Date post: | 13-Apr-2017 |
Category: |
Technology |
Upload: | creditcall |
[email protected] www.Creditcall.com/[email protected] www.T2Systems.com
17 November 2015 | 1
Dave Witts President US Payment Services, Creditcall
Philip Yu Director of Product Management, T2 Systems
EMV, P2PE & Tokenization
Agenda
• Current EMV statistics in the US
• Weapons against fraud – EMV, P2PE & Tokenization
• What happens during an EMV certification, what's required?
• The current state of EMV certifications in the US
• What happens during a P2PE certification, what's required?
• What has caused the delays?
Current EMV Statistics
575 million EMV cards to be issued by the end of 2015
59% of retail locations will be EMV-compliant by the end of 2015
78,800 EMV chip-activated merchant locations
70% of U.S. credit cards will be issued as EMV cards by the end of 2015
86% of financial institutions plan on issuing EMV debit cards by 2015
$3.50 Average cost for issuing a new EMV card
$500 Average cost of an EMV-compliant POS terminal
Sources: Javelin Research & Strategy, Aite Group, 2014 PULSE Debit Issuer Survey
Weapons Against Card Fraud
Without P2PE
With P2PE
P2PE vs. PCI P2PE
P2PE | PCI P2PE (Certified) | P2PE (Non-Certified)
P2PE implementation manual (PIM) for merchant to follow | Mandatory - Merchants must follow PIM to get PCI P2PE protection | Not defined
Secure supply chain | Mandatory - Merchants must use scheme defined by solution provider | Not defined
PCI DSS de-scoping | Yes - If merchant is only using PCI P2PE certified solution to take card payments; Merchants can complete a PCI DSS SAQ designed for P2PE | No - It remains each processor's decision as to whether the solution offers any de-scoping of PCI DSS
PINpad key injection cost | Yes | Yes
PINpad encryption licence cost | Yes | Yes
Solution provider costs to provide encryption | Yes | Yes
Certification costs | Solution provider has to cover costs of P2PE assessment. Merchant should have lower PCI DSS costs if only using certified solution | Merchant has all the cost of PCI DSS
Tokenization
• “The replacement of a credit card number and expiry date with a non-sensitive equivalent that has no exploitable value.”
• A Payment Gateway organisation would return a token of the card number and expiry date for every transaction authorization received. This can be stored by the merchant with no special precautions, and used in place of the actual card number for any subsequent transaction.
Key Benefits of Tokenization
• Improved customer experience in e-Commerce.
• Saves having to ask cardholder to re-enter card number and expiry date.
• Far more secure than the merchant storing actual card details.
Tokenization
Tokenization | Proprietary Gateway Scheme
Complexity | Simple
Re-usable for other payments | Yes
Online/Offline | Online
Real-time 3rd party dependency (i.e. token service provider) | No
Works with existing magstripe cards | Yes
Cost | None
Cross gateway compatible | No
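The proprietary gateway token scheme described above, as an added Python example (not code from Creditcall or T2 Systems). The Gateway class, the tok_ prefix, the in-memory vault and the test card number are assumptions made for illustration; issuer approval is not modelled.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, used here only to reject malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class Gateway:
    """Hypothetical payment gateway holding a private token vault."""

    def __init__(self, name: str):
        self.name = name
        self._vault = {}                     # token -> (pan, expiry); stays inside the gateway

    def authorize(self, pan: str, expiry: str, amount_cents: int) -> dict:
        """Card-present or first payment: card data goes in, a token comes back."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            return {"approved": False, "token": None}
        # Random value, not derived from the card number: it cannot be reversed
        # and is meaningless to anyone who does not hold this gateway's vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = (pan, expiry)
        return {"approved": True, "token": token, "last4": pan[-4:]}

    def charge_token(self, token: str, amount_cents: int) -> dict:
        """Subsequent payment: the merchant presents only the stored token."""
        card = self._vault.get(token)        # online lookup, so the scheme is online-only
        if card is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "last4": card[0][-4:]}

def merchant_flow() -> dict:
    """Constructed walk-through; 4111111111111111 is a widely used test number."""
    gw_a, gw_b = Gateway("gateway-a"), Gateway("gateway-b")
    first = gw_a.authorize("4111111111111111", "1227", 500)
    stored = {"customer": "c-1001", "token": first["token"], "last4": first["last4"]}
    return {
        "stored": stored,                                            # all the merchant keeps
        "repeat": gw_a.charge_token(stored["token"], 250),           # re-usable at same gateway
        "other_gateway": gw_b.charge_token(stored["token"], 250),    # not cross-gateway compatible
    }

if __name__ == "__main__":
    print(merchant_flow())
```

The merchant record holds the token and the last four digits only, so a copy of the merchant database yields nothing that can be replayed at another gateway.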
What Happens During EMV Certification – Typically up to 16 Months
1) Select an EMV Card Reader – 3 Months
• A card reader is where a large part of an EMV transaction takes place through a complex dialogue between the chip card and the reader.
• Integrators must invest time in learning about EMV (e.g. Application Selection, Data Authentication, Online Processing and Issuer Script Processing), transaction flows, transaction logic and, of course, exception handling when an inevitable error occurs in the transaction.
2) Processor Interfaces and EMV Messages – 6 Months
• Every interface to the different processors will need to be modified to support the new EMV data fields and process flows.
• Most interfaces are based on legacy code developed many years ago, so the addition of new features such as EMV becomes an increasingly difficult task.
• Processors will have scaled their integration support sufficiently to cope with the mass of other integrators who will be following the same path.
3) Card Brand Certifications – 4 Months
• Once processor interfaces have been updated, the complex task of end-to-end testing and certification begins.
• M-TIP/ADVT/AEIPS/DPAS are the 4 different testing types required.
• Processors have not been able to cope with the volume of certifications required before the October 2015 Liability Shift and continue to struggle.
• This is NOT a one-time process – it must be repeated every three years when the EMV Kernel certification on the card reader expires.
4) Terminal Management System – 3 Months
• It is essential that any EMV solution deployed has access to a TMS platform for efficient and timely deployment of updates.
• Without a TMS platform, there is a risk of having card readers without current software or the latest configuration.
Current State of US EMV Certifications
• Unattended certifications have been delayed due to attended taking priority by the processors.
• Attended has larger $$ volumes that concern processors.
• Unattended certifications are scheduled to start in Q4 2015 with a 3-4 month window of completion.
• If certification fails at any stage, it must start again from the beginning, so it is important that everything is ready before certification.
VeriFone VX820 for attended transactions currently EMV certified with First Data and Chase. EMV certification with Elavon expected Q4 2015, Global Payments & TSYS Q1 2016, Heartland Q2 2016.
Globalcom BV1000 for unattended transactions has EMV certifications scheduled with First Data, Chase, Elavon, Global Payments, Vantiv, & TSYS Q2 2016, Heartland scheduled for Q3 2016.
What is P2PE Certification
It is a solution comprising components that store, process and transmit account data as part of a payment authorization or settlement, while performing cryptographic key management functions.
Every transaction is uniquely encrypted at source and only decrypted once in the secure Payment Gateway for processor authorization.
The solution is deployed and maintained in a fully traceable and secure manner, with clearly defined roles and responsibilities for all parties involved throughout the life of the product, thus ensuring compliance integrity.
The PCI SSC certify that the solution meets the PCI P2PE standards and list the solution on the PCI website:
https://www.pcisecuritystandards.org/approved_companies_providers/validated_p2pe_solutions.php
Key Benefits of P2PE
• Implementation of a PCI certified P2PE solution may reduce PCI DSS assessment scope for merchants.
• Is the highest level of cardholder data security available.
• Simplified payment processing architecture.
The PCI Family & Relationship
• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers: PCI PA-DSS (Payment Application Vendors)
• Acquirers, Payment Gateways, Software Developers & KIFs: PCI P2PE (Security Standard)
• Merchant & Processors: PCI DSS (Data Security Standard)
Diagram label: Potentially Reduced
The P2PE Assessment Process
The P2PE Solution Provider selects a P2PE Assessor.
The P2PE Solution Provider then provides access to the P2PE solution to the Assessor.
The P2PE Assessor determines the scope and assesses key-injection facilities, Certification Authorities, device, applications, deployment and merchant support mechanisms. They prepare the P-RoV and submit it to the PCI SSC for review.
Review of P-RoV by the PCI SSC.
• Solution Provider must have confidence of compliance before starting the assessment.
• The assessment is completed by an independent PCI-approved QSA assessor.
• Involves evidence gathering and potentially multiple site visits to produce a P2PE Report of Validation (P-RoV).
• PCI SSC review and listing timescales determined by the quality of the P-RoV and the PCI SSC workload.
Delays we are Seeing in the Parking Industry
• Attended vs Unattended
• Delays in device manufacturers being ready to certify
• Processors not prepared for volumes
• Delivery times for devices
If you have any questions, please contact:
Dave Witts
President of US Payment Systems
Creditcall Corporation
1133 Broadway, Suite 706, New York, NY 10010
609 339 [email protected]
If you have any questions, please contact:
Philip Yu
Director, Product Management
T2 Systems
8900 Keystone Crossing, Suite 700, Indianapolis, Indiana 46240
317 524 [email protected]