EMV and Restaurants: What You Need to Know
April 29, 2015


@WeRRestaurants
/RestaurantDotOrg
/NationalRestaurantAssociation
Restaurant.org
Panelists
Mike English – Heartland Payments
Executive Director of Product Development
Jan McGrath – MasterCard
Vice President, Go to Market Strategy, USPD
Jim Higgins – National Restaurant Association
Vice President, Payments & Financial Services

Agenda: Payment Security
• EMV overview & timelines
• Demystifying the liability shift
• Considerations to act soon vs. later
• Payment security beyond EMV
• Tokenization & encryption
• Questions

What EMV is…
• Micro chips on cards and chip readers at merchant POS
• US adoption of a world standard
• Anti-counterfeit chip technology
• An enabling technology for additional security

EMV Card and Security
Validating the Card & Cardholder
• Optional PIN adds extra validation of the cardholder. Chip and Signature is allowed but is less secure
Card Authentication
• EMV uses cryptograms to verify the card is authentic
• And verifies the issuer is authentic to the card
Validating Card Use
• Transaction Certificate (TC) proves that the card was present and was used for payment
©2014 Heartland Payment Systems, Inc.

What EMV is not…
• Is not mandated or required
• Does not protect against all chargebacks
• Does not secure cardholder data
• Does not equate to PCI compliance
• Does not reduce interchange

U.S. EMV Timelines for Restaurants
• Oct-2012: PCI validation relief [1]
• Apr-2013: Processor support for chip processing
• Oct-2013: MC ADC relief takes effect (50%)
• Oct-2015: Liability shift
• Oct-2015: MC ADC relief (100%)
• Oct-2016: Visa GCAR relief
AFD: Automated Fuel Dispenser
Visa GCAR: Global Compromised Account Recovery
MasterCard ADC: Account Data Compromise
[1] Applies to Level 1 & Level 2 merchants where 75% of transactions come from a dual interface, chip-enabled terminal

Chip Liability Hierarchy
Issued Device/Card (listed from higher risk to lower risk)
• Magnetic stripe and/or contactless magnetic stripe
• EMV contact or EMV contactless (signature CVM)
• EMV contact or EMV contactless (online or offline PIN CVM)
Acceptance Terminal (listed from higher risk to lower risk)
• Magnetic stripe and/or contactless magnetic stripe
• EMV contact or EMV contactless (not PIN capable)
• EMV contact or EMV contactless (online or offline PIN capable)

Market Projections (Cards and Terminals)
Payment Security Taskforce
• 50% of U.S. issued cards will be chip enabled by end 2015
• At least 47% of U.S. terminals will be chip enabled by end 2015
Aite
• 2015 70%
• 2016 91%
• 2017 98%
Javelin
• 2015 29%
• 2016 58%
• 2017 83%
• 2015 = 3.59mm / EMV 53%
• 2016 = 4.76mm / EMV 71%
• 2017 = 5.64mm / EMV 84%

EXECUTIVE SUMMARY – U.S. MARKET CHIP TRENDS, March 2015
ISSUANCE
• 9% of all U.S. MasterCard cards are chip cards
• 10% growth in MasterCard chip-enabled cards in-market MOM
  – Debit chip card issuance continues to grow rapidly
  – Consumer credit card issuance showed moderate growth
• 50% of all MasterCard issuer programs are deploying Signature preferring profiles
  – 60% of consumer credit programs to date are deploying signature preferring profiles
  – 7% of programs have certified on both profiles (Signature and PIN)
ACCEPTANCE
• 13% growth in chip-active locations MOM
• 12% of U.S. ATMs are chip active
• 16% growth in chip-active POS transactions MOM
• 208,715 chip-active locations in the U.S.
  – Activity distributed across large, mid-tier and single location merchants
  – 474 merchants with multiple locations
  – 143,935 single-location merchants
PERFORMANCE
• 98% approval rates for all domestic U.S. chip transactions
  – In line with current magnetic stripe approval rates
  – PIN declines are minimal; <1% of overall transaction volume
• 9% fallback
  – Fallback returning to more acceptable levels after a large retailer coded chip transactions as mag stripe fallback transactions during the holidays. They are now working to revert to standards
• Enabled – Fully capable of chip transactions; will do chip transaction if interfaces with a chip-enabled terminal
• Active – Chip transactions seen in that period

EMV adoption Now or Later?
• Current and anticipated chargeback costs
• Sensitivity to card security
• Competitors and EMV
• Locations and demographics best suited for EMV
• Impact on PCI
• Future technology considerations

MASTERCARD CHIP RESEARCH
WHAT CONSUMERS ARE SAYING

US CONSUMERS WANT EMV
• Already aware of EMV in the US: 2015 69%, 2014 60%, 2013 50%
• Would change banks if chip not offered: 2015 33%, 2014 15%, 2013 9%
• Prefer PIN to purchase at the POS: 2015 49%, 2014 45%, 2013 37%
©2014 MasterCard. Proprietary and Confidential

EMV USE
Measures: believe chip cards are easy to use; more innovative ways to pay for products and services; want a chip card immediately; prefer to shop at merchant that accepts chip cards
2015: 62%, 61%, 39%, 40%
2014: 47%, 42%, 40%, 35%, 32%
Legend: Debit, Credit

WHERE CONSUMERS EXPECT TO SHOP
• Supermarkets/Grocery Stores: 80%
• Department Stores: 78%
• Gas Stations: 77%
• Food and Beverage: 74%
• Drug Stores: 76%
• Unmanned Ticket Terminals: 48%
The large majority of card users continue to expect all types of stores to accept chip cards
Source: MasterCard US EMV Consumer Research 2015

Completing a Chip Transaction
Usability studies inform both Issuer & Merchants
FIRST USE
• 6% of participants inserted the card incorrectly over all transaction types
• 27% removed the card too soon on first use
• A further 8% did it again on their second try
• Note debit users more likely to pull the card out sooner because of the ATM process – 30% more likely than credit transactions
CONSUMER PREFERENCE
• 62% of participants preferred chip & PIN
• 38% preferred chip & signature
• Previous study (27% and 10% respectively)
• Credit users expect they will select or update the PIN on their credit card during the card activation process
EASE OF USE
• Chip & signature rated lower than chip & PIN for ease of use
• After a first failed attempt consumers get it right most of the time on the second attempt and beyond
• Assistance from terminal prompts and store cashiers will help increase success of first use
Source: MasterCard Usability Study August 2014

EMV Process Adjustments
• Staff training
• Customer verification methods
  • Tap, insert or nothing?
• What is intuitive?
  • Is speed of service a need?
  • Patron comfort factor
  • Forgotten cards?
• Additional time per transaction?
• Are there other technology considerations?
  • Serving a demographic that is looking to mobile payments?

EMV limitations to Security
• Implementing EMV still leaves a customer’s primary account number (PAN) and discretionary data exposed
• If crimeware gets into the restaurant’s POS system or network, the cardholder data could be stolen and used fraudulently
• Every EMV card being issued in the US includes a magstripe
1 Visa International Operating Regulations (Public version), 15 April 2013, page 421, reference ID#: 150413-010410-0004832

Encryption and Tokenization Add Security
• Encryption protects data ‘in flight’
• Tokenization protects data ‘at rest’
• Tokenization and encryption offer the most secure solution available today for most merchants
• PCI audit benefits: fewer compliance questions to answer

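To check the points above (EMV alone leaves the PAN readable inside the POS environment, while tokenization removes it), a merchant can scan POS logs for card numbers that are still in the clear. The following Python scan is an added example, not part of the original presentation; the log format, the token field name and the sample lines are constructed for illustration.

```python
import re

# Candidate PANs: 13-19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, service code, discretionary data, ?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to discard order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep the first six and last four digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(lines):
    """Return (line_no, kind, masked_pan) for every cleartext card number found."""
    findings = []
    for no, line in enumerate(lines, 1):
        track_pans = set()
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                track_pans.add(m.group(1))
                findings.append((no, "track2", mask(m.group(1))))
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if pan not in track_pans and luhn_ok(pan):
                findings.append((no, "pan", mask(pan)))
    return findings

# Constructed sample lines; 4111111111111111 is a widely used test card number.
SAMPLE_LOG = [
    "12:01:07 POS03 swipe ;4111111111111111=25121010000012345678? amt=42.10",
    "12:01:09 POS03 chip read pan=4111 1111 1111 1111 aid=A0000000041010",
    "12:01:15 POS04 auth ok token=tok_9f2c7e41a6b0 last4=1111 amt=18.75",
    "12:01:20 POS04 order=1234567890123456 table=12",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Lines 1 and 2 of the sample are reported (magstripe track data and a PAN from a chip read), while the tokenized line and the order number are not; a tokenized, encrypted environment should produce no findings.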
EMV, Encryption and Tokenization

Why are encryption and tokenization needed for full payment security?
• In the first 9 months of 2014, 904 million records were compromised in 1,922 confirmed incidents in businesses in the United States.
• Many of the incidents reported in 2014 involved record-setting amounts of data, including 20 incidents that compromised more than 1 million records each.
• 9,700 companies found that they’d detected nearly 43 million security incidents in 2014, a compound annual growth rate of 66% since 2009
Sources:
Managing cyber risks in an interconnected world, PwC, 2015
Steve Ragan, “Nearly a billion records were compromised in 2014,” Network World. http://www.networkworld.com/article/2848479/security0/nearly-a-billion-records-were-compromised-in-2014.html
Verizon 2014 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/2014/

It’s About Mitigating Risk!
• EMV plus encryption and tokenization remove the ability of thieves to sell stolen payment data
• Encryption and tokenization remove card data from the businesses’ environment
• Encryption and tokenization are a definitive response to “all organizations should assume they’ve been hacked”
• Encryption and tokenization reduce a merchant’s PCI scope as per a Coalfire study
Sources:
Cisco 2014 Annual Security Report, https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
Heartland Payment Systems E3™ MSR Wedge Technical Assessment White Paper, Coalfire, January 4, 2011

QUESTIONS?
Mike English
Executive Director of Product Development
(877) 798-9656 x 2756
Janette McGrath
VP – Go To Market Strategy USPD
(636) 722-4554
Jim Higgins
VP – Payments & Financial Services
National Restaurant Association