Dynamic Authentication and Card Security

Visa Says Dynamic Data Is Best Way to Eliminate Card Fraud
Eduardo Perez, head of Global Payment System Security at Visa, says the EMV chip is an ideal dynamic data technology, but mobile and others offer similar security benefits.

Visa recently announced the launch of its Technology Innovation Program, which exempts eligible merchants from the annual requirement to validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS). The program, which takes effect March 31, aims to drive dynamic data authentication through the continued deployment of EMV chip terminals everywhere in the world except the U.S.

Perez says the United States has been excluded from the program because of pending regulatory changes that could affect how security mandates apply to debit transactions.

"Dynamic authentication promotes the use of a dynamic variable that will be part of each transaction," Perez says. Because that variable changes with every transaction, captured cardholder data cannot be "replayed" in subsequent fraudulent transactions. "The EMV chip," he says, "generates a cryptographic message for the transaction, thereby making that transaction dynamic."
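To make the replay argument concrete, the following is an added illustration; it is not code from the article, from Visa, or from the EMV specifications. It assumes a simplified model: the card and its issuer share a symmetric key, the card keeps an application transaction counter (ATC), and each authorization request carries an HMAC-SHA256 over the transaction fields, a terminal-chosen nonce and the ATC, truncated to 8 bytes. Real EMV cryptograms use different key derivation and MAC construction; only the security property (a captured message cannot be reused) is the same. The PAN, CVV and amounts are constructed sample values.

```python
"""Dynamic per-transaction cryptogram vs. static card data (illustrative only).

Assumed simplified model, not EMV's actual scheme: shared card/issuer key,
card-side transaction counter (ATC), HMAC-SHA256 over the transaction fields.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    """One authorization request as forwarded by the terminal to the issuer."""
    pan: str
    amount_cents: int
    currency: str
    terminal_nonce: bytes  # chosen fresh by the terminal for each transaction
    atc: int               # card's transaction counter at signing time
    cryptogram: bytes      # card-computed MAC, truncated to 8 bytes


def mac_input(fields) -> bytes:
    """Length-prefix every field so distinct inputs never encode identically."""
    pan, amount_cents, currency, terminal_nonce, atc = fields
    parts = [pan.encode(), amount_cents.to_bytes(8, "big"), currency.encode(),
             terminal_nonce, atc.to_bytes(2, "big")]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def cryptogram(key: bytes, fields) -> bytes:
    return hmac.new(key, mac_input(fields), hashlib.sha256).digest()[:8]


class ChipCard:
    """Card side: holds the shared key, advances its counter, signs each transaction."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount_cents: int, currency: str, terminal_nonce: bytes) -> AuthRequest:
        self.atc += 1
        fields = (self.pan, amount_cents, currency, terminal_nonce, self.atc)
        return AuthRequest(*fields, cryptogram(self._key, fields))


class Issuer:
    """Issuer side: verifies the MAC and rejects any counter that does not advance."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def issue(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan], self._last_atc[pan] = key, 0
        return ChipCard(pan, key)

    def authorize(self, req: AuthRequest) -> str:
        key = self._keys.get(req.pan)
        if key is None:
            return "DECLINE: unknown card"
        fields = (req.pan, req.amount_cents, req.currency, req.terminal_nonce, req.atc)
        if not hmac.compare_digest(cryptogram(key, fields), req.cryptogram):
            return "DECLINE: cryptogram does not verify"
        if req.atc <= self._last_atc[req.pan]:
            return "DECLINE: counter did not advance (replay)"
        self._last_atc[req.pan] = req.atc
        return "APPROVE"


# Static-data contrast: a constructed PAN/CVV pair that never changes.
STATIC_CVV = {"4111111111111111": "123"}


def authorize_static(pan: str, cvv: str) -> str:
    """Static check: data that verified once verifies forever, so capture = fraud."""
    return "APPROVE" if STATIC_CVV.get(pan) == cvv else "DECLINE"


def replay_scenarios() -> dict[str, str]:
    """Run the attacks an eavesdropper could try and return the issuer's verdicts."""
    issuer = Issuer()
    card = issuer.issue("4111111111111111")
    genuine = card.sign(2599, "USD", secrets.token_bytes(4))
    results = {"genuine": issuer.authorize(genuine)}
    # 1. Replay the captured message byte-for-byte: MAC is valid, counter is stale.
    results["replay_same_message"] = issuer.authorize(genuine)
    # 2. Graft the captured cryptogram onto a different purchase: MAC no longer fits.
    reused = AuthRequest(genuine.pan, 99900, "USD", secrets.token_bytes(4),
                         genuine.atc + 1, genuine.cryptogram)
    results["reuse_cryptogram"] = issuer.authorize(reused)
    # 3. The cardholder's next genuine transaction still goes through.
    results["genuine_next"] = issuer.authorize(card.sign(1200, "USD", secrets.token_bytes(4)))
    # 4. Static data offers no such protection: the captured PAN+CVV keeps working.
    results["static_replay"] = authorize_static("4111111111111111", "123")
    return results


if __name__ == "__main__":
    for name, verdict in replay_scenarios().items():
        print(f"{name:22s} {verdict}")
```

The issuer only requires the counter to move forward rather than to increment by exactly one, so transactions the card approved offline and reported later still verify; a stricter issuer could also bound the gap. The terminal nonce matters for a different reason than the counter: it stops a card (or a clone) from precomputing cryptograms for counter values it has not reached yet.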

So what impact will all of this have on U.S. merchants and financial-services providers, which are not only excluded from the program but also not part of the EMV migration? Perez says the focus will be on other payment technologies, like mobile, that offer similar security benefits.

"In the U.S., we are focusing on the same things, by eliminating card data in the transaction," he says. "Some additional payment factors or devices that also promote dynamic authentication are contactless and mobile payments. So, those are emerging technologies where (U.S.) stakeholders have an interest and are using those technologies."

During this interview, Perez discusses:

  • Tokenization and other emerging technologies U.S. entities are expected to invest in;
  • The state of EMV and card fraud around the world; and
  • The role Visa expects to play in the regulatory landscape.

Eduardo Perez, CFA, is the head of Global Payment System Security for Visa Inc. Perez joined Visa in 2002. In this role, he has direct-line responsibility for key areas including global authentication, global payment system security policy and procedures, global third-party agent risk, global cybersecurity investigations, and global breach response and incident analysis. Notably, Perez and his team have developed and executed industry-leading strategies to eliminate, protect and devalue payment card data throughout the payment system.

Perez has extensive experience in payment system risk and has previously led other key risk management groups within Visa, including global responsibility for credit settlement risk and anti-money laundering programs. Before Visa, Perez worked with the Federal Reserve Bank of San Francisco's Division of Banking Supervision and Regulation, where he held various positions, including senior examiner and financial analyst and manager of the Country Analysis Unit. Perez received a bachelor's degree in economics from the University of California at Berkeley and a master's in public policy from Harvard University.

Balancing Security and Regulatory Mandates

TRACY KITTEN: Visa's new compliance program for dynamic authentication is encouraging merchants throughout most parts of the world to continue their moves toward EMV chip acceptance. The U.S., however, is not part of the program. Uncertainty regarding regulatory changes to debit poses challenges for U.S. merchants. How are U.S. merchants and financial-services providers expected to balance security and pending regulatory mandates? I'm here today with Eduardo Perez, who heads up global payment system security for Visa. Eduardo, Visa announced last week the launch of its technology innovation program, an international PCI compliance program that aims to encourage dynamic data authentication. Can you explain a bit about the program and how it's expected to help merchants reduce their PCI compliance expenses?

EDUARDO PEREZ: Sure, Tracy. As you noted, Visa's new technology innovation program is intended to support our broader security strategy, which focuses on eliminating, protecting, and devaluing cardholder data throughout the payment system. The program will specifically eliminate the requirement that merchants must validate PCI-DSS compliance for any year in which at least 75 percent of the merchant's Visa transactions originate from chip-enabled terminals. To qualify, the merchants must have either previously validated PCI-DSS compliance or have a plan to come into compliance and not have been involved in any breach of cardholder data. The program is for merchants operating outside of the United States.

What is 'Dynamic Authentication'?

KITTEN: Now, the EMV program aims to provide a path toward dynamic authentication. Can you explain a little bit about dynamic authentication and the role the EMV chip plays?

PEREZ: The concept of dynamic authentication is intended to promote the use of a dynamic variable that will be included as part of each transaction that flows through the payment system. And the notion is that if there is a dynamic variable that accompanies that transaction that changes with every transaction, then that information cannot be used in the future to replay a transaction for fraudulent purposes. So, the notion of dynamic data is very powerful in that, again, each transaction would be unique. EMV chip, in particular, promotes the transmission of dynamic data by generating a cryptographic message that accompanies the transaction, and thereby makes that transaction dynamic.

KITTEN: Visa has noted that the future of cardholder security depends on authentication solutions that move toward dynamic data technologies such as EMV, but the U.S., the world's largest payment-card market and one that continues to see escalating incidents of card fraud, is not part of the Visa program. Can you?

PEREZ: Sure, Tracy. Let me start by correcting one misconception that's out there, and that's that escalating incidents of card fraud are occurring. Just to be clear, what we see within the Visa payment system, from information that's reported to us by issuers and acquirers, is that fraud rates remain low and stable, and on a global basis, they account for about 6 cents out of every $100 transaction. So, by that measure, fraud rates continue to be low and stable, and that's a trend that we see, pretty much, across all major markets in the payment system. So, that's one point to address. In regard to the U.S. and other markets, as I noted previously, we continue to focus on promoting an authentication strategy of eliminating data, protecting residual data that may be in the payment system, and then moving, over time, to the use of dynamic data. And different markets are in different phases of developing solutions, like EMV technology, or adopting those solutions to move toward dynamic data. But there still remains a notable amount of static data within the payment system that needs to be eliminated and protected, and so, as such, we're going to continue to focus on those opportunities, as well.

KITTEN: Now, all merchants outside the U.S. are eligible for the program. How will the program impact big box retailers like Wal-mart that have global operations?

PEREZ: Those qualifying merchants that have operations outside the United States, or those merchants that have operations within the Visa Europe territories, they can achieve efficiencies or not have to validate PCI-DSS compliance on a going-forward basis, if they meet the qualifying criteria, and that can result in substantial cost savings that we hope they will consider reinvesting in their migration toward dynamic solutions like EMV chip. The URL that I encourage your listeners to visit is www.visa.com/cisp, as in Cardholder Information Security Program.

KITTEN: Now, what does the current EMV landscape look like, Eduardo? How far along are most global markets?

PEREZ: Based on information that's released by EMVCo, which is the global organization that focuses on promoting the interoperability of EMV technology, both from a terminal and card perspective, they indicate that about a third of cards and about two-thirds of terminals in the world support EMV-chip technology. So, as I mentioned, Tracy, different markets have adopted the technology at different rates. Markets in Europe are further along that migration, while ours are still in the early stages of adopting that technology. And, again, information on the different adoption rates by market is available through EMVCo.

EMV and the Rest of the World

KITTEN: From your view, Eduardo, as the rest of the world moves toward a more dynamic authentication process, how will U.S. financial-services providers and merchants be affected? How will they keep up from a security standpoint?

PEREZ: Great question, Tracy. At Visa, we continue to focus on both solutions that are going to secure and protect the perimeter of the payment system in addition to also focusing on solutions that are going to protect the core of our payment system by offering network solutions. I'll give you two quick examples of network solutions that Visa has innovated in and provided to its clients and stakeholders in the payment system. One of the solutions that we've developed to empower cardholders is known as our Visa Transaction Network Service. That service is intended to provide a real-time notice to cardholders of transactions that are being conducted based on their preference. I participate in the pilot, and oftentimes when I conduct a transaction, I have received an alert before the clerk is able to hand my card back, once I've completed the transaction. So, that's obviously a powerful solution, because it informs me as a cardholder that the transaction was conducted and that I was the individual who conducted the transaction. It gives me a significant degree of confidence that I will be able to identify transactions that, perhaps, may have not been my transactions.

Another good example of a network solution that we provide at Visa -- and we provide these solutions globally -- is Visa Advanced Authorization, which is a new network tool that we've developed that risk-rates transactions on a real-time basis, to provide the issuer the ability to authorize the transaction in real-time. So, those are two examples of core or network solutions that we've provided to create a strong and smart core network that's going to reduce the burden on participants. And, at the same time, we continue to promote solutions that are focused on our strategy of eliminating, protecting and devaluing cardholder data by moving toward the use of dynamic authentication solutions.

KITTEN: Now, the global push to EMV does put the U.S. in somewhat of a precarious position. Until a move -- and we don't even know if it's going to happen -- to EMV is made in the U.S., what authentication options does the U.S. have at its disposal? You've noted a couple of them; but what could be implemented today, from a technology standpoint, that would require less infrastructural change, less investment, and could help the U.S. along, if and when it's ready to make an EMV move?

PEREZ: So, some additional payment factors or devices that also promote dynamic data that are based on EMV chip technology include contactless and mobile payments. And we've certainly seen a greater degree in the payment system to potentially adopt those solutions throughout the payment system. Those are other examples of technologies that are emerging, where stakeholders are interested in using those technologies, which also promote dynamic authentication variables that accompany the transaction.

Card Fraud and the Role of Authentication

KITTEN: When it comes to payment-card fraud in the U.S., what direction do you see authentication and other security investments taking in 2011 and beyond?

PEREZ: Tracy, we're going to continue to see entities invest in the three core areas that I've already indicated as being part of our strategy -- solutions that help stakeholders within the payment system eliminate cardholder data. One good example of a solution that's coming to market and being used in market today actually is tokenization: A variable that represents the cardholder data whereby the merchant or entity does not have to retain that data and can refer to that transaction or primary account number via the use of an alternative reference number like a token. There are also solutions on the protection side that are gaining ground and becoming more popular, like encryption. And then there is end-to-end encryption to encrypt cardholder data at the point of swipe all the way back to the back-end processor or a merchant's host system. And then, as I mentioned, there are existing solutions and new solutions that are emerging around devaluing cardholder data by using dynamic solutions like contact EMV, contactless and mobile payments. So, I believe that we're going to continue to see stakeholders focus on those solutions that promote those three factors to eliminate, protect and devalue cardholder data.

Regulatory Uncertainty

KITTEN: I'm going to back up and talk a little about some of the regulatory issues that are impacting payments. When we look at the U.S., it's one of the reasons Visa has decided not to launch this particular program for U.S. deployers. What role, however, will global, not just U.S., regulatory mandates play in the U.S. payments landscape in the future?

PEREZ: Regulatory requirements are a factor that our stakeholders and clients have to deal with, and we at Visa are committed to helping stakeholders address their regulatory requirements by providing them solutions that can facilitate their regulatory expectations in whatever market they operate. And, obviously, as you've implied, our stakeholders operate in over 200 markets, globally, and they have to navigate through a number of regulatory expectations and requirements and laws that they have to comply with. So, our focus is on ensuring that we maintain a flexible payment system that meets their past needs, their present needs, and their future needs as they relate to regulatory obligations. I would also add that we're focused on ensuring that we continue to focus on market innovation and providing new solutions that are going to meet those entities' unique needs in whatever market they operate.

KITTEN: You've answered my next question, which was, "What role does Visa expect to play?" It sounds like you'll be collaborating, not only with the financial institutions that you work with, but also by just keeping an eye on what some of the regulatory bodies are doing throughout the world.

PEREZ: Absolutely. We realize that it's a complex economic and regulatory environment that continues to evolve, and our focus is on maintaining a flexible system that's going to be able to, again, meet past, present and future needs as the marketplace evolves.

KITTEN: And, finally, Eduardo, what thoughts would you like to share with our audience about Visa's new program and the impact globalization is expected to have on payments and the security of payment-card transactions in 2011 and beyond?

PEREZ: Tracy, this continues to be an exciting area within the payment system, to properly secure and protect cardholder data and to maintain a high degree of confidence in our payment system. We at Visa are going to continue to be diligent in pursuing opportunities that are going to maintain the trust in our payment system. And I would continue to say that we're going to really focus on the strategy we've laid out, to seek opportunities to further eliminate cardholder data, to protect cardholder data and to devalue data, while at the same time providing those services from the core of our network to facilitate all participants that want to participate in the payment system. In closing, I would also add that we're looking for solutions that continue to empower all stakeholders in the payment system. I gave the example of Visa transaction alerts as being a powerful solution that can empower consumers, in this case, to do their part to help protect the entire payment system.
