EMV Update: Merchant Education,

Lessons Learned

September 11, 2013

Presented by:

Jeff Ecker, TD Merchant Services Moderated by Kristy Cook, Target

2

Upcoming MAG Educational Opportunities

MAG 2013 Annual Conference-Celebrating 5 Years in the Big Easy!

October 7-9, 2013

Astor Crowne Plaza New Orleans New Orleans, LA

Registration Open Online at www.merchantadvisorygroup.org

WEBINAR: Your Project Plan for Selecting a New Processor (THE RFP Primer)

November 13, 2013- 12:00pm-1:00pm CT

Registration is open online at www.merchantadvisorygroup.org

EMV Migration - Lessons Learned

• EMV Timelines & Learning Curve

• Stakeholder Roadmaps

• Financial Considerations

• Impacts to Store Operations & Back Office

• Other Scope Considerations

• Complexity

• Terminal Compliance

• Testing and Certification

3

US EMV Migration Timeline

4

EMV Migration Timing (Canada)

5

The EMV Learning Curve • Ask a lot of questions • Understand the rules of EMV liability • Recognize chip migration is an evolution

• Regulatory environment is dynamic, know the current state

• Learn new EMV terms and abbreviations (i.e. CVM, AAC, TC)

• Fallback: considered a chip transaction • Ensure support for international cards • Understand alignment of EMV and PCI DSS

6

Important Questions • What are the key decision factors regarding an

implementation of EMV?

• How will it impact my business and my checkout experience?

• How much does the project cost?

• How long does the project take?

• What are the steps and in what order?

• How will I know if things are going in the right direction?

• How is the certification process different from magnetic stripe?

7

Start Early • Build Business Case and Project Scope

– Current state is less risk; recognize uncertainty in debit

– Building internal EMV subject matters experts takes time, but very important

• Understand competing priorities & EMV migration

• Choose a compliant device

• Pilots reveal impacts to store operations

• Ensure testing and certification resource availability

8

Stakeholder Roadmaps

Data Centre(s) Gateway(s) Acquire /

Processor Host Store Network

& Security

POS / Payment

Software Devices

It is highly important to understand the EMV roadmap for your key vendors.

Key Questions:

• Have my vendors implemented EMV before?

• What kind of payment devices do I need?

• What type of integration do I have (direct, semi-integrated, or middleware)?

• What testing is required? 9

Financial Considerations • Cost implications of EMV

+ Elimination of yearly PCI DSS assessments and validation • Merchants must remain PCI compliant

+ Avoid Liability Shift • Lower fraud means bearing less financial burden, lower

operational costs

– Cost of upgrading to new terminals – Cost of upgrading to new software and systems ± Process improvement ± Speed at checkout

• EMV does not address Card Not Present transactions • Watch for fraud to shift to ecommerce channel

10

Impacts to Store Operations • Physical

– Device placement and stands

– Accommodation required for elderly and disabled

• Training – Customer-facing staff education

– Consider level of detail and frequency

– Customer education

– Customer confidence

11

Impacts to Store Operations • Procedural

– Card stays inserted in PINpad for duration of transaction • Chip on card makes the final authorization decision • Early removal of a chip card = termination of the transaction • Gives rise to a spike in forgotten cards in store

– Generally takes longer to process an EMV transaction than a magnetic stripe transaction due to additional cryptographic functions and dialogue with chip. • Overall time at the POS should be faster as you do not need to

obtain a signed receipt.

– Signature line prints on merchant copy of receipt for chip & signature cards or fallback transactions

– Exception Processes • Chip cards swiped instead of inserted • Chip cards inserted incorrectly • Fallback

12

Impacts to Store Operations • Chip Card Personalization

– Cardholder Verification Methods (CVM) – PIN Counters – Issuer scripts

• PIN Change • Card Activation • Card Block • PIN Retry Counter Reset

• Contactless – Revert to contact limits

13

Impacts to Back Office • Impact on existing systems and software

• Balancing and reconciliation

• Dispute resolution

• Data and Reporting

• Capacity planning, logging and backing up

11 14

Other Scope Considerations • EMV integration will speed adoption of value-added

features such as mobile and contactless payments and make them more secure.

• Consider if you want to include EMV in an overall payments project? – Emerging payments

– Other system projects

– Point to Point Encryption (P2PE)

– Tokenization

– Contactless

– Mobile

15

Complexity • Uncertainty Regarding the Implementation of EMV

• On-line versus Off-line PIN

• Cardholder Verification Methods (i.e. Chip & PIN, Sig or No CVM)

• EMV and Debit

• Authentication versus authorization

• Card makes the approval / decline decision

• Key Management • Injection

• Rotation / Expiration

16

Terminal Compliance • Terminal configuration and compliance

• Chose the latest PCI PTS 3.0 devices to extend your terminal’s lifecycle

• Device vendors must providing certificates of compliance

• EMV Co. Certification

– EMV Co. Level 1 Certification - Type Approval process tests compliance with the electromechanical characteristics, logical interface, and transmission protocol requirements defined in the EMV Specifications.

– EMV Co. Level 2 Certification - Type Approval tests compliance with the debit/credit application requirements as defined in the EMV Specifications (i.e. EMV Kernel).

• MasterCard M-TIP / Visa VSDC

– Visa and MasterCard have specific requirements for completion and review of test cases defined based on the configuration and functionality of each end-to-end solution.

17

Testing and Certification • Chip card and test case simulation tools are vital

– Certification testing

– Acceptance testing

• Test tool roadmap and compliance – Test tools must be kept current

– Ensure that all stakeholders have similar tools

• Test plans and scripts – Contact, contactless (optional) and magnetic stripe

– Mandatory & optional test cases specified by the brands

– Mandatory & optional test cases may be specified by your processor

18

No Certification Required

Full or Regression Certification

Private and Confidential

Weighing the Impacts to Ongoing Certification

19

Q&A

20