eStudy
EMV® 2015: Development & Merchant Readiness
OpenEdge Research & Development Group
December 2015
855.443.8377
openedgepayment.com
blog.openedgepayment.com
Table of Contents
Executive Summary
The Payments Industry Landscape
Some Background on EMV®
Why EMV Now?
Liability for EMV Transactions
EMV Adoption Challenge
Edge Shield & EMV
How Can EMV Benefit Software Developers?
What Now?
Executive Summary
EMV®, the New Security Standard
The U.S. is migrating to the EMV® security standard. The technology is based on a microprocessor
(or ‘smart chip’) that is virtually impossible to duplicate and will change the credit card purchasing
experience. The payments industry is instituting a liability shift in which the party in the payments
chain not enabling EMV will be considered responsible if fraud occurs.
A More Complicated Integration
Software developers offering credit card payments in their applications face a far more complicated
integration than was necessary with magnetic stripe technology. EMV certifications are expensive
and cumbersome.
Edge Shield
The OpenEdge answer to a simplified EMV integration is the Edge Shield security bundle.
Developer benefits include:
• A pre-certified EMV offering including device management and card brand certifications
• Supports mobile payments using NFC technology (e.g. Apple Pay™, Android Pay™)
• Future-proofing: easy addition of hardware devices in the future
• Encryption, protecting data in transit
• Tokenization, protecting data at rest in the POS
• PA-DSS 3.0 Out-of-Scope and PCI DSS scope minimization
• Developer Breach Reimbursement Guarantee
The Payments Industry Landscape
Card Data Breaches
The frequency and impact of card data breaches are increasing. A series of recent high-profile
breaches at major retailers has provided a decisive impetus for the payments industry to institute
the long-planned transition to EMV. The U.S. payments industry began migrating to the new
standard in 2015.
Payment Card Fraud
The theft of payment card data is a lucrative criminal trade. The magnetic stripe technology on
credit and debit cards is notoriously easy to access and counterfeit. Well-organized, sophisticated
global criminal networks sell and use the stolen card data, often in other countries, before payment
industry participants can act. While U.S. consumers are largely protected against direct financial
losses, stolen cards or payment credentials affect everyone through the payment chain: issuing
banks, payment processors, and the businesses selling goods and services.
• Estimated breaches annually: 950
• Estimated customer records compromised annually: 750 million
• Average cost per stolen record: $277
• Lost business accounts for 56% of data breach costs
• Records compromised since 2004: 1 billion+
Source: OpenEdge and PCI SSC
Mobile Technologies
In addition to traditional credit and debit plastic cards, the public uses smart phones for purchasing
goods, paying bills and mobile banking. Consumers and businesses using new cloud and mobile
technologies require secure, intuitive, seamless payments. This presents new opportunities and
challenges as businesses prepare to take payments using near field communications (NFC), mobile
and cloud technologies while protecting against fraud.
Some Background on EMV
Counterfeit, Lost and Stolen Cards
EMV – a microprocessor or ‘smart chip’ – is a fraud-reducing technology that protects against
losses from the use of counterfeit cards. It also combats lost and stolen card fraud when using a PIN
as a cardholder verification method. EMV cards generate a new code for every transaction, making
the card virtually impossible to counterfeit and re-use. When criminals steal card data, they can
manufacture new cards with a magnetic stripe, but not with a chip or the unique transaction code.
Counterfeit card use will be curtailed with the implementation of EMV devices at merchant
purchase locations.
EMV Standard
The payments industry answer to counterfeit card fraud is the EMV standard. It is nearly impossible
to duplicate a chip card. The microprocessor (smart chip) is embedded in EMV cards, interacting
with hardware devices and payment networks to ensure the card is authentic. This standard was
deployed decades ago and has been widely adopted in Europe and Asia. Major card networks such
as Visa®, MasterCard®, Discover®, American Express®, JCB and Union Pay maintain the EMV standard
through an organization known as EMVCo.
[Figure: front and back of a sample chip card, with the EMV chip, signature panel and magnetic stripe labeled]
The EMV chip stores data and supports multiple levels of authentication and communication
between the card, card reader and payment networks, ensuring the card is legitimate. This
technology comes in two flavors, mimicking how U.S. consumers use debit and credit cards today,
easing the transition to the EMV standard.
CHIP + PIN
Chip + PIN requires the cardholder to enter a password to confirm cardholder identity, and presents
a strong defense against lost and stolen card fraud. This authentication method is most common
with debit cards in the U.S.
CHIP + SIGNATURE
Chip + Signature requires the cardholder to sign for the transaction at the point-of-purchase.
It’s frequently used for credit cards.
EMV Transactions and the New User Experience
Magstripe technology consists of only two back-and-forth communications. Yet, in an EMV
transaction, there are 12 back-and-forth communications between the hardware, POS application,
and card networks. The communications deal with card data authentication, cardholder verification,
risk management and authorization. The multiple communications result in a new consumer
experience and more complicated payment integration. Rather than swiping cards, consumers
insert them into a card reader (many are calling this action “dipping”). The user only removes the
card after the device indicates the transaction is complete and prompts the consumer. Merchants
will need to watch for consumers forgetting cards after the EMV transactions.
Drop in Card-Present Fraud
Countries adopting the EMV standard have seen a significant drop in card-present fraud.
• United Kingdom: 69%
• France: 35%
• Canada: 30%
• Australia: 15%
Source: Federal Reserve Bank Atlanta
Why EMV Now?
More High-Profile Breaches
With EMV in place in other countries, worldwide counterfeit fraud has shifted, targeting the less
secure magnetic stripe standard in the United States. A recent rash of card breaches among large
retailers added a sense of urgency for the industry to implement the more secure technology. Card
data stolen elsewhere are used for purchases at U.S. merchants because of the lack of chip card
safeguards. As EMV becomes common, thieves will concentrate on merchants who do not adopt
the new standard.
Liability Switch Deadline
To motivate a nationwide transition to EMV, card networks instituted a liability switch in 2015.
Liability in the payment chain for counterfeit cards falls on the party with the least degree
of security.
• April 2013: Processor Host Compliance
• October 2015: Liability shift begins for Visa, MasterCard, American Express and Discover (Automated Fuel Dispensers are excluded)
• October 2017: Liability shift begins for Automated Fuel Dispensers
Apple Pay™, Android Pay™ and Mobile Payments
Payments functionality in smart phones is expanding rapidly. Apple Pay™ and Android
Pay™ use Near Field Communication technology at NFC-enabled terminals to facilitate
payments through mobile phones. NFC purchases carry the lower rates associated with
“card present” purchases and provide fast, convenient transactions.
Liability for EMV Transactions
The key argument the industry uses for persuading businesses to adopt EMV is a “liability shift.” But
what does that mean? Liability for what? To whom is liability shifted, and under what conditions?
The short answer: EMV can prevent card-present
counterfeit fraud, so merchants processing cards
using EMV-enabled card readers and using proper
procedures are not liable for losses if counterfeit
cards are used. In the past, counterfeit card fraud
losses were absorbed by issuing banks. Now,
the liability for counterfeit fraud resides with
merchants not adopting EMV.
In 2014, transactions using counterfeit cards
represented 37% of all US credit card fraud. EMV
eliminates this situation. It is relatively easy to
manufacture magnetic stripe cards using card
data stolen during breaches, but extremely difficult
and impractical to clone the cards with a chip.
U.S. Card Fraud by Type, 2014
• Online (card not present): 45%
• Counterfeit: 37%
• Lost/stolen: 14%
• Other: 4%
Source: Aite Group, “EMV: Lessons Learned and the U.S. Outlook,” June 2014.
The Rules
Card-present fraud liability resides with whoever is the least EMV-compliant party in a counterfeit
transaction. The key rule is that the party in the transaction chain that prevented the use of EMV
(card issuer, merchant or ISO/processor) is responsible should a counterfeit card be used.
It covers both domestic and cross-border (cards issued in other countries) counterfeit
transactions.
The policy assigns liability for counterfeit fraud to the party that has not made the
investment in EMV chip cards (issuers) or terminals (merchants’ acquirers). The policy
encourages wider deployment of EMV cards and terminals. MasterCard, American Express
and Discover support liability for lost, stolen and never received/issued cards residing
with the party not supporting PIN as a cardholder verification method. If neither party
supports PIN, only the counterfeit liability shift rules apply.
How Does a Merchant Avoid the Liability from Counterfeit Card Transactions?
1. Acquire EMV-enabled card reader(s) and POS software. The EMV transition requires
upgrading software and buying new card readers.
2. Use EMV to complete the transaction. It’s not enough to have an EMV payment system.
It must be properly used. The transaction has to use the EMV payment flow, in which the
customer dips the card and conducts an EMV transaction. When a customer tries to swipe
the card, EMV devices will recognize when the card has a chip and prompt the user to
dip instead of swipe.
3. Enable Apple Pay in place of EMV cards.
Apple Pay & Android Pay: Also Shielding Merchants from Counterfeit Fraud
Apple Pay and Android Pay are secure payment systems similar to EMV, but use devices
instead of chip cards. The device does not store actual card data, but a card token, and
generates a unique code for each transaction. The algorithm for the code generation is in
a special chip – the “secure element” – in the device. The token’s unique device account
number is 16 digits long and handled as if it were a regular credit card number. The secure
element takes the role of the chip, generating the one-time use code for each transaction.
Face-to-face (in store) transactions are considered “card present.” Merchants require an
NFC-enabled terminal (common for EMV card readers). Customers’ devices communicate
with the NFC terminal to complete the transaction. Note that the card provisioned does
not need to be a chip card.
Card Provisioning and Account Fraud
Consumers enable payment on their mobile devices using their Apple or Android accounts or by
entering card data directly into the device (either by scanning a card with the device’s camera
or keying the card data). The device then sends the data to the card-issuing bank, which verifies
user identity and card validity by email, text or phone. Once the card and consumer identity are
confirmed, the device receives a token used for purchases.
Because these methods are so secure, the only fraud perpetrated so far has been “account fraud”
using stolen card data to provision Apple Pay or Android Pay, in which a thief impersonates the
cardholder when adding a card to the device, or creates a fraudulent account. It is up to the issuing
bank to verify authenticity, thus shifting liability back to the issuer.
EMV Adoption Challenge
Chicken or the Egg?
Businesses were not motivated to upgrade their equipment to EMV, as most of their customers
did not have chip cards. Issuing banks were not willing to incur the expense of issuing more
expensive chip cards because their customers had nowhere to use them. That paradox is
evaporating. At the end of 2015 over 70% of credit cards and 40% of debit cards in the U.S. had the
chip, and 50% of the merchants had EMV card readers. EMV and magnetic stripe technology will
co-exist for some time; the card readers will accept both payment types.
EMV Complexity
The transition to EMV presents a major undertaking for software developers, merchants and
processors. Card brands have mandated that payment processors must be able to process
EMV transactions, yet EMV processing remains voluntary for merchants and payment software
developers. While software providers are not liable for fraud that is preventable by EMV, not
supporting EMV will clearly be a competitive disadvantage for these businesses. To avoid liability,
merchants will have to replace their terminals with devices capable of processing EMV transactions,
and obtain EMV-enabled software.
[Infographic: At the end of 2015, 70% of credit cards and 40% of debit cards in the U.S. had an EMV chip; 50% of merchants had EMV card readers.]
EMV Certification Challenge
Card networks require EMV certification for every instance of the payment process – every
combination of a payment processor, card network and card reader. For example, software
supporting payments through one payment processor, four card brands (Visa, MasterCard, Discover
and American Express) and three devices will require twelve EMV certifications.
When transaction processes change (POS software updates, new hardware, updated kernels),
the software developer must perform certifications again. Clearly, this is too complicated for most
developers. In response, some processors are launching simpler, cheaper ways to enable EMV
transactions. The approach uses a payment application that isolates the developer’s software from
payment data, so the POS is not subject to EMV certifications.
1 processor x 4 card brands x 3 devices = 12 EMV certifications
Edge Shield & EMV
Our EMV solution is part of the Edge Shield
security bundle. Edge Shield is a set of
complementary solutions combining
EMV processing, point-to-point (P2P)
encryption and tokenization. The goal is
to simplify EMV payments integration for
software developers and provide a secure
payment solution.
An advanced security technology that
prevents counterfeit fraud, the OpenEdge
EMV solution includes a pre-certified payment
application handling payment data and payment flow,
including device driving, so the POS software does not
have to (recall that chip card processing is much
more complicated than magnetic stripe processing).
EMV: In Scope vs. Out of Scope
[Figure: two payment-chain diagrams. POS Developer in EMV Scope: EMV device, POS, regular gateway, processor, card brands (Visa, MasterCard, Discover, American Express, debit). POS Developer out of EMV Scope: POS, EMV device, pre-certified payment application, processor, card brands (Visa, MasterCard, Discover, American Express, debit).]
Solution (Prevents Counterfeit Fraud / Protects Data in Transit / Protects Data at Rest):
• EMV Only: Yes / No / No
• Encryption + Tokenization: No / Yes / Yes
• EMV + Encryption + Tokenization: Yes / Yes / Yes
Edge Shield Benefits
The benefits for a software developer using Edge Shield include:
• No EMV certification needed
• No device driving needed
• Supports mobile payments using NFC technology (e.g. Apple Pay, Android Pay)
• Future-proofing: easy addition of hardware devices in the future
• Encryption, protecting data in transit
• Tokenization, protecting data at rest in the POS
• PA-DSS 3.0 Out-of-Scope and PCI DSS scope minimization
• Developer Breach Reimbursement Guarantee
Note that the EMV standard only deals with card and (with PIN) cardholder authentication.
It does not address the security of the payment data itself, which could be transmitted in clear
text. To protect card data, Edge Shield adds P2P encryption and tokenization. The payment
application ensures that card data – encrypted at the source – is securely delivered to the
OpenEdge processing platform so it cannot be stolen and misused by hackers.
Vulnerable Systems
Some processors may have solutions in which data is not encrypted at the entry point and,
therefore, remains vulnerable until encryption occurs within the software. Or, in some gateway
software supporting multiple processors, data may be decrypted and re-encrypted in the
payment software before reaching the secure environment of a payment processor.
Edge Shield Architecture
There are two ways to implement an EMV pre-certified payment application:
• Install it on a PC
• Install it on a card reader
[Figure: Payment App on PC vs on Card Reader]
• EMV Controller Residing on a PC (POS + Payment App): SCALABLE. Supports multiple points of interaction. Supports multiple devices.
• EMV Controller Residing on an EMV Device (EMV Device + Payment App): NOT SCALABLE. Does NOT support multiple points of interaction. Does NOT support multiple devices.
The application, when placed on high-end card readers (typically Linux®-based), only supports
insertion/swipe of the card. If a business needs to support a variety of devices, card insertion/swipe
and keyed entry (typically by clerk), having the EMV application on a PC is recommended. It is easier
to add future devices when the application is not specific to the device or manufacturer. For these
reasons, OpenEdge supports EMV applications installed on the PC.
Features (Edge Shield / Application on Device):
• Supports high-end devices: Yes / Yes
• Supports cheap low-end devices: Yes / No
• One integration supports both card present (dip or swipe) and keyed transactions: Yes / No
• Future proofing: new devices can be easily and quickly added: Yes / No
Developer Support
An integral part of the Edge Shield solution is dedicated support for software developers,
offering “best practices” for integration and security along with hands-on help integrating and
verifying the payments integration.
Edge Shield Summary
OpenEdge’s Edge Shield simplifies the EMV transition for developers and merchants while reducing
developers’ effort and liability. That results in significant savings in time, effort and cost – initially and
for the long-term as updates to the POS software or payment devices occur.
OpenEdge provides a pre-certified EMV offering for developers and manages device driving and
certifications, so developers can implement EMV swiftly with minimal effort. It also takes developers
out of PA-DSS scope and minimizes the PCI DSS scope using secure technologies. We are so
confident about our security technology that we offer a Developer Breach Reimbursement
Guarantee for those integrating Edge Shield payment technology.
How Can EMV Benefit Software Developers?
Significant Business Opportunity
For software developers, EMV migration is a challenge that can be turned into a major business
opportunity. They can position themselves as being the most up-to-date, forward-thinking software
providers in their fields. New EMV payments functionality may be marketed to new customers,
re-invigorating current and past relationships, selling more software upgrades, and improving
market competitiveness.
What Now?
Start planning your EMV strategy now. Developers should:
• Contact OpenEdge to get the integration of EMV payment functionality on their roadmaps
• Communicate EMV plans to customers and prospects
• Get ready to adopt this new, secure payments technology with minimal disruption
About OpenEdge
OpenEdge helps software developers and businesses succeed by delivering secure and
personalized payment solutions. As the integrated payments division of Global Payments,
OpenEdge is driving innovation – adapting, scaling and simplifying how payments are processed,
across platforms and points-of-interaction, in an increasingly complex landscape. OpenEdge
serves more than 2,000 technology partners across 60 industry verticals throughout the United
States and Canada.
© 2016 OpenEdge, a division of Global Payments, operates through the following entities: OpenEdge Payments LLC is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA and a registered ISO of BMO Harris Bank N.A., Chicago, IL and a registered ISO/MSP of Synovus Bank, Columbus, GA.
PayPros LLC is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA.
EMV® is a registered trademark owned by EMVCo LLC.
American Express is a registered trademark of American Express Company, its subsidiaries and/or affiliates.
Android and Android Pay are trademarks of Google Inc.
Apple, Apple Pay, Apple Watch, iPad, iPhone and iTunes are trademarks of Apple Inc., registered in the U.S. and other countries.
Discover belongs to Discover Financial Services and its affiliates.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
MasterCard is a registered trademark of MasterCard Worldwide or its subsidiaries in the United States.
VISA is a registered trademark of Visa in the United States and other countries.
QIR™ is a trademark owned by PCI Security Standards Council, LLC.