EMV 101 & Myths of EMV
Itai Sela
Vice President, B2 Payment Solutions
The EMV Universe
EMV™ 101 – What is EMV?
Name of the standards developed by Europay, MasterCard and Visa in 1993
Currently owned by Visa, MasterCard, JCB and Amex
Designed originally for “card present” contact chip card payment acceptance
Basis for chip migration by payment schemes in markets around the world
EMV™ is a trademark owned by EMVCo LLC
EMV 101
EMVCo manages, maintains and enhances the EMV Specifications to ensure global interoperability and acceptance of chip cards
It is also responsible for a type approval process for terminal compliance testing (EMV Level 1 and 2)
Level 1 – Terminal hardware components
Level 2 – EMV Kernel – Software (EMV Commands)
Scheme Certification (Visa, MasterCard, Amex etc.)
Level 3 – Payment application level
EMV 101
EMV was designed to be a comprehensive toolbox that enables protection against:
Counterfeit and skimming - through the use of cryptography
Lost or Stolen - through the use of offline PIN and/or online PIN
Consumer delinquency - through the use of offline risk management
Offline card authentication
Online card authentication
Secure offline transaction processing capability
Over the years evolved to support “card not present” as well (CAP and DPA*)
* CAP – Card Authentication Program (MasterCard), DPA – Dynamic Passcode Authentication (Visa)
EMV 101
There are 3 main steps to an EMV transaction:
Card Authentication – Card is genuine
  Offline
  Online
Cardholder Verification – Card presented by its rightful owner
  Offline PIN (Plaintext/Encrypted)
  Online PIN
  Signature
Amount Authorization
  Offline – using the Issuer counters and limits within the chip
  Online – using the Issuer host
EMV 101
EMV Toolbox
[Table: Type of Fraud (card Counterfeit, Skimming, Lost and Stolen, Replay) by Security Method (SDA, DDA/CDA, ARQC/ARPC, ATC Variance, Offline or Online PIN), with Offline and Online groupings]
Myth #1: EMV = Old Technology
EMV was developed in 1993, which makes it almost 20 years old
Why should a market implement a technology that is this old?
Would we consider it obsolete?
Maybe we should create a new technology to secure transactions moving forward
Reality #1: EMV ≠ Old Technology
Modern cryptography is over 35 years old but we still use it
EMV security relies on cryptographic functions – these evolve together with the evolution of cryptography
In the early years of EMV the challenges were with the implementations. Now, with over 15 years of experience, fewer issues occur
There are over 1 Billion EMV Cards issued in the world
Myth #2: EMV = Chip & PIN
Chip & PIN was the marketing brand used for the UK implementation of EMV
PIN is one of the core EMV security features
PIN only protects against lost and stolen fraud
Reality #2: EMV ≠ Chip & PIN
There are EMV cards in the world today that don’t support PIN (Issuer, Brand and/or Market choice)
It is up to the Issuer to decide if and when it is worth the investment to enable offline PIN, as it requires an expensive infrastructure
Canada 2010 – credit card lost and stolen accounted for only 10% of card fraud*
Once EMV is implemented there is no additional impact for the merchant to implement offline PIN at POS
EMV = Chip & Choice
* http://www.rcmp-grc.gc.ca/
Myth #3: PCI vs. EMV
There are two ways to look at cryptography based security:
Privacy/Secrecy (Encryption)
Authenticity (Digital Signature)
EMV is based on Authenticity
PCI is based on Privacy
EMV Cryptograms ≠ Encryption
EMV data is not Encrypted
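Added example (not from the original slides): a cryptogram authenticates transaction data without hiding it, so an issuer can reject an altered amount or a replayed message while the PAN still travels in the clear. HMAC-SHA256 truncated to 8 bytes stands in for the EMV cryptogram algorithm; the key, test PAN, field layout and the "ATC must increase" rule are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed values: demo key and test PAN, not taken from any real card.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TEST_PAN = "4111111111111111"


def cryptogram(key, pan, amount_cents, un, atc):
    """8-byte MAC over the transaction data (HMAC-SHA256 stand-in)."""
    data = (pan.encode() + amount_cents.to_bytes(6, "big")
            + un + atc.to_bytes(2, "big"))
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def card_request(key, pan, amount_cents, un, atc):
    """Online request: every field travels in the clear, plus the cryptogram."""
    return {"pan": pan, "amount": amount_cents, "un": un, "atc": atc,
            "arqc": cryptogram(key, pan, amount_cents, un, atc)}


class IssuerHost:
    def __init__(self, key):
        self.key = key
        self.last_atc = 0  # highest ATC accepted so far (simplified ATC check)

    def authorize(self, msg):
        expected = cryptogram(self.key, msg["pan"], msg["amount"],
                              msg["un"], msg["atc"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return "decline: cryptogram mismatch"
        if msg["atc"] <= self.last_atc:
            return "decline: ATC replayed"
        self.last_atc = msg["atc"]
        return "approve"


def run_demo():
    issuer = IssuerHost(CARD_KEY)
    genuine = card_request(CARD_KEY, TEST_PAN, 2500, b"\x01\x02\x03\x04", atc=1)
    tampered = dict(genuine, amount=250000)  # amount altered in transit
    return {
        "pan_readable": genuine["pan"] == TEST_PAN,  # authenticated, not hidden
        "tampered": issuer.authorize(tampered),
        "genuine": issuer.authorize(genuine),
        "replayed": issuer.authorize(genuine),  # same message sent again
    }


if __name__ == "__main__":
    print(run_demo())
```

The readable PAN in the request is the reason the next slide keeps PCI alongside EMV.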
Reality #3: PCI & EMV
To protect the “Card Not Present” environment, card data must be kept secret in the “Card Present” environment
PCI will continue to complement EMV as long as there isn’t a more widely adopted solution for “Card Not Present”
PCI and EMV should be implemented together – Visa will waive PCI audits for the merchant if 75% of the transactions are EMV
Myth #4: EMV Certification is enough
[Table: test categories (Interop, Functional, Purchase, Refund, Other Trans, Scripts, Performance, Destructive) by scheme (Visa, MasterCard, Amex)]
Reality #4: EMV Certification is NOT enough
No performance testing – crucial with EMV
Not enough negative or exception testing
Customer specific testing not included
Consult with your acquirer to receive the full EMV test requirements
Canadian Company located in the Greater Toronto Area
We provide world class knowledge and training, POS development, products and services for EMV, Contactless, NFC, banking, e-commerce and card payments
B2 is the exclusive distributor for the Collis Payment Products in Canada and the USA
Thank you
For more information, visit www.b2ps.com, www.collisamerica.com, www.emv-usa.com, www.actcda.com