1 Minute
Introductions 1 min
2 Minutes: Briefly introduce the topics for discussion. We will have time for Q and A following the webinar.
Randy - EMV History / Chip Cards / Terminals (5 Minutes)
The EMV specification, originally named for Europay, MasterCard and Visa, is a global standard for interoperable credit and debit payment cards, point-of-sale (POS) payment terminals and transaction processing networks based on chip card technology.
1965: Eurocard
1992: Merged with Eurocheque to form Europay
2002: Europay International merged with MasterCard International to form MasterCard, Inc. Today the company is known as MasterCard Worldwide.
2004: JCB (Japan Credit Bureau)
2009: AMEX
2013: China UnionPay
Later in 2013: Discover Card
Randy As these card brands (e.g. Visa, MasterCard, etc.) gained prominence in their regions, problems began to arise as these brands began to do business in the international marketplace. Travelers and consumers need to use these cards abroad. Furthermore, as a multitude of new technologies grew, so did the programmatic methodology for using these types of cards. Thus, EMVCo was formed. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. Whereas each of these brands is a separate entity with the sole purpose of handling payment card transactions, EMVCo is an international standards body, formed by the card brands for the purpose of creating, among other things, operational standards. For instance, prior to its existence every company had a different rollout methodology for EMV cards, and was building its own solution that was not interoperable with other cards. (Wild Wild West)
Some of the roles of EMVCo are:
Payment card and terminal evaluation
Performing security evaluation of hardware
Management of interoperability issues (standardization)
Contactless Specifications
Common Payment Application
Tokenization
Contact Chip Specifications
Randy Chip cards, also known as smart cards, contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. The EMV specifications also provide for new, highly efficient transaction methods that cannot be achieved with traditional magnetic stripe cards. These include contact and contactless transactions as well as mobile payment operations.
Ways to represent an account, rather than allowing only an account number. Examples: Go Card, Smart Destinations.
Advantages: read/write access.
Chip card commands (ISO 7816-4 where noted):
APPLICATION BLOCK
APPLICATION UNBLOCK
CARD BLOCK
EXTERNAL AUTHENTICATE (7816-4)
GENERATE APPLICATION CRYPTOGRAM
GET DATA (7816-4)
GET PROCESSING OPTIONS
INTERNAL AUTHENTICATE (7816-4)
PIN CHANGE / UNBLOCK
READ RECORD (7816-4)
SELECT (7816-4)
VERIFY (7816-4)
Randy What are Chip and PIN Cards? The chip uses cryptography to talk securely with the credit card terminal and can require a PIN to complete the transaction. Configured by the issuing bank. Randy to find stats on % PIN adoption. Jerry to discuss the more technical details.
Card authentication: Transactions require an authentic card, validated either online using a dynamic cryptogram or offline using Static Data Authentication (SDA) or Dynamic Data Authentication (DDA).
Cardholder Verification Method (CVM): The CVM ensures that the person attempting to make the transaction is the person to whom the card belongs, using Online PIN, Offline PIN, Signature, or no CVM. (Varying degrees of CVM today: 3- or 4-digit CVV numbers, even last-4-digit CVM, which is not very effective.)
Online and Offline Authorization: EMV transactions are authorized based on security parameters established by the issuer.
Randy Chip cards can only be processed at an EMV terminal. Mag swipe backup for a non-functioning chip. In most cases these EMV terminals will support contactless using NFC (Near Field Communication): Apple Pay, Google Wallet, Visa payWave, MasterCard PayPass, American Express ExpressPay, Discover Zip.
Does anyone in the room have an integrated circuit credit card? 5% adoption in the US in 2013. What is in my wallet? Up to 50% adoption by the end of the year? Compare expiration dates.
Randy I can give you 4 compelling reasons. You do not want your attraction to be on this list. Does anyone know how many credit cards were stolen during these 4 data breaches? 200 million credit cards were stolen from these 4 companies alone in large card-present data breaches. Target: over 40 million cards in a breach that lasted under 20 days, including over 70 million PII records. There were some large card-not-present breaches as well, to the PlayStation Network and others.
Randy Why else should my attractions care about EMV? Remember EMVCo? In 2008, it was estimated that US travelers experienced nearly 10 million mag-swipe-related issues when traveling abroad, totaling nearly half a billion dollars.
Randy First, let's talk about Card Present vs. Card Not Present fraud.
UK stats 2004-2011: 73% drop in counterfeit mag swipe fraud; 56% drop in fraud from lost or stolen cards; 33% overall drop. Worldwide credit card fraud eclipsed $11 billion in 2012. EMV only protects your attraction from Card Present (CP) fraud and not Card Not Present (CNP) fraud. In 2012 CP fraud accounted for almost $800 million in the United States. EMV payment cards protect merchants by making counterfeit cards nearly impossible to manufacture: it requires a fraudster to manufacture a legitimate-looking physical credit card with a chip, with the added risk to the fraudster of presenting such a card. In 2012, the US accounted for 47.3% of worldwide payment card fraud losses but generated only 23.5% of total volume.
Tangent conversation: The source of this fraud came from POS breaches to begin with; cutting off the supply for the fraudsters. Examples in our industry, where online CNP fraud far outweighs onsite CP fraud: Russia stolen cards; lists; San Diego Zoo on-demand purchase with a stolen credit card.
Switch speakers to Jerry to hit this home:
- Every time there is a major national data breach, I am talking to 20 customers asking how to get credit cards out of the system.
- Most attractions just want the data security that comes along with the more secure EMV process.
But aside from the primary goal of being able to accept a chip card, there is a second and arguably more important benefit of adopting EMV at the POS: data security. Many of the recent data breaches in the U.S. have exploited security weaknesses in the POS system (PC or software) to capture credit card data that had passed through the POS. So, it makes sense that if you can prevent the POS from ever having access to sensitive card data, there would be nothing for the hackers to gain in the event of a breach. And this is exactly what some implementations of EMV support: the ability to keep all sensitive payment card data out of your system.
Jerry In order to understand the upcoming liability shift, we need to define some terminology.
Jerry Before we dive into what the liability shift is, let's ask a question. At your attraction today, who gets left holding the bag when a fraudulent transaction occurs? Your attraction? The issuing bank? The card brand?
Jerry Remember: EMV liability is only for Card Present (CP) transactions. Your attraction will only be responsible for fraudulent transactions if a customer presents an EMV payment card from an issuing bank and fraud occurs on EMV terminals. Will guests arrive with EMV cards? Presently there are over 1 billion payment cards in the United States (610 million credit cards and 520 million debit cards). The current adoption rate is about 5% of domestic cards. The cost to issue EMV payment cards is expected to be $1.5 billion.
Jerry What is your current amount of CP chargebacks? What amount of those chargebacks is fraud related? Typically about 15% (not counting friendly fraud, 49%). What is your expected ROI, with the calculated expected fraud increase vs. the cost of implementation, training and sustainment? Will the fraud go up? Over how many years? Sustainment costs? Other costs?
Jerry What happens if we do not adopt and a bank issues a non-EMV card on which fraud occurs?
Jerry Vs. 1.6 billion from issuing banks.
Jerry Currently, many installations use a basic USB or serially-connected magnetic stripe reader like the one pictured above. Used in the pre-EMV fully-integrated payment solution with a POS or cash register, there is nothing specific about the mag stripe reader that limits its use with any particular software, merchant, or payment processor. It is merely a way to get the credit card magnetic stripe track data back into the POS, after which it is sent to your payment processor. The most common purchase flow is that upon completion of entering the items into the POS transaction, the guest hands the credit card to the POS operator, who swipes the card and returns it to the guest.
Jerry Or, a stand-alone unit is used without any integration to a POS or a cash register.
Jerry Going forward, an EMV-compliant payment terminal like the one pictured above will need to be deployed anywhere you take a payment card, which will be a considerable investment for merchants. Unlike the mag stripe reader, the payment terminal needs to be key-injected by its manufacturer or reseller, and will be configured specifically to work only with a certain merchant, certain encryption keys, and a certain payment processor. Also unlike the magnetic stripe reader, the EMV-compliant payment terminal is guest-operated. The payment card never leaves the guest's hands in an EMV transaction.
Jerry A non-integrated EMV payment solution is one where the POS system and the EMV payment terminal are not connected in any way. In this model, after ringing up a sale on your POS, your POS operator needs to manually enter the requested sale amount on a disconnected payment terminal. The payment terminal has its own network connection, and goes directly to the payment host for authorization. No data flows between the POS and payment terminal, ever. While this is great for insulating your system from sensitive payment card data, it adds a time-consuming and error-prone extra step in your sales process, and provides no journalization in your sales system. In this model, your POS, and the PC it resides on, are thought to be PCI out-of-scope, due to the fact that no sensitive card data is ever exposed to the POS.
Jerry A semi-integrated EMV payment solution is one where a limited amount of information flows between the POS system and the payment terminal, but the payment terminal will never return sensitive data, like a full credit card number, for example. In this model, your POS operator rings up the sale as normal, and then selects a non-cash Form of Payment (FOP) that requires authorization. The FOP selection causes the POS to send a request to the payment terminal (represented by arrow #1 above), passing it a limited amount of data, such as the requested transaction amount, the type of transaction (sale, refund), and perhaps a transaction ID. The payment terminal has its own display and prompts the guest to insert their chipped credit card, and then requests authorization directly from the payment host (represented by arrow #2) via the payment terminal's own network connection. After the payment terminal receives its response from the payment host (arrow #3), a response message is sent to the POS from the payment terminal (arrow #4), but it's very important to note that the interface back to the POS does not support the ability to pass sensitive information. A full credit card number cannot be passed back into the POS. Based on the response message, the POS knows whether the payment request was successful, or if a second payment should be attempted with a different FOP. Similar to the non-integrated model, in this semi-integrated model your POS, and the PC it resides on, are thought to be PCI out-of-scope, due to the fact that no sensitive card data is ever exposed to the POS.
Jerry A fully-integrated EMV payment solution is one where the EMV payment terminal communicates only with the POS system. In this model, the POS uses the EMV payment terminal to read the chip card, but then brings all data back into the POS system, with the requirement that the POS system, and not the payment terminal, contact the payment host for authorization. If you use a mag-stripe reader to process credit cards in POS today, this is an example of a fully-integrated payment solution. And although most fully-integrated EMV solutions provide the ability to encrypt the data at time of capture before sending it to the POS, the POS and the PC running it are now thought to be PCI in-scope. The risk of a breach yielding sensitive card data from a fully-integrated solution is minimized, but not eliminated, by the use of encryption. Because the POS and its PC are now in PCI scope, the development and certification efforts for POS vendors would be greater, and this will often also require our customers to perform merchant-level certifications prior to being allowed to process production payment requests.
Jerry Encryption utilizes a key to alter data, and in theory, a party would require the matching decryption key to restore the data to its original state. In terms of credit card processing, end-to-end encryption (E2EE) describes the process whereby card data is encrypted the moment it's captured by the payment terminal, and it remains encrypted until it arrives at the payment host (e.g. Paymentech). With E2EE, even if a malicious party was able to intercept network traffic, they would still not see any sensitive data in clear text. POS systems are generally not permitted to use encrypted credit card information for the purpose of subsequent sales (e.g. storing encrypted credit card data for recurring payments in a payment plan after the initial down payment). Tokenization is a representation of sensitive credit card data, allowing subsequent payment authorization requests to be made when the physical card is no longer present. A common use of a payment token is to permit automatic recurring payments, without requiring the guest to be present with their card for those payments. A token can be used instead of a credit card number; however, tokens are merchant specific, meaning that if a hacker accessed your system and was able to acquire payment tokens, those tokens would be worthless to anyone attempting to process a payment outside of your merchant system.
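The semi-integrated flow above (arrows 1 to 4) and the merchant-specific tokens just described, modelled as an added Python example that is not from the webinar or any vendor's product: the POS hands the terminal only amount, type and transaction ID, the payment host alone sees the PAN and issues a token keyed per merchant, and a Luhn-based check lets a defender confirm the terminal's reply to the POS carries no card number. The merchant IDs, host keys, HMAC token scheme and approval rule are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets

# Constructed sample data (not from the webinar): a Luhn-valid test PAN and
# hypothetical per-merchant keys that only the payment host would hold.
SAMPLE_PAN = "4111111111111111"
MERCHANT_KEYS = {"ZOO-001": b"host-key-for-zoo", "PARK-002": b"host-key-for-park"}

def luhn_ok(digits):
    """Standard Luhn check, used to tell a real card number from random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return every 13-19 digit run in text that passes Luhn: a likely PAN leak."""
    return [run for run in re.findall(r"\d{13,19}", text) if luhn_ok(run)]

def pos_request(amount_cents, txn_type, txn_id):
    """Arrow 1: the only data the POS hands to the terminal (no card data)."""
    return {"amount": amount_cents, "type": txn_type, "txn_id": txn_id}

def host_authorize(merchant_id, pan, amount_cents):
    """Arrows 2/3: the host is the only party that sees the PAN in clear text.
    Token = HMAC under the merchant's key (simplified model), so the same card
    yields a different token per merchant, worthless outside that merchant."""
    digest = hmac.new(MERCHANT_KEYS[merchant_id], pan.encode(), hashlib.sha256).digest()
    token = "tok_" + base64.b32encode(digest).decode()[:24]
    return {"approved": amount_cents > 0, "auth_code": secrets.token_hex(3).upper(), "token": token}

def terminal_transaction(merchant_id, req, pan):
    """Arrow 4: the reply to the POS carries a token and last four, never the PAN."""
    auth = host_authorize(merchant_id, pan, req["amount"])
    return {"txn_id": req["txn_id"], "approved": auth["approved"],
            "auth_code": auth["auth_code"], "last4": pan[-4:], "token": auth["token"]}

def pos_boundary_ok(message):
    """Defender's check on any terminal-to-POS message: no Luhn-valid PAN inside."""
    return not find_pans(json.dumps(message))
```

Running `find_pans` over a fully-integrated style message that carries track data flags the PAN, which is the difference between the in-scope and out-of-scope models above.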
Jerry
Hardware Costs: The hardware cost to roll out an EMV terminal everywhere that you can accept a credit card. Final pricing is not yet available on the various payment terminals, but as a very rough rule of thumb, assume a minimum of $500 per payment terminal. If you have 100 POS locations from which you can complete a credit card sale, you'll likely have a minimum of $50,000 in terminal purchases.
Network: The network infrastructure costs to support separate, secure network access everywhere you plan to deploy an EMV payment terminal.
Credit Card Visibility: The effect of not having full credit card data in your system. As an example, do you receive reports from your payment provider regarding fraudulent card usage, and do you have a need to look up other usages of that card in your POS system?
Recurring Payments: Do you use payment plans for some products, and if so, are those products sold online, in person, or both?
Security concerns over keeping card data in your system.
Your current fraud losses at the POS. If your losses are lower than the cost to adopt EMV, and your security concerns are low, you may decide to delay EMV adoption.
Compatibility: Do the terminals work with your POS system and other systems?
Terminal Configuration: The terminals require key injection to work properly.
Pros and Cons table: Randy to come up with something. 20% of the population will not know their PIN.