In this recorded webinar, we shed some light on the myths vs. the truths about EMV. Our payment experts address common misconceptions and provide answers to questions, such as:
- What is EMV?
- How does EMV security work?
- What does it take to become EMV-ready?
- Does EMV ensure PCI compliance?
- When is the migration deadline?
- What happens after the migration deadline?
View the full webinar - at http://info.ingenico.us/emv-myths-recorded-webinar
3. Agenda
Introduction & objective
About Ingenico Group
EMV defined
EMV myths debunked
Overview of Ingenico Group’s EMV-ready solutions
Q&A
4. 4
Speaker Introduction
Greg Burch
VP of Mobility and Business Development
Ingenico Group / North America
Allen Friedman
VP of Payment Solutions
Ingenico Group / North America
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
5. 5
Objective
To finally put an end to all the confusion around EMV, and give you the
facts. We will answer common questions such as:
Can EMV prevent
data breaches?
Does EMV ensure PCI compliance?
What does it take to become EMV-ready?
What is EMV?
When is the deadline?
What happens after the deadline?
What does
“liability shift”
mean?
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
6. 6
Poll
When is the EMV deadline?
A) October 1st
B) October 15th
C) October 16th
D) All of the above
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
8. 8
Global footprint / multi-local solutions
$1.8B
in 2015
88
sites across
the world
35
years of
payment
expertise
global reach
170
countries
78
nationalities
5.5K
employees
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
9. 9
• Security-focused / EMV, NFC, P2PE
• Seamless experience / in-store, out of store and onboard
• Innovative solutions / across industries and use cases
• Trusted partner / unmatched service and support
Ingenico Group U.S. / at a glance
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
10. 10
Trusted partner / from small merchants to global brands
Network of
1,000+
financial
institutions
Partner with
70%
of the Top 30
leading retail
brands
250K+
merchants
connected to our
platforms
Accepting
300+
payment methods
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
12. 12
EMV defined / what does EMV stand for?
E
M
V
EMV is a technical payments standard. It stands for Euro Pay,
MasterCard and Visa.
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
13. 13
EMV defined / who manages it?
EMV is now managed by EMVCo, a consortium split among:
• Visa
• MasterCard
• JCB
• American Express
• China UnionPay
• Discover
In 2006, EuroPay was acquired by MasterCard.
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
14. 14
EMV defined / how it works
EMV involves using smart cards to process payment that integrate a microprocessor
chip rather than magstripe
Cards must be physically inserted or “dipped” into smart terminal OR contactless
cards can be used, which can be read over a short distance
Also called “chip card” or “smart card”
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
15. 15
EMV defined / how it works
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
16. 16
Most of the world has
migrated to the EMV
standard.
The U.S. is one of the
few countries still yet to
fully migrate.
EMV defined / world overview
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
17. 17
EMV Defined / World overview
Generally, a migration to EMV standards results in a large reduction in card-
present fraud.
• Chip-enabled cards are very difficult to physically reproduce or misuse, so stolen and
counterfeit cards become significantly less valuable to fraudsters in EMV dominant
payment ecosystems
• This trend causes physical card fraud to move to countries where EMV is less
dominant
25%
75%
Share of Global
Transactions
U.S. Rest of the World
47%53%
Global Credit Card
Fraud
U.S. Rest of the World
18. 18
EMV defined / major stakeholders
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
Card Manufacturers
Card Issuers
Cardholders
Merchants
Acquirer & Payment
Processors
ISVs & VARs
19. 19
Definition / EMV common terms
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
AID – Application ID. Term used in reference to
applications which reside on a chip card. The
AID must be known by the terminal and card.
Card types – Issuers provide either contact,
contactless or dual interface cards and cards
are manufactured by many approved around
the world. All cards have only one chip and
continue to also have a magstripe on the back.
CVM – Cardholder Validation Method – PIN,
Signature, No CVM.
Dual Interface – contact and contactless
combined on card using one chip.
Dynamic Kernel –a smarter kernel which
applies business logic to the interaction
between the terminal and the card.
EMV – Europay, MasterCard, VISA.
EMVCo – Owns, manages, and maintains
global payment specifications to define
requirements between chip-based payment
cards and acceptance terminals.
Kernel – Software component that lives on the
payment terminal, which controls the interaction
between the terminal and the card.
PIN-Preferring – A merchant who has PIN CVM
as a priority.
EMV Dictionary
21. 21
Myth #1 / “The deadline occurs any date in October”
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
22. 22
Myth #1 DEBUNKED / The deadline is October 1st
…and October 15th and October 16th
EMV
Liability
Deadline
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
EMV
Liability
Deadline
EMV
Liability
Deadline
23. 23
Myth #1 DEBUNKED / October EMV timeline
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
• Europay,
MasterCard &
Visa issue first
EMV
specification.
1995
• Large retailer partners
with Visa to push for
more smart chip cards
to be used in the US.
• Efforts halt due to cost.
2001
• MasterCard,
Visa and
Discover
announce
roadmaps to
bring EMV to
U.S.
2011
• Acquirer & sub-
processors
deadline to
process EMV
payments
April,
2013 • U.S. EMV liability
shift deadline for
merchants
Oct. 1,
2015
• U.S. liability shift
for ATMs and
domestic cards
Oct. 1,
2016
Petroleum Liability
Shift Deadline
Oct. 2017
24. 24
Myth #2 / “EMV is only necessary for major retailers”
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
25. 25
Myth #2 DEBUNKED / EMV is for all merchants –
big & small
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
Small merchants need to know that
criminals are not just looking for the big
fish.
• As big merchants upgrade their payments
to accept EMV chip cards, the fraudsters
are going to migrate to smaller merchants
• Small fraudulent transactions can have
BIG negative affects to the health of a
small merchant
26. 26
Myth #3 / “Implementing EMV is a government
requirement”
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
27. 27
Myth #3 DEBUNKED / EMV is NOT a requirement –
government or otherwise
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
No government agency or industry
association is requiring you to
implement EMV.
• You will not be fined
• It is your decision
28. 28
Myth #3 DEBUNKED / EMV is NOT a requirement, it’s a
liability shift
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
Counterfeit card fraud Liability Shift
• Liability for counterfeit fraud – applies to Visa, MasterCard, American Express and
Discover
• Post-Oct., if a merchant receives a counterfeit magstripe card (created from an EMV
chip card or transaction data), at a terminal that is not POS ready, then the merchant
is liable for the chargeback resulting from the fraud
29. 29
Myth #3 DEBUNKED / EMV is NOT a requirement, it’s a
liability shift
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
Stolen card fraud liability shift
• The liability shift for stolen cards applies to MasterCard, American Express and
Discover
• Post Oct., if a merchant accepts a stolen EMV chip card that requires a PIN –
using a terminal that doesn’t support EMV with PIN entry, the merchant will be
liable for the chargeback resulting from the fraud
30. 30
Myth #4 / “EMV is needed to comply with PCI standards”
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
Merchants believe they must
implement EMV to be compliant with
PCI Data Security Standards.
31. 31
Myth #4 DEBUNKED / EMV is not needed to comply
with PCI standards
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
You don’t need to implement EMV to
be compliant with PCI Data Security
Standards.
• While EMV can be one component of
your data security strategy, it’s not
required nor mandated by PCI
• Likewise, implementing EMV will NOT
make you PCI compliant
32. 32
Myth #5 / “Magstripes will no longer be accepted”
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
Merchants think that once they
implement EMV, they will not be able
to accept credit cards with magnetic
stripes.
33. 33
Myth #5 DEBUNKED / Magstripes cards will be
accepted after Oct.
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
Magnetic stripes are not going anywhere,
anytime soon.
• 53.6% of consumers have not received their EMV
cards yet1
• As the migration continues, all EMV chip cards will
still have magstripes on the back
• When using an EMV-ready smart terminal, a
customer who does not have the chip can still
swipe their card on an EMV-ready smart terminal
• If a customer who does have a chip tries to swipe
the card, the smart terminal will alert the
cashier/customer to have the customer dip/insert
the card into the smart terminal
• Regardless if you are EMV-ready, you can still
accept magstripe cards
1 Data from Harbortouch survey
34. 34
EMV Myth #6 / “EMV will never take hold in the U.S.“
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
35. 35
EMV Myth #6 DEBUNKED / U.S. EMV migration is
happening
The U.S. migration is in full swing
• Millions of cards have been issued over
the past few years
• The majority of new POS smart
terminals have default EMV capabilities
• Several data processing infrastructures
have been upgraded to handle the new
data generated for EMV transactions
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
36. 36
EMV Myth #6 DEBUNKED / U.S. EMV migration is
happening
The United States of EMV | By the Numbers:
90% U.S. cards that will have an EMV chip by
2016 – USA Today 2014
5,000 U.S. VISA EMV cards issued daily – VISA
2013
3.5M VISA EMV cards issued in the US. from
Aug. to May 2013 – VISA 2013
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
500K Estimated number of merchant locations
who are EMV-ready
37. 37
There is some debate about EMV
payments vs. mobile payments
EMV Myth #7 / “It’s best to just jump to mobile
payments”
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
38. 38
EMV and mobile payments are
complementary technologies
• Cards aren’t going away, so we
need to secure them
• Many smart terminals that accept
EMV contactless cards also
accept NFC mobile payments –
it’s the same technology
• It’s best to accept both in order
to future-proof your POS
EMV Myth #7 DEBUNKED / EMV & NFC mobile go
hand in hand
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
39. 39
EMV Myth #8 / “EMV is useless because it doesn’t
address CNP fraud”
EMV is useless since it doesn’t
protect against card-not-present
fraud
• If the card isn’t present, there are
still vulnerabilities to fraud
• Online and e-commerce fraud are
still at risk
• EMV is only good for card-present
fraud reduction
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
40. 40
Although it doesn’t completely
protect against it, EMV adds
security measures that help prevent
CNP fraud
• EMV chip cards enable additional
authentication security features such
as one-time passwords, on-card PIN
codes, and personal card readers
• Banks and merchants need to
implement these authentication
tools/features
• The European Union (EU) has seen
an 80% reduction in credit card fraud
since migrating to EMV
EMV Myth #8 DEBUNKED / EMV cards are very
successful at helping prevent CNP fraud
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
41. 41
EMV could have prevented the
2013 card data breach at Target.
• This type of data breach occurs when
cyber criminals are able to access
weakly secured information on a
merchant’s system during data
transmission or storage
EMV Myth #9 / “EMV protects against data breaches”
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
42. 42
EMV alone will not protect data
from being hacked and would not
have singularly prevented the
Target breach
• The major goal of EMV is to combat
credit card fraud
• EMV still sends card data in the clear
EMV Myth #9 DEBUNKED / EMV does NOT protect
against data breaches
Source: Hacking the Point of Sale, Slava
Gomzin, 2014
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
43. 43
EMV offers a good start to enhancing data
security, with:
• Card authentication
• Cardholder verification
• Transaction authorization
But a multi-layered security approach
that includes encryption and tokenization
provides makes the data less valuable to
criminals, safeguarding both merchants and
their customers
EMV Myth #9 DEBUNKED / EMV does NOT protect
against data breaches
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
44. 44
EMV Myth #9 DEBUNKED / EMV does NOT protect
against data breaches
EMV must be a part of a multi-layered security to ensure complete data
protection:
• EMV for card authentication – protect against fraudulent cards
• Point-to-point encryption (P2PE) – no clear card data outside
secure POI
• Tokenization – Protect card data at rest
With these security measures in place, if there is a successful attack on
the POS, it will not yield data that can be monetized
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
45. 45
EMV Myth #9 DEBUNKED / EMV does NOT protect
against data breaches
Multi-layered security protects against all threats:
Threats Protection
Card Present Card-Not-Present
EMV Encryption Tokenization EMV Encryption Tokenization
Counterfeit cards
Lost & stolen cards
1
Reusing stolen data
Stealing data in transit
Stealing data in rest
1 When used with PIN CVM
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
46. 46
EMV Myth 10# / “Migrating to EMV is scary, complex
and expensive”
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
47. 47
EMV Myth #10 DEBUNKED / migrating to EMV
doesn’t have to be complex
5 easy steps to EMV migration
1. Choose the right technology partner
2. Build a project roadmap
3. Assess acquirer relationships
4. Design and implement
5. Test and certify
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
48. 48
EMV Myth #10 DEBUNKED / migrating to EMV
doesn’t have to be complex
Consider a semi-integrated payments solution to:
Simplify EMV
Migration
Leverage
“pre-certified”
solutions
Minimize upgrades
required to POS
& back office
systems
Reduce costs of
EMV migration
PCI Scope
Reduction
Reduce footprint
where sensitive
data passes through
Opportunity for
PA-DSS removal
Lower cost of PCI
compliance
Increase chance of
audit success
Improvements
to Security
Limit attack surface
Avoid breaches
commonly occurring
in the POS
Simplify path to add
point-to-point
encryption (P2PE) &
tokenization
Avoid EMV
Certification
Bottleneck
Bypass the backlog
of merchants
simultaneously
looking for
certifications
Skip the long and
expensive process
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
49. 49
EMV Myth # 10 DEBUNKED / EMV payment
technology is cheaper and easier to install than ever
We’ve learned lessons from other countries.
There are incentives from various payment brands.
By upgrading to a “one size fits all” smart terminal, merchants see huge savings
with scalable, flexible payment solutions:
• Contact chip card
• Contactless card acceptance
• Mobile payments
• Traditional
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
51. 51
EMV-ready / Ingenico Group Solutions
Leverage our global EMV expertise to get EMV-ready.
• Ingenico Group is the global leader in world-wide EMV deployments
• Ingenico Group streamlines your EMV implementation by helping you
identify the appropriate EMV-compliant solutions to meet your business
model’s specific needs
• We offer future-proof payment solutions that accept:
• EMV Chip & PIN
• EMV Chip & Signature
• Contactless (NFC) – Android Pay & Apple Pay
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
52. 52
EMV-ready / Ingenico Group Solutions
Our diverse suite of EMV-ready smart terminals and mobile solutions can fit
your business model:
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
iPP 310
iSC Touch 480
iSMP for
iPhone® &
iPod
touch®
iCT 250
53. 53
EMV / resources
Learn more:
• Download our EMV ebook: http://info.ingenico.us/emv-ebook-registration
• View our EMV webinars:
1. http://info.ingenico.us/semi-integrated-recorded-webinar-registration
2. https://event.webcasts.com/viewer/event.jsp?ei=1069764
• Visit these EMV websites:
• Go Chip Card Information
• EMVCo
• EMV Migration Forum
• EMV USA
• Smart Card Alliance
• Links will be emailed post webinar
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015
Greg
An EMV card is inserted into a terminal
The chip embedded in the card contains encrypted data, this is accessed by the reader in the terminal
Using data from the card, the terminal creates and sends a unique code, or “cryptogram” to the processor’s host during the transaction, validating the card
The card is removed when the transaction is completed
Greg
Greg
The U.S. migration to EMV means that the entire industry must come together to ensure a smooth process:
Card Issuers – upgrade their technologies and infrastructure to manage the chip card personalization, issuance and delivery process
Cardholders – use new chip cards, provide PIN and/or signature
Merchants – switch POS terminals to EMV-ready terminals
Card Manufacturers – develop chip cards
ISVs / Developers – make the EMV cards efficient and cost-effective with applications for the card chips, POS terminals, processors, ATMs and mobile devices
Acquirer & Payment Processors – they route transactions from smart terminals, point of sale systems or gateways
Greg
Greg
Allen
Allen
Greg
Allen
Greg
Allen
Allen
Allen
Greg
Allen
Greg
Allen
Greg
Allen
Allen
Greg
Allen
Greg
Allen
Greg
Allen
Allen
Allen
Allen
Greg
Allen
Allen
Greg – to ask about the costs
Allen – to talk about it