86% of financial institutions plan on issuing EMV debit cards by 2015

$3.50 Average cost for issuing a new EMV card

$500 Average cost of an EMV-compliant POS terminal

Sources: Javelin Research & Strategy, Aite Group, 2014 PULSE Debit Issuer Survey

jeremy.gumbley@creditcall.com @jeremy_gumbley www.creditcall.com/emv-migration

Why is EMV Required?

Liability shift

Global approach to security

Fraud reduction


P2PE vs. PCI P2PE

P2PE implementation manual for merchant to follow
PCI P2PE (Certified): Mandatory - Merchants must follow PIM to get PCI P2PE protection
P2PE (Non-Certified): Not defined

Secure supply chain
PCI P2PE (Certified): Mandatory - Merchants must use scheme defined by solution provider
P2PE (Non-Certified): Not defined

PCI DSS De-scoping
PCI P2PE (Certified): Yes - If merchant is only using PCI P2PE certified solution to take card payments; Merchants can complete a PCI DSS SAQ designed for P2PE
P2PE (Non-Certified): No - It remains each processor’s decision as to whether the solution offers any de-scoping of PCI DSS

PINpad key injection cost
PCI P2PE (Certified): Yes
P2PE (Non-Certified): Yes

PINpad encryption licence cost
PCI P2PE (Certified): Yes
P2PE (Non-Certified): Yes

Solution provider costs to provide encryption
PCI P2PE (Certified): Yes
P2PE (Non-Certified): Yes

Certification costs
PCI P2PE (Certified): Solution provider has to cover costs of P2PE assessment. Merchant should have lower PCI DSS costs if only using certified solution
P2PE (Non-Certified): Merchant has all the cost of PCI DSS

P2PE Can Protect Against

Loss of cardholder data

Brand & reputation damage

Loss of revenue

Payment brand penalties

PCI fines


EMV

Dynamic: Application Cryptogram changes with each transaction

Static: Card data always the same


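Tokenization

Complexity
Proprietary Gateway: Simple
Scheme Network Generated: Hard

Re-usable for other payments
Proprietary Gateway: Yes
Scheme Network Generated: Possibly. Depends on Token

Online/Offline
Proprietary Gateway: Online
Scheme Network Generated: Offline capable

Real-time 3rd party dependency (i.e. token service provider)
Proprietary Gateway: No
Scheme Network Generated: Yes

Works with existing magstripe cards
Proprietary Gateway: Yes
Scheme Network Generated: No

Cost
Proprietary Gateway: None
Scheme Network Generated: TBC

Cross gateway compatible
Proprietary Gateway: No
Scheme Network Generated: Potentially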


Tip of the Iceberg

Getting a PINpad

1 P2PE

2 Tokenization

3 Processor Interfaces and EMV Messages

4 Card Brand Certifications

5 Terminal Management Systems


If you have any questions, please contact:

Jeremy Gumbley, CTO

Creditcall Corp

1133 Broadway, Suite 706, New York, 10010

800 868 1832

jeremy.gumbley@creditcall.com

www.creditcall.com/emv-migration

@jeremy_gumbley

@Creditcall
