As consumers, we don't always think about the complexities behind the dip of our chip card into an EMV terminal. Most consumers just assume that during those long three seconds upon making a purchase, the terminal is magically extracting our money straight from our bank account and placing it conveniently into the merchant's account.
It's not quite that simple.
I had a really great interview with Vantiv's Technology Program Manager, Lisa Killigrew, to kick off our brand new "Become an Expert in Payments" blog series. We explored in detail the complete journey that our payment data follows at the moment of purchase.
As we all know, there's a lot happening as we stand there staring at the terminal waiting for the affirmative "approved" message that allows us to carry on with our day! Lisa explained all of the details, providing a lot of interesting tidbits behind the basics of payments, and we left no stone unturned by the end of our chat.
Read on for the entire interview:
MC: Let’s start with the basics: In my lifetime, there have always been cash, checks, and credit cards. Occasionally I see someone still writing a check. Sometimes I question the security of having a checkbook on you that could get lost and in the wrong hands. Just curious – what does a payments expert at Vantiv think about checks?
Lisa: Funny you should ask, because I am the only person I know who still writes checks. I pay my bills the old-fashioned way, but even I am converting to online payments. I think checks are quickly becoming a method of the past. They are cumbersome, inconvenient, and as you mentioned, it’s a big risk to carry your checkbook around. It’s also a pain to order new checks; whereas if you use your credit or debit card the payment is instantaneous.
MC: Can you tell me a little bit about the logistics of payment data, starting from the initial swipe/tap/voice command, etc… Where does this payment information go, when/how is it encrypted, what stops does it make along the way?
Lisa: It’s amazing how many steps the payment data goes through once you swipe or insert your card. When I first started with Vantiv I knew nothing about payments and decided to map out the process for myself. It took me two weeks to get it right!
When a consumer uses a credit/debit card, two things have to happen. The consumer’s card needs to have the transaction amount deducted from their card balance, and the merchant must receive that transaction amount. With cash, it’s easy. With cards, it gets a little more complicated.
Deduct transaction amount from consumer’s card (Payment Authorization): After the consumer uses their card, the transaction is sent from the merchant’s POS system to Vantiv IP, where the transaction is checked for validity, meaning is all the right information being sent in the transaction. Then the transaction is sent to the card brands, who validate that the card is not expired or fraudulent. After that the transaction is passed on to the card-issuing bank, who verifies there are sufficient funds on the consumer’s card to cover the transaction. If so, it approves the transaction, which is then sent back to Vantiv IP with the approval. Vantiv IP sends the approved transaction back to the Merchant’s system, which displays “approved” and the consumer can be on their way.
Add transaction amount to Merchant’s account (Settlement and Funding): When processing a transaction, the Merchant’s POS system “captures” it, meaning it makes a record of it, and adds it to the merchant’s batch. A “Batch” is a set of bundled transactions that the merchant POS system sends to Vantiv IP, usually at the end of their business day. At a pre-set time, Vantiv IP sends this batch to the card brands, who then parse the transactions and send them on to the appropriate Issuing banks. The card brands send the funds for the transaction amount back to Vantiv IP, who then sends those funds to the merchant’s account. The Issuing bank subtracts the transaction amount from the consumer’s account and sends those funds back to the card brands.
MC: I’d like to talk more about security. First of all, we all know that EMV is the new standard over magnetic stripes. Tell me what’s going on with that chip. What’s happening as we stand there waiting for it to process? How is the chip more secure?
Lisa: The chip on an EMV card is actually a tiny microprocessor. When an EMV card is inserted into an EMV card-reader, the card, device and issuing bank carry on a two-way exchange of information. This exchange is done to verify that the card is authentic, determine whether it’s a credit or debit card, and what the verification method is (PIN, signature or none). In addition to this validation process, the chip creates a unique transaction code that can only be used once. If the transaction request is stolen or reproduced, the reproduced data will be incorrect, thus protecting the card from being physically counterfeited.
It’s incorrect to think that EMV chips are more secure than magnetic stripe cards; rather, they provide a different layer of protection, specifically against creation of counterfeit cards. They do not add protection to the actual transaction. This is why Vantiv only offers EMV solutions combined with point-to-point encryption. The encryption protects all of the sensitive data sent with a transaction, such as credit card number and expiration date.
MC: The magnetic stripe was around for a very long time. It seems that EMV came around at an interesting time while other methods of payments are evolving so quickly. How are merchants adapting? What are some of their biggest challenges? How long do you think these chips will be around? What do you feel will be the preferred method of payments in 5 years?
Lisa: Yes, the timing of EMV in the U.S. was interesting. EMV has been available in Europe and Canada for many years; the card brands decided it was time for the US to catch up to the rest of the world. It’s a bit ironic though, because EMV technology was invented over 20 years ago, and since then there have been huge leaps in payment technologies that were inconceivable at the time, such as mobile payments. To give a bit of perspective, when EMV first launched in 1992, Microsoft Windows came to market for the first time, and the internet was just starting to have a graphical user interface. Mobile phones were big and clunky, and only used by a privileged few.
Merchant adoption of EMV within Vantiv is steadily growing, especially in the retail industry. A big motivating factor is their liability for fraudulent transactions. Prior to EMV, the card issuers took on the risk of fraudulent transactions and chargebacks. Beginning in October 2015 that risk shifted to the merchants if they did not accept EMV cards. However, not all merchants are converting to EMV, and there are several reasons for this. A big one is cost - EMV devices are two to three times as expensive as magnetic stripe readers. Another reason is restaurants are resisting the changes to the consumer experience - a customer cannot just hand their EMV card to a waiter for payment. Instead, the payment device must be brought to the customer so they can insert their card. Americans are resistant to change, especially if it is a longer process. A third reason is the chargeback risk, at least for certain businesses, has not turned into as big a problem as feared, and merchants are willing to pay a couple of hundred dollars in chargebacks instead of the expense needed to purchase and install an EMV solution.
Technology and innovation are happening so fast these days, it’s hard to know where we’ll be in five years. It could be new types of currencies like Bitcoin, or new ways to purchase merchandise like virtual reality, or something we can’t even conceive of today.
Mobile payments and OmniCommerce are big trends right now, which makes sense because these make the consumer’s life more convenient. For example, being able to order items online and then pick them up in the store is quite popular.
MC: Regarding tokenization and P2P encryption: Can you explain a little more about how this works? At what point does the card data convert to a token, and where does this occur? In the POS software, and immediately upon swiping? Hackers seem pretty smart these days… how does this token ensure that a hacker wouldn’t ever be able to find a way to break into it?
Lisa: Sure. First you should understand that tokenization and P2P encryption are two different things. Tokens are software based and are used in place of actual cardholder data when a transaction is processed. P2P encryption is a hardware-based solution, where the card data is immediately encrypted by the payment device when the card is swiped or inserted for payment.
Let’s start with tokenization. A token is a unique, dynamically created card data reference number that is used in place of the card account number and expiration date. There are a few different methods used by software companies; Vantiv IP’s approach is to generate a unique token with every transaction. Vantiv IP is the sole custodian of the process that generates and then unlocks a token. In our method, the business application (POS or eCommerce) must send a token request as part of the payment request. Vantiv IP generates the token based on the request criteria and passes it back to the local POS as part of the authorization response. The token can be stored for future use, such as a return or recurring billing. Unlike “vault token” methods, Vantiv IP does not store token data in any form.
Point to point encryption, also referred to as end to end encryption, encrypts cardholder data from the point of entry, meaning when it is swiped or inserted into the payment device. In order to do this, the payment device (such as a VX805 or iSC250) is loaded or “injected” with encryption keys that are specific to Vantiv IP. Vantiv IP has its own custom, secure decryption environment to validate, decrypt and process the data. Our encryption keys are only allowed to be injected by certified, third-party injection vendors, also known as “Key Injection Facilities” or KIFs.
In both cases card data is converted to an encrypted format which can only be decrypted by Vantiv. Should a hacker capture a transaction while it’s being transmitted, the data would be useless.
Using encryption, tokenization and EMV together provides the best overall card data security solution. By using P2P encryption for initial card data entry, and storing a token for subsequent transactions, the business application is completely removed from handling, storing, or transmitting clear text card data altogether.
MC: I love using my mobile wallet. But the fact that I can just touch a device and it takes my money sometimes makes me feel nervous. As a consumer, what can you say to make me feel better about this? As a developer, is there anything I need to think about, or is the security 100% baked into our APIs?
Lisa: With mobile wallets, your payment data is exposed only once, when you enter your card information into your wallet. This information is then encrypted so that every time you tap your mobile wallet for payment, “virtual” payment data is sent from your phone to the payment device (meaning it’s not your real card information) so your full card number is not exposed by your phone. When this virtual data is passed to the device, it is immediately encrypted by Vantiv using payment card industry (PCI) validated methods. So your data has two layers of protection. If you think about it, this is safer than carrying around a physical card which could easily be stolen.
MC: Speaking of developers, what’s the number one thing you wish they’d spend more time learning about?
Lisa: This is a great question, and depending on who you ask, you’ll get a lot of great answers. I work in the Developer Integrations department, where our analysts work directly with developers to integrate our payment software with their business applications, so I get to hear a lot about common issues and concerns. I’d say there are two things developers should learn more about.
The first is all the payment industry nuances, especially PCI PA-DSS and PCI DSS requirements. The PCI Council is all about protecting cardholder data, and the requirements include the merchant’s network environment as well as software requirements.
The second area developers should focus on more is the setup, installation and support processes for their merchants. Many times this is almost an after-thought, which leads to a lot of delays and frustration as merchants struggle to start using the software. Our analysts can help developers with planning this phase, which includes things like does the merchant have the proper server, router, connectivity needed? How many payment devices will they need, and who is going to order them? Who is going to install the equipment, and how are software updates going to occur? All of these things, if planned ahead, make for a very smooth merchant experience, which ultimately results in a faster time to revenue for everyone.
MC: What is the biggest opportunity that you see for developers who are integrating payments into their solutions today (and tomorrow)?
Lisa: OmniCommerce. OmniCommerce means that the consumer can mix and match their payment experiences - such as placing orders online or through their phone and picking them up in the store; the behind-the-scenes processing is linked together to handle these transactions quickly and smoothly. Today’s focus on card data security and fraud prevention has resulted in a slower checkout experience. Omnicommerce tools provide ways to maintain card data security and facilitate a better checkout experience.
Vantiv IP always has its eyes toward the future; one of our philosophies is to provide solutions that are not only good for today, but can accommodate whatever happens tomorrow.
MC: Great stuff, Lisa. Thanks for taking the time to help us to explain some basics about transactions.
Lisa: It's been a pleasure!
Have more questions? Leave them in the comments below!
Coming up: Josh Mather on Blockchain/Bitcoin! Stay tuned for more information, right here at Vantiv O.N.E.