THE CASE FOR IN-SOURCING EMV
ISSUING, PROCESSING AND SHAPING YOUR MOBILE PAYMENTS DESTINY

PROXAMA.COM
Copyright Proxama 2016
Date: May 2016
Author: Nigel Beatty, Vice President of Business Development at Proxama
Introduction

The move to EMV in the US has shifted the dynamics of card issuing and the other activities within the card payments business. Things were easier back in the days of magnetic stripe cards: an issuing bank or credit union had to give little thought, if any, to the content of the mag stripe and the information embossed on the card; it was all standard and it was all simple. The biggest headache was getting a new card's artwork approved.

It's a different story with EMV cards. Getting the right information and settings into an EMV chip and then processing the data that's created when that chip card makes a purchase introduces a quantum leap in complexity. So it's not surprising that many card issuers took the path of least resistance to comply with card network requirements and to avoid the liability shift. That most often meant outsourcing card production to a bureau or processor, and either using an existing processor's EMV transaction processing upgrade or delegating EMV authentication to the networks.

While that can be a convenient approach with a short time to market, there are downsides over the longer term, especially when it comes to extending your product offering to mobile payment, both to meet your customers' demands and reap the rewards that the mobile platform promises.

Here we spell out the advantages of in-house processing, of bringing outsourced or delegated processing back in-house, and how an integrated approach to physical and digital card issuing and processing will deliver cost savings and hand you back control of your digital destiny.
The EMV Challenge

With margins falling and costs increasing, migrating the US payment card business to the EMV standard was probably the last thing the industry wanted. But with the US rapidly becoming the focus of global card fraud displaced from other territories by EMV and other fraud prevention strategies, that move was inevitable. The benefit of greater convenience for international travelers was hailed as justification, although in reality this was a by-product.

As Proxama described in its well-received webinar of May 2015, "EMV - The Stepping Stone To Mobile"*, the real goal being pursued by the international card networks was the establishment of an EMV-compliant, contactless acceptance infrastructure (i.e. NFC-capable POS terminals), an essential precursor to the introduction of NFC-based mobile payments. The extra incentives offered to merchants and acquirers to deploy contactless terminals confirm this.

That was of small comfort to card issuers who now faced the challenge of migrating their cardbases to the EMV standard within the liability shift deadlines imposed by the networks. Their choices, to an extent defined by their existing operations, were limited.

For card production, those with in-house card printing facilities (confined mostly to Tier 1 banks and other high-volume issuers) could acquire an EMV data preparation and key management solution and integrate this into their existing operation, together with personalization machine upgrades for writing to EMV chips. Or they could elect to perform EMV data preparation in-house and feed EMV perso data out to one or more perso bureaus, the route chosen, for example, by Proxama customer Navy Federal Credit Union for their debit portfolio. The majority of issuers, however, who had pre-existing relationships with card bureaus and/or processors, simply outsourced EMV data prep and key management to those partners, a relatively quick and cost-effective short-term tactic.
With EMV transaction processing, specifically the verification of new security and other information in authorization messages that confirms the authenticity of the card, small and medium issuers' choices were similarly constrained. The natural route for issuers with outsourced authorization was to accept the EMV extensions introduced by their processor or service provider. Those with third-party in-house authorization systems could take their vendor's EMV upgrade, usually requiring migration to the latest product release with the consequent (and costly) retro-fitting of customizations and end-to-end regression testing, while those with home-grown authorization systems could design and build their own upgrades; a risky and complex approach given the scarcity of EMV expertise in the industry.

With the exception of those that deployed Proxama's EMV Transaction Manager, the only independent cross-platform EMV transaction processing extension in the market (as selected by Fiserv Inc. across all their auth platforms), the only remaining option for in-house processors was to delegate EMV authentication to the on-behalf-of services offered by the card networks.

* https://www.youtube.com/watch?v=i39uulip7_k
Short Term Gain, Long Term Pain

Outsourced and on-behalf-of (OBO) EMV solutions for issuing and processing have the short-term advantages of low start-up costs and relatively quick launch times, but come with medium-to-long term downsides. Some or all of these may apply to an issuing organization:

- Product differentiation: outsourced and OBO services require you to fit with the service offered rather than the service being specified by you to meet your customers' needs, or even tailored for you;
- Security: using outsourced or OBO services entails delegating the creation (and therefore ownership) or the sharing with external third parties of critical business security assets: the EMV Master Keys that guarantee the integrity of your cards and their transactions;
- Time-to-market: as the client of a service provider rather than the owner of the service provided, you'll take your place in line for the development and launch of new products and services behind larger clients with more influence;
- Cost: start-up costs of outsourced, and particularly of OBO services, may be attractive, but as volumes grow and a greater proportion of cards and transactions move to EMV, those costs start to spiral;
- Lock-in: once in a dependent relationship with a service provider, it can be complex and costly to extricate yourself, and the longer it continues, the harder it becomes and the less resilient you can be when faced with the cost increases that will inevitably follow.

These are good reasons in themselves to plan strategically for in-house EMV card data preparation and transaction authentication, even if your initial deployment is outsourced. As we'll discuss below, the case becomes overwhelming when the move to mobile payments is considered.
How do Issuers Move to Mobile?

Despite the card networks' Grand Plans for ensuring NFC mobile payments based on contactless EMV adoption used their network rails, certain third parties threw a wrench in the works with the launch of Apple Pay, the announcement of Android Pay and the other open-loop X-Pay models. While the card networks had effectively cut mobile telcos out of the value chain with the adoption of Host Card Emulation (HCE) as their preferred technology, the power and influence of the digital giants caused a re-think that has led to the current fragmented picture in the NFC mobile payment marketplace. One can imagine that the threats represented by the digital giants' ability to do something even more disruptive were real enough to guarantee the card networks' cooperation in the X-Pay models that we have today.

Nevertheless, the X-Pays provided a relatively quick and minimally disruptive route for issuers to offer mobile payments to their customers, but with a similar set of constraints to those we see in the physical card outsourcing and OBO markets. However, the current X-Pay models take this further by prescribing the channels that issuers must use to access these services: the mobile provisioning and tokenization services operated by the card networks themselves. The knock-on effect is that all transaction traffic generated by the X-Pays has to flow through and be processed by the OBO services within the network rails.

Slam-dunk? Market sewn up? Maybe not. HCE, in its new guise of Cloud Based Payments (CBP), is still out there and issuers are beginning to recognize the appeal of a mobile payment model that does not restrict choice and require dependency on a cabal of service providers (see Lock-in above) as a condition of access.
CBP can be operated by an issuer or processor independently of the card networks' OBO services and even their network rails, as tokenization and provisioning, and transaction processing and authentication can all be performed in-house. The benefits are clear:

- Cost: the networks have announced that tokenization services are free (so far so good), but as with OBO services, there is a fee for authenticating each transaction and, where card numbers are tokenized, for de-tokenizing transactions to enable processing in the issuer's authorization system (and free today does not mean free tomorrow); with CBP the costs are predictable and under the issuer's control;
- Differentiation: the debate over digital wallets, who owns them and what can be stored in them has largely died down, and the X-Pays have closed down further debate by providing no choice: Apple Pay works exclusively in Apple Wallet, Android Pay works in Google Wallet etc.; with CBP a mobile payment SDK can be integrated with an app of the issuer's choosing, allowing a mobile banking app, for example, to be enabled for mobile payment, driving customer usage and stickiness in the issuer-customer relationship;
- Control: risk management based on CBP usage is implemented in-house and can be tailored to the issuer's own fraud and risk policies, which can control how the payment app is managed, potentially integrating novel features such as customer messaging that are not supported in the X-Pay models;
- Security: all key management and cryptographic processing is performed in-house; no keys or other security assets need be shared with third parties;
- Network independence: with no OBO processes being performed within any networks, transactions for international and domestic card brands can be routed over networks of acquirers' and issuers' choosing, resulting in lower network costs.
In-House EMV Delivers Card and Mobile Benefits

Offering mobile payment services to customers should not need a fundamental change in issuing and authorization processes. Whether a card is physical or digital, tokenized or not, can all be driven from the same platform. If, as an issuer, your issuing and processing services are outsourced to a service provider and/or delegated to one or more card networks, the combined benefits of in-house card and mobile operation will provide a rapid return on investment.

Proxama's Digital Enablement Platform is a self-contained solution for EMV card and CBP mobile payments that can be delivered as components or as a software appliance, and is easily integrated into an existing back office infrastructure. Proxama DEP is based on our core EMV processing components as deployed by Fiserv and Navy Federal CU for their EMV card operations, and adds an EMVCo-compliant Token Server, HCE-specific credential management and a certified HCE mobile payment SDK to provide an end-to-end solution.

There's more; industry and regulator pressure will mean that over time, the X-Pays will open their channels to third-party and individual issuer tokenization and provisioning services. Proxama DEP has been architected to provide access to these channels when they become available, delivering to issuers and processors the ability to manage physical cards, cloud based payments and X-Pay models from a single platform, with on-going compliance and compatibility guaranteed by Proxama.

We have demonstrated for many customers that there is a positive business case for in-sourcing EMV card issuing and processing and we have case studies that back this up. Contact us today to find out how your business will benefit from taking control of your card and digital destiny.
Proxama is a global payments and proximity marketing software business based in London, with offices in New York and representation around the world. Our legacy reaches back to the origins of EMV in Europe and we have been helping card issuing businesses migrate to EMV for more than ten years. We have customers in the US, Europe, Africa, Middle East and Asia and our solutions are responsible for the issuance and management of hundreds of millions of EMV cards. Our EMV heritage now positions us to be a leader in NFC mobile payments with solutions based on our proven industrial-strength software components for physical and digital card issuing, tokenization, credential management and transaction processing.

About the Author

Nigel Beatty has over 30 years' experience in the card payments business and is a recognized expert and thought-leader on smart card and EMV implementation. In addition to serving with a number of blue-chip card issuers, Nigel held the post of Technical Manager of Switch, the UK's national debit card scheme, and was responsible for its migration to EMV. Nigel was also Programme Manager for the introduction of EMV cards into Hong Kong. Nigel was with Aconite for over 10 years prior to its recent acquisition by Proxama, and is now responsible for global business development, with particular focus on the United States.

www.proxama.com
hellopayments@proxama.com
US +1 646 931 0870
UK +44 (0)203 688 2888