4' Business Drivers for EMV Migration

1
4. Business Drivers for EMV Migration

• Richard Sanders, Business Consultant
• ACI Worldwide

2
EMV - Enhancing todays technology

• Magnetic Stripe
• Data capture capability small,
• read only infrastructure,
• no computing power
• limited in capabilities/use for other purposes
• fraud reduction capabilities of technology are
  limited
• encrypted PIN security
• CVV
• DES private key technology
• Stripe is very easy to copy to produce
  counterfeit cards

• Chip Based Debit/Credit
• authorisation controls driven by EMV chip a
  computer device (larger data capacity can offer
  more sophisticated services than stripe)
• enhanced data authentication
• enhanced audit trail
• off-line counterfeit detection
• off-line PIN controls
• on-line skimming detection
• RSA public key technology
• Chip hard but not impossible to copy

3
EMV Business Drivers

• Reduce Fraud Losses
• Counterfeit, Lost and Stolen decrease
• Growth in other areas
• Reduce Operational costs
• More transactions off-line
• Fewer disputes/chargebacks
• Longer card life
• New Value Add services
• Loyalty
• PKI
• E-ID
• Contactless
• Transit

4
Fraud Reduction
5
The French Fraud Experience
Source Cartes Bancaires
Moving to Chip and PIN and then EMV has
saved France 850m in Fraud Source Visa EU
6
Why did France move to EMV when its bespoke
implementation had reduced fraud already?

• France EMV Migration Business Drivers
• Realignment with International Standards from
  bespoke chip
• Reinforcing Security by upgrading the technology
• Address fraud by extending chip to cross border
  transactions
• SEPA compliance
• Introduce new services with multi-application
  cards
• Liability shift
• Guiding Principles
• Progressive migration rather than big bang like
  first time
• Involve key players Retailers, Consumer
  Associations, Vendors
• Cultivate close co-operation with peers EMVCo,
  Schemes
• EMV is the cornerstone for Merchant and Consumer
  trust and confidence in the card system and
  produces significant reductions in fraud
• Build sound relationship with all stakeholders

7
EMV ensures that

• The card is the genuine item
• Card Authentication Method (CAM)
• Based on data stored securely in the chip
• Protects against counterfeit fraud
• The person using it is genuine
• Cardholder Verification Method (CVM)
• Usually based on a PIN
• Protects against lost stolen card fraud

?
?
8
EMV Benefits Business Decisions

• Static, Dynamic or Combined Data Authentication?
• Germany CDA, Saudi Arabia DDA, UK SDA
• Parameter settings to be determined
• Issuer Action Codes need to be defined
• CVM needs to be defined
• Probably different scenarios for Debit and Credit
  to reflect current practice
• EMV is both a business and technical
  implementation
• Settings should not just be left to the Risk areas

9
Strengths and challenges of EMV

• Higher security and risk management than magnetic
  stripe
• Not invulnerable
• New, different attacks SDA compromise, service
  code re-writing, etc.
• Security levels and risk management must be
  fit-for-purpose and product
• On-line PIN, off-line PIN, signature,
  combination, no CVM at unattended devices, etc.
• Early entry option magnetic stripe on a chip no
  longer allowed in most markets

10
Although it will reduce Counterfeit and Lost and
Stolen, EMV will also lead to new Fraud Challenges

• Lost stolen and counterfeit will reduce but
  Mail non-receipt and application fraud will grow
• Chargebacks due to fraud will rise
• Miscellaneous Fraud bucket needs much more
  granularity
• CNP (Internet, TV, MOTO)
• Identity theft
• Cross border fraud
• Shifts to non-compliant cards, merchants and
  channels and new products with lesser fraud
  protection (pre-paid cards, store cards)
• New avenues will be exploited by the frustrated
  fraudster
• More sophisticated phishing and pharming
• Increased system hacking attempts on internet
  merchants
• Rise in sleeper or bust-out fraud
• Compromise at the ATM (shoulder surfing,
  pick-pockets)
• Attempts to crack the chip and beat the system
• Exploitation of 3rd-parties in the payments
  chain
• Siloed LOBs provide opportunity for the
  organised fraudster

11
Conclusions on EMV and Fraud Reduction

• EMV will cause fraudsters to look for weak links
  in the banking process
• Be aware, and prepare with an enterprise-wide
  strategy for information convergence
• Respond quickly with off-the-shelf plug-ins and
  in-house experts
• A sound fraud prevention platform contributes
  to
• Anti-money laundering (AML) compliance
  requirements
• Know your Customer (KYC) and marketing
  initiatives
• Risk monitoring
• Marketing initiatives

12
Reduce Operational Costs
13
Why Offline?

• War on Cash typically costs to the business
  are unclear
• Extending the scope of card-based payments
  especially in regions with telecommunication
  issues
• Low volume merchants unattended terminals
• New card products
• Sub-prime youth markets
• e-Government applications
• Contactless applications
• Prepaid
• Higher card and transaction volumes
• Higher profits

14
EMV Benefits Business Decisions

• The volume of authorisations is increasing EMV
  offers opportunity to reverse this trend
• Contactless will drive further away from on-line
• When to enable offline for debit portfolio
• Impact if IACs and CVM incorrect
• Opportunity to extend portfolio
• How and when to allow offline authorisation
• One in N transactions
• Balancing transaction loads at peak periods
• Parameters - Debit portfolio vs. Credit portfolio
• Could change further with Pre-Authorised Debit

15
Magnetic stripe risk management

• In the magnetic stripe world, risk management
  decisions made at the issuer level on host
  systems
• The transaction controlled offline by the
  terminal and limited to floor limits and hot card
  checking
• Institutions like Supermarkets/Petrol Stations
  may have zero floor limit hence authorisations
  increasing
• EMV chip cards provide additional risk management
  at the card level

16
Floor Limit Impact on Risk Management

• Lower limits
• Issuer closer to what is going on
• Acquirer can be more relaxed
• Reduce expenditure on Hot card File and Bulletins
• Limits potential for runaway spend
• Assists effectiveness of fraud detection
• Higher limits
• Issuer further from transactional activity
• Acquirer needs to be diligent about monitoring
  controls
• More expenditure on Hot Card File and Bulletin
• Exposure to runaway spend
• Impairs effectiveness of fraud detection
• Reduced IT/communications costs

17
EMV and floor limits

• Off-line risk parameters
• Distributed authorisation decision
• Floor limit is no longer the sole determining
  factor
• Issuer deploys floor limits on card
• LCOL, UCOL, Cumulative Total Transaction Amount
  Limit, etc.
• Opportunity to control risk at both product and
  customer segment level

18
Floor limits still have life

• Issuers
• Control against SDA and key compromise
• Attack via low floor limit LCOL, UCOL
• Fallback processing
• 2-3 years to full chip maturity
• Must factor in when determining risk parameters
  on card
• Requires merchant co-operation
• Maybe case for Chip and Signature cards for
  certain disabled groups
• Acquirer risk management still in place

19
CAM Fallback

• Chip Device unable to read chip
• Merchant Floor Limit is zero
• Approved Authorization Request properly indicates
  fallback to magnetic stripe or manual imprint
• Issuer Liable
• Chip Device unable to read chip
• No Authorisation or Authorisation Request does
  not contain the required fallback indicators
• Acquirer Liable

or
Chip Card Magnetic stripe read
Manual Imprint
19
20
EMV enables better control

• Permits
• More sophisticated authorisation decisions
• Safer authorisation decisions off-line
• Authorisations can be forced on-line
• Customer centric decisions at the terminal
• Acceptance in more locations
• Control managed within application on the chip
• Issuer can update card at terminal
• Change parameters (via scripting)
• Add/activate new applications at special terminals

21
EMV provides operational savings

• More off-line processing means
• Lower telecoms costs (e.g. France is 90
  off-line)
• Lower authorisation processing costs
• Managed peaks
• Enhanced security means
• Data integrity delivers lower exception
  processing costs
• Less disputes delivers lower chargeback
  processing costs
• Longer card life means lower issuing costs
• Ability to control card in the field through
  parameter change reduces need to block card
• Extended reissue timeframes because stripe does
  not wear out
• Application block means lost cards only
  reissued when confirmed
• Activation of chip to reduce CNP

22
The EMV migration stepladder
Post issuance
Full multi-application
Dynamic risk management and scripting
Static risk management and off-line payments
EMV issuance and personalisation
Magnetic stripe issuance and personalisation
23
Meeting the business challenge

• EMV parameter management
• Initial issuance
• Determine policy for initial values by product
• Reflect customer segment and business risk
  proposition Marketing vs. Fraud vs. Credit Risk
  department requirements
• Post issuance
• Customer lifecycle management
• Ensure access to all data required

24
Customer lifecycle management

• Influencing factors
• Fraud scores
• Behavioural scores
• Change of circumstances
• Risk profile
• Use of card
• Type of cardholder
• Contactless/Contact transaction split
• Usage of other LOBs

25
Who is seeing the bigger picture?

• Operational
• Risk management generally managed in silos
  either by Lines of Business (LOBs) or by
  expertise
• Fraud operations managed based on product and
  fraud types AML, debit, credit, merchant, etc
• Inspection/Audit may also have a view
• Technical
• Different platforms, data stores, applications
• Business challenge
• The need to have an integrated approach
• CRM will be the way forward

26
More Than Payment on a Chip
27
Responding to Key Business Objectives

• New income opportunities
• Expand the customer portfolio to new segments
  with new products
• Increase the transaction volumes by widening
  acceptance sectors more effectively
• Enhanced customer retention
• Offer expanded functionality to the POS without
  increasing risk
• Added value solutions leveraging the EMV
  technology shift assist business case

28
(No Transcript)