Visa's new approach will also likely spell the end—within about five-to-seven years—of mag-stripe cards in the U.S., a move that many payment security advocates say is years overdue. To make all of this happen, Visa is bringing its global EMV incentive program—officially the Technology Innovation Program (TIP)—to the States, along with its PCI-relaxation components. (PCI relaxation? There are two words I never expected to see used consecutively.) This means chains that start using specific EMV chip-enabled terminals (and use them to process at least 75 percent of all Visa transactions) will be permitted to forego the annual compliance validation nightmare. But Visa has added such a lengthy list of qualifiers and exceptions to the program—along with the practical fact that some chains will opt to do the assessments anyway, for pure security purposes—that it's not clear how many chains will find that incentive compelling enough to do massive hardware swaps.
(See PCI Columnist—and QSA—Walt Conway's column about how this move will impact PCI enforcement.)
Beyond an easing of PCI assessments—to be clear, though, Visa stressed that all other PCI rules will still apply—the new effort will also promise the same liability shift that Canada and parts of Europe now enjoy. That shift—effective Oct. 1, 2015, for all retailers except gas stations, which were given an extra two years—makes retailers fully responsible for any losses from the acceptance of fake cards unless a Visa-accepted EMV terminal is used. If it is, the liability then stays with the card issuer. That liability shift is likely to be a much more compelling incentive than the PCI change. Together, though, it's a powerful move that gives mag-stripes little hope of long-term survival.
On the surface, the move seems like a clean security upgrade. Clearly, it is. Although EMV has certainly had its share of recent security problems, few argue that it is not an order of magnitude more secure than today's plastic mag-stripe card. EMV is hardly perfect, but it's certainly a sharp improvement.
This shift, though, goes far deeper than security. Visa is painting the move as being a bridge to imminent mobile payments. That's absolutely true, but the move is not going to favor all mobile-payment approaches equally. By strengthening its payment network and strongly motivating retailers to upgrade hardware to devices that can handle both contact and contactless chips, along with dynamic authentication, Visa accomplishes two things.
First, it will make it much easier for retailers to push all mobile transactions through the new EMV terminals. That would potentially make much less relevant the phone-based security modules from mobile-payments efforts such as Google. By remarkable coincidence, Visa was noticeably absent from the Google Wallet rollout.
Second, this is a clever play in the battle to, if you will, control the mobile conversation. More precisely, it's a play to control the mobile environment. Randy Vanderhoof, executive director of the Smart Card Alliance, said negotiations between Google and Visa have devolved into gamesmanship about who would be dominant in any type of mobile alliance.
"There's a tension between who's going to be the landlord and who's going to be the tenant in the mobile phone," Vanderhoof said. "Visa's strategy is that they want to be the landlord where they can."
Put another way, Visa wants the core mobile transactions to be running over the Visa network, with the security under the control of the card brand.Put another way, Visa wants the core mobile transactions to be running over the Visa network, with the security under the control of the card brand. All mobile players—including Google, Apple, PayPal and ISIS—would then pay rent, if you will, to Visa. Hence, Visa is acting as landlord.
Google, however, has something else in mind. It wants the security and main data-crunching functionality to reside in—and be dependent upon—its Android phones. It controls the environment, and everyone has to work through Google to get access to those consumer transactions. Hence, Google will be the landlord.
"Google's approach is to be the landlord and be the wallet and manage the secure element," Vanderhoof said. "Google will set the rules for who is going to have access to the secure element."
In that light, Visa's move is quite clever. While improving payment security, it's pushing retailers to upgrade hardware right away and to therefore make it that much easier for mobile transactions to run over the existing network. Indeed, Visa could argue its new EMV-enabled dynamic values approach will make Google's secure element much less of a differentiator. Would it make it irrelevant? Probably not, but it would certainly blunt its value-add. And it's all done while making a move that security advocates have begged for for years. Not bad.
Google spokesperson Nate Tyler wouldn't comment on the Visa-Google interactions, other than to say, "We believe the variety of players in this market speaks to the promise of mobile wallets."
Gartner Security Analyst Avivah Litan said she also sees the move as supporting a more Visa-friendly mobile reality.
"Rather than spend the money issuing new smart EMV chip cards to their customers, the issuers can rely to a large extent on consumer-owned mobile phones that are capable of transmitting NFC-based EMV payments. This will enable the card issuers and Visa to compete much more forcefully in the mobile-payments world and not necessarily have to concede market leadership to non-bank players like Google and Apple," Litan said. "The latter companies can benefit from the merchant terminal hardware upgrades done for Visa EMV payments. But if they use different, non-EMV payment instruments and standards, they will have to figure out the complex logistics and incentives involved in activating merchant payment terminals with their own message formats and routing the payments to their own payment ecosystems."
Getting back to the PCI changes from Visa, one drawback to the move is that removing responsibilities surrounding Visa transactions does little good unless MasterCard and, to a lesser extent, American Express and other card brands join in. As a practical matter, though, MasterCard and Amex have little reason to fight such a move and are almost certain to join before the Visa deadline.
MasterCard spokesperson Seth Eisen said the brand is considering its options. "To date, consumer demand and market economics have not justified a migration in the U.S. We are helping our customers understand what the implications of EMV and other technologies in the U.S. would be," Eisen said. "Any migration must take into account all customer and consumer interests if a collective effort is to be successful. Obviously, Visa's decision will impact market direction and we will continue to consider our actions accordingly."
Eisen also added the obligatory mom-and-apple-pie comment: "MasterCard remains focused on working with issuers and merchants to drive electronic payments forward, maximizing investments in security and fraud prevention to enhance the value, integrity and the global interoperability of our network." (No need at all to thank me for sharing.)