Visa Europe, Europe’s leading card payment system, has sealed its reputation as the security gold standard for payment cards by working in partnership with the wider commercial world to tackle card payment fraud and providing retailers and other merchants with new methods to help safeguard their customers and themselves from criminals’ ever more sophisticated attacks. As recent cases make clear, data fraud can have very costly consequences for everyone concerned, making protection measures and other precautions critically important in securing the data of customers, issuing banks and retailers.
Visa has an outstanding track record as an initiator in this area: Visa and Mastercard came together to implement Chip and PIN in Europe in 1999, and other regions followed. Consequently, fraud on lost and stolen cards has fallen dramatically, as they can be rendered useless without the PIN number.
Visa Europe’s recent innovations include guidelines to support retailers with Payment Card Industry Data Security Standard (PCI DSS) Compliance, data field encryption and tokenisation solutions. Its latest payment security breakthrough is its Technology Innovation Programme for EMV (Chip & PIN) chip-enabled merchants, which went live on 30 April 2011 and is Visa’s next step towards its goal of full EMV chip migration in Europe. The new Technology Innovation Programme instantly reduces EMV chip merchants’ PCI DSS compliance resource requirements, and provides a strong incentive for the remaining magnetic stripe-only merchants to migrate to EMV chip acceptance technology. It also paves the way for implementation of further innovations such as contactless and mobile payments. Stanley Skoglund, Visa Europe’s Senior Vice President, Payment System Security, spoke to The Grocery Trader.
The Grocery Trader – Stanley, first of all, as Senior Vice President, Payment System Security, are you personally involved in developing and implementing encryption and other data protection solutions for retailers, and consulting them about adopting these measures?
Visa Europe does not develop these solutions itself, but instead I oversee teams of specialists working closely with institutions, acquiring banks and merchants to develop and provide guidance on how best to design and implement security solutions.
In managing the payment system and setting its evolutionary direction, Visa Europe’s overriding priority is to maintain and build upon consumer trust and value for all participants. For Visa Europe, trust is a fundamental aspect of our business: cardholders must trust that their card will work globally; they must trust that the experience of using their card will be seamless; and they must trust that their card details will be protected.
Visa Europe invests heavily in detective, preventative and corrective controls to combat fraudsters and to protect member banks, retailers, cardholders and other participants. Visa Europe has spearheaded a range of strategic activities which aim to devalue or eliminate data. For example, Visa Europe’s risk team has developed and published the payment industry’s first guidance and specifications on how encryption and tokenisation technologies can be used to devalue and eliminate the data that fraudsters are so keen to obtain. We can offer support and consultancy to help retailers with any of these guides and specifications, and work closely with acquirers in doing this.
GT – What set-up do you have in place to work with retailers to address this important area?
Our teams are on hand to provide bespoke advice to all stakeholders. Visa Europe’s latest innovations include the industry’s first practical guidelines to support retailers with PCI DSS compliance, and specific end-to-end encryption guidelines. We are also looking at providing guidance for tokenisation solutions, which help reduce risks by replacing the account number with a surrogate token. Both these solutions help retailers to eliminate cardholder data from their systems and thereby reduce the risk that they become a target for fraudsters. We’ve also just announced the Technology Innovation Programme in direct response to retailers’ needs, and we regularly hold bilateral discussions about risk management and other important topics that are relevant to the retail community.
GT – When we last spoke, in 2010, your remit was Payment System Risk, now I notice it’s Payment System Security. Should we read anything into this? Does this indicate a change of emphasis at Visa Europe?
Visa Europe, in addition to its continued administration of its PCI DSS compliance programme, has focused on three additional key strategic imperatives:
• Enhanced authentication of card transactions
• Account data devaluation
• Account data elimination
Through these initiatives, Visa Europe facilitates and supports the type of activities which:
• Enhance the ability of payment providers to authenticate genuine transactions and prevent fraudulent ones
• Render cardholder and account data less useful and attractive to criminals – so that, even if they do manage to obtain it, they cannot use it to commit fraud
GT – We’re going to concentrate in this interview on the new Technology Innovation Programme. To set the scene, can you remind us how Visa Europe works, and who owns it?
Visa Europe is owned and operated by more than 4,000 European member banks and was incorporated in July 2004. In October 2007, Visa Europe became independent of the new global Visa Inc., with an exclusive, irrevocable and perpetual licence in Europe. As a dedicated European payment system, Visa Europe is able to respond quickly to the specific market needs of European banks and their customers – cardholders and retailers – and to meet the European Commission’s objective to create a true internal market for payments.
GT – How big is Visa in the UK?
In the UK, Visa is the leading debit card with over 71 million debit cards issued. In the 12 months ending December 2009, these cards were used to make 4.2 billion purchases. In the same period, there were 612 million purchase transactions on Visa UK credit cards. Visa has unsurpassed acceptance and purchase protection at millions of retail locations worldwide.
GT – How close are you now to achieving full EMV chip migration in the UK? What about in Europe?
In the UK, we’re nearly there – there are still some retailers who aren’t yet EMV, but it’s close to 98%. Europe’s not far behind: Western Europe is close to full coverage but for the whole region the figure is 70%, which includes markets like Turkey and Israel, both yet to migrate to EMV.
GT – We last spoke in summer 2010, when you had just introduced the Visa Europe guidelines for PCI DSS compliance, data field encryption and tokenisation solutions, and also published your guidance on protection against SQL attacks. What has the retail industry’s response been since then to these guidelines?
The response across Europe including the UK has been very positive, and also outside, in the rest of the world. We said at the outset that if you invest in these technologies and the supporting infrastructure, there is a direct correlation in terms of lowering risk. We are now lessening people’s dependence on PCI DSS in return for investing in the Technology Innovation Programme (TIP). This makes strong business sense, and we are continuing our dialogue with people about it.
GT – Is the retail industry now much more security-minded about payment cards as a result?
Retailers are always interested in understanding the risk that they expose themselves to on a daily basis:
• Managing their inventories
• Insuring their buildings against fire/water damage
• Protecting their customers’ data from theft
We have seen, and continue to see, widespread interest in how retailers in all different geographies can best protect and retain the trust that they have established with cardholders in accepting Visa cards. Visa Europe is very much at the centre of these discussions, talking with all stakeholder communities in different markets about the different approaches to data security that are best suited to retailers’ needs, be that in relation to our Technology Innovation Programme for EMV, our PCI DSS compliance programme and/or our encryption and tokenisation guidance.
GT – Does the UK retail industry’s attitude to payment card security differ at all to that of retailers in other countries?
The UK doesn’t stand out in terms of its attitude: retailers generally appreciate that the more authentication we have of the cardholder’s ID the better it is for everyone involved. France was historically a pioneer in payment technology for various reasons, but the UK has since caught up.
GT – Have you seen a further reduction in card payment fraud in the last year or so?
Yes, we have. The fraud to sales ratio across Europe is now 0.049% (YE September 2010) compared to 0.057% (YE September 2009), a 14% year-on-year decrease.
GT – Why do you think this decrease has happened?
Chip and PIN has brought significant benefits to UK consumers and business since the change over five years ago. The improved security these cards offer has played a major role in bringing total fraud losses to a ten year low. Face-to-face card fraud has fallen by over a half since the introduction of chip & PIN.
Growth in VbV implementation, the introduction of Codesure in a number of markets and services like Real Time Scoring have all helped CNP fraud to reduce as a proportion of fraud by 1% in the last year. CNP now accounts for 49% of all fraud (the fraud to sales ratio is now 0.049%, compared to 0.058% a year ago, a reduction of 14%).
GT – What are the benefits to retailers of the new Technology Innovation Programme?
This new initiative reflects the fraud reduction benefits that EMV chip technology has brought to card payments in Europe, and is designed to provide tangible benefits to those merchants who invest in EMV chip-enabled payments technology at point-of-sale. EMV chip is a proven technology platform that has helped reduce fraud and enables further payment innovation going forward. Visa is taking the lead in recognising and rewarding the investment that many face-to-face merchants throughout Europe have made in migrating to an EMV chip POS acceptance environment. This new programme means that merchants can meet their PCI DSS compliance requirements but reduce their overall security costs.
GT – How does the TIP reduce retailers’ overall security costs?
The cost of validating PCI DSS compliance varies from organisation to organisation, and is made up of elements including fees to external agencies, time and manpower. Consequently, it is difficult to put an exact figure on these savings. However, many studies indicate that these savings may be significant depending on a given merchant’s processing environment.
GT – Who is eligible for the Technology Innovation Programme?
The Technology Innovation Programme is available to any merchant who has previously validated PCI DSS compliance, or has provided a plan to come into compliance, and who has not been involved in a recent material breach of cardholder data. Details of the programme can be found on www.visaeurope.com/ais/
GT – Under the Technology Innovation Programme, what are retailers required to do now to comply with PCI DSS?
Merchants who enrol in the TIP programme will be recognised as having full, validated compliance if they have met milestones 1-2 of the Payment Card Industry’s Prioritised Approach for PCI DSS, and will be exempt from penalties in the event of a data compromise if they have completed milestones 1-4. Full details of the programme are available on our website: www.visaeurope.com/ais
GT – In non-technical terms, can you explain what these milestones involve?
The milestones are an accessible way of approaching the challenge of PCI DSS compliance. The milestones are intended to address the biggest risks first and provide a clear path for helping merchants implement a security programme. For instance, the first milestone describes the removal of sensitive authentication data from an environment. Sensitive authentication data can be very problematic from a fraud perspective, as it can potentially be used to perpetrate fraud. Through Visa Europe’s initiatives in this area, we are proud to say that, by working with our members and their merchants, we have effectively removed all stored sensitive authentication data from the retail environment.
GT – What are the likely costs of completing the milestones?
The cost varies depending on the supporting infrastructure retailers already have in place. For big retailers the cost has been estimated by select security commentators to be in the order of 1-2 million Euros to achieve full compliance with PCI DSS; smaller retailers will need much less investment.
GT – How can merchants enrol in the TIP programme?
They enrol through the acquiring banks who have the contracts with the retailers. Usually the acquirer and retailer talk initially and Visa steps into the conversation after that. Details of the qualifying criteria for the programme can be found on our website: http://www.visaeurope.com/en/ais/
GT – What difference does the Technology Innovation Programme make regarding security procedures for face-to-face payment card transactions? What about phone and on-line transactions?
The programme qualification criteria are driven specifically by card-present transactions, where the physical card is used to authenticate transactions through an EMV-enabled terminal. In a mature EMV environment, there is compelling evidence that the reduction of risk to cardholder data in the face-to-face payment market is sufficient to make the bold concessions set out in this programme. Merchants that do not meet the programme’s EMV terminalisation requirements, including merchants whose transaction volume is primarily CNP, will continue to be required to comply with Visa Europe’s existing Account Information Security (AIS) programme. Visa Europe will work directly with acquirers to confirm eligible merchants and acquirer reporting responsibilities.
Dynamic authentication solutions can also be deployed in the card-not-present environment. For example, some issuers and e-commerce merchants are now using dynamic passcodes sent to cardholders by SMS text to make each transaction unique. These types of solutions can be readily integrated into existing authentication platforms such as Verified by Visa – which can already fully support dynamic data solutions – and it’s important to note that merchants participating in the Verified by Visa programme can shift their fraud liability to card-issuing financial institutions.
GT – What are the options for retailers who choose not to enrol in the programme, for whatever reason?
Those who choose not to enrol may seek to limit the availability of payment card data within their environment through full PCI DSS compliance or via other complementary technologies such as data field encryption and/or tokenisation. As these technologies may benefit many merchants, Visa Europe continues to support these technologies through its continuing leadership in this area with the publication of the first ever industry guidance on data field encryption and tokenisation which can be downloaded from the Visa Europe website: http://www.visaeurope.com/ais
GT – Why would someone prefer not to enrol in TIP?
TIP is a very good opportunity for retailers to analyse their security, and see what other risks they have. In some instances, depending on how merchants process card data, it may be simpler for them to complete an alternative set of requirements called a Self-Assessment Questionnaire. For example, if a merchant does not keep any cardholder data and has acceptance devices that connect directly to their acquirer over a dial-up connection, they are eligible to complete a sub-set of the PCI DSS standard and it will make more sense for them to continue to do so.
GT – Can retailers inadvertently invalidate the Technology Innovation Programme?
Yes, they can. The Technology Innovation Programme is subject to certain criteria, and can be invalidated in circumstances where, for example, sensitive authentication data has been stored; where non-compliant changes have been made to an entity’s processing environment or policies after validation; and where significant areas of non-compliance can be established through a forensic investigation, including, but not limited to, insufficient sampling of systems at the time of the initial PCI DSS compliance assessment.
GT – Can you explain how each of these situations might arise?
They can arise for many reasons; for example, a new system is deployed onto a retail network that is not secured prior to deployment. This system, if compromised, could be used as a vehicle to attack other systems in the network. It is important to note, however, that very rarely is there an instance where just one or two controls are bad: if security is lax, it tends to be across the board.
GT – What would the retailer need to do to make their business secure again?
If a breach occurs a forensic examiner, who is an external specialist, comes in and investigates. Very often they will point to missing controls and give recommendations, and then the business consults other specialists regarding implementation. It will be a matter of re-establishing the controls that were found to be absent/incorrectly working at the time of the breach and making sure that other controls are all operational and working effectively.
GT – As we discussed before, the major retailers have pretty sophisticated security and fraud prevention measures in place, developed in house over the years. Is the Technology Innovation Programme an additional measure to these?
It is complementary. TIP’s intention is to acknowledge and reward retailers for the steps they have taken regarding devaluation of their cardholder data, in terms of risk. We believe this new programme will make PCI compliance easier for merchants and reflects the investment they have made, or will soon make, in EMV technology. Many retailers have welcomed this programme.
GT – What has the retailers’ response been to TIP?
There has been a huge and positive response in the UK, EU and internationally. We couldn’t be happier.
GT – How are you liaising with retailers to help them migrate to the new programme?
We expect our acquirers to continue to engage with their merchants and report to us as required under our scheme rules on merchants’ take-up of this programme and their overall levels of compliance. We are largely expending our effort on encouraging the acquiring banks to continue their engagement with our portfolio of security measures. Acquirers in turn can advise retailers, and retailers can contact acquirers for advice. We take every opportunity to engage: we attend retail conferences and explain the benefits of our programme, and how we offer various options for retail payment security.
GT – Last year you launched guidelines to support retailers with Payment Card Industry Data Security Standard (PCI DSS) Compliance, data field encryption and tokenisation solutions and SQL. Besides these guidelines, do you (Visa) provide specific data field encryption and tokenisation solutions?
Visa Europe works extensively with our Members to ensure in the first instance that the guidance is understood by our Members. We then facilitate our Members in reaching out to their retail customers so that the message can be passed on in the most effective and understandable means possible. We also attend many conferences which affords us the ability to talk directly to many stakeholders, especially the retail community.
GT – Going back to the Technology Innovation Programme, what targets have you set yourselves to achieve levels of migration to the Programme by given dates?
Our first target is to establish the programme. We are currently working with our Members to understand how best to enrol the many retailers who have expressed an interest in our initiative. Our goal is to transition the programme to business as usual as quickly as possible so that retailers can begin to accrue the benefits of the programme.
GT – How does TIP fit into the Visa Europe grand strategy?
The Technology Innovation Programme further demonstrates our strong commitment to achieving full EMV chip migration in Europe, as it provides the best platform for reducing fraud, implementing the Single Euro Payments Area and introducing innovations such as contactless and mobile payments.
GT – The UK currently has no plans to join the Single Euro Payments Area (!), but what progress has there been in the past year towards implementing contactless and mobile payments in retail here? What’s Visa’s role been?
Contactless as a means of facilitating payment is proving to be a tremendously successful technology across many markets: it’s especially important in such areas as fast food and transit, with relatively low value transactions of 10 Euros or less, and represents an efficient and secure way to take payment, which is set to expand in Europe. Another important area is mobile, in the EU and globally, both to facilitate payment and on the acceptance side, using a mobile phone as a contactless card working on the same retailer acceptance platform.
Visa’s role is to establish a framework and specifications as to how these methods should operate, provide guidance on why contactless is a good idea and help overcome the technical challenges. For retailers of all sizes it’s a matter of evaluating how these measures can help in developing future payment systems.
GT – Finally, where do you see Visa Europe’s involvement going from here?
In spite of continued success in fighting payment card fraud, we need to remain vigilant and sustain and enhance our activities. The central imperative is to protect the integrity of the system and the payment data which circulates within it. There is an increasing expectation and demand for card payments to be made and accepted using a variety of new technologies and in a wider range of business contexts. In working with key stakeholders and members, Visa Europe has learnt that standardised solutions must cater for the needs of the vast majority of users in order to be widely adopted. And the sheer number of stakeholders means that so-called ‘point solutions’ are no longer appropriate for the continued evolution of the payment system.
Instead Visa Europe are reinvigorating the security debate and placing a renewed emphasis on authentication and data devaluation techniques, so that data is simply not available in a manner that is open to abuse. And, having done this, we can concentrate our protection efforts on residual risks in order for the business to continue growing.
This consideration is especially relevant as new acceptance technologies and channels are introduced, such as peer-to-peer, mobile and contactless payments. The security lessons learnt over the millennia all point to the same (obvious) conclusion – it is better to design a solution to be secure from the outset than to attempt to retrofit security afterwards. From the data field encryption viewpoint we’re working closely with PCI Security Standards Council, and have donated to them all the encryption technology we have developed for global implementation. It’s very important that retailers – whoever they are, whichever platform they use – view the technology in the same light and we achieve a global standard. After that, we must enable all payment card brands to view the standard identically: this is fundamentally important for European retailers.
For more information please visit: www.visaeurope.com/ais