EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical...
Transcript of EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical...
![Page 1: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/1.jpg)
June 6, 2016
© 2016 Higher One Inc. d/b/a/ CASHNet. All rights reserved.
EMV On-Campus
Post Liability Shift Don Smith
VP Payments Product Management
Higher One
![Page 2: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/2.jpg)
− 2 − − 2 −
• What is EMV and why are we moving in this direction?
• EMV Market Update
• Impact on Card Not Present Fraud
• Considerations for Your Campus
• Questions
Agenda
![Page 3: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/3.jpg)
Q: Q:
What is EMV?
![Page 4: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/4.jpg)
− 4 − − 4 −
• EMV = Europay MasterCard Visa
• Technical standards for a card with a smart chip and POS terminals and
ATMs (different than PCI)
• Standards overseen by EMVCo (Amex, Discover, JCB, MC, UnionPay, and
Visa)
• Accepted on 6/7 continents
• U.S. slow to adopt
EMV
![Page 5: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/5.jpg)
− 5 − − 5 −
• “Dip” card vs. “Swipe”
• Chip and signature vs. chip and pin
• Card stays in machine for transaction
• Most machines beep when transaction is done
Getting Familiar with POS Changes
![Page 6: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/6.jpg)
Dipping the Card
![Page 7: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/7.jpg)
Q: Q:
Why?
![Page 8: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/8.jpg)
25% Portion of the world’s
transactions that occurred in
the U.S. in 2014.* * Business Insider's "The US EMV Migration Report" (Nov 2015)
![Page 9: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/9.jpg)
50% Portion of the world’s card
fraud that occurred in the U.S.
in 2014.* * Business Insider's "The US EMV Migration Report" (Nov 2015)
![Page 10: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/10.jpg)
− 10 − − 10 −
Card Present
• Fraudsters purchase or steal
card info (or steal card)
• Load card info onto card’s mag
stripe
• Go to unmanned machines for
small amounts to test card info
• Try card at merchants that
have gift cards (or other things)
Card Not Present (CNP)
• Fraudsters purchase or steal
card info
• Test it where merchants do real
time processing
• Typically small amounts
• Once card number (and
associated info) is verified,
larger items will be purchased
Understanding Fraud
![Page 11: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/11.jpg)
− 11 − − 11 −
• Stolen Card: Card holder’s card is stolen and the fraudster uses card to make purchases at POS
Countermeasures:
– Look at signature on back of card
– Ask for Photo ID
– Input zip code
• Counterfeit Card: Fraudster has purchased stolen card number online and loaded it onto the magstripe of a fake card
Countermeasures:
– Look at signature on back of card
– Ask for Photo ID
– Input last four digits of card or CVV into terminal as condition of transaction
Making Card-Present Fraud More Difficult
![Page 12: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/12.jpg)
− 12 − − 12 −
• EMV makes use of dynamic info at the POS
• Makes it very difficult to create a counterfeit card
• Can make it very difficult to use a stolen card (PIN)
• Dynamic data (exclusive to each transaction) is sent to issuing bank through
payment rails to verify authenticity of card (Cryptographic Processing)
• Security can be enhanced by issuing bank requiring PIN at POS rather than
signature
EMV’s Main Purpose
![Page 13: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/13.jpg)
LIABILITY SHIFT
![Page 14: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/14.jpg)
− 14 − − 14 −
• Credit card brands encouraging adoption as a means to fight POS card-
present fraud
• Stopped short of a mandate
• Understand costs and logistics involved
• Realize changing consumer behavior is hard
• Issued “Liability Shift Date” of Oct. 1, 2015
• Pertains to all merchants with exception of pay at the pump gas stations
(Oct. 1, 2017)
• Think of Liability Shift as a start line vs. a finish line
Liability Shift
![Page 15: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/15.jpg)
− 15 − − 15 −
Merchant liable for fraud if ALL three of following occur:
1. The payer wants to use an EMV card to make a purchase
2. The campus is unable to process an EMV transaction (and therefore
processes a transaction using the card’s magnetic strip)
3. The transaction is fraudulent
What Does it Mean?
![Page 16: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/16.jpg)
$4.5B Estimated counterfeit card
fraud in U.S. for 2016.* *Aite Group
![Page 17: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/17.jpg)
$1B Estimated amount of
counterfeit card fraud in
2020.* *Aite Group
![Page 18: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/18.jpg)
MERCHANT ADOPTION
![Page 19: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/19.jpg)
![Page 20: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/20.jpg)
44% Merchants thought they were
going to be EMV ready by end
of 2015.* *The Strawhecker Group
![Page 21: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/21.jpg)
37% Merchants were accepting
EMV as of Feb 17.* *The Strawhecker Group
![Page 22: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/22.jpg)
20% Estimated portion of credit
card transactions that are
currently chip-on-chip.* *Aite Group
![Page 23: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/23.jpg)
Q: Q:
Why so few?
![Page 24: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/24.jpg)
− 24 − − 24 −
• Solutions more complex to develop • Conversations more complicated with dynamic data elements
• Comprises software, hardware and processor
• Certification is more arduous • Total solution in play for certification
• Card brands have different standards
• NFC add layer of certification
• Long certification queues • Evaluation can take months and cost up to $100K
• Each change to system prompts new certification
• Large number of solutions seeking certification
• Devices are expensive • Javelin Strategy and Research estimates it will cost $8.65B to implement EMV in the U.S; $6.75B on
POS devices alone!
Biggest Barriers
![Page 25: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/25.jpg)
0%
10%
20%
30%
40%
50%
Ready Plan toUpgrade
No Plansto
Upgrade
What'sEMV?
Small Merchants
Small Merchant EMV Readiness
*TD Bank Study 2015
![Page 26: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/26.jpg)
0%5%
10%15%20%25%30%35%40%45%
Small Merchants
For Merchants Who Don’t Plan to Upgrade
![Page 27: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/27.jpg)
− 27 − − 27 −
• Many Non-EMV ready merchants reporting higher rate of chargebacks
• Higher volume with merchants who sell goods prized by fraudsters • Gift cards
• Electronics
• Jewelry
• Many banks don’t know if chargebacks are related to EMV or not
• Merchants don’t have resources to research chargebacks
• B&R Supermarket Inc. and Grove Liquors LLC • Oct – Feb 2014: 4 Chargebacks
• Oct – Feb 2015: 88 Chargebacks
• B&R and Grove Liquors filed a lawsuit against card networks • Allege card networks knew merchants would be unable to comply with EMV Liability Shift
• Merchants unknowingly paying for more chargebacks than they should
• Set up banks for big payday
Change in the Air?
![Page 28: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/28.jpg)
50% Merchants will accept EMV by
end of June.* *The Strawhecker Group
![Page 29: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/29.jpg)
90% Merchants will accept EMV by
sometime in 2017.* * The Strawhecker Group
![Page 30: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/30.jpg)
CARD NOT PRESENT
![Page 31: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/31.jpg)
− 31 − − 31 −
• Experts have argued EMV causes spike in CNP fraud
• Fraudsters follow path of least resistance
• Easier to commit CNP fraud because dynamic element of chip not in play
• In the UK, brick and mortar fraud decreased 75% from 2004-2012
• 2015 report from Euro Central Bank on 2013 Data
• $1.44B in fraud; mostly CNP
• CNP fraud increased by 20.6% over previous year
• ATM fraud fell by 13.7%
• POS fraud fell by 7.9%
CNP Fraud Post EMV
![Page 32: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/32.jpg)
Canada Post EMV Implementation – 133% Increase in CNP Fraud
![Page 33: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/33.jpg)
− 33 − − 33 −
• Others argue not necessarily cause and effect
• Point to:
• Adoption of new technologies for payments
• Increase in merchant adoption of new online storefronts
• Increase in online payment volume over same period
• Improved techniques by fraudsters (more data breaches)
• These compound the increase of CNP fraud
• Argue EMV should still be implemented but also need new mitigation
strategies for CNP fraud
Not All on EMV?
![Page 34: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/34.jpg)
![Page 35: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/35.jpg)
− 35 − − 35 −
• eMarketer Report
• 2013: $262 billion online sales
• 2017: $440 billion online sales (estimate)
• 13.8% compounded annual growth rate
• ACI Report
• Jan – July 2014: 1/114 CNP transactions was fraud
• Jan – July 2015: 1/86 CNP transactions was fraud
• Javelin Strategy & Research study in 2015
• Account takeover and new account fraud to increase by 60% in next three years
• Will go from an estimated $5B in 2015 to $8B in 2018
In the U.S.
![Page 36: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/36.jpg)
CNP Expected to Double by 2018
![Page 37: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/37.jpg)
Q: Q:
How can we protect
ourselves from CNP fraud?
![Page 38: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/38.jpg)
− 38 − − 38 −
• 2016 will be an important year for the introduction and evaluation of new
technologies
• Geolocation
• Biometrics
• Dynamic data elements (authorization)
• Tokenization
• Real time transaction analytics
• Behavioral analytics
Pay Attention to New Developments
![Page 39: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/39.jpg)
− 39 − − 39 −
• EMV migration forum and Smart Card Allliance recommend a layered security
approach that could include:
• Device authentication, such as confirming that the device used to make the payment
is being used by the right consumer
• Multi-factor authentication, in which the credentials used to make the payment are
checked against the address, phone number, and email address provided by the
customer at check-out
• Tokenization, which replaces payment credentials with one-time codes
• Rigorously checking the identity of an online customer when they pick up
merchandise reserved in a physical store
Multi-Layered Approach
![Page 40: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/40.jpg)
15% Cardholders who had a
transaction declined because
it looked like fraud.* *Javelin Strategy & Research. “Overcoming False Positives”
![Page 41: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/41.jpg)
$118 B Lost sales from false
positives. *Javelin Strategy & Research. “Overcoming False Positives”
![Page 42: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/42.jpg)
$9 BB Actual ecommerce fraud in the
U.S. in 2015. *Javelin Strategy & Research. “Overcoming False Positives”
![Page 43: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/43.jpg)
− 43 − − 43 −
• Work with your payment software provider or processor to identify best strategy for your campus • In-person
• Define EMV strategy and roll out plan
• Implement cashier security measures in the business office
• CNP • Velocity limits
• CID/AVS
• Authentication
• Transaction reporting
• Mobile wallets
• Keep in mind fraud (CNP and CP) rates are low for most schools
• Stay abreast of new developments in technology
• Ensure your campus takes PCI seriously and work with a PCI certified QSA to document and test your environment
Think Through Your Strategy
![Page 44: EMV On-Campus Post Liability Shift...− 4 − • EMV = Europay MasterCard Visa • Technical standards for a card with a smart chip and POS terminals and ATMs (different than PCI)](https://reader035.fdocuments.us/reader035/viewer/2022071009/5fc7237b183eb72bf53efeef/html5/thumbnails/44.jpg)
Q: Q:
Questions?