EMV Security Implementation

Presented By:

Mike Hughes, North American Strategic Partnerships Moneris Solutions • U.S. EMV Migration Update • Lessons learned from the Canadian EMV Migration • EMV Upgrades: Roles and Responsibilities • Value of End-2-End Encryption • Key Functionalities for Parking • EMV Use Cases Largest electronic payment processor in , 6th largest in Source: USA Visa August 2016 Chip Update Infographic CAN Visa Intl. CAN V/MC CAN AFD Liability Shift Domestic Liability Shift st st Oct 31 2010 Liability Shift Mar 31 2012 st Mar 31 2011 5 6 EMVCo sets the “Standards”, but it is the Brands who determine what, and how, these standards are “Implemented”. Layers Management Functions Certification Entity Level 1 - Physical Protocols between the chip card and EMVCo the PED Level 2 - Software EMV application selection, EMV EMVCo (Kernel) command set, and the EMV transaction steps PED Payment EMV command/response mgmt., Acquirer on behalf 7Application encryption, communication protocols of7 brands 8 Visa Quick Chip enables deploying an online only configuration (zero floor limit)

Source: Visa September 2016 EMV Newsletter, Visa Quick Chip Implementation Steps 9 Reducing PCI Scope • End-to-End Encryption solutions manage all aspects of the transaction requiring clear-text account data (BIN lookup, PIN block, etc.), and… • End-to-End Encryption prevents the release of clear-text account data into the merchant’s environment, thus… • The “edge” of the Payment Entry Device (PED) becomes the boundary of the merchant’s Cardholder Data Environment (CDE) completely removing the POS from PCI PA-DSS compliance scope Effective 1 October 2012, Visa’s Technology Innovation Program (TIP) rewards U.S. merchants that have invested in EMV technology by eliminating the PCI DSS validation requirement for any year in which at least 75 percent of the eligible merchant’s Visa transactions originate from dual interface EMV chip-enabled terminals.

Source: Visa Data Security Program Keeping Cardholder Data Safe • EMV Credit • Store and Forward • PIN Debit / • Tokenization / Recurring • E2E Encryption • Remote Download • Hashing (Card-in/Card-Out) • Contactless Credit / Debit • Whitelisting of 3rd Party Cards • Progress Tokens / Key Echoing (unencrypted non-bankcard) • Card Reader Only Configuration • Use of Pin Pad for Non-Payment Data Entry (No Pin Pad) • 20 VenTek International Pay Stations

• Solar Battery Powered

• Cellular Modem 3G or 4G Connection

13 VenTek Paystation Internal Network

VenTek Data TAP Center Reader Moneris and UX300 Moneris Secure Card PIN Reader VenTek Pad Cellular Auxiliary Modem Control Unit (3G or 4G) (acting as Router) VenTek May also be Wi-Fi C1100 or Ethernet Paystation Controller

Paystation Cabinet

14 WMATA NEPP Pilot • 10 fare gates • 50 buses • 2 parking lanes • 2,000+ customers

15 https://youtu.be/BMAm7zCTij0 ICS Car Wash • 5,000+ U.S. Kiosks • EMV Certified in CAN and US • ISO and Proprietary Gift • Tokenization / Recurring

16 • Direct Vs. Pre-Certified Solution • Functionality and Future Proofing • Physical and Environmental Impacts • Cost, Timeline, and PCI Security Thank You!

[email protected]

18