2015: Security, Merchant Readiness & the Coming Liability Shift
OpenEdge Research & Development Group
April 2015
solutions@openedgepay.com
openedgepay.com
Table of Contents
The Payments Industry Landscape
Some Background on
Why Now?
The Liability Shift for Transactions
Adoption Challenge
EdgeShield & Edge
The Payments Industry Landscape

Card Data Breaches

The frequency and impact of card data breaches are increasing. A series of recent high-profile breaches at major retailers has provided a decisive impetus for the payments industry to institute the long-planned transition to. 2015 is the year the U.S. payments industry will migrate to the new standard.

Payment Card Fraud

The theft of payment card data is a lucrative criminal trade. The magnetic stripe technology on credit and debit cards is notoriously easy to access and counterfeit. Well-organized, sophisticated global criminal networks sell and use the stolen card data, often in other countries, before payment industry participants can act. While U.S. consumers are largely protected against direct financial losses, stolen cards or payment credentials affect everyone in the payment chain: issuing banks, payment processors, and the businesses selling goods and services.

Estimated breaches, 2014: 950
Estimated customer records compromised, 2014: 750 million
Average cost per stolen record: $277
Lost business accounts for 56% of data breach costs
Records compromised since 2004: 1 billion+
Source: OpenEdge and PCI SSC

Mobile Technologies

In addition to traditional credit and debit plastic cards, the public uses smart phones for purchasing goods, paying bills and mobile banking. Consumers and businesses using new cloud and mobile technologies require secure, intuitive, seamless payments. This presents new opportunities and challenges as businesses prepare to take payments using near field communication (NFC), mobile and cloud technologies while protecting against fraud.
Some Background on

Counterfeit, Lost and Stolen Cards

A microprocessor or smart chip is a fraud-reducing technology that protects against losses from the use of counterfeit cards. It also combats lost and stolen card fraud when a PIN is used as the cardholder verification method. These cards generate a new code for every transaction, making the card virtually impossible to counterfeit and re-use. When criminals steal card data, they can manufacture new cards with a magnetic stripe, but not with a chip or the unique transaction code. Counterfeit card use will be curtailed with the implementation of devices at merchant purchase locations.

Standard

The payments industry's answer to counterfeit card fraud is the standard. It is nearly impossible to duplicate a chip card. The microprocessor (smart chip) is embedded in cards, interacting with hardware devices and payment networks to ensure the card is authentic. This standard was deployed decades ago and has been widely adopted in Europe and Asia. Major card networks such as Visa, MasterCard, Discover, American Express, JCB and Union Pay maintain the standard through an organization known as Co.

[Figure: front and back of a sample "My Bank Card", showing the chip, the magnetic stripe and the signature panel; legend of card types: Chip & PIN, Chip & Signature, Chip + PIN + Signature, Chip Only, Magnetic Stripe]

The chip stores data and supports multiple levels of authentication and communication between the card, card reader and payment networks, ensuring the card is legitimate. This technology comes in two flavors, mimicking how U.S. consumers use debit and credit cards today, easing the transition to the standard.
CHIP + PIN

Chip + PIN requires the cardholder to enter a password to confirm cardholder identity, and presents a strong defense against lost and stolen card fraud. This authentication method is most common with debit cards in the U.S.

CHIP + SIGNATURE

Chip + Signature requires the cardholder to sign for the transaction at the point of purchase. It's frequently used for credit cards.
Transactions and the New User Experience

Magstripe technology consists of only two back-and-forth communications. Yet, in an transaction, there are now 12 back-and-forth communications between the hardware, POS application, and card networks. The communications deal with card data authentication, cardholder verification, risk management and authorization.

The multiple communications result in a new consumer experience. Rather than swiping cards, consumers will insert them into a card reader (many are calling this action "dipping"). The user only removes the card after the device indicates the transaction is complete and prompts the consumer. Merchants will need to watch for consumers forgetting cards after the transactions.

Drop in Card-Present Fraud

Countries adopting the standard have seen a significant drop in card-present fraud:
United Kingdom: 69%
France: 35%
Canada: 30%
Australia: 15%
Source: Federal Reserve Bank of Atlanta, April 2013

Why Now?

More High-Profile Breaches

With in place in other countries, worldwide counterfeit fraud has shifted, targeting the less secure magnetic stripe standard in the United States. A recent rash of card breaches among large retailers added a sense of urgency for the industry to implement the more secure technology. Card data stolen elsewhere is used for purchases at U.S. merchants because of the lack of chip card safeguards. As becomes common, thieves will concentrate on merchants who do not adopt the new standard.

Liability Switch Deadline

To motivate a nationwide transition to, card networks will institute a liability switch in October 2015. Liability in the payment chain for counterfeit cards will fall on the party with the least degree of security.
October 2015: Liability shift begins for Visa, MasterCard, American Express and Discover (automated fuel dispensers are excluded)
October 2017: Liability shift begins for automated fuel dispensers

Apple Pay and Mobile Payments

Payments functionality in smart phones is expanding rapidly. Apple Pay, launched in 2014, uses Near Field Communication technology at NFC-enabled terminals to facilitate payments through mobile phones. Apple Pay NFC purchases carry the lower rates associated with card-present purchases and provide fast, convenient transactions.
The Liability Shift for Transactions

The Liability Shift: Some Facts

The key argument the industry uses for persuading businesses to adopt is a liability shift. But what does that mean? Liability for what? To whom is liability shifted, and under what conditions?

The short answer: can prevent card-present counterfeit fraud, so merchants processing cards using -enabled card readers and using proper procedures are not liable for losses if counterfeit cards are used. Today, counterfeit card fraud losses are absorbed by issuing banks. Starting October 1st, 2015, D-Day for the liability shift, the liability for counterfeit fraud can switch to merchants not adopting.

In 2014, transactions using counterfeit cards represented 37% of all US credit card fraud. will eliminate this situation. It is relatively easy to manufacture magnetic stripe cards using card data stolen during breaches, but extremely difficult and impractical to clone the cards with a chip.

U.S. Card Fraud by Type, 2014
Online (card not present): 45%
Counterfeit: 37%
Lost/stolen: 14%
Other: 4%
Source: Aite Group, : Lessons Learned and the U.S. Outlook, June 2014.

How Does a Merchant Avoid the Liability from Counterfeit Card Transactions?

1. Acquire -enabled card reader(s) and POS software. The transition will require upgrading software and buying new card readers.
2. Use to complete the transaction. It's not enough to have an payment system. It must be properly used. The transaction has to use the payment flow, in which the customer dips the card and conducts an transaction. When a customer tries to swipe the card, devices will recognize when the card has a chip and prompt the user to dip instead of swipe.
3. Enable Apple Pay in place of cards.
The Rules

Following the October deadline set by major U.S. credit card networks (Visa, MasterCard, American Express, Discover), card-present fraud liability will shift to whomever is the least -compliant party in a counterfeit transaction. The key rule is that the party in the transaction chain that prevented the use of (card issuer, merchant or ISO/processor) is responsible should a counterfeit card be used. It will cover both domestic and cross-border (cards issued in other countries) counterfeit transactions.

The policy assigns liability for counterfeit fraud to the party that has not made the investment in chip cards (issuers) or terminals (merchants/acquirers). The policy encourages wider deployment of cards and terminals.

MasterCard, American Express and Discover support a liability shift for lost, stolen and never received/issued cards to the party not supporting PIN as a cardholder verification method. If neither party supports PIN, only the counterfeit liability shift rules apply.

Counterfeit Card Fraud Liability Examples

Current:
Mag stripe card and mag stripe terminal: Issuer liable

October 2015 & Beyond:
Mag stripe card and mag stripe terminal: Issuer liable
Mag stripe card and chip terminal: Issuer liable
Chip card and mag stripe terminal: Merchant liable
Chip card and chip terminal: Issuer liable
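The rules above combine several conditions (shift date, fuel-dispenser exemption, card and terminal capability, fraud type, and the PIN-based shift that only MasterCard, American Express and Discover support). The following Python is an added example, not OpenEdge's or any card network's code: a small rules engine that encodes the page's description so an acquirer or merchant can reason about which party bears a given loss. The Transaction fields, the decide() helper and the assumption that lost/stolen losses stay with the issuer when no PIN shift applies are all this example's own.

```python
from dataclasses import dataclass
from datetime import date

# Dates stated on the page: general shift October 2015, automated fuel dispensers October 2017.
COUNTERFEIT_SHIFT = date(2015, 10, 1)
AFD_SHIFT = date(2017, 10, 1)
# Networks the page names as supporting the PIN-based shift for lost/stolen/never-received cards.
PIN_SHIFT_NETWORKS = {"mastercard", "amex", "discover"}


@dataclass(frozen=True)
class Transaction:
    network: str                  # "visa", "mastercard", "amex" or "discover"
    when: date                    # transaction date
    fraud_type: str               # "counterfeit" or "lost_stolen"
    chip_card: bool               # the card carries a chip
    chip_terminal: bool           # the terminal could run a chip transaction
    card_supports_pin: bool = False
    terminal_supports_pin: bool = False
    automated_fuel_dispenser: bool = False


def liable_party(tx: Transaction) -> str:
    """Return "issuer" or "merchant" for the fraud loss on this transaction.

    Hypothetical rules engine modelled on the page's description, not network rules text.
    """
    if tx.fraud_type not in ("counterfeit", "lost_stolen"):
        raise ValueError(f"unknown fraud type: {tx.fraud_type}")

    # Before the shift date for this acceptance channel the issuing bank absorbs the loss.
    shift_date = AFD_SHIFT if tx.automated_fuel_dispenser else COUNTERFEIT_SHIFT
    if tx.when < shift_date:
        return "issuer"

    if tx.fraud_type == "counterfeit":
        # Liability lands on the party that prevented a chip transaction: a merchant whose
        # terminal could not read the chip on a chip card. Every other combination stays with
        # the issuer (mag stripe card: issuer did not invest; chip on chip: the chip did its job).
        if tx.chip_card and not tx.chip_terminal:
            return "merchant"
        return "issuer"

    # Lost/stolen: only some networks shift liability, and only to the side lacking PIN support.
    if tx.network in PIN_SHIFT_NETWORKS:
        if tx.card_supports_pin and not tx.terminal_supports_pin:
            return "merchant"
    # Visa, or neither/both sides supporting PIN: no PIN shift applies. Assumption of this
    # example: the lost/stolen loss then stays with the issuer (the page does not say).
    return "issuer"


def decide(network: str, iso_date: str, fraud_type: str,
           chip_card: bool, chip_terminal: bool, **flags) -> str:
    """Convenience wrapper taking an ISO date string, e.g. decide("visa", "2015-11-01", ...)."""
    return liable_party(Transaction(network, date.fromisoformat(iso_date),
                                    fraud_type, chip_card, chip_terminal, **flags))


def page_table_examples() -> dict:
    """The four post-shift rows of the page's liability table, as evaluated by the engine."""
    rows = {
        "mag card / mag terminal": (False, False),
        "mag card / chip terminal": (False, True),
        "chip card / mag terminal": (True, False),
        "chip card / chip terminal": (True, True),
    }
    return {name: decide("visa", "2015-10-01", "counterfeit", card, term)
            for name, (card, term) in rows.items()}


if __name__ == "__main__":
    for name, party in page_table_examples().items():
        print(f"{name}: {party} liable")
```

Run as a script it prints the page's table; the chip card / mag terminal row is the only one that moves to the merchant. Keeping the shift dates and the PIN-shift network set as named constants makes it easy to review what assumptions a liability model actually encodes.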
Apple Pay: Also Shielding Merchants from Counterfeit Fraud

Apple Pay is a secure payment system similar to, but uses an iOS device (iPhone, iPad or Apple Watch) instead of a chip card. The iOS device does not store actual card data, but a card token, and generates a unique code for each transaction. The algorithm for the code generation is in a special chip, the secure element, in the iOS device. The token's unique device account number is 16 digits long and handled as if it were a regular credit card number. The secure element takes the role of the chip, generating the one-time-use code for each transaction.

Apple Pay face-to-face (in-store) transactions are considered card present. Merchants require an NFC-enabled terminal (common for card readers). Customers' iPhones, iPads, and Apple Watches communicate with the NFC terminal to complete the transaction. Note that the card provisioned for Apple Pay does not need to be a chip card.

Card Provisioning and Account Fraud

Consumers enable Apple Pay on their mobile devices using their Apple iTunes account or by entering card data directly into the device (either by scanning a card with the iOS device's camera or keying the card data). The device then sends the data to the card-issuing bank, which verifies user identity and card validity by email, text or phone. Once the card and consumer identity are confirmed, the device receives a token that Apple Pay uses for purchases.

Because Apple Pay is so secure, the only fraud perpetrated so far has been account fraud using stolen card data to provision Apple Pay, in which a thief impersonates the cardholder when adding a card to his iPhone or iPad, or creates a fraudulent iTunes account. It is up to the issuing bank to verify authenticity, thus shifting liability back to the issuer.

Adoption Challenge

Chicken or the Egg?

Businesses are not motivated to upgrade their equipment to, as most of their customers do not have chip cards.
Issuing banks were not willing to incur the expense of issuing more expensive chip cards because their customers had nowhere to use them. That paradox is evaporating. Visa forecasts that by the end of 2015 over 70% of credit cards and 40% of debit cards in the U.S. will have the chip, and 50% of the merchants will have card readers. and magnetic stripe technology will co-exist for some time; the card readers will accept both payment types.
Complexity

The transition to presents a major undertaking for point-of-sale software companies, merchants and processors. Card brands have mandated that payment processors must be able to process transactions, yet processing remains voluntary for merchants and payment software developers. To avoid liability, merchants will need to replace their terminals with devices capable of processing transactions, and obtain -enabled software.

1 processor x 4 card brands x 3 devices = 12 certifications

[Figure: by the end of 2015, 70% of credit cards and 40% of debit cards in the U.S. will have the chip, and 50% of merchants will have card readers]

EdgeShield & Edge

The standard only deals with card authentication (and cardholder authentication when PIN is accepted). It does not address the security of the payment data itself, which could be transmitted in clear text. OpenEdge's EdgeShield security bundle includes point-to-point encryption and tokenization, on top of the card security benefits present with our solution. Our goal is to simplify payments and to provide the most secure payment environment available for business.

[Figure: EdgeShield components: PCI ASSURE, Point to Point Encryption, Token Vault; PA-DSS 3.0 out-of-scope]

About OpenEdge

OpenEdge helps businesses succeed by delivering secure and personalized payment solutions. As the integrated payments division of Global Payments, OpenEdge is driving innovation, adapting, scaling and simplifying how payments are processed, across platforms and points of interaction, in an increasingly complex landscape. OpenEdge serves more than 100,000 businesses across 60 industry verticals throughout the United States and Canada.
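The EdgeShield paragraph makes the point that chip authentication says nothing about the card number (PAN) that still travels to the processor and may be logged or stored by the merchant. The following Python is an added example, not OpenEdge's EdgeShield or any product code: a hypothetical token vault that hands the merchant an opaque token in place of the PAN, plus a scanner a merchant could run over its own records to detect PANs stored in clear text. The vault's XOR keystream is an illustration of "encrypted at rest" (a real vault would use an authenticated cipher), the token format and the test PAN 4111111111111111 are constructed, and the record layout is invented for the demo.

```python
import hashlib
import hmac
import re
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Luhn check used to recognise a plausible card number (13-19 digits)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only component that ever sees real PANs.

    Illustration only: PANs are stored XORed with an HMAC-derived, token-specific keystream.
    A production vault would use an authenticated cipher (e.g. AES-GCM) and an HSM-held key.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._token_by_index = {}    # HMAC(PAN) -> token, so a repeat PAN maps to the same token
        self._cipher_by_token = {}   # token -> PAN bytes XORed with the token's keystream

    def _index(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def _keystream(self, token: str) -> bytes:
        return hmac.new(self._key, token.encode(), hashlib.sha256).digest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # Random letters so the token never contains a PAN-like digit run; the last four
        # digits are kept so receipts and customer service can still identify the card.
        token = "tok_" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(12)) + pan[-4:]
        ks = self._keystream(token)
        self._cipher_by_token[token] = bytes(p ^ k for p, k in zip(pan.encode(), ks))
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        ct = self._cipher_by_token[token]
        ks = self._keystream(token)
        return bytes(c ^ k for c, k in zip(ct, ks)).decode()


PAN_RUN = re.compile(r"\d{13,19}")


def contains_pan(record: dict) -> bool:
    """True if any value in a merchant-side record holds a Luhn-valid 13-19 digit run."""
    for value in record.values():
        for run in PAN_RUN.findall(str(value)):
            if luhn_valid(run):
                return True
    return False


def demo() -> tuple:
    """Constructed charge record stored with the PAN, then with the token instead."""
    vault = TokenVault(key=secrets.token_bytes(32))
    pan = "4111111111111111"                         # well-known test PAN, not a real account
    token = vault.tokenize(pan)
    before = {"customer": "constructed", "card": pan, "amount": "19.99"}
    after = {"customer": "constructed", "card": token, "last4": pan[-4:], "amount": "19.99"}
    return contains_pan(before), contains_pan(after), vault.detokenize(token) == pan


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The record that carries the token passes the scan, while the record carrying the PAN is flagged; only the vault can turn the token back into the PAN. The HMAC index gives deterministic tokenization (same card, same token) without storing the PAN in the index, which is what lets a merchant recognise a returning customer while keeping PANs out of its own systems.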
2015 OpenEdge, a division of Global Payments, operates through the following entities: OECSA-Merch-052815-TN Accelerated Payment Technologies is a registered ISO and MSP of HSBC Bank, National Association, Buffalo, NY, a registered ISO and MSP of Wells Fargo Bank, N.A., Walnut Creek, CA, and a registered ISO/MSP of Synovus Bank, Columbus, GA. Accelerated Payment Technologies, A Division of Global Payments. All rights reserved. Payment Processing, Inc. is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA; HSBC Bank USA, National Association, Buffalo, NY; and National Bank of Canada, Montreal, QC. PayPros is a registered trademark of Payment Processing.