The financial giant explains how it plans to protect online transactions, contactless payments and more.
Despite the fuss made in the general media and on talkback radio, contactless payments made with stolen cards are not a big problem. The vast majority of card fraud in Australia – 78 percent of it – involves what's known as “card not present” transactions. That's where cards are used to make purchases over the phone or online.
The additional risk in such situations has long been known, and that's why merchants face higher fees for these transactions. For example, Square charges 1.9 percent if the card is inserted, tapped or swiped, increasing to 2.2 percent for online transactions or where the card number is keyed in by the merchant.
Introducing 3-D Secure 2.0
So, Visa's security roadmap for the period to 2020 includes the introduction of 3-D Secure 2.0, a new version of the payment protocol which, according to Visa, allows the “seamless authentication of consumers when shopping online, and enhanced fraud detection for all parties in an e-commerce transaction.”
According to Visa, 3-D Secure 2.0 “enables a real-time, secure, information-sharing pipeline that merchants can use to send an unprecedented number of transaction attributes that the issuer can use to authenticate customers more accurately without asking for a static password or slowing down commerce.”
For a visual explanation of how it works, Visa has provided a 3-D Secure 2.0 infographic (PDF).
The other changes outlined by Visa for implementation in the next few years are:
- 100 percent EMV acceptance: 92 percent of Visa face-to-face transactions in Australia are already contactless, which suggests most merchants have already upgraded their card readers to accept contactless or chip-and-PIN cards. Visa will be working on the laggards to ensure that everyone benefits from EMV (which stands for Europay, MasterCard and Visa, the global security standard for credit cards with computer chips).
- Standards for biometrics: Visa will promulgate standards for biometrics such as fingerprint or face recognition on smartphones, and certify the compliance of third-party devices and software.
- Standards for software-based PIN entry: Some low-end mobile POS systems (such as PayPal Here) provide a keypad on the reader for PIN entry, but others (such as the Square Reader for contactless and chip) rely on the smartphone or tablet running the software. So the Payment Card Industry Security Standards Council (PCI SSC) is developing standards for software-based PIN entry, and Visa is contributing the results of its ongoing pilot in this area.
- Tokenisation: The tokenisation of card account details is most commonly associated with systems such as Apple Pay. Instead of providing the POS device with the account number and other details, these systems transfer a 'token' that is associated with the actual account behind the scenes and can only be used once. Since the merchant is never in possession of the account details, any illicit modification of the POS device or a subsequent data breach cannot reveal them. Visa wants to see the widespread tokenisation of account details by financial institutions and merchants.
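
The tokenisation model described in the last item can be sketched in a few lines. This is an added illustration, not Visa's or any wallet's actual code: the TokenVault and Merchant classes, the token format and the card number are all constructed for the example. It shows the two properties the item names: the merchant's stored records never contain the account number, and a token replayed from those records is refused.

```python
import secrets


class TokenVault:
    """Issuer side (hypothetical): the only place that maps token -> account number."""

    def __init__(self):
        self._live = {}      # token -> account number, not yet redeemed
        self._spent = set()  # tokens that have already been redeemed once

    def issue(self, pan: str) -> str:
        # The token is random, so it carries no information about the account.
        token = secrets.token_hex(16)
        self._live[token] = pan
        return token

    def redeem(self, token: str) -> str:
        # Single use: a second presentation of the same token is refused.
        if token in self._spent:
            raise ValueError("token already used")
        if token not in self._live:
            raise ValueError("unknown token")
        self._spent.add(token)
        return self._live.pop(token)


class Merchant:
    """POS side (hypothetical): sees and stores tokens only."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.records = []    # what a breach of the merchant would expose

    def charge(self, token: str, amount_cents: int) -> bool:
        self.records.append((token, amount_cents))
        try:
            self.vault.redeem(token)  # issuer resolves the token behind the scenes
            return True
        except ValueError:
            return False


def demo():
    pan = "4111111111111111"           # constructed test number, not a real account
    vault = TokenVault()
    shop = Merchant(vault)
    token = vault.issue(pan)           # wallet obtains a token for this purchase
    first = shop.charge(token, 1250)
    replay = shop.charge(token, 1250)  # same token reused from the merchant's records
    leaked = any(pan in str(record) for record in shop.records)
    return first, replay, leaked
```
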