A Roadmap to a Uniform Payments Standard
Deborah Baxley May 10, 2012
Financial Services
Deborah Baxley, Principal, Consulting Services
Capgemini Financial Services USA Inc., 623 Fifth Ave., 33rd Fl, New York, NY 10022 USA
Mob. +1 914.646.4732 – Fax +1 845.622.3520
Twitter: @debbaxley www.capgemini.com
CE v6.3
Capgemini operates in 40 countries across five industry sectors, including financial services
International thought leadership
Annual World Payments Report
Mobile Payments – Are you ready for the early majority?
Cards CoE
Market capture
Infrastructure
Knowledge Management
Solution development & Innovation
Training & certifications
Associate management
Client delivery
Global Centre of Excellence
Global network of 17,000 FS professionals with >4,000 dedicated in the card payment practice
A snapshot of Capgemini clients in the card payments area
Vendor / Platform analysis
Vendor selection
Sourcing strategy
Platform consolidation
Architecture
Chip & Mobile Strategy
Business & technology strategy
Performance data
Operational partnership
Outsourcing
Distribution models
Data conversion
International client portfolio entails cards and payments success stories in business transformations and complex conversion
US$ 12.6 billion 2010 revenue
More than 108,000 people worldwide
© 2012 Capgemini – All rights reserved 2
U.S. payments stakeholders, notably merchants, issuers, and mobile operators are seeking industry consensus on a payments standard
Drivers for Payments Roadmap
• Battle for supremacy: NFC vs. cloud-based mobile payments
• Press-worthy security breaches
• Tepid adoption of contactless payments
• Recent EMV announcements from Visa, MasterCard and Discover
This talk will discuss a potential U.S. payments roadmap, incorporating the sometimes-conflicting views of the Merchant Advisory Group, the Smart Card Alliance, and the payment networks.
Stakeholder Questions
“How does the future of payments in the U.S. impact my business?”
“How should I prepare?”
Roadmap Options
• EMV
• Chip & PIN
• Signature
• Contactless
• Cloud vs. NFC
• Dynamic security measures

According to Mercator, the U.S. is “the gray gaping hole in the EMV ship”
EMV Adoption Rates by Region
• 26.4% of cards, 55.6% of terminals
• 65.4% of cards, 84.7% of terminals
• 13.7% of cards, 62.5% of terminals
• 26.6% of cards, 41.6% of terminals
• 11.5% of cards, 61.2% of terminals
Source: EMVCo. Figures reported as of September, 2010 and represent the latest statistics from American Express, JCB, MasterCard and Visa as reported by their member financial institutions globally. Figures do not include data from the United States.

The term “Chip and PIN” is sometimes misunderstood - PIN is not required by EMV or chip cards
What About “Chip & PIN”?
Alternatives supported by EMV standards:
• Online PIN: encrypted by PIN pad and sent online to the issuer host for validation
• Offline PIN: sent directly to chip card for validation by chip – PIN never sent to host, only result is sent
• Signature only: Card determines whether PIN is required based on terminal support and transaction characteristics
Additional points:
• ATMs typically require online PIN
• Chip protects from counterfeit fraud by enabling card authentication
• PIN protects from lost and stolen fraud by verifying that the correct cardholder is using the card
Source of logo: www.chipandpin.co.uk

U.S. more likely to adopt EMV than ever before
Five Main Drivers of U.S. EMV Adoption
1. Increasing fraud
• Cross-regional fraud migration from Europe, Latin America, Canada
• Organized fraud attacks on networks prove that PCI DSS is not sustainable
2. Customer and merchant demand
• U.S. payment card issuers missed out on nearly $4 billion in 2008 charge volume, ~$78.7 million in interchange fees, because of problems cardholders had with their cards while traveling abroad¹
• International customers using EMV cards at U.S. merchants and ATMs
• Large merchants loudly demanding a change
3. Declining costs
• Cost of conversion dropping rapidly: card level, software, terminals
• Contactless acceptance and PCI compliance priming the pump
• NFC mobile payments simultaneously lower issuer costs and threaten the traditional payments franchise
4. Regulatory incentives
• Durbin Amendment disadvantages signature vs. PIN debit; fraud and card reissuance costs unsustainable at lower rates
• Regulation threatens to step up when industry can’t find a solution on its own
5. Network announcements on liability shifts
“If we want to mitigate the possibility of the United States being a centre of card fraud and enable our consumers and business folks to travel abroad more easily, it may be time to charge someone in government with developing a well-thought-out, participatory, multi-year plan to move this country to the emerging global payments card standard,” Richard Oliver, Federal Reserve, Oct. 2010
Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February, 2011
¹ “Card Problems Cost U.S. Issuers Hundreds of Millions Overseas,” Digital Transaction News, October 2009

Several interconnected factors and developments must be considered in the construction of a payments standard
Roadmap Considerations
Four Major Areas of Choice:
1. Card Interface
2. Card Authentication method
3. Transaction Authorization
4. Cardholder Verification method
Overall Factors for Consideration:
• Current contactless implementation
• Contact or contactless EMV
• Options to suit the U.S. environment
• Convergence with NFC mobile contactless payments
• PIN vs. signature CVM
Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February, 2011

The first variable is the choice of card interface – this choice impacts interoperability with mobile
Decision Area 1: Card Interface
Roadmap Option and Description
1. Card Interface
a) Contact
• Standard EMV chip card.
• Requires contact reader.
b) Contactless
• RF card, NFC on a mobile phone, or various form factors, including stickers.
• Requires contactless reader.
• Leverages second-generation contactless cards being deployed in the and .
c) Dual interface
• Card containing both contact and contactless interface.
• Works with either contact or contactless reader.
Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February, 2011

Authentication and authorization are closely related and together create a matrix of possible EMV choices
• Authentication: checks the authenticity of the card itself
• Authorization: validates the issuing bank’s approval of a transaction, considering the status of the cardholder’s account and the result of fraud checks
[Figure: matrix of EMV choices. Axes: 1. Card Authentication (Offline, Online); 2. Transaction Authorization (Online, Offline); 4. Contact, Contactless, or Dual Chip Interface. Cells: Signature, Online PIN, Offline PIN, No CVM.]
Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February, 2011

Card authentication and transaction authorization can be online, offline and have varying degrees of dynamic cryptography
Decision Area 2-3: Card Authentication and Transaction Authorization
Roadmap Option and Description
2. Card Authentication
a) Online
• 8-byte Triple DES cryptogram.
• No requirement for SDA, DDA, or PKI cryptographic co-processor²
b) Offline
• SDA, DDA and/or CDA and PKI infrastructure.
• PKI cryptographic co-processor (for DDA and CDA only).
3. Transaction Authorization
a) Online
• Authorization message sent to issuer as currently implemented for magnetic stripe card transactions
b) Offline
• Authorization determined by EMV risk assessment and communication between card and terminal.
• May be forced online, depending on limits and other factors.
² All microprocessor cards used for EMV include a DES cryptography engine. DES cryptography is employed as a core part of chip security and is used in the personalization process and in any post-issuance EMV scripts from the issuer that are used to change EMV settings on the card.
Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February, 2011

Finally, cardholder verification can be signature, PIN or “none”
Decision Area 4: Cardholder Verification
Roadmap Option and Description
4. Cardholder Verification
a) Signature
• No special POS requirement
b) Online PIN
• Requires POS PIN pad
c) Offline PIN³
• Requires POS PIN pad
• SDA for clear text PIN, and/or DDA or CDA and PKI infrastructure for enciphered PIN
• PKI cryptographic co-processor (for DDA and CDA only)
d) No CVM
• No special POS requirement
• Usually reserved for low value transactions
³ Offline PIN can be either enciphered or clear text.
Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February, 2011

Chip implementations can range from very basic to highly complex
Chip Deployment Hierarchy

Visa took the lead with its announcement on August 9, 2011; MasterCard and Discover quickly followed suit
Network EMV Announcements
• The three networks harmonized their U.S.-specific compliance and liability shift dates
• Awaiting more detailed announcements from American Express, Discover
• Positioning from debit networks – Pulse, NYCE, etc. – what EMV application; choose before POS certification/testing starts
• Question of Cardholder Verification Method – signature vs PIN – and online vs offline transactions
• How soon should banks start issuing?
[Timeline figure. Dates marked: 8/11, 10/12, 4/13, 10/15, 10/17. Milestones shown:]
• Visa announces program to encourage EMV adoption, including contactless
• Merchants exempt from annual PCI compliance audit if >75% transactions from EMV-capable POS
• Acquirers support chip data including dynamic cryptograms
• U.S. Counterfeit Liability Shift: when non-compliant party financially liable for card present fraud losses¹
• Fraud liability shift for fuel sellers
• 1/12: MasterCard announces EMV program with liability hierarchy
• 3/12: Discover announces intention to harmonize implementation
• Account Data Compromise Relief (MasterCard)
¹ Cross-border liability shifts differ depending on country pairs and technology: mag stripe skimming vs. PIN

There are some differences in implementation guidelines among the networks
Variations in Networks’ EMV Guidelines
While all support all cardholder verification methods, and both online and offline card authentication and authorization, based on issuer choice…
• Visa emphasizes the online-only nature of the U.S. payments market and takes steps to ready the nation’s payment infrastructure for mobile
• Visa recommends online-only authorization, online card authentication, online PIN and signature-preferring cards
• Requires dual interface POS terminals for PCI audit relief.
• MasterCard introduced a hierarchy of liability shift to the party with the higher risk environment, e.g. mag stripe vs. EMV, PIN vs. signature vs. dynamic authorization.

Implications of EMV conversion for international travelers
Decision on International Interoperability
• In 2008, an estimated 9.7 million U.S. cardholders experienced magnetic stripe card acceptance issues when they travelled internationally
• A small percentage of European offline-only POS terminals will not accept online-only EMV cards
• Possibility for offline-only locations to increase
Critical decisions approaching U.S. issuers:
• Should they issue online-only EMV cards and accept the risk that their cards will not work in offline locations?
• Should they configure their cards to go online whenever possible and only allow offline transactions when the terminal indicates that it cannot go online?
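
The two issuer choices above can be compared with a small model of the four decision areas (interface, card authentication, authorization, CVM). This is an added example, not code from the presentation or the Smart Card Alliance paper; the class names, option strings and sample profiles are assumptions, and real EMV terminals apply far more detailed rules.

```python
from dataclasses import dataclass

# Simplified model of the decision areas on these slides. Names and option
# strings are assumptions for this example; this is not EMV kernel logic.

@dataclass
class Card:
    interface: str             # "contact", "contactless" or "dual"
    authorization: str         # "online_only" or "online_preferring"
    cvms: tuple                # CVM preference order
    offline_auth: str = None   # None, "SDA", "DDA" or "CDA"
    pki_coprocessor: bool = False

@dataclass
class Terminal:
    readers: frozenset         # subset of {"contact", "contactless"}
    can_go_online: bool
    pin_pad: bool

def card_config_errors(card):
    """Check a card profile against the per-option requirements."""
    errors = []
    if card.offline_auth in ("DDA", "CDA") and not card.pki_coprocessor:
        errors.append("DDA/CDA needs a PKI cryptographic co-processor")
    if "offline_pin_enciphered" in card.cvms and card.offline_auth not in ("DDA", "CDA"):
        errors.append("enciphered offline PIN needs DDA or CDA")
    if "offline_pin_clear" in card.cvms and card.offline_auth is None:
        errors.append("clear-text offline PIN needs SDA, DDA or CDA")
    return errors

def evaluate(card, terminal):
    """Return (outcome, detail) for one card presented at one terminal."""
    ifaces = {"contact", "contactless"} if card.interface == "dual" else {card.interface}
    if not ifaces & terminal.readers:
        return ("declined", "no common interface")
    if terminal.can_go_online:
        path = "online"
    elif card.authorization == "online_preferring":
        path = "offline"  # allowed only because the terminal cannot go online
    else:
        return ("declined", "online-only card at offline-only terminal")
    for cvm in card.cvms:
        if cvm == "online_pin" and not (terminal.pin_pad and path == "online"):
            continue  # online PIN is validated by the issuer host
        if cvm.startswith("offline_pin") and not terminal.pin_pad:
            continue  # offline PIN still needs a POS PIN pad
        return ("accepted", f"{path} authorization, CVM {cvm}")
    return ("declined", "no mutually supported CVM")

# Constructed sample profiles for the two issuer choices and two terminal types.
ONLINE_ONLY = Card("dual", "online_only", ("online_pin", "signature"))
ONLINE_PREFERRING = Card("dual", "online_preferring",
                         ("online_pin", "offline_pin_enciphered", "signature"),
                         offline_auth="DDA", pki_coprocessor=True)
US_POS = Terminal(frozenset({"contact", "contactless"}), True, True)
OFFLINE_POS = Terminal(frozenset({"contact"}), False, True)

if __name__ == "__main__":
    for name, card in (("online-only", ONLINE_ONLY), ("online-preferring", ONLINE_PREFERRING)):
        print(name, "config errors:", card_config_errors(card))
        for tname, term in (("online POS", US_POS), ("offline-only POS", OFFLINE_POS)):
            print("  ", tname, "->", evaluate(card, term))
```

In this model the online-preferring profile is the only one accepted at the offline-only terminal, at the price of needing DDA or CDA and a PKI co-processor on the card.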

The past few months have witnessed a number of U.S. EMV-enabled product introductions, primarily focused on international travelers
Other EMV Announcements
“We're investing in you; your security is paramount,” Merrill Halpern, UNFCU

EMV works in concert with other methods to prevent fraud from various attack points in the payment system
Benefits of EMV
Fraud Source and Prevention Measure
Counterfeit and Lost/Stolen
• Reliable online and offline card authentication
• Reliable offline cardholder verification
• Move to Dynamic Data Authentication (DDA and CDA)
• PIN = more reliable authentication vs signature
• PIN blocking, card risk management, and card blocking
• Offline spending control, card risk management
Transactions at non-EMV POS & ATMs
• Skimming protection, PCI DSS
• Chip-only cards
Card-Not-Present; Online Transactions
• Skimming protection, PCI DSS
• CVV, AVS
• Verified by Visa / MasterCard SecureCode
• Dynamic authentication and USB readers
• Transaction alerts
Sources: Inside Fraud, http://www.paymentscardsandmobile.com/, 10/09, http://corporate.visa.com/media-center/press-releases/press1098.jsp

The ongoing battle against fraud is driving rates downward, but the war continues as absolute losses continue to climb
Global Card Fraud
[Chart: total losses in $ billions ($0 to $7) and cents per $100 in volume, 1993 to 2009. Labelled rate values: 6.1¢, 4.8¢, 5.5¢, 4.7¢, 4.6¢, 5.5¢.]
Source: The Nilson Report, #951, June, 2010

The UK, with its decade-long history of EMV, illustrates great success, coupled with emerging fraud challenges
• By mid-2010, UK credit card fraud fell to its lowest level in a decade, down 20% from 2009
• Card fraud loss rate declined 83% from 18 to 10 basis points from 2001 to 2009
• While overall card spend doubled, overall card fraud increased only 7% from 2001 to 2009
• Fraud types illustrate the ongoing challenge with e-commerce, use of fall-back and international counterfeit fraud
• US = #1 fraud market for UK cards
UK Card Fraud Losses Split by Type
[Chart: fraud types shown are Lost/stolen, Mail non-receipt, Card-not-present, Counterfeit, Card ID theft. Loss rate 2001: 0.183%; 2009: ~0.10%.]
Source: FRAUD THE FACTS 2010, http://www.financialfraudaction.org.uk

Across Europe, as ATMs became more EMV-compliant, fraud losses declined dramatically
European ATMs – Issuer Fraud Losses Fell >40%
[Chart, 2005 to 2010: ATM Card Skimming Attacks; Issuer Domestic Losses (€ million, 0 to 70); % European ATM EMV Compliance (0% to 100%).]
Source: European ATM Crime Report, 2010, E.A.S.T.

Chip cards can prevent ecommerce fraud using a USB reader or with a One-Time-Password device
Examples
• MasterCard Chip Authentication Program (CAP) and Visa Dynamic Passcode Authentication (DPA)*
• Barclays PINsentry
• SecureKey
*Used by Barclays, Ulster, NatWest, Cooperative Bank, Smile, Royal Bank of Scotland, Lloyds TSB, Nationwide, Nordea
Source: Lydian Journal, January, 2011, www.pymnts.com/journal

Mobile payments can be classified by proximity, size, technology and funding source
Mobile Payments Location, Size, Technology, Funding
[Figure: classification grid.
Payment Location: Remote, Proximity.
Payment Size: Micro, $10-25, Macro.
Payment Technology: SMS; Browser, M-app; Contactless, NFC, QR Code.
Typical Funding Mechanism: Carrier or Cash at agent; Bank card / E-Wallet.
Examples shown: Retail POS, ATM, Smart tags; Digital content, Parking; Coffee shops, C-stores, Vending, Ticketing, Parking, Transit; P2P remittance, Donations, Mobile top-up; M-commerce, Bill payment.]
Source: Smart Card Alliance, “The Mobile Payments and NFC Landscape: A U.S. Perspective,” September, 2011

Comparing mobile payment approaches highlights the distinct advantage of integrated NFC
Comparison of Alternative Mobile Payment Approaches
[Table: ratings from WORST to BEST.
Approaches compared: Integrated NFC; MicroSD; Stickers, Fobs; Bar Codes; Payments in the Cloud; SMS.
Criteria: Reliability; Transaction Speed; Security; Ease-of-Use; Wallet Functionality; Acceptance; Device Availability; Additional Value Add Applications.]
Source: Smart Card Alliance, “The Mobile Payments and NFC Landscape: A U.S. Perspective,” September, 2011

All of these trends suggest a high-level scenario in which NFC and cloud co-exist for the foreseeable future
Potential High-Level Evolution of U.S. Payments
[Figure: innovation over time. Legend: Prevalent, Spotty Adoption, Declining, Ending, Continuing. Labelled item: Mag stripe.]

Approximately $5-6 billion is estimated to convert the U.S. to EMV
Illustrative Costs for the EMV Implementation
Columns: Cost; Magnetic stripe; EMV; Overall Industry Cost¹
Card
• Magnetic stripe: $1.11
• EMV: $2.00 to $2.35 for contactless¹
• Overall industry cost: $2.4 - $2.8 billion, depending on contact vs dual interface
PKI infrastructure
• Magnetic stripe: NA
• EMV: Setup of key management for issuers for SDA and DDA not particularly costly. Most personalization bureaus have SDA, DDA and CDA as standard functions.
Reader
• Magnetic stripe: Sunk cost of mandate to support Triple DES
• EMV: Terminals can manage keys and PKI as a standard function. Chip reader is minimal incremental (~$101) cost; most terminals now support both contact chip and magnetic stripe.
• Overall industry cost: $2.4 - $2.6 billion, depending on contact vs contactless mix
ATM
• Overall industry cost: $310 million
“Depending upon your point of view, the business case for EMV may be very hard to find. Or it may be the obvious ‘right thing to do.’”¹
Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February, 2011
¹ EMV in the USA: Waiting on Debit, a Mandate, or Just the Opportune Moment, 12/10, Mercator Advisory Group

What are merchants saying?
Conflicts are clouding debate about payment fraud
PCI Angst
• Compliance not effective end point in preventing future breaches
• Resentful for not having say in PCI rulemaking
• All stick – no carrot!
Terminal Angst
• Contactless acceptance business case not realized
• Do not want to invest in interim solutions
• Want clear migration path to chip & PIN
Interchange Angst
“We are 100% ready for chip & PIN today,” Walmart
“Do away with ‘fraud-prone’ mag-stripe,” Walmart
“We have the technology - it's the right thing to do - move to NFC / EMV,” MAG
“PCI certificate not worth 'warm spit' to hacked merchants/processors,” MAG
“US spend on PCI would have more than paid for 100% EMV,” David Birch

The Merchant Advisory Group has a different view on the proper roadmap
Merchant Advisory Group Chip & PIN Roadmap recommendations
1. Move to Chip & PIN
2. Merchant chooses contact, contactless or both
3. PINs required unless merchant takes risk of not requiring PINs
4. Liability shift to party without Chip & PIN
5. Chip standards governed by open standards body
6. Internet transactions must be addressed concurrently
7. Specific merchant verticals that face unique challenges to move to Chip and PIN require more time to convert
8. Chip & PIN implementation should not interfere with current transaction routing choices

The Smart Card Alliance advocates a joint stakeholder effort to drive an expedient evolutionary roadmap to chip-enabled payments
Smart Card Alliance Recommendations for U.S. Chip Migration
Collaborative …
• Establish joint brand-issuer-merchant effort to agree on roadmap
• Provide incentives for merchant investment, e.g. interchange, PCI waiver
Expedient …
• Move quickly or risk disintermediation by alternative mobile approaches, e.g. wifi hotspots, ACH-backed, PayPal
Evolutionary …
• Evolve to convergence with NFC
Transparent …
• Establish an authority to track, monitor and publish national card fraud statistics and progress, similar to APACS

For more information on these topics, please see these white papers
• The Mobile Payments and NFC Landscape: A U.S. Perspective
http://www.smartcardalliance.org/pages/publications-the-mobile-payments-and-nfc-landscape-a-us-perspective
• Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure?
http://www.smartcardalliance.org/pages/publications-card-payments-roadmap-in-the-us
• Chip-Enabled Mobile Marketing
http://www.smartcardalliance.org/pages/publications-chip-enabled-mobile-marketing
• http://www.us.capgemini.com/insights-resources/publications/world-payments-report-2011/