Chip migration

Document Sample
Chip migration Powered By Docstoc
					Chip Migration
Neil Dickson
Visa CEMEA Vendor Relations Training Workshop
London
27 January 2006




                                   For Visa Internal Use Only
Chip Migration Status




               For Visa Internal Use Only
Visa EMV Progress in CEMEA

4 million EMV cards
 5% of total card base
 89 certified VSDC issuers (13% of all issuers)


198,600 chip devices
 89 certified VSDC merchant acquirers (45% of all merchant
  acquirers)
 32 certified VSDC ATM acquirers (5% of all ATM
  acquirers)


 40 Members certified for CCD (using F55)

                       Information Classification as Needed Only
                                            For Visa Internal Use   Presentation Identifier.3
     Chip Terminal Deployment
Jordan – 68%
Lebanon – 42%
Bosnia – 14%
Albania – 30%


           Belarus
                        Ukraine
                                                                           Russia
   Moldova
    Romania
      Serbia &
      Montenegro
 Croatia
                                                                        Kazakhstan
      Bulgaria                                                                Uzbekistan
              Tunisia                                                            Azerbaijan
                          Libya Egypt                                      Georgia
Morocco                                                                                           37 countries have over 198,000
Algeria                                                        Qatar                              chip terminals deployed
                                                                       UAE
                                                                        Oman
                                                       Saudi Arabia
Ghana                                                                                                 0 – 10%

   Benin                                                                                              10 – 20%
                                                   Rwanda
    Nigeria                                                                                           20 – 50%
                                                       Madagascar
                                                                                                      50 – 80%
                                                       Mauritius
           Botswana                                                                                   80% and above

                                        South Africa Information Classification as Needed Only
                                                                          For Visa Internal Use                  Presentation Identifier.4
    Chip Card Issuance

   Kuwait - 1%
   Lebanon – 2%



                         Ukraine
                                                                         Russia
 Serbia &   Romania
 Montenegro
  Croatia
   Bosnia
  Macedonia
   Albania
                                                                       Kazakhstan
    Bulgaria
               Tunisia                                                        Uzbekistan
                           LibyaEgypt
Morocco                                                                   Azerbaijan
                                                              Qatar                               Members in 28 countries
                                                                      UAE                         have issued over 4 million
                                                                       Oman                       chip cards
                                                      Saudi Arabia
                                                                                                         0 – 5%
Ghana
  Benin                                           Rwanda                                                 5 – 10%
   Nigeria Cameroon                                                                                      10 – 50%
                                                                                                         50 – 80%
                                                                                                         80 – 100%



                                        South Africa Information Classification as Needed Only
                                                                          For Visa Internal Use                      Presentation Identifier.5
Chip Strategic
Priorities




                 For Visa Internal Use Only
 CEMEA Chip Strategic Priorities

Interoperability Monitoring                                                 Pre-Auth Payment


                                                                                 Contactless:
                                                                                 VSDC, Transit
     ADVT Testing
                                                                                 & ID
                              Chip Payment Solutions
                                Strategic Priorities
                                                                                  Value-Add:
          VPA                                                                     Social,
                                                                                  Health &
                                                                                  Petrol


      EMV Field Testing                                                        E-commerce:
                                                                               Dynamic Pass
                                M-commerce:
                                Megafon and Sberbank Pilot

                               Information Classification as Needed Only
                                                    For Visa Internal Use        Presentation Identifier.7
ADVT & VPA

ADVT
 Mandatory for all new and upgraded EMV hardware and software


 ADVT Version 4.0 released during Q1 2006
   3 new cards
   5 cards are being changed
 All Members and Vendors will need to upgrade their existing packs


 All ADVT compliance statements are now required to be submitted via VOL


VPA
 Visa CEMEA will be strongly recommending that Members use the VPA
 Visa will no longer be distributing the Personalisation templates


                             Information Classification as Needed Only
                                                  For Visa Internal Use   Presentation Identifier.8
Visa Public Keys

EMVCo Public Key review – October 2005
  1024 Key – expiry date remains at 31 December 2009
  1152 Key – expiry date extended to 31 December 2013
  1408 & 1984 Key – lifetime remains to at least December 2016

IML to follow shortly providing updates to members
Acquirers should be reminded to complete the latest key
exchange ASAP
  Remove 896 key
  Add 1408 & 1984 keys

Are there any concerns that the new keys may impact
transaction timings?

                          Information Classification as Needed Only
                                               For Visa Internal Use   Presentation Identifier.9
  Key Exchange

        Jan Jul Jan Jul Jan Jul Jan Jul Jan Jul Jan Jul Jan Jul Jan Jul Jan Jul Jan Jul Jan Jul Jan Jul
         2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
        Remove
 896

        Active              Stop Signing                 Remove
                              W/ 1024
1024

          Active                                                                        Remove
1152

  New    Intro     Active
                                                                                                  Remove
1408

  New    Intro     Active

1984



                                           Information Classification as Needed Only
                                                                For Visa Internal Use            Presentation Identifier.10
Key Exchange

Visa is currently reviewing proposals for a hand held chip card
reader.
The readers will be used to test terminals to ensure that they
have the correct Visa CA Public Keys loaded into them.
The devices will be available to both Members and Vendors for
purchase.




                         Information Classification as Needed Only
                                              For Visa Internal Use   Presentation Identifier.11
Liability Shift




                  For Visa Internal Use Only
EMV Liability Shift

Designed to protect those Members who have invested in EMV
Applies for card present designated fraud
  Counterfeit, Lost & Stolen, Not Received Item (NRI)
Visa CEMEA Specific
   Effective since 1 January 2006
Bi-Lateral Agreement with Visa Europe
   Excludes ATM transactions
  Effective since 1 January 2006




                        Information Classification as Needed Only
                                             For Visa Internal Use   Presentation Identifier.13
Common Core
Definitions




              For Visa Internal Use Only
Common Core Definitions

The Common Core Definitions are a minimum common set of implementation
   options, card behaviours, data element definitions and processes between
   the EMV chip card and the Issuer host interface, that are sufficient to
   accomplish an EMV transaction and are mutually recognized by both Visa
   and MasterCard.
   With these definitions, Issuers will receive and return chip data in one
   common format from both Visa and MasterCard branded cards.
   They were published in Specification Update Bulletin 25, to be used in
   conjunction with Specification Update Bulletins 26, 27, 28 and 34; all
   available on the EMVCo website.
   The Common Core Definitions and related bulletins have been incorporated
   into the new EMV 4.1. It incorporates all the related bulletins, as well as the
   many other updates and clarifications published since EMV 2000 was
   published.




                              Information Classification as Needed Only
                                                   For Visa Internal Use   Presentation Identifier.15
Common Payment Application

The Common Payment Application is a CCD-compliant application
   specification developed by Visa and MasterCard within EMVCo.
    CPA provides common functionality for the entire payment application. It
    specifies common data element definitions, card risk management options,
    common tags, card behaviors, common personalization, etc., that meet the
    requirements of EMV and CCD. CPA enables a single application
    implementation to be personalized with the same data elements and tags,
    including common risk management controls, for cards from all payment
    schemes supporting CPA specifications.
    When completed and implemented, this will allow Issuers to use the same
    mask for cards from all payment schemes supporting CPA specifications.
    The CPA specification will be owned, managed and maintained by
    EMVCo, with endorsement and acceptance by both Visa and MasterCard.


CPA cards, by definition, will be CCD-compliant. Issuers can also choose to
   support cards, which are CCD-compliant, but not necessarily CPA-compliant.
   It is important to note that use of CPA is optional on the part of the Issuer.
   Visa will continue to maintain VIS for those Issuers not electing to utilize
   CPA.


                              Information Classification as Needed Only
                                                   For Visa Internal Use   Presentation Identifier.16
Generic EMV Transport / Cards

Generic EMV Transport - the service provided in VisaNet to route
   transactions without performing any STIP or Issuer Authentication.
   VisaNet only routes the transaction to the Issuer and performs PIN
   translation if necessary. This service is intended for use with Generic
   EMV Visa cards.


Generic EMV Visa Cards - are Visa branded cards that are non-CCD- or
   CPA-compliant and non-VIS compliant, but are otherwise EMV-
   compliant. VisaNet will pass the transaction from the acquirer to the
   issuer with minimal processing. No STIP or Issuer Authentication
   Services will be performed. Issuers who choose to issue Generic
   EMV Transport cards must support Field 55 and use a unique BIN for
   these cards.



                           Information Classification as Needed Only
                                                For Visa Internal Use   Presentation Identifier.17
Visa Strategy re: VIS, CCD and CPA

Visa will fully support payment applications based on both VIS and
   CPA specifications
    • VIS and CPA will coexist
   • No sunset date for VIS
   • Visa will continue to maintain VIS specifications and will
     introduce to it the new payment features added to CPA as
     required
   • Card implementations based on VIS will continue to be tested
     and approved by Visa Industry Services
   • CPA Specification is now available to download
VisaNet will be upgraded to support VIS, CCD and CPA compliant
   cards

                         Information Classification as Needed Only
                                              For Visa Internal Use   Presentation Identifier.18
CCD Project Phase I - VisaNet

 VisaNet (April 2005)
     • Will continue to support VIS compliant cards
     • Updated to support CCD
     • Updated to support Field 55
     • Provides conversion between Field 55 acquirer to third bit map
       issuer and third bit map acquirer to Field 55 issuer
     • Updated to support “EMV Generic Transport” service




             POS          Acquirer                                     Issuer
           Terminal         Host                             VisaNet    Host
Card

             ATM
                          Information Classification as Needed Only
                                               For Visa Internal Use   Presentation Identifier.19
CCD Project Phase II - Acquirers

Visa POS and ATM Acquirers (from April 2005 until April 2006)
   • All Visa “full chip data” Acquirers must migrate to support CCD
     before card issuance can begin
   • All POS and ATM acceptance devices must support CCD
   • Common Payment Application (CPA) has no additional impact
   • No impact to „Early Option‟ chip acquirers
   • Acquirers could use Field 55 or third bit map, however, mandates
     in Visa Europe & CEMEA are for acquirers to use Field 55




            POS          Acquirer                                     Issuer
          Terminal         Host                             VisaNet    Host
Card

            ATM
                         Information Classification as Needed Only
                                              For Visa Internal Use   Presentation Identifier.20
 CCD Project Phase III - Issuers
Visa Issuers (After April 2006)
    • No impact for Issuers who choose to or continue to implement VIS
    • Issuers may implement CPA at their option, then Field 55 becomes
       mandatory
    • Issuers could issue CPA and VIS cards at the same time
    • Visa will continue to support and enhance VIS
    • Issuers receive EMV data elements either in Field 55 or third bit map
        – Issuers may choose to implement Field 55 after April 2005 for
          VIS transactions
        – Issuers using the Generic EMV Transport service must
          implement Field 55

               POS          Acquirer                                     Issuer
             Terminal         Host                             VisaNet    Host
 Card

               ATM
                            Information Classification as Needed Only
                                                 For Visa Internal Use   Presentation Identifier.21
Mandates for Visa Acquirers
TRANSPORTING OF CHIP DATA:
   Effective 1 October 2004, Acquirers must upgrade their host systems to support
    the VSDC full data option (CML 34/02)
   Effective 1 October 2005, all new full chip data acquirers must accept and process
    VIS and Common Core Definition chip cards
   Effective 1 April 2006, all full chip data acquirers must accept and process VIS and
    Common Core Definition chip cards
   Visa CEMEA is also mandating Acquirers to transport chip data in Field 55
    (September 2005 CEMEA Board – CEMEA ML 30/05):
     •   new Acquirers - from April 2006 and
     •   all Acquirers - from January 2008
MERCHANT TERMINALS:
· Effective 1 January 2006, an Acquirer must ensure that all Online-Capable Chip-
   Reading Merchant Devices support both „Plaintext PIN verified offline‟ and
   „Enciphered PIN verified offline‟ (refer to CEMEA Op Regs, section 4.4C)
· Effective 1 January 2006, an Acquirer must ensure that all Online-Only Chip-
   Reading Merchant Devices support „Enciphered PIN verified online‟ if these
   Devices do not support both „Plaintext PIN verified offline‟ and „Enciphered PIN
   verified offline‟ (refer to CEMEA Op Regs, section 4.4C)


                                Information Classification as Needed Only
                                                     For Visa Internal Use   Presentation Identifier.22
Cryptography Changes
Support for Cryptogram 14 authentication services will be removed
• VisaNet ability to authenticate Cryptogram 14 has been disabled
• RTN in place to disable other systems and remove from
  documentation
• Regions requested to return/destroy/not use all Cryptogram 14
  test cards
Cryptogram 5 will replace Cryptogram 4 to support CPA
• RTN being developed to implement replacement
• Expected to be implemented in October 2006
• Cryptogram 4 will remain functional for host certification
  purposes
• Regions may continue to use existing CCD test card for host
  certification purposes

                          Information Classification as Needed Only
                                               For Visa Internal Use   Presentation Identifier.23
Acquiring
VWS continuing to work with global vendors to monitor software
upgrades
• VWS has clarified issues with F55 and corrected misstated
  requirements for reversals and chargebacks
  – Document has been distributed to global software vendors (ACI, S2,
    Mosaic, Sonic/IFS, eFunds/Oasis)
• VWS has issued Errata to the VSDC System Technical Manual

Focus on Member progress
• VWS requesting regular updates and monitoring member migration.




                          Information Classification as Needed Only
                                               For Visa Internal Use   Presentation Identifier.24
Global CCD Certification status

  Region    Total Chip Acquirers     Certified as of         To be certified by     To be     To be certified after
               to be certified       January 1, 06             end March 06       scheduled       1st April 06



    AP              70                    5 (7%)                   24 (34%)                          46 (66%)


  Canada             2                    0 (0%)                   2 (100%)                         2 new chip
                                                                                                     acquirers


  CEMEA             114                 33 (29%)                   82 (74%)                          34 (30%)


  Europe¹           150                 33 (22%)                  106 (71%)       43 (28%)            1 (<1%)

   LAC               3                    0 (0%)                   3 (100%)


   USA               0




                                   Information Classification as Needed Only
                                                        For Visa Internal Use                 Presentation Identifier.25
Documentation and Communication
Available Documentation
• VisaNet Technical Letter Update Bulletin
• VisaNet MIG
• VisaNet SAG
• VSDC SAG Update
• VSDC System Technical Manual
• VSDC Acquirer MIG
• Generic EMV Transport guidelines
• EMV CPA Specifications
• www.visa.com/cad

Scheduled Documentation

• VSDC VIS Issuer MIG update             4Q05
• VSDC CPA Issuer MIG                    1Q06
• VIS (to reference CCD)                 2Q06

                            Information Classification as Needed Only
                                                 For Visa Internal Use   Presentation Identifier.26
EMV Field Testing




              For Visa Internal Use Only
EMV Field Testing Project
EMV Field Testing Project started as a pilot in Ukraine in
March 2005, because on-line testing Members undergo at
certification (in test environment) and ADVT testing do not
guarantee lack of interoperability problems.
Project Objectives are:
    To test interoperability of EMV-compliant POS and ATM
     infrastructure and EMV-compliant smart card products
     in live/production environment (unlike Test environment
     used at certification)
    Cross-testing of products issued by a Member with
     other Member‟s infrastructure and across the region
    Establishing of a managed process for testing of
     acceptance infrastructure and products, problem
     identification and resolution



                       Information Classification as Needed Only
                                            For Visa Internal Use   Presentation Identifier.28
EMV Field Testing Project
Testing Process:
   • Testing is being performed by Visa tester at Merchant
     locations in live environment: anonymous test
     purchases; terminal testing with a set of test cards.
   • For Members just launching Chip, initial testing at
     Member‟s premises is performed too.
Project Results: the Pilot proved a to be a success with
about 1000 terminals tested, 21 interoperability issues found,
17 already solved.
Project Roll-Out:
   • in 2006 EMV Field Testing will be developing from a
     pilot initiative to a Service for Members and
   • Will be rolled-out to 6 major Visa CEMEA Hubs and
     from there – to adjacent countries.


                       Information Classification as Needed Only
                                            For Visa Internal Use   Presentation Identifier.29
EMV Field Testing

Ukrainian field testing pilot, 6 Acquirers participated
1st Stage – testing at the Members premises
2nd Stage – testing at the Merchant in the presence of the Member
3rd Stage – anonymous testing of terminals


Plans to extend the pilot to other hubs in CEMEA during 2006.




                          Information Classification as Needed Only
                                               For Visa Internal Use   Presentation Identifier.30
Issues Found




               Information Classification as Needed Only
                                    For Visa Internal Use   Presentation Identifier.31
Issues by Implementation




               Information Classification as Needed Only
                                    For Visa Internal Use   Presentation Identifier.32
Issues by Reason




               Information Classification as Needed Only
                                    For Visa Internal Use   Presentation Identifier.33
Typical Issues Found, Requiring Attention
Of Vendors

Some of the common issues found by Field Testing that require Vendors‟
attention are:
     • Acquirer‟s host truncates the auth response cryptogram and passes to the
        terminal only part of it
     • Different interpretation of the same fields by terminal and host sides of the
        host-to-terminal interface
     • Tag sets deviations, leading to transaction failures:
        – presence of extra optional tags (allowed!) sent by a terminal and
          rejected by the host;
        – absence of mandatory tags (real example – absence of Transaction
          Amount in auth request)
     • Some POS terminals allow to perform mag stripe operation when chip
        card is swiped, without any request to use it as chip card




                               Information Classification as Needed Only
                                                    For Visa Internal Use   Presentation Identifier.34
Chip Interoperability




                For Visa Internal Use Only
 State of the Chip Interoperability

• Global Issues now number 202
• No CRITICAL Chip interoperability problems
• CEMEA has a relatively small percentage of cases,
  perhaps due to a „newer‟ infrastructure but also
  because:
   • Use „real‟ devices for certification
   • Only Full option Acquiring permitted
   • Card Review process established
   • Extensive staff chip training
   • Vanilla implementation approach
   • Acquirers must now use the ADVT
   • Issuers should use VPA for card profiles
                          Information Classification as Needed Only
                                               For Visa Internal Use   Presentation Identifier.36
State of the Chip Interoperability




                 Information Classification as Needed Only
                                      For Visa Internal Use   Presentation Identifier.37
State of the Chip Interoperability




                 Information Classification as Needed Only
                                      For Visa Internal Use   Presentation Identifier.38
Breakdown of CEMEA Issues Total = 67


     Not classified        4

      Member
   Implementation
                                                                                                                  39
       Vendor
   Implementation
                                                                                     21

      Network
Infrastructure error       3

    EMV or VIS
unclear/ erroneous

                       0       5                10                15            20        25                 30
  As of December
        2005
                                   Information Classification as Needed Only
                                                        For Visa Internal Use                  Presentation Identifier.39
   CEMEA Issues by Infrastructure


     Not classified                    8

         Host                                                                       19

        Device

                                                                                                                    36
      VisaNet                 3

       Card               1
                      0           5             10                 15              20    25                  30
As of December 2005
                                      Information Classification as Needed Only
                                                           For Visa Internal Use              Presentation Identifier.40
CEMEA CDR Failure rate summary
• SDA problems
   • Acquiring failure rate = 1.06%
   • Issuing failure rate = 1.34%
• DDA problems
   • Acquiring failure rate = 0%
   • Issuing failure rate = 0%
• CAM problems
   • Acquiring failure rate = 0.55%
   • Issuing failure rate = 1.18%
• CVV problems
   • Acquiring failure rate = 0.28%
   • Issuing failure rate = 0.05%
• Fallback problems
   • Acquiring failure rate = 36.93%                                    Figures correct for Nov 05


                           Information Classification as Needed Only
                                                For Visa Internal Use     Presentation Identifier.41
CEMEA chip failures by type against
total




                Information Classification as Needed Only
                                     For Visa Internal Use   Presentation Identifier.42
CEMEA chip failures by type




          Peaks = CVV – Togo, CAM – Tunisia, SDA - Morocco
                     Information Classification as Needed Only
                                          For Visa Internal Use   Presentation Identifier.43
 Minimising Interoperability Issues

• Use of devices approved to latest EMV specifications
• Ensure production keys are deployed
• Issuer certificates are valid and monitoring for incorrect
  certificates
• Keep host system and card settings simple
• Avoid host system edits on auth messages
• Vanilla implementation approach
• Acquirers must now use the ADVT
• Issuers should use VPA for card profiles



                           Information Classification as Needed Only
                                                For Visa Internal Use   Presentation Identifier.44
Thank you




            For Visa Internal Use Only

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:34
posted:10/5/2011
language:English
pages:45