• Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.

1. EMV Payments: Changes at the Point of Sale
 Greg Boardman
 SVP
 Ingenico North America

2. Table of Contents
 Synopsis
 The Key Dates Revisited
 Merchant Impact Chart
 Message Format Changes
 Merchant Checklist
 EMV / NFC Connection
 Merchant Stratificaiton
 CDE Mapping
 Other Factors

3. Synopsis
EMV migration can impact a number of areas that link a merchant’s transactions
processing infrastructure with the same processing side that has long supported
magstripe card acceptance. A US migration may pose a number of unique
challenges, perhaps more than other regional migrations to date.
• The Visa incentives programs expressly imply both contact AND contactless
• This means that support for both technologies should be considered
• The market will still experience a need for supporting magstripe
• A hybrid model would be anticipated
• Acceptance devices will need to support all payment types
• “Fallback” possibilities
• PCI compliance challenges are already straining budgets and tolerance
• P2PE still not pervasive
• PCI PTS evolutions / threat of physical attacks on older devices

4. Dates VISA MasterCard Discover American Express
Oct 2012 • Technology Innovation
Program (TIP) Annual PCI
DSS audt relief
• 75% Visa trans must
come from EMV terminals
• Terminals must support
contact and c’less + NFC
April
2013
• Acquirers and sub-
processors must support
EMV (Mandate)
• Acquirers / sub-
processors must support
• Maestro ATM liability
shift1
• Acquirers, sub-
processors,
direct connect merchants
support EMV elements
• Acquirers and sub-
processors must support
EMV , including mobile
(Mandate)
Oct 2013 • Merchant Account Data
Compromise(ADC) relief
(Phase I)
• PCI audit waivers
• 75% of Discover trans on
terminals supporting
contact and contactless
• (PULSE) Direct connect
merchants and POS
acquirers / processors to
support EMV
• PCI DSS relief
• 75% of transactions occur
on Amex EMV chip-based
contact and contactless
devices
Oct 2015 • US Liability Shift1 • US Liability Shift2
• Merchant ADC Relief
(Phase II)
• US liability shift (+
PULSE)
• US Liability Shift
Oct 2016 • US liability shift for ATM
Oct 2017 • AFD Liability Shift1 • AFD Liability Shift2 • AFD Liability Shift • AFD Liability Shift
"By encouraging investments in EMV contact and contactless chip technology, we will speed up the
adoption of mobile payments as well as improve international interoperability and security," ~ Jim
McCarthy, global head of product, Visa Inc.

5. Merchant Impact Chart
Setup POST Register Controller Switch End to End Cert Processor Impact
HW SW HW SW SW SW SW
Countertop POST
Replace w/new POST
  - - - - -  Low
Countertop POST
Add all-in-one PINpad
  - - - -   High
Mobile POST
Replace w/new POST
  - - - - -  Low
POS w/mag wedge
Replace w/CT POST
  - - - - -  Low
POS w/mag wedge
Replace w/PINpad
  -  - -   Medium
Integrated PINpad
Replace w/new PINpad
  -      High
Integrated wedge
Replace w/PINpad
  -      High
Smart phone integrated
Replace w/EMV dongle
  -      High
Smart phone stand
alone
Replace w/EMV dongle
  - - - - -  Low

6. Message Format Changes
Tag Tag Descriptor Functionality Details
9F26 Application cryptogram Card authentication Contains the cryptogram used to authenticate the
transaction.
9F36 Application transaction
sequence counter
Card authentication Contains the value of the POS terminal transaction
sequence counter. The POS terminal maintains a
transaction sequence counter and increments the
count each time a transaction is initiated.
9F07 Application usage control Card authentication Specifies the issuer’s restrictions on the geographic
usage and services allowed for the application.*
9F27 Cryptogram information data Card authentication Indicates the type of cryptogram and the actions to
be performed by the terminal.
9F34 CVM results Cardholder verification Identifies how the cardholder was verified at the
POS: by cardholder signature, cardholder PIN, or
verification not required.
9F0D Issuer action code—default Transaction authorization Specifies issuer conditions that cause a transaction
to be rejected if the transaction might have been
approved online but the terminal is unable to process
it online.*
9F0E Issuer action code—denial Transaction authorization Specifies issuer conditions that cause a transaction
to be denied without an attempt to go online.*
9F0F Issuer action code—online Transaction authorization Specifies issuer conditions that cause a transaction
to be transmitted online.*
9F10 Issuer application data Card authentication Contains issuer application data transmitted from the
chip to the issuer. Is updated by the issuer in the
response message.
9F37 Unpredictable number Card authentication Contains the POS terminal unpredictable number
value. POS terminal generates the number value
that may be used as input to the application
cryptogram algorithm.
The EMV payments infrastructure
includes a new network message field
that transports chip data. In the U.S.,
this field is often referred to as Field 55.
Field 55 is a generic, flexible, variable
length container that conforms to tag-
length-value (TLV) encoding. Every data
element carried in the field has a specific
tag, followed by the length of the data
and then the actual data. Each tag is
defined by EMV or specified in the
relevant payment brand specifications.
Field 23 carries the card sequence
number.
Issuers, acquirers, and merchants will all
need to change their infrastructure to
support Field 55 in the authorization
request and response messages and
Field 23.

7. Merchant Checklist
 Designated an in-house EMV expert / program owner (critical for large merchants / ISO / Processor)
 POS providers / VARS aligned with EMV (including plan and roadmap)
 POST that I own or will soon own supports all payment types
 Remember: Contact, Contactless / NFC, and magstripe
 My NFC support includes mobile wallet (of my choosing)
 The device bears all the necessary approvals (Lvl1, Lvl2, C’less approvals, PCI PTS)
 Remember that V1 expires in 2014!
 Ensure the ability to remotely manage (some peripherals may not accommodate this)…
 My EMV migration dates coincide with the association benefits and key dates for compliance
 My POS provider can assist in the migration process
 My processor / acquirer is available for the migration and planning
 I have received my end to end certification process from them (if applicable)
 I have all the test tools I need (cards, etc.)
 I am developing a training program for my personnel
 To understand the new payment types
 To understand the changes in consumer behavior at the POS and dispel myths

8. The EMV / NFC Connection
Remember that the incentives from the card brand associations are predicated on accepting both
contact and contactless EMV as well as NFC
• An
EMV
chip
can
be
on
a
“contactless”
card
where
the
chip
is
“tapped”
or
“held”
near
the
terminal
…..or…..
• A
chip
can
be
inside
your
smart
phone
and
the
phone
is
“waived”
near
the
terminal…
• Mobile
wallets
(eWallets)
are
rapidly
growing
in
number,
which
mulBplies
the
opportunity
for
incremental
sales
for
merchants
and
new
revenue
opBons
for
ISOs

9. Merchant Stratification
Qualification and
Grouping
Transaction #
Volume
Examples
• > 6M Visa tran
• Top retailers / Some global
• Annual ROC
Extremely high
• WalMart
• The Home Depot
• Target
• 1-6M Visa tran
• Annual SAQ
High
• Golden Corral
• CMT
• Academy Sports
• 20K-1M Visa tran
• Annual SAQ
Medium
• < 1M Visa tran
• Annual SAQ
recommended
Light
• “Mom and Pop”
• Single business
• Not a Visa tier
• Very small businesses
• Often no merchant
account
Extremely low
• Beginning
business
• Babysitters
• Service entities
• Not a Visa tier
• Sparse payment needs
• No merchant account
One time
- or –
extremely infrequent
• Garage sales
• Personal
purchases
1
Est ~
125
2
Est ~ 85K
merchants
3
Est ~ 750K
merchants
4
Est ~ 8M merchants
5
Est ~ 22M merchants
6
No estimates exist

10. Customer Scope Segments
Small
• Typically
tier
4
• Simple
structure
• Small
EMV
footprint
• Easy
conversion
• Single
–
several
store
• Storefront
Mid-­‐sized
• Typically
tier
3
• Small
structure
• Light
EMV
footprint
• Small
conversion
• Regional
chains
• Storefront
• E-­‐commerce
Large
• Tier
2
level
merchant
• Large
structure
• Large
EMV
footprint
• Challenging
conversion
• Regional
–
nat.
chains
• Storefront
• E-­‐commerce
• MOTO
• Field
Services
Super
• Tier
1
level
merchant
• Complex
Structure
• Huge
EMV
footprint
• Integrated
POS
• Difficult
conversion
• National
chains
• Storefront
• E-­‐commerce
• MOTO
• Field
Services
• Multiple
brands

11. CDE Mapping

12. Countertop Point of Sale Terminal
At the transaction origin, the EMV chipcard must be inserted into a POS device that has
the hardware capability to process it, as well as the necessary software application.
Countertop terminals are the most common among small retailers.
• Many legacy countertop POST in the field do not incorporate EMV readers
• Even fewer support NFC and Contactless
• Many that do are at or nearing EOL for other reasons (PCI, obsolescence, etc.)
• Software updates may not be available for some models
Possible Solutions
The Challenge
• Software update for legacy devices that candidates for migration
• All-in-One terminal hardware and software upgrade for non-accepting devices
• Bolt-on NFC readers for devices that support EMV, but have no C’less reader
Other Factors
• PCI PTS deadlines
• End to End certification should NOT be required by the acquirer
• Form factor (2 piece or single device?)
• Performance (dial only)
• PIN support – international cards still have PIN as a payment form
• Does the end to end testing include interoperability?

13. POS Wedge
At the transaction origin, the EMV chipcard must be inserted into a POS device that
has the hardware capability to process it, as well as the necessary software
application. A wedge reader that is configured either as a stand-beside or a fully
integrated solution will not satisfy the requirements.
• A typical wedge reader also does not support an EMV card insertion or C’less
• These devices are typically stand-beside or integrated to a POS system
The Challenge
Possible Solutions
• Replace or supplement with an all-in-one PINpad with EMV and C’less/NFC
Other Factors
• PCI PTS deadlines

14. Retail Point of Sale Terminal
At the transaction origin, the EMV chipcard must be inserted into a POS device
that has the hardware capability to process it, as well as the necessary software
application. Retail customer activated devices are widely deployed where a multi-
lane style of interaction occurs. Many of these cannot support EMV or C’less.
Possible Solutions
The Challenge
• Software update for legacy devices that candidates for migration
• Terminal hardware and software upgrade for non-accepting devices
Other Factors
• PCI PTS deadlines
• P2PE transitions underway
• Other infrastructure changes required (POS register, switch, etc.)
• Many legacy retail POST in the field do not incorporate EMV readers
• Even fewer support NFC and Contactless
• Many that do are at or nearing EOL for other reasons (PCI, obsolescence, etc.)
• Software updates may not be available for some models

15. Other Impact Areas
 Consider semi-integrated approaches to solve for EMV
 Beneficial for P2PE, RKI, estate management, etc.
 Best time to do it while “the patient is open”
 Don’t forget the CDE areas that would escape typical scrutiny
 ATM, AFP
 Transaction speeds
 Card remains in the device
 Initial learning curve
 Contactless may follow naturally as a faster mode

16. Other Impact Areas – The Customer
• New payment card types
• New payment flows
• Card remains in device
• Contactless
• Use displays for training!

17. Other Impact Areas – Employees
• Chargeback handling
• Return handling
• New hire training
• SME training

18. Other Impact Areas – Mechanical
• E2E cert testing
• New failure points
• Out of band cards
• Transactions speeds

19. Start
Planning
Today!
969
Days
remaining
to
October,
2015
liability
shiQ
“If you haven’t already started planning, you will want to get started in early 2013, or you will be
considered already lagging behind….” ~ Rob Hayhow, TD Bank

20.  Smart Card Alliance
 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828
 www.smartcardalliance.org
Greg Boardman
Greg.Boardman@ingenico.com