The Adoption of the EMV Standard in the U.S.

Report
Hot Topics in Payments
Dallas AFP
Oct. 16, 2014
Matt Davies, AAP, CTP, CPP
Federal Reserve Bank of Dallas
1
EMV
 “EMV” = Europay, MasterCard, and Visa
 1994: Founded the global standard for credit and
debit payments based on chip card technology.
 Today, EMV standards are set by EMVCo, a joint
venture of Visa, MC, AmEx, JCB, Discover and
UnionPay.
2
EMV
 “Chip cards,” “chip and PIN cards,” and “smart cards”
are used interchangeably.
– Plastic cards that contain a microchip that sends a dynamic
protected value unique to each transaction
 Though “chip and PIN” is often used with EMV, the
standards allow for cardholder verification via
signature (PIN is most common in other countries).
 U.S. implementation: “chip and choice”
3
EMV
 EMV standards have been adopted in many other
countries
 U.S. is one of the last developed nations to implement
– Reluctance due to high cost of upgrading payment
terminals, or buying new ones, to accept chip payments.
– Card issuers must reissue all credit and debit cards
– Cost of terminal and card migration may be as high as
$12bn (Javelin).
4
EMV
Two Ways of Accepting Chip Card Payments
 Contact (“dipping” the card): Cardholder inserts card into POS
device. Card remains in device until completion of the
transaction. If customer removes card before the charge is
approved, the transaction will fail and the customer will be
required to provide the card again.
 Contactless (“tap-and-go”): Cardholder waves the card by the
chip card-enabled POS device to provide payment information.
Once the transaction has been authorized, customer might
then be prompted to enter PIN or sign a receipt.
Dynamic Authentication
 When traditional mag-stripe cards are swiped at POS
terminal, data, such as primary account number (PAN)
and expiration date, are transmitted to the card
issuer.
 The data—known as static data—remains the same
for each transaction.
 EMV relies on dynamic authentication: chip generates
data unique to each individual card transaction.
Dynamic Authentication
 In EMV transactions that use dynamic auth., the chip is a mini
computer that generates a unique cryptogram using
transaction data each time the card is inserted into the chip
terminal.
 The cryptogram is sent to the card issuer, which uses its keys
and codes to calculate a cryptogram based on the same
transaction data.
 If the two cryptograms match, the issuer knows the data is
from a valid card.
 Effectively, you have a different number being sent each time.
 Dynamic auth. makes the chip almost impossible to
counterfeit.
Card Associations & EMV
 Visa roadmap to EMV (August 2011)
– Expand TIP: Visa will expand its Technology Innovation
Program (TIP) to merchants in the U.S.
• TIP ends the mandate for merchants to validate compliance with the PCI
Data Security Standard (PCI DSS) for any year in which 75% of the
merchant’s Visa transactions stem from chip-based terminals.
• To accommodate the Visa mandate, merchants must use terminals that
support both contact and contactless chip technology.
• “Qualifying merchants must continue to protect sensitive data in their
care by ensuring their systems do not store track data, security codes or
PINs, and that they continue to adhere to the PCI DSS standards as
applicable.”
8
Card Associations & EMV
 Liability Shift: Visa will institute a U.S. liability shift for
counterfeit card-present POS transactions, eff. Oct. 1,
2015.
– MasterCard, AmEx and Discover have adopted the same date
– Currently, POS counterfeit fraud is largely absorbed by card
issuers
– After liability shift, if a contact chip card is presented to a
merchant that has not adopted, at minimum, contact chip
terminals, liability for counterfeit fraud may shift to the
merchant’s acquirer.
– The acquirer will likely shift that liability down to the merchant.
9
Liability Shift
 Fuel-selling merchants have until Oct. 1, 2017, before
liability shift takes effect for transactions at
automated fuel dispensers, due to the added expense
of updating.
 NACS (2012): Average card fraud costs at fuel pumps
at each store, about $700 a year, but PCI security
standards costs were rising to about $2,000 a year.
 Average cost of EMV conversion per pump: $6-10k
David Heun, “Gas Stations Face EMV Sticker Shock,” PaymentsSource, Oct. 7, 2014
Card Associations & EMV
 Liability shift to be introduced for ATM transactions in the
U.S.
– MasterCard Oct. 2016; Visa Oct. 2017
– All ATMs need to be EMV compliant
– After October 2016/2017, FIs can hold ATM operators liable for
fraudulent withdrawals and cash advances from debit and credit
cards.
 Approximately $2,000 to upgrade an ATM to be EMV-
capable (Aite)
– Some ATMs will not take the upgrade for EMV and/or Windows
(move from XP); 35k+ for a new ATM
Card Issuers & EMV
 Some U.S. card issuers began by issuing cards to frequent
international travelers, corporate cardholders, T&E
 Only 1.5% of an estimated 1.2 billion payment cards in the
US have an EMV chip
 Javelin predicts that, in Dec. 2015, only 29% of credit
cards and 17% of debit and prepaid cards will be EMVenabled.
– At that time, Javelin predicts 53% of POS terminals will support
EMV.
Card Issuers & EMV
 JPMC
– First major card issuer to adopt chip-and-signature model for U.S. cards
– Announced 2/25/2014 that it would begin issuing chip-and-PIN cards
this year. Will others follow suit?
– Expects most of its debit cards to be chip-enabled by EOY 2015
 BofA
– Has been issuing chip credit cards (consumer, commercial, and
corporate) since 2012
– 9/30/2014: Announced it will begin issuing chip debit cards to new
customers in Oct.; cards for existing accountholders issued as these
cards expire or are replaced
– Plans to have the majority of its cards converted by late 2015
13
Card Issuers & EMV
 Wells Fargo: “Testing chip technology with its debit cards
and plans to issue them ‘on a broad scale’ in the coming
year.”
 Citibank
– Will begin issuing chip debit cards in 2015
– All of its new consumer credit cards are issued with chip
technology
– Should have half of its portfolio of consumer credit cards chip-
enabled by EOY 2014.
– Most customers can go online or call customer service to request
a chip credit card.
14
Merchants & EMV
 Many merchants support elimination of signatures as a
verification method in U.S., but Visa and MC will continue to
support signature (“chip and choice”).
 Merchants tend to favor PIN due to lower fraud rates than
signature transactions.
 Visa and MC will also support transactions with no cardholder
verification for low-value, low-risk transactions like payments
at quick service restaurants (QSRs) and parking meters.
 “The ROI is simply not there without a PIN requirement. The
signature card has by far has outlived its usefulness. It’s not the
mag-stripe that’s the problem, it’s the signature that’s the
problem.”—Mark Horwedel, Merchant Advisory Group (MAG)
15
Merchants & EMV
 Only about 10% of the POS terminals in the U.S. are
EMV-ready; mostly in “big-box” stores (Javelin)
 Wal-Mart has turned on EMV acceptance at about 4,000 of its
5,000 stores
 Javelin predicts 53% of POS terminals will support EMV in Dec.
2015.
 Wal-Mart, Home Depot and AMC Theaters all prefer PIN
over signature
16
Merchants, Consumers & EMV
 Issue: Consumer Awareness
– If a cardholder tries to swipe a chip card at a terminal as he
would normally swipe a mag-stripe card, at a store where
EMV acceptance has been enabled, the terminal prompts
the cardholder to insert the card in the device so that it
reads the chip.
– Solution: Advertising and education by card networks and
banks?
• e.g., “Don’t remove your EMV card too quickly, but don’t leave it in the
terminal either!
• FRB Dallas Video
Issues
 EMV’s age
 EMV is a proprietary standard
– Governments and other entities around the world are
looking for open, non-proprietary standards
 International interoperability?
 Issuers, merchants, or processors object that they
have not had a say in how the standard works or how
it is being implemented in the U.S.
Issues
 Durbin Amendment: merchant choice when routing debit
transactions
– Resolved by “common application identifier” (AID)
– In the EMV specification, the AID is a string of characters that
identifies the network brand and the specific type of card, e.g., credit
or debit.
 But…One potential problem in the U.S.: “Glitches in routing
EMV transactions over PIN-debit networks as required by
the…Durbin Amendment, despite accords the networks have
reached with Visa and MC this year designed to facilitate
smooth routing.”
Jim Daly, “Warning: The EMV Chip Card Conversion Will Be Slow and Fraught With Peril,” Digital Transactions News, Oct. 7, 2014
Issues: Fraud
 Potential increase in international fraud
– Might offset or exceed the decrease in counterfeit fraud wrought by
EMV.
 E.g., in Canada, largely stemming from fraud on mag stripes
still included on EMV cards, used in cases where merchants
have not upgraded terminals, or EMV functionality of terminal
is not working
 Mag stripes can be skimmed (e.g. at ATMs) and data used to
commit card fraud in the US
 To eliminate such fraud, Interac (Canada’s debit network) plans
to eliminate next year the option of reverting to the magnetic
stripe.
Beyond EMV?
 Tokenization
 Point-to-Point Encryption
 3DSecure (online)
Tokenization
 In a card transaction, tokenization replaces the primary
account number (PAN) with a string of numbers.
 Tokens are not mathematically derived from information
associated with the card (unlike encryption).
 The card issuer can re-associate the tokenized number
with the PAN for authorization and other purposes
 The tokenized number is otherwise worthless to hackers.
Apple Pay
 iPhone 6 (available Sept. 19) and a new smart watch,
Apple Watch (available early 2015)
 Uses near field communication (NFC) technology to
facilitate “contactless” (a.k.a. “tap-and-go”) payments at
the point of sale (POS), as well as online payments
through in-app solutions.
 There will be an NFC antenna across the top of the phone.
 The NFC protocol has encryption built into it.
Apple Pay
 Uses the iPhone’s TouchID fingerprint scanner
(introduced in the previous iPhone model, the 5s, and
built into the iPhone’s home button) as a form of
authentication.
 iPhone 6 has a new chip called a secure element (SE)
in the phone handset that stores the holder’s
payment information (though not the actual card
number).
Apple Pay
 Apple Pay will automatically use the card(s) on file for the
customer with Apple’s iTunes as the default payment account.
– iPhone 6 users with iTunes accounts will just need to enter the card
security code (typically referred to as the CVV or CVC) to get started.
 Users can add additional cards by taking pictures of them with
the phone’s camera, or by typing the card details into
Passbook.
 Apple verifies the account data with the card issuers and
places digital renderings of the cards in Apple’s Passbook
wallet app.
Apple Pay
 Apple Pay uses tokenization to remove payment card
numbers from the transaction process.
– When a user adds a credit card, Apple does not store the actual
card number; instead, it creates a “device-only” account number
for each card and stores it in the phone’s SE
– Each time Apple Pay is used, Apple uses a one-time payment
number, along with a dynamic security code, essentially creating
a one-time card use system and eliminating the need for the
static security code (CVV/CVC) on the plastic card.
– The merchant never sees the cardholder’s name, card number
or security code.
Apple Pay
 To make a payment using his default card, the user does not need to
open an app or “wake” the phone’s display, because of the NFC
antenna.
 He will simply hold the iPhone near the merchant’s contactless card
reader, and use the Touch ID (home) button to authenticate himself
by fingerprint.
 A subtle vibration and beep lets him know the payment information
has been sent. If he wants to pay with a card other than his default
card, he must first open the Passbook app and select an alternate
card.
 If an iPhone owner loses his phone, he does not have to cancel his
credit cards. He can use the “Find My iPhone” app and suspend all
payments from that phone.
Apple Pay
 For those with privacy concerns: Apple will not collect
any transaction data (how much consumers spent,
what they bought, etc.).
– “Apple doesn't know what you bought, where you bought
it or how much you paid for it. The transaction is between
you, the merchant and your bank.”—Eddy Cue, SVP, Apple
 Note that the Apple Watch also enables payments,
but it must be paired with the phone to do so.
Apple Pay
 Apple has reached agreements with:
– Card networks: Visa, MasterCard, and American Express (in
discussions with Discover)
– 11 large credit card issuers (with more to be added): BofA, Chase, Citi,
AmEx, Wells Fargo, Capital One, U.S. Bank, Navy FCU, USAA, PNC,
Barclays.
• These issuers represent 83% of U.S. card transaction volume.
• Reports indicate that the card-issuing banks have agreed to pay a per-transaction fee to
Apple to be included on the phone. These fees to Apple may be offset by the number of
transactions that consumers make with Apple Pay, as the banks collect interchange fees
(levied on merchants) on all credit and debit card transactions.
– Merchants, including (in addition to Apple’s own stores): Walgreen’s,
McDonald’s, Disney, Macy’s and Bloomingdales, Staples, Subway,
Starbucks, Whole Foods, Groupon, Uber, Panera, OpenTable and
Tickets.com
Mobile Wallets
Background: Mobile Wallet Competition
 Generally, consumer adoption of mobile wallets to date
has been limited.
– Much of this is due to the fact that mobile wallets don’t
necessarily solve a problem for consumers; swiping a credit card
is not really that difficult!
 Because of low consumer adoption, and the proliferation
of multiple vendors and offerings, retailers have not
invested heavily in the new (or upgraded) POS terminals
that will allow them to accept mobile payments.
Mobile Wallets
Other players in the mobile wallet space include:
 Google Wallet: Originally used NFC, but as of Sept. 2013, allows for storage
of card credentials in the cloud. Google added Host Card Emulation (HCE)
to Android 4.4, which allows Google Wallet to bypass the SIM card for NFC
transactions.
 Softcard: Until recently known as Isis Mobile Wallet. Joint venture of AT&T,
Verizon and T-Mobile; has 20,000 new activations of its app daily, according
to the company.
 MCX: Merchant-driven. Members include 7-Eleven, Southwest Airlines,
Wal-Mart, Target, and many others. In development for more than two
years; now testing its mobile wallet, CurrentC. No launch date yet
announced, and few details have been provided as to how its technology
will work.
 Amazon: Testing a mobile wallet.
Future?
 Number of iPhones in consumers’ hands
 8 million POS in the U.S.
– About 220k of those are NFC-enabled
– Many of those are vending machines
 Will “a rising tide lift all boats”?
– Will uptake of Apple Pay also encourage merchant acceptance of
Google Wallet and MCX/CurrentC?
 What role for community banks and CUs?
 Interchange?
Corporate Account Takeover
 Experi-Metal v. Comerica
 Patco Construction v. People’s United
Choice Escrow vs. BancorpSouth
 2010: Choice Escrow & Land Title, victim of hackers
who obtained its online banking details using
malware and wired $440,000 to a bank in Cyprus.
 Choice sued BancorpSouth for failing to provide
“commercially reasonable security”
 2012: Bank filed counter-suit
 US district court in Missouri dismissed the bank’s
counter-claim, though judge said it was a “very close
call.”
Choice Escrow vs. BancorpSouth
 March 2013: U.S. District Court rejected Choice’s suit against
BSB.
 Based on the fact that Choice declined to use security
measures BSB had encouraged it to use.
 When Choice adopted online banking (2009), BSB usually
required that customers use dual control
 Choice declined dual control on two different occasions; it was
convenient, as their employee who handled wire transfers was
often in the office by herself.
 Choice Escrow appealed; verdict upheld in favor of Bank (+
legal fees!)
Dual Control
 Alternatives for customers that are too small to have
dual custody?
– E.g., Wells Fargo has a feature called secure validation.
– When a customer submits a payment, the bank can text or
call the user’s mobile device and provide a number that
the customer then has to enter in a field on the site.
“Digital Disbursements”
 Future best practice for combatting check fraud?
 BofA’s Digital Disbursements
– “Alias-based B2C payments solution”
– Allows corporate customers to pay consumers digitally.
• e.g., payments are directly routed to a customer’s bank account using the
customer’s e-mail or mobile phone number
– Available to middle-market, large corporate and public sector
clients
– Supports B2C payments including rebates, refunds and claims
– Fewer checks mailed = fewer opportunities for fraud
“Digital Disbursements”
 BofA’s Digital Disbursements (cont.)
– Customers don’t have to wait for a check via mail.
– Corporate can reduce end-to-end disbursement costs as much
as 75% (acc. to BofA), compared to a paper check.
– Merchants could potentially save more than $1b annually by
eliminating disbursement checks (Aite)
– Corporate customers don’t need to maintain a consumer’s
personal bank account information.
• Recent FRB study: 85% of consumers, 81% of businesses prefer not to provide
bank account info to the payee when making a payment.
Source: Evan Nemeroff, “BofA Introduces Digital Disbursements,” AmericanBanker.com, Oct. 1, 2014
Questions?
Matt Davies, AAP, CTP, CPP
Payments Outreach Officer
Federal Reserve Bank of Dallas
Phone: 214-922-5259
E-mail: [email protected]
Follow us on:
@DallasFed
DallasFed

similar documents