EMV Payments: Changes at the Point of Sale · 2015-10-07
EMV Payments: Changes at the Point of Sale § Gerry Schoenecker § Regional Product Manager § Ingenico
Table of Contents
• Synopsis
• The Key Dates Revisited
• Merchant Impact Chart
• Message Format Changes
• Merchant Checklist
• EMV / NFC Connection
• Merchant Stratification
• Card Data Environment (CDE) Mapping
• Other Factors
Synopsis
EMV migration can impact a number of areas that link a merchant’s transaction processing infrastructure with the same processing side that has long supported magstripe card acceptance. A US migration may pose a number of unique challenges, perhaps more than other regional migrations to date.
• The Card Brands have incentive programs for both contact AND contactless
✓ This means that support for both technologies should be considered
• EMV countries still experience a need for supporting magnetic stripe
✓ A hybrid model is anticipated
✓ Acceptance devices will need to support all payment types
✓ “Fallback” possibilities
• PCI compliance challenges are already straining budgets and tolerance
✓ PCI PTS evolutions / threat of physical attacks on older devices
EMV Deployment Milestones | Key Dates | Visa / MasterCard / Discover / American Express | Notes
PCI Audit Relief | October 2012 | Y Y |
PCI Audit Relief | October 2013 | Y Y |
POS Acquirer / Processor Compliance | April 2013 | Y Y Y Y | Mandate for POS Acquirers
Maestro ATM Liability Shift | April 2013 | Y | Inter-Regional Maestro Cards at U.S. ATMs
Visa ATM EMV Mandate | April 2015 | Y Y Y | U.S. Third Party ATM acquirer processors must be able to support EMV chip data for all Visa and/or PLUS branded products
POS Counterfeit Liability Shift (Excluding Fuel Dispensers) | October 2015 | Y Y Y | Liability shift for merchants excluding AFD
POS Lost or Stolen Liability Shift (Excluding Fuel Dispensers) | October 2015 | Y | Liability shift for merchants excluding AFD
MasterCard ATM Liability Shift | October 2016 | Y | All MasterCard Branded Cards
Visa ATM Liability Shift | October 2017 | Y | Liability shift for all U.S. ATMs for all Visa and/or PLUS branded products
POS Counterfeit Liability Shift for Fuel Dispensers | October 2017 | Y Y Y Y | Liability shift for AFD
POS Lost or Stolen Liability Shift for Fuel Dispensers | October 2017 | Y Y | Liability shift for AFD
EMV Liability Shift Dates
• Courtesy of Allen Friedman - TSYS Acquiring Solutions
EMV Impacts ALL Merchants
Small • Typically tier 4 • Simple structure • Small EMV footprint • Easy conversion • Single – several store • Storefront
Mid-sized • Typically tier 3 • Small structure • Light EMV footprint • Small conversion • Regional chains • Storefront • E-commerce
Large • Tier 2 level merchant • Large structure • Large EMV footprint • Challenging conversion • Regional – nat. chains • Storefront • E-commerce • MOTO • Field Services
Super • Tier 1 level merchant • Complex Structure • Huge EMV footprint • Integrated POS • Difficult conversion • National chains • Storefront • E-commerce • MOTO • Field Services • Multiple brands
Merchant Impact Chart
Setup POST Register Controller Switch End to End Cert Processor Impact
HW SW HW SW SW SW SW
Countertop POST Replace w/new POST ✓ ✓ - - - - - ✓ Low
Countertop POST Add all-in-one PIN pad ✓ ✓ - - - - ✓ ✓ High
Mobile POST Replace w/new POST ✓ ✓ - - - - - ✓ Low
POS w/mag wedge Replace w/CT POST ✓ ✓ - - - - - ✓ Low
POS w/mag wedge Replace w/PIN pad ✓ ✓ - ✓ - - ✓ ✓ Medium
Integrated PIN pad Replace w/new PIN pad ✓ ✓ - ✓ ✓ ✓ ✓ ✓ High
Integrated wedge Replace w/PIN pad ✓ ✓ - ✓ ✓ ✓ ✓ ✓ High
Smart phone integrated Replace w/EMV dongle ✓ ✓ - ✓ ✓ ✓ ✓ ✓ High
Smart phone stand alone Replace w/EMV dongle ✓ ✓ - - - - - ✓ Low
EMV & Semi-Integrated Systems
• Courtesy of Allen Friedman - TSYS Acquiring Solutions
Message Format Changes
Tag | Tag Descriptor | Functionality | Details
9F26 | Application cryptogram | Card authentication | Contains the cryptogram used to authenticate the transaction.
9F36 | Application transaction sequence counter | Card authentication | Contains the value of the POS terminal transaction sequence counter. The POS terminal maintains a transaction sequence counter and increments the count each time a transaction is initiated.
9F07 | Application usage control | Card authentication | Specifies the issuer’s restrictions on the geographic usage and services allowed for the application.*
9F27 | Cryptogram information data | Card authentication | Indicates the type of cryptogram and the actions to be performed by the terminal.
9F34 | CVM results | Cardholder verification | Identifies how the cardholder was verified at the POS: by cardholder signature, cardholder PIN, or verification not required.
9F0D | Issuer action code—default | Transaction authorization | Specifies issuer conditions that cause a transaction to be rejected if the transaction might have been approved online but the terminal is unable to process it online.*
9F0E | Issuer action code—denial | Transaction authorization | Specifies issuer conditions that cause a transaction to be denied without an attempt to go online.*
9F0F | Issuer action code—online | Transaction authorization | Specifies issuer conditions that cause a transaction to be transmitted online.*
9F10 | Issuer application data | Card authentication | Contains issuer application data transmitted from the chip to the issuer. Is updated by the issuer in the response message.
9F37 | Unpredictable number | Card authentication | Contains the POS terminal unpredictable number value. POS terminal generates the number value that may be used as input to the application cryptogram algorithm.
The EMV payments infrastructure includes a new network message field that transports chip data. In the U.S., this field is often referred to as Field 55. Field 55 is a generic, flexible, variable-length container that conforms to tag-length-value (TLV) encoding. Every data element carried in the field has a specific tag, followed by the length of the data and then the actual data. Each tag is defined by EMV or specified in the relevant payment brand specifications. Field 23 carries the card sequence number, which is part of the secure cryptogram calculation. Merchants or their application providers will need to change their infrastructure to support Field 55 in the authorization request and response messages, as well as Field 23.
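The tag-length-value layout of Field 55 described above, as an added example (not part of the original presentation): a small Python walker that splits the field into its elements and rejects any element whose declared length runs past the end of the field. The sample bytes and the function names are constructed for illustration.

```python
# Added example: tag names from the table above; SAMPLE_DE55 is constructed data.
TAG_NAMES = {
    "9F26": "Application cryptogram",
    "9F27": "Cryptogram information data",
    "9F36": "Application transaction sequence counter",
    "9F37": "Unpredictable number",
    "9F34": "CVM results",
    "9F10": "Issuer application data",
}

SAMPLE_DE55 = bytes.fromhex(
    "9F26080102030405060708"  # tag 9F26, length 08, made-up value
    "9F270180"
    "9F36020012"
    "9F3704DEADBEEF"
    "9F3403420300"
    "9F10810706010A03A00000"  # long-form length: 0x81 then one length byte 0x07
)

def parse_tlv(data: bytes) -> dict:
    """Return {tag_hex: value_bytes} for a flat run of TLV elements."""
    out, i = {}, 0
    while i < len(data):
        start = i
        i += 1
        # Low 5 bits all set: tag continues until a byte with the high bit clear.
        if data[start] & 0x1F == 0x1F:
            while i < len(data) and data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        if i >= len(data):
            raise ValueError(f"tag {tag}: length byte missing")
        length = data[i]
        i += 1
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError(f"tag {tag}: bad long-form length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):  # never trust the declared length
            raise ValueError(f"tag {tag}: declared {length} bytes overrun the field")
        out[tag] = data[i:i + length]
        i += length
    return out

def describe(data: bytes) -> list:
    return [(t, TAG_NAMES.get(t, "unlisted tag"), v.hex().upper())
            for t, v in parse_tlv(data).items()]
```
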
Merchant Checklist
• Designated an in-house EMV expert / program owner (critical for large merchants / ISO / Processor)
• POS providers / VARS aligned with EMV (including plan and roadmap)
• POST that I own or will soon own supports all payment types
✓ Remember: Contact, Contactless / NFC, and magstripe
✓ My NFC support includes mobile wallet (of my choosing)
✓ Solution bears all the necessary approvals (Lvl1, Lvl2, C’less approvals, PCI PTS)
o Remember that PCI-PTS V1 expires April 30, 2014!
✓ Ensure the ability to remotely manage (some peripherals may not accommodate this)
• My EMV migration dates coincide with the association benefits and key dates for compliance
• My POS provider can assist in the migration process
• My processor / acquirer is available for the migration and planning
✓ I have received my end-to-end certification process from them (if applicable)
✓ I have all the test tools I need (cards, etc.)
• I am developing a training program for my personnel
✓ To understand the new payment types
✓ To understand the changes in consumer behavior at the POS and dispel myths
The EMV / NFC Connection
Remember that the incentives from the card brands are predicated on accepting both contact and contactless EMV as well as NFC.
• An EMV chip can be on a “contactless” card where the chip is “tapped” or “held” near the terminal …..or…..
• A chip can be inside your smart phone and the phone is “waved” near the terminal…
• Mobile wallets (eWallets) are rapidly growing in number, which multiplies the opportunity for incremental sales for merchants and new revenue options for ISOs
Card Data Environment Mapping
Countertop Point of Sale Terminal
At the transaction origin, the EMV chip card must be inserted into a POS device that has the hardware capability to process it, as well as the necessary software application.
Countertop terminals are the most common among small retailers.
The Challenge
• Many legacy countertop POS’s in the field do not incorporate EMV readers
• Even fewer support NFC and Contactless
• Many that do are at or nearing EOL for other reasons (PCI, obsolescence, etc.)
• Software updates may not be available for some models
Possible Solutions
• Software update for legacy devices that are candidates for migration
• All-in-One terminal hardware and software upgrade for non-accepting devices
• Bolt-on NFC readers for devices that support EMV, but have no C’less reader
Other Factors
• PCI PTS deadlines
• Form factor (2 piece or single device?)
• Performance (dial only): EMV will add some time (could be more than a few seconds)
• PIN support – International & US issued cards needed
POS Wedge
At the transaction origin, the EMV chip card must be inserted into a POS device that has the hardware capability to process it, as well as the necessary software application. A wedge reader that is configured either as a stand-beside or a fully integrated solution will not satisfy the requirements.
The Challenge
• A typical wedge reader also does not support EMV cards or C’less
• These devices are typically stand-beside or integrated to a POS system
Possible Solutions
• Replace or supplement with an all-in-one PIN pad with EMV and C’less/NFC
Other Factors
• PCI PTS deadlines
Retail Point of Sale Terminal
At the transaction origin, the EMV chip card must be inserted into a POS device that has the hardware capability to process it, as well as the necessary software application. Retail customer activated devices are widely deployed where a multi-lane style of interaction occurs. Many of these cannot support EMV or C’less.
The Challenge
• Many legacy retail POST in the field do not incorporate EMV readers
• Even fewer support NFC and Contactless
• Many that do are at or nearing EOL for other reasons (PCI, obsolescence, etc.)
• Software updates may not be available for some models
Possible Solutions
• Software update for legacy devices that are candidates for migration
• Terminal hardware and software upgrade for non-accepting devices
Other Factors
• PCI PTS deadlines
• P2PE transitions underway
• Other infrastructure changes required (POS register, switch, etc.)
Other Impact Areas
• Consider semi-integrated approaches to solve for EMV
✓ Beneficial for P2PE, RKI, estate management, etc.
✓ Best time to do it while “the patient is open”
• Don’t forget the CDE areas that would escape typical scrutiny
✓ ATM, AFP
• Customer experience check-out speed
✓ Card remains in the device
✓ Initial learning curve
✓ Contactless may follow naturally as a faster mode
Other Impact Areas – The Customer
• New payment card types • New payment flows • Card remains in device • Contactless • Use displays for training!
Other Impact Areas – Employees
• Chargeback handling • Return handling • New hire training • SME training
Other Impact Areas – Mechanical
• E2E cert testing • New failure points • Out of band form factors • Transactions speeds
Start Planning Today!
Time remaining to October, 2015 liability shift: 604 Days, 13 Hours, 35 Minutes
“If you haven’t already started planning, you will want to get started, or you will be considered already lagging behind….” ~ Rob Hayhow, TD Bank
§ Ingenico § 3025 Windward Plaza, Suite 600, Alpharetta, GA 30022 · (800) 252-1140 § www.ingenico.com
Gerry Schoenecker