Prevention Is Better Than Cure EMV and PCI

Size: px
Start display at page:

Download "Prevention Is Better Than Cure EMV and PCI"

Transcription

1 Prevention Is Better Than Cure EMV and PCI

2 Prevention Is Better Than Cure An independent view on the effectiveness of EMV and PCI in case of large-scale card compromise. Over the past couple of months, millions of consumers in the United States fell victim to a so-called payment card data breach. A payment card data breach is the situation where fraudsters are able to gain access on a large scale - to the information stored on debit or credit cards with the aim to sell this information on the black market or to directly perform fraudulent transactions. Exactly how and when consumers become victim of a payment card data breach depends on how attackers plot their attack. If a particular merchant chain is compromised, all consumers that used their payment card at these retail locations are at risk. Worse still, if a payment processing company is compromised then the transactions at thousands of individual retail locations from a variety of chains can be at risk. A payment card breach usually goes unnoticed to consumers until the moment foreign transactions start to appear on the card statement. The 'realistic worst-case scenario' Even though the way in which data breaches are plotted and executed may differ from case to case, the nature of the (card) data that fraudsters are able to exfiltrate is often the same: Fraudsters are able to obtain full Track II data of every card that was swiped at the compromised PoS device Fraudsters were able to record encrypted PIN data for every card transaction that was PIN-based, however fraudsters are however not able to break the encryption and subsequently get access to actual PIN numbers 1 What the fraudsters can and cannot do with the stolen data Fraudsters can use the stolen card data to create a counterfeit copy of the original card. However whether this card can be successfully used in fraudulent transaction, depends on the kind of card that was compromised as well as the usage environment where the fraudulent card is used: Type of card compromised, and Usage environment where fraudster will subsequently attempt to commit fraud This yields the following matrix: page 2 1. In theory fraudsters can get access to actual PIN numbers by breaking DUKPT-based Triple DES cryptography, by installing spy cams, or by attacking and breaking into PIN pad devices. However based on UL s professional expertise, none of these attacks is viable enough for a large-scale, nationwide compromise of consumer s PIN numbers.

3 The use of EMV technology in ATMs, PoS devices, and cards makes transactions less susceptible to fraud through skimming and digital pickpocketing. Until the moment where all ATMs, PoS devices and cards have been made EMV compliant, the industry is still at risk. The extent of this risk is shown here, where a payment card (as shown horizontally) falls victim to digital pickpocketing at a non-emv compliant PoS device. Depending on the usage environment of the stolen card data (vertically), there may be a certain degree of risk involved. Scenario 1: swipe and PIN transaction was compromised. Fraud is attempted at Magstripe PoS device This will be the most likely form of fraud resulting from large-scale PoS compromise. A fraudster is able to create a copy of the compromised card and to use in Card Present situations using his own signature. Issuer will have no way of telling page 3

4 the difference between a transaction with the genuine card or with the cloned card. Issuer will be liable for fraud, however may seek to shift liability to the merchant that was the source of the card data compromise. Acquirers can take additional measures to limit exposure to this kind of fraud. For instance, PoS software can be modified to require merchants to enter the last four digits of the embossed PAN prior to authorization as this makes it more difficult for a fraudster to create a cloned card using compromised card data, although it is relatively easy nowadays for fraudsters to obtain embossing equipment. Another fraud mitigation method is to ask customers for photo-id to check against the name on the supplied card, but of course, this can slow down the transaction time and therefore a is a direct cost to the business. Scenario 2: swipe and PIN transaction was compromised. Fraud is attempted at Magstripe PoS device In this scenario, the ability for the fraudster to commit fraud depends on the card type and issuer rules. As the PIN has not been compromised, the fraudster must use signature based, or no CVM, transactions. Some issuers do allow their debit cards to be authorized using signature, or to be authorized without PIN or signature (no CVM, for low ticket transactions). In those circumstances, the transaction is at risk. 2 Scenario 3: transaction with EMV card was compromised. Fraud is attempted at Magstripe PoS device In this scenario, whether or not a fraudster can commit fraud is determined by the issuer of the card. The issuer will be able to detect, based on the POS Entry mode data element in Field 55, that the card is used in a Magstripe-only terminal. Since this was originally an EMV card, this transaction may fall under the EMV liability shift regime (depending on region). The issuer may choose to decline the transaction, in which case no fraudulent transaction takes place. If the issuer chooses to approve the transaction, fraud occurs and local liability shift rules determine whether issuer or acquirer is liable for fraud. Scenario 4: swipe and signature transaction was compromised. Fraud is attempted at EMV compliant PoS device This case follows the same rationale as Scenario 2. The fraudulent card can be successfully used, even though the PoS device is EMV compliant. Scenario 5: swipe and PIN transaction was compromised. Fraud is attempted at EMV compliant PoS device In this case, the same rationale as Scenario 1 applies, under the assumption that the EMV compliant PoS device is still capable of reading magstripe. Depending on the allowed CVM s on a debit or credit card, transactions with a fraudulent card can potentially be authorized. 3 Scenario 6: transaction with EMV card was compromised. Fraud is attempted at EMV-compliant PoS terminal Whether or not a fraudster is able to successfully commit fraud depends on regional fallback rules. To the EMV PoS device, the fraudulent card will look like an EMV card of which the chip is damaged (service code on Magstripe Track II indicates the presence of a chip. However the PoS device is not able to read a chip, hence the transaction may qualify for fallback under appropriate fallback rules). If fallback is not allowed, the fraudster will not be able to complete the transaction. If fallback is allowed, the transaction will be authorized by the issuer given there is sufficient funds available on the account. If fallback is going to be allowed in North America during the initial stages of EMV migration, scenario 6 should be colored orange (potentially at risk). Scenarios 7, 8, and 9 (ATM usage) The fraudster will not be able to successfully use the cloned card at an ATM as this requires a correct PIN number to be entered. In theory, a fraudster has three PIN attempts per compromised card. Because of the impractical nature of such attempted ATM fraud, it is fair to assume that large-scale card compromise is not going to cause an increase in fraudulent cash withdrawals. page 4 2. Issuers may have legacy fraud controls implemented, such as the time and geo-location at which two subsequent transactions with the same card number take place. 3. In mature EMV markets, support for magstripe acceptance is sometimes no longer allowed. In North America there will be a transition period in which acceptance devices will support magstripe as well as EMV technologies.

5 Scenarios 10, 11, and 12 (Internet Card Not Present usage) In theory, the data that is stolen from cards by compromising a PoS device cannot be used for Card Not Present internet purchases.this is because a compromised PoS device only gives access to Magstripe Track II data, which does not contain the so-called security code (referred to as CVV2 or CVC2 data) printed on the signature panel of the card. However reality shows that under certain circumstances, a fraudster will be able to successfully commit fraud with the data gathered through large-scale PoS compromise: In some cases, the web merchant that accepts card payments does not require entry of a Security Code in order to complete a transaction. A fraudster will be able to successfully use compromised card data for purchases. Since the merchant does not provided all the data that it is supposed to (CVC2), liability is with the merchant in this case. which gives a fraudster a chance of around 0.3% per card for a successful CNP transaction. In case the data of millions of payment cards is stolen, fraudsters have a large statistical chance of committing fraud in CNP environments. In this case, the issuer is liable for transaction fraud however will seek means to shift liability to the merchant where the large-scale PoS compromise took place. Could EMV have prevented this large-scale compromise? EMV is a digital transaction protocol and as such is not a measure that prevents fraudsters from gaining access to PoS devices and installing malicious software. The EMV transaction protocol however introduces a cryptographically secured means of determining authenticity of debit and credit cards. PoS device and / or card issuer will always be able to detect attempted card cloning. The EMV transaction protocol takes place between an EMV-compliant card (debit or credit) and an EMV-compliant PoS device or ATM. For reasons of backwards compatibility, non-emv compliant cards can be used on EMV-compliant acceptance infrastructure. For a similar reason, EMV-compliant cards can be used on Magstripe-only acceptance devices. Therefore the following points are worth noting: Merchants that have EMV-enabled their PoS acceptance infrastructure can still be a source of card data compromise in case a fraudster manages to gain access to PoS software code. EMV compliance provides protection against EMV liability shift however EMV compliance does not provide protection against card compromise liability. Merchants that have EMV-enabled their PoS acceptance infrastructure can still unknowingly acquire card fraud. See scenario s 4, 5, and 6. As long as this merchant was not the source of large-scale card compromise, this merchant will not be held liable for this acquired fraud. Some issuers do not validate the value of the CVC2 data. Also here, fraudster will be able to successfully use compromised card data for CNP purchases. In this case, the issuer will have no means to shift liability to another party. Also a statistical attack vector exists in case of large-scale PoS compromise. The CVC2 code is a three digit numerical value, giving it 1,000 possible values. Most issuers allow for three subsequent CVC2 validation attempts before fraud is suspected and authorization is declined, page 5

6 What is the role of PCI here? PPCI DSS controls have been designed to prevent and/or detect a large-scale compromise To commit any such fraud, the criminals need a point of ingress to allow for the wide-scale delivery of a compromise, a known vulnerability in the system to allow for the compromise, and a point of egress for the exfiltration of the collected data. These points are directly addressed by the PCI DSS requirements, and although compliance is not an absolute guarantee of prevention of such a compromise, it would not be unexpected to find that any such compromise has resulted from a lack of rigor around one or more of the PCI DSS controls. In case fraudsters manage to collect card data directly from the PoS device, it can be expected that use of encryption of all cardholder data at the POI the PIN Entry Devices themselves, prior to the data being passed into the PC based POS systems would have largely mitigated this form of compromise. Therefore, compliance to the PCI P2PE requirements or even just correct use of SRED approved POI devices, to remove all cardholder data from the POS environment is likely the largest single step that any retailer can take to protect their customers card data. Conclusion As presented in this memo, an acquiring infrastructure that is compliant with applicable and up-to-date PCI standards (PCI DSS, PA-DSS, PTS etc.) should provide sufficient end to end protection against card account compromise. In a similar fashion, EMV compliance will ensure that the card account information that flows through such acquiring infrastructure is genuine and can be authenticated. The combination of PCI and EMV compliance provides a robust framework against card fraud in the card present as well as card not present domain. In case the US had already migrated to EMV, the consequences of large-scale card compromise such as the ones recently reported would have been less severe (see scenario 6). For now, the US payments industry is implementing remedial actions to avoid fraud resulting from data breaches. UL foresees (a combination of) the following remedial actions: Want to know more? UL's EMV, PCI and security experts are happy to assist. Reissuance of those cards that may have been subject to fraud, plus blacklisting of compromised card ranges (issuer action) Tightened spending controls for those cards that may have been subject to fraud (issuer action) Disabling Card Not Present authorizations for those cards that may have been compromised (issuer action) Requiring CVC2 entry for Point Of Sale purchases (has impact on the issuing as well as acquiring side) Requiring the merchant to enter the last four digits of the PAN during a PoS transaction (acquirer action) Requiring the merchant to verify the (part of the) PAN which is printed on the receipt with the PAN embossed engraved on the card. Please visit our website for locations and contact details or info@ul-ts.com. page 6

PREVENTING PAYMENT CARD DATA BREACHES

PREVENTING PAYMENT CARD DATA BREACHES NEW SCIENCE TRANSACTION SECURITY ARTICLE PREVENTING PAYMENT CARD DATA BREACHES DECEMBER 2014 UL.COM/NEWSCIENCE NEW SCIENCE TRANSACTION SECURITY OVERVIEW From research on the latest electronic transaction

More information

EMV's Role in reducing Payment Risks: a Multi-Layered Approach

EMV's Role in reducing Payment Risks: a Multi-Layered Approach EMV's Role in reducing Payment Risks: a Multi-Layered Approach April 24, 2013 Agenda EMV Rationale Why is this worth the effort? Guides how we implement it EMV Vulnerability at the POS EMV Impact on CNP

More information

PCI PA-DSS Requirements. For hardware vendors

PCI PA-DSS Requirements. For hardware vendors PCI PA-DSS Requirements For hardware vendors PCI security services UL's streamlined PCI PA-DSS certification services get your product to market faster. UL is world leader in advancing safety. Through

More information

Payments Transformation - EMV comes to the US

Payments Transformation - EMV comes to the US Accenture Payment Services Payments Transformation - EMV comes to the US In 1993 Visa, MasterCard and Europay (EMV) came together and formed EMVCo 1 to tackle the global challenge of combatting fraudulent

More information

How To Comply With The New Credit Card Chip And Pin Card Standards

How To Comply With The New Credit Card Chip And Pin Card Standards My main responsibility as a Regional Account Manager for IMD is obtain the absolute lowest possible merchant fees for you as a business. Why? The more customers we can save money, the more volume of business

More information

EMV Frequently Asked Questions for Merchants May, 2014

EMV Frequently Asked Questions for Merchants May, 2014 EMV Frequently Asked Questions for Merchants May, 2014 Copyright 2014 Vantiv All rights reserved. Disclaimer The information in this document is offered on an as is basis, without warranty of any kind,

More information

What Merchants Need to Know About EMV

What Merchants Need to Know About EMV Effective November 1, 2014 1. What is EMV? EMV is the global standard for card present payment processing technology and it s coming to the U.S. EMV uses an embedded chip in the card that holds all the

More information

EMV : Frequently Asked Questions for Merchants

EMV : Frequently Asked Questions for Merchants EMV : Frequently Asked Questions for Merchants The information in this document is offered on an as is basis, without warranty of any kind, either expressed, implied or statutory, including but not limited

More information

PCI and EMV Compliance Checkup

PCI and EMV Compliance Checkup PCI and EMV Compliance Checkup ATM Security Jim Pettitt Director, ATM Security Diebold Incorporated Agenda ATM threats today Top of mind risk PCI Impact on Security U.S. EMV Migration Conclusions / recommendations

More information

Mitigating Fraud Risk Through Card Data Verification

Mitigating Fraud Risk Through Card Data Verification Risk Management Best Practices 11 September 2014 Mitigating Fraud Risk Through Card Data Verification AP, Canada, CEMEA, LAC, U.S. Issuers, Processors With a number of cardholder payment options (e.g.,

More information

EMV and Restaurants: What you need to know. Mike English. October 2014. Executive Director, Product Development Heartland Payment Systems

EMV and Restaurants: What you need to know. Mike English. October 2014. Executive Director, Product Development Heartland Payment Systems October 2014 EMV and Restaurants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service marks

More information

A Brand New Checkout Experience

A Brand New Checkout Experience A Brand New Checkout Experience EMV Transformation EMV technology is transforming the U.S. payment industry, bringing a whole new experience to the checkout counter. Introduction What is EMV? It s 3 small

More information

A Brand New Checkout Experience

A Brand New Checkout Experience A Brand New Checkout Experience EMV Transformation EMV technology is transforming the U.S. payment industry, bringing a whole new experience to the checkout counter. Introduction What is EMV? It s 3 small

More information

Payment Card Industry (PCI) Data Security Standard. PCI DSS Applicability in an EMV Environment A Guidance Document Version 1

Payment Card Industry (PCI) Data Security Standard. PCI DSS Applicability in an EMV Environment A Guidance Document Version 1 Payment Card Industry (PCI) Data Security Standard PCI DSS Applicability in an EMV Environment A Guidance Document Version 1 Release date: 5 October 2010 Table of Contents 1 Executive Summary... 3 1.1

More information

EMV and Small Merchants:

EMV and Small Merchants: September 2014 EMV and Small Merchants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service

More information

What is EMV? What is different?

What is EMV? What is different? U.S. consumers are receiving new debit and credit cards with embedded chip technology that better stores and protects cardholder information. These new chip cards are part of the new card standard, Europay,

More information

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper 2014. Executive Director, Product Development

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper 2014. Executive Director, Product Development A Heartland Payment Systems White Paper 2014 Heartland Secure. By: Michael English Executive Director, Product Development 2014 Heartland Payment Systems. All trademarks, service marks and trade names

More information

The need for a secure & trusted payment instrument in e-commerce. Ali AlMeshal

The need for a secure & trusted payment instrument in e-commerce. Ali AlMeshal The need for a secure & trusted payment instrument in e-commerce Ali AlMeshal In Physical/Real World Hand over card Visual check Swipe in POS Online authorization Receipt with signature panel Sign or Pin

More information

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc. Payment Methods The cost of doing business Michelle Powell - BASYS Processing, Inc. You ve got to spend money, to make money Major Industry Topics Industry Process Flow PCI DSS Compliance Risks of Non-Compliance

More information

EMV EMV TABLE OF CONTENTS

EMV EMV TABLE OF CONTENTS 2 TABLE OF CONTENTS Intro... 2 Are You Ready?... 3 What Is?... 4 Why?... 5 What Does Mean To Your Business?... 6 Checklist... 8 3 U.S. Merchants 60% are expected to convert to -enabled devices by 2015.

More information

Credit Card Processing Overview

Credit Card Processing Overview CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new

More information

Visa global Compromised Account

Visa global Compromised Account Visa global Compromised Account RECOVERY PROGRAM WHAT EVERY MERCHANT SHOULD KNOW ABOUT GCAR WHAT EVERY MERCHANT SHOULD KNOW ABOUT GCAR WHAT The Visa Global Compromised Account Recovery (GCAR) program offers

More information

CardControl. Credit Card Processing 101. Overview. Contents

CardControl. Credit Card Processing 101. Overview. Contents CardControl Credit Card Processing 101 Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new and old

More information

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon UMACHA Navigating Payments 2014 October 8, 2014 Who We Are Claudia

More information

EMV and Restaurants What you need to know! November 19, 2014

EMV and Restaurants What you need to know! November 19, 2014 EMV and Restaurants What you need to know! Mike English Executive Director of Product Development Kristi Kuehn Sr. Director, Compliance November 9, 204 Agenda EMV overview Timelines Chip Card Liability

More information

Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance

Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance Allegiance Merchant Services is committed to assisting you in navigating through the various considerations that you may face

More information

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP WHERE IS THE U.S. PAYMENT CARD INDUSTRY NOW? WHERE IS IT GOING? Today, payment and identification cards of all types (credit

More information

welcome to liber8:payment

welcome to liber8:payment liber8:payment welcome to liber8:payment Our self-service kiosks free up staff time and improve the overall patron experience. liber8:payment further enhances these benefits by providing the convenience

More information

PAYMENT SECURITY. Best Practices

PAYMENT SECURITY. Best Practices PAYMENT SECURITY Best Practices At VeriFone, the protection of cardholder information is a top priority. To ensure merchants have secure payment solutions for their customers, and to help protect merchants

More information

Figure 1: Attacker home-made terminal can read some data from your payment card in your pocket

Figure 1: Attacker home-made terminal can read some data from your payment card in your pocket A Touchy Subject There are increasingly frequent claims that contactless smart payment cards are insecure because they can be read while in your wallet or pocket. Can this really be true? And if so, is

More information

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means EMV and Chip Cards Key Information On What This Is, How It Works and What It Means Document Purpose This document is intended to provide information about the concepts behind and the processes involved

More information

DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE

DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE December 2015 English_General This presentation was prepared exclusively for the benefit and internal use of the J.P. Morgan client or potential client to

More information

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance Payment Security White Paper Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance Breaches happen across all industries as thieves look for vulnerabilities.

More information

How to Prepare. Point of sale requirements are changing. Get ready now.

How to Prepare. Point of sale requirements are changing. Get ready now. How to Prepare for EMV Point of sale requirements are changing. Get ready now. The EMV mandate is fast approaching. Now is the time to plan a strategy to prepare for this change. 2 EMV: The Backstory 3

More information

How To Spot & Prevent Fraudulent Credit Card Activity

How To Spot & Prevent Fraudulent Credit Card Activity Datalink Bankcard Services How To Spot & Prevent Fraudulent Credit Card Activity White Paper 2013 According to statistics from the U.S. Department of Justice and the Consumer Sentinel Network, credit card

More information

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change Advancements in technological capabilities, along with increasing levels of counterfeit fraud, led the

More information

EMV ADOPTION AND ITS IMPACT ON FRAUD MANAGEMENT WORLDWIDE

EMV ADOPTION AND ITS IMPACT ON FRAUD MANAGEMENT WORLDWIDE EMV ADOPTION AND ITS IMPACT ON FRAUD MANAGEMENT WORLDWIDE A Mercator Advisory Group Research Brief Sponsored by FICO January 2014 Table of Contents Introduction...3 The EMV Standard and What It Does...3

More information

Target Security Breach

Target Security Breach Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected

More information

Identifying Security. Payment System. Federal Reserve Bank. Ellen Richey Chief Enterprise Risk Officer Visa Inc. Visa Public

Identifying Security. Payment System. Federal Reserve Bank. Ellen Richey Chief Enterprise Risk Officer Visa Inc. Visa Public Identifying Security Issues in the Retail Payment System Federal Reserve Bank Chicago Ellen Richey Chief Enterprise Risk Officer Visa Inc. June 5, 2008 Agenda 1. The Data Security Landscape 2. Recent Trends

More information

Acceptance to Minimize Fraud

Acceptance to Minimize Fraud Best Practices for Credit Card Acceptance to Minimize Fraud By implementing best practices in credit card processing, you decrease the likelihood of fraudulent transactions and chargebacks. In general,

More information

EMV in Hotels Observations and Considerations

EMV in Hotels Observations and Considerations EMV in Hotels Observations and Considerations Just in: EMV in the Mail Customer Education: Credit Card companies have already started customer training for the new smart cards. 1 Questions to be Answered

More information

Card Acceptance Best Practices Playing it Safe at the Point of Sale

Card Acceptance Best Practices Playing it Safe at the Point of Sale White Paper Card Acceptance Best Practices Playing it Safe at the Point of Sale Fraudulent activity costs U.S. businesses billions. And that is just lost revenue. When you consider the associated damage

More information

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011 Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011 On 5 th March 2010, The Association of Banks in Singapore announced key measures to adopt a holistic

More information

Visa Recommended Practices for EMV Chip Implementation in the U.S.

Visa Recommended Practices for EMV Chip Implementation in the U.S. CHIP ADVISORY #20, UPDATED JULY 11, 2012 Visa Recommended Practices for EMV Chip Implementation in the U.S. Summary As issuers, acquirers, merchants, processors and vendors plan and begin programs to adopt

More information

Data Security Basics for Small Merchants

Data Security Basics for Small Merchants Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided

More information

PCI Security Standards Council

PCI Security Standards Council PCI Security Standards Council Bob Russo, General Manager 2013 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI Council Open, global forum Founded 2006 Guiding open standards for

More information

We believe First Data is well positioned to take advantage of all of these trends given the breadth of our solutions and our global operating

We believe First Data is well positioned to take advantage of all of these trends given the breadth of our solutions and our global operating Given recent payment data breaches, clients are increasingly demanding robust security and fraud solutions; and Financial institutions continue to outsource and leverage technology providers given their

More information

FAQ on EMV Chip Debit Card and Online Usage

FAQ on EMV Chip Debit Card and Online Usage FAQ on EMV Chip Debit Card and Online Usage Security enhancement on HSBC India Debit Card A Secure Debit Card HSBC India Debit Cards are more secure and enabled with the Chip and PIN technology? You can

More information

A Guide to EMV. Version 1.0 May 2011. Copyright 2011 EMVCo, LLC. All rights reserved.

A Guide to EMV. Version 1.0 May 2011. Copyright 2011 EMVCo, LLC. All rights reserved. A Guide to EMV Version 1.0 May 2011 Objective Provide an overview of the EMV specifications and processes What is EMV? Why EMV? Position EMV in the context of the wider payments industry Define the role

More information

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015 PCI compliance: v3.1 Key Considerations Corbin Del Carlo Director, National Leader PCI Services October 5, 2015 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice

More information

NEWS BULLETIN 2015-16

NEWS BULLETIN 2015-16 NEWS BULLETIN Maine Automobile Dealers Association 180 Civic Center Drive P. O. Box 2667 Augusta, Maine 04338-2667 DIAL 623-3882 e-mail:info@maineautodealers.com FAX 623-2318 DISTRIBUTION General Manager

More information

An Oracle White Paper July 2010 U.S. CARD FRAUD

An Oracle White Paper July 2010 U.S. CARD FRAUD An Oracle White Paper July 2010 U.S. CARD FRAUD Contents Card fraud can be placed into six categories:... 3 2 Card fraud costs the U.S. card payments industry an estimated US$8.6 billion per year. Although

More information

EMV FAQs for developers

EMV FAQs for developers EMV FAQs for developers You accept the Information presented herein as is, without any representation as to its accuracy or completeness. What are the three levels of EMV certification? There are three

More information

Preparing for EMV chip card acceptance

Preparing for EMV chip card acceptance Preparing for EMV chip card acceptance Ben Brown Vice President, Regional Sales Manager, Wells Fargo Merchant Services Lily Page Vice President, Wholesale ereceivables, Wells Fargo Merchant Services June

More information

How to Help Prevent Fraud

How to Help Prevent Fraud TD Canada Trust How to Help Prevent Fraud Merchant Services tips to help protect your business Fraud Awareness All credit cards issued in Canada are designed with special security features to help deter

More information

Introductions 1 min 4

Introductions 1 min 4 1 2 1 Minute 3 Introductions 1 min 4 5 2 Minutes Briefly Introduce the topics for discussion. We will have time for Q and A following the webinar. 6 Randy - EMV History / Chip Cards /Terminals 5 Minutes

More information

Flexible and secure. acceo tender retail. payment solution. tender-retail.acceo.com

Flexible and secure. acceo tender retail. payment solution. tender-retail.acceo.com Flexible and secure payment solution acceo tender retail payment solution tender-retail.acceo.com Take control of your payment transactions ACCEO Tender Retail is a specialized middleware that handles

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009 AIS Webinar Payment Application Security Hap Huynh Business Leader Visa Inc. 1 April 2009 1 Agenda Security Environment Payment Application Security Overview Questions and Comments Payment Application

More information

Effectively Managing Data Breaches

Effectively Managing Data Breaches Effectively Managing Data Breaches May 27, 2015 Stoddard Lambertson Cyber Intelligence and Investigations Justina Jow Cyber Intelligence and Investigations Disclaimer The information or recommendations

More information

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed

More information

OpenEdge Research & Development Group April 2015

OpenEdge Research & Development Group April 2015 2015: Development, Merchant Readiness & the Coming Liability Shift OpenEdge Research & Development Group April 2015 developers@openedgepay.com openedgepay.com 2015: Development, Merchant Table of Contents

More information

Dates VISA MasterCard Discover American Express. support EMV. International ATM liability shift 2

Dates VISA MasterCard Discover American Express. support EMV. International ATM liability shift 2 Network Updates Summer 2013 We are committed to working closely with you on achieving your business goals. As a part of this commitment, we carefully monitor Network changes and summarize them for your

More information

UCSD Credit Card Processing Policy & Procedure

UCSD Credit Card Processing Policy & Procedure UCSD Credit Card Processing Policy & Procedure The Payment Process UCSD accepts Visa, MasterCard, American Express and Discover credit cards. We perform credit transactions only, no debit sales with cash

More information

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00 PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)

More information

OpenEdge Research & Development Group April 2015

OpenEdge Research & Development Group April 2015 2015: Security, Merchant Readiness & the Coming Liability Shift OpenEdge Research & Development Group April 2015 solutions@openedgepay.com openedgepay.com 2015: Security, Merchant Table of Contents The

More information

Your Single Source. for credit, debit and pre-paid services. Fraud Risk and Mitigation

Your Single Source. for credit, debit and pre-paid services. Fraud Risk and Mitigation Your Single Source for credit, debit and pre-paid services Fraud Risk and Mitigation Agenda Types of Fraud Fraud Identification Notifications Next Steps 11/8/2013 2 Types of Fraud Lost and Stolen Cards

More information

Langara College PCI Awareness Training

Langara College PCI Awareness Training Langara College PCI Awareness Training Have you heard of PCI? Due to the increase of credit card fraud and identity theft, major credit card companies like Visa, MasterCard and Amex have formed a security

More information

EMV and Encryption + Tokenization: A Layered Approach to Security

EMV and Encryption + Tokenization: A Layered Approach to Security EMV and Encryption + Tokenization: A Layered Approach to Security 2012 First Data Corporation. All trademarks, service marks and trade names referenced in this material are the property of their respective

More information

Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009

Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009 Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009 The guide describes how you can make sure your business does not store sensitive cardholder data Contents 1 Contents

More information

Payment Card Industry Data Security Standard PCI DSS

Payment Card Industry Data Security Standard PCI DSS Payment Card Industry Data Security Standard PCI DSS What is PCI DSS? Requirements developed by the five card brands: VISA, Mastercard, AMEX, JCB and Discover. Their aim was to put together a common set

More information

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance Emerging Technology Whitepaper Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance For Transmissions of Cardholder Data and Sensitive Authentication Data Program Guide Version

More information

A Guide to EMV Version 1.0 May 2011

A Guide to EMV Version 1.0 May 2011 Table of Contents TABLE OF CONTENTS... 2 LIST OF FIGURES... 4 1 INTRODUCTION... 5 1.1 Purpose... 5 1.2 References... 5 2 BACKGROUND... 6 2.1 What is EMV... 6 2.2 Why EMV... 7 3 THE HISTORY OF EMV... 8

More information

Testimony of Scott Talbott, Sr. V.P. for Government Relations, Electronic Transactions Association (ETA)

Testimony of Scott Talbott, Sr. V.P. for Government Relations, Electronic Transactions Association (ETA) Testimony of Scott Talbott, Sr. V.P. for Government Relations, Electronic Transactions Association (ETA) House Small Business Committee Hearing on the EMV Deadline and What It Means for Small Business

More information

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants Appendix 2 PCI DSS Payment Card Industry Data Security Standard Merchant compliance guidelines for level 4 merchants CONTENTS 1. What is PCI DSS? 2. Why become compliant? 3. What are the requirements?

More information

BWA Merchant Services. Credit Card Fraud Protection User Guide

BWA Merchant Services. Credit Card Fraud Protection User Guide 1 BWA Merchant Services Credit Card Fraud Protection User Guide 2 Contents: 1. How to reduce the risk of card present fraud... 3 2. How to reduce the risk of card not present fraud... 5 3. Delivering the

More information

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council Version 1.0 Date: Author: PCI Security Standards Council Executive Summary The time to migrate is now. For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used

More information

REGULATIONS FOR SALES PAID BY CARD SALES IN SHOP (Card Present) (May 2015)

REGULATIONS FOR SALES PAID BY CARD SALES IN SHOP (Card Present) (May 2015) REGULATIONS FOR SALES PAID BY CARD SALES IN SHOP (Card Present) (May 2015) These regulations, the "Shop Regulations", apply to sales paid by Card through the use of a Terminal. The Shop Regulations comprise

More information

PCI Security Standards Council

PCI Security Standards Council PCI Security Standards Council Jeremy King, European Director 2013 Why PCI Matters Applying PCI How You Can Participate Agenda 2 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI

More information

FAQ EMV. EMV Overview

FAQ EMV. EMV Overview FAQ EMV EMV Overview What are the benefits of EMV cards? A: Several factors are driving the U.S. card market to migrate to chip-based cards using the EMV specifications. EMV offers advantages for consumers,

More information

Chip and PIN is Broken a view to card payment infrastructure and security

Chip and PIN is Broken a view to card payment infrastructure and security Date of Acceptance Grade Instructor Chip and PIN is Broken a view to card payment infrastructure and security Petri Aaltonen Helsinki 16.3.2011 Seminar Report Security Testing UNIVERSITY OF HELSINKI Department

More information

Suzanne Lynch Professor of Practice Economic Crime Utica College sl6-15 1

Suzanne Lynch Professor of Practice Economic Crime Utica College sl6-15 1 Suzanne Lynch Professor of Practice Economic Crime Utica College sl6-15 1 The most significant trend is decreasing paper payments and increasing electronic payments. Many organizations are also seeing

More information

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page

More information

Implication of EMV Migration for the U.S. Transportation Industry. May 1, 2015. Implication of EMV Migration for the U.S. Transportation Industry

Implication of EMV Migration for the U.S. Transportation Industry. May 1, 2015. Implication of EMV Migration for the U.S. Transportation Industry Implication of EMV Migration for the U.S. Transportation Industry 1 Introduction Transportation payment methods are constantly evolving. When cash handling became too expensive and inconvenient, the metal

More information

Securing the Payments System. The facts about fraud prevention

Securing the Payments System. The facts about fraud prevention Securing the Payments System The facts about fraud prevention Contents Introduction 3 Visa s Security Programme 4 Fraud Types and Threats 6 Fraud Statistics and Research 7 Visa s Security Agenda for New

More information

PREPARING FOR THE MIGRATION TO EMV IN

PREPARING FOR THE MIGRATION TO EMV IN PREPARING FOR THE MIGRATION TO EMV IN THE U.S. A Mercator Advisory Group Research Brief Sponsored by Merchant Warehouse 2010 Mercator Advisory Group, Inc. 8 Clock Tower Place, Suite 420 Maynard, MA 01754

More information

Plotting a Course for EMV Compliance

Plotting a Course for EMV Compliance Plotting a Course for EMV Compliance Plotting a Course for EMV Compliance PCI compliance...emv compliance by now, you ve heard repeatedly that your store or restaurant must be EMV-compliant by the recently

More information

EMV FAQs. Contact us at: CS@VancoPayments.com. Visit us online: VancoPayments.com

EMV FAQs. Contact us at: CS@VancoPayments.com. Visit us online: VancoPayments.com EMV FAQs Contact us at: CS@VancoPayments.com Visit us online: VancoPayments.com What are the benefits of EMV cards to merchants and consumers? What is EMV? The acronym EMV stands for an organization formed

More information

How To Protect Your Restaurant From A Data Security Breach

How To Protect Your Restaurant From A Data Security Breach NAVIGATING THE PAYMENTS AND SECURITY LANDSCAPE Payment disruptions impacting restaurant owners today An NCR Hospitality white paper Almost every month we hear a news story about another data breach that

More information

Security Rules and Procedures Merchant Edition. 5 February 2015

Security Rules and Procedures Merchant Edition. 5 February 2015 Security Rules and Procedures Merchant Edition 5 February 2015 Notices Notices Proprietary Rights The information contained in this document is proprietary and confidential to MasterCard International

More information

PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014

PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014 PCI Data Security Standards Presented by Pat Bergamo for the NJTC February 6, 2014 Introduction 3/3/2014 2 Your Speaker Patrick Bergamo, CISSP Director of Information Security & Delivery Delta Corporate

More information

Fall Conference November 19 21, 2013 Merchant Card Processing Overview

Fall Conference November 19 21, 2013 Merchant Card Processing Overview Fall Conference November 19 21, 2013 Merchant Card Processing Overview Agenda Industry Definition Process Flows Processing Costs Chargeback's Payment Card Industry (PCI) Guidelines for Convenience Fees

More information

Franchise Data Compromise Trends and Cardholder. December, 2010

Franchise Data Compromise Trends and Cardholder. December, 2010 Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee

More information

Security Rules and Procedures Merchant Edition

Security Rules and Procedures Merchant Edition Security Rules and Procedures Merchant Edition 31 March 2016 SPME Contents Contents Chapter 1: Customer Obligations... 7 1.1 Compliance with the Standards...8 1.2 Conflict with Law...8 1.3 The Security

More information

A multi-layered approach to payment card security.

A multi-layered approach to payment card security. A multi-layered approach to payment card security. CARD-NOT-PRESENT 1 A recent research study revealed that Visa cards are the most widely used payment method at Canadian websites, on the phone, or through

More information

The Canadian Migration to EMV. Prepared By:

The Canadian Migration to EMV. Prepared By: The Canadian Migration to EMV Prepared By: December 1993 Everyone But The USA Is Migrating The international schemes decided Smart Cards are the way forward Europay, MasterCard & Visa International Produced

More information

Merchant Services. How to help protect your business

Merchant Services. How to help protect your business Please immediately report any suspicious activity involving credit card or debit card use to TD Merchant Services at 1-800-6-116 For more information, visit www.tdmerchantservices.com Merchant Services

More information

EMV: Background and Implications for Credit Unions

EMV: Background and Implications for Credit Unions 900 Elkridge Landing Road Suite 400 Linthicum, Maryland 21090 410-855-8500 FAX 410-855-8599 www.firstannapolis.com EMV: Background and Implications for Credit Unions November 2012 TABLE OF CONTENTS EXECUTIVE

More information

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on

More information