The Migration to EMV in the USA from a Founders Perspective
Philip Andreae, Oberthur Technologies
Our Environment (word cloud slide): passport, identity card, chip card, banking card, dual card, contact, contactless, chip, PIN, SIM card form factors, multiSIM, NFC, eSE, identity, smart transactions, transport, access control, M2M, mobile financial services; green products, convergence, increase efficiency, devices, cloud, big data, Internet of Things, digital security, mobility
Our environment
– 14 billion connected M2M devices in 2020
– 3 billion payment smart cards shipped in 2017
– 75% of passports will be electronic by 2016
– 1.2 billion NFC-enabled phones sold in 2018
– Mobile payment market: $721 billion in 2017
– 80% of ID cards are expected to be electronic in 2015
Mobility, at the heart of OT world
Why Are We Here?
– August 2011: Visa Inc. announced its roadmap
– June 2012: American Express, Discover and MasterCard agreed to converge on the same common timeline
– April 2013: Acquirers and processors must support EMV transactions
– April 21st 2014: Court of Appeal found for the Board of Governors of the Federal Reserve
– April 30th: EMF published the Debit Technical White Paper
– October 2015: Liability shift
  – Liability is the responsibility of the party not protecting the transaction
  – Liability remains the issuer’s if the merchant upgrades to EMV
– October 2017: Liability shift for gas stations
– December 2013: Following a number of compromises (Target, Neiman Marcus) the time has come for the U.S. to embrace EMV
EMV the Global Standard for Credit & Debit Payments
In 1993 The International Payment Brands Decided The Long Term Solution To Fraud Was The “ICC” and Agreed To Develop A Common Specification To Assure Global Interoperability
They agreed the requirements and published “The Integrated Circuit Card Specifications for Payment Systems”
EMVCo is owned & staffed by Visa, MasterCard, JCB, American Express, UnionPay and Discover
What EMV addresses (slide graphic):
– Lost and Stolen Fraud: Cardholder Verification
– Revenue Creation: Value Added Services
– Counterfeit Protection: Off/On-line Authentication
– Offline Authorization: Cost Reduction
The Classic Smart Card Business Case Is Based On
– A CAM (Card Authentication Method) to stop counterfeit losses
– A CVM (Cardholder Verification Method) to reduce lost and stolen card fraud
– Card Risk Management to assure payment everywhere
– Support for Value Added Services
– The intangible value of Security
One Green Void In a Sea of Color
USA Last to Migrate to EMV…
Why have US payment card Issuers resisted EMV migration?
– The US has a robust 100% online (network) infrastructure employing sophisticated fraud management techniques
– The US contactless initiative failed to produce positive revenue
– The perceived economics haven’t justified the investment on the Issuer or Merchant side of the transaction
– QR codes require much less investment in terminal hardware
– Interchange has created opportunities to create Cloud and ACH based alternatives
– Many ask the question why an old technology (“EMV”) when the Cloud and Smart Phones are the future
EMV IS A PROVEN SOLUTION TO REDUCE FRAUD AT THE POINT OF SALE. THE TIME HAS COME TO MIGRATE
As a result of the data breaches the US market is accelerating beyond expectations
Includes estimates for Debit, Credit, PLCC and Prepaid
Forecast of US EMV cards by scenario (chart values as extracted; the chart axis runs from 0 to 1,400):
           2014   2015   2016   2017   2018
High        300    781  1,004  1,122  1,237
Base        228    638    807    875    940
Low         165    515    638    672    727
An extrapolation using the recent Payment Security Task Force project of 575 Credit and Debit Cards
Benefits of EMV to Merchants and Acquirers
Acquirer
– Irrefutability of transaction
– Reduced costs through offline transactions
– Reduced cost of handling chargebacks
– Low value transactions: drives transaction growth
– New revenue opportunities: rewards, consumer profile, loyalty, other value-added services
Merchant
– Guarantee of payment
– Reduced costs through offline transactions
– Opportunity to expand unattended payment locations
– Enhanced efficiencies: speed and ease of use at the POS, reduced storage of paper receipts, improved dispute procedures, reduced fraud
– Builds infrastructure for NFC Mobile Commerce
Benefits of EMV to Issuers
– EMV pro-activity provides a competitive advantage
– EMV issuance protects the brand
– Reduced fraud; therefore, fewer exceptions
– Liability shift reduces the financial exposure of the Issuer
– More secure payment card
– Unique PINs for each person on the account
– Global interoperability
– Efficiency in servicing low value transactions
– Ability to support credit and debit on a card
– New revenue opportunities
– Paves the way for use of NFC mobile payments
Business Process Implications
With the decision to move to EMV, Financial Institutions have decisions to make:
– Impact of product and EMV program design
– Inclusion of chip in card design
– Consumer-selected PIN management
– Card production and issuance
– Card/chip lifecycle must be managed
– Card issuance and replacement
– Call center representative training
– Changes to back-office procedures
– Consumer card usage education
– Marketing opportunities
Back Office Debit and Credit Systems: many systems require upgrade or replacement
– Credit card systems must perform online authentication
– Banking systems must perform online authentication
– Key management becomes a core competency
– Integration with card management processes
– New PIN management techniques required
– Fraud and risk management systems
– Card life cycle must be managed
– Card issuance and replacement
AN EMV PRIMER
Authentication, Verification, Authorization and Irrefutability: four words describe what EMV offers the payment industry
Three Key Capabilities Are Defined by EMV. Designed to be future proof:
• Based on a stable standard
• Built on evolving technologies
– Authentication (“What you have”): offline by the terminal, online on the Issuer host
– Verification (“What you know”): signature, PIN in chip, PIN on host, no CVM
– Authorization (“You have the funds”): online with a zero floor limit, host authorized; offline under Issuer-defined Card Risk Management parameters
Field 55 Designed to Support Authentication
Merchant (Terminal): interface to chip, prepare authorization, draft data capture
Acquiring Bank (Acquirer): select appropriate route, forward to payment network, settle with Merchant
Payment Switch (Payment Network): validate transactions, route to issuer, settle between Issuer and Acquirer
Issuing Bank (Issuer): authenticate ARQC, authorize transaction, prepare ARPC and scripts, return authorization response
Authorization or Financial Request: the ARQC authenticates the card to the issuer
Authorization or Financial Response: the ARPC authenticates the issuer to the card, and is a chance to update the card with scripts
Clearing and Settlement (at completion or end of day): the Transaction Certificate (TC) assures irrefutability; optionally authenticate the TC, settle with the payment system
EMV Defined Application Selection: Issuer Control & Consumer Choice
1. Insert card into reader
2. Answer to reset
3. Select AID(s)
4. Develop candidate AID list
5. Consumer selection, e.g. “Enter 1, 2, 3 or 4 to select payment method”: 1. Personal Credit Card, 2. Corporate Credit Card, 3. Family Debit Card, 4. Personal Debit Card
PSE – Payment Systems Environment; AID – Application Identifier
Chip Cards Can Support Various Applications
– PSE: Credit, Debit, Stored Value, Home Banking, Payment Guarantee
– IATA: Ticket, Itinerary, Boarding Pass, Frequent Flyer, VIP – Security
– Subscriber: Calling Card, Parking Cards, Fitness Club, Library Card, Campus Cards
– Loyalty: Points, Rewards, Coupons, Discounts, Punch Card
– ID: Passport, Drivers License, Corporate ID, National ID, Photo, Biometrics
– Health: Pharmacology, Emergency Data (blood type, donor status, allergies), Physician’s Details, Health Insurance
– Transit: Token, Tap On, Tap Off, Senior/Student, Period Pass, Car Key
Key uses: Security, Authentication, Identification, and Data Storage
PSE – Payment Systems Environment; IATA – International Air Transport Association
Mobile Devices Solve the Branding Issue
EMV Designed to be Future Proof: a stable standard, built on evolving technologies
NFC & HCE are built on the same stable standard, employing evolving technologies
Business Relationships and Infrastructure Are Key
ISO 7816 file structure: a Master File (MF) containing Data Files (DF), which contain Elementary Files (EF)
Inter-industry Commands
• READ BINARY
• WRITE BINARY
• UPDATE BINARY
• ERASE BINARY
• READ RECORD(S)
• WRITE RECORD
• APPEND RECORD
• UPDATE RECORD
• GET DATA
• PUT DATA
• SELECT FILE
• VERIFY
• INTERNAL AUTHENTICATE
• EXTERNAL AUTHENTICATE
• GET CHALLENGE
• MANAGE CHANNEL
• GET RESPONSE
• ENVELOPE
EMV Impacts the Merchant’s Systems
Components shown (slide diagram): Cash Register, PED, Store Server (Card Application, Terminal Application), Local Store, VPN, Merchant Data Center (Host Application), VPN, Payment Switch, Acquirer, Debit Networks
Required changes:
• Replace PIN Pad with EMV PIN Entry Device
• Upgrade payment software to support EMV transaction flow and the Payment Networks
• Add Bit 55 with TLV coded data elements
• Certify with Acquirer and Payment Networks
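An added Python example, not code from the presentation or from Oberthur, tying together the application selection steps, the SELECT and READ RECORD commands and the TLV coding of field 55: it builds the ISO 7816-4 command APDUs a terminal sends and parses a constructed File Control Information response. The Visa AID is the one listed on the slides; the FCI bytes and the PDOL contents are constructed for illustration.

```python
"""Added example, not from the presentation: ISO 7816-4 command APDUs for EMV
application selection and a BER-TLV parser for the card's reply / field 55 data.
Sample bytes are constructed for illustration, not captured from a real card."""

AID_VISA = bytes.fromhex("A0000000031010")   # Visa credit/debit AID quoted on the slide

def select_apdu(aid: bytes) -> bytes:
    """SELECT by DF name: CLA 00, INS A4, P1 04 (by name), P2 00, Lc, AID, Le 00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"

def read_record_apdu(sfi: int, record: int) -> bytes:
    """READ RECORD: P1 = record number, P2 = (SFI << 3) | 4 ('P1 is a record number')."""
    return bytes([0x00, 0xB2, record, (sfi << 3) | 0x04, 0x00])

def parse_tlv(data: bytes) -> list:
    """BER-TLV (EMV Book 3 Annex B) -> [(tag_hex, value)]; value is bytes for a primitive
    object and a nested list for a constructed template (bit 6 of the first tag byte set)."""
    objects, offset = [], 0
    while offset < len(data):
        if data[offset] in (0x00, 0xFF):          # padding allowed before or between objects
            offset += 1
            continue
        start, first = offset, data[offset]
        offset += 1
        if first & 0x1F == 0x1F:                  # multi-byte tag (e.g. 9F37): continues while bit 8 set
            while data[offset] & 0x80:
                offset += 1
            offset += 1
        tag = data[start:offset].hex().upper()
        length, offset = data[offset], offset + 1
        if length & 0x80:                         # long form: low 7 bits = number of length bytes
            count = length & 0x7F
            length = int.from_bytes(data[offset:offset + count], "big")
            offset += count
        if offset + length > len(data):
            raise ValueError(f"tag {tag}: length {length} overruns the buffer")
        value = data[offset:offset + length]
        objects.append((tag, parse_tlv(value) if first & 0x20 else value))
        offset += length
    return objects

def find_tag(objects: list, wanted: str):
    """Depth-first lookup of a tag in the parsed tree; None if absent."""
    for tag, value in objects:
        if tag == wanted:
            return value
        if isinstance(value, list):
            hit = find_tag(value, wanted)
            if hit is not None:
                return hit
    return None

def parse_dol(dol: bytes) -> list:
    """A Data Object List (e.g. the PDOL, tag 9F38) is tag + length pairs with no values:
    it tells the terminal which of its own data elements the card wants to receive."""
    entries, offset = [], 0
    while offset < len(dol):
        end = offset + 1
        if dol[offset] & 0x1F == 0x1F:
            while dol[end] & 0x80:
                end += 1
            end += 1
        entries.append((dol[offset:end].hex().upper(), dol[end]))
        offset = end + 1
    return entries

# Constructed FCI for SELECT AID_VISA:
# 6F { 84 = AID, A5 { 50 = label "VISA", 87 = priority 01, 9F38 = PDOL asking for 9F66 (4) and 9F02 (6) } }
SAMPLE_FCI = bytes.fromhex("6F1D" "8407A0000000031010" "A512" "500456495341" "870101" "9F38069F66049F0206")

def application_label(fci: bytes) -> str:
    """Label a terminal would show the consumer in the candidate list."""
    return find_tag(parse_tlv(fci), "50").decode("ascii")
```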
Chip Cards Come In Multiple Form Factors
Pure contactless card*: 1. One chip connected to the antenna and buried inside the plastic body; 2. Works only in contactless mode
Dual interface card*: 1. One chip embedded with external contacts and antenna connections; 2. Works in contact and contactless mode (contactless like US contactless and NFC transactions – a future proof solution)
Contact card: 1. One chip connected to external contacts; 2. Works only in contact mode
*Not compatible with foil card designs
The Card Operating System
NATIVE
• Proprietary OS: supplied by all major vendors
• Highly secure: hardware (EAL5+) and software (EAL4+)
• Dominant smart card technology: most widely deployed to date
• Full EMV compatibility for single and multi-application payment cards
• Offers the best price competitiveness to issuers; ideal choice for EMV migrating markets and a mass volume penetration strategy
• Optimized OS and applications for best-in-class memory consumption and timing performance
• Full compatibility with EMV common personalization systems, offering issuers multiple sourcing and seamless product migrations (lower switching cost)
• Many providers competing on performance and security, with multiple silicon providers
JAVA / Global Platform
• Industry open standard: offers the largest multi-sourcing to issuers
• High portability and security
• Open business model: issuer-centric or multi-issuer
• Possibility to reuse existing infrastructure (KMS, CA)
• Java cards can be issued using any Global Platform compliant infrastructure such as personalization equipment and key management systems
• Healthy competition brings innovation faster to the market place, along with competitive prices for the issuers
• Applications developed in the Java standard language known by most developers
• Large pool of OS implementers competing on performance and security, with multiple silicon providers
Application, Offline Characteristic and Interface (slide graphic): a card application (MChip, VSDC, AEIPS, D-Pas, MiFare, data storage, access, PKI) is defined by 1. AID(s), 2. Keys, 3. Configuration Parameters, 4. Card Risk Management Parameters, 5. Counters, 6. PIN; its secrets are RSA and TDES keys; its interface is contact, contactless or dual.
The Specifications
ISO 7816 – Smart Card
– Part 1: Physical characteristics
– Part 2: Cards with contacts – Dimensions and location of the contacts
– Part 3: Cards with contacts – Electrical interface and transmission protocols
– Part 4: Organization, security and commands for interchange
ISO 14443 – Contactless
– Part 1: Physical characteristics
– Part 2: Radio frequency power and signal interface
– Part 3: Initialization and anti-collision
– Part 4: Transmission protocol
EMV Version 4.3 – Contact
– Book 1: Application independent ICC to terminal interface requirements
– Book 2: Security and key management
– Book 3: Application specification
– Book 4: Cardholder, attendant and acquirer interface requirements
EMV Version 2.3 – Contactless
– Book A: Architecture and general requirements
– Book B: Entry point specification
– Books C1-6: Kernel specifications
– Book D: Communications protocol
Payment system specifications
– Operating rules
– Network requirements
– AEIPS Card specification
– AEIPS Terminal Specifications
– Key management requirements
– E2E certification requirements
The industry is awaiting the debit networks to all publish their network specifications and certification requirements.
ISO 7816 Defines the Communications Protocol
Today’s Track 1 Data
– Start sentinel: 1 byte (the % character)
– Format code: 1 byte alpha (the standard for financial institutions is "B")
– Primary Account Number: up to 19 characters
– Separator: 1 byte (the ^ character)
– Country code: 3 bytes, if used (the United States is 840)
– Surname
– Surname separator (the / character)
– First name or initial
– Space (when followed by more data)
– Middle name or initial
– Period (when followed by a title)
– Title (when used)
– Separator: 1 byte (^)
– Expiration date or separator: 4 bytes (YYMM)
– Discretionary data: optional data can be encoded here by the issuer
– End sentinel: 1 byte (the ? character)
– Longitudinal Redundancy Check (LRC): 1 byte
Today’s Track 2 Data
– Start sentinel: 1 byte (0x0B, or a ; in ASCII)
– Primary Account Number: up to 19 bytes
– Separator: 1 byte (0x0D, or an = in ASCII)
– Country code: 3 bytes, if used (the United States is 840); only used if the account number begins with "59"
– Expiration date or separator: 4 bytes (YYMM), or the one byte separator if a non-expiring card
– Discretionary data: optional data can be encoded here by the issuer
– End sentinel: 1 byte (0x0F, or a ? in ASCII)
– Longitudinal Redundancy Check (LRC): 1 byte
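An added Python example (not from the presentation) that splits a Track 2 string into the fields listed above, checks the LRC and the PAN check digit, and masks the PAN before it reaches a log. The track string is constructed test data, and the LRC convention used (XOR of the 4-bit character codes from the start sentinel to the end sentinel inclusive) is an assumption about the ISO 7811 encoding rather than something the slide states.

```python
"""Added example, not from the presentation: parse Track 2 as laid out on the slide,
check the LRC and the PAN check digit, and mask the PAN before it is logged."""
from dataclasses import dataclass
from functools import reduce

# Constructed test track: PAN 4111111111111111, expiry 2512 (YYMM), discretionary data, LRC '8'.
SAMPLE_TRACK2 = ";4111111111111111=25121010000000000000?8"


@dataclass
class Track2:
    pan: str
    expiry: str            # YYMM, or "" when the card is non-expiring
    discretionary: str
    lrc_ok: bool
    luhn_ok: bool


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def track2_lrc(chars: str) -> str:
    """LRC = XOR of the 4-bit codes of every character from start to end sentinel inclusive.
    In the ASCII rendering the code is the low nibble (';' 0x0B, '=' 0x0D, '?' 0x0F, digits 0-9);
    the 5th parity bit of the physical encoding is not present in ASCII, so it is not checked."""
    nibble = reduce(lambda acc, c: acc ^ (ord(c) & 0x0F), chars, 0)
    return chr(0x30 | nibble)


def parse_track2(track: str) -> Track2:
    if not track.startswith(";"):
        raise ValueError("missing start sentinel")
    end = track.index("?")                       # ValueError if the end sentinel is missing
    lrc_ok = len(track) == end + 2 and track2_lrc(track[:end + 1]) == track[end + 1]
    pan, sep, rest = track[1:end].partition("=")
    if not sep or not pan.isdigit() or not 1 <= len(pan) <= 19:
        raise ValueError("malformed PAN field")
    if rest.startswith("="):                     # non-expiring card: a second separator, no date
        expiry, discretionary = "", rest[1:]
    else:
        expiry, discretionary = rest[:4], rest[4:]
    return Track2(pan, expiry, discretionary, lrc_ok, luhn_ok(pan))


def masked_pan(pan: str) -> str:
    """First six and last four digits only, the usual form for receipts and logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
```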
EMV & ISO Data Elements
Data element, tag and description as per EMV 4.2 Book 3 Table 33 or the ISO specification. The original table also had columns for the message types 1100, 1110, 1200, 1210, 1300, 1310, 1320, 1330, 1340, 1350, 1400, 1410, 1420 and 1430, for Receipt, and for the Bit Map (“if 55 then only in 55”); only the element names, descriptions and the surviving cell values are reproduced here.
– Application Selection Indicator: for an application in the ICC to be supported by an application in the terminal, the Application Selection Indicator indicates whether the associated AID in the terminal must match the AID in the card exactly
– Authorisation Response Cryptogram (ARPC): cryptogram generated by the issuer and used by the card to verify that the response came from the issuer; included in Tag 91
– Card Status Update (CSU): contains data sent to the ICC to indicate whether the issuer approves or declines the transaction, and to initiate actions specified by the issuer; transmitted to the card in Issuer Authentication Data
– Certification Authority Public Key Check Sum: a check value calculated on the concatenation of all parts of the Certification Authority Public Key (RID, Certification Authority Public Key Index, Certification Authority Public Key Modulus, Certification Authority Public Key Exponent) using SHA-1 (44 P1.8 M)
– Certification Authority Public Key Exponent: value of the exponent part of the Certification Authority Public Key (44 P1.6 M)
– Certification Authority Public Key Modulus: value of the modulus part of the Certification Authority Public Key (44 P1.4 M)
– Default Dynamic Data Authentication Data Object List (DDOL): DDOL to be used for constructing the INTERNAL AUTHENTICATE command if the DDOL in the card is not present; shall only contain the Tag and Length for Unpredictable Number (tag 9F37)
– Default Transaction Certificate Data Object List (TDOL): TDOL to be used for generating the TC Hash Value if the TDOL in the card is not present; no one requires a default be set
– Enciphered Personal Identification Number (PIN) Data: transaction PIN enciphered at the PIN pad for online verification, or for offline verification if the PIN pad and IFD are not a single integrated device (52 CNA CNA CNA CNA)
– Maximum Target Percentage to be used for Biased Random Selection: value used in terminal risk management for random transaction selection
– Message Type: indicates whether the batch data capture record is a financial record or advice
– Personal Identification Number (PIN) Pad Secret Key: secret key of a symmetric algorithm used by the PIN pad to encipher the PIN and by the card reader to decipher the PIN if the PIN pad and card reader are not integrated
– PIX: Proprietary Application Identifier Extension
– Processing Code: a set of numbers that describe the type of the transaction as well as the account
– Proprietary Authentication Data: contains issuer data for transmission to the card in the Issuer Authentication Data of an online transaction
– RID: Registered Application Provider Identifier (44 p1.1a M)
– Target Percentage to be Used for Random Selection: value used in terminal risk management for random transaction selection
– Terminal Action Code – Default: specifies the acquirer‘s conditions that cause a transaction to be rejected if it might have been approved online, but the terminal is unable to process the transaction online
Durbin in Context
An Industry Seeking Answers
Multi-Access and Multi-Application
AID – Application Identifier: the AID is the name of the directory in the chip that contains the keys, certificates, parameters and counters, and identifies the “application”. AIDs are registered by the payment networks:
– Visa (credit or debit) A000000003 1010; Visa Electron A000000003 2010; Visa Interlink A000000003 3010; US Common Debit A000000098 0840
– MasterCard A000000004 1010; Maestro Int’l A000000004 3060; US Maestro A000000004 2203
– Amex A000000025 01XX
– JCB A000000065 1010
– Discover A000000324 1010
– DNA Common Debit A000000620 0620
Application: the Payment Networks’ card and terminal specifications define the software required in the card and how the terminal will employ the EMV tool kit. Each Payment Network has invested in defining, maintaining and certifying implementations of its specifications:
– Amex – AEIPS
– Discover – D-Pas
– MasterCard – MChip
– Visa – VIS
The Visa and MasterCard specifications define methods of sharing data between two or more AIDs to support US Debit requirements. Card and terminal vendors develop and request type approval of their products.
Durbin Introduced Merchant Choice as a Matter of Law
The Durbin amendment changed debit card operations:
– Reduced interchange fees earned by debit card Issuers
– Required Issuers to define two unaffiliated routes for each transaction
The Federal Reserve issued Regulation II; Reg. II was implemented October 2011
– July 31st 2013: Judge Richard Leon remanded Regulation II back to the Federal Reserve
– March 21st 2014: The Court of Appeal found for the Board of Governors of the Federal Reserve System
– April 30th 2014: The EMV Migration Forum published “U.S. Debit EMV Technical Proposal”
Much Work Still To Do
– Debit Networks must define how EMV transactions will be processed
– Each Debit network must license or develop an EMV application
– Visa and MasterCard must publish the US Debit specifications
– Debit Networks must upgrade to support field 55
– Merchants, acquirers, POS vendors and processors must implement a Debit solution
– Merchant and acquiring terminals and interfaces must be certified
– The framework for Contactless must be defined
Debit Conundrum Score Card (network: owner; MasterCard; Visa; specs issued)
– AFFN
– Alaska Option
– Allpoint
– ATH
– Cirrus: owner MasterCard; MasterCard done; Visa done; specs issued: Yes
– CU-24: done
– Interlink: owner Visa; MasterCard done; Visa done; specs issued: Yes
– Jeanie: owner Vantiv
– Maestro: owner MasterCard; MasterCard done; Visa done; specs issued: Yes
– Money Pass
– Nets
– NYCE: owner FIS; MasterCard done; Visa done; specs issued: Yes
– Plus: owner Visa; MasterCard done; Visa done; specs issued: Yes
– Presto
– Pulse: owner Discover; MasterCard done; Visa done; specs issued: Yes
– Shazam: MasterCard done; Visa done
– Star: owner First Data; MasterCard done; Visa done
– The Co-op: done
– The Exchange/Accel: owner Fiserv; MasterCard done; Visa done; specs issued: Yes
Dispelling Myths
– EMV was designed to address counterfeit and lost and stolen fraud in the physical world
– Proximity (NFC) mobile payments are based on EMV specifications
– Near Field Communications (NFC) is a communication protocol
– Once EMV is fully deployed it significantly reduces the value of the data that can be acquired by breaking into payment systems
– To address card not present or shopping on the Internet, an EMV capable card reader (contact or contactless) could be deployed, utilizing 3D-Secure
– EMV uses cryptography to create dynamic digital signatures: the ARQC, ARPC and TC
– Tokenization, End to End Encryption and EMV complement each other
EMV Is Driven by Cryptographic Processes
At its core EMV is about using cryptography to assure that the card is authentic, both at the terminal and when the transaction is seen by the Issuer’s host.
The Key to Secure Identification: Multi-Factor Authentication
– Something You Have: the token = card
– Something You Know: the secret = PIN
– Something You Are: biometric = you
Offering Issuers Fraud Protection & Future Flexibility
Authentication and Confidentiality Require Cryptography
Symmetric
– One participant establishes a secret and shares the secret key S with other participants
– The Triple DES algorithm is used for on-line PIN security
– EMV employs Triple DES for on-line authentication
– Sharing the secret key with too many parties puts the secret key at risk
Asymmetric
– Each participant establishes a unique pair of keys: public key P and secret key S
– Public key cryptography is used to assure authenticity and security on the Internet
– EMV employs RSA for off-line authentication
– Each participant has a unique secret key they do not share
Primer in Symmetric Cryptography: Online Authentication is based on Triple DES (slide diagram). Bob and Sally share a secret key S. Bob hashes the DATA, signs the hash with TDES under the secret and encrypts the data with TDES under the secret; Sally decrypts with the same secret, hashes the recovered data and verifies the signature with TDES under the secret.
Primer in Public Key Cryptography: Offline Authentication is Based on RSA (slide diagram). Bob hashes the DATA, signs the hash with RSA under his secret key S-Bob and encrypts with Sally’s public key P-Sally; Sally decrypts with her secret key S-Sally, hashes the recovered data and verifies the signature with Bob’s public key P-Bob. S – Secret Key; P – Public Key.
Founders of the RSA Algorithm: Ron Rivest, Adi Shamir, Leonard Adleman
RSA Issuer Certificate Request Process (slide diagram)
– From the Issuer: BIN, certificate expiry date
– From Oberthur: public key, hash, self-signed certificate
– Other elements shown: BIN (test/live), tracking #, public key, private key, Issuer Public Key Certificate, Certificate Authority (Visa/MC), Oberthur Certification Request