PCI, EMV, and Other Four Letter Words!!!!! Oracle Industry Connect Marc L. Windahl, VP


My First EMV Conference in 2013

“You are LAZY and RECKLESS!!!!!!!!”

Sincerely, Issuing Banks


And nothing has changed. . .

Retail security is “LAX”

Rick Metsger, Vice Chairman of the National Credit Union Administration Board, at the NCUA’s annual Governmental Affairs Conference right here in Washington, DC, March 8-12, 2015


And the answer is EMV. . .

All major card brands have announced the US payments industry will move to EMV, and have announced a liability shift date of October 1, 2015.


What Questions do we have?
●  What is EMV?
●  What does “liability shift” mean?
●  What will EMV cost merchants?
●  Is EMV really different from Magnetic stripe?
●  What are the “Big Rocks”?
●  Will anyone make the October 1st date?
●  This removes the need for PCI, correct?
●  What other lessons do I need to know?
●  Is there any good news?
●  Where can I learn more?

Any I missed?


What Is EMV?
●  EMV stands for Eurocard, Mastercard, Visa. EMVCo is a separate company, wholly owned by Visa and Mastercard, that owns the EMV standard, EMV kernel, and all related Intellectual Property.
●  The EMV standard is a global standard for securing Card Present transactions via use of a Chip embedded on the card, or EMV credentials used in a contactless transaction.

Swipe becomes Dip!


What Is EMV?
●  EMV protects against counterfeit cards. Period.

Would it have protected against recent retail breaches using malware and memory scraping? Nope. . . . . . . but it would have made it MUCH harder to monetize the stolen PANs in a card present transaction.


What Is EMV?
●  Magnetic Stripe is a static transaction: read the data, add the $amount, and pass it.
●  EMV is a dynamic transaction:
   o  Card and terminal are constantly negotiating and checking each other.
   o  Cryptography is dynamically used to create a unique transaction.
   o  No two messages are ever the same.

Now, I know there are a lot of questions here and we will come back to this!
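
The static versus dynamic contrast on this slide, as an added example that is not part of the original presentation. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the names `card_cryptogram`, `Issuer` and `demo` are hypothetical. The transaction counter and the terminal's unpredictable number are EMV concepts that the slide does not name.

```python
import hashlib
import hmac
import os
import struct

# Constructed stripe data built on a well-known test PAN, not a real card.
TRACK_DATA = b";4111111111111111=25121010000000000?"


def card_cryptogram(card_key: bytes, atc: int, unpredictable: bytes,
                    amount_cents: int) -> bytes:
    """Chip side: MAC over the card's counter, the terminal nonce and the amount.

    HMAC-SHA256 truncated to 8 bytes is a stand-in, not the EMV algorithm.
    """
    msg = struct.pack(">HQ", atc, amount_cents) + unpredictable
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    def __init__(self, card_key: bytes, track_data: bytes):
        self.card_key = card_key
        self.track_data = track_data
        self.last_atc = 0  # highest transaction counter accepted so far

    def authorize_stripe(self, track_data: bytes) -> bool:
        # Static: the only possible check is whether the bytes match the card.
        return hmac.compare_digest(track_data, self.track_data)

    def authorize_chip(self, atc: int, unpredictable: bytes,
                       amount_cents: int, cryptogram: bytes) -> bool:
        expected = card_cryptogram(self.card_key, atc, unpredictable, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # amount, nonce or counter altered, or wrong key
        if atc <= self.last_atc:
            return False  # counter already used: a replayed message
        self.last_atc = atc
        return True


def demo() -> dict:
    key = os.urandom(16)  # assumption: one secret known to chip and issuer
    issuer = Issuer(key, TRACK_DATA)
    results = {}

    # Magnetic stripe: bytes captured once are accepted every time.
    results["stripe_first"] = issuer.authorize_stripe(TRACK_DATA)
    results["stripe_replay"] = issuer.authorize_stripe(TRACK_DATA)

    # Chip: the terminal sends a fresh nonce, the card advances its counter.
    un1 = os.urandom(4)
    msg1 = (1, un1, 2500, card_cryptogram(key, 1, un1, 2500))
    results["chip_first"] = issuer.authorize_chip(*msg1)
    results["chip_replay"] = issuer.authorize_chip(*msg1)
    # Reusing the captured cryptogram with a new counter and amount fails.
    results["chip_amount_changed"] = issuer.authorize_chip(2, un1, 99900, msg1[3])

    un2 = os.urandom(4)
    msg2 = (2, un2, 2500, card_cryptogram(key, 2, un2, 2500))
    results["messages_differ"] = msg1[3] != msg2[3]
    results["chip_second"] = issuer.authorize_chip(*msg2)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```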


What does “liability shift” mean?
●  Card Brands have announced deadlines for US transactions:
   o  US merchants: October 1, 2015
   o  ATM
      §  Visa: October 1, 2017
      §  Mastercard: October 1, 2016
   o  Petro merchants at automated fuel dispensers: October 1, 2017

* And short of a “Hail Mary” lawsuit, these deadlines will not change!


What does “liability shift” mean?
●  General principle: The participant that is the ‘weakest link’ is responsible for fraud for counterfeit transactions*.
   o  If Merchant has magnetic swipe terminal and card only has magnetic stripe, Issuer pays.
   o  If Merchant has EMV capable terminal and card only has magnetic stripe, Issuer pays.
   o  If card has EMV chip and merchant processes as magnetic swipe, Merchant pays. (note, presence of EMV terminal is irrelevant!)
   o  “Rule of least secure”
●  Geek speak: If service code = 2, then merchant must process chip-on-chip in contact or contactless mode or liability shifts.

* Mastercard also has Lost/Stolen liability shift.
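
The “rule of least secure” applied to swipe records, as an added example that is not part of the original presentation. It reads the service code from Track 2 data (ISO/IEC 7813 layout) and lists the swipes where counterfeit liability would sit with the merchant. The function names and sample records are constructed for illustration, treating a first digit of 6 like 2 goes beyond the slide, and the “issuer” result for chip-on-chip is an assumption drawn from the slide's “or liability shifts” wording.

```python
import re
from typing import NamedTuple

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM<3-digit service code><discretionary>?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})\d*\?")

# First service-code digit 2 marks a chip card (the slide's "service code = 2").
# Digit 6 is the national-use equivalent; including it goes beyond the slide.
CHIP_FIRST_DIGITS = {"2", "6"}

# Constructed swipe records built on well-known test PANs, not real card data.
SAMPLE_SWIPES = [
    ";4111111111111111=25122010000000000?",  # 201: chip card that was swiped
    ";5555555555554444=25121010000000000?",  # 101: stripe-only card
    ";6011000000000004=26066200000000000?",  # 620: national chip card, swiped
    "garbled read",                          # failed swipe
]


class Swipe(NamedTuple):
    masked_pan: str
    expiry_yymm: str
    service_code: str


def parse_track2(raw: str) -> Swipe:
    m = TRACK2.fullmatch(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 record")
    pan, expiry, service_code = m.groups()
    # Keep only the first six and last four digits so reports never hold a PAN.
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return Swipe(masked, expiry, service_code)


def counterfeit_liability(service_code: str, entry_mode: str) -> str:
    """Return 'issuer' or 'merchant' following the slide's rules.

    Terminal capability is deliberately not a parameter: what counts is how
    the transaction was processed, not which hardware sat on the counter.
    """
    chip_card = service_code[0] in CHIP_FIRST_DIGITS
    if entry_mode == "chip":
        if not chip_card:
            raise ValueError("chip entry requires a chip card")
        return "issuer"  # assumption: chip-on-chip means no shift to merchant
    if entry_mode == "swipe":
        return "merchant" if chip_card else "issuer"
    raise ValueError(f"unknown entry mode: {entry_mode!r}")


def merchant_exposure(raw_swipes):
    """Masked PANs of swiped chip cards, plus a count of unreadable records."""
    exposed, unreadable = [], 0
    for raw in raw_swipes:
        try:
            swipe = parse_track2(raw)
        except ValueError:
            unreadable += 1
            continue
        if counterfeit_liability(swipe.service_code, "swipe") == "merchant":
            exposed.append(swipe.masked_pan)
    return exposed, unreadable


if __name__ == "__main__":
    print(merchant_exposure(SAMPLE_SWIPES))
```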


What will EMV Cost Merchants?
●  $8.65 Billion. (Reuters, early March, 2015)
●  A medium-sized Acquirer noted in March of 2015:
   o  Businesses that operate at very minimal margins have to decide if they will invest in EMV or their business.
   o  Smaller ISVs and VARs are already being forced out of the business.
●  Your costs will vary, but it is not a small amount.
   o  Development
   o  Testing
   o  Certification
   o  New payment devices
   o  Networking
   o  Wiring
   o  Training
   o  Implementation


What will EMV Cost Merchants?

And it’s not just merchants: Fifth Third Bancorp will spend $15M in the second half of 2015 on EMV card issuance alone!

Dan Alamo, Fierce Retail IT newsletter, 2/26/15


Is EMV really different from Mag Stripe?
●  Static v. Dynamic
●  Three VERY large US retailers: “We’ve been working on this for years and we don’t have it right yet!”
●  I have never found a great flowchart. . .
●  Geek Speak:
   o  Cryptography method (4 choices)
   o  Card verification method CVM (4 choices)
      §  Offline v. Online PIN
   o  Offline v. Online Authentication
   o  Type of card
      §  Credit
      §  Debit
      §  Dual / Multi
   o  Application (AID) -- (lots of choices)
   o  Etc.


Is EMV really different from Mag Stripe?
●  But isn’t Credit Credit and Debit Debit?
   o  Within the same BIN, cards can be programmed differently (dynamic settings) and behave completely differently.
      §  For example: Floor limits and no-signature needed (No-CVM) now become “negotiated” between Merchant and Issuer provisioned preferences and will vary.
      §  Also applies to Offline, Offline-PIN, and many other areas.
   o  Major Issuer: Nope, we have traditional debit, prepaid, benefits, and HSA, to name a few different types:
      §  They can have different CVM rules, AIDs, etc.
      §  They will have different dynamic settings.


Is EMV really different from Mag Stripe?

Wait, the US is last, not first! Why can’t we just copy?
●  Large Global Merchant: “US is very different!” “We have a lot of unique issues” “It is a very bumpy road”
●  US is unique: we have a huge number of players:
      §  Issuers
      §  Merchants
      §  Acquirers
      §  Debit Networks
      §  Terminal manufacturers
      §  VARs
      §  ISVs
      §  etc.
●  and a hugely complex system!

BTW -- If this presentation was for card brands or issuers, “Durbin” is also a four letter word!


Is EMV really different from Mag Stripe?

Consensus of Stakeholders:
“EMV cannot be wrestled into existing processes and an environment built for magnetic stripe.”
“The learning curve is huge.”
“You need to throw out all your old lessons and questions from mag stripe out the window and get a new perspective.”
“EMV LITERALLY changes every factor of your organization”


What are the “Big Rocks”?
●  EMV Debit (aka “son of Durbin”)
   o  Common AID solves issue.
   o  But specifications for programming are LATE
      §  Very Large Retailer recently: “We finally received in December 2014.”
      §  Scheels – Just Received
●  Contactless Debit (aka “red-headed step-child of Durbin”)
   o  How long is a tap? Rule of thumb: MLB baseball pitch (400ms)
   o  A work-around has been discovered by ONE payment device manufacturer -- testing in August 2015.
   o  Permanent solution will require EMV Specification and Kernel change -- don’t hold your breath.


What are the “Big Rocks”?
●  Testing and Certification
   o  Inconsistent processes, long, and costly
      §  Way too much time recertifying what is already certified.
      §  Average acquirer today? If you get an answer, still mostly hearing 6 to 8 months and thousands of billable hours.
      §  10x rule (10x the cost and time of magnetic stripe certification)
      §  Testing tools, and even test cards are big $$$$
   o  Medium Acquirer: With all the changes in payments in the US, we are still certifying the exact same way we did 30+ years ago for standalone terminals that connected to a phone line!
   o  Help is coming, but no consistency -- Need collaboration and best practices.


What are the “Big Rocks”?
●  Offline v. Online -- Visa basically said no need for Offline in US, wow!!
   o  Fact is, some cards will not support offline, period.
      §  And some provisioned cards cannot be taken if you want to get paid.
   o  Card brands are inconsistent on rules.
   o  Issuers are inconsistent on how cards are provisioned.
   o  Each merchant will have to study and do due diligence. I can’t give you answers, just tell you your plan better include this or it will fail!
●  Cryptography Methods
   o  Again, inconsistency in both requirements and actual issuance
   o  Geek Speak: is chip CDA or DDA?
      §  MasterCard requires CDA for offline functionality
      §  Card manufacturers reporting 30 to 50% sales CDA
      §  Complex test cases, rules and implications. Due diligence.


What are the “Big Rocks”?
●  PIN Bypass
   o  This is where customer does not know PIN or wants to use signature.
   o  Huge implications for install, including liability. Adds complexity to all levels.
   o  Each merchant has to decide if they will allow and if so, when it is enabled. Due diligence.


What are the “Big Rocks”?
●  Dead-ends -- There are many use cases that can cause failures that result in a decline or force removing the card and starting over. Sorry, examples are a bit Geek Speak:
   o  Terminal requests PIN, customer selects PIN Bypass to use signature instead, card is NOT provisioned for Chip and Signature -- start over.
      §  There are issuers with branches within 3 miles of us right now where this can and will happen with 100% of their cards.
   o  Card is provisioned to prefer Chip&PIN CVM and Terminal requests PIN. Customer selects PIN Bypass to use signature. Merchant adds information to message and sends to issuer. Card passes crypto check, but issuer, based on fraud risk, can choose to decline transaction.
      §  Decision based on both customer activity and Merchant activity.
      §  This has actually happened already at large US Merchant!

Note: not every use case includes PIN Bypass!


What are the “Big Rocks”?
●  Customer Experience
   o  Multiple Very Large Merchants have huge concern about speed of service.
      §  One: We will not hit October 1st
      §  Walmart disabled EMV in 4Q14 for fear of slowing lanes during holidays. As of mid March were only back on in 2 US stores.
   o  Needs to be seamless for the customer.

Soapbox: US will work best if the customer experience, as much as possible, is EXACTLY the same in every shopping experience at every merchant!


What are the “Big Rocks”?
●  Bottom line: No one and done
   o  Original hope was figure this out, do EMV Credit, EMV Debit, & Contactless in one project with one certification and be done!
   o  3 years later, too many other Big Rocks
   o  “Partial Implementation” Or as one Very Large Merchant said:
      §  Hodgepodge
      §  Duplication of effort
      §  Confusion for everyone, especially cashiers and customers
      §  Lots of certifications!


Will anyone make the October 1st date?

“Lies, damn lies, and statistics. . .” Mark Twain, Benjamin Disraeli, ???
●  Lots of “Surveys” with lots of numbers
   o  Many metrics
      §  #/% Merchants
      §  #/% Terminals
      §  #/% Doors
      §  #/% Transactions
   o  And, of course, details in fine print. . .
      §  Terminal “EMV ready” v. “EMV capable”
   o  Watch dates! October 1, 2015 or “End of year 2015”
   o  And data is “survey” with a fair amount of wishful thinking. . .


Will anyone make the October 1st date?

Issued Cards?
●  Mastercard 7% in March 2015, 21% Growth month over month. Saw 190K transactions “chip on chip” in January 2015 *(really low number!!!!!!!)
●  AmEx 100% by end of year (all chip&signature CVM)
●  Very Large US Bank
   o  Started issuing in 2012
   o  Most by later this year for credit but that includes “acceleration plans”
   o  Debit will be slower
   o  ~2% transactions “chip on chip” in February 2015
●  Very Large US Bank
   o  “mostly done” by 10/1 for credit
   o  Debit will be slower.


Will anyone make the October 1st date?

Issued Cards?
●  Very Large US Bank that is also service provider to other Financial Institutions (FI)
   o  Has deployment plans for self.
   o  Medium FI customers = planning
   o  Smaller FI customers = lots of questions on where to start
●  “Many banks won’t be fully ready for October EMV deadline” Dan Alamo, Fierce Retail IT quoting PaymentsSource, 2/26/15.
   o  FNBO is taking a risk and will not meet deadline


Will anyone make the October 1st date?

Issued Cards?
●  Aite Group survey by end of 2015. (reported Fierce Retail IT, Dan Alamo, 2/11/15)
   o  70% US Credit cards
   o  41% of US debit cards
●  Gartner’s VP Avivah Litan: “I don’t buy into projections that 50% of US Cards will be chip by the end of this year. That is way too aggressive” (Quoted in Pymnts.com, 1/22/15)


Will anyone make the October 1st date?

Issued Cards? -- Roadblocks?

Same as merchants. Because merchants were late getting specifications, merchants are late rolling out systems. But that leaves banks with nowhere to test. They are rolling out a huge number of cards without being sure they will actually work in all circumstances.


Will anyone make the October 1st date?

Merchants -- MAG Survey 1Q15
●  Survey of 85 merchant-members (Is this sample set representative of all of us?)
   o  40% of merchants by October 1, 2015
   o  30% within next three months
   o  24% within 12 months
●  Why miss?
   o  Delay in Debit
   o  Limited ROI
   o  Inadequate timeline

Extremely complex, extremely costly, and extremely disruptive!


Will anyone make the October 1st date?

Merchants
●  ACI Survey (January 2015)
   o  12% Compliant today
   o  19% “Confident will hit”
   o  28% Working
   o  41% Still evaluating options.

Is there really 12% compliant today?


Will anyone make the October 1st date?

Merchants
●  Large US Merchant -- working for over 3 years on project.
   o  Good news: we are an early adopter!
   o  Bad news: we are an early adopter!
   o  Encountering not only hurdles, but roadblocks in testing. Hope to now pilot in July 2015.
●  Very Large International Merchant
   o  Will NOT hit October 1, 2015
   o  Concerns
      §  Lack of Debit specifications
      §  Lack of contactless specifications and solutions
      §  Will slow and complicate the customer experience
      §  Inconsistency among card brands (Offline limits, floor limits, etc.)


Will anyone make the October 1st date?

Merchants
●  Very Large US Merchant -- Walmart
   o  Turned off EMV prompt in all stores in 4Q14 to avoid slowing lanes. As of mid March, only back on fully in two locations.
   o  Concern about delay in debit specifications from acquirer.
   o  Will do contact only in 2015.
●  Very Large US Merchant
   o  Contact only in 2015


Will anyone make the October 1st date?

Merchants -- Other reports
●  Payments Source Survey of 400 Merchants -- 46% have not started
●  Boston Retail Partners: “Certification and Certification Backlog will prevent some from hitting plans.”
●  Dick Mitchell at Randstad: “EMV migration will be rough, risky ride” “Shortage of devices. . .”, “Shortage of resources . . .”, & “Scarcity of already over-committed deployment partners. . .” means that most projections are overly optimistic.
●  Ingenico: “Middle tier merchants will be a very long tail”


Will anyone make the October 1st date?

Merchants -- My take
●  Define success?
   o  2013 was EMV Credit & Debit for both contactless and contact.
   o  Now: partial implementation
●  My prediction by October 1, 2015
   o  Issuance
      §  Credit 60% -- 90% by July 2016 -- Prepaid Never.
      §  Debit 20% -- 90% by end of 2016
      §  Contactless <2% -- No idea when it will exceed 20%
   o  Merchant
      §  25 to 35% EMV Credit -- 85% by end of 2016
      §  15 to 20% EMV Debit -- 85% by July 2017
      §  <1% Contactless -- No idea when it will exceed 50%


This removes the need for PCI, correct?

Nope


This removes the need for PCI, correct?

“STILL same old broken payment system”
●  Still PAN in the clear under EMV Specification.
●  EMV addresses counterfeit cards, not entire payment system problems.

Large breaches in 2013 and 2014 would still have happened.

Don’t confuse “PCI Audit Relief” (AmEx: “PCI DSS Reporting Relief”) with PCI relief.
●  Basically streamlines reports you have to submit
●  Requires 75% of terminals to support EMV Contact AND EMV Contactless.
●  I am not holding my breath. . . .


What other lessons do I need to know?
●  Set Expectations clearly -- unless you are certifying today, you will probably not hit October 1, regardless of how much Senior Management wants it or how much money you throw at it. In fact, that is risky, because complexity means you will make it worse.

“If you do not do due diligence, you will fail. Might as well not do it” Major Debit Network, March 2015


What other lessons do I need to know?
●  EMV requires “Code Freeze” for testing and certification -- scope is entire system, so if your POS is not separated from your payments system, you cannot make any changes during testing and certification, and ALMOST every future POS change will trigger a recertification!

Good News: OR-POS with Advanced Payments Foundation is the way to go!
●  Large Tool vendor: “Must shift to new architecture” or within 5 years of EMV you will not be able to make ANY changes in POS.
●  Medium acquirer -- First heard of this model in early 2000’s and thought Tier I would never go. Now fastest change in payments seen during their career! EMV forcing, but security benefits huge!!!


Is there any good news?

Chip&Sig is hopefully dying!!!
●  Obama Presidential Order means FI Issuers today with no chip&sig CVM
●  Merchant lobby is getting out there!
   o  NRF
   o  MAG
   o  Consumer Policy Solutions launching “Protect my Data” campaign for consumers
●  Issuers are starting to feel uncomfortable.
   o  Entire push for chip&sig was based on customer surveys
   o  Now seeing customer survey responses questioning the security of no PIN.
●  Consumer demand will help Merchants -- Issuers will change


Is there any good news?

Streamline Certification is coming!
●  “We have not improved testing and certification for at least 30 years” -- Medium Acquirer
●  Change is coming
   o  Streamlined process with much less certifying parts that have already been certified.
      §  Early adopters are end-to-end certification, meaning, for example, the terminal has to be re-certified, even if manufacturer has already done that.
   o  New testing systems and tools are starting roll-out
      §  Imagine a 24x7 testing system that does not require scheduling and provides instant feedback without an analyst at the acquirer!
   o  Early feedback -- “Can shave months”
●  Today is piecemeal by acquirer, but all stakeholders, including card brands are working on permanent solutions.


Is there any good news?

MasterCard Account Data Compromise Relief

“If at least 75% of MasterCard transactions originate from EMV-compliant contact and contactless POS Terminals, the merchant is relieved of 50% of account data compromise penalties.”

Probably limited value. . .


Is there any good news?

Dawning public realization Merchants (We!) are not lazy and stupid.
●  Issuers are now understanding the reason they cannot test the cards they want to issue is the system is complex, specifications were late, and even the Merchants that have been working for 3+ years don’t have it figured out yet!
●  Recent press analysis is starting to admit the Payments System is broken, and Merchants are really not in the wrong, Card Brands are!
   o  See Tracy Kitten in DataBreachToday 3/1/15 for some great quotes!
   o  Reality is, we are in business to sell stuff, not because we want to protect financial information, and a system that requires us to do so, is poorly designed!


Where can I learn more?
●  Big Five:
   o  Card Brands
   o  Acquirer(s)
   o  Debit Networks
   o  Software vendor(s)
   o  Terminal vendor(s)

All these sources have huge resources from EMV 101 webinars to specifications, guidance, and documentation. Look especially for whitepapers on best practices (terminal vendors have some great ones!!!)

Thanks to PCI, interchange battles, and Durbin, Merchants have an adversarial relationship with Card Brands. But for EMV to work, you need to tap into their resources AND give them feedback on what does and does not work (i.e. certification, etc.)


Where can I learn more?

EMV focused organizations
●  EMV Migration forum -- www.emv-connection.com
   o  Collaboration by members from ALL stakeholder groups.
      §  This is where the roadblocks are being solved!
   o  Knowledge Center has hundreds of resources
   o  “Minimum EMV Chip Card and Terminal Requirements”
   o  Liability Shift document -- lays out deep details for all card brands
●  Merchant Advisory Group -- www.merchantadvisorygroup.org
●  Smart Card Alliance -- www.smartcardalliance.org
   o  Created EMV Migration Forum and its Site.


Where can I learn more?

Payments and Security focused news sources
●  Payments Source -- www.paymentssource.com
●  PYMNTS -- www.pymnts.com
●  American Banker -- www.americanbanker.com
●  Data Breach Today -- www.databreachtoday.com
●  Office of Inadequate Security -- www.databreaches.net
●  Krebs on Security -- www.krebsonsecurity.com
●  Payments News -- www.paymentsnews.com/emv/
●  PayX -- www.payxintl.com