“Effective 12 October 2018, in the European Region, an Issuer must decline any Authorization Request using the Contactless MSD transaction path.”
So reads a nondescript footnote in Table 4-19 of the October 2017 edition of the Visa Product and Service Rules. The table applies to authorization requests originating from all “Contactless Payment Devices”, except “Mobile Payment Devices”.
The term “contactless” refers to the use of Near Field Communications (“NFC”) methods to exchange data through a tap on the reader as opposed to a physical card insertion, which creates a contact connection.
The new edict is noteworthy for a couple of reasons.
Most importantly, it expresses the conviction of card brands to eradicate outdated security.
It’s little known, but, in fact, there are two “transaction paths” for contactless payments: EMV and MSD.
EMV Contactless is the more secure form because it employs cryptograms, which are now universally supported by Acquirers and Issuers. MSD, short for “Magnetic Stripe Data”, relies on Issuers to score the flags and indicators that arrive (or not) in transaction messages received from Acquirers.
MSD Contactless had its origins in non-EMV markets and was promulgated globally in the name of interoperability. As EMV coverage became more widespread, card networks moved to sunset MSD through a series of earlier rule changes.
Now, for the first time, there’s a hard date when Issuers will mechanically block the flow of non-compliant MSD transactions. It’s a big development that should spur action in the U.S. where MSD Contactless proliferates.
Also remarkable is the ruling’s exception for “Mobile Payment Devices”.
The carve-out is an acknowledgement that programs like Apple Pay and Android Pay have compensating security features, such as DANs (“Device Account Numbers”) and CDCVM (“Consumer Device Cardholder Verification Method”), which sufficiently defeat the risks of MSD Contactless.
Payment networks would much rather let old vending machines run Apple Pay transactions than create more headwind for mobile payments.
Critical to all of this, of course, is solid EMV and Apple Pay software running at merchant locations. Without fast transaction speeds and built-in payments logic that meshes with store operations, not much else matters.
EMV need not be a huge expense or a technology hassle. Merchants should be able to preserve their point-of-sale operations and implement Quick Chip and Apple Pay in just a few days. If you agree, check out RevChip.