Payments technology and security


Mercury Confidential and Proprietary - For Recipient's Internal Use Only

Agenda
Introduction
End-to-end encryption (E2E)
Tokenization
EMV
Summary

Introduction
This is an exciting time for the payments industry. A steady stream of disruptive technologies and security conformance requirements is entering the industry, from end-to-end encryption to EMV. Today we will discuss end-to-end encryption, tokenization and EMV, and how they affect small to medium-sized merchants.

End-to-end Encryption

Security Breaches
The volume of data breach investigations increased 54 percent over 2012.
45 percent of data thefts involved non-payment card data.
E-commerce made up 54 percent of assets targeted.
Weak passwords opened the door for the initial intrusion in 31 percent of compromises.
Source: https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf

Security Breaches
Every year that we produce the Trustwave Global Security Report, retail, food and beverage and hospitality jostle for position as the most frequently compromised industries. Retail once again led the pack in 2013 at 35 percent, a decrease of 10 percent over 2012. Food and beverage industry breaches counted for 18 percent of the total, a five percent decrease from 2012.
Source: https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf

E2E Encryption – (Protecting data in transit)
Before: At initial swipe, credit card data is stolen in real time from peripherals and memory, even though the transaction is transmitted securely. (Payment providers such as Vantiv, Mercury, FirstData etc.) The transaction is returned securely as well, but it is too late: the cardholder data has already been stolen.
Computers get infected with malware.

E2E Encryption – How it works
After: Using an encryption-enabled device such as the Verifone, Infinite Peripherals or Ingenico devices, card data is encrypted at the initial swipe. At initial swipe, credit card data is encrypted and cannot be stolen. The transaction is sent encrypted to a payment provider (payment providers such as Vantiv, Mercury, FirstData etc.). Only non-sensitive transaction data is returned to the POS.

E2E enabled device examples

E2E transaction flow with Tokenization
At initial swipe, card data is encrypted.
Transaction is sent encrypted to the Payment Provider.
Get authorization from the card brands (Card Networks: Visa, MasterCard, Amex, Discover).
Call the E2E/Token Service.
Token Service creates token, returns token to the merchant location.
Point of Sale stores the token safely.

Tokenization

Tokenization (Protecting data at rest)
Benefits:
Reduced risk
Help merchants with their PCI compliance
Use Cases:
Recurring billing
Card not present
Tip modifications
Delayed shipping
Layaway purchases
Voids and returns
Adjustments
Capabilities:
Replaces non-encrypted card data (PAN) with a reference token
Card information is saved with the payment provider
How It Works:
Card number is used in the first transaction
Token reference data is created: a unique string of letters and numbers
Token is returned to the requester along with the authorization
Token can be used to perform subsequent transactions on the card

Tokenization – How it works
Credit card is initially swiped or keyed, then transmitted securely. (Payment providers such as Vantiv, Mercury, FirstData etc.) The transaction response is sent back securely with a token.
Computers can still get infected with malware.
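Added example, not part of the original slides: a small Python sketch of the token lifecycle described on the two tokenization slides above (first transaction with the card number, token returned with the authorization, later transactions by token). The class and function names, the merchant binding and the test card number are assumptions made for illustration, and authorization with the card networks is simulated by a card number check only.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check so mistyped card numbers are rejected before anything is stored."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenService:
    """Provider side (hypothetical): the only place a token maps back to a PAN."""
    def __init__(self):
        self._vault = {}                    # token -> (merchant_id, pan, expiry)

    def first_transaction(self, merchant_id, pan, expiry, amount_cents):
        if not luhn_ok(pan):
            return {"approved": False, "reason": "invalid card number"}
        # Random token: not derived from the PAN, so it cannot be reversed.
        token = secrets.token_hex(16)
        self._vault[token] = (merchant_id, pan, expiry)
        return {"approved": True, "token": token, "last4": pan[-4:],
                "amount_cents": amount_cents}

    def token_transaction(self, merchant_id, token, amount_cents):
        record = self._vault.get(token)
        # Assumption of this sketch: a token only works for the merchant it was issued to.
        if record is None or record[0] != merchant_id:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "token": token, "last4": record[1][-4:],
                "amount_cents": amount_cents}

def pos_record(response):
    """What the point of sale keeps at rest: token and last four digits, never the PAN."""
    return {k: response[k] for k in ("token", "last4", "amount_cents")}

if __name__ == "__main__":
    svc = TokenService()
    test_pan = "4111111111111111"           # constructed test number, not a real card
    stored = pos_record(svc.first_transaction("merchant-A", test_pan, "0811", 2500))
    print("POS stores:", stored)
    print("tip adjustment:", svc.token_transaction("merchant-A", stored["token"], 3000))
    print("other merchant:", svc.token_transaction("merchant-B", stored["token"], 3000))
```

In this sketch the card number still passes through the point of sale on the first transaction, which is the exposure the slide's malware warning refers to.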

E2E & Tokenization Together
Card information never exists in a readable format.
(Diagram panels: First transactions; Subsequent transactions.)
Using an encryption-enabled device, card data is encrypted at the initial swipe, before sending to the POS. At initial swipe, credit card data cannot be stolen since it is already encrypted. The transaction is sent encrypted to Mercury. (Payment providers such as Vantiv, Mercury, FirstData etc.) The transaction response is sent back securely with a token for long-term storage.

SMB Merchants using E2E and MToken
Tokenization:
Ease of integration
Supports recurring billing, tip adjustment, returns, and more!
Helps merchants maintain a more secure payment processing environment
Easier POS compliance: fewer PA-DSS requirements to meet
Tokenization would have prevented many of the past breaches
E2E:
Helps developers reduce the costs and hassle of PA-DSS compliance
Helps merchants achieve PCI compliance
Card data theft is dramatically reduced

EMV

What is EMV
EMV is a set of standards that defines interoperability of secure transactions across the international payments landscape.
EMV transactions introduce dynamic data specific to the card and the transaction, with the goal of reducing the risk of counterfeit fraud.
The computer chip on the card uses cryptography to provide security. In the context of EMV, encryption is only used to protect the PIN.
EMV is a card-present scheme only. It does not solve for ecommerce transactions.
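Added example, not part of the original slides: a Python sketch of why dynamic data specific to the card and the transaction reduces counterfeit fraud, since data copied from one sale does not authorize another. The HMAC-SHA256 construction, the field layout and the class names are assumptions chosen for illustration; real EMV cards compute their cryptograms with the algorithms defined in the EMV specifications.

```python
import hashlib
import hmac
import secrets

def cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Simplified stand-in for a chip cryptogram (HMAC-SHA256, truncated to 8 bytes)."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    def __init__(self, card_key: bytes):
        self._key = card_key   # secret held in the chip, never sent to the terminal
        self._atc = 0          # transaction counter, increases on every use

    def sign(self, amount_cents: int, nonce: bytes) -> dict:
        self._atc += 1
        return {"atc": self._atc, "amount_cents": amount_cents, "nonce": nonce,
                "cryptogram": cryptogram(self._key, self._atc, amount_cents, nonce)}

class Issuer:
    def __init__(self, card_key: bytes):
        self._key = card_key
        self._last_atc = 0

    def authorize(self, txn: dict) -> str:
        expected = cryptogram(self._key, txn["atc"], txn["amount_cents"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "declined: bad cryptogram"
        if txn["atc"] <= self._last_atc:
            return "declined: counter reused"   # data copied from an earlier sale
        self._last_atc = txn["atc"]
        return "approved"

if __name__ == "__main__":
    key = secrets.token_bytes(16)                       # constructed per-card key
    card, issuer = ChipCard(key), Issuer(key)
    first = card.sign(2500, secrets.token_bytes(4))     # nonce chosen by the terminal
    print("genuine:", issuer.authorize(first))
    print("same data replayed:", issuer.authorize(first))
    print("amount altered:", issuer.authorize(dict(first, atc=2, amount_cents=99900)))
```

Magnetic stripe data, by contrast, is identical on every swipe, so an issuer has nothing comparable to check a copy against.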

EMV Transaction Flow: MagStripe vs EMV

U.S. Market EMV Update
Significant progress underway*
Multiple issuing pilots underway, top issuers
Up to 2 million EMV-ready terminals installed
50-100 million EMV cards issued
Top acquirers fully certified
Merchants reinvigorating EMV cert and security discussions as a result of 2013 holiday breaches
Active EMV implementation projects at many tier 1 merchants
Wal-Mart® “live” with EMV today
* Data is only based on information provided by Mercury’s partners and does not include all international payment systems.

Certification Standards
EMVCo™:
Level 1: Certification of the device’s electrical, mechanical, and communication protocol characteristics
Level 2: Certification of application software that supports specified EMV functionality
Card Networks:
Brand/“Level 3”: Approval of end-to-end solution
Brand-by-brand testing requirements

Network Certification Programs
American Express® (30 tests):
American Express ICC Payment Specification (AEIPS)
Expresspay Contactless Specification
Discover® (24 tests):
D-PAS Acquirer-Terminal End-to-End (E2E)
MasterCard® (114 tests):
MasterCard terminal integration process (M-TIP)
Visa® (105 tests):
Acquirer Device Validation Toolkit (ADVT)
Contactless Device Evaluation Toolkit (CDET)
Quick Visa Smart Debit Credit Device Module (qVSDC DM)

Points of pain for Merchants
Cardholders:
EMV card never leaves the cardholder’s hand
Contact EMV: dipping
Contactless EMV: tapping
Chip and Signature vs Chip and PIN
Restaurant environments
Merchants:
Merchant and consumer payment process flow will change
Varied merchant impacts by vertical: pizza delivery, fine dining, unattended kiosk (car washes)
Cost for new EMV-enabled hardware/software
Liability shift: chargeback
Line-busting will change
Cost vs. customer impact

Thank you!