The executives revealed the card brand's security plans at the annual Global Security Summit that Visa sponsors every other year in Washington. The event brings together card and information security executives from retailing firms, Visa issuers and processors as well as the card brand and third-party security firms.
Visa has held the summit every two years since 2005 and has watched its importance grow as the entire card industry has wrestled with the effects of successive card security breaches in recent years. For example, the card brand rolled out the details of how it would implement the agreed-upon card data security standard (PCI DSS) at the 2007 summit, announcing that it would focus first on retailers with the highest number of transactions and then move down through the entire chain of merchants.
That model has dominated the card security landscape and has seemed successful overall, apart from failures such as the recent Heartland Payment Systems breach.
But Ellen Richey, chief enterprise risk officer for the card brand, reaffirmed Visa's support for the security standards at this year's summit in the face of post-Heartland criticism.
"Recent rumblings about the demise of the PCI DSS are not only premature, they are dangerous to long-term security," Richey told participants. "Despite recent negative commentary, the PCI DSS remains an effective security tool when implemented properly. Simply put, it is the best defense against data theft available today. As we've said before, no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."
But as much as she recommitted Visa to the card security standards, Richey also said, as good as PCI DSS is, it alone is not enough, and being validated as compliant with industry data standards on any given day is not enough.
"Let there be no mistake, it's not validation that provides protection; validation is only a snapshot in time, like a financial audit or a health inspector's report. It is the ongoing commitment to maintaining compliance, 24 hours a day, 365 days a year, that protects an organization from suffering a breach," she added.
This approach has put the security burden primarily on merchants and card processors, but Richey and other Visa executives present at the meeting emphasized that their approach going forward would spread the burden out a bit, focusing industry-wide on preventing criminal attacks, protecting the system when they do occur and responding immediately to minimize their impact.
A good start will be to make any stolen card data worthless or nearly worthless to the thief by involving the cardholder in fraud prevention.
"We agree that everyone has a role to play in securing the system, including consumers themselves," Richey told the meeting. "And so, while Visa and its issuers already monitor and risk score transactions, we can achieve even more by providing consumers with additional tools and putting more information in their hands."
The two new tools that Visa is working on are the transaction alert system and the targeted acceptance program.
The transaction alert system is already in beta testing with some Chase cardholders and Chase mobile device users, and Visa anticipates rolling it out to all users sometime toward the end of 2009.
Transaction alert participants will receive near real-time notification of purchase activity via mobile device or e-mail. The consumer can personalize the alerts by transaction size, online purchases or foreign-currency transactions. Armed with this kind of information, cardholders can help monitor usage on their accounts and stop fraud, Richey explained.
Other Visa executives explained the program in more detail. Participating credit unions will provide a link to an enrollment page from their home pages. The enrollment pages will carry the credit union's brand and allow the credit union member to set up the parameters they want for alerts, for example, when a transaction over $100 is made. Then Visa will send an e-mail or text message carrying the credit union's brand to the member, alerting them to the transaction. It will also include an 800 number the member can call to report the fraud right away.
The executives also said the brand had not yet decided if the program would be free to card issuers or whether it would carry a small fee based on the number of enrolled accounts.
The transaction acceptance program is farther from launch. In this program, consumers will also enroll with Visa through their credit union, and Visa will keep their parameters for where and when they want their cards to be used. Businesses already use a variation of this program for controlling employee use of corporate credit cards. A Visa executive said operational issues still had to be worked out to bring it to the level of the individual cardholder.
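As an added illustration of the two consumer tools described above (this is not Visa's code; the rule fields, the shape of the authorisation request and the sample values are all assumptions of this example), here is how cardholder-set alert parameters and "where and when" acceptance rules might be evaluated against a purchase:

```python
from __future__ import annotations
from collections import namedtuple
from dataclasses import dataclass
from decimal import Decimal

# One authorisation request (constructed shape; the real message format is not described on the page).
Transaction = namedtuple("Transaction", "amount currency country card_present local_hour")

# Cardholder-chosen alert parameters, modelled on the three the article names.
@dataclass
class AlertPrefs:
    amount_over: Decimal | None = None   # alert when one purchase exceeds this amount
    card_not_present: bool = False       # alert on online (card-not-present) purchases
    foreign_currency: bool = False       # alert when the currency is not the home currency
    home_currency: str = "USD"

# Hypothetical "where and when" parameters for the targeted acceptance program.
@dataclass
class AcceptRules:
    allowed_countries: frozenset[str] | None = None  # None means anywhere
    allowed_hours: tuple[int, int] | None = None     # (start, end) local hours, end exclusive

def alert_reasons(tx: Transaction, prefs: AlertPrefs) -> list[str]:
    """Cardholder-set conditions this purchase trips; an empty list means no alert is sent."""
    reasons = []
    if prefs.amount_over is not None and tx.amount > prefs.amount_over:
        reasons.append(f"amount {tx.amount} {tx.currency} over {prefs.amount_over}")
    if prefs.card_not_present and not tx.card_present:
        reasons.append("card-not-present purchase")
    if prefs.foreign_currency and tx.currency != prefs.home_currency:
        reasons.append(f"foreign currency {tx.currency}")
    return reasons

def accepted(tx: Transaction, rules: AcceptRules) -> bool:
    """Authorisation-time check: decline outside the cardholder's chosen places and hours."""
    if rules.allowed_countries is not None and tx.country not in rules.allowed_countries:
        return False
    if rules.allowed_hours is not None:
        start, end = rules.allowed_hours
        if not start <= tx.local_hour < end:
            return False
    return True

# Constructed sample: alerts over $100 and for online purchases; card accepted only in the US, 06:00-23:00.
PREFS = AlertPrefs(amount_over=Decimal("100"), card_not_present=True)
RULES = AcceptRules(allowed_countries=frozenset({"US"}), allowed_hours=(6, 23))
GROCERIES = Transaction(Decimal("42.10"), "USD", "US", card_present=True, local_hour=18)
ONLINE_BIG = Transaction(Decimal("249.99"), "USD", "US", card_present=False, local_hour=21)
OVERSEAS_NIGHT = Transaction(Decimal("80.00"), "EUR", "DE", card_present=True, local_hour=3)
```

The alert path only informs the cardholder after the fact, so a stolen card still authorises; the acceptance path declines at authorisation time, which is why it is the harder of the two to bring to individual cardholders.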