
EMV™: What You Need to Know About Chip Card Issuance

August 26, 2014

Troy Cullen, President

EMV is a trademark owned by EMVCo LLC

Strictly Private & Confidential

Elan is an Active Participant in the U.S. EMV Migration

Alliance EMV Migration Forum
‒ Debit Committee
‒ Communication and Education
‒ Testing and Certification
‒ EMV Deployment
‒ ATM Migration
‒ Card Not Present

Elan will be fully EMV compliant on or before October 1, 2015

‒ October 1, 2015 – Visa® and MasterCard® Acquirer Fraud Liability Shift, POS
‒ October 1, 2016 – MasterCard® Acquirer Fraud Liability Shift, U.S. ATMs
‒ October 1, 2017 – Visa® Acquirer Fraud Liability Shift, ATMs

Note: No announced network mandates for Card Issuers

What is the Current U.S. Chip Migration Status?

• U.S. Readiness (Q4 2013)
  – Primarily Credit, followed by Debit in 2015
  – EMV Cards: ~17-20 million (< 2% of 1.1 billion cards total)
  – Adoption Rate: ~1-2%
  – EMV Capable Terminals: ~2 million (>12 million POS total)

• The critical path for U.S. EMV adoption includes two key factors:
  ‒ ability for regional PIN networks to participate in EMV for Debit card issuance (Durbin)
  ‒ interoperability between largest payment infrastructure of merchants, issuers, acquirers and sub processors

U.S. Readiness estimates stated from EMV Migration Forum, May 2014

U.S. Issuer Migration

[Chart: U.S. issuer migration; category labels not recoverable from the source]

Source: Aite Group interviews with card executives from 18 of the top 40 U.S. issuers and payment networks, April and May 2014

Projected U.S. Card Migration

Percentage of Credit and Debit Cards with EMV Capability, 2012 to e2017

[Chart: percentage of cards with EMV capability by year; data labels not recoverable from the source]

Source: Aite Group interviews with card executives from 18 of the top 40 U.S. issuers and payment networks, April and May 2014

Regional PIN Network Readiness – almost there

• Per Durbin routing rules, Debit cards must include unaffiliated brands.
• VISA and MasterCard ‘US Common Debit AID’ getting adopted by PIN networks, beginning Q1 2014.
• License agreements will allow regional PIN networks to EMV technology - and merchants unaffiliated brands for routing.
• Two unique AIDs for Debit issuance: one to support PIN networks and other to support global transactions.
• Issuers began Credit issuance in 2014. Debit chip card issuance expected to lag until merchants have ability to support terminal routing.

Projected U.S. Merchant Migration

• 53% of all terminals in U.S. expected to be converted by end of 2015 (mostly by large to medium sized merchants)
• Estimated that only 25% of small merchants will be ready
• Small merchants at risk due to October 2015 liability shift
  – Account for 58% of retailer establishments
  – 53% have limited to no knowledge of EMV
  – 50% have limited to no knowledge of upcoming EMV liability shift

Source: Javelin April 2014 EMV IN USA: Assessment of Merchant and Card Issuer Readiness

What to Expect in 2015

• Merchants and ATM Acquirers begin to announce their readiness to support EMV at POS and ATM
• POS and ATM Terminal Implementation:
  ‒ Chip capable: terminal hardware is “EMV ready”; software is not connected
  ‒ Chip enabled: software is connected at the chip terminal
• The ATM kernel (“EMV kernel”) and software is updated to process the encrypted data
• Processors and acquirers will be able to authorize the chip card transaction

When Will Elan be Ready?

Drop 1: January 2015
• Enablement of MoneyPass Network Certifications

Drop 2: June 2015
• Elan’s primary deliverable for processing chip card transactions
• Certification of , Cirrus, , MasterCard, Interlink and network interfaces
• Visa and MasterCard chip card issuance
• EMV software go live for Elan North direct attached Diebold ATMs
• Back Office system upgrades

Drop 3: October 2015
• Further expansion of Elan North ATM Acquiring interfaces
• EMV software go live for NCR ATMs (select models)

EMV GLOBAL DRIVERS

Global Drivers: Why is the U.S. Moving to EMV?

Security & Fraud
• Reduce counterfeit, lost and stolen card fraud
• Unique microprocessor that prevents card cloning
• Dynamic data
• Fraud migrates to the weakest link, which is becoming the U.S. since other major markets have migrated

Global Interoperability
• Increasingly difficult for U.S. travelers to use cards
• Vulnerability of U.S. payments infrastructure
• Foreign visitors will be able to use their chip cards in the U.S.

NFC and
• Accelerator for EMV in the U.S. to enable acceptance of other form factors
• Merchants implementing NFC in combination with enabling of EMV on POS devices
• Consumer adoption of contactless cards and mobile payments will continue to grow

Networks
• Major card brands are advancing the adoption of EMV through a series of liability shifts and mandates

Source: EMV Migration Forum, 2014

Magnetic Stripe and Chip Card Data

Magnetic stripe transactions are STATIC

• HEREISYOURCARDNUMBER^HEREISYOURNAME^EXPIREDATE^SERVICECODE^CVV

Chip transactions are DYNAMIC

How Does EMV Protect Against Fraud?

Embedded Microprocessor – Strong Security

• Terminal Device Will Detect Chip Card vs. Mag Stripe
• Secure Storage of Cardholder Data
• Dynamic Data Generated by the Chip for Every Transaction
• Stolen Data Cannot be Reusable in a Chip Transaction
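The static-versus-dynamic contrast above, as an added sketch that is not part of the original presentation: a toy chip and issuer host where each transaction carries a cryptogram bound to a counter, the amount and a terminal nonce, so a captured message fails when it is sent again. HMAC-SHA256 and the names `ToyChip`, `ToyIssuer`, `mac` and `demo` are assumptions standing in for the EMV cryptogram scheme, which the slides do not specify.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Toy cryptogram: HMAC-SHA256 stand-in, NOT the real EMV algorithm."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ToyChip:
    """Card side: the key stays on the chip; the counter moves every transaction."""

    def __init__(self, key: bytes):
        self._key = key
        self.atc = 0  # transaction counter

    def sign(self, amount_cents: int, nonce: bytes):
        self.atc += 1
        return self.atc, mac(self._key, self.atc, amount_cents, nonce)


class ToyIssuer:
    """Host side: recomputes the cryptogram and refuses counters already seen."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_atc = 0

    def authorize(self, atc, amount_cents, nonce, cryptogram) -> str:
        expected = mac(self._key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "decline: cryptogram mismatch"
        if atc <= self.last_atc:
            return "decline: counter already used"
        self.last_atc = atc
        return "approve"


def demo():
    key = secrets.token_bytes(32)   # constructed key shared by card and issuer
    chip, issuer = ToyChip(key), ToyIssuer(key)
    nonce = secrets.token_bytes(4)  # terminal-supplied random value
    atc, ac = chip.sign(2500, nonce)
    genuine = issuer.authorize(atc, 2500, nonce, ac)
    replayed = issuer.authorize(atc, 2500, nonce, ac)    # same captured message again
    reused = issuer.authorize(atc + 1, 9900, nonce, ac)  # old cryptogram, new transaction
    return genuine, replayed, reused


if __name__ == "__main__":
    print(demo())
```

A magnetic stripe has no counterpart to the counter or the key: the same track string is presented on every swipe, so the host cannot tell a copy from the original.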

Will EMV Prevent Data Breaches: The Big Picture

• More than 600 data breaches were reported last year with a 30% increase from 2012 in breaches that exposed card data
• Security executives caution that EMV cards and point-of-sale terminals alone would not have prevented a Target-style breach
• Data can still be transmitted unencrypted during an EMV transaction

EMVCo’s New Tokenization

EMVCo plans to establish new tokenization standards

• Tokenization is the process of replacing a card account number with a unique string of characters that is restricted in how it can be used

• Tokens can be assigned for use with a specific device, merchant, transaction type or channel

• Global networks will offer new specifications to complement existing EMV technical specifications

• Point to Point encryption protects against Card Not Present fraud

Emerging Mobile Payment Technologies

• EMV brings more revenue and increased efficiencies
• Mobile = new business models and new players
• EMV provides dynamic authentication in an enhanced contactless environment and paves the way for delivering seamless mobile payments
  – M-commerce (Mobile Payments)
  – Near Field Communication (NFC)

EMV ISSUER BUSINESS CASE

Building Your EMV Business Case

2014 Planning

Step 1: Calculate Risk Exposure
• Portfolio Segmentation
• Determine business need for international travelers

Step 2: Develop a Budget Plan
• Terminal upgrades and chip card production costs

Step 3: Choose an EMV Card Profile
• Application/AIDs, including US Common Debit AID solution
• Authorization/Authentication and Cardholder Verification Methods

Step 4: Marketing and Communications Plan
• and Cardholder education

U.S. Chip Card Issuance Best Practices

Transaction Authorization: ALWAYS ONLINE
• Use Global and US Debit AIDs

Card Authentication: ALWAYS ONLINE
• Uses online cryptogram
• No offline data authentication

Cardholder Verification Method List
• Signature (Goods and Services)
• Online PIN (Cash)
• No CVM (Unattended/Trans<$50)

• Include multiple AIDs, including U.S. Common Debit AID to ensure Durbin compliance
• The simplest and least expensive option is to use ‘Signature and No CVM’ as the baseline for global interoperability
• MasterCard prefers Chip & PIN over Chip & Signature for Goods and Services

Which Chip Payment Application Should I Use?

• Each payment application has its own data formats and proprietary fields.
• Based on ISO/IEC and EMVCo specifications.
• Contains risk management parameters and other values indicating how issuers want the card to act under given situations.

Payment applications by brand, built on EMVCo Specifications:
• Visa: VSDC
• MasterCard: M/Chip
• Discover: DPAS
• American Express: AEIPS

Which Chip Application Identifier (AIDs) Should I Use?

• The AID acts as a ‘pointer’ that opens the application for interrogation
• The Application and AIDs used depends on the brand on the front of the card
• The U.S. will likely have two AIDs on the chip:
  ‒ 1 Global AID for Signature and International acceptance
  ‒ 1 U.S. Debit AID for domestic ATM, PIN POS and No CVM

Merchant/Device Differences

Different merchant and device environments will have unique experiences and timelines for EMV deployment

Restaurant
• Terminal to table
• PIN or signature
• No CVM at some quick service restaurants

ATM
• Online PIN – required

Automated Fuel Dispensers (AFD)
• Pay at pump with PIN
• Pay at pump No CVM
• Pay inside with PIN or signature

Source: EMV Migration Forum, 2014

Cardholder Experience: How a chip card works in a mixed acceptance device environment

EMV Chip Card Terminal
• Insert card and leave in terminal until transaction is complete and you are prompted to remove card
• Follow screen prompts to complete transaction

Magstripe only Terminal
• Swipe card
• Sign Receipt

• There are many terminals in market today with the Chip Reader that do not support EMV chip cards. This could cause some cardholder confusion/frustration.
• If a chip card is swiped in a chip card enabled terminal the terminal will prompt the cardholder to insert the card into the reader.

Cardholder Education Options

Issuer messages by channel (the slide arranges them under Pre-issuance, During Issuance and Post Issuance):

• Statements: “What's Different”, “How to use”, “Your card is changing”, “How to use”, “Benefits”
• Welcome Packs: “Your new chip card is here”
• Call Center/IVR: “Your card is changing”, “Benefits”, “How to use your card”
• Online: “Your card is changing”, “Benefits”, “How to make internet purchases”
• ATM: “How to use your card at the ATM”, “How to use”

Source: EMV Migration Forum, 2014

What are the ATM Owner Impacts?

• Visa and MasterCard ATM Acquirer Liability Shift:
  – ATM card reader hardware must be EMV capable or “smart card” ready
  – Receipt changes
  – Updated messaging on ATM screens
  – It is not clear when, or if, U.S. ATMs will support contactless technology

• Consumer Education
  – Card must be engaged for transaction duration… “don’t forget your card!”

Process to a Chip Card Conversion

• Find Out the Readiness of Players Involved
  – Card Manufacturers
  – Card Personalization vendors
  – Regional PIN Network
  – Processor

• Program Cost
  – $$$ is determined by chip selection and encryption type
  – Testing and Certification

• Setting a Target Date to Begin your EMV Transition
  – 4 - 6 months depending on the U.S. market readiness
  – 2014 planning and budgeting for 2015 implementation

Questions?

Sandy Dennler, Senior Product Manager, Elan

APPENDIX

U.S. Road Map for POS EMV Conversion

U.S. ATM EMV Road Map

Mandate vs. Liability Shift

• A mandate is a directive from the networks to comply with their specific Operating Rules, with non-compliance resulting in potential fines.
  – Networks have mandated the processing of chip card transactions to POS and ATM acquirers and sub processors
• A liability shift is not a mandate.
• Global networks have stated in cases involving fraudulent cards the issuer or acquirer with the lowest levels of EMV protection will absorb the fraud liability.
• If an acquirer is not supporting EMV, they will assume the loss for counterfeit fraud transactions. If the acquirer is EMV compliant, the fraud liability remains with the card issuer.
• The following fraud types are excluded from the EMV Liability Shift:
  – Card-Not Present Fraud
  – Account Takeover
  – Lost/Stolen

Liability Shift Scenarios

Issuer Chooses not to Issue EMV Cards

• Non-Compliant Terminal
  – Card: Magnetic Stripe
  – Terminal: Non-EMV Compliant
  – Terminal Action: No Change
  – Cardholder Experience: Card Swipe – Magnetic Stripe
  – Liability Shift: Issuer (BAU)

• Compliant Terminal
  – Card: Magnetic Stripe
  – Terminal: EMV Compliant
  – Terminal Action: No Change
  – Cardholder Experience: Card Swipe – Magnetic Stripe
  – Liability Shift: Issuer (BAU)

Liability Shift Scenarios

Merchant or ATM Acquirer Chooses not to Move to EMV

• Non-Compliant Terminal
  – Card: Chip
  – Terminal: Non-EMV Compliant
  – Terminal Action: No Change
  – Cardholder Experience: Card Swipe – Magnetic Stripe
  – Liability Shift: Merchant or ATM Owner

• Compliant Terminal
  – Card: Chip
  – Terminal: EMV Compliant
  – Terminal Action: Chip is read successfully. iCVV and Cryptogram data passed to host. POS entry mode and cryptogram presence identify this as a chip transaction.
  – Cardholder Experience: Cardholder inserts card; may be directed to insert card if swiped first
  – Liability Shift: Issuer (if transaction approved)

Liability Shift Scenarios

Technical Fallback

• Compliant Terminal
  – Card: Chip
  – Terminal: EMV Compliant
  – Terminal Action: The terminal creates a magnetic stripe transaction. This is (technical) fallback. CVV is from the mag stripe and there is no cryptogram present. POS entry mode helps identify this as fallback because it indicates the terminal was chip capable but the chip was not read.
  – Cardholder Experience: Cardholder inserts card. If chip cannot be read the terminal prompts cardholder to swipe card
  – Liability Shift: Merchant or ATM Owner
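The three liability scenarios above expressed as classification logic over authorization records, as an added Python example that is not part of the original presentation. The `AuthRecord` fields, the `"chip"`/`"swipe"` labels and the sample records are constructed for illustration, and the `inconsistent` branch is an extra sanity check the slides do not describe.

```python
from dataclasses import dataclass


@dataclass
class AuthRecord:
    """Constructed authorization record; field names are hypothetical."""
    txn_id: str
    card_has_chip: bool       # from the issuer's own issuance records
    terminal_emv: bool        # terminal is EMV compliant
    entry_mode: str           # "chip" or "swipe", as signalled by POS entry mode
    cryptogram_present: bool


def classify(r: AuthRecord):
    """Return (transaction type, party bearing the liability per the slides)."""
    if r.entry_mode == "chip":
        if not (r.card_has_chip and r.terminal_emv and r.cryptogram_present):
            return "inconsistent", "review"  # added check, not from the slides
        return "chip", "issuer"              # issuer, if transaction approved
    if not r.card_has_chip:
        return "magnetic stripe", "issuer"   # issuer did not issue EMV (BAU)
    if r.terminal_emv:
        # Chip card swiped at an EMV terminal with no cryptogram: fallback.
        return "technical fallback", "merchant or ATM owner"
    return "magnetic stripe", "merchant or ATM owner"  # non-EMV terminal


# Constructed sample records, one per scenario plus one malformed record.
SAMPLES = [
    AuthRecord("t1", False, False, "swipe", False),
    AuthRecord("t2", False, True, "swipe", False),
    AuthRecord("t3", True, False, "swipe", False),
    AuthRecord("t4", True, True, "chip", True),
    AuthRecord("t5", True, True, "swipe", False),
    AuthRecord("t6", True, True, "chip", False),
]


def fallback_report(records):
    """IDs worth a second look: fallback and inconsistent records."""
    return [r.txn_id for r in records
            if classify(r)[0] in ("technical fallback", "inconsistent")]


if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.txn_id, *classify(rec))
    print("review:", fallback_report(SAMPLES))
```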

Magnetic Stripe Card Transaction Flow

Source: EMV Migration Forum, 2014

Chip Card Transaction Flow

Source: EMV Migration Forum, 2014