P2PE, EMV and Tokenization - The Holy Trinity of Payment Security
Post on 15-Apr-2017
P2PE, EMV & TOKENIZATION
www.GoRSPA.org/Education
The ‘Holy Trinity’ of Payment Security
Jeremy Gumbley, Creditcall CTO
@jeremy_gumbley linkedin.com/in/jgumbley
jeremy.gumbley@creditcall.com @jeremy_gumbley www.creditcall.com/emv-migration
EMV is Coming to the U.S.
Long time for EMV to arrive
Contactless is already here
U.S. EMV cards do exist
Chip Cards by Numbers
575 million EMV cards to be issued by the end of 2015
59% of retail locations will be EMV-compliant by the end of 2015
78,800 EMV chip-activated merchant locations
70% of U.S. credit cards will be issued as EMV cards by the end of 2015
Chip Cards by Numbers
86% of financial institutions plan on issuing EMV debit cards by 2015
$3.50 Average cost for issuing a new EMV card
$500 Average cost of an EMV-compliant POS terminal
Sources: Javelin Research & Strategy, Aite Group, 2014 PULSE Debit Issuer Survey
Why is EMV Required?
Liability shift
Global approach to security
Fraud reduction
Liability Shift Put Simply
Weapons Against Card Fraud
EMV
Tokenization
P2PE vs. PCI P2PE

P2PE implementation manual for merchant to follow
  PCI P2PE (Certified): Mandatory - Merchants must follow PIM to get PCI P2PE protection
  P2PE (Non-Certified): Not defined

Secure supply chain
  PCI P2PE (Certified): Mandatory - Merchants must use scheme defined by solution provider
  P2PE (Non-Certified): Not defined

PCI DSS De-scoping
  PCI P2PE (Certified): Yes - If merchant is only using PCI P2PE certified solution to take card payments; Merchants can complete a PCI DSS SAQ designed for P2PE
  P2PE (Non-Certified): No - It remains each processor’s decision as to whether the solution offers any de-scoping of PCI DSS

PINpad key injection cost
  PCI P2PE (Certified): Yes
  P2PE (Non-Certified): Yes

PINpad encryption licence cost
  PCI P2PE (Certified): Yes
  P2PE (Non-Certified): Yes

Solution provider costs to provide encryption
  PCI P2PE (Certified): Yes
  P2PE (Non-Certified): Yes

Certification costs
  PCI P2PE (Certified): Solution provider has to cover costs of P2PE assessment. Merchant should have lower PCI DSS costs if only using certified solution
  P2PE (Non-Certified): Merchant has all the cost of PCI DSS
Without P2PE
With P2PE
P2PE Can Protect Against
Loss of cardholder data
Brand & reputation damage
Loss of revenue
Payment brand penalties
PCI fines
EMV
Dynamic: Application Cryptogram changes with each transaction
Static: Card data always the same
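Tokenization

Complexity
  Proprietary Gateway: Simple
  Scheme Network Generated: Hard

Re-usable for other payments
  Proprietary Gateway: Yes
  Scheme Network Generated: Possibly. Depends on Token

Online/Offline
  Proprietary Gateway: Online
  Scheme Network Generated: Offline capable

Real-time 3rd party dependency (i.e. token service provider)
  Proprietary Gateway: No
  Scheme Network Generated: Yes

Works with existing magstripe cards
  Proprietary Gateway: Yes
  Scheme Network Generated: No

Cost
  Proprietary Gateway: None
  Scheme Network Generated: TBC

Cross gateway compatible
  Proprietary Gateway: No
  Scheme Network Generated: Potentially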
Tip of the Iceberg
Getting a PINpad
1 P2PE
2 Tokenization
3 Processor Interfaces and EMV Messages
4 Card Brand Certifications
5 Terminal Management Systems
If you have any questions, please contact:
Jeremy Gumbley, CTO
Creditcall Corp
1133 Broadway, Suite 706, New York, 10010
800 868 1832
jeremy.gumbley@creditcall.com
www.creditcall.com/emv-migration
@jeremy_gumbley
@Creditcall