New Security Group A Good Move, But Let’s Keep The Discussions Open

You know the problem is serious when Visa and MasterCard come together on something. And the recent spate of merchant data breaches and fraud is the latest example.

On Friday, the two bankcard brands formed a cross-industry group whose primary focus is to enhance payment system security. In a joint statement, they said they goal was to keep pace with the expectations of consumers, retailers and financial institutions. Between the lines, the goal really is to make sure the industry can better keep up with the pace of fraud sophistication.

To no one’s surprise, given the liability-shift mandates they’ve placed on the market that take effect in October 2015, the group initially will focus on the adoption of EMV chip technology in the United States. After that date, merchants presented with an EMV smart card who aren’t able to accept it take liability for any future counterfeit fraud committed with that card. Perhaps even more importantly, given the anticipated shift in fraud to card-not-present situations when EMV takes hold, the group also will address tokenization, point-to-point encryption and broader regional needs.

“One of the critical roles we play is to protect consumers and businesses against criminals and fraudsters,” said Chris McWilton, MasterCard president of North American Markets, said in the joint release. “Only through industry collaboration and cooperation will we address the real and immediate issue of security and maintain consumer confidence and trust. EMV will be the next step in these efforts, alongside enhanced security solutions for online and mobile channels.”

Initial focus: EMV

Understandable, but a bit troubling nonetheless, is the card brands’ adamant position on EMV. Nowhere is the joint release did they mention alternatives to the chip card’s 30-year-old technology that might better serve a 21st century audience.

And even EMV has its own critics, especially in terms of how the smart card technology gets rolled out. Visa and MasterCard both are allowing issuers to require only signatures when using their EMV cards, while merchants would prefer they require a PIN for better security.

Byron Pollitt, Visa’s chief financial officer, suggested during a recent call with Morgan Stanley analysts that if enough merchants accepted PIN, the Visa would drop allowing signature use.

“Our view is it’s chip and choice and that PIN could well be a red herring here because two-thirds of the retailers in the United States do not have a PIN pad with their POS terminal, two-thirds,” he said. “And so, if PIN were to be included as a fix at the same time, it would – in our view, dramatically slow the roll out of EMV, which is chip. And chip is what gets you to 70% of the fraud; the lost and stolen is addressed by PIN.”

In a recent PYMNTS.com post, Karen Webster, CEO of Market Platform Dynamics, noted that even with EMV, issuers will offer “hybrid” cards that still have mag-stripes on them. That suggests EMV will have limited impact until enough merchants get on board with EMV chip cards that the much more vulnerable mag-stripes simply go away.

Dave Fortney, senior vice president at The Clearing House, and five other C-suite execs will debate the various approaches to ensuring the safety and soundness of the U.S. payments systems in the face of cyber attacks with Cyber Security Czar Richard Clarke in The Innovation Project’s “Uber Solutions for Keeping the Criminals at Bay” on March 19.

Participation in the group Visa and MasterCard have formed will be broad and diverse, including banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups. The card brands stressed the need for collaboration, which also was a common theme addressed by key industry players in a recent congressional hearing on payments security.

Collaboration a chief necessity

In his own comment, Ryan McInerney, Visa’s president, cited the recent high-profile breaches as a catalyst for much needed collaboration between the retail and the financial-services industry. “As we have long said, no one industry or technology can solve the issue of payment system fraud on its own,” he said. “These conversations will serve as a useful forum to share ideas, break down barriers and spur the adoption of next generation security solutions for the benefit of all.”

MasterCard and Visa said they expect the group to complement and engage with other efforts across the industry, including proprietary risk councils, EMV task forces and the standard management bodies.

In the end, the group’s goal is to produce an actionable roadmap for securing payments across all market segments. Let’s hope the discussions are limited to maintaining the continued viability of the two major card brands and focus instead on what really matters: beating the bad guys at their ever-more-sophisticated game.