1
Payments technology and security
Mercury Confidential and Proprietary - For Recipient's Internal Use Only
2
Agenda
- Introduction
- End-to-end encryption (E2E)
- Tokenization
- EMV
- Summary
3
Introduction
This is an exciting time for the payments industry. There is a steady stream of disruptive technologies and security conformance being injected into the industry, from end-to-end encryption to EMV. Today, we will discuss end-to-end encryption, tokenization and EMV technologies and how they impact small to medium-sized merchants.
4
End-to-end Encryption
5
Security Breaches
- The volume of data breach investigations increased 54 percent over 2012.
- 45 percent of data thefts involved non-payment card data.
- E-commerce made up 54 percent of assets targeted.
- Weak passwords opened the door for the initial intrusion in 31 percent of compromises.
Source:
6
Security Breaches
Every year that we produce the Trustwave Global Security Report, retail, food and beverage and hospitality jostle for position as the most frequently compromised industries. Retail once again led the pack in 2013 at 35 percent, a decrease of 10 percent over
Food and beverage industry breaches counted for 18 percent of the total, a five percent decrease from 2012.
Source:
7
E2E Encryption – (Protecting data in transit)
Before
- Computers get infected with malware.
- At initial swipe, credit card data is stolen in real time from peripherals and memory even though the transaction is transmitted securely.
- Payment providers such as Vantiv, Mercury, FirstData, etc.
- Transaction is returned securely as well, but it is too late – the cardholder data has already been stolen.
8
E2E Encryption – How it works
After
- Using an encryption-enabled device such as the Verifone, Infinite Peripherals or Ingenico devices, card data is encrypted at the initial swipe.
- At initial swipe, credit card data is encrypted and cannot be stolen.
- Transaction is sent encrypted to a payment provider.
- Payment providers such as Vantiv, Mercury, FirstData, etc.
- Only non-sensitive transaction data is returned to the POS.
9
E2E enabled device examples
10
E2E transaction flow with Tokenization
Diagram participants: Point of Sale, Payment Provider, E2E/Token Service, Card Networks (Visa, MasterCard, Amex, Discover)
- At initial swipe, card data is encrypted.
- Transaction is sent encrypted to Payment Provider.
- Call the E2E/Token Service.
- Get Authorization from Card Brands.
- Token Service creates token, returns token to Merchant location.
- Point of Sale stores token safely.
11
Tokenization
12
Tokenization (Protecting data at rest)
Benefits
- Reduced risk
- Help merchants with their PCI compliance
Use Cases
- Recurring billing
- Card not present
- Tip modifications
- Delayed shipping
- Layaway purchases
- Voids and returns
- Adjustments
Capabilities
- Replaces non-encrypted card data (PAN) with a reference token
- Card information is saved with the payment provider
How It Works
- Card number is used in first transaction
- Token reference data is created – a unique string of letters and numbers
- Token is returned to the requester along with authorization
- Token can be used to perform subsequent transactions on the card
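The "How It Works" steps above, as an added sketch that is not part of the original presentation or any payment provider's API. The class names, the 24-character token length and the Luhn check are assumptions, and card-network authorization is simulated as approving any well-formed card number.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # "letters and numbers"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so the sketch rejects mistyped card numbers."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0


class TokenService:
    """Hypothetical payment-provider side: the only place the PAN is kept."""
    def __init__(self):
        self._vault = {}  # token -> PAN, never sent back to the merchant

    def authorize(self, pan: str, amount_cents: int) -> dict:
        """First transaction: the card number is used and a token comes back."""
        if not luhn_ok(pan):
            return {"approved": False, "token": None}
        # Random, not derived from the PAN, so it cannot be reversed offline.
        token = "".join(secrets.choice(ALPHABET) for _ in range(24))
        self._vault[token] = pan
        return {"approved": True, "token": token}

    def charge_token(self, token: str, amount_cents: int) -> dict:
        """Subsequent transaction (recurring bill, tip adjust): token only."""
        # An unknown or forged token maps to no card and is declined.
        return {"approved": token in self._vault}


class PointOfSale:
    """Merchant side: stores the token from the response, never the PAN."""
    def __init__(self, service: TokenService):
        self.service, self.records = service, {}  # records: customer -> token

    def first_sale(self, customer: str, pan: str, amount_cents: int) -> bool:
        resp = self.service.authorize(pan, amount_cents)
        if resp["approved"]:
            self.records[customer] = resp["token"]
        return resp["approved"]

    def recurring(self, customer: str, amount_cents: int) -> bool:
        token = self.records.get(customer)
        return token is not None and self.service.charge_token(token, amount_cents)["approved"]
```

Malware that later reads `PointOfSale.records` finds only tokens, which are meaningless outside the provider that issued them.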
13
Tokenization – How it works
- Credit card is initially swiped or keyed, then transmitted securely.
- Payment providers such as Vantiv, Mercury, FirstData, etc.
- The transaction response is sent back securely with a token.
- Computers can still get infected with malware.
14
E2E & Tokenization Together
Card information never exists in a readable format
First transactions / Subsequent transactions
- Using an encryption-enabled device, card data is encrypted at the initial swipe, before sending to the POS.
- At initial swipe, credit card data cannot be stolen since it is already encrypted.
- Transaction is sent encrypted to Mercury.
- Payment providers such as Vantiv, Mercury, FirstData, etc.
- The transaction response is sent back securely with a token for long-term storage.
15
SMB Merchants using E2E and MToken
Tokenization:
- Ease of integration
- Supports recurring billing, tip adjustment, returns, and more!
- Helps merchants maintain a more secure payment processing environment
- Easier POS compliance – fewer PA-DSS requirements to meet
- Tokenization would have prevented many of the past breaches
E2E:
- Helps developers reduce the costs and hassle of PA-DSS compliance
- Helps merchants achieve PCI compliance
- Card data theft is dramatically reduced
16
EMV
17
What is EMV
- EMV is a set of standards that defines interoperability of secure transactions across the international payments landscape.
- EMV transactions introduce dynamic data specific to the card and the transaction, with the goal of reducing the risk of counterfeit fraud.
- The computer chip on the card uses cryptography to provide security.
- In the context of EMV, encryption is only used to protect the PIN.
- EMV is a card-present schema only. It does not solve for e-commerce transactions.
18
EMV Transaction Flow: MagStripe vs EMV
19
EMV Transaction Flow: MagStripe vs EMV
20
U.S. Market EMV Update
Significant progress underway*
- Multiple issuing pilots underway, top issuers
- Up to 2 million EMV ready terminals installed
- million EMV cards issued
- Top acquirers fully certified
- Merchants reinvigorating EMV cert and security discussions as a result of 2013 holiday breaches
- Active EMV implementation projects at many tier 1 merchants
- Wal-Mart® “live” with EMV today
* Data is only based on information provided by Mercury’s partners and does not include all international payment systems.
21
Certification Standards
EMVCo™
- Level 1: Certification of the device’s electrical, mechanical, and communication protocol characteristics
- Level 2: Certification of application software that supports specified EMV functionality
Card Networks
- Brand/“Level 3”: Approval of end-to-end solution
- Brand-by-brand testing requirements
22
Network Certification Programs
American Express® (30 tests)
- American Express ICC Payment Specification (AEIPS)
- Expresspay Contactless Specification
Discover® (24 tests)
- D-PAS Acquirer-Terminal End-to-End (E2E)
MasterCard® (114 tests)
- MasterCard terminal integration process (M-TIP)
Visa® (105 tests)
- Acquirer Device Validation Toolkit (ADVT)
- Contactless Device Evaluation Toolkit (CDET)
- Quick Visa Smart Debit Credit Device Module (qVSDC DM)
23
Points of pain for Merchants
Cardholders
- EMV card never leaves the cardholder’s hand
- Contact EMV – dipping
- Contactless EMV – tapping
- Chip and Signature vs Chip and PIN
- Restaurant environments
Merchants
- Merchant and consumer payment process flow will change
- Varied merchant impacts by vertical: pizza delivery, fine dining, unattended kiosk (car washes)
- Cost for new EMV enabled hardware/software
- Liability shift: chargeback
- Line-busting will change
- Cost vs. customer impact
24
Thank you!