7/15/2015
EMV in Hotels: Observations and Considerations
Just in: EMV in the Mail
Customer Education: Credit Card companies have already started customer training for the new smart cards.
Questions to be Answered
What is EMV?
What does the October Mandate mean?
What will EMV look like?
How does EMV help?
Will EMV cost me more?
How does EMV help with security and with my PCI Audit?
Should I implement EMV sooner than later?
Glossary of Terms
EMV = Europay, MasterCard and Visa
EMV Dip = the insertion of the chip card into the new card readers
CVM = card verification method
Chip and PIN = dipping the EMV card and entering your PIN
Chip and Signature = dipping your EMV card and simply signing the receipt
Smart cards = EMV cards
Card Present = credit card transactions when the credit card is physically in hand
Card Not Present = any other transaction where the credit card is physically not present
P2PE = Point to Point Encryption ‐ prevents both manual and swiped credit card data from being stolen
Tokenization = replaces credit card numbers in databases with values that only the hotel system can understand and use
What is EMV?
EMV started in France in about 1992, when three organizations came together to create a standard for credit card payments designed to:
combat fraud
process offline
EMV was legally mandated and adopted in Europe in 2005.
EMV utilizes an embedded chip on the card rather than the magnetic stripe on the back of the credit card.
EMV transactions involve inserting the payment card into a slot on the payment terminal and allowing the applications on the card’s chip to interact with the applications on the payment terminal ‐ in some cases, communication to the outside world is not needed.
An EMV transaction involves verifying not only that the card is valid, but that the cardholder is valid as well.
What is the U.S. October 2015 Mandate?
The U.S. mandate is not a legal mandate; rather, it is a set of merchant incentives that encourage merchants to adopt the chip technology
There are no fines or penalties associated with EMV deployment – yet
There are some real benefits for hoteliers for implementing EMV
Chargeback liability relief
Limited credit card breach protection
Opportunity to upgrade to newer terminals that can do more
October 2015 and Liability Benefits
Visa, October 2015: The party that is the cause of a contact chip transaction not occurring will be financially liable for any resulting card present counterfeit fraud losses. Does not include automated fuel dispensers (AFD).
MasterCard, October 2015: MC ADC relief takes effect (100%). If at least 95% of MasterCard transactions originate from EMV‐compliant POS terminals, the merchant is relieved of 100% of ADC penalties. MC liability hierarchy takes effect (excluding AFD).
American Express, October 2015: American Express will institute a fraud liability shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology.
Discover, October 2015: Discover will institute a FLS. This FLS policy will be a risk‐based payments hierarchy that benefits the party that leverages the highest level of available payments security.
What does EMV do?
The Chip Technology accomplishes several basic things:
Better authenticates the card and the cardholder (especially if PINs are used)
Better Supports Offline Processing
Prevents Fraudulent Card Duplication
Forces upgrades to old technology
EMV Fraud Behavior Shifts
Credit fraudsters will always look for the weakest link to try to ply their trade.
Chip and PIN vs Chip and Signature
Chip and PIN: card insertion + PIN input (more secure)
Chip and Signature: card insertion + receipt signature (either electronic or paper signature) (less secure)
Most of the world’s EMV implementations operate in Chip and PIN mode. The US will implement both, but most card brands are expected to be primarily Chip and Signature, hence “Chip and Choice”.
Whether a consumer uses Chip and PIN or Chip and Signature is determined by a number of factors:
A. The Issuing Bank – Decides the CVM embedded in the card’s chip
B. The merchant – who deploys the terminals that can take a PIN
C. The Gateway (if applicable) – who is the liaison between the merchant and the banking networks
Why Chip and Choice?
The Durbin Amendment to the Dodd‐Frank Financial Reform Act requires that a choice be given to merchants on how they wish to process debit transactions. Debit transactions are very close to EMV transactions, therefore, Chip and Choice.
Resetting of the PIN ‐ In most of the rest of the world, Chip and PIN started with the ATM infrastructure. This allowed cardholders to reset their PIN numbers easily at the ATM if and when they needed to do it for a myriad of reasons.
Payment experience in many locations. Customer familiarity and convenience vs EMV security.
EMV Devices ‐ choices
EMV Players ‐ What’s Taking So Long?
EMV certifications are lengthy ‐ there are approximately 2500 individual tests that need to be run and passed to become validated
As the deadline approaches and the technology players finish their sprints to meet customer demand, the certification queues are filling up and many companies are in line waiting for certification resources
Each EMV certification requires each card type to be certified with each device with each processor (and gateway if applicable).
Any changes to hardware or software in the EMV transaction path require full recertification.
Many industry experts assumed that the U.S. would mimic Europe and Canada and defer the EMV mandate for several years, apparently that is not happening so the is on.
EMV ‐ Integrated vs Stand Alone
Stand Alone
Many banks offer stand alone or stand beside terminals to process EMV. These devices are sold by the credit processor and the EMV transaction would connect directly
Devices and direct processing are typically cheaper (fees and hardware)
Terminals are not integrated, so data would need to be ported manually into the PMS
Stand alone terminals tend to lock in a merchant with their credit processor since moving to another processor might be more difficult
Credit processors may typically only offer limited device choice
Credit processors tend to treat everyone like retail and do not typically offer Hotel‐grade security products
Integrated
Integrated solutions tend to require a gateway in between the PMS and the credit processor
Gateways tend to make function and reporting more seamless to the users
Gateways also tend to offer more choice of credit processors, better and more tailored security, better and more tailored support, and a variety of device choices
Disadvantages of gateways are that they tend to increase costs and dictate when choices are available
Will EMV Cost More?
Yes. Costs will definitely increase.
Fact: everyone’s costs are expected to increase.
Banks ‐ chip cards cost more to produce
Credit processors ‐ the processing infrastructure needs to accommodate the new data and support
Gateways ‐ processing infrastructure, equipment deployment, configuration, support, and training
Device manufacturers ‐ new terminals are more powerful and can do more. Examples: NFC, scrolling advertisements, and offline.
Property management system manufacturers ‐ supporting EMV might require a version upgrade, installation and configuration costs, network configuration and maintenance, and training
No one is expected to “eat” the increased costs, which will likely result in an increase of fees and service charges
Hidden costs? New Security Measures ‐ keeping a safe at the front desk?
EMV in Hotels ‐ What does it look like?
Hotel and Fraud. Hotels generally do not have a card present fraud problem (someone checking in with a counterfeit plastic credit card). Recent published hotel fraud rates are less than a basis point.
Front Desk Future? EMV is a technology that enhances a process the hotel industry has been trying to get rid of for decades ‐ the front desk check‐in process.
EMV will require new credit card devices on the front desk. Affixed to the front desk or tethered behind counter?
EMV and Mobile. Networking, Bluetooth vs Wi‐Fi, device addressing will require significant thought and configuration
EMV and Speed. The EMV authorization process is slower than today’s magstripe authorization due to “conversation” or prompting between the device and the customer
Hotels Are Generally NOT Card Present
Card Not Present
CRS Reservations
Card on File authorizations
Batching/Settlements
Call Center reservations
Hotel Website reservations
Incremental authorizations
Authorization reversals
Advance Deposits
Back office accounting
Refunds
Loyalty/Membership signups
[Chart: share of hotel card transactions; values shown: 24%, 67%, 9%; labels: Magstripe or manual entry, Card Not Present, EMV Eligible]
Card Present
Check‐in swiped or EMV dipped
Check‐in manual card entry
EMV’s Effect on PCI
Both Visa and MasterCard have offered programs to promote early adoption of EMV.
These programs, while not eliminating any of the requirements of PCI, do provide merchants with latitude on validating their requirements. In order to qualify, a hotelier must have:
o an EMV solution fully implemented for both contact and contactless cards
o the bulk of its card present transactions originating through dual‐interface chip enabled terminals. The exact percentage of transactions is available on the Visa and MasterCard websites.
While the merchant can gain some relief in the validation process, these programs in no way affect the base merchant requirement to maintain a fully PCI compliant payment card environment.
The Role of Current PCI Technologies
Tokenization ‐ replaces card numbers in databases with tokens
Point to Point Encryption ‐ from the point of contact with the card reading device, the card data is encrypted
Hosted Payment Pages ‐ direct posting of credit card data on websites for tokenization
Reservation Tokenization ‐ Tokenizing directly with reservation systems
Call Center and Accounting Encryption – deploying cheap encrypting keyboard pads to encrypt manual input of credit cards for call centers, reconciliation centers, accounting, etc…
Email and Paper Fax Tokenization ‐ scrubbing emails and faxes of credit card numbers (sales and catering bookings, room bookings from third parties, etc…)
Corporate Card Reporting Tokenization ‐ tokenizing the corporate card files that are transmitted to companies that specialize in processing those files
+ EMV? (why not?) ‐ EMV will add to the security mix, but is not by itself the security magic bullet
Where Are Breaches Happening?
[Chart, courtesy of Visa: breaches by merchant category (Restaurants, Other Retail, QSRs, B2B, Supermarkets, Lodging) for 2011, 2012, 2013 and June 2014]
The Hotel Omni Channel Security Challenge: pre tokenization and other security technologies
[Diagram of hotel payment channels: Spa, Sales & Catering, Hotel PMS, Back Office, Ecommerce, Reservations, Golf, Restaurant, Retail, GDS/ADS, Loyalty and Membership, Corporate Card Reporting, Hotel Website, Direct Reservations, Call Center]
The Hotel Omni Channel Security Challenge: …and what current security technologies + EMV solve
[Diagram of the same payment channels]
EMV ‐ Is it too late?
EMV is being mandated by October of 2015, but is it too late?
There are a myriad of competing technologies emerging.
How much technology are merchants, especially hoteliers, willing to support and pay for?
Why you should deploy EMV NOW?
EMV will help reduce your card present fraud
You will play your part in preventing others from being victims of card fraud
You will get chargeback relief and in some cases breach protection (MasterCard if PIN is supported)
The credit industry and government may someday force you to. Currently, there are incentives to implement EMV. However, if Europe is an example, retailers did not truly invest in the technology until fines and penalties were involved. Are we any different?
Brand reputation ‐ there is so much misinformation out there about what EMV does that not implementing it may lead your guests to think you don’t care about security
There might be residual PCI benefits
Hoteliers ‐ why you should wait on EMV?
The October Liability shift doesn’t do much for hotels since they don’t have a fraud problem in the first place
The longer hotels wait to deploy EMV, the:
greater device choice hotels will have
greater credit processor choices hotels will have
greater the competition will be among gateways and processors, which in turn is expected to drive costs down
Adoption ‐ will consumers embrace the new process? The 2015 usage of EMV chip cards is expected to be pathetically low. 2016 will increase exponentially, but will the usage outweigh the costs of deploying the new technology?
In the scramble to get EMV out ‐ will the industry get it right?
EMV in the hotel world is still relatively new ‐ especially in an integrated fashion and especially in a market as big as the U.S.
What YOU should do?
Fact: you are going to have to support this technology ‐ someday
Some may have no choice but to implement EMV (corporate mandates are an example)
Find trusted advisors and ask tough questions
Perform cost/benefit analysis of implementing or not
Inform yourself ‐ read security blogs, opinion articles, ask vendors serious questions on implementation timing, device availability, costs, support, and training
Understand what happens if you decide to delay or defer
Don’t panic