Visa CFO: 'Quite a bit of investment' needed to install chip technology

Visa CFO: 'Quite a bit of investment' needed to install chip technology

Summary: Visa CFO Byron Pollitt explains why the Target data breach could spur a little investment boom as retailers scramble to upgrade infrastructure to cut fraud.

SHARE:
TOPICS: Security, E-Commerce
8

Visa's chief financial officer said that securing retail point-of-sale infrastructure will take a hefty investment, chips on credit cards are critical and better encryption may be the fastest way to secure transactions.

Byron Pollitt, CFO of Visa, said at the Morgan Stanley Technology Media & Telecom conference that cybersecurity is the No. 1 topic in the payment ecosystem following the widely publicized data breaches at Target. Target CIO Beth Jacob resigned on Wednesday.

Related: Visa CEO: We need better security, EMV chips, tokens | Target CIO Jacob resigns following data breach |  Target's data breach tab mostly covered by insurance so far | How hackers stole millions of credit card records from Target | Target hackers hit air-conditioning firm first as a way in | Target's data breach: It gets worse | Many times bitten, retailers scramble to prevent another Target-like meltdown 

Pollitt characterized security as a never-ending investment cycle for retailers. In the near term, Pollitt said Visa will be "pushing more in the encryption activity. Encryption that goes beyond the minimum required to be PCI compliant."

Why? Better encryption could be implemented the fastest. So-called chip and PIN technology is also critical, but will take more time to implement, he said. EMV (Europay, Mastercard, Visa) puts chips on cards and makes them harder to counterfeit. About 70 percent of fraud revolves around the magnetic stripe on credit cards.

Pollitt said:

When you have a high penetration of chip cards and merchants with chip readers and you have replaced the magstripe, you have replaced the primary driver of counterfeit.

However, Visa's take is a bit more nuanced. Pollitt said he wasn't sold on PINs.

Our view is it is chip and choice, and that PIN could well be a red herring here because two-thirds of the retailers in the United States do not have a PIN pad with their POS terminal, two-thirds.

And so if PIN were to be included as a fix at the same time, in our view, it would dramatically slow the rollout of EMV, which is chip, and chip is what gets you to 70 percent of the fraud. The lost and stolen is addressed by PIN.

And there are lot of other issues with PIN. But given the catalyst of the Target breach, the urgency that the industry feels now to take action to get fraud levels down, chip is the horse that will win the race if we let it run as fast as it can. And that means keep focused on chip, get the chip readers in place, get the cards replaced with chip and get that foundation in. And at that point we should have substantially dealt with the primary cause of fraud at the physical point of sale.

Chip infrastructure can and should be rolled out, but it'll take "quite a bit of investment" to make EMV the norm in the U.S., said Pollitt, who added most retailers will have to upgrade their terminals.

He said:

These terminals are going to have to be replaced, which means investment. And then if you were to look in your wallet I strongly suspect you might have one card with a chip on it, some of you will have none.

So all of these cards are going to have to be reissued with chips and so that's an issuer cost. The retailers and/or the acquirers are going to be investing in the chip terminals. A lot of software work to make sure that all this happens.

Pollitt also noted that the investment cycle against fraud can't end because cybercrime just moves to the next weakest link. Better encryption and chips can be deployed and PINs will be targeted. "You invest, you strengthen and then fraud moves," he said. "The resourcefulness, the intellect, the level of innovativeness in the fraud sector is absolutely amazing. I don't know where their Silicon Valley is. I think it moves. But it is just a proposition that will never end."

Topics: Security, E-Commerce

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments
Log in or register to join the discussion
  • Easy on a smartphone

    Forget plastic cards. Encryption combined with short NFC transaction is easy on a smartphone. Lets get moving on this! Europe is way ahead of the USA for NFC payments.
    Sean Foley
    • Not every phone comes with NFC

      Not every phone comes with NFC, and i am not even talking about cheap phones.
      Mac_Win
      • No excuses

        Europe is doing it, USA could too. NFC is common tech. Apple just needs to suck it up and use a standard technology for once.
        Sean Foley
  • Canada is beyond PIN, on Visa PayWave, MC PayPass tapping

    Why are these fogies gumming their toothless old jaws about the cost of obsolete PIN checkout when the terminals will need to be replaced again to facilitate "tap" card technology, which is already available at all major retail outlets in Canada? Does USA sell butter churns in the Dairy section?
    I2k4
  • Yes, quite a bit of investment is needed

    But it is investment that is MORE than necessary in the real world. It won't stop people from ordering stuff online from Newegg and sending it to a straw receiver, but it will stop people from walking into Best Buy and using someone's credit card without their permission.
    Lerianis10
  • We know what's coming next

    Look for a gigantic lobbying effort by Visa, Mastercard, and the other vendors to pass immigration "reform" so the U.S. can import more cheap H-1B visa workers to make the conversion to EMV chips. The unwashed masses will probably be confused by Visa desiring more visas, so it will pass without much fuss.

    American schadenfreude and the Senate Gang of Eight's fraudulent immigration reform bill S.744
    http://saucymugwump.blogspot.com/2013/11/american-schadenfreude-and-fraudulent.html
    saucymugwump
  • Chip and PIN is not a complete solution

    "chipped" cards will secure in-person transactions thoroughly, but they can't help with card-not-present online transactions. Electronic cards -that display and encode (on the mag-stripe) a one-time-use/one-merchant-use number... work to secure BOTH in-person and online transactions.

    Let's address the "static number" problem- not promote solutions that work well (EMV) for one transaction method, but ignore other real-world use cases/methods!


    All U.S. payment cards suffer from an inherent problem- it's known as the "replay attack".

    The numbers on your card can be re-played, over and over again with or without your authentication or authorization.
    This type of fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several years. Just one of the technologies that could be used are dynamically created or 'changing' card numbers that are only valid for one merchant at a time (however, that merchant can use the number multiple times -including processing returns!)

    One perceived roadblock to a wider acceptance of "one time use" card technology is that merchant Point-of-Sale (POS) systems would need to change significantly, and therefore it's "too costly".
    This is not entirely true.

    Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode [one-time-use card] numbers onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology.

    A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.
    Whether or not card data is stored at (or scrapped from) the POS terminal is irrelevant if the data itself (the card number) changes with every transaction.

    See Dynamics Inc.'s webpage (/Corporate/Products) and their "Dynamics Inc. - Enabling Payments 2.0®" Dynamic Credit Card via archive.org [http://www.dynamicsinc.com/Cor...]

    Here: http://bit.ly/19fbXKb
    (last archived by archive.org on Oct. 1st, 2013).

    The single most frightening thing anyone could say that should be the catalyst for the card industry to move toward enhancing the 1950's card technology that we currently endure is "I'm just going to pay cash and stop using credit cards". Of course that'll never happen and as long as everyone continues to believe the myth that "all we can do" is to cancel compromised cards and pay extra for "account monitoring", recover from identity theft best we can, yada, yada, yada.

    The news story that consumers should be hearing is that card skimming fraud could have been eliminated years ago. I believe any merchants that get compromised, are victims themselves, victims of our current card technology that hasn't evolved significantly since it was first introduced in the 1950's.

    Taxicabs in Illinois, Target, Neiman Marcus, Michael's, Aaron Brothers, every merchant, and every consumer that has ever suffered financial, personal-data, or identity theft losses due to the inherent security flaws in (U.S.) credit card transactions, should hold the Payment Card Industry (including issuing banks) primarily responsible.
    johnlindemann
  • Still, an interim solution would be "Force the use of PIN"

    In the mean time, while we are waiting for the U.S. to catch up with "the rest of the world," an interim solution that costs virtually $ZERO would be to "force" the use of PIN.

    That's right, you can call it "lame" all you want but, if we are "forced" to enter a PIN, that eliminates a huge amount of fraud, until and unless someone forces you to divulge PIN or they guess it. Sure, there are many pitfalls/problems but the only reason it is NOT widely in use is because that Visa/MC, etc. felt it would "slow down the transactions and thus the revenue stream." Face it: If you steal my card and I have an 8-character PIN, the card is virtually useless, "as long as" ALL merchants require a PIN. Also, contrary to what the above says, I have seen most merchants having readers with PINpads, so it is a lie to say that they do not have capability to have you enter your PIN. Matter of fact, I have yet to see ANY location that does not allow ability for you to enter PIN.

    Again, the other advantage: Enabling the "force PIN use" feature costs virtually nothing, since most terminals support it, and everyone now is required to "have" a PIN, whether or not they use it.

    PIN is NOT a perfect solution, just an interim step but, "having/forcing PIN use" makes me MUCH more comfortable about fraud being more difficult. Sure, replay attacks can happen but the majority of fraud is, "Hey, we have these stolen cards, let's go CRAZY and spend $$$" - well, with PIN usage "forced," then the fraudsters have a much harder time trying to exploit the stolen cards vs. "NO PIN NEEDED, GO CRAZY WITH MY STOLEN CARD!"
    bitdoctor