Visa Says New Chip Cards Won’t Need Off-Line PINs
Visa USA has made some recommendations for how to implement the shift from magnetic stripe payment cards to those which use a chip for authentication. And a Visa executive predicted the technology will have become a standard payment method by 2015.
The broadly written guidelines for implementing the technology are intended for card issuers, chip card transaction acquirers, chip vendors, chip card vendors, chip terminal vendors and chip card personalization bureaus. Stephanie Ericksen, head of authentication product integration for Visa, explained they were aimed at both clearing up misconceptions about the technology and assisting in the first part of the brand's implementation plan.
The chief misconception that Visa appears primarily concerned with dispelling is that the new cards will carry both a chip and an off-line personal identification number.
The difference between an online and off-line PIN is that an online PIN is not stored on the card. Once the cardholder enters the PIN at the point of sale terminal, the PIN is encrypted by the PIN pad and sent online to the host for validation, similar to how PIN debit transactions are authorized today.
In an off-line PIN situation, the PIN is stored securely on the chip card and during a transaction, when the cardholder enters the PIN, the POS terminal sends the PIN to the chip card for verification. The cardholder verification therefore takes place within the chip card.
“One thing that’s clear from the questions is that there’s a lot of confusion around the myth that EMV means chip-and-PIN. It doesn’t in many countries, including the U.S.,” Ericksen wrote in an online entry about the recommendations. “That’s because, in the U.S., we can rely on online processing where transactions are transmitted in real-time to the issuer for approval. With that in place, there’s no need for the off-line authentication that was the genesis of chip-and-PIN.”
The card brand announced it was prepared to start supporting the use of chips in payment cards in the U.S. in August 2011.
“All chip transactions should leverage the robust, real-time online infrastructure for authorization and authentication,” Visa wrote in the guidelines. “The U.S. has a zero floor limit; therefore, nearly 100% of all transactions are authorized online in real time. Also, many U.S. issuers use host-based fraud mitigation tools enabled by online, real-time authorization. The existing online infrastructure should be used to optimize chip transaction processing in the U.S.,” the card brand wrote.
Visa added that it will also continue to support other ways of verifying cardholder identity for transactions, including signature, online PIN and no signature for low-value, low-risk transactions. Visa will not require a chip-and-PIN approach in the U.S. Instead, stakeholders will have the flexibility to choose which cardholder verification methods (CVMs) to support, the brand added.
Ericksen said that since it indicated it would support the new technology in the U.S., the card brand has been focusing on building the infrastructure to allow more terminals and merchants to accept the cards.
Ericksen described this process as being more akin to renovating a house than tearing one down and rebuilding it. She described the necessary changes as additions to different parts of the acceptance and processing technology to allow them to carry the additional data from the smart card transactions.
“Card processors are already transmitting a good deal of data,” Ericksen observed, explaining that phase one is a matter of making sure they have the additional slots needed for the smart card data.
She also explained that the costs of the technology have largely been falling as more retailers, acquirers and processors have adopted it, but said that the costs of point-of-sale terminals that can handle both smart card payments and mobile payments have remained higher.
When Visa announced that it would support the smart card technology, Ericksen noted that the greatest relief from PCI card data security compliance would come to retailers that installed terminals that accept both smart cards and mobile payments. The brand hoped that savings from easing PCI compliance would be enough to offset the additional costs of terminals that accepted both smart card and mobile payments.
Ericksen said that once the acceptance infrastructure was in place, the brand would rely on issuers to handle introducing the technology to consumers and she predicted it would not be too hard to do. A number of issuers, including some credit unions, have already begun making the smart cards available to cardholders who travel overseas, she noted, and the card brand has heard that friends and family members of those cardholders have also approached their institutions seeking the cards.