Gareth Ellis - PowerPoint PPT Presentation

About This Presentation
Title:

Gareth Ellis

Description:

Authorise fewer low-risk transactions. ATMs. Seen as a safe location for. Unblock, change pin ... Authorisation delegation and stand-in. Bilateral deals for MS ... – PowerPoint PPT presentation

Slides: 36
Provided by: trans97

Transcript and Presenter's Notes

Title: Gareth Ellis


1
Session 3 High Level Impacts of EMV
  • Gareth Ellis
  • Senior Solutions Consultant

2
Agenda
  • Card Impacts
  • Issuer Impacts
  • Transaction Impacts
  • Acquirer Impacts

3
Card Impacts
4
EMV Card
Chip Card with gold plated contacts removed
Conductive Micromodule (removed from card in
photo)
5
CHIP contents
  • ROM operating system plus EMV payment
    application
  • RAM scratchpad
  • EEPROM cardholder details plus dynamic
    applications and offline txn data
  • Crypto-processor for sophisticated cards

[Diagram labels: CPU, ROM, RAM, EEPROM, I/O, security, data bus]
6
What's in a chip?
  • 128K
  • EMV Application
  • Keys
  • Parameters
  • Customer data
  • 2K to 64K

Crypto-Processor
  • DDA cards
  • EEPROM is approx. 5 x cost of ROM
  • EMV generally in ROM
  • Choose EEPROM memory size based on customer
    segment i.e. do not deploy costly card which will
    not be used!

7
Card/Chip Manufacturers
  • Examples
  • Philips
  • Samsung
  • Infineon
  • IBM
  • Specifications are to ISO standards
  • 7816-13 physical characteristics
  • 7816-4 inter industry commands
  • 14443 contactless
  • Design and production of silicon
  • Wafers, drivers (crypto), interfaces

8
Card Vendors
  • Develop Operating Systems
  • often include applications
  • Provide services
  • embedding of chips into cards
  • data preparation
  • personalization
  • fulfilment
  • Examples
  • G&D, Oberthur, Gemalto, Sagem-Orga

9
Card Operating Systems (COS)
  • File System Cards (Native)
  • Proprietary (mass market)
  • MPCOS (Gemplus)
  • StarCOS (G&D)
  • SECCOS
  • Virtual Machine Cards
  • GP/Java
  • Multos
  • Based on PKI (KMA)
  • Requires a co-processor
  • Expensive

10
Chip Card prices
11
Issuer Impacts
12
Issuer Choices
  • ACI believe EMV is a business opportunity for
    banks
  • Banks must choose between a
  • standard migration with payment only cards
  • or differentiation with payment and added value
    applications
  • single function e.g. credit
  • multi-function e.g. credit and debit
  • multi-application e.g. credit and loyalty
  • ACI's message is: choose a future-proof solution
  • Do not underestimate the time required to
    implement EMV

13
Adding chip complexity to your cards
Card products
Card types
Life cycle rules
Card profiles
keys
App. profiles
Risk Profiles
14
Issuer control at terminal
  • Issuer now has the ability to affect the terminal
    transaction
  • Since the card can act on the Issuer's behalf, the
    Issuer needs to configure appropriate values,
    for example:
  • Geographical Check to allow domestic and
    international transactions
  • Application Effective Date Checking
  • Checking offline transaction limits
  • Cardholder Verification Methods supported

15
Issuer Action Codes
  • Chip introduces new data elements that need to
    be personalised
  • Issuer Action Codes are the decisions the Issuer
    has made about how they want offline transactions
    to behave
  • Actions are to decline, go online, or what to do
    if can't go online
  • IACs set at card level

16
Issuer Action Codes
  • Off-line data authentication
  • Cardholder verification
  • Terminal risk
  • General off-line authorisation controls
17
Update of Parameters Post-Issuance
Authorisation Host
EMV Parameter Management System
Get EMV Parameter
18
Post-issuance parameters
  • Offline spending limits
  • total offline spend before going online
  • LCOL/UCOL
  • Lower/Upper Consecutive Offline Limit
  • number of consecutive offline transactions before
    trying (LCOL) to go online or you must (UCOL) go
    online
  • PIN try counters
  • number of Offline PIN attempts before PIN is
    blocked
  • Application Block/Unblock
  • Card Block
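
An added worked example, not part of the original presentation: how a terminal turns the LCOL/UCOL counters into Terminal Verification Results (TVR) bits and then applies the Issuer Action Codes (decline, go online, what to do if unable to go online) together with the Terminal Action Codes. It models only the two velocity bits of TVR byte 4; the IAC/TAC values, the limits and all function names are constructed for illustration.

```python
# Added illustration: EMV terminal velocity checking followed by
# terminal action analysis. All sample values below are constructed.
# TVR byte 4: 0x40 = lower, 0x20 = upper consecutive offline limit exceeded
LCOL_EXCEEDED = bytes([0x00, 0x00, 0x00, 0x40, 0x00])
UCOL_EXCEEDED = bytes([0x00, 0x00, 0x00, 0x20, 0x00])
ZERO = bytes(5)  # an all-clear 5-byte TVR or action code

def b_or(a: bytes, b: bytes) -> bytes:
    return bytes(x | y for x, y in zip(a, b))

def matches(tvr: bytes, mask: bytes) -> bool:
    """True if any bit is set in both the TVR and the action-code mask."""
    return any(x & y for x, y in zip(tvr, mask))

def velocity_check(tvr, atc, last_online_atc, lcol, ucol):
    """Set the LCOL/UCOL bits from the count of consecutive offline txns."""
    consecutive_offline = atc - last_online_atc
    if consecutive_offline > lcol:
        tvr = b_or(tvr, LCOL_EXCEEDED)
    if consecutive_offline > ucol:
        tvr = b_or(tvr, UCOL_EXCEEDED)
    return tvr

def action_analysis(tvr, iac, tac, can_go_online):
    """Return the cryptogram type the terminal requests from the card."""
    if matches(tvr, b_or(iac["denial"], tac["denial"])):
        return "AAC"       # decline offline
    if can_go_online:
        if matches(tvr, b_or(iac["online"], tac["online"])):
            return "ARQC"  # send to the issuer for authorisation
        return "TC"        # approve offline
    if matches(tvr, b_or(iac["default"], tac["default"])):
        return "AAC"       # should have gone online but cannot: decline
    return "TC"

# Constructed issuer policy: try to go online at LCOL, insist at UCOL.
IAC = {"denial": ZERO,
       "online": b_or(LCOL_EXCEEDED, UCOL_EXCEEDED),
       "default": UCOL_EXCEEDED}
TAC = {"denial": ZERO, "online": ZERO, "default": ZERO}

def decide(atc, last_online_atc, can_go_online, lcol=3, ucol=6):
    tvr = velocity_check(ZERO, atc, last_online_atc, lcol, ucol)
    return action_analysis(tvr, IAC, TAC, can_go_online)
```

With these constructed codes, a card past LCOL is still approved offline when the terminal cannot reach the host, while a card past UCOL is declined in the same situation.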

19
Impacts to Back Office Systems
  • Enhancements to the back-office systems
  • Additional applications - customer service
  • New personalisation requirements - CMS
  • Application life-cycle management - use of chip
    database
  • Parameter management, risk management, CRM
  • Risk parameters will impact systems for
  • Behavioural scoring
  • Fraud detection - does it check EMV data?
  • Risk management

20
Operational requirements
  • Enhancements to authorisations systems
  • EMV Authentication
  • Fallback checking CVR/TVR checking
  • Additional EMV data elements
  • Offline PIN try exceeded?
  • Was last script update successful?
  • Whether or not to reset spend accumulators to
    zero
  • Always keep offline limit below account balance?
  • Online and offline PIN change synchronisation
  • Customer services
  • Enhanced disputes management
  • PIN block offline and online

21
Tactical versus Strategic
  • The Impact depends on the Issuer's response
  • One response is to get EMV payment cards out
    there
  • Another response is to look to the future and
    implement systems with value-add
  • Loyalty
  • Contactless
  • Two-factor authentication
  • PKI
  • Maybe a third route is to implement solutions
    that can support future requirements

22
Transaction Impacts
23
Magnetic stripe transaction
24
EMV transaction overview
25
Acquirer Impacts
26
Terminals
  • New terminal hardware (EMV Level 1)
  • Encrypting PIN pad
  • Encrypted PIN if separate reader
  • Encrypting PIN Pad must meet scheme requirements
    and PCI PED security requirements
  • CHIP reader
  • New terminal firmware (EMV Level 2)
  • To support communication with the card
  • To support extra data in host messages
  • To support new cryptographic calls

27
Testing and Approvals
  • EMV terminal certification
  • At EMVCo laboratory
  • EMVCo issues Letter of Approval and lists
    approved products on www.emvco.com. Terminals
    accepting scheme cards must have
  • EMV Level 1 Approved Card Reader (hardware)
  • EMV Level 2 Approved Application Kernel
    (software)
  • Schemes have Acquirer Validation Toolkits to
    test each hardware/software combination
  • Scheme EMV Certification for acquirers/issuers

28
Terminals
  • New EMV Card Scheme keys held in terminal
  • 6 PKI public keys from each Card Scheme (EMV
    recommends 4)
  • 1024 bits until 2009
  • 1152 bits until 2014
  • 1408 1984 until 2017
  • Terminal Key policy needs to be updated for EMV
  • Upgrade or replace? Age profile?
  • What's in it for the Merchant?
  • Benefit goes mainly to Issuers?
  • Can Issuers fund acquirer incentives?
  • Will charges change?
  • Co-ordinated and timely terminal migration is
    fundamental to successful chip introduction

29
Merchants
  • Terms and conditions between merchant and
    acquirer will change
  • Disputes - Fewer chargeback reason codes
  • Liabilities
  • fees
  • Merchant training
  • e.g. Fallbacks, PIN Bypass
  • Need to know which merchants have chip enabled
    devices
  • Indication of possible problem/fraud

30
Merchants
  • Offline management
  • Transaction capture, software upgrades, etc
  • Key distribution
  • Review acquiring policies such as floor limits,
    MSC
  • MSC was lower in EU as an incentive
  • Merchant payback may be higher floor limits
  • Authorise fewer low-risk transactions

31
ATMs
  • Seen as a safe location for
  • Unblock, change pin
  • Add applications
  • Execute lengthier scripts
  • ATMs do not perform Offline Authentication or
    Offline PIN so no need for Public Keys in ATMs
  • ATMs must support Application Identifiers
  • Card can hold Language Preferences and compare it
    to terminal
  • Fallback - generally, issuer's discretion

32
ATM Migration
  • Evaluate existing ATMs to determine if they can be
    upgraded for chip
  • Obtain list of approved products from EMVCo
  • Select hardware and software upgrades
  • Make Policy decisions related to ATM requirements
  • Languages, cardholder application selection,
    fallback policy
  • Obtain chip recommendations from Card Schemes
  • Obtain Terminal Action Codes from Card Schemes
  • Update authorisation/clearing message formats

33
Acquirer Host Systems - Data
Sent to the ATM By the Card
  • Generated or supplied during transaction processing

Sent by the Issuer to the ATM
34
Acquirer Host Systems
  • Authorisation request extra 39-96 bytes (Visa)
  • Authorisation response extra 10-142 bytes (Visa)
  • Authorisation delegation and stand-in
  • Bilateral deals for MS transactions still apply?
  • PIN @ POS requires declined auths to go to the
    issuer
  • Acquirer Interfaces to UAE Network
  • EMV data - new message format
  • Communications
  • Polling Offline transactions

35
Clearing/Back Office systems
  • Acquirer's clearing system messages and controls
    will change to accommodate chip data
  • Changes to back-office procedures to deal with
    changes in disputes/chargebacks
  • TC and ARQC cryptograms

36
(No Transcript)