EMV Gathers Steam as U.S. Moves Toward Liability Shift

WHITE PAPER
EMV GATHERS STEAM
AS U.S. MOVES TOWARD
LIABILITY SHIFT
Approaching deadlines will shift liability of
card-present counterfeit fraud from issuers to
acquirers and merchants. Combined with
growing concerns over theft of card data and
data breaches, this is speeding up EMV migration.
EXECUTIVE SUMMARY
The U.S. payments industry has relied on magnetic stripe-based card technology for decades, but incentives
are laying the path for U.S. adoption of the EMV chip card standard, in use in most developed countries.
EMV ensures a card is authentic by utilizing encrypted data stored on the card (although it does not encrypt
the actual transaction). More than 575 million chip-enabled cards are expected to be in circulation by the end
Adoption of EMV acceptance technologies is increasing, with the growing threat of network security breaches
prompting major retailers to make the shift and limit their potential liabilities. Merchants may find migration
easier, less costly and more beneficial than they realize, especially when used with end-to-end encryption
and tokenization solutions that can eliminate virtually all the risks of data breaches.
SEPTEMBER 2014
CONTENT
Executive Summary
Why EMV?
The Winds of Change
Chip & PIN (or Signature)
U.S. Resistance Melts
EMV Not a Defense Against Network Breaches
Rules are Changing
Implementation Issues and Solutions
EMV and End-to-End Security
VeriFone – Your EMV Expert for a New Era
WHY EMV?
Adoption of EMV cards now stands at more than 40% around the world, excluding the U.S., and EMV-acceptance
device adoption is at more than 70%, according to EMVCo. The U.S. is essentially alone in
resisting migration to this standard.
EMV was initiated to provide a worldwide standard for interaction between integrated microprocessor (chip-based) “smart cards” and approved payment devices and ATMs. This standard encompasses credit, debit
and contactless payment transactions.
These chip-based cards can support a range of applications, but the primary usage common around the
world is payment, with the card storing encryption data for authentication. As part of the
transaction authorization, the card uses the data to prove it is authentic. Encrypted data on chip cards
has been used for more than ten years to prevent the cloning of payment cards. If it is combined with a PIN,
consumer authentication and non-repudiation are achieved.
For general payment applications, an EMV terminal reads data stored on the chip card and authenticates
that it is legitimate, thus preventing use of stolen or cloned cards. Strong cryptographic functions are used
to authenticate the card and cardholder to ensure validity and authenticity.
Magnetic stripe cards, on the other hand, do not have the same kind of data storage and have no
microprocessor; therefore, magnetic stripe cards cannot contain the same security features as chip cards
because there is no dynamic data element and cards are easy to clone. With magnetic stripe cards, the
stripe on the back of the card, similar to a tape recorder. When the card is swiped, all of the
cardholder data, such as the account number, name and expiration date, is sent in one
direction, from the payment terminal to the authorization network, which checks the
information, authorizes the charge and provides a payment guarantee to the merchant.
REGION                                     EMV CARDS   ADOPTION RATE   EMV TERMINALS   ADOPTION RATE
Canada, Latin America, and the Caribbean   471M        54.2%           7.1M            84.7%
Asia Pacific                               942M        17.4%           15.6M           71.7%
Africa & the Middle East                   77M         38.9%           699K            86.3%
Europe Zone 1                              794M        81.6%           12.2M           99.9%
Europe Zone 2                              84M         24.4%           1.4M            91.2%
Source: EMVCo
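The difference between static stripe data and a chip's dynamic data, as an added example that is not part of the original white paper: a byte-for-byte copy of stripe data authorizes like the original, while replayed chip values are declined. The class names, key and track string are constructed for illustration, and HMAC-SHA256 with a single shared key stands in for the EMV application cryptogram and its key derivation.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real card data.
TRACK_DATA = b"4111111111111111=2512101000000000"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _mac(key, amount_cents, unpredictable_number, atc):
    """Stand-in cryptogram: MAC over amount, terminal nonce and card counter."""
    msg = amount_cents.to_bytes(6, "big") + unpredictable_number + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Hypothetical chip: the key never leaves it; the counter only goes up."""

    def __init__(self, key):
        self._key = key
        self.atc = 0  # application transaction counter

    def cryptogram(self, amount_cents, unpredictable_number):
        self.atc += 1
        return self.atc, _mac(self._key, amount_cents, unpredictable_number, self.atc)


class Issuer:
    """Hypothetical authorization host holding the same key and the stripe record."""

    def __init__(self, key, track_data):
        self._key = key
        self._track = track_data
        self._last_atc = 0

    def authorize_swipe(self, track_data):
        # Static data: the only possible check is equality, which a copy satisfies.
        return hmac.compare_digest(track_data, self._track)

    def authorize_chip(self, amount_cents, unpredictable_number, atc, mac):
        expected = _mac(self._key, amount_cents, unpredictable_number, atc)
        if not hmac.compare_digest(mac, expected):
            return False  # values were not produced by the card's key
        if atc <= self._last_atc:
            return False  # counter already seen: replay of an old transaction
        self._last_atc = atc
        return True


def run_demo():
    issuer, card = Issuer(CARD_KEY, TRACK_DATA), ChipCard(CARD_KEY)
    results = {}
    results["swipe_original"] = issuer.authorize_swipe(TRACK_DATA)
    results["swipe_copied_stripe"] = issuer.authorize_swipe(bytes(TRACK_DATA))

    un1 = secrets.token_bytes(4)  # terminal's unpredictable number
    atc, mac = card.cryptogram(2500, un1)
    results["chip_original"] = issuer.authorize_chip(2500, un1, atc, mac)
    # Captured values presented again unchanged.
    results["chip_replay_unchanged"] = issuer.authorize_chip(2500, un1, atc, mac)
    # Captured MAC presented against a new terminal nonce and the next counter value.
    un2 = secrets.token_bytes(4)
    results["chip_replay_new_nonce"] = issuer.authorize_chip(2500, un2, atc + 1, mac)
    # The genuine card keeps working.
    atc2, mac2 = card.cryptogram(1200, un2)
    results["chip_next_genuine"] = issuer.authorize_chip(1200, un2, atc2, mac2)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:24} {'approved' if ok else 'declined'}")
```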
THE WINDS OF CHANGE
EMV – an acronym of Europay International, MasterCard and Visa, which in 1994 joined to initiate the
specification – has been or is in the process of being adopted by every developed country (including
Canada) other than the U.S., as well as most emerging countries. Today, EMVCo is comprised of six
member organizations – American Express, Discover, JCB, MasterCard, UnionPay and Visa (Europay was
absorbed by MasterCard) – and supported by dozens of banks, merchants, processors, vendors and other
industry stakeholders.
The U.S. long resisted moving to EMV because, despite some proponents such as Walmart, the payments
ecosystem made up of card brands, processors, acquirers and merchants had largely been content with the
magnetic stripe-based infrastructure. But in August 2011, Visa announced a Technology Innovation Program (TIP)
and liability shift for the U.S. that set out an EMV migration plan that included incentives for adoption and potential
EMV adoption, followed by Discover – which disclosed in 2013 that it had already accepted EMV in the U.S. at
certain Walmart locations – and American Express.
The major dates and requirements are similar across the four major card brands in the U.S., such as the requirement
that POS terminals must be hybrid devices enabled to accept contact and contactless chip cards, but there are
distinct differences:
CARD BRAND: VISA
  Acquirer/processor deadline for supporting EMV: April 2013
  Liability shift date: October 2015 (Fuel merchants: October 2017)
  Relief: October 2012. Eliminate annual PCI validation requirements for merchants who have 75% of their Visa transactions originating on chip-enabled terminals.
CARD BRAND: MASTERCARD
  Acquirer/processor deadline for supporting EMV: April 2013
  Liability shift date: October 2015 (Fuel dispensers: October 2017)
  Relief: October 2013. 50% relief from Account Data Compromise (ADC) if at least 75% of MasterCard transactions originate from EMV-compliant hybrid POS terminals.
  Relief: October 2015. 100% ADC relief if 95% of transactions originate from EMV-compliant POS terminals.
CARD BRAND: AMERICAN EXPRESS
  Acquirer/processor deadline for supporting EMV: April 2013
  Liability shift date: October 2015 (Fuel dispensers: October 2017)
  Relief: October 2013. Relief from PCI Data Security Standard (DSS) reporting requirements if the acceptance locations, where 75% of their transactions occur, are enabled to process American Express EMV chip-based contact and contactless transactions.
CARD BRAND: DISCOVER
  Acquirer/processor deadline for supporting EMV: April 2013
  Liability shift date: October 2015 (Fuel dispensers: October 2017)
  Relief: October 2013. PCI audit waivers for merchants that process 75% of Discover Network transactions using EMV hybrid terminals.
  *Includes direct-connect merchants
Each card brand has adopted a “carrot and stick” approach to steer acquirers and merchants toward EMV
compliance. Prior to October 2015 (October 2017 for fuel dispensers), the brands (primarily the issuers) absorbed the
costs of counterfeit card fraud. After that date, the liability shifts to essentially the weakest link in the payments chain:
Visa – “To spur adoption of the new technology, starting in 2015 our guidelines will place financial responsibility
MasterCard – “The party that has made investment in the most secure EMV options is protected from financial
liability for card-present fraud losses for both counterfeit and lost, stolen and non-receipt fraud on this date.”
American Express – “will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of
fraudulent transactions away from the party that has the most secure form of EMV technology.”
Discover – “Fraud Liability Shift policy will be a risk-based payments hierarchy that benefits the entity that
leverages the highest level of available payments security.”
Regardless of specific regulations implemented by each brand, clearly the goal is to shift fraud liability away from card
issuers that, in most cases, have traditionally absorbed fraudulent costs of counterfeit card transactions. Presuming
those issuers provide consumers with EMV chip cards, the onus will be on acquirers and merchants to ensure they
devices, they will eventually become liable for card-present fraudulent card transactions that would have been
prevented if they were processed over EMV terminals.
CHIP & PIN (OR SIGNATURE)
just one flavor of EMV that has been widely adopted and was implemented in the UK under that name in the past
decade. But other countries have opted for a Chip & Signature approach.
Chip & Signature. What Visa actually said was, they “will continue to support a range of cardholder verification
methods (CVMs) with EMV chip, including signature, online PIN and no-signature for low-value, low-risk
The Merchant Advisory Group, which includes Walmart, Target, Sears, CVS Caremark and many others, has
strongly endorsed Chip & PIN as a requirement for U.S. EMV adoption. Although card brands and issuers concede
that EMV with PIN is more secure than EMV with signature, it does not appear that issuers will default to this option
as the best shield against fraud liability.
being used by a thief at the point of sale by signing for the transaction,” MasterCard president of North America Chris
McWilton told the Washington Post. But, he conceded, “There are different views in the marketplace on whether PIN
is the way to go. Banks will determine that based upon how they configure their PIN and whether they invest the
time and effort in the back office to issue PINs to customers. There are costs to go with that standard.”
get to a secure payment system in the U.S. is not to complicate matters by requiring everybody to adopt PIN
everywhere.” She also noted that only a third of U.S. merchants currently accept PIN for card authorization.
At this point it is up to the card issuers to determine whether they are providing Chip & PIN or Chip &
for either cardholder verification method. In particular, with issuers talking about a “liability hierarchy,” it
raises the question of whether a merchant accepting only Chip & Signature faces increased liability if its
acquirer utilizes both authentication methods. According to MasterCard Advisors, “MasterCard supports a
liability shift for lost, stolen, and never received or issued (NRI) cards to the party that does not support PIN
as a cardholder verification method. If neither party supports PIN, only the counterfeit liability shift rules apply.”
MasterCard, which also supports different flavors of EMV, has talked about a liability hierarchy, which
essentially means that liability for EMV fraud is going to rest on the shoulders of whichever party in the
processing chain has the weakest implementation of EMV.
EMV acceptance is a bit more complicated when it comes to debit networks, as the “Durbin Amendment”
to the Dodd-Frank Financial Reform Legislation of 2010 requires merchants to have access to at least two
unaffiliated networks. But major data breaches also caused debit networks to sign on for EMV more quickly
than expected.
“There had been somewhat of a stalemate between the networks and a group of debit networks working
together until news broke of the Target and Neiman Marcus breaches,” according to CardNotPresent.com.
“The resulting publicity turned into a groundswell of support for EMV which has prodded the debit networks
into accepting Visa and/or MasterCard solutions, both which had technology ready to go.”
According to that report, “Star now has agreement with MasterCard and Visa to license the common
to Star, Accel and Interlink so far have signed agreements with MasterCard.”
U.S. RESISTANCE MELTS
Until recently, efforts to promote chip cards for payment in the U.S. had largely fallen flat. That changed in
had been stolen in a major breach of its network.
Issuers were reluctant to replace mag-stripe cards with more expensive chip cards; merchants essentially
refused to invest in new terminals that could read the cards. And consumers never were provided with a
compelling case on why they should even care.
A key element in the U.S. resistance was the fact that mag-stripe had worked very well. Unlike much of the
world, online card authentication is common and relatively inexpensive in the U.S. and the cost of fraud has
been relatively stable and built into the price for managing online transactions.
Walmart was the first major U.S. retailer to climb on the EMV bandwagon. “Our terminals are already capable
of accepting chip-and-PIN technology, so if card technologies are upgraded to EMV chip cards, our systems
will be able to process transactions. Walmart installed EMV-capable terminals about eight years ago,” company
spokesman Randy Hargrove was quoted by Marketwatch. “Today, about 2,000 of our U.S. stores are enabled
In the wake of the Target breach, retailers have become more visible and vocal in their support of EMV.
Target announced that it would reissue all of its existing co-brand cards as MasterCard co-branded cards with
consumer and small business credit card portfolio to EMV beginning in early 2015. Kroger spokesman Keith
Dailey told the Dallas Morning News in early 2014 that the company has been building toward chip-and-PIN
technology for the past two years and that all new PIN pads at the supermarket chain can read EMV cards.
Sears and CVS Caremark are also reportedly rolling out EMV capabilities.
According to the Payment Security Task Force, participating issuers who expect to issue more than half a
billion EMV cards by the end of 2015 include Bank of America, Capital One, Chase, Citi, Discover, Independent
Community Bankers of America (representing issuing members), Navy Federal Credit Union, U.S. Bank and
Wells Fargo & Company. Other issuers, according to EMV Connection, include American Express, BMO
Diners Club, Silicon Valley Bank, SunTrust, U.S. Bank, and the Andrews Federal Credit Union, North Carolina
State Employees Credit Union, Star One Credit Union, State Department Federal Credit Union, and United
Nations Federal Credit Union.
EMV NOT A DEFENSE AGAINST NETWORK BREACHES
Following disclosure of the Target data breach, some politicians and pundits angrily demanded to know why EMV had
not been adopted to prevent such criminal acts. In truth, EMV does nothing to stop network compromises or
the placement of malware. What EMV does do is authenticate that the card being presented at the point of
sale is not counterfeit. That is a major advancement over mag-stripe cards, but falls far short of preventing the
compromise of cardholder data.
There are two distinct kinds of criminal activity involving payment cards: fraud and data theft. Fraud is the use
usually in large quantities, for later use in fraudulent transactions. EMV will prevent counterfeiting of a chip-based card, but it will not prevent using the data in other ways, particularly while the U.S. payment system still
accommodates magnetic-stripe-based cards. An indirect impact is that fraud shifts to offline card-not-present
(CNP) transactions.
The most secure payment transaction possible today is one that combines three technologies: EMV, Track
Data Encryption and tokenization. Retailers using a comprehensive, multi-layered approach to transaction
security can make themselves less appealing for criminal activity.
Data-level encryption, applied as close to the point of entry or capture as possible, almost completely
eliminates access points where unencrypted card data could be intercepted.
This is also called end-to-end or point-to-point encryption because data is encrypted at the point of capture,
processor. If, at any point along the way, the encrypted data is stolen, the data will be useless to criminals
in its encrypted form.
Tokenization provides another barrier to cyber thieves. Tokenization replaces cardholder account numbers
with a valueless substitute -- a digital token. Tokenization reduces retailer security risks in the event of data
have been authorized. If the token numbers are stolen, they are meaningless to thieves because outside of
the correlation database, they are simply collections of random numbers. But they allow the processor or
retailer to conduct necessary back-end processes ranging from chargebacks to analytics.
RULES ARE CHANGING
There are many business factors that are converging to make EMV more relevant to the U.S. payments
industry.
First off, while the cost of card fraud has been relatively consistent and has been built into the fee structure for
card acceptance, it still represents a huge sum of money, and issuers are eager to transfer liability for those
costs to the merchant.
It is difficult to precisely catalog the losses from card fraud in the U.S., but according to a report by a senior
economist with the Federal Reserve Bank of Kansas City, it amounts to more than $3 billion annually, spread
among card issuers ($2 billion), point-of-sale merchants ($837 million), and mail order, telephone and Internet
merchants ($900 million).
Furthermore, efforts by organized crime to exploit payment cards have grown increasingly sophisticated and have resulted in
large heists, such as that of a crime ring that was charged in 2008 with stealing 45 million credit and debit cards from
a number of national retailers. In January 2009, an assault on Heartland Payment Systems compromised an
estimated 130 million card accounts. More recently, New York City law enforcement officials charged
“members of five organized forged credit card and identity theft rings based in Queens County and having ties
to Europe, Asia, Africa and the Middle East” with stealing personal credit information of thousands of unwitting
American and European consumers “and costing these individuals, financial institutions and retail businesses
more than $13 million in losses over a 16-month period.”
Rather than adopt EMV, the U.S. payments industry was driven by the card brands to adopt Payment Card
Industry (PCI) standards issued by the PCI Security Standards Council. While undoubtedly increasing the
security of card payments overall, PCI standards are expensive for merchants who must audit their internal
systems to ensure compliance, and vendors who provide hardware, software and services and who have had
to implement new requirements into their products and services.
The biggest merchant complaint about PCI is that compliance certification only reflects a moment in time, and
subsequent changes to their systems can unknowingly create potential breach points that can leave them
liable for resulting damages.
Aside from security, there are other compelling reasons to move to EMV. With the rest of the world adopting
EMV, it will become increasingly difficult for mag-stripe cardholders to pay for transactions overseas and some
large U.S. issuers have announced limited EMV card issuance for U.S. travelers abroad. Similarly, once
overseas issuers do away with mag-stripe completely, as the European Payments Council has recommended,
U.S. retailers may find themselves unable to accept card payments from foreign visitors.
IMPLEMENTATION ISSUES AND SOLUTIONS
EMV migration in the U.S. does not have to be costly and difficult. EMV card-acceptance devices are readily
available – for example, a global supplier, VeriFone, has been selling in overseas markets EMV-capable
versions of the payment devices it provides in the U.S. Additionally, dual interface PIN pads will enable
retailers to adapt older non-EMV systems to the new payment requirements.
For large retailers, the return on investment will be obvious. Many are already eager to adopt contactless in
order to take advantage of the broader range of benefits, but simply need more hard evidence for the business
can reap meaningful savings through the reduction of costs associated with annual PCI DSS validation, and
will have the opportunity to re-invest those savings into additional payment technology infrastructure to support
dynamic data processing.” With MasterCard, merchants in 2015 could achieve 100 percent fee relief for
compliance testing.
For smaller merchants, it may be more difficult at first to make a business case because most are not currently
required to conduct annual audits. However, acquirers do have the ability to require such audits even with
require their smaller merchants to go along for the ride. In addition, with the liability shift taking effect, a
fraudulent transaction event could threaten the existence of smaller merchants by saddling them with the
liability of card-present counterfeit fraud.
Merchants may be pleasantly surprised by the additional benefits of implementing consumer-facing EMV
devices. Payment technology today is increasingly interactive – think of how consumers pay for gas or
purchase train or lottery tickets. This interactive element provides opportunities to engage with the consumer
and create a deeper relationship.
EMV AND END-TO-END SECURITY
While EMV limits the exposure of merchant payment transactions to fraud and misuse, it does not protect
cardholder information, which under EMV is still transmitted in the clear during the transaction. EMV can be
viewed as part of an overall security portfolio for protecting all aspects of card transactions.
encryption and tokenization to secure cardholder information, from insertion to processing and back.
VERIFONE – YOUR EMV EXPERT FOR A NEW ERA
EMV is a global standard and VeriFone has global experience in developing EMV payment-system solutions
and peripherals that have achieved EMV Level 1 and Level 2 Type Approval. The complexity of migrating to
EMV chip card standards can pose significant challenges for acquirers and merchants. Since the inception of
EMV, VeriFone has provided internationally an unmatched line of EMV-compliant hardware and software – as
VeriFone is working closely with partners to ensure that all payment applications designed to run on these
devices will be EMV-compliant. VeriCentre Estate Management solution can be utilized to centrally manage
your device base to handle simultaneous downloads efficiently and at the least disruptive times.
• Accept a broad range of EMV card functionality including Dynamic Data Authentication (DDA) functionality
and enciphered PIN
• Feature application separation to support multiple applications running securely on the terminal
• Offer 32-bit processing power to handle the performance demands related to EMV compliance across
borders, and across hosts
VeriFone supports the global EMV movement. Our experience and expertise with EMV will help guide you
through these upcoming changes from start to finish and as mandates change over time.
For more information contact your VeriFone or reseller representative. Visit www.verifone.com/emv-us.
________________________
“More Than 575 Million U.S. Payment Cards to Feature Chip Security in 2015,” Aug. 13, 2014. Payments Security Task Force. http://newsroom.mastercard.com/press-releases/more-than-575-million-u-s-payment-cards-to-feature-chip-security-in-2015
“About EMVCo,” EMVCo. http://www.emvco.com/about_emvco.aspx
“Using Embedded Microchips to Battle Cyberthieves,” Visa CEO Charlie Scharf writing in the Wall Street Journal, Feb. 23, 2014. http://online.wsj.com/news/articles/SB10001424052702304275304579392752553670222
“EMV Migration – Driven by Payment Brand Milestones,” by Cathy Medich, Smart Card Alliance. http://www.emvconnection.com/emv-migration-driven-by-payment-brand-milestones/
“American Express Announces U.S. EMV Roadmap to Advance Contact, Contactless and Mobile Payments,” June 29, 2012. American Express. http://about.americanexpress.com/news/pr/2012/emv_roadmap.asp
“Discover Financial Services Announces Next Steps for EMV Deployment across the Globe,” Nov. 12, 2012. Discover Financial Services. https://www.pulsenetwork.com/news/archive/2012/emv-deployment.html
www.washingtonpost.com/blogs/wonkblog/wp/2014/02/20/mastercard-visa-explain-why-your-credit-card-isnt-safer/
“EMV for U.S. Acquirers: Seven Guiding Principles for EMV Readiness,” Phillip Miller, Guy Berg, Jeff Stroud and Steven Paese. MasterCard Advisors. http://www.mastercardadvisors.com/_assets/pdf/emv_us_aquirers.pdf
“Debit Networks Continue to Adopt MasterCard, Visa Common AID Solutions for EMV/Durbin Problem,” April 7, 2014. CardNotPresent.com. http://cardnotpresent.com/news/cnp-news-april14/Debit_Networks_Continue_to_Adopt_MasterCard,_Visa_Common_AID_Solutions_for_EMV/Durbin_Problem_-_April_7,_2014/
Erin McClam. NBC News. http://www.nbcnews.com/business/consumer/millions-target-customers-credit-debit-card-accounts-may-be-hit-f2D11775203
marketwatch.com/story/target-actually-sets-the-bar-for-credit-card-security-2014-05-05
“Target Appoints New Chief Information Officer, Outlines Updates on Security Enhancements,” Apr. 29, 2014. Target Corp. http://pressroom.target.com/news/target-appoints-new-chief-information-officer-outlines-updates-on-security-enhancements
mastercard.com/news-briefs/bjs-wholesale-club-converts-credit-card-portfolio-to-mastercard/
“Retailers have already installed hardware to read safer smart cards,” January 27, 2014, Maria Halkias. Dallas Morning News. http://www.dallasnews.com/business/retail/20140127-retailers-have-already-installed-hardware-to-read-safer-smartcards.ece
“3 Trends in EMV Adoption in the U.S.,” Bikram Saha, January 21, 2014. Bank Systems & Technology. http://www.banktech.com/payments/3-trends-in-emv-adoption-in-the-us/a/d-id/1296794
© 2014 VeriFone. All rights reserved. VeriFone and the VeriFone logo are registered trademarks of VeriFone in the United States and/or other
countries. No portion of this document may be reproduced or distributed in any form or by any means without the prior written permission of
said company. All other trademarks are the property of their respective holders. 09/14 Rev A FS