P2PE, EMV & TOKENIZATION
www.GoRSPA.org/Education
The ‘Holy Trinity’ of Payment Security
Jeremy Gumbley, CTO, Creditcall
@jeremy_gumbley linkedin.com/in/jgumbley
[email protected] @jeremy_gumbley www.creditcall.com/emv-migration
EMV is Coming to the U.S.
Long time for EMV to arrive
Contactless is already here
U.S. EMV cards do
Chip Cards by Numbers
575 million EMV cards to be issued by the end of 2015
59% of retail locations will be EMV-compliant by the end of 2015
78,800 EMV chip-activated merchant locations
70% of U.S. credit cards will be issued as EMV cards by the end of 2015
Chip Cards by Numbers
86% of financial institutions plan on issuing EMV debit cards by 2015
$3.50 Average cost for issuing a new EMV card
$500 Average cost of an EMV-compliant POS terminal
Sources: Javelin Research & Strategy, Aite Group, 2014 PULSE Debit Issuer Survey
Why is EMV Required?
Liability shift
Global approach to security
Fraud reduction
Liability Shift Put Simply
EMV
Tokenization
Weapons Against Card Fraud
P2PE vs. PCI P2PE

| P2PE | PCI P2PE (Certified) | P2PE (Non-Certified) |
| --- | --- | --- |
| P2PE implementation manual for merchant to follow | Mandatory - Merchants must follow PIM to get PCI P2PE protection | Not defined |
| Secure supply chain | Mandatory - Merchants must use scheme defined by solution provider | Not defined |
| PCI DSS De-scoping | Yes - If merchant is only using PCI P2PE certified solution to take card payments; Merchants can complete a PCI DSS SAQ designed for P2PE | No - It remains each processor's decision as to whether the solution offers any de-scoping of PCI DSS |
| PINpad key injection cost | Yes | Yes |
| PINpad encryption licence cost | Yes | Yes |
| Solution provider costs to provide encryption | Yes | Yes |
| Certification costs | Solution provider has to cover costs of P2PE assessment. Merchant should have lower PCI DSS costs if only using certified solution | Merchant has all the cost of PCI DSS |
Without P2PE
With P2PE
P2PE Can Protect Against
Loss of cardholder data
Brand & reputation damage
Loss of revenue
Payment brand penalties
PCI fines
EMV
Dynamic: Application Cryptogram changes with each transaction
Static: Card data always the same
Tokenization

| Tokenization | Proprietary Gateway | Scheme Network Generated |
| --- | --- | --- |
| Complexity | Simple | Hard |
| Re-usable for other payments | Yes | Possibly. Depends on Token |
| Online/Offline | Online | Offline capable |
| Real-time 3rd party dependency (i.e. token service provider) | No | Yes |
| Works with existing magstripe cards | Yes | No |
| Cost | None | TBC |
| Cross gateway compatible | No | Potentially |
Tip of the Iceberg
Getting a PINpad
1 P2PE
2 Tokenization
3 Processor Interfaces and EMV Messages
4 Card Brand Certifications
5 Terminal Management Systems
If you have any questions, please contact:
Jeremy Gumbley, CTO
Creditcall Corp, 1133 Broadway, Suite 706, New York, 10010
800 868 [email protected]/emv-migration
@jeremy_gumbley
@Creditcall