1EMV, Tokenization and Apple Pay The New Landscape Carolina’s Credit Unions Council October 10, 2014 Leanne PhelpsSenior Vice President, Card ServicesState Employees’ Credit Union
2AgendaEMV: The TechnologyTokenizationMobile Payments with Apple Pay
3About State Employees’ Credit Union Serving state employees, teachers and their family members in North Carolina1.9 million members255 branch offices1,100 ATMs
4SECU Card ProgramsDebit Portfolio - Route through Visa DPS to SECU Host1.3 million Visa Check Cards$10.3 billion annual purchase volume305 million transactionsCredit Portfolio – Processed through First Data Resources300,000 Visa credit cards$1.1 billion open credit lines14.5 million transactions
5Why EMV? Secure chip stores payment information Chip card authentication prevents counterfeitingAdds cardholder verification methodsOffers online or offline authorization
6Form Factors Options Contact Chip is embedded in a card A contact card is inserted into a smart card readerThe contact points on the chip make contact with the card readerContactlessThe chip may be embedded in cards, key fobs, stickers, mobile phones, etc.A contactless chip requires close proximity to a reader (“tap and go”)Both the chip and the reader have an antenna and they use an RF (radio frequency) signal to communicate
7EMV – Building the Momentum The Top 10 DiscussionsAuthentication – Static vs. DynamicTransaction / Authorization Differences vs. TodayWhat is on the actual Chip – Application Identifier logicCard / Chip LifecycleVisa Recommendation for personalizationLiability ShiftPlanning and Implementation timingUnaffiliated networksVendor Support
9Transaction Flow Comparison Today – Magnetic StripeIssuer makes and passes Authorization DecisionFIIssuer Processor or Issuer validates cryptogram or cryptogram value, makes and passes Authorization DecisionTerminal Reads & Passes Track & Authorization DataMerchant Acquirer ProcessorIssuer ProcessorCard SwipedI
10Tomorrow - EMV New and Different Card InsertedThe terminal and chip card verify the response cryptogramMerchant Acquirer ProcessorIssuer ProcessorFIThe Issuer Processor or the FI verifies the request cryptogram and generates a response cryptogramCommunication between the chip card and the terminal – in both directionsTerminal to determine, by the Service Code, whether card is magnetic stripe only or chip cardService code is unique and placed on both the chip and magnetic stripe (begins with a 2 or 6)Track 2 equivalent on the chip
11EMV – Building the Momentum ConfigurationRoutingIndustry SupportMulti-accessBIN tableVisaCommonOne application / Two application identifiers (AIDs)Simplified personalizationEasier card managementLess application code and potentially less expensive chipSupports domestic and international usageEMV compliantFully supported by VisaUses existing network routing infrastructureOffers issuer flexibility through BIN file managementEnables merchants and POS acquirers to manage routing selection on a transaction by transaction basisSolution endorsed by EMV Migration Forum (EMF)All of the major unaffiliated debit networks support the Visa U.S. Common Debit AIDMaestroStarNYCEPulseAccelNetsCU 24ShazamAFFNCO-OP
12Card Personalization Best Practices Transaction AuthorizationAlways onlineNo offline authorization by chipAlways onlineNo offline data authentication1Card AuthenticationVisa CreditSignatureNo CVMOnline PIN (for ATM only)Visa DebitOnline PIN (POS and ATM)U.S. Common Debit AIDIssuer Cardholder Verification Method (CVM) ListBest practices should reduce complexity, cost and time-to-market
13Card Personalization Considerations Adding a contact chip to a mag stripe card impacts the card ordering / issuing process from both a timing and monetary perspective.A key stakeholder is the provider of card processing services What type of chip can they support and can they support you?Certification of the chips by the associations is taking between 90 days and six months.Based upon chip type and market availability of the chips, the turn times for card manufacturing should not vary much from mag stripe cards – perhaps adds two weeks. However, bear in mind that there is a growing global demand for chips (China, South America), which could impact chip availability.
14Points to RememberAdding a chip to a mag stripe card will increase costs – costs can be impacted by the type and size of chip. You can assume to add about a dollar to the present costs for manufacturing custom cards.Personalization Vendors are exploring ways to lower the costs of chip cards for small financial institutions, including the use of generic design plastics (hot-stamped with the credit union’s logo) and print-on-demand using edge to edge imaging equipment. The fees for personalizing the chips are incremental, and subject again to the type and number of applications being loaded onto the chip. Credit unions should expect these fees to be in the $0.25 to $0.40 per card range.Financial institutions should also ask their processor about possible fees associated with an EMV program (new BINs, key management, EMV transaction fees).
16Support of Debit Networks Common AID LicensingSupport StatusMaestroVisa U.S. Common Debit AIDCertified/Ready to SupportPulseJanuary 2015 CertificationNYCESTARFebruary 2015 CertificationCO-OPApril 2015 CertificationACCEL / AllPointSpecifications Under ReviewCU24Pending Specifications
17Counterfeit Fraud Liability Shifts Rewards investmentin EMVPOS: October 1, 2015AFD & ATM: October 1, 2017After Liability Shift: Liability shifts to the acquirer if counterfeit fraud occurs on a contact chip capable card and the merchant is not contact chip capableDoes not cover contactless, card-not-present transactions, or lost/stolen fraudCovers domestic and cross-border transactionsTransaction ExamplesCounterfeit LiabilityChip-on-chip transactionsIssuer holds the limited exposure that still existsMag-stripe cards at chip terminalsIssuer holds liabilityContact chip at mag-stripe terminalsAcquirer holds liability
18Key Vendors – Information & Requirements Host – Software VendorPlastic Card Vendors*VOL has the most updated listing of certified vendors*VOL has the common AID personalization specifications Debit & CreditEnhancement Control SupportSegmentation of basePOS entry mode – new data same fieldPINs – Host vs. StripeCertification and TimingMust be Visa/MasterCard CertifiedCard ArtStandard Chip & CVM’sTiming and AvailabilityKey managementNetworks & GatewaysInstant Issuance VendorsProcessor must code and certify with each networkCertification and TimingTiming and AvailabilityTest plastic will be required for certification
19Planning - 6 Weeks Key Considerations Vendor Readiness and Timelines RequirementsBuildCertificationLaunchVendor Readiness and TimelinesBudget – ROIIssuance Strategy – Full or Segmentation – At ReissueInternal Education PlanCardholder EducationMarketing StrategyPINs – Customer Selected – Host vs. Stripe Considerations and Project (if applicable)Credit FirstDebit – Date Coordination with Networks
20Tokenization – what is it?? Tokenization is the process of replacing the original payment credentials (PAN) with a unique “alternate identifier” which may be used in its stead to initiate payment activity.Replaces a traditional card account number with a unique payment token / digital account numberRestricts the use of a payment token by device, merchant, transaction type or channelPayment tokens further enhance security of digital payments and simplify purchase experience when shopping on mobile, computers or other smart devices and help reduce fraudulent activity….We need to start on what is tokenization, how is it different from familiar 16 digit card numberOctober 2013/March 2014April 2014 / June 2014October 20142015+PayIndustry standardCard Brand enabledMore to come…
21Minimizes ecosystem impact Supports new participation Core conceptsA Payment Token is a “alternate identifier” that can be used in place of a Personal Account Number (PAN) to initiate a payment transactionGlobalGlobal and interoperableCompatible with existing network routingCompatible with existing payment technologies (web, NFC, POS standards)Supports future payment technologiesImproved securityRegulatory compliantMultiple Payment Tokens can be attached to a single PANEnables new channelsSecurePayment Tokens Industry standard and serviceInteroperableMinimizes ecosystem impactSo how are payment tokens differentEssentially it’s a direct replacement for the primary account number that would be used to initiate a transaction through the payment networkIt does this by looking and acting like a real PAN in the systemPayment tokens would be securely mapped to the real PAN kept in what we’re calling the token vault and each issuer would be assigned a set of token BIN rangesIt’s more secure since the real PAN is never exposed and the use of token would be restricted to specific environments, devices or channelsIt would also ensure there would be consistency and more data coming from the trxn that would help improve security and transparency across all token trxnsAnd ultimately tokenization provides the foundation for new payments innovation that can be used across the industry by issuers, merchants and any 3rd parties looking to develop payment capabilitiesTo highlight the benefits and impact tokenization has across the value chainFrom implementation perspective, almost all the heavy lifting has been done by processors, endpoints and Visa to prepare systems to support and process tokensIt’s designed to be compatible with existing systems which means minimal disruption for most stakeholdersWhat this does is, it lays the foundation for everyone to benefit includingCARDHOLDERS who won’t even be aware of tokens but will appreciate that they do not have to face re-issuance every time they lose or have their phone stolenMERCHANTS and ACQUIRERS will have added protection of not having to store or manage sensitive card info….this obviously has become a lot important with recent merchant breaches that have happenedISSUERS can focus on developing new and innovative mobile and digital payments services without worrying about how they’ll store card credentials on mobile apps and the potential fraud that can happenWe’re taking this a step further to provide an end to end service for issuers that removes the burden of having to manage all the provisioning and lifecycle events for tokensSupports new participation
22Payment Tokens - Token Attributes Interoperable with BIN based account numbers / PANs – PAN / Account Number Validation Rules, Security, Structure and Regulatory Obligations Remain EnforcedDistinct and identifiable in system – merchant, consumer device(s) and issuerAble to support authentication by different entities and types (Issuer, Wallet, Merchant, etc)Tokens add value to the processing environment while improving visibility and protecting cardholder informationExisting PAN / Account Number Structure# # # # # # # # # # # # # # # #FI BIN Range –Various UseBIN - Identifies FIIdentifies CardholderNew Token Structure# # # # # # # # # # # # # # # #Identifies FIIdentifies Cardholder by PAN AND by Device AND by Merchant
23The Big Announcement! iPhone 6 – 4.7” display iPhone 6 Plus – 5.5” displayNFC!!!Apple Watch – with NFC!!!iOS 8And…….
24Apple Pay BasicsLatest addition to the mobile wallet landscape leveraging NFCBy Invitation-OnlySecurity and Privacy at the core of Apple PayUtilizes traditional payment rails preserving interchangeRequires tokenization
25Apple’s Motivation and Value Proposition Completing Transactions Apple Pay: What we knowScope and TimingApple’s Motivation and Value PropositionPayment AccountsCompleting TransactionsData and SecurityIn-Store PaymentsStreamlined online paymentsAvailable on iPhone 6, 6 Plus, and Apple Watch in 2015US Only in October 2014Replace physical walletPayments will be faster, more secure, and privateApple’s has 46% of market5 -10% terminals are NFC enabledAdd from iTune account or take a picture of cardStored as a token on secure element of deviceUse via Passbook appIn-store: contactless NFC terminals with Touch ID authenticationIn-App: integrated via the Apple Pay API with Touch ID authenticationData stays with merchant and financial institutionMerchant processes token, not card #
28Why Does Apple Matter? Widespread consumer acceptance and usage 10 million devices sold in first 3 days!800+ million iTunes accounts already on fileLeverages existing payments ecosystem and preserves interchangeImproves payment security = reduces potential fraudTokenizationSecure Element (Device number associated with token)Touch ID authenticates device and card owner
30What is your payments roadmap? Ensure your members can access their CU accounts from any channel they choose!Start with implementing EMVEnroll your card programs in tokenizationGet ready for the next generation of payments through mobile!
31Questions???Leanne Phelps State Employees’ Credit Union