Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
May 09, 2011
United front needed to prevent EMV card fraud from picking low-hanging fruit
I was pleased to see in the news recently that Chase and Wells Fargo announced the issuance of EMV chip-enabled cards for several of their credit card portfolios. Though these EMV chip-enabled cards will still have mag stripes and are primarily intended for customers who travel internationally, these announcements represent a positive move toward a more secure payment card environment in the United States.
Based on available data from countries around the globe with EMV experience, EMV chip-enabled cards have been highly successful at reducing counterfeit and lost or stolen card fraud within market. However, these cards have had less impact on overall fraud levels. Fraud has simply shifted to different products (from credit to debit), other channels (from card-present to card-not-present, or CNP), or other geographies (fraud perpetrated abroad).
If the U.S. payments industry does decide to move forward with EMV, the experiences in markets that have already undergone or are undergoing the migration to EMV teaches us that issuers, networks, and merchants across all payment channels must make a coordinated effort in order to achieve a positive impact on overall payment card fraud levels. Without coordination, the United States would likely see fraud shifting to other products and channels but not geographies—by then, all developed countries will have converted to EMV, including our neighbors, Canada and Mexico.
EMV migration experience: Card-present fraud shifts to card-not-present fraud
The success of EMV in reducing card-present fraud in countries that have made the move is impressive. Based on the latest figures from the UK Cards Association, face-to-face card fraud at United Kingdom retailers fell by nearly 70 percent after the widespread introduction of EMV in 2004. Yet, during that same time, CNP fraud rose by 50 percent and now represents 62 percent of all payment card fraud in the country. Likewise, according to figures from the Observatory for Payment Cards Security, fraud rates in France on face-to-face transactions with French-issued cards fell from 0.029 percent in 2004 to 0.014 percent in 2009—but then CNP fraud rates for transactions within France rose from 0.177 percent to 0.263 percent. And in Australia, a similar pattern is emerging. According to the Australian Payments Clearing Association's latest release of fraud data for the 12 months ending June 30, 2010, skimming fraud is down significantly, yet overall payment card fraud continues to rise, in part due to a 25 percent increase in CNP fraud.
EMV migration experience: Fraud shifts between products
In Canada, the migration to the EMV standard has been led by the credit networks, namely Visa and MasterCard, who are all but done with the migration. (Liability shift—the movement of liability from the issuer to the merchant—took place March 31.) With a migration completion mandate set for January 2015, Interac, Canada's national debit payment network, has been much slower to migrate to the EMV standard. Criminal Intelligence Service Canada reported a slight decrease in payment card fraud from $512.2 million in 2008 to $500.7 million in 2009. However, as credit cards were the first to migrate, fraud shifted to debit cards. Interac reported a 36 percent increase in fraud in 2009—from $104.5 million in 2008 to $142.3 million. Interac, which Is deploying chip-and-pin in earnest now, recently reported a 2010 fraud loss figure of $119 million, down 16 percent from 2009. Australia is seeing a similar development. Scheme debit, credit, and charge cards are in the process of migrating to the EMV standard, while proprietary debit cards continue to use mag-stripe technology. Skimming fraud is down on scheme cards, but proprietary debit cards experienced a 94 percent increase in skimming fraud.
Coordination prevents fraudsters from identifying weakest link
The bad news for the United States is that a coordinated effort to migrate to EMV would be very challenging. First, we have a large number of credit and debit networks, payment card issuers, and payment cards in circulation (including closed-loop prepaid and private label), as well as acceptance locations (including ATMs) in the marketplace. Second, the number of card purchases in a CNP environment through the Internet or mobile device is continuing to proliferate.
But the good news for the United States is that not only can we learn from the experiences of the earlier-adopting countries but we can also take advantage of new technologies coming to market. For example, First Data's EMV Go-Cap and SecureKey's One Tap both work in the CNP environment. Also, as my colleague Cindy Merritt recently blogged on, mobile has great potential to address the increasing fraud in the CNP environment.
If all participants in the payments industry coordinate their efforts while also adopting new technologies, we could keep fraudsters scratching their heads as they search for the lowest-hanging fruit during a U.S. migration to EMV.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference United front needed to prevent EMV card fraud from picking low-hanging fruit:
- A Presumption of Innocence
- The Hill Tackles Cybersecurity
- Keeping Up with the Criminals: Improving Customer Authentication
- Not Seeing a Tree for the Forest
- Fed Survey Shows Mobile Banking on Rise in Southeast
- Leaving a Cybersecurity Legacy
- What Can Parenting Teach Us about Data Security?
- Safely Motoring the Payments Highway
- Balancing Security and Friction
- Squeezing the Fraud Balloon
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud