By Mike Ryan

As anticipated, Visa announced the extension of the Technology Innovation Program (TIP) originally announced for non-U.S. markets back in February.  Reading through the document, it is clear that this is an attempt to get the market moving on two major Visa initiatives: near-field communications (NFC) and EMV.

As several analysts and my fellow bloggers have pointed out, this program says at least as much about Visa’s focus on NFC as it does about EMV. But, I’m more interested in what it doesn’t say.

First, the announcement doesn’t say that to qualify for PCI exemptions, 75 percent of the traffic needs to be EMV transactions.  It only says that the terminal must be EMV and NFC capable.  U.S. payment processors don’t support the standard today, so clearly no merchant would qualify. Obviously this is not an attempt to make the industry more secure or reduce fraud in the short term.

Second, you may have also noted that there are no liability shifts or protections from data breach penalties as there were in the global version of the program.  It seems that Visa knows that this program will not enhance security or prevent fraud, so while merchants may get a temporary reprieve from regulation they will still be subject to fines and penalties if they are breached

I’ll be honest…a part of me wants to applaud the effort to accelerate the NFC roll out because I want to use my phone to make purchases at the point-of-sale (POS).  However, I can’t do this with a clear conscience because my job is to help merchants become more secure and avoid the high cost of a data breach.

The reality is that EMV is still several years away.  While it will eventually help prevent some types of card-present fraud, it does nothing to protect cardholder data from being stolen from merchants’ networks.  The EMV message still sends card numbers in the clear — without point-to-point encryption (P2PE) and/or tokenization — so it essentially does nothing to protect data.

That data, if stolen, can still be used at the POS until EMV is widely adopted several years from now — or for the foreseeable future in card-not-present (CNP) fraud.  According to Javelin Strategy & Research’s most recent Identity Fraud Survey Report, CNP has outpaced card-present fraud for the first time ever.

Visa’s program doesn’t offer any new protection, so the penalties will continue to rest with the merchant.  So let’s start preparing for EMV and NFC, but don’t be fooled…unless you render the data useless, criminals will still try to steal that data and someone will ultimately pay the price when a breach occurs.

Write a Comment