New security standards needed to enable safer e-commerce, says credit card firm’s risk chief for Asia
Payments giant Visa has launched what it calls its future security roadmap for Thailand, while taking steps to keep its lead in the payment industry. Joe Cunningham, the company’s head of risk for Asia Pacific, said the future of payment lies in new kinds of experiences as a constant stream of innovations impacts the relationship between cardholders and merchants.
One of the most interesting developments in payment has been the huge explosion in the kind and numbers of devices that can be used by consumers, such as mobile phones, the Internet of Things and wearables, Cunningham says.
Visa boasts over three billion cards worldwide, a figure it expects will multiply by 10 times over the next decade, even as their form increasingly shifts from a card to other payment devices, including wearables and the Internet of Things.
On the merchant’s side of the counter, Visa also foresees a mirrored explosion in the “ways to pay” as merchants and commercial enterprises join in disrupting the traditional payment system, and also traditional financial services.
The result is a very interesting time in the payment industry, Cunningham says. But the company will continue to lead the payment industry in partnership with its clients, who serve the millions of merchants around the world that accept the billions of Visa cards carried in customer wallets, along with mobile phones, every day.
“One of the most important things as we think about the future, is that Visa must maintain its focus on security,” says Cunningham. “It is one of the most important priorities of our cardholders – they need to feel that they have confidence and trust in electronic payment. It is a very important part of Visa’s strategy.”
Visa has developed principles that it tries to enforce within the industry: to innovate responsibly, with all innovations based on “security by design.”
“We drive security across the payments ecosystem. We are guided by the principle of responsible innovation through optimising the balance between risk and innovation,” says Cunningham.
Visa has launched a “future of security roadmap” for Thailand, a plan that parallels similar roadmaps around the world.
“As we think about the future of payment and the number of innovations taking place in payment, we need to make sure that all stakeholders make the right investments to ensure they protect cardholders, removing any sensitive data from the payment system, and having a balance between security and convenience, between security and innovation,” says Cunningham.
“In order to do that, Visa has been working with clients in Thailand – the Thai Bankers’ Association and Bank of Thailand – to get their endorsement of the plan for the market,” says Cunningham.
Visa is undertaking four security initiatives. First is to devalue data by removing sensitive data from the ecosystem and making stolen account details useless. Second is to protect data by implementing safeguards to protect personal data as well as account details. Third is to harness data by identifying potential fraud before it occurs and to increase confidence in approving good transactions. Fourth is to empower everyone, including account holders, third-party providers and merchants, to play an active role in securing payments.
“We intend to do those four things over the next couple of years,” says Cunningham, “creating a strategy of payment security. We want to eliminate sensitive data. The 16-digit number on the card would not be stored anywhere by the merchant, bank or payment facilitator/processor. The sensitive data in the 16-digit number would be removed and replaced by something that would be worthless if the number was stolen.”
There are two important aspects of this “transaction control,” he says – making sure that the cardholder becomes part of the solution over the long term, and giving cardholders more effective control and management over their accounts and their Visa card.
The vast majority of Visa-card fraud in Thailand, the Asia Pacific and all around the world now takes place in e-commerce. Because most countries around the world, and especially those in Asia Pacific, have implemented the EMV chip, limited fraud now takes place in the physical world. Fraud has moved to e-commerce.
“The focus of our roadmap for the future is very much on e-commerce. How to protect e-commerce and how to make sure e-commerce will be safe, continue to be convenient and secure. The best way is to make it easy for merchants and the banks to share data at the time the transaction is occurring. The aim is less fraud and a seamless transaction,” says Cunningham.
The first stage is to remind stakeholders what they need to do today, including to apply a global security standard. The time frame for the future of the security roadmap is the next three years, 2019 to 2021.
By the end of 2019, all debit-card issuers will have completed the EMV chip migration. In Thailand, all debit cards will by 2019 have to include a chip. And, by the end of next year, all issuers will have adopted digital transaction controls enabling cardholders to control their card usage.
By 2020, all issuers must implement the new standard for e-commerce, called 3-DS version 2.0, with effect from April 2020. All high-risk merchants, such as airlines and online travel agents, must support 3DS 2.0 from then. It will help support the rapid growth of e-commerce, increasing convenience for merchants while at the same time increasing cardholders’ confidence in security.
The next important thing is “credential on file tokenisation”. By 2020, the acquirers must use payment gateways that support EMVCo tokens, and all new point-of-sale terminals deployed after the end of 2020 are recommended to be capable of supporting PCI point-to-point encryption.
“We want merchants to adopt this standard of token to replace sensitive data, to devalue data by removing sensitive data. It is the major piece of the roadmap,” says Cunningham.
By 2020, Visa will encourage specific large merchants to adopt the credential on file tokenisation, and by 2021 all merchants must tokenise.
For the large number of people who have never had traditional credit card and debit card products, there is a need for innovation to take place. Mobile is a very important part of that solution, with the new acceptable standards such as the QR code standard, for example, offering very inexpensive ways for merchants to accept electronic payments as compared to POS devices of the past.
The traditional debit card and credit card may not be relevant for these newcomers. They may access the storefront through mobile phones, as well as join the formal financial system.
“Our role is to facilitate the standard, making sure that innovation can continue to evolve and to offer new services and experiences delivered to these people,” he says.
“The standard and the infrastructure will go with it. We will continue to maintain a secure system, which is the important part of the innovation agenda of responsive innovation and security by design.
“We are delighted to take the lead in championing security for Thailand, making sure Thailand stays ahead. Thailand traditionally has a very strong reach, leading in payment security, and we are delighted that Thailand is committed to being there, and closing any gaps and to never be the weak link in payment security.
“We look forward to conversations with all partners in Thailand to make sure they do the right things to protect anybody on the ecosystem and to maintain trust in electronic payment, as it is the most important aspect of the success over time for commerce and payment.”