Network Security, Security Strategy, Plan, Budget

Visa advises on more secure credit card transactions

Visa has issued a set of best practices for implementing chip technologies, which can be used to better secure debit and credit card transactions.

The document, announced Friday, offers guidance for merchants, card issuers and processors.

News in August that Visa, effective Oct. 1, 2012, was extending its Technology Innovation Program (TIP) to U.S. merchants provided the first real sign that chip technology soon may become a reality here, long after other regional economies, including Europe and Asia, implemented it. EMV, the global standard on which chip technology is based, involves recognizing unique microchips embedded in credit and debit cards to validate that they are legitimate. It has been credited with the declining fraud rates overseas.

TIP eliminates the requirement for U.S. merchants to annually validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS) if at least 75 percent of their Visa transactions originate from chip-enabled terminals. To qualify, retailers must outfit their locations with terminals that accept contact and contactless chips, according to Visa. Other major card brands are expected to follow suit.

But there's a downside for merchants, too. If they fail to implement EMV by 2015, they will be on the hook to recoup customers for counterfeit fraud-related costs, not the banks that issued their cards, as has been the long-standing agreement.

Visa is trying to jumpstart the process with the new guidance. It includes recommendations on how to build and maintain an "always online" infrastructure for authorization and authentication, as well as how to offer flexible verificiation methods, including signatures, no signatures (for low-risk transactions) and PINs.

Avivah Litan, a vice president and distinguished analyst at research firm Gartner, said in a September research note that while EMV adoption will reduce the opportunity for criminals to steal data and create cloned cards, fraud will likely move to other channels, such as to card-not-present environments, like e-commerce.

In addition, merchants won't feel the economic incentives of migrating to the technology for several years, due to the cost of upgrading their point-of-sale terminals, which should cost about $30 or more per device.

"Ultimately, beginning in 2016, all industry players, including merchants will benefit from lower card-present fraud and chargeback costs that they currently absorb, but fraud will undoubtedly migrate to other channels, notably e-commerce, where merchants already pay for the vast majority of fraud and chargeback costs," Litan wrote in a research note.

Meanwhile, some banks, which may be reluctant to dip into their coffers to issue new cards that are compatible with chip terminals, may be able to avoid heavy costs if mobile device payments take off.

Last year, for example, Starbucks launched mobile payments in all of its U.S. stores. Customers download a mobile application, which contains a barcode, and they can pay simply by holding their mobile device in front of a countertop scanner. Sensing that more retailers will adopt such initiatives, the Payment Card Industry Security Standards Council offered an update in June on which types of mobile payment apps meet its requirements. Further guidance is expected.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.