In a November 15 webinar with members of the National Association of Convenience Stores, Visa executives strove to shed some light on the efforts by Visa to update the card and payment authentication processes in the United States to conform to the EMV (Europay MasterCard Visa) chip card standard. Three main points discussed in the webinar were the expansion of Visa’s Technology Incentive Program (TIP), the acceptance infrastructure for chip, and the liability shift for counterfeit fraud.
The adoption of dual interface chip technology is intended to help prepare the current payment infrastructure in the United States for the arrival of NFC-based mobile payments, noted John Sheets, senior business leader at Visa Inc., who also outlined the three key initiatives of the plan.
Ross Snailer, senior business leader at Visa Inc., said that the first element of the plan is designed provide relief (i.e., a waiver) for qualified retailers that deploy dual interface terminals from their annual PCI DSS validation exercise. Retailers that obtain approval to participate in TIP must continue to comply with PCI DSS, and acquirers maintain full liability for any fees, fines or penalties that may be applicable in event of a data breach.
While TIP recognizes a retailer’s investment in chip, enrolling and participating is not automatic — retailers must apply and obtain approval by Visa. This process begins October 2012.
The first actual mandate by Visa comes in April 2013, when all U.S. acquirer processors and sub-processors service providers will be required to support retailer acceptance of chip transactions.
On October 1, 2015, the liability shift begins — if a dual-interface or contact chip card is presented to a retailer that has not adopted at minimum contact chip terminals, excluding automatic fuel dispensers, liability for counterfeit fraud will shift to the retailer. By October 2017, automatic fuel dispensers come into the play. Liability does not include lost/stolen card fraud, card-not-present transactions (e-commerce) and contactless cards without a contact chip.
To clarify, the liability will fall on whichever entity has not upgraded to chip, whether it’s the issuer or the retailer. If both have chip, then the issuer will be responsible. If the issuer has upgraded and the retailer has not, then the retailers will bear the liability costs.
During the Q&A, retailers asked whether it would make sense for Visa to help retailers with POS upgrades. Sheets and Snailer responded that TIP is the incentive program Visa intends to use and that retailers would obtain some reduction in PCI DSS validation costs. They recognized that this might not be enough, but that some retailers have said this is an interesting enough proposition for them and Visa doesn’t see the need for additional incentives at this time.
Some retailers asked about the cost and benefits of adopting chip technology, noting that they would like to use the information in their ROI calculations for upgrading their pump terminals. Sheets and Snailer suggested that retailers talk with their pump manufacturers because there are “widely differing numbers” depending on the type of pump a retailer has and the age of the current technology in use. They said that while they can’t provide a cost/benefit analysis, Visa could help a retailer’s acquirer develop a better understanding of the potential ROI.
As to when chip cards will be available to U.S. consumers, Visa said that the banks are responsible for issuing the cards, and that issuers are not required to re-issue cards with chip technology.
Retailers also asked “what’s the point” in investing in PCI DSS if liability falls on the retailers come 2015. Sheets and Snailer commented that cardholders will begin to prefer merchants who accept chip, and at some point fraud will migrate to locations without chip acceptance, which could increase costs over time. They said that there is also an opportunity to use a targeted approach — that if retailers recognize high concentrations of counterfeit fraud in some locations, they can begin chip migration with those sites.
“We [retailers] have long recognized that the current magnetic stripe system is broken and welcomes Visa’s leadership in working with our membership to fully understand the roadmap to replacing today’s flawed system,” said Gray Taylor, PCATS executive director and NACS payments consultant. “Without a well-defined implementation specification, we are skeptical the deadlines can be met, but are working with EMVCo and ANSI X9 to ensure a transparent and expedient resolution to this issue.
“We believe that Visa took a few key issues back from the webinar. First, where is the return on investment of this upgrade? Second, why doesn’t the next generation include cardholder authentication like other developed economies? Last, if the system is so secure, why isn’t there full indemnification of retailers implementing EMV?” said Taylor.