EMV Credit Card Security Implementation
Presented By:
Mike Hughes, North American Strategic Partnerships, Moneris Solutions
• U.S. EMV Migration Update
• Lessons learned from the Canadian EMV Migration
• EMV Upgrades: Roles and Responsibilities
• Value of End-2-End Encryption
• Key Functionalities for Parking
• EMV Use Cases
• CAN V/MC Domestic Liability Shift: Mar 31st, 2011
• CAN AFD Liability Shift: Mar 31st, 2012
• CAN Visa Intl. Liability Shift: Oct 31st, 2010
EMVCo sets the “Standards”, but it is the Brands who determine what, and how, these standards are “Implemented”.
Layers | Management Functions | Certification Entity
Level 1 - Physical | Protocols between the chip card and the PED | EMVCo
Level 2 - Software (Kernel) | EMV application selection, EMV command set, and the EMV transaction steps | EMVCo
PED Payment Application | EMV command/response mgmt., encryption, communication protocols | Acquirer on behalf of brands
Visa Quick Chip enables deploying an online only configuration (zero floor limit)
Source: Visa September 2016 EMV Newsletter, Visa Quick Chip Implementation Steps
Reducing PCI Scope
• End-to-End Encryption solutions manage all aspects of the transaction requiring clear-text account data (BIN lookup, PIN block, etc.), and…
• End-to-End Encryption prevents the release of clear-text account data into the merchant’s environment, thus…
• The “edge” of the Payment Entry Device (PED) becomes the boundary of the merchant’s Cardholder Data Environment (CDE), completely removing the POS from PCI PA-DSS compliance scope
Effective 1 October 2012, Visa’s Technology Innovation Program (TIP) rewards U.S. merchants
that have invested in EMV technology by eliminating the PCI DSS validation requirement for any
year in which at least 75 percent of the eligible merchant’s Visa transactions originate from dual
interface EMV chip-enabled terminals.
Source: Visa Data Security Program Keeping Cardholder Data Safe
• EMV Credit
• PIN Debit / Interac
• E2E Encryption
• Hashing (Card-in/Card-Out)
• Whitelisting of 3rd Party Cards (unencrypted non-bankcard)
• Use of Pin Pad for Non-Payment Data Entry
• Store and Forward
• Tokenization / Recurring
• Remote Download
• Contactless Credit / Debit
• Progress Tokens / Key Echoing
• Card Reader Only Configuration (No Pin Pad)
• 20 VenTek International Pay Stations
• Solar Battery Powered
• Cellular Modem 3G or 4G Connection
[Diagram: VenTek Paystation Internal Network. Labels: Moneris UX300; Secure Card Reader; TAP Reader; PIN Pad; VenTek Auxiliary Control Unit (acting as Router); VenTek C1100 Paystation Controller; Cellular Modem (3G or 4G), may also be Wi-Fi or Ethernet; Paystation Cabinet; VenTek Data Center and Moneris]
https://youtu.be/BMAm7zCTij0
WMATA NEPP Pilot
• 10 fare gates
• 50 buses
• 2 parking lanes
• 2,000+ customers
ICS Car Wash
• 5,000+ U.S. Kiosks
• EMV Certified in CAN and US
• ISO and Proprietary Gift
• Tokenization / Recurring
• Direct Vs. Pre-Certified Solution
• Functionality and Future Proofing
• Physical and Environmental Impacts
• Cost, Timeline, and PCI Security