
EMV? Tokenization? Or Both?

WesPay 2014 Payments Symposium


Creating Payments Strategies
Steve Mott, Principal, BetterBuyDesign
September 2014

Key Messages

Target: A Game-Changer?

Rescator.la: For Your Everyday Fraud Needs!
Is an ROI Motivation Lacking?
[Chart: bar chart, y-axis "$ Billion" (scale $0.00 to $70.00); categories: U.S. Counter., Global, U.S., U.S.-Banks, U.S.-Merch, Other Merch, Interchange, Charge-offs]

Sources: Nilson Reports, Moebs, Payments Source, industry reports
PCI: Misbegotten Effort?
MAG survey: PCI costs from 2004-2009 were $20B (Tier 1 extrapolated to all)
US card fraud in same period was $13.9B (45% of global)
Fraud soaring again (2011-2013)
Politics of Payments Complications
Card brands were ready to retreat (on 10/2015 Liability Shift) until Target breach hit
Merchants loath to be perceived as dragging feet
Processors push on new source of revenues
Visa/MC view HCE and Tokenization as mechanisms to re-assert control of payments
Failure of card brand solution to fully address CNP venue might be an opening for alternatives
EMV/NFC Payments Linked
Date  EMV/NFC Payment Market Development
2000  The card brands led the effort to instill the ISO 14443 standard for chip-based (EMV), single-path, card emulation mode
2000  About that same time, Visa/MC announced that by 2005, all of their cards in the U.S. would require a chip; shortly after, this requirement was rescinded, due to member bank objections
2004  In 2004, the card brands pushed through ISO 18092, which enabled a two-way path for supporting marketing applications
2004  Shortly after, a major effort to promote acceptance and adoption of tap-and-go contactless ensued, focused significantly on the U.S.
2008  By 2008, the legacy payments industry decided that near-field communications (NFC) would be the preferred embodiment for mobile handsets, which would operate in the card emulation mode, using a secure element
2009  BestBuy shut down its tap-and-go program because Visa's PayWave would not support PIN-debit option; only stores with aggressive local issuers noticed
2010  Tap-and-go contactless support began to dry up due to low adoption and volumes; NFC, slow to appear on handsets and in business models, faced growing challenges
2011  EMV contactless specs arrived in 2011 geared to common interfaces to NFC terminals; Visa announced its EMV program in August, including a liability shift by 2015
2012  EMV, designed to be synonymous with NFC, received support from other brands, but, like NFC, hits a wall with merchant adoption
2012  EMV, designed to be single-branded, doesn't comply with the Durbin mandate for merchant choice of two, non-affiliated debit networks; EFT networks are upset
2013  Efforts to reconcile implementation issues with EMV are being addressed by the EMV Migration Forum (EMF); meanwhile NFC continues to struggle (though Isis and others are still trying to push it)
2013  U.S. court (Judge Leon) rejects Fed's implementation of Durbin Amendment, and adds potential requirement for merchant choice of two signature-debit networks; Fed appeals; uncertainty stymies EMF progress toward single, common debit card AID for contact card; Google introduces Host Card Emulation (HCE) workaround of Secure Element
Background of EMV
EMV originally designed to make offline payments more secure by verifying user to the authorized card account; can do online as well, but not over the Internet
Relied heavily on PIN validation
Supported multiple payment options (credit, debit, purse) and loyalty applications, but under one brand's Application IDentifier (AID)
Generally produces liability shift (to Issuers) for chip-authenticated transactions (while sticking slow deployers with mag-stripe fraud)
What's Wrong with EMV?
Card emulation mode comes at a huge cost for just a baby step in added security
Old specification/business case doesn't address U.S. or online/mobile world
Disparate implementations globally lead to user problems with acceptance/issuer confusion
No real evidence of long-term fraud mitigation (U.K., France) after first-flush of reduced counterfeit fraud
Pressure on merchants to terminalize for EMV post-Target (which won't mitigate future data
Old Problems Get Perpetuated
Brands' answer: Card emulation mode
Too little value for too much cost?
Only card credential encrypted past POS is CVV (with a blob of unique transaction data); but many merchants don't use CVV online, so exposed credentials can be intercepted and used for online fraud
Retention of CNP becomes an albatross to innovation
Is the continuing CNP problem the black hole of payments?
CNP Debate: A problem that won't go away
Card Not Present a vestige of 2000, when the payments industry lived in fear of the Internet
20-30 bps premium over card-present rates even today
Merchants absorb virtually all liabilities, despite huge investments
Visa/MC decree only card-emulation mode warrants lower card-present interchange
Ostensibly an incentive to adopt NFC/EMV, but a disincentive to accept competing technologies that might be safer!
Transaction risk much higher with card-emulation
Concerns persist about intrinsic NFC risk (e.g., Apple)
Google, PayPal, others pay premiums and fees, and absorb liabilities
Visa and MC allude to studies to give partial and perhaps full parity with card-present to qualifying (secure) alternatives
No ROI for EMV Implementation
Tower Group (2001):
Costs
75% paid by Merchants
13% paid by Issuers
12% paid by Networks
Javelin Strategy Research (2010):
Merchants pay 2/3; POS drags feet (especially small merchants)
Others: (relative to Canada);
Is NFC a separate implementation?
Isis model for loading accounts rejected by issuers
Merchant deployment costs could multiply with proprietary aspects
US Debit Card Durbin-Compliant Solution
EMV Helps, but Where is the Business Case?

[Chart: bar chart, y-axis "$ Billion" (scale $0.00 to $70.00), with an "EMV Cost" label beside the $20.00 gridline; categories: U.S. Counter., Global, U.S., U.S.-Banks, U.S.-Merch, Other Merch, Interchange, Charge-offs]

Sources: Nilson Reports, Moebs, Payments Source, industry reports
And Total Fraud is Rising Again (oops)

[Chart: total fraud by year; the 2013 data label reads 450.3]

Source: UK Payments Council
1. Tethering to EMV complicates rather than simplifies adoption
Politics of payments has intervened: No solution for online, but CNP and card-emulation (and PCI exposure) persist
2. Card-emulation mode makes life easier for issuers and acquirers, but murders the ROI for merchants, and puts the new payments system at risk
Why spend so much money on baby steps in security?
3. Handset account loading, SE requirement, restrictions on and costs for use hamper issuer and user adoption
Original Business Case for 2-way NFC: OK
Relevant coupons: 1-to-1 targeting, real-time, refreshing, etc. can reduce billions of waste from $400 billion annual spend on paper and broadcast media (where only 8% of consumers collect and just 1% redeem)
Customer recognition (supplying data and receiving offers and services, e.g., queries on nearest brand store or restaurant, where promotional offers can be returned with info)
Location-based (updating rewards programs) upon entering stores; data can be harvested for banking products and joint bank/merchant promotions
Products can be pitched inside the store, while shopping, including competitive offers
Shopping items can be automatically scanned/read while shopping, facilitating self-checkout (where payment options can be pitched)
Loyalty programs can be integrated and instantly updated for real-time redemptions
All this data can be used (with sufficient consumer opt-in) to better address offers, promotions, financial services needed, targeting of ads, etc.
Too Many (Uncertain) Technology Choices

Host Card Emulation: Rolling the Dice

Host Card Emulation: Savior or Killer of NFC?
Benefits:
SE in the cloud enables much more flexible app development and no limits on SE storage size
Deploys at much lower cost
Spares issuers the need for and provisioning of SEs
Can be updated continually at low cost
Multiple wallets can be supported on the handset

Challenges:
Introduces higher level of risk without SE
Latency and coverage issues arise
Treats trusted environment at apps level where exposure is greatest
Carriers could assert control of domain again
Interoperability questions?
MasterCard Pushes HCE with CapOne, BBVA
BBVA First Bank to Offer Mobile Payments Via Host Card Emulation

Android users of the BBVA Wallet app will now be able to make NFC payments thanks to Visa's new cloud storage specifications for credentials.

When Visa and MasterCard announced earlier this year that they would be supporting Host Card Emulation (HCE) for storing payments credentials in the cloud, it created an opportunity for banks to take a step forward in mobile payments. HCE eliminates the need for storing credentials in the mobile device, enabling banks (and others) to offer mobile payments without the help of telcos.
--6/30/2014 BankTech

Hybrid Cards Emerge to Bridge Gaps
X.9 New Work Item for CNP Coming?

Initiating an X9 security standard for card not present transactions/e-commerce environment begins with a New Work Item that is endorsed by five X9 members.
New Work Item components:
Type of project
Value proposition, business benefit, return on investment
Information about project & proposer
Justification of project: define issues, need/benefit, identity of stakeholders
Token: A surrogate value used in place of an underlying sensitive value (USV) in certain, well defined situations, but not in every way that the USV is used

PAN                 Token               Comment
13980 826539 1255   231poK983HKzns100   Token is composed of alphabetic and numeric characters
84295 195562 7629   12345 098765 6574   Token is identical to PAN in structure and character set (Luhn check could even hold)
91094 389921 9321   T3245 918234 4251   Token is almost identical to PAN except for a character indicating it is a token

Source: ANSI X.9
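The three token styles in the X9 table differ only in how much of the PAN's structure they keep, and the second row's remark about the Luhn check is the practical one: a token with the PAN's length, digit-only character set and a valid check digit passes through legacy systems that validate PANs without any change to them. The Python below is an added example (not from the presentation, ANSI X9 or any vendor) of a toy vault that issues all three styles and maps them back; the 16-digit test PAN, the TokenVault class and its method names are constructed for illustration.

```python
"""Vault-based tokenization in the three styles of the ANSI X9 table.
Added example; the PAN used below is a constructed test value, not a real card."""
import secrets
import string


def luhn_sum(digits: str) -> int:
    """Luhn sum over a digit string, mod 10. A value of 0 means the string
    (its last digit taken as the check digit) passes the check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10


def luhn_valid(s: str) -> bool:
    return s.isdigit() and len(s) > 1 and luhn_sum(s) == 0


def luhn_check_digit(partial: str) -> str:
    """The digit that makes partial + digit Luhn-valid."""
    return str((10 - luhn_sum(partial + "0")) % 10)


class TokenVault:
    """Toy in-memory vault mapping token -> PAN. The protection comes from
    access control on this mapping (in production an HSM- or database-backed,
    audited store), not from the token's shape: the token itself carries no
    recoverable PAN digits beyond the ones deliberately kept."""

    def __init__(self):
        self._token_to_pan = {}

    def _store(self, pan: str, token: str) -> str:
        self._token_to_pan[token] = pan
        return token

    def _random_digits(self, n: int) -> str:
        return "".join(secrets.choice(string.digits) for _ in range(n))

    def tokenize_alphanumeric(self, pan: str, length: int = 17) -> str:
        """Row 1: opaque alphanumeric token with no structural relation to the PAN."""
        alphabet = string.ascii_letters + string.digits
        while True:
            token = "".join(secrets.choice(alphabet) for _ in range(length))
            if token not in self._token_to_pan:
                return self._store(pan, token)

    def tokenize_format_preserving(self, pan: str) -> str:
        """Row 2: same length and character set as the PAN and Luhn-valid, so
        PAN-validating legacy code accepts it. Keeps the last four digits, which
        receipts and customer service commonly need."""
        if not luhn_valid(pan) or len(pan) < 6:
            raise ValueError("input is not a Luhn-valid PAN")
        while True:
            body = self._random_digits(len(pan) - 5)
            # The 5th digit from the right is not doubled by Luhn, so it can
            # absorb whatever adjustment makes the whole token pass the check.
            fix = str((10 - luhn_sum(body + "0" + pan[-4:])) % 10)
            token = body + fix + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                return self._store(pan, token)

    def tokenize_marked(self, pan: str) -> str:
        """Row 3: PAN-shaped except for a leading letter that flags it as a
        token, so it can never be mistaken for (or validate as) a real PAN."""
        while True:
            token = "T" + self._random_digits(len(pan) - 5) + pan[-4:]
            if token not in self._token_to_pan:
                return self._store(pan, token)

    def detokenize(self, token: str) -> str:
        """Look the PAN back up; only code with vault access can do this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"          # constructed Luhn-valid test PAN
    for name, tok in [("alphanumeric", vault.tokenize_alphanumeric(test_pan)),
                      ("format-preserving", vault.tokenize_format_preserving(test_pan)),
                      ("marked", vault.tokenize_marked(test_pan))]:
        print(f"{name:18s} {tok:20s} luhn_valid={luhn_valid(tok)} "
              f"round-trip={vault.detokenize(tok) == test_pan}")
```

The format-preserving style has the downside the table's remark only hints at: a Luhn-valid, digit-only token is indistinguishable from a PAN by shape, so it can collide with another cardholder's real number and is harder for data-discovery scans to tell apart from leaked PANs. Deployments that want that distinction either make tokens deliberately fail the Luhn check or issue them from a reserved BIN range; the marked style in row 3 is the simplest form of the same idea.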


Key Players Contend for Solution Supremacy

Race for Control of Mobile/Digital Payments is On
Tens of thousands of merchants already have processor- or third-party-provided, and proprietary, tokenization schemes in place
MCX announces tokenization plans for POS (and holds some discussions about collaboration with TCH) (November 2012 to June 2013)
TCH announces program to develop tokenization standard for mobile (July 2013)
Visa/MC/Amex announce their own plans for tokenization standard (Oct 2013)
EMVCo, which also includes brand co-owners Discover, JCB and China Union Pay, release tokenization specifications for EMV cards (March 2014)
ANSI X.9 accelerates its efforts to create more secure, global, scalable tokenization standard; PCI council addresses tokenization for payment card credentials at-rest, too
Fed prepares to examine new X.9 initiative for CNP, with tokenization that works fully in digital venues

Big Banks Stake a Tentative Claim
TCH Secure Token Exchange
And EMV is their Imperfect Instrument
Criticism of EMV's security limitations led to preliminary work (and recent push) for adding-on tokenization
Original thrust was for dynamic tokens with various tiers of use cases for different venues/transaction risks
But one BIG Visa issuer can't do dynamic tokens, so EMVCo was pushed to start out with static tokens, and sell the feature for merchants to track customer use to see if the merchants bite
Meanwhile, Visa/MC are working on issuers to support monolithic tokens (one each per consumer device); but are there enough BINs/PANs to support three devices with four+ separate usage tiers?
Plans for dynamic tokens put on the back burner, as big banks hedge their bets on whether Visa/EMVCo can
Four Use Cases Offered, Beginning with, of course, NFC

Other Use Cases Gated thru EMV Mode
Collaboration on Risk Management Produces Big Potential Payoff

MERCHANT
Information on buyer at given merchant
Account history with merchant payment type
Buyer history with other bank payment types
Risk management history
Transaction session information

MOBILE PROVIDER
Mobile device/network data
Mobile usage and session information
Mobile marketing experiences

(third party; heading not captured in the extraction)
Full information on buyer
Full account history across multiple merchants
Risk management history
Square Cash: Pushing Debit Card Use?

Merchant Aggregators Gain Traction

Virtual Acceptance: Braintree/Venmo

Venmo: Breakout Payment Sign-up App

Payments Become Transparent: Yelp

...And Even Groupon

Merchant-Directed Mobile Apps: Subway

Sources: MobileCommerceToday + Websites
Payments Commoditize: e.g., MCX

Many Players Chasing The Uber Experience
Crypto-Currencies Emerge
Miners
Exchangers
Wallet
Providers
Payment
Processors
Merchants
Others
The Auditable Blockchain is the Breakthrough
Implications for Banking Industry
Merchants and corporate customers will soon be asking for support; what do you do then?
If the pipe of the future for transferring value is based on mathematical cryptography rendered in software, who provides the layers of necessary supporting infrastructure?
If regulated financial institution accounts will comprise the vast bulk of digital funding transactions,
All Paths Lead to Digital IDs
PII and Online (Digital) Access and Habits Set Us All Up for Data Breach Exposure; Are Digital IDs the Solution?
Security and Trust Play Well in Emerging Digital Venues

Source: Alix Partners, The Bank Wears Prada, Spring 2013


Steve Mott's Contact Coordinates

Steve Mott
BetterBuyDesign
dba CSI Management Services, Inc.
1386 Long Ridge Road
Stamford, CT 06903
and 1214 Querida Drive
Colorado Springs, CO 80909
(o) 203.968.1967
(c) 203-536.0588
email: stevemottusa@yahoo.com
website: www.betterbuydesign.com