EMV 101: Everything you need to know about EMV




E-BOOK: Everything you need to know about EMV
Diamond Business Services, Inc. Attn: Charlia Pence, 723 SW. 7th Ave., Amarillo, TX 79 806-373-4148, 800-749-9025, Charlia@diamondbusiness.net, www.diamondbusiness.net, www.emvsherpa.com

HOW TO USE THIS E-BOOK

Introduction

This e-book breaks EMV down into six questions: who, what, where, when, why, and how. These topics can help you figure out what is going on, who it will affect, when to expect changes, why this is all necessary, and how to get started. The introductory chapter, EMV: The Five Ws, goes through each W question in a brief overview, and each subsequent chapter goes in-depth on one question. Whether your questions are general or specific, macro or micro, EMV 101 can get you answers. The Glossary of Terms provides a quick reference for navigating the many technical terms and abbreviations that come up when discussing EMV.

WHAT: Lessons Learned provides a comprehensive look at economies around the world where EMV migrations are currently underway or are complete. Experiences from other countries can provide valuable insights for everyone involved in the US migration. The Migration Timeline traces the history of EMV standards and outlines when migration steps will take effect in the US. Behind the Transaction provides a more in-depth look at why adding layers of security to our current payment ecosystem can benefit everyone within it. Key Players takes a closer look at everyone who is involved in the US migration, and how each group can best prepare for the shift. The Checklist provides a step-by-step analysis to help you evaluate your current infrastructure and prepare for migration.

EMV: THE FIVE Ws

This intro chapter is a brief introduction to all things EMV, and answers the five classic questions: Who? What? Where? When? & Why?

Where is the US payment card industry now?

Today, payment and identification cards of all types (credit cards, gift cards, loyalty cards, membership cards, etc.) are encoded with the cardholder's information on the back of the card using a strip of magnetic tape, also known as the magnetic stripe. When a consumer swipes a standard magnetic stripe card at a retailer's point of sale (POS) terminal, or inserts it into an ATM, the data on the magnetic stripe is captured for transmission to an authorization system. Fraudsters have been able to put skimmers at these locations to capture the data from the magnetic stripe, and in more sophisticated attacks, install malware on computers connected to the POS terminal to capture the data. Because the stripe holds static data, anything captured once can be written onto a blank card and used again. The prevalence of magnetic stripe cards in the US makes card skimming and card copying easy and lucrative. In 2012, the US accounted for 47% of global credit card fraud while being responsible for only 23% of total global credit card use (Nilson Report, 2014).

Chip cards are different from traditional magnetic stripe cards in the way they communicate with card reader devices. Rather than the classic swipe-to-scan method, chip cards have an embedded integrated circuit chip which connects to the POS terminal's chip card reader. This chip is a microprocessor, essentially a very small computer, with the capability to cryptographically sign transaction data dynamically for each purchase, producing a one-time cryptogram rather than handing over the same static data every time. Because the card has a microprocessor embedded, it can make some payment-related decisions without needing to connect to the network. That is why this type of card is often referred to as a smart card. With over 1 billion cards in use, EMV is already a burgeoning global reality.

Contact Chip: Card & Reader

Contact chip cards can be distinguished by their square metallic contact pads. These cards are inserted into a POS terminal which has an integrated chip card reader, much like a microSD card or flash drive is inserted into a computer. The card stays inserted in the POS terminal until the transaction is complete. Chip cards are only activated when connected to a reader, which provides the power source for communication. Chip cards do not have batteries and do not need to be charged.

Contactless Chip: Card & Reader

Contactless chip cards also do not require an internal power source. Embedded in the plastic of a contactless card is an antenna. Using radio waves, the card communicates with a reader that emits a specific radio frequency, and that field is harnessed to power the chip. Contactless cards are especially convenient as payment cards because the cardholder need only tap or wave the card near a reader for a moment to complete the communication. Recent pilots and rollouts indicate contactless chip cards will be widely used for transit payments. Hybrid or dual-interface cards include both a contact pad and an internal antenna; they can be tapped, waved or inserted into many different chip card readers.

What is EMV?

EMV is an acronym for the founding companies who came together to build a common specification: Europay (since acquired by MasterCard), MasterCard and Visa. These companies formed EMVCo in order to administer international standards that champion global interoperability for chip-based payment cards. This includes, but is not limited to, card and terminal evaluation, security evaluation and management of interoperability issues. Today, there are EMV specifications covering contact chip, contactless chip, the common payment application (CPA), card personalization and tokenization. These specifications and requirements were developed with a mission to increase payment security and efficiency, and to ensure global interoperability across payment ecosystems. A globally accepted EMV card with an associated PIN lets a cardholder take out cash from an ATM in Hong Kong, buy lunch at a deli in New York, or buy a train ticket from a Deutsche Bahn kiosk in Munich, all with the same card. EMV specifications regarding chip size, card size, electrical characteristics and security features all help make this possible.

Chip cards are already widely used in Europe, Asia and other regions. The transition of the US payment card market from magnetic stripe cards to chip cards is referred to as the US EMV migration. EMVCo is the association that manages, maintains and enhances EMV chip card specifications. EMVCo has expanded its sponsoring organizations and is now comprised of six backing members, American Express, Discover, JCB, MasterCard, UnionPay and Visa, and is supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

Who will be affected by EMV migration?

Cardholders will have to adapt to new ways of interacting with ATMs and POS terminals. Consumers using contact chip cards will have to leave their card inserted for the duration of the transaction, and those using contactless cards will have to tap or wave their card over the designated area. Also, depending on how the chip card is configured and the capabilities of the POS terminal, cardholders may have to verify that they are the actual cardholder by entering a PIN instead of signing.

Card issuers will see their operating costs go up, as the new cards are more expensive to produce and replace. They will also have to work with acquirers to update their payment processing and authentication infrastructures.

Merchants will have to upgrade and certify their POS terminals so that they can communicate with chip cards.

As mobile payments rise in popularity, more and more apps will enable mobile phones to communicate with POS terminals. Today, there are already many apps and mobile phones which can do so.

When is EMV migration happening?

Key dates:
April 2014: Acquirer compliance, accept chip-based payments
October 2015: Merchant fraud liability shift
October 2017: Automated fuel dispenser liability shift

Now, slowly but surely, major card providers in the US are beginning to offer chip-based payment cards. Some cards require PIN entry for cardholder verification, and others require a signature. The US is the last major economy in the world to implement chip-based payment technology, and in an effort to encourage deployment, the US card brands have instituted a fraud liability shift beginning in October 2015. This means that after October 2015, liability for counterfeit card-present fraud falls on whichever party has not invested in chip technology: a merchant whose terminal cannot process a chip card, or an issuer that has not issued one. Parties that have made the investment are protected from those losses. In 2016 this extends to ATMs for MasterCard-branded cards, and in 2017 to automated fuel dispensers and to ATM transactions with Visa-branded cards. The liability shift is NOT a mandate.

Merchant migration requires upgrading and certifying point of sale devices, and training cashiers to use the new payment method.

Card issuer migration requires providing cardholders with chip cards and educating the issuer's employees and their customers about the chip cards, what they are capable of, and how to use them.

Cardholder migration requires consumers to apply for chip cards, or to request chip cards from their current card provider. Over time, cardholders will receive chip cards as part of new card issuance or through the normal renewal process. Cardholders will also have to adjust to new methods of using their card with card readers.

Why migrate now?

EMV provides better protection for cardholders. Card fraud is a huge problem in the US, largely due to the prevalence of magnetic stripe swipe cards, which are easy to counterfeit. EMV cards remove most of the payoff from card skimming, where a magnetic stripe is read without the cardholder's consent for fraudulent use: data read from a chip cannot be used to produce a working counterfeit chip card, because the per-transaction cryptogram depends on a key that never leaves the chip. Opportunities for card transplant fraud, where stolen card information from EMV markets is printed onto a magnetic stripe card and used in non-EMV markets, will be greatly reduced as more markets embrace EMV technology. In the event that data is stolen from an EMV card, or during a transaction initiated from an EMV card, the value of that data for counterfeiting purposes is greatly limited. Mobile payments are also on the rise, and the current transition to chip cards will make the next transition to mobile payments safer and easier.

Today, fraud risk is making headlines like never before. Recent notable retailer data breaches have affected millions of American consumers, and have brought card security issues to the forefront of public debate. Thieves have successfully stolen customer card information by observing and taking advantage of how data is stored and moved between different areas of the payment environment. Valuable cardholder information can be compromised not because of one weak link in the transaction cycle, but because of joint weaknesses in the current payment system as a whole. EMV chip card ubiquity in the US will dramatically decrease the options fraudsters have for using stolen account data, and it will enable cardholders to embrace new ways of making payments. Updating the US payment system infrastructure to support EMV will take time, investment and careful planning. It will require merchants, issuers, acquirers and processors to evaluate and update their current security precautions.
EMV migration will not correct every weakness within the US payment system (a stolen card number is still usable for card-not-present purchases, and a chip card's magnetic stripe can still be skimmed), but it is the first clear step in a long process of ushering the payment business into the digital age.
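Added example (not from the e-book): a small Python model of why the dynamic cryptogram described above leaves a skimmer with little to counterfeit, compared with a copied magnetic stripe. The HMAC-SHA256 construction, the class and function names, the master-key derivation and the sample PAN are all assumptions made for illustration; real EMV cards compute the Application Cryptogram with card-unique keys and the MAC the EMV specifications define. The property shown is the one the text relies on: each transaction's cryptogram is unique, bound to a counter, and cannot be forged or replayed without the card's key.

```python
import hashlib
import hmac
import os

# ASSUMPTION: HMAC-SHA256 truncated to 8 bytes stands in for the EMV Application
# Cryptogram. Real cards use a card-unique key and the MAC construction the EMV
# specifications define; only the security property is modelled here.


def compute_cryptogram(card_key: bytes, pan: str, atc: int,
                       amount_cents: int, unpredictable_number: bytes) -> bytes:
    """Bind card identity, transaction counter, amount and the terminal's
    unpredictable number into one per-transaction value."""
    msg = (pan.encode() + atc.to_bytes(2, "big")
           + amount_cents.to_bytes(6, "big") + unpredictable_number)
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Card-side state: a key that never leaves the chip and an Application
    Transaction Counter (ATC) that increments on every transaction."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_ac(self, amount_cents: int, unpredictable_number: bytes):
        self.atc += 1
        return self.atc, compute_cryptogram(self._key, self.pan, self.atc,
                                            amount_cents, unpredictable_number)


class IssuerHost:
    """Issuer side: re-derives the card key from a master key and tracks the
    highest ATC seen per card, so a captured cryptogram cannot be replayed."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._last_atc = {}

    def _card_key(self, pan: str) -> bytes:
        return hmac.new(self._master_key, pan.encode(), hashlib.sha256).digest()

    def issue_card(self, pan: str) -> ChipCard:
        self._last_atc[pan] = 0
        return ChipCard(pan, self._card_key(pan))

    def authorize_chip(self, pan, atc, amount_cents, unpredictable_number, cryptogram):
        if pan not in self._last_atc:
            return "DECLINED: unknown card"
        if atc <= self._last_atc[pan]:
            return "DECLINED: ATC replay"
        expected = compute_cryptogram(self._card_key(pan), pan, atc,
                                      amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINED: cryptogram mismatch"
        self._last_atc[pan] = atc
        return "APPROVED"

    def authorize_magstripe(self, pan: str, expiry: str, track_data: str) -> str:
        # Stripe data is static: a copy of the track is indistinguishable from the card.
        return "APPROVED" if track_data == f"{pan}={expiry}" else "DECLINED"


def chip_purchase(card: ChipCard, host: IssuerHost, amount_cents: int,
                  unpredictable_number: bytes = b""):
    """Terminal flow: pick an unpredictable number, ask the card for ATC and
    cryptogram, send everything to the issuer. Returns (result, message)."""
    un = unpredictable_number or os.urandom(4)
    atc, ac = card.generate_ac(amount_cents, un)
    message = (card.pan, atc, amount_cents, un, ac)
    return host.authorize_chip(*message), message


def demo():
    host = IssuerHost(master_key=b"constructed demo master key")  # constructed, not a real key
    card = host.issue_card("4111111111111111")                    # constructed test PAN

    genuine, captured = chip_purchase(card, host, 1999)   # legitimate purchase
    replay = host.authorize_chip(*captured)               # skimmer replays what it captured
    pan, atc, amount, _, _ = captured
    forged = host.authorize_chip(pan, atc + 1, amount,    # counterfeiter has no card key
                                 os.urandom(4), os.urandom(8))
    stripe_clone = host.authorize_magstripe(pan, "2512", f"{pan}=2512")  # copied track works
    return genuine, replay, forged, stripe_clone


if __name__ == "__main__":
    print(demo())
```

Run with python3: the genuine purchase is approved, the verbatim replay is declined on the counter, the forged cryptogram is declined on the MAC check, and the cloned stripe is approved. That last result is the gap the text points to when it says EMV migration will not correct every weakness: as long as the stripe is accepted, the static data on it is still worth skimming.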

EMV: MIGRATION TIMELINE

This chapter provides some historical background on EMV payment standards, and outlines major dates and deadlines to come.

EMV: MIGRATION TIMELINE

1995: Europay, MasterCard and Visa issue the first EMV specification.
1999: Europay, MasterCard and Visa form EMVCo.
2001-05: In an effort to improve security, a large retailer partners with Visa to push for more smart chip cards to be used in the US. Efforts halt due to cost-management setbacks.
2002: Europay is acquired by MasterCard.
2004: JCB (Japan Credit Bureau) joins EMVCo.
2005: The EU mandates a fraud liability shift, placing pressure on card issuers and merchants to migrate to EMV.
2008: A Fortune 1000 financial processor's card data breach affects 134 million accounts.
2009: American Express joins EMVCo.
2010: Global circulation of EMV cards hits 1 billion. UK credit card fraud rates are at their lowest since 1999.
2011: MasterCard and Visa mandate a fraud liability shift in Canada. EMVCo publishes specifications version 4.3. MasterCard, Visa and Discover announce roadmaps to bring EMV to the US.
2012: The US accounts for 23% of global credit card transactions and 47% of global credit fraud. Analysts blame the shift in fraud towards the US on the comparative lack of security in magnetic stripe cards and terminals versus EMV cards and terminals.
2013: Discover and China UnionPay join EMVCo. US acquirer processors and sub-processor service providers are required to support, accept and process smart chip transactions. Visa, MasterCard and Discover introduce merchant/acquirer regulations.
2014: A large retail customer data breach affects over 100 million cards; attention on US EMV migration heightens in the aftermath. All regional debit networks are to enter into agreements with MasterCard and Visa to integrate data routing.
2014-2015: Regional debit networks conduct testing and certification.
2015: The US implements a fraud liability shift so that the party that has made an investment in EMV deployment is protected from financial liability for fraud losses.
2016: MasterCard liability shift for ATMs.
2017: The US fraud liability shift extends to fuel dispenser machines. Visa liability shift for ATMs.
2019: Projected EMV ubiquity in the US.

[Figure: Fraud loss rate on UK-issued payment cards, 2000-2010, loss per 100 spent (y-axis 0.00 to 0.14), with chip-and-PIN deployment marked.]

EMV: LESSONS LEARNED FROM GLOBAL MIGRATION

This chapter provides a more in-depth look at economies around the world where EMV migrations are currently underway or are complete. Experiences from other countries can provide valuable insights for everyone involved in the US migration.

LESSONS LEARNED FROM GLOBAL MIGRATION

National Migration, Global Results

Today, EMV card technology has largely replaced the magnetic stripe as the primary card-present interface in virtually all developed countries except the US. Most large economies are either fully migrated to EMV standards, or are somewhere along a migration path. Throughout every major country's migration, each domestic policy change affected fraud landscapes both at home and throughout the world. As the US payment ecosystem gears up for a smart card migration, it is valuable to look back at how other large economies made the shift, and to compare how different migration patterns and policies have affected fraud rates around the world.

Fraud

When measuring fraud-prevention methods, especially EMV standards, it is important to consider the effects policies have had on different types of fraud, and to understand the different ways card fraud is measured. This chapter will discuss global trends following EMV migrations for several different types of card fraud, and different methods for measuring it:

FRAUD RATES are measured in incidents. Either one fraudulent transaction, or one cardholder affected by a fraudulent transaction, equals one incident. Fraud rate is a relatively imprecise and sometimes misleading way of measuring fraud, but it is the method favored by journalists and surveyors for its consumer-focused mass appeal.

FRAUD LOSSES are measured in currency. This statistic totals all the money lost by cardholders, issuers, acquirers and merchants due to fraudulent transactions over a period of time.

FACE-TO-FACE FRAUD or CARD-PRESENT FRAUD consists of a fraudster finding a card, stealing a card, or counterfeiting a card and physically using it at a store.

CARD-NOT-PRESENT (CNP) FRAUD consists of a fraudster obtaining cardholder information and using it to perform fraudulent transactions without a physical card. Often, CNP fraud is performed online.

CROSS-BORDER FRAUD is where a card issued in one country is fraudulently used in another country.

Cartes à Puce in France

France was the first large economy to embrace smart card technology. In the mid-1980s, the fraud rate in France was extremely high, and in response, French banks began issuing chip-embedded cards in 1986. France's major national card program is Carte Bleue, which is run by the six major French banks in association with Visa. Beginning in 1992, Carte Bleue issued only smart chip cards (cartes à puce). In the early 90s, France was the only country widely using smart cards, and the immediate result was a drastic drop in overall fraud. When the UK began to embrace EMV standards, France followed suit with a national rollout of chip-and-PIN in 2003.

Results: Migration to smart cards caused an immediate decrease in card-present fraud losses in France. However, total fraud losses have increased every year since the national shift to EMV standards took place. Card-present losses stayed low, but card-not-present fraud losses increased in France and have continued to do so, with a significant spike in losses caused by non-domestic fraudsters.

[Figure: Credit card fraud in France, 2003-2011. Fraud losses in millions EUR (0 to 250), by category: card-not-present fraud (CNP), card-present fraud, other (fraud application, ID theft, etc.). Note: cards issued in France only. Smart card solution launched in 1992.]

Chip and PIN in the United Kingdom

Not far behind France, the UK was one of the first large economies to embrace EMV technology. The banking industries in the UK and Ireland branded their migration efforts as Chip and PIN: chip referring to the computer chip embedded in the new cards, and PIN referring to the personal identification number required to authenticate cardholders before each transaction (requiring PIN verification for a smart card purchase is an optional security feature, which the UK largely favored). After several successful trial programs launched in the mid-90s, APACS (the Association for Payment Clearing Services), a group of financial institutions and payment companies, introduced a national campaign in 2002, which gained serious traction in 2004. A liability shift was put in place on January 1st, 2005, and by the end of August 2006 the UK had reached a near-complete migration (99.8% of chip transactions were PIN-verified).

Results: Overall, fraud losses in the UK have seen a significant decline. Card-present fraud loss has decreased dramatically and stayed low; however, card-not-present (CNP) fraud loss has increased steadily since the rollout. A large portion of UK CNP fraud is cross-border fraud, where UK-issued cards are used in payment networks that do not require PIN verification.

[Figure: Credit card fraud rates in the UK, 2001-2012, share of fraud (0% to 70%) by category: card-not-present, counterfeit card-present, lost/stolen card-present; EMV liability shift marked.]

EMV in Australia

Australia's shift resembles the US migration in its gradual and reluctant approach. Both countries have seen massive spikes in fraud from abroad, due to the stricter policies adopted throughout Europe, and both economies have a complex payment ecosystem based on magnetic stripe cards. Major financial institutions in both Australia and the US act without much influence from a common governing body. Australian EMV migration began slowly in 2007, and in 2009 a major industry deadline to implement PIN-only transactions was missed due to fears over consumer preparedness. Alongside the US, Australia has lately suffered a disproportionate share of global fraud. Liability shifts were set for 2012 and 2013, and signature verification is currently being phased out, with good results so far.

Results: One result of the gradual migration approach in Australia is that positive results have been modest in some categories and non-existent in others. Card-present fraud is slightly down (about a 15% decrease from 2008-2010), but CNP fraud has surged (a 70% increase during the same period).

[Figure: Credit card fraud in Australia, 2006-2012. Fraud losses in millions AUD (0 to 350), card-not-present (CNP) vs. card-present; the point at which EMV issuance ramped up is marked.]

Chip Cards in Canada

Interac, the national PIN-debit network in Canada, allowed major banks and transaction processors to work together throughout the migration process, which began in 2007 with a pilot program launched in Ontario. This pilot program offered important insights, and is lauded as one reason why Canada's migration went faster and smoother compared to other countries. The trial run alerted the national migration effort to the lag in consumer readiness for contact cards, which was remedied by embracing NFC-powered contactless and mobile payments.

Results: Canada has seen triumphant results in reducing card-present fraud losses, especially those produced by card skimming and cloning. In March 2013, fraud loss from skimming was at its lowest since 2003. Like other migrated nations, however, Canada has also seen a spike in CNP fraud.

[Figure: Credit card fraud in Canada, 2008-2010. Fraud losses in millions CAD (0 to 250), card-not-present vs. card-present. Callouts: fraud losses from counterfeit and lost or stolen credit cards are down 30% since the national rollout of chip-and-PIN in 2008; since the national rollout of chip-and-PIN in late 2008, card-not-present fraud on Canadian-issued credit cards is up 37%.]

Lessons Learned

France's experience displays an exaggerated form of the trend seen in most countries after EMV migration: a dramatic decrease in card-present fraud, followed by a significant move from card-present to card-not-present fraud, alongside a shift from domestic to cross-border fraud. The French migration shows that EMV standards are very effective at eliminating certain types of fraud, but are not a solution that eliminates fraud completely. France's migration story also highlights the importance of ubiquity for maximum security and interoperability. If all economies had migrated when France did, the opportunity for cross-border fraud would not have existed.

In the UK, PIN cardholder verification was an excellent policy for reducing card-present transaction fraud, but fraudsters will look elsewhere for vulnerabilities, and a spike in card-not-present fraud will likely follow any switch to safer cardholder verification measures.

Australia's migration shows that the longer you wait around, stall or disregard industry deadlines, the larger the target on your back grows for fraudsters around the globe. As other economies push for modernized cardholder verification methods, outdated methods become weaker and weaker in comparison.

Canada can teach the US that gathering as many migration insights as possible, whether from a domestic pilot program or from a deep analysis of other countries' migration attempts, is an absolute must. Consumer and merchant education is of great importance for a smooth migration. If brands come together and agree on common timelines, merchants will be more likely to embrace EMV earlier. Working together can greatly reduce unexpected migration setbacks.

Sources:
http://blog.unibulmerchantservices.com/adoption-of-chip-based-credit-cards-pushes-up-ecommerce-fraud/
http://digitaltransactions.net/news/story/canada-Puts-Down-Chip-Card-Roots
http://news.alaric.com/industry-news/payments/closing-the-emv-gap-in-australia/
http://en.wikipedia.org/wiki/chip_and_pin
Douglas King, Chip-and-PIN: Success and Challenges in Reducing Fraud. Retail Payments Risk Forum Working Paper, Federal Reserve Bank of Atlanta, January 2012.
EMV Adoption and Its Impact on Fraud Management Worldwide: A whitepaper prepared exclusively for FICO. Mercator Advisory Group, January 2014.

EMV: ADOPTION RATES BY REGION

Generally, a migration to EMV standards results in a large reduction in card-present fraud. Chip-enabled cards are very difficult to physically reproduce or misuse, so stolen and counterfeit cards become significantly less valuable to fraudsters in EMV-dominant payment ecosystems. This trend causes physical card fraud to move to countries where EMV is less dominant.

UK: National migration began in 2004. Between 2004 and 2010, card-present fraud fell 69%.
FRANCE: National migration began in 2004. Between 2004 and 2010, card-present fraud fell 50%.
CANADA: National migration began in 2008. Between 2008 and 2010, fraud losses from lost/stolen cards fell over 30%.
AUSTRALIA: National migration began in 2008. Between 2008 and 2010, card-present fraud fell 15%.
US: From 2004-2010, the fraud rate increased by over 70%. Between 2007 and 2010, the portion of fraud due to card-present fraud increased by 20%.

One of the biggest advantages of EMV is the convenience of global interoperability for card users. For a cardholder abroad, performing a transaction with a non-EMV payment card in a region where EMV is dominant is more difficult, slower to process, and sometimes not an option at all.

[Figure: EMV-enabled cards and terminals by region. Recoverable values: Canada, Latin America & the Caribbean 41.1% cards; Europe Zone 1 94.4% cards; Europe Zone 2 68.1% cards. Two further card figures (75.9%, 51.4%) and five terminal figures (76.7%, 84.4%, 20.6%, 14.5%, 28.2%) appear without region labels in the extraction.]

EMV: THE KEY PLAYERS

This chapter takes a look at how EMV migration will affect each party within the current US payment ecosystem.

WHAT: KEY PLAYERS

Key Player: The Industry Payment Network

The major US payment networks (Visa, MasterCard, American Express and Discover) are the main drivers of the EMV migration. Europay (since acquired by MasterCard), MasterCard and Visa jointly conceived the EMV specification, and have played major roles in migrations all over the world. The payment networks partner with many players throughout the US payment ecosystem, and therefore are the ultimate champions of interoperability and cooperation. Their wide influence makes them the go-to leaders in this large national migration push.

Key Player: The Cardholder

Cardholders will begin to receive new chip cards in the mail as replacements for their current magnetic stripe cards. It will be critical for issuers to educate their cardholders on how to use the new cards at point-of-sale (POS) terminals. Other national migrations (those in Canada and Australia, for example) have experienced setbacks and even missed big industry deadlines due to concerns about cardholder readiness.

After the adoption of EMV, the way consumers physically use payment cards will be different. Not all smart cards are the same, but they can be easily categorized into three main groups: contact cards, contactless cards and dual-interface cards.

With contact chip cards, the chip is embedded in the card body under a contact plate that is physically visible. Instead of swiping, contact chip cards are inserted into the POS terminal for the duration of the transaction. The cardholder will typically be required to verify their identity in one of two ways: by entering a PIN, which must be memorized, or by providing a signature.

With contactless chip cards, the chip is embedded in the card body and is not physically visible. Contactless chip cards are tapped or waved over or near a receptor area marked on the POS terminal to complete the transaction, which only takes a moment. Cardholders might be required to verify their identity by signature for contactless chip transactions; often no verification will be required at all.

Dual-interface cards include both contact and contactless technologies and can therefore be used to complete transactions either by inserting the card or by waving it over the POS terminal.

Not all card programs will require that their cardholders use a PIN to verify their identity, but in terms of overall security, PIN verification is the best practice.

As the US begins its shift to EMV, all of the smart chip cards issued will also have a magnetic stripe on the back. This way, should a cardholder encounter a POS terminal that the merchant has not yet upgraded to support EMV, the cardholder can simply swipe the card the way we do today. The trade-off is that the stripe on a chip card can still be skimmed and cloned, and a clone can be swiped wherever magnetic stripe fallback is still accepted. One of the primary goals of the switch to EMV standards is interoperability. We want to enable all payment cards to safely work with all POS terminals across the globe.

Key Player: The Card Issuer

Financial card issuers are vital to a smooth migration. Throughout the entire migration process, educating cardholders and merchant clients about the EMV system and its standards will fall largely on issuers' shoulders. Becoming well versed in EMV specifications and migration education strategies is to every issuer's advantage. EMV will not only change the way we physically use cards; it will change the way card programs run behind the scenes as well. Each step in the payment process, from a card starting out as a plain piece of plastic to being a list of successful transactions on a statement, will include new security features and processes. For each of those steps, issuers will need to evaluate their current technologies and infrastructures, and invest in the necessary upgrades, including hardware and software, to manage chip card personalization, issuance, delivery and operational processes.

Key Player: The Merchant
To most merchants, the switch to EMV seems like a costly technology upgrade that their businesses will not directly benefit from. POS terminals will need to be upgraded to meet EMV specifications, and back-end systems must be updated and certified to be able to accept payments from the new cards. Employees will also need to be trained to use the new technology. These integral steps come at no small cost, and generally, merchants are the least eager key players to migrate. Financial pressures such as card brand-enforced fraud liability shifts aim to get merchants more on board. EMV upgrades will directly benefit their customers, which makes them a good investment; EMV can also introduce many new (and potentially lucrative) payment, loyalty, marketing and mobile commerce opportunities into the shopping landscape, possibilities that merchants should assess and leverage early on to stay competitive in the transforming payment market.

Key Players: The Card Manufacturer and the Software Developer
It's up to software developers and card manufacturers to make EMV cards as efficiently and cost-effectively as possible. Applications for the card chips, POS terminals, processors, ATMs and mobile devices will have to be written and maintained to ensure secure, reliable interoperability across channels to meet EMV standards.

Key Players: The Acquirer and Payment Processor
The US migration to EMV means that the entire industry is taking some time to evaluate current payment processing and authentication infrastructures, in order to make plans and upgrades for meeting EMV specifications. Because the market is on the cusp of a major transition, industry leaders like Visa and MasterCard are spearheading efforts that can make the payment ecosystem even more secure, on top of the security benefits that will come with EMV implementation. One example of this is the possible implementation of tokenization technologies alongside EMV upgrades. Tokenization is a practice that removes important cardholder data (i.e. the PAN) from the servers of retailers, while still allowing them to access it if required (for a return, or a subscription). Tokenization removes the incentive for hackers to steal card information by the thousands from retailers, because the tokenized data which the hacker might capture would be meaningless to them. To learn more about it, read our next chapter.

BEHIND THE TRANSACTION

This chapter traces the path that payment data will take under the new EMV standards.

The adoption of EMV payment systems has proven to be a worthy card fraud deterrent for card-present transactions in every region where it has been embraced. In 2004, the UK launched a vigorous, nationwide Chip and PIN card program, and 2010 marked a ten-year low in UK payment card fraud losses. In recognition of positive fraud-reduction rates elsewhere, the major card brands have declared EMV as one way to move forward and secure the US payment infrastructure. The US is the largest payment market where EMV has not been adopted, making it a target for card fraud opportunities that are not viable elsewhere.

[Figure: Fraud loss rate for UK-issued payment cards, loss per 100, 2000 to 2010, with the Chip and PIN deployment marked.]

Anatomy of an EMV Chip Card Payment Transaction
There are three distinctive aspects of an EMV transaction which, if implemented, help secure different aspects of that transaction: card authentication, cardholder verification and transaction authorization. EMV payment processes can happen online (processes are performed by computers elsewhere on the payment network) and/or offline (processes are performed between the point of sale (POS) terminal and the card's chip).

Card authentication ensures that a payment card is not counterfeit. There are two ways a chip card can be verified for authenticity: online or offline. Online card authentication transactions carry dynamic data that is sent to the card issuer's authorization system, which checks the authenticity of the card. Offline card authentication uses chip-stored risk assessment logic to determine if a card is authentic.

Cardholder verification ensures that the card user is the legitimate cardholder. Cardholder verification requests that the card user provide either a signature or a valid PIN (Personal Identification Number); in some cases (e.g. contactless transactions) no verification is required. Like card authentication techniques, PINs can be stored for verification either online in an issuer authentication server, or offline on the chip.

Transaction amount authorization ensures that a purchase does not exceed the cardholder's issued credit limit and is within other specified limits (e.g. domestic or international purchases). As with card authentication and cardholder verification, this authorization can also be processed online or offline. Offline risk assessment logic offers chip cards unique protections against fraud and credit overruns.

[Figure: ARQC/ARPC exchange between the payment terminal, the payment brand and the issuer, numbered 1 to 5 as in the steps below.]

1. Based on issuer qualifications, risk assessment is performed by both the POS terminal and the chip on the card. A dynamic ARQC (Authorization Request Cryptogram) is written.
2. The ARQC is sent via the acquirer to the payment brand.
3. The payment brand then sends the ARQC to the issuer.
4. The issuer makes an authorization decision to validate the request, and responds with an ARPC (Authorization Response Cryptogram), which goes through the same channels back to the point of sale device.
5. If the chip's request is validated, the POS terminal will request verification from the cardholder in the form of a signature, entry of a PIN, or in some cases no verification.

Within the current US payment system, merchants are the primary targets for fraudsters, who covet the large amounts of cardholder data used, moved and stored through merchant POS devices, networks and central servers. A truly formidable payment security standard will protect sensitive cardholder data in each of its three states: data at rest, data in use and data in motion.
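The five-step flow above, as an added example that is not part of the original guide: card and terminal risk flags are matched against the issuer's action codes to pick AAC, ARQC or TC; the ARQC is a keyed MAC that only a party holding the card's key can recompute; the ARPC is the issuer's MAC over the ARQC and its response code, which the card checks before completing. HMAC-SHA256 stands in for the DES-based MAC, and the keys, flag values and credit limit are constructed.

```python
"""Constructed walk-through of an EMV online authorization (steps 1 to 5).
Not code from the original guide: keys, limits and flag values are made up,
and an 8-byte HMAC-SHA256 stands in for the DES-based cryptogram MAC."""
import hashlib
import hmac
from dataclasses import dataclass

# Risk flags set by card/terminal risk assessment (constructed bit values;
# real EMV records these in the Terminal Verification Results).
OFFLINE_DATA_AUTH_FAILED = 0x01
PIN_TRY_LIMIT_EXCEEDED = 0x02
FLOOR_LIMIT_EXCEEDED = 0x04
NEW_CARD = 0x08


@dataclass
class IssuerActionCodes:
    denial: int   # any of these flags set: decline offline (AAC)
    online: int   # any of these flags set: go online (ARQC)


def mac(key: bytes, data: bytes) -> bytes:
    """8-byte cryptogram; stand-in for the 3DES MAC real cards compute."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key from the card master key and transaction counter."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def tx_data(amount_cents: int, atc: int, unpredictable: bytes) -> bytes:
    """Data both card and issuer MAC: amount, counter, terminal's random nonce."""
    return amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big") + unpredictable


@dataclass
class Card:
    master_key: bytes
    iac: IssuerActionCodes
    atc: int = 0  # Application Transaction Counter, kept in EEPROM

    def generate_ac(self, risk_flags: int, amount_cents: int, unpredictable: bytes):
        """Step 1: apply the issuer's IACs and return (type, cryptogram)."""
        self.atc += 1
        if risk_flags & self.iac.denial:
            kind = "AAC"
        elif risk_flags & self.iac.online:
            kind = "ARQC"
        else:
            kind = "TC"
        sk = session_key(self.master_key, self.atc)
        return kind, mac(sk, tx_data(amount_cents, self.atc, unpredictable))

    def verify_arpc(self, arqc: bytes, response_code: bytes, arpc: bytes) -> bool:
        """Step 5: confirm the response really came from the issuer."""
        expected = mac(session_key(self.master_key, self.atc), arqc + response_code)
        return hmac.compare_digest(expected, arpc)


class Issuer:
    def __init__(self, master_key: bytes, credit_limit_cents: int):
        self.master_key = master_key
        self.credit_limit_cents = credit_limit_cents

    def authorize(self, arqc: bytes, amount_cents: int, atc: int, unpredictable: bytes):
        """Step 4: recompute the ARQC, decide, and answer with an ARPC."""
        sk = session_key(self.master_key, atc)
        if not hmac.compare_digest(mac(sk, tx_data(amount_cents, atc, unpredictable)), arqc):
            return b"05", None  # mismatch: card key unknown or data altered in transit
        code = b"00" if amount_cents <= self.credit_limit_cents else b"51"
        return code, mac(sk, arqc + code)


def run_transaction(card: Card, issuer: Issuer, amount_cents: int, risk_flags: int,
                    unpredictable: bytes = b"\x12\x34\x56\x78") -> str:
    """Steps 1 to 5 end to end; acquirer and brand act as transparent relays."""
    kind, cryptogram = card.generate_ac(risk_flags, amount_cents, unpredictable)
    if kind == "AAC":
        return "declined offline"
    if kind == "TC":
        return "approved offline"
    code, arpc = issuer.authorize(cryptogram, amount_cents, card.atc, unpredictable)
    if arpc is None or not card.verify_arpc(cryptogram, code, arpc):
        return "declined: issuer authentication failed"
    return "approved online" if code == b"00" else "declined online"
```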

Within a payment ecosystem, data at rest is cardholder information stored in central servers by card issuers, for card functionality and reissuance, but also by merchants, for use in refunds, returns, recurring charges and sales reports. Data at rest can be protected by tokenization, a process where a payment card's personal account number (PAN) is replaced with surrogate token values and stored with reduced risk. A stolen or breached token number cannot be used to perform an outside transaction, but can be used by the merchant for returns, future charges, etc.

Data in use refers to the data that occupies a computer's (or POS terminal's) RAM (Random Access Memory) at any given time. This is the space a computer uses to store data that it will need to perform a task. Data in motion is data being sent from one point in a payment network to another. Data in use and in motion can be protected with encryption, where computer algorithms transform information from readable plaintext to unreadable ciphertext. Encryption does not altogether prevent information theft, but it does reduce the likelihood that the thief would ever be able to successfully use the stolen information. To decrypt the message, the reader must have the key, without which the data cannot be used.

Encryption and tokenization are two security measures that collaborate with and complement EMV security standards for protecting cardholder data in every stage of its use cycle.

CHECKLIST

This chapter outlines a plan of action for a successful EMV migration.

MIGRATION ACTION CHECKLIST

EMV is the future of payment, and migrating your offerings to include EMV is key to remaining relevant in the payment card market. We want to help you capitalize on the changes ahead. Not sure where to begin? Start by taking a phased approach to your migration.

Phase one of any migration should focus on getting familiar with EMV standards at every level. There's a whole new landscape of technologies, security features, best practices and interoperability standards out there, and understanding all of your options and constraints is key. Solid, comprehensive knowledge of EMV can be leveraged to make smarter strategic decisions about how and when to migrate.

This strategic planning makes up the focus of phase two. Evaluate your current card portfolio and technology infrastructure. Which programs would benefit from EMV first? Which card layouts are affected? What are your budget constraints leading up to the liability shift? Are your solutions EMV-ready?

Phase three is all about action. It's the time to make all the necessary upgrades to start bringing the benefits of EMV to your cardholders. If you're an existing Datacard CardWizard software customer, use this checklist as your phase three itinerary, and Entrust Datacard as your trusted guide. If you're migrating central issuance operations or starting from scratch, you'll find the answers you need from one of our global consultants.

1. Assess your technology infrastructure
Perform an audit of your existing hardware and software versions. EMV card programs require the latest upgrades to prepare for everyday issuance.
- What version of Datacard CardWizard software are you running?
- What Windows operating system do you have installed?
- How many remote locations do you need to track, and does every device you own have a license for EMV card personalization?

2. Review your card gallery
Many card designs need to be altered to accommodate the placement of the chip. EMV standards will require redesigns and layout changes within your card setups.
- What card designs will you carry over for your new EMV program?
- How will the chip impact existing designs?

3. Evaluate your data center
Migrating to EMV card issuance will likely introduce changes within your IT infrastructure. EMV card issuance might require changes to your host and/or switch environment to handle the additional data, security protocols and processing.
- Will EMV-related data elements be transmitted between your host and CardWizard software?
- Will CardWizard software send EMV-related data to your switch?

4. Determine if you have the right Hardware Security Module (HSM)
Ensure the latest version of CardWizard software works with your HSM, since this is a critical step in the production process.
- What is the model of your HSM?
- Is it internal or external?
- Is it FIPS certified?

5. Upgrade your instant issuance systems
Not all instant issuance systems are EMV-ready. EMV issuance will require an instant issuance system equipped with a contact and contactless smart card encoder.
- Which card personalization systems do you currently use?

GLOSSARY OF TERMS

This chapter defines a set of standard terminology to enable a clear understanding of all things EMV.

INDUSTRY TERMS

Acquirer
The acquirer is the party recognized by the network as the financial sponsor for a merchant (typically a regulated financial institution like a bank). The network holds the acquiring processor financially responsible for transactions processed by the merchant and helps ensure that the merchant operates under the rules laid out by the network. Examples: Bank of America Merchant Services, First Data, Wells Fargo, Vantiv, SHAZAM/ITS Inc.

Acquiring Processor
Acquiring processors are third-party service providers that acquire and process payment transactions for merchants, manage the relationship with the global and regional payment networks on the merchant's behalf (including interchange qualifying, chargeback disputes and fees to networks and issuers), and manage the transaction database. The acquiring processor connects merchant transactions to payment networks by (1) providing the POS device; and/or (2) securely routing the transaction from the POS device or from the POS payment gateway to the payment network; and (3) managing transactions from authorization to clearing to settlement.

Application Authentication Cryptogram (AAC)
A cryptogram generated by the card at the end of offline and online declined transactions. It can be used to validate the risk management activities for a given transaction.

Application Cryptogram (AC)
A cryptogram generated by the card in response to a GENERATE AC command, providing the card's decision on the transaction. The AC is used to validate that the card has genuinely generated the response. The three types of cryptograms are the Transaction Certificate (TC), the Authorization Request Cryptogram (ARQC), and the Application Authentication Cryptogram (AAC). The creation and validation of the cryptogram enables dynamic authentication.

Application Identifier (AID)
Application Identifiers are data labels that differentiate payment systems and products. The card issuer uses the data label to identify an application on the card or terminal. Cards and terminals use AIDs to determine which applications are mutually supported, as both the card and the terminal must support the same AID to initiate a transaction. Both cards and terminals may support multiple AIDs. An AID consists of two components, a Registered Application Identifier (RID) and a Proprietary Application Identifier Extension (PIX).

Authorization Response Cryptogram (ARPC)
Used during online issuer authentication, the ARPC is a cryptogram generated by the issuer and sent in the authorization response back to the terminal. The terminal sends this cryptogram to the card, which allows the card to verify the validity of the issuer response and go ahead with the transaction. (See ARPCs in action in Behind the Transaction.)

Authorization Request Cryptogram (ARQC)
This cryptogram is also used during online card authentication. It is generated by the card and sent to the issuer in the authorization or full financial request. The issuer validates the ARQC to ensure that the card is authentic and that the card data was not copied from a skimmed card. (See ARQCs in action in Behind the Transaction.)

Cardholder Verification Method (CVM)
Different cards use different methods to authenticate that the person presenting the card is the valid cardholder. EMV supports four CVMs: offline Personal Identification Number (PIN) (offline enciphered and plaintext), online encrypted PIN, signature verification, and no CVM.

Certificate
An electronic document binding some pieces of information together, such as a user's identity and public encryption key. The digital certificate is used to prove to the data recipient the origin and integrity of the data.

Certificate Authority (CA)
A trusted central administration that issues and revokes certificates and is willing to act as a guarantor for the identities of those to whom it issues certificates and their association with a given key.

Certificate Authority Public Key (CAPK)
In order to support data authentication or offline enciphered PIN, the terminal must store one or more public keys for each RID. When required, the card will supply a CAPK index which is used to identify which of these keys should be used for that transaction.

Contact Chip Card
A contact chip card communicates with a reader through a contact plate. The plate must come into contact with a terminal, usually through a chip reader into which the card is inserted. Communication is defined by ISO 7816.

Contactless Chip Card
A chip card that communicates with a reader through a radio frequency interface, usually through a wave or tap of the card on the designated area on the terminal. A contactless chip card will have an antenna embedded in the card's plastic.

Data Encryption Standard (DES)
Data Encryption Standard is a symmetric-key algorithm for encryption of electronic data.

Dual Interface Chip Card
A chip card that has both contact and contactless interfaces, enabling a payment transaction with either interface.

Dynamic vs. Static
Dynamic data has the ability to change or update. For example, a dynamic card security code changes for each transaction. Static or persistent data is unchangeable. For example, the personal account number programmed into a smart chip card cannot be changed after the card is personalized.

Electrically Erasable Programmable Read-Only Memory (EEPROM)
EEPROM is digital memory that can be erased and reused, but does not require electrical power to maintain data. It is used to store information that will change, such as transaction counters. It is possible to load new data elements and applications into EEPROM after a card has been issued. Generally, after personalization and issuance, only limited application data can be updated. This is linked to card security requirements.

EMV Migration Forum (EMF)
The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance to address issues that require broad cooperation and coordination across many constituents in the payments space, to promote the efficient, timely, and effective migration to EMV-enabled cards, devices, and terminals in the United States.

EMV (Europay, MasterCard, and Visa)
Developed by Europay, MasterCard, and Visa, EMV refers to a body of specifications set to ensure interoperability between payment chip cards and terminals. Formally known as the Integrated Circuit Card Specifications for Payment Systems and owned by EMVCo.

EMVCo
EMVCo was formed in February of 1999 by Europay International, MasterCard International, and Visa International to manage, maintain, and enhance integrated circuit card specifications for payment systems. EMVCo is currently, and equally, owned by American Express, Discover, JCB, MasterCard Worldwide, UnionPay and Visa, Inc.

GlobalPlatform
A cross-industry membership organization created to advance standards for multiple application smart card growth. A major goal of GlobalPlatform is the definition of specifications and infrastructure for multi-application smart cards, including cards, terminals and back-end host systems. The GlobalPlatform Specifications are based on the Open Platform Specifications, which were donated to the consortium by Visa.

International Standards Organization (ISO)
The ISO is a global institution that maintains over 13,000 international standards for business, government and society.

Issuer
Issuers are the entities that issue payment cards to customers and perform many activities that could include, but are not limited to, the following list. It is important to note that the issuer may choose to outsource some, or all, of these activities:
- Cardholder customer service
- Data preparation
- Configuration set-up
- Fulfillment of the personalized chip card, with all paper inserts; preparation for mailing to the customer
- Defining the card profile, including risk parameters
- Receiving and managing card records and keys to form a personalization record
- Generating the personalization script
- Key management activities for EMV, CVV/CVC, and PINs between the card manufacturer and the personalization bureau and between the issuer and the personalization bureau

Issuer Action Codes (IACs)
IACs are codes placed on the card by the issuer during card personalization. These codes indicate the issuer's preferences for approving transactions offline, declining transactions offline, and sending transactions online to the issuer based on the risk management performed.

Issuing Processor
Issuing processors facilitate card issuance activities on behalf of an issuer, such as processing payment transactions, card enrollment, preparing and sending the card personalization information to the card vendor, and maintaining the cardholder database. The issuing processor may provide other ancillary services as well (e.g., web front-end administrative and cardholder account management applications, customer service, settlement and clearing, chargeback processing).

Liability Shift
When card fraud occurs, one party involved in the transaction (the cardholder, merchant, issuer, processor, etc.) is found liable, or at fault. A liability shift is a change in the rules that guide which party is liable for card fraud, should it occur. Each brand defines the rules around its liability structure.

Magnetic Stripe Card
These plastic payment cards use a band of magnetic material to store data. Data is stored by modifying the magnetism of magnetic particles on the magnetic material, which is read by swiping the magnetic stripe through a mag stripe reader.

Near Field Communication (NFC)
NFC is a standards-based wireless communication technology that allows data to be exchanged in both directions between devices that are a few centimeters apart. NFC-enabled mobile phones incorporate smart chips (called secure elements) that allow the phones to securely store the payment application and consumer account information and to use the information as a virtual payment card.

Offline vs. Online
In the context of an EMV transaction, offline refers to actions and processes that are performed by the card's chip and the point of sale terminal alone, using applications stored on one or both devices. An online action or process includes data that is sent out to other computers managed by payment processors, issuers, or card brands.

Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a framework developed by the Payment Card Industry Security Standards Council for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.

Payment Network
A payment network provides POS and ATM services for credit, debit, ATM and prepaid card issuers and corresponding transaction acquirers. It establishes participation requirements, operating rules and technical specifications under a common brand (or brands) for the purpose of receiving, routing, securing authorization for, settling and reporting domestic and international payment transactions. Each payment network determines the types of transactions, payment devices and terminals that are permitted in its respective network.

Personalization
Personalization is the process by which the elements specific to the issuer and cardholder are added to the payment card's magnetic stripe and/or chip.

Personal Account Number (PAN)
Often referred to as the primary account number, or the bank card number. The PAN is often embossed onto the front or back of a credit or debit card. The PAN is commonly 16 digits, but can be up to 19 digits in length.

Personal Identification Number (PIN)
A PIN is an alphanumeric code of 4 to 12 characters that is used to identify cardholders at a customer-activated PIN pad. PINs can be verified online or offline. Online PIN verification occurs when the PIN is securely transmitted to an issuer's authorization system during a transaction, with that authorization confirming whether or not the entered PIN is correct. Offline PIN verification occurs between the chip and the POS terminal.

Point of Sale (POS)
A point of sale terminal is a machine where card-present credit transactions occur. POS terminals come in many varieties, and are often embedded into automated vending machines.

Random Access Memory (RAM)
RAM is a direct-access form of computer storage. When data is required to perform a computational task it is moved into RAM for the duration of the task.

Read Only Memory (ROM)
ROM is permanent memory that cannot be changed once it is programmed. It is used to store chip operating systems and permanent data.

Static vs. Dynamic
Static or persistent data is unchangeable. For example, the personal account number programmed into a smart chip card cannot be changed after the card is personalized. Dynamic data has the ability to change or update. For example, a dynamic card security code changes for each transaction.

Transaction Certificate (TC)
TCs are cryptograms generated by the card at the end of all approved transactions. The cryptogram is the result of card, terminal, and transaction data encrypted by a DES key. The TC provides information about the actual steps and processes executed by the card, terminal, and merchant during a given transaction and can be used during dispute processing.

Triple DES (TDES, 3DES)
TDES is a more sophisticated implementation of DES, in which the procedure for encryption is the same but repeated three times. First, the key is split into three DES subkeys. Then the data is encrypted with the first key, decrypted with the second key and encrypted again with the third key. Triple DES (sometimes abbreviated TDES or 3DES) offers much stronger encryption than DES.

CONNECT WITH US
www.datacard.com/emv-solutions

2015 Entrust Datacard Corporation. All rights reserved.