Visa Europe, Europe’s leading card payment system, is working hand in hand with the wider commercial world to tackle payment fraud, by providing new ways to help retailers protect themselves and their customers from ever more sophisticated criminals.
The consequences of data fraud can be very costly: recent cases where retailers have lost cardholder data to criminals have highlighted encryption measures’ importance in ensuring protection for customers, issuing banks and retailers. Loss of cardholder data can result in financial and reputation damage to banks and retailers.
Visa Europe’s latest innovations include guidelines to support retailers with Payment Card Industry Data Security Standard (PCI DSS) compliance, data field encryption and tokenisation solutions. Stanley Skoglund, Visa Europe Senior Vice President, Payment System Risk, spoke to The Grocery Trader.
The Grocery Trader – To set the scene, how does Visa Europe work? Who owns it?
Visa Europe is the leading European payments system. Constituted as a membership association, it develops innovative products and technologies to benefit its 4000 plus member banks and their customers, individual cardholders on one hand and retailers on the other. In October 2007, Visa Europe became independent of the new global organisation Visa Inc., with an exclusive, irrevocable and perpetual licence in Europe.
GT – How big is Visa in the UK?
Visa is the leading debit card with over 66.2 million debit cards issued. In the 12 months ending December 2009, these cards were used to make 4.2 billion purchases. In the same period, there were 612 million purchase transactions on Visa UK credit cards. Visa has unsurpassed acceptance at millions of retail locations worldwide.
GT – As consumers, we’re told that if we use Visa to pay for retail or other face-to-face payments and there’s a fraud, we’re fully protected. Is that correct? Does the same protection apply to on-line payments and cardholder absent (phone) payments?
Banks generally have an upper limit they hold consumers liable for, but you’re right to say the vast majority of fraud will be reimbursed if the consumer holds to their end of the deal, i.e. that they report a lost or stolen card in a timely manner. It comes down to the individual bank.
GT – Stanley, what does your role involve as Senior Vice President, Payment Systems Risk?
I’m responsible for the security and integrity of the Visa payment system in Europe in order to ensure that the payment system provides a safe environment for processing card payments. I’ve been in the post since 2004. My role revolves around ensuring Visa’s policies and responses are adequate, and helping the other stakeholders – retailers and banks – mitigate and eliminate risk.
I spend considerable time advocating secure ways of handling card payment data and work actively with my team to evaluate innovative ways to protect card data. In this respect, Visa Europe recently published guidance on end-to-end encryption to ensure interoperability between solutions in our market and to assist stakeholders in assessing if these new methods of protecting cardholder data are suitable for them. Visa Europe has seen considerable interest in solutions that are complimentary to PCI DSS in its markets. We’ve been working to assist the global Payment Card Industry Security Standards Council (PCI SSC) by donating our IP to them and hope that they will adopt our thinking and that they will publish global guidance for end-to-end encryption implementation. It looks like they may be in a position to do so in September/October 2010.
GT – Are you personally involved with developing and implementing encryption solutions for major UK retailers?
I’m not personally, but our London team works with European retailers on the broad area of encryption. Our expertise is primarily theoretical, but translates into practical implementation when coupled with concrete processing solutions in various European markets.
Smaller retailers want to get on with accepting payments and be able to rely on security at interface level. Larger retailers may need to identify individual customers for their marketing, and hence have a need for tokenisation but with no sensitive data exposed. For many, encryption is seen as being key to reducing the ongoing costs for protecting cardholder data and fostering a high level of consumer confidence and managing data easily.
GT – How is Visa Europe set up to protect major UK retailers?
Our risk teams typically interact with the large retailers on the broad area of PCI compliance. We also carry out industry initiatives under the BRC umbrella.
GT – What distinguishes the UK as a territory for Visa payments? How does retail data fraud here compare to elsewhere?
The UK is by far Visa Europe’s largest debit and credit market. The UK shares with France the characteristic of being a very mature market in its adoption of EMV (Chip & PIN) security, with payments using Visa’s cardholder authentication service Verified by Visa accounting for over 50% of card not present transaction volumes in the UK.
We don’t see much fraud in face-to-face transactions in the UK: the majority of fraud is happening in e-commerce when transactions are not authenticated using Verified by Visa. What sets the UK apart is that consumers seem confident transacting on the internet and do so much more than elsewhere in Europe, and that the market for payment service providers is more fragmented and competitive. The latter point can be problematic from a payment system security point of view, as lines of responsibility for PCI DSS compliance may become blurred. To counteract these risks Visa Europe has mandated, effective October 2009, that e-commerce merchants must use PCI DSS certified payment service providers.
GT – When was Chip and PIN verification introduced here? What effect has it had on face to face fraud?
Chip and PIN has cut face-to-face fraud in half since it was introduced in 2005. Fraud on lost and stolen cards, in particular, has fallen dramatically as they are useless without PIN numbers.
GT – Was Chip and PIN a UK or EU Government initiative?
GT – Was Visa one of the initiators?
Yes, Visa and Mastercard came together to implement CHIP and Pin in Europe in 1999, and other regions followed. EMVCo, a company jointly owned by American Express, JCB, MasterCard and Visa, sets the global standards for EMV cards. The UK government has had no direct involvement, but the benefits have reached the EU commission and the European Central Bank, which has stated that the EMV standard is Europe’s standard and that all payment cards issued in Europe should use the EMV technology.
GT – Is the Chip and PIN technology in the UK going to stay as it is, or will there be a version 2.0 some time soon?
Chip and PIN has been tremendously successful, but can’t stay as it is forever. The current technology will need to be upgraded from static to dynamic data authentication by 2015, adding another security layer. The cards will change, but the POS devices will remain the same for now. However, security is never a ‘ job done’ issue. Technology evolves and so do the risks, so we will always endeavour to be one step ahead of criminals.
GT – We hear fraudsters are becoming more sophisticated in how they target and commit card fraud. What sort of things are they doing?
Due to Chip and PIN’s success in tackling face-to-face fraud, criminals are now looking at on-line opportunities. They are developing complex, business-like operations to target cardholder data on a large scale, hacking into online retailers’ databases and stealing card information in bulk.
GT – In non-technical language, how are they stealing this data?
Criminals are carrying out what are known as SQL injection attacks. SQL is a database programming language. With knowledge of SQL, fraudsters have become adept at remotely infiltrating vulnerable systems and extracting customer data.
GT – What kind of information is being stolen?
Typically thieves want cardholder and account data and other information that will enable them to re-use the data.
GT – What are the possible consequences for retailers and consumers?
If the consumer is innocently defrauded while using their card, nothing will happen to them, but there may be a tremendous impact for the retailer. Reputations turn around very quickly, and retailers who are highly dependent on online payment may go out of business if consumers do not trust them. This holds true for both brick-and-mortar and online retailers alike.
GT – Generally speaking, what can retailers do to protect themselves?
It depends on the size of the retailer. The big retailers have good risk mitigation procedures that remove risk effectively, and beyond that many use Visa Europe’s risk prioritisation approach, whereby the greater risks associated with transmitting and storing cardholder data are addressed in a prioritised order. Smaller retailers have to rely on the support of their acquirers, typically making sure that their POS devices are PCI certified and education in how to handle cardholder data in a secure manner.
GT – What protection are you offering to help them?
As mentioned in your introduction, Visa Europe’s latest innovations include the industry’s first practical guidelines to support retailers with PCI DSS compliance; specific end-to-end data field encryption guidelines. We are also looking at providing guidance for tokenisation solutions, which help reduce risks by replacing the account number with a surrogate token. Both these solutions may help retailers to eliminate the cardholder data from their systems and thereby reducing the risks that they become a target for fraudsters.
In addition, Visa Europe has also published guidance on how organisations can protect themselves from SQL injection attacks and the dangers of using default passwords. This guidance as well as our guidelines for encryption can be found on our website: http://www2.visaeurope.com/merchant/ais/resourcesanddownloads.jsp
GT – We’ll focus on PCI DSS for the remainder of this interview, but first, how effective against fraud is data encryption in general?
If implemented correctly data encryption can provide an excellent and effective means of protecting data. Between the till at the supermarket and the receiving bank, data can be secured from the time of transaction. Everything between the point of encryption and decryption is encrypted. There may be points of decryption along the way but this means that retailers know exactly where the data is accessible and where it needs to be protected. Today the data needs to be protected everywhere in their systems, which is costly. Encryption reduces reliance on humans doing the right thing, and maximises the technology’s efficiency.
GT – What specific data field encryption solutions do you offer?
Visa Europe does not provide any specific solutions but we offer guidance on how commercial solutions available should be implemented in order to provide maximum security. PCI SSC provides certification for POS devices that have capability to encrypt cardholder data at the point of data capture. Encryption solutions may reduce the scope for PCI compliance by reducing the number of systems and processing where data is available and mean criminals don’t have access to personal information, either in small enterprises or large, complex businesses.
We offer retailers a very good roadmap to comply with PCI DSS: we enable them to make a commercial decision about how far they want to go down the PCI DSS route, and they seem to understand the risks involved.
We see what compromises take place in which sector, and run seminars for the actors involved. A good example is the hotel industry that was heavily targeted by criminals.
GT – What do the Payment Card Industry Data Security Standards (PCI DSS) involve?
PCI is a big family of standards. PCI PTS covers PIN transaction security: PCI PA-DSS applies to software for payment applications, and PCI DSS concerns card processing and the wider business environment. The common objective of all these standards is to ensure customer data isn’t leaked to third parties, or if it is, it is rendered inaccessible.
GT – What has Visa Europe’s role been in developing these standards?
PCI SSC was originally set up to ensure that security requirements for protecting cardholder data became uniform and consistent across the globe. Visa was a global founding member of the Security Standards Council, and we’ve, alongside other payment systems, donated the intellectual property for various standards to the PCI. This is a very broad-based body, allowing retailer representation; including British retailers such as Tesco on its advisory board
GT – By when do retailers have to be PCI DSS compliant?
Level 1 retailers, with a turnover of over 6m transactions annually, had until 2005/6 to meet the absolute requirement that no authentication data should not be stored in retailers’ systems. Level 2 retailers, with turnovers of more than 1m but fewer than 6m transactions had until December 2008. Level 3 retailers, who cover the bulk of e-commerce retailers, had a deadline of October 2009 to use only PCI-approved service providers.
GT – Who is enforcing PCI DSS compliance? How is it validated?
Visa Europe enforces compliance with the broad PCI DSS programme, but doesn’t offer technical assessment – these are made by accredited QSAs (qualified security assessors) or a suitably qualified and independent internal resource to an organisation. If Visa Europe isn’t satisfied with the pace and quality of retailers’ PCI DSS implementation or risk mitigation, as a last resort we may levy a financial penalty on the acquiring bank, but our philosophy is generally to work in partnerships with retailers. We do not underestimate the efforts that retailers undertake to provide safe card payments.
GT – The major retailers have pretty sophisticated security and fraud prevention measures in place, which they have developed in house. How near are these to being PCI DSS?
Most fraud screening tools are used in retail to control fraud at the point of sale. PCI DSS is different, and looks at the whole environment, in relation to transmitting and/or storing payment information.
GT – Have retailers been holding off investing in data security measures during the recession?
My impression is that there’s not been any decrease in investment due to the recession; many retailers have realised they can’t compromise on security in terms of keeping consumers’ data safe. There’s a degree of scepticism about security among consumers, with 49% of people interviewed in a 2010 survey believing that merchants could be the source of a data breach.
GT – What is the cost/impact of a data breach?
We haven’t had anything major to speak of in the European market, but they have in the US, where losses have run into hundreds of millions of dollars. The level of exposure depends on the length of duration of the data compromise and whether or not sensitive authentication data was compromised. We know that 99% of large retailers in Europe and the UK have made sure to eradicate storage of sensitive authentication data after transactions have been authorised at point of sale.
GT – What measures do your PCI DSS guidelines for compliance cover? What security objectives do they achieve?
Our guidelines address some very high-level areas: customers’ personal data, firewalls and monitoring and logging of data traffic. The upshot is that PCI DSS isn’t above and beyond basic common sense precautions based on the assets we’re protecting and globally agreed minimum standards. It’s about making sure that electronic payments are secure, protecting data and safeguarding consumer trust.
GT – Where have these guidelines been developed? Have they been proven elsewhere?
The global players Visa, MasterCard and so on have donated individual card protection programmes. PCI DSS takes the best bits from those programmes and applies vigorous evaluation to them, to find a global form. PCI DSS is globally applicable, and is used by all the major card payment systems around the world, though details of implementation vary by region.
GT – Are your guidelines accepted by the major card issuers, banks and so on?
Our guidelines are universally accepted: they apply to all participants in the payment process, but most of the security measures are on the card acceptance side and at the point of acceptance.
GT – Under PCI DSS what are the rules about card readers, data networks and so on – do retailers, banks and so on need new equipment to comply?
The standards for card readers already exist. Manufacturers know who needs to approve their devices. Achieving compliance may involve a software change, or more than that. Depending on the business case, protecting cardholder data in a complex environment is likely to cost a given amount going forward, so end-to-end encryption solutions may be beneficial to reduce complexity and costs.
GT – As contactless payment technology comes in, will PCI DSS compliance prevent cardholders’ data being hacked into via payment terminals?
We don’t anticipate extra security being needed: if the various parties are PCI compliant, that should be enough. New technology will mean new rules, but there aren’t any new risks known to Visa Europe today that would prompt us to develop any specific PCI requirements for contactless or mobile payment.
GT – Do you (Visa Europe) provide an implementation service to ensure retailers are fully PCI DSS compliant?
We don’t get involved in validation, but we can and do work with retailers to look at individual cases and deploy resources for one to one consultation. Evaluation and implementation are best left to independent specialists, we prefer to remain impartial.
GT – Finally, where do you see payment card encryption technology going from here?
My best tip is that some very large retailers will move fairly quickly because they have the most tangible business case for exploiting the technology, and they can look at the overall picture. Improved encryption will reduce the cost of running and managing retailers’ payment systems, and the resulting savings will be a driving force.
Visa Europe Tel: 020 7937 8111 www.visaeurope.com