FINANCIAL SERVICES & RETAIL

EMV and NFC Evolution and Deployment Considerations for the Payments Industry

Written by Dr. Toni Merschen Principal at Toni Merschen Consulting [email protected]

Introduction

The discussion on whether to introduce EMV compliant chip cards, terminals and ATMs in the United States has been going on for more than 10 years. It was not until the August 2011 announcement of a U.S. EMV migration roadmap by Visa (and the subsequent moves by MasterCard, American Express and Discover) that a certain degree of practical momentum was introduced into the consumer payments landscape in the U.S. At the start of 2013, several major issuers have both EMV card and NFC mobile payment programs already underway.

This white paper will discuss the relationship between EMV and NFC to demonstrate that one relies on the other and together they represent a convenient and secure technology base for the next generation of consumer payments in the U.S.

In essence: EMV is more than ‘chip & PIN’ – NFC goes beyond contactless payments.

EMV for Secure Contact and Contactless Payments

EMV was initially developed to prevent fraud in card payments. The global deployment of EMV contact chip cards over the last decade has been tremendously successful. Significant fraud reduction ratios have been achieved and sustained wherever EMV has been comprehensively implemented, including the objective verification of the cardholder’s Personal Identification Number PIN by the chip.

The guiding principles of EMV transaction technology on which fraud reduction is based are:  Strong Card : a chip card can be authenticated as a valid and genuine payment card at the point of sale (POS) or ATM because, unlike the magnetic stripe, counterfeiting of a properly designed EMV chip card is next to impossible.  Use of Dynamic Data: Each transaction carries a unique ‘stamp’ which prevents transaction data from being fraudulently reused, even if stolen in large numbers from a merchant’s or processor’s data base. The reasoning for dynamic data is: ‘if you can’t prevent it from being stolen, then make the stolen data useless’.

In the case of chip & PIN being implemented:  Objective Cardholder Verification: The card can identify the rightful cardholder via a PIN offline, even when the financial transaction itself is being authorized on-line. This safeguard is much stronger than a signature, which in practice is rarely checked.

When MasterCard and Visa started to consider complementing contact chip cards with contactless technology they based their approach on EMV principles. In North America where EMV transactions were not supported by the acceptance and network infrastructure at the time, an EMV-like method was implemented using microprocessor based cryptography and unpredictable numbers to create an authorization request that could be transported by the magstripe network and message infrastructure. While this method’s security is much better than that of static magnetic stripe technology, it lacks the strength of EMV technology. Contactless payment cards outside of North America have used a customized version of the full EMV transaction flow from the outset and have hence inherited EMV’s superb security characteristics.

1 EMV stands for Europay, MasterCard, and Visa, the companies that originally created the global EMV® standard for credit and debit payment cards based on chip card technology. The EMV® Integrated Circuit Card Specifications are managed, maintained and enhanced by EMVCo, a company owned by American Express, JCB, MasterCard and Visa. For details see www.emvco.com.

NFC Standardization for Card Payments

From the very beginning, contactless payments were considered a formidable use of the upcoming NFC communication standard. In particular, the NFC card emulation mode allows an NFC-enabled mobile device to emulate a contactless . The NFC-enabled mobile device can present itself as a payment card in the hands of its owner who pays at a merchant’sPOS terminal.

The global payment systems and EMVCo have worked in close cooperation with other relevant standardization groups such as the NFC Forum, the GSM Association and GlobalPlatform to create a suitable architecture for EMV and NFC based mobile payments. This includes requirements for mobile handsets, the customer user interface, the mobile secure element (SE) containing the cardholder credentials and the EMV payment application. And lastly, for the secure provisioning of this data to the SE over the air (OTA).

US Migration: Why EMV and NFC need to go together

Before mobile proximity payments based on NFC become more widespread in the U.S., a more secure acceptance infrastructure needs to be deployed replacing the current magstripe technology. When Visa first announced its plans to migrate the U.S. payments market to EMV, their intentions were clearly stated:

“Visa Inc. today announced plans to accelerate the migration to EMV contact and contactless chip technology in the United States. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of NFC-based mobile payments by building the necessary infrastructure to accept and process chip transactions that support either a signature or PIN at the point of sale ”.

In the same announcement, Ellen Richey, chief enterprise risk officer at Visa Inc., paraphrased the EMV philosophy as described above:

"Dynamic authentication is the key to securing payments into the future. Adding dynamic elements to transactions makes account data less attractive to steal and takes more merchant systems out of harm's way, shrinking the battlefield against criminals.”

This move by Visa, which has since been seconded by MasterCard, Discover and American Express, reflects the changes regarding security and control that come with mobile payments.

In contrast to the card payment ecosystem, the data and applications necessary for conducting a secure mobile payment transaction cannot be stored and processed consistently and completely under full and exclusive control of the payment systems. In the payment card world, acceptance terminals, cards and networks are issued, controlled and managed by financial institutions in a relatively closed environment with stringent certification and audit requirements. In the mobile world, payment apps and their data co-reside with other potentially not as security sensitive, apps in a rather open environment on the mobile device which is not fully controlled by the financial industry. The data provisioning and the transactions themselves are conducted over open networks which were not designed with the security requirements the financial industry had in mind. In this situation, the decision to introduce a dynamic data regime along the lines of the EMV specifications to replace the existing static data magstripe infrastructure is more than prudent.

1 Visa Announces Plans to Accelerate Chip Migration and Adoption of Mobile Payments, http://corporate.visa.com/newsroom/press- releases/press1142.jsp, August 9, 2011

Conclusion: Secure and Attractive Services for the Consumer

In summary, EMVCo and the payment systems demand that mobile NFC payments are based on EMV technology; that the consumer credentials, the payments applications and the payments systems’ cryptographic keys are securely stored and processed in a Secure Element (SE), i.e. a microprocessor with security characteristics like a chip in an

EMV card. The reach of EMV technology is thus extended to provide a secure management and transactional base for upcoming NFC payments.

Finally, the same SE together with mobile wallet software can help not only make transactions more secure, but also offer the additional services such as personalized coupons and discounts, customer loyalty and geo-centric applications that make mobile payments successful in the market.

EMV and NFC are not mutually exclusive. They will continue to work together to create and maintain the next generation of the consumer payment experience. This is an exciting time for mobile payments in the U.S., and this is only the beginning.

Contact

For more information on this white paper or to reach Dr. Toni Merschen directly, please refer to his full contact information listed below.

Dr. Toni Merschen Principal at Toni Merschen Consulting

Herrberigstr. 5, 52152 Simmerath, Germany GSM: +49 151 4077 1528 Phone: +49 2473 5493290 FAX: +49 2473 5493291 E-mail: [email protected]

About Gemalto (Euronext NL0000400653 GTO) is the world leader in digital security with 2012 annual revenues of €2.2 billion and more than 10,000 employees operating out of 83 offices and 13 Research & Development centers, located in 43 countries.

We are at the heart of the rapidly evolving digital society. Billions of people worldwide increasingly want the freedom to communicate, travel, shop, bank, entertain and work – anytime, everywhere – in ways that are enjoyable and safe. Gemalto delivers on their expanding needs for personal mobile services, payment security, authenticated cloud access, identity and privacy protection, eHealthcare and eGovernment efficiency, convenient ticketing and dependable machine-to-machine (M2M) applications.

Gemalto develops secure embedded software and secure products which we design and personalize. Our platforms and services manage these secure products, the confidential data they contain and the trusted end-user services they enable. Our innovations enable our clients to offer trusted and convenient digital services to billions of individuals.

Gemalto thrives with the growing number of people using its solutions to interact with the digital and wireless world.

For more information, please visit www.gemalto.com, www.justaskgemalto.com, blog.gemalto.com, or follow @gemalto on Twitter.