Visa Inc. this week announced a plan to replace the familiar magnetic stripe payment card with cards carrying chips, a move that experts say could hasten the day when consumers pay in physical stores with a wave of a mobile phone but also raise new fraud threats for online merchants.
The chip cards that Visa is pushing would let consumers pay as they do today in Europe and much of the rest of the world, by inserting the card into a reader and tapping in a PIN that the card’s chip then verifies. This is considered far more secure than the magnetic stripe, which can be easily copied and used to make phony cards.
But the part that impacts mobile commerce is the Visa requirement that the cards also carry an embedded antenna so that the chips can communicate with payment terminals wirelessly, for example, using the Near Field Communication technology that’s starting to be built into some mobile phones. The Visa plan includes incentives for merchants to install new payment terminals that can read the chip in both contact and contactless mode, which would mean there would be millions of merchant locations where consumers could also pay with a wave of mobile handsets containing NFC chips.
To spur adoption, beginning Oct. 1, 2012, Visa will offer bricks-and-mortar merchants who have payment terminals with dual contact and contactless capability an exemption from validating their compliance with the PCI Data Security Standard if at least 75% of the merchant’s Visa transactions originate from chip-enabled terminals. That will be especially appealing to larger merchants that have to undergo annual audits to verify their PCI compliance, audits that cost on average $225,000, according to a study last year by the Ponemon Institute.“As NFC mobile payments and other chip-based emerging technologies are poised to take off in the coming years, we are taking steps today to create a commercial framework that will support growth opportunities and create value for all participants in the payment chain,” says Jim McCarthy, Visa global head of product.
Visa’s plan will force bricks-and-mortar retailers to install NFC readers, says Avivah Litan, an analyst at technology consulting firm Gartner Inc. “This is all about card issuers and Visa pushing NFC,” Litan says.
There is nothing in this plan for online or mobile retailers, she adds. That’s because consumers will still have to enter card numbers on their computers or mobile devices to complete a transaction.
In fact, in the United Kingdom, the adoption of chip cards nearly a decade ago led initially to more online fraud, as criminals thwarted by the improved security at bricks-and-mortar stores turned their attention to defrauding e-retailers.
That has started to subside since 2008 when payment networks pushed online retailers to adopt the web security systems Verified by Visa and MasterCard SecureCode, says David Smith, chief marketing and communications officer at IMRG, a UK-based e-retailer trade association. Those Visa and MasterCard systems, which both use an approach known as 3-D Secure, require the cardholder to register his payment cards and authenticate himself with a password when making an online purchase. Visa and MasterCard did not immediately respond to a request for the number of merchants participating in Verified by Visa and MasterCard SecureCode.
Card-not-present fraud peaked at 328.4 million pounds ($531.4 million) in 2008, according to the UK Payments Administration, but dropped in 2009 to 266.4 million pounds ($431.1 million) and to 226.9 million pounds ($367.2 million) in 2010.
Some payment experts expect to see a similar increase in online fraud attempts in the U.S., if Visa’s plan does indeed lead retailers to upgrade their card-accepting terminals at store checkout counters.
“For the card-not-present space it really means a lift in actual fraud attempts,” says David Montague, president of The Fraud Practice LLC, a consulting firm specializing in online fraud. He says that increase could start showing up in three years. “Fraud’s not going to go away,” he says. “It’s just going to move to whichever channel provides the least barriers.”
While Visa is acting alone it likely will force most merchants to follow its directive, as U.S. merchants use a single terminal to accept cards from all major brands.
Visa’s chief rival, MasterCard Inc., says it will wait and see how banks and merchants react to Visa’s directive.
“To date, consumer demand and market economics have not justified a migration in the United States,” a MasterCard spokesman says, but it is educating its customers about EMV. “Obviously, Visa’s decision will impact market direction and we will continue to consider our actions accordingly.”
American Express Co. did not respond to an Internet Retailer inquiry. Discover Financial Services says it is prepared to process chip card transactions in the United States and is committed to global standards, including EMV, the smart card standard that Visa, MasterCard, American Express and other global card brands all support.