Visa Using EMV To Rig The Mobile Game
Written by Evan Schuman

When Visa announced Tuesday (Aug. 9) that it was reversing course and endorsing EMV for the U.S., the card brand billed it as a bridge to mobile payments, which it is. But the move is also some crafty strategy, one designed to lay a foundation for a mobile-payment environment that will be much more hospitable for Visa’s mobile-payment flavor than for rivals’ options.
Visa’s new approach will also likely spell the end—within about five-to-seven years—of mag-stripe cards in the U.S., a move that many payment security advocates say is years overdue. To make all of this happen, Visa is bringing its global EMV incentive program—officially the Technology Innovation Program (TIP)—to the States, along with its PCI-relaxation components. (PCI relaxation? There are two words I never expected to see used consecutively.) This means chains that start using specific EMV chip-enabled terminals (and use them to process at least 75 percent of all Visa transactions) will be permitted to forego the annual compliance validation nightmare. But Visa has added such a lengthy list of qualifiers and exceptions to the program—along with the practical fact that some chains will opt to do the assessments anyway, for pure security purposes—that it’s not clear how many chains will find that incentive compelling enough to do massive hardware swaps.
(See PCI Columnist—and QSA—Walt Conway’s column about how this move will impact PCI enforcement.)
Beyond an easing of PCI assessments—to be clear, though, Visa stressed that all other PCI rules will still apply—the new effort will also promise the same liability shift that Canada and parts of Europe now enjoy. That shift—effective Oct. 1, 2015, for all retailers except gas stations, which were given an extra two years—makes retailers fully responsible for any losses from the acceptance of fake cards unless a Visa-accepted EMV terminal is used. If it is, the liability then stays with the card issuer. That liability shift is likely to be a much more compelling incentive than the PCI change. Together, though, it’s a powerful move that gives mag-stripes little hope of long-term survival.
On the surface, the move seems like a clean security upgrade. Clearly, it is. Although EMV has certainly had its share of recent security problems, few argue that it is not an order of magnitude more secure than today’s plastic mag-stripe card. EMV is hardly perfect, but it’s certainly a sharp improvement.
This shift, though, goes far deeper than security. Visa is painting the move as being a bridge to imminent mobile payments. That’s absolutely true, but the move is not going to favor all mobile-payment approaches equally. By strengthening its payment network and strongly motivating retailers to upgrade hardware to devices that can handle both contact and contactless chips, along with dynamic authentication, Visa accomplishes two things.
First, it will make it much easier for retailers to push all mobile transactions through the new EMV terminals. That would potentially make much less relevant the phone-based security modules from mobile-payments efforts such as Google. By remarkable coincidence, Visa was noticeably absent from the Google Wallet rollout.
Second, this is a clever play in the battle to, if you will, control the mobile conversation. More precisely, it’s a play to control the mobile environment. Randy Vanderhoof, executive director of the Smart Card Alliance, said negotiations between Google and Visa have devolved into gamesmanship about who would be dominant in any type of mobile alliance.
“There’s a tension between who’s going to be the landlord and who’s going to be the tenant in the mobile phone,” Vanderhoof said. “Visa’s strategy is that they want to be the landlord where they can.”
Put another way, Visa wants the core mobile transactions to be running over the Visa network, with the security under the control of the card brand.
August 11th, 2011 at 12:13 am
For me, at least, the bigger question is how this will impact on-line merchants. Will we see a significant increase in CNP fraud like we did across the pond when EMV became ubiquitous over there? I suspect that we will, at least until the mag stripe goes away, but I’d like to hear what the real experts think.
August 11th, 2011 at 12:19 pm
CNP fraud is being addressed with EMV cards and mobile payments, although in slightly different ways. Multi-channel authentication using the EMV chip as the generator of a one-time password that becomes part of the online checkout transaction is being done today in the UK and other EMV countries. The card “presented” transaction involves a personal reader that generates a dynamic code to accompany the cardholder data. The EMV chip generates the encrypted code. An NFC mobile phone can create the same code without the extra reader, so both EMV form factors can be applied to lower CNP fraud.