EMV and NFC migration in the US
 

EMV and NFC migration in the US

on

  • 3,152 views

Frost & Sullivan recent white paper entitled “Managing the Migration to EMV and NFC Payment Technology – How to ensure the successful and efficient market deployment of a product”, provides ...

Frost & Sullivan recent white paper entitled “Managing the Migration to EMV and NFC Payment Technology – How to ensure the successful and efficient market deployment of a product”, provides United States (U.S.) payment card issuers and acquirers with an insight into the EMV standards landscape. The document, which follows announcements from U.S. payment systems in 2011 regarding their commitment to accelerate EMV adoption, also explains how this infrastructure can support next generation payment solutions such as NFC.

Statistics

Views

Total Views
3,152
Views on SlideShare
2,598
Embed Views
554

Actions

Likes
0
Downloads
102
Comments
0

8 Embeds 554

http://www.frost.com 286
http://blogs.intuit.com 253
http://www.twylah.com 5
http://emv-cards.com 3
http://www.gilcommunity.com 3
http://gilcommunity.com 2
http://www2.frost.com 1
http://www.frost.com.ezp1.lib.umn.edu 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

EMV and NFC migration in the US EMV and NFC migration in the US Document Transcript

  • 50 Years of Growth, Innovation and LeadershipTitleManaging the Migration to EMV and NFC Payment Technology:How toSubtitle ensure the successful and efficient market deployment of a product A Frost & Sullivan White Paper Jean-Noël Georges www.frost.com
  • Frost & Sullivan Introduction............................................................................................................................. 4 EMV and NFC:The Opportunities Created by a Chip Landscape..................................... 6 The Drivers for Worldwide Deployment of EMV Secure Chip Payment Technology...... 7 The Chip-Based Infrastructure and Other Technologies.................................................... 7 NFC: An Emerging Technology............................................................................................. 8 The Added Value of the NFC-Based Mobile Payments....................................................... 8 Specifications and Standards: Creating an Interoperable Payment Landscape............... 9 Contactless Payment Standards and the Challenges Between Stakeholders.................. 10 Union of the Payment Systems............................................................................................. 10 Solution Development and Testing: How to Implement a Trusted and Sustainable Infrastructure ........................................... 11 What an Issuer or a Personalization Bureau Should Remember Before Introducing an EMV/NFC Product........................................................................................ 12 Selection of a Vendor Product.............................................................................................. 12 Evaluation of the Risk........................................................................................................... 12 Impact on the Personalization Process............................................................................... 13 Undertaking Personalization Testing................................................................................... 14 What an Acquirer or a Processor Needs to Understand When Deploying EMV/NFC POS Terminals.................................................................................... 15 Standards and Specifications............................................................................................... 15 Transaction Process to be Adapted...................................................................................... 15 POS Terminal Infrastructure to Fit EMV Requirements...................................................... 15 New Authentication Process................................................................................................. 15 Configuration of the Terminals to Meet the Requirements of Merchants and Other Stakeholders................................................................................ 16 Terminal Testing Prior to Market Launch............................................................................ 16 CONTENTS
  • Frost & SullivanWhat a Merchant Needs to Take into Account.................................................................... 17 Impact on Small to Medium Sized Merchants.................................................................... 17 Impact on Large Organizations........................................................................................... 17Markets Integration Strategy................................................................................................ 18 Local Knowledge and Local Presence.................................................................................. 18 Knowledge of EMV, NFC and Dedicated Brand Specificities............................................. 18 Engaged Across Sectors......................................................................................................... 19 Third-Party Accredited.......................................................................................................... 19The Last Word......................................................................................................................... 20 Ensure You Have an EMV and NFC Strategy...................................................................... 20 Know What Standards Must be Achieved............................................................................ 20 Plan for Testing and Certification Time............................................................................... 20 Continually Look to the Future............................................................................................ 20 CONTENTS
  • Frost & Sullivan INTRODUCTION Migration to EMV® provides an opportunity for issuers and acquirers within the United States (U.S.) to implement secure chip technology that will deliver value-added and convenient services to end-users. While U.S. stakeholders can learn from different markets, they also have the chance to lead the global payments industry in deploying an advanced payment network by implementing a framework that is scalable and will support the next generation of payment solutions, including near field communication (NFC). Ensuring that a payment product will be fully interoperable with existing and future infrastructures and can be successfully integrated into the marketplace, is fundamental to achieving a secure chip payment environment that reaches its full potential. This requires: • The development of functional and security standards that must be adhered to by all stakeholders. • An established and agreed upon testing process for cards, devices and software that can certify that a product will perform as advertised. • Market stability and confidence by ensuring new regulation and functional requirements are fully backward compatible, minimizing investment risk. This white paper provides U.S. issuers and acquirers with an insight into the EMV standards landscape. It offers advice into how technology development costs can be contained by understanding which functional and security standards are stipulated by the secure chip payment industry. An appreciation of the certification process will result in a shorter time to market and ensure no unforeseen delays are incurred during the final stages of product development. The paper also outlines the industry standards that are not mandatory but are shaping the next-generation payment ecosystem. These standards will protect product investment as the market continues to advance at a significant pace and industry sectors converge to deliver services through new channels such as NFC. The paper concludes by highlighting the unique opportunity available to the U.S. payments market to create a combined EMV and mobile payment strategy. Using the experiences of other countries that have implemented EMV, and the success of NFC trials globally, it can aim to achieve both EMV and NFC in a single migration project. 4 Frost.com
  • Managing the Migration to EMV and NFC Payment TechnologySponsor’s Word“FIME is delighted to sponsor and contribute to this white paper developed by Frost & Sullivan.We believe this document is a must-read and will serve as a valuable reference source toissuers and acquirers in the U.S. who are about to embark on an EMV implementation project.“To ensure optimum return on investment, U.S. stakeholders involved in the implementationof EMV should acknowledge today future requirements and plan accordingly. Consultanciessuch as FIME invest significant resources to understand long-term market needs to assiststakeholders in developing sustainable technology implementations, as well as guide partiesthrough the testing and product certification stages.“FIME has over 15 years of experience supporting stakeholders that have implementedEMV — and increasingly NFC — solutions globally. During this time, we have developed ourknowledge not only on the standards that are mandatory, but also the specifications thatwill support the next generation of payments and the delivery of value-added services. Asmarkets converge to offer new and exciting payment tools, the ability to adapt quickly andsecurely will be key to gaining market share and consumer confidence.“Working with market integration consultancies that can offer strategic advice, test toolsand certification services, ensures EMV and NFC technologies can successfully integratewith other solutions and easily accommodate upgrades. This significantly reduces a solution’stime to market.”“It is without doubt an exciting time for the U.S. payments community. We look forward tosharing our secure-chip expertise and working with you to advance this landscape.”Pascal Le RayGeneral Manager, FIME Frost.com 5
  • Frost & Sullivan EMV AND NFC: THE OPPORTUNITIES CREATED BY A CHIP LANDSCAPE At the end of 2011, Frost & Sullivan estimated that there were more than 1.5 billion EMV-compliant cards in circulation. By 2017, it is predicted that almost the entire world will have completed, or will be close to completing, the EMV migration process. Figure 1: Status of EMV standard implementation, March 2012 EMEA EMV cards: 850 M. EMV terminals: 13.0 M. Asia Pacific EMV cards: 396 M. EMV terminals: 5.1 M. Americas EMV cards: 345 M. EMV terminals: 5.1 M. Penetration of EMV One or more banks Early preparation No preparation for cards, POS, and/or ATMS are migrating or have for EMV migration EMV migration is above 50 percent migrated to EMV Source: EMVCo,Visa, MasterCard, Frost & Sullivan analysis The United States (U.S.) is the only country that is still in the preparation stage for EMV migration. Stakeholders of the U.S. payment industry cannot afford to isolate their ecosystem, especially as consumers and businesses look to embrace technological advances and new payment tools. 6 Frost.com
  • Managing the Migration to EMV and NFC Payment TechnologyTHE DRIVERS FOR WORLDWIDE DEPLOYMENT OF EMVSECURE CHIP PAYMENT TECHNOLOGYEMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCardand Visa, maintains and advances secure-chip payment technology. To date, the EMVsecure-chip standard forms the basis for the payment infrastructure across Europe, Canadaand many countries within the Asia-Pacific region.The migration to secure-chip technology has been fueled by a number of factors: 1. Security: The EMV standard and payment system security mechanisms work together to enhance payment card security. 2. Fraud migration: Fraud rates have been relatively low in the U.S. compared to the rest of the world, but they may soon rocket as fraud migrates to non-compliant EMV countries. This change will predominately be driven by the migration to the EMV standard in Mexico and Canada. 3. Liability shift: The liability for fraudulent transactions will shift from issuers to acquirers and retailers by 2015 in the U.S. As a result, the acceptance of chip bank cards will increase. 4. Flexibility: This is probably the key word for this technology. Indeed, the capability to manage the risk based on card present or not present for online or offline payments is the perfect approach for a reliable product. 5. Interoperability: EMVCo works to maintain an interoperable and open ecosystem based on the standard. 6. Value-added services: EMV technology is closely associated with cost savings in relation to mitigating against fraudulent activity. The migration to EMV is also an opportunity to develop new partnerships that will support additional revenue generation beyond traditional payment transactions. This includes payment-enabling technology, such as downloading a train ticket onto a mobile phone and using this as proof of purchase, or using a mobile coupon in a retail store. 7. Global acceptance: For financial institutions that have customers traveling internationally, an EMV payment card is required to successfully undertake payments abroad.THE CHIP-BASED INFRASTRUCTURE AND OTHER TECHNOLOGIESThe migration to EMV in the U.S. creates an environment that will support other chip-basedtechnologies such as near field communication (NFC).Frost & Sullivan believes that the successful deployment of NFC-based payments depends on the end-user experience. It is important to note that EMV development in an NFC environment supports arange of different business models to manage risk and customer experience. This paper will furtherdescribe the added value that the NFC technology will bring to the payment ecosystem. Frost.com 7
  • Frost & Sullivan NFC: AN EMERGING TECHNOLOGY If well implemented, NFC has the power to accelerate the decision-making process when purchasing goods by providing more chances for both consumers and service providers to interact. Figure 2: Example of current and expected NFC commercial rollouts, 2012 United Kingdom Quick Tap France AEPM China China Unicom United States China Telecom Google Wallet UnionPay ISIS Singapore iDA Turkey BonusluAvea Cep-T-Cüzdan Australia CBA NFC Commercial Rollout Expected NFC commercial rollout The figure above provides a small sample of current and future NFC projects around the world. The U.S. payment industry can learn from the experiences of other countries using contactless payments and has the opportunity to directly implement a contactless and EMV- compliant payment ecosystem. THE ADDED VALUE OF THE NFC-BASED MOBILE PAYMENTS Paying with a mobile phone is not a new idea; many technologies like SMS or USSD render the same services. Hence, it is valid to ask what advantages NFC has over other mobile payment technologies: Customer experience: NFC provides new ways of interaction for both merchants and consumers. Advertising through smart (contactless-enabled) posters, location-based services and highly customized loyalty programs are some of the approaches marketers can use to move from a “push” to a “pull” marketing strategy. More revenue for the merchants: The change of marketing strategy approach is expected to generate more frequent visits of customers to the stores, higher coupon redemption rates and more sales. 8 Frost.com
  • Managing the Migration to EMV and NFC Payment Technology Multiple applications: Besides payment, loyalty programs and couponing, NFC can be the enabling technology for a plethora of applications, such as transport ticketing, social networking (e.g., exchange of business cards) and access control. Security: NFC-based mobile payments can be equipped with bank-grade security. In fact, NFC-based mobile payments can be EMV-compliant, adding all the benefits and security of the EMV standard to the mobile payment services.SPECIFICATIONS AND STANDARDS: CREATINGAN INTEROPERABLE PAYMENT LANDSCAPEThe payment industry is facing a revolution as mobility becomes a standard. Consumers arelooking for a payment solution that is available “anywhere, anytime”; in line with the nature ofother technologies that they use in their everyday lives.To support these changes, it is crucial that financial institutions adhere to existing standardsin order to create a trusted and stable ecosystem. According to Frost & Sullivan’s research,it is particularly important for financial institutions to adhere to standards enablinginteroperable security mechanisms as convenience is considered by consumers to be themost valued feature of a payment solution. For instance, specific EMV requirements for riskmanagement, such as online and offline authentication or the Cardholder Verification Method(CVM), can be leveraged to build a secure payment mechanism.Moreover, in countries where EMV has been widely deployed, financial institutions shoulddevelop payment solutions that are compliant to EMV to protect previous investments andensure compatibility with established systems.In countries where EMV is still in its infancy, like the U.S., financial institutions can benefit fromthe adherence to EMV as a means to ensure a globally interoperable payment solution. Somebanks in the U.S., such as JP Morgan Chase, Wells Fargo and the U.S. Bank, are aware of theimportance of global interoperability and they have issued EMV cards to their customers whofrequently travel.Finally, and it is probably the most important change for the U.S. market, financial institutionshave agreed to the liability shift policy. This policy is implemented by card associationswhich have decided to expand and accelerate the EMV infrastructure deployment in theU.S. by adopting a plan (effective October 2015) which encourages interested merchantsto switch to a contact and contactless chip terminal to avoid possible fraud. It is importantthat any contact and contactless chip cards issued can benefit from top-of-the-rangepayment cryptographic mechanisms by using a dedicated payment terminal.The liabilityshift supports this strategy as it will be the merchant’s acquirer that will be responsible forfunding the cost of fraudulent activity if a contact or contactless chip payment terminal hasnot been implemented. Frost.com 9
  • Frost & Sullivan CONTACTLESS PAYMENT STANDARDS AND THE CHALLENGES BETWEEN STAKEHOLDERS The arrival of contactless technologies, namely contactless payment cards and NFC, has modified the payment industry. This change is a great opportunity for each country to implement the latest and most up-to-date payment mechanisms and associated standards. Contactless features that are deployed based on existing and validated payment infrastructures will be accelerated. EMV contactless solutions should be seen as good examples of this evolution. The same example could be applied to a mobile contactless payment solution. In an ideal world, the NFC payment solution will perfectly fit to the actual card’s payment process and will be interoperable worldwide. Instead of reinventing the wheel, it is opportunistic to use existing processes and it will be more efficient for all stakeholders to adopt a set of common standards and open platforms. Besides the evolution of technical solutions, there is a need to focus on regional and brand variations that new payment solutions are subjected to.When it comes to contactless payments, each payment scheme has developed its own solution, for instance, MasterCard PayPass, Visa payWave, American Express expresspay and JCB J/Speedy. These solutions will be included in the payment infrastructure after being certified by accredited test laboratories. UNION OF THE PAYMENT SYSTEMS In summer 2011,Visa announced plans to accelerate the use of EMV cards. This announcement is in line with the global strategy; Visa’s Technology Innovation Program (TIP) will be expanded into the U.S. with an effective date in October 2012. This is a program that will give the merchants the capability to process contact and contactless EMV transactions with the use of dual-interface terminals. Following the same strategy, MasterCard announced at the end of January 2012 its U.S. roadmap to enable the next generation of electronic payments. It paves the way for the migration from the magstripe to EMV technology. EMV standards will then become the backbone and the foundation for the next generation of payments. The acquirer infrastructure will have to be modified, and the targeted deadline has been set for April 2013. Finally, in June 2012, American Express revealed its roadmap to advance EMV chip-based contact, contactless and mobile payments for all merchants, processors and issuers of American Express-branded cards in the U.S. It is also important to mention some regional standards for North America. Interac is currently rolling out Interac Flash (a contactless solution for EMV-based secure chip processing) and in mid-March 2012, Discover Financial Services announced an initiative to bring EMV chip card payments to the U.S. Discover payment network. EMV-compliant cards will continue to be deployed in 2012 across the Diners Club, PULSE and Discover Card networks.The plan describes the different steps to reach April 2013 as the key date for merchants and acquiring processors to be certified to support contact and contactless EMV chip card transactions. 10 Frost.com
  • Managing the Migration to EMV and NFC Payment TechnologyTo make a contactless payment process as safe as possible in accordance with internationalsecurity payment standards there is a need to have a secure element. GlobalPlatform1, withthe launch of its compliance program, announced in February 2012 that it will align its secureelement program with the mobile payments certification structures provided by EMVCo.As for standard bank card payment brands, ISIS2 is deploying a brand for mobile wallet paymentin the U.S. ISIS is one of the most advanced entities to coordinate and accelerate the walletecosystem in the U.S. The “ISIS ready” brand could then be used by merchants in a similarmanner to how the MasterCard or Visa logo is used today to generate consumer confidencethat a transaction will be secure.SOLUTION DEVELOPMENT AND TESTING:HOW TO IMPLEMENT A TRUSTED AND SUSTAINABLE INFRASTRUCTUREIt is clear that there are many benefits of migrating to a chip-based payment solution. Thedecision process and efforts of how this activity will be implemented, however, will differdepending on the company positioning within the payment value chain. Frost & Sullivan hasdefined three groups that will be directly impacted by an EMV and NFC migration: issuers andpersonalization bureaus, acquirers and processors, and merchants.Figure 3: Impact level per profile, 2012 Issuers - Perso Bureau Acquirers - Processors Merchants Card POS Terminal Personalization Networks MINOR LOW MEDIUM HIGH IMPORTANT Source: Frost & Sullivan analysis 1 GlobalPlatform is a cross-industry, not-for-profit association that identifies, develops and publishes specifications that facilitate the secure and interoperable deployment and management of multiple embedded applications on secure chip technology. 2 The Isis™ joint venture is between AT&T Mobility LLC, T-Mobile USA and Verizon Wireless. The Isis mobile commerce network will be available to all merchants, banks, payment networks and mobile carriers. Frost.com 11
  • Frost & Sullivan WHAT AN ISSUER OR A PERSONALIZATION BUREAU SHOULD REMEMBER BEFORE INTRODUCING AN EMV/NFC PRODUCT SELECTION OF A VENDOR PRODUCT To start deploying EMV-compliant and NFC-enabled products, card issuers should have a strategy in place. The first step is to focus on the chip card issuance process as it provides a solid foundation for the complete project.The embedded application is at the heart of the card for an EMV-compliant payment product and offers a good starting point. Indeed, the application could come from a card association such as Visa, MasterCard or American Express. The key point when selecting a payment solution is the compliance with the EMV and NFC standards based on the International Organization of Standardization (ISO) for contact and contactless interfaces. Regarding data management, the issuer and personalization bureau must conform to the Payment Card Industry Data Security Standards (PCI-DSS) regulations. But perhaps one of the most important aspects is that the vendor product should implement an appropriate chip card authentication mechanism to protect the integrity and authenticity of the chip card data and its corresponding PIN. Figure 4:The payment ecosystem, 2012 Source: Frost & Sullivan analysis EVALUATION OF THE RISK It is well known that cards interact with the payment schemes. The parameters, under which these interactions occur, may vary and provide different levels of security for authenticating a card, verifying the cardholder identity and approving the transaction. 12 Frost.com
  • Managing the Migration to EMV and NFC Payment TechnologyThese parameters include whether a transaction is performed online or offline and whetherthe cardholder verification method (CVM) is signature or PIN-based, among others. Currently,the U.S. payment industry uses magstripe cards, the transactions are online and the CVM issignature-based.With EMV-compliant cards, the embedded chip will be responsible for managing most of therisk parameters. For instance, the transactions could, by default, be performed offline (toreduce the processing time) and after a pre-established number of transactions, the approvalcan be performed online. Similarly, the CVM could be signature-based or PIN-based, or therecould even be no CVM. While U.S. consumers prefer to sign when paying, in the long term,PIN-based CVM could provide a higher degree of security and lower costs to merchants (asthe transaction fees will be smaller).The next step is to define the risk management approach. In the traditional approach, asingle set of risk parameters is defined for all cardholders. In contrast, the dynamic approachoffered by EMV defines a specific set of parameters for each cardholder (or for certain groupsof cardholders). The “customization” of risk parameters is based on the historical data of cardusage and card fraud. Using a dynamic and tailored approach can benefit the card issuer as itwill contain the risk to their operations.IMPACT ON THE PERSONALIZATION PROCESSEMV migration needs to be fully prepared, planned and defined. There is no doubt that thegreatest impact during EMV migration is on the issuer needing to modify: • The back office system (new personalization requirements, new data generation management, new way to manage the application life cycle) • The authorization system (new parameters to be able to handle new risk management, fraud monitoring and PIN management policies) • The customer service (customer relationship management)And, specifically for the NFC migration, there is a need for: • A payment software application or a walletAt the moment, there are no specific risk parameters for NFC-based payments. The NFCwallet application will need to be certified to fulfill contactless feature requirementsand to follow payment standards.In the U.S., much of the buzz surrounding NFC-based payments has been created by ISIS’ andGoogle’s offerings. ISIS has created a mobile commerce network and a payment brand intendedto augment customer awareness of NFC-based payments. Likewise, Google announced inMay 2011 that it will be part of this market with its Google Wallet based on its new openNFC product. Frost.com 13
  • Frost & Sullivan Although there is no standardized set of parameters for NFC-based payments, the NFC ecosystem will include new market participants, such as telecom service providers, and new procedures. For instance, some of these new procedures will include the life cycle management of the NFC payment application, and the management of the secure element. These functions will probably be performed by a Trusted Service Manager (TSM). The TSM provides a contact point between service providers and NFC mobile phones. Service providers can deliver NFC mobile phones with remote and secured multi-application management functionality through the TSM. UNDERTAKING PERSONALIZATION TESTING The upgrades of the card issuers’ systems, required by the EMV migration or a contactless payment program, need to be tested and certified. Indeed, EMVCo is an association that provides EMV specifications and certifications to ensure global interoperability of chip-based payments. Frost & Sullivan defines four different steps within the validation testing process for both contact and contactless cards. 1. The first step (Level 1 certification for card manufacturers) is to validate that the card is compliant to physical and electrical specifications. This may include supporting a given voltage or supporting different communication protocols, among others. 2. The second step (Level 2 certification for card vendors) is to verify that the operating system of the card and the embedded application for the EMV payment mechanism function properly. For example, this may mean that card vendors have to validate that the card supports different cryptographic functionalities. As a minimum, issuers should choose vendor products that have passed the Level 1 and Level 2 certifications. 3. The next step is for the issuer to validate the personalization of the card application according to the needs of the payment scheme’s requirements that the card complies with, such as MasterCard and Visa. 4. The last step is about certifying the manufacturing process used by the issuer and/or personalization bureau. The process consists of selecting a sample of (recently produced) cards and testing whether they contain the proper payment application and are personalized with the desired set of data. The process also includes validating the data processing. To be able to test these different steps, it is necessary to develop dedicated tools, or as most firms prefer, to receive assistance from a testing company. The choice is between doing in-house testing with an internal or a commercial test tool or debugging and validating with an accredited third party. Hence, opting for the second option is usually recommended. The chosen third party will provide a tool that will be able to simulate different scenarios to which a card will normally be exposed in the real world. During this process, potential errors will be identified and fixed. It is important to mention that contactless products must comply with specific brand requirements (MasterCard, Visa or American Express) as well as regional specifications such as SAMA SPAN for the Saudi banks network. 14 Frost.com
  • Managing the Migration to EMV and NFC Payment TechnologyWHAT AN ACQUIRER OR A PROCESSOR NEEDS TO UNDERSTANDWHEN DEPLOYING EMV/NFC POS TERMINALSSTANDARDS AND SPECIFICATIONSAccording to EMVCo, the requirements for acquirers/processors to be EMV-compliant can besummarized in the following three main domains: the terminal, the network and the backoffice system. As far as NFC is concerned, EMVCo is currently working with the telecomindustry and major market participants from the NFC ecosystem to develop the necessaryspecifications for mobile payments.TRANSACTION PROCESS TO BE ADAPTEDBack office systems, payment processing networks and platforms have to be upgraded tocomply with the EMV standard. And EMV-compliant transactions usually involve more volumeof data than a magstripe-based payment transaction. Furthermore, the data of EMV-complianttransactions is structured in a particular way.Hence, the payment processing network and platform should be able to retrieve that data andproperly route the payment transaction. The back office system should also be able to extractthe relevant data and correctly process it. And last but not least, the related fraud preventionand risk management systems should be upgraded.POS TERMINAL INFRASTRUCTURE TO FIT EMV REQUIREMENTSTerminals - including Point-of-Sale (POS) or Point-of-Interaction (POI) terminals, ATMs andunattended terminals - should be equipped to read the data from EMV-compliant cards.And similar to cards, terminals are subject to Level 1 (hardware) and Level 2 (software)certifications; in other words, acquirers and processors need to choose vendor products thatare already Level 1- and Level 2- certified. In the majority of cases, the upgrade of terminalsrequires replacing the entire terminal. If the acquirer (processor or merchant) happens tohave terminals with a slot for reading chip cards, then a software upgrade may be the onlyupgrade required.NEW AUTHENTICATION PROCESSThe authentication mechanism is based on strong cryptography with associated key-management processes based on PCI-DSS requirements. The great advantage of theEMV authentication process is that it is based on dynamic data exchange to avoid any potentialhack. Authentication mechanisms, such as Dynamic Data Authentication (DDA) and CombinedData Authentication (CDA), are in that case used for card-present authentication.But when paying on the internet, for example, the card is not present to compute such data,and there is a need to use a proprietary solution such as 3-D Secure developed by Visa andMasterCard. This new step in the payment process adds a new security layer. Instead ofproviding the bank card’s physical information only (card number, expiration date, CVV, etc.) apersonal question is asked (e.g. birth date) or, even better, a one-time password is sent by SMSto the cardholder. Frost.com 15
  • Frost & Sullivan CONFIGURATION OF THE TERMINALS TO MEET THE REQUIREMENTS OF MERCHANTS AND OTHER STAKEHOLDERS Whenever the terminal is EMVCo-certified, there is a next important step to perform to be able to minimize the payment risk. For the terminal, it means setting up parameters to follow acquirer and merchant requirements. These parameters will, for example, indicate the floor limit check (for debit, credit, magstripe) or the velocity checking (maximum number of offline transactions). The parameters will drive the content of the TVR (Terminal Verification Results). In the end, and based on these parameters, the terminal will make the decision to decline the transaction or to request an online approval. TERMINAL TESTING PRIOR TO MARKET LAUNCH ATM and POS terminals play an important role in the payment ecosystem. These devices are the only devices in direct contact with the end-users. Each payment terminal follows particular specifications.All terminals need to be EMV-certified.This is true not only for the terminal itself but also for the embedded software known as the kernel. As previously mentioned, there are some brand specificities such as MasterCard PayPass Terminal Integration Process (M-TIP) that should be followed. This is why the terminal integration testing phase is essential for the acquirers. Indeed, this phase is crucial because it is during this process that the required tests will be performed to validate the terminal integration. With an increasing number of contactless terminals coming to market, there is a specific need for testing prior to launching the product. This is an important stage for the development of a specific POS terminal, as only certified products will be deployed globally. And it is important to keep in mind that terminal testing is a long process and the timing should be adjusted to fit targeted deadlines. However, acquirers could also choose an already certified product to fully comply with specific brand requirements. 16 Frost.com
  • Managing the Migration to EMV and NFC Payment TechnologyWHAT A MERCHANT NEEDS TO TAKE INTO ACCOUNTThe merchant should be prepared to support all payment solutions. This means that themerchant should have contact and contactless readers. Readers, network, protocols andsystems should be certified compliant with international electronic payment rules. Source: Frost & Sullivan analysisIMPACT ON SMALL TO MEDIUM SIZED MERCHANTSTo reduce the time to market and to optimize the merchant’s commercial offering, it isnecessary to have a complete certified solution.Visa announced in 2011 that the U.S. will haveto support NFC and EMV at the same time. Merchants will have to upgrade basic magstripeterminals to EMV-compliant contactless terminals. Those contactless-enabled terminals acceptonly cards with a magstripe-based technology called MSD (Magnetic Stripe Data), which is notEMV compliant.Migration for a small to medium sized merchant, therefore, means that they will need to buy(or rent) a certified payment terminal to accept all international payment formfactors, to avoid losing clients and to optimize the payment risk. The choice of the rentalmodel is an opportunity for the merchant to receive associated services such as maintenanceto be sure to have the latest version of the operating system for the terminal and that supportsthe latest versions of the payment application.IMPACT ON LARGE ORGANIZATIONSWhereas small– to medium-sized merchants need to upgrade their payment terminal, largemerchants must upgrade their payment network and software platform. In this case,merchants should be able to accept all payment solutions to avoid any loss. This strategy couldbe driven by using the payment solutions that large firms have already deployed in other regions.Walmart, for example, has already migrated to EMV in its European stores. It is pushing todeploy the same program within the U.S. retail market so it will be able to accept EMV cardsfrom international visitors. In 2011, Walmart announced that it had purchased EMV-enabledterminals for all 4,000 U.S. stores. Frost.com 17
  • Frost & Sullivan MARKETs INTEGRATION STRATEGY As highlighted previously, a migration for EMV and NFC is a long and complex story. For all involved stakeholders, it is crucial to be assisted during the selection of a product, during the certification of their solution and, finally, during the risk management definition and testing. A partnership approach will allow the migration to become a smooth process instead of a complex problem. With the support of a testing and market integration consultancy, it is possible to provide lessons learned from past projects, facilitating faster and easier decision-making thus reducing time to market. As such, changes will be implemented with assistance and issues will be quickly managed. The decision process channel and timing will then be optimized and more flexible; in other words, the investments and the total cost will be rationalized. LOCAL KNOWLEDGE AND LOCAL PRESENCE EMV and NFC technologies are following international standards. But there are also regional specifications to be adhered to. This paper has already referred to the Saudi Payment Network (SPAN), another example is the Electronic Protocols Application Software (EPAS) network that has been conducted to reach the European Payments Council (EPC) objectives. A global partner with local visibility and market awareness is ideally positioned to offer guidance and advice to ensure that an implementation adheres to the full scope of national, regional and international industry standards. By assisting in the development, testing and certification activity, this level of support will see a product brought to market as effectively as possible. KNOWLEDGE OF EMV, NFC AND DEDICATED BRAND SPECIFICITIES Knowledge of EMV payment mechanisms independent of any brand is crucial. Functional understanding is important when handling payment mechanisms coming from content chip and PIN cards as in addition to those coming from emerging payment solutions using Visa or MasterCard contactless applications. Other brands are available on the market, such as American Express, Discover or JCB. Through the partnership, the implementation company should have a complete knowledge of the EMV standards, plus some technical particularities linked to the targeted brands. The company involved in an EMV or NFC migration should have a historical partnership with global associations such as EMVCo, the PCI Security Standards Council and EPC for SEPA. It is also necessary to have the capability to deal with MULTOS cards or GlobalPlatform cards and the ability to use different applications such as Visa VSDC, qVSDC, and MasterCard M-Chip. This is why a partner that already has a long history within the migration space is key to succeed. This historical background will bring best practices and dedicated knowledge for a smooth migration. 18 Frost.com
  • Managing the Migration to EMV and NFC Payment TechnologyENGAGED ACROSS SECTORSThe payment industry is in constant evolution. Payment schemes, security mechanisms and newdevices appear every year. In order to reach the quality level required for the migration, theaccredited company selected for a migration should be recognized as a key participant withinworking groups currently addressing future technologies and commercial issues.For the payment industry, in addition to EMVCo activity, it is also important to mention that,from a pure technology point of view and for emerging payments such as NFC, working groupssuch as ETSI, GSMA and the NFC Forum are crucial.As these standards are evolving, the technologies involved and the associated operating systemsand security rules are affected.This is why working groups with non-profit associations such asGlobalPlatform are relevant; they will allow the migration to be ready for the future paymentsteps evolutions.THIRD-PARTY ACCREDITEDMigration includes several required certifications. These certifications could be based onthe selected payment mechanism (EMVCo-certified for example), or the selected terminal(NFC, EMVCo, PCI-certified for example) or even based on a brand (Visa, MasterCard,Discover, GlobalPlatform, etc.).Using an implementation company that is accredited with most of the international standardsduring migration mitigates the risk of the deployment and reduces costs; all while maintaininga single point of contact. A direct contact will optimize the communication process and willbring transparency and credibility to the workflow. Frost.com 19
  • Frost & Sullivan THE LAST WORD ENSURE YOU HAVE AN EMV AND NFC STRATEGY The EMV announcement and the arrival of NFC in the U.S. is the perfect time to prepare a combined strategy. A single investment for a migration, including two technologies, is an opportunistic approach to reduce the total cost of the project. KNOW WHAT STANDARDS MUST BE ACHIEVED Alternative payment means generated many devices, solutions and products. This is crucial to select an offer that will successfully integrate into legacy systems. The solutions should be able to evaluate in the time it takes to accommodate functional, security and regulatory updates. PLAN FOR TESTING AND CERTIFICATION TIME Wherever you are within the payment chain (issuer, acquirer or merchant), it is necessary to take into account the time it will take between the choice of the payment solution and the product certification. Testing and certification plans should be carefully scheduled over the next two years. Timing is everything. CONTINUALLY LOOK TO THE FUTURE The payment world is evolving and emerging payment solutions are appearing more and more often.That said, it is important to have an approach based on technology scouting or to partner with a company that is aware of the regulation changes. 20 Frost.com
  • Silicon Valley San Antonio London 331 E. Evelyn Ave. Suite 100 7550 West Interstate 10, Suite 400, 4, Grosvenor Gardens, Mountain View, CA 94041 San Antonio, Texas 78229-5616 London SWIW ODH,UK Tel 650.475.4500 Tel 210.348.1000 Tel 44(0)20 7730 3438 Fax 650.475.1570 Fax 210.348.1003 Fax 44(0)20 7730 3343 877.GoFrost • myfrost@frost.com http://www.frost.comAbout Frost & SullivanFrost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionaryinnovation that addresses the global challenges and related growth opportunities that will make or break today’smarket participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emergingbusinesses, the public sector and the investment community. Is your organization prepared for the next profoundwave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthroughbest practices, changing customer dynamics and emerging economies? Contact Us: Start the DiscussionFor information regarding permission, write:Frost & Sullivan331 E. Evelyn Ave. Suite 100Mountain View, CA 94041Auckland Dubai Mumbai SingaporeBahrain Frankfurt Moscow Sophia AntipolisBangkok Hong Kong Oxford SydneyBeijing Istanbul Paris TaipeiBengaluru Jakarta Pune Tel AvivBogotá Kolkata Rockville Centre TokyoBuenos Aires Kuala Lumpur San Antonio TorontoCape Town London São Paulo WarsawChennai Manhattan Seoul Washington, DCColombo Mexico City ShanghaiDelhi / NCR Miami ShenzhenDhaka Milan Silicon Valley