EMV, Tokenization and Apple Pay The New Landscape Carolina’s Credit Unions Council October 10, 2014 Leanne Phelps Senior Vice President, Card Services State Employees’ Credit Union

Agenda EMV: The Technology Tokenization Mobile Payments with Apple Pay

About State Employees’ Credit Union Serving state employees, teachers and their family members in North Carolina 1.9 million members 255 branch offices 1,100 ATMs

SECU Card Programs Debit Portfolio - Route through Visa DPS to SECU Host 1.3 million Visa Check Cards $10.3 billion annual purchase volume 305 million transactions Credit Portfolio – Processed through First Data Resources 300,000 Visa credit cards $1.1 billion open credit lines 14.5 million transactions

Why EMV? Secure chip stores payment information Chip card authentication prevents counterfeiting Adds cardholder verification methods Offers online or offline authorization

Form Factors Options Contact Chip is embedded in a card A contact card is inserted into a smart card reader The contact points on the chip make contact with the card reader Contactless The chip may be embedded in cards, key fobs, stickers, mobile phones, etc. A contactless chip requires close proximity to a reader (“tap and go”) Both the chip and the reader have an antenna and they use an RF (radio frequency) signal to communicate

EMV – Building the Momentum The Top 10 Discussions Authentication – Static vs. Dynamic Transaction / Authorization Differences vs. Today What is on the actual Chip – Application Identifier logic Card / Chip Lifecycle Visa Recommendation for personalization Liability Shift Planning and Implementation timing Unaffiliated networks Vendor Support

Transaction Flow Comparison Today – Magnetic Stripe Issuer makes and passes Authorization Decision FI Issuer Processor or Issuer validates cryptogram or cryptogram value, makes and passes Authorization Decision Terminal Reads & Passes Track & Authorization Data Merchant Acquirer Processor Issuer Processor Card Swiped I

Tomorrow - EMV New and Different Card Inserted The terminal and chip card verify the response cryptogram Merchant Acquirer Processor Issuer Processor FI The Issuer Processor or the FI verifies the request cryptogram and generates a response cryptogram Communication between the chip card and the terminal – in both directions Terminal to determine, by the Service Code, whether card is magnetic stripe only or chip card Service code is unique and placed on both the chip and magnetic stripe (begins with a 2 or 6) Track 2 equivalent on the chip

EMV – Building the Momentum Configuration Routing Industry Support Multi-access BIN table Visa Common One application / Two application identifiers (AIDs) Simplified personalization Easier card management Less application code and potentially less expensive chip Supports domestic and international usage EMV compliant Fully supported by Visa Uses existing network routing infrastructure Offers issuer flexibility through BIN file management Enables merchants and POS acquirers to manage routing selection on a transaction by transaction basis Solution endorsed by EMV Migration Forum (EMF) All of the major unaffiliated debit networks support the Visa U.S. Common Debit AID Maestro Star NYCE Pulse Accel Nets CU 24 Shazam AFFN CO-OP

Card Personalization Best Practices Transaction Authorization Always online No offline authorization by chip Always online No offline data authentication1 Card Authentication Visa Credit Signature No CVM Online PIN (for ATM only) Visa Debit Online PIN (POS and ATM) U.S. Common Debit AID Issuer Cardholder Verification Method (CVM) List Best practices should reduce complexity, cost and time-to-market

Card Personalization Considerations Adding a contact chip to a mag stripe card impacts the card ordering / issuing process from both a timing and monetary perspective. A key stakeholder is the provider of card processing services . . . What type of chip can they support and can they support you? Certification of the chips by the associations is taking between 90 days and six months. Based upon chip type and market availability of the chips, the turn times for card manufacturing should not vary much from mag stripe cards – perhaps adds two weeks.  However, bear in mind that there is a growing global demand for chips (China, South America), which could impact chip availability. 

Points to Remember Adding a chip to a mag stripe card will increase costs – costs can be impacted by the type and size of chip.  You can assume to add about a dollar to the present costs for manufacturing custom cards. Personalization Vendors are exploring ways to lower the costs of chip cards for small financial institutions, including the use of generic design plastics (hot-stamped with the credit union’s logo) and print-on-demand using edge to edge imaging equipment.  The fees for personalizing the chips are incremental, and subject again to the type and number of applications being loaded onto the chip.  Credit unions should expect these fees to be in the $0.25 to $0.40 per card range. Financial institutions should also ask their processor about possible fees associated with an EMV program (new BINs, key management, EMV transaction fees).

Key EMV dates from Card Brands 4/13/2017 Key EMV dates from Card Brands © 2012 VeriFone Systems, Inc.

Support of Debit Networks Common AID Licensing Support Status Maestro Visa U.S. Common Debit AID Certified/Ready to Support Pulse January 2015 Certification NYCE STAR February 2015 Certification CO-OP April 2015 Certification ACCEL / AllPoint Specifications Under Review CU24 Pending Specifications

Counterfeit Fraud Liability Shifts Rewards investment in EMV POS: October 1, 2015 AFD & ATM: October 1, 2017 After Liability Shift: Liability shifts to the acquirer if counterfeit fraud occurs on a contact chip capable card and the merchant is not contact chip capable Does not cover contactless, card-not-present transactions, or lost/stolen fraud Covers domestic and cross-border transactions Transaction Examples Counterfeit Liability Chip-on-chip transactions Issuer holds the limited exposure that still exists Mag-stripe cards at chip terminals Issuer holds liability Contact chip at mag-stripe terminals Acquirer holds liability

Key Vendors – Information & Requirements Host – Software Vendor Plastic Card Vendors *VOL has the most updated listing of certified vendors *VOL has the common AID personalization specifications Debit & Credit Enhancement Control Support Segmentation of base POS entry mode – new data same field PINs – Host vs. Stripe Certification and Timing Must be Visa/MasterCard Certified Card Art Standard Chip & CVM’s Timing and Availability Key management Networks & Gateways Instant Issuance Vendors Processor must code and certify with each network Certification and Timing Timing and Availability Test plastic will be required for certification

Planning - 6 Weeks Key Considerations Vendor Readiness and Timelines Requirements Build Certification Launch Vendor Readiness and Timelines Budget – ROI Issuance Strategy – Full or Segmentation – At Reissue Internal Education Plan Cardholder Education Marketing Strategy PINs – Customer Selected – Host vs. Stripe Considerations and Project (if applicable) Credit First Debit – Date Coordination with Networks

Tokenization – what is it?? Tokenization is the process of replacing the original payment credentials (PAN) with a unique “alternate identifier” which may be used in its stead to initiate payment activity. Replaces a traditional card account number with a unique payment token / digital account number Restricts the use of a payment token by device, merchant, transaction type or channel Payment tokens further enhance security of digital payments and simplify purchase experience when shopping on mobile, computers or other smart devices and help reduce fraudulent activity…. We need to start on what is tokenization, how is it different from familiar 16 digit card number October 2013/March 2014 April 2014 / June 2014 October 2014 2015+ Pay Industry standard Card Brand enabled More to come…

Minimizes ecosystem impact Supports new participation Core concepts A Payment Token is a “alternate identifier” that can be used in place of a Personal Account Number (PAN) to initiate a payment transaction Global Global and interoperable Compatible with existing network routing Compatible with existing payment technologies (web, NFC, POS standards) Supports future payment technologies Improved security Regulatory compliant Multiple Payment Tokens can be attached to a single PAN Enables new channels Secure Payment Tokens Industry standard and service Interoperable Minimizes ecosystem impact So how are payment tokens different Essentially it’s a direct replacement for the primary account number that would be used to initiate a transaction through the payment network It does this by looking and acting like a real PAN in the system Payment tokens would be securely mapped to the real PAN kept in what we’re calling the token vault and each issuer would be assigned a set of token BIN ranges It’s more secure since the real PAN is never exposed and the use of token would be restricted to specific environments, devices or channels It would also ensure there would be consistency and more data coming from the trxn that would help improve security and transparency across all token trxns And ultimately tokenization provides the foundation for new payments innovation that can be used across the industry by issuers, merchants and any 3rd parties looking to develop payment capabilities To highlight the benefits and impact tokenization has across the value chain From implementation perspective, almost all the heavy lifting has been done by processors, endpoints and Visa to prepare systems to support and process tokens It’s designed to be compatible with existing systems which means minimal disruption for most stakeholders What this does is, it lays the foundation for everyone to benefit including CARDHOLDERS who won’t even be aware of tokens but will appreciate that they do not have to face re-issuance every time they lose or have their phone stolen MERCHANTS and ACQUIRERS will have added protection of not having to store or manage sensitive card info….this obviously has become a lot important with recent merchant breaches that have happened ISSUERS can focus on developing new and innovative mobile and digital payments services without worrying about how they’ll store card credentials on mobile apps and the potential fraud that can happen We’re taking this a step further to provide an end to end service for issuers that removes the burden of having to manage all the provisioning and lifecycle events for tokens Supports new participation

Payment Tokens - Token Attributes Interoperable with BIN based account numbers / PANs – PAN / Account Number Validation Rules, Security, Structure and Regulatory Obligations Remain Enforced Distinct and identifiable in system – merchant, consumer device(s) and issuer Able to support authentication by different entities and types (Issuer, Wallet, Merchant, etc) Tokens add value to the processing environment while improving visibility and protecting cardholder information Existing PAN / Account Number Structure # # # # # # # # # # # # # # # # FI BIN Range – Various Use BIN - Identifies FI Identifies Cardholder New Token Structure # # # # # # # # # # # # # # # # Identifies FI Identifies Cardholder by PAN AND by Device AND by Merchant

The Big Announcement! iPhone 6 – 4.7” display iPhone 6 Plus – 5.5” display NFC!!! Apple Watch – with NFC!!! iOS 8 And…….

Apple Pay Basics Latest addition to the mobile wallet landscape leveraging NFC By Invitation-Only Security and Privacy at the core of Apple Pay Utilizes traditional payment rails preserving interchange Requires tokenization

Apple’s Motivation and Value Proposition Completing Transactions Apple Pay: What we know Scope and Timing Apple’s Motivation and Value Proposition Payment Accounts Completing Transactions Data and Security In-Store Payments Streamlined online payments Available on iPhone 6, 6 Plus, and Apple Watch in 2015 US Only in October 2014 Replace physical wallet Payments will be faster, more secure, and private Apple’s has 46% of market 5 -10% terminals are NFC enabled Add from iTune account or take a picture of card Stored as a token on secure element of device Use via Passbook app In-store: contactless NFC terminals with Touch ID authentication In-App: integrated via the Apple Pay API with Touch ID authentication Data stays with merchant and financial institution Merchant processes token, not card #

Announced Participants Networks Banks / Issuers Merchants In store In App

Apple Pay and Payment Tokens

Why Does Apple Matter? Widespread consumer acceptance and usage 10 million devices sold in first 3 days! 800+ million iTunes accounts already on file Leverages existing payments ecosystem and preserves interchange Improves payment security = reduces potential fraud Tokenization Secure Element (Device number associated with token) Touch ID authenticates device and card owner

Still to Come….. 2015 and beyond

What is your payments roadmap? Ensure your members can access their CU accounts from any channel they choose! Start with implementing EMV Enroll your card programs in tokenization Get ready for the next generation of payments through mobile!

Questions??? Leanne Phelps State Employees’ Credit Union leanne.phelps@ncsecu.org 919-839-5134