6' EMV Implementation - PowerPoint PPT Presentation

1 / 42
About This Presentation
Title:

6' EMV Implementation

Description:

Help-desk support and training material specially written. Key message for issuers and merchants ... Insource Vs. Outsource debate. Multi-sourcing plastics ... – PowerPoint PPT presentation

Number of Views:211
Avg rating:3.0/5.0
Slides: 43
Provided by: spen8
Category:

less

Transcript and Presenter's Notes

Title: 6' EMV Implementation


1
6. EMV Implementation
  • Richard Sanders, Business Consultant
  • ACI Worldwide

2
Agenda
  • Brief Review of EMV Introduction
  • The Challenges of an EMV Implementation
  • What Banks do and dont think about in an EMV
    Implementation
  • EMV Implementation Strategy
  • Conclusions

3
Smart Card Implementations - Timescales
4
EMV - More than Fraud prevention ?
Advantages
Problems
Unrealistic timelines?
Schemes Mandated Chip and PIN cards By Liability
Shift
Reduce fraud
Cost
Accelerate Transactions _at_ POS
Merchant resistance (cost and disruption)
Save till paper
Need for consumer re-education
Charge-backs fewer reason codes
Vendors lengthy accreditation process
Better Risk Controls
Special considerations for disabled
5
Challenges of Issuing EMV cards
Competitive advantage
Competitive advantage
Competitive advantage
What did I forget?
Lead times
Transaction times
Be prepared for the un-expected Lots of AHAs
Foundation Investments that
Matters for DAY 1
Fraud savings
tools
When?
6
The Challenges - 1
  • Consumers behaviour
  • Will cardholders adapt or use another payment
    method?
  • Can they be prevented from writing down PIN
    numbers?
  • Retailers
  • Staff need the information and confidence to
    assist cardholders
  • Merchants to enforce the strict regime on
    fallback
  • One level of fallback during transition
  • No fallback for Chip PIN transactions after
    maturity
  • Communication
  • Acquirers responsible for communications to their
    merchants
  • Supported by Central Bank led generic messages
    and Schemes
  • To be provided over a long time - from early
    trials through rollout to maturity
  • UK Website available www.chipandpin.co.uk

7
The Challenges - 2
  • Technology
  • Acceptance testing - including Inter- participant
    (IPT), closed and open testing and the need for a
    town trial to refine procedures prior to full
    rollout (and how will this be done geography,
    card replacement, merchant specified?)
  • Type approval and certification EMVCo, Schemes,
    Acquirer
  • Counter logistics and management information
  • Transaction timings
  • Training bank and retail staff
  • New technology but not so different to ATM use
  • Demands a high level of co-operation from
    retailers
  • Schemes provide the rules but recognise the
    difficulty of training all front-line staff
  • Help-desk support and training material specially
    written
  • Key message for issuers and merchants
  • Be proactive, plan well ahead, lobby suppliers.

8
EMV The Key Questions a Bank asks
  • What is the date of the EMV migration for my
    country or region set by the card associations?
  • How do I interface with EMVCo?
  • What level of testing period do I want to allow
    before going live with my EMV card
    base/infrastructure?
  • Which vendors can help facilitate my move to EMV?
  • Is Outsourcing a solution?
  • Can a bureaux provide all my needs?
  • When I start migrating my card base to EMV, do I
    use a force reissue or at renewal/replacement?
    What is the liability from stripe cards still in
    circulation after the EMV migration date?
  • How do I enforce Fallback
  • Are fraudsters targeting us? Have competitors
    already migrated?
  • Am I losing business by not moving rapidly to
    smart cards? Etc etc.
  • What Staff Training do I need? Where can I get it
    ?

9
And Typically What it Does Not Ask
  • What extra business can I generate by achieving
    first mover advantage in my markets by moving to
    smart cards?
  • My card will have an anchor financial
    application. Do I want it to carry other
    applications such as cashback/loyalty scheme run
    in-house or by a third party or partners and how
    will I load/delete/manage these applications?
  • Is the Management Information I had developed for
    testing/trial sufficient for my live needs in
    areas like fraud strategy
  • Do I want to retain my existing methodology for
    card issuance?
  • How do I plan fallback withdrawal?
  • How will I handle Magnetic stripe cards from e.g.
    the US
  • Are there any special interest groups e.g. the
    disabled I need to accommodate
  • Can I utilise the EMV Infrastructure for other
    applications like ID?
  • How do I migrate to higher specification versions
    of EMV?
  • Will EMV take away all my fraud problems? If not,
    what else can I do?

10
EMV Implementation Methodology
  • EMV end-to-end payment system implies numbers of
    activities from various internal/external
    entities like
  • Business (Banks, Acquirer, Issuer)
  • Legal (Banking Association, Payment Schemes,
    Government)
  • Identify impacts of any other migrations
    activities/legislation - e.g. Chip and Signature
    cards for some disabled customers
  • Technical (Cards, Terminals, Host systems,
    Network, Back Office, Operations, Certification,
    MI)
  • Vendors (Hardware/Software, Bureaux, Processors)
  • Service (i.e. Merchant support, Education,
    Installation, Upgrades, Maintenance,
    Communications)
  • Customer
  • Manage bypass and fallback
  • Communication

11
Pre-Implementation analysis
  • Although mandated by the Schemes, markets are
    different and EMV settings used may depend on -
  • Telecommunications Costs is there currently a
    preference for seeing transactions on-line?
  • Credit/Debit Mix security concerns are quite
    different
  • Cash vs. cheques vs. electronic payments mix
    compared to cards
  • Government view particularly on ID cards
  • EMV delivers options
  • EMV allows for many forms of secure card
    authentication method (CAM) through
  • SDA, DDA, CDA
  • Legacy Terminal infrastructure can slow
    innovation
  • SDA failures, wrong AID length issues not fully
    removed until legacy terminals replaced

12
Considerations for an EMV Implementation - 1
  • Issuing
  • New Chip Card (card production changes)
  • New Card management System (including
    personalisation)
  • Issuer Host Modification for EMV payment flow
  • New HSM software for EMV cryptography
  • Interface to international networks including
    certification
  • PIN Management Infrastructure
  • Key Management Infrastructure
  • Changes to Operational Processes
  • Customer/Staff Education Programme
  • Script Processing/Risk Management Enhancements
  • New Procedures for Cardholders (Chip and PIN,
    Chip and Signature, Technical Fallback, PIN
    Bypass management

13
Considerations for an EMV Implementation 2
  • Acquiring
  • Acquirer Host Modification for EMV payment flow
  • Interface to international networks including
    certification
  • ATMs upgraded to offer Reciprocal PIN Management
    services?
  • Acquiring and Issuing silos need to work together
  • Terminals
  • Hardware and Software Base needs to be replaced
  • Problem Management SDA Failures,
  • ATMs why do some have 100 fallback?

14
Considerations for an EMV Implementation - 3
  • General
  • Education
  • Understand EMV Settings to avoid costly mistakes
    like having the wrong AID length that terminals
    cannot read
  • Have a system that identifies the settings on
    each card
  • Requirements Definition
  • Continuous review including MI and Workflow
  • Execution Strategy
  • Special cases disabled drivers etc
  • Training
  • Communications
  • Customers, staff, merchants, media all need
    regular updates
  • Keep reviewing the project structure/plan as new
    items develop

15
EMV Business Case Key Areas
  • Market
  • Size larger markets require more investment
  • Importance of cards as a payment instrument
  • Adoption rate of High Usage retailers e.g.
    Supermarkets, Petrol
  • Proportion of mid-tier retailers as they are
    slowest to adopt
  • Domestic market requirements levels of E Purse
    schemes etc
  • Processor/Retailer terminal agreement lengths
  • Proportion of Bank Owned Terminals
  • Strategic market goals to embrace
    multi-application, ID etc.
  • Other Chip Functionality (Transit Mifare card
    etc)
  • Merchant Card Issuance and Other Financial
    Products
  • TelCo ambitions
  • Government position
  • Work/Life Balance of Cardholders

16
EMV Business Case Key Areas
  • Issuer
  • Fraud Costs and Types domestic/cross border
    (some Banks do not collect data)
  • Interchange fee incentive
  • Internet Banking /MO/TO
  • Cash replacement
  • Multi-application
  • Loyalty on Credit/Debit
  • ID
  • Contactless, Prepaid options Day 1
  • Increased Acquisition of Customers at a Lower
    Cost
  • Increased Retention through Service, broad
    Product Portfolio and Cross-Selling Opportunities
  • Reduced Operational Costs and Increased
    Productivity

17
EMV Business Case Key Areas
  • Merchant
  • High Traffic retailers e.g. Supermarkets, Petrol
  • Mid tier retailers attitude
  • Percentage of Business on-line/MO/TO
  • Higher security of EFTPOS terminals increases
    certification time
  • Level of any reduction in MSCs for compliance
  • Perceived value of not storing receipts for
    chargebacks
  • Value of increase in speed of transaction times
    and convenience to customers
  • Cash replacement
  • Plans for Unattended terminals

18
EMV Business Case Key Areas
  • Customers
  • Ultimate Convenience - deliver customer
    confidence/peace of mind by removing the worry,
    hassle and inconvenience of fraud
  • Privacy and ID Theft Protection
  • Choice of Channel for purchasing
  • Control of the Relationship
  • Instant Gratification through loyalty at POS
  • Money Rich, Time Poor Scenario
  • Need for Convenience and Speed
  • Ever Growing Value for Their Business
  • Multi- application
  • Loyalty
  • ID
  • Access

19
Potential Barriers to EMV Implementation
  • Cost of Cards
  • PC Base having Integrated Readers and Software
  • Installation of Smart Card Readers
  • Transaction Times
  • Interoperability
  • Inconsistent Messages
  • No Compelling/Killer Chip application
  • Is the Chip for security, ID , loyalty/promotion,
    other
  • POS Infrastructure Costs retailers have set
    hardware replacement cycles and have to be
    convinced and Banks will have to contribute to
    get Issuance IT Resource shortages due to Basel
    II, Sarbannes Oxley

20
Education it is complex
  • Create an education programme across
  • Executives they will have to agree it
  • Marketing they have to build on it
  • Technology they have to maintain and enhance it
  • Operations how they do/report everything could
    change
  • Finance to build the business case
  • Corporate Communications how you communicate
    the change to customers is key
  • Issuing and Acquiring (POS ATM) sides have to
    work together
  • Retailers are key its their customers too !
  • Leverage what exists in the market
  • Conferences and Associations Seminars
  • Vendors
  • Professional Training Seminars

21
Requirements Definition - Checklist
  • Functional and Technical Requirements
  • What type of Smart Card do you want and what do
    you want it to do today and tomorrow - drives
    Chip Size
  • What Applications do you want on it ?
  • At issuance/To be loaded later
  • Contact/Contactless
  • What Infrastructure do you want
  • Data storage/retrieval Card Life Cycle
    Management
  • Expiry dates typically can be lengthened from
    stripe
  • Design with the Future in Mind to avoid costs
  • Interoperability
  • Scalability
  • Usability
  • Data privacy/protection
  • What can be seen by who

22
Requirements Definition - Checklist
  • Authentication
  • PIN, Password changes
  • Key Changes/Management
  • Expiry dates
  • Velocity Checks
  • Personal Card Readers
  • Insource Vs. Outsource debate
  • Multi-sourcing plastics
  • Personalisation
  • Credit and Debit parameter settings on cards may
    be different
  • Migrating from Chip and Signature is different to
    migrating from Magnetic Stripe. Will you still
    need Chip and Signature for special cases of
    disabled?

23
Impact analysis Business and Functional Areas -
1
  • Marketing/Sales
  • Product Propositions
  • Customer Communications
  • Authorisations
  • Card authentication and cryptographic management
  • Customer verification
  • Additional data elements and script management
  • Online and offline PIN change synchronisation
  • 3DES, AKDS
  • Processing
  • New personalisation requirements additional
    parameters, Offline PIN Block, inheritance
  • Application life-cycle management
  • Parameter management, risk management, CRM

24
Impact analysis - Business and Functional Areas -
2
  • Operational procedures
  • Key management
  • Application processing
  • BIN Management
  • PIN management
  • Parameter management
  • MI
  • Workflow
  • Customer Service
  • Changes to business processes
  • Scripts
  • Enhanced disputes management
  • Blocked PIN offline and online

25
Impact analysis - Business and Functional Areas -
3
  • Risk Management Fraud and Credit Risk
  • MI
  • Fraud Strategies
  • Credit Risk Management Strategies
  • Distribution Infrastructure
  • IT Systems Infrastructure
  • Current Procurement and Fulfilment Processes
  • Testing and Test systems (including Pilots)
  • Staff/Closed/Open Trial
  • Town Trial
  • Handover post rollout
  • Issuing/POS Acquiring/ATM Acquiring interfaces

26
Execution Strategy
  • Implement a formal process
  • Establish a dedicated project team
  • Well defined responsibilities for key personnel
    (CEO, CTO,COO,MIS Manager,Security and
    Compliance,HR)
  • Have experts or people who want to become
    experts
  • Define and develop project plans and agree them
    with suppliers/outsourcers and Payment Schemes so
    you are all working to the same plan
  • Identify the Project Supply Chain and Supplier
    timescales
  • Allow time for testing and certification the
    Schemes may take longer
  • Get Communications/Card design materials together
    may have long lead times

27
The 6 Phases of an Implementation Plan
  • Phase 1 Strategy
  • Phase 2 Definition
  • Phase 3 Design
  • Phase 4 Development
  • Phase 5 Integration
  • Phase 6 Deployment

28
Phase 1 Strategy
  • Understand EMV and its impact
  • For initial implementation and further
    developments
  • Define Value Proposition
  • Define Project Objectives and critical success
    factors for your organisation
  • Clarify Scheme requirements/input
  • Review any central co-ordination requirements and
    input
  • Initial assessment of impact on lines of business
    and review outsourcing options
  • Create estimated budget
  • Obtain Management approval to move to next phase

29
Phase 2 Definition
  • Define Business Requirements
  • Include all business areas
  • Examples will it be automatic renewal/replacement
    with chip
  • New services/applications/products to be offered
    to customers
  • Translate into Technical Functional
    Requirements
  • Pre- migration planning, organisation and roadmap
  • Budget Definition
  • Payment Scheme input/requirements
  • Consultancy needs
  • Vendors
  • Outsourcers - timeframes/costs/mandated
    deliverables
  • Agreements
  • Central Project Requirements/representation
  • Project Management
  • Project Team

30
Phase 3 Design
  • High Level Design Specifications
  • Functional Specifications including MI
    Requirements
  • Site visits to any contacts who have issued EMV
    cards
  • Low level Design Review with-
  • Outsourcers/Partners/Suppliers/Vendors
  • Test Plan
  • Begin building training materials
  • Customer, Merchants, Staff
  • Review with Payment Scheme
  • Define realistic launch date and strategy
  • Initial workflow exercise
  • Issue resolution escalation processes
  • QA certification with Information Security,
    Audit etc.

31
Phase 4 Development
  • Coding
  • Unit tests
  • Documentation (User Manuals , Quick start guide,
    troubleshooting, Call centre scripts)
  • Scheme Certification Issuer and Acquirer (POS
    and ATM)

32
Phase 5 Integration
  • Integration tests including regression testing
  • System tests
  • Acceptance testing
  • Inter participant testing
  • Issue resolution escalation processes
  • Support team education training
  • Staff issued with cards
  • Closed Trials
  • Open Trials
  • Review Communications/Training materials and
    Issue resolution escalation processes

33
Phase 6 Deployment
  • Set up Help Desk/Customer service
  • Live Customer Pilots
  • Town Trial and Review
  • Scripting/Training/Education Review
  • Platform maintenance
  • Product Release
  • Customer Communications issued and review as move
    from announce to inform phases
  • Delivery
  • PIR
  • Maintain experts for next phases
    multi-application, contactless, two factor
    authentication etc.

34
Implications for Banks in Delaying EMV
Implementation
  • Reputational Risk
  • Failure to Meet Payment Scheme timescales
  • Fraud increases as a result of migration to
    non-chipped parties - will be apparent to
    marketplace and consumers
  • Without smart cards will appear more vulnerable -
    Low technology is not a good message
  • Compliance Risk
  • Increased costs as a result of Payment Scheme
    liability shifts
  • Legislation
  • Strategic/Operational Risk
  • Missed revenue opportunities in secure e-/mobile
    commerce
  • Operational problems in charge-backs/authorisation
    s and reduced Customer Service compared to
    competitors
  • Transaction risk as they will not be off-line and
    lower cost
  • Valuable operational learning and opportunity to
    strengthen customer relationship for multi
    application cards will be lost
  • Forced reissue of cards may be required rather
    than replacement within existing card expiry
    process

35
Bank benefits of EMV
  • Fraud Prevention
  • Reduce counterfeit and lost and stolen fraud
  • Avoid being the weakest link - prevent
    migration of fraud to own card base as other
    banks implement
  • Avoid card scheme liability shift
  • Improved Credit Risk Control
  • Reduce and improve management of bad debt by
    utilising chip parameters e.g. to restrict below
    floor limit spending.
  • Apply different levels of control according to
    cardholder profile
  • Provides authentication and platform for ID
  • Maintain Competitiveness
  • Maintain credibility in customers and competitors
    eyes.
  • Endorse Brand with reliable, secure and
    innovative product.
  • A migration path for loyalty and
    multi-application products.
  • Operational savings from reduced
    chargeback/authorisation costs

36
The EMV migration stepladder
Magnetic stripe issuance and personalisation
37
The EMV migration stepladder
EMV migration in phases Phase 1 replace
magstripe cards which has sub phases Phase 2
dynamic risk management Phase 3
multi-application
38
Attributes of Successful Programmes
  • Planning, Planning and Re-planning
  • Established and Communicated Goals, Objectives
    and Strategy (Short, Medium and Long term)
  • Leading to a flexible business case
  • Established and Communicated Project Management
    Team
  • Scheduled Ongoing Audits/Reviews
  • Over Emphasis on Testing throughout
  • Partnerships with Vendors and Payment Schemes

39
Conclusions on an EMV Implementation - 1
  • EMV Migration is a complex technological and
    business project
  • Business case is hard to justify on fraud alone
  • impacts every link of the process chain
  • EMV Migration is largely driven by Payment Scheme
    incentives, mandates and liability shifts.
  • Central Banks, Issuers, Acquirers, Merchants,
    Vendors, Payment Schemes and even Government will
    be involved
  • Do not underestimate resources and project
    duration
  • Inexperience can slow down migration - rollout
    will probably take longer than originally
    expected - time lag between receipt of card and
    usage
  • Multiplicity of payment means processors/vendors
    can be involved in one project
  • Special Interest Groups disabled definition
    changes with EMV

40
Conclusions on an EMV Implementation - 2
  • Retailer rollout is key
  • Volume of transactions required to drive usage
    and PIN remembrance requires supermarkets
    petrol stations to be in the vanguard
  • Testing and Certification with Schemes may take
    longer than planned
  • Technical Issues like SDA failures will occur
  • Transaction times must better Stripe Signature
  • Privacy is a key concern for cardholders and this
    needs to take this into account in system design
  • Best practices need to be documented and a
    generic approval process introduced globally to
    facilitate implementation of the next generation
    of payment systems

41
Conclusions on an EMV Implementation - 3
  • The customer will accept it so long as you tell
    him why and keep telling him as there may be a
    lag between him receiving a Chip and PIN card and
    finding a terminal to use it in.
  • ATM networks need to offer reciprocal PIN
    Management services to all Issuers develop for
    own customers first to provide learning
  • The PIN bypass allowed period needs to be agreed
    and withdrawal planned
  • Migration of Fraud will happen Banks and
    Merchants will have to invest in other tools to
    combat CNP/Internet and account takeover
  • Chip and PIN enable branch counters and review
    in-branch issuance if you are a Bank
  • Look at this as the first stage of a revolution
    as to how cards will develop. EMV implementation
    is the starting point to add multi-application,
    contactless, biometrics etc. not the end game !!

42
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com