EMV in Hotels
Observations and Considerations

Just in: EMV in the Mail
Customer Education: Credit card companies have already started customer training for the new smart cards.
Questions to be Answered
- What is EMV?
- What does the October Mandate mean?
- What will EMV look like?
- How does EMV help?
- Will EMV cost me more?
- How does EMV help with security and with my PCI Audit?
- Should I implement EMV sooner than later?

Glossary of Terms
- EMV = Europay, MasterCard and Visa
- EMV Dip = the insertion of the chip card into the new card readers
- CVM = card verification method
- Chip and PIN = dipping the EMV card and entering your PIN
- Chip and Signature = dipping your EMV card and simply signing the receipt
- Smart cards = EMV cards
- Card Present = credit card transactions when the credit card is physically in hand
- Card Not Present = any other transaction where the credit card is physically not present
- P2PE = Point-to-Point Encryption; prevents both manual and swiped credit card data from being stolen
- Tokenization = replaces credit card numbers in databases with values that only the hotel system can understand and use
What is EMV?
- EMV started in France in about 1992, when 3 organizations came together to create a standard for credit card payments designed to:
  - combat fraud
  - process offline
- EMV was legally mandated and adopted in Europe in 2005.
- EMV utilizes an embedded chip on the card rather than the magnetic stripe on the back of the credit card.
- EMV transactions involve inserting the payment card into a slot on the payment terminal and allowing the applications on the card's chip to interact with the applications on the payment terminal; in some cases, communication to the outside world is not needed.
- An EMV transaction involves verifying not only that the card is valid, but that the cardholder is valid as well.

What is the U.S. October 2015 Mandate?
- The U.S. mandate is not a legal mandate; rather, it is a set of merchant incentives that encourage merchants to adopt the chip technology.
- There are no fines or penalties associated with EMV deployment yet.
- There are some real benefits for hoteliers for implementing EMV:
  - Chargeback liability relief
  - Limited credit card breach protection
  - Opportunity to upgrade to newer terminals that can do more
October 2015 and Liability Benefits
- Visa (October 2015): The party that is the cause of a contact chip transaction not occurring will be financially liable for any resulting card present counterfeit fraud losses. Does not include automated fuel dispensers (AFD).
- MasterCard (October 2015): MC ADC relief takes effect (100%). If at least 95% of MasterCard transactions originate from EMV compliant POS terminals, the merchant is relieved of 100% of ADC penalties. MC liability hierarchy takes effect (excluding AFD).
- American Express (October 2015): American Express will institute a fraud liability shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology.
- Discover (October 2015): Discover will institute a FLS. This FLS policy will be a risk based payments hierarchy that benefits the party that leverages the highest level of available payments security.

What does EMV do?
The chip technology accomplishes several basic things:
- Better authenticates the card and the cardholder (especially if PINs are used)
- Better supports offline processing
- Prevents fraudulent card duplication
- Forces upgrades to old technology
EMV Fraud Behavior Shifts
[Figure: timeline marked 2005, 2010, 2012, 2015]
Credit fraudsters will always look for the weakest link to try to ply their trade.

Chip and PIN vs Chip and Signature
- Chip and PIN: card insertion + PIN input (more secure)
- Chip and Signature: card insertion + receipt signature (either electronic or paper signature) [less secure]
- Most of the world's EMV implementations operate in Chip and PIN mode.
- The US will implement both, but most card brands are expected to be primarily Chip and Signature, so Chip and Choice.
- The decision whether a consumer is to use Chip and PIN or Signature is made by a number of factors:
  A. The Issuing Bank: decides the CVM embedded in the card's chip
  B. The merchant who deploys the terminals that can take a PIN
  C. The Gateway (if applicable) who is the liaison between the merchant and the banking networks
Why Chip and Choice?
- The Durbin Amendment to the Dodd-Frank Financial Reform Act requires that a choice be given to merchants on how they wish to process debit transactions. Debit transactions are very close to EMV transactions, therefore, Chip and Choice.
- Resetting of the PIN: In most of the rest of the world, Chip and PIN started with the ATM infrastructure. This allowed cardholders to reset their PIN numbers easily at the ATM if and when they needed to do it for a myriad of reasons.
- Payment experience in many locations.
- Customer familiarity and convenience vs EMV security.

EMV Devices choices
EMV Players

What's Taking So Long?
- EMV certifications are lengthy: there are approximately 2500 individual tests that need to be run and passed to become validated.
- As the deadline approaches and the technology players finish their sprints to meet customer demand, the certification queues are filling up and many companies are in line waiting for certification resources.
- Each EMV certification requires each card type to be certified with each device with each processor (and gateway if applicable).
- Any changes to hardware or software in the EMV transaction path require full recertification.
- Many industry experts assumed that the U.S. would mimic Europe and Canada and defer the EMV mandate for several years; apparently that is not happening so the is on.

EMV Integrated vs Stand Alone

Stand Alone
- Many banks offer stand-alone or stand-beside terminals to process EMV. These devices are sold by the credit processor and the EMV transaction would connect directly.
- Devices and direct processing are typically cheaper (fees and hardware).
- Terminals are not integrated, so a manual porting over of data into the PMS would need to occur.
- Stand-alone terminals tend to lock in a merchant with their credit processor since moving to another processor might be more difficult.
- Credit processors may typically only offer limited device choice.
- Credit processors tend to treat everyone like retail and do not typically offer hotel grade security products.

Integrated
- Integrated solutions tend to require a gateway in between the PMS and the credit processor.
- Gateways tend to make function and reporting more seamless to the users.
- Gateways also tend to offer more choice of credit processors, better and more tailored security, better and more tailored support, and a variety of device choices.
- Disadvantages of gateways are that they tend to increase costs and dictate when choices are available.
Will EMV Cost More?
Yes. Costs will definitely increase.
Fact: everyone's costs are expected to increase.
- Banks: chip cards cost more to produce
- Credit processors: the processing infrastructure needs to accommodate the new data and support
- Gateways: processing infrastructure, equipment deployment, configuration, support, and training
- Device manufacturers: new terminals are more powerful and can do more. For example: NFC, scrolling advertisements, and offline.
- Property management system manufacturers: supporting EMV might require a version upgrade, installation and configuration costs, network configuration and maintenance, and training
- No one is expected to eat the increased costs, which will likely result in an increase of fees and service charges
- Hidden costs? New security measures: keeping a safe at the front desk?

EMV in Hotels: What does it look like?
- EMV will require new credit card devices on the front desk. Affixed to the front desk or tethered behind the counter?
- EMV and Mobile. Networking, Bluetooth vs Wi-Fi, and device addressing will require significant thought and configuration.
- EMV and Speed. The EMV authorization process is slower than today's magstripe authorization due to conversation or prompting between the device and the customer.
- Hotel and Fraud. Hotels generally do not have a card present fraud problem (someone checking in with a counterfeit plastic credit card). Recent published hotel fraud rates are less than a basis point.
- Front Desk Future? EMV is technology to enhance a process the hotel industry has been trying to get rid of for decades: the front desk check-in process.
Hotels Are Generally NOT Card Present

Card Not Present
- CRS Reservations
- Card on File authorizations
- Batching/Settlements
- Call Center reservations
- Hotel Website reservations
- Incremental authorizations
- Authorization reversals
- Advance Deposits
- Back office accounting
- Refunds
- Loyalty/Membership signups

Card Present
- Check in: swiped or EMV dipped
- Check in: manual card entry

[Chart labels, in the order shown: EMV Eligible, Card Not Present, Magstripe or manual entry. Chart values, in the order shown: 9%, 67%, 24%.]

EMV's Effect on PCI
- Both Visa and MasterCard have offered programs to promote early adoption of EMV. These programs, while not eliminating any of the requirements of PCI, do provide merchants with latitude on validating their requirements.
- In order to qualify a hotelier must have:
  - an EMV solution fully implemented for both contact and contactless cards
  - the bulk of the merchant's card present transactions must originate through dual interface chip enabled terminals. The exact percentage of transactions is available on the Visa and MasterCard websites.
- While the merchant can gain some relief in the validation process, these programs in no way affect the base merchant requirement to maintain a fully PCI compliant payment card environment.
The Role of Current PCI Technologies
- Tokenization: replaces card numbers in databases with tokens
- Point-to-Point Encryption: from the point of contact with the card reading device, the card data is wrapped in encrypted technology
- Hosted Payment Pages: direct posting of credit card on websites for tokenization
- Reservation Tokenization: tokenizing directly with reservation systems
- Call Center and Accounting Encryption: deploying cheap encrypting keyboard pads to encrypt manual input of credit cards for call centers, reconciliation centers, accounting, etc.
- Email and Paper Fax Tokenization: scrubbing emails and faxes of credit card numbers (sales and catering bookings, room bookings from third parties, etc.)
- Corporate Card Reporting Tokenization: tokenizing the corporate card files that are transmitted to companies that specialize in processing those files
- + EMV? (why not?)
EMV will add to the security mix, but is not by itself the security magic bullet.

Where Are Breaches Happening?
[Chart: breaches by merchant category (Restaurants, Other Retail, QSRs, B2B, Supermarkets, Lodging) for 2011, 2012, 2013 and Jun 14]
* Courtesy of Visa
The Hotel Omni Channel Security Challenge
PRE TOKENIZATION AND OTHER SECURITY TECHNOLOGIES
[Diagram of hotel payment channels: Call Center Reservations, Sales & Catering, Spa, Loyalty and Membership, GDS/ADS, Golf, Hotel PMS, Hotel Website, Ecommerce, Corporate Card Reporting, Back Office, Retail, Restaurant, Direct Reservations]

The Hotel Omni Channel Security Challenge
AND WHAT CURRENT SECURITY TECHNOLOGIES + EMV SOLVE
[Diagram of the same hotel payment channels]
EMV: Is it too late?
- EMV is being mandated by October of 2015, but is it too late?
- There are a myriad of competing technologies emerging.
- How much technology are merchants, especially hoteliers, willing to support and spend for?

Why you should deploy EMV NOW?
- EMV will help reduce your card present fraud
- You will play your part in preventing others from being victims of card fraud
- You will get chargeback relief and in some cases breach protection (MasterCard if PIN is supported)
- The credit industry and government may someday force you to. Currently, there are incentives to implement EMV. However, if Europe is an example, retailers did not truly invest in the technology until fines and penalties were involved. Are we any different?
- Brand reputation: there is so much misinformation out there about what EMV does that not implementing it may lead your guests to think you don't care about security
- There might be residual PCI benefits
Hoteliers: why you should wait on EMV?
- The October liability shift doesn't do much for hotels since they don't have a fraud problem in the first place
- The longer hotels wait to deploy EMV, the:
  - greater device choice hotels will have
  - greater credit processor choices hotels will have
  - greater competition will be among gateways and processors, which in turn is expected to drive costs down
- Adoption: will consumers embrace the new process? The 2015 usage of EMV chip cards is expected to be pathetically low. 2016 will increase exponentially, but will the usage outweigh the costs of deploying the new technology?
- In the scramble to get EMV out, will the industry get it right? EMV in the hotel world is still relatively new, especially in an integrated fashion and especially in a market as big as the U.S.

What YOU should do?
- Fact: you are going to have to support this technology someday
- Some may have no choice but to implement EMV (corporate mandates are an example)
- Find trusted advisors and ask tough questions
- Perform cost/benefit analysis of implementing or not
- Inform yourself: read security blogs, opinion articles, ask vendors serious questions on implementation timing, device availability, costs, support, and training
- Understand what happens if you decide to delay or defer
- Don't panic