Session 1 EMV Review

1
Session 1 EMV Review

• Richard Sanders Business Consultant
• ACI Worldwide

2
Agenda

• The Market Background to EMV
• What is EMV?
• The Aims of the EMV Specification
• What does EMV provide
• What is the Role of EMVCo?

3
Why Smart Cards are the Future

• The Payment Industry needs a payment
  infrastructure that allows transactions to be
  made across the globe that are-
• Easy to operate
• Cost effective compared to conventional banking
  systems
• Resistant to fraud
• Globally interoperable
• For over 30 years the magnetic stripe card met
  these criteria but the future now is smart cards

4
Magnetic Stripe Card

• Account and other data required for credit/debit
  transaction are held on the stripe at a much
  cheaper cost than chip cards.
• International standards (ISO 7813) exist for the
  positioning and content of data of the stripe to
  give global interoperability.
• When the card is swiped to initiate the
  transaction, the terminal receives the data to
  perform a transaction.
• Drawbacks of Magnetic Stripe Cards are-
• Stripe is very easy to copy to produce
  counterfeit cards
• Fraud prevention capabilities of stripe
  technology are limited
• The stripe is a read only infrastructure, does
  not have any computing power and is limited in
  its capabilities.
• Stripe has small capacity, holding only 440-660
  characters of data (220 on either two or three
  tracks), mostly account information, with little
  scope for adding more data for other purposes.

5
Smart Card

• Seen by the Payments industry as the replacement
  for stripe cards because it overcomes the
  drawbacks-
• Copying of the Chip, although possible in
  principle, prsesents the fraudster with cost,
  time and resource requirements out of proportion
  to the likely reward
• As the Chip is a computer device it can keep
  secrets, interact with with the accepting device
  and process data.
• The Chip has a larger data capacity, currently
  around 64,000 bytes (64K) which means it can
  offer more sophisticated services than stripe
• ISO standard 7816 defines the physical layout of
  the chip and its connections

6
Risk Management Stripe Vs. EMV

• In the magnetic stripe world, risk management
  decisions were made at the issuer level on host
  systems
• The transaction was controlled offline by the
  terminal and was limited to floor limits and hot
  card checking
• Now, EMV chip cards provide additional risk
  management at the card level
• EMV provides a set of extra tools to carry out
  risk management functions
• cardholder profiles can be tailored more
  precisely
• it is now the issuer that makes risk management
  decisions at the point of sale, rather than the
  acquirer
• controls can be extended further - from the
  issuer's own systems onto the smart cards
  themselves

7
The Market Background to EMV

• Lack of consumer affinity to any Financial
  services company so can use EMV to
  differentiate but cannot afford to be last in a
  market for reputational and fraud cost reasons
  Amex Blue is still revered
• EMV provides a platform to exploit IT
  developments (e.g. Internet) which have fuelled
  competition
• CRM investments are finally expected to create
  value
• Data privacy, Spending control, ID Theft, Value
  and Phishing/Trojans are now everyday customer
  concerns
• Governments and EU Bodies flexing legislative
  muscle
• Legislation increasingly an issue for Payment
  schemes
• All Banks want to move away from cash/cheques to
  cards and electronic payments

8
What is EMV?

• Europay, MasterCard and Visa (and now JCB)
• A Global Payment Specification for -
• A non-competitive standard that facilitates the
  building of a smart card infrastructure for
  credit and debit transaction processing.
• Incorporates mandatory and optional steps
• Secure Card Authentication Method (CAM) through
• Static Data Authentication (SDA)
• Dynamic Data Authentication (DDA)
• Combined Data Authentication (CDA)
• Secure Cardholder Verification Method (CVM)
• Enhanced Risk Management
• Contains certain defined Application Programming
  Interfaces (APIs) and certain physical and
  electrical standards.
• Defined by EMVco (www.emvco.com) endorsed by Amex

9
What is EMV?

• It does not at present cover -
• All possible payment scenarios or available
  technical capabilities
• E commerce certificates used on the internet
• Cryptographic methods other than ones it defines
  as in scope
• Payment specific mobile communications
• Biometrics EMV recognises these but provides no
  details

10
EMV Card Standards

• EMV builds on ISO (International Standards
  Organisation) Global Standards for the card
  industry
• ISO 7816 specifies the physical characteristics
  of a payment card e.g. size, where magnetic
  stripe/chip module located
• ISO 7813 specifies the data content of the
  magnetic stripe, so it can be read by any
  ISO-compliant card reader. The magnetic stripe
  service code a three digit number are 1XX, but
  2XX and 6XX specify a smart card allowing a smart
  card terminal to recognise a smart card has been
  swiped in error allowing the system to respond
  with a message and ensuring a smooth transition
  from the traditional to a smart card
  infrastructure
• ISO standards however need not be industry
  specific, Organisations may set their own
  standards in addition to those set by ISO e.g.
  Visa specification for location of the hologram
  and logo.

11
Contents of the EMV Specification

• The EMV specification is made up of 4 books -
• Electromechanical physical hardware interface
  between smart card and terminal - covers clock
  speeds, voltage thresholds and card reader slot
  size
• Security and Key Management cryptographic
  techniques to ensure EMV provides a secure
  mechanism to enable transactions where it can
  establish both the actual card and cardholder are
  present
• Application Selection defines from a software
  perspective how the smart card and the terminal
  (or accepting device) together select which
  application on the card will be run as both run
  EMV application software and there must be a
  common approach to selecting an application.
• Processing Interface details the data exchange
  requirements between the card, terminal and
  acquirer systems

12
How the EMV Framework has developed
EMV Functionality
EMV Common Core and Common Payment Application
(CPA )
Further Applications
Visa Smart Secure Storage (VS3)
MasterCard Open Data Storage (MODS)
SecureCode
Secure Internet Txns
Verified by Visa
AUTHENTICATION
Counteracts counterfeit lost/stolen fraud
Core EMV Functionality
13
The Aims of the EMV Specification

• Magnetic stripe technology cannot be developed
  further but the payment card industry needs-
• Enhanced transaction processing security and
  fraud protection
• Greater functionality within the card
• Global Interoperability of cards/ systems
  allowing suppliers to -
• concentrate on competitive issues rather than
  having to invest in proprietary infrastructures
• develop products to a single specification for a
  global market rather than for many fragmented
  markets
• A specification that allows growth and
  development in the future particularly to allow
  multiple applications on the card
• The EMV infrastructure specification meets these
  goals where both the card and cardholder are
  present in both a contact and contactless
  scenario.

14
EMV Provides

• Interoperability
• Of card acceptance, security and payment
  functions
• Liability shift
• Enhanced security
• Cryptography, offline risk management with a
  common decision being taken between card and
  terminal
• Better Control
• Sophisticated authorisation decisions
  off-line/forced on-line
• Issuer controlling the risk
• Customer centric decisions at the terminal,
  control managed within the application on the
  chip
• Operational Savings
• More off-line processing, fewer chargebacks,
  longer card life
• Issuer can update the card at the terminal
• Change parameters via scripting
• Add/activate new applications

15
EMV Common Core Definitions

• Defines common data element content format for
  sending chip information between an EMV card and
  the issuer via the acquirer
• Issuers Benefit
• Common issuer support system for multiple branded
  cards
• No longer need, at the data interface and host
  system cryptography support levels, to develop
  and maintain multiple issuer host systems to
  support chip for different brands
• Common host transaction processing for cards from
  multiple payment systems

16
EMV Common Payment Application

• Complete CCD-compliant application specification
  - Released in December 2005
• Enabled further commonality of card internal
  function and back-office support
• Common card application implementation
  specification endorsed by MasterCard, Visa and
  JCB
• Enables issuers to implement a single
  front-office and back-office to support all CPA
  chip cards
• One-stop testing and approval process managed and
  operated by EMVCo
• Can be used by issuers of multiple brands for
  both international and domestic payment
  applications

17
What is EMVCo

• History
• Mission
• Manage, maintain and enhance the EMV Integrated
  Circuit Card Specifications to ensure
  interoperability and acceptance of payment system
  IC cards on a worldwide basis
• Responsible for a type approval process for
  terminal compliance testing

18
What EMVCo are Working On
19
EMV interoperability implementation specs

• EMV is not an implementation spec
• Card associations National schemes develop
  implementation specs

20
EMV - More than fraud prevention ?
Advantages
Problems
Unrealistic timelines?
Schemes Mandated Chip and PIN cards By Liability
Shift
Reduce fraud
Cost
Accelerate Transactions _at_ POS
Merchant resistance (cost and disruption)
Save till paper
Need for consumer re-education
Charge-backs fewer reason codes
Vendors lengthy accreditation process
Better Risk Controls
Special considerations for disabled
21
(No Transcript)