EMV Update: Merchant Education, Lessons Learned
September 11, 2013
Presented by: Jeff Ecker, TD Merchant Services
Moderated by Kristy Cook, Target
Upcoming MAG Educational Opportunities
MAG 2013 Annual Conference - Celebrating 5 Years in the Big Easy!
October 7-9, 2013
Astor Crowne Plaza New Orleans, New Orleans, LA
Registration is open online at www.merchantadvisorygroup.org
WEBINAR: Your Project Plan for Selecting a New Processor (THE RFP Primer)
November 13, 2013, 12:00pm-1:00pm CT
Registration is open online at www.merchantadvisorygroup.org
EMV Migration - Lessons Learned
• EMV Timelines & Learning Curve
• Stakeholder Roadmaps
• Financial Considerations
• Impacts to Store Operations & Back Office
• Other Scope Considerations
• Complexity
• Terminal Compliance
• Testing and Certification
The EMV Learning Curve
• Ask a lot of questions
• Understand the rules of EMV liability
• Recognize chip migration is an evolution
• Regulatory environment is dynamic, know the current state
• Learn new EMV terms and abbreviations (e.g. CVM, AAC, TC)
• Fallback: considered a chip transaction
• Ensure support for international cards
• Understand alignment of EMV and PCI DSS
Important Questions
• What are the key decision factors regarding an implementation of EMV?
• How will it impact my business and my checkout experience?
• How much does the project cost?
• How long does the project take?
• What are the steps and in what order?
• How will I know if things are going in the right direction?
• How is the certification process different from magnetic stripe?
Start Early
• Build Business Case and Project Scope
– Current state is less risk; recognize uncertainty in debit
– Building internal EMV subject matter experts takes time, but is very important
• Understand competing priorities & EMV migration
• Choose a compliant device
• Pilots reveal impacts to store operations
• Ensure testing and certification resource availability
Stakeholder Roadmaps
[Diagram: Data Centre(s); Gateway(s); Acquirer / Processor Host; Store Network & Security; POS / Payment Software; Devices]
It is highly important to understand the EMV roadmap for your key vendors.
Key Questions:
• Have my vendors implemented EMV before?
• What kind of payment devices do I need?
• What type of integration do I have (direct, semi-integrated, or middleware)?
• What testing is required?
Financial Considerations
• Cost implications of EMV
+ Elimination of yearly PCI DSS assessments and validation
  • Merchants must remain PCI compliant
+ Avoid Liability Shift
  • Lower fraud means bearing less financial burden, lower operational costs
– Cost of upgrading to new terminals
– Cost of upgrading to new software and systems
± Process improvement
± Speed at checkout
• EMV does not address Card Not Present transactions
  • Watch for fraud to shift to ecommerce channel
Impacts to Store Operations
• Physical
– Device placement and stands
– Accommodation required for elderly and disabled
• Training
– Customer-facing staff education
– Consider level of detail and frequency
– Customer education
– Customer confidence
Impacts to Store Operations
• Procedural
– Card stays inserted in PINpad for duration of transaction
  • Chip on card makes the final authorization decision
  • Early removal of a chip card = termination of the transaction
  • Gives rise to a spike in forgotten cards in store
– Generally takes longer to process an EMV transaction than a magnetic stripe transaction due to additional cryptographic functions and dialogue with chip.
  • Overall time at the POS should be faster as you do not need to obtain a signed receipt.
– Signature line prints on merchant copy of receipt for chip & signature cards or fallback transactions
– Exception Processes
  • Chip cards swiped instead of inserted
  • Chip cards inserted incorrectly
  • Fallback
Impacts to Store Operations
• Chip Card Personalization
– Cardholder Verification Methods (CVM)
– PIN Counters
– Issuer scripts
  • PIN Change
  • Card Activation
  • Card Block
  • PIN Retry Counter Reset
• Contactless
– Revert to contact limits
Impacts to Back Office
• Impact on existing systems and software
• Balancing and reconciliation
• Dispute resolution
• Data and Reporting
• Capacity planning, logging and backing up
Other Scope Considerations
• EMV integration will speed adoption of value-added features such as mobile and contactless payments and make them more secure.
• Consider whether you want to include EMV in an overall payments project
– Emerging payments
– Other system projects
– Point to Point Encryption (P2PE)
– Tokenization
– Contactless
– Mobile
Complexity
• Uncertainty Regarding the Implementation of EMV
• On-line versus Off-line PIN
• Cardholder Verification Methods (i.e. Chip & PIN, Sig or No CVM)
• EMV and Debit
• Authentication versus authorization
• Card makes the approval / decline decision
• Key Management
  • Injection
  • Rotation / Expiration
Terminal Compliance
• Terminal configuration and compliance
• Choose the latest PCI PTS 3.0 devices to extend your terminal’s lifecycle
• Device vendors must provide certificates of compliance
• EMVCo Certification
– EMVCo Level 1 Certification - Type Approval process tests compliance with the electromechanical characteristics, logical interface, and transmission protocol requirements defined in the EMV Specifications.
– EMVCo Level 2 Certification - Type Approval tests compliance with the debit/credit application requirements as defined in the EMV Specifications (i.e. EMV Kernel).
• MasterCard M-TIP / Visa VSDC
– Visa and MasterCard have specific requirements for completion and review of test cases defined based on the configuration and functionality of each end-to-end solution.
Testing and Certification
• Chip card and test case simulation tools are vital
– Certification testing
– Acceptance testing
• Test tool roadmap and compliance
– Test tools must be kept current
– Ensure that all stakeholders have similar tools
• Test plans and scripts
– Contact, contactless (optional) and magnetic stripe
– Mandatory & optional test cases specified by the brands
– Mandatory & optional test cases may be specified by your processor
Weighing the Impacts to Ongoing Certification
[Figure labels: No Certification Required; Full or Regression Certification]