EMV Myths Debunked / Fact vs. Fiction

Fact vs. Fiction /
EMV Myths Debunked
SEPTEMBER 23, 2015

Agenda
 Introduction & objective
 About Ingenico Group
 EMV defined
 EMV myths debunked
 Overview of Ingenico Group’s EMV-ready solutions
 Q&A

4
Speaker Introduction
Greg Burch
VP of Mobility and Business Development
Ingenico Group / North America
Allen Friedman
VP of Payment Solutions
Ingenico Group / North America
Fact vs. Fiction / EMV Myths Debunked - 10/1/2015

5
Objective
To finally put an end to all the confusion around EMV, and give you the
facts. We will answer common questions such as:
Can EMV prevent
data breaches?
Does EMV ensure PCI compliance?
What does it take to become EMV-ready?
What is EMV?
When is the deadline?
What happens after the deadline?
What does
“liability shift”
mean?

6
Poll
When is the EMV deadline?
A) October 1st
B) October 15th
C) October 16th
D) All of the above

8
Global footprint / multi-local solutions
$1.8B
in 2015
88
sites across
the world
35
years of
payment
expertise
global reach
170
countries
78
nationalities
5.5K
employees

9
• Security-focused / EMV, NFC, P2PE
• Seamless experience / in-store, out of store and onboard
• Innovative solutions / across industries and use cases
• Trusted partner / unmatched service and support
Ingenico Group U.S. / at a glance

10
Trusted partner / from small merchants to global brands
Network of
1,000+
financial
institutions
Partner with
70%
of the Top 30
leading retail
brands
250K+
merchants
connected to our
platforms
Accepting
300+
payment methods

12
EMV defined / what does EMV stand for?
E
M
V
EMV is a technical payments standard. It stands for Euro Pay,
MasterCard and Visa.

13
EMV defined / who manages it?
EMV is now managed by EMVCo, a consortium split among:
• Visa
• MasterCard
• JCB
• American Express
• China UnionPay
• Discover
In 2006, EuroPay was acquired by MasterCard.

14
EMV defined / how it works
EMV involves using smart cards to process payment that integrate a microprocessor
chip rather than magstripe
Cards must be physically inserted or “dipped” into smart terminal OR contactless
cards can be used, which can be read over a short distance
Also called “chip card” or “smart card”

15
EMV defined / how it works

16
Most of the world has
migrated to the EMV
standard.
The U.S. is one of the
few countries still yet to
fully migrate.
EMV defined / world overview

17
EMV Defined / World overview
Generally, a migration to EMV standards results in a large reduction in card-
present fraud.
• Chip-enabled cards are very difficult to physically reproduce or misuse, so stolen and
counterfeit cards become signiﬁcantly less valuable to fraudsters in EMV dominant
payment ecosystems
• This trend causes physical card fraud to move to countries where EMV is less
dominant
25%
75%
Share of Global
Transactions
U.S. Rest of the World
47%53%
Global Credit Card
Fraud
U.S. Rest of the World

18
EMV defined / major stakeholders
Card Manufacturers
Card Issuers
Cardholders
Merchants
Acquirer & Payment
Processors
ISVs & VARs

19
Definition / EMV common terms
AID – Application ID. Term used in reference to
applications which reside on a chip card. The
AID must be known by the terminal and card.
Card types – Issuers provide either contact,
contactless or dual interface cards and cards
are manufactured by many approved around
the world. All cards have only one chip and
continue to also have a magstripe on the back.
CVM – Cardholder Validation Method – PIN,
Signature, No CVM.
Dual Interface – contact and contactless
combined on card using one chip.
Dynamic Kernel –a smarter kernel which
applies business logic to the interaction
between the terminal and the card.
EMV – Europay, MasterCard, VISA.
EMVCo – Owns, manages, and maintains
global payment specifications to define
requirements between chip-based payment
cards and acceptance terminals.
Kernel – Software component that lives on the
payment terminal, which controls the interaction
between the terminal and the card.
PIN-Preferring – A merchant who has PIN CVM
as a priority.
EMV Dictionary

Fact vs.
Fiction
EMV Myths Debunked
4

21
Myth #1 / “The deadline occurs any date in October”

22
Myth #1 DEBUNKED / The deadline is October 1st
…and October 15th and October 16th
EMV
Liability
Deadline
EMV
Liability
Deadline
EMV
Liability
Deadline

23
Myth #1 DEBUNKED / October EMV timeline
• Europay,
MasterCard &
Visa issue first
EMV
specification.
1995
• Large retailer partners
with Visa to push for
more smart chip cards
to be used in the US.
• Efforts halt due to cost.
2001
• MasterCard,
Visa and
Discover
announce
roadmaps to
bring EMV to
U.S.
2011
• Acquirer & sub-
processors
deadline to
process EMV
payments
April,
2013 • U.S. EMV liability
shift deadline for
merchants
Oct. 1,
2015
• U.S. liability shift
for ATMs and
domestic cards
Oct. 1,
2016
Petroleum Liability
Shift Deadline
Oct. 2017

24
Myth #2 / “EMV is only necessary for major retailers”

25
Myth #2 DEBUNKED / EMV is for all merchants –
big & small
Small merchants need to know that
criminals are not just looking for the big
fish.
• As big merchants upgrade their payments
to accept EMV chip cards, the fraudsters
are going to migrate to smaller merchants
• Small fraudulent transactions can have
BIG negative affects to the health of a
small merchant

26
Myth #3 / “Implementing EMV is a government
requirement”

27
Myth #3 DEBUNKED / EMV is NOT a requirement –
government or otherwise
No government agency or industry
association is requiring you to
implement EMV.
• You will not be fined
• It is your decision

28
Myth #3 DEBUNKED / EMV is NOT a requirement, it’s a
liability shift
Counterfeit card fraud Liability Shift
• Liability for counterfeit fraud – applies to Visa, MasterCard, American Express and
Discover
• Post-Oct., if a merchant receives a counterfeit magstripe card (created from an EMV
chip card or transaction data), at a terminal that is not POS ready, then the merchant
is liable for the chargeback resulting from the fraud

29
Myth #3 DEBUNKED / EMV is NOT a requirement, it’s a
liability shift
Stolen card fraud liability shift
• The liability shift for stolen cards applies to MasterCard, American Express and
Discover
• Post Oct., if a merchant accepts a stolen EMV chip card that requires a PIN –
using a terminal that doesn’t support EMV with PIN entry, the merchant will be
liable for the chargeback resulting from the fraud

30
Myth #4 / “EMV is needed to comply with PCI standards”
Merchants believe they must
implement EMV to be compliant with
PCI Data Security Standards.

31
Myth #4 DEBUNKED / EMV is not needed to comply
with PCI standards
You don’t need to implement EMV to
be compliant with PCI Data Security
Standards.
• While EMV can be one component of
your data security strategy, it’s not
required nor mandated by PCI
• Likewise, implementing EMV will NOT
make you PCI compliant

32
Myth #5 / “Magstripes will no longer be accepted”
Merchants think that once they
implement EMV, they will not be able
to accept credit cards with magnetic
stripes.

33
Myth #5 DEBUNKED / Magstripes cards will be
accepted after Oct.
Magnetic stripes are not going anywhere,
anytime soon.
• 53.6% of consumers have not received their EMV
cards yet1
• As the migration continues, all EMV chip cards will
still have magstripes on the back
• When using an EMV-ready smart terminal, a
customer who does not have the chip can still
swipe their card on an EMV-ready smart terminal
• If a customer who does have a chip tries to swipe
the card, the smart terminal will alert the
cashier/customer to have the customer dip/insert
the card into the smart terminal
• Regardless if you are EMV-ready, you can still
accept magstripe cards
1 Data from Harbortouch survey

34
EMV Myth #6 / “EMV will never take hold in the U.S.“

35
EMV Myth #6 DEBUNKED / U.S. EMV migration is
happening
The U.S. migration is in full swing
• Millions of cards have been issued over
the past few years
• The majority of new POS smart
terminals have default EMV capabilities
• Several data processing infrastructures
have been upgraded to handle the new
data generated for EMV transactions

36
EMV Myth #6 DEBUNKED / U.S. EMV migration is
happening
The United States of EMV | By the Numbers:
90% U.S. cards that will have an EMV chip by
2016 – USA Today 2014
5,000 U.S. VISA EMV cards issued daily – VISA
2013
3.5M VISA EMV cards issued in the US. from
Aug. to May 2013 – VISA 2013
500K Estimated number of merchant locations
who are EMV-ready

37
There is some debate about EMV
payments vs. mobile payments
EMV Myth #7 / “It’s best to just jump to mobile
payments”

38
EMV and mobile payments are
complementary technologies
• Cards aren’t going away, so we
need to secure them
• Many smart terminals that accept
EMV contactless cards also
accept NFC mobile payments –
it’s the same technology
• It’s best to accept both in order
to future-proof your POS
EMV Myth #7 DEBUNKED / EMV & NFC mobile go
hand in hand

39
EMV Myth #8 / “EMV is useless because it doesn’t
address CNP fraud”
EMV is useless since it doesn’t
protect against card-not-present
fraud
• If the card isn’t present, there are
still vulnerabilities to fraud
• Online and e-commerce fraud are
still at risk
• EMV is only good for card-present
fraud reduction

40
Although it doesn’t completely
protect against it, EMV adds
security measures that help prevent
CNP fraud
• EMV chip cards enable additional
authentication security features such
as one-time passwords, on-card PIN
codes, and personal card readers
• Banks and merchants need to
implement these authentication
tools/features
• The European Union (EU) has seen
an 80% reduction in credit card fraud
since migrating to EMV
EMV Myth #8 DEBUNKED / EMV cards are very
successful at helping prevent CNP fraud

41
EMV could have prevented the
2013 card data breach at Target.
• This type of data breach occurs when
cyber criminals are able to access
weakly secured information on a
merchant’s system during data
transmission or storage
EMV Myth #9 / “EMV protects against data breaches”

42
EMV alone will not protect data
from being hacked and would not
have singularly prevented the
Target breach
• The major goal of EMV is to combat
credit card fraud
• EMV still sends card data in the clear
EMV Myth #9 DEBUNKED / EMV does NOT protect
against data breaches
Source: Hacking the Point of Sale, Slava
Gomzin, 2014

43
EMV offers a good start to enhancing data
security, with:
• Card authentication
• Cardholder verification
• Transaction authorization
But a multi-layered security approach
that includes encryption and tokenization
provides makes the data less valuable to
criminals, safeguarding both merchants and
their customers

44
EMV must be a part of a multi-layered security to ensure complete data
protection:
• EMV for card authentication – protect against fraudulent cards
• Point-to-point encryption (P2PE) – no clear card data outside
secure POI
• Tokenization – Protect card data at rest
With these security measures in place, if there is a successful attack on
the POS, it will not yield data that can be monetized

45
Multi-layered security protects against all threats:
Threats Protection
Card Present Card-Not-Present
EMV Encryption Tokenization EMV Encryption Tokenization
Counterfeit cards

Lost & stolen cards
1
Reusing stolen data
    
Stealing data in transit    
Stealing data in rest
   
1 When used with PIN CVM

46
EMV Myth 10# / “Migrating to EMV is scary, complex
and expensive”

47
EMV Myth #10 DEBUNKED / migrating to EMV
doesn’t have to be complex
5 easy steps to EMV migration
1. Choose the right technology partner
2. Build a project roadmap
3. Assess acquirer relationships
4. Design and implement
5. Test and certify

48
EMV Myth #10 DEBUNKED / migrating to EMV
doesn’t have to be complex
Consider a semi-integrated payments solution to:
Simplify EMV
Migration
Leverage
“pre-certified”
solutions
Minimize upgrades
required to POS
& back office
systems
Reduce costs of
EMV migration
PCI Scope
Reduction
Reduce footprint
where sensitive
data passes through
Opportunity for
PA-DSS removal
Lower cost of PCI
compliance
Increase chance of
audit success
Improvements
to Security
Limit attack surface
Avoid breaches
commonly occurring
in the POS
Simplify path to add
point-to-point
encryption (P2PE) &
tokenization
Avoid EMV
Certification
Bottleneck
Bypass the backlog
of merchants
simultaneously
looking for
certifications
Skip the long and
expensive process

49
EMV Myth # 10 DEBUNKED / EMV payment
technology is cheaper and easier to install than ever
We’ve learned lessons from other countries.
There are incentives from various payment brands.
By upgrading to a “one size fits all” smart terminal, merchants see huge savings
with scalable, flexible payment solutions:
• Contact chip card
• Contactless card acceptance
• Mobile payments
• Traditional

EMV
Migration
Time to get ready
5

51
EMV-ready / Ingenico Group Solutions
Leverage our global EMV expertise to get EMV-ready.
• Ingenico Group is the global leader in world-wide EMV deployments
• Ingenico Group streamlines your EMV implementation by helping you
identify the appropriate EMV-compliant solutions to meet your business
model’s specific needs
• We offer future-proof payment solutions that accept:
• EMV Chip & PIN
• EMV Chip & Signature
• Contactless (NFC) – Android Pay & Apple Pay

52
EMV-ready / Ingenico Group Solutions
Our diverse suite of EMV-ready smart terminals and mobile solutions can fit
your business model:
iPP 310
iSC Touch 480
iSMP for
iPhone® &
iPod
touch®
iCT 250

53
EMV / resources
Learn more:
• Download our EMV ebook: http://info.ingenico.us/emv-ebook-registration
• View our EMV webinars:
1. http://info.ingenico.us/semi-integrated-recorded-webinar-registration
2. https://event.webcasts.com/viewer/event.jsp?ei=1069764
• Visit these EMV websites:
• Go Chip Card Information
• EMVCo
• EMV Migration Forum
• EMV USA
• Smart Card Alliance
• Links will be emailed post webinar

EMV Myths Debunked / Fact vs. Fiction

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to EMV Myths Debunked / Fact vs. Fiction

Similar to EMV Myths Debunked / Fact vs. Fiction (20)

More from Ingenico Group

More from Ingenico Group (12)

Recently uploaded

Recently uploaded (8)

EMV Myths Debunked / Fact vs. Fiction

Editor's Notes