Key Messages
Target: A Game-Changer?
Rescator.la: For Your Everyday Fraud Needs!
Is an ROI Motivation Lacking?
[Chart: amounts in $ billion, axis $0.00 to $70.00; category labels: U.S. Counter. Global U.S. U.S.-Banks U.S.-Merch Other Merch Interchange Charge-offs]
Politics of Payments Complications
Card brands were ready to retreat (on 10/2015 Liability Shift) until Target breach hit
Merchants loath to be perceived as dragging feet
Processors push on new source of revenues
Visa/MC view HCE and Tokenization as mechanisms to re-assert control of payments
Failure of card brand solution to fully address CNP venue might be an opening for alternatives
EMV/NFC Payments Linked
Date EMV/NFC Payment Market Development
2000 The card brands led the effort to instill the ISO 14443 standard for chip-based (EMV), single-path, card emulation mode
2000 About that same time, Visa/MC announced that by 2005, all of their cards in the U.S. would require a chip; shortly after, this requirement was rescinded, due to member bank objections
2004 In 2004, the card brands pushed through ISO 18092, which enabled a two-way path for supporting marketing applications
2004 Shortly after, a major effort to promote acceptance and adoption of tap-and-go contactless ensued, focused significantly on the U.S.
2008 By 2008, the legacy payments industry decided that near-field communications (NFC) would be the preferred embodiment for mobile handsets, which would operate in the card emulation mode, using a secure element
2009 BestBuy shut down its tap-and-go program because Visa's PayWave would not support PIN-debit option; only stores with aggressive local issuers noticed
2010 Tap-and-go contactless support began to dry up due to low adoption and volumes; NFC, slow to appear on handsets and in business models, faced growing challenges
2011 EMV contactless specs arrived in 2011 geared to common interfaces to NFC terminals; Visa announced its EMV program in August, including a liability shift by 2015
2012 EMV, designed to be synonymous with NFC, received support from other brands, but, like NFC, hits a wall with merchant adoption
2012 EMV, designed to be single-branded, doesn't comply with the Durbin mandate for merchant choice of two, non-affiliated debit networks; EFT networks are upset
2013 Efforts to reconcile implementation issues with EMV are being addressed by the EMV Migration Forum (EMF); meanwhile NFC continues to struggle (though Isis and others are still trying to push it)
2013 U.S. court (Judge Leon) rejects Fed's implementation of Durbin Amendment, and adds potential requirement for merchant choice of two signature-debit networks; Fed appeals; uncertainty stymies EMF progress toward single, common debit card AID for contact card; Google introduces Host Card Emulation (HCE) workaround of Secure Element
Background of EMV
EMV originally designed to make offline payments more secure by verifying user to the authorized card account; can do online as well, but not over the Internet
Relied heavily on PIN validation
Supported multiple payment options (credit, debit, purse) and loyalty applications, but under one brand's Application IDentifier (AID)
Generally produces liability shift (to Issuers) for chip-authenticated transactions (while sticking slow deployers with mag-stripe fraud)
What's Wrong with EMV?
Card emulation mode comes at a huge cost for just a baby step in added security
Old specification/business case, doesn't address U.S. or online/mobile world
Disparate implementations globally lead to user problems with acceptance/issuer confusion
No real evidence of long-term fraud mitigation (U.K., France) after first-flush of reduced counterfeit fraud
Pressure on merchants to terminalize for EMV post-Target (which won't mitigate future data
Old Problems Get Perpetuated
Brands' answer: Card emulation mode
Too little value for too much cost?
Only card credential encrypted past POS is CVV (with a blob of unique transaction data); but many merchants don't use CVV online, so exposed credentials can be intercepted and used for online fraud
Retention of CNP becomes an albatross to innovation
Is the continuing CNP problem the black hole of payments?
CNP Debate: A problem that won't go away
Card Not Present: a vestige of 2000, when the payments industry lived in fear of the Internet
20-30 bps premium over card-present rates even today
Merchants absorb virtually all liabilities, despite huge investments
Visa/MC decree only card-emulation mode warrants lower card-present interchange
Ostensibly an incentive to adopt NFC/EMV, but a disincentive to accept competing technologies that might be safer!
Transaction risk much higher with card-emulation
Concerns persist about intrinsic NFC risk (e.g., Apple)
Google, PayPal, others pay premiums and fees, and absorb liabilities
Visa and MC allude to studies to give partial and perhaps full parity with card-present to qualifying (secure) alternatives
No ROI for EMV Implementation
Tower Group (2001):
Costs
75% paid by Merchants
13% paid by Issuers
12% paid by Networks
Javelin Strategy Research (2010):
Merchants pay 2/3; POS drags feet (especially small merchants)
Others: (relative to Canada);
Is NFC a separate implementation?
Isis model for loading accounts rejected by issuers
Merchant deployment costs could multiply with proprietary aspects
US Debit Card Durbin-Compliant Solution
EMV Helps, but Where is the Business Case?
[Chart: amounts in $ billion, axis $0.00 to $70.00, with an "EMV Cost" marker; category labels: U.S. Counter. Global U.S. U.S.-Banks U.S.-Merch Other Merch Interchange Charge-offs]
Too Many (Uncertain) Technology Choices
Host Card Emulation: Rolling the Dice
Host Card Emulation: Savior or Killer of NFC?
Benefits
SE in the cloud enables much more flexible app development and no limits on SE storage size
Deploys at much lower cost
Spares issuers the need for and provisioning of SEs
Can be updated continually at low cost
Multiple wallets can be supported on the handset

Challenges
Introduces higher level of risk without SE
Latency and coverage issues arise
Treats trusted environment at apps level where exposure is greatest
Carriers could assert control of domain again
Interoperability questions?
MasterCard Pushes HCE with CapOne, BBVA
BBVA First Bank to Offer Mobile Payments Via Host Card Emulation
Hybrid Cards Emerge to Bridge Gaps
X.9 New Work Item for CNP Coming?
Race for Control of Mobile/Digital Payments is On
Tens of thousands of merchants already have processor- or third-party-provided, and proprietary, tokenization schemes in place
MCX announces tokenization plans for POS and (holds some discussions about collaboration with TCH) (November 2012 to June 2013)
TCH announces program to develop tokenization standard for mobile (July 2013)
Visa/MC/Amex announce their own plans for tokenization standard (Oct 2013)
EMVCo, which also includes brand co-owners Discover, JCB and China Union Pay, releases tokenization specifications for EMV cards (March 2014)
ANSI X.9 accelerates its efforts to create more secure, global, scalable tokenization standard; PCI council addresses tokenization for payment card credentials at-rest, too
Fed prepares to examine new X.9 initiative for CNP, with tokenization that works fully in digital venues
Big Banks Stake a Tentative Claim
TCH Secure Token Exchange
And EMV is their Imperfect Instrument
Criticism of EMV's security limitations led to preliminary work (and recent push) for adding-on tokenization
Original thrust was for dynamic tokens with various tiers of use cases for different venues/transaction risks
But one BIG Visa issuer can't do dynamic tokens, so EMVCo was pushed to start out with static tokens, and sell the feature for merchants to track customer use to see if the merchants bite
Meanwhile, Visa/MC are working on issuers to support monolithic tokens (one each per consumer device); but are there enough BINs/PANs to support three devices with four+ separate usage tiers?
Plans for dynamic tokens put on the back burner, as big banks hedge their bets on whether Visa/EMVCo can
Four Use Cases Offered, Beginning with, of course, NFC
Other Use Cases Gated thru EMV Mode
Collaboration on Risk Management Produces Big Potential Payoff
Full information on buyer
Full account history across multiple merchants
Risk management history

MERCHANT
Information on buyer at given merchant
Account history with merchant payment type
Buyer history with other bank payment types
Risk management history
Transaction session information

MOBILE PROVIDER
Mobile device/network data
Mobile usage and session information
Mobile marketing experiences
Square Cash: Pushing Debit Card Use?
Merchant Aggregators Gain Traction
Virtual Acceptance: Braintree/Venmo
Venmo: Breakout Payment Sign-up App
Payments Become Transparent: Yelp
...And Even Groupon
Merchant-Directed Mobile Apps: Subway
Sources: MobileCommerceToday + Websites
Payments Commoditize: e.g., MCX
Many Players Chasing The Uber Experience
Crypto-Currencies Emerge
Miners
Exchangers
Wallet Providers
Payment Processors
Merchants
Others
The Auditable Blockchain is the Breakthrough
Implications for Banking Industry
Merchants and corporate customers will soon be asking for support: what do you do then?
If the pipe of the future for transferring value is based on mathematical cryptography rendered in software, who provides the layers of necessary supporting infrastructure?
If regulated financial institution accounts will comprise the vast bulk of digital funding transactions,
All Paths Lead to Digital IDs
PII and Online (Digital) Access and Habits Set Us All Up for Data Breach Exposure; Are Digital IDs the Solution?
Security and Trust Play Well in Emerging Digital Venues
Steve Mott
BetterBuyDesign
dba CSI Management Services, Inc.
1386 Long Ridge Road
Stamford, CT 06903
and 1214 Querida Drive
Colorado Springs, CO 80909
(o) 203.968.1967
(c) 203-536.0588
email: stevemottusa@yahoo.com
website: www.betterbuydesign.com