U.S. Move to Chips: Improved SecurityVisa: EMV-Based Chips Provide Dynamic Authentication
"Our announcement is intended to essentially back a proven solution that has provided dynamic authentication at the point-of-sale for many years in the rest of the world, and we want to use that same technology in the U.S.," says Eduardo Perez, who leads Visa's Global Payment System Security group.
There are three reasons for Visa's U.S. move to chip technology. First is the innovation. EMV [Europay, MasterCard, Visa] chip technology provides a strong foundation for the evolution of contactless and mobile payments, Perez says. Global acceptance is another reason for the switch, ensuring that payment cards and devices are accepted everywhere. Lastly, and most importantly, is security.
With EMV, the process is effective, because it uses a "dynamic variable that changes with each transaction and makes the data around that transaction valueless to fraudsters and makes it infeasible to create a counterfeit card or device," Perez says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Visa's Technology Innovation Program [see Visa Pushes EMV in U.S.], which provides tools for issuers and merchants, is intended to provide clarity regarding the future of U.S. payments. One of the challenges when it comes to a U.S. migration toward EMV is chip transaction acceptance, card processing and transaction authentication. "So, at VisaNet, we make changes to authenticate these cards," says Mark Nelsen, senior business leader of fraud risk products at Visa. "We convert the message to make it look like a mag-stripe transaction," which Visa expects will help issuers and merchants more readily jump on the deployment wagon.
During this interview, Perez and Nelsen discuss:
- Why the time is right for a U.S. move toward contactless payments that enable dynamic data authentication;
- How the chip facilitates payments ubiquity and enhances security; and
- Visa's vision for the payments future.
Perez joined Visa in 2002 and today has direct-line responsibility for key areas including, global authentication, global payment system security policy and procedures, global third-party agent risk, global cybersecurity investigations, and global breach response and incident analysis. Perez and his team have developed and executed strategies to eliminate, protect and devalue payment card data throughout the payment system. Before Visa, he worked with the Federal Reserve Bank of San Francisco's Division of Banking Supervision and Regulation, where he held various positions.
Nelsen, who has nearly 20 years of experience in product development, now heads product strategy for Visa's global fraud risk and authentication solutions. Before Visa, Mark was a senior product architect at IBM.
U.S. Move to ChipTRACY KITTEN: Eduardo, you and I spoke in February about the launch of Visa's new innovation program which encourages merchants to adopt and accept chip-based payments that offer dynamic transactional authentication. At that time however, the program was only being offered internationally. Can you explain to us why Visa has expanded the offer to U.S. merchants?
EDUARDO PEREZ: Our authentication strategy has really revolved around promoting dynamic authentication solutions in the market place. Our announcement is intended to essentially back a proven solution that has provided dynamic authentication at the point-of-sale for many years in the rest of the world, and we want to use that same technology in the U.S. really for three key reasons. The first one is about innovation, and that is around our belief that EMV chip technology provides a strong foundation for the evolution of contactless and mobile payments over time. The second reason has to do with global acceptance and ensuring that our products and payments cards and devices are globally accepted around the world without any issues. And the third is around security, the security benefits that EMV chip technology provides by virtue of invoking the use of a dynamic variable that changes with each transaction and makes the data around that transaction valueless to fraudsters and makes it infeasible to create a counterfeit card or device. We believe that for those three key reasons, the time was right for Visa to make this announcement to support the U.S.'s chip migration and adoption of mobile payments.
KITTEN: Can you explain to us how the program works? For instance, only qualified merchants may participate. What are some of the requirements for qualification?
PEREZ: We actually announced three levers. The first one was to expand the technology innovation program that we announced earlier this year to merchants in the United States. That lever really provides the incentive for merchants that adopt dual-interface terminals, and by dual-interface I mean both contact and contactless EMV chip terminals to a rate where at least 75 percent of their transactions emanate from those terminals. Then, from a Visa perspective, we would provide PCI DSS validation relief on a go-forward basis. We would not expect merchants that met that qualification criterion to have to validate PCI DSS compliance on a go-forward basis.
KITTEN: And what makes the timing right now for the U.S.?
PEREZ: We've seen a tremendous amount of interest in the adoption of mobile payments and contactless payments, and so we've heard from the merchant community, the U.S. merchant community and merchant groups that there is high demand for clarity on the U.S.'s payment roadmap if you will. We felt compelled that as a result of those demands and our ongoing work, that the time was really right now to provide that guidance so that merchants and other stakeholders can make investments to support the future of payment technologies particularly around mobile payments and contactless payments.
Merchants and Chip PaymentsKITTEN: I wanted to also ask about card issuers. Are U.S. merchants concerned about demand for chip payments if card issuers don't jump aboard?
PEREZ: We've actually seen in recent months significant interest from U.S. issuers, both large and small to issue chip cards to their traveling card holders. We've seen some announcements from the largest banks in the U.S. but also from some smaller community-based banks that have a high degree or a high rate of their card holders who travel overseas. And as a result of that, it's interesting to see that there has actually been a move by U.S. issuers to start to issue these cards to selected card holders. We believe that overtime that issuance will continue and that there will be a vehicle for consumers to be able to use those cards and devices over time to make payments at those dual-interface terminals, contact chip and contactless interface terminals that will also allow for the evolution of mobile payments. We believe that again, by providing this guidance to the market place we are trying to lay out the roadmap and create greater certainty for merchants and all stakeholders' issuers in their investments in the EMV chip technology.
KITTEN: And how might this investment not only assist with the reduction of PCI compliance costs for merchants, but also aid card issuers that are seeking interchange incentives provided by the Durbin amendment for investments that they make in debit fraud prevention?
PEREZ: In terms of the PCI compliance cost, again one of the strongest features of the EMV chip technology is the fact that it helps to generate a cryptographic message. For those of your listeners that are familiar with the technology as it exists today on a mag-stripe, the card holder verification method that is used today to authenticate the authenticity of a card is a static variable. Because we know that information is coveted by criminals, merchants and other stakeholders in the payment system must properly protect that data. One of the biggest benefits of the EMV chip technology is that it essentially replaces that CVV factor with a dynamic cryptographic message that the issuer can validate the authenticity of that card or device. Or we can do it on their behalf on a go-forward basis. That is the first part and obviously, by doing that it reduces both the data that is out in the payment system and the risk that data may be compromised. That is one of the first benefits.
In terms of the Fed's rule on the Durbin amendment, the Fed has clearly indicated that they've made provisions to acknowledge issuers' investments in fraud prevention technology and for their fraud losses. We believe that this technology is in line with the Fed's intent to continue to improve the overall security of the payment system.
The Difference in U.S. TechnologyKITTEN: Now I would like to go back and talk a little bit about the program itself. How, if at all, does the technology innovation program in the U.S. differ from the program that is being offered to merchants in other parts of the world?
PEREZ: One key difference between the technology innovation program that we announced from the rest of the world is that for the rest of the world it focused on acknowledging and further incenting adoption of contact chip terminals, contact EMV chip terminals. That was really in consideration of where the rest of the world is in the adoption of EMV chip technology. A number of large markets have adopted the technology to high rates and as a result we see a significant number of chip-on-chip transactions as we call them in the rest of the world. In the U.S., because of our unique circumstances and where this market place is at, and given the advent of mobile and contactless payments, we wanted to make sure that we adjusted the program accordingly to incent the adoption of dual-interface terminals so that merchants can be prepared to take payments either as a contact-chip payment or a contactless card, or increasingly over time, the mobile NFC [Near Field Communication] payments that they can also leverage that same technology to accept those forms of payment devices. That was the key difference with the technology innovation program as we announced it for the U.S., that in order to qualify merchants have to adopt dual-interface terminals. And again, by dual-interface I specifically mean both contact and contactless EMV chip acceptance terminals.
KITTEN: Now Mark, I would like to talk with you for a moment about maybe some of the differences between the European market and the U.S. market, if there are any. The program relies on merchants' abilities to accept chip-based payments. Now in Europe for instance that means EMV, but in the U.S. it could mean mobile or some other type of NFC transaction. Visa is promoting a mobile option for the U.S. Can you explain why Visa is piggybacking on mobile?
MARK NELSEN: Actually, when we talk about mobile NFC, we are also referring to an EMV-based mobile acceptance. When you can, as a merchant or an acquirer, accept a chip-based product, you can also then support that mobile transaction as well, because the underlining infrastructure in technology is the same. In other words, the fields that are passed within the message are the same between the contact chip, the contactless, as well as mobile. We're really riding on that as the backbone so that we can make an infrastructure change one time that really kind of future proofs payments. Then, if there are issuers who want to more aggressively go after mobile, they can do that because the infrastructure is set up. However, if there are other merchants or issuers who want to go more after contact chip, they can also do that right. You make a change one time and that underlying technology is globally interoperable and supports contact chip, contactless, as well as mobile NFC. That is why we really want to lay that ground work now so we can accelerate mobile adoption in the U.S.
Mobile PaymentsKITTEN: Do you think in the U.S. we might leapfrog and move directly to mobile, or that the transition to mobile might be smoother?
NELSEN: I think that is a really good question. I think it is going to depend on the issuers. In our conversations, we've definitely heard that term often, the leap frog. There are some issuers who want to go directly to mobile. I think it is going to come down to some of it is the consumer's choice. Some consumers may want to go directly towards mobile, whereas with other consumers they want the contact chip card so they can go and travel. Earlier this year, there were a number of issuers who announced chip programs for example, for their traveling users. There was incredible demand from consumers as a result of that. I think you are going to see a little bit of both, but I do think there is a strong demand for mobile payments. There is kind of just that "wow" factor for one and there is strong demand from both the issuers as well as merchants for getting involved with this new technology. I think it will accelerate the technology adoption.
Visa Guidance to MerchantsKITTEN: Now I would like to go back to something that Eduardo was talking about earlier and either one of you, Mark or Eduardo, can answer this question. I do understand that there has been quite a bit of interest from merchants in the U.S., as well as card issuers in the U.S., in looking to a program that will enable chip payments. But if Visa prepared to offer some program assistance and guidance, and I'm asking this not only for merchants but also for financial institutions, who are the card issuers as well as the sponsoring financial institutions for the merchants that decide to make this move?
NELSEN: We are working on a number of what we call "chip on behalf of services" for both the merchants as well as the issuers. What we have is a variety of tools, which basically help an issuer design their right type of chip program for them. As you can imagine, chip technology has a lot of things that they can do with it and so we really help them say, "Okay, what is the best scenario for you? What are you looking to do?" We'll help design a program for them, and then also one of the big challenges that an issuer may have is, "How do we accept and process these new chip fields?" There are changes they would have to make through the host system in order to fully authenticate these cards. What we do at Visa is make changes to basically authenticate the card on behalf of the issuer and then translate their message, convert it so it looks like a mag-stripe transaction. We're doing this so that issuers can more quickly adopt and deploy chip-based technologies without having to make all of the system changes to their host systems. We're working on a number of programs to really help accelerate this adoption for both the issuing side as well as the merchant side.
KITTEN: That is a great point. In fact, I think that is something that Eduardo talked about back in February when we first discussed the introduction of this program. Before we close, I would like for each of you, what final thoughts would you like to leave our audience with as it relates to this new program specifically?
NELSEN: In general, the final thought is we're talking about dynamic authentication. And as Eduardo mentioned, dynamic authentication is powerful because it uses distinct, unique elements for that particular transaction, and they can't be reused. Today we've talked a lot about the card-present point-of-sale transactions, but we at Visa believe in dynamic authentication and we're also looking at how we get dynamic authentication in card-not-present transactions as well, because we are preparing as the E-Commerce channel has become more and more popular with more transactions. We also need to prepare for fraud that migrates to that channel. We're working on dynamic authentication in the card-not-present channel as well, which we'll provide further details on in the coming months.
PEREZ: We believe that this is an exciting time for the payments industry and here at Visa. Our announcement is really focused on innovation and making sure that we prepare the market place and lay out the policy ground work that we will need to promote the adoption of new forms of payments, particularly contactless and mobile payments. I will say that in closing, one of the greatest opportunities that we have and that we are pursuing at VisaNet is both ensuring that we have a smart perimeter by using smart devices that utilize dynamic authentication as EMV chip technology does. We're also continually looking to leverage the strength of our Smart network at the same time to provide a number of other solutions, some of which Mark highlighted, to reduce the burden and potential friction for all players in the payment system when conducting payments, and at the same time increase the security robustness and overall trust that consumers have come to have on electronic payments. Again, we're excited about this announcement and about the continuing work we're doing to both improve the overall effectiveness of our network and the types of payments that we're going to continue to promote in the payment system.