WIXLIB

EMV – Beyond October 1, 2015Kristi KuehnVP, Compliance – Heartland

Conexxus HostLinda Toth, Director of StandardsConexxusModeratorMark Carl, CEOEchoSatPresenterKristi Kuehn, Vice President, ComplianceHeartland Payment Systems2Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

HousekeepingThis webinar is being recorded (posted in about 10 days) YouTube (youtube.com/conexxusonline) Website Link (conexxus.org)Slide Deck Survey Link – Presentation provided at endParticipants Ask questions via webinar interface Please, no vendor specific questionsEmail: info@conexxus.org3Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

About ConexxusWe are an independent & non-profitVolunteersWe set standards Data exchange, Security, PaymentsWe provide clarityIdentify and EducateEmerging tech/trendsWe advocate for our industryOpen standards, innovation and competitionWe improve profitability4Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

2016 Conexxus Annual ConferenceMay 1 – 5Loews Ventana CanyonTucson, AZRegistration is openConexxus.org/AnnualConference5Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Conexxus Data SecurityStandards Committee6Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Agenda 7EMV overviewTimelinesEMV numbersConsiderationsLiability shiftConexxus: EMV – Beyond October 1, 2015(presented by Heartland)Chip Card

What EMV is EMVCoOwned & operated byGlobal paymentstandard consistent experienceworldwide8Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)Improved security Decreased fraudBuilding blockforfuture technology

What EMV is not EMV Mandated / requiredMerchant choice to implement!EMV Protection against all chargebacksLiability shift is for counterfeit& lost/stolen only.EMV Secure cardholder dataEMV does not protect orencrypt card numbers.EMV PCI DSSEMV protects against fraud, PCIfocuses on security of sensitivedata.9Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Why EMV?EMV CARD It is all about the Chip The chip contains a micro-processor that will generate dynamic data for eachtransactionMakes it harder and more expensive to steal & copy data on the cardThe chip is harder to steal & duplicate than mag stripe data CHIP CARDSMART CARD10Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)CHIP & PINCHIP & SIGNATURE

U.S. EMV TimelinesOct-2016Visa GCAR reliefOct-2013MC ADC relief takeseffect (50%)Oct-2015Non-AFD liability shiftOct-2012PCI validation relief1201220132014Apr-2013Processor support for chipprocessingApril-2014Visa unattended liability shift2015Oct-2015MC ADCrelief (100%)Oct-2017AFD liability shift2016Oct-2016MC ATMliability shiftAFD: Automated Fuel DispenserVisa GCAR: Global Compromised Account RecoveryMasterCard ADC: Account Data Compromise1Applies to Level 1 & Level 2 merchants where 75% of transactions come from a dual interface, chip-enabled, terminal11Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)2017Oct-2017Visa ATMliability shift

EMV: The NumbersMasterCard1: –30% U.S. issued MasterCards are chip cards ––Visa2:–212.7 million EMV chip cards issued–9% increase from Nov 2015 to Dec 2015–118 million EMV credit cards issued–94.8 million EMV debit cards issued–766k EMV chip activated merchants54% of these are credit cardsChip transactions at POS increased 55% Nov2015 versus Oct 2015809,417 chip active POS locations 20% growth month over month65% of merchants have multiple locations 1:MasterCard Chip Cards US Migration Trends Nov 20152:Visa US EMV Migration Summary December 201512Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)11% increase Nov - Dec

EMV Acceptance n ExpressBank of AmericaHawaiian Airlines VisaChaseCitiHSBCNorth Carolina State Employees’ CreditUnionSam’s Club & WalMart MasterCardUS BankUSAAWells FargoConexxus: EMV – Beyond October 1, 2015(presented by Heartland) WalgreensHome DepotAnd growing .

POS ConsiderationsSupported Cardholder Verification Method (CVM) PIN Signature No Signature (such as implemented at a QSR; also called no CVM)NFC / Contactless Support Is speed of service a need? Do you serve a demographic that is looking formobile payments?14Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Cardholder Verification Methods (CVM)Point of interaction can support variety of CVMsCVMDefinedProConOnlinePINPIN is encrypted and verified online by theissuer, via the auth messageSecurityRequires terminal support of PINOffline PINPIN verified offline by the terminal and card,without being sent in the auth message, onlythe result is sent to the hostSecurityRequires terminal support of PINand management of multiple keysSignatureThe signature on the receipt is compared tothe signature on the back of the cardSimple toimplementLess secure than PINNo CVMNo cardholder verification, generally used forlow value transactionsSpeedUnable to use for larger valuetransactions 15Merchant decides which CVMs to support at POI/POSIssuer decides which CVMs to support on the cardConexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Authentication / Authorization MethodsEMV transactions can be authorized ONLINE vs OFFLINEONLINEOFFLINEAuthorization message sent to issuer in realtime for approval or declineChip on EMV card and POS communicate to determineif transaction can be authorizedOnline, real timeUsually occurs when there is no online connectivityIncludes unique Cryptogram that issuer canvalidateUses risk parameters contained on the card inauthorization decision An EMV card can support both online & offline16Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Contact or Contactless? Contact:– Insert the card– Card remains in terminal during transaction Contactless:–––––“Tap” card or device near the terminalAllows for a faster transactionFewer cards left in terminals (short term concern)Building block for mobileMore costly for issuers to support 17Unknown how many cards will offer contactless supportConexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Liability Shift There is no mandate for merchants toimplement EMV!Liability Shift Potential ChargebacksGenerally liability is going to shiftto the party using the least secure technology11 Rules18outlined are as of September 2015Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Counterfeit Card Fraud Liability ShiftAmerican Express, Discover, MasterCard & VisaBefore October 1, 2015Issuer liable19Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)Current andOctober 2017 for AFDsFor chip cards,Merchant liableif non-chip terminal

Counterfeit Card Fraud Liability1BeforeOctober 1, 2015Mag stripecard Mag stripeterminal Mag stripeterminalMag stripecardChip2cardMag stripecardCurrentChip2card Issuerliable Issuerliable Chip2terminal Issuerliable Mag stripeterminal Merchantliable Chip2terminal Issuerliable1Same2With20applies for all brandsor without PIN capabilitiesConexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Counterfeit Card Fraud Liability1BeforeOctober 1, 2015Mag stripecardMag stripecardCurrent when acounterfeitMagmagstripestripefrom a chipcardterminal Issuerliable Issuerliableis used at aChip2mag stripe terminal Chip2card Mag stripeterminal Merchantliable Chip2terminal Issuerliable1Same21to the merchantterminalIssuerliableMag stripecardChip2card2WithTo summarize Liability forMagfraud stripeshiftsapplies for all brandsor without PIN capabilitiesConexxus: EMV – Beyond October 1, 2015(presented by Heartland)As of Oct-2015/2017terminal

Lost / Stolen Fraud Liability ShiftAmerican Express, Discover & MasterCard22Attended /UnattendedBefore October 1, 2015AttendedIssuer liableUnattendedMerchant liableConexxus: EMV – Beyond October 1, 2015(presented by Heartland)Current andOctober 2017 for AFDFor chip cards,Merchant liable,If terminal is less secure(CVM hierarchy applies)

Lost / Stolen Fraud Liability:American Express, Discover & MasterCard1BeforeOctober 1, 2015Current1Attended23Mag stripecard Mag stripeterminal IssuerliableMag stripecard Mag stripeterminal IssuerliableMag stripecard Chipterminal IssuerliableChip & PINcard Mag stripeterminal MerchantliableChip & Sigcard Mag stripeterminal IssuerliableChip & Sigcard Chip & PINterminal IssuerliableChip & PINcard Chip & Sigterminal Chip & PINcard Chip & PINterminal MerchantliableIssuerliableEnvironmentsConexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Lost / Stolen Fraud Liability:American Express, Discover & MasterCard1BeforeOctober 1, 2015Current1Attended24To summarize Liability shifts Issuerto the merchant liablewhen aIssuerlost or stolen chip & PINcardliableIs used at aless secure terminalIssuerAs of Oct-2015 liableMag stripecard Mag stripeterminalMag stripecard Mag stripeterminalMag stripecard ChipterminalChip & PINcard Mag stripeterminal MerchantliableChip & Sigcard Mag stripeterminal IssuerliableChip & Sigcard Chip & PINterminal IssuerliableChip & PINcard Chip & Sigterminal Chip & PINcard Chip & PINterminal MerchantliableIssuerliableEnvironmentsConexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Lost / Stolen Fraud Liability:American Express/Discover/MasterCard Unattended1 (AFD)BeforeOctober 1, 2015Current unattended& after 10/2017 forAFD1Unattended25Mag stripecard Mag stripeterminal MerchantliableMag stripecard Mag stripeterminal MerchantliableMag stripecard Chipterminal IssuerliableChipcard Mag stripeterminal MerchantliableChip & Sigcard Chip & PINterminal IssuerliableChip & PINcard Chip & no-PINterminal MerchantliableChip & PINcard Chip & PINterminal Issuerliableincludes car washes, vending, laundry, etc.Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

To summarize Liability for fraud shiftsLost / Stolen Fraud Liability:to the issuer1 (AFD)American Express/Discover/MasterCard Unattendedwhen aBeforeOctober 1, 2015Current unattended& after 10/2017 forAFD1Unattended26stolen cardMerchant lost isorusedliableat aMag stripecard Mag stripeterminalMag stripecard Mag stripeterminalMag stripecard Chipterminal IssuerliableChipcard Mag stripeterminal MerchantliableChip & Sigcard Chip & PINterminal IssuerliableChip & PINcard Chip & no-PINterminal MerchantliableChip & PINcard Chip & PINterminal Issuerliableincludes car washes, vending, laundry, etc.Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)more secure AFD terminalMerchant after Oct-2017liable

Lost / Stolen Fraud Liability ShiftAttendedUnattendedBefore Apr-2014CurrentIssuer liableNo ChangeMerchant liableFor chip cards,Issuer liable,If chip terminalA variety of factors play into liability, such as if the full track data was provided, but for simplicitypurposes using the current general scenario27Conexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Lost / Stolen Fraud Liability:Visa – Attended EnvironmentBeforeOctober 1, 2015Current28 Issuerliable Issuerliable Chipterminal IssuerliableChip & PINcard Mag stripeterminal IssuerliableChip & Sigcard Mag stripeterminal IssuerliableChip & Sigcard Chip & PINterminal IssuerliableChip & PINcard Chip & Sigterminal Chip & PINcard Chip & PINterminal IssuerliableIssuerliableMag stripecard Mag stripeterminalMag stripecard Mag stripeterminalMag stripecardConexxus: EMV – Beyond October 1, 2015(presented by Heartland)

Lost / Stolen Fraud Liability:Visa – Attended EnvironmentBeforeOctober 1, 2015 IssuerliableChipterminal IssuerliableMag stripeterminal IssuerliableMag stripeterminal IssuerliableMag stripeterminalMag stripecard Mag stripeterminalChip & PINcard29Issuerliable Mag stripecardCurrent Mag stripecardChip & SigcardTo summarize The merchant is never liable forlost and stolenChip & Sigcard card fraudChip & PINterminal IssuerliableChip & PINcard Chip & Sigterminal Chip & PINcard Chip & PINterminal IssuerliableIssuerliableConexxus: EMV – Beyond October 1, 2015(presented by Heartland)