Title: 6' EMV Implementation
16. EMV Implementation
- Richard Sanders, Business Consultant
- ACI Worldwide
2 Agenda
- Brief Review of EMV Introduction
- The Challenges of an EMV Implementation
- What Banks do and don't think about in an EMV Implementation
- EMV Implementation Strategy
- Conclusions
3 Smart Card Implementations - Timescales
4 EMV - More than Fraud prevention?
Advantages
- Schemes Mandated Chip and PIN cards By Liability Shift
- Reduce fraud
- Accelerate Transactions at POS
- Save till paper
- Charge-backs - fewer reason codes
- Better Risk Controls
Problems
- Unrealistic timelines?
- Cost
- Merchant resistance (cost and disruption)
- Need for consumer re-education
- Vendors - lengthy accreditation process
- Special considerations for disabled
5 Challenges of Issuing EMV cards
[Diagram. Labels: Competitive advantage; What did I forget?; Lead times; Transaction times; Be prepared for the un-expected - Lots of AHAs; Foundation; Investments that Matters for DAY 1; Fraud savings; tools; When?]
6 The Challenges - 1
- Consumers' behaviour
- Will cardholders adapt or use another payment method?
- Can they be prevented from writing down PIN numbers?
- Retailers
- Staff need the information and confidence to assist cardholders
- Merchants to enforce the strict regime on fallback
- One level of fallback during transition
- No fallback for Chip and PIN transactions after maturity
- Communication
- Acquirers responsible for communications to their merchants
- Supported by Central Bank led generic messages and Schemes
- To be provided over a long time - from early trials through rollout to maturity
- UK Website available www.chipandpin.co.uk
7 The Challenges - 2
- Technology
- Acceptance testing - including Inter-participant (IPT), closed and open testing and the need for a town trial to refine procedures prior to full rollout (and how will this be done - geography, card replacement, merchant specified?)
- Type approval and certification - EMVCo, Schemes, Acquirer
- Counter logistics and management information
- Transaction timings
- Training bank and retail staff
- New technology but not so different to ATM use
- Demands a high level of co-operation from retailers
- Schemes provide the rules but recognise the difficulty of training all front-line staff
- Help-desk support and training material specially written
- Key message for issuers and merchants
- Be proactive, plan well ahead, lobby suppliers.
8 EMV - The Key Questions a Bank asks
- What is the date of the EMV migration for my country or region set by the card associations?
- How do I interface with EMVCo?
- What level of testing period do I want to allow before going live with my EMV card base/infrastructure?
- Which vendors can help facilitate my move to EMV?
- Is Outsourcing a solution?
- Can a bureau provide all my needs?
- When I start migrating my card base to EMV, do I use a force reissue or at renewal/replacement? What is the liability from stripe cards still in circulation after the EMV migration date?
- How do I enforce Fallback?
- Are fraudsters targeting us? Have competitors already migrated?
- Am I losing business by not moving rapidly to smart cards? Etc.
- What Staff Training do I need? Where can I get it?
9 And Typically What it Does Not Ask
- What extra business can I generate by achieving first mover advantage in my markets by moving to smart cards?
- My card will have an anchor financial application. Do I want it to carry other applications such as cashback/loyalty scheme run in-house or by a third party or partners and how will I load/delete/manage these applications?
- Is the Management Information I had developed for testing/trial sufficient for my live needs in areas like fraud strategy?
- Do I want to retain my existing methodology for card issuance?
- How do I plan fallback withdrawal?
- How will I handle Magnetic stripe cards from e.g. the US?
- Are there any special interest groups e.g. the disabled I need to accommodate?
- Can I utilise the EMV Infrastructure for other applications like ID?
- How do I migrate to higher specification versions of EMV?
- Will EMV take away all my fraud problems? If not, what else can I do?
10 EMV Implementation Methodology
- EMV end-to-end payment system implies a number of activities from various internal/external entities like
- Business (Banks, Acquirer, Issuer)
- Legal (Banking Association, Payment Schemes, Government)
- Identify impacts of any other migration activities/legislation - e.g. Chip and Signature cards for some disabled customers
- Technical (Cards, Terminals, Host systems, Network, Back Office, Operations, Certification, MI)
- Vendors (Hardware/Software, Bureaux, Processors)
- Service (i.e. Merchant support, Education, Installation, Upgrades, Maintenance, Communications)
- Customer
- Manage bypass and fallback
- Communication
11 Pre-Implementation analysis
- Although mandated by the Schemes, markets are different and EMV settings used may depend on:
- Telecommunications Costs - is there currently a preference for seeing transactions on-line?
- Credit/Debit Mix - security concerns are quite different
- Cash vs. cheques vs. electronic payments mix compared to cards
- Government view - particularly on ID cards
- EMV delivers options
- EMV allows for many forms of secure card authentication method (CAM) through
- SDA, DDA, CDA
- Legacy Terminal infrastructure can slow innovation
- SDA failures, wrong AID length issues not fully removed until legacy terminals replaced
12 Considerations for an EMV Implementation - 1
- Issuing
- New Chip Card (card production changes)
- New Card management System (including personalisation)
- Issuer Host Modification for EMV payment flow
- New HSM software for EMV cryptography
- Interface to international networks including certification
- PIN Management Infrastructure
- Key Management Infrastructure
- Changes to Operational Processes
- Customer/Staff Education Programme
- Script Processing/Risk Management Enhancements
- New Procedures for Cardholders (Chip and PIN, Chip and Signature, Technical Fallback, PIN Bypass management)
13 Considerations for an EMV Implementation - 2
- Acquiring
- Acquirer Host Modification for EMV payment flow
- Interface to international networks including certification
- ATMs upgraded to offer Reciprocal PIN Management services?
- Acquiring and Issuing silos need to work together
- Terminals
- Hardware and Software Base needs to be replaced
- Problem Management - SDA Failures
- ATMs - why do some have 100% fallback?
14 Considerations for an EMV Implementation - 3
- General
- Education
- Understand EMV Settings to avoid costly mistakes like having the wrong AID length that terminals cannot read
- Have a system that identifies the settings on each card
- Requirements Definition
- Continuous review including MI and Workflow
- Execution Strategy
- Special cases - disabled drivers etc
- Training
- Communications
- Customers, staff, merchants, media all need regular updates
- Keep reviewing the project structure/plan as new items develop
15 EMV Business Case Key Areas
- Market
- Size - larger markets require more investment
- Importance of cards as a payment instrument
- Adoption rate of High Usage retailers e.g. Supermarkets, Petrol
- Proportion of mid-tier retailers as they are slowest to adopt
- Domestic market requirements - levels of E Purse schemes etc
- Processor/Retailer terminal agreement lengths
- Proportion of Bank Owned Terminals
- Strategic market goals to embrace multi-application, ID etc.
- Other Chip Functionality (Transit Mifare card etc)
- Merchant Card Issuance and Other Financial Products
- TelCo ambitions
- Government position
- Work/Life Balance of Cardholders
16 EMV Business Case Key Areas
- Issuer
- Fraud Costs and Types - domestic/cross border (some Banks do not collect data)
- Interchange fee incentive
- Internet Banking/MO/TO
- Cash replacement
- Multi-application
- Loyalty on Credit/Debit
- ID
- Contactless, Prepaid options Day 1
- Increased Acquisition of Customers at a Lower Cost
- Increased Retention through Service, broad Product Portfolio and Cross-Selling Opportunities
- Reduced Operational Costs and Increased Productivity
17 EMV Business Case Key Areas
- Merchant
- High Traffic retailers e.g. Supermarkets, Petrol
- Mid tier retailers' attitude
- Percentage of Business on-line/MO/TO
- Higher security of EFTPOS terminals increases certification time
- Level of any reduction in MSCs for compliance
- Perceived value of not storing receipts for chargebacks
- Value of increase in speed of transaction times and convenience to customers
- Cash replacement
- Plans for Unattended terminals
18 EMV Business Case Key Areas
- Customers
- Ultimate Convenience - deliver customer confidence/peace of mind by removing the worry, hassle and inconvenience of fraud
- Privacy and ID Theft Protection
- Choice of Channel for purchasing
- Control of the Relationship
- Instant Gratification through loyalty at POS
- Money Rich, Time Poor Scenario
- Need for Convenience and Speed
- Ever Growing Value for Their Business
- Multi-application
- Loyalty
- ID
- Access
19 Potential Barriers to EMV Implementation
- Cost of Cards
- PC Base having Integrated Readers and Software
- Installation of Smart Card Readers
- Transaction Times
- Interoperability
- Inconsistent Messages
- No Compelling/Killer Chip application
- Is the Chip for security, ID, loyalty/promotion, other?
- POS Infrastructure Costs - retailers have set hardware replacement cycles and have to be convinced and Banks will have to contribute to get Issuance IT Resource shortages due to Basel II, Sarbanes-Oxley
20 Education - it is complex
- Create an education programme across
- Executives - they will have to agree it
- Marketing - they have to build on it
- Technology - they have to maintain and enhance it
- Operations - how they do/report everything could change
- Finance - to build the business case
- Corporate Communications - how you communicate the change to customers is key
- Issuing and Acquiring (POS and ATM) sides have to work together
- Retailers are key - it's their customers too!
- Leverage what exists in the market
- Conferences and Associations Seminars
- Vendors
- Professional Training Seminars
21 Requirements Definition - Checklist
- Functional and Technical Requirements
- What type of Smart Card do you want and what do you want it to do today and tomorrow - drives Chip Size
- What Applications do you want on it?
- At issuance/To be loaded later
- Contact/Contactless
- What Infrastructure do you want
- Data storage/retrieval Card Life Cycle Management
- Expiry dates typically can be lengthened from stripe
- Design with the Future in Mind to avoid costs
- Interoperability
- Scalability
- Usability
- Data privacy/protection
- What can be seen by who
22 Requirements Definition - Checklist
- Authentication
- PIN, Password changes
- Key Changes/Management
- Expiry dates
- Velocity Checks
- Personal Card Readers
- Insource Vs. Outsource debate
- Multi-sourcing plastics
- Personalisation
- Credit and Debit parameter settings on cards may be different
- Migrating from Chip and Signature is different to migrating from Magnetic Stripe. Will you still need Chip and Signature for special cases of disabled?
23 Impact analysis - Business and Functional Areas - 1
- Marketing/Sales
- Product Propositions
- Customer Communications
- Authorisations
- Card authentication and cryptographic management
- Customer verification
- Additional data elements and script management
- Online and offline PIN change synchronisation
- 3DES, AKDS
- Processing
- New personalisation requirements - additional parameters, Offline PIN Block, inheritance
- Application life-cycle management
- Parameter management, risk management, CRM
24 Impact analysis - Business and Functional Areas - 2
- Operational procedures
- Key management
- Application processing
- BIN Management
- PIN management
- Parameter management
- MI
- Workflow
- Customer Service
- Changes to business processes
- Scripts
- Enhanced disputes management
- Blocked PIN offline and online
25 Impact analysis - Business and Functional Areas - 3
- Risk Management - Fraud and Credit Risk
- MI
- Fraud Strategies
- Credit Risk Management Strategies
- Distribution Infrastructure
- IT Systems Infrastructure
- Current Procurement and Fulfilment Processes
- Testing and Test systems (including Pilots)
- Staff/Closed/Open Trial
- Town Trial
- Handover post rollout
- Issuing/POS Acquiring/ATM Acquiring interfaces
26 Execution Strategy
- Implement a formal process
- Establish a dedicated project team
- Well defined responsibilities for key personnel (CEO, CTO, COO, MIS Manager, Security and Compliance, HR)
- Have experts or people who want to become experts
- Define and develop project plans and agree them with suppliers/outsourcers and Payment Schemes so you are all working to the same plan
- Identify the Project Supply Chain and Supplier timescales
- Allow time for testing and certification - the Schemes may take longer
- Get Communications/Card design materials together - may have long lead times
27 The 6 Phases of an Implementation Plan
- Phase 1 - Strategy
- Phase 2 - Definition
- Phase 3 - Design
- Phase 4 - Development
- Phase 5 - Integration
- Phase 6 - Deployment
28 Phase 1 - Strategy
- Understand EMV and its impact
- For initial implementation and further developments
- Define Value Proposition
- Define Project Objectives and critical success factors for your organisation
- Clarify Scheme requirements/input
- Review any central co-ordination requirements and input
- Initial assessment of impact on lines of business and review outsourcing options
- Create estimated budget
- Obtain Management approval to move to next phase
29 Phase 2 - Definition
- Define Business Requirements
- Include all business areas
- Examples - will it be automatic renewal/replacement with chip
- New services/applications/products to be offered to customers
- Translate into Technical and Functional Requirements
- Pre-migration planning, organisation and roadmap
- Budget Definition
- Payment Scheme input/requirements
- Consultancy needs
- Vendors
- Outsourcers - timeframes/costs/mandated deliverables
- Agreements
- Central Project Requirements/representation
- Project Management
- Project Team
30 Phase 3 - Design
- High Level Design Specifications
- Functional Specifications including MI Requirements
- Site visits to any contacts who have issued EMV cards
- Low level Design Review with
- Outsourcers/Partners/Suppliers/Vendors
- Test Plan
- Begin building training materials
- Customer, Merchants, Staff
- Review with Payment Scheme
- Define realistic launch date and strategy
- Initial workflow exercise
- Issue resolution escalation processes
- QA certification with Information Security, Audit etc.
31 Phase 4 - Development
- Coding
- Unit tests
- Documentation (User Manuals, Quick start guide, troubleshooting, Call centre scripts)
- Scheme Certification - Issuer and Acquirer (POS and ATM)
32 Phase 5 - Integration
- Integration tests including regression testing
- System tests
- Acceptance testing
- Inter participant testing
- Issue resolution escalation processes
- Support team education and training
- Staff issued with cards
- Closed Trials
- Open Trials
- Review Communications/Training materials and Issue resolution escalation processes
33 Phase 6 - Deployment
- Set up Help Desk/Customer service
- Live Customer Pilots
- Town Trial and Review
- Scripting/Training/Education Review
- Platform maintenance
- Product Release
- Customer Communications issued and review as move from announce to inform phases
- Delivery
- PIR
- Maintain experts for next phases - multi-application, contactless, two factor authentication etc.
34 Implications for Banks in Delaying EMV Implementation
- Reputational Risk
- Failure to Meet Payment Scheme timescales
- Fraud increases as a result of migration to non-chipped parties - will be apparent to marketplace and consumers
- Without smart cards will appear more vulnerable - Low technology is not a good message
- Compliance Risk
- Increased costs as a result of Payment Scheme liability shifts
- Legislation
- Strategic/Operational Risk
- Missed revenue opportunities in secure e-/mobile commerce
- Operational problems in charge-backs/authorisations and reduced Customer Service compared to competitors
- Transaction risk as they will not be off-line and lower cost
- Valuable operational learning and opportunity to strengthen customer relationship for multi application cards will be lost
- Forced reissue of cards may be required rather than replacement within existing card expiry process
35 Bank benefits of EMV
- Fraud Prevention
- Reduce counterfeit and lost and stolen fraud
- Avoid being the weakest link - prevent migration of fraud to own card base as other banks implement
- Avoid card scheme liability shift
- Improved Credit Risk Control
- Reduce and improve management of bad debt by utilising chip parameters e.g. to restrict below floor limit spending.
- Apply different levels of control according to cardholder profile
- Provides authentication and platform for ID
- Maintain Competitiveness
- Maintain credibility in customers' and competitors' eyes.
- Endorse Brand with reliable, secure and innovative product.
- A migration path for loyalty and multi-application products.
- Operational savings from reduced chargeback/authorisation costs
36 The EMV migration stepladder
Magnetic stripe issuance and personalisation
37 The EMV migration stepladder
EMV migration in phases: Phase 1 - replace magstripe cards (which has sub phases); Phase 2 - dynamic risk management; Phase 3 - multi-application
38 Attributes of Successful Programmes
- Planning, Planning and Re-planning
- Established and Communicated Goals, Objectives and Strategy (Short, Medium and Long term)
- Leading to a flexible business case
- Established and Communicated Project Management Team
- Scheduled Ongoing Audits/Reviews
- Over Emphasis on Testing throughout
- Partnerships with Vendors and Payment Schemes
39 Conclusions on an EMV Implementation - 1
- EMV Migration is a complex technological and business project
- Business case is hard to justify on fraud alone
- impacts every link of the process chain
- EMV Migration is largely driven by Payment Scheme incentives, mandates and liability shifts.
- Central Banks, Issuers, Acquirers, Merchants, Vendors, Payment Schemes and even Government will be involved
- Do not underestimate resources and project duration
- Inexperience can slow down migration - rollout will probably take longer than originally expected - time lag between receipt of card and usage
- Multiplicity of payment means processors/vendors can be involved in one project
- Special Interest Groups - disabled definition changes with EMV
40 Conclusions on an EMV Implementation - 2
- Retailer rollout is key
- Volume of transactions required to drive usage and PIN remembrance requires supermarkets and petrol stations to be in the vanguard
- Testing and Certification with Schemes may take longer than planned
- Technical Issues like SDA failures will occur
- Transaction times must better Stripe and Signature
- Privacy is a key concern for cardholders and this needs to be taken into account in system design
- Best practices need to be documented and a generic approval process introduced globally to facilitate implementation of the next generation of payment systems
41 Conclusions on an EMV Implementation - 3
- The customer will accept it so long as you tell him why and keep telling him as there may be a lag between him receiving a Chip and PIN card and finding a terminal to use it in.
- ATM networks need to offer reciprocal PIN Management services to all Issuers - develop for own customers first to provide learning
- The PIN bypass allowed period needs to be agreed and withdrawal planned
- Migration of Fraud will happen - Banks and Merchants will have to invest in other tools to combat CNP/Internet and account takeover
- Chip and PIN enable branch counters and review in-branch issuance if you are a Bank
- Look at this as the first stage of a revolution as to how cards will develop. EMV implementation is the starting point to add multi-application, contactless, biometrics etc. - not the end game!!