Visa's chief financial officer said that securing retail point-of-sale infrastructure will take a hefty investment, chips on credit cards are critical and better encryption may be the fastest way to secure transactions.
Byron Pollitt, CFO of Visa, said at the Morgan Stanley Technology Media & Telecom conference that cybersecurity is the No. 1 topic in the payment ecosystem following the widely publicized data breaches at Target. Target CIO Beth Jacob resigned on Wednesday.
Related: Visa CEO: We need better security, EMV chips, tokens | Target CIO Jacob resigns following data breach | Target's data breach tab mostly covered by insurance so far | How hackers stole millions of credit card records from Target | Target hackers hit air-conditioning firm first as a way in | Target's data breach: It gets worse | Many times bitten, retailers scramble to prevent another Target-like meltdown
Pollitt characterized security as a never-ending investment cycle for retailers. In the near term, Pollitt said Visa will be "pushing more in the encryption activity. Encryption that goes beyond the minimum required to be PCI compliant."
Why? Better encryption could be implemented the fastest. So-called chip and PIN technology is also critical, but will take more time to implement, he said. EMV (Europay, Mastercard, Visa) puts chips on cards and makes them harder to counterfeit. About 70 percent of fraud revolves around the magnetic stripe on credit cards.
When you have a high penetration of chip cards and merchants with chip readers and you have replaced the magstripe, you have replaced the primary driver of counterfeit.
However, Visa's take is a bit more nuanced. Pollitt said he wasn't sold on PINs.
Our view is it is chip and choice, and that PIN could well be a red herring here because two-thirds of the retailers in the United States do not have a PIN pad with their POS terminal, two-thirds.
And so if PIN were to be included as a fix at the same time, in our view, it would dramatically slow the rollout of EMV, which is chip, and chip is what gets you to 70 percent of the fraud. The lost and stolen is addressed by PIN.
And there are lot of other issues with PIN. But given the catalyst of the Target breach, the urgency that the industry feels now to take action to get fraud levels down, chip is the horse that will win the race if we let it run as fast as it can. And that means keep focused on chip, get the chip readers in place, get the cards replaced with chip and get that foundation in. And at that point we should have substantially dealt with the primary cause of fraud at the physical point of sale.
Chip infrastructure can and should be rolled out, but it'll take "quite a bit of investment" to make EMV the norm in the U.S., said Pollitt, who added most retailers will have to upgrade their terminals.
These terminals are going to have to be replaced, which means investment. And then if you were to look in your wallet I strongly suspect you might have one card with a chip on it, some of you will have none.
So all of these cards are going to have to be reissued with chips and so that's an issuer cost. The retailers and/or the acquirers are going to be investing in the chip terminals. A lot of software work to make sure that all this happens.
Pollitt also noted that the investment cycle against fraud can't end because cybercrime just moves to the next weakest link. Better encryption and chips can be deployed and PINs will be targeted. "You invest, you strengthen and then fraud moves," he said. "The resourcefulness, the intellect, the level of innovativeness in the fraud sector is absolutely amazing. I don't know where their Silicon Valley is. I think it moves. But it is just a proposition that will never end."