EMV Workshop for VARs, ISVs and ISOs
The EMV Migration Forum held a successful EMV workshop for retail value-added resellers (VARs), independent software vendors (ISVs) and independent service organizations (ISOs) on September 26, 2014. This one-day event, organized by the Forum’s Testing and Certification Working Committee, provided a comprehensive review of chip technology and focused sessions on the development process and implementation best practices.
Audio recordings of the six workshop sessions are now available. Each session presentation is posted below, with an audio recording of the session.
- Why EMV Now in the U.S.
- EMV 101
- Development Preparation
- Payment Security Standards
- Implementation Best Practices & Considerations
- Testing Best Practices
Why EMV Now in the U.S. – Bruce Murray, B2 Payment Systems
Session Description and Key Takeaways: This session provided an overview of the drivers for the U.S. migration to EMV. Some points to consider when making the decision on when to migrate to EMV chip:
1) Payment brands (American Express, Discover, MasterCard and Visa) have counterfeit liability shift dates for October 2015 for POS with a two-year extension to October 2017 for Automated Fuel Dispensers. The EMV liability shift protects the investment of the entity that has invested in EMV chip technology. Some payment brands also have lost and stolen liability shift dates. Consult with your acquirer for specific payment brand details.
2) EMV chip technology provides several benefits including security and fraud protection, leverage for future innovation (i.e., tokenization, mobile payments), global standards and interoperability.
3) EMV and PCI are complementary technologies, implemented together to validate the card and transaction data using EMV and protect cardholder data using PCI. EMV POS solutions are now being developed to include both point-to-point encryption to protect cardholder data during transaction authorization and tokenization to protect the cardholder data at rest (when stored in a database).
4) U.S. issuers have been issuing EMV chip cards to international travelers to resolve magnetic-stripe-only acceptance issues and have expanded issuance to support the U.S. EMV chip migration, with projections of 575 million chip cards issued in the U.S. by 2015.
EMV 101 – Umesh Kulkarna, Clear2Pay
Session Description and Key Takeaways: EMV 101 provides an introduction to EMV for a diverse audience of technical and non-technical attendees and includes building blocks for the subsequent technical presentations for EMV development considerations, implementation best practices, and testing. It discusses the history of EMV, business cases that drive EMV, and the benefits of the technology. The overview also includes EMV chip card technology and the differences from both an issuer and acquirer perspective. The presentation concludes with implementation considerations including challenging use cases, attention to timelines, and the importance of testing. The key takeaways are education, preparation, setting realistic implementation timelines, understanding there are external dependencies on schedules (i.e., acquirer’s certification schedules) and understanding that EMV is uncharted territory for many organizations and resources (with lack of EMV knowledge). There are EMV documentation and resources available that can assist.
Development Preparation – Aidan Corcoran, Acquirer Systems
Session Description and Key Takeaways: Development Preparation provides recommendations for development of solutions to support EMV. Topics include documentation (least interesting but most critical), device configurations/requirements (i.e., kernel management) considerations, design stages, testing and overall project delivery. EMV is a well-balanced and experienced technology, so don’t be afraid of it! Data integrity is an important part of EMV as it is the basis for how the cryptogram works. The key takeaways are “read, read, read” the EMVCo and acquirer documentation as well as each of the payment brands’ requirements. There are standards established to ensure interoperability globally. EMV is dynamic and there will be ongoing updates unlike magnetic stripe. Spend time in the design phase. Brand testing should not be your QA cycle. Negative and exception testing is vital. Extend the project into live support to assist with interoperability. As you deliver solutions don’t be afraid to reach out for help to your acquirer, kernel provider and chip tool vendors as there are EMV resources available to help you.
Payment Security Standards – Russell Wolfe, UL Transaction Security
Session Description and Key Takeaways: The foundation of the presentation is based on the premise of how cardholders, merchants and banks share trust in a payment transaction process and how standards bodies with their associated certifications help create that framework of trust between the various parties. As a VAR, it is important to understand your place in the payment ecosystem as this will directly influence the standards organizations that you need to be in contact with. The key takeaway: there are many standards organizations in the payment ecosystem along with regional and brand requirements that need to be taken into account when planning/scheduling a project in the payments industry.
Implementation Best Practices & Considerations – Joe Santana, FIME
Session Description and Key Takeaways: The presentation provides recommendations on EMV chip migration including conducting a full business review, understanding your customer’s needs, and looking at the complete payment system in relation to all the stakeholders within the chain. EMV requires that all participants within this ecosystem operate correctly; ultimately systems need to be built with consideration of the acquirer, network, EMVCo and payment brand rules. Choices early in the project can impact the final certification. Take care—there is a lot of excellent documentation available to help guide and assist you. Make use of it and make sure you have the latest versions of these documents. With EMV migrations, keep in mind that once you implement your customers’ ideas, the process of testing needs to be cyclical (fixing, re-testing, fixing, re-testing), for final brand and acquirer certification is key to success.
Testing Best Practices – Derek Ross, ICC Solutions
Session Description and Key Takeaways: Testing Best Practices presented by ICC Solutions begins with an overview of the mainstream payment brand certification processes in place today for EMV Chip Terminal Integration testing, highlighting the main steps, content and challenges. Only qualified tools are permitted to be used in these certification processes thereby ensuring accuracy, integrity and consistency. An explanation of how tools employing various automation features can significantly improve the efficiency of test campaigns was presented. A discussion on areas for improvement, along with industry initiatives to streamline and standardize brand accreditation was also presented. The presentation concluded with an overview of one example of an innovative new “closed loop” certification process leveraging the rigor of host certification and placing the merchant/ISV in control with no direct involvement of the acquirer or payment brand. There are also testing solutions by other qualified chip tool vendors in the market which are available and in use today. Merchants, value-added resellers and independent software vendors should consult with their acquirers as they may already have test solutions available.
Please note: The information and materials available on this web page (“Information”) is provided solely for convenience and does not constitute legal or technical advice. All representations or warranties, express or implied, are expressly disclaimed, including without limitation, implied warranties of merchantability or fitness for a particular purpose and all warranties regarding accuracy, completeness, adequacy, results, title and non-infringement. All Information is limited to the scenarios, stakeholders and other matters specified, and should be considered in light of applicable laws, regulations, industry rules and requirements, facts, circumstances and other relevant factors. Use of or reliance on the Information is at the user’s sole risk, and users are strongly encouraged to consult with their respective payment networks, acquirers, processors, vendors and appropriately qualified technical and legal experts prior to all implementation decisions.
Please note that, on November 2, 2016, staff of the Board of Governors of the Federal Reserve System (the “Board”) released a FAQ relating to Section 235.7(b) of Federal Reserve Regulation II (promulgated by the Board pursuant to the Durbin Amendment to the Dodd-Frank Act), noting that although the FAQ is not an official Board interpretation, “[a] payment card network inhibits a merchant’s ability to route electronic debit card transactions if it, by network rules, standards, specifications, contractual agreements, or otherwise, requires the merchant to allow the cardholder to make the choice of EMV chip application on a debit card, where one application routes only to a single network.” None of the Information should be interpreted or construed to require or promote the establishment of any solution, practice, configuration, rule, requirement or specification inconsistent with applicable legal requirements, including Federal Reserve Regulation II, any of which may change over time. The U.S. Payments Forum assumes no responsibility to support, maintain or update the Information, regardless of any such change.