Restaurant.org @WeRRestaurants /RestaurantDotOrg /NationalRestaurantAssociation
EMV and Restaurants: What You Need to Know April 29, 2015
Panelists Mike English – Heartland Payments Executive Director of Product Development Jan McGrath – MasterCard Vice President, Go to Market Strategy, USPD Jim Higgins – National Restaurant Association Vice President, Payments & Financial Services
Agenda- Payment Security EMV overview & Timelines Demystifying the liability shift Considerations to act soon vs later Payment Security beyond EMV Tokenization & Encryption Questions
What EMV is… Micro Chips on Cards and Chip readers at merchant POS US adoption of a world standard Anti counterfeit chip technology An enabling technology for additional security
EMV Card and Security Validating the Card & Cardholder Optional PIN adds extra validation of the cardholder. Chip and Signature is allowed but is less secure Card Authentication EMV uses Cryptogram s to verify the card is authentic And verifies the issuer is authentic to the card Validating Card Use Transaction Certificate (TC) proves that the card was present and was used for payment ©2014 Heartland Payment Systems, Inc.
What EMV is not… Is not mandated or required Does not protect against all chargebacks Does not secure cardholder data Does not equate to PCI compliance Does not reduce interchange
U.S. EMV Timelines for Restaurants Oct-2013 MC ADC relief takes effect (50%) Oct-2016 Visa GCAR relief Oct-2015 Liability shift Oct-2012 PCI validation relief1 2012 2013 2014 2015 2016 2017 Apr-2013 Processor support for chip processing Oct-2015 MC ADC relief (100%) AFD: Automated Fuel Dispenser Visa GCAR: Global Compromised Account Recovery MasterCard ADC: Account Data Compromise 1 Applies to Level 1 & Level 2 merchants where 75% of transactions come from a dual interface, chip-enabled, terminal
Chip Liability Hierarchy Issued Device/Card Magnetic stripe and/or contactless magnetic stripe EMV contact or EMV contactless (signature CVM) EMV contact or EMV contactless (online or offline PIN CVM) Acceptance Terminal Magnetic stripe and/or contactless magnetic stripe EMV contact or EMV contactless (not PIN capable) EMV contact or EMV contactless (online or offline PIN capable) Higher Risk Lower Risk
Market Projections Cards Terminals Payment Security Taskforce Aite 50% of U.S. issued cards will be chip enabled by end 2015 At least 47% of U.S. terminals will be chip enabled by end 2015 Aite 2015 70% 2016 91% 2017 98% Javelin 2015 29% 2016 58% 2017 83% 2015 = 3.59mm / EMV 53% 2016 = 4.76mm / EMV 71% 2017 = 5.64mm / EMV 84%
ISSUANCE ACCEPTANCE PERFORMANCE 9% of all U.S. MasterCard cards are chip cards 10% Growth in MasterCard chip- enabled cards in-market MOM Debit chip card issuance continues to grow rapidly Consumer credit card issuance showed moderate growth 50% of all MasterCard issuer programs are deploying Signature preferring profiles 60% of consumer credit programs to date are deploying signature preferring profiles 7% of programs have certified on both profiles (Signature and PIN) 13% growth in chip-active locations MOM 12% of U.S. ATMs are chip active 16% growth in chip-active POS transactions MOM 208,715 Chip-active locations in the U.S. Activity distributed across large, mid-tier and single location merchants 474 merchants with multiple locations 143,935 single-location merchants 98% Approval rates for all domestic U.S. chip transactions In line with current magnetic stripe approval rates PIN declines are minimal; <1% of overall transaction volume 9% Fallback 9% Fallback returning to more acceptable levels after a large retailer coded chip transactions as mag stripe fallback transactions during the holidays. They are now working to revert to standards EXECUTIVE SUMMARY – U.S. MARKET CHIP TRENDS, March 2015 Enabled – Fully capable of chip transactions; will do chip transaction if interfaces with a chip-enabled terminal Active – Chip transactions seen in that period
EMV adoption Now or Later? Current and anticipated chargeback costs Sensitivity to card security Competitors and EMV Locations and demographics best suited for EMV Impact on PCI Future technology considerations
MASTERCARD CHIP RESEARCH WHAT CONSUMERS ARE SAYING April 16, 2017 MasterCard has tackled some of the key issues during the EMV migration head on Understanding the consumers; their levels of awareness and their thoughts and attitudes Usability Study – how will consumers handle the new kind of transaction, what will they understand and how should issuers and the market prepare consumers for chip MASTERCARD CHIP RESEARCH WHAT CONSUMERS ARE SAYING
69% 33% 49% 60% 15% 45% 50% 9% 37% US CONSUMERS WANT EMV 2015 2014 ALREADY AWARE OF EMV IN THE US WOULD CHANGE BANKS IF CHIP NOT OFFERED PREFER PIN TO PURCHASE AT THE POS 69% 33% 49% 2015 60% 15% 45% 2014 50% 9% 37% 2013
EMV USE BELIEVE CHIP CARDS ARE EASY TO USE MORE INNOVATIVE WAYS TO PAY FOR PRODUCTS AND SERVICES WANT A CHIP CARD IMMEDIATELY PREFER TO SHOP AT MERCHANT THAT ACCEPTS CHIP CARDS 62% 61% 39% 40% 2015 47% 42% 40% 35% 32% 2014 Debit Credit
WHERE CONSUMERS EXPECT TO SHOP April 16, 2017 WHERE CONSUMERS EXPECT TO SHOP 80% 78% 77% 74% 76% 48% Supermarkets/Gr ocery Stores Department Stores Gas Stations Food and Beverage Drug Stores Unmanned Ticket Terminals Source: MasterCard US EMV Consumer Research 2015 The large majority of card users continue to expect all types of stores to accept chip cards
Completing a Chip Transaction Usability studies inform both Issuer & Merchants FIRST USE CONSUMER PREFERENCE EASE OF USE 6% of participants inserted the card incorrectly overall transaction types 27% removed the card too soon on first use A further 8% did it again on their second try Note debit users more likely to pull the card out sooner because of the ATM process – 30% more likely than credit transactions 62% of participants preferred chip & PIN 38% preferred chip & signature Previous study (27% and 10% respectively) Credit users expect they will select or update the PIN on their credit card during the card activation process Chip & signature rated lower than chip & PIN for ease of use After a first failed attempt consumers get it right most of the time on the second attempt and beyond Assistance from terminal prompts and store cashiers will help increase success of first use Now for a closer look at the MasterCard numbers; Generally we are seeing good progress on the issuing side – outpacing the level of acceptance points so far Pace driven by data breaches and a need to be seen to securing consumer data Issuers feel the urgency to secure cardholder data because this is what their consumers expect Source: MasterCard Usability Study August 2014
EMV Process Adjustments Staff training Customer verification methods Tap, insert or nothing? What is intuitive? Is speed of service a need? Patron comfort factor Forgotten cards? Additional time per transaction? Are there other technology considerations? Serving a demographic that is looking to mobile payments?
EMV limitations to Security Implementing EMV still leaves a customer’s primary account number (PAN) and discretionary data exposed If crime ware gets into the restaurant’s POS system or network, the cardholder data could be stolen and used fraudulently Every EMV card being issued in the US includes a magstripe 1 Visa International Operating Regulations (Public version), 15 April 2013, page 421, reference ID#: 150413-010410-0004832
Encryption and Tokenization adds Security Encryption protects data ‘in flight’ Tokenization protects data ‘at rest’ Tokenization and Encryption offer the most secure solution available today for most merchants PCI Audit benefits- Fewer compliance questions to answer 1 Visa International Operating Regulations (Public version), 15 April 2013, page 421, reference ID#: 150413-010410-0004832
EMV, Encryption and Tokenization
Why is encryption and tokenization needed for full payment security? 904 In the first 9 months of 2014, 904 million records were compromised in 1,922 confirmed incidents in businesses in the United States. Many of the incidents reported in 2014 involved record-setting amounts of data, including 20 incidents that compromised more than 1 million records each. 9,700 companies found that they’d detected nearly 43 million security incidents in 2014, a compound annual growth rate of 66% since 2009 > 1,000,000 9,700 Managing cyber risks in an interconnected world, PwC, 2015 Steve Ragan, “Nearly a billion records were compromised in 2014,” Network World. http://www.networkworld.com/article/2848479/security0/nearly-a-billion-records-were-compromised-in-2014.html. Verizon 2014 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/2014/
It’s About Mitigating Risk! EMV plus and encryption and tokenization remove ability to thieves to sell stolen payment data Encryption and tokenization remove card data from the businesses’ environment Encryption and tokenization are a definitive response to “all organizations should assume they’ve been hacked” Encryption and tokenization reduce a merchant’s PCI scope as per a Coalfire study Cisco 2014 Annual Security report https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf Heartland Payment Systems E3™ MSR Wedge Technical Assessment White Paper, Coalfire, January 4, 2011
Questions? Mike English Executive Director of Product Development michael.english@e-hps.com (877) 798-9656 x 2756 Janette McGrath VP – Go To Market Strategy USPD Janette_McGrath@mastercard.com (636) 722-4554 Jim Higgins VP – Payments & Financial Services National Restaurant Association jhiggins@restaurant.org Questions?
Restaurant.org @WeRRestaurants /RestaurantDotOrg /NationalRestaurantAssociation