EMV: Past, Present and Future

EMV Basics

CONFIDENTIAL AND PROPRIETARY

© Copyright 2015 Vantiv, LLC. All rights reserved. Vantiv, the Vantiv logo, and all other Vantiv product or service names and logos are

registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. ® indicates USA registration.

z z

2

Disclaimer: This communication, including any content herein and/or

attachments hereto, is provided as a convenience only, does not constitute legal advice

and does not create and attorney client relationship. Because of the generality of this

communication, the information provided herein may not be applicable in all situations

and does not constitute a comprehensive list of issues that could impact your business.

As such and to understand how the information in this communication may impact your

business, you are encouraged to seek the advice from your legal counsel, compliance

and/or other subject matter expert based on the facts and circumstances of your

organization’s particular situation.

3

Agenda

• What EMV is

• Global Impact

• How EMV Works

• Network Rules

• EMVCo Initiatives

What is EMV?

z z

5

Brief History of Chip Cards

• Chip-based payment cards introduced in the 1980’s

› High communications costs and unreliable service

› Offline processing susceptible to fraud

• Specifications developed country by country

› Interoperability issues

• Europay, MasterCard and Visa

› Joint effort to develop common specification

› EMVCo formed in 1999

• Now includes Amex, Discover, JCB and CUP

6

What is EMV?

• International standard defining interoperability of secure transactions

› Introduces dynamic data and cryptography to the transaction

› Devalues transaction data; reducing risk of counterfeit fraud

• World-wide adoption including U.S. neighbors, Canada and Mexico

› Effecting U.S. multi-national retailers

• Enabler of future payments types

› Contactless, Mobile

• Chip & PIN ≠ EMV

7

• Chip on card uses cryptography to provide security

• Utilizes 2 forms of cryptography

› Digital signatures – ensures data is authentic

› Encryption – ensures data is kept confidential

• Digital signature devalues the data

› Even if data is intercepted, signature cannot be replicated

• Encryption is only used to protect the PIN

› EMV does not encrypt all transaction data

What is EMV?

FraudTheft

Physical

Attacks

System

Breach

Account

Data

Compromise

Counterfeit

Cards

Lost/

Stolen

Cards

P2PE /

Tokens

EMV

Chip

EMV

PINPolicy &

Inspection

EMV in the Security Equation

8

Global Impact of EMV

z z

10

• Counterfeit, Lost and Stolen Fraud Losses

› Today, Issuers are liable for counterfeit fraud-related losses

› Liability will shift to merchant if not EMV enabled

› PIN protects against lost and stolen fraud

• Global interoperability of chip cards and payment

devices

› Worldwide standard used by most developed economies

› Support for international commerce

• Contactless and Mobile payment schemes

Market Drivers for EMV

11

Counterfeit Fraud Volume

(Visa only)

Europe (Liability Shift in

2005)

Asia Pacific (Liability Shift in

2006)

U.S. (Liability Shift in

2015)

- 56%

- 52%

+ 307%

2011

2004

U.S. $5.3B ROW

$5.9B

U.S. $5.1T

ROW $16.5T

U.S. and Rest

of World Sales

Volume

2012

U.S. and Rest

of World Fraud

Volume

2012

Global Fraud Trends

12

2008-2010

HOLIDAY FRAUD PEAKS

2011

HOLIDAY

FRAUD

SIGNIFICANTLY

REDUCED

Canadian Fraud Trends

13

As EMV migration nears

completion in Canada,

Europe and parts of Asia….

U.S. cross-border counterfeit fraud shows significant

growth

U.S. Fraud Trends

$0

$20,000,000

$40,000,000

$60,000,000

$80,000,000

$100,000,000

$120,000,000

$140,000,000

$160,000,000

2009

2010

2011

Visa US Domestic Counterfeit Fraud Source: Visa

14

What’s the Risk?

15

Impact on Card Not Present

• Increase in CNP fraud is driving other solutions

› 3-D Secure

› Tokenization

› Chip authentication devices * Retail Payments Risk Forum Working Paper Federal Reserve Bank of Atlanta January 2012

*

16

Region

Canada and LAC

Asia Pacific

Africa & the Middle East

Europe Zone 1

Europe Zone 2

United States2

Totals3

Cards Rate Terminals Rate

471M

942M

77M

794M

84M

17M

2.37B

54.2%

17.4%

38.9%

81.6%

24.4%

<2.0%

7.1M

15.6M

0.7M

12.2M

1.4M

2M

37M

84.7%

71.7%

86.3%

99.9%

91.2%

~20%

1Figures reported in Q4 2013 and represent the latest statistics from American Express, Discover, JCB, MasterCard, UnionPay and

Visa, as reported by their member financial institutions globally 2US Figures are EMF estimates for 2013 3Totals does not included data from the US

EMV Around the World1

z z

How EMV works

Contact EMV, Part 1

18

• An EMV card is inserted into a terminal

› Application Selection

• The chip in the card contains the account data

› Initiate Application Processing

• Chip data is accessed by the terminal

› Read Application Data

• Chip creates a unique code,

or “cryptogram”, and sends

to the issuer (or not)

› Offline Authentication

Contact EMV, Part 2

19

• Cardholder is verified by the card (or not)

› Cardholder Verification

• Terminal determines need to process online

› Terminal Risk Mgmt & Terminal Action Analysis

• Card decides to approve or go online

› Card Action Analysis

• If card approves, complete transaction

› Completion

Contact EMV, Part 3

20

• If online, issuer validates the cryptogram and PIN

› Issuer Authentication

• Transaction is approved by the issuer and sends

response cryptogram

› Completion

• Issuer scripts processed by card

› Script Processing

› Tags 71 and 72, <= 128 bytes

• The card is removed when

the transaction is completed

21

And now a word on Fallback

• Technical Fallback

› Terminal cannot read chip

› Terminal prompts cardholder to swipe card

• CVM Fallback

› PIN Try Counter on card is exceeded

› PIN Entry Bypass is used

› Issuer personalizes the card to decide:

• Decline

• Fallback to Signature

• No CVM

22

• A chip can be on a contactless card

• A chip can be in a smart phone

• Device is tapped or held near the terminal

• Cardholder experience

similar to today

Contactless and Mobile

23

011010100100101011010100100101

Card

Authentication

Security 1 Cardholder

Verification

Options 2

Authorization

Options 3

4 Contact,

Contactless,

and Mobile

Technology

EMV Introduces New Security Functions

24

1 Online Card Authentication

Offline Card Authentication (optional)

Generates an EMV Dynamic Cryptogram

Host Validates the EMV Dynamic Cryptogram

CARD ISSUER HOST

Card provides the terminal a dynamic security certificate

Terminal validates the dynamic

security certificate

Online

Authorization

2 1

CARD TERMINAL

1 2 3

EMV Card Authentication

25

2

Is the cardholder the

right person?

EMV CVM List • Signature • Online PIN • Offline PIN • No CVM

• More than one CVM supported on card

• Issuers choose CVMs to support

• Issuer chooses the priority of CVMs

} Cardholder Verification (CVM)

26

2

Issuer Host

PIN stored and validated

at host

4653

PIN stored and validated on chip

4653

Works same as mag stripe host-based PIN

All EMV cards use online PIN for ATM

Most Offline PIN transactions go online for authorization

Changes required:

PIN selection/activation process

Customer PIN Communications

Offline PIN change process

Synchronization with online PIN

Add ability to send PIN and PIN counter updates to card

No system changes required

U.S. is an online market

Encrypted PIN

EMV Online PIN EMV Offline PIN

Online vs. Offline PIN

3

27

Transaction

approval process

Issuers can make better decisions with risk data provided in EMV

transactions

(1) Online Authorization (2) Offline Authorization (Optional)

The card authorizes transaction

• No communication with host

system for authorization

• Card contains offline authorization

criteria and counters

Works much like magnetic stripe transaction

• New EMV data is sent to host

• Dynamic authentication technology is used

• New risk assessment rules are enabled

EMV Authorization/Approval

z z

Liability Shifts, PCI Validation Waivers and Account Data Compromise Relief

April 2013 Processors must

support EMV

April 2015 3rd party ATM

must support EMV

October 2015 Liability shift of

counterfeit transactions

October 2017 Liability shift for AFD

Liability shift for ATM

April 2013 Processors must

support EMV

International ATM

liability shift

October 2015 Liability shift of

counterfeit transactions

October 2016 Liability shift for ATM

October 2017 Liability shift for AFD

April 2013 Processors must

support EMV

October 2015 Liability shift of

counterfeit transactions

October 2017 Liability shift for AFD

April 2013 Processors must

support EMV

October 2015 Liability shift of

counterfeit transactions

October 2017 Fuel liability shift

29

A Durbin-compliant debit solution has been released by the EMV Migration Forum

Brand Roadmaps

30

• Counterfeit fraud liability is assigned to least secure party

• Standard rules apply when both are equal

• Inclusion of PIN adds Lost/Stolen shift

EMV w/PIN > EMV w/Sig > Mag stripe

• Visa only states that the party not using EMV technology is liable

Liability Shift

31

• PCI Validation waiver (October 2012)

› Visa, MasterCard

• PCI Validation waiver (October 2013)

› Discover, American Express

› 75% of transactions must originate from EMV enabled terminals

› Must support both contact and contactless transactions

› Exempts eligible merchants from annual PCI DSS

validation requirement

• For MasterCard, “eligible” merchants are Level 1/Level 2 merchants

› All merchants are required to maintain ongoing PCI DSS

compliance

PCI Validation Waiver

32

• October 2013

› MasterCard allows for account data compromise relief if

75% of transactions from compliant terminals

› 50% relief on fines and repayment to issuers for breached

accounts

• October 2015

› MasterCard allows for account data compromise relief if

95% of transactions from compliant terminals

› 100% relief on fines and repayment to issuers for breached

accounts

Program only covers operational and fraud recovery portion of breached

merchant’s liability. Does not apply to investigation costs, remediation

expenses or non-compliance fines

MasterCard Account Data Compromise Relief

z z

EMVCo

34

• EMV Next Generation

› Contact/Contactless convergence

› Simplified terminal implementations

› Cryptography (ECC)

• Mobile & mPOS

› Guidance for mPOS development

• Tokenization

› Develop spec to support secure/interoperable

transactions

EMVCo Initiatives

z z

Questions