Post on 29-Jun-2020
transcript
EMV: Past, Present and Future
EMV Basics
CONFIDENTIAL AND PROPRIETARY
© Copyright 2015 Vantiv, LLC. All rights reserved. Vantiv, the Vantiv logo, and all other Vantiv product or service names and logos are
registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. ® indicates USA registration.
Disclaimer: This communication, including any content herein and/or
attachments hereto, is provided as a convenience only, does not constitute legal advice
and does not create an attorney-client relationship. Because of the generality of this
communication, the information provided herein may not be applicable in all situations
and does not constitute a comprehensive list of issues that could impact your business.
As such, and to understand how the information in this communication may impact your
business, you are encouraged to seek the advice of your legal counsel, compliance
and/or other subject matter expert based on the facts and circumstances of your
organization's particular situation.
Agenda
• What EMV is
• Global Impact
• How EMV Works
• Network Rules
• EMVCo Initiatives
What is EMV?
Brief History of Chip Cards
• Chip-based payment cards introduced in the 1980s
› High communications costs and unreliable service
› Offline processing susceptible to fraud
• Specifications developed country by country
› Interoperability issues
• Europay, MasterCard and Visa
› Joint effort to develop common specification
› EMVCo formed in 1999
• Now includes Amex, Discover, JCB and CUP
What is EMV?
• International standard defining interoperability of secure transactions
› Introduces dynamic data and cryptography to the transaction
› Devalues transaction data; reducing risk of counterfeit fraud
• Worldwide adoption, including U.S. neighbors Canada and Mexico
› Affecting U.S. multinational retailers
• Enabler of future payments types
› Contactless, Mobile
• Chip & PIN ≠ EMV
What is EMV?
• Chip on card uses cryptography to provide security
• Utilizes two forms of cryptography
› Digital signatures – ensure data is authentic
› Encryption – ensures data is kept confidential
• Digital signature devalues the data
› Even if data is intercepted, the signature cannot be replicated
• Encryption is only used to protect the PIN
› EMV does not encrypt all transaction data
EMV in the Security Equation (diagram)
Threats, grouped as Fraud and Theft, each paired with a control:
• Fraud – Counterfeit Cards: EMV Chip
• Fraud – Lost/Stolen Cards: EMV PIN
• Theft – Account Data Compromise: P2PE / Tokens
• Theft – System Breach and Physical Attacks: Policy & Inspection
Global Impact of EMV
Market Drivers for EMV
• Counterfeit, lost and stolen fraud losses
› Today, issuers are liable for counterfeit fraud-related losses
› Liability will shift to the merchant if not EMV enabled
› PIN protects against lost and stolen fraud
• Global interoperability of chip cards and payment devices
› Worldwide standard used by most developed economies
› Support for international commerce
• Contactless and mobile payment schemes
Global Fraud Trends (charts)
Counterfeit fraud volume (Visa only), change from 2004 to 2011:
• Europe (liability shift in 2005): -56%
• Asia Pacific (liability shift in 2006): -52%
• U.S. (liability shift in 2015): +307%
U.S. and rest-of-world sales volume, 2012: U.S. $5.1T, ROW $16.5T
U.S. and rest-of-world fraud volume, 2012: U.S. $5.3B, ROW $5.9B
Canadian Fraud Trends (chart)
• 2008-2010: holiday fraud peaks
• 2011: holiday fraud significantly reduced
U.S. Fraud Trends
As EMV migration nears completion in Canada, Europe and parts of Asia, U.S. cross-border counterfeit fraud shows significant growth.
Chart: Visa U.S. domestic counterfeit fraud, 2009 to 2011 (y-axis $0 to $160M). Source: Visa.
What’s the Risk?
Impact on Card Not Present
• Increase in CNP fraud is driving other solutions*
› 3-D Secure
› Tokenization
› Chip authentication devices
* Retail Payments Risk Forum Working Paper, Federal Reserve Bank of Atlanta, January 2012
EMV Around the World (1)

Region                     Cards    EMV rate   Terminals   EMV rate
Canada and LAC             471M     54.2%      7.1M        84.7%
Asia Pacific               942M     17.4%      15.6M       71.7%
Africa & the Middle East   77M      38.9%      0.7M        86.3%
Europe Zone 1              794M     81.6%      12.2M       99.9%
Europe Zone 2              84M      24.4%      1.4M        91.2%
United States (2)          17M      <2.0%      2M          ~20%
Totals (3)                 2.37B               37M

(1) Figures reported in Q4 2013 and represent the latest statistics from American Express, Discover, JCB, MasterCard, UnionPay and Visa, as reported by their member financial institutions globally.
(2) US figures are EMF estimates for 2013.
(3) Totals do not include data from the US.
How EMV works
Contact EMV, Part 1
• An EMV card is inserted into a terminal
› Application Selection
• The chip in the card contains the account data
› Initiate Application Processing
• Chip data is accessed by the terminal
› Read Application Data
• Chip creates a unique code,
or “cryptogram”, and sends
to the issuer (or not)
› Offline Authentication
Contact EMV, Part 2
• Cardholder is verified by the card (or not)
› Cardholder Verification
• Terminal determines need to process online
› Terminal Risk Mgmt & Terminal Action Analysis
• Card decides to approve or go online
› Card Action Analysis
• If card approves, complete transaction
› Completion
Contact EMV, Part 3
• If online, issuer validates the cryptogram and PIN
› Issuer Authentication
• Issuer approves the transaction and sends a
response cryptogram back to the card
› Completion
• Issuer scripts processed by card
› Script Processing
› Tags 71 and 72, <= 128 bytes
• The card is removed when
the transaction is completed
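The three "Contact EMV" slides above, together with the later "EMV Card Authentication" and "EMV Authorization/Approval" slides, describe one exchange: the card MACs the terminal's data with a per-transaction session key, the issuer recomputes that cryptogram (ARQC) and answers with a response cryptogram (ARPC). One caveat to the earlier "digital signature" wording: in EMV Book 2 the online cryptogram is a MAC under a symmetric card key shared with the issuer; RSA signatures are used in offline data authentication (SDA/DDA/CDA), the "dynamic security certificate" of the card-authentication slide. The following is an added example, not code from this deck, from Vantiv or from EMVCo. It assumes HMAC-SHA256 in place of the 3DES key derivation and DES-based MAC the specification uses, a fixed offline floor in place of the card's offline counters, and constructed keys, PAN, amounts and unpredictable numbers.

```python
"""Contact EMV online flow: card-side GENERATE AC, issuer authentication
of the ARQC, and the ARPC the card checks on the way back.

Assumptions (added example, not Vantiv's or EMVCo's code):
- HMAC-SHA256 stands in for the 3DES key derivation and DES MAC of EMV
  Book 2; the structure (issuer master key -> ICC master key -> session
  key per ATC -> 8-byte MAC over terminal data) is what the real scheme does.
- The card approves offline below a fixed floor; real cards use counters.
- Keys, PAN, amounts and unpredictable numbers are constructed test data.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def _kdf(key: bytes, data: bytes) -> bytes:
    """Key derivation stand-in (assumption: HMAC-SHA256, not 3DES)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _mac8(key: bytes, data: bytes) -> bytes:
    """8-byte cryptogram stand-in for the EMV DES MAC (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def cdol_data(amount: int, currency: int, tvr: bytes, un: bytes, atc: int) -> bytes:
    """Subset of a typical CDOL1: amount, currency, TVR, terminal Unpredictable
    Number and the card's ATC. UN and ATC are why each cryptogram is unique."""
    return (amount.to_bytes(6, "big") + currency.to_bytes(2, "big")
            + tvr + un + atc.to_bytes(2, "big"))


@dataclass
class Card:
    pan: str
    psn: str
    icc_master_key: bytes      # personalized by the issuer
    atc: int = 0               # Application Transaction Counter (tag 9F36)
    offline_floor: int = 2000  # simplified card-side offline criterion (cents)

    def generate_ac(self, amount: int, currency: int, tvr: bytes, un: bytes):
        """Card Action Analysis: returns (cryptogram type, ATC, cryptogram)."""
        self.atc += 1
        sk = _kdf(self.icc_master_key, self.atc.to_bytes(2, "big"))
        ac = _mac8(sk, cdol_data(amount, currency, tvr, un, self.atc))
        # TC = approve offline, ARQC = ask the issuer.
        kind = "TC" if tvr == bytes(5) and amount < self.offline_floor else "ARQC"
        return kind, self.atc, ac


@dataclass
class IssuerHost:
    issuer_master_key: bytes
    last_atc: dict = field(default_factory=dict)  # highest ATC seen per PAN

    def card_key(self, pan: str, psn: str) -> bytes:
        """ICC master key derived from the issuer master key (personalization)."""
        return _kdf(self.issuer_master_key, (pan + psn).encode())

    def authorize(self, pan, psn, amount, currency, tvr, un, atc, arqc):
        """Issuer Authentication: recompute the ARQC from the same inputs,
        reject stale ATCs (replay), and return (approved, ARPC)."""
        sk = _kdf(self.card_key(pan, psn), atc.to_bytes(2, "big"))
        expected = _mac8(sk, cdol_data(amount, currency, tvr, un, atc))
        if not hmac.compare_digest(expected, arqc):
            return False, None               # wrong key or altered data
        if atc <= self.last_atc.get(pan, 0):
            return False, None               # cryptogram already used
        self.last_atc[pan] = atc
        # ARPC: MAC over the ARQC and the response code, checked by the card in
        # EXTERNAL AUTHENTICATE (simplified form of Book 2 Method 1).
        return True, _mac8(sk, arqc + b"00")


def demo() -> dict:
    """Genuine purchase, two replay attempts, an amount tamper, and an
    offline-approved low-value purchase. All values are constructed."""
    issuer = IssuerHost(issuer_master_key=bytes(range(16)))
    pan, psn = "4111111111111111", "01"
    card = Card(pan, psn, issuer.card_key(pan, psn))   # issuer personalizes card
    usd, clean_tvr = 840, bytes(5)
    un1, un2 = bytes.fromhex("1a2b3c4d"), bytes.fromhex("9e8f7a6b")

    kind, atc, arqc = card.generate_ac(2500, usd, clean_tvr, un1)   # $25.00
    genuine, arpc = issuer.authorize(pan, psn, 2500, usd, clean_tvr, un1, atc, arqc)
    # Replay at another terminal: new UN, so the MAC no longer matches.
    replay_new_un, _ = issuer.authorize(pan, psn, 2500, usd, clean_tvr, un2, atc, arqc)
    # Replay with the original UN: MAC matches, but the ATC is stale.
    replay_same, _ = issuer.authorize(pan, psn, 2500, usd, clean_tvr, un1, atc, arqc)
    # Fresh cryptogram, amount altered in transit.
    _, atc2, arqc2 = card.generate_ac(2500, usd, clean_tvr, un2)
    tampered, _ = issuer.authorize(pan, psn, 2600, usd, clean_tvr, un2, atc2, arqc2)
    # $5.00 with a clean TVR: card approves offline (TC), no issuer contact.
    low_kind, _, _ = card.generate_ac(500, usd, clean_tvr, un1)
    return {"genuine": genuine and arpc is not None, "first_kind": kind,
            "replay_new_un": replay_new_un, "replay_same_un": replay_same,
            "tampered": tampered, "low_value_kind": low_kind}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the replay cases is the "devalues the data" claim from the earlier slide: a captured ARQC is useless at a second terminal because the unpredictable number differs, and useless even at the same terminal because the issuer tracks the ATC. Real issuer hosts also use ATC windows rather than strict monotonic checks, to tolerate offline transactions that never reached the host.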
And now a word on Fallback
• Technical Fallback
› Terminal cannot read chip
› Terminal prompts cardholder to swipe card
• CVM Fallback
› PIN Try Counter on card is exceeded
› PIN Entry Bypass is used
› Issuer personalizes the card to decide:
• Decline
• Fallback to Signature
• No CVM
Contactless and Mobile
• A chip can be on a contactless card
• A chip can be in a smart phone
• Device is tapped or held near the terminal
• Cardholder experience similar to today
EMV Introduces New Security Functions
1 Card Authentication Security
2 Cardholder Verification Options
3 Authorization Options
4 Contact, Contactless, and Mobile Technology
EMV Card Authentication
1 Online Card Authentication (card – terminal – issuer host)
• Card generates an EMV dynamic cryptogram
• Terminal forwards it in the online authorization
• Issuer host validates the EMV dynamic cryptogram
Offline Card Authentication (optional; card – terminal)
• Card provides the terminal a dynamic security certificate
• Terminal validates the dynamic security certificate
2 Cardholder Verification (CVM): is the cardholder the right person?
EMV CVM List
• Signature
• Online PIN
• Offline PIN
• No CVM
• More than one CVM supported on card
• Issuers choose CVMs to support
• Issuer chooses the priority of CVMs
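The "CVM Fallback" bullets on the fallback slide and this CVM List slide describe the same mechanism from two sides: the issuer personalizes an ordered list of CVM rules on the card (tag 8E), and the terminal walks that list, with each rule carrying an "apply the next rule if this one fails" bit that encodes the issuer's decline / fall back to signature / no-CVM choice when the PIN Try Counter is exhausted or PIN entry is bypassed. The following is an added example, not code from this deck or from Vantiv: a CVM List processor in Python implementing the rule format of EMV Book 3 for a subset of the condition codes. The four sample lists, the terminal capability sets and the PIN Try Counter values are constructed for the example.

```python
"""CVM List (tag 8E) processing per EMV Book 3: amount X (4 bytes), amount
Y (4 bytes), then 2-byte rules in the issuer's priority order. Rule byte 1:
bit 0x40 = apply the next rule if this one fails, low 6 bits = CVM code;
byte 2 = condition code. Added example; sample lists, terminal capabilities
and PIN Try Counter values are constructed, and only a subset of the
condition codes is implemented.
"""
from dataclasses import dataclass

APPLY_NEXT = 0x40
CVM_CODES = {0x00: "fail", 0x01: "offline_plaintext_pin", 0x02: "online_pin",
             0x04: "offline_enciphered_pin", 0x1E: "signature", 0x1F: "no_cvm"}
PIN_ON_CARD = {"offline_plaintext_pin", "offline_enciphered_pin"}


@dataclass
class Terminal:
    supports: set               # CVM methods the terminal can perform
    amount: int                 # in minor units of the application currency
    pin_try_counter: int = 3    # as read from the card (tag 9F17); 0 = exhausted
    pin_bypassed: bool = False  # cardholder used PIN entry bypass


def condition_holds(cond: int, t: Terminal, x: int, y: int, method: str) -> bool:
    """00 always; 03 if terminal supports the CVM; 06/07 under/over X;
    08/09 under/over Y. Other codes are treated as not met."""
    table = {0x00: True, 0x03: method in t.supports,
             0x06: t.amount < x, 0x07: t.amount > x,
             0x08: t.amount < y, 0x09: t.amount > y}
    return table.get(cond, False)


def perform(method: str, t: Terminal) -> bool:
    """Run the method. Offline PIN cannot succeed once the card's PIN Try
    Counter is 0 or the cardholder bypassed PIN entry (the CVM fallback case)."""
    if method == "no_cvm":
        return True
    if method == "fail" or method not in t.supports:
        return False
    if method in PIN_ON_CARD and (t.pin_try_counter == 0 or t.pin_bypassed):
        return False
    return True


def select_cvm(cvm_list: bytes, t: Terminal):
    """Walk the list; return (method, succeeded). If a rule fails and its
    APPLY_NEXT bit is clear, stop there with succeeded=False (the terminal
    then sets 'cardholder verification failed' in the TVR)."""
    if len(cvm_list) < 8 or (len(cvm_list) - 8) % 2:
        raise ValueError("malformed CVM List")
    x = int.from_bytes(cvm_list[0:4], "big")
    y = int.from_bytes(cvm_list[4:8], "big")
    for i in range(8, len(cvm_list), 2):
        b1, cond = cvm_list[i], cvm_list[i + 1]
        method = CVM_CODES.get(b1 & 0x3F, "unknown")
        if not condition_holds(cond, t, x, y, method):
            continue                      # condition not met: skip the rule
        if perform(method, t):
            return method, True
        if not b1 & APPLY_NEXT:
            return method, False
    return None, False


# Constructed CVM Lists (X = Y = 0 unless noted); issuer priority is the order.
PRIORITY = bytes.fromhex("0000000000000000" "4103" "4203" "1E03" "1F00")
PIN_ELSE_DECLINE = bytes.fromhex("0000000000000000" "0103")
PIN_ELSE_SIGNATURE = bytes.fromhex("0000000000000000" "4103" "1E00")
PIN_ELSE_NO_CVM = bytes.fromhex("0000000000000000" "4103" "1F00")
LOW_VALUE = bytes.fromhex("000009C4" "00000000" "1F06" "4200")  # X = 2500


def demo() -> dict:
    full = {"offline_plaintext_pin", "online_pin", "signature"}
    online_only = {"online_pin", "signature"}
    exhausted = Terminal(full, 2500, pin_try_counter=0)
    return {
        # offline PIN is first priority, but this terminal cannot do it
        "priority_online_terminal": select_cvm(PRIORITY, Terminal(online_only, 2500)),
        # PIN Try Counter exhausted: the three issuer personalization choices
        "ptc_exhausted_decline": select_cvm(PIN_ELSE_DECLINE, exhausted),
        "ptc_exhausted_signature": select_cvm(PIN_ELSE_SIGNATURE, exhausted),
        "ptc_exhausted_no_cvm": select_cvm(PIN_ELSE_NO_CVM, exhausted),
        # PIN entry bypass with a live counter takes the same fallback path
        "pin_bypass": select_cvm(PIN_ELSE_SIGNATURE, Terminal(full, 2500, pin_bypassed=True)),
        # amount-dependent rule: no CVM under X, online PIN otherwise
        "low_value": select_cvm(LOW_VALUE, Terminal(online_only, 1000)),
        "high_value": select_cvm(LOW_VALUE, Terminal(online_only, 5000)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `PIN_ELSE_*` lists differ only in the rule after offline PIN and in whether the PIN rule sets APPLY_NEXT; that single bit is how the issuer "personalizes the card to decide" between decline, signature and no CVM.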
2 Online vs. Offline PIN
EMV Online PIN
• PIN stored and validated at the issuer host; the PIN is sent encrypted to the host
• Works the same as mag-stripe host-based PIN
• No system changes required
• U.S. is an online market
• All EMV cards use online PIN for ATM
EMV Offline PIN
• PIN stored and validated on the chip
• Most offline PIN transactions still go online for authorization
• Changes required:
› PIN selection/activation process
› Customer PIN communications
› Offline PIN change process
› Synchronization with online PIN
› Add ability to send PIN and PIN counter updates to the card
EMV Authorization/Approval
3 Transaction approval process: issuers can make better decisions with the risk data provided in EMV transactions
(1) Online Authorization
• Works much like a magnetic stripe transaction
• New EMV data is sent to the host
• Dynamic authentication technology is used
• New risk assessment rules are enabled
(2) Offline Authorization (optional)
• The card authorizes the transaction
• No communication with the host system for authorization
• Card contains offline authorization criteria and counters
Liability Shifts, PCI Validation Waivers and Account Data Compromise Relief
Brand Roadmaps
Four brand timelines (brand labels were not preserved in the extraction; AFD = automated fuel dispensers):
Roadmap 1
• April 2013: Processors must support EMV
• April 2015: 3rd-party ATM must support EMV
• October 2015: Liability shift for counterfeit transactions
• October 2017: Liability shift for AFD; liability shift for ATM
Roadmap 2
• April 2013: Processors must support EMV; international ATM liability shift
• October 2015: Liability shift for counterfeit transactions
• October 2016: Liability shift for ATM
• October 2017: Liability shift for AFD
Roadmap 3
• April 2013: Processors must support EMV
• October 2015: Liability shift for counterfeit transactions
• October 2017: Liability shift for AFD
Roadmap 4
• April 2013: Processors must support EMV
• October 2015: Liability shift for counterfeit transactions
• October 2017: Fuel liability shift
A Durbin-compliant debit solution has been released by the EMV Migration Forum
Liability Shift
• Counterfeit fraud liability is assigned to the least secure party
• Standard rules apply when both parties are equally secure
• Inclusion of PIN adds the lost/stolen liability shift
› EMV w/PIN > EMV w/Sig > Mag stripe
• Visa only states that the party not using EMV technology is liable
PCI Validation Waiver
• PCI validation waiver (October 2012)
› Visa, MasterCard
• PCI validation waiver (October 2013)
› Discover, American Express
› 75% of transactions must originate from EMV-enabled terminals
› Must support both contact and contactless transactions
› Exempts eligible merchants from the annual PCI DSS validation requirement
• For MasterCard, "eligible" merchants are Level 1/Level 2 merchants
› All merchants are required to maintain ongoing PCI DSS compliance
MasterCard Account Data Compromise Relief
• October 2013
› MasterCard allows account data compromise relief if 75% of transactions come from compliant terminals
› 50% relief on fines and repayment to issuers for breached accounts
• October 2015
› MasterCard allows account data compromise relief if 95% of transactions come from compliant terminals
› 100% relief on fines and repayment to issuers for breached accounts
The program only covers the operational and fraud-recovery portion of a breached merchant's liability. It does not apply to investigation costs, remediation expenses or non-compliance fines.
EMVCo
EMVCo Initiatives
• EMV Next Generation
› Contact/contactless convergence
› Simplified terminal implementations
› Cryptography (ECC)
• Mobile & mPOS
› Guidance for mPOS development
• Tokenization
› Develop a specification to support secure, interoperable transactions
Questions