Visa Reverses Course on Chip-and-PIN Credit Cards
By Marcia Frellick
August 10, 2011
After years of saying it wasn’t the right time for chip-and-PIN technology for credit cards in the United States, Visa announced Monday that it is all in.
Chip and PIN is the technology widely used in Europe and around the world that embeds a microchip into a credit or debit card so a customer need only hold the card near a reader and use a PIN on a keypad to make purchases instead of swiping a magnetic stripe. It is also known as EMV, which stands for Europay, MasterCard and Visa, the developers of the technology’s standards.
Visa also is endorsing near-field-communication (NFC) technology, which embeds payment information inside mobile phones.
EMV has reduced fraud in Europe at point-of-sale terminals, but hasn’t been widely accepted in the United States. Retailers haven’t wanted to spend the considerable cash on new payment systems until card companies adopt the new technology, and card companies haven’t wanted to use the chip cards until merchants agreed to accept them.
So why now? “For several years, Visa has been talking with clients and merchants on this subject — and now more than ever before, we’re hearing confirmation that chip is the right direction for the U.S.,” wrote Ellen Richey, Chief Enterprise Risk Officer for Visa, in the company blog. “Over the last year, for example, we’ve seen financial institutions issuing chip cards to international travelers. And some large merchants have already begun installing chip terminals. We believe our program offers the right level of direction and encouragement for merchant and issuer adoption of chip — at the right time. With a commercial framework in place, our goal is to enhance security and support the next generation of payments.”
Encouraging merchant adoption
Visa’s incentives for merchants making the change, which will likely take about four to five years, industry experts say, come in three phases:
1. Beginning Oct. 1, 2012, the company will let qualifying merchants off the hook for the costly and labor-intensive annual chore of validating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Qualifying merchants are those who use the new technology for at least 75 percent of their transactions in a given year and who have terminals that accept both EMV and magnetic-stripe transactions. Merchants will still need to protect any card data they store.
Waiving the validation could be a big incentive for merchants: A study by the Poneman Institute, which conducts research on privacy, data protection and information security, last year found that the largest of the merchants are paying an average of $225,000 each year to undergo this audit — and 10 percent of these businesses are paying $500,000 or more annually.
2. By April 1, 2013, Visa will require firms that handle credit card transactions for retailers to accept merchant chip transactions.
3. By Oct. 1, 2015, liability for fraud will shift. Until now, point-of-sale counterfeit fraud has been absorbed for the most part by card issuers. But under the new system, liability for counterfeit fraud will shift to the merchant’s acquirer (the party, often a bank, that facilitates payments for the merchant) if a contact chip card is presented to a retailer that has not adopted the technology. So credit card processors will have a big incentive to promote the technology to all their merchants — or potentially face huge liability. Fuel vendors will have an additional two years before liability shifts.
“The U.S. is the only country in the world that has not committed to either a domestic or cross-border liability shift associated with chip payments,” Visa said in a press release.
Shifting that liability will go a long way in encouraging merchants to adopt the technology, says Randy Vanderhoof, executive director of Smart Card Alliance Management, a nonprofit agency that promotes smart card adoption in North America and Latin America.
“Merchants have always felt that they share a disproportionate amount of the fraud that they had little control over because issuers were still issuing old magnetic stripe cards, which were being copied and counterfeited,” says Vanderhoof. “They felt (the PCI compliance audit) was a Band-Aid on a bigger problem and until U.S. issuers replaced the vulnerable magnetic stripe cards with chip cards, their fraud losses would continue and their investment in PCI to protect that magnetic stripe data was basically flushing money down the drain.”
Better fraud protection
Part of Visa’s plan is to gradually add layers of security. Although the company plans to continue supporting “static” identification — PIN numbers and signatures — for the near future, the company envisions its payment network converting to dynamic authentication, which makes it harder for a criminal to use a cardholder’s information at point of sale.
Dynamic authentication adds extra protection by making each transaction unique with encrypted information, whereas using a PIN or signature can easily be faked repeatedly once the criminal has the information. Dynamic authentication can also be put into use offline.
“It’s about time,” says George Peabody, Director of Mercator Advisory Group’s Emerging Technologies Advisory Service.
“When you replace a mag stripe card with a smartcard, you virtually eliminate the counterfeit card problem,” says Peabody. “We still need other technologies for security, like encryption and tokenization (replacement of a card number with another non-valid number). Smartcards aren’t the silver bullet but they certainly help a lot … EMV is the global standard … and the U.S. being the largest card market in the world—we’ve been sort of a big hole in the defensive perimeter.”
The technology will also eliminate the travel complications of Americans’ cards being declined when they travel out of the country. Currently, Americans can’t use magnetic stripe cards at many places without attendants, such as train ticket kiosks and gas stations, in other countries.
But paving the way for contactless cards has greater implications as well, such as allowing instant access to medical records or proving identity. “Some day I will be able to tap my health care card against my mobile phone with an NFC reader so I can get access to my medical health records,” Peabody says.
Other card payment giants will likely follow Visa’s lead, adds Peabody, who predicted MasterCard will be next.
American Express, however, says not so fast. A spokeswoman for the company responded in an email that, “There are markets today, like the UK, where we already offer chip-and-PIN. We have not had a large number of our card members in the U.S. requesting cards with chips.”
The NFC factor
Al Vrancart, industry adviser and founder of the International Card Manufacturers Association, says while the Visa move is necessary for the security and global use of U.S. credit cards, it also was necessary for Visa to protect its turf.
MasterCard, for instance, has partnered with Google on NFC payments with the upcoming launch of Google Wallet and mobile service providers are also elbowing their way into the game.
In April, Isis, a coalition of At&T, T- Mobile and Verizon, said it plans to launch mobile payments services next year with major payment networks.
“Visa is obviously under attack from other payment companies that are in their space and now that they’ve got a plan, that will thwart some of the competition,” Vrancart says.