The end of verification? Visa Europe posits new age for payment security

Executives at Visa Europe are pondering an overhaul of card security standards as new technologies and consumer preferences for frictionless shopping create demands for a more flexible approach to protecting transactions.


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

As the US banking industry prepares for a mass-market migration to EMV chip card standards, Peter Bayley, executive director of Visa Europe, is looking at the next wave of innovation.

"EMV is great and has served us well," he writes in a blog post. "Everyone loves it - but the days of the plastic card are coming to an end."

Instead, Bayley is looking ahead to a mobile and online future, in which data profiling and predictive modelling aligned with geo-location services provide a more nuanced approach to securing consumer transactions.

As expectations around security change, Visa has some big questions to answer, he says.

With the card schemes hammering out specifications for the use of digital tokens - rather than account numbers - for online and mobile transactions, Bayley asks: "How important is it to protect a token which can only be used where the customer wishes to do so or exists only for a few hours or minutes?"

On the mobile phone, Host Card Emulation offers the opportunity to completely remodel the security framework and provide a much smoother experience for consumers at the check-out by storing card details in the cloud.

Looking ahead, Bayley wonders whether Visa might not consider removing verification for most transactions.

"Silly you might say, but if we have the data and the models to show that our customer buys his coffee at 08:45 every morning at this merchant for this amount, and his phone GPS says he is there now - do I really need to check all the cryptography, and validate the PIN?," he asks. "How much extra security do we really need?"

Bayley's musings were quickly followed in a post by Jonathan Vaux, Visa's director of new payment propositions, which delved deeper into the development of 'card on file' technology in the cloud and biometric authentication on the mobile.

Visa needs to adapt quickly, he says: "We need to develop new standards, processes and capabilities that help enable these technologies which will, potentially, help us achieve our ambitions to be the world's most trusted currency and displace cash and cheques. For example, we will need to recognise other forms of authentication, such as thumbprint, in our process flows and evaluate its impact on the commercial framework."


Comments: (26)

Marite Ferrero Director at Lumiere LTD

"Silly you might say, but if we have the data and the models to show that our customer buys his coffee at 08:45 every morning at this merchant for this amount, and his phone GPS says he is there now - do I really need to check all the cryptography, and validate the PIN?,"

Isn't that what NFC was supposed to do? Does this mean that VISA does not like NFC? Some people also prefer privacy and they don't turn on their GPS... they don't want to be located...

Is this really a problem worth solving? Using the example given by the VISA Exec, the time it takes to check the pin and all the cryptography does not bother cardholders.  

If this is truly not yet known to VISA execs, I would like to say that there is one problem that is worth solving. That's the Verified by VISA. Most complain about VBV. It is inconsistent and it adds a lot of steps into an online transaction. 

A Finextra member 

"If this is truly not yet known to VISA execs, I would like to say that there is one problem that is worth solving. That's the Verified by VISA. Most complain about VBV. It is inconsistent and it adds a lot of steps into an online transaction."

I agree it's not ideal, but our decline rate would be higher without it and the Card Schemes are looking to improve the customer journey through the launch of their wallets .....

Marite Ferrero Director at Lumiere LTD

"I agree it's not ideal, but our decline rate would be higher without it and the Card Schemes are looking to improve the customer journey through the launch of their wallets ....."

Personally, I use Paypal or KLARNA (whichever one is available) because all I have to do is to type in my userid and password.

Whatever happened to V.me wallet which I first heard of in 2011? V.me wanted to do the same Paypal identification process (userid/password)...

A Finextra member 

Visa and other cards face the same problem despite EMV ....... " horrendous CNP fraud " .... Now that's a bad customer experience and costly for the issuers and it has grown ..... Let customers block and unblock their cards via their mobile devices, why do cards need to be available 7/24/365 for customers and fraudsters? Let the pre-authorized transactions go through, but let the customer lock his card when not in use, furthermore let the customer block his travel locations ahead of time when travelling via a schedule to avoid all those false positives. The customer is paying for all that fraud 750 mil Euro 2011 .... What happens when the FIs move that cost to the customer ...... Let them put their own cards in a logical vault ....

Marite Ferrero Director at Lumiere LTD

"Let customers block and unblock their cards via their mobile devices,.."

Excellent idea from Mr. Pyziak. I designed this system way back in 2000. We've been offering it to banks since then. Offered it through CardSwitch Technology and now through Wembix. Banks were not happy to offer this system to their cardholders. They told us that this system made their cardholders worry. And you know what? I agree. 

But with the economies tanking since 2007 and more and more debit cards are in use, cardholders are asking to have this control. I need to add here that Mr. Pyziak and I do not know each other. But thank you Mr. Pyziak.

Peter Bove Sales Manager at Aviso

"Silly you might say, but if we have the data and the models to show that our customer buys his coffee at 08:45 every morning at this merchant for this amount, and his phone GPS says he is there now - do I really need to check all the cryptography, and validate the PIN?," he asks. "How much extra security do we really need?"

Isn't this even more complex than a simple EMV transaction? Also, so now I've changed my phone, or left it at home and I'm left without the ability to pay.

There are a lot of things broken in the payments world, CNP being the most obvious, standards for Mobile Payments being another, let's focus on fixing those first.

Stefan Stafrace Consultant at Contractor

"Some people also prefer privacy and they don't turn on their GPS... they don't want to be located"

I don't think privacy is a relevant argument in this scenario, since the actual payment transaction itself reveals information that identifies the person committing the transaction at a specified location.  The GPS would only be a verification of what is already known.

Bill Trueman Director at Riskskill.com

A fantastic announcement from Visa people - about the future, i.e. a vision on what should be happening and where the industry should be. This is a debate about the future infrastructure that is needed - i.e. to facilitate payments beyond EMV and beyond anything that exists today.

The debate is needed and the planning is essential to drive global payments solutions forward properly.

Discussing the drawbacks that are inherent in the design of today's solutions whatever they might be - or for whatever they were introduced for is not really part of this debate. VbV/3DS was a solution delivered to cure a sudden immediate need for a market solution in the short term - and is only transient. NFC is a solution for a small and narrow part of the transaction - that simply has not worked (for again many reasons) as well as it was expected. Neither is this about unblocking / blocking cards in the traditional sense - but more about the transactional certification using behavioural analytics built upon an infrastructure that is 'new' secure using what we have learned from EMV and knowing what is needed in 'the new world'.

These are all issues of real substance that need debating, and are clearly issues with substantive emotion and depth attached to them. However, they are all issues that lie outside of the 'strategy thinking' about the underlying infrastructure needed for tomorrow that is presented in these blogs. The comments thus far are the things that a strategic architecture - if designed properly - will wipe out overnight. So we all need to be delighted that this is where the debate is moving to and for Peter / Jonathan for starting this.

Critical review of this is very valid, but the debate needs to be at a strategy level. There are many more relevant questions that people like Peter and Jonathan should be challenged with. These all now relate to how to define the strategic solutions, how to agree them, how to INCLUDE all the parties involved from issuers, acquirers, technology companies, processors and of course cardholders and retailers; but also regulators and governments centrally and globally. The thinking also needs to have not only an end-game vision, but a series of carefully planned milestones and agreed ways forward. These are the big challenges that will need to be addressed and where the challenge should be. However, the first stage has begun - and the important stage at that - i.e. setting down the vision for the future. Well done Peter Bayley and Jonathan Vaux.

Stephen Wilson Managing Director at Lockstep Consulting

On the other hand, re-purposing of shopping habit data can't go on without limit. There are significant moves to limit the amount of data breadcrumbs left behind as we transact (with electronic cash being the extreme response). 

A Finextra member 

To the Visa Executive: Yes WE need the old fashioned endpoint security and PIN validation. Maybe not Visa, they push the fraud bill to others, but consumers don't like the idea of being tracked and governments detest terrorist funding. It seems like everybody thinks that "If only we were able to analyze everything about the user we are able to pin down the bogus transactions". Without going into details I am convinced that this assumption is WRONG, simply because if your endpoint security is weak, you cannot trust the information you are gathering. We need crypto, PIN validation, client side application security, malware protection, penetration test and what not... We clearly don't need Visa to try to gather information about everything we do. The fraudsters will be able to hide. Decent people cannot.

Nihat R Erdem Manager at T.C.Ziraat Bankasi A.S.

Using PIN validation is something that cardholders do not see as a problem at all, whereas, on the contrary, the card providers insist that it is a huge problem, which has to be solved in any way. I have not crossed a customer complaint about the time they spend for a PIN validation at the payment point. PIN validation is some security that the customer can see. If you apply 10 times more security than now, but the customer doesn't see it, the customer will not feel more secure. It is good to SHOW them that you do something for their security, and the customer is a part of this.

A Finextra member 

There's a lot of duplication of effort here!!  The banks are building all these fraud checks into their own systems but Visa are looking for new revenue streams now that their fee charging model is gone...

 http://www.out-law.com/articles/2014/february/european-parliament-committee-agrees-on-payment-card-interchange-fee-caps/

As mentioned above creating infuriating false positive security alerts won't make their job easier.  It will take us right back to the bad-old-days.

As Nihat correctly points out, it's consumer security of perception that's paramount and one or two false positive declines / frauds on Visa's fantabulous stealth geo-located, fingerprinted, voice activated authentication beast would drive me off of Visa instantly....

Bill Trueman Director at Riskskill.com

So summarising the above commentaries - they seem to have drifted 180 degrees away from the issue raised by Visa people and in summary are broadly based upon a criticism of Visa products, Visa motives, Visa products, Visa infrastructure and Visa revenues today. Does this mean that no-one thinks that Visa should be thinking about the infrastructure and strategy for the payments industry, that we should let this be dictated by the Visa Inc people rather than letting the Europe Visa people work on a strategy; and that we should just stop progress in the absence of anyone else coming up with or being able to direct an industry strategy? Anyone?

Peter Bove Sales Manager at Aviso

Maybe Visa should focus on processing payments cheaply, securely and reliably and less on spending money on technology wild goose chases and sponsorship.

Bill Trueman Director at Riskskill.com

@Peter Bove.  Putting aside the issue that Visa does not really process anything itself...... If they did just that, then the consumer experience wouldn't get better or quicker; new technologies would go nowhere, fraud and other losses would rise, new payment solutions would cease and we would all start demanding closure of the schemes in less than 5 years. In general, if we do not move forward then we move backwards, and if we keep doing that then we die. It is that simple.

A Finextra member 

@Bill. Errr.... Visa DO process. All Visa transactions go through the VisaNet system. Fraud losses ARE on the rise - mainly in CNP (particularly Telesales). Why? Because the liability rests with the merchant and the Card Issuers have no incentive to deal with it. The new technology comment is an interesting one. Is there much consumer demand for all this new technology or might it simply confuse and bamboozle them or create doubt and mistrust? Leaving innovation to card issuers is high risk - look at Pingit. The idea is sound but not enough demand from consumers to make any real headway and perceived as a 'Barclays' only product.

Innovation and modernisation is required, but it needs to be done in such a way that consumers want it AND it's cost effective for retailers to deploy. Contactless is a classic example of not getting the product right at the outset. Customers didn't trust it, retailers were expected to 'educate' them and the hardware & software required to deploy it was making it hard to create a robust business case. 

I'm sure that Visa will have learned from that experience and, hopefully engage with the relevant parties in advance of any new deployment next time.

Bill Trueman Director at Riskskill.com

Good points. Why the anonymity?

Peter Bove Sales Manager at Aviso

@Bill Trueman - what makes you think that Visa is best place to manage innovation and new technologies? They don't control the payment device or the payment experience, or even the cardholder experience, so maybe they should butt out and let the people who do control the customer experience introduce the innovation.

Bill Trueman Director at Riskskill.com

@Peter Bove - I do not think that Visa is the best place for innovation at all, nor the best party to manage, co-ordinate or implement new technologies. But with a void in leadership coming from UK Plc (APACS, Payments Council, Banks collectively) or indeed the impossible task of getting this from EU or globally what are we to do. I believe that it is a real mistake for us (all) to allow schemes to manage innovation and/or direction because they move at the speed of the lowest-common-denominator (and that appears to be the USA at the moment!). BUT, who else is laying out a vision? I do not believe that this is Visa either (as Visa Inc or as Visa EU), but Peter Bayley and Jonathan Vaux (and behind them others I am sure SE/SP etc.) have stepped up to the podium on this one and started a debate with some leadership. So, the industry should, after picking itself up off the floor, 'run with the baton'. I would struggle to disagree with most (if not all) of the criticisms above; but that is NOT THE ISSUE HERE. Visa executives have 'stepped up to the plate' - we should not either knock them off their feet - nor should we throw last week's supper / or this year's 'pig's ear' at them. We should move forward, with the debate and the innovation and the thinking and the collective leadership ........... etc.

Sorry about all the analogies - especially the American one!

A Finextra member 

There does seem to be a groundswell of strong opinion about Visa in general. However, what I take away from this article is a very positive sign that Visa has set the right direction of travel - with the destination being frictionless payments with the consumer experience at the heart of the change.

Whatever we think about NFC, geolocation and profile modelling, these options do seem to form part of the future picture. Our responsibility in FinTech is to enable these things securely.

VbyV may be clunky but it tackles a very real issue - CNP fraud. There has been a great deal of innovation at the payment initiation level across the industry, outside the card schemes, but sadly less behind the scenes applying the newest security, cryptography, data modelling and analysis techniques to protecting the integrity of payment systems.

I wish Visa well in tackling the problem of riding with the tide of consumer demand for frictionless payments without creating a systemic weakness that opens merchants and schemes up to Fraud.

With an aging population, care for the elderly is the new boom business. In payments, fraud has the same growth trajectory as ever easier payment methods, digital wallets and the likes spread like a supervirus.

A Finextra member 

@Bill : Good points. Why the anonymity?

Unfortunately my business gets a little jumpy about what I may say publicly and I don't wish to get everything signed off in advance. Sorry!

While not a great fan (mainly due to cost), personally I think PayPal appear to have struck the right chord with the consumer. It's (perceived) as safe and extremely simple to transact.

Arguably it's the standard that others are striving to follow.

And they are!  The introduction of 'Wallets' such as now being introduced (V.me etc.) will, I think 'click' with consumers and enable them to transact in a very quick and simple way. Automatic login and a good strong password will go a long way toward facilitating a smooth payment process for on-line transactions. The challenge is how to extend that principle to telesales and the face to face environment - without the customer having to divulge their card (or account) details?

Tokenisation or 'one time use' numbers can play a role, but how to deploy the methodology in a cost effective way without retailers having to invest huge sums (with little to no benefit) will be the real challenge. 

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

At last Visa Europe admits to the reality that has stared at Visa Inc USA all along: VbV is painful; No leading online merchant has implemented it in USA (e.g. Amazon USA) despite FFIEC having mandated 2FA way back in c. 2005 - presumably because it causes more revenue loss due to shopping cart abandonment than fraud loss it prevents; I haven't heard a single report of fraud loss killing a single online merchant. If Visa Europe really goes ahead with plans for a "fantabulous stealth geo-located, fingerprinted, voice activated authentication" - to borrow from @MichaelD's comment - it will once again walk alone. I don't see any chance of Visa USA adopting such a "beast".

Jonathan Rosenne Chairman at QSM Programming Ltd.

There is a more basic question. Every use of the PIN is a potential exposure. I don't think it is desirable to go into details here. Is it justified to check the PIN when the purchase is a cup of coffee? Visa should establish a minimum transaction amount below which PINs are not required.

Marite Ferrero Director at Lumiere LTD

"Visa should establish a minimum transaction amount below which PINs are not required."

VISA INTL has a VISA Easy Payment Service No signature required program. For two merchant categories, the limit is up to $50.00. There is also VISA Paywave with NFC and it does not require the pin. There are similar VISA offers in the UK where the pin is not required with NFC for transactions under 20 quid.

A Finextra member 

In Australia, Visa payWave, MasterCard PayPass & American Express ExpressPay, can be used without a PIN number or signature for any amount less than $100.00. Signatures are going to be abolished in Australia on the 1st August 2014 for every form of card payment. This should tell you how successful contactless payments have been throughout Australia in terms of preventing fraud.

Deepak Khirwar Senior Product Manager at Oracle

Nice change. Along with Thumbprint even Retina Scan can also be used for authentication. Any process which could help a customer by not carrying a plastic card would also be better as in - if a person loses his/her wallet, the damage till customer reports to the bank could be reduced as there will not be any plastic card. Reducing the plastic card even EMV will also be environment friendly.
