-
Visa Inc. plans to accelerate the U.S. migration to EMV contact and contactless chip technology, the card brand announced Aug. 9.
August 9 -
Citi plans to issue chip-based EMV credit cards later this year.
July 18 -
Visa Inc. will no longer require merchants outside the United States to validate annually their compliance with the Payment Card Industry Data Security Standard — provided that 75% of their transactions come from EMV chip-and-PIN cards.
February 9 -
The growing adoption of contactless payment cards in the United States could open the door to a more fraud-resistant — and until now, expensive — security format that has taken off almost everywhere but here.
January 30
Visa Inc. has introduced a series of incentives to spur the U.S. to adopt chip cards – a change once considered as likely as the country switching to the metric system.
The U.S. has lagged in its adoption of the EMV Integrated Circuit Card Specifications, commonly called chip-and-PIN, which many countries use to improve security at the point of sale. Skeptics have said the U.S. banking system is too fractured to support a widespread shift to the standard, and that the cost for merchants is too high to justify installing new terminals. Now Visa says U.S. banks and merchants are ready to make the switch, and on Tuesday it set its first deadline just over a year away.
"Two years ago, over a third of the population [of bank card security professionals] said that EMV would never get here," says Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC. "I would have been one of [them]."
But this year, that number dropped to 17%, spurred by a number of events, she says.
For one, enough major banks have agreed to issue EMV cards to finally move the country toward widespread acceptance.
This year, Wells Fargo & Co., JPMorgan Chase & Co., U.S. Bancorp and Citigroup Inc. have committed to issuing EMV-equipped cards, at least to travelers.
"We have seen so many factors change in the last two years," McNelley says. "Visa wouldn't have been able to push through an edict like this unless they had the majority of the issuers on board."
Merchants are also more outspoken about wanting to use chip cards to combat fraud, she says.
By Visa's October 2012 deadline, any merchant that accepts 75% of its annual Visa transactions through a terminal that can handle contact and contactless chip transactions will not have to validate compliance with the Payment Card Industry Data Security Standard.
"The costs [of PCI validation] can be significant," says Eduardo Perez, the head of Visa's global payments risk group. It costs some merchants $500,000 a year to perform the assessments, he says.
Visa is also trying to lay the groundwork for mobile payments acceptance. The systems it is testing rely largely on the contactless payments infrastructure, and "we're seeing a tremendous interest in mobile payments," Perez says.
When upgrading terminals, adding chip acceptance can cost just $30 more a unit, he says. This does not include other infrastructure expenses, Perez says, but the point is that the validation waiver addresses the concerns merchants expressed over upgrade investments.
The waiver offer in the U.S. is an extension of the Technology Innovation Program, which Visa introduced in other countries in February. The U.S. was excluded then because of regulatory uncertainty, but that settled somewhat after the Federal Reserve Board announced its cap for debit interchange rates, as required under the Durbin amendment to the Dodd-Frank Act.
By April 2013, U.S. "acquirer processors and sub-processor service providers" must support chip transactions. Perez says this is the only mandatory part of Visa's effort to spur chip card adoption.
And by October 2015 liability for fraudulent transactions on chip cards will in most cases shift from issuers to merchant acquirers if the merchants do not have chip-accepting terminals for contact cards. Issuers currently bear the liability, and would remain liable for fraud on contactless cards. Gas stations have until October 2017 until the liability shift takes effect.
"The liability shift has been the most traditional and effective" method of encouraging EMV acceptance in other countries, Perez says.
Visa did not outline specific incentives for issuers, but Perez says criminals will realize that those banks that do not issue chip cards are easier targets.
The main security benefit of the EMV standard, in contact and contactless form, is the addition of dynamic data, he says. Card data on magnetic stripes does not change, so it is easy to create a cloned card from copied data.
The data provided by EMV cards changes each time the card is used and this data cannot be reused, Perez says. The recent surge in newsworthy data breaches "just created even more of a reason to adopt dynamic authentication," he says.
Visa's incentives address cards used at the point of sale, though Visa plans to expand the program to other types of payments.
"When we're talking about dynamic authentication, we also do include card-not-present as part of that strategy," says Mark Nelsen, Visa's senior business leader for fraud risk products.
Nelsen says dynamic data would be used in digital wallets, but he would not go into detail about how Visa plans to use dynamic data for other card-not-present transactions. One example is SecureKey Technologies Inc. of Toronto, which offers a USB stick to enable contactless payments online by translating the dynamic data into something that could be sent in place of the card's printed security code.
That method does not require any changes on the merchant's part. Nelsen says Visa's approach would also not require e-commerce merchants to make changes.
Visa says that merchants are interested in using chip cards to improve security, but one observer says the card brand's approach places too much burden on the merchant.
"Everything about this program is really good, it's better security, but the merchants ... are always getting the short end of the stick," says Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc.
The details of the liability shift are "the most controversial thing" in Visa's program, she says.
Visa says that it does not require the use of a PIN with EMV cards.
"I am concerned by their continuing reliance on signature as an authentication method," says Mallory Duncan, general counsel for the National Retail Federation.
Smaller merchants will have to pay more than Visa's estimated $30 to upgrade their terminals, he says.
The PCI standard also remains a moving target, even for merchants who no longer have to validate their compliance, Duncan says. "In the past, PCI has shown an infinite ability to inflate its requirements," he says.
Perez says that Visa did not work with the other card networks in designing these programs.
A MasterCard spokesman said by email that it is involved with several U.S. chip card issuers, including Citi.