TRANSCRIPT
Payments technology and security
Mercury Confidential and Proprietary - For Recipient's Internal Use Only
Agenda
• Introduction
• End-to-end encryption (E2E)
• Tokenization
• E2E + Tokenization
• EMV
• Summary
Introduction
• This is an exciting time for the payments industry: a steady stream of disruptive technologies and security requirements is being injected into the industry, from end-to-end encryption to EMV.
• Today we will discuss end-to-end encryption, tokenization and EMV technologies and how they impact small to medium-sized merchants.
End-to-end Encryption
Security Breaches
• The volume of data breach investigations increased 54 percent over 2012.
• 45 percent of data thefts involved non-payment card data.
• E-commerce made up 54 percent of assets targeted.
• Weak passwords opened the door for the initial intrusion in 31 percent of compromises.
Source: https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf
Security Breaches
Every year that we produce the Trustwave Global Security Report, retail, food and beverage and hospitality jostle for position as the most frequently compromised industries.
Retail once again led the pack in 2013 at 35 percent, a decrease of 10 percent over 2012. Food and beverage industry breaches accounted for 18 percent of the total, a five percent decrease from 2012.
Source: https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf
E2E Encryption – (Protecting data in transit)
Before
At initial swipe, credit card data is stolen in real time from peripherals and memory even though the transaction is transmitted securely.
Transaction is returned securely as well, but it is too late – the cardholder data has already been stolen.
! Computers get infected with malware.
Payment Providers such as Vantiv, Mercury, FirstData etc.
E2E Encryption – How it works
After
Using an encryption enabled device such as the Verifone, Infinite Peripherals or Ingenico devices, card data is encrypted at the initial swipe.
At initial swipe, credit card data is encrypted and cannot be stolen. Transaction is sent encrypted to a Payment Provider.
Only non-sensitive transaction data is returned to the POS.
[Diagram: the encrypted swipe payload is shown on the slide as the opaque string d5e35c1e081cec7f5dbaddad3e4f5628c65c7e8df63ec1fb275f3231490c716e7882881fdb02703b0c193f380c7fd0c81784bfac4d5f0a74e3d457f12d82ac7fea3b9d29feb72299fbbb710b1ce0674edbbf952022528abfd72bfa8e7cf08777]
Payment Providers such as Vantiv, Mercury, FirstData etc.
E2E enabled device examples
E2E transaction flow with Tokenization
[Diagram, reconstructed from the slide's numbered labels. The slide shows the clear card data as 40030001234567820811, the encrypted payload as d5e35c1e081cec7f…, and the token as 400300012345783,0811.]
1. At initial swipe, card data is encrypted.
2. Transaction is sent encrypted to Payment Provider.
3. Payment Provider gets authorization from the Card Brands (Card Networks: Visa, MasterCard, Amex, Discover).
4. Payment Provider calls the E2E/Token Service; Token Service creates token, returns token to Merchant location.
5. Point of Sale stores token safely.
Tokenization (Protecting data at rest)
Capabilities
• Replaces non-encrypted card data (PAN) with a reference token
• Card information is saved with the payment provider
How It Works
• Card number is used in first transaction
• Token reference data is created – a unique string of letters and numbers
• Token is returned to the requester along with authorization
• Token can be used to perform subsequent transactions on the card
Benefits
• Reduced risk
• Helps merchants with their PCI compliance
Use Cases
• Recurring Billing
• Card not present
• Tip Modifications
• Delayed shipping
• Layaway purchases
• Voids and returns
• Adjustments
Tokenization – How it works
Credit card is initially swiped or keyed, then transmitted securely.
The transaction response is sent back securely with a token.
[Diagram: the slide shows card data 4003000123456782 0811 and the tokens returned for it: 4003000123456783,0811; 4003000123456784,0811; 4003000123456785,0811; 4003000123456786,0811; 4003000123456787,0811]
! Computers can still get infected with malware.
Payment Providers such as Vantiv, Mercury, FirstData etc.
E2E & Tokenization Together
Using an encryption enabled device, card data is encrypted at the initial swipe, before sending to the POS.
At initial swipe, credit card data cannot be stolen since it is already encrypted. Transaction is sent encrypted to Mercury.
The transaction response is sent back securely with a token for long term storage.
Card information never exists in a readable format:
• First transactions (the slide shows the encrypted swipe payload d5e35c1e081cec7f…)
• Subsequent transactions (the slide shows tokens such as 4003000123456783,0811)
Payment Providers such as Vantiv, Mercury, FirstData etc.
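The following is an added illustration of the three slides above (E2E encryption at the swipe, tokenization for storage, and the two together). It is not Mercury's code and not the code of any reader vendor: the cipher is a standard-library stand-in (HMAC-SHA256 used as a CTR keystream with an encrypt-then-MAC tag) for the DUKPT/TDES or AES scheme a real encrypting reader uses, the track layout `PAN=YYMM` and the `tok_` prefix are constructed, and the card number is the sample value from the slides. What it shows is which party can see what: the POS only ever handles an opaque blob, a token and the last four digits.

```python
"""Added example: E2E encryption at the swipe plus tokenization for storage.
Illustrative code only (not Mercury's). The cipher is an HMAC-SHA256 keystream
with encrypt-then-MAC, standing in for the reader's real DUKPT/TDES or AES.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(device_key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the key injected into the reader.
    return (hmac.new(device_key, b"enc", hashlib.sha256).digest(),
            hmac.new(device_key, b"mac", hashlib.sha256).digest())


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR-style keystream: HMAC(key, nonce || block counter) XORed onto the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def device_encrypt(device_key: bytes, track_data: bytes) -> bytes:
    """Runs inside the encrypting reader, before anything reaches the POS."""
    enc_key, mac_key = _subkeys(device_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor_stream(enc_key, nonce, track_data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def provider_decrypt(device_key: bytes, blob: bytes) -> bytes:
    """Runs at the payment provider, the only party holding the device key."""
    enc_key, mac_key = _subkeys(device_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed integrity check")
    return _xor_stream(enc_key, nonce, ct)


class PaymentProvider:
    """Decrypts, authorizes, and swaps the PAN for a token kept in its own vault."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.vault = {}  # token -> (PAN, expiry); exists only at the provider

    def authorize_encrypted(self, blob: bytes, amount_cents: int) -> dict:
        # Constructed track layout: "PAN=YYMM".
        pan, expiry = provider_decrypt(self.device_key, blob).decode().split("=")
        token = "tok_" + secrets.token_hex(12)  # random; carries no PAN information
        self.vault[token] = (pan, expiry)
        # Only non-sensitive fields are returned to the POS.
        return {"approved": amount_cents > 0, "token": token, "last4": pan[-4:]}

    def authorize_token(self, token: str, amount_cents: int) -> dict:
        if token not in self.vault:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": amount_cents > 0, "token": token}


def run_merchant_day(provider: PaymentProvider, device_key: bytes, track: bytes) -> dict:
    """Simulates the POS: a first sale with the card, then a tip adjustment by token.
    The device key is passed in only because this function also plays the reader.
    Returns everything the POS handled or stored, i.e. what POS malware could read."""
    pos_log = []
    blob = device_encrypt(device_key, track)            # reader output, never plaintext
    pos_log.append(("swipe_payload", blob.hex()))
    first = provider.authorize_encrypted(blob, 2500)
    pos_log.append(("first_response", first))
    stored_token = first["token"]                        # POS stores the token, not the PAN
    tip = provider.authorize_token(stored_token, 500)    # subsequent transaction by token
    pos_log.append(("tip_adjust", tip))
    return {"stored_token": stored_token, "pos_log": pos_log}


if __name__ == "__main__":
    key = b"constructed-device-key-0001"
    result = run_merchant_day(PaymentProvider(key), key, b"4003000123456782=0811")
    print(result)
```

Running the script prints the POS-side record; the full card number does not appear in it, only the ciphertext, the token and the last four digits, which is the property the "Card information never exists in a readable format" slide is describing.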
SMB Merchants using E2E and MToken
Tokenization:
• Ease of integration
• Supports recurring billing, tip adjustment, returns, and more!
• Helps merchant to maintain a more secure payment processing environment
• Easier POS Compliance – Fewer PA-DSS requirements to meet
• Tokenization would have prevented many of the past breaches
E2E:
• Ease of integration
• Helps developers reduce the costs and hassle of PA-DSS compliance
• Helps merchants achieve PCI compliance
• Card data theft is dramatically reduced
EMV
What is EMV
• EMV is a set of standards that defines interoperability of secure transactions across the international payments landscape.
• EMV transactions introduce dynamic data specific to the card and the transaction, with the goal of reducing the risk of counterfeit fraud.
• The computer chip on the card uses cryptography to provide security. In the context of EMV, encryption is only used to protect the PIN; the rest of the security comes from authentication (cryptograms), not secrecy.
• EMV is a card-present scheme only. It does not solve for e-commerce transactions.
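An added illustration of the "dynamic data" bullet above, not part of the slides and not EMVCo's or Mercury's code: the chip computes a cryptogram over the transaction details, a counter it increments on every use, and a random challenge from the terminal, and the issuer verifies it. HMAC-SHA256 stands in for the TDES/AES session-key MAC a real card computes, and the data elements are a simplified subset of what a real application cryptogram covers; the card key and amounts are constructed.

```python
"""Added example of EMV's per-transaction cryptogram (illustrative, not EMVCo's code).
HMAC-SHA256 stands in for the card's real TDES/AES MAC; fields are simplified."""
import hashlib
import hmac
import secrets


def application_cryptogram(card_key: bytes, atc: int, amount_cents: int, unpredictable: bytes) -> bytes:
    """MAC over the Application Transaction Counter, the amount and the terminal's challenge."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + unpredictable
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip increments its ATC on every use, so no two authorizations look alike."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key  # never leaves the chip
        self.atc = 0

    def generate_ac(self, amount_cents: int, unpredictable: bytes) -> dict:
        self.atc += 1
        return {"atc": self.atc,
                "cryptogram": application_cryptogram(self.card_key, self.atc, amount_cents, unpredictable)}


class Issuer:
    """Holds the same card key and the highest ATC seen, so replays are detectable."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.last_atc = 0

    def verify(self, amount_cents: int, unpredictable: bytes, request: dict) -> str:
        expected = application_cryptogram(self.card_key, request["atc"], amount_cents, unpredictable)
        if not hmac.compare_digest(expected, request["cryptogram"]):
            return "decline: bad cryptogram"   # wrong key, altered amount or altered challenge
        if request["atc"] <= self.last_atc:
            return "decline: replayed atc"     # a captured authorization presented again
        self.last_atc = request["atc"]
        return "approve"


def terminal_transaction(card: ChipCard, issuer: Issuer, amount_cents: int) -> str:
    """One contact EMV authorization: the terminal supplies a fresh unpredictable number."""
    unpredictable = secrets.token_bytes(4)
    request = card.generate_ac(amount_cents, unpredictable)
    return issuer.verify(amount_cents, unpredictable, request)


if __name__ == "__main__":
    key = b"constructed-card-master-key"
    card, issuer = ChipCard(key), Issuer(key)
    print(terminal_transaction(card, issuer, 1000))  # approve
    print(terminal_transaction(card, issuer, 1000))  # approve again: different ATC and challenge
```

The contrast with magstripe is that track data is the same on every swipe, so a copy of it is as good as the card; here each authorization carries a counter and a challenge, and the issuer declines both a reused request and one whose amount was changed after the chip signed it.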
EMV Transaction Flow: MagStripe vs EMV
U.S. Market EMV Update
Significant progress underway*
• Multiple issuing pilots underway, top issuers
• Up to 2 million EMV ready terminals installed
• 50-100 million EMV cards issued
• Top acquirers fully certified
• Merchants reinvigorating EMV cert and security discussions as a result of 2013 holiday breaches
• Active EMV implementation projects at many tier 1 merchants
• Wal-Mart® “live” with EMV today
* Data is only based on information provided by Mercury’s partners and does not include all international payment systems.
Certification Standards
EMVCo™
• Level 1: Certification of the device’s electrical, mechanical, and communication protocol characteristics
• Level 2: Certification of application software that supports specified EMV functionality
Card Networks
• Brand/“Level 3”: Approval of end-to-end solution
• Brand-by-brand testing requirements
Network Certification Programs
American Express® (30 tests)
• American Express ICC Payment Specification (AEIPS)
• Expresspay Contactless Specification
Discover® (24 tests)
• D-PAS Acquirer-Terminal End-to-End (E2E)
MasterCard® (114 tests)
• MasterCard terminal integration process (M-TIP)
Visa® (105 tests)
• Acquirer Device Validation Toolkit (ADVT)
• Contactless Device Evaluation Toolkit (CDET)
• Quick Visa Smart Debit Credit Device Module (qVSDC DM)
Points of pain for Merchants
Merchants
• Merchant and consumer payment process flow will change
• Varied merchant impacts by vertical: pizza delivery, fine dining, unattended kiosk (car washes)
• Cost for new EMV enabled hardware/software
• Liability shift: chargebacks
• Line-busting will change
• Cost vs. customer impact
Cardholders
• EMV card never leaves the cardholder’s hand
• Contact EMV – dipping
• Contactless EMV – tapping
• Chip and Signature vs Chip and PIN
• Restaurant environments
Thank you!