UL and the UL logo are trademarks of UL LLC © 2016
May not be copied or distributed without permission.
WEBINAR
The EMV Effect on ATMs Present Challenges, Best Practices and Future Outlook
Our Team
SPEAKER
Eric De Katow
Principal Advisor EMV Expert
UL Transaction Security
MODERATOR
David Yavorsky
Test Analyst EMV Expert
UL Transaction Security
Agenda
What is EMV?
Liability Shifts and Fraud
Benefits of EMV
Who is affected by the EMV wave?
ATM Maintenance and Upgrade
Industry challenges: The Future of ATMs
Wrap-up
Next steps
Payment Technology Evolution
Embossed
• Manual payment transactions
• Limited fraud protection
Magnetic Stripe
• Electronic payment transactions
• Static fraud protection
EMV
• Electronic payment transactions
• Dynamic fraud protection
What is EMV?
EMV is named after the original organizations that developed it: Europay, MasterCard
and Visa.
EMV is a global secure standard for payment transactions. The security is based on
dynamic cryptography.
It is a set of specifications that ensure interoperability between chip products and
acceptance devices.
EMV was designed as an acceptance device specification for card present transactions
using a contact chip interface.
Payment Technology: A Tale of 2 Cards
B370261765230537^71171
VALUEDCUSTOMER00007^1309101091099116
370261765230537=130910109109911600007
EMV Data: 2.5 K of data
Magnetic Stripe Data: Track 1 & 2
What is a Chip?
Known in the industry as a chip, chip card, smartcard, or Integrated Circuit Card (ICC).
There are 2 main categories for chip architectures:
– Memory only
– Microprocessor and memory
Chips that include microprocessors are mini computers integrated into a small piece of silicon… this enables cryptographic operations
What is a Chip?
Microprocessor chips are used for EMV Payment cards because they provide strong security using cryptography.
The chip contains secret keys which allow EMV to use two forms of cryptography:
– Digital signatures - data integrity and authenticity
– Encryption* - data confidentiality
EMV devalues data by using digital signatures. A common use for a digital signature in EMV is called a cryptogram.
The State of EMV Adoption Worldwide
Card Fraud in the USA
Evolution of Card Fraud
ATM Fraud in the USA – FICO
• 546%: the rise in ATM compromises in US from 2014 to 2015
• 10 times: more non-bank ATMs, such as those in convenience stores, were compromised in 2015 than in 2014
• The average duration of a compromise fell from 36 days in 2014 to 14 days in 2015
• Criminals are taking a quick-hit approach to ATM theft and card fraud.
• ATM compromises in 2015 also spread out across the country
Liability Shift
Domestic transactions
Intra regional transactions
Counterfeit Liability Shift: Counterfeit & skimming fraud
• Issuers assume counterfeit fraud related liability if a non-EMV chip card is presented at an EMV capable terminal
• Merchant / Acquirers assume counterfeit fraud related liability if an EMV chip card is presented at a non-EMV capable terminal
Lost & Stolen Liability Shift: Lost / Stolen / Card-not-received Fraud
• EMV cards are issued without PIN support. Issuer continues to bear liability.
• Merchant / Acquirers are liable when the acceptance device is EMV without PIN support.
• Contactless Transactions are not within scope of liability shift
• A country or region cannot participate in Chip/PIN Liability Shift without first or concurrently participating in Counterfeit Liability Shift
EMV Liability Shift – USA
• 10/2015 for POS, 10/2017 for AFD. Liability Shift includes both Counterfeit and Lost and Stolen
• 10/2015 for POS, 10/2017 for ATM and AFD. Liability Shift includes only Counterfeit
• 10/2015 for POS, 10/2016 for ATM, 10/2017 for AFD. Liability Shift includes both Counterfeit and Lost and Stolen
• 10/2015 for POS, 10/2017 for AFD. Liability Shift includes both Counterfeit and Lost and Stolen
Benefits of EMV: Cryptography
“The art or process of hiding data, then deciphering it, by using secrets and algorithms”
Secrets: Symmetric and Asymmetric Keys.
Algorithms: DES, 3DES, RSA, AES…
Confidentiality
• PIN Block encryption
• Issuer Scripts encryption
Authentication
• Inquiry & response cryptograms
• Issuer & card certificates
• Digital signatures
Integrity
• Issuer scripts
• Cryptograms certificates
• Digital signatures
Non repudiation
• Inquiry & response cryptograms
• Certificates
Benefits of EMV: Cryptography
[Figure: a sample text message is passed through Encrypt to produce ciphertext and through Decrypt to recover the original text (Confidentiality); the same message is passed through a MAC Algorithm to produce a Message Authentication Code (MAC) (Integrity + Authenticity).]
Benefits of EMV: EMV Devalues the Data on the Magnetic Stripe
The Service Code on the card magnetic stripe identifies the card technology: EMV or Magnetic Stripe
Service Code First Position tells the story:
• 1 or 5: Magnetic Stripe
• 2 or 6: Chip Card
If the Magnetic Stripe of a Chip Card is “skimmed”, an EMV certified device will require the Chip to be inserted
Upon identifying a Chip Card Service Code, the acquirer must request the card to be inserted in the Chip reader.
A non-EMV certified device will process the transaction as Magnetic Stripe and the acquirer will be liable for the fraud.
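The service-code check described on this slide, as an added example that is not part of the original deck: it parses a Track 2 string, reads the first service-code digit, and returns the handling the slide describes. The Track 2 layout follows ISO/IEC 7813; the function names and result strings are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Track 2 layout: PAN '=' YYMM expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)
CHIP_FIRST_DIGITS = {"2", "6"}    # chip card, per the slide
STRIPE_FIRST_DIGITS = {"1", "5"}  # magnetic stripe, per the slide

@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str

    @property
    def masked_pan(self) -> str:
        # Keep first 6 and last 4 digits only, so logs never hold a full PAN.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]

def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 string")
    return Track2(m["pan"], m["exp"], m["svc"])

def swipe_decision(raw: str, terminal_is_emv: bool) -> str:
    """Decide how a swiped card is handled (result names are hypothetical)."""
    first = parse_track2(raw).service_code[0]
    if first in CHIP_FIRST_DIGITS:
        # A chip card was swiped: an EMV device must ask for the chip instead.
        if terminal_is_emv:
            return "REQUIRE_CHIP_INSERT"
        return "MAGSTRIPE_ACQUIRER_LIABLE"
    if first in STRIPE_FIRST_DIGITS:
        return "PROCESS_MAGSTRIPE"
    return "DECLINE_UNKNOWN_SERVICE_CODE"

# Track 2 sample shown on the "Tale of 2 Cards" slide (service code 101).
PAGE_TRACK2 = "370261765230537=130910109109911600007"
# Constructed variant of the same string with service code 201 (chip card).
CHIP_TRACK2 = "370261765230537=130920109109911600007"

if __name__ == "__main__":
    for raw in (PAGE_TRACK2, CHIP_TRACK2):
        t = parse_track2(raw)
        print(t.masked_pan, t.service_code, swipe_decision(raw, True))
```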
Benefits of EMV: Digital Signatures
EMV devalues data by using digital signatures
A common use of digital signatures in EMV is the Cryptogram.
The Cryptogram is generated in the CHIP using 11 different data elements, some dynamic, using secret keys stored in the Chip Secure Element
When the Issuer validates the Cryptogram, it confirms that it was generated by the Issuer's own Chip card (Validation) and also confirms that none of the 11 data elements were altered during the journey between the Acquirer and the Issuer (Integrity)
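Why a cryptogram over dynamic data devalues copied card data, as an added example that is not part of the original deck. It assumes a key shared between card and issuer, uses HMAC-SHA256 as a stand-in for the chip's real algorithm, and assumes the issuer tracks a transaction counter (atc); the 11 field names are illustrative, since the slide only gives their number.

```python
import hashlib
import hmac

# Illustrative names for the 11 data elements; some change on every transaction.
FIELDS = ("amount", "amount_other", "country", "tvr", "currency", "date",
          "txn_type", "unpredictable_number", "aip", "atc", "cvr")

def _encode(txn: dict) -> bytes:
    # Length-prefix each value so data cannot be shifted between fields.
    out = b""
    for name in FIELDS:
        value = str(txn[name]).encode()
        out += len(value).to_bytes(2, "big") + value
    return out

def card_cryptogram(card_key: bytes, txn: dict) -> bytes:
    # Stand-in algorithm: HMAC-SHA256 truncated to 8 bytes (an assumption).
    return hmac.new(card_key, _encode(txn), hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.last_atc = -1  # highest counter accepted so far

    def validate(self, txn: dict, cryptogram: bytes) -> str:
        expected = card_cryptogram(self.card_key, txn)
        if not hmac.compare_digest(expected, cryptogram):
            return "REJECT_BAD_CRYPTOGRAM"  # wrong key or altered data element
        if txn["atc"] <= self.last_atc:
            return "REJECT_REPLAY"          # a captured cryptogram was reused
        self.last_atc = txn["atc"]
        return "APPROVE"

def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample key
    issuer = Issuer(key)
    txn = {"amount": 2000, "amount_other": 0, "country": "0840", "tvr": "8000008000",
           "currency": "0840", "date": "160601", "txn_type": "01",
           "unpredictable_number": "9086274077", "aip": "5C00", "atc": 17, "cvr": "1A03"}
    genuine = card_cryptogram(key, txn)
    altered = dict(txn, amount=90000)       # amount changed in transit
    cloned = dict(txn, atc=18)              # card data copied without the chip key
    return [
        issuer.validate(txn, genuine),
        issuer.validate(txn, genuine),
        issuer.validate(altered, genuine),
        issuer.validate(cloned, card_cryptogram(b"guessed-key", cloned)),
    ]

if __name__ == "__main__":
    print(demo())
```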
Benefits of EMV: Reduces Card Present Fraud
Reducing Skimming Fraud at the ATM
The previously valuable Magnetic Stripe data lost its value because of the EMV process
Who is affected by the EMV Wave?
ATM Maintenance & Installation Vendors
ATM Manufacturers
ATM Maintenance: What is inside an ATM?
ATM Architecture
Hardware Components:
• Combined Card reader
• Contactless Reader
• PIN PAD
• Display Screen
• Receipt Printer
• Statement Printer
• Cash dispenser
• Cash Cassettes
• Envelope Dispenser
• Envelope Deposit
• Personal Computer
• Speakers
• Camera
• Telephone
• Safe
• Secure Casing
Software Components:
• PC Operating System
• Software
• Loads (screens)
• Reader software
• PIN PAD software
• Online Software
• Online Monitoring
ATM Set up & Maintenance
• Insurance premiums
• Maintenance & cleaning
• Site rentals
• Security & Fraud prevention
• Network membership/transactions fees
• Site surveys & installation
• Hardware: (All the equipment, inside and outside)
• Software: purchase, maintenance, upgrades, developers
• Windows OS Replacement
• Telecommunication & system connectivity
• Cash supply & Replenishment
ATM Upgrade for EMV: A Major Project
• Require careful planning
• 9 to 12 months – sometimes longer
• Inventory of existing ATMs: HW & SW, configuration, location…
• Define Business Requirements
• Card brands supported
• Transaction supported
• Transaction flow changes
• Receipt changes
Upgrade or Replace?
In House or Outsource migration?
Work closely with ATM Vendors
Coordination with Processors and Acquirers
Set timelines: HW & SW upgrades, Development
Testing and Certification
Roll out strategy
Industry Challenges: Today
• Reduction in interchange fees
• Anti-money laundering rules
• ADA: American with Disabilities Act
• ATM Security (viruses, malware, skimming, hacking etc.)
• EMV migration costs
• Windows OS Migration from XP to 7 & 10
• Performance
Industry Challenges: Tomorrow
• Keeping up with changing technologies
• New Cardholder Identification methods
• Additional services: Types of activities suitable in an ATM?
• Cardless Cash Withdrawals: what are the options?
• Mobile Technology and Mobile Banking Trends: How will it impact ATMs?
The Future of ATMs: Cash
Cash is still ALIVE & Well, almost all over the world and especially in advanced and
developing economies
The Future of ATMs: Mobile and Cardless
Mobile technology is predominant and its usage growing as Applications are multiplying.
Just about every Financial Institution now offers its own Mobile Banking App.
ATMs are beginning to meet the mobile challenge
Bank of America is developing automated teller machines where customers will be able to withdraw cash using their smartphones instead of plastic cards.
BoA also demonstrated ATM Cash Withdrawal at the Google I/O 2016 using Android Pay and NFC. Available now in about 650 ATMs in the Bay Area, Nationwide by EOY
The Future of ATMs: Mobile & Cardless
JPMorgan Chase is preparing a nationwide rollout later this year of thousands of new cash machines that don’t need an ATM card.
San Francisco-based Wells Fargo announced its plan for a technology that will let customers start a transaction, such as withdrawing cash, on their phone before heading to an ATM.
The Future of ATMs: Changing Technology
All three services support EMV contactless technology which can be used with ATMs
EMV Contactless processing is very similar to Contact EMV processing
NFC & Cardless eliminate Skimming
* JPMorgan Chase and Wells Fargo also announced they will support NFC at their ATMs in 2016
The Future of ATMs: Identification Methods
Cardholder Verification is a key element in cash withdrawals
While PIN is not dead, it is breathing with difficulty
Fingerprint is the principal option, but not the only biometrics that can be applied at ATMs:
• Physiological: Face recognition, Palm Print, Eyes
• Behavioral: Voice, Signature, Keystroke
Two banks in Brazil allow cash withdrawals and other transactions without card, only using biometrics
* Biometrics are gaining lots of strength as Valid Cardholder Verification Methods
The Future of ATMs: Additional Services
ATM can be much more than just a cash dispensing machine
• Managing checking and saving accounts
• Currency conversion
• P2P transfer
• Mortgage and loan applications
• Undertaking various payments such as utility bills, credit card bills, insurance premium, even pay for lotteries
• Cross border transfer
• Train tickets
The Future of ATMs: Additional Services & Costs
JPMorgan Chase study
• Teller: It costs the bank 65 cents to make a deposit with a teller.
• ATM: It costs the bank 8 cents to make a deposit at an ATM.
• Mobile: It costs the bank 3 cents to make a deposit through a mobile app.
• The trend in the Banking Industry is to shift Customer Service from Branches to its ATMs
• Banks are shifting the cost of their ATMs from their Operations Division to their Customer Service Division
The ATM of the Future: Bank in Box
Security
Biometrics
Performance
Banking Service channel
No need to enter a Branch
Simplicity of use:
Simplified menus
Multifunctional:
Diverse transaction set
“From automated teller to value-added touch point: The ATMs to 2025”. Michael Lee. CEO. ATMIA
And still: Dispense Cash…..
Ease of access –NFC-QSR
Location Location Location
A Note on the Future of Payment Cards and Acceptance Devices
What will happen to Mag Stripe and PIN?
Magnetic Stripe and PIN are late 1960’s technology
They have ruled the payment industry for the past 50 years
Facts:
• USA, the last major Payment Market to adopt EMV
• Cardholder Validation Methods, such as Biometrics, are gaining strength as more secure and reliable than PIN
• Mobile On Device CVM is more and more accepted as a valid CVM
Some European Issuers are already considering eliminating the Magnetic Stripe from their payment products.
In the not so distant future, Payment Schemes will no longer require the ubiquitous Magnetic Stripe
EMV is Here to Stay.
UL Transaction Security Bridges the Gap
UL Transaction Security can play a role supporting the ATM “Players” by leveraging:
• Testing and certification: brand test execution and validation
• Test Automation
Tools (BTT, Astrex) and Test Suites (Brand qualified)
CertPro and similar platforms
Reducing efforts
Increase quality (test coverage)
Shortening time to market
Sign Up for our Trainings
October 18-20, 2016
Dallas, TX
December 6-8, 2016
Atlanta, GA
EMV Essentials
for the US Market
July 27-28, 2016
Las Vegas, NV
August 16-17, 2016
Toronto, Canada
October 4-5, 2016
San Jose, CA
Mobile Payments
Masterclass
To Register:
Visit www.ul-ts.com
Email [email protected]
*Mention Code ATMwebinar for a 10% discount
UL
www.ul-ts.com
EMAIL US
Info
Test Tools Service
Eric de Katow
David Yavorsky
CALL US
North America
+1 510 771 1000
Latin America
+55 11 3049 8300
Europe
+31 71 581 3636
Middle East Africa
+971 4 558 5900
Asia Pacific
+65 62 74 0702
VISIT US
Find our locations on https://www.ul-ts.com/contact/
Questions?