To encourage adoption of new security standards in the U.S., the most important tool is policy.
So says Eduardo Perez, head of global payment system risk for Visa Inc.
Perez has thought long and hard about the course of action necessary to bring the San Francisco payment network's security in the U.S. in line with global standards, particularly around adoption of the EMV chip card, where the U.S. has lagged.
"My career has been focused on the areas of safety and soundness and making sure we consider the policies we can promote to incent the right behavior," Perez says.
Perez draws on years of experience from the Federal Reserve Bank of San Francisco, where he was a senior examiner and financial analyst manager, and from Harvard University, where he earned a master's degree in public policy.
Perez started at Visa in 2002, first working for Michael E. Smith, who had a role similar to Perez's. Smith has since moved on to an international position in charge of risk for the Asia-Pacific, Central and Eastern Europe, the Middle East and Africa for Visa.
Perez has been instrumental in helping Visa create its external security policy, which has three legs for increasing the safety of participants in its payment network.
Those legs represent the devaluing of merchant data either at rest with the merchant or in transit to the issuer, pushing for the EMV standard and assessing fraud risk during the transaction through real-time scoring.
EMV, which stands for Europay MasterCard Visa, is a standard that is used in many countries to provide added security at the point of sale. The secure-card format is commonly paired with the use of a PIN, earning it the nickname of chip and PIN.
It's around EMV that Perez's understanding of the importance of policy is perhaps most marked, drawing on years of traveling and interacting with cultures globally, he says. One cornerstone: clear and concise language.
"I have learned throughout my career at Visa any good policy requires a lot of thought about how you communicate, explain or relate that policy to the intended audience," Perez says.
In August, Visa took a strong public stand on the need for EMV and set an aggressive timetable, along with a number of carrots and sticks that will either entice or force merchant acquirers, merchants and issuers to make chip card adoption a reality in the U.S.
Among the carrots: early incentives that include relieving merchants of the costly need to validate compliance with the Payment Card Industry data security standards if they handle at least 75% of their transactions from chip-accepting terminals by 2012.
And the sticks: By 2017, if Visa and Perez have their way, liability for not accepting chip cards will start shifting to merchants and card processors. Similar liability shifts have been among the chief catalysts for other regions moving to the chip card standard, Perez says.
"Chip lays the groundwork for a lot of the payment innovation we think is going to take place in the coming years, particularly as it relates to mobile," Perez says.
Policy-setting is not new territory for Perez. In 2006 he helped create a set of initiatives, including something called the PCI Compliance Acceleration Program, which provided incentives to merchant acquirers and merchants to get them up to snuff with PCI standards. This program provided $20 million to help merchants defray the cost of compliance validation.
The result is more than 90% compliance today. Previously compliance rates were in the teens.
Perez generally gets good marks from the risk analyst community.
"For EMV and other things, [Perez] certainly has a wealth of experience and a good grasp of payment risk," says Julie Conroy McNelley, senior analyst for Aite Group.
But there's still plenty of work for Perez and Visa to do. And some analysts say Visa, like its rival MasterCard Inc., of Purchase, N.Y., has to take an even stronger leadership role, particularly around promoting EMV.
"Visa has been talking about devaluing data in transactions for a long time, but not much has changed," says Avivah Litan, a vice president at Gartner.
Though Visa has set specific deadlines for its plan for EMV adoption, Litan says its guidance could be clearer. "In general I'd like to see both MasterCard and Visa lay out a clear road map for EMV adoption in the U.S.," she says.
Others say Perez's vision for chip card adoption is spot on.
"Rather than forcing chip and PIN, which is what Europe has adopted, Visa has taken a more modern approach, which is dynamic authentication technology, and that is the right thing to do," says Zil Bareisis, a senior analyst for the research firm Celent.
For the next few years, Visa and Perez will continue to create incentives for participants in its network. "You can have a fantastic technology and product and solution, but if you have not considered how you are going to implement and execute and incent adoption of those services, your intended outcome may fail," Perez says.