Visa Incents 'Dynamic Authentication'

New Technology Innovation Program is All About Secure Transactions
Visa Incents 'Dynamic Authentication'
A move toward EMV can help merchants cut their security compliance costs, but only if they operate outside the U.S.

That's the message from Visa Inc., which last week announced the launch of the Visa Technology Innovation Program, which is designed to eliminate eligible international merchants from annual validations of their compliance with the Payment Card Industry Data Security Standard.

In the United States, where no official movement toward the Europay, MasterCard, Visa standard exists, other types of dynamic authentication are being encouraged by Visa. But they won't offer the same incentives (i.e. eliminating compliance validations) the Technology Innovation Program provides to qualifying EMV-compliant merchants in other parts of the world.

"With the United States facing government price controls on debit and restrictive routing and exclusivity rules, it is not feasible or appropriate to drive the market toward major infrastructure investments, especially in an environment where financial institutions could lose billions in revenue as a result of the regulation," states Bill Sheedy, Visa's group executive for the Americas in a statement issued by Visa. "With such a dramatic potential for revenue loss, financial institutions will likely curtail investments in future innovations."

"In the U.S., we are focusing on the same things, working to eliminate the card data in the transaction," says Eduardo Perez, CFA, head of Visa's global payment system security.

The goal: to encourage merchants to move toward dynamic data authentication, which EMV chip technology makes possible.

In order to qualify for the Technology Innovation Program, international merchants in EMV markets must prove that at least 75 percent of their transactions are EMV chip transactions. They also must validate previous compliance with the PCI-DSS, and they cannot have a breach of cardholder data history on their records. The program takes effect March 31.

"Dynamic authentication promotes the use of a dynamic variable that will be part of each transaction," Perez says. This dynamic variable ensures that cardholder data cannot be "replayed" for use in subsequent, fraudulent, transactions. "The EMV chip," he says, "generates a cryptographic message for the transaction, thereby making that transaction dynamic."

Dynamic Payments in the U.S.

The dynamic move in the U.S. will most likely be fueled by migrations to contactless and mobile payments. "Those are emerging technologies where (U.S.) stakeholders have an interest and are using those technologies," Perez says.

Globally, Perez says Visa estimates about one-third of the world's payment cards and about two-thirds of its payments terminals support EMV. European markets are furthest along in their EMV adoption; other markets, especially in developing or emerging countries, are staggered at various migration points. Because of so much market variation, some of the alternate dynamic technology being considered in the U.S. will likely be considered and deployed in other markets, even if it takes on an EMV flavor. Ultimately, Perez says, the U.S. payments landscape is not so unique.

"All of the markets vary," he says. "Even in different global markets, where they are in different phases of moving toward dynamic data, such as EMV, there still remains a lot of static data in the payment system that needs to be eliminated. So, in the U.S. and throughout the world, we will focus on eliminating that static information."

Perez also is quick to note that despite being the world's largest payment-card market, the U.S. does not suffer from higher-than-average or escalating incidents card fraud. "Fraud rates remain low and stable," he says. Globally, (Visa's) fraud accounts for about 6 cents out of every $100 card transaction.

"Entities will continue to invest in solutions that help stakeholders in the system to eliminate cardholder data," Perez says. "Tokenization is one way," and end-to-end encryption is another. "We realize that regulatory requirements are a factor our stakeholders and clients have to deal with. So, we are going to try to supply a flexible payments system that meets everyone's growing and changing needs."


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.