deployment guide - emv cards, dual interface cards ... · initial conversation with your card...

DEPLOYMENT GUIDE

It’s time for a new chapter in payment history

Commerce dates back to prehistoric times. So does the concept of payment. At first, people would barter with what goods they had, and, until recently, we have trusted coins and paper as the main carrier of monetary value.

The first charge cards, with embossing only, were issued in 1959. Then, in the 1970s, came the first cards with magnetic-stripes to store card data. In the U.S., many of us are still using both cash, checks and magnetic-stripe cards, but we stand on the threshold to a more secure and more convenient payment paradigm.

As the world leader in digital security, Gemalto has already contributed to the successful implementation of a new digital payment technology in financial institutions through-out the world. Now we would like to share some of our expertise with you.

On the following pages is your step-by-step guide to implementing EMV payment solutions. This is a workbook, designed to help you ask the right questions, make the right choices and allocate the resources and time needed to succeed.

I wish you a pleasant read and great success.

Bertrand Knopf, Senior Vice President, Secure Transactions Gemalto in North America, 2014

0610162024283238

What is EMV?

Why EMV and why now?

What’s in it for you?

Find the right people for the job

The journey to EMV

Contact, contactless or mobile?

Get your customers on board

FAQ

TABLE OF CONTENTS

9

EMV stands for Europay, MasterCard, and Visa. It’s a set of global security standards for smart card payments and acceptance terminals. Instead of a magnetic stripe, EMV cards are equipped with a smart chip to hold the data that is required to process a transaction.

What is EMV?

What does it do?EMV brings increased security and global interoperability to card and mobile payments, even in card-not-present payments, if coupled with a card reader or one-time password. The chip on an EMV card is capable of much more sophisticated authentication than magnetic-stripe cards. Essentially, there is a fully operating computer system embedded in every EMV card. The chip is tamper-proof, making the card nearly impossible to clone.

“...there is a fully operating computer system embedded in every EMV card.”

What is EMV?1

11

“The chip is tamper-proof, making the card nearly impossible to clone.”

What is EMV?

How is it used?EMV can be implemented on credit, debit or prepaid cards. Instead of swiping the card along its magnetic ribbon, the card-holder dips, taps or waves the card chip into/against the POS terminal. Sometimes a pin code or signature is required for authentication. Regardless of what type of EMV you’re using, the payment terminal will prompt you for a signature or PIN code if one is needed.

Contact cardThe card is inserted into the terminal and stays there while the customer types a PIN or writes his/her signature.

Contactless (dual-interface) cardThe card is tapped against the POS terminal, or simply waved in front of it.

Mobile paymentThe smartphone is tapped or waved at the POS terminal, just like a contactless card.

13

Because the magnetic-stripe is not secure enoughMagnetic stripe cards have proven susceptible to counterfeit fraud. In contrast, an EMV chip is extremely difficult to crack. And, stolen card data cannot be used to clone cards, making any stolen data much less valuable to fraudsters. In fact, EMV is the only available technology to prevent card payment fraud from happening in an efficient, systematic and globally interop-erable way.

Wherever EMV has been implemented, fraud has been signifi-cantly reduced. And while the rest of the world has migrated to the more secure EMV solution, fraud has increased in the U.S. – the last major market that still uses magnetic-stripe cards. The last adopters will have the highest rate of fraud.

Because the magnetic-stripe is becoming obsoleteMost of the world’s point-of-sale terminals already accept EMV cards. Over the last few years, millions of U.S. card-holders have experienced that as they travel abroad, their magnetic-stripe cards are often not even accepted anymore.

Although there may be alternatives to EMV, none of them has the global deployment and support base and the maturity of EMV. Adopting the same technology as the rest of the world will increase convenience for consumers as well as for businesses.

Today, EMV is the global standard for secure payments, and it has been deployed in more than 80 countries. However, many in the U.S. are just beginning to learn about it. Why do we need to replace the magnetic-stripe with a smart chip? And why is now the right time to do it?

Why EMV, and why now?

EMV implementation reduced debit card fraud losses in Canada by 79 %.

Source: Interac® 2014

$142 million

$29.5 million

2009 2013


2

14 15

Estimated Mobile EMV payments growth at American retail POS

– eMarketer

2013

1 billion $

2017

58 billion $

U.S. WILL REACH EMV UBIQUITY IN

2018Source: Javelin Strategy & Research 2014

16

”EMV technology has effectively decreased counterfeit card fraud across the globe” Source: Aite Group 2013

Because of the fraud liability shiftTraditionally, the card issuer has held the liability for counter-feit fraud losses. However, as a result of the fraud liability shift, any party that hasn’t implemented EMV may be liable for the fraud that results from a magnetic-stripe payment after October 2015. This shift is a simultaneous initiative from the major card brands – Visa, MasterCard, American Express and Discover – to accelerate EMV adoption in the U.S.

October 2015

October 2017

October 2016

Liability shift for most merchants

Liability shift for automated fuel dispensers

Liability shift for ATM owners, domestic cards

FRAUD LIABILITY SHIFT TIMELINE


Credit card fraud doubled in the U.S. from 2007 to 2014.

– Aite Group 2014

x2

19

As you have seen, most of the world has already made the move from magnetic-stripe to EMV chip. But migrating is not only a matter of following the majority. EMV is set to bring you some real business benefits.


Reduction in fraud lossesEMV is almost one hundred percent effective when it comes to preventing face-to-face (in-store) counterfeit card fraud. When France migrated to EMV in 2005, card fraud nearly disappeared.

Although EMV won’t prevent data breaches (when malware steals card data from retailers’ servers), it should have a posi-tive long-term effect. Since stolen EMV data can’t be used to make counterfeit cards, this data will be less valuable once EMV is widely implemented.

2004

m€

50

0

100

150

200

2005 2006 2007 2008 2009 2010 2011 2012 2013

(Figures in red show percentage change on previous year’s total.)

– Financial Fraud Action UK, Fraud The Facts 2014

Card fraud losses decreased by 72% at UK retailers (face-to-face transactions) 2004–2013.

+23%

-38%

-47% +1%+35%

-27% -6%-36% +26% +11%

219

136

72 73

98

72 67

43 55 61

What’s in it for you?3

20

55% of MasterCard contactless consumer

credit accounts are top of wallet

53% YOY average lift in spend on contactless credit accounts

Source: Mastercard

Increased card spendingThe tap-and-go convenience of a contactless EMV card is likely to make it your customers’ new favorite, leading to increased loyalty and spending on that card. (For an explanation of con-tactless EMV, see illustration on page 10)

Adding contactless capacity has even generated a significant increase in contact transactions made with those cards.

Also, since EMV is the global standard for payments, your new cards can be used everywhere. Today, with magnetic-stripe cards, your customers may not be able to make card payments when they’re travelling internationally. But with EMV, American cardholders will be able to make purchases abroad with reli-ability and convenience.

Cardholders who travel frequently often choose an EMV card as their top-of-wallet choice so they don’t have to worry about switching cards when traveling. As a consequence, EMV cards are used more often than their magnetic-stripe counterparts.

Strengthened customer relationshipsMigrating to EMV is an opportunity to show your customers that you take their security seriously. Do it as soon as possible to let them know that you are on your toes, implementing the technology needed to keep them and their money safe.


”Once the majority of merchant transactions at a retailer are EMV, there will be little value to be gained by data breach because the data would have little value to criminals.”

– Randy Vanderhoof, Smart Card Alliance

23

Let’s say you’re ready to migrate to EMV. The first thing you need to do is create a project team. Identify relevant competences and stakeholders within your organization, and involve them from the very beginning.


One leader to coordinate and motivateEvery team needs a leader. Identify an internal project leader with the ability to understand the task and motivate his or her colleagues. Above all, look for leadership skills. The different areas of expertise will be covered by your team and by your external consultants.

A cross-functional team An EMV implementation project is more than a procurement decision. And it’s more than a financial decision. The team should involve competences from several different departments in order to get everyone on board and provide the necessary range of expertise.

There should be people who can provide input on mobile and technical strategy, as well as on overall strategy for managing your card portfolios. Furthermore, the implementation of EMV in time for the fraud liability shift could lead to reduced chargeback losses, which means that legal aspects and risk assessment must be taken into account. Marketing and com-munication are also part of the process, to make sure that the changes are both adopted and understood.


4

24 25

Take advantage of external competenceNaturally, your processor will need to be involved at a fairly early stage. But other consulting services may be necessary as well. The payment card suppliers and consultants you work with must be specialized in EMV migration, with the necessary expertise and experience from similar implementations. That way, they’ll be able to guide you through key considerations along the way, and offer specialized EMV training to you and your staff.


EMV partners and consultants should be able to help you with…

> Strategy to help get your project off the ground with an optimal time to market.

> Specification, testing, certification and issuance of payment solutions.

> Setting up your personalization requirements correctly.

> Contact and contactless strategy definition, compliance evaluation and issuance process.

> Anticipating future market requirements, giving you the tools for optimal ROI.

> System design including EMV, contactless and mobile payment architecture.

> Providing dedicated studies to validate strategy.“The team should involve competences from several different departments.”

27

Time to get practical! It takes 6–12 months from the initial conversation with your card provider to the actual issuance of your first EMV card. Most of the steps below happen in parallel, so it is not a strictly chronological list. You may think of it as the anatomy of an EMV deployment.

Assess the impact of EMVWhat financial and marketing impact will EMV implementa-tion have on your organization? The answers will guide your strategy going forward.

Press the start buttonEarly on, contact your processor or account manager at your chosen card brand, and have them open an EMV project for you. If you issue cards from multiple brands (Visa, MasterCard, American Express, Discover), you’ll need to open a project with each brand.

Decide on a scheduleWhat portfolios should you transfer to EMV, and when? One possible strategy is to move all of your cards at once, but that might incur higher and unnecessary costs.

Instead, you could minimize costs by strategically changing over cards to EMV as they expire, coordinating the migration with the existing card lifecycles. Another strategy is to move entire portfolios at the same time, starting with high-value portfolios, high-risk portfolios, or frequent travelers.

The journey to EMV

The journey to EMV

28 29

Assess the impact of EMV Press the

start button

Decide on a schedule

Consider additional options

Issuance and cardholder education

Card personalization and card testing

The journey to EMV

Consider additional optionsDetermine how and when you’ll incorporate EMV into your Instant Issuance strategy. Also, many card issuers take this re-issuance opportunity to update the card body or artwork on their cards. Decide about these and prepare new artwork.

Card personalization and card testingAn experienced perso bureau or card provider will have experi-ence issuing EMV cards. They should be able to give guidance on the requirements set by each card brand and set up a specific timeline for your EMV migration.

Your perso bureau will walk you through the necessary deliver-ables, which typically include updated artwork (if you decide to update), connecting with your processor, formatting the input file that contains your cardholders’ data, and choosing the right EMV profile specification.

Issuance and cardholder educationCreate a cardholder education plan and begin internal train-ing of customer-facing employees who will be educating your cardholders, answering customer service calls, etc.

31


EMV supports both contact and contactless (dual-inter-face) transactions, including mobile contactless payment. Should you implement all of them at once or take it one step at a time? First, let’s take a closer look at the options.

Contact EMVContact EMV is the basic level, enough to meet the require-ments of the Fraud Liability Shift. It offers the added security of the EMV chip, making it impossible to create counterfeit cards. Contact cards can be used in all EMV capable POS payment terminals.

However, limiting yourself to contact EMV means setting a new deadline. The global market is moving towards contactless and mobile, so cards without dual-interface will probably feel outdated in the near future.

6


32

Contact EMVBasic necessity

Security

Contactless EMVSecurity and convenience

Future-proof Top of wallet = extra revenues

Mobile EMVIncreased security and convenience

Future-proof Merge online/offline

Contactless EMV This is the level to go for if you want a technology that’s not only convenient and secure, but also future-proof. A contactless card can also be used as a contact card. Then, as more and more merchants activate dual-interface capability in their terminals, your cardholders will be able to use the contactless dual-interface for all their POS payments. Almost all terminals sold today have contactless capability.The slightly higher cost is well compensated by the added pos-sibilities. First, the tap-and-go convenience of dual-interface EMV will make your card top of wallet, which has proven to increase the number of transactions. Second, dual-interface EMV cards can be used for new payment solutions, e.g. in public transportation, replacing cash and raising card volume for issuers.

Mobile EMVWith mobile EMV the customer’s account credentials are loaded directly onto an NFC-enabled cellphone or wearable device. This is just as secure as contactless EMV, but with superior convenience and added opportunities, such as integration of mobile coupons and loyalty programs.

Consumers are quick to adopt contactless EMV as it becomes available, and mobile EMV is the natural next step. A POS ter-minal that accepts contactless cards also accepts NFC mobile payments with cellphones and wearable devices.


EMV penetration of checkout systems will increase from 14% in 2014 to 87% by 2017.

– Aite Group 2013

”Almost 70 million smart wearable devices will be sold in 2017, including smart glasses, enterprise gadgets and health and fitness devices.”

– Juniper Research 2013

34 35

“CONTACTLESS PAYMENTS INCREASED BY 70% DURING THE FIRST YEAR THAT COLES RELEASED ITS CONTACTLESS CARDS.”

– Source: Coles Supermarkets (Australia’s largest supermarket franchise)

37

Build expectationsYour cardholders need to know well ahead of time that some-thing is about to change, for the better. They are familiar with the current magnetic-stripe cards and feel comfortable with them. So, how do you help them understand why you are about to fix something that doesn’t appear to be broken? How can you help them appreciate the coming improvements?

You will need to explain the importance of migrating from magnetic-stripe to EMV. Educate them on what EMV is and how to use it. Try to make them understand that it is a necessary improvement – one that will make their lives both more conve-nient and more secure.

Just like marriages or friendships, customer relation-ships need communication. Especially when there are significant changes in the relationship. How you communicate the EMV migration to your customers will be crucial to helping them understand and appreciate the change.

“...it is a necessary improvement – one that will make their lives both more convenient and more secure.”


7Get your customers on board

38 39


“... customer relationships need communication. “


1. Build expectations.

2. Provide information.

3. Offer support.

4. Listen to your customers

Provide informationWhen the actual cards are distributed, whether through tradi-tional or instant issuance, they will be part of your communica-tion. Considering how seldom some customers actually visit the local branches, the EMV card could very well be a custom-er’s primary physical interaction with your bank.

Along with the card, provide clear information on how to use it – at the ATM, in store, in restaurants and online. Enclose educational material in the package and set up an interactive instruction manual on your website. If questions arise in spite of the provided information, your customer support should be prepared to take over.

Offer supportQuite often, a significant product change will cause the number of support calls to increase. How about now? Will everyone just go to the store and try their EMV card, or will they call your support department? Make sure your help desk is sufficiently staffed, and provide them with the training they need to edu-cate your customers and solve problems that might arise. Every contact is yet another opportunity to show your customers that the EMV migration is for their benefit, and that you are looking out for them.

Listen to your customersYour customers are potential resources for improving your offer. That is, if you listen and act accordingly. You might learn that customers prefer banks who let them choose their own PIN codes. Or that customers prefer to receive their PIN code via SMS rather than by mail.

Establish procedures for storing customer response through customer support. Conduct surveys to get a thorough evalua-tion of the solution itself and of the rollout.

i

As we’ve been working with EMV implementation for several years, we’ve noticed that certain questions appear again and again. These brief answers should be helpful to you as you consider how to get started with your migration to EMV.

1. What is the set-up time for EMV? You can expect about 6–12 months. However, the exact set-up time will be predicated by the card brand and by the processor that you’re using.

2. What are the changes to the merchant chargeback rights with EMV? After the fraud liability shift takes effect, issuers will continue to be liable for fraud unless the merchant has not upgraded the terminal to support chip transactions. According to the card brands, merchants who process transactions using magnetic-stripe, although the card has an EMV chip, will be liable for any counterfeit fraud associated with that transaction.

3. Is there equipment available for merchants to process EMV now?Yes. EMV capable point-of-sale (POS) terminals have been on the market for some time now, and virtually all new payment terminals sold today are EMV and NFC enabled.

4. What should banks do now to get ready for EMV?First, talk to your processor and/or card provider about their EMV service roadmap and level of preparedness. Review your payment brand’s EMV profile recommendations, and consider different options regarding what portfolios to convert first, and whether to start out with contact or go straight to dual-interface.

FAQs about EMV

41

8

FAQs about EMV

9. Can’t the card still be skimmed as long as the magnetic-stripe is still there?While the information on the magnetic-stripe can be stolen, it can’t be loaded onto an EMV chip card. Therefore, it can’t be re-used with a counterfeit card at an EMV terminal. As EMV be-comes the standard, merchants will no longer accept magnet-ic-stripe cards. This is when fraud will drop dramatically.

10. Can we set up a card so that it always requires a PIN for extra security?Card issuers can choose between PIN or signature CVM, but it also depends on what your processor can support, so you’ll need to discuss it with them during the set-up process.

11. What is personalization and why do we need it?Personalization includes putting the cardholder’s name and the card’s expiration date etc. on the card. Without personalization, the card (whether magnetic stripe or EMV) can’t be used. How-ever, EMV personalization is more complex, since it includes loading cryptography onto the chip.

12. Can EMV protect you during online shopping? What about CNP fraud?The EMV standard can be applied to the online shopping experience. However, to guarantee security, the card must be coupled with a card reader, which means the card must require a security PIN.

FAQs about EMV

43

5. Is October 2015 the drop-dead deadline for both Visa and MasterCard?Yes and no. The fraud liability shift does happen in October 2015, for Visa, Mastercard, American Express and Discover. You can migrate to EMV after October 2015, but until you do, you will be more susceptible to fraud, since most merchants will have upgraded their POS terminals, and most top issuers will already have issued EMV cards.

6. What is the cost difference for contact EMV and contactless EMV?The cost for contactless is only slightly higher, although it offers the opportunity to capture a larger share of cash trans-actions, while meeting cardholder requirements for better convenience and security,

7. Does EMV support instant issuance?Yes. Once your printer is EMV ready, and once you’ve gone through an EMV conversion with your processor, you may issue EMV cards at your branch offices or during instant customer acquisition events.

8. How can dual-interface work by only a tap? Doesn’t the chip need to stay engaged? The actual communication between chip and card reader hap-pens very quickly. In addition to the chip, a contactless card has an NFC antenna that communicates wirelessly with the pay-ment terminal when the card is tapped against it.

FAQs about EMV

42

44 45

NotesNotes

46 47

NotesNotes

48 49

NotesNotes

50

Notes

Gemalto has contributed to EMV deployments since the dawn of the technology in nearly each of the 80+ countries that have implemented EMV. From early pilots to large-scale rollouts, we have provided more EMV cards and contactless payment projects than any other provider.

Gemalto is the world leader in digital security, operating out of 74 offices and 14 Research & Development centers in 43 countries, including six production facilities in North America and regional headquarters in Austin, TX. Gemalto is at the heart of our evolving digital society. Billions of people worldwide increasingly want the freedom to communicate, travel, shop, bank, entertain and work – anytime, anywhere – in ways that are convenient, enjoyable and secure. Gemalto delivers on their expanding needs for personal mobile services, identity protection, payment security, authenticated online services, cloud computing access, modern ticketing systems, M2M communication, eHealthcare and

eGovernment services. www.gemalto.com/emv

GEMALTO.COM/EMV

© G

emalto 2015. All rights reserved. G

emalto, the G

emalto logo, are tradem

arks and service marks of G

emalto and are registered in certain countries. N

ovember 2014 B

W

deployment guide - emv cards, dual interface cards ... · initial conversation with your card...

Documents