Card Fraud Spurs EMV in U.S.
Visa: Skimming, Mobile Make Time Right for EMV
Visa has set 2013 as one of its EMV target dates.
The Europay, MasterCard, Visa standard is now commonly used in place of the magnetic stripe in most global markets, and Visa's Stephanie Ericksen says Visa is serious about getting the U.S. payments infrastructure ready for the new technology. That serious attitude was the catalyst for Visa's creation of an EMV-adoption roadmap as well as guidelines to help issuers and merchants successfully launch and complete their EMV rollouts.
The catalyst for Visa's EMV push: escalating incidents of card fraud. The United States' continued reliance on magnetic-stripe card technology is perpetuating the spread and growth of global card fraud.
MasterCard also has set a 2013 EMV-compliance deadline for all U.S. ATMs, which are the targets most often hit by skimming attacks.
Ericksen, who focuses her attention at Visa on payments solutions, security and devices, says losses linked to skimming are escalating, and vulnerabilities fraudsters exploit in the U.S. increasingly pose challenges for the rest of the world.
"Several factors are at play that we believe made this a good time for the U.S. to adopt and embrace chip technology," Ericksen says. "The movement toward mobile, which uses the same technology as EMV, is a big reason. We've been working on that in the U.S. for a long time. ... and we've had several U.S. issuers that have been looking to issue chip cards for their international travelers."
In an exclusive interview with BankInfoSecurity's Tracy Kitten [transcript below], Ericksen discusses:
- Why more EMV rollouts are expected to focus on credit first and debit later;
- The role the Federal Reserve could play in EMV-migration incentives for card issuers; and
- Why the U.S. is in a better position than its global EMV predecessors to rapidly roll out a chip-capable infrastructure.
Ericksen is responsible for managing integration of Visa's contactless and contact chip payment services and new form factors beyond traditional cards, Verified by Visa, Visa Advanced Authorization, Visa Risk Manager, and the product platforms that enhance the security of Visa's core product offerings. Since joining Visa in 1994, Ericksen has been actively involved in developing the global smart card implementation strategy and formulating business cases for Visa Smart Debit/Credit, GlobalPlatform and multiapplication product offerings on contact and contactless chip cards and in mobile phones. Ericksen also has managed Visa's participation with standards organizations such as GlobalPlatform, EMVCo and the Mobile Payment Forum.
Visa's EMV Push
TRACY KITTEN: Visa is encouraging U.S. card issuers, acquirers and merchants to embrace chip technology that meets the requirements laid out in the Europay, MasterCard, Visa standard, which has been widely adopted throughout most of the world. What can you tell us about the timing of Visa's EMV push? Why now?
STEPHANIE ERICKSEN: When we're talking about chip in the United States, there's a nomenclature that exists in the industry where chip is commonly referred to as chip-and-PIN. We're really trying to dispel that myth where we considered adoption of EMV technology or EMV chip as not always being partnered with PIN. When we're talking about the U.S. adopting EMV technology and EMV chip, we're very much advocating the dynamic data and the dynamic authentication capability of chip, not so much chip-and-PIN.
In terms of the timing of why now, there are really several factors that were at play that made this a good time, we believe, for the United States to embrace chip technology. One of the most relevant points is that we already have a lot of embrace in the United States and the rest of the world in adopting mobile payments technology, which relies very heavily on the same EMV data infrastructure. We've been working for a number of years in the United States to enable contactless payment at the point-of-sale. Many of our issuers had already been issuing contactless-enabled chip cards for use at certain merchant outlets. We also saw that there was a need to enhance the infrastructure from a security point-of-view and an international interoperability point-of-view to also add the EMV contact chip component. We also had several U.S. issuers who were beginning to explore the issuance of international chip cards or chip cards for their international travelers and their affluent customer segment so that they could better improve the interoperability and the consumer experience when those card holders traveled abroad to markets where chip was more prevalent.
KITTEN: In responses to some of the industry requests that Visa has received - that's the reason that Visa came out with some of its recommendations for an EMV deployment in the U.S. - can you walk us through what some of those recommendations were?
ERICKSEN: Certainly. First of all, on the issuance side, we have several recommendations to make it as simple and cost-effective and the fastest time to market for our issuers in the U.S. We have the benefit of the U.S. being one of the markets that's later at adopting chip technology so fortunately we can learn from some of the other markets that have deployed EMV, which has several different options of the way that it can be deployed, but there's also a lot of complexity. And we've learned from other markets that the added complexity is not always needed in terms of making an effective business case. We really looked at the options within EMV and what was needed for the environment like the U.S., which is a 100 percent online environment with zero floor-limit environment, and we looked at the way to implement EMV that would be the most cost-effective and the fastest for issuers to get up and running in supporting EMV without major disruption to their business.
From an issuer best practice or an issuer recommended practice point-of-view, we recommend that issuers issue chip cards that support online data authentication or online authentication. The reason for that is those chip cards tend to be much less expensive to purchase and they're also much less complex to personalize and issue and get out to the card holder. From an issuer point-of-view, it decreases the card cost to purchase a card that only supports online authentication, but it doesn't do anything at all to compromise the security. Online data authentication is just as secure in preventing counterfeit as offline data authentication, but it's much less expensive to purchase the card and much less expensive for the issuer to support in their host systems.
Then secondly, from a card holder verification method point-of-view, we recommend that issuers support card holder verification where signature could be used or no signature could be required for merchants and markets that accept that, and also for needs where the issuer might need to support online PIN for debit, for example. The issuer could also have a card that supports signature, no signature and online PIN. We've streamlined some of the implementation options on the data authentication side as well as on the cardholder verification method side to make it easier for the issuers.
On the acquiring side, as I mentioned earlier, we're really focusing on paving the way for mobile infrastructure as we see that in the next few years is really going to become one of the major payment methods adopted in the United States. We want to make sure that as merchants and acquirers upgrade their system to pass chip data that also at the merchant point of sale not only do they deploy EMV contact chip reading technology, but that they also and continue to include contactless readers to accept the contactless cards that exist in the market today, as well as the NFC-enabled mobile phones and contactless payment mobile phones that will be coming out in future years.
Roadmap to U.S. Adoption
KITTEN: Visa has recently put out a roadmap for the U.S. adoption of EMV cards as well as NFC-enabled mobile payments, which you have mentioned. In this roadmap, the dates have been highlighted as being in 2013 and 2015. What stipulations do each of these dates hold and what recommendations does the roadmap outline?
ERICKSEN: To clarify, those key dates in the roadmap, we really wanted to focus on the acceptance in acquiring infrastructure first to make sure that the merchant infrastructure and the acquiring infrastructure was enabled to efficiently pass the chip data and to be able to support those transactions. The first date is April of 2013 and that's the date by which we want the acquirers in the United States to have upgraded their systems to be able to pass the additional data in the message that supports chip and dynamic authentication. That's the acquirer mandate of April 2013, for the acquirer and processor systems to be able to handle the incremental data that supports dynamic authentication from chip, and that dynamic authentication data supports both contact chip for EMV as well as contactless and mobile. It supports contact chip as well as mobile and contactless payments.
The second date is October 2015 and that's the liability shift date, and that's a further incentive for the merchant infrastructure to deploy contact chip technology at the point-of-sale to continue to preserve their liability protection for counterfeit transactions. So by the October 2015 date, for those merchants who have not yet adopted contact chip technology at the point-of-sale, they may take on some liability at that point in time for counterfeit transactions if chip could have prevented that transaction from being counterfeited.
KITTEN: Does the roadmap make any recommendations where the transition from the magnetic-stripe to a chip card or a mobile chip is concerned? Is Visa suggesting that they'll be simultaneous moves for both credit and debit or are there any suggestions as far as leapfrogging to mobile technology?
ERICKSEN: We do see that there are many issuers that, from a contactless point-of-view, will probably focus some of their efforts on mobile technology, but from an issuing of card point-of-view, we've had just over ten issuers who have recently come out in the market with press releases or actual small issuance of chip cards where they're issuing either contact chip cards or dual-interface cards which support contact and contactless to their card holders. They're primarily issuing those cards for their international travelers and their more affluent card holders since those are the card holders that will most often experience chip transactions today. But as the U.S. acquirer and merchant infrastructure begins to deploy chip technology more at the point-of-sale, we do have many issuers that we're supporting how they would expand their chip issuance to their domestic portfolios and their domestic card holders as well, or their card holders that don't travel internationally as frequently.
In terms of our recommendations, we're talking more to issuers today about how they would plan for their card re-issuance cycles, so as their cards come up for re-issuance in the next two or three years, getting closer to that 2015 liability shift date, how they can plan to have critical mass of their cards in market supporting chip technology as their business case fits.
Credit vs. Debit
KITTEN: And what about recommendations for credit versus debit, or both?
ERICKSEN: Right now many of our issuers are focusing on credit and there have been complexities as it relates to the recent regulation and Durbin regulation [with] how issuers would be able to manage issuance of debit cards with chip. We do support that and we have some recommended practices for issuers on how they can manage supporting debit and multiple networks with a chip card, although many of them today are just focusing most of their energy on their credit portfolios, their affluent segments and their international travelers. We do have a few that are targeting their debit-card portfolios. We do have a few debit card chip cards in market already today, but most of them are primarily focused on credit for this first part and then focusing on how they'll handle debit as they interpret more of the Durbin regulation and what that impact is to them.
KITTEN: This is a great segue for my next question because I did want to talk a little bit about the expense for U.S. card issuers. You've talked a little bit about that, but I wanted to touch on some of the incentives that might be available. When we look at the Durbin amendment to Dodd-Frank, it does call for some incentive on an interchange perspective where fraud prevention is concerned. Could that be applied to an EMV move?
ERICKSEN: So far that's something that we would want the Fed to come out with or to interpret for us. It's not something that we've interpreted in anything related to the Durbin communications as it relates specifically to the issuance of debit cards with chip. We're supporting our issuers who would like to issue chip in conjunction with their debit cards, whether they believe that's something that will improve their business case or improve the way they support their customers in providing them with technology that helps them transact domestically as well as when they travel. But as it relates to the Durbin regulation, that's not something that we've been proactively talking to our customers about or have interpreted yet from a pricing or regulation point-of-view from the Fed.
KITTEN: And what about incentives that Visa is offering? I know that there have been some incentives from a PCI-compliance perspective. Could you explain those?
ERICKSEN: Certainly. From October of 2012, so October of this year, the merchants that have deployed dual-interface technology, so EMV contact chip as well as contactless, in mass at their point-of-sale would qualify for some reduced PCI validation requirements. We see that as one incentive for the merchants to help offset some of the cost related with moving to chip ... We would reduce the burden on them of validating their PCI compliance from October of this year.
KITTEN: For institutions that are considering moves to EMV amid numerous other security mandates and considerations, what advice can you offer?
ERICKSEN: Something that we're working with the merchants on is how do they plan this into their normal terminal and hardware and software upgrade cycles? EMV technology and contactless chip technology, fortunately, has been around for a number of years. The vendors that support the merchants and market all have solutions that the merchants can utilize. And most of the merchants that we've been talking about are very interested in adopting this technology for the added security it provides for some of their customer experiences that they would like to be able to offer, to build up their infrastructure to support mobile, and it's more the merchants planning for when best to slot this into their infrastructure upgrade plans over time.
There are many merchants who have just recently upgraded their infrastructure, so they're planning to make this part of their next infrastructure upgrade, and there are several merchants that we're talking about that have plans over the next year or two that are actively talking to us about how to include this and incorporate chip into the infrastructure upgrade. So, due to the cost that most merchants have of running their infrastructure, we're trying to make sure that the dates that we've set out are reasonable, that the PCI incentive, the chip program incentive we have, is meaningful and provides some value to the merchants.
And also, that as merchants begin to adopt this technology over time, we give them several years in advance of the liability shift date in order for them to plan how their infrastructure can incorporate this technology. We also believe that the added benefit of supporting dual interface, in planning for mobile, is something that we would like the merchants to embrace; because we really see that is future-proofing their investment so they have to make fewer changes to their infrastructure over time.
Follow Jeffrey Roman on Twitter: @gen_sec