MAG Webinar: EMV & Cardholder Verification Method Priority

Moderator: John Drechny- Senior Director of Payment Services , Walmart

Speaker: Jeff Stroud– Senior Managing Consultant, MasterCard Advisors

Speaker: Guy Berg- MasterCard Worldwide

Speaker: Simon Hurry- Sr. Business Leader, Chip Infrastructure-Visa, Inc.

Monday, June 3-12:00pm-1:00pm CT

Upcoming MAG Educational Opportunities

• WEBINAR: GETTING STARTED WITH EMV: BEST PRACTICES AND COMMON PITFALLS June 20, 2013- 12:00pm-1:00pm CT Register Online at www.merchantadvisorygroup.org

• EDUCATIONAL CLASS- Payments+ Planning for Tomorrow’s Payments: Consumer Engagement, EMV, Routing-Presented by W.Capra June 26, 2013 McDonald’s COB, Chicago, IL Register Online at www.merchantadvisorygroup.org

• Mark Your Calendars! Annual Conference-Celebrating 5 Years in the Big Easy October 7-9, 2013 Astor Crowne Plaza New Orleans New Orleans, LA

Registration Opens online in Mid-July

Detailed analysis of CVM Processing

Jeff Stroud MasterCard Advisors – Senior Managing Consultant

Guy Berg-MasterCard Worldwide

EMV & Cardholder Verification Method Priority

EMV Application Anatomy for Standard EMV

Application AID

CVM List Card

Authentication Method

Other Risk Management

Settings

EMV Profile

Standard EMV CVM List

Application AID

CVM List Card

Authentication Method

Other Risk Management

Settings

EMV Profile

Card Conveys to the terminal the preferred CVM

The Issuer sets the order of the CVM list

The CVM list will vary by issuer

Standard EMV CVM List

Application AID

CVM List Card

Authentication Method

Other Risk Management

Settings

EMV Profile

Card Perspective Terminal Perspective

Offline PIN Plaintext Enciphered

Online Enciphered PIN Signature No CVM

CVMs supported by the terminal

EMV Application Anatomy for Durbin EMV

Application AID

CVM List Card

Authentication Method

Other Risk Management

Settings

EMV Profile

Application AID

CVM List Card

Authentication Method

Other Risk Management

Settings

EMV Profile

Application Selection Process

EMV Application Anatomy for Durbin EMV

Application AID

CVM List Card

Authentication Method

Other Risk Management

Settings

EMV Profile

Application AID

CVM List Card

Authentication Method

Other Risk Management

Settings

EMV Profile

Application Selection Process

Conditions

Methods Amount Conditions

CVM Fallback

CVM List is defined on the card

CVM List provides the terminal with four pieces of information on how an issuer wishes the cardholder to be verified

1. CVM Method

Order of methods is in priority order that issuer wishes

2. Conditions of use

3. What if the CVM method is unsuccessful

4. In the case where conditions applied to a CVM method involve amounts, CVM list will contain AMOUNT X and AMOUNT Y values that the terminal will validate the condition against

Anatomy of a CVM List

CVM Methods Conditions

Methods Amount

Conditions

CVM Fallback

Offline Plaintext PIN

Online Enciphered PIN

Offline Enciphered PIN

Signature

No CVM

CVM Conditions

Always

If unattended cash

If not unattended cash and not manual cash and not purchase with cashback

If terminal supports CVM

If manual cash

If purchase with cash back

Conditions

Methods Amount

Conditions

CVM Fallback

EMV Defines CVMs that terminals may be capable of supporting Offline PIN (new with EMV)

Plaintext

Enciphered

Online Enciphered PIN (exists today with magstripe)

Signature (exists today with magstripe)

No CVM (exists today with magstripe – QPS)

Terminal Supported CVMs

CVM List (From Card)

TERMINAL

Terminal Processing of CVM List

CVM #1

CONDITION OF USE

CVM #2

CONDITION OF USE

Conditions Satisfied

CVM Processing Fails

CVM Supported If condition is not

satisfied AND CVM Method is not

supported Conditions Satisfied

CVM Supported If condition is not

satisfied AND CVM Method is not

supported

Occurs when the conditions for the preferred CVM method to be performed are met but the CVM method cannot be performed or, when performed, the CVM method failed

CVM Fallback Configuration Options Do not fallback if the CVM fails but proceed with the transaction

Fallback to the next CVM in the priority list

Examples of CVM method unable to be performed: PIN Entry required but PIN Bypassed (either by customer or merchant)

PIN Entry Required but PIN Pad is not present or not working

PIN Try Limit Exceeded

CVM Fallback Processing

Processing logic for when CVM Fallback is Supported by Card

CVM #1 CONDITION OF USE

Apply Next CVM

CVM #2 CONDITION OF USE

Apply Next CVM

Conditions Satisfied

Condition of Use Satisfied but CVM cannot be executed

successfully

When CVM Fallback is Not Supported by Card

CVM #1 CONDITION OF USE

Do Not Apply Next CVM

CVM #2 CONDITION OF USE

Apply Next CVM

Conditions Satisfied

Condition of Use Satisfied but CVM cannot be executed

successfully

CVM Processing Fails

Potential CVM Profiles on card (assumes Multiple AIDs)

US Debit AID

Offline PIN If Terminal Supports

Apply Next

Online PIN If Terminal Supports

Apply Next

Online PIN If Unattended Cash

Apply Next

No CVM If Terminal Supports

Do Not Apply Next

International AID

Online PIN If Terminal Supports

Apply Next

Signature If Terminal Supports

Do Not Apply Next

Online PIN If Unattended Cash

Apply Next

No CVM If Terminal Supports

Do Not Apply Next

May support Signature

May support Online PIN

May support Offline PIN (both

Plaintext and Enciphered)

May support No CVM

•Settings are dependent on how Terminal Vendor has certified their EMV Kernel with EMVCo

CVM Support defined within Terminal Capabilities

International AID

Online PIN If Terminal Supports

Apply Next

Signature If Terminal Supports

Do Not Apply Next

Online PIN If Unattended Cash

Apply Next

No CVM If Terminal Supports

Do Not Apply Next

Attended POS Terminal

Terminal Supported CVMs: Signature Online PIN Offline PIN

US Debit AID

Offline PIN If Terminal Supports

Apply Next

Online PIN If Terminal Supports

Apply Next

Online PIN If Unattended Cash

Apply Next

No CVM If Terminal Supports

Do Not Apply Next

International AID

Online PIN If Terminal Supports

Apply Next

Signature If Terminal Supports

Do Not Apply Next

Online PIN If Unattended Cash

Apply Next

No CVM If Terminal Supports

Do Not Apply Next

Attended POS Terminal Terminal Supported CVMs: Signature

US Debit AID

Offline PIN If Terminal Supports

Apply Next

Online PIN If Terminal Supports

Apply Next

Online PIN If Unattended Cash

Apply Next

No CVM If Terminal Supports

Do Not Apply Next

International AID

Online PIN If Terminal Supports

Apply Next

Signature If Terminal Supports

Do Not Apply Next

Online PIN If Unattended Cash

Apply Next

No CVM If Terminal Supports

Do Not Apply Next

Attended POS Terminal US Debit AID

Offline PIN If Terminal Supports

Apply Next

Online PIN If Terminal Supports

Apply Next

Online PIN If Unattended Cash

Apply Next

No CVM If Terminal Supports

Do Not Apply Next

Terminal Supported CVMs: Signature Online PIN No CVM

Simplifying Deployment

Simon Hurry

June 3, 2013

2004 2005 2006 2007 2008 2009 2010 2011 2012

US

Chip Impact on Counterfeit Fraud

Asia Pacific

•EMV chip has demonstrated its effectiveness at reducing counterfeit fraud

•The counterfeit fraud liability shift effective date in Asia Pacific was January 1, 2006

United States

•Counterfeit fraud in the U.S. continues to grow

•The counterfeit fraud liability shift effective date in the U.S. is October 2015

2004 2005 2006 2007 2008 2009 2010 2011 2012

Asia Pacific

Data Source: Visa Fraud Reporting System,TC40 client submitted annual domestic counterfeit fraud (ex cash) volume

- 68%

(from 2004 to 2012)

+ 394%

(from 2004 to 2012)

The U.S. is a complex and unique market

While we have learned a great deal from EMV implementations in other countries, the U.S. is more complex

• Zero floor limit environment

• Numerous domestic debit networks

• 2 processing environments – dual and SMS

• Newly regulated debit environment

• Simultaneous migration to contact and contactless chip

Visa’s overwhelming focus on the U.S. implementation has been to keep things simple and minimize impact on all stakeholders

• There are 3 different types of PIN ‒ online PIN, offline clear text PIN and offline enciphered PIN

• Chip cards can support multiple cardholder verification methods

• Online PIN

• Often not supported on international cross-border POS transactions

• Offline PIN

• Expensive and difficult to implement and manage

• Difficult to synchronize with the online PIN

• Requires merchants to manage PKI root keys

The simplest and least expensive option is to use signature and ‘no CVM’ as the baseline for global interoperability

Basics of Chip With Online or Offline PIN

PIN on chip is a lot more complex than people think

Recommended U.S. Chip Implementation

• Dual Interface

• Deploy latest version of Visa Contactless spec

• Support qVSDC

Chip Interface Options

• Signature

• If support PIN, deploy online PIN

• No CVM

Cardholder Verification Methods

Card

Authorization

• ALWAYS ONLINE

• No Offline

• ALWAYS ONLINE

• No Offline

• Signature

• Online PIN (Debit)

• No CVM

• Common AID is online PIN preferring

• Dual Interface OR contact with mobile companion

• Use latest version of Visa Contactless & Mobile spec

• No “Contactless-Only”

Card Profile Terminal Configuration

26

CVM Options designed for simplicity

CVM Goals

• Globally signature preferring cards are the lowest common denominator for acceptance.

• Online PIN is needed for cash, and domestic PIN debit networks.

• Offline PIN can be supported but is difficult and expensive to manage.

• No CVM is needed for VEPS and unattended devices.

• Continue to look for increased merchant operational efficiency.

• Balance fraud risk management with convenience.

• Maintain existing customer experience.

Signature

No CVM

Offline PIN

Online PIN

Signature

No CVM

Terminal’s Supported CVMs Card’s CVM List

X

X

X

CVM Options Credit Example

Online PIN

Signature

No CVM

Offline PIN

Online PIN

Signature

No CVM

Terminal’s Supported CVMs Card’s CVM List

X

Debit Example