The EMV-Contactless World According to Visa

Tuesday, October 11, 2011

PCI Guru


Based on discussions recently with a variety of large merchants at the PCI Community Meeting in Phoenix, there is a lot of confusion as to what Visa is trying to accomplish with their new Technology Innovation Program (TIP) to promote adoption of EMV and contactless cards. 

I wrote about this program earlier, and after the Community Meeting it seems that my opinion of this program is shared by most merchants and QSAs.

The big clarification from discussions with Visa was related to the first criteria which is:

“At least 75% of the merchant’s transactions must originate from dual interface EMV chip-enabled terminals”

The big question merchants had was whether the criterion applied strictly to terminals, or whether it also required EMV or contactless cards.  Visa clarified this on Thursday morning, stating that the criterion is only that the merchant install and use EMV or contactless terminals.  However, in clarifying this criterion, they created a new question.  Visa claims that it will know, through analysis of transactions, whether a merchant truly meets the 75% rule. 

While Visa could know what types of cards are used and how they are used through transaction logs, we were all stumped as to how Visa would know the type of terminal used to conduct the transaction since EMV cards are not yet available in the United States and contactless cards do not always appear as contactless if they are swiped.

The next big clarification came from the PCI SSC regarding the implications of this program for PCI compliance.  The PCI SSC stated that while Visa is not requiring merchants to file a ROC or AOC, the merchant still has to ensure that it is PCI DSS compliant.  This means that the merchant must still go through the PCI compliance assessment process, whether a ROC or the applicable SAQ, to ensure that its controls are functioning properly.

Visa representatives were pushing this aspect of the program very heavily at the Community Meeting, and their wording regarding this aspect of the program was very carefully crafted.  At first blush, what they seemed to say was that a merchant meeting the program criteria did not have to meet the requirements of the PCI DSS. 

However, when you went back and reviewed their statements and comments, Visa really was not contradicting the PCI SSC’s comment.  My concern is that some merchants will not do that re-review and will think that they are off the hook for complying with the PCI DSS.

In talking to the other card brands at the meeting, they are not buying this aspect of the program.  Since around 99% of merchants that accept Visa also accept MasterCard, those merchants will still be required by the other brands to go through an assessment and file an AOC.  So, unless Visa can get the other card brands on board, this benefit will not create an advantage for any large merchants.

It is not that the other card brands do not want EMV.  It is that they are not agreeing with how Visa is trying to approach the problem of getting EMV adoption started in the United States.  The fear expressed by one of the other card brand representatives was that such a program opened the door to going back to pre-ROC times and not knowing if merchants really were securing cardholder data or not. 

All of the other card brands stated that they were assessing the Visa initiative, but for the time being, were sticking with their existing compliance requirements.  I have to admit, after having the interaction with Visa on Thursday morning, I too am concerned that this is what Visa is inadvertently promoting by their new TIP program.

The point that really got the table roaring was when one of the merchants used the term “Chip and PIN” when the Visa representative used the term EMV.

In response to the use of “Chip and PIN,” the Visa person said very loudly and matter of fact, “There is no PIN involved, only the chip.”

At which point, one of the QSAs at the table said to the Visa representative, “So, what’s the point of having EMV without the PIN?”

There was no Visa response which drew laughter all around the table.

And that is the point.  There is no driver for any large merchant to adopt new terminals just because Visa will allow them to not have to file an AOC and ROC.  And the way the Visa announcement was worded gave most merchants the impression that the program would get merchants out of the PCI compliance process, which was patently not true.  And when the PCI SSC made that clear, most merchants I spoke with did not understand the point of Visa’s program.

One of the processors I ran into at the Community Meeting brought up a very interesting perspective on this whole topic. He stated, “With eWallets just around the corner, what is the point of trying to drive EMV?”

He went on to explain that with eWallets, bar codes can be generated that can be scanned, thus avoiding the need for new terminals.  As a result, he said a lot of merchants are just biding their time, waiting until the whole mobile payment, eWallet technology is fleshed out.

The bottom line is that Visa is attempting to use its 800-pound gorilla status to drive EMV and contactless into the United States.  The problem is that large merchants are not buying it, and that appears to be frustrating to Visa since they have a vested interest in EMV and contactless technologies.

As I stated in my earlier post, if Visa were to work with a consortium of e-Commerce merchants, payment processors and other relevant entities to produce a common API for using EMV and contactless cards with PIN online, that would likely drive the adoption of more secure cards in the United States because there would be a business reason for adoption.  Without such a driver, EMV and contactless are still a solution looking for a problem.

Cross-posted from PCI Guru

Jeff Feldman There is a Device Capability Code embedded in the authorization message format that indicates if a device has the capability to process EMV and/or contactless. There is also a POS Entry Mode field that indicates by what method a card was actually read.

Terry Perkins I have a question for you. I've read that "Visa is requiring all merchants who process Visa transaction to use the chip technology in their card readers by April 1, 2013 and Visa will also shift liability for fraudulent POS transactions to merchants on October 1, 2015 (except for fuel merchants)". Is that your understanding as well?

PCI Guru I have not heard of any dates that you quote. They may be related to the TIP program, but I would seriously doubt that Visa would try to blanket enforce the TIP program.

PCI Guru What people seem to conveniently forget is that large merchants decode all of the DCC and other encryption as they act as their own transaction switch to get the best possible interchange rates. As a result, while I agree with your premise, in practice at least for large merchants, it does not matter.

Terry Perkins Check out this link.... It says exactly what I quoted. I just don't see this happening. Any suggestions are appreciated.

Jeff Feldman My understanding is that liability will shift to the non-complying entity in 2015. So if a fraudulent card is used that does not have a chip and the merchant has an EMV reader, liability to the issuer. If a fraudulent card is used that does have a chip, but is processed as mag stripe because the merchant does not have an EMV capable reader, liability to the merchant.
Of course, MasterCard, Amex, Discover, JCB have yet to weigh in. Once they do, I'm sure the date will get pushed back by a couple of years.

Jeff Feldman As for the capability code, that is just a standard field in the message format - nothing encrypted about it. Checking the validity of the capability code and entry mode is done as part of the application certification with the processor (which has to happen whether the merchant is running their own application or someone else's).

PCI Guru I went back and re-read the announcement and saw the dates. As Jeff Feldman points out, those dates are great but only apply to Visa and no one else. Visa can enforce them at their end, but they could backfire if none of the other card brands buy in.
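The following is an added example, not code from the original post or from any of the commenters, illustrating the point in Jeff Feldman's first comment: the 75% terminal criterion can be measured from authorization data because each authorization carries a terminal capability indicator as well as a POS entry mode saying how the card was actually read. It also shows the distinction the merchants were asking about (terminal capability versus card type), including the case from the post where a contactless card is swiped and so appears as a magstripe read even on a dual-interface terminal. The PAN entry mode codes are the standard ISO 8583 DE22 values; the pipe-delimited log format, the "MSR"/"ICC"/"CTLS" capability encoding standing in for the processor-specific device capability code, and the function names are assumptions made for this example.

```python
"""Measure the share of authorizations originating from dual-interface
EMV terminals, using the POS entry mode and a terminal capability field.

Added example: the log layout and the capability encoding are constructed
for illustration and do not reflect any particular processor's format.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# ISO 8583 DE22 PAN entry modes (the first two digits of the field).
PAN_ENTRY_MODE = {
    "01": "manual",
    "02": "magstripe",
    "05": "chip",              # ICC (EMV contact) read
    "07": "contactless_chip",  # ICC read over the contactless interface
    "90": "magstripe_full",    # full, unaltered track read
    "91": "contactless_mag",   # contactless magstripe-data mode
}

# Hypothetical terminal capability encoding: '+'-joined reader types.
# Stands in for the processor-specific device capability code.
KNOWN_CAPS = {"MSR", "ICC", "CTLS"}


@dataclass(frozen=True)
class AuthRecord:
    stan: str            # system trace audit number, constructed
    entry_mode: str      # two-digit PAN entry mode from DE22
    terminal_caps: frozenset


def parse_auth_line(line: str) -> AuthRecord:
    """Parse one constructed 'stan|DE22|caps' authorization log line,
    rejecting entry modes and capabilities that are not recognised."""
    stan, de22, caps = line.strip().split("|")
    pem = de22[:2]
    if pem not in PAN_ENTRY_MODE:
        raise ValueError(f"unknown PAN entry mode {pem!r} in record {stan}")
    cap_set = frozenset(caps.split("+")) if caps else frozenset()
    unknown = cap_set - KNOWN_CAPS
    if unknown:
        raise ValueError(f"unknown capability {sorted(unknown)} in record {stan}")
    return AuthRecord(stan, pem, cap_set)


def is_dual_interface(rec: AuthRecord) -> bool:
    """Terminal criterion: the device has both contact-chip and
    contactless readers, regardless of how this card was read."""
    return {"ICC", "CTLS"} <= rec.terminal_caps


def card_read_via_chip(rec: AuthRecord) -> bool:
    """Card criterion the merchants asked about: was the card actually
    read through the chip (contact or contactless)? A contactless card
    that was swiped shows up as 02/90 and fails this test."""
    return rec.entry_mode in ("05", "07")


def share(records: Iterable[AuthRecord],
          predicate: Callable[[AuthRecord], bool]) -> float:
    recs = list(records)
    if not recs:
        return 0.0
    return sum(1 for r in recs if predicate(r)) / len(recs)


def meets_terminal_threshold(records: Iterable[AuthRecord],
                             threshold: float = 0.75) -> bool:
    """The 75% rule as clarified by Visa: measured on terminals, not cards."""
    return share(records, is_dual_interface) >= threshold


def summarize(lines: List[str]) -> Dict[str, object]:
    recs = [parse_auth_line(l) for l in lines if l.strip()]
    return {
        "transactions": len(recs),
        "dual_interface_share": share(recs, is_dual_interface),
        "chip_read_share": share(recs, card_read_via_chip),
        "meets_75pct_terminal_rule": meets_terminal_threshold(recs),
    }


# Constructed sample: six of eight transactions come from dual-interface
# terminals, but only two were actually read via chip. Record 000104 is a
# swiped card on a dual-interface terminal and still counts for the rule.
SAMPLE_LOG = """\
000101|021|MSR+ICC+CTLS
000102|051|MSR+ICC+CTLS
000103|071|MSR+ICC+CTLS
000104|021|MSR+ICC+CTLS
000105|901|MSR+ICC+CTLS
000106|021|MSR+ICC+CTLS
000107|021|MSR
000108|911|MSR+CTLS
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run stand-alone it reports a 75% dual-interface share against a 25% chip-read share for the constructed log, which is exactly the gap the post describes: a merchant can satisfy the terminal criterion while almost every card is still swiped.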
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
