Will Visa's Support For EMV Mean Fewer QSAs?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Visa had its own version of "patch Tuesday" this week, when it released four bulletins announcing its plans to accelerate the adoption of EMV (named after its founders: Europay, MasterCard and Visa) chip technology in the U.S. market. A planned liability shift will have retailers looking at their technology budgets. But perhaps the most interesting point (from a PCI perspective) was its announcement that "Visa will waive PCI DSS compliance validation requirements" if merchants have the right POS devices. Did we just hear Visa announce the end of the QSA Full Employment Act, a.k.a. PCI compliance validation? And if Visa did make that announcement, are MasterCard, American Express and Discover likely to follow suit?

As usual, to qualify for any benefits, merchants and acquirers need to invest in their POS and back-office systems. But to make that investment pill easier to swallow, Visa is offering an incentive. And that incentive for merchants to make this investment appears to be quite substantial (it may also have me and some of my colleagues wondering if we'll be looking for work next year). Specifically, effective October 2012, Visa is extending its Technology Innovation Program (TIP) to the U.S. market. That means Visa will "waive PCI DSS compliance validation requirements" for any year in which at least 75 percent of a merchant's Visa transactions originate from dual-interface, EMV chip-enabled terminals.

(See our news story companion to this column: Is Visa Using EMV To Rig The Mobile Game?)

Notice Visa is not saying that 75 percent of transactions have to be on EMV chip cards. TIP only requires that 75 percent of transactions—whatever cards are used—have to be on dual-interface terminals. Here is the fine print. If terminals process only Chip-and-PIN or contactless cards (i.e., not both), then the merchant cannot qualify for TIP. The terminals must be "dual-interface," meaning they can process both EMV chip and NFC transactions. Also, the merchant's and the acquirer's back-office systems have to support dynamic authentication.

Visa is by no means saying merchants can ignore PCI. Merchants must maintain PCI compliance. For example, to participate in TIP, merchants need to have validated their compliance within the last 12 months and confirm they do not store sensitive authentication data (e.g., the security codes or PIN data). If a merchant suffers a data breach, it will need to revalidate its PCI compliance to get back into the program.

What TIP says is that after next October, a merchant meeting the program requirements does not need to re-validate its compliance. In other words, participating merchants are on the honor system for PCI. They neither need a QSA to assess their compliance, nor do they even need to file a self-assessment questionnaire (SAQ). In the past, when the card brands wanted merchants to introduce new technology, they offered incentive (i.e., lower) interchange rates. This time, Visa is offering no interchange fee discount. Instead, the incentive is the opportunity for Level 1 and some Level 2 merchants (those with more than one million Visa transactions a year) to reduce the cost of their outside assessment. Bottom line: TIP doesn't cost Visa or its issuers a penny.

Before, issuers paid for merchants to implement new technology (e.g., TIIF and TIIF2 incentive interchange rates). Now they are saying, "Hey, we'll keep the interchange but save you having to pay QSAs. But if you get breached, the same fines apply." Neat. They're transferring who pays.

It is unclear what benefits TIP holds for small and midsize merchants. These merchants self-assess their compliance. If they hire a QSA, it usually is to consult on improving their security, so TIP by itself may not be a particularly significant incentive for these merchants to make the investment in EMV compatibility.

A separate bulletin announced a liability shift that was similarly designed to stimulate implementing an EMV infrastructure. It is this liability shift that may prove to be the incentive that gets every merchant to move.

Effective October 2015, the liability for any U.S. counterfeit transaction (domestic or cross-border) will shift to "the party that is the cause of a chip-on-chip transaction not occurring." That means a merchant or acquirer that does not make the investment in EMV dual-interface terminals and infrastructure, or an issuer that does not move to chip cards, will be on the hook financially for counterfeit card-present fraud.

This point is worth repeating: Merchants, acquirers and issuers that are not capable of processing EMV chip transactions in four years will eat the counterfeit POS fraud losses. Here's my simple-minded interpretation of the liability shift: Every cardholder in the U.S. will have an EMV chip card in about four years.

The three themes in Visa's plans are improving security, speeding the acceptance of mobile payments and accelerating changes in the U.S. infrastructure to enable EMV technology.

Security is improved because dynamic authentication can reduce card fraud, at least at the POS. Without going into a lot of detail, dynamic authentication means the payment device (i.e., a chip card or smartphone with NFC) generates a unique cryptogram for each transaction, computed over the transaction data with a key that never leaves the chip. A captured authorization message therefore cannot simply be replayed, and the data on it cannot be used to build a working counterfeit card. Compromised card data will have much less value, at least in a POS environment.

Dynamic authentication is not possible with a (static) magnetic stripe, hence the push to move to chip cards and NFC-enabled devices like smartphones. What Visa is doing is providing an incentive for U.S. card merchants to implement the POS infrastructure that will enable dynamic authentication and, thereby, enable mobile commerce while reducing POS fraud.
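To make the difference between static and dynamic authentication concrete, here is an added example that is not part of the original column and does not implement the EMV specification: a deliberately simplified card/issuer model in Python. Real EMV cards compute an Application Request Cryptogram (ARQC) with a 3DES or AES MAC under a session key derived from the card master key and the Application Transaction Counter (ATC); this toy uses HMAC-SHA256 as a stand-in so it runs on the standard library alone. The PAN, track-2 string, amounts and field layout are constructed for the example. It shows why a skimmed mag-stripe track replays indefinitely while a captured chip authorization message is rejected on replay, on tampering, and when forged without the card key.

```python
"""Toy static-vs-dynamic POS authentication model (illustration only; not EMV)."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


def card_mac(key: bytes, *fields) -> bytes:
    """HMAC-SHA256 over the pipe-joined fields, truncated to 8 bytes.
    Assumption: stands in for the EMV 3DES/AES application cryptogram MAC."""
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    """Card side. The key never leaves the chip; the ATC increments per transaction."""
    pan: str
    key: bytes
    atc: int = 0

    def generate_arqc(self, amount_cents: int, unpredictable_number: int) -> Dict:
        self.atc += 1
        arqc = card_mac(self.key, self.pan, amount_cents, unpredictable_number, self.atc)
        return {"pan": self.pan, "amount": amount_cents, "un": unpredictable_number,
                "atc": self.atc, "arqc": arqc}


class Issuer:
    """Issuer host: holds card keys, tracks the last ATC seen, and knows valid stripe tracks."""

    def __init__(self) -> None:
        self.card_keys: Dict[str, bytes] = {}
        self.last_atc: Dict[str, int] = {}
        self.valid_tracks: set = set()

    def enroll_chip_card(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self.card_keys[pan] = key
        self.last_atc[pan] = 0
        return ChipCard(pan, key)

    def enroll_magstripe(self, track2: str) -> None:
        self.valid_tracks.add(track2)

    def authorize_chip(self, req: Dict) -> Tuple[bool, str]:
        key = self.card_keys.get(req["pan"])
        if key is None:
            return False, "unknown card"
        expected = card_mac(key, req["pan"], req["amount"], req["un"], req["atc"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return False, "cryptogram mismatch"   # altered fields, or forged without the key
        if req["atc"] <= self.last_atc[req["pan"]]:
            return False, "replayed cryptogram"   # ATC must strictly increase per card
        self.last_atc[req["pan"]] = req["atc"]
        return True, "approved"

    def authorize_magstripe(self, track2: str) -> Tuple[bool, str]:
        # Static data: a track that was valid once is valid every time it is presented.
        return (track2 in self.valid_tracks), "static track check"


def demo() -> Dict[str, Tuple[bool, str]]:
    issuer = Issuer()
    card = issuer.enroll_chip_card("4111111111111111")   # constructed test PAN
    results: Dict[str, Tuple[bool, str]] = {}

    # 1. Genuine chip transaction; the terminal contributes a fresh unpredictable number.
    req = card.generate_arqc(2599, secrets.randbits(32))
    results["chip_genuine"] = issuer.authorize_chip(req)

    # 2. A skimmer captured the whole authorization message and replays it verbatim.
    results["chip_replay"] = issuer.authorize_chip(dict(req))

    # 3. The captured message is edited to a different amount.
    results["chip_tampered"] = issuer.authorize_chip(dict(req, amount=99999))

    # 4. A fresh cryptogram is forged with a guessed key and a plausible next ATC.
    forged_atc = card.atc + 1
    forged = {"pan": card.pan, "amount": 500, "un": 1, "atc": forged_atc,
              "arqc": card_mac(b"guess", card.pan, 500, 1, forged_atc)}
    results["chip_forged"] = issuer.authorize_chip(forged)

    # 5. The real card keeps working after the attacks: its next ATC is still increasing.
    results["chip_second"] = issuer.authorize_chip(card.generate_arqc(1200, secrets.randbits(32)))

    # 6. Mag stripe: the same static track, cloned onto another card, is approved again.
    track2 = "4111111111111111=25121011234567890"   # constructed sample track 2
    issuer.enroll_magstripe(track2)
    results["stripe_genuine"] = issuer.authorize_magstripe(track2)
    results["stripe_replay"] = issuer.authorize_magstripe(track2)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'APPROVED' if ok else 'DECLINED':8s} {why}")
```

The two things the stripe check cannot do are visible in `authorize_chip`: verify that the message was produced by the genuine card (the MAC) and that it has not been seen before (the ATC window). Note that this only protects card-present authorization; a stolen PAN and expiry date remain usable for card-not-present fraud, which is why the column limits the benefit to the POS environment.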

Mobile payments will at least be positioned to take off if there are more merchant devices capable of accepting transactions initiated from a phone.

Lastly, EMV technology will be positioned to take off in the U.S. market with the deployment of more POS devices, together with the accompanying back-office enhancements.

As with any announcement, there are lots of unknowns and a few unanswered questions. The biggest question is: Will the other card brands go along with Visa? Visa may be the largest card brand, but it is not the only one. The value of TIP participation goes down pretty fast if merchants still need to pay for PCI assessments to satisfy the other card brands' security programs. Another pretty significant question is whether the TIP incentives will be attractive to any but the very largest merchants. Where incentive interchange rates benefit every merchant that qualifies, TIP only seems to benefit the largest merchants.

Speaking as a cardholder who travels to Europe and other parts of the world where my mag-stripe card is viewed with a combination of disdain and pity, where I can't use a kiosk to buy a train ticket or rent a bicycle and where I have to ask waiters to swipe my card yet again, I hope Visa succeeds. It is time to move on and stop trying to retrofit a half-century-old technology like the mag stripe to today's E-Commerce, mobile commerce and security requirements.

EMV is far from perfect, and it is not a silver bullet for PCI. Maybe Visa's leadership combined with incentives and a liability shift will get the U.S. market to move to EMV cards (at least by 2015, anyway). If it does, I can support that, even if it does mean I have to start polishing my resume.

What do you think? Can your POS devices handle both EMV chip cards and NFC? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].