Secure Mobile Payments with eMV, P2Pe and Tokenization


September 2015

creditcall.com


Index

1. Introduction
2. The Rise of mPOS
3. Benefits of mPOS
4. Payment Security Trends
   4.1 EMV
   4.2 Tokenization
   4.3 PCI P2PE vs. P2PE
   4.4 De-Scoping PCI DSS
5. What Do EMV, P2PE and Tokenization Mean for mPOS ISVs and VARs?
6. The Challenges
   6.1 Cost
   6.2 Time
   6.3 Knowledge
   6.4 Payment Security Is a Moving Target
7. The Right Partner Can Address Payment Security Needs
8. Conclusion

1. Introduction

For years, retail IT experienced a fairly steady and slow, if not stagnant, level of technology innovation in the United States.

Apart from electronic cash registers giving way to all-in-one POS (point of sale) terminals — over the course of decades — there wasn’t a whole lot of disruption as far as retail technology is concerned. However, all that changed the moment smart phones and tablets became indispensable parts of our lives. It didn’t take long before forward-thinkers such as Square and Revel were figuring out how to replace expensive, clunky legacy POS terminals with lightweight, affordable mobile devices. Enter today’s age of mobile POS (mPOS).

2. The Rise of mPOS


Fundamentally, a mobile phone and standard credit card terminal are very similar in terms of the electronics and communications technology driving them. Thus, it became apparent to some that convergence of the two technologies was inevitable.

However, whereas credit card terminals are typically purpose-built standalone devices, mobile phones and tablets are able to do so many things due to the open nature of the OS and hardware. Soon, mobile phones and tablets were turned into POS terminals. This convergence of payments and mobility wasn’t just change for the sake of change. The industry was ready for more payment options to consider.

Traditional POS environments are complicated to develop, complex to use, expensive to purchase and maintain, lock retailers into using one vendor, and contain a lot of functionality that most retailers don’t truly need. Looking back, we can ponder whether the failure of the legacy POS industry to evolve was because the ecosystem became comfortable and there was no disruption to drive change. Indeed, there were no challengers to the status quo for many years.


3. Benefits of mPOS

mPOS changed everything. Built using standard tablets and smartphones, the industry is now leveraging a platform people intuitively know how to use.

The hardware is an easily-sourced commodity product as opposed to a proprietary platform you have to source from a legacy POS vendor. The software runs on widely supported operating systems including Android and iOS. The devices are flexible, allowing merchants to use them in a fixed environment or in mobile applications such as tableside ordering or line busting. To see the combination of all these benefits in action, look no further than a product like Poynt, which has become a major disruptor to the traditional POS market.

Upgrades are easier with tablet-based solutions. To upgrade a legacy system, merchants were often required to replace all of their hardware, which was a huge capital expense. With mPOS, rather than pulling out the hardware, merchants simply download new functionality they require or install a new app.

Additionally, many mPOS apps are delivered as services, where a monthly fee is charged rather than a large up-front capital expense. This payment option has been very appealing to small mom-and-pop merchants who didn’t have the money or willingness to invest in an expensive POS system. Also, because it's offered as a service, with data stored in the cloud, the burden of IT administration and backups is removed from the store owner or solutions provider who maintains the system.


Finally, mPOS systems are small. Counter space is very valuable real estate, and a retailer can enhance the value of this space by utilizing the space-saving benefits of mPOS solutions. In summary, the benefits of mPOS are numerous, varied, and compelling.

This interest in mPOS isn’t just hype. According to Reuters, mPOS shipments were expected to grow at a CAGR of 40% between 2013 and 2018, which should lead to the shipment of 52.1 million mPOS units by 2018 [1]. Also, according to PaymentsSource, one-third of businesses expect to see mobile point of sale as part of their transaction offerings [2].

[1] mPOS Expansion Shakes the Point of Sales Industry, Reuters
[2] Mobile Point of Sale Projected to Reach 46% Market Share in 2017, Payments Source


4. Payment Security Trends

At the same time that mPOS experienced growth, there were a number of technological disruptions to the payment processing industry.

4.1 EMV

EMV (Europay-Mastercard-Visa) has finally arrived in the United States. Without a doubt, this standard has been the most significant and far-reaching change in the past two or three decades, affecting the entire payments ecosystem — from payment companies, to software developers, down to the merchants themselves.

Other significant payment trends include a rising number of breaches. Despite the efforts of many to solve this problem, breaches continue to happen on a frequent basis. Indeed, card issuers have found themselves re-issuing cards regularly in a reactive attempt to deal with breaches.

Additionally, directly tied to the rise of mobile devices is the entrance of mobile wallet applications such as Apple Pay, Google Wallet, and the recently announced Samsung Pay. These solutions afford a relatively seamless alternative method of paying for goods, and help to advance the topic of EMV in a complementary way.


4.2 Tokenization

These trends have been front and center in the mainstream media and, therefore, have some end-user awareness. However, there are also some exciting innovative trends going on behind the scenes in payments that many are not aware of. Consider, for instance, network tokenization:

Historically, tokenization schemes have been proprietary, with different formats and agendas driving them. What the brands are doing now, along with EMVCo, is creating a common global specification for tokenization. Unlike the Primary Account Number (PAN), tokens can also be context-specific, which provides extra protection in the event of a data breach. In the future, once token-based solutions have been implemented, when card details get compromised, the only thing that will have to be done will be to delete or deactivate the tokens. Unlike EMV, there aren’t any customer-facing changes that need to happen for this to take effect. Merchants are unaffected as well. However, changes are required in the back end of the network.
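As an added illustration (not code from this paper, from Creditcall or from EMVCo's specification), the Go program below models the two properties the paragraph attributes to network tokens: a token is bound to one context (here a merchant id) and is useless from any other, and a compromised card is handled by deactivating its tokens rather than reissuing the card. The vault, its HMAC-based token format, the merchant ids and the sample PAN are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

type tokenRecord struct {
	pan, merchant string // the PAN behind the token and the domain it is bound to
	active        bool
}

// Vault is a constructed stand-in for the network token service provider;
// only it holds the secret and the token-to-PAN mapping.
type Vault struct {
	secret  []byte
	records map[string]*tokenRecord
}

func NewVault(secret []byte) *Vault {
	return &Vault{secret: secret, records: map[string]*tokenRecord{}}
}

// Issue returns a token bound to one merchant: an HMAC over merchant id and
// PAN, so one card gets a different token at every merchant and the token
// reveals nothing about the PAN without the vault's secret.
func (v *Vault) Issue(pan, merchant string) string {
	mac := hmac.New(sha256.New, v.secret)
	mac.Write([]byte(merchant + "\x00" + pan))
	token := hex.EncodeToString(mac.Sum(nil))[:32]
	v.records[token] = &tokenRecord{pan: pan, merchant: merchant, active: true}
	return token
}

// Detokenize enforces the domain restriction: a token leaked from one
// merchant cannot be redeemed from another, and a deactivated token is dead.
func (v *Vault) Detokenize(token, merchant string) (string, error) {
	rec, ok := v.records[token]
	if !ok || !rec.active {
		return "", errors.New("unknown or deactivated token")
	}
	if rec.merchant != merchant {
		return "", errors.New("token not valid for this merchant")
	}
	return rec.pan, nil
}

// DeactivatePAN is the breach response the paper describes: retire every
// token issued for a compromised card without reissuing the card itself.
func (v *Vault) DeactivatePAN(pan string) (n int) {
	for _, rec := range v.records {
		if rec.pan == pan && rec.active {
			rec.active, n = false, n+1
		}
	}
	return n
}
```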


4.3 PCI P2PE vs. P2PE

Finally, another significant trend is PCI P2PE (Payment Card Industry Point to Point Encryption). At a time when many ISVs (Independent Software Vendors), VARs (Value-Added Resellers), and merchants are still struggling with EMV adoption, there’s the very real likelihood that PCI P2PE will be mandated within the near future. There are some significant differences between P2PE and PCI P2PE.

With traditional, or non-validated, P2PE, there are no real checks and balances or certifications. No one is ensuring that encryption keys are generated correctly and stored safely. In reality, merchants and software developers are just taking a vendor’s word for it that they are using a secure approach. All that said, P2PE does solve the problem of encrypting cardholder data, and that’s most important. Encrypted cardholder data, even if obtained via a hacking event, has no value to the hacker and cannot be used to compromise the payments system.

4.4 De-Scoping PCI DSS

PCI P2PE provides absolute peace of mind that the processes behind P2PE have been implemented correctly and are independently audited. Secondly, it gives the ability to effectively — and officially — de-scope merchants from the burden of the Payment Card Industry Data Security Standard (PCI DSS). Non-validated P2PE requires the processor or Qualified Security Assessor (QSA) to determine what they believe is de-scoped and what isn’t. PCI P2PE removes any doubt of scope and can be a great advantage to ISVs and merchants.


5. What Do EMV, P2PE and Tokenization Mean for mPOS ISVs and VARs?

Consider the disruptive, confusing, and volatile situation created when mPOS is combined with all of these payments trends.

That’s the difficult situation facing many software developers today. Additionally, developers of mobile solutions should be eager to incorporate payment functionality into their software. According to research by Javelin Strategy & Research, 70 percent of merchants in the United States — approximately 19 million businesses — do not currently accept electronic payments. This represents a $1.1 trillion opportunity, of which software developers can earn a piece [3].

The opportunity is certainly large and the market is ready. However, to those ISVs looking to incorporate payments into their software or to take their existing payments security functionality to the next level, figuring out how to incorporate EMV, tokenization, and P2PE, both quickly and affordably, can seem daunting. This situation can feel overwhelming if the ISV doesn’t plan to offload the burden to an EMV-, tokenization-, and PCI P2PE-ready payment gateway.


[3] Javelin Strategy & Research, Mobile POS (Point of Sale) Business and Market Impact 2013: Emerging Technologies Expand Reach with Lower Cost, Disruptive Services, April 2013


6. The Challenges


There are a lot of challenges when it comes to incorporating payments securely with an mPOS solution. The comprehensive security and peace of mind that comes from PCI P2PE doesn’t come cheap and requires time and a lot of payment-specific know-how.

6.1 Cost

The generation and management of DUKPT-based keys (Derived Unique Key Per Transaction, pronounced “duck putt”, a cryptographic key-management algorithm) for P2PE is done within a secure cryptographic device known as a Hardware Security Module (HSM). These are highly specialized, tamper-resistant computing devices used to securely manage, create, and store cryptographic keys. These devices can run $30,000 to $40,000 each, and if developers build out everything they need, the cost can reach $100,000.

6.2 Time

Beyond the costs of HSMs, software developers are looking at months, if not years, of work in creating the proper environment for a P2PE solution. All said, PCI P2PE is an expensive certification, the infrastructure behind the scenes is costly, and it requires processes and people trained on how to manage the devices.


6.3 Knowledge

The correct implementation of PCI P2PE requires a deep understanding of transaction security, and it will take a considerable amount of time and resources to integrate into a solution.

6.4 Payment Security Is a Moving Target

Apart from P2PE, unless you have an effective Terminal Management System (TMS), you leave yourself open to problems. A TMS is used to keep the firmware, configuration and software that run on the PIN Entry Device (PED) up to date. PEDs have some fairly sophisticated firmware running on them. Assume a security vulnerability is found in the software on the PED. Unless you have an effective way to push out updates remotely, you’re stuck with the possibility of a product recall, which is unacceptable in most retail environments. Time-limited certifications such as EMV Level 1 and Level 2 may also require software updates to be deployed during the lifespan of the device. Having such a TMS is a necessity and an additional expense of money and time.

In addition to the need for software updates, EMV requires terminals to maintain an extensive array of configuration parameters, and these may need to be updated over time, such as to add support for additional card schemes or to add or remove EMV public keys.

To address these challenges and others, many software developers have chosen to forgo building their own payment functionality and security, and partner with a company that hosts this expensive infrastructure and shoulders the burden of maintaining it. Leveraging the time, expertise, and scale of a payments partner can enable software developers to concentrate not on building out payment infrastructure and reinventing the wheel, but on improving the value-add of their product.


7. The Right Partner Can Address Payment Security Needs

Creditcall addresses payment security needs for ISVs and VARs by simplifying and accelerating EMV integration and certification processes. This ensures ISVs and VARs can bypass acquirer and processor EMV certification bottlenecks and focus on what they do best: providing their customers with the most sophisticated and secure mPOS offerings.

This can be achieved with Creditcall’s portfolio of EMV SDKs for iOS, Android, Windows and Linux operating systems using Creditcall’s ChipDNA. Not only does ChipDNA make EMV certification easier for ISVs and VARs, since Creditcall supports all major U.S. processors and acquirers, merchants gain the freedom to work with any payments partner. In addition, they are not tied to a specific chip card reader manufacturer as Creditcall has already done the integration, providing a choice in devices.

In addition, all devices Creditcall supports for mPOS have internal capability to do strong P2PE. The encryption occurs within a very secure module and uses a key Creditcall provides to the manufacturer. No one — the merchant, ISV, or anyone else in between — has access to the key. If some malware is floating around on the device looking for cardholder data, it’s not going to find any because all the data is securely encrypted. This can lead to reduced scope of PCI DSS as merchants no longer handle actual cardholder data, which “…simplifies the merchant’s PCI DSS compliance effort by reducing the system components considered part of the cardholder data environment.” [4]
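Added example, not Creditcall's code and not a real DUKPT implementation: a Go model of the in-reader P2PE flow described here and of the DUKPT-style per-transaction keys mentioned under section 6.1. The reader holds only a device key injected at manufacture, derives a one-off key per transaction, and emits a key serial number (KSN) plus AES-GCM ciphertext; the merchant app never sees a key, and only the gateway holding the base derivation key (BDK) can rebuild the transaction key and decrypt. The HMAC-based derivation, the nonce rule, the device id, the sample track data and the BDK are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// derive returns a 32-byte child key, HMAC-SHA256(parent, label): a
// simplified stand-in for X9.24 DUKPT derivation, not the real algorithm.
func derive(parent, label []byte) []byte {
	mac := hmac.New(sha256.New, parent)
	mac.Write(label)
	return mac.Sum(nil)
}

// KSN (key serial number) is sent in the clear: device id plus counter is all the gateway needs to re-derive the key.
type KSN struct {
	DeviceID string
	Counter  uint32
}

func (k KSN) bytes() []byte { return []byte(fmt.Sprintf("%s|%08d", k.DeviceID, k.Counter)) }

// gcmFor builds the AEAD for one transaction key; each key is used exactly once, so a nonce derived from it is never reused.
func gcmFor(txKey []byte) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(txKey) // a 32-byte key is always valid AES-256
	aead, _ := cipher.NewGCM(block)  // cannot fail for an AES block
	return aead, derive(txKey, []byte("nonce"))[:aead.NonceSize()]
}

// PED models the reader's secure module: it holds only the initial key
// injected for this device at manufacture (never the BDK) and a counter.
type PED struct {
	DeviceID string
	ipek     []byte
	counter  uint32
}

func NewPED(bdk []byte, deviceID string) *PED {
	return &PED{DeviceID: deviceID, ipek: derive(bdk, []byte(deviceID))}
}

// Encrypt seals the track data under a fresh per-transaction key; the merchant app sees only the KSN and this ciphertext.
func (p *PED) Encrypt(track []byte) (KSN, []byte) {
	p.counter++
	ksn := KSN{p.DeviceID, p.counter}
	aead, nonce := gcmFor(derive(p.ipek, ksn.bytes()))
	return ksn, aead.Seal(nil, nonce, track, ksn.bytes())
}

// GatewayDecrypt is the HSM side: it holds the BDK, rebuilds the device's
// initial key and the transaction key from the KSN, and authenticates.
func GatewayDecrypt(bdk []byte, ksn KSN, ct []byte) ([]byte, error) {
	ipek := derive(bdk, []byte(ksn.DeviceID))
	aead, nonce := gcmFor(derive(ipek, ksn.bytes()))
	return aead.Open(nil, nonce, ct, ksn.bytes())
}
```

A compromised transaction key exposes one transaction only, and a wrong BDK or any tampering with the ciphertext fails GCM authentication at the gateway.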

As far as TMS is concerned, Creditcall has a tried and tested TMS platform that is part of the Creditcall Gateway.

[4] Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance, PCI Security Standards Council


8. Conclusion

For certain, developers, ISVs and VARs face a significant task in addressing all the challenges that come with payment security. EMV, P2PE, and tokenization — the “holy trinity” of payment security — are generally accepted as the best, most effective combination of security methods.

Unfortunately, for a software developer, implementing these on their own is cost- and time-prohibitive. Fortunately, companies like Creditcall have the capabilities and solutions ready and are willing to help.


Founded in 1996 and with over 14 years of proven track record in EMV migration, Creditcall’s ChipDNA EMV SDKs provide the most secure, simplest and fastest route for software developers to integrate EMV payments into their iOS, Android, Windows and Linux based POS applications.

Security - Point to Point Encryption (P2PE)
Simple integration - EMV SDKs for iOS, Android, Windows and Linux
Speed - Bypass certification bottlenecks
Flexibility - Pre-certified with major processors
Choice - Select preferred attended or unattended chip card reader
Updates - Ongoing compliance and certification
Remote management - TMS
Reliability - Data synced in four data centers
Cross industry expertise - Retail, hospitality, parking, and transportation

Creditcall makes card acceptance simple from any device, anywhere. No matter whether in retail, hospitality, parking or transportation, our award-winning EMV-ready Payment Gateway and EMV Kernels are at the very heart of our clients' businesses. Whether in-store, online or mobile, we ensure payments flow securely, all day, every day.

For more details, visit www.creditcall.com or call us on 800 868 1832

Creditcall – The Heart of Payments.


Figure: Creditcall’s EMV migration path: 1. Pick chip card reader, 2. Select processor, 3. Integrate EMV SDKs, 4. EMV migration done.

Creditcall North America

1133 Broadway, Suite 706, New York, NY 10010, USA

T: +1 (800) 868 1832

E: [email protected]

W: www.creditcall.com

@Creditcall

Creditcall Europe

Merchants House North, Wapping Road, Bristol, BS1 4RW, United Kingdom

T: +44 (0)117 930 4455

E: [email protected]

W: www.creditcall.com

@Creditcall

Registered No: 3295353.

VAT Registered No: 713 0076 80.

For more white papers from Creditcall, visit www.creditcall.com/white-papers