Dicover’s  Fraud Liability Policy is to fit in with U.S. EMV migration schedules and will be effective from October 1, 2015 at point-of-sale terminals and Oct 1, 2017 at automated fuel dispensers. This Fraud Liability Shift Policy will be introduced for the Discover Network in the U.S, Canada and Mexico and PULSE in the U.S.  It will be a risk-based payments hierarchy that benefits the entity that leverages the highest level of available payments security.

Discover will grant annual PCI audit waivers for merchants that process 75 per cent of Discover Network transactions via terminals supporting both contact and contactless payments, starting in October 2013. As Discover looks to gradually start replacing its current cards with chip cards in the coming years, card members also will benefit from the enhanced security EMV provides, as PULSE EMV Deployment.

PULSE, a Discover Financial Services company and one of the nation’s leading debit/ATM networks, will capitalise on Discover’s already significant EMV-deployment experience by using the D-Payment Application Specification (D-PAS) to allow EMV transactions at the point of sale. PULSE in addition to introducing Fraud Liability Shift, will also require U.S direct-connect merchants and point of sale acquirer processors to support EMV data.

PULSE  is also collaborating with other debit networks and industry work groups to facilitate interoperability among card brands and to enable merchants to route debit transactions consistent with the requirements of the Federal Reserve’s Regulation II.

PULSE’s implementation of D-PAS supports all cardholder verification methods and its U.S implementation of EMV is expected to feature broad support for online PIN-authenticated transactions as the most secure cardholder verification method.

“Our timeline to support chip-based credit and debit transactions, in addition to our Fraud Liability Shift policy, are critical milestones to helping make EMV a reality in the U.S,” said Diane Offereins, President of Payment Services at Discover.

“As with the Discover mandate announced earlier this year, our approach to EMV enables participants to select verification methods and transaction types that meet their organization’s needs,” she added.

Jeremy Gumbley drives CreditCall’s technical development and is responsible for the design, development and implementation of the company’s market leading card payment and EMV services. A thought leader in the industry, Jeremy is always striving to come up with successful and secure pioneering solutions.

Called ‘EMV in the Cloud’, the Cartes presentation will take place on Thursday, November 8, at 4pm, and will cover:

- The Cloud as the most suitable platform
- Low cost solution for US EMV migration
- Advantages for hardware suppliers
- Centralized software service
- Lower cost of ownership
- Minimal configuration requirements

“EMV Kernel solutions in the Cloud can offer major benefits for the payments industry and particularly the USA,” comments Jeremy. “The US has just begun the process of migrating its payments infrastructure to secure EMV Chip and Pin and Chip and signature. American Express, Discover, MasterCard and VISA have already publicly declared their roadmaps and the deadlines when all payment terminals must be EMV compliant,” adds the CreditCall CTO.

Discussing this subject further during his talk, Jeremy will outline the framework and benefits of implementing cloud technology within the payments industry. The presentation will also consider some of the issues and questions that this hot topic is likely to bring up.

CreditCall believe that offering EMV Kernel technology in the cloud could potentially offer American terminal makers and others a timely and low cost solution for EMV. The company has deployed more than 1,000,000 of its EMV Kernel software solutions for Chip and PIN and Chip and Signature terminals worldwide. Its EMV Kernels are used in both contact and contactless applications, including card readers, POS, ATMs, petrol pumps, kiosks, ticketing terminals, smartphones and tablets.

CreditCall will be exhibiting at Cartes 2012, Paris Nord Villepinte in Paris at both 4 J 088 – if you’re at the event then please pop along and say hello.

The data from EMVCo represents the latest statistics from American Express, JCB, MasterCard and Visa, as reported by their respective global financial institutions.

The new EMV deployment figures demonstrate an increased take up of EMV technology, with over 1.5 billion EMV payment cards in circulation and 21.9 million EMV terminals active worldwide. This is an increase of 25 percent in payment cards in circulation and 18 percent in active terminals in 12 months.

Source: EMVCo deployment figures Q4 2011

Patricia Partelow, current Chair of the EMVCo Executive Committee, comments:

“The implementation of EMV technology enables the industry to create a truly interoperable chip-based consumer payment infrastructure. EMVCo works with industry stakeholders to continually advance the standard to ensure it supports the needs of the global payments marketplace and a common, robust technology platform is created, which supports contact, contactless and mobile interfaces for both online and offline payments.”

AmEx, the last holdout of the four big card issuers, revealed its three-step migration roadmap for abandoning mag-stripe for more advanced EMV technology for all merchants, processors and issuers of American Express-branded cards in the US.

American Express plans to start rolling out EMV-enabled POS infrastructure in the later part of this year, and expect all US processors to support merchant acceptance of the technology by April 2013. From October 2015 AmEx will change its fraud liability away from retailers that accept safer EMV-enable cards.

Like its industry counterparts American Express has emphasised the growing popularity of EMV chip-based cards, which is already the norm across much of Europe.  It has also focussed on the benefits for retailers such as relief from PCI Data Security Standard reporting requriements.

Suzan Kereere, GM, AmEx Global Network Business, says: “The payments industry is continuing to evolve rapidly, and American Express recognises the growing demand for chip-based contact and contactless payments in the US. We also fully recognize the complexities involved in migrating to EMV chip-based technology, and our first priority is to provide choice and flexibility for merchants and our card-issuing partners so they can adopt the EMV solution that best meets their needs.”

Mobile Credit Card Readers

Now though, by taking advantage of the powerful hardware available in current smartphones, there is scope for equipping them to become part of a mobile credit card acceptance solution. A number of commercial realisations of this have already been launched that provide a card reader as either  an external dongle fitted to a phone or a separate Bluetooth enabled card reader. By using the phone’s screen and communications capability, they allow it to be used as a Mobile Point of Sale (MPoS) device.

Security Requirements

In order to safeguard the card holder’s data there are a number of security requirements that all Point of Sale devices should be compliant with, including the PCI PA-DSS (Payment Card Industry Payment Application Data Security Standard) standard. However the PCI SSC (PCI Security Standards Council), which governs the PCI standards, have announced that currently they will not consider validating payment application running on mobile devices and so MasterCard have recently published a best practice guide for MPOS solutionsto provide assistance to solution providers looking to deliver MPOS products

Mobile EMV Kernel Software

CreditCall’s EMV Kernels are ideal for mobile POS solutions, whether the integrator is wishing to provide the Kernel running on a remote server or embedded on the card reader dongle. Check out the EMV Level 2 Kernel website for further details of these EMV Level 2 compliant Kernels.

1. Select an EMV Level 2 Kernel

The first step on this path is to select an EMV Level 2 Kernel. Providers may choose to develop their own kernel, but a more common approach is to license the use of a third party EMV Kernel (i.e. CreditCall’s EMV Level 2 Kernels). The latest version of the EMV specifications contains more than 700 pages, and EMVCo regularly publish additional bulletins that clarify or update these specifications, and so developing a brand new Kernel is a daunting task.

2. Register with EMVCo

After selecting a Kernel it is necessary to register with EMVCo and complete an Implementation Conformance Statement (ICS). The ICS details the specific features that the solution will support – there are many optional features in EMV and only a subset of them is required for each solution, and so it is important to understand which features will need to be supported. Some of these rules are driven by the regional banking regulations and others by the operating environment (for example an unattended device is not able to perform signature checking, in some markets EMV PIN entry is always required and cash dispensers must always contact the card issuer for authorisation before dispensing any cash).

3. EMV Level 2 Certification Testing

Once the EMV Kernel has been integrated into the device and it has been configured to operate according to the ICS, it is necessary to submit the device to an EMVCo approved lab for formal EMV Level 2 Certification Testing. This involves hundreds of test cases being run on the device to verify its conformance to the EMV specifications, and only if the device passes every test case will EMVCo issue a Letter of Approval and add it to the list of approved solutions.

CreditCall have many years experience of developing EMV compliant solutions and guiding their customers through the necessary requirements and certification process, and in over 100 certification projects over the past 10 years CreditCall’s EMV Level 2 Kernels have always successfully passed the EMVCo certification process first time.

For more information on how CreditCall could assist with EMV migration please visit www.level2kernel.com

Perhaps the most glaringly obvious security flaw in EMV is the CVM called “Offline Plaintext PIN”. The PIN is transmitted to the card for verification in the clear which places the burden of security (and cost) on the terminal Vendor and therefore the Merchant.

A large part of PCI PED for example deals with the PIN entry security environment. An attacker merely has to “sniff” the card IO pin to pull all manner of cardholder information from the transaction including the PIN. Some would argue that the compensating control for this is the fact that PIN pads are tamper responsive and evident but why take the risk when you have a much better CVM in “Offline Enciphered PIN”? The PIN is securely encrypted in the PIN pad using the card RSA Public Key and transmitted to the card for verification which is infinitely more secure.

Of course the next step would be to encrypt all the information that passes between the terminal and card using a similar mechanism but that’s a discussion for another day.

In summary, it’s clear that the weaknesses of SDA have been exploited and damaged the reputation of the EMV standard so surely it’s time we acknowledge the obvious – both SDA and Offline Plaintext PIN have had their day, it’s time they were put out to pasture.

MasterCard is planning to deliver an improved customer experience in-store, online, at ATMs and on mobiles giving consumers greater security and control of their payment choices. They will do this by helping to build out the EMV POS infrastructure by April 2013. The roadmap also envisages reduced fraudulent transactions, and financial benefits to merchants using EMV compatible terminals.

Chris McWilton, President, U.S. Markets, MasterCard  explained, “We’re moving toward a world beyond plastic, where consumers will shop and pay in a way that best fits their needs and lifestyles with a simple tap, click or touch in-store, online or on a mobile device”. He continues “Our roadmap represents a transformational shift in the approach to payments and is not simply about EMV, chip and PIN. We’re focused on readying the ecosystem to drive future innovation and provide new consumer experiences to enhance the value of electronic payments. “

MasterCard is part of the original group that created the global EMV standard for credit and debit cards based on chip card technology which included Europay, MasterCard and Visa. It is now owned by American Express, JCB, MasterCard and Visa. Click here for the latest EMV deployment and adoption figures.

If you are a terminal manufacturer and want to find out more how you can reduce risk, cost and time to market of your EMV Migration project, call us for free on 800.868. 1832 or email enquiries(at)level2kernel(dot)com.

The EMVCo published EMV deployment figures for Q3 2011 represent the latest statistics from American Express, JCB, MasterCard and Visa, as reported by their member financial institutions globally. More than 1.3 billion EMV cards and over 20 million EMV terminals are now in circulation.

Source: EMVCo EMV deployment figures Q3 2011

The statistics do not include data from the United States which currently uses magnetic stripe and signature for payment authorisation. This will soon change as Visa and MasterCard have now published their own guidelines for migration from magnetic stripe to EMV technology in the US.

Source: EMVCo EMV deployment figures Q3 2011

EMVCo are set to see another boost of its standard once the US have deployed the more secure and fraud-resistant EMV payment standard.

As we suggested, Visa are recommending that initially merchants in the USA should concentrate on online-only EMV solutions that do not need to support EMV offline PIN (where the PIN is checked by the card rather than the bank’s online host) – so whereas the rest of the world has typically implemented “Chip & PIN” solutions, in the USA it may be “Chip & Signature” instead.

We can help you reduce complexity, cost and time-to-market, to smoothly implement EMV in the U.S. Our EMV level 2 kernels are fully compliant with all the latest industry requirements for online or offline authorisation. They provide a simple but powerful way to add EMV level 2 functionality to attended (POS terminals, ticketing machines) and unattended (parking, vending, ATMs) card payment devices.

Check out www.level2kernel.com for more details or get in touch if you have any questions.