Post-PCI: Visa Experiments With More Secure Card Strategies

Tools

Visa has been experimenting—through retail and processor partners—with several alternative security approaches for its cards, including a challenge and response effort at OfficeMax, a digital card fingerprint-like image at processor Fifth Third and a strict data segregation experiment at McDonalds.

Visa's chief enterprise risk officer, Ellen Richey, said the program is all about looking for the next security approach, to identify ways to develop security measures that are currently not a part of PCI. She said that Visa looks favorably on some form of the chip-and-PIN approach that is used today in the U.K.. ""It's a matter of when we are going to adopt it and how," she said, adding that existing contactless payment trials in the U.S. are based on similar technology. "We fully support this technology (chip) as there are different needs in different parts of the world."

Added Gerry Sweeney, global head, E-Commerce & Authentication at Visa: "We must move from static data to dynamic data, particularly in the area of authenticating consumers and cards."

The challenge and response pilot was started late last year at 100 OfficeMax stores in Illinois, Indiana and Florida, according to OfficeMax Treasurer William Van Orman. "It originally was to be completed by May of this year. It was initially supposed to be a six month pilot, but it was extended by four more months at the request of Visa," Van Orman said.

The trial has cashiers asking consumers a series of rotating questions, including asking them to say their Zip Code, the last four numbers of their home phone number, the last four digits of their cell phone number and their home phone area code, Van Orman said. The trial has had small impacts on store operations, such as requiring disclosure signs near the POS and additional associate training. But Van Orman said his team detected no speed reductions at POS.

Fifth Third Bank, one of the largest card processors, argued that a popular theoretical approach—true end-to-end encryption—is a good idea on paper but it has logistical hurdles that may ultimately make it not viable. "With end to end encryption, there is a tremendous key management issue," said Fifth Third's Don Roeber, vice president and manager of merchant PCI compliance. "It's a significant challenge for (retailers) to manage all those keys. It has some implementation issues."

Instead, he's been pushing—and testing—an approach where the processor can take a digital snapshot of the card's magstripe. "It's like a digital ID. We read that swipe and take a picture. It's like a fingerprint, a DNA print of that card," he said, adding that Fifth Third quietly installed 1,000 specially-designed readers to retailers, saying that it was just part of their normal upgrade process. "It was transparent to the merchant," Roeber said. "When they read that card, not only do they pick up the magnetic strip, the typical sensitive data that we authorize with, but they also pick up that DNA picture and send that along with the authorization message," Roeber said. "Once that card is swiped, the first time that it comes into Visa, we establish a baseline DNA fingerprint for that card at Visa. Once that's established, all subsequent swipes of that card, and other merchants with that same reader, can analyze that swipe. There's tolerance thresholds levels built into the technology to figure out, 'Well, is this really the same card or not?' One thing that I like about this technology is that there's no key management to deal with. From a merchant standpoint, all they have to do is install the new readers."

Still, Roeber said, this approach is based on the assumption that the initial card was legitimate. If it happened to be fraudulent, this approach would unintentionally validate the bogus card. To address that, Roeber said the ideal approach is to create the fingerprint as soon as the card is made. "That DNA could be captured at the point of creating the cards, working with the card that is right off the factory line. The best way is to start (the process) from the issuer. The DNA is captured there."

Fifth Third's trial technology factored in the small changes to a card that come from wear and tear and it estimates those changes given the age of the card. "When you swipe a card time after time after time, you're going to age that strip to a certain extent," Roeber said. "This technology actually takes that degradation into account so you minimize the number of false positives when you swipe those cards."

Over at McDonalds, their trial was less technological than organizational and structural: A complete segregation of all payment data from all other data in the restaurant chain's databases.

"Our point of sale will send a message to a PIN device," which will send the data through to their processor, said McDonalds CIO David Weick. "None of our internal systems will even have access to cardholder data," he said.

The CIO of the $24 billion chain said that although McDonalds is huge—with some 33,000 restaurants around the world—the very high percentage of the restaurants that are owned by franchisees makes IT policy enforcement much more difficult. About 85 percent of all McDonalds restaurants in the U.S. are franchised and that figure drops to only 70 percent globally. "That means that I can't dictate to our franchisees the technology that they are going to put in place. Franchisees may buy into it intellectually, but not necessarily with their pocketbooks." Weick said he'd go the easy route and start his data segregation trials with company-owned stores. Another impact of the franchisee factor, Weick said, is pure ROI. In the U.S., he said, the typical McDonalds brings in about $2.1 million to $2.2 million in revenue per store. "So any solution that I come up with needs to fit within a P&L that starts with a $2.1 million or $2.2 million revenue line. If I come up with something that is way out of line, I have the franchisees who are there to tell me and to describe for me the economics of their business and whether or not it fits," Weick said.

He said that he also needs to be especially sensitive to even slight slowdowns in the checkout process, adding that other retailers are likely going to be somewhat more tolerant.

As part of a general discussion of PCI ROI, Fifth Third's Roeber said that his firm has tried to be more flexible in PCI rulings, with an eye on minimizing material risk as opposed to trying to unrealistically avoid all risk. He cited an example of a retailer who was being assessed about a year ago.

"Say they lost power or lost connectivity at one particular store. Their terminals would go into a store and forward mode, holding onto this data until a connection could be made again. During this period, these transactions were being stored in the clear. That's a problem. That's not in compliance with the PCI data security standards," Roeber said. "The assessor was really taking a hard line, saying that you have got to upgrade every one of your terminals in your entire environment to a terminal that will encrypt this data." That's when Roeber said he got involved. "If Store A loses connectivity, no one can connect to that terminal because it's not connected to the Internet. Once it does connect, it will be immediately be shipped on out for authorization. So I thought, 'the only risk here is that you might have a store employee that recognizes this particular risk and figures out a way to extract data off that terminal.' You're really talking 40 or 50 transactions at the max. I thought, 'That's a pretty small risk. That risk was not material.'"