Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly
DAN KRAMER
SHAZAM, Senior Vice President
Agenda
- The Ugly: Fraud
- The Bad: EMV?
- The Good: Tokenization and Other Emerging Payment Options
The Ugly: Fraud
Alarming (but not Surprising) Stats
- Regional banks and credit unions were targeted by one-quarter of all phishing volume in December 2014
- Nearly 439 million records were stolen in the past 6 months (FBI)
- Nearly 519 million records were stolen in the past 12 months (FBI)
- About 110 million Americans, equivalent to about 50% of U.S. adults, have had their personal data exposed in some form in 2014
Alarming (but not Surprising) Stats
- About 80% of hacking victims in the business community didn't even realize they'd been hacked until they were told by government investigators, vendors or consumers (Verizon)
- About 35% of the thefts were from website breaches, 22% were from cyberespionage, 14% occurred at the point of sale when someone bought something at a retail store, and 9% came when someone swiped a credit or debit card (FBI)
Top Data Breaches in 2014 (Security Week)
- eBay: information of 145 million users
- JPMorgan: records of 76 million household customers and 7 million business customers
- The Home Depot: 56 million customer payment cards and 53 million customer email addresses
- Community Health Systems: information of 4.5 million patients
- Staples: 1.16 million payment cards
MasterCard Global Fraud Statistics 4Q 2014
[Chart: fraud losses in dollars, US vs. Worldwide, by category: Lost, Stolen, NRI, Fraud App, Counterfeit, Acct Takeover, CNP]
Visa Global Fraud Statistics 4Q 2014
[Chart: fraud losses in dollars, US vs. Worldwide, by category: Lost, Stolen, NRI, Fraud App, Counterfeit, Acct Takeover, CNP]
SHAZAM Fraud Trending 2014
[Chart: SHAZAM Network Fraud Rate Trending, PIN vs. Signature, by month, Jan to Dec]
Emerging Risks
- Compromises are no longer about the immediate theft and use of the data
- Thieves are installing malware, key loggers, and RATs, among other items, and letting them simmer for months before using them
- No single security approach or technology will eliminate the value of stealing account and card data as long as transactions can occur without authentication
New Challenges
- Mobile devices
- Cloud computing and personal usage exploding
- Alternative payment apps
The Bad: EMV?
EMV
What is EMV?
- EMV stands for Europay, MasterCard, and Visa
- Chip and PIN card
- The chip stores cardholder and application data more securely: protection against card reproduction fraud
- Contact or contactless
Chip Card
- Card: same size as mag stripe card
- Chip: embedded microprocessor (a small computer)
Contact vs. Contactless
- Contact
  o The card is inserted into the terminal
  o The terminal can communicate with the card via the metal face of the chip
- Contactless
  o The card is tapped against the contactless card reader
  o The contactless EMV interface is the same one used for smartphones equipped with NFC readers
Advantages of EMV
- Better security for card-present situations
- Card skimming is more difficult
- PIN with payment card reduces fraud
- EMV payment credentials are dynamic
Why EMV is Only Part of the Solution
- Most retailers are not EMV-enabled
- Chip cards still have magnetic stripes
- Data from magnetic stripe-read transactions can be used to create counterfeit cards
- EMV fraud savings realized when at least 80% of terminals have migrated to EMV
Why EMV is Only Part of the Solution
- Card number, expiration date and cardholder name sent in the clear from chip card to terminal
- Skimmer software can steal the data elements
- Data can be used for purchases on websites, over the phone or through the mail
Why EMV is Only Part of the Solution
Are issuers required/mandated to issue EMV cards?
- There is no mandate for issuers to issue EMV cards.
- The mag stripe will still be on cards for the foreseeable future.
- Until that time, the magnetic stripe is still subject to counterfeit fraud.
Why EMV is Only Part of the Solution
How much less fraud can I expect with EMV cards?
- In looking at fraud trends worldwide, upgrading to EMV causes fraud to migrate to other channels, but doesn't eliminate it.
Why EMV is Only Part of the Solution
- Counterfeit: 38%
- Lost: 8%
- Stolen: 8%
- Card Not Present: 41%
- Non Receipt of Card: 1%
- Fraud App: 2%
- Acct Takeover: 2%
Liability Shift
- The party that hasn't upgraded to chip technology will be liable for card-present fraud (counterfeit) that could've been prevented by the use of chip technology
Liability Shift
Liability condition: Counterfeit
Card                  Terminal                  Before Liability Shift  After Liability Shift
Mag stripe only card  Mag stripe only terminal  Issuer                  Issuer
Chip card             Mag stripe only terminal  Issuer                  Merchant
Mag stripe only card  Chip terminal             Issuer                  Issuer
Chip card             Chip terminal             Issuer                  Issuer
Industry Caution
- The payment ecosystem is made up of hundreds, if not thousands, of connections that enable authorizations to route through 18 competitive debit networks
- The ability to process EMV will not be supported by everyone at the same time
- Other countries have taken nearly ten years to fully deploy chip technology
- Solution must satisfy U.S. law
- Acquirer processor challenges
Industry Status
- Big box retailers accepting EMV credit
- Clarity just beginning to form on debit
- Acquirers in the industry still working on how to provide routing choice
- Rumblings of changes to EMV cards to support tokenization
- Significant rhetoric and positioning being done in the industry
The Good: Tokenization and Other Emerging Payment Options
Tokenization
Tokenization What is tokenization?
Tokenization
- Replacing sensitive data with unique identification symbols that retain all essential information without compromising its security
- Helps minimize the amount of data a business needs to keep on hand
- Enhances the security of card-present and card-not-present transactions and minimizes the cost and complexity of compliance
Tokenization Process
- Secure token vault with link between card and token numbers
- Card Data: 5678 9876 1234 0987
- Tokenized Number: 982340976126346
Why Tokenize?
- Protects real card data at point of capture in a transaction
- Addresses potential for fraud in card-not-present scenario within online/mobile channel
- Token used throughout the payment chain and real PAN known only to Token Service Provider (TSP), issuer and cardholder
Tokenization Scenarios
- Ecommerce merchant: merchant uses tokens instead of PANs in card-on-file database
- NFC and chip: tokenized account number in NFC or chip device
- Digital wallet / HCE: tokenized account number in the cloud
- QR and bar code: QR or bar code supplier puts a bar code in front of card on file
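Added example (not part of the original presentation): a minimal Python sketch of the token vault from the "Tokenization Process" slide and the card-on-file scenario above, using the card number shown on that slide. The names TokenVault, enroll_card_on_file and dump_contains_pan are hypothetical, and an in-memory dictionary stands in for the Token Service Provider's secured vault.

```python
import secrets

SAMPLE_PAN = "5678 9876 1234 0987"  # card number shown on the slide

def normalize_pan(pan):
    """Strip separators; reject anything that is not a 12-19 digit number."""
    digits = pan.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit()) or not 12 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return digits

class TokenVault:
    """Hypothetical in-memory stand-in for the TSP's secure token vault."""

    def __init__(self):
        self.pan_to_token = {}
        self.token_to_pan = {}

    def tokenize(self, pan):
        pan = normalize_pan(pan)
        if pan in self.pan_to_token:      # one card always maps to one token
            return self.pan_to_token[pan]
        while True:
            # Random digits: nothing about the PAN can be derived from the token.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self.token_to_pan:
                break
        self.pan_to_token[pan] = token
        self.token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        """Vault-side lookup; raises KeyError for a token it never issued."""
        return self.token_to_pan[token]

def enroll_card_on_file(vault, merchant_db, customer, pan):
    """The merchant's card-on-file table keeps the token, never the PAN."""
    merchant_db[customer] = vault.tokenize(pan)
    return merchant_db[customer]

def dump_contains_pan(merchant_db, pan):
    """True if a copy of the merchant table would reveal the real PAN."""
    return normalize_pan(pan) in merchant_db.values()

if __name__ == "__main__":
    vault, db = TokenVault(), {}
    token = enroll_card_on_file(vault, db, "customer-1", SAMPLE_PAN)
    print("merchant stores:", token)
    print("PAN in merchant table:", dump_contains_pan(db, SAMPLE_PAN))
    print("vault lookup:", vault.detokenize(token))
```

The only place the token can be turned back into the card number is the vault's lookup table, which is why the merchant's copy of the data is of little use to a thief.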
Tokenization Challenges
- Currently NO Industry Standards
- SHAZAM's working hard to highlight the need for a common standard in the industry
- DNA is pushing the topic of tokenization in the EMV Migration Forum
- The Merchant Advisory Group (MAG)
- Secure Remote Payment Council (SRPc)
- This battle is just forming!
Other Emerging Payment Options
Apple Pay Fundamentals
- Apple's version of a mobile wallet
- Uses near field communication (NFC) technology
- Wave your iPhone 6 model over a contactless reader with your finger on the Touch ID
- No need to open an app
- Requires an initial enrollment process using the Passbook app
- Uses tokenization for added payment security
Apple Pay Enrollment
Apple Pay Users
(Source: Copyright Phoenix Marketing International 2015)
Apple Pay Acceptance
(Source: Copyright Phoenix Marketing International 2015)
Apple Pay Future Potential
- Apple's brand loyalty and strong reputation will definitely add legitimacy to the mobile wallet
- As merchants upgrade equipment for EMV, they will likely include NFC compatibility, too
- Apple Pay's fingerprint ID and tokenization to address security
- Apple Pay reinforces support for NFC and EMV contactless in the marketplace
Samsung Pay
- Galaxy S6 and Galaxy S6 edge models only
- Conducts wireless payments without NFC
- Utilizes LoopPay, relying on a technology called Magnetic Secure Transmission
  o Broadcasts data magnetically
  o Allows users to pay at almost any mag stripe terminal
  o Sends payment by tapping your phone on side of terminal
Samsung Pay
- No additional tech required by vendor
- Users can store multiple cards in the app
  o Switch back and forth with a tap
- Because Samsung Pay will work just about anywhere mag stripe readers are used, Samsung Pay has a much wider reach than its rivals.
Google Wallet / Android Pay
- Google Wallet: P2P app for Android and iOS
- Android Pay: in-store and in-app payments
- Purchased Softcard
- Operating system controls 78.9 percent of market
  o Any Android phone from any wireless carrier
  o All versions of Android operating system back to KitKat
  o Better position to challenge Apple Pay
Google Wallet / Android Pay
- Cloud-based, unlike hardware-based Apple Pay
- Ability to make a contactless payment without opening app
- New features including fingerprint recognition for in-store and in-app payments
- Can also power third-party apps
MCX and CurrentC
- Merchant-owned mobile commerce network
- New CEO
- Will simplify and expedite the customer checkout process by applying qualifying:
  o Offers and coupons
  o Merchant rewards
  o Loyalty programs
  o Membership accounts
MCX and CurrentC
- Uses barcode system (digital QR codes) and cloud-based technologies, not NFC
  o This allows consumers to be able to use the smartphone they currently have
- No card data stored on phone; it remains in the cloud and generates a token to verify the consumer's identity
- Underwhelming soft launch last year
Thank you! QUESTIONS?