Visa's 2015 Action Items: Apple Pay, Tokenization, Passwords, EMV
Modern technology has turned the payments industry into a juggling act, particularly for those charged with deploying new techniques to protect payment card data.
Major card brands have many tasks at hand related to the October 2015 liability shift date for EMV chip-based cards in the U.S., as well as the introduction of the Apple Pay mobile wallet.
While the conversion to chip-based transactions should stop counterfeit fraud at the point of sale, much work still needs to be done by all stakeholders to improve data security, said Eduardo Perez, Visa Inc.'s senior vice president for North America risk services.
After discussing new payment card technology at a consumer action conference in Chicago this week, Perez sat down with PaymentsSource to share Visa's vision of its role in the advancement of payment technology.
PaymentsSource: Apple Pay has garnered much attention in payments. Is there any confusion among merchants as to how this mobile pay system creates more EMV transactions?
Perez: For merchants, the Apple Pay solution is invoking a Visa payWave [contactless] transaction. The way to think about that is there is an algorithm on a chip card, and in our case we call it the Visa Smart Debit/Credit Application (VSDC). It will also be on the secure element on the Apple device to generate the cryptographic message. It transmits as an EMV transaction. In addition, the Apple Pay solution has also tokenized the transaction, so the account number is a unique card number solely for that solution. It is not the same number as on your card, but a number to represent your account.
PaymentsSource: As for tokenization, is there still uncertainty in the industry as to which standards are available and open to anyone?
Perez: There are any number of solutions out there, but our token is going to be accessible for the transaction to be routed out as the merchant would choose to route it for debit. In our case, we are going to provision a token that represents the Visa account number, but we have a service for others to use it in the way they want to use it to route the transaction. We don't foresee [who handles tokenization] being an issue.
PaymentsSource: On occasion, we hear that various tokens may be needed, depending on who provides the service. Is that true?
Perez: They [independent networks] have to think about how it applies to their circumstances and take the action they need to in order to facilitate that transaction. The important principle is that we have a mechanism to get back that tokenized transaction to the issuer so they can ultimately authorize and authenticate that transaction. That's the important part of this. Some services may only be able to do part of that process; our solution works the whole way through. Some tokenization services are tied to encryption services and, depending on the provider, it may work differently in terms of how that transaction flows and is translated back to an account number to be routed through our system. For us, among the many important features of a token, is that it is going to still have a BIN [bank identification number] so we know where to route it.
PaymentsSource: MasterCard recently announced it was moving forward with a process to eliminate passwords in e-commerce, and mentioned it was working with Visa to do so.
Perez: Passwords can create a good amount of friction and can impede a payment because people forget them. It creates issues. The worst transaction is a legitimate transaction that is declined for whatever reason. In order for our payment system to be viable, we have to be backward compliant, be relevant in the current environment and think about the future and how we are evolving. We are definitely looking at solutions like our Visa consumer authentication service, which evokes 3D Secure technology to get us into a situation where we don't have to rely on a username and password to gain confidence that it is really you conducting that transaction.
PaymentsSource: So, passwords are not long for this world?
Perez: There are many instances in which a consumer would be required to use a username and password, depending on how the merchant has set up their access or payment facilities that they offer. There is a mixed environment and, over time, we are offering solutions that don't require or evoke a password to authenticate and authorize a transaction.
PaymentsSource: What do you view as the key issue as we move closer to the October 2015 liability shift in the EMV migration in the U.S.?
Perez: From a Visa perspective and an industry perspective, we are doing a lot of stakeholder education. We are doing a 20-city tour over the next several months to educate stakeholders in those key, large metropolitan markets about this new technology and how it is coming to market and what they need to do and think about as they adopt this technology. We have actively been working with all of the largest issuers and acquirers across the payments system to make sure they have the information, resources and guidance to deploy the technology.
PaymentsSource: How is the migration going at this point?
Perez: We are seeing issuers planning to actively issue cards next year, and there does seem to be a more growing awareness of EMV. But we continue to work on it, because it is challenging, given the size of our market, for all stakeholders to deploy, adopt and become comfortable with that technology. As we have seen in other markets, it happens, but it happens over time. It doesn't happen all at once.
PaymentsSource: Does that mean the U.S. can make this transition in the same manner as most other countries?
Perez: Given that we have 2.5 billion-plus EMV cards in the rest of the world, we believe that ultimately consumers and merchants have the capacity to understand this technology and adopt it fairly simply.