Smart Card Talk February 2013
a Smart Card Alliance ePublication
Dear Members and Friends of the Alliance, This year has already kicked off with a busy agenda of activities. Coming off a very successful 2013 Payments Conference, we are now hard at work on the NFC Solutions Summit, as well as planning webinars and getting resources ready for publication. As details and logistics fill my mind, I also make sure to keep an eye on the larger picture, which is this. The Smart Card Alliance is recognized as the single industry voice for smart card technology, leading the discussion on the impact and value of smart cards in the U.S. and Latin America. The staff and I take this role very seriously, and it is my hope that we continue to provide valuable information to our members and friends. And while our events provide opportunities for us to interact with you in a somewhat informal setting at times, your feedback assures me that we continue to meet your needs. I’m looking forward to all that 2013 will bring, and invite you to be an active participant. As always, thank you for your support of the Alliance.
Volume 18 : Issue 2
In This Issue: Executive Director Letter, Latin America Letter, Member Profile, Feature Article, Council Reports
Randy Vanderhoof Executive Director, Smart Card Alliance Acting Director, EMV Migration Forum
Event Calendar
EMV Migration Forum: March 21-22, 2013, Renaissance Concourse Atlanta Airport
NFC Solutions Summit: May 15-16, 2013, San Francisco, CA
Feature Article: EMV Fundamentals for Payment Transaction Security
The U.S. payments industry is migrating to EMV chip card payments to reduce counterfeit card fraud, ensure global interoperability of payment cards, and lay the foundation for the next generation of card and mobile payments. This month’s article reviews EMV fundamentals for payment transaction security.
Member Profile: TSYS
This month, Smart Card Talk spoke with Sarah Hartman of TSYS, who is Senior Director of Payment Solutions for the global payments processor. Her responsibilities in the North America Consumer Credit and Debit Business include product and strategy and activities associated with the U.S. Migration to EMV.
executive director’s corner
Cool and Steady Sets the Pace
Dear Members and Friends of the Alliance,
Earlier this month the Smart Card Alliance held its 2013 Payments Summit in Salt Lake City. I vividly recall reporting to you last year at this time that we had a record number of attendees for the 2012 Summit, which was the first year we expanded the event and focused on an all payments format. Well, we broke last year’s record. This year we registered 620 people and 48 exhibitors and sponsors (up from 520 and 35 in 2012, respectively). We kicked off the week with a ski social and Super Bowl party on Sunday before moving into the luxurious and spacious Grand America Hotel for the first EMV Migration Forum in-person meeting of 2013. More than 220 people attended the Forum meeting, many of whom stayed to attend the Payments Summit later in the week.
The Summit was solid proof that the entire EMV payments, mobile payments, and transit payments ecosystems are moving forward. There were engaging and informative discussions about the U.S. move to chip-based EMV card payments in retail and transit, and the adoption of smart mobile payments. Both the one-day Forum session and the Payments Summit itself, each attended by a mix of payments brands, merchants, issuers, acquirers and payment processors, underscored the importance of education as the cornerstone to understanding, and then leading, a successful transition to EMV and NFC mobile payments.
Other exciting news came from Isis, currently operating its mobile wallet trials in Salt Lake City and Austin, TX. The Isis joint venture partners from AT&T, Verizon and T-Mobile were on hand to help Summit attendees with NFC-enabled smart phones swap out their carrier’s SIM cards with SIMs enabled for the Isis wallet; those attendees could then download the free mobile wallet app and begin using it on the UTA transit system and at participating merchants, with the $10 credit each person received. Right before the Summit, I installed the mobile wallet on my personal Android smart phone. I love the ease of use; my wife instantly became fascinated with the ability to redeem offers and loyalty rewards.
As we continue to digest and interpret all of the information that came out of the plenary sessions, panels and break-out discussions, we are also busy producing materials that serve as vital resources during this process. The EMV Migration Forum’s Communications and Education Working Committee just released its first official publication – “The Standardization of Terminology,” a document that defines a set of standard terminology for common chip, EMV, and EMV migration terms for use in educational and marketing communications relating to the U.S. migration. You can view The Standardization of Terminology on the EMV Connection website.
The Smart Card Alliance Payments Council also recently produced an interactive PowerPoint show on the EMV Ecosystem, a presentation that identifies every stakeholder involved in the EMV ecosystem, their roles, and their links to other participants. This is an easy-to-use educational tool to help with the understanding of how the payments ecosystem works, and can be viewed here.
The Smart Card Alliance plans to return to Salt Lake City next year, and during the ensuing months, we’ll continue to track the progress of EMV and mobile payments in retail and transportation. Last year around this time, right after the Payments Summit, I publicly stated that the time was approaching for the Smart Card Alliance organization to become the facilitator for an industry collaboration needed to bridge the divide among all of the industry stakeholders that could slow or stall implementing the massive changes that support the next generation payments infrastructure. One full year later, the EMV Migration Forum, an organization created by the Alliance in the summer of 2012, is flourishing, with 122 member companies, four active working committees, and a newly elected Steering Committee. The Smart Card Alliance too is enjoying a swell of membership, with 217 member companies. As we talk about convergence in EMV chip cards and mobile payments, it’s hard to not see the convergence between the Alliance and the Forum, two organizations under separate leadership, with common goals to educate and foster industry collaboration. If you are interested in learning more about the Forum, I encourage you to check out the activities and upcoming events. Just six weeks into the new year, we plan on maintaining our incredible momentum through upcoming webinars, Council meetings, and future conferences. We’ve already started work on the upcoming NFC Solutions Summit, which will be held in May in Burlingame, CA. Please check the calendar of events on our website to see what’s in store. I invite you to join us on the ride. I promise you won’t look back. As always, thank you for your support of the Alliance. Sincerely,
Randy Vanderhoof Executive Director, Smart Card Alliance rvanderhoof@smartcardalliance.org
latin america corner
EMV Tour – ConoSur 2013
Dear Members and Friends of the Smart Card Alliance Latin America & the Caribbean,
I hope that you have been able to enjoy the various celebrations this month. It is impossible not to feel amazed at the level of coordination necessary for the carnival shows with their grandiose floats, outfits, and dancing. The most famous of these parties is the Rio de Janeiro carnival at the “sambódromo,” where I was astonished at the messages that were conveyed through music, dance, and choreography. It provides us with a glimpse of what can be accomplished and what thoughts can be communicated when you have an organized group of people working for the same cause with a coordinated understanding of their role in the grand scheme of things.
While organizing our next conference, EMVTour – ConoSur 2013, a co-sponsored event with PaymentMedia that is focused on promoting EMV Migration in the region, I have come to realize that our individual strengths ensure our success and provide the ability to create an effective conference, which is the overall goal of our organization. The participation by the conference organizational committee, member organizations, and partners are all vital, as we are all focused and determined that the event is a success. The event will be held on March 20th, 2013 at the Hilton in Buenos Aires, Argentina.
Just like the carnival organizers that provide the stage for one of the greatest shows on earth, the Smart Card Alliance Latin America chapter (SCALA) provides a neutral setting where industry stakeholders can participate in one of the greatest “shows” of smart cards technology related to EMV. These stakeholders can receive impartial information, content, and presentations from a coordinated industry effort geared to expand the understanding of our technology, implementations, and best practices. Each participant is focused on a task in the value chain where the final product is a well implemented project that hopefully becomes another best-in-class solution to be leveraged for future SCALA events.
Our survey results have shown that by providing a neutral forum for an informed audience, a lot of business decisions and networking by key decision makers are conducted at our EMVTour conferences. Each of the participating members and event sponsors reserve a space to display their products, solutions, and technologies to their potential clients. Instead of asking exhibitors about the technology, attendees begin to ask questions about their particular solutions. Similar to carnivals that provide a universal message of issues to be solved by humans, SCALA provides a message of collaboration and communication so that fraud can be eliminated and the chip platform can be shared, and provides a stage so that all parties can achieve success.
The carnivals this year ended right before St. Valentine’s Day, when people celebrated the love and friendship they share. We hope that SCALA’s events leave individuals with a renewed respect for their colleagues, new friends, a greater understanding of the technology, and, hopefully, a love for smart cards. I invite you all to participate in our EMVTour – ConoSur 2013 conference, and hope you have a great month.
Sincerely,
Edgar Betts Associate Director, Smart Card Alliance Latin America (SCALA) Direct Line: +507-225-9089, email: ebetts@smartcardalliance.org
member profile
This month Smart Card Talk spoke with Sarah Hartman of TSYS, who is Senior Director of Payment Solutions for the global payments processor, which provides services to more than half of the top 20 international banks. Her responsibilities in the North America Consumer Credit and Debit Business include product and strategy and activities associated with the U.S. Migration to EMV. TSYS, whose headquarters are located in Columbus, GA, has local offices spread across the Americas, EMEA and Asia-Pacific. Ms. Hartman has over 25 years of payments industry experience. Prior to joining TSYS, she held a number of leadership roles with a large consumer bank where her responsibilities included consumer payment products, deposit and lending products, ATMs and online banking and bill payment. Ms. Hartman has extensive product management, sales and marketing experience. She has a B.S. degree in Accounting from Miami University and an M.B.A from the University of Dayton.
1. Please describe your company.
At TSYS (NYSE: TSS), we believe payments should revolve around people — not the other way around. We call this belief “People-Centered Payments℠.” By putting people at the center of every decision we make, with unmatched customer service and industry insight, TSYS is able to support financial institutions, businesses and governments in more than 80 countries. Offering merchant payment-acceptance solutions as well as services in credit, debit, prepaid, mobile, chip, healthcare and more, we make it possible for those in the global marketplace to conduct safe and secure electronic transactions with trust and convenience.
2. What role does smart card technology play in your business?
Smart card technology has been a key part of TSYS’ payment offerings for more than a decade—primarily from an EMV standpoint. TSYS started issuing chip cards in the early 2000s, initially supporting the European region, moving on to the Canadian region, and now focusing efforts on the U.S. EMV migration. We currently support issuers who utilize smart card technology in more than ten countries. While most of the current applications are EMV payment related and are being used to lower risk and fraud losses — we are excited about the opportunity to support our clients’ future uses of smart card technology, including loyalty programs and programs which use the smart card technology to securely store and access information and locations.
3. What trends do you see developing in your market?
Two of the exciting areas we’re involved with in all the markets we do business are mobile technologies and overall innovation. We have seen explosive growth with both over the last several years and are committed to helping our clients grow their business. We recently hired a head of product innovation and continue to move forward on the execution of our connected mobility and partnership marketing initiatives. From a U.S. standpoint, in addition to the continued focus on mobile applications, many of our clients are concentrating their efforts on the migration to EMV. To date, our U.S. issuers who have launched a chip card program have done so on a limited basis primarily with their international travelers. They have found a need to do so to ensure global card acceptance. However, we have many issuers who have projects underway to issue chip cards to their overall cardholder base. Of course, many issuers want to know how many merchants now have chip-enabled terminals and many merchants are interested in knowing how many issuers have issued chip cards to their cardholders! There are a few issuers who have migrated to EMV that have begun pilot testing with secure element powered mobile payments.
4. What things must you overcome to leverage those trends?
One of the key challenges with new technologies and innovation is how best to prioritize efforts between “business as usual” activities, which are critically important, and future offerings. Our creation of a global product team and innovation group, combined with strengthening the process we use to prioritize projects, has helped us meet this challenge.
From a U.S. migration to EMV standpoint, TSYS is fortunate because we are a global processor. Therefore, much of the development needed was already complete from an issuer standpoint, and we have a number of chip experts working within the company. We are a strong supporter of the migration to EMV and enabling our clients to have a smooth transition. However, there are a number of current challenges, most notably those associated with the industry coming up with a U.S. EMV debit solution which is acceptable to all of the various constituents in the U.S. payments value chain. There is also a lot of work ahead by issuers, merchants and industry payment providers to upgrade terminals and processing systems, educate consumers and customer support staffs (at the point-of-sale and in back offices) and to put in place an infrastructure which supports the unique characteristics of the U.S. market.
Merchant adoption, especially with smaller merchants, may be difficult due to the cost associated with terminal upgrades and due to the fact that Integrated Software Vendors (VARs) may wait for merchant demand before developing and certifying EMV applications. This could produce a testing and certification bottleneck in 2015, so we are looking for ways to incent the VARs to develop and test early.
There are some thoughts that mobile payments may not necessarily be implemented with EMV. We currently see more mobile payment implementations that are cloud-based primarily because of the ease of deployment as compared to the EMV on mobile. Although cloud-based mobile and EMV applications have some appeal, the recent PCI guidance may influence more locally based applications.
5. What do you think are the key factors driving smart card technology in the government or commercial markets in the US?
We believe there are a number of factors driving the adoption of smart card technology in government and commercial markets:
• Global interoperability – The growth in international travel has increased the need to have payment offerings which work consistently across the globe
• Identity management – Smart card technology can fill the need which exists for a more secure way of verifying and authenticating an individual’s identity, and also their rights to enter physical or online locations
• Mass transit/travel convenience – Smart card technology can facilitate payment and access to government-owned and run mass transit
• Data – Chip technology can help with the identification and management of usage patterns and payment patterns
6. What type of measurable impact has the Smart Card Alliance and/or its Councils made in your company’s business?
We have been extremely pleased with our partnership and participation with the Smart Card Alliance, with whom we’ve been associated for a number of years. TSYS is a principal member of both the Smart Card Alliance and the recently formed U.S. EMV Migration Forum, and we have participants on many of the different Councils and working groups. We were one of the first principal members of the U.S. EMV Migration Forum and a member of both the interim management committee and the recently elected Steering Committee. A specific example of the value provided is what we’ve seen from our association with the U.S. EMV migration. To date, the group has helped tremendously by:
• Bringing members from all of the different industry groups together to discuss how best to move the U.S. EMV migration forward. The group is made up of: payment brands, debit networks, issuers, merchants, payment processors, acquirers, and other industry providers
• Promoting EMV awareness and creating educational vehicles
• Providing a venue for industry stakeholders to come together and discuss the issues
• Creating synergy as useful ideas are formed
• Tackling the challenges collectively through its working groups
Member point of contact:
Sarah Hartman Senior Director, Payment Solutions, TSYS SHartman@tsys.com 706.649.4360
feature article
EMV Fundamentals for Payment Transaction Security
EMV is an open-standard set of specifications for smart card payments and acceptance devices. EMVCo, owned by American Express, JCB, MasterCard, and Visa, manages, maintains and enhances the EMV specifications to ensure global interoperability of chip-based payment cards with acceptance devices, including point of sale terminals and ATMs. EMV’s primary purpose is to ensure that standards for smart card-based payments are interoperable globally. In addition to storing payment information in a secure chip rather than on a magnetic stripe, using EMV improves the security of a payment transaction by adding functionality in three key areas:
1. Card authentication, protecting against counterfeit cards and skimming (i.e., capturing card data to produce a copy of an authentic card)
2. Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards
3. Transaction authorization, using issuer-defined rules to authorize transactions
In addition, EMV transactions use cryptograms to digitally sign the actions performed and the conditions at the time of the transaction, providing transaction non-repudiation.
Card Authentication Methods
Card authentication protects the payment system against counterfeit cards, with methods defined in the EMV specifications and the associated payment brand chip specifications. Card authentication can take place online, offline, or both.
Online Card Authentication. Online card authentication requires the transaction to be sent online for the issuer to authenticate and authorize, in the same way magnetic stripe transactions are sent online today in the U.S. The important difference from current magnetic stripe transactions is the chip card’s use of symmetric key technology to generate an application cryptogram (AC). This cryptogram type, called the Authorization Request Cryptogram (ARQC), is validated by the issuer during the online authorization request. The ARQC is the dynamic data that makes an EMV transaction unique and provides card-present fraud protection against counterfeiting and skimming.
Offline Card Authentication. Offline card authentication involves the EMV card and EMV terminal without a connection to the issuer host. Three methods of offline card authentication are defined in the EMV specifications, offering increasing levels of protection against counterfeit cards:
• Static data authentication (SDA)
• Dynamic data authentication (DDA)
• Combined DDA with application cryptogram (AC) generation (CDA)
The principle of offline card authentication is to establish a chain of trust without the need for, or prior to the establishment of, an online connection. The acceptance device recognizes that the card was issued by a trusted member of a payment brand.
Static Data Authentication. Most cards issued worldwide support SDA. SDA is performed by the terminal using a pregenerated static digital signature stored on the card at the time of issuance. This signature guarantees the integrity and authenticity of critical static data stored on the card. SDA relies on a public key infrastructure (PKI) in which the payment brands act as the certificate authorities (CAs) and provide public key certificates to participating issuers. During the personalization process, the issuer uses the issuer’s private key to sign a set of card-specific data and loads the card’s certificate, the signed data and the issuer’s public key certificate onto the card. When the POS terminal is configured, the payment brand public keys (for those brands that are accepted) are loaded onto the terminal. At the beginning of the transaction, the terminal uses the payment brand’s root key to validate the issuer’s public key certificate. The terminal then extracts the issuer’s public key from the validated certificate. Using the extracted issuer public key, the terminal authenticates the static card data and the card certificate, validating that the card is authentic and issued by the correct issuer under the authority of the payment brand. This process is known as static data authentication because the data used for authentication is static—the same data is used at the start of every transaction. If this data can be skimmed, it may be used to recreate a fraudulent offline transaction below the terminal floor limit. SDA is the simplest method of chip card authentication and provides the lowest level of protection against skimming and counterfeit fraud for an offline transaction.
Dynamic Data Authentication. DDA is similar to SDA but goes one step further. When supporting DDA, the card calculates a dynamic signature for each transaction, as opposed to providing a pregenerated static signature (as in SDA). The DDA signature is unique to the specific card and to each transaction. In addition to the issuer asymmetric key pair, an asymmetric key pair is generated for each card. The issuer then creates an associated public key certificate by signing the card public key. All data is loaded onto the card during personalization. To authenticate a card, terminals follow the same process as for SDA, except that unique data is used and signed as part of the DDA signature by the card private key. The terminal then validates the signature using the card public key. DDA protects against SDA certificate cloning, card skimming and counterfeiting.
Combined DDA with Application Cryptogram. When supported by both the card and the terminal, CDA combines a request for dynamic signature calculation and application cryptogram in one command. This offers an extra layer of security and faster speed when performing offline transactions. Certain payment brands require CDA for offline contactless transactions. CDA is faster than DDA and protects against SDA certificate cloning, card skimming and counterfeiting.
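The SDA and DDA checks described above can be compared side by side in a small model. This is an added example, not code from the white paper or from EMVCo: it uses textbook RSA over a SHA-256 digest with constructed toy keys instead of the EMV certificate and signature formats, and the record fields, the Card class and the 8-byte terminal challenge are assumptions of the sketch.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Textbook RSA key pair from two primes: ((n, e), (n, d)). Needs Python 3.8+."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def key_bytes(pub):
    return f"{pub[0]:x}:{pub[1]:x}".encode()

# Constructed toy keys built from Mersenne primes; far too weak for real use.
BRAND_PUB, BRAND_PRIV = make_key(2**521 - 1, 2**607 - 1)    # payment brand CA
ISSUER_PUB, ISSUER_PRIV = make_key(2**107 - 1, 2**127 - 1)
CARD_PUB, CARD_PRIV = make_key(2**61 - 1, 2**89 - 1)        # per-card pair (DDA)
STATIC_DATA = b"PAN=0000000000000000;EXPIRY=1512"           # constructed sample

def personalize():
    """Data the issuer loads onto the card that any terminal can read back."""
    return {
        "static_data": STATIC_DATA,
        "issuer_pub": ISSUER_PUB,
        "issuer_cert": sign(BRAND_PRIV, key_bytes(ISSUER_PUB)),
        "static_sig": sign(ISSUER_PRIV, STATIC_DATA),                       # SDA
        "card_pub": CARD_PUB,
        "card_cert": sign(ISSUER_PRIV, key_bytes(CARD_PUB) + STATIC_DATA),  # DDA
    }

class Card:
    def __init__(self, record, priv=None, replay=None):
        self.record = record   # readable data
        self._priv = priv      # stays inside a genuine chip
        self._replay = replay  # a copy can only return a signature seen earlier

    def dynamic_signature(self, challenge):
        if self._priv is None:
            return self._replay
        return sign(self._priv, challenge)

def issuer_key(record):
    """First step of both methods: validate the issuer certificate with the brand key."""
    pub = record["issuer_pub"]
    return pub if verify(BRAND_PUB, key_bytes(pub), record["issuer_cert"]) else None

def terminal_sda(card):
    rec = card.record
    pub = issuer_key(rec)
    return pub is not None and verify(pub, rec["static_data"], rec["static_sig"])

def terminal_dda(card):
    rec = card.record
    pub = issuer_key(rec)
    if pub is None:
        return False
    if not verify(pub, key_bytes(rec["card_pub"]) + rec["static_data"], rec["card_cert"]):
        return False
    challenge = secrets.token_bytes(8)   # fresh for every transaction
    sig = card.dynamic_signature(challenge)
    return sig is not None and verify(rec["card_pub"], challenge, sig)

def compare():
    """(SDA result, DDA result) for a genuine card, a data-only copy, altered data."""
    genuine = Card(personalize(), CARD_PRIV)
    old_sig = genuine.dynamic_signature(b"earlier-challenge")
    copy = Card(dict(genuine.record), replay=old_sig)   # no private key
    changed = dict(genuine.record, static_data=b"PAN=1111111111111111;EXPIRY=1512")
    altered = Card(changed, CARD_PRIV)
    return {
        "genuine": (terminal_sda(genuine), terminal_dda(genuine)),
        "copy": (terminal_sda(copy), terminal_dda(copy)),
        "altered": (terminal_sda(altered), terminal_dda(altered)),
    }
```

The data-only copy still passes the static check because every value it presents is the issuer's own signed data; it fails the dynamic check because the signature it can replay was made over a different challenge.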
Cardholder Verification Methods
Cardholder verification authenticates the cardholder. Use of a personal identification number (PIN) is a common cardholder verification method (CVM) and protects against the use of a lost or stolen card. EMV supports four types of CVMs, allows the use of multiple CVMs, and defines the conditions under which they may be used. CVMs supported by EMV specifications are:
• Offline PIN
• Online PIN
• Signature verification
• No CVM
EMV defines a configuration data element called the CVM list. Depending on payment brand rules and/or guidelines and issuer preference, chip cards are personalized with one or more CVMs in order to be accepted in as wide a variety of locations as possible. The issuer’s choice of supported CVMs is listed in the CVM list in order of priority. Different terminal types support different CVMs. The terminal and the card use the first matching CVM type in the card’s CVM list. Each entry in the CVM list also contains the issuer’s choice to attempt (or not to attempt) the following entry if the first attempted CVM failed. For example, attended POS devices, in addition to supporting signature, may support online or offline PINs (or both).
Offline PIN. Offline PIN is the only method of cardholder verification supported by EMV that is not available with magnetic stripe cards. The offline PIN is stored securely on the card. When the cardholder enters a PIN during a transaction, the POS terminal sends the PIN to the EMV card for verification. The card compares the entered PIN to the stored PIN and sends the result of the comparison back to the POS terminal. It is important to note that while a card may support offline PIN, the card may not support offline transactions. Most EMV implementations globally employ offline card authentication and offline PIN verification yet still require online authorization of the transaction. The offline PIN is never sent to the issuer host—only the result of the comparison is passed. The issuer may configure the card not to decline the transaction if the offline PIN fails or has not been verified. Instead, the issuer may configure the card to use the next CVM entry and/or force the transaction online (if an offline transaction was requested), and subsequently make a decision at the host system level. Internationally, most if not all attended acceptance locations support offline PIN, signature and no CVM. Unattended acceptance locations (e.g., unattended gas stations, public transit stations) may be limited to supporting offline PIN and no CVM.
Online PIN. The online PIN is not stored on the card; instead the PIN is sent online to the issuer for validation. Online PIN is currently supported for magnetic stripe cards for online PIN debit transactions; online PIN is also used for cardholder verification for cash withdrawals using credit cards. The cardholder enters the PIN at the POS terminal; the PIN is encrypted by the PIN pad and sent online to the host for validation. The security of the online PIN is standardized globally and is based on Triple Data Encryption Standard (TDES). For an ATM, online PIN is always required and is the only valid CVM when implementing EMV. As a result, any implementation of offline PIN will still require online PIN, as is the case today, if ATM access is needed. If a card supports both online and offline PIN CVMs, the issuer must ensure that the two PINs are synchronized or consumer confusion will result. In general, online PIN or offline PIN CVMs may help protect against fraud resulting from lost, stolen, and never-received cards.
Signature. Signature verification requires a written signature at the POS, as is currently required with magnetic stripe cards. Validation occurs when the signature on the receipt is compared to and matches the signature on the back of the card. As is true today, signature verification also requires that the merchant retain an electronic or physical signed receipt and be in a position to produce this receipt in the event of a cardholder dispute.
No CVM. EMV also supports transactions that require “No CVM.” Some POS devices may only support “No CVM” if they are not equipped with a PIN pad or a signature panel. POS devices can also be configured to support “No CVM” for transactions below a specific value.
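The CVM list processing described in this section (priority order, first entry the terminal supports, and the issuer's per-entry choice to try the next entry after a failure) can be written out as a small issuer-side review aid. This is an added example, not code from the white paper; it models the list as the article describes it rather than the byte encoding used on real cards, and the class, function and list names are assumptions.

```python
from dataclasses import dataclass

OFFLINE_PIN, ONLINE_PIN = "offline PIN", "online PIN"
SIGNATURE, NO_CVM = "signature", "no CVM"
PIN_METHODS = {OFFLINE_PIN, ONLINE_PIN}


@dataclass(frozen=True)
class CvmEntry:
    method: str
    try_next_on_failure: bool  # issuer's choice carried by each list entry


# Terminal capabilities taken from the article's examples.
TERMINALS = {
    "attended POS": {OFFLINE_PIN, SIGNATURE, NO_CVM},
    "unattended terminal": {OFFLINE_PIN, NO_CVM},
    "ATM": {ONLINE_PIN},
}


def perform_cvm(cvm_list, supported, succeeds):
    """Walk the card's CVM list in priority order.

    supported: set of methods the terminal offers.
    succeeds:  callable(method) -> bool, the outcome of attempting that method.
    Returns (method that verified the cardholder or None, methods attempted).
    """
    attempted = []
    for entry in cvm_list:
        if entry.method not in supported:
            continue  # not a match for this terminal, look further down the list
        attempted.append(entry.method)
        if succeeds(entry.method):
            return entry.method, attempted
        if not entry.try_next_on_failure:
            break     # issuer chose to stop here: cardholder verification fails
    return None, attempted


def result_without_pin(cvm_list):
    """Per terminal type: the CVM that ends up verifying when PIN entry fails."""
    def pin_fails(method):
        return method not in PIN_METHODS
    return {name: perform_cvm(cvm_list, caps, pin_fails)[0]
            for name, caps in TERMINALS.items()}


# Two constructed issuer configurations with the same methods and priorities;
# only the "try next entry on failure" choices differ.
STRICT = [CvmEntry(OFFLINE_PIN, False), CvmEntry(ONLINE_PIN, False),
          CvmEntry(SIGNATURE, False), CvmEntry(NO_CVM, False)]
PERMISSIVE = [CvmEntry(OFFLINE_PIN, True), CvmEntry(ONLINE_PIN, False),
              CvmEntry(SIGNATURE, True), CvmEntry(NO_CVM, False)]

if __name__ == "__main__":
    for label, cvm_list in (("strict", STRICT), ("permissive", PERMISSIVE)):
        print(label, result_without_pin(cvm_list))
```

With identical methods and priorities, the per-entry flag alone decides whether a failed PIN ends cardholder verification or falls through to signature or no CVM, which is the setting to review when PIN is meant to protect lost and stolen cards.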
Transaction Authorization
EMV transactions can be authorized online or offline. For an online authorization, transactions proceed as they do today with magnetic stripe cards. The transaction information is sent to the issuer, along with a transaction-specific cryptogram, and the issuer either authorizes or declines the transaction. In an offline EMV transaction, the card and terminal communicate and use payment brand and issuer-defined risk parameters to determine whether the transaction can be authorized. Offline transactions may be used when terminals do not have online connectivity or when the speed and convenience of a transaction can be further optimized (e.g., in transit and event ticketing, or in peak retail periods to support delayed batch processing). Cards can be configured to allow both online and offline authorization, depending on the circumstances. It is also important to note that use of the offline PIN CVM is not restricted exclusively to offline authorized transactions. Offline PIN can be used as the CVM, and the transaction can then go online for authorization in the majority of circumstances.
EMV Offline Transaction Risk Management. The EMV specifications define features that allow issuers to manage risk by deciding when to support offline transactions, or whether to support them at all. Payment brands enhance the EMV specifications with additional flexibility and offer issuers a comprehensive set of configuration parameters to allow an EMV card to perform (or not perform) an offline EMV transaction.
Offline risk management parameters on the card are defined by issuers and usually consist of offline limits expressed in two different ways: number of consecutive offline transactions; or cumulative amount of offline transactions. When either of these limits is exceeded, the issuer forces the transaction online and/or the card declines the transaction.

There are two main scenarios in which an EMV-capable terminal may request an offline transaction, assuming the issuer supports it on the card:
• Scenario 1. The terminal (i.e., merchant) chooses to request an offline transaction for a number of reasons (for example, faster transaction processing and/or slow/costly communication capabilities), but not because the terminal is not capable of connecting to the payment network.
• Scenario 2. The terminal has lost network connectivity and is not capable of processing an online transaction.

In summary, EMV transaction risk management is evaluated in two distinct steps, allowing the terminal to provide its preference or capability and the card to respond with its agreement (based on the issuer’s choice) with the terminal’s request.

The card offline risk management parameters are defined in two groups: lower limits and upper limits. Issuers have the following choices when defining their EMV offline risk management parameters:
• Online only EMV cards
• Online preferring EMV cards
• Offline capable EMV cards

Online only EMV cards. An issuer may decide not to support any offline transaction. In this case the issuer sets both lower and upper offline limits to zero. If the terminal requests offline due to the first scenario above, the card will force the transaction online. In scenario 2, if the terminal is not capable of performing an online transaction, the card will decline an offline transaction. Online only cards do not need to implement any offline data authentication methods (SDA/DDA/CDA).

Online preferring EMV cards. In order to support offline transactions, the issuer must implement offline data authentication (SDA/DDA/CDA) based on payment brands’ requirements. In addition, the issuer should consider implementing offline PIN as part of the CVM list, as this is very often the only supported CVM for offline transaction processing. An online preferring EMV card has its offline transaction lower limits set to zero, and as such, will still request an online transaction in scenario 1 above. However, when the terminal is not capable of connecting online (scenario 2 above), it will approve an offline transaction while the card’s offline upper limits are not exceeded.

Offline capable EMV cards. An offline capable EMV card must support offline card authentication and should support offline PIN; however, in this configuration option neither the lower nor the upper offline limits are set to zero. The card can approve an offline transaction for scenario 1 when the lower limits are not exceeded, and for scenario 2 when the upper limits are not exceeded. As an example, if an issuer decides to support offline authorization, it may configure its lower limits to three consecutive offline transactions not exceeding $50 in total and its upper limits to five consecutive offline transactions totaling up to $100.

It is important to note that the U.S. is a predominantly zero floor limit environment that requires almost all transactions to be authorized online.
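The decision rules above can be traced with a small model. This is an added example, not code from the white paper or from any EMV specification; the class and function names are hypothetical, the non-zero limits are the article's example values, and resetting the counters after an online transaction is an assumption of the model.

```python
from dataclasses import dataclass

APPROVE_OFFLINE, GO_ONLINE, DECLINE = "approve_offline", "go_online", "decline"

@dataclass(frozen=True)
class Limits:
    max_count: int    # consecutive offline transactions allowed
    max_amount: int   # cumulative offline amount allowed, in cents

@dataclass
class Card:
    lower: Limits
    upper: Limits
    offline_count: int = 0   # consecutive offline approvals so far
    offline_total: int = 0   # cumulative offline amount so far, in cents

    def _within(self, limits, amount):
        # The current transaction is included in the check, so a zero
        # limit is exceeded by any transaction.
        return (self.offline_count + 1 <= limits.max_count
                and self.offline_total + amount <= limits.max_amount)

    def decide(self, amount, terminal_can_go_online):
        """Card's answer to a terminal that requests an offline transaction."""
        # Scenario 1 (terminal could go online) is checked against the lower
        # limits, scenario 2 (no connectivity) against the upper limits.
        limits = self.lower if terminal_can_go_online else self.upper
        if self._within(limits, amount):
            self.offline_count += 1
            self.offline_total += amount
            return APPROVE_OFFLINE
        if terminal_can_go_online:
            # Assumption: going online resets the offline counters.
            self.offline_count = self.offline_total = 0
            return GO_ONLINE
        return DECLINE

# The three issuer choices; non-zero values are the article's example limits.
def online_only():
    return Card(Limits(0, 0), Limits(0, 0))

def online_preferring():
    return Card(Limits(0, 0), Limits(5, 10_000))

def offline_capable():
    return Card(Limits(3, 5_000), Limits(5, 10_000))

def run(card, requests):
    """requests: (amount_in_cents, terminal_can_go_online) pairs, in order."""
    return [card.decide(amount, online) for amount, online in requests]
```

With three $20 purchases in scenario 1, the offline capable card approves two and sends the third online because the $50 lower cumulative limit would be exceeded before the three-transaction count is.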
Summary
All of the major payment brands have announced their roadmaps for U.S. migration to EMV. As the U.S. payments industry migrates to EMV, all stakeholders need to understand the value that EMV brings to secure payment transactions and the options that exist for implementation. EMV is a worldwide common standard that protects against fraud from counterfeit, lost and stolen cards, improves the security of the transaction authorization process, ensures global acceptance and interoperability and supports new form factors beyond cards, including key fobs, microSD memory cards, adhesive stickers, and NFC phones.

About this Article
This article is an extract from the Smart Card Alliance Payments Council white paper, Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure?, published in September 2012 and updated in January 2013. The white paper was developed to educate stakeholders across the payments value chain about the critical aspects of deploying an EMV solution in their business environments in the U.S. Additional information on EMV can be found on the Smart Card Alliance EMV Connection web site.

About the Smart Card Alliance Payments Council
The Smart Card Alliance Payments Council focuses on facilitating the adoption of chip-enabled payments and payment applications in the U.S. through education programs for consumers, merchants, issuers, acquirers/processors, government regulators, mobile telecommunications providers and payments service providers. The group is bringing together payments industry stakeholders, including payments industry leaders, merchants and suppliers, and is working on projects related to implementing EMV, contactless payments, NFC-enabled payments and applications, mobile payments, and chip-enabled e-commerce. The Council’s primary goal is to inform and educate the market about the value of chip-enabled payments in improving the security of the payments infrastructure and in enhancing the value of payments and payment-related applications for industry stakeholders. Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.
council reports
Updates from the Alliance Industry Councils

Access Control
• The Access Control Council is developing industry comments on the changes being made to the FIPS 201 Evaluation Program. The nine draft FIPS 201 Evaluation Program documents that are being reviewed are available at http://fips201ep.cio.gov/draft_docs.php.
• Other Council 2013 priorities include: providing input to NIST on FIPS 201-2 related publications; and providing recommendations and guidance on derived credentials.

Healthcare
• The Healthcare Council has invited key government and industry contacts for a March 1st council web briefing on use cases for smart healthcare cards. Lawrence Carbanero, Memorial Hospital, North Conway, NH, and Roderick Bell, Resolute Health, Innovation Center for Vanguard Health, will be discussing their perspectives.

Identity
• The Identity Council has started to develop a white paper on smart card technology and NSTIC. The goal of the white paper is to raise awareness of the benefits of smart card technology and show how smart card technology can be used for high assurance credentials in the NSTIC identity ecosystem.
• The Council is leading a cross-council project on mobile devices and PIV credentials.

Mobile and NFC
• The Mobile and NFC Council is planning a webinar series on mobile/NFC security fundamentals. The series will start on March 5th and include webinars on the security architecture of a mobile device, secure elements, NFC Forum tags and security considerations, and security perspectives for different NFC use cases. Registration for the webinars is now open.
• The Council has started phase 2 of its mobile/NFC standards landscape project; phase 2 will identify critical gaps in standards for priority NFC applications.
• The Mobile and NFC Council brainstormed other 2013 projects during its in-person meeting on Feb. 5th, at the 2013 Payments Summit. The Council will be developing detailed statements of work for priority projects and seeking member volunteers in early March.

Payments
• The Payments Council published its new interactive EMV ecosystem resource. The resource is implemented as an interactive PowerPoint show that identifies every stakeholder involved in the EMV ecosystem, their roles, and their links to other participants. The EMV ecosystem project included broad cross-industry Payments Council member participation. Participants involved in the development of this tool included: Accenture; Acumen Building Enterprise; American Express; Apriva; Bank of America; Connexem Consulting; Datacard Group; Discover Financial Services; FIS; Fiserv; Gemalto; Giesecke & Devrient; Heartland Payment Systems; Infineon Technologies; JPMorgan Chase; Dale Laszig; MasterCard Worldwide; Morpho; NagraID Security; NXP Semiconductors; Oberthur Technologies; Quadagno & Associates; SHAZAM Network; TSYS; Valid USA; VeriFone; Visa Inc.; Wells Fargo.
• The Council held a well-attended in-person meeting at the 2013 Payments Summit on Feb. 5th. During the meeting, Council members brainstormed possible projects for 2013; Council members will be providing input on priorities this month and will be launching new projects in March.

Transportation
• The Council discussed 2013 projects during its in-person meeting at the 2013 Payments Summit on Feb. 6th. Topics being discussed for 2013 include: EMV and transit; small agency business model for open payments; transit and PIV card linkages; transit system reference architecture; and agency outreach.

Other Council Information
• Members-only council web pages are available at http://www.smartcardalliance.org/councils. These are password-protected pages that contain council working and background documents and contact lists. Each Council area has a separate password since Councils may have different membership policies. If you are a Smart Card Alliance member and would like access to a council site, please contact Cathy Medich.
• A Council meeting calendar is available on the members-only web site at http://www.smartcardalliance.org/pages/memberscouncil-resources.
• If you are interested in forming or participating in an Alliance council, contact Cathy Medich.

Alliance Members: Participation in all current councils is open to any Smart Card Alliance member who wishes to contribute to the council projects. If you are interested in participating in any of the active councils, please contact Cathy Medich.
from the alliance office
Welcome New Members - Smart Card Alliance
• Invoke Technologies, Associate Member
• AmbigMicro Inc., General Member
• Applus+Laboratories, General Member
• Genfare, a Division of SPX Corporation, General Member
• MagTek Inc., General Member
• Natural Security, General Member
• Regions Bank, General Member
• Veracity Payment Solutions, General Member
• City of Calgary, Calgary Transit, Government Member
• Edmonton Transit System, Government Member
• Enable S.A., SCALA Associate Member
• Tecnica Comercial Vilsa, S.A.DE C.V., SCALA General Member

New CSCIP Recipients

CSCIP
• Megan Shamas, Montner & Associates
• Brett Chamaly, MasterCard

CSCIP/Payments
• Tony McGee, CPI Card Group
• Keith Paulsen, Cirque Corporation
• George Peabody

CSCIP and CSCIP/P
• Eric de Katow

For more news, visit our website at www.smartcardalliance.org. Members can also access white papers, educational resources and other content.

191 Clarksville Road Princeton Junction, New Jersey 08550 1.800.556.6828 Fax: 1.609.799.7032 info@smartcardalliance.org www.smartcardalliance.org

About Smart Card Talk
Smart Card Talk is the monthly e-newsletter published by the Smart Card Alliance to report on industry news, information and events and to provide highlights of Alliance activities and membership.

About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.