WASHINGTON -- In the wake of a wave of card security breaches that have cost many issuers tens of millions of dollars, two messages came through loudly at Visa USA's Maintaining Trust in Payments conference on card security, which the card brand hosted free to most participants in Washington, D.C. on Mar. 8.
First, that the card brand understands the importance of getting the card security program under control and appreciates how much the waves of card data security breaches have undermined consumer confidence in cards already.
Second, even as it announced different ways it would change its business practices to counter the card fraud problem, Visa emphasized that solving the problem of card data security will require the cooperation of every part of the card payments system.
Visa CEO John Phillip Coughlin laid out these two themes when addressing the conference, arguing the case that changes in technology and policy were going to be necessary in the fight against credit card fraud.
One key technological change will be the migration of some of the dynamic card systems from contactless card technology, where it is used already, to general card use. Dynamic data systems like dynamic card verification value, or DCVV, work by assigning a unique value to each card transaction, thus identifying it and rendering any record of it useless as a source of information for future card data frauds.
The key policy change could also have been borrowed from NCUA. Visa will begin working with merchants and processors to base its card fraud prevention efforts on risk-based evaluations.
"Today, more than 80% of the dollars lost to fraud come from just 20% of fraudulent transactions," Coughlin said. "By singling out the highest-risk transactions, we can apply targeted security solutions in those areas--and knock out a disproportionate amount of fraud. This approach helps us to get the most out of each dollar we invest in security and very importantly it will achieve results faster." New Technology: Chip and PIN Light?
The new technology Coughlin mentioned is called dynamic data or dynamic card verification. Essentially, through a combination of changes to the card's magnetic stripe as well as the card reader, each transaction with that card is assigned a unique card transaction value. Even if a thief were later able to hack into a computer and download the card transaction data, the data for each card transaction could not be used again to authenticate new transactions.
In fact, the attempted use of the compromised card data would alert Visa to the fact that there had been a breach and specifically as to where and when it had occurred, explained Brian Tripplet, Visa's senior vice president of emerging product development.
In approach, the DCVV resembled the card verification value system that is currently in use, but unlike the contemporary system that relies on static CVV codes, which once compromised remain compromised, the DCVV approach would essentially present would-be thieves with a moving target and make breaking into card files tremendously less profitable.
As an advantage, the new technology would be a major advance in what many card security experts describe as an "arms race" between the card industry and thieves and could significantly reduce fraud. But as a disadvantage, Triplett acknowledged that the new technology would need changes to cards and to card readers, raising concerns about the cost of the new approach.
Another disadvantage is that the technology is not really ready yet for widespread use on traditional cards. The DCVV technology is already in place for contactless transactions, with microchips embedded in the devices and responders in the readers, but the technology is still being tested for the use in mainstream cards. Visa expects to have it up and ready to roll out in a matter of months.
The question of cost and adoption of the new technology is where the second key theme, the notion of risk-based fraud prevention, comes in, explained Triplett. Whereas another approach, such as using a combination of microchip and personal identification numbers which has been in place in the U.K and is being put into place in Canada, would require widespread and very expensive changes across most or all of the industry, the risk-based approach would focus the effort on those parts of the retail and card space where fraud is most prevalent, Triplett explained.
"The likelihood would be that we would start with retailers who are selling the items which can be easily fenced and which are very popular with card thieves," Triplett said. "These sectors would be the first ones who would get the DCVV readers and only gradually would they migrate into the rest of the industry."
Triplett indicated that electronics retailers and jewelry stores would be among the earliest to get the new technology and that retailers who needed help with the cost of the new readers would probably receive it. The first DVCC ready cards would likely come from the biggest issuers first and then flow to the processors. Will it Be Enough?
But while credit union participants in the summit said they welcomed Coughlin's approach, they added that it seemed most likely that, eventually, the U.S. industry is going to have to adopt the Chip and PIN approach.
"When you consider that Chip and PIN is migrating through Europe and now into Canada, the U.S. market will just keep standing out more and more as the place in the world which does not have it," said Connie Trudgeon, vice president for operations for CO-OP Financial Services. "I think that the U.S. will eventually have to adopt it."
Trudgeon also said that she appreciated Visa taking the steps to indicate how significantly it takes the fraud losses and to fight them and she agreed with the notion that the issue goes to everyone, not just the card brands. She expressed disappointment, for example, that there was not more participation from merchants in the summit, though she said that she was not surprised by the figures on how many merchants have satisfied the minimum card security requirements (see sidebar).
No credit union participants were on the summit\'s panels. They consisted mostly of industry security experts, along with some large issuers and government officials.
Jim Hanisch, senior vice president with CO-OP, put the summit and the question of credit union participation in the broader context of Visa's restructuring from an association to a publicly traded company and the preparation for the initial public offering of stock. In the face of these developments, Hanisch said, it was not surprising the card brand sought to both try to work on the fraud problem and not to rock too many boats in doing so, such as a wholesale move to Chip and PIN might do. --firstname.lastname@example.org