WASHINGTON -- In the wake of a wave of card security breaches that have cost many issuers tens of millions of dollars, two messages came through loudly at Visa USA's Maintaining Trust in Payments conference on card security, which the card brand hosted free to most participants in Washington, D.C. on Mar. 8.

First, that the card brand understands the importance of getting the card security program under control and appreciates how much the waves of card data security breaches have undermined consumer confidence in cards already.

Second, even as it announced different ways it would change its business practices to counter the card fraud problem, Visa emphasized that solving the problem of card data security will require the cooperation of every part of the card payments system.

Visa CEO John Phillip Coughlin laid out these two themes when addressing the conference, arguing the case that changes in technology and policy were going to be necessary in the fight against credit card fraud.

One key technological change will be the migration of some of the dynamic card systems from contactless card technology, where it is used already, to general card use. Dynamic data systems like dynamic card verification value, or DCVV, work by assigning a unique value to each card transaction, thus identifying it and rendering any record of it useless as a source of information for future card data frauds.

The key policy change could also have been borrowed from NCUA. Visa will begin working with merchants and processors to base its card fraud prevention efforts on risk-based evaluations.

"Today, more than 80% of the dollars lost to fraud come from just 20% of fraudulent transactions," Coughlin said. "By singling out the highest-risk transactions, we can apply targeted security solutions in those areas--and knock out a disproportionate amount of fraud. This approach helps us to get the most out of each dollar we invest in security and very importantly it will achieve results faster."

New Technology: Chip and PIN Light?

The new technology Coughlin mentioned is called dynamic data or dynamic card verification. Essentially, through a combination of changes to the card's magnetic stripe as well as the card reader, each transaction with that card is assigned a unique card transaction value. Even if a thief were later able to hack into a computer and download the card transaction data, the data for each card transaction could not be used again to authenticate new transactions.

In fact, the attempted use of the compromised card data would alert Visa to the fact that there had been a breach and specifically as to where and when it had occurred, explained Brian Triplett, Visa's senior vice president of emerging product development.
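
The replay behaviour described above can be sketched as follows. This is an added illustration, not code from the article and not Visa's DCVV algorithm, which the article does not specify: the HMAC construction, the per-card counter, the merchant names and the sample card number and key are all assumptions made for the example.

```python
import hashlib
import hmac

def dynamic_value(card_key: bytes, pan: str, counter: int) -> str:
    """Three-digit value bound to one transaction counter (illustrative HMAC scheme)."""
    digest = hmac.new(card_key, f"{pan}|{counter}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Card side: holds the secret key and a counter that advances on every use."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def present(self) -> dict:
        self._counter += 1
        return {"pan": self.pan, "counter": self._counter,
                "value": dynamic_value(self._key, self.pan, self._counter)}

class Issuer:
    """Issuer side: recomputes the value and remembers where each counter was used."""
    def __init__(self):
        self._keys, self._seen, self.alerts = {}, {}, []

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key

    def authorize(self, txn: dict, merchant: str) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined"
        expected = dynamic_value(key, txn["pan"], txn["counter"])
        if not hmac.compare_digest(expected, txn["value"]):
            return "declined"
        slot = (txn["pan"], txn["counter"])
        if slot in self._seen:
            # Replayed record: flag the merchant where this record was first used.
            self.alerts.append({"pan": txn["pan"], "counter": txn["counter"],
                                "first_seen_at": self._seen[slot], "replayed_at": merchant})
            return "replay"
        self._seen[slot] = merchant
        return "approved"

def demo() -> tuple:
    key, pan = b"constructed-demo-key", "4000000000000002"  # constructed sample values
    card, issuer = Card(pan, key), Issuer()
    issuer.enroll(pan, key)
    first = card.present()
    results = [issuer.authorize(first, "electronics-store"),      # genuine purchase
               issuer.authorize(dict(first), "unknown-terminal"),  # stolen record reused
               issuer.authorize(card.present(), "jewelry-store")]  # next genuine purchase
    return results, issuer.alerts

if __name__ == "__main__":
    print(demo())
```

The alert carries the merchant where the replayed record was first used, which is the "where and when" signal the paragraph describes; a static CVV gives the issuer no equivalent signal because every copy of it looks the same.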

In approach, the DCVV resembled the card verification value system that is currently in use, but unlike the contemporary system that relies on static CVV codes, which once compromised remain compromised, the DCVV approach would essentially present would-be thieves with a moving target and make breaking into card files tremendously less profitable.

As an advantage, the new technology would be a major advance in what many card security experts describe as an "arms race" between the card industry and thieves and could significantly reduce fraud. But as a disadvantage, Triplett acknowledged that the new technology would need changes to cards and to card readers, raising concerns about the cost of the new approach.

Another disadvantage is that the technology is not really ready yet for widespread use on traditional cards. The DCVV technology is already in place for contactless transactions, with microchips embedded in the devices and responders in the readers, but the technology is still being tested for use in mainstream cards. Visa expects to have it up and ready to roll out in a matter of months.

The question of cost and adoption of the new technology is where the second key theme, the notion of risk-based fraud prevention, comes in, explained Triplett. Whereas another approach, such as using a combination of microchip and personal identification numbers, which has been in place in the U.K. and is being put into place in Canada, would require widespread and very expensive changes across most or all of the industry, the risk-based approach would focus the effort on those parts of the retail and card space where fraud is most prevalent, Triplett explained.

"The likelihood would be that we would start with retailers who are selling the items which can be easily fenced and which are very popular with card thieves," Triplett said. "These sectors would be the first ones who would get the DCVV readers and only gradually would they migrate into the rest of the industry."

Triplett indicated that electronics retailers and jewelry stores would be among the earliest to get the new technology and that retailers who needed help with the cost of the new readers would probably receive it. The first DCVV-ready cards would likely come from the biggest issuers first and then flow to the processors.

Will it Be Enough?

But while credit union participants in the summit said they welcomed Coughlin's approach, they added that it seemed most likely that, eventually, the U.S. industry is going to have to adopt the Chip and PIN approach.

"When you consider that Chip and PIN is migrating through Europe and now into Canada, the U.S. market will just keep standing out more and more as the place in the world which does not have it," said Connie Trudgeon, vice president for operations for CO-OP Financial Services. "I think that the U.S. will eventually have to adopt it."

Trudgeon also said that she appreciated Visa taking steps to indicate how seriously it takes the fraud losses and to fight them, and she agreed with the notion that the issue goes to everyone, not just the card brands. She expressed disappointment, for example, that there was not more participation from merchants in the summit, though she said that she was not surprised by the figures on how many merchants have satisfied the minimum card security requirements (see sidebar).

No credit union participants were on the summit's panels. They consisted mostly of industry security experts, along with some large issuers and government officials.

Jim Hanisch, senior vice president with CO-OP, put the summit and the question of credit union participation in the broader context of Visa's restructuring from an association to a publicly traded company and the preparation for the initial public offering of stock. In the face of these developments, Hanisch said, it was not surprising the card brand sought both to work on the fraud problem and not to rock too many boats in doing so, such as a wholesale move to Chip and PIN might.
