Payments technology and security

Upload: melissa-howard

Post on 23-Dec-2015

Page 1

Payments technology and security

Mercury Confidential and Proprietary - For Recipient's Internal Use Only

Page 2

Agenda

• Introduction
• End-to-end encryption (E2E)
• Tokenization
• E2E + Tokenization
• EMV
• Summary

Page 3

Introduction

• This is an exciting time for the payments industry. There is a steady stream of disruptive technologies and security conformance being injected into the industry, from end-to-end encryption to EMV.

• Today, we will discuss end-to-end encryption, tokenization and EMV technologies and how they impact small to medium sized merchants.

Page 4

End-to-end Encryption

Page 5

Security Breaches

• The volume of data breach investigations increased 54 percent over 2012.

• 45 percent of data thefts involved non-payment card data.

• E-commerce made up 54 percent of assets targeted.

• Weak passwords opened the door for the initial intrusion in 31 percent of compromises.

Source: https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf

Page 6

Security Breaches

Every year that we produce the Trustwave Global Security Report, retail, food and beverage and hospitality jostle for position as the most frequently compromised industries.

Retail once again led the pack in 2013 at 35 percent, a decrease of 10 percent over 2012. Food and beverage industry breaches counted for 18 percent of the total, a five percent decrease from 2012.

Source: https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf

Page 7

E2E Encryption – (Protecting data in transit)

Before

• At initial swipe, credit card data is stolen in real time from peripherals and memory even though the transaction is transmitted securely.

• Transaction is returned securely as well, but it is too late – the cardholder data has already been stolen.

• ! Computers get infected with malware.

Payment Providers such as Vantiv, Mercury, FirstData, etc.

Page 8

E2E Encryption – How it works

After

• Using an Encryption enabled device such as the Verifone, Infinite Peripherals or Ingenico devices, card data is encrypted at the initial swipe.

• At initial swipe, credit card data is encrypted and cannot be stolen. Transaction is sent encrypted to a Payment Provider.

• Only non-sensitive transaction data is returned to the POS.

Encrypted card data as shown in the diagram: d5e35c1e081cec7f5dbaddad3e4f5628c65c7e8df63ec1fb275f3231490c716e7882881fdb02703b0c193f380c7fd0c81784bfac4d5f0a74e3d457f12d82ac7fea3b9d29feb72299fbbb710b1ce0674edbbf952022528abfd72bfa8e7cf08777

Payment Providers such as Vantiv, Mercury, FirstData, etc.

Page 9

E2E enabled device examples

Page 10

E2E transaction flow with Tokenization

1. At initial swipe, card data is encrypted (encrypted card data as shown in the diagram: d5e35c1e081cec7f5dbaddad3e4f5628c65c7e8df63ec1fb275f3231490c716e7882881fdb02703b0c193f380c7fd0c81784bfac4d5f0a74e3d457f12d82ac7fea3b9d29feb72299fbbb710b1ce0674edbbf952022528abfd72bfa8e7cf08777).

2. Transaction is sent encrypted to Payment Provider.

3. Get Authorization from Card Brands (Card Networks: Visa, MasterCard, Amex, Discover).

4. Call the E2E/Token Service. Token Service creates token, returns token to Merchant location.

5. Point of Sales stores token safely.

Card and token values as shown in the diagram: 40030001234567820811400300012345783,0811

Page 11

Tokenization

Page 12

Tokenization (Protecting data at rest)

Capabilities
• Replaces non-encrypted card data PAN with a reference token
• Card information is saved with the payment provider

How It Works
• Card number is used in first transaction
• Token reference data is created – a unique string of letters and numbers
• Token is returned to the requester along with authorization
• Token can be used to perform subsequent transactions on the card

Benefits
• Reduced risk
• Help merchants with their PCI compliance

Use Cases
• Recurring Billing
• Card not present
• Tip Modifications
• Delayed shipping
• Layaway purchases
• Voids and returns
• Adjustments

Page 13

Tokenization – How it works

• Credit card is initially swiped or keyed, then transmitted securely.

• The transaction response is sent back securely with a token.

• ! Computers can still get infected with malware.

Card and token values as shown in the diagram: 400300012345678208114003000123456783,08114003000123456784,08114003000123456785,08114003000123456786,08114003000123456787,0811

Payment Providers such as Vantiv, Mercury, FirstData, etc.

Page 14

E2E & Tokenization Together

• Using an encryption enabled device, card data is encrypted at the initial swipe, before sending to the POS.

• At initial swipe, credit card data cannot be stolen since it is already encrypted. Transaction is sent encrypted to Mercury.

• The transaction response is sent back securely with a token for long term storage.

Encrypted card data as shown in the diagram: d5e35c1e081cec7f5dbaddad3e4f5628c65c7e8df63ec1fb275f3231490c716e7882881fdb02703b0c193f380c7fd0c81784bfac4d5f0a74e3d457f12d82ac7fea3b9d29feb72299fbbb710b1ce0674edbbf952022528abfd72bfa8e7cf08777

Card information never exists in a readable format:
• First transactions
• Subsequent transactions

Card and token values as shown in the diagram: 400300012345678208114003000123456783,08114003000123456784,08114003000123456785,08114003000123456786,08114003000123456787,0811

Payment Providers such as Vantiv, Mercury, FirstData, etc.
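The combined E2E-plus-token flow described on this slide and on the "E2E transaction flow with Tokenization" slide, as an added worked example in Python. It is not Mercury's code and not any real provider's API: the reader's cipher is a toy HMAC-SHA256 keystream with an authentication tag, standing in for whatever the real device uses (the deck does not name it); the device key, the `PaymentProvider` class, the token vault and the sample PAN 4003000123456782 taken from the diagrams are all assumptions constructed for the example. It shows what each party ends up holding: the POS handles only ciphertext on the first sale and only a random token afterwards, so POS-resident malware finds no PAN to harvest, and a blob altered in transit is rejected before anything is decrypted.

```python
import hashlib
import hmac
import secrets

# Constructed sample card data using the value shown in the deck's diagrams (not a real account).
SAMPLE_PAN = "4003000123456782"
SAMPLE_EXPIRY = "0811"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy keystream.

    Assumption: a stand-in for the cipher inside a real E2E reader, which the
    deck does not name. Not a production cipher.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_at_swipe(device_key: bytes, track_data: str) -> bytes:
    """Step 1: the reader encrypts track data before the POS ever sees it.

    Layout: nonce (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes), encrypt-then-MAC.
    """
    plain = track_data.encode()
    nonce = secrets.token_bytes(16)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(device_key, nonce, len(plain))))
    tag = hmac.new(device_key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def decrypt_at_provider(device_key: bytes, blob: bytes) -> str:
    """Only the payment provider holds the key, so only it can recover the track data."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(device_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob tampered with or wrong key")
    stream = _keystream(device_key, nonce, len(cipher))
    return bytes(c ^ k for c, k in zip(cipher, stream)).decode()


class PaymentProvider:
    """Holds the device key and the token vault; the POS never receives either."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key
        self._vault = {}  # token -> track data, kept only at the provider

    def authorize_encrypted(self, blob: bytes, amount_cents: int) -> dict:
        """Steps 2-4: decrypt, obtain authorization, issue a token for the card."""
        track = decrypt_at_provider(self._device_key, blob)
        approval = self._authorize(track, amount_cents)
        token = secrets.token_hex(16)  # random reference; derived from nothing on the card
        self._vault[token] = track
        return {"approval": approval, "token": token, "last4": track.split("|")[0][-4:]}

    def authorize_with_token(self, token: str, amount_cents: int) -> str:
        """Subsequent transactions (tip adjustment, return, recurring) send the token only."""
        track = self._vault.get(token)
        if track is None:
            raise KeyError("unknown token")
        return self._authorize(track, amount_cents)

    def _authorize(self, track: str, amount_cents: int) -> str:
        # Stand-in for the card-brand authorization round trip (step 3).
        digest = hashlib.sha256(f"{track}:{amount_cents}".encode()).hexdigest()
        return "APPROVED-" + digest[:6]


def run_flow(amount_cents: int = 2500) -> dict:
    """Runs a first sale and a tip adjustment; returns what each party held."""
    device_key = secrets.token_bytes(32)  # injected into reader and provider, never the POS
    provider = PaymentProvider(device_key)
    blob = encrypt_at_swipe(device_key, f"{SAMPLE_PAN}|{SAMPLE_EXPIRY}")
    pos_memory = blob  # everything the POS saw on the wire
    response = provider.authorize_encrypted(blob, amount_cents)
    pos_storage = {"token": response["token"], "last4": response["last4"]}
    tip_adjust = provider.authorize_with_token(pos_storage["token"], amount_cents + 500)
    return {"pos_memory": pos_memory, "pos_storage": pos_storage,
            "first_auth": response["approval"], "tip_adjust": tip_adjust}


def pan_exposed(pos_memory: bytes, pos_storage: dict) -> bool:
    """The question POS-resident malware would answer: is the full PAN anywhere at the POS?"""
    return SAMPLE_PAN.encode() in pos_memory or SAMPLE_PAN in str(pos_storage)


def tamper_detected() -> bool:
    """Flipping one ciphertext byte must be rejected before any decrypted value is used."""
    key = secrets.token_bytes(32)
    blob = bytearray(encrypt_at_swipe(key, f"{SAMPLE_PAN}|{SAMPLE_EXPIRY}"))
    blob[20] ^= 0x01
    try:
        decrypt_at_provider(key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = run_flow()
    print("PAN visible at POS:", pan_exposed(result["pos_memory"], result["pos_storage"]))
    print("POS stored:", result["pos_storage"])
```

The token is generated with `secrets.token_hex`, so it has no mathematical relationship to the PAN; the only thing that links the two is the vault at the provider, which is exactly why the POS can keep the token for tip adjustments and returns without the card data ever being at rest on the merchant's side.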

Page 15

SMB Merchants using E2E and MToken

Tokenization:
• Ease of integration
• Supports recurring billing, tip adjustment, returns, and more!
• Helps merchant to maintain a more secure payment processing environment
• Easier POS Compliance – Fewer PA-DSS requirements to meet
• Tokenization would have prevented many of the past breaches

E2E:
• Ease of integration
• Helps developers reduce the costs and hassle of PA-DSS compliance
• Helps merchants achieve PCI compliance
• Card data theft is dramatically reduced

Page 16

EMV

Page 17

What is EMV

• EMV is a set of standards that defines interoperability of secure transactions across the international payments landscape.

• EMV transactions introduce dynamic-data specific to the card and the transaction, with the goal of reducing the risk of counterfeit fraud.

• The computer chip on the card uses cryptography to provide security. In the context of EMV, encryption is only used to protect the PIN.

• EMV is a card-present schema only; it does not solve for e-commerce transactions.
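To show what "dynamic data specific to the card and the transaction" buys the issuer, here is an added Python example that is not part of the Mercury deck and does not implement the real EMV specification: HMAC-SHA256 stands in for EMV's actual key derivation and cryptogram MAC, and the field set (amount, currency, application transaction counter, terminal unpredictable number), the `ChipCard` and `Issuer` classes and the sample PAN are assumptions made for the example. The issuer recomputes the cryptogram and declines a replayed cryptogram, one presented with a changed amount, and one built from copied static data without the card's key, which is why a copy of the card's static data alone, the thing a magstripe skim yields, is not enough to get an approval.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN (the value used in the deck's diagrams, not a real account).
SAMPLE_PAN = "4003000123456782"


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key from the issuer master key and the PAN.

    Assumption: HMAC-SHA256 stands in for EMV's real key derivation.
    """
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def transaction_data(amount_cents: int, currency: str, atc: int, unpredictable_number: bytes) -> bytes:
    """Fields the cryptogram binds together: amount, currency, the card's
    application transaction counter (ATC) and the terminal's random challenge."""
    return (amount_cents.to_bytes(6, "big") + currency.encode()
            + atc.to_bytes(2, "big") + unpredictable_number)


def cryptogram(card_key: bytes, data: bytes) -> str:
    """8-byte MAC over the transaction data (stand-in for the EMV cryptogram)."""
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8].hex()


class ChipCard:
    """Simulated chip: keeps its key inside, increments the ATC, signs each transaction."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate(self, amount_cents: int, currency: str, unpredictable_number: bytes) -> dict:
        self.atc += 1
        data = transaction_data(amount_cents, currency, self.atc, unpredictable_number)
        return {"pan": self.pan, "atc": self.atc, "cryptogram": cryptogram(self._key, data)}


class Issuer:
    """Issuer host: recomputes the cryptogram and enforces a strictly increasing ATC per card."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._last_atc = {}

    def verify(self, request: dict, amount_cents: int, currency: str, unpredictable_number: bytes) -> bool:
        key = derive_card_key(self._master_key, request["pan"])
        data = transaction_data(amount_cents, currency, request["atc"], unpredictable_number)
        if not hmac.compare_digest(cryptogram(key, data), request["cryptogram"]):
            return False  # data changed in transit, or not produced with the card's key
        if request["atc"] <= self._last_atc.get(request["pan"], 0):
            return False  # counter already seen: replay
        self._last_atc[request["pan"]] = request["atc"]
        return True


def demo() -> dict:
    """Runs the issuer checks over two genuine purchases and three invalid presentations."""
    master = secrets.token_bytes(32)
    card = ChipCard(SAMPLE_PAN, derive_card_key(master, SAMPLE_PAN))
    issuer = Issuer(master)
    un = secrets.token_bytes(4)
    req = card.generate(2500, "840", un)
    results = {"genuine": issuer.verify(req, 2500, "840", un)}
    # Same cryptogram presented a second time.
    results["replay"] = issuer.verify(req, 2500, "840", un)
    # Same cryptogram, amount changed on the way to the issuer.
    results["amount_changed"] = issuer.verify(req, 9900, "840", un)
    # Static data copied from the card (PAN, next ATC) but no key, so the MAC is junk.
    forged = dict(req, atc=req["atc"] + 1, cryptogram="00" * 8)
    results["no_key"] = issuer.verify(forged, 2500, "840", un)
    # The card's next real transaction still passes.
    un2 = secrets.token_bytes(4)
    req2 = card.generate(1200, "840", un2)
    results["next_genuine"] = issuer.verify(req2, 1200, "840", un2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'approved' if ok else 'declined'}")
```

The unpredictable number is chosen by the terminal, not the card, so a cryptogram captured at one terminal cannot be reused at another even if the ATC check were absent; the ATC check covers the remaining case of the same terminal, same challenge, same data.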

Page 18

EMV Transaction Flow: MagStripe vs EMV

Page 19

EMV Transaction Flow: MagStripe vs EMV

Page 20

U.S. Market EMV Update

Significant progress underway*

• Multiple issuing pilots underway, top issuers
• Up to 2 million EMV ready terminals installed
• 50-100 million EMV cards issued
• Top acquirers fully certified
• Merchants reinvigorating EMV cert and security discussions as a result of 2013 holiday breaches
• Active EMV implementation projects at many tier 1 merchants
• Wal-Mart® “live” with EMV today

* Data is only based on information provided by Mercury’s partners and does not include all international payment systems.

Page 21

Certification Standards

EMVCo™
• Level 1: Certification of the device’s electrical, mechanical, and communication protocol characteristics
• Level 2: Certification of application software that supports specified EMV functionality

Card Networks
• Brand/“Level 3”: Approval of end-to-end solution
• Brand-by-brand testing requirements

Page 22

Network Certification Programs

American Express® (30 tests)
• American Express ICC Payment Specification (AEIPS)
• Expresspay Contactless Specification

Discover® (24 tests)
• D-PAS Acquirer-Terminal End-to-End (E2E)

MasterCard® (114 tests)
• MasterCard terminal integration process (M-TIP)

Visa® (105 tests)
• Acquirer Device Validation Toolkit (ADVT)
• Contactless Device Evaluation Toolkit (CDET)
• Quick Visa Smart Debit Credit Device Module (qVSDC DM)

Page 23

Points of pain for Merchants

Merchants
• Merchant and consumer payment process flow will change
• Varied merchant impacts by vertical: pizza delivery, fine dining, unattended kiosk (car washes)
• Cost for new EMV enabled hardware/software
• Liability Shift: charge back
• Line-busting will change
• Cost vs. Customer impact

Cardholders
• EMV card never leaves the cardholder’s hand
• Contact EMV – dipping
• Contactless EMV – tapping
• Chip and Signature vs Chip and PIN
• Restaurant environments

Page 24

Thank you!