Transcript of: Card Acquiring Service - Bureau of the Fiscal Service
Card Acquiring Service:2017 Conversion
Ian Macoy, Fiscal Service
Winston Wilson, Comerica Bank
Michael Halpin, Vantiv
LEAD ∙ TRANSFORM ∙ DELIVER (Page 2)
Agenda
1. Card Acquiring Service (CAS): What is it and where we're going
   Ian Macoy, AAP, Director, Settlement Services Division; Revenue Collections Management, Bureau of the Fiscal Service
2. Conversion to Our New Financial Agent Comerica: What agencies need to know
   Winston Wilson, Vice President, Comerica Bank
3. Securing Cardholder Data: Leveraging Conversion for Program Improvements and a Safer Environment
   Michael Halpin, Senior Relationship Manager, Vantiv
Learning Objectives
• A strong understanding of CAS and the future
  – How your help with the conversion links to that future
• A more in-depth understanding of the CAS conversion and other important initiatives
  – How we will be leveraging the conversion to further secure your customers' data
The Card Acquiring Service: What is it and where we're going
Ian Macoy, AAP, Director, Settlement Services Division; Revenue Collections Management, Bureau of the Fiscal Service
CAS Program Overview
What is the Card Acquiring Service? CAS is a Fiscal Service program providing merchant acquirer/payment card acceptance services to federal agency customers.
Services provided:
• Enables agency acceptance of credit, debit, electronic benefit transfer (EBT), and branded stored value (e.g. gift) cards
• Performs payment card authorization, transaction processing, settlement and customer support functions
Acceptance Points:
• Point-of-sale ("card present")
  – Traditional standalone point-of-sale (POS) terminals
  – Value Added Reseller (VAR)/Integrated POS (iPOS) systems (e.g. electronic cash registers)
  – Vantiv Accept (mobile) and kiosks
• Internet-based software applications ("card not present") through Pay.gov
Financial Agent: Comerica Bank, with Vantiv as merchant acquirer/processor
Key Program Metrics*
Transaction Volume (dollars):
• $12.2 billion collected
  – POS (standalone and integrated POS systems): 49%
  – Pay.gov: 51%
  – $9.7 billion Credit Card (of which Signature Debit $1.9 billion)
  – $2.5 billion PIN Debit
Transaction Count:
• 132.8 million transactions
  – POS: 74%
  – Pay.gov: 26%
  – 96.0 million Credit Card (incl. 35.2 million Signature Debit)
  – 36.7 million PIN Debit
Avg. Transaction: $92.38
*NOTE: As of Calendar Yearend 2016
2016 CAS Program Costs (chart with categories Interchange, Network Fees and Direct)
90+ agencies, bureaus and offices
~9,900 Acceptance points
• 38% terminals; 40% iPOS; 21% Pay.gov
CAS Roadmap: 2017 Priorities
• Complete conversion to new Financial Agent
  – Current processor Vantiv remains, thereby reducing impact to Fiscal Service and customer agencies
  – Target completion with agencies for 10/2017
• Further secure cardholder data
  – Implement tokenization and point-to-point encryption in FY2017 through conversion process with new FA
    • Technology will protect data at rest and data in transit
    • Rollout and maintenance costs will be borne by CAS
  – Promote agency PCI Data Security Standard (PCI DSS) compliance
• Ensure compliance with card network rules restricting credit card use for loan and other debt payments ("using debt to pay debt")
  – Working with impacted agencies to establish debit card-only card acceptance for debt repayment card cashflows
  – Credit card acceptance on these will be "turned off" by 12/2017
CAS Future Roadmap (cont.)
• CAS Application - Future State:
  – Creating a more robust CAS application and automating the review process
• CAS Website re-engineering
  – All-new design with modern web standards and readable on more devices
  – New ways to navigate and new way to enroll in CAS
• CAS Policy Updates
  Background: The CAS Team conducted a thorough review of chapter 7000 of the TFM and found that several changes/updates were warranted in order to better meet the needs of the program:
  – Credit Card Limit (incorporating 2015 change)
  – Clarifying program compliance rules, including prohibitions on "using debt to pay debt"
  Expect publication of changes later in 2017
Conversion to Our New Financial Agent Comerica: What agencies need to know
Winston Wilson, Vice President, Comerica Bank
Objectives
• Conversion to Comerica Bank
• Convert all terminals, software, and hardware
• Reporting
• Tokenization and Encryption
• EMV VAR/ISV compliance
• Enable MasterCard 2 Series BIN Compliance
Conversion Options
• Terminal Self-Service Support (Preferred Method)
  – Terminal update with new MID data
  – Requires line connectivity
  – Dial line: approx. 10 min; IP line: approx. 2 min
  – Vantiv phone support for escalation/troubleshooting
• Some terminals require replacement
• Terminal Coached Support
  – Scheduled time with Vantiv rep for walking through update
• VAR Updates
  – VAR sheet updates processed with new financial agent information
  – Agency and associated VAR will collaborate with respect to service agreement and conversion timing
2017 Conversion Timeline (March – October)
• Mar 23: Fiscal Service CAS Conversion Implementation Strategy Webinar
• Wave 1: May 1 – July 31
• Wave 1 Overseas Locations: May 1 – October 15
• Wave 2: Aug 7 – Sep 18
• Wave 3: Sep 1 – Oct 13
• Pay.gov MID Freeze: Aug 7 – 18
• Aug 14 – 16: Gov't Financial Management Conference
• August 19: Conversion of Pay.gov MIDs (6:00 pm ET)
• MID Conversion Complete (end of the timeline)
Securing Cardholder Data: Leveraging Conversion for Program Improvements and a Safer Environment
Michael Halpin, Senior Relationship Manager, Vantiv
EMV Chip Migration - April 2017*
Adoption:
• 97% of US Credit PV on EMV cards; 184.5M active cards*
• 80% of US Debit PV on EMV cards; 236.6M active cards*
• 2.09M US EMV Visa locations; 51% by PV
• 89% of overall US payment volume in April was on EMV cards
Usage (1):
• 45% of US credit transactions were chip on chip; 55% by PV
• 28% of US debit transactions were chip on chip; 37% by PV
Fallback (2):
• 2.0% US EMV credit card fallback rate; 1.7% by PV
• 2.8% US EMV debit card fallback rate; 2.7% by PV
Other figures shown on the slide: 18.6% US credit card chip on chip PV adoption; 8.2% US debit card chip on chip PV adoption; 2.8% US EMV credit card fallback rate; 5.7% US EMV debit card fallback rate
*Sources: Visa / MARS data as of April 30, 2017. Going forward, card counts will be reported on a quarterly basis. Card count in this report is for Q1 2017 (measured during the last month of the quarter). Card counts are estimates based on the number of active cards during the reporting time period.
(1) Visa branded transactions processed as chip transactions
(2) Magstripe transactions using a Visa branded chip card in a chip terminal
Decrease in Counterfeit Fraud
• 56%: Decrease in counterfeit fraud at U.S. chip-enabled merchants in January 2017 compared to a year earlier
• 36%: Decrease in counterfeit fraud for all U.S. merchants in January 2017 compared to a year earlier
Source: Visa Fraud Reporting System (FRS). "Chip enabled merchants" are those with chip-on-chip PV greater than 80% of total CP PV.
Encryption and Tokenization: Key Security-Solution Delivery Objectives
• Works for large national clients – consistent with their goals, scale, and systems architecture
• Can be implemented within our systems – with minimal operational disruption
• Is sustainable and flexible as association and governing bodies' rules evolve
Encryption and Tokenization
E2EE and Tokenization are a powerful data protection combination. We will provide the latest in secure technology.
• End-to-End Encryption (E2EE)
  – Keeps cardholder data secure from inception to completion
  – Reduces likelihood of thieves obtaining usable card information if system is compromised
• Tokenization
  – Replaces card numbers with a substitute value (token)
  – Prevents the value from being used to originate fraudulent transactions
  – Eliminates retention of card data, reducing PCI-related risk
Encryption and Tokenization
• Key Solution Capabilities
  – Encryption without complex key injection
  – True end-to-end encryption
  – Maximum reliability
  – High volume
  – Multi-environment encryption: swipe, key-entered, e-commerce
• Key Customer Benefits
  – Risk mitigation
  – Potential PCI scope reduction: ability to take components out of scope
  – Protection of brand reputation
  – Security that is sustainable and flexible as rules evolve
End-to-End Encryption and Tokenization (transaction flow)
1. Card data is encrypted at the point of capture: Primary Account Number (PAN), Track and Expiration data are encrypted in the device
2. The encrypted data is transferred from the merchant's POS or Host to our data center
3. We decrypt the data and transmit it to the networks
4. Authorization approval is received; a card token is generated and submitted back to the merchant
5. Merchant completes post-authorization and back-office activities
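The flow above, as an added simulation written for this transcript (not CAS, Comerica or Vantiv code): a constructed HMAC-SHA256 keystream stands in for the terminal's hardware cipher, only the processor holds the device key and can decrypt, the merchant gets back a token instead of the PAN, and the merchant's back-office record is checked against the PCI DSS rule that track data is never retained. The PAN, key, and amounts are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the terminal's hardware cipher: HMAC-SHA256 in counter
# mode as a keystream plus an HMAC tag. A real P2PE device uses AES with injected
# keys; the flow around the cipher is what this example demonstrates.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def device_encrypt(device_key: bytes, pan: str, track2: str, expiry: str) -> dict:
    """Step 1: PAN, track and expiration are encrypted inside the capture device;
    the merchant's POS or host only ever forwards this opaque blob (step 2)."""
    plaintext = f"{pan}|{track2}|{expiry}".encode()
    nonce = secrets.token_bytes(12)
    ct = _xor(plaintext, _keystream(device_key, nonce, len(plaintext)))
    tag = hmac.new(device_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def _network_authorize(pan: str, amount: float) -> bool:
    """Constructed stand-in for the card network: Luhn check plus a positive amount."""
    digits = [int(d) for d in pan][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0 and amount > 0

class ProcessorDataCenter:
    """Steps 3-4: the only holder of the device key decrypts, sends the PAN to the
    network, and hands the merchant a token instead of the PAN."""
    def __init__(self, device_key: bytes):
        self._device_key = device_key
        self._vault = {}  # token -> PAN, kept only inside the processor

    def authorize(self, blob: dict, amount: float) -> dict:
        expected = hmac.new(self._device_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("blob altered in transit; declined")
        pt = _xor(blob["ct"], _keystream(self._device_key, blob["nonce"], len(blob["ct"])))
        pan, _track2, _expiry = pt.decode().split("|")
        if not _network_authorize(pan, amount):
            return {"approved": False, "token": None, "last4": pan[-4:]}
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return {"approved": True, "token": token, "last4": pan[-4:]}

PCI_NEVER_STORE = ("pan", "track2", "cvv", "pin")  # sensitive authentication data

def back_office_record(auth: dict, amount: float) -> dict:
    """Step 5: the merchant keeps only the token and non-sensitive fields, so it
    never retains cardholder data beyond what PCI DSS allows."""
    record = {"token": auth["token"], "last4": auth["last4"], "amount": amount}
    if any(k in record for k in PCI_NEVER_STORE):
        raise ValueError("record contains data the merchant must not store")
    return record
```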
PCI DSS Requirements
• The Payment Card Industry Data Security Standard (PCI DSS) = industry-accepted minimum security requirements designed to protect cardholder data and prevent breaches.
• Applies to all organizations, systems, networks and applications that process, store or transmit at least the cardholder number.
• Store no cardholder data beyond name, number, expiration date and service code.
All merchants are required to comply regardless of size! This includes all U.S. Treasury Agencies that accept cards for payment – even those using Pay.gov!
PCI DSS Requirements
See Appendix I for more information on PCI compliance and resources
Contact Information
Fiscal Service:
• Ian Macoy, Director, RCM Settlement Services
• Richard Yancy, CAS Program Manager, 202-874-5217
Comerica:
• Winston Wilson, VP, Comerica Merchant, 404-547-8015
Vantiv:
• Mike Halpin, Senior Relationship Manager, U.S. Treasury, 513-900-3385
Compliance vs. Validation
Validation: A snapshot of your compliance status
• Entails completion of the Self-Assessment Questionnaire (SAQ) or an On-Site Audit (depending on your merchant level) in order to "validate" that your organization is compliant according to PCI DSS requirements
• Also requires the quarterly submission of External Network Vulnerability Scans
Compliance: Ongoing security controls and procedures that help to protect your business on a 24/7 basis
• Entails continual adherence to the PCI DSS requirements
Validation does not necessarily mean Compliance. However, going through the validation process is the best way to understand whether you are truly compliant.
Visa & MasterCard Merchant Levels
• Merchant Level 1: Any merchant processing 6 million or more Visa® or MasterCard® transactions/year, regardless of acceptance channel. Also, any merchant the card brands deem Level 1. Level 1 merchants have more rigorous compliance validation requirements.
• Merchant Level 2: Any merchant, regardless of acceptance channel, processing 1-6 million Visa® or MasterCard® transactions per year
• Merchant Level 3: Any merchant processing 20,000 to 1 million e-commerce Visa® or MasterCard® transactions per year
• Merchant Level 4: All other merchants, regardless of acceptance channel. Level 4 merchants also have compliance requirements.
Merchant Validation
*Note: Due to MasterCard® Site Data Protection (SDP) program rules, all level 1 and 2 merchants that elect to perform their own validation assessments must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend merchant training programs offered by the PCI Security Standards Council (PCI SSC) and pass any PCI SSC associated accreditation program annually in order to continue validation in this manner.
New Visa Small Merchant Mandates
https://usa.visa.com/dam/VCOM/download/merchants/bulletin-small-merchant-security-faq.pdf
PCI Assist
• A set of online data security tools targeted to Level 4 merchants
  – Helps merchants protect their businesses with best practices
  – Provides step-by-step instructions for completing critical steps required for PCI compliance validation
• A service provided by Trustwave®, the leading provider of PCI DSS compliance services
  – Uses TrustKeeper® compliance management software
PCI Assist (cont.)
• Accessed through Trustwave's portal – https://pci.trustwave.com/fiscalservice
• Includes a self-assessment wizard that asks simple questions
• Completes the appropriate SAQ in the background
• Includes an external vulnerability scan for IP-connected merchants
Remember: Cardholder data security is a merchant's responsibility. Level 4 merchants must validate compliance annually.
CAS Program Information
• CAS is covering the cost of participation for level 4 agencies
• To register you will need:
  – "Company Name" – If you do not have this, call the Federal Agency Support line at 1-866-914-0558 and request the "chain legal name" associated with your account
  – One of your merchant ID numbers
• To get started please visit: https://pci.trustwave.com/fiscalservice
Third-Party Compliance
Requirement 12.8 – Addresses third-party compliance within PCI DSS requirements
• Merchant is responsible for monitoring compliance status of third parties and ensuring the use of appropriate contractual language
• Use of a gateway/service provider does not exempt the merchant from compliance requirements
• Potential to use SAQ A only if all storing, processing and transmitting of cardholder data is fully outsourced to a third party AND the merchant is exclusively card-not-present
Service Provider Validation
Service provider levels, criteria and validation actions:
Level 1
• Criteria: Any processor directly connected to a Visa or MasterCard or any service provider that stores, processes and/or transmits over 300,000 transactions per year
• On-Site Security Audit conducted by a QSA: Report on Compliance (ROC) Required Annually
• Self-Assessment Questionnaire: Not Applicable
• Network Vulnerability Scans: Required Quarterly
Level 2**
• Criteria: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
• On-Site Security Audit conducted by a QSA: Not Applicable
• Self-Assessment Questionnaire: Required Annually
• Network Vulnerability Scans: Required Quarterly
**Effective February 1, 2009, Level 2 service providers were no longer listed on Visa's List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider.
Service Provider Considerations
• Where possible, use only providers that have engaged a QSA for validation
• If you have a level 2 service provider that self-validated, only accept SAQ D
• Their areas of non-compliance are your risk
• If a provider states they cannot afford some aspect of compliance or validation, you may want to consider one that can
• Carefully review your contracts with service providers
Helpful PCI Resources
• PCI Security Standards Council – www.pcisecuritystandards.org
  – PCI DSS, PA DSS, PTS, & P2PE Standards
  – Downloadable Self Assessment Questionnaires
  – List of ASVs, QSAs, PFIs, PA QSAs, QIRs, etc.
  – List of PA DSS Validated Payment Applications, validated P2PE solutions, validated PTS devices
  – Searchable FAQ Tool
  – PCI Supporting Documents
• Visa® CISP website – www.visa.com/cisp
  – Merchant & Service Provider Levels Defined
  – List of CISP Compliant Service Providers
  – Important Alerts, Bulletins and Webinars
• MasterCard® SDP website – www.mastercard.com/sdp
  – Merchant & Service Provider Levels Defined
  – List of CISP Compliant Service Providers
  – PCI 360 Merchant Education Program – on demand educational webinars
What is NFC?
Near-Field Communication (NFC) is a set of standards for smartphones and other mobile devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimeters.
How does NFC work?
An NFC chip can be on a contactless card, where the chip is tapped or held near the terminal
- OR -
A chip can be inside your smart phone, smart watch, or other device, and the device is waved near the terminal
How Does an NFC Mobile App Work?
Secure Element and Host Card Emulation
How Does an NFC Transaction Work?
1. Customer holds their phone close (1.5 in) to the contactless card reader on the payment terminal
2. Their default card will be presented in the mobile app (where another card can be selected if desired)
3. They touch their finger to the phone's reader to initiate the transaction with the terminal
4. The transaction will process like a normal transaction! Customer signs or enters a PIN just as they always do
Magnetic Secure Transmission (MST) Payments
In addition to the NFC and HCE Visa contactless transactions, Samsung devices can also transact with "magnetic stripe terminals" using Magnetic Secure Transmission™ (MST) technology.
MST payments are face-to-face transactions made with a Samsung mobile device equipped with MST technology capable of wirelessly transmitting the payment information encoded on a card's magnetic stripe to either a contactless or traditional magnetic stripe terminal.
NFC Adoption: USA vs. The World
EMV pushing NFC
Apart from long term security benefits, EMV migration has the potential to kick-start contactless payments from both a convenience and ubiquity perspective.
Outside of the US, NFC ubiquity driven by EMV terminal migration and the inconvenience of "dip and wait" sparked contactless "Tap and Go" adoption.
Standalone Terminals and PIN Pads – Available Now!
• Ingenico iCT220 with iPP320
  – EMV reader
  – Mag stripe reader
  – Contactless reader in PIN pad
• VeriFone Vx520 with Vx805
  – EMV reader
  – Mag stripe reader
  – Contactless reader in PIN pad