Strong User Authentication

To ensure the security of the payment system, we need to authenticate the identity of each person making a payment. There are numerous ways to do this, both in-person and online. Unfortunately, very few of these ways have been approved or deployed by the card networks across the payment system.

Innovation is coming by way of mobile and Internet-driven payment methods that validate a user’s identity, such as biometrics, text-message codes and back-end algorithms to identify fraud. But the “chip” cards that are used at in-store terminals do not require these or any other kinds of secondary authentication – not even PIN, which has been required outside of the U.S. for credit transactions for more than a decade and at ATMs for more than 30 years.

SPP believes that the payment system should recognize, accommodate and demand results-driven authentication that will give consumers the speed and convenience they want and the security they need. In the near term, we believe PIN should be enabled on credit cards, as it is in most of the rest of the world, for merchants who want to utilize PIN. That technology is readily available through the EMV machines in which store owners have already invested billions of dollars.

But the drive for strong authentication must not end there. Authentication technologies can and should advance, with the cooperation of businesses throughout the payments system, to produce new and better ways to make sure that card users are who they say they are. Technology advancement should happen for in-store, online and mobile transactions. And merchants accepting cards should be allowed to use authentication technologies that work in other arenas. That will allow them to tailor solutions to their own risks without one sector imposing restrictions that limit fraud prevention.

Payment Security Innovation

Payment technologies take a lot of different forms, but we must always ensure that the payments system uses the best security technology available. Currently, that is chip-and-PIN, but as payment technologies continue to rapidly evolve to keep pace with the many ways commerce is conducted, it is important that payment security evolves as well.

SPP supports innovative technologies that drive the U.S. payments system forward and make U.S. transactions the most secure in the world. Some of these technologies include mobile and wearable payments, biometrics (i.e. fingerprints, facial recognition, iris scanning, and vein mapping), geolocation, IP verification, blockchain, ultrasonic sound waves and others.

Open Security and Implementation Standards

The payment system is complex, made up of many participants, all of whom have expertise and should play a role in establishing payment card security standards and ensuring those standards are implemented in a manner that provides equal and fair access. Security standards and their implementation are important because they establish guidelines for anyone involved in the payment process, from designing payment devices to accepting or processing payments.

Currently, these payment security standards are dictated by the Payment Card Industry Security Standards Council, a closed group controlled by one segment of the payment industry sector – the dominant payment card networks – and EMVCo, which is also controlled by the dominant payment card networks. And those payment networks also dictate the implementation of those standards. This closed decision-making process provides limited and non-voting opportunities for merchants, payment processors, and domestic debit networks to substantively shape the standards and policies governing payments transactions. This gives one narrow subset of the entire payments industry complete control over the creation of proprietary and closed implementations of security standards that impact all businesses and consumers. We must move beyond making decisions based on what is best for one business segment and enact standards and processes that benefit all members of the payment card industry and consumers.

Network Routing Competition

Every credit card should have multiple networks enabled to process transactions. Multiple networks are required for debit cards, and this requirement should be expanded to include credit cards. Doing so will foster innovation, help contain costs, and, more importantly, create important redundancies in case one network goes down, ensuring the transaction can still be processed on another network. Additionally, requiring multiple networks on a credit card will foster innovation and advancements in security as networks compete for both bank and retailer business.