Visa won't budge on fraud liability shift deadline

Visa has no intention of extending the October fraud liability shift deadline for EMV chip cards.

The credit and debit card network will continue its rollout plan for EMV even though a majority of retailers and some banks won't be ready for it in October. That's when lagging retailers or banks will assume liability for fraudulent card use depending on who is least prepared to accept the EMV chip cards.

Many in the retailing universe have called for this deadline to be extended, but Eduardo Perez, Visa's senior VP of risk services, said there will be no delay in Visa's Oct. 1, 2015 deadline. Other networks have broadly stated that "October, 2015" is their deadline.

"Visa laid out our U.S. EMV chip roadmap in 2011 and we remain committed to that roadmap," Perez said in a video interview recorded at last week's RSA Conference. "We know that based on how we've rolled out the EMV chip in other markets that we won't see all merchants chip-enabled by the liability shift date. We are aware of that.

"We do see that over time, as the liability shift takes effect, the merchants and acquirers and issuers have a strong incentive to deploy the technology. There is no mandate to deploy the technology, and we believe that the liability shift will act, as it has acted in other markets, to incent merchants to deploy the technology."

There has been a heated debate over whether the EMV chip cards should be verified at the point-of-sale by a signature or personal identification number. "It is important to know that we provided issuers and merchants a choice on the cardholder verification method that they want to accept," Perez said. "About half of the merchants in the United States today do not accept PIN, so we want to make sure that we are providing cardholder verification methods that meet the needs of the merchant community, and a large portion of the U.S. merchant community does not accept PIN."

Secondly, Visa does not have a lost-and-stolen liability shift that merchants will be subject to. "So from their perspective, they aren't going to be subject to any liability repercussions if they don't do PIN, or if they do not wish to do PIN," Perez said. "Our goal over the long term has been to find solutions that will not cause consumers to invoke a static PIN that we know criminals covet and can be compromised. We are continuing to look for innovative ways to provide other cardholder verification methods, such as we've seen with the deployment of Apple Pay."

Consumers use their fingerprint to activate the device, which is a form of cardholder verification that does not require the cardholder or customer to put their PIN in a PIN pad.

Shoppers who can't remember their PIN at the POS present another issue. "One of the common struggles I have with any password is I forget it, so I am constantly having to reset it on any website that I go to, and we do know that is a challenge," Perez said.

Visa, along with the rest of the payments industry, is developing network solutions that manage risk at the core of the network rather than rely on individuals at the edge of the network to use things like user names, passwords and PINs that require that the retailer or other entities protect that data.

"Some of the network solutions that we have focused on from a Visa perspective are deploying enhanced analytical models that help issuers and merchants to score transactions for possible fraud," Perez said. "Those models have turned out to be very effective in helping both issuers and merchants to mitigate fraud."

Another example is geolocation. "Now that every consumer has a mobile phone in their pocket, we are trying to leverage that information so we can provide that additional data point as part of the risk scoring of the transaction," Perez said, adding that tokenization and encryption are also being implemented to improve security.

Alerts based on parameters set by the consumer can be sent as soon as a transaction is complete, providing another layer of security.

"... There are going to be a plethora of very robust solutions that are going to be provided to consumers and will continue to grow and expand and help consumers to better manage risk, while empowering them as well," Perez said.

For more:
-See this Information Security Media Group video interview
-See this Visa merchant EMV readiness guide
-See this EMV migration timeline

Related stories:
The importance of pushing back the EMV fraud liability shift deadline
Banks worried that retailers won't be ready for EMV
Many banks won't be fully ready for October EMV deadline
Card issuers ramp up for EMV, retailers lag
EMV cards to see heavy use by year's end