EMV® GLOBAL PAYMENT SPECIFICATIONSFeb 05, 2014 · Redsys SIA-SSB SRC Research Swedbank AB UK Cards Association* United Nations Federal Credit Union Vantiv Verve International* Worldpay

EMV® GLOBAL PAYMENT SPECIFICATIONS ADAPTING FOR MOBILE COMMERCE

Brian Byrne, EMVCo Director of Operations

05 February 2014

Copyright © 2014 EMVCo

Agenda

2

Introduction to EMVCo

• Next Generation

• Mobile Payment

• Mobile Acceptance

• Tokenisation

Key Initiatives

Get involved

INTRODUCTION TO EMVCO

Copyright © 2014 EMVCo 4

EMVCo’s Mission

To facilitate the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications

and related testing processes


EMV Facilitates Global Interoperability

• Banks conducted pilots of chip cards to reduce high levels of fraud

Pilots

• Individual countries were adopting the ISO secure chip standard

ISO • Implementing

domestic chip standards and specifications did not reduce cross-border fraud

Domestic deployments

• Three international payment systems developed a global specification

Worldwide interoperability


EMVCo’s scope and participation continues to evolve over time in response to emerging payment, technology and industry needs

6

Scope and Participation

Next?

Next?

JCB Joins

American Express

Joins

Expanded Industry

Participation

Board of Advisors

Europay, Mastercard,

Visa

Contact Spec Interoperability Management

Terminal Type Approval Process

CCD/CPA Specs

Scope

Participation

Next Generation

UnionPay & Discover

Join

Tokenisation

Terminal mPOS, Security & Integration Task Forces

Security Evaluation and Card Type

Approval


Roles of EMVCo and Payment Systems

EMVCo

Manage and evolve EMV Specifications

Perform product testing & certification

Enhance payment security

Support emerging payment technologies

Vendor focus

Global, Regional and Domestic Payment Systems

Product development

EMV mandates

Commercial incentives

Fraud liability shift policy

Issuer & acquirer focus

INTRODUCTION TO NEXT GEN


Introduction to EMV Next Gen

Convergence

• Simplified terminal design • Integrated type approval

processes

• Contact / contactless technologies

• Common Contactless Terminal Roadmap

Evolution Optimisation

• Public key cryptography (ECC)

• New payment technologies (e.g. mobile)

NEXT GENERATION a common and robust payment

platform


Product Time to Market

Enable a more cost & time efficient deployment of current,

emerging & future payments

Terminal Evolution Reduce impact on terminal infrastructure as product

requirements evolve

POS Throughput Provide options for improving

throughput at point-of-sale

Transaction Quality Improve transaction data quality

& relevance

Transaction & Business Environments

Address different types of transactions & various business

environments

Product Selection Improve the product selection for

the cardholder & merchant

Security To future-proof EMV security including incorporating ECC & mitigate privacy-related issues

Business Drivers


2011

2011

2012

2013

2014

2015

2016

2025

2030

Start the EMV Next Generation effort

EMVCo Next Generation scope finalisation

EMV Next Generation high-level architecture completed

EMV Next Generation Draft Specification completed

EMV Next Generation Specification completed

Terminal Type Approval Process availability

Payment systems may sunset the issuance of legacy contact/contactless cards

Payment systems may remove legacy cryptography (i.e. keys) from terminals

*The timeline and milestones presented are provisional and subject to change

Project Milestones

CONTACTLESS MOBILE PAYMENT (CMP)


Mobile Payment – A Complex Ecosystem Compared to the Card World

13

Multiple secure element options

Proliferation of: • Handsets • Digital & analog

functionality

Multiple issuer and/or payment system

applications

Bespoke user interface per

implementation

Contactless Payment with Mobile device

OTA Perso, Provisioning

& Application Management

Traditional payment card end-to-end providers

Handset OEMs

MNOs

Add-on accessory manufacturers

MicroSD manufacturers

Issuers

Payment systems TSM 3rd party

developers

An extended range of vendors to engage with across each component:


Mobile Payment – A Complex Ecosystem Compared to the Card World

14



functionality


applications


implementation


OTA perso, provisioning & application management

GlobalPlatform ETSI SCP

NFC Forum

EMVCo PCI DSS

Payment systems GSMA

With an extended range of governance and applicable specifications:


Mobile Payment – Reducing the Complexity of Payment Device Approval

15



functionality


applications


implementation


OTA Perso, Provisioning

& Application Management

Traditional payment card end-to-end providers

Handset OEMs

MNOs

Add-on accessory manufacturers

MicroSD manufacturers

Issuers

Payment systems TSM 3rd party

developers


Mobile Product Level 1 Type Approval in two Phases

16

Phase 1:

EMVCo limits the scope of testing to contactless analogue and digital functionality according to the EMVCo Level 1 Specifications.

Phase 2:

EMVCo will expand the scope of testing to include additional testing such as testing with terminals in the field.

The EMVCo Mobile Product Level 1 Type Approval Process will be implemented in two phases:


Assessment of new mobile technologies and implications for EMVCo activities:

Contactless Mobile Payment 2014 Focus

• Potentially significant change to the nature of the mobile ecosystem, providing new issues and challenges to address, including use of tokenisation

Host Card Emulation

Alternative communication protocols e.g. Blue Tooth Low Energy

Embedded secure elements – how to address the challenges of certification

Advance the work of the EMVCo Card Approval Working Group to progress Level 1 Type Approval

MOBILE POINT OF SALE


Mobile Point of Sale (mPOS)

Industry requirements

Acknowledgement & understanding of market

challenges

New market entrants may need EMV Specification clarification & processes

guidance

Clarity on responsibilities among industry bodies

Emerging marketplace

Many new entrants to payment terminal solution

space

Need to balance: innovation, user consistency, security &

interoperability

Various key bodies participating in this areas


EMVCo is evaluating updates to the EMV Specifications and testing processes to facilitate deployment of EMV compliant mPOS

solutions

mPOS: EMVCo Activity

OEMs Solution providers Banks

Merchants Payment

Processors Testing providers /

Labs

Identified participants in the mPOS space that will benefit from the framework include:


mPOS: Initial Deliverable

EMVCo Mobile Point of Sale (mPOS) Initial Considerations

The document defines basic EMVCo terminology, high level architecture and applicable EMVCo and PCI SSC approval processes associated with mPOS solutions

21

PAYMENT TOKENISATION


What is Payment Tokenisation?

Payment tokens offer a way to further enhance security of digital payments and simplify the purchasing experience when shopping on a mobile handset, tablet, personal computer or other smart device

It achieves this by:

Replacing a traditional card account number with a unique

payment token

Restricting the use of a payment token by device, merchant, transaction type or channel

Process is invisible to the consumer

Fraudulent activity reduced as:

Payment token is limited to a specific

domain

Payment token can be unlinked from card account number as

required

Merchants / digital wallet operators do not

need to store traditional card account

numbers


One Example of the Payment Tokenisation Process

Mobile/

Digital Wallet

Interaction

Cardholder

Authorisation

Request:

• Token

• Token Exp. Date

Merchant Acquirer

Authorisation

Response:

• Token

Issuer

Authorisation

Request:

• Token

• Token Exp. Date

Authorisation

Response:

• Token

Authorisation

Request:

• PAN

• PAN Exp. Date

• Token + Token

Exp. Date

Token Vault

Payment Network

De-Tokenise

Token Service Provider


Why Payment Tokenisation Specifications and Why EMVCo

• Existing payment tokenisation systems are proprietary

Today

• National bodies recognised the need for action

Domestic requirements •Compatibility with

existing payment infrastructure to achieve consistency across all payment environments

Cohesive global payments

framework

• Facilitate secure and interoperable payments globally

• Strategic breath, industry knowledge and technical depth

EMVCo mission

INDUSTRY ENGAGEMENT


PCI SSC Data Security

GSMA Mobile

Applications

NFC Forum Contactless

GlobalPlatform Multi-

Application Secure Platform

EMVCo Secure

Interoperable Payments

Engagement with Global Organisations


Objective – Engage with regional and national bodies as needed to support the continued migration to EMV technology

Engagement with Key Industry Stakeholders

Other bodies

EMVCo Secure Interoperable

Payments

Examples include:


Objective – Align EMVCo guideline, specification and external communication activities to ensure a consistent approach to security of the payment transaction data

Areas of focus in 2014: • Mobile payment devices • Mobile acceptance devices • Terminal security • Tokenisation

EMVCo and PCI SSC

PCI SSC Data Security

EMVCo Secure Interoperable

Payments

EMVCO ASSOCIATES PROGRAMME (EAP)


EMVCo Structure – 2014

31

Strategic Focus

Board of Advisors

Business Associates

Subscribers

Technical Associates

Executive Committee

Secretariats Director of Operations

Board of Managers

Working Groups

Level 1

Terminal Approval

Security

Card Approval

Security Evaluation

Inter- operability

Mobile Payments

Level 2 Task Forces

Technical and Operations Focus


EAP Connects EMVCo to Industry Leaders

32

Benefits:

Access. Engage and connect with EMVCo’s Executive Committee,

Board of Managers and Working Groups.

Insight. Learn more about EMVCo’s work

programme, including future initiatives.

Influence. Contribute to the future evolution of the

EMV Specifications by sharing expertise,

experience and requirements.

Foresight. Receive advanced updates on EMV

Specifications and technical amendments.

Participation levels:

Plus: Networking opportunities and free company subscriber benefits


Sample EMVCo Associate Workshop Topics

Tokenisation

Next generation migration

Terminal security

Terminal integration testing

Mobile acceptance

Handset approvals


Business Associates (29)

ANZ BANCOMAT BoC Credit Card* BPCE Bundesverband deutscher

Banken e.V.

Carrefour Banque* Cartes Bancaires* Credit Mutuel Dutch Payment Association

(NVB) EFTPOS Payments Australia

Ltd.*

Equens SE EURO 6000, S.A. European Payments Council Interac* Moneris Solutions*

National Credit Card Center of R.O.C.*

PAN-Nordic Card Association*

PASA Poste Italiane* Rede

Redsys SIA-SSB SRC Research Swedbank AB UK Cards Association*

United Nations Federal Credit Union

Vantiv Verve International* Worldpay

Technical Associates (28)

BoC Credit Card* Carrefour Banque* Cartes Bancaires* Cubic EFTPOS Payments Australia

Ltd.

FIME Infineon Technologies Ingenico Inside Secure ISIS

Interac* McDonald’s Corporation Moneris Solutions* National Credit Card Center

of R.O.C.* Nationz

NCR Financial Solutions Group Limited

NXP Semiconductor PAN-Nordic Card

Association* PAX Computer Technology

(Shenzhen) Co., Ltd. Poste Italiane*

Shanghai Huahong Integrated Circuit Co., Ltd.

Smart Payment Association Square SRC Research Toshiba

UK Cards Association* Verifone Verve International* ^ Participation as of 15 January 2014

*Denotes dual associates: registered as technical and business associates

Current EMVCo Associates


Thank You! For more information visit www.emvco.com or join us on LinkedIn

http://www.emvco.com/

Documents

EMV® GLOBAL PAYMENT SPECIFICATIONSFeb 05, 2014 · Redsys SIA-SSB SRC Research Swedbank AB UK Cards Association* United Nations Federal Credit Union Vantiv Verve International* Worldpay