The Green Sheet Online Edition
February 13, 2012 • Issue 12:02:01
Visa says PIN unnecessary for EMV in U.S.
In its push for the adoption of Europay/MasterCard /Visa (EMV) chip cards and near field communication (NFC)-enabled mobile payment devices in the United States, Visa Inc. released a set of best practices designed to clarify issues that concern EMV. One popular myth Visa seeks to dispel is that EMV will require personal identification numbers (PINs).
"There's a lot of confusion around the myth that EMV means 'chip-and-PIN,'" Stephanie Ericksen, Visa Head of Authentication Product Integration, said in a blog published Jan. 13, 2012. "It doesn't in many countries, including the U.S. That's because, in the U.S., we can rely on online processing where transactions are transmitted in real time to the issuer for approval. With that in place, there's no need for the offline authentication that was the genesis of chip-and-PIN."
Ericksen said because the United States will be a late adopter of EMV, it can avoid many of the costs and complexities of EMV implementation around the world and yet still receive the benefits of reducing fraud. Ericksen believes the key to EMV in the United States is to "implement a streamlined, online-only version of EMV chip."
"Our telecommunications system means we can rely on online processing that is fast, and where transactions are routinely analyzed with our real-time fraud scoring system prior to issuer review," Ericksen noted. "By adding the dynamic cryptogram of the EMV chip to online authorization, we'll increase transaction safety even more, yet without the more complex and expensive cards, terminals and processing capabilities that are needed to support offline authorization."
Static authentication supported, not the best
Visa will continue to support a number of static authentication methods after EMV is introduced, Ericksen wrote. The cardholder verification methods that will continue to be supported include signature, online PIN and no-signature for low-value transactions.
"In the longer term, we expect the industry will reduce or even eliminate its use of static verification methods, such as signature and PIN, in favor of new and dynamic forms of cardholder verification," she added, noting that online PIN entry devices must comply with the Payment Card Industry Data Security Standard.
Randy Vanderhoof, Executive Director of the 180-member nonprofit Smart Card Alliance, agreed that PINs need not be part of EMV verification. "The problem with static PINs is they can be copied or wormed and used to commit fraud much like the fraud we have today with cards without PINs," he said. "PINs are not a great solution."
Vanderhoof advocates for a "more dynamic card verification method" that would make it impossible for thieves to access accounts via skimming and phishing scams. "Static authentication methods remain vulnerable to reply attacks," he said, adding that the creation of dynamic authorization will be an important part of the payments industry. He called EMV a "starting point" in the United States' effort to curb card cloning and counterfeiting.
MasterCard Worldwide's own push for EMV adoption in the United States is "forthcoming," Vanderhoof said.
Visa's best practices document, Recommended Practices for EMV Chip Implementation in the U.S., stresses "all chip transactions should leverage the...infrastructure for authorization and authentication" because nearly all U.S. transactions are authorized online in real time. The card brand said its EMV specifications are specifically tailored for the U.S. market.
Visa added, "There are many options for additional complex functionality in the EMV specification, including offline authentication, offline cardholder verification and offline authorization, which are not necessary for chip technology implementation in the U.S."
Among Visa's recommendations for acquirers, acquiring processors and merchants implementing EMV are:
- Adopt chip technology "early"
- Ensure that merchants can send complete chip data to acquirers
- Deploy chip-enabled, dual-interface terminals supporting contact chip, Visa payWave and mag-stripe interfaces
- Use the latest version of the Visa contactless payment specification
- Enable the Visa smart debit/credit acceptance product and mag-stripe data features
- Support the acquirer device validation tool kit and device module, as well as the contactless device evaluation tool kit
- Configure EMV terminals to only support online options
- Guarantee that POS environments support online PIN verification if merchants choose to support PINs in addition to other card verification methods
The best practices document can be accessed at www.blog.visa.com/wp-content/uploads/bulletin-chip-recommended-practices1.pdf.
For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.