
A Roadmap to a Uniform Payments Standard

Deborah Baxley May 10, 2012

Financial Services

Deborah Baxley Principal

Consulting Services

Capgemini Financial Services USA Inc. 623 Fifth Ave., 33rd Fl

New York, NY 10022 USA Mob. +1 914.646.4732 – Fax + 1 845.622.3520

[email protected] Twitter: @debbaxley www.capgemini.com

CE v6.3

Capgemini operates in 40 countries across five industry sectors, including financial services

International thought leadership:
• Annual World Payments Report
• Mobile Payments – Are you ready for the early majority?

Cards CoE (Global Centre of Excellence):
• Market capture
• Infrastructure
• Knowledge Management
• Solution development & Innovation
• Training & certifications
• Associate management
• Client delivery

Global network of 17,000 FS professionals with >4,000 dedicated in the card payment practice

A snapshot of Capgemini clients in the card payments area:
• Vendor / Platform analysis
• Vendor selection
• Sourcing strategy
• Platform consolidation
• Architecture
• Chip & Mobile Strategy
• Business & technology strategy
• Performance data
• Operational partnership
• Outsourcing
• Distribution models
• Data conversion

International client portfolio entails cards and payments success stories in business transformations and complex conversions

US$ 12.6 billion 2010 revenue; more than 108,000 people worldwide

© 2012 Capgemini – All rights reserved 2

Introduction

U.S. payments stakeholders, notably merchants, issuers, and mobile operators, are seeking industry consensus on a payments standard

Drivers for Payments Roadmap:
• Battle for supremacy: NFC vs. cloud-based mobile payments
• Press-worthy security breaches
• Tepid adoption of contactless payments
• Recent EMV announcements from Visa, MasterCard and Discover

This talk will discuss a potential U.S. payments roadmap, incorporating the sometimes-conflicting views of the Merchant Advisory Group, the Smart Card Alliance, and the payment networks

Stakeholder Questions:
“How does the future of payments in the U.S. impact my business?”
“How should I prepare?”

Roadmap Options:
• EMV
• Chip & PIN
• Signature
• Contactless
• Cloud vs. NFC
• Dynamic security measures

Introduction

According to Mercator, the U.S. is “the gray gaping hole in the EMV ship”

EMV Adoption Rates by Region

[Chart: per-region share of EMV cards and EMV terminals. The region labels did not survive extraction; the five card/terminal pairs shown are 26.4% / 55.6%, 65.4% / 84.7%, 13.7% / 62.5%, 26.6% / 41.6%, and 11.5% / 61.2%.]

Source: EMVCo. Figures reported as of September 2010 and represent the latest statistics from American Express, JCB, MasterCard and Visa as reported by their member financial institutions globally. Figures do not include data from the United States.

EMV Introduction

What About “Chip & PIN”?

The term “Chip and PIN” is sometimes misunderstood: PIN is not required by EMV or chip cards

Alternatives supported by EMV standards:
• Online PIN: encrypted by the PIN pad and sent online to the issuer host for validation
• Offline PIN: sent directly to the chip card for validation by the chip – the PIN is never sent to the host, only the result is sent
• Signature only: the card determines whether PIN is required based on terminal support and transaction characteristics

ATMs typically require online PIN

Chip protects against counterfeit fraud by enabling card authentication; PIN protects against lost and stolen fraud by verifying that the correct cardholder is using the card

Source of logo: www.chipandpin.co.uk

EMV

Five Main Drivers of U.S. EMV Adoption

U.S. more likely to adopt EMV than ever before

1. Increasing fraud
• Cross-regional fraud migration – from Europe, Latin America, Canada
• Organized fraud attacks on networks prove that PCI DSS is not sustainable

2. Customer and merchant demand
• U.S. payment card issuers missed out on nearly $4 billion in 2008 charge volume, ~$78.7 million in interchange fees, because of problems cardholders had with their cards while traveling abroad¹
• International customers using EMV cards at U.S. merchants and ATMs
• Large merchants loudly demanding a change

3. Declining costs
• Cost of conversion dropping rapidly – card level, software, terminals
• Contactless acceptance and PCI compliance priming the pump
• NFC mobile payments simultaneously lower issuer costs and threaten the traditional payments franchise

4. Regulatory incentives
• Durbin Amendment disadvantages signature vs. PIN debit; fraud and card reissuance costs unsustainable at lower rates
• Regulation threatens to step in when the industry can’t find a solution on its own

5. Network announcements on liability shifts

"If we want to mitigate the possibility of the United States being a centre of card fraud and enable our consumers and business folks to travel abroad more easily, it may be time to charge someone in government with developing a well-thought-out, participatory, multi-year plan to move this country to the emerging global payments card standard," Richard Oliver, Federal Reserve, Oct. 2010

Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February 2011
¹ “Card Problems Cost U.S. Issuers Hundreds of Millions Overseas,” Digital Transaction News, October 2009

Roadmap

Roadmap Considerations

Several interconnected factors and developments must be considered in the construction of a payments standard

Four Major Areas of Choice:
1. Card Interface
2. Card Authentication method
3. Transaction Authorization
4. Cardholder Verification method

Overall Factors for Consideration:
• Current contactless implementation
• Contact or contactless EMV
• Options to suit the U.S. environment
• Convergence with NFC mobile contactless payments
• PIN vs. signature CVM

Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February 2011

Roadmap

Decision Area 1: Card Interface

The first variable is the choice of card interface – this choice impacts interoperability with mobile

Roadmap Option / Description

1. Card Interface

a) Contact
• Standard EMV chip card.
• Requires contact reader.

b) Contactless
• RF card, NFC on a mobile phone, or various form factors, including stickers.
• Requires contactless reader.
• Leverages second-generation contactless cards being deployed in the and .

c) Dual interface
• Card containing both contact and contactless interface.
• Works with either contact or contactless reader.

Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February 2011

Roadmap

Authentication and authorization are closely related and together create a matrix of possible EMV choices

Authentication: checks the authenticity of the card itself

Authorization: validates the issuing bank’s approval of a transaction, considering the status of the cardholder’s account and the result of fraud checks

[Matrix: the axes are 1. Card Authentication (Online / Offline), 2. Transaction Authorization (Online / Offline), the cardholder verification method (Signature, Online PIN, Offline PIN, No CVM) and 4. Contact, Contactless, or Dual Chip Interface.]

Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February 2011

Roadmap

Decision Area 2-3: Card Authentication and Transaction Authorization

Card authentication and transaction authorization can be online or offline and have varying degrees of dynamic cryptography

Roadmap Option / Description

2. Card Authentication

a) Online
• 8-byte Triple DES cryptogram.
• No requirement for SDA, DDA, or PKI cryptographic co-processor²

b) Offline
• SDA, DDA and/or CDA and PKI infrastructure.
• PKI cryptographic co-processor (for DDA and CDA only).

3. Transaction Authorization

a) Online
• Authorization message sent to issuer as currently implemented for magnetic stripe card transactions

b) Offline
• Authorization determined by EMV risk assessment and communication between card and terminal.
• May be forced online, depending on limits and other factors.

² All microprocessor cards used for EMV include a DES cryptography engine. DES cryptography is employed as a core part of chip security and is used in the personalization process and in any post-issuance EMV scripts from the issuer that are used to change EMV settings on the card.

Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February 2011

Roadmap

Decision Area 4: Cardholder Verification

Finally, cardholder verification can be signature, PIN or “none”

Roadmap Option / Description

4. Cardholder Verification

a) Signature
• No special POS requirement

b) Online PIN
• Requires POS PIN pad

c) Offline PIN³
• Requires POS PIN pad
• SDA for clear text PIN, and/or DDA or CDA and PKI infrastructure for enciphered PIN
• PKI cryptographic co-processor (for DDA and CDA only)

d) No CVM
• No special POS requirement
• Usually reserved for low value transactions

³ Offline PIN can be either enciphered or clear text.

Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February 2011

Roadmap

Chip Deployment Hierarchy

Chip implementations can range from very basic to highly complex

EMV

Network EMV Announcements

Visa took the lead with its announcement on August 9, 2011; MasterCard and Discover quickly followed suit

The three networks harmonized their U.S.-specific compliance and liability shift dates

• Awaiting more detailed announcements from American Express, Discover
• Positioning from debit networks – Pulse, NYCE, etc. – which EMV application to choose before POS certification/testing starts
• Question of Cardholder Verification Method – signature vs PIN – and online vs offline transactions
• How soon should banks start issuing?

Timeline (month/year):
• 8/11: Visa announces program to encourage EMV adoption, including contactless
• 1/12: MasterCard announces EMV program with liability hierarchy
• 3/12: Discover announces intention to harmonize implementation
• 10/12: Merchants exempt from annual PCI compliance audit if >75% of transactions come from EMV-capable POS
• 4/13: Acquirers support chip data including dynamic cryptograms
• 10/15: U.S. Counterfeit Liability Shift: when the non-compliant party becomes financially liable for card present fraud losses¹
• 10/17: Fraud liability shift for fuel sellers
• Account Data Compromise Relief (MasterCard)

¹ Cross-border liability shifts differ depending on country pairs and technology: mag stripe skimming vs. PIN

EMV

Variations in Networks’ EMV Guidelines

There are some differences in implementation guidelines among the networks

While all support all cardholder verification methods, and both online and offline card authentication and authorization, based on issuer choice…

• Visa emphasizes the online-only nature of the U.S. payments market and takes steps to ready the nation’s payment infrastructure for mobile. Visa recommends online-only authorization, online card authentication, online PIN and signature-preferring cards. Requires dual interface POS terminals for PCI audit relief.

• MasterCard introduced a hierarchy of liability shift to the party with the higher risk environment, e.g. mag stripe vs. EMV, PIN vs signature vs. dynamic authorization.

Roadmap

Decision on International Interoperability

Implications of EMV conversion for international travelers

• In 2008, an estimated 9.7 million U.S. cardholders experienced magnetic stripe card acceptance issues when they travelled internationally
• A small percentage of European offline-only POS terminals will not accept online-only EMV cards
• Possibility for offline-only locations to increase

Critical decisions approaching U.S. issuers:
• Should they issue online-only EMV cards and accept the risk that their cards will not work in offline locations?
• Should they configure their cards to go online whenever possible and only allow offline transactions when the terminal indicates that it cannot go online?
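The CVM choice described under “Chip & PIN” (the card decides whether PIN is required from terminal support and transaction characteristics), the offline authorization that “may be forced online, depending on limits”, and the two issuer questions above can be modelled together. The following is an added illustration, not code from the deck or from any EMV specification; the terminal and card profiles, the policy names and the amounts are constructed assumptions, and the CVM-list walk is reduced to a single amount condition.

```python
from dataclasses import dataclass

# Cryptogram types a card returns to GENERATE AC (EMV's own names):
TC, ARQC, AAC = "TC", "ARQC", "AAC"   # approve offline / go online / decline


@dataclass
class Terminal:
    online_capable: bool   # can the terminal reach the issuer host right now?
    online_pin: bool       # PIN pad present and online PIN supported
    offline_pin: bool      # PIN pad present and offline PIN supported
    signature: bool        # can capture a signature


@dataclass
class Card:
    cvm_list: list         # issuer's ordered CVM preferences (constructed)
    policy: str            # "online_only" | "online_preferring" | "offline_capable"
    offline_limit: float   # max amount the card will approve offline
    no_cvm_below: float    # amounts under this may use "no_cvm"


def select_cvm(card: Card, term: Terminal, amount: float) -> str:
    """Simplified CVM list processing: the first entry the terminal supports wins.
    Real EMV attaches condition codes to each entry; the only condition kept
    here is the amount threshold that makes 'no_cvm' acceptable."""
    supported = {"online_pin": term.online_pin, "offline_pin": term.offline_pin,
                 "signature": term.signature, "no_cvm": amount < card.no_cvm_below}
    for cvm in card.cvm_list:
        if supported.get(cvm, False):
            return cvm
    return "cvm_failed"   # nothing usable; terminal risk management decides


def card_decision(card: Card, term: Terminal, amount: float, requested: str) -> str:
    """Card action analysis. `requested` is the terminal's own verdict (TC,
    ARQC or AAC); the card may downgrade it (TC -> ARQC -> AAC), never upgrade."""
    if requested == AAC:
        return AAC
    if card.policy == "online_only":
        # The online-only profile the deck attributes to Visa's U.S. guidance:
        # without a path to the issuer host there is no approval.
        return ARQC if term.online_capable else AAC
    if term.online_capable and (requested == ARQC or card.policy == "online_preferring"):
        return ARQC
    # Terminal cannot go online (or asked for offline approval) and the card
    # permits offline: the issuer's offline spending limit is the last check.
    return TC if amount <= card.offline_limit else AAC


def run_scenario(card: Card, term: Terminal, amount: float, requested: str = TC):
    """Return (cvm, cryptogram) for one transaction."""
    return select_cvm(card, term, amount), card_decision(card, term, amount, requested)


# Constructed terminals: a European offline-only POS with a PIN pad, and a
# U.S. online POS with an online-PIN pad and signature capture.
OFFLINE_ONLY_POS = Terminal(online_capable=False, online_pin=False, offline_pin=True, signature=True)
US_ONLINE_POS = Terminal(online_capable=True, online_pin=True, offline_pin=False, signature=True)
# Card A: online-only, signature-preferring (the profile the deck says Visa recommends).
ONLINE_ONLY_CARD = Card(["signature", "online_pin", "no_cvm"], "online_only", 0.0, 10.0)
# Card B: goes online whenever possible, offline only when the terminal cannot.
ONLINE_PREFERRING_CARD = Card(["offline_pin", "online_pin", "signature", "no_cvm"],
                              "online_preferring", 100.0, 10.0)

if __name__ == "__main__":
    for name, card in (("online-only", ONLINE_ONLY_CARD), ("online-preferring", ONLINE_PREFERRING_CARD)):
        print(name, "at offline-only POS:", run_scenario(card, OFFLINE_ONLY_POS, 45.0))
        print(name, "at U.S. online POS:", run_scenario(card, US_ONLINE_POS, 45.0))
```

Run as a script it prints the four combinations; the online-only card is declined (AAC) at the offline-only terminal, which is exactly the interoperability risk the first issuer question accepts.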


EMV

Other EMV Announcements

The past few months have witnessed a number of U.S. EMV-enabled product introductions, primarily focused on international travelers

“We're investing in you; your security is paramount," Merrill Halpern, UNFCU

EMV

Benefits of EMV

EMV works in concert with other methods to prevent fraud from various attack points in the payment system

Fraud Source / Prevention Measure

Counterfeit and Lost/Stolen:
• Reliable online and offline card authentication
• Reliable offline cardholder verification
• Move to Dynamic Data Authentication (DDA and CDA)
• PIN = more reliable authentication vs signature
• PIN blocking, card risk management, and card blocking
• Offline spending control, card risk management

Transactions at non-EMV POS & ATMs:
• Skimming protection, PCI DSS
• Chip-only cards

Card-Not-Present; Online Transactions:
• Skimming protection, PCI DSS
• CVV, AVS
• Verified by Visa / MasterCard SecureCode
• Dynamic authentication and USB readers
• Transaction alerts

Sources: Inside Fraud, http://www.paymentscardsandmobile.com/, 10/09, http://corporate.visa.com/media-center/press-releases/press1098.jsp

EMV

Global Card Fraud

The ongoing battle against fraud is driving rates downward, but the war continues as absolute losses continue to climb

[Chart: Total Losses in $ Billions (left axis, $0–$7) by year, 1993–2009, with Cents per $100 in Volume overlaid; the rate points that survive extraction read 6.1¢, 4.8¢, 5.5¢, 4.7¢, 4.6¢, 5.5¢ (years not recoverable).]

Source: The Nilson Report, #951, June 2010

EMV

UK Card Fraud Losses Split by Type

The UK, with its decade-long history of EMV, illustrates great success, coupled with emerging fraud challenges

• By mid-2010, UK credit card fraud fell to its lowest level in a decade, down 20% from 2009
• Card fraud loss rate declined 83% from 18 to 10 basis points from 2001 to 2009 (2001: 0.183%; 2009: ~0.10%)
• While overall card spend doubled, overall card fraud increased only 7% from 2001 to 2009
• Fraud types illustrate the ongoing challenge with e-commerce, use of fall-back and international counterfeit fraud
• US = #1 fraud market for UK cards

[Chart: fraud losses split by type – Lost/stolen, Mail non-receipt, Card-not-present, Counterfeit, Card ID theft; the values are not recoverable from the extracted text.]

Source: FRAUD THE FACTS 2010, http://www.financialfraudaction.org.uk

EMV

European ATMs – Issuer Fraud Losses Fell >40%

Across Europe, as ATMs became more EMV-compliant, fraud losses declined dramatically

[Chart, 2005–2010: ATM Card Skimming Attacks – Issuer Domestic Losses, € million (0–70, left axis) against % European ATM EMV Compliance (0–100%, right axis).]

Source: European ATM Crime Report, 2010, E.A.S.T.

EMV

Examples

Chip cards can prevent ecommerce fraud using a USB reader or with a One-Time-Password device

• MasterCard Chip Authentication Program (CAP) and Visa Dynamic Passcode Authentication (DPA)*
• Barclays PINsentry
• SecureKey

* Used by Barclays, Ulster, NatWest, Cooperative Bank, Smile, Royal Bank of Scotland, Lloyds TSB, Nationwide, Nordea
Source: Lydian Journal, January 2011, www.pymnts.com/journal

Mobile

Mobile Payments Location, Size, Technology, Funding

Mobile payments can be classified by proximity, size, technology and funding source

[Matrix: Payment Location (Remote vs. Proximity) against Payment Size (Macro, $10-25, Micro).]
• Payment Technology: SMS; Browser, M-app; Contactless, NFC, QR Code
• Typical Funding Mechanism: Carrier or Cash at agent; Bank card / E-Wallet
• Examples placed in the matrix: Retail POS, ATM, Smart tags, Digital content, Parking, Coffee shops, C-stores, Vending, Ticketing, Transit, P2P remittance, Donations, Mobile top-up, M-commerce, Bill payment

Source: Smart Card Alliance, “The Mobile Payments and NFC Landscape: A U.S. Perspective,” September 2011

Mobile

Comparison of Alternative Mobile Payment Approaches

Comparing mobile payment approaches highlights the distinct advantage of integrated NFC

[Matrix: approaches compared – Integrated NFC, MicroSD, Stickers/Fobs, Bar Codes, Payments in the Cloud, SMS – rated on Reliability, Transaction Speed, Security, Ease-of-Use, Wallet Functionality, Acceptance, Device Availability, and Additional Value Add Applications; the legend runs from WORST to BEST. The ratings themselves were colour-coded and are not recoverable from the extracted text.]

Source: Smart Card Alliance, “The Mobile Payments and NFC Landscape: A U.S. Perspective,” September 2011

Potential High-Level Evolution of U.S. Payments

All of these trends suggest a high-level scenario in which NFC and cloud co-exist for the foreseeable future

[Chart: Innovation over Time, with tracks rated Prevalent, Spotty Adoption, Declining, Ending or Continuing; only the Mag stripe track label survives extraction.]

Conclusions

Illustrative Costs for the EMV Implementation

Approximately $5-6 billion is estimated to convert the U.S. to EMV

Cost / Magnetic stripe / EMV / Overall Industry Cost¹

Card: $1.11 (magnetic stripe); $2.00 to $2.35 for contactless¹ (EMV); $2.4 - $2.8 billion overall, depending on contact vs dual interface

PKI infrastructure: NA (magnetic stripe); setup of key management for issuers for SDA and DDA not particularly costly, most personalization bureaus have SDA, DDA and CDA as standard functions (EMV)

Reader: sunk cost of mandate to support Triple DES (magnetic stripe); terminals can manage keys and PKI as a standard function, chip reader is a minimal incremental (~$10¹) cost, most terminals now support both contact chip and magnetic stripe (EMV); $2.4 - $2.6 billion overall, depending on contact vs contactless mix

ATM: $310 million overall

“Depending upon your point of view, the business case for EMV may be very hard to find. Or it may be the obvious ‘right thing to do.’”¹

Source: Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?, A Smart Card Alliance Payments Council White Paper, February 2011
¹ EMV in the USA: Waiting on Debit, a Mandate, or Just the Opportune Moment, 12/10, Mercator Advisory Group

Conclusions

What are merchants saying?

Conflicts are clouding debate about payment fraud

PCI Angst
• Compliance not effective end point in preventing future breaches
• Resentful for not having say in PCI rulemaking
• All stick – no carrot!

Terminal Angst
• Contactless acceptance business case not realized
• Do not want to invest in interim solutions
• Want clear migration path to chip & PIN

Interchange Angst

“We are 100% ready for chip & PIN today,” Walmart

“Do away with ‘fraud-prone’ mag-stripe,” Walmart

“We have the technology - it's the right thing to do - move to NFC / EMV," MAG

“PCI certificate not worth 'warm spit' to hacked merchants/processors," MAG

"US spend on PCI would have more than paid for 100% EMV," David Birch

Roadmap

Merchant Advisory Group Chip & PIN Roadmap recommendations

The Merchant Advisory Group has a different view on the proper roadmap

1. Move to Chip & PIN
2. Merchant chooses contact, contactless or both
3. PINs required unless merchant takes risk of not requiring PINs
4. Liability shift to party without Chip & PIN
5. Chip standards governed by open standards body
6. Internet transactions must be addressed concurrently
7. Specific merchant verticals that face unique challenges to move to Chip and PIN require more time to convert
8. Chip & PIN implementation should not interfere with current transaction routing choices

Conclusions

Smart Card Alliance Recommendations for U.S. Chip Migration

The Smart Card Alliance advocates a joint stakeholder effort to drive an expedient evolutionary roadmap to chip-enabled payments

• Collaborative … Establish joint brand-issuer-merchant effort to agree on roadmap; provide incentives for merchant investment, e.g. interchange, PCI waiver
• Expedient … Move quickly or risk disintermediation by alternative mobile approaches, e.g. wifi hotspots, ACH-backed, PayPal
• Evolutionary … Evolve to convergence with NFC
• Transparent … Establish an authority to track, monitor and publish national card fraud statistics and progress, similar to APACS

For more information on these topics, please see these white papers

• The Mobile Payments and NFC Landscape: A U.S. Perspective
  http://www.smartcardalliance.org/pages/publications-the-mobile-payments-and-nfc-landscape-a-us-perspective

• Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure?
  http://www.smartcardalliance.org/pages/publications-card-payments-roadmap-in-the-us

• Chip-Enabled Mobile Marketing
  http://www.smartcardalliance.org/pages/publications-chip-enabled-mobile-marketing

• World Payments Report 2011
  http://www.us.capgemini.com/insights-resources/publications/world-payments-report-2011/