OpenEdge Research & Development Group April 2015




2015: Security, Merchant Readiness & the Coming Liability Shift

solutions@openedgepay.com
openedgepay.com

Table of Contents

The Payments Industry Landscape
Some Background on EMV
Why Now?
The Liability Shift for Transactions
Adoption Challenge
EdgeShield & Edge
Non

The Payments Industry Landscape

Card Data Breaches

The frequency and impact of card data breaches are increasing. A series of recent high-profile breaches at major retailers has provided a decisive impetus for the payments industry to institute the long-planned transition to EMV. 2015 is the year the U.S. payments industry will migrate to the new standard.

Payment Card Fraud

The theft of payment card data is a lucrative criminal trade. The magnetic stripe technology on credit and debit cards is notoriously easy to access and counterfeit. Well-organized, sophisticated global criminal networks sell and use the stolen card data, often in other countries, before payment industry participants can act. While U.S. consumers are largely protected against direct financial losses, stolen cards or payment credentials affect everyone through the payment chain: issuing banks, payment processors, and the businesses selling goods and services.

Estimated breaches, 2014: 950
Estimated customer records compromised, 2014: 750 million
Average cost per stolen record: $277
Lost business accounts for 56% of data breach costs
Records compromised since 2004: 1 billion+
Source: OpenEdge and PCI SSC

Mobile Technologies

In addition to traditional credit and debit plastic cards, the public uses smart phones for purchasing goods, paying bills and mobile banking. Consumers and businesses using new cloud and mobile technologies require secure, intuitive, seamless payments. This presents new opportunities and challenges as businesses prepare to take payments using near field communications (NFC), mobile and cloud technologies while protecting against fraud.

Some Background on EMV

Counterfeit, Lost and Stolen Cards

EMV, a microprocessor or smart chip, is a fraud-reducing technology that protects against losses from the use of counterfeit cards. It also combats lost and stolen card fraud when using a PIN as a cardholder verification method. EMV cards generate a new code for every transaction, making the card virtually impossible to counterfeit and re-use. When criminals steal card data, they can manufacture new cards with a magnetic stripe, but not with a chip or the unique transaction code. Counterfeit card use will be curtailed with the implementation of EMV devices at merchant purchase locations.

EMV Standard

The payments industry answer to counterfeit card fraud is the EMV standard. It is nearly impossible to duplicate a chip card. The microprocessor (smart chip) is embedded in EMV cards, interacting with hardware devices and payment networks to ensure the card is authentic. This standard was deployed decades ago and has been widely adopted in Europe and Asia. Major card networks such as Visa, MasterCard, Discover, American Express, JCB and Union Pay maintain the standard through an organization known as EMVCo.

[Figure: front and back of a sample bank card, labeling the chip, the magnetic stripe and the signature panel. Card types shown: Contactless, Chip & PIN, Chip & Signature, Chip Only, Magnetic Stripe.]

The chip stores data and supports multiple levels of authentication and communication between the card, card reader and payment networks, ensuring the card is legitimate. This technology comes in two flavors, mimicking how U.S. consumers use debit and credit cards today, easing the transition to the standard.

CHIP + PIN

Chip + PIN requires the cardholder to enter a password to confirm cardholder identity, and presents a strong defense against lost and stolen card fraud. This authentication method is most common with debit cards in the U.S.

CHIP + SIGNATURE

Chip + Signature requires the cardholder to sign for the transaction at the point-of-purchase. It's frequently used for credit cards.
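The per-transaction code described above under "Counterfeit, Lost and Stolen Cards" can be sketched as follows. This is an added example, not code from OpenEdge or from the EMV specifications: HMAC-SHA256 stands in for the chip's real cryptogram algorithm, and the class names, message layout and card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _code(key, pan, atc, amount, nonce):
    # Assumption: HMAC-SHA256 stands in for the chip's real cryptogram algorithm.
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Chip model: the key stays inside the chip; only signed results come out."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def pay(self, amount, nonce):
        self._atc += 1  # transaction counter advances on every use
        code = _code(self._key, self.pan, self._atc, amount, nonce)
        return {"pan": self.pan, "atc": self._atc, "amount": amount,
                "nonce": nonce, "code": code}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc, self._stripe = {}, {}, {}

    def issue(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        self._last_atc[pan] = 0
        self._stripe[pan] = f"{secrets.randbelow(1000):03d}"  # static stripe value
        return ChipCard(pan, self._keys[pan]), {"pan": pan, "cvv": self._stripe[pan]}

    def authorize_chip(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _code(key, tx["pan"], tx["atc"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "DECLINE: code does not match transaction"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return "DECLINE: code already used"
        self._last_atc[tx["pan"]] = tx["atc"]
        return "APPROVE"

    def authorize_stripe(self, track):
        # Static data: a copy is byte-for-byte identical to the original.
        ok = self._stripe.get(track["pan"]) == track["cvv"]
        return "APPROVE" if ok else "DECLINE: bad stripe data"

def run_demo():
    issuer = Issuer()
    chip, stripe = issuer.issue("4000000000000002")  # constructed test number
    results = {}
    tx = chip.pay(2500, secrets.token_hex(4))
    results["genuine_chip"] = issuer.authorize_chip(tx)
    results["replayed_chip"] = issuer.authorize_chip(dict(tx))  # copied message
    altered = {**chip.pay(2500, "00"), "amount": 99}
    results["altered_amount"] = issuer.authorize_chip(altered)
    results["next_chip"] = issuer.authorize_chip(chip.pay(1200, secrets.token_hex(4)))
    results["genuine_stripe"] = issuer.authorize_stripe(stripe)
    results["cloned_stripe"] = issuer.authorize_stripe(dict(stripe))  # counterfeit
    return results

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15} {outcome}")
```

The copied stripe data is approved because the issuer has nothing but static values to compare, while a copied chip message is declined because its counter has already been seen.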

EMV Transactions and the New User Experience

Magstripe technology consists of only two back-and-forth communications. Yet, in an EMV transaction, there are now 12 back-and-forth communications between the hardware, POS application, and card networks. The communications deal with card data authentication, cardholder verification, risk management and authorization. The multiple communications result in a new consumer experience. Rather than swiping cards, consumers will insert them into a card reader (many are calling this action "dipping"). The user only removes the card after the device indicates the transaction is complete and prompts the consumer. Merchants will need to watch for consumers forgetting cards after the transactions.

Drop in Card-Present Fraud

Countries adopting the standard have seen a significant drop in card-present fraud.

United Kingdom: 69%
France: 35%
Canada: 30%
Australia: 15%
Source: Federal Reserve Bank Atlanta, April 2013

Why Now?

More High-Profile Breaches

With EMV in place in other countries, worldwide counterfeit fraud has shifted, targeting the less secure magnetic stripe standard in the United States. A recent rash of card breaches among large retailers added a sense of urgency for the industry to implement the more secure technology. Card data stolen elsewhere are used for purchases at U.S. merchants because of the lack of chip card safeguards. As EMV becomes common, thieves will concentrate on merchants who do not adopt the new standard.

Liability Switch Deadline

To motivate a nationwide transition to EMV, card networks will institute a liability switch in October 2015. Liability in the payment chain for counterfeit cards will fall on the party with the least degree of security.

October 2015: Liability shift begins for Visa, MasterCard, American Express and Discover (Automated Fuel Dispensers are excluded)
October 2017: Liability shift begins for Automated Fuel Dispensers

Apple Pay and Mobile Payments

Payments functionality in smart phones is expanding rapidly. Apple Pay, launched in 2014, uses Near Field Communication technology at NFC-enabled terminals to facilitate payments through mobile phones. Apple Pay NFC purchases carry the lower rates associated with card present purchases and provide fast, convenient transactions.

The Liability Shift for Transactions

The Liability Shift: Some Facts

The key argument the industry uses for persuading businesses to adopt EMV is a liability shift. But what does that mean? Liability for what? To whom is liability shifted, and under what conditions? The short answer: EMV can prevent card-present counterfeit fraud, so merchants processing cards using EMV-enabled card readers and using proper procedures are not liable for losses if counterfeit cards are used.

Today, counterfeit card fraud losses are absorbed by issuing banks. Starting October 1st, 2015, D-Day for the liability shift, the liability for counterfeit fraud can switch to merchants not adopting EMV.

In 2014, transactions using counterfeit cards represented 37% of all US credit card fraud. EMV will eliminate this situation. It is relatively easy to manufacture magnetic stripe cards using card data stolen during breaches, but extremely difficult and impractical to clone the cards with a chip.

U.S. Card Fraud by Type, 2014
Online (card not present): 45%
Counterfeit: 37%
Lost/stolen: 14%
Other: 4%
Source: Aite Group, EMV: Lessons Learned and the U.S. Outlook, June 2014.

How Does a Merchant Avoid the Liability from Counterfeit Card Transactions?

1. Acquire EMV-enabled card reader(s) and POS software. The transition will require upgrading software and buying new card readers.
2. Use EMV to complete the transaction. It's not enough to have an EMV payment system. It must be properly used. The transaction has to use the EMV payment flow, in which the customer dips the card and conducts an EMV transaction. When a customer tries to swipe the card, EMV devices will recognize when the card has a chip and prompt the user to dip instead of swipe.
3. Enable Apple Pay in place of cards.

The Rules

Following the October deadline set by major U.S. credit card networks (Visa, MasterCard, American Express, Discover), card-present fraud liability will shift to whomever is the least EMV-compliant party in a counterfeit transaction. The key rule is that the party in the transaction chain that prevented the use of EMV (card issuer, merchant or ISO/processor) is responsible should a counterfeit card be used. It will cover both domestic and cross-border (cards issued in other countries) counterfeit transactions.

The policy assigns liability for counterfeit fraud to the party that has not made the investment in chip cards (issuers) or terminals (merchants/acquirers). The policy encourages wider deployment of cards and terminals.

MasterCard, American Express and Discover support a liability shift for lost, stolen and never received/issued cards to the party not supporting PIN as a cardholder verification method. If neither party supports PIN, only the counterfeit liability shift rules apply.

Counterfeit Card Fraud Liability Examples

Current
Mag stripe card and mag stripe terminal: Issuer liable

October 2015 & Beyond
Mag stripe card and mag stripe terminal: Issuer liable
Mag stripe card and chip terminal: Issuer liable
Chip card and mag stripe terminal: Merchant liable
Chip card and chip terminal: Issuer liable

Apple Pay: Also Shielding Merchants from Counterfeit Fraud

Apple Pay is a secure payment system similar to EMV, but uses an iOS device (iPhone, iPad or Apple Watch) instead of a chip card. The iOS device does not store actual card data, but a card token, and generates a unique code for each transaction. The algorithm for the code generation is in a special chip, the secure element, in the iOS device. The token's unique device account number is 16 digits long and handled as if it were a regular credit card number. The secure element takes the role of the chip, generating the one-time use code for each transaction.

Apple Pay face-to-face (in store) transactions are considered card present. Merchants require an NFC-enabled terminal (common for card readers). Customers' iPhones, iPads, and Apple Watches communicate with the NFC terminal to complete the transaction. Note that the card provisioned for Apple Pay does not need to be a chip card.

Card Provisioning and Account Fraud

Consumers enable Apple Pay on their mobile devices using their Apple iTunes account or by entering card data directly into the device (either by scanning a card with the iOS device's camera or keying the card data). The device then sends the data to the card-issuing bank, which verifies user identity and card validity by email, text or phone. Once the card and consumer identity are confirmed, the device receives a token that Apple Pay uses for purchases.

Because Apple Pay is so secure, the only fraud perpetrated so far has been account fraud using stolen card data to provision Apple Pay, in which a thief impersonates the cardholder when adding a card to his iPhone or iPad, or creates a fraudulent iTunes account. It is up to the issuing bank to verify authenticity, thus shifting liability back to the issuer.

Adoption Challenge

Chicken or the Egg?

Businesses are not motivated to upgrade their equipment to EMV, as most of their customers do not have chip cards. Issuing banks were not willing to incur the expense of issuing more expensive chip cards because their customers had nowhere to use them. That paradox is evaporating. Visa forecasts that by the end of 2015 over 70% of credit cards and 40% of debit cards in the U.S. will have the chip, and 50% of the merchants will have card readers. EMV and magnetic stripe technology will co-exist for some time; the card readers will accept both payment types.

[Figure: By the end of 2015, 70% of credit cards and 40% of debit cards in the U.S. will have an EMV chip; 50% of merchants will have card readers.]

Complexity

The transition to EMV presents a major undertaking for point-of-sale software companies, merchants and processors. Card brands have mandated that payment processors must be able to process EMV transactions, yet EMV processing remains voluntary for merchants and payment software developers. To avoid liability, merchants will have to replace their terminals with devices capable of processing EMV transactions, and obtain EMV-enabled software.

1 processor x 4 card brands x 3 devices = 12 certifications

EdgeShield & Edge

The EMV standard only deals with card authentication (and cardholder authentication when PIN is accepted). It does not address the security of the payment data itself, which could be transmitted in clear text. OpenEdge's EdgeShield security bundle includes point-to-point encryption and tokenization, on top of the card security benefits present with our solution. Our goal is to simplify payments and to provide the most secure payment environment available for business.

[Figure: EdgeShield components: PA-DSS 3.0 Out-of-Scope, PCI ASSURE, Point to Point Encryption, Token Vault.]

About OpenEdge

OpenEdge helps businesses succeed by delivering secure and personalized payment solutions. As the integrated payments division of Global Payments, OpenEdge is driving innovation, adapting, scaling and simplifying how payments are processed, across platforms and points-of-interaction, in an increasingly complex landscape. OpenEdge serves more than 100,000 businesses across 60 industry verticals throughout the United States and Canada.

2015 OpenEdge, a division of Global Payments, operates through the following entities: Accelerated Payment Technologies is a registered ISO and MSP of HSBC Bank, National Association, Buffalo, NY, a registered ISO and MSP of Wells Fargo Bank, N.A., Walnut Creek, CA, and a registered ISO/MSP of Synovus Bank, Columbus, GA. Accelerated Payment Technologies, A Division of Global Payments. All rights reserved. Payment Processing, Inc. is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA; HSBC Bank USA, National Association, Buffalo, NY; and National Bank of Canada, Montreal, QC. PayPros is a registered trademark of Payment Processing.

OECSA-Merch-052815-TN