OpenEdge Research & Development Group April 2015

Transcription

1 2015: Development, Merchant Readiness & the Coming Liability Shift OpenEdge Research & Development Group April 2015 openedgepay.com

2 2015: Development, Merchant Table of Contents Executive Summary... The Payments Industry Landscape... 4 Some Background on... 5 Why Now?... 6 The Liability Shift for Transactions... 7 Adoption Challenge... 8 EdgeShield & Edge How Can Benefit Software Developers?...1 What Now?...1 Non 2

3 2015: Development, Merchant Executive Summary, the New Security Standard 2015 is the year the U.S will migrate to the security standard. The technology is based on a microprocessor (or smart chip ) that is virtually impossible to duplicate and will change the credit card purchasing experience. The payments industry is instituting a liability shift in which the party in the payments chain not enabling will be considered responsible if fraud occurs. A More Complicated Integration Software developers offering credit card payments in their applications face a far more complicated integration than was necessary with magnetic stripe technology. certifications are expensive and cumbersome. EdgeShield and Edge The OpenEdge answer to a simplified integration is the EdgeShield security bundle including Edge. Developer benefits include: A pre-certified offering including device management and card brand certifications Supports mobile payments using NFC technology (e.g. Apple Pay) Future proofing: easy addition of hardware devices in the future Encryption, protecting data in transit Tokenization, protecting data at rest in the POS PA-DSS.0 Out-of-Scope and PCI DSS scope minimization Developer Breach Reimbursement Guarantee PCI.0 Out-of- Scope PCI ASSURE Edge Point to Point Encryption Token Vault Breach Reimbursement Guarantee for Developers

4 2015: Development, Merchant The Payments Industry Landscape Card Data Breaches The frequency and impact of card data breaches are increasing. A series of recent high profile breaches at major retailers has provided a decisive impetus for the payments industry to institute the long-planned transition to is the year the U.S. payments industry will migrate to the new standard. Payment Card Fraud The theft of payment card data is a lucrative criminal trade. The magnetic stripe technology on credit and debit cards is notoriously easy to access and counterfeit. Well-organized, sophisticated global criminal networks sell and use the stolen card data, often in other countries, before payment industry participants can act. While U.S. consumers are largely protected against direct financial losses, stolen cards or payment credentials affect everyone through the payment chain: issuing banks, payment processors, and the businesses selling goods and services. Estimated Breaches, Estimated customer records compromised, million Average Cost per Stolen Record $277 Lost Business Accounts for 56% of Data Breach Costs Records compromised since billion+ Source: OpenEdge and PCI SSC Mobile Technologies In addition to traditional credit and debit plastic cards, the public uses smart phones for purchasing goods, paying bills and mobile banking. Consumers and businesses using new cloud and mobile technologies require secure, intuitive, seamless payments. This presents new opportunities and challenges as businesses prepare to take payments using near field communications (NFC), mobile and cloud technologies while protecting against fraud. 4

5 2015: Development, Merchant Some Background on Counterfeit, Lost and Stolen Cards. a microprocessor or smart chip is a fraud-reducing technology that protects against losses from the use of counterfeit cards. It also combats lost and stolen card fraud when using a PIN as a cardholder verification method. cards generate a new code for every transaction, making the card virtually impossible to counterfeit and re-use. When criminals steal card data, they can manufacture new cards with a magnetic stripe, but not with a chip or the unique transaction code. Counterfeit card use will be curtailed with the implementation of devices at merchant purchase locations. Standard The payments industry answer to counterfeit card fraud is the standard. It is nearly impossible to duplicate a chip card. The microprocessor (smart chip) is embedded in cards, interacting with hardware devices and payment networks to ensure the card is authentic. This standard was deployed decades ago and has been widely adopted in Europe and Asia. Major card networks such as Visa, MasterCard, Discover, American Express, JCB and Union Pay maintain the standard though an organization known as Co. My Bank Card Front of Card Back of Card For Customer Service, call Magnetic Stripe Chip Authorized Signature - NOT VALID UNLESS SIGNED Signature VALID THRU My Bank Card Trust This card is the property of My Bank Card. By signing, xnzcb vnbh vygbs vyrgvyu vsdgvh. Vhsdfgvbuy hcywet hwegvh. Vnfjvh mnwetrf, vsdnvbsuh, vbshdvbhj vye vryw y8 fyg hcvbhvbh vhus. Fhsnac yasdcg bgd ye vb. CCA First Bank less Chip & PIN **** Chip & Signature Chip + PIN and Chip + Signature. Chip Only Magnetic Stripe The chip stores data and supports multiple levels of authentication and communication between the card, card reader and payment networks, ensuring the card is legitimate. This technology comes in two flavors, mimicking how U.S. consumers use debit and credit cards today, easing the transition to the standard. CHIP + PIN Chip + PIN requires the cardholder to enter a password to confirm cardholder identity, and presents a strong defense against lost and stolen card fraud. This authentication method is most common with debit cards in the U.S. Contactless Chip & PIN Chip Only Magnetic Stripe CHIP + SIGNATURE **** Chip + Signature requires the cardholder to sign for the transaction at the point-of-purchase. It s frequently used for credit cards. 5

6 2015: Development, Merchant Transactions and the New User Experience Magstripe technology consists of only two back-and-forth communications. Yet, in an transaction, there are now 12 back-and-forth communications between the hardware, POS application, and card networks. The communications deal with card data authentication, cardholder verification, risk management and authorization. The multiple communications result in a new consumer experience and more complicated payment integration. Rather than swiping cards, consumers will insert them into a card reader (many are calling this action dipping ). The user only removes the card after the device indicated the transaction is complete and prompts the consumer. Merchants will need to watch for consumers forgetting cards after the transactions. Drop in Card-Present Fraud Countries adopting the standard have seen a significant drop in card-present fraud. United Kingdom 69% France 5% Canada 0% Australia 15% Source: Federal Reserve Bank Atlanta April 201 Processor Host Compliance Why Now? More High-Profile Breaches With in place in other countries, worldwide counterfeit fraud has shifted, targeting the less secure magnetic stripe standard in the United States. A recent rash of card breaches among large retailers added a sense of urgency for the industry to implement the more secure technology. Card data stolen elsewhere are used for purchases at U.S. merchants because of the lack of chip card safeguards. As becomes common, thieves will concentrate on merchants who do not adopt the new standard. Liability Switch Deadline To motivate a nationwide transition to, card networks will institute a liability switch in October Liability in the payment chain for counterfeit cards will fall on the party with the least degree of security. October 2015 Liability shift begins for Visa, MasterCard, American Express and Discover (Automated Fuel Dispensers are excluded) October 2017 Liability shift begins for Automated Fuel Dispensers Apple Pay and Mobile Payments Payments functionality in smart phones is expanding rapidly. Apple Pay, launched in 2014, uses Near Field Communication technology at NFC-enabled terminals to facilitate payments through mobile phones. Apple Pay NFC purchases carry the lower rates associated with card present purchases and provide fast, convenient transactions. 6

7 2015: Development, Merchant The Liability Shift for Transactions The Liability Shift: Some Facts The key argument the industry uses for persuading businesses to adopt is a liability shift. But what does that mean? Liability for what? To whom is liability shifted, and under what conditions? The short answer: can prevent card-present counterfeit fraud, so merchants processing cards using -enabled card readers and using proper procedures are not liable for losses if counterfeit cards are used. Today, counterfeit card fraud losses are absorbed by issuing banks. Starting October 1st, 2015 D-Day for the liability shift the liability for counterfeit fraud can switch to merchants not adopting. In 2014, transactions using counterfeit cards represented 7% of all US credit card fraud. will eliminate this situation. It is relatively easy to manufacture magnetic stripe cards using card data stolen during breaches, but extremely difficult and impractical to clone the cards with a chip. U.S. Card Fraud by Type, 2014 Other Lost/stolen 4% 14% Counterfeit 7% 45% Source: Aite Group, : Lessons Learned and the U.S. Outlook, June Online (card not present) How Does a Merchant Avoid the Liability from Counterfeit Card Transactions? 1. Acquire -enabled card reader(s) and POS software. The transition will require upgrading software and buying new card readers. 2. Use to complete the transaction. It s not enough to have an payment system. It must be properly used. The transaction has to use the payment flow, in which the customer dips the card and conducts and transaction. When a customer tries to swipe the card, devices will recognize when the card has a chip and prompt the user to dip instead of swipe.. Enable Apple Pay in place of cards. The Rules Following the October deadline set by major U.S. credit card networks (Visa, MasterCard, American Express, Discover), card-present fraud liability will shift to whoever is the least -compliant party in a counterfeit transaction. The key rule is that the party in the transaction chain that prevented the use of (card issuer, merchant or ISO/processor) is responsible should a counterfeit card be used. It will cover both domestic and cross-border (cards issued in other countries) counterfeit transactions. The policy assigns liability for counterfeit fraud to the party that has not made the investment in chip cards (issuers) or terminals (merchants acquirers). The policy encourages wider deployment of cards and terminals. MasterCard supports a liability shift for lost, stolen and never received/issued cards to the party not supporting PIN as a cardholder verification method. If neither party supports PIN, only the counterfeit liability shift rules apply. Apple Pay: Also Shielding Merchants from Counterfeit Fraud Apple Pay is a secure payment system similar to, but uses an ios device (iphone, ipad or Apple Watch) instead of a chip card. The ios device does not store actual card data, but a card token, and generates a unique code for each transaction. The algorithm for the code generation is in a special chip the secure element in the ios device. The token s unique device account number is 16 digits long and handled as if it were a regular credit card number. The secure element takes the role of the chip, generating the one-time use code for each transaction. Apple Pay face-to-face (in store) transactions are considered card present. Merchants require an NFC-enabled terminal (common for card readers). Customers iphones, ipads, and Apple Watches communicate with the NFC terminal to complete the transaction. Note that the card provisioned for Apple Pay does not need to be a chip card. 7

8 estudy 2015: Development, Merchant Card Provisioning and Account Fraud Consumers enable Apple Pay on their mobile devices using their Apple itunes account or by entering card data directly into the device (either by scanning a card with the ios device s camera or keying the card data). The device then sends the data to the card-issuing bank, which verifies user identity and card validity by , text or phone. Once the card and consumer identity are confirmed, the device receives a token that Apple Pay uses for purchases. Because Apple Pay is so secure, the only fraud perpetrated so far has been account fraud using stolen card data to provision Apple Pay, in which a thief impersonates the cardholder when adding a card to his iphone or ipad, or creates a fraudulent itunes account. It is up to the issuing bank to verify authenticity, thus shifting liability back to the issuer. Adoption Challenge Chicken or the Egg? Businesses are not motivated to upgrade their equipment to, as most of their customers do not have chip cards. Issuing banks were not willing to incur the expense of issuing more expensive chip cards because their customers had nowhere to use them. That paradox is evaporating. Visa forecasts that by the end of 2015 over 70% of credit cards and 40% of debit cards in the U.S. will have the chip, and 50% of the merchants will have card readers. and magnetic stripe technology will co-exist for some time; the card readers will accept both payment types. By the end of Complexity The transition to presents a major undertaking for software developers, merchants and 70% 40% processors. Card brands have mandated that payment processors to process of credit must beofable debit transactions, yet processing remains voluntarycards for merchants and payment software cards developers. While software providers are not liable for fraud that is preventable by, not supporting will clearly be a competitive disadvantage for these businesses. To avoid liability, merchants will have to replace their terminals with devices capable of processing transactions,...in the U.S. will have an chip. and obtain -enabled software. & 50% of merchants... By the end of processor x 4 card brands x devices 70% = 12 certifications 40% of credit of debit cards cards &...in the U.S. will have an chip. 50% of merchants... ds x devices = 12 certifications 50% will have card readers. 50% 8 will have card readers.

9 2015: Development, Merchant By the e Certification Challenge Card networks require certification for every instance of the payment process every combination of a payment processor, card network and card reader. For example, software supporting payments through one payment processor, four card brands (Visa, MasterCard, Discover and American Express) and three devices will require twelve certifications. When transaction processes change (POS software updates, new hardware, updated kernels), the software developer must perform certifications again. Clearly, this is too complicated for most developers. In response, some processors are launching simpler, cheaper ways to enable transactions. The approach uses a payment application that isolates the developer s software from payment data, so the POS is not subject to certifications....in 1 processor x 4 card brands x devices = 12 certifications wi 9

10 estudy 2015: Development, Merchant EdgeShield & Edge PCI.0 Out-ofScope Our solution Edge is part of the EdgeShield security bundle. EdgeShield is a set of complementary solutions combining processing, point-to-point (P2P) encryption and tokenization. The goal is to simplify payments integration for software developers and provide a secure payment solution. Edge is an advanced security Edge technology that prevents counterfeit fraud. It includes a pre-certified payment application handling payment data and payment flow, including device driving, so the POS software does not have to (recall that chip card processing is much more complicated than magnetic stripe processing). PCI ASSURE Point to Point Encryption Token Vault Breach Reimbursement Guarantee for Developers : In Scope vs. Out of Scope POS Developer in Scope VISA MASTERCARD DISCOVER AMERICAN EXPRESS DEBIT DEVICE POS REGULAR GATEWAY PROCESSOR POS Developer out of Scope POS PRE-CERTIFIED PAYMENT APPLICATION Only Encryption + Tokenization + Encryption + Tokenization DEVICE PROCESSOR VISA MASTERCARD DISCOVER AMERICAN EXPRESS DEBIT Prevents Counterfeit Fraud Protects Data in Transit Protects Data at Rest

11 2015: Development, Merchant EdgeShield Benefits The benefits for a software developer using EdgeShield include: No certification needed No device driving needed Supports mobile payments using NFC technology (e.g. Apple Pay) Future proofing: easy addition of hardware devices in the future Encryption, protecting data in transit Tokenization, protecting data at rest in the POS PA-DSS.0 Out-of-Scope and PCI DSS scope minimization Developer Breach Reimbursement Guarantee Note that the standard only deals with card and (with PIN) cardholder authentication. It does not address the security of the payment data itself, which could be transmitted in clear text. To protect card data, EdgeShield adds P2P encryption and tokenization. The payment application ensures that card data encrypted at the source is securely delivered to the OpenEdge processing platform so it cannot be stolen and misused by hackers. Vulnerable Systems Some processors may have solutions in which data is not encrypted at the entry point and, therefore, remains vulnerable until encryption occurs within the software. Or, in some gateway software supporting multiple processors, data may be decrypted and re-encrypted in the payment software before reaching the secure environment of a payment processor. 11

12 $20.15 $20.15 estudy 2015: Development, Merchant EdgeShield Architecture There are two ways to implement an pre-certified payment application: Install it on a PC Install it on a card reader software differentiation through payment innovation Payment App on PC vs on Card Reader Controller Residing on a PC Controller Residing on an Device Device + Payment App Device Mobile PAY HERE POS + Payment App PAY HERE POS PAY HERE Non- Devices Kiosk/ Unattended SCALABLE Supports multiple points of interaction Supports multiple devices NOT SCALABLE Does NOT support multiple points of interaction Does NOT support multiple devices The application, when placed on high-end card readers (typically Linux-based), only supports insertion/swipe of the card. If a business needs to support a variety of devices, card insertion/swipe and keyed entry (typically by clerk), having the application on a PC is recommended. It is easier to add future devices when the application is not specific to the device or manufacturer. For these reasons, OpenEdge supports applications installed on the PC. Features EdgeShield Application on Device Supports high-end devices Yes Yes Supports cheap low-end devices Yes No One integration supports both card present (dip or swipe) and keyed transactions Yes No Future proofing: new devices can be easily and quickly added Yes No Developer Support An integral part of the EdgeShield solution is a dedicated support for software developers to provide best practices for integration and security by providing hands-on help with integrating and verifying the payments integration. 12

13 2015: Development, Merchant EdgeShield Summary OpenEdge s EdgeShield simplifies the transition for developers and merchants while reducing developers effort and liability. That results in significant savings in time, effort, and cost initially and for the long term as updates to the POS software or payment devices occur. OpenEdge provides a pre-certified offering for developers, manages device driving and certifications, so developers can implement swiftly with minimal effort. It also takes developers out of PA-DSS scope and minimizes the PCI DSS scope using secure technologies. We are so confident about our security technology that we offer a Developer Breach Reimbursement Guarantee for those integrating EdgeShield payment technology. How Can Benefit Software Developers? Significant Business Opportunity For software developers, migration is a challenge that can be turned into a major business opportunity. They can position themselves as being the most up-to-date, forward-thinking software providers in their fields. New payments functionality may be marketed to new customers, re-invigorating current and past relationships, selling more software upgrades, and improving market competitiveness. What Now? The liability shift starts in October 2015, so start planning your strategy now. Developers should: Contact OpenEdge to get the integration of payment functionality on their roadmaps Communicate plans to customers and prospects Get ready to adopt this new, secure payments technology with minimal disruption About OpenEdge OpenEdge helps software developers and businesses succeed by delivering secure and personalized payment solutions. As the integrated payments division of Global Payments, OpenEdge is driving innovation adapting, scaling and simplifying how payments are processed, across platforms and points-of-interaction, in an increasingly complex landscape. OpenEdge serves more than 2,000 technology partners across 60 industry verticals throughout the United States and Canada OpenEdge, a division of Global Payments, operates through the following entities: OECSA-SD TN Accelerated Payment Technologies is a registered ISO and MSP of HSBC Bank, National Association, Buffalo, NY, a registered ISO and MSP of Wells Fargo Bank, N.A., Walnut Creek, CA, and a registered ISO/MSP of Synovus Bank, Columbus, GA. Accelerated Payment Technologies, A Division of Global Payments. All rights reserved. Payment Processing, Inc. is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA; HSBC Bank USA, National Association, Buffalo, NY; and National Bank of Canada, Montreal, QC. PayPros is a registered trademark of Payment Processing.