Visa Inc. on Thursday announced a new network service to flag high-risk transactions at fuel pumps, and the PCI Security Standards Council published guidance to help merchants and other organizations that handle payment card data manage their relationships with the third parties to which they outsource data-security tasks.
Visa calls its new service Visa Transaction Advisor (VTA) and says it doesn’t require costly hardware or software upgrades and doesn’t disrupt the customer experience. After testing that began early this year at Los Angeles gas stations, oil giant Chevron Corp. has rolled VTA out across the country, as has Shell, another big oil company. In a Visa news release, Chevron said it saw a 23% reduction in its fraudulent chargeback rate after implementing VTA.
VTA is now in use at 25,000 gas station/convenience stores, including Chevron and Shell locations, and some other gas stations served by merchant acquirer Vantiv Inc., Mark Nelsen, Visa vice president of risk products and business intelligence, tells Digital Transactions News.
Fuel pumps present security risks because most nowadays are unattended card-accepting locations. After the customer swipes a card at a VTA-enrolled pump, the VisaNet network applies predictive analytics to generate a real-time risk score from nearly 500 data elements, aiming to identify transactions that may involve a lost, stolen, or counterfeit card. The analysis includes so-called velocity checks (how often a card has been used within a given period) along with the card's recent transaction locations and whether the card number has been exposed in a known data breach.
The score, which is tuned in part by the retailer's own risk parameters, ranges from 1 to 99, with lower scores indicating less risk, according to Nelsen. A score indicating high risk could prompt a message at the pump asking the cardholder to come into the convenience store before fuel is dispensed.
An advantage of VTA is its ability to track the card’s usage across different merchant sectors, according to Nelsen. “The gas stations, a lot of them have velocity checks, but they’re only seeing what goes on at their stations,” he says. “It’s much easier for Visa to identify anomalies.”
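To make Nelsen's point concrete, the following added example (not Visa's code or model, and not from the original article) scores a constructed stream of pump transactions two ways: once with a single station's view of its own history, and once with a network-wide view across every merchant. The velocity and merchant-spread weights, the 60-minute window, the step-up threshold, the card tokens and the merchant identifiers are all hypothetical; the article says only that the retailer's own risk parameters feed into a 1-to-99 score.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Txn = namedtuple("Txn", "ts card merchant category amount")

# Constructed sample data (not a real log): card tok_A is run at five pumps
# belonging to four different stations inside one hour; tok_B is normal use.
SAMPLE = [
    Txn(datetime(2014, 8, 7, 10, 2), "tok_A", "shell_101", "fuel", 40.0),
    Txn(datetime(2014, 8, 7, 10, 15), "tok_A", "chevron_220", "fuel", 45.0),
    Txn(datetime(2014, 8, 7, 10, 31), "tok_A", "shell_102", "fuel", 50.0),
    Txn(datetime(2014, 8, 7, 10, 44), "tok_A", "chevron_221", "fuel", 38.0),
    Txn(datetime(2014, 8, 7, 10, 58), "tok_A", "shell_101", "fuel", 42.0),
    Txn(datetime(2014, 8, 7, 9, 0), "tok_B", "shell_101", "fuel", 35.0),
    Txn(datetime(2014, 8, 7, 17, 30), "tok_B", "grocer_9", "grocery", 88.0),
]

# Hypothetical merchant risk parameters: the weights and threshold are
# invented for illustration, the article only says the retailer sets its own.
PARAMS = {
    "window_minutes": 60,
    "velocity_weight": 20,    # points per prior use of the card in the window
    "merchant_weight": 10,    # points per distinct merchant seen in the window
    "step_up_threshold": 70,  # at or above this, the pump sends the customer inside
}


def prior_in_window(history, card, at, window, merchant=None):
    """Earlier transactions by `card` within `window` before `at`.

    merchant=None is the network-wide view. Passing a merchant id restricts
    the history to that merchant, which is all a single station's own
    velocity check can see."""
    lo = at - window
    return [t for t in history
            if t.card == card and lo <= t.ts < at
            and (merchant is None or t.merchant == merchant)]


def risk_score(txn, history, params, network_view=True):
    """Map velocity and merchant spread onto a 1..99 score (higher = riskier)."""
    window = timedelta(minutes=params["window_minutes"])
    scope = None if network_view else txn.merchant
    prior = prior_in_window(history, txn.card, txn.ts, window, scope)
    distinct = len({t.merchant for t in prior})
    raw = params["velocity_weight"] * len(prior) + params["merchant_weight"] * distinct
    return 1 + min(98, raw)


def decide(score, params):
    """Step-up action for the pump, based on the merchant's threshold."""
    return "see_attendant" if score >= params["step_up_threshold"] else "dispense"


def score_stream(txns, params, network_view=True):
    """Score each transaction against everything that happened before it."""
    out, history = [], []
    for t in sorted(txns, key=lambda x: x.ts):
        s = risk_score(t, history, params, network_view)
        out.append((t.card, t.merchant, s, decide(s, params)))
        history.append(t)
    return out


if __name__ == "__main__":
    for view in (True, False):
        print("network view" if view else "single-station view")
        for row in score_stream(SAMPLE, PARAMS, view):
            print("  ", row)
```

With the network view, tok_A's fourth and fifth uses score 91 and 99 and would trigger the step-up; with the single-station view, the same card never exceeds 31 at any one station, because each station sees at most one earlier swipe of its own. That gap is exactly the anomaly a station-local velocity check cannot detect.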
Nelsen says VisaNet has generated risk scores for card issuers for many years, but VTA represents the network’s first effort at generating scores for merchants. Visa is offering VTA through Vantiv and other acquirers for a per-transaction fee, with the acquirers setting their own pricing for merchants. “We have definitely priced the service to encourage adoption,” says Nelsen.
Meanwhile, the PCI Council, which administers the main Payment Card Industry data-security standard and two associated standards, today issued a 47-page document stating what merchants and other companies should be aware of when they hire third-party vendors to protect card data. The guidance basically says that outsourcing doesn’t mean a merchant can forget about card security.
“The key message of this document is that security always was and always will be a shared responsibility,” Troy Leach, the Wakefield, Mass.-based PCI Council’s chief technology officer, tells Digital Transactions News.
A 160-member so-called special interest group, consisting of people from merchants, banks, and service providers, developed the document.
The guidance is meant to supplement Requirement 12.8 in the current Version 3.0 of the PCI DSS, which requires that merchants and other entities handling card data have policies and procedures governing their relationships with third-party vendors, including the monitoring of vendors’ PCI-compliance status and delineation of who is responsible for handling particular tasks spelled out in the PCI rules.
“We want to arm them with questions for the service providers that they may not have thought of on their own,” says Leach.
Citing research by the Traverse City, Mich.-based Ponemon Institute, the PCI Council noted that nearly two-thirds of data breaches involve issues linked to third parties.
The federal government, in part through its controversial Operation Choke Point program, has been cracking down on banks’ relationships with third parties in an effort to prevent fraudulent merchants from getting access to the payment system. Leach, however, says the crackdown did not prompt the Council to issue the new guidance. The previous version of the PCI rules addressed third-party relationships, he notes, and Version 3.0, which took effect Jan. 1, added new requirements. “We’ve been proactive in the service-provider space for several years now,” he says.
In early 2013, the PCI Council issued guidance for merchants when they employ cloud-based services providers