The Migration to EMV in the USA from a Founders Perspective

Philip Andreae, Oberthur Technologies

[Graphic: Oberthur Technologies markets and form factors: passport, identity card, banking card, chip card, dual card, contact, contactless, chip and PIN, SIM card, multiSIM, NFC, eSE, smart transactions, transport, access control, M2M, mobile financial services, green products, convergence, increase efficiency, devices, cloud, big data, Internet of Things, digital security, mobility]

Our environment

• 14 billion connected M2M devices in 2020
• 3 billion payment smart cards shipped in 2017
• 75% of passports will be electronic by 2016
• 1.2 billion NFC-enabled phones sold in 2018
• Mobile payment market: $721 billion in 2017
• 80% of ID cards are expected to be electronic in 2015

Mobility, at the heart of OT world

Why Are We Here?

August 2011: Visa Inc. announced its roadmap
June 2012: American Express, Discover and MasterCard agreed to converge on the same common timeline
April 2013: Acquirers and processors must support EMV transactions
April 21st 2014: Court of Appeal found for the Board of Governors Federal Reserve
April 30th: EMF published Debit Technical White Paper
October 2015: Liability shift
– Liability is the responsibility of the party not protecting the transaction
– Liability remains the issuer’s if merchant upgrades to EMV
October 2017: Liability shift for gas stations
December 2013: Following a number of compromises – Target, Neiman Marcus – the time has come for the U.S. to embrace EMV


EMV the Global Standard for Credit & Debit Payments

In 1993 The International Payment Brands Decided The Long Term Solution To Fraud Was The “ICC” and Agreed To Develop A Common Specification To Assure Global Interoperability

They agreed the requirements and published “The Integrated Circuit Card Specifications for Payment Systems”

EMVCo is owned & staffed by Visa, MasterCard, JCB, American Express, UnionPay and Discover

Lost and Stolen Fraud – Cardholder Verification

Revenue Creation – Value Added Services

Counterfeit Protection – Off/On-line Authentication

Offline Authorization – Cost Reduction

The Classic Smart Card Business Case Is Based On

A CAM (Card Authentication Method) to stop counterfeit losses

A CVM (Cardholder Verification Method) to reduce lost and stolen card fraud

Card Risk Management to assure payment everywhere

Support for Value Added Services

The Intangible value of Security

One Green Void In a Sea of Color

USA Last to Migrate to EMV…

Why have US payment card Issuers resisted EMV migration?
– US has robust 100% online (network) infrastructure employing sophisticated fraud management techniques
– The US Contactless initiative failed to produce positive revenue
– The perceived economics haven’t justified the investment on the Issuer or Merchant side of the transaction
– QR Codes require much less investment in terminal hardware
– Interchange has created opportunities to create Cloud and ACH based alternatives
– Many ask the question why an old technology “EMV” when the Cloud and Smart Phones are the future

EMV IS A PROVEN SOLUTION TO REDUCE FRAUD AT THE POINT OF SALE.

THE TIME HAS COME TO MIGRATE

As a result of the data breaches the US market is accelerating beyond expectations

Includes estimates for Debit, Credit, PLCC and Prepaid

[Chart: High, Base and Low estimates by year]

        2014    2015    2016    2017    2018
High     300     781   1,004   1,122   1,237
Base     228     638     807     875     940
Low      165     515     638     672     727

An Extrapolation using recent Payment Security Task Force project of 575 Credit and Debit Cards

Benefits of EMV to Merchants and Acquirers

Acquirer
• Irrefutability of transaction
• Reduced costs through offline transactions
• Reduced cost of handling chargebacks
• Low value transactions
  – Drives transaction growth
• New revenue opportunities
  – Rewards
  – Consumer profile
  – Loyalty
  – Other value-added services

Merchant
• Guarantee of payment
• Reduced costs through offline transactions
• Opportunity to expand unattended payment locations
• Enhance efficiencies:
  – Speed and ease of use at the POS
  – Reduce storage of paper receipts
  – Improve dispute procedures
  – Reduces fraud
• Builds infrastructure for NFC Mobile Commerce

Benefits of EMV to Issuers

• EMV pro-activity provides a competitive advantage
• EMV issuance protects the brand
• Reduced fraud; therefore, less exceptions
• Liability shift reduces financial exposure of Issuer
• More secure payment card
• Unique PINs for each person on account
• Global interoperability
• Efficiency in servicing low value transactions
• Ability to support credit and debit on a card
• New revenue opportunities
• Paves way for use of NFC mobile payments

Business Process Implications

With the decision to move to EMV, Financial Institutions have decisions to make:
– Impact of product and EMV program design
– Inclusion of chip in card design
– Consumer-selected PIN management
– Card production and issuance
– Card/chip lifecycle must be managed
– Card issuance and replacement
– Call center representative training
– Changes to back-office procedures
– Consumer card usage education
– Marketing opportunities

Back Office Debit and Credit Systems

Many systems require upgrade or replacement

Credit card systems must perform online authentication

Banking systems must perform online authentication

Key management becomes a core competency

Integration with card management processes

New PIN management techniques required

Fraud and risk management systems

Card life cycle must be managed

Card issuance and replacement


AN EMV PRIMER

Authentication, Verification, Authorization and Irrefutability

Four Words describe what EMV offers the payment industry

Three Key Capabilities Are Defined by EMV

Designed to be Future Proof
• Based on a stable standard
• Built on evolving technologies

Authentication: “What you have”
– Offline by Terminal
– Online on Issuer Host

Verification: “What you know”
– Signature
– PIN In Chip
– PIN On Host
– No CVM

Authorization: “You have the funds”
– Online: 0 Floor Limit, Host Authorized
– Offline: Issuer Defined Card Risk Management Parameters

Field 55 Designed to Support Authentication

Terminal (Merchant)
Interface to chip:
• Prepare authorization
• Draft data capture

Acquirer (Acquiring Bank)
• Select appropriate route
• Forward to payment network
• Settle with Merchant

Payment Network (Payment Switch)
• Validate transactions
• Route to issuer
• Settle between Issuer and Acquirer

Issuer (Issuing Bank)
• Authenticate ARQC
• Authorize transaction
• Prepare ARPC and scripts
• Return authorization response
• Optionally authenticate TC
• Settle with payment system

Authorization or Financial Request: The ARQC to authenticate the card to the issuer

Authorization or Financial Response: The ARPC authenticates the issuer to the card. A chance to update the card with scripts

Clearing and Settlement (at completion or end of day): The transaction Certification assures Irrefutability

EMV Defined Application Selection: Issuer Control & Consumer Choice

Insert Card into Reader → Answer to reset → Select AID(s) → Develop Candidate AID List → Consumer Selection

Terminal prompt:
1. Personal Credit Card
2. Corporate Credit Card
3. Family Debit Card
4. Personal Debit Card
Enter 1, 2, 3 or 4 to select payment method

PSE – Payment Systems Environment
AID – Application Identifier

Chip Cards Can Support Various Applications

PSE: Credit, Debit, Stored Value, Home Banking, Payment Guarantee
IATA: Ticket, Itinerary, Boarding Pass, Frequent Flyer, VIP – Security
Subscriber: Calling Card, Parking Cards, Fitness Club, Library Card, Campus Cards
Loyalty: Points, Rewards, Coupons, Discounts, Punch Card
ID: Passport, Drivers License, Corporate ID, National ID, Photo, Biometrics
Health: Pharmacology, Emergency Data (Blood type, Donor Status, Allergies), Physician’s Details, Health Insurance
Transit: Token, Tap On, Tap Off, Senior/Student, Period Pass, Car Key

Key uses: Security, Authentication, Identification, and Data Storage

PSE – Payment Systems Environment
IATA – International Air Transport Association

Mobile Devices Solve the Branding Issue

[Same application grid as on the previous slide, with the columns PSE, IATA, Subscriber, Loyalty, ID, Health and Transit]

PSE – Payment Systems Environment
IATA – International Air Transport Association

EMV: Designed to be Future Proof
– A stable standard
– Built on evolving technologies

NFC & HCE: Built on the same
– Stable standard
– Employing evolving technologies

Business Relationships and Infrastructure Is Key

File types: Master File (MF), Data File (DF), Elementary File (EF)

Inter-industry Commands
• READ BINARY command
• WRITE BINARY command
• UPDATE BINARY command
• ERASE BINARY command
• READ RECORD(S) command
• WRITE RECORD command
• APPEND RECORD command
• UPDATE RECORD command
• GET DATA command
• PUT DATA command
• SELECT FILE command
• VERIFY command
• INTERNAL AUTHENTICATE command
• EXTERNAL AUTHENTICATE command
• GET CHALLENGE command
• MANAGE CHANNEL command
• GET RESPONSE command
• ENVELOPE command

[Diagram labels: Host Application, VPN, Terminal Application, Card Application]

EMV Impacts the Merchant’s Systems

[Diagram labels: Local Store, Cash Register, PED, Store Server, VPN, Merchant Data Center, Payment Switch, Acquirer, Debit Networks]

• Replace PIN Pad with EMV PIN Entry Device
• Upgrade payment software to support EMV Transaction flow and the Payment Networks
• Add Bit 55 with TLV coded data elements
• Certify with Acquirer and Payment Networks
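Field 55 is a run of BER-TLV objects, and the issuer can only authenticate the ARQC if the objects that went into it arrive intact. Added example (not part of the original deck): a field 55 decoder that rejects malformed data and reports the cryptogram type and any missing objects. The sample bytes are constructed, and the list of required tags is an assumption, since each payment network defines its own.

```python
"""Added example: decode the BER-TLV data objects carried in ISO 8583 field 55."""

# Tag names from EMV Book 3; only the tags used in this example are listed.
TAG_NAMES = {
    "82": "Application Interchange Profile",
    "95": "Terminal Verification Results",
    "9A": "Transaction Date",
    "9C": "Transaction Type",
    "5F2A": "Transaction Currency Code",
    "9F02": "Amount, Authorised",
    "9F10": "Issuer Application Data",
    "9F26": "Application Cryptogram",
    "9F27": "Cryptogram Information Data",
    "9F36": "Application Transaction Counter",
    "9F37": "Unpredictable Number",
}

# Assumption for this example: the objects an issuer host wants present
# before it tries to recompute the ARQC. Real lists are network-specific.
REQUIRED_IN_REQUEST = ("9F26", "9F27", "9F36", "9F37", "95", "9A", "9F02", "5F2A", "82")

# Top two bits of Cryptogram Information Data (tag 9F27).
CRYPTOGRAM_TYPES = {0b00: "AAC", 0b01: "TC", 0b10: "ARQC", 0b11: "RFU"}


def parse_tlv(data: bytes) -> dict:
    """Return {tag_hex: value_bytes} for a flat run of BER-TLV objects."""
    objects, i, end = {}, 0, len(data)
    while i < end:
        if data[i] == 0x00:                  # padding between objects
            i += 1
            continue
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:       # tag continues in the following bytes
            while True:
                if i >= end:
                    raise ValueError("truncated tag")
                more = data[i] & 0x80
                i += 1
                if not more:
                    break
        tag = data[start:i].hex().upper()
        if i >= end:
            raise ValueError(f"tag {tag}: missing length")
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: low 7 bits count the length bytes
            count = length & 0x7F
            if count == 0 or i + count > end:
                raise ValueError(f"tag {tag}: bad length encoding")
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        if i + length > end:
            raise ValueError(f"tag {tag}: value overruns field 55")
        if tag in objects:
            raise ValueError(f"tag {tag}: duplicated")
        objects[tag] = data[i:i + length]
        i += length
    return objects


def review_request(field55_hex: str) -> dict:
    """Summarise a request's field 55: cryptogram type, ATC, missing objects."""
    tlv = parse_tlv(bytes.fromhex(field55_hex))
    cid = tlv.get("9F27", b"")
    return {
        "cryptogram_type": CRYPTOGRAM_TYPES[cid[0] >> 6] if len(cid) == 1 else None,
        "missing": [t for t in REQUIRED_IN_REQUEST if t not in tlv],
        "atc": int.from_bytes(tlv["9F36"], "big") if "9F36" in tlv else None,
        "objects": {t: (TAG_NAMES.get(t, "unknown"), v.hex().upper()) for t, v in tlv.items()},
    }


# Constructed sample (not captured from a real card): tag, length, value.
SAMPLE_FIELD55 = "".join([
    "9F26" "08" "1122334455667788",   # application cryptogram
    "9F27" "01" "80",                 # CID: top bits 10 = ARQC
    "9F10" "07" "06010A03A00000",
    "9F37" "04" "A1B2C3D4",
    "9F36" "02" "003C",
    "95"   "05" "0000008000",
    "9A"   "03" "140501",
    "9C"   "01" "00",
    "9F02" "06" "000000002500",
    "5F2A" "02" "0840",
    "82"   "02" "3C00",
])

if __name__ == "__main__":
    report = review_request(SAMPLE_FIELD55)
    print(report["cryptogram_type"], "ATC", report["atc"], "missing", report["missing"])
    for tag, (name, value) in report["objects"].items():
        print(f"{tag:<5}{name:<34}{value}")
```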

Chip Cards Come In Multiple Form Factors

Pure contactless card*:
1. One chip connected to the antenna and buried inside plastic body
2. Works only in contactless mode

Dual interface card*:
1. One chip embedded with external contacts and antenna connections
2. Works in contact and contactless mode (contactless like US contactless and NFC transactions – future proof solution)

Contact card:
1. One chip connected to external contacts
2. Works only in contact mode

*Not compatible with foil card designs

The Card Operating System

NATIVE
• Proprietary OS: Supplied by all major vendors
• Highly secure: Hardware (EAL5+) and software (EAL4+).
• Dominant smart card technology: Most widely deployed to date
• Full EMV compatibility for single and multi-applications payment cards
• Offer best price competitiveness to issuers. Ideal choice for EMV migrating markets and mass volume penetration strategy
• Optimized OS and applications for best-in-class memory consumption and timing performances
• Full compatibility with EMV common personalization systems offering issuers multiple sourcing and seamless products migrations (lower switching cost).
• Many providers competing on performance and security, with multiple silicon providers

JAVA Global Platform
• Industry open standard: Offer the largest multi-sourcing to issuers
• High portability and security
• Open business model: Issuer-centric or multi-issuer
• Possibility to reuse existing infrastructure (KMS, CA)
• Java cards can be issued using any global platform compliant infrastructure such as personalization equipment and key management system
• Healthy competition brings innovation faster to the market place, along with competitive prices for the issuers
• Applications developed in Java standard language known by most developers
• Large pool of OS implementers competing on performance and security, with multiple silicon providers

Application, Offline Characteristic and Interface

MChip, VSDC, AEIPS, D-Pas

MiFare, Data Storage, Access, PKI

1. AID(s)
2. Keys
3. Configuration Parameters
4. Card Risk Management Parameters
5. Counters
6. PIN

RSA, TDES, Secrets

Contact, Contactless, Dual

The Specifications

ISO 7816 – Smart Card
– Part 1: Physical characteristics
– Part 2: Cards with contacts – Dimensions and location of the contacts
– Part 3: Cards with contacts – Electrical interface and transmission protocols
– Part 4: Organization, security and commands for interchange

ISO 14443 – Contactless
– Part 1: Physical characteristics
– Part 2: Radio frequency power and signal interface
– Part 3: Initialization and anti-collision
– Part 4: Transmission protocol

EMV Version 4.3 – Contact
– Book 1: Application independent ICC to terminal interface requirements
– Book 2: Security and key management
– Book 3: Application specification
– Book 4: Cardholder, attendant and acquirer interface requirements

EMV Version 2.3 – Contactless
– Book A: Architecture and general requirements
– Book B: Entry point specification
– Books C1-6: Kernel specifications
– Book D: Communications protocol

Payment system specifications
– Operating rules
– Network requirements
– AEIPS Card specification
– AEIPS Terminal Specifications
– Key management requirements
– E2E certification requirements

The industry is awaiting the debit networks to all publish their network specifications and certification requirements

ISO 7816 Defines the Communications Protocol

Today’s Track 1 Data

Start sentinel 1 byte (the % character)

Format code 1 byte alpha (The standard for financial institutions "B")

Primary Account number Up to 19 characters.

Separator 1 byte (the ^ character)

Country code 3 bytes, if used. (The United States is 840)

Surname

Surname separator (the / character)

First name or initial

Space (when followed by more data)

Middle name or initial

Period (when followed by a title)

Title (when used)

Separator 1 byte (^)

Expiration date or separator 4 bytes (YYMM)

Discretionary data Optional data can be encoded here by the issuer.

End Sentinel 1 byte (the ? character)

Longitudinal Redundancy Check (LRC) 1 byte.

Today’s Track 2 Data

Start sentinel 1 byte (0x0B, or a ; in ASCII)

Primary Account Number Up to 19 bytes

Separator 1 byte (0x0D, or an = in ASCII)

Country code 3 bytes, if used. (The United States is 840) This is only used if the account number begins with "59."

Expiration date or separator 4 bytes (YYMM) or the one byte separator if a non-expiring card

Discretionary data Optional data can be encoded here by the issuer.

End Sentinel 1 byte (0x0F, or a ? in ASCII)

Longitudinal Redundancy Check (LRC) 1 byte.
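Both track layouts above are static: the same bytes are read at every swipe, so a copy left in a log or crash dump is sensitive for the life of the card. Added example (not part of the original deck): a scanner that finds Track 1 and Track 2 in their ASCII form, confirms the PAN with a Luhn check and masks it. The log lines and card numbers are constructed, and the 12-digit minimum PAN length is an assumption.

```python
"""Added example: find and mask magnetic-stripe track data in text such as logs."""
import re

# Patterns follow the Track 1 and Track 2 field lists above (ASCII form).
# Assumption: a 12-digit minimum PAN length, used only to cut false positives.
TRACK1 = re.compile(r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?\n]{2,26})\^(?P<exp>\d{4})[^?\n]*\?")
TRACK2 = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: double every second digit from the right."""
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def plausible(match) -> bool:
    """A hit counts only if the expiry month (YYMM) and the PAN check digit hold."""
    month = int(match["exp"][2:])
    return 1 <= month <= 12 and luhn_ok(match["pan"])


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as on a printed receipt."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines):
    """Return (line number, track, masked PAN) for every plausible hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for track, pattern in (("track1", TRACK1), ("track2", TRACK2)):
            for match in pattern.finditer(line):
                if plausible(match):
                    findings.append((number, track, mask_pan(match["pan"])))
    return findings


def redact(line: str) -> str:
    """Replace plausible track data in a line, leaving look-alikes untouched."""
    def replacement(match):
        if plausible(match):
            return f"[TRACK DATA REMOVED pan={mask_pan(match['pan'])}]"
        return match.group(0)
    return TRACK2.sub(replacement, TRACK1.sub(replacement, line))


# Constructed log lines using well-known test card numbers.
SAMPLE_LOG = [
    "2014-05-01 10:02:11 POS7 swipe raw=%B5555555555554444^DOE/JOHN^17121010000000000?",
    "2014-05-01 10:02:12 POS7 swipe raw=;4111111111111111=17121010000000000?",
    "2014-05-01 10:03:40 POS7 order ref ;4111111111111112=1712? (check digit wrong)",
    "2014-05-01 10:04:02 POS7 approved amount=25.00 pan=411111******1111",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    for line in SAMPLE_LOG:
        print(redact(line))
```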

EMV & ISO Data Elements

Table columns: Data Element; Tag; Description as per EMV 4.2 Book 3 Table 33 or ISO Specification; Bit Map (if 55 then only in 55); 1100; 1110; 1200; 1210; 1300; 1310; 1320; 1330; 1340; 1350; 1400; 1410; 1420; 1430; Receipt

Application Selection Indicator: For an application in the ICC to be supported by an application in the terminal, the Application Selection Indicator indicates whether the associated AID in the terminal must match the AID in the card exactly

Authorisation Response Cryptogram (ARPC): Cryptogram generated by the issuer and used by the card to verify that the response came from the issuer. Included in Tag 91

Card Status Update (CSU): Contains data sent to the ICC to indicate whether the issuer approves or declines the transaction, and to initiate actions specified by the issuer. Transmitted to the card in Issuer Authentication Data.

Certification Authority Public Key Check Sum: A check value calculated on the concatenation of all parts of the Certification Authority Public Key (RID, Certification Authority Public Key Index, Certification Authority Public Key Modulus, Certification Authority Public Key Exponent) using SHA-1 [44 P1.8 M]

Certification Authority Public Key Exponent: Value of the exponent part of the Certification Authority Public Key [44 P1.6 M]

Certification Authority Public Key Modulus: Value of the modulus part of the Certification Authority Public Key [44 P1.4 M]

Default Dynamic Data Authentication Data Object List (DDOL): DDOL to be used for constructing the INTERNAL AUTHENTICATE command if the DDOL in the card is not present. Shall only contain the Tag and Length for Unpredictable Number (tag 9F37)

Default Transaction Certificate Data Object List (TDOL): TDOL to be used for generating the TC Hash Value if the TDOL in the card is not present. No one requires a default be set

Enciphered Personal Identification Number (PIN) Data: Transaction PIN enciphered at the PIN pad for online verification or for offline verification if the PIN pad and IFD are not a single integrated device [52 CNA CNA CNA CNA]

Maximum Target Percentage to be used for Biased Random Selection: Value used in terminal risk management for random transaction selection

Message Type: Indicates whether the batch data capture record is a financial record or advice

Personal Identification Number (PIN) Pad Secret Key: Secret key of a symmetric algorithm used by the PIN pad to encipher the PIN and by the card reader to decipher the PIN if the PIN pad and card reader are not integrated

PIX: Proprietary Application Identifier Extension

Processing Code: A set of numbers that describe the type of the transaction as well as the account

Proprietary Authentication Data: Contains issuer data for transmission to the card in the Issuer Authentication Data of an online transaction.

RID: Registered Application Provider Identifier [44 p1.1a M]

Target Percentage to be Used for Random Selection: Value used in terminal risk management for random transaction selection

Terminal Action Code – Default: Specifies the acquirer‘s conditions that cause a transaction to be rejected if it might have been approved online, but the terminal is unable to process the transaction online

Durbin in Context

An Industry Seeking Answers


Multi-Access and Multi-Application

AID – Application Identifier
• The AID is the name of the directory in the chip that contains the keys, certificates, parameters and counters, and identifies the “application”
• The AIDs are registered by the payment networks:
  – Visa (credit or debit) A000000003 1010
    Visa Electron A000000003 2010
    Visa Interlink A000000003 3010
    US Common Debit A000000098 0840
  – MasterCard A000000004 1010
    Maestro Int’l A000000004 3060
    US Maestro A000000004 2203
  – Amex A000000025 01XX
  – JCB A000000065 1010
  – Discover A000000324 1010
  – DNA Common Debit A000000620 0620

Application
• The Payment Networks’ Card and Terminal specifications define the software required in the card and how the terminal will employ the EMV tool kit
• Each Payment Network has invested in defining, maintaining and certifying implementations of their specifications
  – Amex – AEIPS
  – Discover – D-Pas
  – MasterCard – MChip
  – Visa – VIS
• The Visa and MasterCard specifications define methods of sharing data between two or more AIDs to support US Debit requirements
• Card and terminal vendors develop and request type approval of their products
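How a terminal turns these AIDs into the candidate list from the application-selection slide depends on the Application Selection Indicator: exact match or partial match. Added example (not part of the original deck, and not any network's terminal code): candidate list building for constructed cards, using AIDs listed above. The per-AID match settings and the ordering of applications without a priority are assumptions.

```python
"""Added example: build an EMV candidate list from card and terminal AIDs."""

# Terminal configuration (constructed). The AIDs are taken from the list above;
# whether each entry demands an exact match (its Application Selection
# Indicator) is an assumption made for this example.
TERMINAL_AIDS = [
    {"aid": "A0000000031010", "label": "Visa (credit or debit)", "exact": False},
    {"aid": "A0000000980840", "label": "US Common Debit", "exact": True},
    {"aid": "A0000000041010", "label": "MasterCard", "exact": False},
    {"aid": "A0000000042203", "label": "US Maestro", "exact": True},
]

# US-specific debit AIDs that appear in the list above.
US_DEBIT_AIDS = {"A0000000980840", "A0000000042203", "A0000006200620"}


def split_aid(aid_hex: str):
    """Return (RID, PIX): the RID is the first 5 bytes, the PIX the rest."""
    aid = aid_hex.replace(" ", "").upper()
    raw = bytes.fromhex(aid)                 # ValueError on non-hex input
    if not 5 <= len(raw) <= 16:
        raise ValueError(f"AID must be 5 to 16 bytes, got {len(raw)}")
    return aid[:10], aid[10:]


def matches(card_aid: str, entry: dict) -> bool:
    """Exact match, or partial match where the terminal AID is a prefix."""
    if entry["exact"]:
        return card_aid == entry["aid"]
    return card_aid.startswith(entry["aid"])


def candidate_list(card_apps, terminal_aids=TERMINAL_AIDS):
    """Return the mutually supported applications in priority order."""
    candidates = []
    for app in card_apps:
        rid, pix = split_aid(app["aid"])
        aid = rid + pix
        for entry in terminal_aids:
            if matches(aid, entry):
                candidates.append({
                    "aid": aid,
                    "rid": rid,
                    "label": entry["label"],
                    "priority": app["priority"],
                    "us_debit": entry["aid"] in US_DEBIT_AIDS,
                })
                break
    # Priority 1 is highest and 0 means none assigned.
    # Assumption: applications without a priority are offered last.
    candidates.sort(key=lambda c: (c["priority"] == 0, c["priority"]))
    return candidates


def next_step(candidates) -> str:
    """What the terminal does with the finished candidate list."""
    if not candidates:
        return "no mutually supported application"
    if len(candidates) == 1:
        return "select " + candidates[0]["aid"]
    return "offer choice: " + ", ".join(c["label"] for c in candidates)


# Constructed cards: each application has an AID and a priority.
DEBIT_CARD = [
    {"aid": "A000000003 1010", "priority": 1},
    {"aid": "A000000098 0840", "priority": 2},
]
EXTENDED_CARD = [
    {"aid": "A000000003101001", "priority": 0},   # extra PIX byte, partial match
    {"aid": "A000000098084001", "priority": 1},   # extra PIX byte, exact match fails
]
UNSUPPORTED_CARD = [{"aid": "A000000324 1010", "priority": 1}]

if __name__ == "__main__":
    for card in (DEBIT_CARD, EXTENDED_CARD, UNSUPPORTED_CARD):
        print(next_step(candidate_list(card)))
```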


Durbin introduced Merchant Choice as a Matter of Law

The Durbin amendment changed Debit Cards operations

– Reduced Interchange fees earned by debit card Issuers

– Required Issuers to define two unaffiliated routes for each transaction

The Federal Reserve issued Regulation II

Reg. II was implemented October 2011

July 31st 2013: Judge Richard Leon remanded Regulation II back to the Federal Reserve

March 21st 2014: The Court of Appeal found for the Board of Governors of the Federal Reserve System

April 30th 2014: The EMV Migration Forum published “U.S. Debit EMV Technical Proposal”

Much Work Still To Do

• Debit Networks must define how EMV transactions will be processed
• Each Debit network must license or develop an EMV application
• Visa and MasterCard must publish the US Debit specifications
• Debit Networks must upgrade to support field 55
• Merchants, acquirers, POS vendors and processors must implement a Debit solution
• Merchant and acquiring terminals and Interfaces must be certified
• The framework for Contactless must be defined

Debit Conundrum Score Card

Columns: Network; Owner; MasterCard; Visa; Specs Issued (empty cells omitted)

AFFN
Alaska Option
Allpoint
ATH
Cirrus: MasterCard, done, done, Yes
CU-24: done
Interlink: Visa, done, done, Yes
Jeanie: Vantiv
Maestro: MasterCard, done, done, Yes
Money Pass
Nets
NYCE: FIS, done, done, Yes
Plus: Visa, done, done, Yes
Presto
Pulse: Discover, done, done, Yes
Shazam: done, done
Star: First Data, done, done
The Co-op: done
The Exchange/Accel: Fiserv, done, done, Yes

Dispelling Myths

• EMV was designed to address counterfeit and lost and stolen fraud in the physical world
• Proximity (NFC) mobile payments are based on EMV specifications
• Near Field Communications or NFC is a communication protocol
• Once EMV is fully deployed it significantly reduces the value of the data that can be acquired by breaking into payment systems
• To address card not present or shopping on the Internet, an EMV capable card reader (contact or contactless) could be deployed, utilizing 3D-Secure
• EMV uses cryptography to create dynamic digital signatures – the ARQC, ARPC and TC
• Tokenization, End to End Encryption and EMV complement each other

EMV Is Driven by Cryptographic Processes

At its core EMV is about using cryptography to assure that the card is authentic at both the terminal and when the transaction is seen by the Issuer’s host.

The Key to Secure Identification

Multi-Factor Authentication

– Something You Have The Token = Card

– Something You Know The Secret = PIN

– Something You Are Biometric = You

Offering Issuers Fraud Protection & Future Flexibility

Authentication and Confidentiality Requires Cryptography

Symmetric
– One participant establishes a secret and shares the secret key S with other participants
– Triple DES algorithm is used for on-line PIN security
– EMV employs Triple DES for On-line Authentication
– Sharing the secret key with too many parties puts the secret key at risk

Asymmetric
– Each participant establishes a unique pair of keys: public key P and secret key S
– Public Key cryptography is used to assure authenticity and security on the Internet
– EMV employs RSA for Off-line Authentication
– Each participant has a unique secret key they do not share

Primer in Symmetric Cryptography

Online Authentication is based on Triple DES

[Diagram: Bob and Sally hold the same Secret. DATA is hashed and signed (TDES Sign) or encrypted (TDES Encrypt) with the Secret on one side, and the Signature is verified (TDES Verify) or the data decrypted (TDES Decrypt) with the same Secret on the other.]

S – Secret Key

Primer in Public Key Cryptography

Offline Authentication is Based on RSA

[Diagram: Bob and Sally each hold a key pair. DATA is hashed and signed with Bob's secret key S(Bob) (RSA Sign) and the Signature is verified with Bob's public key P(Bob) (RSA Verify); DATA is encrypted with Sally's public key P(Sally) (RSA Encrypt) and decrypted with Sally's secret key S(Sally) (RSA Decrypt).]

S – Secret Key
P – Public Key

Founders of the RSA Algorithm: Ron Rivest, Adi Shamir, Leonard Adleman

RSA Issuer Certificate Request Process

From Issuer
– BIN
– Cert. Exp. Date

From Oberthur
– Public Key
– Hash
– Self Signed Certificate

[Diagram labels: BIN (Test/Live), Tracking #, Public Key, Private Key, Oberthur Certification Request, Certificate Authority (Visa/MC), BIN, Issuer Public Key, Certificate]