EMVFrequently Asked Questions (April 2013)

©NCR Corporation 2012

What is EMV®?

EMV is a set of specifications defined by Europay International, MasterCard Worldwide, and Visa to define interoperability standards for smart card transactions. The EMV specifications were first published in 1996.

What is EMVCo?

EMVCo stands for Europay MasterCard and VISA. Europay was a European payment system, and it was bought by MasterCard in year 2002. Europay, MasterCard, and VISA were the first three payment systems to reach an agreement on a common set of specifications for chip functionality used to replace magnetic stripes. EMVCo now owns, maintains and enhances the specifications and also takes care of the approval process. American Express and JCB have also recently joined EMVCo. As of today EMVCo is owned by MasterCard, VISA, American Express and JCB (Japan Credit Bureau). More information on EMVCo can be found on the EMVCo website: www.emvco.com.

Why EMV?

EMV is designed to significantly improve security for consumer card payments by providing enabling features for reducing losses that result from counterfeit and lost and stolen cards. EMV also offers a worldwide technology standard for chip-based financial transactions and services.

Globally, 36% of total cards and 65% of total terminals deployed are based on the EMV standard. France was the first to pilot and implement EMV, and they have seen more than an 80% reduction in fraud since the first launch.

Technical and certification details can be found on the EMVCo website (www.emvco.com). Additional reference material can also be found on the Smart Card Alliance website (www.emv-connection.com).

Why is EMV a global standard?

Fraud always migrates to the weakest link. Countries that do not have the EMV standards implemented are now experiencing significant amounts of use of fraudulent cards and monetary losses.

©NCR Corporation 2012

Is there a liability shift for the United States?

Yes, there are a series of milestone dates where liability will shift.

MASTERCARD ATM CONVERSION

ATM fraud liability shifted to the ATM operators for Maestro (MasterCard’s debit network) and for internationally issued cards only began in the United States on April 19, 2013.

ATM fraud liability shifts for all transactions on October 1, 2016. When this milestone occurs, ATMs will be expected to possess the capability to process all EMV-compliant ATM transactions. If the ATM does not have the EMV compliance capability, the ATM transaction cannot be EMV compliant. Therefore, the ATM operator will be liable for all fraudulent transactions.

VISA ATM CONVERSION

Visa will require that all U.S. acquirer processors and sub-processors be able to support EMV transactions by April 1, 2015, and fraud liability shift for all VISA card transactions will occur on October 1, 2017.

©NCR Corporation 2012

Are the ATM EMV dates different than POS dates for liability shift?Yes, the card issuers have set different milestone dates for POS systems:

Relief from requirements to report PCI compliance testing results for early conversion – October 1, 2012

Merchant acquirer capability requirements – April 1, 2013 Merchant fraud liability shift – October 15, 2015 (October 1, 2015 for Discover Card) Fraud liability for Gasoline Retailers – October 15, 2017

What does an ATM deployer have to consider?An EMV-compliant infrastructure has four separate components.

First, new cards will need to be issued with a new microprocessor chip technology. This migration of the card base from magnetic stripe to chip (and the eventual elimination of the magnetic stripe) is the responsibility of the card issuers (e.g., financial institutions).

Second, consumer POS and ATM card reader hardware must be EMV capable or “smart card” ready. Since 2011, NCR has been shipping all SelfServ™ ATMs with smart card readers as standard.

Third, a software EMV kernel will have to be implemented into the ATM’s APTRA™ application provided by NCR.

Last, but most important, the acquiring network (generally the “ATM switch” closest or controlling the ATM) must configure and test end-to-end.

This would include the total hardware and software solution, from card acceptance at the ATM, through their acquiring switch, to the authorization of all on-us and off-us transactions – and back again. The network will control the EMV implementation timeline.

©NCR Corporation 2012

What are the components that need to be certified?The EMV Card Readers need to be EMVCo approved, and this approval is called Level 1 Approval.

A Level 1 Approval is granted for four years and can be renewed before the expiration date. Even if the approval for a Level 1 reader has expired, it can still be used in the acquirer’s deployed base of terminals; today, there is no requirement to upgrade expired devices in the field. However, if an acquirer is submitting a device for brand approval, the terminal being used and the devices present will need to have a valid EMVCo Approval.

Level 2 Approval for software is the same as above; however, Approval is granted for three years instead of four. It can still be used in the field after the expiration date; today, there is no mandate to upgrade expired and brand-certified software once it has been deployed in the field.

The Level 2 Software Kernel needs to be valid at the moment of the brand certification process.

The recommendation is to verify that before the brand certification process is started that the Level 1 hardware being used and the Level 2 Kernel present in the self-service applications are valid.

How can NCR’s hardware, software and services help you ease the burden of achieving EMV compliance ahead of the deadlines?

1. Hardware - NCR’s availability of EMV Level 1 certified card readers For Dip Card Reader upgrades, NCR has kits available for select Personas ATMs

(namely EasyPoint 62, Personas 77, 75, 86, 87 & 90).  All NCR SelfServ Dip Card Readers are and have always been Smart-capable, i.e. EMV Level 1 Compliant.

o When implementing Dip Card readers, it is important to take note that there will need to be customer training on how to use an EMV-compliant Dip Card at an ATM performing EMV transactions. The card now must be in contact with the reader throughout an entire EMV transaction. This will change the customer experience.

For motorized card upgrades, NCR has kits available across SelfServ and Personas ATMs.

NCR’s Contactless hardware module is and always has been EMV Level 1 compliant. No hardware upgrade required.  (n.b I’ve removed the ref to F720 as this is more of a legacy feature and F671+F672 are the advocated features – but since we aren’t referencing PIDs elsewhere I would just remove the PID reference here altogether)

NCR recommends a review of all card readers in your NCR ATM fleet to ensure compliance. Please provide your account manager with the serial numbers of your deployed NCR ATMs, and NCR will run a report to verify which ATMs, if any, need to be upgraded to EMV hardware.

What is the minimum processor and memory required for EMV and Windows® 7?

©NCR Corporation 2012

EMV’s minimum processor and memory requirements are minimal and combined into the application and platform requirements. For XP-based solutions, this is Pentium III or better, with 512MB RAM or better.

For Windows 7-based solutions, the minimum is “generally” Intel® Core™2 Duo processor or better, with 2GB RAM or better.

2. Software – NCR has Level 2 certified EMV Kernels for all APTRA application environments

All NCR’s EMV Kernels are certified and maintained per EMVCo rules. Certificates are available upon request and also available on the EMVCo website. (http://www.emvco.com/approvals.aspx)

All ATMs will require some change in software; NCR will work with the acquiring switches in establishing APTRA application release support for EMV Kernel integration, supportability and lifecycle management.

NCR will not provide EMV support for discontinued operating systems (OS/2 and RMX). NCR recommends the consideration of Windows 7 to maximize long-term support.

APTRA Edge 4.0 is currently being certified by several networks. APTRA Edge 5.0 will be delivered for certification in Q42013.

Can a PIN be changed at any EMV device? Or is this capability limited to a bank’s ATM or equipment?

Yes, it can be changed. It is done through an EMV mechanism called Issuer Scripts. Part of a normal EMV protocol messaging format, they will be received by the terminal on the authorization response message and will be sent to the card to update it.

3. Networks – NCR has production EMV certified application solutions ready to test with your network today:

NCR hosted a Network Summit with all of the networks in September 2011 where NCR presented on our EMV presence globally.

You will need to discuss with your network when they plan to have the host ready for testing.

NCR’s EMV program plan is to meet and work with each network, establishing minimum releases, support and lifecycle plans designed to minimize the certification effort.

©NCR Corporation 2012

What are the cost expectations associated with EMV?

Hardware:

Possible hardware upgrades: New ATM, upgraded card reader, upgraded core

(Replacement [pre-IMCRW] card reader price + installation) x units

+ (Upgraded card reader price + installation) x units

+ (ATM replacement of unsupported models + installation) x units

+ (implementation/project management)

Software:

Application software maintenance + EMV Kernel x # of units + integration/testing + EMV Kernel maintenance

(Edge 3.01.50 or higher)

(New EMV Kernel license) x ALL ATM units

+ (APTRA application upgrade licenses for ATMs NOT on SM&S) x units

+ (APTRA application upgrade licenses for ATMs contracted under SM&S) x units

+ (integration/testing)

+ (installation) x ALL ATM units

Operating System:Since software changes are required, NCR strongly urges our customers to use this opportunity to upgrade to Windows 7®.

XP minimum Windows 7 + testing + implementation/product management

Core Upgrades

APTRA XFS (6.1 or higher)

OS license details

How to plan ahead and meet the deadlines?

Hardware

©NCR Corporation 2012

Order all new ATMs with EMV Level 1 compliant hardware with Windows 7 capable PC cores. Start any upgrades as early as possible to avoid potential delay in meeting the EMV deadline.

©NCR Corporation 2012

Software

NCR recommends that all ATM APTRA software be contracted under Software Maintenance & Subscription, in order to achieve the lowest cost NCR software migration to EMV.

NCR recommends that a strategic software distribution be considered and implemented for your ATM network to drive long-term operational savings (lowering cost of ownership) and potentially EMV software installation savings (depending upon final software solution).

Networks

Work closely with your networks to understand their timelines.

Do the EMV standards apply to traditional ATM cards or only to branded (e.g., MasterCard and Visa) debit cards?

Operators will need to plan that by the end of migration timeline, all cards used by ATMs and by POS will need to transition to the chip and pin format.

So are we going to go back to having to manage captured cards if the card is held during the transaction?

There is a change to the customer experience during an EMV transaction. As part of the migration, there will need to be customer communication and staff training to address this change. The customer will need to understand that the card will now be held, and that they must not forget to remove the card at the end of the transaction.

There is still no possibility for the card to be jammed or captured by the Dip reader and that to minimise the risk of cards being left in the reader then we recommend that the card should be taken before cash is presented,

What will the consumer experience be like at other POS terminals?

The changes to the customer experiences are minimal. The EMV applications default to the applications on the card; the amount is presented; an optional amount confirmation may be presented; the PIN is requested and then authorized; and the card is removed.

POS implementations largely differ on the speed of the transaction (some are slower; others, like Wal-Mart or McDonalds, are very fast). The security benefit is an easy sell in POS implementations. There is a need to ensure proper staff training on the new applications. Customer acceptance will also be improved based on communication, signage and staff guidance.

©NCR Corporation 2012

Will the contacts in the EMV readers need to be cleaned regularly?

As card reader usage varies depending on transaction volumes and installed environment, there’s no set interval. NCR recommends that heads and rollers are cleaned at every service call.

How does EMV implementation affect an ATM setup with Solidcore?

There is no direct interaction between EMV and Solidcore. If EMV is installed on an existing ATM already locked down by Solidcore, then the appropriate standard steps must be taken to install EMV and update Solidcore.

©NCR Corporation 2012