What Issuers Need to Know Top 25 Questions on EMV Chip Cards and Personalization



Similar documents
FAQ EMV. EMV Overview

Visa Recommended Practices for EMV Chip Implementation in the U.S.

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

The Adoption of EMV Technology in the U.S. By Dave Ewald Global Industry Sales Consultant Datacard Group

Payments Transformation - EMV comes to the US

A Guide to EMV Version 1.0 May 2011

EMV and Small Merchants:

American Express Contactless Payments

A RE T HE U.S. CHIP RULES ENOUGH?

What is EMV? What is different?

Card Technology Choices for U.S. Issuers An EMV White Paper

EMV: A to Z (Terms and Definitions)

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

Euronet s EMV Chip Solutions Superior Protection with Enhanced Security against Fraud

What Merchants Need to Know About EMV

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change

Implication of EMV Migration for the U.S. Transportation Industry. May 1, Implication of EMV Migration for the U.S. Transportation Industry

EMV : Frequently Asked Questions for Merchants

How To Protect A Smart Card From Being Hacked

EMV Frequently Asked Questions for Merchants May, 2014

EMV and Restaurants What you need to know! November 19, 2014

Mobile Near-Field Communications (NFC) Payments

The Canadian Migration to EMV. Prepared By:

A Brand New Checkout Experience

A Brand New Checkout Experience

PREPARING FOR THE MIGRATION TO EMV IN

EMV's Role in reducing Payment Risks: a Multi-Layered Approach

U.S. Bank. U.S. Bank Chip Card FAQs for Program Administrators. In this guide you will find: Explaining Chip Card Technology (EMV)

EMV in Hotels Observations and Considerations

OpenEdge Research & Development Group April 2015

Chip Card (EMV ) CAL-Card FAQs

Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance

Understand the Business Impact of EMV Chip Cards

Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

How To Comply With The New Credit Card Chip And Pin Card Standards

toast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard

EMV ADOPTION AND ITS IMPACT ON FRAUD MANAGEMENT WORLDWIDE

Visa U.S. Merchant EMV Chip Acceptance Readiness Guide. 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions

Visa U.S. Merchant EMV Chip Acceptance Readiness Guide. 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions

Your Reference Guide to EMV Integration: Understanding the Liability Shift

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper Executive Director, Product Development

WHITE PAPER U.S. JOINING WORLDWIDE EMV MOVEMENT

How to Prepare. Point of sale requirements are changing. Get ready now.

Visa U.S. Merchant EMV Chip Acceptance Readiness Guide. 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions

welcome to liber8:payment

Mitigating Fraud Risk Through Card Data Verification

Electronic Payments Part 1

NEWS BULLETIN

U.S. EMV Debit Implementation Guidelines for POS Acquirers

M/Chip Functional Architecture for Debit and Credit

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon

We believe First Data is well positioned to take advantage of all of these trends given the breadth of our solutions and our global operating

Credit Card Processing, Point of Sale, ecommerce

EMV EMV TABLE OF CONTENTS

Payment Card Industry (PCI) Data Security Standard. PCI DSS Applicability in an EMV Environment A Guidance Document Version 1

Apple Pay. Frequently Asked Questions UK Launch

Fundamentals of EMV. Guy Berg Senior Managing Consultant MasterCard Advisors

EMV FAQs. Contact us at: Visit us online: VancoPayments.com

EMV: Background and Implications for Credit Unions

Apple Pay. Frequently Asked Questions UK

JCB Terminal Requirements

Practically Thinking: What Small Merchants Should Know about EMV

The EMV Readiness. Collis America. Guy Berg President, Collis America

EMV Chip and PIN. Improving the Security of Federal Financial Transactions. Ian W. Macoy, AAP August 17, 2015

Introductions 1 min 4

PayPass M/Chip Requirements. 10 April 2014

Euronet s Contactless Solution

Inside the Mobile Wallet: What It Means for Merchants and Card Issuers

EMV Chip Card Payment Standard: Perspective

Tokenization: FAQs & General Information. BACKGROUND. GENERAL INFORMATION What is Tokenization?

Dates VISA MasterCard Discover American Express. support EMV. International ATM liability shift 2

EMV 101: Everything you need to know about EMV

Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011

EMV Acquiring at the ATM: Early Planning for Credit Unions

Fiscal Service EMV Education Series EMV-Compliant Point-of-Sale Card Acceptance for Federal Agencies. Fiscal Service / Vantiv July 27, 2015

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

EMV and Encryption + Tokenization: A Layered Approach to Security

First Data s Program on EMV

Fall Conference November 19 21, 2013 Merchant Card Processing Overview

PCI and EMV Compliance Checkup

Smart Tiger STARCHIP SMART TIGER PAYMENT PRODUCT LINE. Payment. STiger SDA. STiger DDA. STiger DUAL

Guide to Data Field Encryption

Plotting a Course for EMV Compliance

FUTURE PROOF TERMINAL QUICK REFERENCE GUIDE. Review this Quick Reference Guide to. learn how to run a sale, settle your batch

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

OpenEdge Research & Development Group April 2015

PREVENTING PAYMENT CARD DATA BREACHES

Preparing for EMV chip card acceptance

U.S. House Small Business Committee. On Behalf of the National Grocers Association. October 6, 2015

Agent Registration. Program Guidelines. (For use in Asia Pacific, Central Europe, Middle East and Africa)

Mobile Payment: The next step of secure payment VDI / VDE-Colloquium. Hans-Jörg Frey Senior Product Manager May 16th, 2013

The Migration to EMV Chip Technology

OT PRODUCTS AND SOLUTIONS EMV-IN-A-BOX

Smart Cards for Payment Systems

EMV FOR U.S. ACQUIRERS: SEVEN GUIDING PRINCIPLES FOR EMV READINESS

Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER

Open Payment Fare Systems Save money through operational efficiencies.

EMV GATHERS STEAM AS U.S. MOVES TOWARD LIABILITY SHIFT

Transcription:

Frequently Asked Questions What Issuers Need to Know Top 25 Questions on EMV Chip Cards and Personalization Issuers across the United States are beginning to embark in the planning and execution phase of one of their largest projects the implementation of an EMV card program. For many years, the U.S. payments sector has resisted growing pressure for the adoption of EMV, but due to recent announcements by Visa, MasterCard, Discover, and American Express a migration timeline has been set for the United States Region. Issuers will undoubtedly experience change in nearly every facet of their organization including operations, card management and issuance, risk management and customer support. In order to achieve a successful implementation, it is critical that issuers undergo adequate planning and education, addressing all vital components such as ATM machines, transmission of EMV data, obtaining association certification, the issuance of EMV chip cards and educating consumers. This document addresses frequently asked questions posed by financial institutions in regards to the manufacturing and personalization of EMV chip cards. While collaborating with numerous processors and network providers, Card Production Services at Fiserv is ready to assist clients in the planning and execution of their EMV card programs. Top 25 Questions The following Top 25 questions highlight issues related to EMV chip card manufacturing and personalization. Issuers should consult their processor and network provider for further guidance. Question 1: How does an EMV transaction work? There is a fundamental difference between a magnetic stripe and EMV chip transaction. With a magnetic stripe card, the stripe stores data that is read by a terminal. The terminal reads the magnetic stripe and initiates an online credit, debit, or prepaid transaction. Subsequently, the transaction is routed to/through branded payment networks and/or various payment processors for authorization. The physical card and stripe no longer play a role in the transaction once the initial data is read. During an EMV transaction, the chip is capable of processing information and actually determines some of the rules for the payment. The terminal helps enforce the rules set by the issuer. These rules can include performing offline data authentication, defining cardholder verification methods including PIN or signature, requiring online authorization and more. It is up to the issuing bank in collaboration with their payment processor to define which of these services is required for the current transaction, via the rules placed on the chip. All credit, debit, or prepaid point-of-sale transactions will either be online or no authorization transactions for the United States Region. All ATM transactions are online transactions using an online PIN just as they are today. Question 2: What is the additional cost to implement an EMV program? The cost of an EMV program consists of varying components. Card production costs include plastic (with chip), development and testing, and issuance. The cost of these components will depend on quantity and complexity of the program. Pricing for plastic and personalization is available from your Fiserv Sales and Account Executive team. EMV chip cards typically cost more

than magnetic stripe cards, but many issuers find that this cost is offset by a decrease in card-present fraud. Since the widespread implementation of chip and pin technology in the U.K., domestic fraud losses on U.K-issued cards has been reduced by 34 percent and fraud losses from counterfeit cards are down 63 percent. 1 Question 3: Do I need to switch from magnetic stripe cards and issue EMV cards? What is the liability/penalty if I choose not to issue EMV by a card association s deadline? All four major card associations have announced plans for accelerating infrastructure readiness for acquirers and direct connect merchants to be EMV compliant by April 2013, thus forcing processor compliancy as well. a. In August 2011, Visa announced an initiative that includes waiving the Visa portion of PCI compliance cost if 75% of terminals are capable of EMV transactions. This incents processors to support EMV by 2013 and shifts fraud liability to the merchant and merchant acquirer in 2015 if a fraudulent EMV chip card transaction is accepted by a merchant that has not upgraded its POS devices to be EMV compatible. b. In January 2012, MasterCard announced its EMV adoption citing an immediate focus by acquirers for infrastructure readiness by April 2013 which solidified the importance of EMV as the foundation for next generation payments. c. In March 2012, Discover announced a 2013 target date for EMV compliance in the U.S., Canada and Mexico. Discover s plan is based on D-PAS, its EMV-compliant payment specification for acquirers and direct connect merchants. d. In June 2012, American Express stated it will work alongside other industry participants to drive interoperability across the U.S. and other countries to support EMV. Its key requirements and dates mirror Visa s. Question 4: Do I need to have my current processor involved in the EMV implementation? To ensure successful card program implementation, plan to include your card scheme, payment processor, and Fiserv Card Production Services as members of your EMV implementation team. Question 5: Do I have to implement a Chip-and-PIN approach to EMV? The card brands or schemes will continue to support a range of cardholder verification methods (CVM) in the U.S. CVMs include signature, online PIN and no signature for low-value, low-risk transactions. Stakeholders will have the flexibility to choose which CVMs to support; however, processors may drive the decision for issuers. Cardholder verification methods are defined during the personalization process and must be consistent with those required by the card brand. In the U.S. nearly 100 percent of magnetic stripe transactions are authorized online in real time, and EMV chip card transactions will leverage this robust infrastructure for authorization and authentication. Many issuers use host-based fraud detection tools to manage risk in real time. EMV enables offline transaction authorization for low value point-of-sale transactions. A small number of offline POS devices continue to be in use in the Euro Area; however, they are rapidly being replaced by online devices just as used in the United States. 1 Retail Payments Risk Forum Working Paper, Federal Reserve Bank of Atlanta, Jan. 2012. 2

Card Design Proof Approval Estimated timeline for EMV Chip Card Issuance* Test Phase Final Testing by client, processor and Association Association Certification Request and Process Begins Order Plastic *subject to change based on technology availability Production of Test Cards Association Certification Approval Question 6: How long will it take to issue EMV cards? The end-to-end process is estimated to take up to 13 weeks and the readiness of each vendor in the supply chain may vary. Once certification is achieved on your initial EMV issue, subsequent EMV chip issuance will not take as long. Question 7: Do we need a new BIN for EMV cards? How do we tell the difference if we use the same BIN for a product and issue both magnetic stripe and EMV? No. Issuers may use the same BIN for both magnetic stripe and EMV chip cards. BINs are assigned by your network or processor and you should refer to them for additional direction. All options are available to issuers including new BINs or an extended BIN(s) if preferred. Question 8: How do I find out which merchants in my institution s footprint support EMV? Today, many merchants, like McDonalds, CVS or Taco Bell have contactless-enabled terminals; however, a contact terminal is required for an EMV transaction. Retail giants Wal-Mart, Best Buy and Home Depot have installed EMV-readable terminals at their stores located on the U.S. borders of Canada and Mexico. Your card association can provide you with a complete list of EMV-ready merchants. Also, terminal capabilities are defined in data elements of the online request and advice/clearing messages. This information may prove useful for chargeback or dispute processing. Question 9: Are there advantages to supporting Dual Interface cards when I migrate my card program to EMV? All EMV chip cards contain a magnetic stripe in addition to the chip. The advantage of supporting Dual Interface cards is that a consumer would be able to transact using the magnetic stripe, the contactless chip or the contact chip depending on the terminal installed at the merchant location. Dual Interface cards have dual technology (contactless chip and contact chip) and are more expensive. Question 10: How does the contact chip alter the design of my cards? Are there specific branding specifications that I need to follow regarding the placement of the contact chip? Yes. The placement of the contact chip on the front of the card is consistent on all EMV and Dual Interface plastic. The Fiserv procurement team will work with you to ensure product specifications are met. Question 11: What are the options for chip memory? Memory options will be provided based on the type of plastic selected contact, Dual Interface or contactless. This is dependent on the operating system and available card authentication methods. 3

Question 12: What is the minimal functionality I need in EMV processing that will still provide the advantages of increased security for my cardholders? Because there are varying functionalities available for smart card processing, your processor is in the best position to answer this question. Question 13: What are the applications that I may want on the chip? Chip cards can contain multiple applications such as rewards, loyalty or healthcare, but today most applications are related to financial payments. The issuer will need to determine which applications it wants to support, what its processor can support for authentication, authorization and transactions and what applications its personalization bureau can personalize. You may discover that mandates from your card association or regional switch network may largely determine the applications you must have on your chip cards. Question 14: How involved am I in the key management process? Card Production Services at Fiserv will work with your key custodians and initiate a key ceremony. There are new keys required for EMV (for example, issuer master key or icvv). Question 15: Can an EMV card be personalized with the cardholder s own photo? Edge-to-edge or personalization of the entire front of the card is an option that will be available in our Phase II rollout of EMV chip cards but is not currently available. Question 16: Will Fiserv support EMV for all my card programs? EMV personalization is available for debit, credit and prepaid cards. Question 17: Can my network or association handle the EMV data and verification for our programs? Your processor can assist in this area. Question 18: How does EMV work with Internet purchases? An EMV card does not inherently mean that an Internet purchase or card-not-present transaction -- will have any additional security than a traditional magnetic stripe card. However, the potential to increase authentication is available with the use of additional equipment/readers that would provide a single, one-time password (OTP) to validate the card-not-present purchase. These devices are currently in use in other countries. Through the use of MasterCard s Chip Authentication Program (CAP) and Visa s Dynamic Passcode Authentication (DPA) the EMV smart card is used to authenticate the user and verify the cardholder s PIN while offline. The cardholder inserts the card into a small hand-held device that generates the one-time password and is displayed directly on the device. During the online transaction, the cardholder transmits this OTP to the issuing bank who can then verify it using its EMV back-end authentication system. The user may also have a card that has an integrated keyboard directly in the card which creates the OTP and is shown on a mini display embedded in the card. Both of these methods constitute two-factor authentication (2FA) something the user knows (i.e. PIN) and something the user has (i.e. smart card). It is noted that handheld readers have been distributed to tens of millions of cardholders in Europe and Asia, but consumers have complained that it s inconvenient to have a card reader in hand to do online transactions. Other forms of two-factor authentication are surfacing such as mobile phone-based 2FA, and we will likely see other methods developed as technology advances. 4

Question 19: What is the difference between the Operating Systems options Java/Global Platform Native, and Multos? Which of these will Fiserv support? Which is recommended and why? JAVA/Global Platform is the suggested operating system in the U.S. to support payment applications. Multos is most often used overseas to support payment and other applications such as transit or loyalty. Native is a custom operating system for all other applications. Fiserv will support all of these operating systems and has successfully tested Java/Global. Question 20: Will the EMV chip replace the magnetic stripe on the card? The magnetic stripe will continue to be the required baseline card-reading format and must be supported on both contact-only and Dual-Interface cards. Question 21: Is offline or online better? Online only or online preferring card products make the most sense for nearly all issuers. Refer to your processor for additional guidance. DDA (Dynamic Data Authentication) can be used by the issuer. Question 22: Is the RFID Label required on EMV cards? Visa currently requires the RFID label on Contactless & Dual Interface cards. This requirement will be removed in 2015 when all Visa branded cards will no longer be allowed to be issued with MSD (Magnetic Stripe Data) but will instead use full EMV cryptogram methodology. The label is not required on Visa contact cards. MasterCard currently has no requirement for the label. Question 23: What are the benefits of EMV cards? Although EMV payment cards gained adoption primarily because of industry mandates and the promise to combat card-present fraud globally, chip-based cards also offer the flexibility to store multiple applications, enabling greater value and improved service to consumers. (Noting that multiple application chip cards will be more expensive to issue.) Question 24: What would be a possible roadblock to the U.S. migrating to EMV? Merchants or merchant acquirers will likely upgrade their point-of-sale systems to be EMV compatible consistent with inplace terminal replacement cycles. Many of the country s largest merchants have already completed the re-teriminalization process. Absent national law or regulatory changes, issuers are not required to migrate their card bases to be EMV compatible. Nonetheless, over the next 3-4 years we expect 60% to 70% of United States card bases to complete EMV migrations. Question 25: Is Card Production Services at Fiserv ready to personalize EMV cards today? Yes. Today, Fiserv is positioned to assist our clients with the procurement and personalization of EMV compliant cards. We continue partnership with the leading card brands and the Smart Card Alliance to support and continue development of a worldwide interoperable smart card infrastructure. We will strive to be a valued source of information to our clients as they analyze and set their strategies for EMV. Connect With Us For more information on EMV chip card plastic and personalization, please contact 866-963-4877 or visit www.fiserv.com About Fiserv Fiserv is driving innovation in Payments, Processing Services, Risk & Compliance, Customer & Channel Management and Insights & Optimization, and leading the transformation of financial services technology to help our clients change the way financial services are delivered. Visit www.fiserv.com for a look at what s next, right now. 5

Table 1 Roadmap Options 2 Roadmap Option 1. Chip Interface a) Contact Standard EMV chip card. Requires contact reader. Description b) Contactless RF card, NFC on a mobile phone, or various form factors, including stickers. Requires contactless reader. Leverages EMV-based contactless cards being deployed in the U.S. and Canada. Inability to inject scripts post-issuance, except with second tap, or using over-the-air capabilities with mobile devices. c) Dual Interface Card containing both contact and contactless interfaces. Works with either contact or contactless reader. 2. Card Authentication a) Online Uses symmetric cryptography for the cryptogram (such as Triple DES). For online-only contact card, no requirement for SDA, DDA, or PKI cryptographic co-processor.* b) Offline Uses SDA, DDA and/or CDA. Requirement for PKI cryptographic co-processor (for DDA and CFA only). 3. Transaction Authorization 4. Cardholder Verification a) Online Authorization message, including Field 55, is sent to issuer. b) Offline Terminal and card negotiate the method for authorization based on the acquirer, issuer and payment brand risk management parameters. The issuer (card) makes the final decision. May be forced online, depending on limits and other factors. a) Signature No special POS requirement beyond current requirements. b) Online PIN Requires POS PIN pad, secure access module (SAM) linked to hardware security modules (HSM) at every network node, and network capable of supporting PIN block. Not readily supported by credit card standard messages. 3 c) Offline PIN Requires POS key pad. 4 Two types of offline PIN: plain text and enciphered. Requirement for PKI cryptographic co-processor for enciphered PIN. Requires ability to synchronize offline and online PIN. d) No Card Verification Method (CVM) No special POS requirement. Usually reserved for low value transactions and unattended terminals. * All microprocessor cards used for EMV support the appropriate symmetric cryptography algorithm and keys. Symmetric cryptography is employed as a core part of chip security and is used in the personalization process and in any post-issuance EMV scripts from the issuer that are used to change EMV settings on the card. Offline PIN can be either enciphered or plain text. 2 Smart Card Alliance, Roadmap White Paper, 09/2012. 3 Standard credit card message 1100 does not support the field required for online PIN support 4 See PCI specification for POS PIN support requirements for online and offline PIN, https://www.pcisecuritystandards.org/security_standards/documents.php?association=pts Fiserv, Inc. 255 Fiserv Drive Brookfield, WI 53045 800-872-7882 262-879-5322 getsolutions@fiserv.com www.fiserv.com 2013, 2012 Fiserv, Inc. or its affiliates. All rights reserved. Fiserv is a registered trademark of Fiserv, Inc. Other products referenced in this material may be trademarks or registered trademarks of their respective companies. 06-GG-08-7/12; Updated 1/13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information