An Overview of Payments for the Bikeshare Market
Provided by North American Bikeshare Association
Presented by Mantrana Partners
Boulder B-cycle
February 18, 2015

Presenters

Lora Vigil brings over 15 years of technology experience ranging from software development to enterprise architecture; a decade of that was spent in the retail space focusing on order management, payment acceptance, and card issuance. Lora received her MS in Computer Science & Engineering from the University of Washington and a BS in Mechanical Engineering from the University of Kansas. Lora is a member of the Women's Network in Electronic Transactions and co-organizer of the Denver Payments Meetup.

Mark Ericksen has two decades of technology experience in which he has architected complex e-commerce, payment systems, and computational solutions. He is also a practitioner in credit card and payment processing, EMV migration strategies, and vendor technology selection. Mark received his BS in Computer Science from Pacific Lutheran University. Mark is an active member of the ETA Professional Development Council, ETA Technology Council, and co-organizer of Denver Payments Meetup.

Mantrana Partners, 800.844.8240, partners@mantranapartners.com

Objectives
- Gain insight on the payment process from transaction authorization to the receipt of funds
- Be equipped with knowledge surrounding payments and merchant processing to help grow your organization as payments evolve

Agenda
- Overview of the Payment Process
- Security and the Payment Card Industry (PCI)
- EMV Chip Cards
- Mobile and Other Forms of Payment
- Interchange, Fees, & Chargebacks
- Summary

OVERVIEW OF THE PAYMENT PROCESS
BIXI

The Big Scary Payment Picture
https://www.payfirma.com/wp-content/uploads/2014/09/payfirma-paymentsecosystem2014.jpg

A Simplified Payment Flow
Merchant -> Payment Gateway -> Merchant Banks -> Card Brands -> Issuing Banks

Merchant
- Accepts Payment
- Customer Interacts with Merchant
- Minimize Friction
- Usability Builds Customer Confidence
- Balance Fraud & Customer Experience

Payment Gateway
- Connects Merchants with Banks
- Buffers Merchant from direct Bank connections
- Can Provide Security (encryption, tokenization) and Certification Services

Merchant Bank (Acquirer)
- Routes Transactions to Card Brands
- Where Payments Are Deposited
- Processing Services Outsourced or In-House
- BIN Number Identifies Card Brand

Card Brands
- Routes to Issuing Banks
- Open Loop vs. Closed Loop
- Credit and Debit Networks
- Signature vs. PIN Debit

Issuing Banks
- Makes Approval Decisions
- Liable for Consumer Fraud
- Processing Services Outsourced or In-House

Authorization Response
- Approve: Transaction Complete
- Decline: Request Alternate Tender
- Referral: Voice Authorization, Candidate for Attended Terminals

Clearing and Settlement
- Terminal Capture: Merchant Sends Capture Request at End of Day
- Host Capture: Processor or Gateway Manage Capture Request
- Captured Authorizations and Refunds are Cleared and Settled Each Day
- Funds Paid from Issuing Banks to Merchant Banks

SECURITY AND THE PAYMENT CARD INDUSTRY (PCI)
Sobi Social Bike

Breach Avoidance
- Cannot Fully Prevent Data Breaches
- Data Has Value
  - PAN + Expiration Date can be used for online purchases
  - Magstripe data can be used to create counterfeit bankcards
- Useless Data is Worthless Data
  - Hackers move on if they cannot profit from the stolen data
[Card image labels: Primary Account Number (PAN), Expiration Date]

Encryption & Tokenization
- Common Encryption Algorithms
  - Triple-DES
  - AES: Advanced Encryption Standard
  - DUKPT: Derived Unique Key Per Transaction
  - PKI: Public Key Infrastructure
- Common Encryption Uses
  - Debit PIN
  - Digital Certificate Verification
  - NEW: PAN (and discretionary data)
- Tokenization
  - Substitute for sensitive data
  - Managed by Token Service Provider
[Diagram: Example Token Service Provider and Decryption Endpoint (could also be the Acquirer or Card Brand); legend: Clear PAN, Encrypted PAN, Token]

Payment Card Industry (PCI)
- Created by Card Brands: American Express, Discover, JCB, MasterCard, Visa
- Current Version: PCI DSS 3.0
- Objectives
  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

PCI Scope
- PCI Protects Data
  - In Transit: traversing a network
  - At Rest: stored in a database
  - Processed: captured at terminal
- Understand your Cardholder Data Environment (CDE)
  - Know What is In Scope
  - Know What is Out of Scope
  - CDE May Include Your Employees and Vendors
[Diagram: Example CDE Scope Boundary, with In Scope and Out of Scope regions covering website, office PCs, payment gateway, operator, customer service PC and agent, admin portal, database, payment terminal, kiosk, bikeshare vendor and payment vendor]

PCI Scope Reduction
- Understand CDE Boundary
  - Flow of Payment Data
  - Who Can Access Payment Data
  - Storage of Payment Data
  - Vendors & Partners Handling Your Payment Data
- Reduction Techniques
  - Network Isolation
  - Encryption & Tokens
  - Smart Terminals
[Diagrams: Before and After Example CDE Scope Boundary, showing Bankcard, Payment Terminal, Kiosk, Payment Software, Payment Gateway and Vendor Database; legend: Clear PAN, Encrypted PAN, Token]

PCI Scope Reduction (continued)
- Browser
  - Downloads JavaScript to Encrypt PAN
  - Downloads JavaScript to request one-time token from Gateway
- Web Server
  - Performs Authorization with one-time token
[Diagrams: Before and After Example CDE Scope Boundary, showing Bankcard, Customer Browser, Web Server and Payment Gateway; legend: Clear PAN, Encrypted PAN, Token, One-Time Use Token]

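The browser-to-gateway token flow on this slide, sketched as an added example (not code from the presentation or from any gateway vendor). The `Gateway` and `WebServer` classes, the `tok_` prefix, the 60-second token lifetime and the test PAN are assumptions made for illustration.

```javascript
// Added example: one-time-use token flow that keeps the PAN off the web server.
const crypto = require('crypto');

// Hypothetical payment gateway: the only component that ever holds the clear PAN.
class Gateway {
  constructor(ttlMs = 60000) { this.vault = new Map(); this.ttlMs = ttlMs; }

  // Called directly by the customer's browser; returns an opaque random token.
  tokenize(pan, expiry, now = Date.now()) {
    const token = 'tok_' + crypto.randomBytes(16).toString('hex');
    this.vault.set(token, { pan, expiry, expiresAt: now + this.ttlMs });
    return token;
  }

  // Called by the merchant web server; a token can be redeemed at most once.
  authorize(token, amountCents, now = Date.now()) {
    const entry = this.vault.get(token);
    this.vault.delete(token); // single use: consumed on the first attempt
    if (!entry) return { approved: false, reason: 'unknown_or_used_token' };
    if (now > entry.expiresAt) return { approved: false, reason: 'token_expired' };
    // A real gateway would route the PAN to the acquirer here; this sketch approves.
    return { approved: true, last4: entry.pan.slice(-4), amountCents };
  }
}

// Merchant web server: handles only the token, so no PAN reaches its logs or database.
class WebServer {
  constructor(gateway) { this.gateway = gateway; this.log = []; }
  checkout(token, amountCents) {
    this.log.push(`checkout token=${token} amount=${amountCents}`);
    return this.gateway.authorize(token, amountCents);
  }
}

function demo() {
  const gateway = new Gateway();
  const server = new WebServer(gateway);
  const pan = '4111111111111111';               // constructed test PAN
  const token = gateway.tokenize(pan, '12/17'); // browser -> gateway
  const first = server.checkout(token, 800);    // web server -> gateway
  const replay = server.checkout(token, 800);   // replayed token is refused
  const stale = gateway.tokenize(pan, '12/17', 0);
  const expired = gateway.authorize(stale, 800, 120000);
  const panInServerLog = server.log.some((line) => line.includes(pan));
  return { first, replay, expired, panInServerLog };
}
```

Because the web server only ever receives the token, a copy of its logs or database yields nothing that can be replayed as a payment.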
Changes in PCI DSS 3.0
- Increasingly Restrictive
- Notable Changes in DSS 3.0
  - Penetration Testing
  - Component Inventory
  - Vendor Relationships
  - Anti-malware
  - Physical Access
- PA-DSS for Software Applications
- Look for PCI Pre-Certified Solutions

PCI Audits
- Qualified Security Assessor (QSA)
- Methods of Compliance Reporting
  - Self Assessment Questionnaire (SAQ)
  - Report on Compliance (ROC)
- Guidance from your Merchant Bank

EMV CHIP CARDS (EUROPAY, MASTERCARD, VISA)
capital bikeshare

EMV Around the World
- First Chip Card: 1986, Carte Bancaire

Counterfeit Liability Shift
[Timeline, axis 2012 to 2017]
- October: Merchant PCI Relief for early POS conversion
- October: Liability shift for most merchants
- October: Liability shift for automated fuel dispensers
- April: Acquirers and processors deadline to process EMV payments
- October: Liability shift for ATM owners, domestic cards

EMV Cards
- Contact
- Contactless
- Dual Interface: Contact & Contactless
[Card image labels: Contactless Logo, Microprocessor Chip]

How to Use EMV Cards
- Contact: Dip Card into Terminal, Insert
- Contactless: Hold Card near Terminal, Tap
[Image label: Contactless Logo]

Chip & PIN vs. Chip & Signature
- CVM: Cardholder Verification Method
- Chip Cards can Support Multiple CVMs
- CVM by Preference (Simplified)
  1. PIN
  2. Signature
  3. No CVM
- Merchants Should Accept All (where applicable)

Debit, Fallback, and Certification
- U.S. EMV Debit Still Rolling Out
- Fallback to Magstripe
- EMV Pre-Certified Software and Hardware

MOBILE AND OTHER FORMS OF PAYMENT
Hubway

Near Field Communication (NFC)
- Subset of RFID
- Terminal
  - Initiator
  - Requires Antenna
- Card or Phone
  - Target
  - Requires Antenna
- Proximity Enables Functionality

Mobile Wallet Acceptance
- NFC
  - Apple Pay
  - Google Wallet
  - SoftCard
  - Requires NFC Terminals
- QR Codes
  - Popularized by Starbucks
  - CurrentC (MCX)
  - Requires Scanner at POS
- Changes to Kiosk Terminals
  - NFC antenna for wallets
  - Scanner for CurrentC

In-App Acceptance
- Card Not Present (CNP)
- Card on File
- Cloud Payment Service
- Automatic In-App Payments for Better Customer Experience

PayPal Acceptance
- Popular for Online Payments
- Expanding into Retail
- Consider Customer Demographics and Demand

Virtual Currency Acceptance
- Popular Virtual Currencies: Bitcoin, Litecoin, Peercoin, Ripple
- Online Wallets: CoinBase, Circle, Coin.mx
  - Associate bank or card account
  - Purchase and sell Bitcoins
- Retail Acceptance: CoinBase, BitPay, Revel

INTERCHANGE, FEES & CHARGEBACKS
Divvy

Interchange (To Issuing Banks)
- Set by Card Brands
- From Merchant to Issuing Banks
- Offsets Fraud Management Costs
- Cardholder Benefits
- Transaction % + flat fee, e.g. 1.65% + $0.10
  - Merchant Category Code (MCC)
  - Card Type (Card Brand, Prepaid, Rewards)
  - How Accepted (Swiped, Handkey, E-Commerce)
- Debit & Durbin: 0.05% + $0.22

Qualified vs Downgraded
- Transaction is Qualified when it meets requirements (qualifications) for the published interchange rate. Examples:
  - Card was Swiped
  - Settlement Batch Closed Same Day as Auth
  - Settlement Information Contains an Auth Code
  - Auth Amount = Settlement Amount
- Transaction is Downgraded when requirements are not met and receives a higher interchange rate.
- Downgrade Visibility: Statements

Acquirer Statements
- Pricing Models
  - Interchange Plus / Interchange Pass-Through: Detailed Interchange & Fees
  - Bundled / Tiered: Buckets interchange & fees into a small number of categories (Qualified or QUAL; Mid-Qualified or MQUAL; Non-Qualified or NQUAL)
- Track your Effective Rate
  - Effective Rate = Total Interchange & Fees / Card Sales Volume

Fees
- Assessments, Network Fees (To Card Brands)
  - Volume
  - MCC
  - Transaction Type
- Processing, Markup (To Merchant Bank (Acquirer))
  - Volume
  - Transaction
  - Chargebacks, Reporting, Verifications

Fees (continued)
- Gateway Fees (To Gateway Services Provider)
  - Routing
  - Connectivity
- Security Fees (To Security Provider)
  - Encryption/Decryption
  - Tokens

Interchange & Fees Example
- Cardholder: $100 E-Commerce Bikeshare Transaction
- Issuing Bank: $1.90* (CNP, 1.80% + $0.10)
- Card Brand: $0.17*
- Merchant Bank: $0.05*
- Payment Gateway & Security: $0.03*
- Bikeshare Operator Receives: $97.85*
* Representative values only

Chargebacks
- A transaction is disputed by cardholder or their bank
  - True Fraud
  - Unrecognized Charge
  - Dissatisfied Buyer
  - Delivery Issue
  - Friendly Fraud
- Merchants must prove the transaction aligns with card brand rules, pay chargeback fees
- Chargeback Monitoring Programs
- Chargeback Management Guidelines

Chargeback Steps & Key Terms
1. First Presentment: Transaction to the issuer
2. Retrieval / First Chargeback / Copy Request: Seeking proof for disputed transaction
3. Re-Presentment / Second Presentation: Transaction documentation to the issuer
4. Second Chargeback / Pre-Arbitration: Documentation didn't satisfy customer dispute
5. Arbitration: Card brands decide financial liability

Cost Reduction Considerations
- Speak with your Acquirer
  - MCC
  - CP vs CNP
  - DBA Fields: Name, Phone
- Get to Know Your Statements
  - Monitor Downgrades
  - Know your Effective Rate
  - Interchange Plus vs. Bundled/Tiered

Cost Reduction Considerations: Card Present
- Minimize Handkeys, but when necessary
  - Security Code: CVV/CVC/CID
  - Postal Code: Address Verification (AVS)
- PIN Debit, Least Cost Routing
- Level II & III for Corporate Cards
- EMV Acceptance (October 2015)

Cost Reduction Considerations: Card Not Present / E-Commerce
- Fraud Detection
  - Geolocation, Device Fingerprint, Patterns
- Consumer Authentication
  - 3-D Secure: Verified by Visa, MasterCard SecureCode, American Express SafeKey, Discover Protectbuy
  - Cardholder Enrollment
  - EMVCo Taken Ownership of Specifications
- Send More Data to the Issuing Bank
  - Address Verification (AVS)
  - Security Code: CVV/CVC/CID
  - Level II & III for Corporate Cards

SUMMARY
Nice Ride Minnesota

Key Takeaways
- Payments is complex with many solutions for acceptance that impact customer experience
- Bankcard processing involves the Acquiring Bank, Card Brand, and Issuing Bank
- PCI DSS is a requirement for all businesses accepting bankcards for payment
- Encryption and Tokenization are emerging security practices to prevent data theft

Key Takeaways (continued)
- EMV liability shift begins October 2015
- Accepting EMV and NFC may require upgrades to kiosk payment terminals
- Monitor your Downgrades
- Monitor your Effective Rate
- Thoughtful selection of vendors and payment partners helps contain costs

For More Information
- North American Bikeshare Association, www.nabsa.net
  Bill Dossett, 612.436.2074, bdossett@niceridemn.org
- Mantrana Partners, www.mantranapartners.com
  Lora Vigil, Mark Ericksen, 800.844.8240, partners@mantranapartners.com

Resources
- Payment Industry Glossary (provided by First Data)
  http://www.firstdata.com/downloads/thought-leadership/payments-glossary.pdf
- Payments Dictionary (provided by Vantiv)
  http://info.vantiv.com/rs/vantiv/images/payments-dictionary.pdf
- PCI Security Standards Council
  https://www.pcisecuritystandards.org/
- EMVCo
  http://www.emvco.com/
- Visa TIP Program
  http://usa.visa.com/merchants/protect-your-business/cisp/merchant-pci-dss-compliance.jsp
- Near Field Communication
  http://standards.iso.org/ittf/publiclyavailablestandards/c056692_iso_iec_18092_2013.zip
- Interchange Rates
  http://usa.visa.com/merchants/merchant-support/interchange-reimbursement-fees.jsp
  http://www.mastercard.us/merchants/support/interchange-rates.html
- Chargeback Guidelines
  http://usa.visa.com/download/merchants/chargeback-management-guidelines-for-visa-merchants.pdf
  http://www.mastercard.com/us/merchant/pdf/tb_cb_manual.pdf

THANK YOU!
Questions?
citi bike, NYC Bike Share