EMV and NFC migration in the US

TitleSubtitle

50 Years of Growth, Innovation and Leadership

A Frost & Sullivan White Paper

Jean-Noël Georges

www.frost.com

Managing the Migration to EMV and NFC Payment Technology:How to ensure the successful and efficient market deployment of a product

http://www.frost.com

Frost & Sullivan

CONTENTS CONTENTS

Introduction ............................................................................................................................ 4

EMV and NFC: The Opportunities Created by a Chip Landscape .................................... 6

The Drivers for Worldwide Deployment of EMV Secure Chip Payment Technology ..... 7

The Chip-Based Infrastructure and Other Technologies ................................................... 7

NFC: An Emerging Technology ............................................................................................ 8

The Added Value of the NFC-Based Mobile Payments ...................................................... 8

Specifications and Standards: Creating an Interoperable Payment Landscape .............. 9

Contactless Payment Standards and the Challenges Between Stakeholders.................. 10

Union of the Payment Systems ............................................................................................ 10

Solution Development and Testing: How to Implement a Trusted and Sustainable Infrastructure .......................................... 11

What an Issuer or a Personalization Bureau Should Remember Before Introducing an EMV/NFC Product ....................................................................................... 12

Selection of a Vendor Product ............................................................................................. 12

Evaluation of the Risk .......................................................................................................... 12

Impact on the Personalization Process .............................................................................. 13

Undertaking Personalization Testing .................................................................................. 14

What an Acquirer or a Processor Needs to Understand When Deploying EMV/NFC POS Terminals ................................................................................... 15

Standards and Specifications .............................................................................................. 15

Transaction Process to be Adapted ..................................................................................... 15

POS Terminal Infrastructure to Fit EMV Requirements ..................................................... 15

New Authentication Process ................................................................................................ 15

Configuration of the Terminals to Meet the Requirements of Merchants and Other Stakeholders ............................................................................... 16

Terminal Testing Prior to Market Launch ........................................................................... 16

Frost & Sullivan

CONTENTS

What a Merchant Needs to Take into Account ................................................................... 17

Impact on Small to Medium Sized Merchants ................................................................... 17

Impact on Large Organizations .......................................................................................... 17

Markets Integration Strategy ............................................................................................... 18

Local Knowledge and Local Presence ................................................................................. 18

Knowledge of EMV, NFC and Dedicated Brand Specificities ............................................ 18

Engaged Across Sectors ........................................................................................................ 19

Third-Party Accredited ......................................................................................................... 19

The Last Word ........................................................................................................................ 20

Ensure You Have an EMV and NFC Strategy ..................................................................... 20

Know What Standards Must be Achieved ........................................................................... 20

Plan for Testing and Certification Time .............................................................................. 20

Continually Look to the Future ........................................................................................... 20

Frost & Sullivan

4 Frost.com

INTRODUCTION

Migration to EMV® provides an opportunity for issuers and acquirers within the United States (U.S.) to implement secure chip technology that will deliver value-added and convenient services to end-users. While U.S. stakeholders can learn from different markets, they also have the chance to lead the global payments industry in deploying an advanced payment network by implementing a framework that is scalable and will support the next generation of payment solutions, including near field communication (NFC).

Ensuring that a payment product will be fully interoperable with existing and future infrastructures and can be successfully integrated into the marketplace, is fundamental to achieving a secure chip payment environment that reaches its full potential. This requires:

• The development of functional and security standards that must be adhered to by all stakeholders.

• An established and agreed upon testing process for cards, devices and software that can certify that a product will perform as advertised.

• Market stability and confidence by ensuring new regulation and functional requirements are fully backward compatible, minimizing investment risk.

This white paper provides U.S. issuers and acquirers with an insight into the EMV standards landscape. It offers advice into how technology development costs can be contained by understanding which functional and security standards are stipulated by the secure chip payment industry. An appreciation of the certification process will result in a shorter time to market and ensure no unforeseen delays are incurred during the final stages of product development.

The paper also outlines the industry standards that are not mandatory but are shaping the next-generation payment ecosystem. These standards will protect product investment as the market continues to advance at a significant pace and industry sectors converge to deliver services through new channels such as NFC.

The paper concludes by highlighting the unique opportunity available to the U.S. payments market to create a combined EMV and mobile payment strategy. Using the experiences of other countries that have implemented EMV, and the success of NFC trials globally, it can aim to achieve both EMV and NFC in a single migration project.


Managing the Migration to EMV and NFC Payment Technology

5Frost.com

Sponsor’s Word

“FIME is delighted to sponsor and contribute to this white paper developed by Frost & Sullivan. We believe this document is a must-read and will serve as a valuable reference source to issuers and acquirers in the U.S. who are about to embark on an EMV implementation project.

“To ensure optimum return on investment, U.S. stakeholders involved in the implementation of EMV should acknowledge today future requirements and plan accordingly. Consultancies such as FIME invest significant resources to understand long-term market needs to assist stakeholders in developing sustainable technology implementations, as well as guide parties through the testing and product certification stages.

“FIME has over 15 years of experience supporting stakeholders that have implemented EMV — and increasingly NFC — solutions globally. During this time, we have developed our knowledge not only on the standards that are mandatory, but also the specifications that will support the next generation of payments and the delivery of value-added services. As markets converge to offer new and exciting payment tools, the ability to adapt quickly and securely will be key to gaining market share and consumer confidence.

“Working with market integration consultancies that can offer strategic advice, test tools and certification services, ensures EMV and NFC technologies can successfully integrate with other solutions and easily accommodate upgrades. This significantly reduces a solution’s time to market.”

“It is without doubt an exciting time for the U.S. payments community. We look forward to sharing our secure-chip expertise and working with you to advance this landscape.”

Pascal Le Ray General Manager, FIME


Frost & Sullivan

6 Frost.com

EMV AND NFC: THE OPPORTUNITIES CREATED BY A CHIP LANDSCAPE

At the end of 2011, Frost & Sullivan estimated that there were more than 1.5 billion EMV-compliant cards in circulation. By 2017, it is predicted that almost the entire world will have completed, or will be close to completing, the EMV migration process.

Figure 1: Status of EMV standard implementation, March 2012

AmericasEMV cards: 345 M.EMV terminals: 5.1 M.

Asia PacificEMV cards: 396 M.EMV terminals: 5.1 M.

EMEAEMV cards: 850 M.EMV terminals: 13.0 M.

Penetration of EMV cards, POS, and/or ATMS is above 50 percent

One or more banks are migrating or havemigrated to EMV

Early preparationfor EMV migration

No preparation for EMV migration

Source: EMVCo, Visa, MasterCard, Frost & Sullivan analysis

The United States (U.S.) is the only country that is still in the preparation stage for EMV migration. Stakeholders of the U.S. payment industry cannot afford to isolate their ecosystem, especially as consumers and businesses look to embrace technological advances and new payment tools.


7Frost.com

THE DRIVERS FOR WORLDWIDE DEPLOYMENT OF EMV SECURE CHIP PAYMENT TECHNOLOGY

EMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCard and Visa, maintains and advances secure-chip payment technology. To date, the EMV secure-chip standard forms the basis for the payment infrastructure across Europe, Canada and many countries within the Asia-Pacific region.

The migration to secure-chip technology has been fueled by a number of factors:

1. Security: The EMV standard and payment system security mechanisms work together to enhance payment card security.

2. Fraud migration: Fraud rates have been relatively low in the U.S. compared to the rest of the world, but they may soon rocket as fraud migrates to non-compliant EMV countries. This change will predominately be driven by the migration to the EMV standard in Mexico and Canada.

3. Liability shift: The liability for fraudulent transactions will shift from issuers to acquirers and retailers by 2015 in the U.S. As a result, the acceptance of chip bank cards will increase.

4. Flexibility: This is probably the key word for this technology. Indeed, the capability to manage the risk based on card present or not present for online or offline payments is the perfect approach for a reliable product.

5. Interoperability: EMVCo works to maintain an interoperable and open ecosystem based on the standard.

6. Value-added services: EMV technology is closely associated with cost savings in relation to mitigating against fraudulent activity. The migration to EMV is also an opportunity to develop new partnerships that will support additional revenue generation beyond traditional payment transactions. This includes payment-enabling technology, such as downloading a train ticket onto a mobile phone and using this as proof of purchase, or using a mobile coupon in a retail store.

7. Global acceptance: For financial institutions that have customers traveling internationally, an EMV payment card is required to successfully undertake payments abroad.

THE CHIP-BASED INFRASTRUCTURE AND OTHER TECHNOLOGIES

The migration to EMV in the U.S. creates an environment that will support other chip-based technologies such as near field communication (NFC).

Frost & Sullivan believes that the successful deployment of NFC-based payments depends on the end-user experience. It is important to note that EMV development in an NFC environment supports a range of different business models to manage risk and customer experience. This paper will further describe the added value that the NFC technology will bring to the payment ecosystem.

Frost & Sullivan

8 Frost.com

NFC: AN EMERGING TECHNOLOGY

If well implemented, NFC has the power to accelerate the decision-making process when purchasing goods by providing more chances for both consumers and service providers to interact.

Figure 2: Example of current and expected NFC commercial rollouts, 2012

United StatesGoogle Wallet

ISIS

United KingdomQuick Tap

SingaporeiDA

TurkeyBonusluAvea

Cep-T-Cüzdan AustraliaCBA

ChinaChina Unicom

China Telecom

UnionPay

AEPM

Expected NFC commercial rolloutNFC Commercial Rollout

France

The figure above provides a small sample of current and future NFC projects around the world. The U.S. payment industry can learn from the experiences of other countries using contactless payments and has the opportunity to directly implement a contactless and EMV-compliant payment ecosystem.

THE ADDED VALUE OF THE NFC-BASED MOBILE PAYMENTS

Paying with a mobile phone is not a new idea; many technologies like SMS or USSD render the same services. Hence, it is valid to ask what advantages NFC has over other mobile payment technologies:

Customer experience: NFC provides new ways of interaction for both merchants and consumers. Advertising through smart (contactless-enabled) posters, location-based services and highly customized loyalty programs are some of the approaches marketers can use to move from a “push” to a “pull” marketing strategy.

More revenue for the merchants: The change of marketing strategy approach is expected to generate more frequent visits of customers to the stores, higher coupon redemption rates and more sales.


9Frost.com

Multiple applications: Besides payment, loyalty programs and couponing, NFC can be the enabling technology for a plethora of applications, such as transport ticketing, social networking (e.g., exchange of business cards) and access control.

Security: NFC-based mobile payments can be equipped with bank-grade security. In fact, NFC-based mobile payments can be EMV-compliant, adding all the benefits and security of the EMV standard to the mobile payment services.

SPECIFICATIONS AND STANDARDS: CREATING AN INTEROPERABLE PAYMENT LANDSCAPE

The payment industry is facing a revolution as mobility becomes a standard. Consumers are looking for a payment solution that is available “anywhere, anytime”; in line with the nature of other technologies that they use in their everyday lives.

To support these changes, it is crucial that financial institutions adhere to existing standards in order to create a trusted and stable ecosystem. According to Frost & Sullivan’s research, it is particularly important for financial institutions to adhere to standards enabling interoperable security mechanisms as convenience is considered by consumers to be the most valued feature of a payment solution. For instance, specific EMV requirements for risk management, such as online and offline authentication or the Cardholder Verification Method (CVM), can be leveraged to build a secure payment mechanism.

Moreover, in countries where EMV has been widely deployed, financial institutions should develop payment solutions that are compliant to EMV to protect previous investments and ensure compatibility with established systems.

In countries where EMV is still in its infancy, like the U.S., financial institutions can benefit from the adherence to EMV as a means to ensure a globally interoperable payment solution. Some banks in the U.S., such as JP Morgan Chase, Wells Fargo and the U.S. Bank, are aware of the importance of global interoperability and they have issued EMV cards to their customers who frequently travel.

Finally, and it is probably the most important change for the U.S. market, financial institutions have agreed to the liability shift policy. This policy is implemented by card associations which have decided to expand and accelerate the EMV infrastructure deployment in the U.S. by adopting a plan (effective October 2015) which encourages interested merchants to switch to a contact and contactless chip terminal to avoid possible fraud. It is important that any contact and contactless chip cards issued can benefit from top-of-the-range payment cryptographic mechanisms by using a dedicated payment terminal. The liability shift supports this strategy as it will be the merchant’s acquirer that will be responsible for funding the cost of fraudulent activity if a contact or contactless chip payment terminal has not been implemented.

Frost & Sullivan

10 Frost.com

CONTACTLESS PAYMENT STANDARDS AND THE CHALLENGES BETWEEN STAKEHOLDERS

The arrival of contactless technologies, namely contactless payment cards and NFC, has modified the payment industry. This change is a great opportunity for each country to implement the latest and most up-to-date payment mechanisms and associated standards.

Contactless features that are deployed based on existing and validated payment infrastructures will be accelerated. EMV contactless solutions should be seen as good examples of this evolution. The same example could be applied to a mobile contactless payment solution. In an ideal world, the NFC payment solution will perfectly fit to the actual card’s payment process and will be interoperable worldwide. Instead of reinventing the wheel, it is opportunistic to use existing processes and it will be more efficient for all stakeholders to adopt a set of common standards and open platforms.

Besides the evolution of technical solutions, there is a need to focus on regional and brand variations that new payment solutions are subjected to. When it comes to contactless payments, each payment scheme has developed its own solution, for instance, MasterCard PayPass, Visa payWave, American Express expresspay and JCB J/Speedy. These solutions will be included in the payment infrastructure after being certified by accredited test laboratories.

UNION OF THE PAYMENT SYSTEMS

In summer 2011, Visa announced plans to accelerate the use of EMV cards. This announcement is in line with the global strategy; Visa’s Technology Innovation Program (TIP) will be expanded into the U.S. with an effective date in October 2012. This is a program that will give the merchants the capability to process contact and contactless EMV transactions with the use of dual-interface terminals.

Following the same strategy, MasterCard announced at the end of January 2012 its U.S. roadmap to enable the next generation of electronic payments. It paves the way for the migration from the magstripe to EMV technology. EMV standards will then become the backbone and the foundation for the next generation of payments. The acquirer infrastructure will have to be modified, and the targeted deadline has been set for April 2013.

Finally, in June 2012, American Express revealed its roadmap to advance EMV chip-based contact, contactless and mobile payments for all merchants, processors and issuers of American Express-branded cards in the U.S.

It is also important to mention some regional standards for North America. Interac is currently rolling out Interac Flash (a contactless solution for EMV-based secure chip processing) and in mid-March 2012, Discover Financial Services announced an initiative to bring EMV chip card payments to the U.S. Discover payment network. EMV-compliant cards will continue to be deployed in 2012 across the Diners Club, PULSE and Discover Card networks. The plan describes the different steps to reach April 2013 as the key date for merchants and acquiring processors to be certified to support contact and contactless EMV chip card transactions.


11Frost.com

To make a contactless payment process as safe as possible in accordance with international security payment standards there is a need to have a secure element. GlobalPlatform1, with the launch of its compliance program, announced in February 2012 that it will align its secure element program with the mobile payments certification structures provided by EMVCo.

As for standard bank card payment brands, ISIS2 is deploying a brand for mobile wallet payment in the U.S. ISIS is one of the most advanced entities to coordinate and accelerate the wallet ecosystem in the U.S. The “ISIS ready” brand could then be used by merchants in a similar manner to how the MasterCard or Visa logo is used today to generate consumer confidence that a transaction will be secure.

SOLUTION DEVELOPMENT AND TESTING: HOW TO IMPLEMENT A TRUSTED AND SUSTAINABLE INFRASTRUCTURE

It is clear that there are many benefits of migrating to a chip-based payment solution. The decision process and efforts of how this activity will be implemented, however, will differ depending on the company positioning within the payment value chain. Frost & Sullivan has defined three groups that will be directly impacted by an EMV and NFC migration: issuers and personalization bureaus, acquirers and processors, and merchants.

Figure 3: Impact level per profile, 2012

Card

POS Terminal

Personalization

Networks

MerchantsAcquirers - ProcessorsIssuers - Perso Bureau

MINOR LOW MEDIUM HIGH IMPORTANT

Source: Frost & Sullivan analysis

1 GlobalPlatform is a cross-industry, not-for-profit association that identifies, develops and publishes specifications that facilitate the secure and interoperable deployment and management of multiple embedded applications on secure chip technology.

2 The Isis™ joint venture is between AT&T Mobility LLC, T-Mobile USA and Verizon Wireless. The Isis mobile commerce network will be available to all merchants, banks, payment networks and mobile carriers.

Frost & Sullivan

12 Frost.com

WHAT AN ISSUER OR A PERSONALIZATION BUREAU SHOULD REMEMBER BEFORE INTRODUCING AN EMV/NFC PRODUCT

SELECTION OF A VENDOR PRODUCT

To start deploying EMV-compliant and NFC-enabled products, card issuers should have a strategy in place. The first step is to focus on the chip card issuance process as it provides a solid foundation for the complete project. The embedded application is at the heart of the card for an EMV-compliant payment product and offers a good starting point. Indeed, the application could come from a card association such as Visa, MasterCard or American Express.

The key point when selecting a payment solution is the compliance with the EMV and NFC standards based on the International Organization of Standardization (ISO) for contact and contactless interfaces. Regarding data management, the issuer and personalization bureau must conform to the Payment Card Industry Data Security Standards (PCI-DSS) regulations. But perhaps one of the most important aspects is that the vendor product should implement an appropriate chip card authentication mechanism to protect the integrity and authenticity of the chip card data and its corresponding PIN.

Figure 4: The payment ecosystem, 2012


EVALUATION OF THE RISK

It is well known that cards interact with the payment schemes. The parameters, under which these interactions occur, may vary and provide different levels of security for authenticating a card, verifying the cardholder identity and approving the transaction.



13Frost.com

These parameters include whether a transaction is performed online or offline and whether the cardholder verification method (CVM) is signature or PIN-based, among others. Currently, the U.S. payment industry uses magstripe cards, the transactions are online and the CVM is signature-based.

With EMV-compliant cards, the embedded chip will be responsible for managing most of the risk parameters. For instance, the transactions could, by default, be performed offline (to reduce the processing time) and after a pre-established number of transactions, the approval can be performed online. Similarly, the CVM could be signature-based or PIN-based, or there could even be no CVM. While U.S. consumers prefer to sign when paying, in the long term, PIN-based CVM could provide a higher degree of security and lower costs to merchants (as the transaction fees will be smaller).

The next step is to define the risk management approach. In the traditional approach, a single set of risk parameters is defined for all cardholders. In contrast, the dynamic approach offered by EMV defines a specific set of parameters for each cardholder (or for certain groups of cardholders). The “customization” of risk parameters is based on the historical data of card usage and card fraud. Using a dynamic and tailored approach can benefit the card issuer as it will contain the risk to their operations.

IMPACT ON THE PERSONALIZATION PROCESS

EMV migration needs to be fully prepared, planned and defined. There is no doubt that the greatest impact during EMV migration is on the issuer needing to modify:

• The back office system (new personalization requirements, new data generation management, new way to manage the application life cycle)

• The authorization system (new parameters to be able to handle new risk management, fraud monitoring and PIN management policies)

• The customer service (customer relationship management)

And, specifically for the NFC migration, there is a need for:

• A payment software application or a wallet

At the moment, there are no specific risk parameters for NFC-based payments. The NFC wallet application will need to be certified to fulfill contactless feature requirements and to follow payment standards.

In the U.S., much of the buzz surrounding NFC-based payments has been created by ISIS’ and Google’s offerings. ISIS has created a mobile commerce network and a payment brand intended to augment customer awareness of NFC-based payments. Likewise, Google announced in May 2011 that it will be part of this market with its Google Wallet based on its new open NFC product.

Frost & Sullivan

14 Frost.com

Although there is no standardized set of parameters for NFC-based payments, the NFC ecosystem will include new market participants, such as telecom service providers, and new procedures. For instance, some of these new procedures will include the life cycle management of the NFC payment application, and the management of the secure element. These functions will probably be performed by a Trusted Service Manager (TSM). The TSM provides a contact point between service providers and NFC mobile phones. Service providers can deliver NFC mobile phones with remote and secured multi-application management functionality through the TSM.

UNDERTAKING PERSONALIZATION TESTING

The upgrades of the card issuers’ systems, required by the EMV migration or a contactless payment program, need to be tested and certified. Indeed, EMVCo is an association that provides EMV specifications and certifications to ensure global interoperability of chip-based payments. Frost & Sullivan defines four different steps within the validation testing process for both contact and contactless cards.

1. The first step (Level 1 certification for card manufacturers) is to validate that the card is compliant to physical and electrical specifications. This may include supporting a given voltage or supporting different communication protocols, among others.

2. The second step (Level 2 certification for card vendors) is to verify that the operating system of the card and the embedded application for the EMV payment mechanism function properly. For example, this may mean that card vendors have to validate that the card supports different cryptographic functionalities.

As a minimum, issuers should choose vendor products that have passed the Level 1 and Level 2 certifications.

3. The next step is for the issuer to validate the personalization of the card application according to the needs of the payment scheme’s requirements that the card complies with, such as MasterCard and Visa.

4. The last step is about certifying the manufacturing process used by the issuer and/or personalization bureau. The process consists of selecting a sample of (recently produced) cards and testing whether they contain the proper payment application and are personalized with the desired set of data. The process also includes validating the data processing.

To be able to test these different steps, it is necessary to develop dedicated tools, or as most firms prefer, to receive assistance from a testing company. The choice is between doing in-house testing with an internal or a commercial test tool or debugging and validating with an accredited third party. Hence, opting for the second option is usually recommended. The chosen third party will provide a tool that will be able to simulate different scenarios to which a card will normally be exposed in the real world. During this process, potential errors will be identified and fixed. It is important to mention that contactless products must comply with specific brand requirements (MasterCard, Visa or American Express) as well as regional specifications such as SAMA SPAN for the Saudi banks network.


15Frost.com

WHAT AN ACQUIRER OR A PROCESSOR NEEDS TO UNDERSTAND WHEN DEPLOYING EMV/NFC POS TERMINALS

STANDARDS AND SPECIFICATIONS

According to EMVCo, the requirements for acquirers/processors to be EMV-compliant can be summarized in the following three main domains: the terminal, the network and the back office system. As far as NFC is concerned, EMVCo is currently working with the telecom industry and major market participants from the NFC ecosystem to develop the necessary specifications for mobile payments.

TRANSACTION PROCESS TO BE ADAPTED

Back office systems, payment processing networks and platforms have to be upgraded to comply with the EMV standard. And EMV-compliant transactions usually involve more volume of data than a magstripe-based payment transaction. Furthermore, the data of EMV-compliant transactions is structured in a particular way.

Hence, the payment processing network and platform should be able to retrieve that data and properly route the payment transaction. The back office system should also be able to extract the relevant data and correctly process it. And last but not least, the related fraud prevention and risk management systems should be upgraded.

POS TERMINAL INFRASTRUCTURE TO FIT EMV REQUIREMENTS

Terminals - including Point-of-Sale (POS) or Point-of-Interaction (POI) terminals, ATMs and unattended terminals - should be equipped to read the data from EMV-compliant cards. And similar to cards, terminals are subject to Level 1 (hardware) and Level 2 (software) certifications; in other words, acquirers and processors need to choose vendor products that are already Level 1- and Level 2- certified. In the majority of cases, the upgrade of terminals requires replacing the entire terminal. If the acquirer (processor or merchant) happens to have terminals with a slot for reading chip cards, then a software upgrade may be the only upgrade required.

NEW AUTHENTICATION PROCESS

The authentication mechanism is based on strong cryptography with associated key-management processes based on PCI-DSS requirements. The great advantage of the EMV authentication process is that it is based on dynamic data exchange to avoid any potential hack. Authentication mechanisms, such as Dynamic Data Authentication (DDA) and Combined Data Authentication (CDA), are in that case used for card-present authentication.

But when paying on the internet, for example, the card is not present to compute such data, and there is a need to use a proprietary solution such as 3-D Secure developed by Visa and MasterCard. This new step in the payment process adds a new security layer. Instead of providing the bank card’s physical information only (card number, expiration date, CVV, etc.) a personal question is asked (e.g. birth date) or, even better, a one-time password is sent by SMS to the cardholder.

Frost & Sullivan

16 Frost.com

CONFIGURATION OF THE TERMINALS TO MEET THE REQUIREMENTS OF MERCHANTS AND OTHER STAKEHOLDERS

Whenever the terminal is EMVCo-certified, there is a next important step to perform to be able to minimize the payment risk. For the terminal, it means setting up parameters to follow acquirer and merchant requirements. These parameters will, for example, indicate the floor limit check (for debit, credit, magstripe) or the velocity checking (maximum number of offline transactions). The parameters will drive the content of the TVR (Terminal Verification Results). In the end, and based on these parameters, the terminal will make the decision to decline the transaction or to request an online approval.

TERMINAL TESTING PRIOR TO MARKET LAUNCH

ATM and POS terminals play an important role in the payment ecosystem. These devices are the only devices in direct contact with the end-users. Each payment terminal follows particular specifications. All terminals need to be EMV-certified. This is true not only for the terminal itself but also for the embedded software known as the kernel. As previously mentioned, there are some brand specificities such as MasterCard PayPass Terminal Integration Process (M-TIP) that should be followed. This is why the terminal integration testing phase is essential for the acquirers. Indeed, this phase is crucial because it is during this process that the required tests will be performed to validate the terminal integration. With an increasing number of contactless terminals coming to market, there is a specific need for testing prior to launching the product.

This is an important stage for the development of a specific POS terminal, as only certified products will be deployed globally. And it is important to keep in mind that terminal testing is a long process and the timing should be adjusted to fit targeted deadlines. However, acquirers could also choose an already certified product to fully comply with specific brand requirements.


17Frost.com

WHAT A MERCHANT NEEDS TO TAKE INTO ACCOUNT

The merchant should be prepared to support all payment solutions. This means that the merchant should have contact and contactless readers. Readers, network, protocols and systems should be certified compliant with international electronic payment rules.


IMPACT ON SMALL TO MEDIUM SIZED MERCHANTS

To reduce the time to market and to optimize the merchant’s commercial offering, it is necessary to have a complete certified solution. Visa announced in 2011 that the U.S. will have to support NFC and EMV at the same time. Merchants will have to upgrade basic magstripe terminals to EMV-compliant contactless terminals. Those contactless-enabled terminals accept only cards with a magstripe-based technology called MSD (Magnetic Stripe Data), which is not EMV compliant.

Migration for a small to medium sized merchant, therefore, means that they will need to buy (or rent) a certified payment terminal to accept all international payment form factors, to avoid losing clients and to optimize the payment risk. The choice of the rental model is an opportunity for the merchant to receive associated services such as maintenance to be sure to have the latest version of the operating system for the terminal and that supports the latest versions of the payment application.

IMPACT ON LARGE ORGANIZATIONS

Whereas small– to medium-sized merchants need to upgrade their payment terminal, large merchants must upgrade their payment network and software platform. In this case, merchants should be able to accept all payment solutions to avoid any loss. This strategy could be driven by using the payment solutions that large firms have already deployed in other regions.

Walmart, for example, has already migrated to EMV in its European stores. It is pushing to deploy the same program within the U.S. retail market so it will be able to accept EMV cards from international visitors. In 2011, Walmart announced that it had purchased EMV-enabled terminals for all 4,000 U.S. stores.

Frost & Sullivan

18 Frost.com

MARKETS INTEGRATION STRATEGY

As highlighted previously, a migration for EMV and NFC is a long and complex story. For all involved stakeholders, it is crucial to be assisted during the selection of a product, during the certification of their solution and, finally, during the risk management definition and testing.

A partnership approach will allow the migration to become a smooth process instead of a complex problem. With the support of a testing and market integration consultancy, it is possible to provide lessons learned from past projects, facilitating faster and easier decision-making thus reducing time to market. As such, changes will be implemented with assistance and issues will be quickly managed. The decision process channel and timing will then be optimized and more flexible; in other words, the investments and the total cost will be rationalized.

LOCAL KNOWLEDGE AND LOCAL PRESENCE

EMV and NFC technologies are following international standards. But there are also regional specifications to be adhered to. This paper has already referred to the Saudi Payment Network (SPAN), another example is the Electronic Protocols Application Software (EPAS) network that has been conducted to reach the European Payments Council (EPC) objectives.

A global partner with local visibility and market awareness is ideally positioned to offer guidance and advice to ensure that an implementation adheres to the full scope of national, regional and international industry standards. By assisting in the development, testing and certification activity, this level of support will see a product brought to market as effectively as possible.

KNOWLEDGE OF EMV, NFC AND DEDICATED BRAND SPECIFICITIES

Knowledge of EMV payment mechanisms independent of any brand is crucial. Functional understanding is important when handling payment mechanisms coming from content chip and PIN cards as in addition to those coming from emerging payment solutions using Visa or MasterCard contactless applications. Other brands are available on the market, such as American Express, Discover or JCB. Through the partnership, the implementation company should have a complete knowledge of the EMV standards, plus some technical particularities linked to the targeted brands.

The company involved in an EMV or NFC migration should have a historical partnership with global associations such as EMVCo, the PCI Security Standards Council and EPC for SEPA. It is also necessary to have the capability to deal with MULTOS cards or GlobalPlatform cards and the ability to use different applications such as Visa VSDC, qVSDC, and MasterCard M-Chip.

This is why a partner that already has a long history within the migration space is key to succeed. This historical background will bring best practices and dedicated knowledge for a smooth migration.


19Frost.com

ENGAGED ACROSS SECTORS

The payment industry is in constant evolution. Payment schemes, security mechanisms and new devices appear every year. In order to reach the quality level required for the migration, the accredited company selected for a migration should be recognized as a key participant within working groups currently addressing future technologies and commercial issues.

For the payment industry, in addition to EMVCo activity, it is also important to mention that, from a pure technology point of view and for emerging payments such as NFC, working groups such as ETSI, GSMA and the NFC Forum are crucial.

As these standards are evolving, the technologies involved and the associated operating systems and security rules are affected. This is why working groups with non-profit associations such as GlobalPlatform are relevant; they will allow the migration to be ready for the future payment steps evolutions.

THIRD-PARTY ACCREDITED

Migration includes several required certifications. These certifications could be based on the selected payment mechanism (EMVCo-certified for example), or the selected terminal (NFC, EMVCo, PCI-certified for example) or even based on a brand (Visa, MasterCard, Discover, GlobalPlatform, etc.).

Using an implementation company that is accredited with most of the international standards during migration mitigates the risk of the deployment and reduces costs; all while maintaining a single point of contact. A direct contact will optimize the communication process and will bring transparency and credibility to the workflow.

Frost & Sullivan

20 Frost.com

THE LAST WORD

ENSURE YOU HAVE AN EMV AND NFC STRATEGY

The EMV announcement and the arrival of NFC in the U.S. is the perfect time to prepare a combined strategy. A single investment for a migration, including two technologies, is an opportunistic approach to reduce the total cost of the project.

KNOW WHAT STANDARDS MUST BE ACHIEVED

Alternative payment means generated many devices, solutions and products. This is crucial to select an offer that will successfully integrate into legacy systems. The solutions should be able to evaluate in the time it takes to accommodate functional, security and regulatory updates.

PLAN FOR TESTING AND CERTIFICATION TIME

Wherever you are within the payment chain (issuer, acquirer or merchant), it is necessary to take into account the time it will take between the choice of the payment solution and the product certification. Testing and certification plans should be carefully scheduled over the next two years. Timing is everything.

CONTINUALLY LOOK TO THE FUTURE

The payment world is evolving and emerging payment solutions are appearing more and more often. That said, it is important to have an approach based on technology scouting or to partner with a company that is aware of the regulation changes.

877.GoFrost • [email protected]://www.frost.com

ABOUT FROST & SULLIVAN

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies? Contact Us: Start the Discussion

For information regarding permission, write: Frost & Sullivan 331 E. Evelyn Ave. Suite 100 Mountain View, CA 94041

Silicon Valley 331 E. Evelyn Ave. Suite 100 Mountain View, CA 94041 Tel 650.475.4500 Fax 650.475.1570

San Antonio 7550 West Interstate 10, Suite 400, San Antonio, Texas 78229-5616 Tel 210.348.1000 Fax 210.348.1003

London 4, Grosvenor Gardens, London SWIW ODH,UK Tel 44(0)20 7730 3438 Fax 44(0)20 7730 3343

Auckland Bahrain Bangkok Beijing Bengaluru Bogotá Buenos Aires Cape Town Chennai Colombo Delhi / NCR Dhaka

Dubai Frankfurt Hong Kong Istanbul Jakarta Kolkata Kuala Lumpur London Manhattan Mexico City Miami Milan

Mumbai Moscow Oxford Paris Pune Rockville Centre San Antonio São Paulo Seoul Shanghai Shenzhen Silicon Valley

Singapore Sophia Antipolis Sydney Taipei Tel Aviv Tokyo Toronto Warsaw Washington, DC

http://www.frost.com/prod/servlet/register-form.pag?refpage=http%3A/www.frost.com/prod/servlet/frost-home.pag&SRC=Contact

EMV and NFC migration in the US

Business

nfc payment technology

knowledge of emv

emv requirements

payment systems

nfc strategy

contactless payment

secure chip technology

advanced payment network