Going Beyond PCI Compliance
Visa's Richey Stresses Adoption of Chip Cards, Tokenization
Ellen Richey, chief legal officer and enterprise risk officer at Visa, says card issuers, retailers, payments processors and others handling card data must go beyond PCI compliance if they expect to effectively fight fraud.
"There are already best practices out there that go beyond the technical side of PCI," Richey says in an interview with Information Security Media Group (transcript below). Those best practices include guidelines and recommendations related to the need for wider adoption of chip cards, such as those that conform to the Europay, MasterCard, Visa (EMV) standard; tokenization; and end-to-end encryption.
Another important fraud-prevention step, Richey says, is limiting the storage of card data. "Today, upwards of 90 percent of our retailers have certified that they no longer store that data" - information that is not essential to processing a payment or transaction, she says.
For card data that processors must store, tokenization should be applied, she stresses, to make card numbers inaccessible.
During this interview, Richey also discusses:
- The role enhanced analytics is playing in fraud detection;
- How Visa is working with other card brands to spur adoption of EMV in the U.S.; and
- Why tokenization is so critical for the security of e-commerce, card-not-present transactions.
Richey oversees Visa's compliance, audit and risk teams, including payment system risk, settlement risk and enterprise risk. She also serves as the company's primary legal adviser. Before joining Visa in 2007, she worked at Washington Mutual Inc. as senior vice president of enterprise risk management and executive vice president of card services. Earlier in her career, she served as vice chairman of Providian Financial Corp., where she led the enterprise risk management, legal, corporate governance, corporate relations, compliance and audit functions. Richey also was a partner in the San Francisco law firm Farella, Braun & Martel, where she specialized in corporate, real estate and financial institution matters.
Limiting Access to Data
TRACY KITTEN: Explain how limiting the amount of data merchants access is expected to reduce fraud.
ELLEN RICHEY: First, we need to ensure that no one is storing anything they don't need. The good news on that front is that we've made tremendous progress since the early days of data compromises in the payments industry; now, upwards of 90 percent of our retailers have certified that they no longer store unnecessary data. So that's one big step forward we've already accomplished. The next step, and something that is already in progress, is to devalue the data that passes through their systems. So even if they're not storing it, they are vulnerable to attack as the data moves through their system. We have multiple ways of devaluing the data, one of which is our primary focus right now, in 2014, which is rolling out with EMV chip.
Ongoing Storage of Data
KITTEN: Why is this ongoing storage of card data such a problem for the industry?
RICHEY: As I mentioned, it really isn't storage in the retail environment anymore. We have made huge strides in that regard. Of course, you've got some parts of the payments industry that still have to maintain the data, and in recent years we've seen attacks, for example, on processors. So the answer there is that we will have one segment of the industry where the data is devalued, so that it is no longer targeted by thieves. But we will have to have even stronger security than we have today, because there is always going to be the need for storage somewhere.
Beyond PCI Compliance
KITTEN: Could Visa mandate that the industry go beyond PCI compliance?
RICHEY: There are already best practices out there, particularly on the processing side, that we've published and are available on our website to go beyond the technical side of PCI; also, to do more along the resilience side of data security, such as improved or more frequent vulnerability monitoring and intrusion detection. Today in data security, you need to be getting away from strictly building a fortress to protect data and pay more attention to what you do in case hackers should be in your environment. Then, the second big item is to restrict the utility of the data in the hands of the retail industry. By that I mean, if we can make the data less valuable to criminals by using dynamic data that can't be reused to commit fraud, we can actually take the retailers out of harm's way. And, of course, one of the examples there is the EMV chip; another example would be our initiative around tokenization, which would devalue data in large portions of the industry.
Additional Security Layers
KITTEN: What additional security layers is Visa pushing?
RICHEY: The big three in our mind right now are the chip, tokenization and point-to-point encryption, which is a valuable tool available right now for retailers to protect themselves from the moment data is entered at the point-of-sale. In addition to that, we're always looking at the next generation of predictive analytics for fraud control; we're also improving our response technologies, the way we identify when breaches have occurred and get that intelligence out into the industry.
Securing POS Networks
KITTEN: What role do you see the card brands playing in merchant security?
RICHEY: We have a rather elaborate program called the Cardholder Information Security Program. Information about that is available on Visa.com. We also, as part of that program, ask that our acquiring banks provide a validation of PCI compliance throughout the industry based on the size of the merchant. For example, they may provide a third-party independent validation, a self-assessment and so forth. That is one big area where we've been involved for quite a few years, and, of course, we are moving beyond enforcement toward incentives, such as our liability shift for EMV.
KITTEN: Do you ever foresee there being regulatory oversight over retailers?
RICHEY: That is hard for me to say. At the [Congressional] hearing, where I testified, certainly FTC [Federal Trade Commission] Chairwoman [Edith] Ramirez was taking a strong position that additional oversight is needed. However, they just don't have that system of strict supervision outside the banking industry that they do within it. So I would be doubtful that you'll see the same level of regulatory oversight as you see in the banking industry.
Adoption of EMV
KITTEN: Can you talk about some of the steps that are being taken to help retailers enhance their adoption of EMV?
RICHEY: We've certainly been working for some years to make sure that the standards are really implementable here in the United States, and tailored to our market. One of the more recent initiatives there is to make sure we've licensed the technology to ensure all the merchants can route their transactions as is required by the Dodd-Frank Act. That has been resolved, really, with some of the major processors, like First Data, for example, in recent months. That is one big effort that is coming to a conclusion. In addition, Visa and MasterCard recently formed a cross-industry working group that will meet to accelerate EMV adoption, by working together collaboratively. We also, across all the brands, provide services on behalf of smaller institutions that might not want to make the investment themselves. We can actually do that for them.
KITTEN: What are some of EMV's security limitations?
RICHEY: The great thing about EMV is it will eliminate, if it's fully deployed, counterfeit fraud. But counterfeit fraud is only one type of fraud, and probably the biggest gap, if one did not pursue tokenization, would be card-not-present fraud. In today's world, that means e-commerce fraud. That is why we are so interested in pushing forward with our tokenization initiative.
Payment Infrastructure Changes
KITTEN: Could you talk about some of the changes you see coming in 2014 from a payments infrastructure and technology perspective?
RICHEY: I think we may have covered most of them, but the biggest item we're looking toward is the uptake in EMV cards. I think you'll start seeing them come into the market as the cards are routinely re-issued through the course of business. Secondly, of course, is our tokenization initiative. You will start to see actual tokenization service providers coming on later this year, perhaps as early as late summer or fall, and that will be an interesting change for the industry. We also see quite a bit of adoption of risk-based Verified By Visa services, which are based on not only behavioral data analytics, but also information that can be gained from the computer or device that is used to make the transactions. So we're seeing quite a bit of uptake there on our Visa consumer authentication services, and others like it.