EMV® GLOBAL PAYMENT SPECIFICATIONS ADAPTING FOR MOBILE COMMERCE
Brian Byrne, EMVCo Director of Operations
05 February 2014
Copyright © 2014 EMVCo
Agenda
Introduction to EMVCo
Key Initiatives
• Next Generation
• Mobile Payment
• Mobile Acceptance
• Tokenisation
Get involved
INTRODUCTION TO EMVCO
EMVCo’s Mission
To facilitate the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes
EMV Facilitates Global Interoperability
• Pilots: Banks conducted pilots of chip cards to reduce high levels of fraud
• ISO: Individual countries were adopting the ISO secure chip standard
• Domestic deployments: Implementing domestic chip standards and specifications did not reduce cross-border fraud
• Worldwide interoperability: Three international payment systems developed a global specification
Scope and Participation
EMVCo’s scope and participation continue to evolve over time in response to emerging payment, technology and industry needs
[Timeline figure with two rows, Scope and Participation. Labels shown: Europay, Mastercard, Visa; JCB Joins; American Express Joins; UnionPay & Discover Join; Expanded Industry Participation; Board of Advisors; Contact Spec Interoperability Management; Terminal Type Approval Process; CCD/CPA Specs; Security Evaluation and Card Type Approval; Next Generation; Tokenisation; Terminal mPOS, Security & Integration Task Forces; Next?]
Roles of EMVCo and Payment Systems
EMVCo
Manage and evolve EMV Specifications
Perform product testing & certification
Enhance payment security
Support emerging payment technologies
Vendor focus
Global, Regional and Domestic Payment Systems
Product development
EMV mandates
Commercial incentives
Fraud liability shift policy
Issuer & acquirer focus
INTRODUCTION TO NEXT GEN
Introduction to EMV Next Gen
Convergence
• Simplified terminal design
• Integrated type approval processes
• Contact / contactless technologies
• Common Contactless Terminal Roadmap
Evolution Optimisation
• Public key cryptography (ECC)
• New payment technologies (e.g. mobile)
NEXT GENERATION: a common and robust payment platform
Business Drivers
• Product Time to Market: Enable a more cost & time efficient deployment of current, emerging & future payments
• Terminal Evolution: Reduce impact on terminal infrastructure as product requirements evolve
• POS Throughput: Provide options for improving throughput at point-of-sale
• Transaction Quality: Improve transaction data quality & relevance
• Transaction & Business Environments: Address different types of transactions & various business environments
• Product Selection: Improve the product selection for the cardholder & merchant
• Security: To future-proof EMV security including incorporating ECC & mitigate privacy-related issues
Project Milestones
[Timeline figure; year markers shown: 2011, 2011, 2012, 2013, 2014, 2015, 2016, 2025, 2030]
• Start the EMV Next Generation effort
• EMVCo Next Generation scope finalisation
• EMV Next Generation high-level architecture completed
• EMV Next Generation Draft Specification completed
• EMV Next Generation Specification completed
• Terminal Type Approval Process availability
• Payment systems may sunset the issuance of legacy contact/contactless cards
• Payment systems may remove legacy cryptography (i.e. keys) from terminals
*The timeline and milestones presented are provisional and subject to change
CONTACTLESS MOBILE PAYMENT (CMP)
Mobile Payment – A Complex Ecosystem Compared to the Card World
Contactless Payment with Mobile device:
• Multiple secure element options
• Proliferation of: handsets; digital & analog functionality
• Multiple issuer and/or payment system applications
• Bespoke user interface per implementation
• OTA Perso, Provisioning & Application Management
An extended range of vendors to engage with across each component:
• Traditional payment card end-to-end providers
• Handset OEMs
• MNOs
• Add-on accessory manufacturers
• MicroSD manufacturers
• Issuers
• Payment systems
• TSM
• 3rd party developers
Mobile Payment – A Complex Ecosystem Compared to the Card World
Contactless Payment with Mobile device:
• Multiple secure element options
• Proliferation of: handsets; digital & analog functionality
• Multiple issuer and/or payment system applications
• Bespoke user interface per implementation
• OTA perso, provisioning & application management
With an extended range of governance and applicable specifications:
• GlobalPlatform
• ETSI SCP
• NFC Forum
• EMVCo
• PCI DSS
• Payment systems
• GSMA
Mobile Payment – Reducing the Complexity of Payment Device Approval
Contactless Payment with Mobile device:
• Multiple secure element options
• Proliferation of: handsets; digital & analog functionality
• Multiple issuer and/or payment system applications
• Bespoke user interface per implementation
• OTA Perso, Provisioning & Application Management
Traditional payment card end-to-end providers; Handset OEMs; MNOs; Add-on accessory manufacturers; MicroSD manufacturers; Issuers; Payment systems; TSM; 3rd party developers
Mobile Product Level 1 Type Approval in two Phases
The EMVCo Mobile Product Level 1 Type Approval Process will be implemented in two phases:
• Phase 1: EMVCo limits the scope of testing to contactless analogue and digital functionality according to the EMVCo Level 1 Specifications.
• Phase 2: EMVCo will expand the scope of testing to include additional testing such as testing with terminals in the field.
Contactless Mobile Payment 2014 Focus
Assessment of new mobile technologies and implications for EMVCo activities:
• Host Card Emulation: potentially significant change to the nature of the mobile ecosystem, providing new issues and challenges to address, including use of tokenisation
• Alternative communication protocols, e.g. Bluetooth Low Energy
• Embedded secure elements – how to address the challenges of certification
Advance the work of the EMVCo Card Approval Working Group to progress Level 1 Type Approval
MOBILE POINT OF SALE
Mobile Point of Sale (mPOS)
Industry requirements
• Acknowledgement & understanding of market challenges
• New market entrants may need EMV Specification clarification & processes guidance
• Clarity on responsibilities among industry bodies
Emerging marketplace
• Many new entrants to payment terminal solution space
• Need to balance: innovation, user consistency, security & interoperability
• Various key bodies participating in this area
mPOS: EMVCo Activity
EMVCo is evaluating updates to the EMV Specifications and testing processes to facilitate deployment of EMV compliant mPOS solutions
Identified participants in the mPOS space that will benefit from the framework include:
• OEMs
• Solution providers
• Banks
• Merchants
• Payment Processors
• Testing providers / Labs
mPOS: Initial Deliverable
EMVCo Mobile Point of Sale (mPOS) Initial Considerations
The document defines basic EMVCo terminology, high level architecture and applicable EMVCo and PCI SSC approval processes associated with mPOS solutions
PAYMENT TOKENISATION
What is Payment Tokenisation?
Payment tokens offer a way to further enhance security of digital payments and simplify the purchasing experience when shopping on a mobile handset, tablet, personal computer or other smart device
It achieves this by:
• Replacing a traditional card account number with a unique payment token
• Restricting the use of a payment token by device, merchant, transaction type or channel
Process is invisible to the consumer
Fraudulent activity reduced as:
• Payment token is limited to a specific domain
• Payment token can be unlinked from card account number as required
• Merchants / digital wallet operators do not need to store traditional card account numbers
One Example of the Payment Tokenisation Process
[Flow diagram] Participants: Cardholder (Mobile/Digital Wallet Interaction), Merchant, Acquirer, Payment Network, Token Service Provider (Token Vault, De-Tokenise), Issuer
Messages shown:
• Authorisation Request: Token, Token Exp. Date (shown twice)
• Authorisation Request: PAN, PAN Exp. Date, Token + Token Exp. Date
• Authorisation Response: Token (shown twice)
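The flow on the two tokenisation slides, sketched as an added Python example that is not part of the presentation or of any EMVCo specification. It assumes the token-only requests are the ones the merchant and acquirer see and that the PAN-bearing request is the one sent to the issuer after de-tokenisation; `TokenVault`, `network_authorise`, the random-digit token format and all sample values are hypothetical.

```python
import secrets
from dataclasses import dataclass

@dataclass
class TokenRecord:
    pan: str
    pan_exp: str
    token_exp: str
    domain: dict          # restrictions, e.g. {"merchant": ..., "channel": ...}
    linked: bool = True   # False once the token is unlinked from the PAN

class TokenVault:
    """Hypothetical token service provider store: token -> PAN mapping."""
    def __init__(self):
        self._records = {}

    def tokenise(self, pan, pan_exp, token_exp, **domain):
        token = pan
        while token == pan or token in self._records:  # never reuse or echo the PAN
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
        self._records[token] = TokenRecord(pan, pan_exp, token_exp, domain)
        return token

    def unlink(self, token):
        self._records[token].linked = False

    def detokenise(self, token, token_exp, context):
        rec = self._records.get(token)
        if rec is None or not rec.linked or rec.token_exp != token_exp:
            return None
        # Every restriction stored with the token must match this transaction.
        if any(context.get(k) != v for k, v in rec.domain.items()):
            return None
        return rec

def network_authorise(vault, request, context, issuer_decides):
    """Payment-network step: the token-only request is de-tokenised, the
    issuer receives PAN plus token, and only the token travels back."""
    rec = vault.detokenise(request["token"], request["token_exp"], context)
    if rec is None:
        return {"token": request["token"], "approved": False}
    issuer_request = {"pan": rec.pan, "pan_exp": rec.pan_exp, **request}
    return {"token": request["token"], "approved": issuer_decides(issuer_request)}

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample values (test PAN, made-up merchant id and dates).
    tok = vault.tokenise("4111111111111111", "12/16", "06/15", merchant="M-1001")
    ok = network_authorise(vault, {"token": tok, "token_exp": "06/15"},
                           {"merchant": "M-1001"}, lambda req: True)
    print(ok["approved"])
```

A request carrying the same token from a different merchant, or after `unlink`, is declined before any PAN reaches the issuer callback.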
Why Payment Tokenisation Specifications and Why EMVCo
• Today: Existing payment tokenisation systems are proprietary
• Domestic requirements: National bodies recognised the need for action
• Cohesive global payments framework: Compatibility with existing payment infrastructure to achieve consistency across all payment environments
• EMVCo mission: Facilitate secure and interoperable payments globally; strategic breadth, industry knowledge and technical depth
INDUSTRY ENGAGEMENT
Engagement with Global Organisations
• PCI SSC: Data Security
• GSMA: Mobile Applications
• NFC Forum: Contactless
• GlobalPlatform: Multi-Application Secure Platform
• EMVCo: Secure Interoperable Payments
Engagement with Key Industry Stakeholders
Objective – Engage with regional and national bodies as needed to support the continued migration to EMV technology
[Diagram: EMVCo (Secure Interoperable Payments) and Other bodies]
Examples include:
EMVCo and PCI SSC
Objective – Align EMVCo guideline, specification and external communication activities to ensure a consistent approach to security of the payment transaction data
Areas of focus in 2014:
• Mobile payment devices
• Mobile acceptance devices
• Terminal security
• Tokenisation
[Diagram: PCI SSC (Data Security) and EMVCo (Secure Interoperable Payments)]
EMVCO ASSOCIATES PROGRAMME (EAP)
EMVCo Structure – 2014
[Organisation chart; labels shown: Strategic Focus; Technical and Operations Focus; Executive Committee; Board of Managers; Board of Advisors; Business Associates; Technical Associates; Subscribers; Secretariats; Director of Operations; Working Groups; Task Forces; Level 1; Level 2; Terminal Approval; Card Approval; Security; Security Evaluation; Interoperability; Mobile Payments]
EAP Connects EMVCo to Industry Leaders
Benefits:
• Access. Engage and connect with EMVCo’s Executive Committee, Board of Managers and Working Groups.
• Insight. Learn more about EMVCo’s work programme, including future initiatives.
• Influence. Contribute to the future evolution of the EMV Specifications by sharing expertise, experience and requirements.
• Foresight. Receive advanced updates on EMV Specifications and technical amendments.
Participation levels:
Plus: Networking opportunities and free company subscriber benefits
Sample EMVCo Associate Workshop Topics
Tokenisation
Next generation migration
Terminal security
Terminal integration testing
Mobile acceptance
Handset approvals
Current EMVCo Associates
Business Associates (29): ANZ; BANCOMAT; BoC Credit Card*; BPCE; Bundesverband deutscher Banken e.V.; Carrefour Banque*; Cartes Bancaires*; Credit Mutuel; Dutch Payment Association (NVB); EFTPOS Payments Australia Ltd.*; Equens SE; EURO 6000, S.A.; European Payments Council; Interac*; Moneris Solutions*; National Credit Card Center of R.O.C.*; PAN-Nordic Card Association*; PASA; Poste Italiane*; Rede; Redsys; SIA-SSB; SRC Research; Swedbank AB; UK Cards Association*; United Nations Federal Credit Union; Vantiv; Verve International*; Worldpay
Technical Associates (28): BoC Credit Card*; Carrefour Banque*; Cartes Bancaires*; Cubic; EFTPOS Payments Australia Ltd.; FIME; Infineon Technologies; Ingenico; Inside Secure; ISIS; Interac*; McDonald’s Corporation; Moneris Solutions*; National Credit Card Center of R.O.C.*; Nationz; NCR Financial Solutions Group Limited; NXP Semiconductor; PAN-Nordic Card Association*; PAX Computer Technology (Shenzhen) Co., Ltd.; Poste Italiane*; Shanghai Huahong Integrated Circuit Co., Ltd.; Smart Payment Association; Square; SRC Research; Toshiba; UK Cards Association*; Verifone; Verve International*
^ Participation as of 15 January 2014
*Denotes dual associates: registered as technical and business associates
Thank You! For more information visit www.emvco.com or join us on LinkedIn