Visa's Chief Risk Officer on the Future of Credit Card Fraud

If and when consumers begin receiving credit cards with embedded chips en masse from their banks, it’ll mark a significant change in the way Americans pay for things. Visa’s Chief Risk Officer, Ellen Richey, told me in an exclusive interview recently that for many consumers, the only change will be “swiping vs. dipping.” And while adding chips will bring the U.S. in line with the rest of the world, chips alone won’t really do much to stop credit card fraud. Here’s my Q&A with her on the future of credit cards and fraud.

Is this “Chip & Something” thing really happening? When?

We will have widespread chip adoption, but it does take time to get those cards out into the market. We are talking about several years before we see significant impact, for sure. But the momentum is there. You don’t see key players backing off or letting the enthusiasm wane.

So when popular imagination moves on from the Target hack, you don’t think the momentum for converting cards will disappear, too?

In the past there’s been a lot of publicity around data breaches for a short period of time. But this time, the combination of publicity and the moment that we’re at (makes a difference). The rest of the world has gone in this direction.

Is the U.S. targeted by hackers because our payment card technology is behind the times?

We do see criminals attacking the U.S. This trend so obvious. As far as being able to achieve a large data theft where you can turn stolen data into counterfeit cards, the U.S. is the prime target.

One potential holdup: Merchants are backing a “chip and PIN” system like the one in Europe, which would require a change in consumer behavior. Banks seem to favor “chip and signature” because it could be implemented faster and not require new consumer behavior. Where does Visa stand?

Our primary objective is for chip deployment to be as seamless as possible. We are not promoting one way or the other. Our objective is to get chip cards out there; “chip and choice” is our recommendation.

What’s your best guess about chip and PIN vs. chip and signature?

I can’t answer. We will have to let it play out.

Why don’t we just switch to card and PIN? That is, just make credit card consumers use PINs the way debit card users do? Isn’t that simpler?

Static data is the problem we are having. Now, you can steal the magnetic stripe data out of a database and make a counterfeit card. If you have just PINs and magnetic stripes, these are two types of static data.

And criminals would focus a lot of attention on getting their hands on PINs, making them ultimately less secure?

Right. They would shift focus toward attacking PINs.

That’s a good transition point. One criticism of converting to chip and pin/signature is that it does nothing to stop “card not present” fraud, such as with online shopping. Won’t chip cards just shift criminals’ focus online?

Yes. We have seen in other markets where they didn’t take additional steps to secure the online environment, that’s exactly what happens. But we’ve also seen, as in the UK, in places where they adopted additional measures to secure online transactions, absolute fraud rates did dip.

In other words, online merchants will have a big target on their backs the day that consumers get chip cards, right?

That’s why we have created a new standard for a new technology, tokenization, that would replace card numbers (in online transactions) with a set of meaningless numbers that couldn’t be used elsewhere…We will be publishing the formal tokenization standard soon.

What could halt or significantly slow chip card adoption? Isn’t the pin/signature debate going to slow things down?

In the past we might have seen bickering take precedent over security, but I don’t think we will now. I don’t think we will see a groundswell for mandating PIN acceptance…so that won’t be an impediment.

There’s also been talking about the Durbin Amendment, which requires that merchants have choices in how they process transactions, causing a delay in programming required for merchants to accept chip cards.

In the last month we reached a resolution of all those debates (with the major payment networks), so we think that impediment with be lifted.

What about ATMs? Will they need to accept chip cards?

ATMs are a more expensive proposition, which is why we’ve given them extra time. By 2017, there will be a global liability shift and we’ll see ATMs that take chip cards.

When will most Americans get chip cards?

There are already are 7 million chip cards in the U.S. market, mostly sent to consumers who travel overseas a lot… It’s more likely most consumers will see them with their card renewal. The jury is out about when, but I would expect by October of next year you will see a lot of them.

And what will change? What will consumers need to know?

Once they get a chip card, there might a little confusion right at beginning. If you reach out to swipe a card along the side of a terminal, instead you will be instructed to just dip it in, like at an ATM, and that’s it. If you do it wrong, the machine will tell you.

Merchants that don’t have chip readers will still take magnetic stripe swipes, right? The cards will still have stripes, won’t they?

Yes. Consumers should just read the instructions that come with a card… I don’t think it’ll be too confusing.