6. EMV Implementation - PowerPoint PPT Presentation

Slides: 43
Provided by: spen8

1
6. EMV Implementation
  • Richard Sanders, Business Consultant
  • ACI Worldwide

2
Agenda
  • Brief Review of EMV Introduction
  • The Challenges of an EMV Implementation
  • What Banks do and don't think about in an EMV
    Implementation
  • EMV Implementation Strategy
  • Conclusions

3
Smart Card Implementations - Timescales

4
EMV - More than Fraud prevention?
Advantages
  • Schemes Mandated Chip and PIN cards By Liability
    Shift
  • Reduce fraud
  • Accelerate Transactions at POS
  • Save till paper
  • Charge-backs: fewer reason codes
  • Better Risk Controls
Problems
  • Unrealistic timelines?
  • Cost
  • Merchant resistance (cost and disruption)
  • Need for consumer re-education
  • Vendors: lengthy accreditation process
  • Special considerations for disabled

5
Challenges of Issuing EMV cards
[Diagram; surviving labels: Competitive advantage; What did I forget?; Lead times; Transaction times; Be prepared for the unexpected (lots of AHAs); Foundation Investments that Matters for DAY 1; Fraud savings; tools; When?]

6
The Challenges - 1
  • Consumer behaviour
  • Will cardholders adapt or use another payment
    method?
  • Can they be prevented from writing down PIN
    numbers?
  • Retailers
  • Staff need the information and confidence to
    assist cardholders
  • Merchants to enforce the strict regime on
    fallback
  • One level of fallback during transition
  • No fallback for Chip and PIN transactions after
    maturity
  • Communication
  • Acquirers responsible for communications to their
    merchants
  • Supported by Central Bank led generic messages
    and Schemes
  • To be provided over a long time - from early
    trials through rollout to maturity
  • UK website available: www.chipandpin.co.uk

7
The Challenges - 2
  • Technology
  • Acceptance testing - including Inter-participant
    (IPT), closed and open testing and the need for a
    town trial to refine procedures prior to full
    rollout (and how will this be done: geography,
    card replacement, merchant specified?)
  • Type approval and certification: EMVCo, Schemes,
    Acquirer
  • Counter logistics and management information
  • Transaction timings
  • Training bank and retail staff
  • New technology but not so different to ATM use
  • Demands a high level of co-operation from
    retailers
  • Schemes provide the rules but recognise the
    difficulty of training all front-line staff
  • Help-desk support and training material specially
    written
  • Key message for issuers and merchants
  • Be proactive, plan well ahead, lobby suppliers.

8
EMV - The Key Questions a Bank asks
  • What is the date of the EMV migration for my
    country or region set by the card associations?
  • How do I interface with EMVCo?
  • What level of testing period do I want to allow
    before going live with my EMV card
    base/infrastructure?
  • Which vendors can help facilitate my move to EMV?
  • Is Outsourcing a solution?
  • Can a bureau provide all my needs?
  • When I start migrating my card base to EMV, do I
    use a force reissue or at renewal/replacement?
    What is the liability from stripe cards still in
    circulation after the EMV migration date?
  • How do I enforce Fallback?
  • Are fraudsters targeting us? Have competitors
    already migrated?
  • Am I losing business by not moving rapidly to
    smart cards? Etc etc.
  • What Staff Training do I need? Where can I get
    it?

9
And Typically What it Does Not Ask
  • What extra business can I generate by achieving
    first mover advantage in my markets by moving to
    smart cards?
  • My card will have an anchor financial
    application. Do I want it to carry other
    applications such as cashback/loyalty scheme run
    in-house or by a third party or partners and how
    will I load/delete/manage these applications?
  • Is the Management Information I had developed for
    testing/trial sufficient for my live needs in
    areas like fraud strategy?
  • Do I want to retain my existing methodology for
    card issuance?
  • How do I plan fallback withdrawal?
  • How will I handle Magnetic stripe cards from e.g.
    the US?
  • Are there any special interest groups, e.g. the
    disabled, I need to accommodate?
  • Can I utilise the EMV Infrastructure for other
    applications like ID?
  • How do I migrate to higher specification versions
    of EMV?
  • Will EMV take away all my fraud problems? If not,
    what else can I do?

10
EMV Implementation Methodology
  • An EMV end-to-end payment system implies a number
    of activities from various internal/external
    entities, such as:
  • Business (Banks, Acquirer, Issuer)
  • Legal (Banking Association, Payment Schemes,
    Government)
  • Identify impacts of any other migration
    activities/legislation - e.g. Chip and Signature
    cards for some disabled customers
  • Technical (Cards, Terminals, Host systems,
    Network, Back Office, Operations, Certification,
    MI)
  • Vendors (Hardware/Software, Bureaux, Processors)
  • Service (i.e. Merchant support, Education,
    Installation, Upgrades, Maintenance,
    Communications)
  • Customer
  • Manage bypass and fallback
  • Communication

11
Pre-Implementation analysis
  • Although mandated by the Schemes, markets are
    different and EMV settings used may depend on:
  • Telecommunications costs: is there currently a
    preference for seeing transactions on-line?
  • Credit/Debit mix: security concerns are quite
    different
  • Cash vs. cheques vs. electronic payments mix
    compared to cards
  • Government view, particularly on ID cards
  • EMV delivers options
  • EMV allows for many forms of secure card
    authentication method (CAM) through SDA, DDA, CDA
  • Legacy Terminal infrastructure can slow
    innovation
  • SDA failures, wrong AID length issues not fully
    removed until legacy terminals replaced

12
Considerations for an EMV Implementation - 1
  • Issuing
  • New Chip Card (card production changes)
  • New Card management System (including
    personalisation)
  • Issuer Host Modification for EMV payment flow
  • New HSM software for EMV cryptography
  • Interface to international networks including
    certification
  • PIN Management Infrastructure
  • Key Management Infrastructure
  • Changes to Operational Processes
  • Customer/Staff Education Programme
  • Script Processing/Risk Management Enhancements
  • New Procedures for Cardholders (Chip and PIN,
    Chip and Signature, Technical Fallback, PIN
    Bypass management)

13
Considerations for an EMV Implementation - 2
  • Acquiring
  • Acquirer Host Modification for EMV payment flow
  • Interface to international networks including
    certification
  • ATMs upgraded to offer Reciprocal PIN Management
    services?
  • Acquiring and Issuing silos need to work together
  • Terminals
  • Hardware and Software Base needs to be replaced
  • Problem Management: SDA failures
  • ATMs: why do some have 100% fallback?

14
Considerations for an EMV Implementation - 3
  • General
  • Education
  • Understand EMV Settings to avoid costly mistakes
    like having the wrong AID length that terminals
    cannot read
  • Have a system that identifies the settings on
    each card
  • Requirements Definition
  • Continuous review including MI and Workflow
  • Execution Strategy
  • Special cases disabled drivers etc
  • Training
  • Communications
  • Customers, staff, merchants, media all need
    regular updates
  • Keep reviewing the project structure/plan as new
    items develop
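
Added example (not part of the original presentation): one way to build the "system that identifies the settings on each card" mentioned on the slide above, as a small Python audit that flags a wrong AID length and lists the card authentication methods a card advertises. It assumes the AID is carried in tag 4F or 84 and the Application Interchange Profile in tag 82, with the 5 to 16 byte AID length range from ISO/IEC 7816-4; the function names and sample records are constructed for illustration.

```python
"""Audit EMV card settings: AID length and offline CAM flags (added example)."""

# AIP (tag 82) byte 1 bits that advertise offline card authentication methods.
AIP_CAM_BITS = {0x40: "SDA", 0x20: "DDA", 0x01: "CDA"}
AID_MIN, AID_MAX = 5, 16  # valid AID length in bytes (ISO/IEC 7816-4)


def parse_tlv(data: bytes) -> dict:
    """Parse a flat sequence of BER-TLV objects into {tag_hex: value_bytes}."""
    out, i = {}, 0
    try:
        while i < len(data):
            start = i
            i += 1
            if data[start] & 0x1F == 0x1F:      # multi-byte tag, e.g. 9F07
                while data[i] & 0x80:
                    i += 1
                i += 1
            tag = data[start:i].hex().upper()
            length = data[i]
            i += 1
            if length & 0x80:                   # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            value = data[i:i + length]
            if len(value) != length:
                raise ValueError(f"tag {tag}: value truncated")
            out[tag] = value
            i += length
    except IndexError:
        raise ValueError("TLV data ends inside a tag or length field") from None
    return out


def audit_profile(tlv_bytes: bytes) -> dict:
    """Report the AID, the advertised CAMs and any setting problems found."""
    tlv = parse_tlv(tlv_bytes)
    findings = []
    aid = tlv.get("4F") or tlv.get("84")
    if aid is None:
        findings.append("no AID (tag 4F/84) present")
    elif not AID_MIN <= len(aid) <= AID_MAX:
        findings.append(f"AID length {len(aid)} outside {AID_MIN}-{AID_MAX} bytes")
    aip = tlv.get("82")
    cam = []
    if aip is None or len(aip) != 2:
        findings.append("AIP (tag 82) missing or not 2 bytes")
    else:
        cam = [name for bit, name in AIP_CAM_BITS.items() if aip[0] & bit]
    return {"aid": aid.hex().upper() if aid else None, "cam": cam,
            "findings": findings}


# Constructed sample records (hypothetical personalisation output, hex TLV).
SAMPLE_CARDS = {
    "card-ok": "4F07A000000003101082025C00",      # 7-byte AID, SDA only
    "card-short-aid": "4F04A000000082027D00",     # 4-byte AID, SDA/DDA/CDA
}

if __name__ == "__main__":
    for name, hex_tlv in SAMPLE_CARDS.items():
        print(name, audit_profile(bytes.fromhex(hex_tlv)))
```

Run against every personalisation batch before cards ship, a check like this catches the AID length mistake at the bureau rather than at the terminal.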

15
EMV Business Case - Key Areas
  • Market
  • Size: larger markets require more investment
  • Importance of cards as a payment instrument
  • Adoption rate of High Usage retailers e.g.
    Supermarkets, Petrol
  • Proportion of mid-tier retailers as they are
    slowest to adopt
  • Domestic market requirements: levels of E Purse
    schemes etc
  • Processor/Retailer terminal agreement lengths
  • Proportion of Bank Owned Terminals
  • Strategic market goals to embrace
    multi-application, ID etc.
  • Other Chip Functionality (Transit Mifare card
    etc)
  • Merchant Card Issuance and Other Financial
    Products
  • TelCo ambitions
  • Government position
  • Work/Life Balance of Cardholders

16
EMV Business Case - Key Areas
  • Issuer
  • Fraud Costs and Types: domestic/cross border
    (some Banks do not collect data)
  • Interchange fee incentive
  • Internet Banking /MO/TO
  • Cash replacement
  • Multi-application
  • Loyalty on Credit/Debit
  • ID
  • Contactless, Prepaid options Day 1
  • Increased Acquisition of Customers at a Lower
    Cost
  • Increased Retention through Service, broad
    Product Portfolio and Cross-Selling Opportunities
  • Reduced Operational Costs and Increased
    Productivity

17
EMV Business Case - Key Areas
  • Merchant
  • High Traffic retailers e.g. Supermarkets, Petrol
  • Mid-tier retailers' attitude
  • Percentage of Business on-line/MO/TO
  • Higher security of EFTPOS terminals increases
    certification time
  • Level of any reduction in MSCs for compliance
  • Perceived value of not storing receipts for
    chargebacks
  • Value of increase in speed of transaction times
    and convenience to customers
  • Cash replacement
  • Plans for Unattended terminals

18
EMV Business Case - Key Areas
  • Customers
  • Ultimate Convenience - deliver customer
    confidence/peace of mind by removing the worry,
    hassle and inconvenience of fraud
  • Privacy and ID Theft Protection
  • Choice of Channel for purchasing
  • Control of the Relationship
  • Instant Gratification through loyalty at POS
  • Money Rich, Time Poor Scenario
  • Need for Convenience and Speed
  • Ever Growing Value for Their Business
  • Multi-application
  • Loyalty
  • ID
  • Access

19
Potential Barriers to EMV Implementation
  • Cost of Cards
  • PC Base having Integrated Readers and Software
  • Installation of Smart Card Readers
  • Transaction Times
  • Interoperability
  • Inconsistent Messages
  • No Compelling/Killer Chip application
  • Is the Chip for security, ID, loyalty/promotion,
    other?
  • POS Infrastructure Costs: retailers have set
    hardware replacement cycles and have to be
    convinced, and Banks will have to contribute to
    get Issuance
  • IT Resource shortages due to Basel II,
    Sarbanes-Oxley

20
Education - it is complex
  • Create an education programme across:
  • Executives: they will have to agree it
  • Marketing: they have to build on it
  • Technology: they have to maintain and enhance it
  • Operations: how they do/report everything could
    change
  • Finance: to build the business case
  • Corporate Communications: how you communicate
    the change to customers is key
  • Issuing and Acquiring (POS and ATM) sides have to
    work together
  • Retailers are key: it's their customers too!
  • Leverage what exists in the market
  • Conferences and Associations Seminars
  • Vendors
  • Professional Training Seminars

21
Requirements Definition - Checklist
  • Functional and Technical Requirements
  • What type of Smart Card do you want and what do
    you want it to do today and tomorrow - drives
    Chip Size
  • What Applications do you want on it?
  • At issuance/To be loaded later
  • Contact/Contactless
  • What Infrastructure do you want?
  • Data storage/retrieval, Card Life Cycle
    Management
  • Expiry dates: typically can be lengthened from
    stripe
  • Design with the Future in Mind to avoid costs
  • Interoperability
  • Scalability
  • Usability
  • Data privacy/protection
  • What can be seen by who

22
Requirements Definition - Checklist
  • Authentication
  • PIN, Password changes
  • Key Changes/Management
  • Expiry dates
  • Velocity Checks
  • Personal Card Readers
  • Insource Vs. Outsource debate
  • Multi-sourcing plastics
  • Personalisation
  • Credit and Debit parameter settings on cards may
    be different
  • Migrating from Chip and Signature is different to
    migrating from Magnetic Stripe. Will you still
    need Chip and Signature for special cases of
    disabled?

23
Impact analysis - Business and Functional Areas - 1
  • Marketing/Sales
  • Product Propositions
  • Customer Communications
  • Authorisations
  • Card authentication and cryptographic management
  • Customer verification
  • Additional data elements and script management
  • Online and offline PIN change synchronisation
  • 3DES, AKDS
  • Processing
  • New personalisation requirements: additional
    parameters, Offline PIN Block, inheritance
  • Application life-cycle management
  • Parameter management, risk management, CRM

24
Impact analysis - Business and Functional Areas - 2
  • Operational procedures
  • Key management
  • Application processing
  • BIN Management
  • PIN management
  • Parameter management
  • MI
  • Workflow
  • Customer Service
  • Changes to business processes
  • Scripts
  • Enhanced disputes management
  • Blocked PIN offline and online

25
Impact analysis - Business and Functional Areas - 3
  • Risk Management: Fraud and Credit Risk
  • MI
  • Fraud Strategies
  • Credit Risk Management Strategies
  • Distribution Infrastructure
  • IT Systems Infrastructure
  • Current Procurement and Fulfilment Processes
  • Testing and Test systems (including Pilots)
  • Staff/Closed/Open Trial
  • Town Trial
  • Handover post rollout
  • Issuing/POS Acquiring/ATM Acquiring interfaces

26
Execution Strategy
  • Implement a formal process
  • Establish a dedicated project team
  • Well defined responsibilities for key personnel
    (CEO, CTO, COO, MIS Manager, Security and
    Compliance, HR)
  • Have experts or people who want to become
    experts
  • Define and develop project plans and agree them
    with suppliers/outsourcers and Payment Schemes so
    you are all working to the same plan
  • Identify the Project Supply Chain and Supplier
    timescales
  • Allow time for testing and certification: the
    Schemes may take longer
  • Get Communications/Card design materials
    together: may have long lead times

27
The 6 Phases of an Implementation Plan
  • Phase 1 - Strategy
  • Phase 2 - Definition
  • Phase 3 - Design
  • Phase 4 - Development
  • Phase 5 - Integration
  • Phase 6 - Deployment

28
Phase 1 - Strategy
  • Understand EMV and its impact
  • For initial implementation and further
    developments
  • Define Value Proposition
  • Define Project Objectives and critical success
    factors for your organisation
  • Clarify Scheme requirements/input
  • Review any central co-ordination requirements and
    input
  • Initial assessment of impact on lines of business
    and review outsourcing options
  • Create estimated budget
  • Obtain Management approval to move to next phase

29
Phase 2 - Definition
  • Define Business Requirements
  • Include all business areas
  • Examples: will it be automatic renewal/replacement
    with chip?
  • New services/applications/products to be offered
    to customers
  • Translate into Technical and Functional
    Requirements
  • Pre-migration planning, organisation and roadmap
  • Budget Definition
  • Payment Scheme input/requirements
  • Consultancy needs
  • Vendors
  • Outsourcers - timeframes/costs/mandated
    deliverables
  • Agreements
  • Central Project Requirements/representation
  • Project Management
  • Project Team

30
Phase 3 - Design
  • High Level Design Specifications
  • Functional Specifications including MI
    Requirements
  • Site visits to any contacts who have issued EMV
    cards
  • Low level Design Review with:
  • Outsourcers/Partners/Suppliers/Vendors
  • Test Plan
  • Begin building training materials
  • Customer, Merchants, Staff
  • Review with Payment Scheme
  • Define realistic launch date and strategy
  • Initial workflow exercise
  • Issue resolution escalation processes
  • QA certification with Information Security,
    Audit etc.

31
Phase 4 - Development
  • Coding
  • Unit tests
  • Documentation (User Manuals, Quick start guide,
    troubleshooting, Call centre scripts)
  • Scheme Certification: Issuer and Acquirer (POS
    and ATM)

32
Phase 5 - Integration
  • Integration tests including regression testing
  • System tests
  • Acceptance testing
  • Inter participant testing
  • Issue resolution escalation processes
  • Support team education and training
  • Staff issued with cards
  • Closed Trials
  • Open Trials
  • Review Communications/Training materials and
    Issue resolution escalation processes

33
Phase 6 - Deployment
  • Set up Help Desk/Customer service
  • Live Customer Pilots
  • Town Trial and Review
  • Scripting/Training/Education Review
  • Platform maintenance
  • Product Release
  • Customer Communications issued and reviewed as
    you move from announce to inform phases
  • Delivery
  • PIR
  • Maintain experts for next phases:
    multi-application, contactless, two factor
    authentication etc.

34
Implications for Banks in Delaying EMV Implementation
  • Reputational Risk
  • Failure to Meet Payment Scheme timescales
  • Fraud increases as a result of migration to
    non-chipped parties - will be apparent to
    marketplace and consumers
  • Without smart cards will appear more vulnerable -
    Low technology is not a good message
  • Compliance Risk
  • Increased costs as a result of Payment Scheme
    liability shifts
  • Legislation
  • Strategic/Operational Risk
  • Missed revenue opportunities in secure e-/mobile
    commerce
  • Operational problems in charge-backs/authorisations
    and reduced Customer Service compared to
    competitors
  • Transaction risk as they will not be off-line and
    lower cost
  • Valuable operational learning and opportunity to
    strengthen customer relationship for multi
    application cards will be lost
  • Forced reissue of cards may be required rather
    than replacement within existing card expiry
    process

35
Bank benefits of EMV
  • Fraud Prevention
  • Reduce counterfeit and lost and stolen fraud
  • Avoid being the weakest link - prevent
    migration of fraud to own card base as other
    banks implement
  • Avoid card scheme liability shift
  • Improved Credit Risk Control
  • Reduce and improve management of bad debt by
    utilising chip parameters e.g. to restrict below
    floor limit spending.
  • Apply different levels of control according to
    cardholder profile
  • Provides authentication and platform for ID
  • Maintain Competitiveness
  • Maintain credibility in customers' and
    competitors' eyes.
  • Endorse Brand with reliable, secure and
    innovative product.
  • A migration path for loyalty and
    multi-application products.
  • Operational savings from reduced
    chargeback/authorisation costs

36
The EMV migration stepladder
Magnetic stripe issuance and personalisation

37
The EMV migration stepladder
EMV migration in phases:
  • Phase 1: replace magstripe cards (which has
    sub-phases)
  • Phase 2: dynamic risk management
  • Phase 3: multi-application

38
Attributes of Successful Programmes
  • Planning, Planning and Re-planning
  • Established and Communicated Goals, Objectives
    and Strategy (Short, Medium and Long term)
  • Leading to a flexible business case
  • Established and Communicated Project Management
    Team
  • Scheduled Ongoing Audits/Reviews
  • Over Emphasis on Testing throughout
  • Partnerships with Vendors and Payment Schemes

39
Conclusions on an EMV Implementation - 1
  • EMV Migration is a complex technological and
    business project
  • Business case is hard to justify on fraud alone
  • Impacts every link of the process chain
  • EMV Migration is largely driven by Payment Scheme
    incentives, mandates and liability shifts.
  • Central Banks, Issuers, Acquirers, Merchants,
    Vendors, Payment Schemes and even Government will
    be involved
  • Do not underestimate resources and project
    duration
  • Inexperience can slow down migration - rollout
    will probably take longer than originally
    expected - time lag between receipt of card and
    usage
  • Multiplicity of payment means processors/vendors
    can be involved in one project
  • Special Interest Groups: disabled definition
    changes with EMV

40
Conclusions on an EMV Implementation - 2
  • Retailer rollout is key
  • Volume of transactions required to drive usage
    and PIN remembrance requires supermarkets and
    petrol stations to be in the vanguard
  • Testing and Certification with Schemes may take
    longer than planned
  • Technical Issues like SDA failures will occur
  • Transaction times must better Stripe and Signature
  • Privacy is a key concern for cardholders and this
    needs to be taken into account in system design
  • Best practices need to be documented and a
    generic approval process introduced globally to
    facilitate implementation of the next generation
    of payment systems

41
Conclusions on an EMV Implementation - 3
  • The customer will accept it so long as you tell
    him why and keep telling him as there may be a
    lag between him receiving a Chip and PIN card and
    finding a terminal to use it in.
  • ATM networks need to offer reciprocal PIN
    Management services to all Issuers: develop for
    own customers first to provide learning
  • The PIN bypass allowed period needs to be agreed
    and withdrawal planned
  • Migration of Fraud will happen: Banks and
    Merchants will have to invest in other tools to
    combat CNP/Internet and account takeover
  • Chip and PIN enable branch counters and review
    in-branch issuance if you are a Bank
  • Look at this as the first stage of a revolution
    as to how cards will develop. EMV implementation
    is the starting point to add multi-application,
    contactless, biometrics etc., not the end game!
