01
Sep
11

Visa Is Upset

It seems that I ruffled some feathers at Visa Inc. with my post regarding their program to incentivize adoption of EMV in the United States.  Since I irritated another vendor today, I thought why not make the day complete and irritate another vendor?

As a result of my “A Carrot for Chip and PIN” post, I was contacted by Visa’s public relations firm requesting that I correct my post to properly characterize the program.

“My client, Visa Inc., requests a correction to a factual error on your PCI Guru blog: “A Carrot for Chip and PIN” (https://pciguru.wordpress.com/2011/08/13/a-carrot-for-chip-and-pin/).
While the initiative is certainly aimed at promoting the use of EMV chip, it is not aimed at promoting PIN, per se.  Hopefully, the following post on the Visa corporate website will provide clarification, but please feel free to contact me if you have questions: http://blog.visa.com/2011/08/26/pin-largely-unaffected-in-u-s-migration-to-emv-chip-2/
Many thanks in advance for correcting the story!”

As requested, I went and read the Visa blog entry.  This blog entry is regarding the fact that PIN usage was not being affected or required by the new program.  Apparently a major industry media outlet had implied that Visa was pushing for not using PINs which is not the case.  However, if you read my posting, I do not reference anything regarding PIN usage.  As a result, I asked the PR person to clarify what the problem was with the post.

“I guess I’m a bit confused about your request for a correction
EMV is known as “Chip and PIN” everywhere around the world.  My post does not discuss PIN usage only that Visa is promoting “Chip and PIN” as a card format as well as the RFID contactless card.
I’m always willing to make corrections, but is what Visa is requesting is that I not use the terminology “Chip and PIN” and refer to it only as EMV?”

To which, I received the following reply.

“Yes, it would be correct if you just removed the references to PIN. While signature is the most common form of authentication uses with chip around the world, some regions such as the UK have so popularized the term chip and PIN that it has virtually become one word.
So yes, it can correctly be referred to as a move to “EMV chip” or just “chip” if you prefer.
Many thanks!”

At first blush, this seems to be a very petty argument as to why I need to change my blog post.

But whoa!  Signature is the most common form of authentication with EMV cards around the world?  So, what is the point of having EMV if signature verification is still used?  I have always been told that the whole point of EMV was the coupling of the chip technology with the personal identification number (PIN).  The only reason signature is the most common authentication method is because, outside of Europe, Ireland and the UK, no one has the infrastructure on a large enough scale to process EMV with a PIN.  That is the whole reason Visa is trying to push EMV and contactless is to broaden its use.

Basically, from my interpretation of this response, I was accurate in my original post when I stated that Visa thinks that removing the PCI ROC requirement is enough to drive merchants to implement EMV or contactless terminals.  How could that be when it would take most merchants 10, 20 or even more years of ROC cost to equal the cost of replacing terminals?  Just how does an organization justify such an expense?  Particularly since the other card brands have not agreed to support this program.

But the other thing that disturbs me about this response is that Visa is upset with the use of the term Chip and PIN.  Never mind the fact that Visa uses the term Chip and PIN on their own Web sites around the world as a reference to EMV.  As well as the fact that Chip and PIN is essentially being synonymous with EMV.

So I respond to the PR person.

“I have reviewed my post (https://pciguru.wordpress.com/2011/08/13/a-carrot-for-chip-and-pin/) against the post on Visa USA’s Web site (http://blog.visa.com/2011/08/26/pin-largely-unaffected-in-u-s-migration-to-emv-chip-2/) and I fail to see why any correction is necessary.
The post from the Visa blog references the fact the [media outlet] stated that the PIN was being dropped in the move announced in http://usa.visa.com/download/merchants/bulletin-us-adopt-dynamic-authentication-080911.pdf.  The Visa blog post goes on to further clarify and define the fact that PINs will still be used.
My blog post says nothing about the PIN being used or not used.  My blog post is about business reasons why such a program are not going to be a reason for US banks or US merchants to move to EMV.  As I reread my post, other than the fact that I used the term “Chip and PIN” in the title and then as a “aka” reference for EMV in the first paragraph, the remainder of the entry refers to the card by EMV or the dual chip terminal.  As a result, I fail to see the need to make any changes to the post as the post has no relevance to the Visa USA blog post other than they both reference the aforementioned Visa program to promote EMV in the US.
If Visa USA does not like the use of the term “Chip and PIN” then I suggest that Visa USA take that matter up with the UK and Irish banks that created it more than a decade ago.  The fact that EMV and “Chip and PIN” are now synonymous with each other is also an issue that I am not responsible for nor will making any change to my blog entry effect.
If there is anything else I can assist you with, please let me know.”

The PR person responds.

“EMV is not synonymous with chip and PIN. The EMV standard specifies a number of cardholder verification methods including signature, offline PIN, online PIN, and no verification. Also, while you may possibly be most familiar with chip and PIN implementations in the UK and Ireland, in fact the majority of global implementations of EMV chip have been with signature. Citing chip and PIN in the headline implies that every chip transaction would be verified with a PIN (as they are in the UK and Ireland), which in the U.S. is incorrect, and I know you want to avoid factual errors.
Thanks again for your consideration of this request. Please consider me a helpful resource on future security matters in which Visa Inc. may be a good fit for your story.”

While I understand the PR person’s point, let us face facts.  Google Chip and PIN or EMV and the other term comes up in the results.  If that is not the definition of synonymous, I do not know what is.  Visa’s beef with my post really is the implied connotation by using the term ‘Chip and PIN’ in the title that a PIN would be required.  Whereas, all I was trying to do was to provide an easily Google-able term for people interested in EMV since EMV is usually referred to as Chip and PIN.  Such a complaint is laughable if it were not so sad.

Then to bring up offline PIN entry when it has been repeatedly shown to be the biggest reason why EMV and contactless with PIN can result in card present fraud is amazing and just shows the limited knowledge this individual has regarding their client’s products and services.  But to add insult to injury, they then bring up the wonderful fact that EMV and contactless can also be used with no authentication.  Not that I think anyone would actually do this, but it is an option.

However, the issue of not using the PIN along with the chip truly comes through in this response.  In my very humble opinion, the fact that Visa actually believes that pushing EMV without the PIN is just hysterical.  What is the point?  And this response actually confirms that I was correct in what I stated in my original post and is why I wrote the original post in the first place.  Given the current state of affairs, there is no business reason for EMV or contactless if PIN is not part of the equation.

But this incentive program does nothing to address the even larger issue that merchants and banks face which is the one of card not present fraud.  Card not present fraud is growing at a 20% to 35% clip depending on the survey you read from wherever in the world and comprises more than 50% of total card fraud.  If Visa really wanted to make a difference and give merchants and banks a reason to push for EMV and contactless adoption in the United States, they would gather the various stakeholders together in e-Commerce and come up with a common API that would allow EMV and contactless work online.  That would rein in card not present fraud and would truly create a business reason for investing in EMV and contactless capability.

As it is now, EMV and contactless are solutions looking for a problem.

Advertisements

14 Responses to “Visa Is Upset”


  1. June 20, 2012 at 5:07 AM

    Personally I’ve found usernames, passwords and tokens a real pain. So I invented this: http://www.bmmagazine.co.uk/tech/7493/uk-firms-patent-could-mean-remembering-website-passwords-will-be-thing-of-the-past/ . Had to keep quiet about it until the UK patent was granted: http://bit.ly/Ensygnia_Patent. Interesting?

  2. 2 John
    September 14, 2011 at 5:46 PM

    Tough argument when the homepage of http://www.visa.ca/en/merchant/products/index.jsp calls it “chip and pin”

    • September 25, 2013 at 10:15 AM

      You should have made a screen shot. Looks like the page was removed.

  3. 4 Al1
    September 14, 2011 at 8:16 AM

    I’m sorry man, I see your point, but you’re being difficult for the sake of being difficult. You’re getting some sick, sadistic, good feeling for rebelling up against a large corporation. But what you’re rebelling against is irrelevant and arbitrary. I’t probably some intern PR person who was tasked with correcting misconceptions of this product and service. It would be a different story if they had asked you to take the story down in all, but it’s really just a TYPO correction. You’re throwing into the confusion regarding Visa Inc’s products and services, just for the sake of throwing in. Make everyone’s life happy and make the change.

    Jerk.

    Thanks,

    • September 14, 2011 at 5:13 PM

      All I’m trying to do is point out how pointless some decisions are by organizations and then I get badgered by one about that discussion. People need to know what goes on behind the scenes and the sometimes irrational arguments that are used to drive those decisions. This was not a simple typo correction request, this was a request to change something that did not require a change. I get a lot of comments that I do not discuss or publish, however the reason I shared this issue with the readership is that I was concerned that Visa would just force this marketing ploy down the throats of uninformed merchants for the sake of forcing it down their throats. Thereby forcing merchants to incur costs that create no business advantage or return for the merchant. Good business decisions should be informed, not based on the one-sided view of a vendor.

  4. 6 Sama
    September 8, 2011 at 8:06 AM

    I won’t comment on the technical content, but I do have some comments on the geographical content. When you says:
    “The only reason signature is the most common authentication method is because, outside of Europe, Ireland and the UK, no one has the infrastructure on a large enough scale to process EMV with a PIN.”
    When did Ireland and UK become out of Europe territories???
    🙂

    • September 8, 2011 at 3:47 PM

      In the case of the UK, the very fact that they still have the British Pound as their currency and only reluctantly accept Euros is a prime example. 🙂 Seriously, I know they are technically part of the European Union, but they do not act that way.

  5. September 5, 2011 at 8:59 PM

    I won’t comment on the PR side of this, but I do have some comments on the technical content:

    In regards to CNP, you should have a look at the Chip Authentication Program (CAP) / Dynamic Passcode Authentication (DPA) – a good jumping in point would be here: http://en.wikipedia.org/wiki/Chip_Authentication_Program
    This has been around for about 10 years now, and is widely deployed in some European countries.

    Regarding PIN processing, many other countries beyond UK / Europe use PINs every day – we’ve had them in Australia / New Zealand for decades, and other Asian countries are also big adopters. A good resource for information on global EMV deployment (terminals, ATMs) can be found here:

    http://www.visa-asia.com/securitysummit2010/deck/S1-04_Summit_Authentication_Strategy_EduardoPerez.pdf
    (slide 10)

    The point of EMV is to remove some of the vulnerabilities involved in mag-stripe cards. Cardholder Verification Methods (CVMs) are negotiated between the card and the terminal, and as you correctly note, this can result even in situations where there is no CVM at all. This is becoming more common – contactless transactions often have no CVM, and some large merchants in Australia now allow for no CVM under a certain floor limit. As a person who works in banking security, and goes to the supermarket all the time, I see this as a great thing. And as long as I use my EMV card, it actually reduces _my_ risk.

    Finally, offline PIN is an accepted CVM, and so it seems perfectly understandable that they may bring it up. Problems with offline PIN really stem from allowing plaintext PIN, not from the use of offline PIN itself, and I would personally argue that cards that use Static Data Authentication are a bigger problem (but both are still a damn sight better than mag stripe).

  6. September 2, 2011 at 2:21 AM

    PCI Guru,

    Excellent article, thanks. As always, you are clear, correct and concise. Hopefully the PR Machine will consider their words carefully, if there is a ‘next step’ in this conversation.

    Emma.

  7. September 1, 2011 at 9:32 PM

    > If Visa really wanted to make a difference and give merchants and banks a reason to push for EMV and contactless adoption in the United States, they would gather the various stakeholders together in e-Commerce and come up with a common API that would allow EMV and contactless work online.

    Somebody give this man a cigar!

    • 11 JJ
      September 2, 2011 at 11:25 AM

      On a similar note, how about your thoughts on Discover’s recent announcement that they are going to discontinue their “Secure Online Account Number” program? You could generate a separate number valid only for transactions processed by the first vendor that used it. They claim that their fraud detection methods eliminate the need.

      http://moneyland.time.com/2011/09/02/discover-discontinues-random-number-security-feature/

      Not only do I not believe them, but the only credit card I use online is Discover because of this feature. Now I no longer have a reason to use them exclusively. They just lost a bunch of business because there’s no longer a reason to use them.

      • September 2, 2011 at 5:09 PM

        American Express had a similar service years ago for e-Commerce that died due to lack of adoption. Barclays Bank and a few other UK banks also tried to secure online transactions with EMV and PIN, but they were all unable to attract e-Commerce sites to use their proprietary solutions. Until the card brands work with e-Commerce sites, application developers, transaction processors and banks to develop one single API for using EMV and contactless with a PIN online, there really is no good online solution for minimize card not present fraud.

      • 13 John
        September 6, 2011 at 10:57 PM

        What are your thoughts on 3d secure for online transactions (other than the fact that the iframe pop-up windows look like phishing attempts)? This is an enhancement over the Amex product you mention and a standard is somewhat in the making with similar protocols available from the different brands.

      • September 7, 2011 at 7:35 AM

        It’s a start. But what we need is a standard that works with all EMV cards from all brands and that will take everyone involved (card brands, processors, Web developers and terminal manufacturers) to come up with a USB driven, cheap terminal that works just like an EMV enabled POS terminal at a merchant location. The other option is a software driven single use transaction code generator that runs on a person’s PC or smartphone and then transmits that code to the processor via the network connection or through scanning by generating a 2D bar code on the smartphone screen. In both cases, the user would have to enter their four digit PIN to complete the transaction. Either of these solutions would be able to leverage the security features available through EMV and contactless.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Announcements

If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.

Calendar

September 2011
M T W T F S S
« Aug   Oct »
 1234
567891011
12131415161718
19202122232425
2627282930  

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,904 other followers


%d bloggers like this: