WEBINAR

The EMV Effect on ATMs

Present Challenges, Best Practices and Future Outlook

UL and the UL logo are trademarks of UL LLC © 2016. May not be copied or distributed without permission.

Webinar: The EMV Effect on ATMs


Page 2: Webinar: The EMV Effect on ATMs

Our Team

SPEAKER: Eric De Katow, Principal Advisor, EMV Expert, UL Transaction Security

MODERATOR: David Yavorsky, Test Analyst, EMV Expert, UL Transaction Security


Page 4: Webinar: The EMV Effect on ATMs


Agenda

What is EMV?

Liability Shifts and Fraud

Benefits of EMV

Who is affected by the EMV wave?

ATM Maintenance and Upgrade

Industry challenges: The Future of ATMs

Wrap-up

Next steps


Page 6: Webinar: The EMV Effect on ATMs

Payment Technology Evolution

Embossed
• Manual payment transactions
• Limited fraud protection

Magnetic Stripe
• Electronic Payment transactions
• Static fraud protection

EMV
• Electronic Payment transactions
• Dynamic fraud protection

Page 7: Webinar: The EMV Effect on ATMs

What is EMV?

EMV is named after the original organizations that developed it: Europay, MasterCard and Visa.

EMV is a global secure standard for payment transactions. The security is based on dynamic cryptography.

It is a set of specifications that ensure interoperability between chip products and acceptance devices.

EMV was designed as an acceptance device specification for card present transactions using a contact chip interface.

Page 8: Webinar: The EMV Effect on ATMs


Payment Technology: A Tale of 2 Cards

B370261765230537^71171

VALUEDCUSTOMER00007^1309101091099116

370261765230537=130910109109911600007


EMV Data: 2.5 K of data

Magnetic Stripe Data: Track 1 & 2

Page 9: Webinar: The EMV Effect on ATMs

What is a Chip?

Known in the industry as a chip, chip card, smartcard, or Integrated Circuit Card (ICC).

There are 2 main categories for chip architectures:

– Memory only

– Microprocessor and memory

Chips that include microprocessors are mini computers integrated into a small piece of silicon… this enables cryptographic operations

Page 10: Webinar: The EMV Effect on ATMs

What is a Chip?

Microprocessor chips are used for EMV Payment cards because they provide strong security using cryptography.

The chip contains secret keys which allow EMV to use two forms of cryptography:

– Digital signatures - data integrity and authenticity

– Encryption* - data confidentiality

EMV devalues data by using digital signatures. A common use for a digital signature in EMV is called a cryptogram.


Page 12: Webinar: The EMV Effect on ATMs


The State of EMV Adoption Worldwide

Page 13: Webinar: The EMV Effect on ATMs


Card Fraud in the USA

Page 14: Webinar: The EMV Effect on ATMs


Evolution of Card Fraud

Page 15: Webinar: The EMV Effect on ATMs

ATM Fraud in the USA – FICO

The rise in ATM compromises in US from 2014 to 2015

More non-bank ATMs, such as those in convenience stores, were compromised in 2015 than in 2014

546%

10 times

The average duration of a compromise fell from 36 days in 2014 to 14 days in 2015

Criminals are taking a quick-hit approach to ATM theft and card fraud.

ATM compromises in 2015 also spread out across the country

Page 16: Webinar: The EMV Effect on ATMs

Liability Shift

Domestic transactions

Intra regional transactions

Counterfeit Liability Shift: Counterfeit & skimming fraud
• Issuers assume counterfeit fraud related liability if a non-EMV chip card is presented at an EMV capable terminal
• Merchant / Acquirers assume counterfeit fraud related liability if an EMV chip card is presented at a non-EMV capable terminal

Lost & Stolen Liability Shift: Lost / Stolen / Card-not-received Fraud
• EMV cards are issued without PIN support. Issuer continues to bear liability.
• Merchant / Acquirers are liable when the acceptance device is EMV without PIN support.

• Contactless Transactions are not within scope of liability shift
• A country or region cannot participate in Chip/PIN Liability Shift without first or concurrently participating in Counterfeit Liability Shift

Page 17: Webinar: The EMV Effect on ATMs

EMV Liability Shift – USA

10/2015 for POS; 10/2017 for AFD. Liability Shift includes both Counterfeit and Lost and Stolen

10/2015 for POS; 10/2017 for ATM and AFD. Liability Shift includes only Counterfeit

10/2015 for POS; 10/2016 for ATM; 10/2017 for AFD. Liability Shift includes both Counterfeit and Lost and Stolen

10/2015 for POS; 10/2017 for AFD. Liability Shift includes both Counterfeit and Lost and Stolen


Page 19: Webinar: The EMV Effect on ATMs

Benefits of EMV: Cryptography

“The art or process of hiding data, then deciphering it, by using secrets and algorithms”

Secrets: Symmetric and Asymmetric Keys.

Algorithms: DES, 3DES, RSA, AES…..

Confidentiality
• PIN Block encryption
• Issuer Scripts encryption

Authentication
• Inquiry & response cryptograms
• Issuer & card certificates
• Digital signatures

Integrity
• Issuer scripts
• Cryptograms certificates
• Digital signatures

Non repudiation
• Inquiry & response cryptograms
• Certificates

Page 20: Webinar: The EMV Effect on ATMs

Benefits of EMV: Cryptography

Encrypt / Decrypt: Confidentiality

Message Authentication Code (MAC): Integrity + Authenticity

[Figure: a sample plaintext is encrypted into hexadecimal ciphertext and decrypted back to the same plaintext; the same plaintext passed through a MAC Algorithm yields the MAC sdfi8uh134590814f3038f9r9]

Sample plaintext: Once upon a time there was, there was a man Who lived inside me wearing this cold armour, The kind of knight of whom the ladies could be proud And send with favours through unlikely forests To fight infidels and other knights and ordinary dragons.

Page 21: Webinar: The EMV Effect on ATMs

Benefits of EMV: EMV Devalues the Data on the Magnetic Stripe

The Service Code on the card magnetic stripe identifies the card technology: EMV or Magnetic Stripe

Service Code First Position tells the story:

1 or 5: Magnetic Stripe

2 or 6: Chip Card

If the Magnetic Stripe of a Chip Card is “skimmed”, an EMV certified device will require the Chip to be inserted

Upon identifying a Chip Card Service Code, the acquirer must request the card to be inserted in the Chip reader.

A non-EMV certified device will process the transaction as Magnetic Stripe and the acquirer will be liable for the fraud.
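
The service-code rule on this slide, written out as an added example (not part of the original deck): it parses a Track 2 string, reads the first service-code position, and returns what a device does on a swipe. The function names, the action labels and the handling of first digits other than 1, 2, 5 and 6 are assumptions; the second sample string is constructed.

```python
import re

# Track 2 layout: PAN, '=' separator, YYMM expiry, 3-digit service code,
# then discretionary data. Start/end sentinels (';' and '?') are optional here.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<service_code>\d{3})"
    r"(?P<discretionary>\d*)\??$"
)

# First service-code position, as given on the slide.
MAGSTRIPE_FIRST_DIGITS = {"1", "5"}
CHIP_FIRST_DIGITS = {"2", "6"}

# Track 2 string shown on the "Tale of 2 Cards" slide.
SLIDE_TRACK2 = "370261765230537=130910109109911600007"
# Constructed sample: same card data with the service code changed to 201.
CONSTRUCTED_CHIP_TRACK2 = "370261765230537=130920109109911600007"


def parse_track2(raw):
    """Split a Track 2 string into its fields; raise ValueError if malformed."""
    match = TRACK2_RE.match(raw.strip())
    if match is None:
        raise ValueError("not a well-formed Track 2 string")
    return match.groupdict()


def card_technology(service_code):
    """Classify the card from the first position of its service code."""
    first = service_code[0]
    if first in CHIP_FIRST_DIGITS:
        return "chip"
    if first in MAGSTRIPE_FIRST_DIGITS:
        return "magstripe"
    return "unknown"


def swipe_decision(raw_track2, terminal_emv_capable):
    """Return the action an acceptance device takes when a card is swiped."""
    fields = parse_track2(raw_track2)
    tech = card_technology(fields["service_code"])
    if tech == "chip" and terminal_emv_capable:
        # A stripe copied from a chip card stops here: the device asks for
        # the chip, which a magnetic-stripe copy does not have.
        return "PROMPT_INSERT_CHIP"
    if tech == "chip":
        # Non-EMV device: processed as magnetic stripe, acquirer carries the fraud.
        return "PROCESS_AS_MAGSTRIPE_ACQUIRER_LIABLE"
    if tech == "magstripe":
        return "PROCESS_AS_MAGSTRIPE"
    # Assumption: first digits the slide does not cover are refused.
    return "DECLINE_UNRECOGNISED_SERVICE_CODE"


if __name__ == "__main__":
    for label, track in (("slide", SLIDE_TRACK2), ("constructed", CONSTRUCTED_CHIP_TRACK2)):
        for capable in (True, False):
            print(label, capable, swipe_decision(track, capable))
```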

Page 22: Webinar: The EMV Effect on ATMs

Benefits of EMV: Digital Signatures

EMV devalues data by using digital signatures

A common use of digital signatures in EMV is Cryptograms.

The Cryptogram is generated in the CHIP using 11 different data elements, some dynamic, using secret keys stored in the Chip Secure Element

When the Issuer validates the Cryptogram, it confirms that it was generated by the Issuer's own Chip card (Validation) and also confirms that none of the 11 data elements were altered during the journey between the Acquirer and the Issuer (Integrity)
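
The issuer-side check described on this slide, as an added example that is not part of the original deck: a keyed tag over eleven data elements is recomputed by the issuer, so an altered element, a replayed message or a card without the key is declined. HMAC-SHA256 stands in for the card's cryptogram algorithm, and the element names, the counter check and all sample values are assumptions, since the slide does not list them.

```python
import hashlib
import hmac

# Assumed input set: the slide says "11 data elements" without naming them.
DATA_ELEMENTS = (
    "amount_authorised", "amount_other", "terminal_country_code",
    "terminal_verification_results", "transaction_currency_code",
    "transaction_date", "transaction_type", "unpredictable_number",
    "application_interchange_profile", "application_transaction_counter",
    "card_verification_results",
)


def _encode(txn):
    """Serialise the elements in fixed order, each length-prefixed."""
    out = b""
    for name in DATA_ELEMENTS:
        value = str(txn[name]).encode()
        out += len(value).to_bytes(2, "big") + value
    return out


def generate_cryptogram(card_key, txn):
    """Chip side: 8-byte keyed tag over the 11 elements (HMAC stand-in)."""
    return hmac.new(card_key, _encode(txn), hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: holds the same card key and the last counter it accepted."""

    def __init__(self, card_key):
        self._card_key = card_key
        self._last_atc = -1

    def validate(self, txn, cryptogram):
        expected = generate_cryptogram(self._card_key, txn)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE_BAD_CRYPTOGRAM"      # wrong key or altered element
        atc = txn["application_transaction_counter"]
        if atc <= self._last_atc:
            return "DECLINE_STALE_COUNTER"       # captured message presented again
        self._last_atc = atc
        return "APPROVE"


def run_scenarios():
    """Genuine, altered-in-transit, replayed and wrong-key requests, in order."""
    card_key = bytes(range(16))                  # constructed test key
    txn = {                                      # constructed sample values
        "amount_authorised": 10000, "amount_other": 0,
        "terminal_country_code": "0840", "terminal_verification_results": "8000008000",
        "transaction_currency_code": "0840", "transaction_date": "160630",
        "transaction_type": "01", "unpredictable_number": "9A3F01C7",
        "application_interchange_profile": "1C00",
        "application_transaction_counter": 42, "card_verification_results": "03A0",
    }
    issuer = Issuer(card_key)
    cryptogram = generate_cryptogram(card_key, txn)
    genuine = issuer.validate(txn, cryptogram)
    altered = issuer.validate(dict(txn, amount_authorised=90000), cryptogram)
    replayed = issuer.validate(txn, cryptogram)
    clone_txn = dict(txn, application_transaction_counter=43)
    cloned = issuer.validate(clone_txn, generate_cryptogram(b"\x00" * 16, clone_txn))
    return [genuine, altered, replayed, cloned]


if __name__ == "__main__":
    print(run_scenarios())
```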

Page 23: Webinar: The EMV Effect on ATMs

Benefits of EMV: Reduces Card Present Fraud

Reducing Skimming Fraud at the ATM

The previously valuable Magnetic Stripe data lost its value because of the EMV process


Page 25: Webinar: The EMV Effect on ATMs


Who is affected by the EMV Wave?

Page 26: Webinar: The EMV Effect on ATMs

Who is affected by the EMV Wave?

ATM Maintenance & Installation Vendors

ATM Manufacturers


Page 28: Webinar: The EMV Effect on ATMs

ATM Maintenance: What is inside an ATM?

ATM Architecture

Hardware Components:
• Combined Card reader
• Contactless Reader
• PIN PAD
• Display Screen
• Receipt Printer
• Statement Printer
• Cash dispenser
• Cash Cassettes
• Envelope Dispenser
• Envelope Deposit
• Personal Computer
• Speakers
• Camera
• Telephone
• Safe
• Secure Casing

Software Components:
• PC Operating System
• Software
• Loads (screens)
• Reader software
• PIN PAD software
• Online Software
• Online Monitoring

Page 29: Webinar: The EMV Effect on ATMs

ATM Set up & Maintenance

Insurance premiums

Maintenance & cleaning

Site rentals

Security & Fraud prevention

Network membership/transactions fees

Site surveys & installation

Hardware: (All the equipment, inside and outside)

Software: purchase, maintenance, upgrades, developers

Windows OS Replacement

Telecommunication & system connectivity

Cash supply & Replenishment

Page 30: Webinar: The EMV Effect on ATMs

ATM Upgrade for EMV: A Major Project

• Require careful planning
• 9 to 12 months – sometimes longer
• Inventory of existing ATMs: HW&SW, configuration, location……
• Define Business Requirements
• Card brands supported
• Transaction supported
• Transaction flow changes

Upgrade or Replace?

In House or Outsource migration?

Receipt changes

Work closely with ATM Vendors

Coordination with Processors and Acquirers

Set timelines: HW & SW upgrades, Development Testing and Certification

Roll out strategy


Page 32: Webinar: The EMV Effect on ATMs

Industry Challenges: Today

Reduction in interchange fees

Anti-money laundering rules

ADA: Americans with Disabilities Act

ATM Security (viruses, malware, skimming, hacking etc.)

EMV migration costs

Windows OS Migration from XP to 7 & 10

Performance

Page 33: Webinar: The EMV Effect on ATMs

Industry Challenges: Tomorrow

Keeping up with changing technologies

New Cardholder Identification methods

Additional services: Types of activities suitable in an ATM?

Cardless Cash Withdrawals: what are the options?

Mobile Technology and Mobile Banking Trends: How will it impact ATMs?

Page 34: Webinar: The EMV Effect on ATMs

The Future of ATMs: Cash

Cash is still ALIVE & Well, almost all over the world and especially in advanced and developing economies

Page 35: Webinar: The EMV Effect on ATMs

The Future of ATMs: Mobile and Cardless

Mobile technology is predominant and its usage growing as Applications are multiplying.

Just about every Financial Institution now offers its own Mobile Banking App.

ATMs are beginning to meet the mobile challenge

Bank of America is developing automated teller machines where customers will be able to withdraw cash using their smartphones instead of plastic cards.

BoA also demonstrated ATM Cash Withdrawal at the Google I/O 2016 using Android Pay and NFC. Available now in about 650 ATMs in the Bay Area, Nationwide by EOY

Page 36: Webinar: The EMV Effect on ATMs

The Future of ATMs: Mobile & Cardless

JPMorgan Chase is preparing a nationwide rollout later this year of thousands of new cash machines that don’t need an ATM card.

San Francisco-based Wells Fargo announced its plan for a technology that will let customers start a transaction, such as withdrawing cash, on their phone before heading to an ATM.

Page 37: Webinar: The EMV Effect on ATMs

The Future of ATMs: Changing Technology

All three services support EMV contactless technology which can be used with ATMs

EMV Contactless processing is very similar to Contact EMV processing

NFC & Cardless eliminate Skimming

* JPMorgan Chase and Wells Fargo also announced they will support NFC at their ATMs in 2016

Page 38: Webinar: The EMV Effect on ATMs

The Future of ATMs: Identification Methods

Cardholder Verification is a key element in cash withdrawals

While PIN is not dead, it is breathing with difficulty

Fingerprint is the principal option, but not the only biometrics that can be applied at ATMs:

• Physiological: Face recognition, Palm Print, Eyes
• Behavioral: Voice, Signature, Keystroke

Two banks in Brazil allow cash withdrawals and other transactions without card, only using biometrics

* Biometrics are gaining lots of strength as Valid Cardholder Verification Methods

Page 39: Webinar: The EMV Effect on ATMs

The Future of ATMs: Additional Services

ATM can be much more than just a cash dispensing machine

Managing checking and saving accounts

Currency conversion

P2P transfer

Mortgage and loan applications

Undertaking various payments such as utility bills, credit card bills, insurance premium, even pay for lotteries

Cross border transfer

Train tickets

Page 40: Webinar: The EMV Effect on ATMs

The Future of ATMs: Additional Services & Costs

JPMorgan Chase study

Teller: It costs the bank 65 cents to make a deposit with a teller.

ATM: It costs the bank 8 cents to make a deposit at an ATM.

Mobile: It costs the bank 3 cents to make a deposit through a mobile app.

• The trend in the Banking Industry is to shift Customer Service from Branches to its ATMs
• Banks are shifting the cost of their ATMs from their Operations Division to their Customer Service Division


Page 42: Webinar: The EMV Effect on ATMs

The ATM of the Future: Bank in Box

Security

Biometrics

Performance

Banking Service channel

No need to enter a Branch

Simplicity of use: Simplified menus

Multifunctional: Diverse transaction set

Ease of access –NFC-QSR

Location Location Location

And still: Dispense Cash…..

“From automated teller to value-added touch point: The ATMs to 2025”. Michael Lee. CEO. ATMIA

Page 43: Webinar: The EMV Effect on ATMs

A Note on the Future of Payment Cards and Acceptance Devices

What will happen to Mag Stripe and PIN?

Magnetic Stripe and PIN are late 1960’s technology

They have ruled the payment industry for the past 50 years

Facts:

• USA, the last major Payment Market to adopt EMV
• Cardholder Validation Methods, such as Biometrics, are gaining strength as more secure and reliable than PIN
• Mobile On Device CVM is more and more accepted as a valid CVM

Some European Issuers are already considering eliminating the Magnetic Stripe from their payment products.

In the not so distant future, Payment Schemes will no longer require the ubiquitous Magnetic Stripe


Page 45: Webinar: The EMV Effect on ATMs


EMV is Here to Stay.

UL Transaction Security Bridges the Gap

Page 46: Webinar: The EMV Effect on ATMs

EMV is Here to Stay.

UL Transaction Security Bridges the Gap

UL Transaction Security can play a role supporting the ATM “Players” by leveraging:

• Testing and certification: brand test execution and validation
• Test Automation

Reducing efforts

Tools (BTT, Astrex) and Test Suites (Brand qualified)

CertPro and similar platforms

Increase quality (test coverage)

Shortening time to market

Page 47: Webinar: The EMV Effect on ATMs

Sign Up for our Trainings

October 18-20, 2016: Dallas, TX

December 6-8, 2016: Atlanta, GA

EMV Essentials for the US Market

July 27-28, 2016: Las Vegas, NV

August 16-17, 2016: Toronto, Canada

October 4-5, 2016: San Jose, CA

Mobile Payments Masterclass

To Register:

Visit www.ul-ts.com

Email [email protected]

*Mention Code ATMwebinar for a 10% discount

Page 48: Webinar: The EMV Effect on ATMs

UL

www.ul-ts.com

EMAIL US

Info: [email protected]

Test Tools Service: [email protected]

Eric de Katow: [email protected]

David Yavorsky: [email protected]

CALL US

North America: +1 510 771 1000

Latin America: +55 11 3049 8300

Europe: +31 71 581 3636

Middle East Africa: +971 4 558 5900

Asia Pacific: +65 62 74 0702

VISIT US

Find our locations on https://www.ul-ts.com/contact/

Page 49: Webinar: The EMV Effect on ATMs


Questions?