To ensure the security of the payment system, we need to authenticate the identity of each person making a payment. There are numerous ways to do this, both in person and online. Unfortunately, very few of these ways have been approved or deployed by the card networks across the payment system.
Innovation is coming by way of mobile and Internet-driven payment methods that validate a user’s identity, such as biometrics, text-message codes and back-end algorithms to identify fraud. But the “chip” cards that are used at in-store terminals do not require these or any other kinds of secondary authentication – not even PIN, which has been required outside of the U.S. for credit transactions for more than a decade and at ATMs for more than 30 years.
SPP believes that the payment system should recognize, accommodate and demand results-driven authentication that will give consumers the speed and convenience they want and the security they need. In the near term, we believe PIN should be enabled on credit cards, just like most of the rest of the world, for merchants who want to utilize PIN. That technology is readily available through the EMV machines in which store owners have already invested billions of dollars.
But the drive for strong authentication must not end there. Authentication technologies can and should innovate and develop, with the cooperation of businesses throughout the payments system, to produce new and better ways to make sure that card users are who they say they are. Technology advancement should happen for in-store, online and mobile transactions. And merchants accepting cards should be allowed to use authentication technologies that work in other arenas. That will allow them to tailor solutions to their own risks without one sector imposing restrictions that limit fraud prevention.
Payment technologies take a lot of different forms, but we must always ensure that the payments system uses the best security technology available. Currently, that is chip-and-PIN, but as payment technologies continue to rapidly evolve to keep pace with the many ways commerce is conducted, it is important that payment security evolves as well.
SPP supports innovative technologies that drive the U.S. payments system forward and make U.S. transactions the most secure in the world. Some of these technologies include mobile and wearable payments, biometrics (i.e. fingerprints, facial recognition, iris scanning, and vein mapping), geolocation, IP verification, blockchain, ultrasonic sound waves and others.
The payment ecosystem is complex and made up of many participants, all of whom have expertise and a role to play in card security. That should include a role in setting the standards by which the industries abide. Security standards are important because they establish guidelines for anyone who is accepting or processing sensitive cardholder data.
Currently, these payment security standards are dictated by the Payment Card Industry Security Standards Council, a closed group controlled solely by one industry sector – the dominant payment card networks, and EMVCo, which is also controlled by the dominant payment card networks. This closed decision-making process provides limited and non-voting opportunities for merchants to shape standards and policies on payment transaction issues and gives one sector complete control over setting security standards that impact all businesses and consumers. We must move beyond making decisions based on what is best for a certain business and enact standards that are best for security and the payment card system as a whole.
We need open security standards to create transparency and allow collaboration from other key contributors in the industry who have valuable input and should be part of the standard-setting process.
Every credit card should have multiple networks enabled to process transactions. Multiple networks are required for debit cards, and this requirement should be expanded to include credit cards. Doing so will foster innovation, help contain costs and, more importantly, create important redundancies in case one network goes down, ensuring the transaction can still be processed on another network. Additionally, requiring multiple networks on a credit card will foster innovation and advancements in security as networks compete for both bank and retailer business.