Visa Using EMV To Rig The Mobile Game

Written by Evan Schuman
August 11th, 2011

When Visa announced Tuesday (Aug. 9) that it was reversing course and endorsing EMV for the U.S., the card brand billed it as a bridge to mobile payments, which it is. But the move is also some crafty strategy, one designed to lay a foundation for a mobile-payment environment that will be much more hospitable for Visa’s mobile-payment flavor than for rivals’ options.

Visa’s new approach will also likely spell the end—within about five to seven years—of mag-stripe cards in the U.S., a move that many payment security advocates say is years overdue. To make all of this happen, Visa is bringing its global EMV incentive program—officially the Technology Innovation Program (TIP)—to the States, along with its PCI-relaxation components. (PCI relaxation? There are two words I never expected to see used consecutively.) This means chains that start using specific EMV chip-enabled terminals (and use them to process at least 75 percent of all Visa transactions) will be permitted to forgo the annual compliance validation nightmare. But Visa has added such a lengthy list of qualifiers and exceptions to the program—along with the practical fact that some chains will opt to do the assessments anyway, for pure security purposes—that it’s not clear how many chains will find that incentive compelling enough to do massive hardware swaps.

(See PCI Columnist—and QSA—Walt Conway’s column about how this move will impact PCI enforcement.)

Beyond an easing of PCI assessments—to be clear, though, Visa stressed that all other PCI rules will still apply—the new effort will also promise the same liability shift that Canada and parts of Europe now enjoy. That shift—effective Oct. 1, 2015, for all retailers except gas stations, which were given an extra two years—makes retailers fully responsible for any losses from the acceptance of fake cards unless a Visa-accepted EMV terminal is used. If it is, the liability then stays with the card issuer. That liability shift is likely to be a much more compelling incentive than the PCI change. Together, though, the two incentives make a powerful move that gives mag-stripes little hope of long-term survival.

On the surface, the move seems like a clean security upgrade. Clearly, it is. Although EMV has certainly had its share of recent security problems, few argue that it is not an order of magnitude more secure than today’s plastic mag-stripe card. EMV is hardly perfect, but it’s certainly a sharp improvement.

This shift, though, goes far deeper than security. Visa is painting the move as being a bridge to imminent mobile payments. That’s absolutely true, but the move is not going to favor all mobile-payment approaches equally. By strengthening its payment network and strongly motivating retailers to upgrade hardware to devices that can handle both contact and contactless chips, along with dynamic authentication, Visa accomplishes two things.

First, it will make it much easier for retailers to push all mobile transactions through the new EMV terminals. That would potentially make the phone-based security modules from mobile-payment efforts such as Google’s much less relevant. By remarkable coincidence, Visa was noticeably absent from the Google Wallet rollout.

Second, this is a clever play in the battle to, if you will, control the mobile conversation. More precisely, it’s a play to control the mobile environment. Randy Vanderhoof, executive director of the Smart Card Alliance, said negotiations between Google and Visa have devolved into gamesmanship about who would be dominant in any type of mobile alliance.

“There’s a tension between who’s going to be the landlord and who’s going to be the tenant in the mobile phone,” Vanderhoof said. “Visa’s strategy is that they want to be the landlord where they can.”

Put another way, Visa wants the core mobile transactions to be running over the Visa network, with the security under the control of the card brand.


2 Comments

  1. Tom Mahoney Says:

    For me, at least, the bigger question is how this will impact on-line merchants. Will we see a significant increase in CNP fraud like we did across the pond when EMV became ubiquitous over there? I suspect that we will, at least until the mag stripe goes away, but I’d like to hear what the real experts think.

  2. Randy Vanderhoof Says:

    CNP fraud is being addressed with EMV cards and mobile payments, although in slightly different ways. Multi-channel authentication using the EMV chip as the generator of a one-time password that becomes part of the online checkout transaction is being done today in the UK and other EMV countries. The card “presented” transaction involves a personal reader that generates a dynamic code to accompany the cardholder data. The EMV chip generates the encrypted code. An NFC mobile phone can create the same code without the extra reader, so both EMV form factors can be applied to lower CNP fraud.



