EMV Credit Card Security Implementation Presented By: Mike Hughes, North American Strategic Partnerships Moneris Solutions

Post on 09-Apr-2018

• U.S. EMV Migration Update

• Lessons learned from the Canadian EMV Migration

• EMV Upgrades: Roles and Responsibilities

• Value of End-2-End Encryption

• Key Functionalities for Parking

• EMV Use Cases

Largest electronic payment processor in Canada, 6th largest in North America

Source: USA Visa August 2016 Chip Update Infographic

• CAN V/MC Domestic Liability Shift: Mar 31st, 2011

• CAN AFD Liability Shift: Mar 31st, 2012

• CAN Visa Intl. Liability Shift: Oct 31st, 2010

EMVCo sets the “Standards”, but it is the Brands who determine what, and how, these standards are “Implemented”.

Layers | Management Functions | Certification Entity

Level 1 - Physical | Protocols between the chip card and the PED | EMVCo

Level 2 - Software (Kernel) | EMV application selection, EMV command set, and the EMV transaction steps | EMVCo

PED Payment Application | EMV command/response mgmt., encryption, communication protocols | Acquirer on behalf of brands

Visa Quick Chip enables deploying an online only configuration (zero floor limit)

Source: Visa September 2016 EMV Newsletter, Visa Quick Chip Implementation Steps

Reducing PCI Scope

• End-to-End Encryption solutions manage all aspects of the transaction requiring clear-text account data (BIN lookup, PIN block, etc.), and…

• End-to-End Encryption prevents the release of clear-text account data into the merchant’s environment, thus…

• The “edge” of the Payment Entry Device (PED) becomes the boundary of the merchant’s Cardholder Data Environment (CDE) completely removing the POS from PCI PA-DSS compliance scope

Effective 1 October 2012, Visa’s Technology Innovation Program (TIP) rewards U.S. merchants that have invested in EMV technology by eliminating the PCI DSS validation requirement for any year in which at least 75 percent of the eligible merchant’s Visa transactions originate from dual interface EMV chip-enabled terminals.

Source: Visa Data Security Program Keeping Cardholder Data Safe

• EMV Credit

• PIN Debit / Interac

• E2E Encryption

• Hashing (Card-in/Card-Out)

• Whitelisting of 3rd Party Cards (unencrypted non-bankcard)

• Use of Pin Pad for Non-Payment Data Entry

• Store and Forward

• Tokenization / Recurring

• Remote Download

• Contactless Credit / Debit

• Progress Tokens / Key Echoing

• Card Reader Only Configuration (No Pin Pad)

• 20 VenTek International Pay Stations

• Solar Battery Powered

• Cellular Modem 3G or 4G Connection

[Diagram: VenTek Paystation Internal Network. Labels: Moneris UX300; Secure Card Reader; TAP Reader; PIN Pad; VenTek Auxiliary Control Unit (acting as Router); VenTek C1100 Paystation Controller; Cellular Modem (3G or 4G), may also be Wi-Fi or Ethernet; Paystation Cabinet; VenTek Data Center and Moneris]

https://youtu.be/BMAm7zCTij0

WMATA NEPP Pilot

• 10 fare gates

• 50 buses

• 2 parking lanes

• 2,000+ customers

ICS Car Wash

• 5,000+ U.S. Kiosks

• EMV Certified in CAN and US

• ISO and Proprietary Gift

• Tokenization / Recurring

• Direct Vs. Pre-Certified Solution

• Functionality and Future Proofing

• Physical and Environmental Impacts

• Cost, Timeline, and PCI Security