EMV, P2PE and Tokenization - T2 Connect 2015

dave.witts@creditcall.com www.Creditcall.com/emv-migration
philipyu@t2systems.com www.T2Systems.com
17 November 2015 | 1
Dave Witts
President US Payment Services, Creditcall
Philip Yu
Director of Product Management, T2 Systems
EMV, P2PE &
Tokenization

Agenda
• Current EMV statistics in the US
• Weapons against fraud – EMV, P2PE & Tokenization
• What happens during a EMV certification, what’s required?
• The current state of EMV certifications in the US
• What happens during a P2PE certification, what’s required
• What has caused the delays?

Current EMV Statistics
575 million EMV cards to be issued by the end of 2015
59% of retail locations will be EMV-compliant by the
end of 2015
78,800 EMV chip-activated merchant locations
70% of U.S. credit cards will be issued as EMV cards by
the end of 2015

Current EMV Statistics
86% of financial institutions plan on issuing EMV debit cards BY 2015
$3.50 Average cost for issuing a new EMV card
$500 Average cost of an EMV-compliant POS terminal
Sources: Javelin Research & Strategy, Aite Group, 2014 PULSE Debit Issuer Survey

Weapons Against Card Fraud

Without P2PE

With P2PE

P2PE PCI P2PE (Certified ) P2PE (Non-Certified)
P2PE implementation manual
for merchant to follow
Mandatory - Merchants must follow PIM to get PCI P2PE protectionNot defined
Secure supply chain Mandatory - Merchants must use scheme defined by solution
provider
Not defined
PCI DSS de-scoping Yes - If merchant is only using PCI P2PE certified solution to take
card payments; Merchants can complete a PCI DSS SAQ designed
for P2PE
No - It remains each processor’s
decision as to whether the solution
offers any de-scoping of PCI DSS
PINpad key injection cost Yes Yes
PINpad encryption licence cost Yes Yes
Solution provider costs to
provide encryption
Yes Yes
Certification costs Solution provider has to cover costs of P2PE assessment. Merchant
should have lower PCI DSS costs if only using certified solution
Merchant has all the cost of PCI
DSS
P2PE vs. PCI P2PE

Tokenization
• “The replacement of a credit card number and expiry
date with a non-sensitive equivalent that has no
exploitable value.”
• A Payment Gateway organisation would return a token
of the card number and expiry date for every
transaction authorization received. This can be stored
by the merchant with no special precautions, and used
in place of the actual card number for any subsequent
transaction.

Key Benefits of Tokenization
• Improved customer experience in e-Commerce.
• Saves having to ask cardholder to re-enter card
number and expiry date.
• Far more secure than the merchant storing actual
card details.
17 November 2015 | 10

17 November 2015 | 11
Tokenization Proprietary Gateway Scheme
Complexity Simple
Re-usable for other payments Yes
Online/Offline Online
Real-time 3rd party dependency (i.e.
token service provider)
No
Works with existing magstripe cards Yes
Cost None
Cross gateway compatible No
Tokenization

What Happens During EMV Certification –
Typically up to 16 Months
1) Select an EMV Card Reader – 3 Months
• A card reader is where a large part of an EMV transaction takes place
through a complex dialogue between the chip card and the reader.
• Integration must invest time in learning about EMV (e.g. Application
Selection, Data Authentication, Online Processing and Issuer Script
Processing), transaction flows, transaction logic and of course, exception
handling when an inevitable error occurs in the transaction.
17 November 2015 | 12

2) Processor Interfaces and EMV Messages – 6 Months
• Different processors require every interface will need to be modified to
support the new EMV data fields and process flows.
• Most interfaces are based on legacy code developed many years ago, the
addition of new features such as EMV becomes an increasingly difficult task.
• Processors will have scaled their integration support sufficiently to cope with
the mass of other integrators who will be following the same path.
17 November 2015 | 13

3) Card Brand Certifications – 4 months
• Once processor interfaces have been updated, the complex task of end-
to-end testing and certification begins.
• M-TIP/ADVT/AEIPS/DPAS are the 4 different testing types required.
• Processors have not been able to cope with the volume of certifications
required before the October 2015 Liability Shift and continue to struggle.
• This is NOT a one-time process – it must be repeated every three years
when the EMV Kernel certification on the card reader expires.
17 November 2015 | 14

What happens during EMV certification –
Typically 16 months
4) Terminal Management System – 3 months
• It is essential that any EMV solution deployed has access to a TMS
platform for efficient and timely deployment of updates.
• Without a TMS platform, there is a risk of having card readers
without current software or the latest configuration.
17 November 2015 | 15

Current State of US EMV Certifications
• Unattended certifications have been delayed due to
attended taking priority by the processors.
• Attended has larger $$ volumes that concern processors
• Unattended certifications are scheduled to start in Q4
2015 with a 3-4 month window of completion.
• If certification fails at any stage, must start from the
beginning, important that all is ready before certification.
17 November 2015 | 16

Current State of US EMV Certifications
VeriFone VX820 for attended transactions currently EMV
certified with First Data and Chase. EMV certification with Elavon
expected Q4 2015, Global Payments & TSYS Q1 2016,
Heartland Q2 2016.
Globalcom BV1000 for unattended transactions has EMV
scheduled certifications with First Data, Chase, Elavon, Global
Payments, Vantiv, & TSYS Q2 2016 , Heartland scheduled for Q3
2016.
17 November 2015 | 17

17 November 2015 | 18
What is P2PE Certification

It is a solution comprising of components that store, processes
and transmit account data as part of a payment authorization or
settlement, while performing cryptographic key management
functions.
Every transaction is uniquely encrypted at source and only
decrypted once in the secure Payment Gateway for processor
authorization.
17 November 2015 | 19
?!
@#

The solution is deployed and maintained in a fully traceable, and secure
manner with clearly defined roles and responsibilities for all parties
involved throughout the life of the product thus ensuring compliance
integrity.
The PCI SSC certify that the solution meets the PCI P2PE standards
and list the solution on the PCI website:
17 November 2015 | 20
https://www.pcisecuritystandards.org/approved_companies_providers/validated_
p2pe_solutions.php

Key Benefits of P2PE
Implementation of a PCI certified P2PE solution may reduce PCI DSS
assessment scope for merchants.
Is the highest level of cardholder data security available.
Simplified payment processing architecture.
17 November 2015 | 21

17 November 2015 | 22dave.witts@creditcall.com www.Creditcall.com/emv-migration
Manufacturers
PCI PTS
PIN Entry Devices
Software
Developers
PCI PA-DSS
Payment
Application Vendors
Acquirers, Payment
Gateways,
Software
Developers & KIFs
PCI P2PE
Security Standard
Merchant &
Processors
PCI DSS
Data Security
Standard
Potentially
Reduced
The PCI Family & Relationship

17 November 2015 | 23dave.witts@creditcall.com www.Creditcall.com/emv-migration
Review of P-RoV by the PCI SSC
The P2PE Assessor determines the scope and assesses key-injection facilities,
Certification Authorities, device, applications, deployment and merchant support
mechanisms. They prepare the P-RoV and submit to the PCI SSC for review
The P2PE Solution Provider the provides access to the P2PE solution to the
Assessor
The P2PE Solution Provider Selects a P2PE Assessor • Solution Provider must have confidence
of compliance before starting the
assessment.
• The assessment is completed by a
independent PCI approve QSA
assessor.
• Involves evidence gathering and
potentially multiple site visits to produce
a P2PE Report of Validation (P-RoV)
• PCI SSC review and listing timescales
determined by the quality of the P-RoV
and the PCI SSC workload.
The P2PE Assessment Process

Delays we are Seeing in the Parking Industry
• Attended vs Unattended
• Delays in device manufacturers being ready to certify
• Processors not prepared for volumes
• Delivery times for devices
17 November 2015 | 24

If you have any questions, please contact:
Dave Witts
President of US Payment Systems
Creditcall Corporation
1133 Broadway, Suite 706, New York, NY 10010
609 339 9080
dave.witts@creditcall.com
Dave.Witts59
If you have any questions, please contact:
Philip Yu
Director, Product Management
T2 Systems
8900 Keystone Crossing, Suite 700, Indianapolis, Indiana 46240
317 524 7470
philipyu@t2systems.com

EMV, P2PE and Tokenization - T2 Connect 2015

Recommended

Recommended

More Related Content

More from Creditcall

More from Creditcall (7)

Recently uploaded

Recently uploaded (20)

EMV, P2PE and Tokenization - T2 Connect 2015

Editor's Notes