Implication of EMV Migration for the U.S. Transportation Industry. May 1, 2015. Implication of EMV Migration for the U.S. Transportation Industry

Similar documents
How To Comply With The New Credit Card Chip And Pin Card Standards

Payments Transformation - EMV comes to the US

EMV and Small Merchants:

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

EMV in Hotels Observations and Considerations

Understand the Business Impact of EMV Chip Cards

Visa Recommended Practices for EMV Chip Implementation in the U.S.

What Issuers Need to Know Top 25 Questions on EMV Chip Cards and Personalization

A Brand New Checkout Experience

A Brand New Checkout Experience

Preparing for EMV chip card acceptance

What Merchants Need to Know About EMV

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change

OpenEdge Research & Development Group April 2015

toast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

The Adoption of EMV Technology in the U.S. By Dave Ewald Global Industry Sales Consultant Datacard Group

U.S. Bank. U.S. Bank Chip Card FAQs for Program Administrators. In this guide you will find: Explaining Chip Card Technology (EMV)

PCI and EMV Compliance Checkup

American Express Contactless Payments

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper Executive Director, Product Development

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

What is EMV? What is different?

EMV : Frequently Asked Questions for Merchants

Chip Card (EMV ) CAL-Card FAQs

EMV FAQs. Contact us at: Visit us online: VancoPayments.com

A RE T HE U.S. CHIP RULES ENOUGH?

EMV Frequently Asked Questions for Merchants May, 2014

Euronet s EMV Chip Solutions Superior Protection with Enhanced Security against Fraud

welcome to liber8:payment

EMV EMV TABLE OF CONTENTS

A Guide to EMV Version 1.0 May 2011

Mobile Near-Field Communications (NFC) Payments

EMV and Restaurants What you need to know! November 19, 2014

Introductions 1 min 4

Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance

How to Prepare. Point of sale requirements are changing. Get ready now.

What Merchants Need To Know About The New Credit Card Processing Liability Regulations

Practically Thinking: What Small Merchants Should Know about EMV

NEWS BULLETIN

EMV's Role in reducing Payment Risks: a Multi-Layered Approach

The Canadian Migration to EMV. Prepared By:

EMV ADOPTION AND ITS IMPACT ON FRAUD MANAGEMENT WORLDWIDE

Secure Payments Framework Workgroup

E M V I M P L E M E N TAT I O N T O O L S F O R S U C C E S S, P C I & S E C U R I T Y. February 2014

OpenEdge Research & Development Group April 2015

Credit Card Processing, Point of Sale, ecommerce

We believe First Data is well positioned to take advantage of all of these trends given the breadth of our solutions and our global operating

PREPARING FOR THE MIGRATION TO EMV IN

The Impact of Emerging Payment Technologies on Retail and Hospitality Businesses. National Computer Corporation

FAQ EMV. EMV Overview

Planning For EMV Technology. Your Guide to Making the Transition

Changing Consumer Purchasing Patterns. John Mayleben, CPP SVP, Technology and Product Development Michigan Retailers Association

Flexible and secure. acceo tender retail. payment solution. tender-retail.acceo.com

Target Security Breach

Euronet s Contactless Solution

Card Technology Choices for U.S. Issuers An EMV White Paper

WHITE PAPER U.S. JOINING WORLDWIDE EMV MOVEMENT

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

Testimony of Scott Talbott, Sr. V.P. for Government Relations, Electronic Transactions Association (ETA)

Prevention Is Better Than Cure EMV and PCI

PREVENTING PAYMENT CARD DATA BREACHES

M/Chip Functional Architecture for Debit and Credit

Visa U.S. Merchant EMV Chip Acceptance Readiness Guide. 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions

Dates VISA MasterCard Discover American Express. support EMV. International ATM liability shift 2

EMV and Encryption + Tokenization: A Layered Approach to Security

American Bankers Association

CITGO CHIP & MOBILE TM. Quick-Start Guide YOUR CUSTOMERS. are

CONTACTLESS INTEROPERABILITY IN TRANSIT

EMV: A to Z (Terms and Definitions)

U.S. House Small Business Committee. On Behalf of the National Grocers Association. October 6, 2015

First Data s Program on EMV

Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?

DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE

Your Reference Guide to EMV Integration: Understanding the Liability Shift

How To Protect Your Restaurant From A Data Security Breach

Newtek, The Small Business Authority 855-2thesba thesba.com 855-2thesba

PAGE ONE Economics CLASSROOM EDITION. The Smart-Chip Credit Card: A Current Solution

Visa U.S. Merchant EMV Chip Acceptance Readiness Guide. 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions

Wayne EMV Solutions. Protect your business with a complete EMV Solution inside and out.

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011

CPIM Academy. Cash 257 Merchant Services and Revenue Collection

Mitigating Fraud Risk Through Card Data Verification

U.S. EMV Debit Implementation Guidelines for POS Acquirers

Electronic Payments Part 1

Payment Card Industry (PCI) Data Security Standard. PCI DSS Applicability in an EMV Environment A Guidance Document Version 1

ICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone!

EMV Chip and PIN. Improving the Security of Federal Financial Transactions. Ian W. Macoy, AAP August 17, 2015

EMV Overview. Get Familiar with EMV & Our Plans to Support it

Tokenization: FAQs & General Information. BACKGROUND. GENERAL INFORMATION What is Tokenization?

EMV GATHERS STEAM AS U.S. MOVES TOWARD LIABILITY SHIFT

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance

How To Protect A Smart Card From Being Hacked

EMV: Background and Implications for Credit Unions

Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER

EMV: Preparing for the shift

Card Acceptance Best Practices Playing it Safe at the Point of Sale

THE APPEAL FOR CONTACTLESS PAYMENT 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO BASED TECHNOLOGY FOR PAYMENT 4

Transcription:

Implication of EMV Migration for the U.S. Transportation Industry 1

Introduction Transportation payment methods are constantly evolving. When cash handling became too expensive and inconvenient, the metal token was introduced, followed by the paper ticket and the magnetic stripe ticket. Every system had the same goal: a secure, efficient and easy-to-use method for consumers to make payments to access transportation. Today, however, the entire U.S. payments industry is migrating to a new technology EMV chip cards. This is the biggest change to the U.S. payments infrastructure since the magnetic stripe card became standard in the 1980s. Merchants in all industries, including U.S. transportation operators, will have to implement EMV chip card payment or face higher fraud losses and other costs starting in October 2015, due to new liability rules from the global payment networks American Express, Discover, MasterCard and Visa. This change affects all transportation operators. All payment devices used in physical locations to purchase fare products to access the transportation system are affected by EMV migration, including ticket vending machines (TVMs), self-service kiosks and point-of-sale (POS) terminals. EMV migration is a completely separate topic from implementing or considering open payment, the acceptance of bank-issued credit and debit cards at fare gates and on buses to directly pay a fare. Open payment is optional, but EMV migration is effectively being mandated for any business that accepts credit or debit card payments. The goal of this paper is to educate the transportation community on the migration to EMV in the U.S. It provides information necessary for agencies to make a smooth transition to accepting and processing EMV payments for both the purchase of fare media and, optionally, for direct fare open payment at a fare payment device. The requirements for both of these processing paradigms differ significantly, however. To avoid confusion, the main sections of the paper will deal only with those topics that affect all operators the implementation of EMV acceptance at TVMs and point-of-sale (POS) terminals for purchasing fare media (closed-loop cards, passes, tokens or other). 2

Cubic Transportation Systems has helped successfully deploy EMV-compliant transportation systems in the U.S., U.K., Australia, Germany and Canada. Transport for London (TfL) is a great example of a transportation fare payment system that has already been implemented and is now using contact and contactless EMV chip cards. Drawing from this experience, we will address necessary upgrades and changes to software and hardware to support EMV in a transportation environment, the benefits and implications of the migration, and best practices for solutions to ease the transition. To introduce the topic in depth, we will first explain what EMV cards are, why the U.S. is migrating and when, and the specifics of the liability shifts being set by MasterCard, Visa, American Express and Discover that are encouraging the transition. If you are already familiar with EMV and the U.S. migration specifics, skip ahead to the recommendations section beginning on page 8. What is a smart card? Smart cards, also known as chip cards, contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. There are three types of chip card interfaces used for payment applications contactless, contact or dual (with both contact and contactless interfaces). Contactless smart cards include a microprocessor computer chip that is completely embedded in the card and is not visible on the surface. They communicate wirelessly via radio frequency (RF) over short distances (less than 2-4 inches). In a contactless payment transaction, the consumer holds the contactless card, device or compatible mobile phone in close proximity to the merchant POS terminal and the payment account information is communicated wirelessly, with no physical contact required. Transportation operators worldwide are already familiar with the contactless smart card technology used in their closed-loop Automated Fare Collection (AFC) systems at transportation entry and exit points, and on buses. Contact chip cards feature a small gold or silver rectangle, the contact, on the front of the card. The microprocessor computer chip is embedded underneath the contact in a protective plastic module. Contact bank cards interact with bank card terminals through the contact. When making payments, a contact chip card is inserted into a smart card reader in the POS terminal. A contact connection is made between the chip and the POS. That enables the secure exchange of payment and security information with the terminal and the network behind it. 3

In contact chip cards, the microprocessor chip is underneath the silver or gold contact interface Image courtesy of the EMV Migration Forum The major difference that consumers will see is that, rather than a swipe, the contact chip card is inserted into the reader and must remain inserted and in contact until the transaction is complete. This provides power to the microprocessor chip in the card and allows constant communication between the chip and the terminal. A crude but useful analogy is that a contact EMV card is like a USB thumb drive it has to stay connected to work. EMV chip cards must be inserted into TVMs and payment terminals, and remain in place until the transaction is finished. This is particularly important with dip type readers that do not pull the card completely into the reader, such as some ATMs and gasoline pumps. With magnetic stripe cards, consumers are used to dipping the card into a reader and then removing it rapidly so the stripe is read. With EMV smart cards, the card must be left in place. Most retail payment terminals do not completely swallow the card, and people must learn to leave it in place during the payment transaction. Smart card technology is not just used for payments. For example, most mobile phones across the globe include a SIM card, a type of smart card. They can also take other forms such as a USB token or a page in a passport book. All U.S. passports, and those of many other countries, contain a contactless smart card chip with special programming to prevent counterfeiting and add additional security. 4

EMV technology: What is it? EMV 1 is an open-standard set of specifications developed to create interoperability for credit and debit payment smart cards and payment devices, and is managed, maintained and enhanced by EMVCo 2. EMV chip cards use smart card chip technology to provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. 3 There are three key security features in EMV chip card transactions that prevent fraud, all using the chip s computing power, secure keys and proven cryptographic processes. EMV transactions distinguish between authentication and authorization. Authentication checks the authenticity of the card itself. Authorization validates the issuing bank s approval of a transaction, considering the status of the cardholder s account (e.g., open to buy balance) and the results of fraud checks, including some that use the chip and EMV payment application software as explained below. The first step is authentication of the card's microprocessor chip, ensuring that the card is an original bankissued card and not a counterfeited duplicate. Some issuers support offline terminal-card authentication, while others depend on an online issuer authentication. The second feature is that the card and each payment transaction are uniquely authorized with a dynamic cryptogram, a type of digital signature generated by the chip. The dynamic cryptogram uses information specific to the transaction and cryptographic keys embedded by the card issuer that cannot be duplicated or copied because it is specific to the card and protected by the smart card security. This gives every transaction a unique cryptogram that proves the original card issued by the bank is being used, not a copy. If a fraudster attempts to use a duplicate card, it will be declined because the issuer will recognize the lack of a legitimate dynamic cryptogram. These methods help to prevent card skimming and card cloning, or making cards using information stolen in a credit card data breach, two of the common ways magnetic stripe cards are compromised and used for fraudulent activity. Some issuers support offline terminal-card authorization for some transactions, while others require on an online authorization. 1 EMV was developed in 1994 by Europay, MasterCard and Visa. These companies recognized the benefits of chip-based payment but also realized that international standards for such payment were needed to help create global interoperability. 2 EMVCo is owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa, and includes other organizations from the payments industry participating as technical and business associates. More information on EMVCo can be found at www.emvco.com. 3 EMVCo definition 5

EMV chip card security features combat counterfeit card fraud. need to go online for each transaction. Finally, the cardholder can also be verified. There are four possible card verification methods (CVMs): offline PIN, online PIN, signature, or no CVM. PINs directly protect against fraud resulting from lost, stolen and never received cards. Signature verification ensures the signature on the receipt matches the signature on the back of the card. No CVM is typically used for low-value transactions or for transactions at unattended locations such as a transit kiosk. CVMs can drastically reduce lost and/or stolen claims by customers and protect the financial interests of all parties involved, including the merchant, bank and card member, though not all issuers require a PIN or signature. It is important to note that it is the issuer that decides which CVM is appropriate for their cards based on the associated risk of the transaction. Outside of the U.S., most issuers require a PIN entry with chip cards, which is why they are commonly called "chip and PIN" cards. Many transactions in other regions use offline card authentication and transaction authorization as well for some transactions, eliminating the In the U.S., however, most credit card issuers do not plan to add a PIN code to their EMV cards. Where has EMV been implemented? EMV is steadily being adopted as the payment standard for secure transactions worldwide with 80 countries in various stages of implementation. The standard has already been adopted in most of Europe and is widely used in Asia. Canada is in mid-migration and will complete the transition over the next few years. EMVCo estimates 1.6 billion chip cards have been issued globally. Almost 81 percent of Western Europe has adopted EMV cards while nearly 50 percent of cards in Canada, Latin America and the Caribbean are EMV compliant. Africa, the Middle East and Asia Pacific are still under 30 percent adoption. 4 Implementations in the U.K. have caused fraud rates to drop 36 percent from 504.8 million in 2004 to 341 million in 2011, the lowest annual total since 2000. 5 This success has been repeated worldwide and is a major factor in the push for EMV in the U.S. The United States is migrating to EMV Faced with ever-increasing fraud levels, the global payment networks American Express, Discover, Visa and MasterCard have established deadlines by which issuers and merchants need to adopt chip technology or face a liability shift. Starting around October 2015, all U.S. merchants including transportation operators will have an increased risk for fraud losses if they have not upgraded their payment acceptance infrastructure to EMV. (See U.S. EMV Liability Shifts below.) 4 Worldwide EMV Deployment Statistics, EMVCo website, http://www.emvco.com/about_emvco.aspx?id=202 5 Fraud: The Facts 2012, UK Cards Association, http://bit.ly/1bscefn 6

While there are many benefits to EMV migration, greater security for the U.S. payments system is the overriding reason for the decision. Of particular concern has been the rise in counterfeit card fraud, fueled by massive data breaches involving stolen payment account information. In a well-developed global cybercrime black market, hackers sell stolen card data in bulk to other criminals, who in turn make counterfeit cards they can use for fraudulent transactions. The magnetic stripe is the root vulnerability that makes this possible, because cards can be over-written with stolen card data, effectively making a clone of the original card. According to the FBI, the situation has gotten worse. Recently they warned merchants that hackers are using malware that steals magnetic stripe card data from the POS terminal s memory, giving them a perfect copy of the original card including its CVV1 security code. The FBI has uncovered 22 such attacks already and industry security insiders have said this is the attack used in Target s 40 million account data breach. 6 EMV chip cards help turn the tables on these criminals, because the cryptographic keys that secure the cards and transactions cannot be read or copied, making it virtually impossible to clone a chip card. And since each transaction must be digitally signed by the chip, issuers are aware when someone attempts to make fraudulent face-to-face transactions with stolen data. One major benefit is that EMV chip cards reduce the threat of financial cybercrime by removing the economic incentive for criminals. Replacing magnetic stripe payment data with secure EMV chip payment data devalues U.S. payment data in the eyes of criminals because, if stolen, EMV chip payment data cannot be used to create counterfeit payment cards. 7 Other benefits of EMV Card member verification: Reduced chargebacks due to lost and/or stolen cards: the improved card member authentication such as PIN or signature verification reduces the chance and capability for others to misuse cards that are lost or stolen Reduced counterfeit fraud: EMV cards have built in defenses against counterfeit transactions, such as the dynamic verification code associated with individual transactions, making the data less useful when stolen, as well as the option for card member authentication PCI Audit relief: Major card brands have offered incentives to merchants who are migrating to EMV early by offering data breach protection and PCI audit relief. Transportation agencies will need to check with their merchant agreement to see what PCI audit relief they may qualify for. Eligibility requires that 75% of payment transactions originate from an EMV-enabled device (Note, the transactions themselves do not have to be from EMV cards, a further incentive to upgrade payment infrastructures.) NFC and mobile payments: EMV and near-field communication (NFC) mobile payment go hand-in-hand. As the U.S. upgrades its infrastructure to contact EMV, the standard, there is strong interest in adding contactless at the same time. The main reason is that if a merchant accepts contactless transactions it can also accept NFC mobile payments such as Apple Pay. Improved interoperability: International travelers benefit by using EMV technology as many countries have already migrated to EMV offering consistent user interfaces and better protection 6 Liz MacDonald, FBI finds 20 cyberattacks in past year similar to Target, Fox Business News, Jan. 30, 2014, http://video.foxbusiness.com/v/3127616669001/fbi-finds-20-cyber-attacks-in-past-year-similar-to-target/#sp=show-clips 7 Randy Vanderhoof, Can Technology Protect Americans From International Cybercriminals, Smart Card Alliance (testimony before the House Committee on Science, Space and Technology, Subcommittees on Oversight and Research & Technology), Washington D.C., March 4, 2014, p.3 http://docs.house.gov/meetings/sy/sy21/20140306/101839/hhrg- 113-SY21-Wstate-VanderhoofR-20140306.pdf 7

U.S. EMV Implementation: Liability Shifts It is essential to understand how upcoming EMV liability shifts will increase the risk of fraud losses for transportation operators that do not upgrade their payment acceptance infrastructure to EMV. The U.S. is a very competitive and diverse market, and while the global payment networks cannot order issuers and merchants to migrate to EMV, they can influence the market direction with liability shifts: changes in the rules covering who pays for losses when fraud occurs. To encourage the U.S. migration to EMV, the global brands have all announced liability shifts that place financial responsibility for losses due to fraudulent counterfeit card transactions using EMV-enabled cards on the merchant or issuer who does not support EMV, starting in October 2015. For example, imagine someone skims the magnetic stripe of an EMV-enabled bank card and uses that information to produce a counterfeit magnetic stripe card. If the fake card is used for a magnetic stripe transaction to buy $1,000 in fare cards at a non-emv TVM or POS, the transportation operator would be liable for the fraud because that transaction could have been denied at an EMV-ready terminal. Once a transportation operator has the ability to process EMV transactions (i.e., has an EMV capable terminal), then there is no liability shift to the merchant, and the rules are basically the same as they are today. Note that the liability shift does not apply to non-emv contactless transactions. Preparations for EMV chip payments by major payments industry players are well on their way, and the key milestones for Visa, MasterCard, Discover and American Express are summarized below. Visa Effective October 1, 2015, Visa s global counterfeit liability shift will be instituted in the U.S. for POS transactions. On and after this date, the party that is the cause of a chip transaction not occurring (i.e., either the issuer or the merchant s acquirer processor) will be held financially liable for any resulting card present counterfeit fraud losses. The shift helps to better protect all parties by encouraging chip transactions that use unique, dynamic authentication data. 8 MasterCard October 2015, MasterCard liability hierarchies take effect (excluding fuel). October 2016, MasterCard liability hierarchies take effect for all U.S. ATM transactions. 9 American Express Effective October 2015, American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology. U.S. fuel merchants will have an additional two years, until October 2017, before the FLS takes effect for transactions generated from automated fuel dispensers. 10 8 Visa U.S. Merchant EMV Chip Acceptance Readiness Guide, Visa, http://usa.visa.com/download/merchants/visamerchant-chip-acceptance-readiness-guide.pdf 9 Progress Against Roadmap, MasterCard website, http://www.mastercard.us/_assets/docs/mastercard_emv_timeline.pdf 10 American Express Announces U.S. EMV Roadmap to Advance Contact, Contactless and Mobile Payments, American Express news release, June 29, 2012 8

Discover Discover is imposing a fraud liability shift for Discover Network (in the U.S., Canada and Mexico) and PULSE (in the U.S.), effective October 1, 2015, at POS terminals and Oct. 1, 2017, at automated fuel dispensers. 11 EMV recommendations for U.S. transportation agencies The table below summarizes the recommendations, which are explained in depth over the next pages. EMV Recommendations at a Glance Topic Minimum Upgrade Advanced - Open Payments Ready Card interface technology Contact Contactless MSD/contactless EMV Card authentication and transaction authorization EMVCo and payment brand testing and certification Ticket vending machines (TVMs) Online Required. Select a partner with EMV certification experience that offers certified readers and software Support contact EMV Offline data authentication and authorization for all four methods. Note: Some issuers may not support offline data authentication Contactless MSD/contactless EMV and compatible NFCenabled mobile devices Employee-operated kiosks Support contact EMV Contactless MSD/contactless EMV and compatible NFCenabled mobile devices Fare gates Back end systems Consumer and staff education and training Payment processing systems to transmit EMV data elements Required Contactless MSD/contactless EMV and NFC-enabled mobile devices Account-based, contactless MSD/contactless EMV and NFC-enabled mobile devices; consider tokenization and pointto-point encryption (P2PE) The U.S. is two years into a planned four-year migration to EMV. As the largest market ever to convert to EMV equivalent to all of Europe migrating at once the time was needed to help all stakeholders jointly work out common issues, make implementation choices for their businesses, and deploy. The first important milestone has already been achieved more than 95% of payment processors have modified their systems to accept EMV transactions. 11 Discover outlines next steps for EMV. ATM Marketplace, Nov. 12, 2012 9

As to EMV chip cards and POS terminals, U.S. adoption is poised for exponential growth in the next year and will go far beyond today s estimated 17 to 20 million EMV chip cards and millions of installed EMV-capable terminals and ATMs, according to industry experts in the EMV Migration Forum. 12 Migration to EMV will affect merchants in all industries, including U.S. transportation operators. EMV-capable technology will be required in all transit vending, reloading and ticket sale operations across the U.S. Like other merchants, transportation operators are not forced to accept EMV cards. There are several reasons why they should, however, and begin the process immediately if not already underway. Liability shift: Transportation merchants who do not migrate to EMV may suffer substantial losses, because they will be liable for any fraudulent and/or counterfeit card losses that EMV would have prevented Fraud concerns: Once EMV migration is underway, experience shows fraudsters concentrate on merchants that have not yet implemented EMV Decreased operating costs: Customers who use their EMV cards elsewhere in the marketplace and become aware of its enhanced security benefits may feel it is less secure to use mag stripe for transportation. This results in higher operating costs due to increases in call volume, visits to attended booths and other payment methods where riders feel more secure about payment Open-loop payments: The migration to EMV can also set the stage for the option of open-loop payments, or payments that enable the use of bank-issued contactless cards for direct transportation fare payments without the need for a separate fare card Three implementation choices that are active discussion topics among all stakeholders also affect transportation operators acceptance decisions card interface technology, CVM and authentication/authorization methods. Card interface technology Transportation operators, like other merchants, need to decide what types of card interfaces to accept. All U.S. EMV chip cards will have a contact interface, the baseline standard for global acceptance. Many U.S. issuers are likely to go beyond this minimum and issue dual interface (contact/contactless) chip cards. Merchants also need to recognize there is a difference between contactless MSD and contactless EMV. The current contactless U.S. bank-issued credit and debit cards and reader infrastructure deployment are based on contactless MSD (magnetic stripe data). The emerging Canadian and European contactless infrastructures are based on contactless EMV, so internationally issued dual technology cards follow this standard. There is no firm plan at this time for the U.S. market to evolve to contactless EMV; however, each brand may have specific requirements around contactless MSD or contactless EMV acceptance. In the U.S., all of these EMV card interface types are likely to be present. For transportation operators, the baseline for migrating to EMV is to accept contact EMV chip cards at TVMs, kiosks and POS terminals. EMV contactless support specific to the transportation industry is essential for open payment, an option that is becoming increasingly attractive as the base of mobile phones grows. In addition, support for contactless EMV should also be considered, especially for agencies that operate in cities that frequently have a high number of foreign visitors. Contact chip cards could not achieve the fast transaction times needed for throughput at transit gates or on buses. 12 EMV Migration Forum Expects Major Increase in U.S. Chip Adoption in Next Year, Defines EMV Debit Framework, EMV Migration Forum news release, April 2, 2014 10

At a minimum, if transportation operators migrating to EMV elect not to support contactless MSD or contactless EMV at this time, they should at least install payment reader hardware that is capable of being upgraded to support either or both contactless standards with only a software change. CVM (Cardholder Verification Methods) Outside of the U.S., most issuers require a PIN entry even with chip credit cards, which is why they are commonly called "chip and PIN" cards. In the U.S., however, we are likely to see all four CVM options: signature, online PIN, offline PIN and no CVM. The latter applies to transactions at or below a specified amount that do not require certain types of merchants to obtain and validate the signature at the POS. No CVM is also used for unstaffed entry devices with strict transaction time requirements. Card Authentication and Transaction Authorization Issuers decide if EMV card authentication will be done online or offline (between the card and the terminal). Cubic recommends that card-accepting devices should be ready to support offline and online using all four methods of the EMV standards: Static Data Authentication (SDA), Dynamic Data Authentication (DDA), or Combined Data Authentication (CDA), and online authentication cryptogram. EMV transactions can be authorized online as magnetic stripe cards are today, but they also offer the option for offline authorization between the card and the terminal. Cubic supports the position of the Smart Card Alliance Transportation Council, which is to support at least offline data authentication, but preferably also offline authorization to help achieve a sub halfsecond transaction time that would benefit open payment implementations in transportation systems by helping reduce boarding times. Currently online transactions average around five seconds, far longer than the maximum transaction time required by transportation agencies. Other EMV best practices Currently, most U.S. ticket vending machines, employee-operated kiosks, fare gates and bank-end systems are not capable of accepting EMV-capable chip cards and will require hardware and software upgrades to meet EMV standards. Though these upgrades may seem like a daunting task, there are existing solution best practices in the industry to make the transition easier. For each topic the required minimum is presented, followed by recommended best implementation practices and options. EMVCo and Payment Brand Testing and Certification Required upgrades: To assure compliance with EMV specifications and payment brand specific functional and security requirements, all card-accepting readers and terminals and the associated payment applications are tested. Evaluations are performed by recognized external security laboratories under the auspices of EMVCo. In addition, individual payment brands American Express, Discover, JCB, MasterCard, and Visa evaluate the implementation of the brand-specific EMV payment application specifications. Following a successful functional and security testing and evaluation, the payment brands issue a type approval letter. A prerequisite for the payment brand evaluation is the EMVCo security evaluation. Best Practices: Select a partner with EMV certification experience that offers certified readers and software. 11

Ticket vending machines Required upgrades: Ticket vending machines (TVMs), where people buy fare media, need to be upgraded to support both contact EMV and magnetic stripe cards, and optionally contactless MSD payment using cards and compatible NFC-enabled mobile devices. Though the goal is to migrate entirely to EMV, maintaining a magnetic stripe option will allow for a smooth transition and will help to create a user-friendly, efficient payment environment. Best Practices: To allow an early schedule start, hardware and software changes can be split into two steps. First upgrade the existing magnetic stripe bank card reader to one that accepts contact EMV cards and retains the magnetic stripe-accepting capability. Leverage the contactless readers on the front door when they exist, or add them when they don t to maximize the range of bank card acceptance that are available. Install the appropriate EMV software upgrades when available. Employee-operated kiosks Required upgrades: Employee-operated kiosks will need capabilities to accept all forms of payment, including EMV-enabled chip cards (both contact and contactless), magnetic stripe cards and cash. Best Practices: As with TVMs, to allow an early schedule start, hardware and software changes can be split into two steps. Install EMV payment terminals or readers that accept contact EMV, contactless MSD or magnetic stripe cards to maximize the range of bank card acceptance that are available. Ensure a software only upgrade path to contactless EMV exists. Install the appropriate EMV software upgrades when available. Fare gates Required upgrades: Fare gates that support payment with bank-issued cards will require contactless readers that can process both EMV and non-emv contactless cards in addition to closed-loop transit cards. Best Practices: Identify proven industry solutions that enable specialized transportation revenue management card readers that accept all forms of contactless payment including branded contactless EMV bank cards, gift cards, prepaid cards, transit tokens and any other contactless payment media. Ensure it processes all forms of industry standard contactless EMV smart cards that meet the financial industry s standard for contactless open payment and has approval from EMVCo, American Express, Discover, MasterCard and Visa to process their branded contactless EMV bank cards for use in public transportation revenue management systems. Use an account-based system that provides support for authenticable non-bankcard tokens linked to a bankcard backed account where the EMV card information could be secured and billed to offline from the instrument presentation at a gate. This option exists for agencies who do not want the PCI exposure at all of the fare payment devices. This would use the same security framework as would be used by the vending devices. Back end systems Required upgrades: Back end systems, responsible for completing the requests from the front end, will require upgrades to the payment processing systems to transmit EMV data elements to banks. Best Practices: Implement an EMV-ready solution that provides a back end system with a certified, secure payment gateway directly to merchant acquiring banks or other financial institutions for credit and debit card transactions. It should be architected to provide optimum performance for securely processing legacy closedloop payments, such as agency-issued transit smart cards, as well as emerging forms of payment including open-loop mobile and EMV payments through bank-issued contactless cards. 12

Look for solutions that include a scheme for tokenizing/detokenizing the sensitive bankcard data such that the back office systems will see no sensitive bankcard data, as well as point-to-point encryption (P2PE), discussed below. Point-to-point encryption (P2PE) and EMV Best Practices: Point-to-point encryption (P2PE) is gaining traction as an additional security layer that is complementary to EMV chip cards. P2PE protects data confidentiality and integrity by encrypting cardholder and transaction data to help prevent intermediaries, such as hackers, Internet providers, or application service providers, from discovering or tampering with the data. In a P2PE implementation, cardholder data is encrypted at the point of acceptance and decrypted at each stop (e.g., merchant to processor, processor to issuer, issuer to merchant). Requirements for P2PE solutions are new and continuing to evolve, and while PCI Security Standards Council certifications are now available, very few organizations have gone through the time and expense of that process. The best practice at this time is to ensure that your EMV payment system does offer some level of P2PE protection, and to continue to monitor developments closely in this rapidly changing technology. Consumer and staff education and training Required upgrades: Consumers and staff will require education on new technologies and system operations. Education plays an important role in ensuring a seamless and effective implementation of any new technology, and the migration to chip-based EMV in the U.S. will be no different. Best Practices: Create educational tools and materials available for consumers use that incorporates clear, uniform terminology and definitions that provide a succinct understanding of EMV and how it makes the payments infrastructure more secure, and how to use it for payments. In addition, training transit staff and employees on best practices regarding EMV will allow for more effective use of the technology. 13

Conclusion The purpose of this brief was to give you an overview of the impact of EMV on the transportation industry and to provide education to all stakeholders. We hope these ideas can help you start planning for EMV. What did you find most useful? What would you like to know more about? We look forward to hearing your feedback and questions. You can contact our team of EMV specialists directly by emailing EMV@cubic.com. Where do you go from here? Start by looking at your own infrastructure and make two lists: What do I have to do to avoid the liability shift? What do I want to do that will be beneficial to the business? We also hope you share this brief with your colleagues. Work with your management to make sure they understand the importance of EMV in the changing world of transportation revenue management and customer service systems. When the time is right, consider contacting us. Cubic Transportation Systems has global EMV experience in the transportation sector and has created a broad portfolio of capabilities, all of which use the techniques and best practices presented here. We would be delighted to make specific recommendations for your situation, and provide you with more detailed information about what we have to offer and how we work. Do not hesitate to contact us in whichever way suits you best. Contact information for our offices worldwide can be found at www.cts.cubic.com. 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information