February 11, 2013
Is Growing Fraud Really a Catalyst for EMV?
My payments news feed has been filled with a heavy dose of EMV-related news these last few days. Take the January 2013 article from the American Banker that looks at the incidence of increasing fraud losses as the United States continues to lag on the implementation of EMV chip cards. This one especially caught my attention given that I had written a paper on this topic early in 2012.
In recent SEC filings, both Discover Financial Services and Capital One reported significant increases in fraud losses. Based on calculations using figures from Discover's latest annual report, its fraud rate on sales volume increased from 4.8 basis points in 2010 to 7.2 basis points in 2011, and reached 8.8 basis points in 2012. Because of our nation's continued reliance on magnetic-stripe cards, "we are the weakest link around the world," according to one analyst. According to another, "the fraud comes here." Given this trend of rising fraud losses, is fraud finally becoming a bigger part of the business case for EMV with card networks' liability shifts for counterfeit fraudulent transactions a little more than two years out?
I don't think that it is. While the American Banker article, and even my paper, paints a somewhat discouraging picture of the fraud situation, the fact remains that fraud is but a small, albeit growing, expense on an issuers' income statement. For example, Discover reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost them over $1.2 billion in 2012 and as much as $3.7 billion in 2010. Fraud risk as measured by fraud losses is just "another expense" to issuers while credit risk, measured by credit losses, has one of the largest, if not the largest, negative impact on an issuers' bottom line. Is it possible that fraud losses will have a larger negative impact further down the road? Absolutely, and I think they will. I also recognize there are other "soft costs" associated with card fraud in terms of cardholder inconvenience and overall payment safety perception.
Further, EMV does not address the entire fraud loss problem. It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment. For example, since the rollout of chip-and-PIN in 2008 in Canada, CNP fraud increased from C$128 million to C$259.5 million in 2011. This is another example of fraud moving to the weakest link in the payments chain. Ultimately, EMV as it exists today only solves part of the fraud equation. Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build. For some, the costs to implement EMV may be viewed as an insurance policy against a widespread compromise of the mag-stripe technology.
It has been more than 17 months since Visa announced its EMV U.S. migration plan and a year since MasterCard announced its EMV "Roadmap." Still, issuance and acceptance of EMV cards remains tepid, if that, here in the United States. With a little over two years until the first liability shifts for the U.S. are scheduled to take place in April 2015, issuers will need to make EMV migration decisions soon if they intend to take advantage. But is the business case there currently?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 11, 2013 in card networks, cards, chip-and-pin, EMV | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d40f3aa2f970c
Listed below are links to blogs that reference Is Growing Fraud Really a Catalyst for EMV?:
Comments
Posted by:
Chris Slane |
February 28, 2013 at 07:41 AM
Excellent article. One that takes the credit card fraud issue head-on and establishes that issuers and merchants have more serious issues to worry about than controlling fraud. I also found @MikeB's comment - especially the part about "issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most" - very sensible.
Posted by:
Ketharaman Swaminathan |
February 17, 2013 at 12:41 PM
I think you need to add other costs in (eg, PCI-DSS compliance and fraudulent portion of charge-offs) to obtain the correct cost/benefit calculation.
Posted by:
Dave Birch |
February 15, 2013 at 02:26 AM
Douglas,
Very interesting article and I agree that it appears that the EMV benefit is perhaps not worth the industry expense particularly if you're also shifting fraud from CP to CNP. In addition, it seems that here in the US, we're poised to move to new payment technologies such as Digital Wallets, NFC and/or Bar-codes that are more inline with the American customer, who I'm sure won't want to slow down at the point of sale to put in a PIN number on a Credit card transaction.
We conducted trials in the UK last year that I believe get to the issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most. By using Location-Based Analytic, we saw a 55% reduction of false positives while at the same time seeing a 30% increase in fraud detection . All of this in a non-intrusive manner, allowing the consumer the convenience of just swiping their card and moving on.
Mike
Posted by:
Mike Buhrmann, CEO Finsphere |
February 12, 2013 at 02:11 PM
Fraud may continue to be manageable from a cost perspective, but it is ultimately damaging to the user experience and the network brand experience. Consumers are increasingly frustrated by dealing with fraudulent charges (even with zero liability), receiving notices that their accounts are being breached, receiving re-issued cards, and having to re-configure their automatic payments. The networks are the ones pushing EMV because ultimately it's confidence in their systems that is taking the hit.
Posted by:
Aaron Press |
February 11, 2013 at 04:26 PM
Your comments raise an interesting question, namely, how much of what banks allocate as net charge-offs are actually fraud losses - especially in cases of account takeover fraud. The bad guy gains access to an account, changes the address, runs up a huge balance and bolts. As these balances get stale, the bank can either categorize them as fraud or simply charge them off.
Posted by:
Chip Wickenden |
February 11, 2013 at 10:23 AM
December 10, 2012
The Interchange Fee Cap: One Year Later
Make no mistake about it, I'm a debit card person, and a PIN debit one at that. So I write this under full disclosure of that bias. I haven't written a check at a retail merchant in more than 10 years and no longer even carry a checkbook. Rarely do I have more than $10 in my pocket—just enough for the purchase of some miscellaneous small-value items. I have always found PIN debit to be a highly convenient form of payment due to its reliability, accuracy, speed, and general acceptance at merchants that I frequent. If I forget or lose a receipt, a quick check of my account online will always show the transaction so I can record it in the balance register.
I know I am in the minority preferring PIN debit, as signature debit has dominated the debit card market both in terms of transaction and sales volume. Consumers like signature debit because of its acceptance at significantly more merchants, and they don't have to worry about remembering a PIN. Pre-Durbin, issuers preferred that their cardholders use signature debit because it generated substantially more point-of-sale (POS) interchange revenue than PIN debit. Some issuers encouraged their cardholders to select “credit” when using their debit card so the transaction would be processed on the signature debit rails and qualify for the higher interchange rate. That was the rub with merchants, especially the larger, high-volume ones. Signature debit was more expensive for them to process. In response, merchants with PIN pads programmed their terminals to encourage PIN usage by designating it as the default debit payment method.
Then came the Durbin Amendment (part of the Dodd-Frank Wall Street Reform and Consumer Protection Act) and the resulting implementation through Regulation II in October 2011 that changed the debit card world forever. The rule set a maximum interchange fee for signature and PIN debit and made no differentiation between the two, despite the overwhelming evidence that fraud losses on signature debit transactions were significantly higher than on PIN debit transactions. Although the final rule raised the interchange cap and reduced the fee-income hit to the issuers, forecasts of a diminished role in the market, especially for signature debit and other core bank products, came quickly from the bankers. A number of issuers that had established rewards programs linked to signature debit transactions (no or lower points for PIN debit transactions) announced plans to discontinue or reduce their debit rewards programs. Some major banks announced they would be imposing a monthly or annual fee for debit cards as a way to partially recover some of the revenue lost by the lower interchange fees. Another expected casualty was the free checking account. The banks said they could not afford to subsidize other account services without the fee income from debit card usage and the revenue loss suffered earlier in the year by the opt-in requirement for overdraft coverage for ATM and POS transactions.
Now, just over a year after the interchange cap took effect, what has been the result? There clearly has been a decrease in the number of rewards programs tied to debit cards as issuers sought to reduce program costs. Bankrate's 2011 Debit Card Rewards Study reported a 30 percent decline in debit rewards programs, even though the survey was taken before the interchange cap became effective. Not surprisingly, this study found that of the programs still operating, many were still offering reward points only for signature debit transactions.
Efforts by a number of the larger banks to impose a new debit card fee never gained traction. Many of the fee plans were dropped or modified to provide waivers if minimum balances were maintained. Free checking has certainly been a casualty as Bankrate's September 2012 Checking Survey showed that the number of banks offering free checking with no minimum balance requirement dropped from a high of 76 percent in 2009 to 45 percent in 2010, and then declined further, to 39 percent, in 2011.
Clearly, banks have suffered from the impact of Regulation II, with significant reductions in fee-income revenue through the lower interchange rate, especially for signature debit transactions. And consumers have a harder time finding debit rewards programs, and their account maintenance fees may have increased. The big winners have been the large to mid-sized retailers who have been able to renegotiate discount rates with their card processors. The merchant community says that consumers ultimately benefitted from the lower debit card processing expenses because the merchants have lowered or held steady their prices. However, the merchant claims are virtually impossible to validate since the pricing of goods and services is impacted by a large number of different elements, and interchange rates represent only a small one.
On a related note: the $7 billion class-action credit card interchange fee settlement recently received preliminary court approval amid opposition from some of the country's largest retailers and retailer industry groups. The litigation that originated in 2005 has used many of the same arguments that led to the passage of the Durbin Amendment legislation—primarily, that the interchange rates set by two major card issuers were arbitrary and excessive. Another major issue was that the payment card networks' rules prevented a merchant from implementing a surcharge to offset the increased costs claimed by merchants in accepting a credit card.
Clearly, the subject of interchange fees is not going to disappear anytime soon. What will be the longer term impact, if any, of the debit—and possibly credit—card interchange constraints? Will they impact the conversion of debit cards from magnetic-stripe technology to chip? We would like to hear your thoughts on who you believe are the winners and losers from Regulation II as well as its impact on debit and credit cards going forward.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 10, 2012 in cards, chip-and-pin, regulations | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c347ac8b4970b
Listed below are links to blogs that reference The Interchange Fee Cap: One Year Later:
Comments
November 26, 2012
Highlights from a Conference on Technology and Payments
The retail payments landscape is rapidly evolving as technological advances promote new electronic payment methods. On October 15–16, the Risk Forum convened at the Atlanta Fed a diverse gathering of stakeholders in the payments industry. Industry representatives were from telecommunication firms, airlines, standards bodies, payments processors, and coffee house retailers, as well as the more traditional players.
Federal Reserve Bank of Atlanta President and CEO Dennis Lockhart kicked off the event. His opening remarks focused on the Federal Reserve System's role as a central bank in the country's retail payment system, both as a payments operator and as the country's guardian of financial stability. In the latter role, the Fed aims to preserve the integrity of both the retail and wholesale payments systems. Lockhart stressed that although this role has national strategy overtones, it is not intended to stifle innovation and competition but rather to support a market-oriented approach to payment developments. By noting the vulnerabilities that the fast pace of change and innovation in the industry create, Lockhart set the stage for the day's session, the highlights of which we are sharing here. You can find the complete presentation materials on the Atlanta Fed website.
Technology developments in card-based payments
Legacy plastic cards are likely to remain important for some time. Nevertheless, significant changes are under way. These technological changes were the focus of this panel. The U.S. payments industry is struggling to collectively shift from magnetic stripe-enabled card payments to a more secure and interoperable environment. Panelists discussed the challenges posed by the planned U.S. migration to chip-enabled cards and to the EMV standards already adopted in most of the globe's major developed countries. They discussed the potential shift in fraud to card-not-present payments in the shift from mag-stripe cards. Panelists said that fraud mitigation in the future U.S. EMV environment will require additional data analysis tools, including the use of better encryption methods and tokenization. They also touched on the benefits of PIN versus signature authentication.
The evolution of technology standards in retail payments
Technology standards provide the cohesion to ensure the critical mass needed for successful payment network adoption. At the same time, the myriad of new market solutions, patent issues, and even standards bodies themselves challenges industry cooperation and consensus building, slowing the standards development process. Panelists discussed the activities of various standards bodies that touch retail payments today. They also talked about how they are working to galvanize industry stakeholders to agree and employ standards that foster security and interoperability.
Mobile payment developments at the point of sale
This panel of experts reviewed technological developments in the mobile channel for payments at the merchant's point of sale (POS), including the rollout of several mobile wallet initiatives. Panelists discussed the challenges associated with the highly dynamic nature of the technologies. They noted that new complex business models are resulting in many different types of payment solutions, creating a confusing ecosystem for mobile proximity payments.
Panelists noted that the many new, thought-provoking products out in the market place today create many unknowns, not only with respect to security, but also future viability. They agreed that it is hard to predict which solutions have true scalability. An interesting discussion took place on the success of new payments such as Square, which changed the proverbial game by expanding the population of merchants that can accept card payments and by repurposing the mobile handset into a payment acceptance device. The panel also discussed how Starbucks unwittingly assumed the role of a payments pioneer when they moved to the mobile channel. Their original aim was not to adopt a new payments method but rather to increase customer loyalty and convenience.
The merits and challenges with the upcoming EMV migration were also top of mind for the panel.
Technology trends in mobile payment transfers
U.S. mobile payment developments have generally centered on payments at the POS. However, remote mobile payments, or person-to-person mobile transfers, are also taking form as a business model. Panelists discussed how nonbank players are entering the money transmission space hoping to leverage new mobile technologies. They explored the current environment for domestic and cross-border mobile transfer payment activity, analyzing the changing roles of payment service providers and the subsequent regulatory and policymaking considerations.
Panelists noted that we are seeing a huge paradigm shift in mobile money, with prepaid airtime credits looking more and more like currency in developing countries. Some countries permit payment service providers to provide airtime cash-out; Kenya's M Pesa is one of these providers. The lack of system interoperability across borders and liquidity management considerations are barriers to a global, scalable airtime transfer system. Panelists also noted, however, that airtime transfers are increasingly becoming a natural complement to traditional remittances.
In addition, traditional remittance providers are partnering with telecom firms to deliver services in emerging markets. These providers also work with banks in more developed countries, like the United States, to use the mobile channel in more efficient ways.
Technology threats and mitigants in electronic payment systems
Whether through scams such as “Obama Will Pay Your Bills” or corporate account takeovers, criminals are increasingly using electronic payments networks to perpetrate fraud. Panelists stressed that industry stakeholders must themselves become more sophisticated in order to develop solutions to better detect and mitigate these risks. Future fraud detection will require more sophisticated approaches to address growing vulnerabilities in web applications. Panelists also stressed that financial institutions must validate transactions to enforce rules and limits and to manage fraud.
Conclusion
The Risk Forum uses events such as this to encourage dialogue and share critical business intelligence among participants. We can then use information that comes out of such discussions to inform our work with the payments industry as we collectively work on better solutions to detect and mitigate risk. Expect to see more discussion in future posts. As always, we value your responses.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
November 26, 2012 in chip-and-pin, collaboration, cybercrime, emerging payments, innovation | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c33fde72b970b
Listed below are links to blogs that reference Highlights from a Conference on Technology and Payments:
Comments
November 05, 2012
While Stalemate Continues, Another Retailer Data Breach Announced
We haven't heard about significant data breaches at any retailer's brick-and-mortar lately. In fact, the prevalence of cybercrimes and malware-related incidences has momentarily redirected our attention to payments made through online and wireless channels along with related payment crimes such as social engineering and malware-enabled account takeovers and card data theft. However, according to Verizon's 2012 Data Breach Investigations Report, while most attacks are not related to physical tampering, "there was no shortage of payment card skimming in 2011, and there were notable arrests." In fact, a recent press release from a major book retailer is cause to sharpen our focus on in-store card payments and the use of mag-stripe technology at payment terminals.
Tampering with PIN pad devices in stores
On October 24, 2012, the retailer announced that it had "detected tampering with PIN pad devices used in 63 of its stores" and that it had notified federal law enforcement to support an investigation into the criminal activity. Furthermore, it is working with the banks and payment card network brands to identify potential compromised accounts. Much to the retailer's credit, the press release also outlines precautionary steps consumers should take if they have shopped in any of the impacted stores—namely, changing PINs, reviewing account activity for unauthorized transactions, and notifying banks about unusual or unauthorized activity.
PCI compliance is not enough
How can retailers protect themselves from PIN pad tampering fraud? We explored the growing prevalence of card data breach incidents in a May 2011 post describing how a crafts retailer had experienced card terminal tampering that may have led to customer card data compromise. The post noted that while the Payment Card Industry (PCI) Data Security Council guidelines attempt to address advanced security measures, the vulnerabilities inherent in mag-stripe card technology present serious management challenges. The threats to terminals can come in the form of crime rings, company insiders, or the terminal manufacturers themselves.
Will merchants follow the EMV migration roadmap?
Card network brands separately issued announcements in 2011 and 2012 with their own EMV deployment milestones, which can be viewed as a collective roadmap. A summary of these milestones, grouped by payment network, is included in the October 2012 edition of Smart Card Talk and reproduced below. This publication explains the incentives in the form of audit relief from PCI compliance as well as liability shifts for counterfeit card losses for noncompliant banks and merchants.
However, many industry experts surmise that merchants are willing to take their chances on the potential card fraud losses for such a liability shift, judging them to be lower than the costs involved in terminal replacement for chip card acceptance.
Technology adoption stalemate
Industry participants continue to argue about the inequities in the economics for moving forward to a new security environment enabled with more secure chip-based technology. It is highly likely that there will never be a collective path forward considered fair to all, with the large number of industry players and dichotomies in revenue and cost-sharing expectations. So as the U.S. payments industry keeps moving along the same path, with participants arguing the merits and inadequacies of various deployment options for chip-based payments, we can expect to see more crimes at retailer terminals. These crimes will cause merchants to experience technology costs and even customer loss in unexpected and unpredictable ways. And bank issuers will continue to pay for cleanup in the aftermath, by issuing new cards. Perhaps an analysis of the economics of moving to chip-and-PIN should reflect a higher emphasis on the cost of data breach events and their cleanup efforts in the aftermath.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
November 5, 2012 in chip-and-pin, fraud, identity theft | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee4c5bf78970d
Listed below are links to blogs that reference While Stalemate Continues, Another Retailer Data Breach Announced:
Comments
August 27, 2012
Mind the Gap: PIN versus Signature Authentication
In a January post, Portals and Rails considered the difference in fraud rates for payments using signature versus those using PIN authentication. Based on the data at hand, we concluded that "financial institutions have significantly more exposure to fraud losses from card payments with signature authentication than those from PIN authentication." The just-released PULSE Debit Issuer Study reveals that in 2011 the gap in loss rates between signature and PIN debit transactions has widened further. Issuers lost an average of three cents per signature debit transaction compared to less than one-half of one cent on PIN transactions.
Fraud is a concern for issuers
According to the study, which was conducted by the consulting firm Oliver Wyman on 57 banks and credit unions, 74 percent of large financial institutions (asset size greater than $10 billion) and 90 percent of small institutions (asset size under $10 billion) view fraud as a major challenge for 2012. Looking deeper into 2012 fraud concerns, 54 percent of issuers, regardless of their size, expect signature debit fraud to increase, while only 37 percent of issuers expect an increase in PIN debit fraud levels.
With fraud being of such high concern to issuers, I expected EMV card issuance to be high on their priority list, but that is not the case. In fact, 71 percent of the financial institutions have no immediate plans to issue EMV cards. In the past, we've highlighted some of the many possible ways to do an EMV implementation—according to the study, these unknowns of a U.S. EMV implementation have many financial institutions taking a "wait-and-see" approach.
Of particular note, issuers are interested in knowing if PIN authentication will become mandatory or if it will continue to coexist with signature authentication. Hopefully, this issue and others surrounding EMV implementation will soon be addressed by the industry through the recently announced collaborative EMV Migration Forum created by the Smart Card Alliance. The sooner these issues get sorted out, obviously, the better, as signature debit card fraud is showing no signs of slowing down.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 27, 2012 in chip-and-pin, crime, EMV, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0177445db2c5970d
Listed below are links to blogs that reference Mind the Gap: PIN versus Signature Authentication:
Comments
April 30, 2012
Why are my credit and debit cards still embossed?
Having spent a number of years in the payments business focused on cards, I commonly receive questions from family and friends related to cards. I would be a wealthy individual if I received a dollar for every time someone asked me, "When am I going to get a card with a chip in it?" Although I am not able to offer any specifics on timing, I do feel confident in telling them that they are coming within a given time frame.
This past weekend, a neighbor out for a leisurely weekend stroll stopped me and asked, "Why do I still have an embossed credit card?" I must admit that I was a bit stumped by the question and couldn't offer him a reasonable explanation. I could not recall the last time that I had seen a "knuckle buster" machine used to make an imprint of a card. And who hasn't struggled trying to read your embossed card numbers and expiration date to make an Internet or phone transaction? Still pondering the question a few hours later, I did recall the food delivery driver who brought the old carbon paper slip, along with our food, to the door and used a writing pen to make an imprint of my card. I am quite certain that over the past five years, this was the only time an imprint of my card has been made—and this includes using my cards for purchases in taxis, from food truck vendors, and in developing countries such as Honduras, and remote Caribbean islands.
One answer to the need for embossed cards lies with network chargeback rules. Both MasterCard and Visa subject merchants to chargebacks on key-entered card-present transactions with no manual imprint. A key-entered transaction takes place when the terminal cannot read a card's magnetic stripe, so the vendor has to input the card number and expiration date. Even when this occurs, I am not so sure merchants follow the network's chargeback procedures. Do you remember a merchant making an imprint of your card in the rare instance your card information had to be manually keyed? Maybe it's time for the card networks to re-visit their chargeback procedures.
Another reason for maintaining embossed cards is that apparently some merchants, both domestically and internationally, still rely on imprints for transactions. I do not think that I am alone when it comes to my extremely limited experience with manual card imprints over the past five to even 10 years. With highly reliable telecommunication systems and the ever-growing number of mobile card readers, perhaps the networks should require all transactions to be swiped (for mag stripe cards), dipped (for EMV chip cards), or tapped (for contactless cards).
So while I have several answers to my neighbor's question, I am not convinced any of them are reasonable explanations in this day and age. Cards are embossed primarily for legacy reasons, and this embossing is irrelevant for most transactions. Maybe as issuers transition to chip-embedded cards (hopefully), they could subsequently transition away from embossed cards. In a recent American Banker article, Andrew Kahr discussed one good reason to change to nonembossed cards, and that would be to allow banks to instantly issue cards. I am quite certain my eyes would appreciate that change!
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 30, 2012 in cards, chip-and-pin | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016304f8a05b970d
Listed below are links to blogs that reference Why are my credit and debit cards still embossed?:
Comments
One thing to consider as a positive for embossing is someone who has difficulty seeing; they can feel the embossing if they are using the card over the phone, or even if they are swiping at POS to make sure they're getting their card back.
Of course, what I've found when designing card plastic is that embossing can also step on the text on the back of the card, obscuring fun things like Customer Service phone numbers.
Your article makes a good point tho; do we really need embossing in the 21st century, especially with the push to EMV that will happen in the next few years?
Posted by:
C. David |
May 01, 2012 at 08:50 AM
One of the reason that our company still issues embossed cards (in Europe) is that non embossed cards aren't taken seriously. This is obviously a public perception issue but when you have a piece of plastic with a printed PAN, expiry, etc, it just looks like a bit of a cheap imitation of a "real" card. I think this is most likely the biggest hurdle to get people using non-embossed cards.
For what it's worth, I haven't seen a knuckle duster in over 10 years, maybe even longer, but it's slightly different being in the UK as we migrated to EMV a while ago.
Posted by:
chunk |
May 01, 2012 at 07:04 AM
January 30, 2012
Is the United States payments industry following in the footsteps of the Netherlands?
The Forum recently took a dive into card fraud data from the many countries (not the United States, of course) that have tossed out their old magnetic-stripe cards and adopted the EMV standard. You can read the paper—it's available on our website—but here's a quick recap.
What we found in the data is a recurring pattern of fraud losses. For instance, the data show that chip-and-PIN has been highly successful in the domestic card-present environment in reducing counterfeit and lost or stolen card fraud. This chart depicts the United Kingdom's positive domestic card-present experience.
On the other hand, fraud on non-chip-and-PIN transactions—most notably in the card-not-present and cross-border environments—has actually increased. Ultimately, the net results to date on EMV chip-and-PIN's impact on total card fraud losses in these countries have been marginal. As an example, this next table shows Canada's growing card-not-present fraud loss trend.
The working paper uses the Netherlands experience as a case study because of the country's similarities to the United States. Much like the United States, the Netherlands was experiencing low rates of payment card fraud, so this country did not migrate to the EMV standard when all the rest of Europe was adopting it. Eventually, fraud loss rates in the Netherlands climbed, ultimately propelling the Netherlands banking industry into implementing chip-and-PIN.
Like the Netherlands, the United States is now seeing a growth of card fraud loss rates on both credit and debit cards. As we've blogged several times, the costs for an EMV implementation here in the United States have so far outweighed the fraud loss reduction benefits of chip-embedded cards, according to some industry stakeholders. But given the parallels between the United States and the Netherlands, it is reasonable to expect card fraud losses to continue to grow here as long as the industry relies on mag-stripe technology.
Clearly, there is a need for industry coordination for an EMV implementation to effectively reduce payment card fraud. Based on the fraud trends experienced by countries adopting EMV chip-and-PIN, implementing the EMV standard in the United States for only certain types of card products or without solutions for mitigating card-not-present fraud could lead to only a marginal reduction in total fraud losses as fraudsters seek to exploit the lowest hanging fruit.
It should be noted that while the card industry in each of the countries investigated in the working paper adopted PIN authentication, this method is only one of several options. The working paper focused on PIN authentication because of the abundance of card fraud and transaction data reported by these countries' payments industries.
For more details on the successes and failures that a number of countries have experienced in moving to EMV technology, read the paper on our website.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 30, 2012 in chip-and-pin, EMV, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0167615c8cea970b
Listed below are links to blogs that reference Is the United States payments industry following in the footsteps of the Netherlands?:
Comments
December 19, 2011
The many flavors of EMV
As 2011 comes to an end, EMV (Europay, MasterCard, and Visa) transactions are still the exception in the United States. However, the United States has made some progress towards an EMV migration—several financial institutions are now issuing EMV cards for select portfolios. Also, on the acquiring side, some large merchants voiced strong opinions during the year about adopting the EMV standard. And towards the end of summer, Visa announced details of its "chip migration and adoption of mobile payments acceleration plan."
The perceived cost of a full EMV migration has been a great barrier for the U.S. payments industry. Further complicating the migration are the different ways issues and merchants can implement EMV. In particular, the various transaction authorization processes of card authentication, cardholder verification, and payment authorization take place in an online or offline environment or a combination of the two.
This week's post highlights the differences between offline and online transactions and the implications for U.S. migration to EMV-supported card payments.
Offline EMV
Prior to the introduction of chip cards in the United Kingdom, cards used the same magnetic stripe technology that is currently the standard in the United States. However, the difference is that in the United Kingdom most card transactions were authorized offline. In an offline authorization environment, card transactions are batched over a given time period and then transmitted to issuers, usually at the close of business, for authorization. Because the offline authorization environment does not permit real-time authentication, fraud rates were significantly higher than in markets using online authorization. To mitigate the additional risk inherent in the offline environment, the United Kingdom adopted the EMV standard—more specifically, chip and PIN.
In an offline EMV chip-and-PIN transaction, the payment terminal communicates with the integrated circuit card (ICC), or chip, embedded in the payment card rather than using telecommunications to connect and communicate with the issuing bank. This communication between the ICC and terminal allows for real-time card authentication, cardholder verification, and payment authorization. However, because most payment terminals (not unattended terminals) now support online authorization, payment authorization usually occurs online while card authentication and cardholder verification usually take place offline.
Online EMV
In contrast to the United Kingdom's predominately offline authorization experience, nearly all card transactions in the United States are authorized online. This environment allows issuers to authorize transactions at the time of sale using multiple fraud and risk parameters.
In an online EMV transaction, the ICC-embedded card generates a cryptogram that is authenticated by the issuer during the authorization request. Assuming the card is authenticated and the merchant requires cardholder verification, either the terminal transmits the cardholder's encrypted PIN to the card issuer for verification or the merchant verifies the customer's signature to the signature on the card. Finally, for payment authorization, the terminal transmits payment-related information and a transaction-specific cryptogram to the issuer, which then authorizes or declines the transaction. This online payment authorization process is the same process that magnetic stripe cards currently use.
What does this mean for a U.S. EMV migration?
Unfortunately, the many methods for card authentication, cardholder verification, and payment authorization that EMV supports could lead to many different implementations in the United States. The few EMV-issuing financial institutions in the United States have reached no consensus when it comes to cardholder verification methods. Some issuers support offline PIN, others support online PIN, and still others support signature-only verification. Perhaps most critical to the EMV discussion is whether to support online or offline transactions, or both.
The costs associated with an offline implementation are higher. First, ICCs in an offline environment require an additional processor on the card—to support dynamic data authentication—that ICCs in an online environment do not. Second, PIN management in the offline environment involves manipulation of the PIN resident within the ICC, a process that requires issuers to purchase technologies they do not need in the online environment.
From a risk standpoint, both offline and online EMV card authentication support dynamic data and offer superior protection against counterfeit fraud compared to the magnetic stripe. For PIN cardholder verification, offline and online PIN offer the same protection against lost or stolen card fraud.
Offline EMV implementations were necessary in many markets around the globe because of a lack of telecommunications access at the payment terminals. Because the United States already operates in an online environment and the costs to implement an offline adoption are higher, the business case for an online EMV implementation is stronger than an offline adoption. Further, with most payment terminals in the world now supporting online transactions, global interoperability of online-only EMV cards is not the barrier that it was in the past.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 19, 2011 in cards, chip-and-pin, EMV | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01675efe7dfe970b
Listed below are links to blogs that reference The many flavors of EMV:
Comments
On your point relative to Online PIN I would like to suggest that most credit card networks (excluding the ATM portion) do not today support the transmission of the PIN from the POS device to the Issuer Host. To upgrade the credit networks to support the encryption and transport of the PIN to the Issuer has a cost. Not simply in the device but also in all the various processors in the chain. Further most POS devices now installed do not support Online PIN.
This whole question of Online versus Offline PIN is then compounded when one looks at the question of International acceptance. Again the International Credit Card networks and all the domestic networks would also need to support the transport of the PIN in order to allow PIN to be used as the means of cardholder verification.
Posted by:
Philip Andreae |
February 16, 2012 at 09:38 AM
August 22, 2011
Is recent EMV announcement the catalyst the U.S. needs to catch up?
During this past year, the team at Portals and Rails has published several articles exploring the growing risks in card-based payments and the need to move to a more sophisticated and secure enabling technology. But overhauling a payment system is no easy task, as there are many players that need to collaborate, from the card networks to the bank issuers and merchants. How does the industry organize itself to orchestrate a much-needed transition?
The merchant community in particular has rightfully expressed concerns over the infrastructure investment costs for card acceptance terminals. While they acknowledge the need to migrate to a more secure payment system that does not rely on outmoded magnetic stripe card technology, they understandably want a future-proof investment strategy.
Visa's recent announcement about its plans to accelerate chip migration and the adoption of mobile payments may just provide the clarity in direction and sufficient incentives to get merchants moving.
Reduced PCI compliance requirements and liability shifts: Carrots and sticks
Visa's plan will require merchants to invest in chip-acceptance terminals as well as bear responsibility for losses resulting from magnetic stripe card fraud if they continue to accept those cards beyond a specific transition period. Right now, the banks that issue the cards bear those costs. So Visa is essentially imposing a counterfeit fraud liability shift as the metaphorical stick to encourage merchants to comply with the plan. Since the United States is currently the last developed country to implement a plan to migrate to chip-based card payments and agree to such a liability shift, this is a significant move.
But Visa's plan also contains some compelling incentives for the merchant community. PCI data security compliance requirements are costly and increasingly ineffective in combating card fraud schemes like card skimming. The Visa plan will eliminate certain PCI compliance requirements for merchants for whom at least 75 percent of their Visa transactions originate from chip-enabled acceptance terminals. Merchants will still have responsibility for protecting customer authentication information such as security codes and PINs. The prospect for improved security coupled with the reduced PCI compliance costs should be a welcome benefit to merchants.
Building a future for mobile payments
By initiating a plan to migrate to both contact and contactless chip technology at the merchant point-of-sale, the Visa plan may actually speed up the adoption of mobile payments. Building out the acceptance infrastructure will be necessary to support contactless payments and other chip-based emerging technologies in the future.
Conclusion
The growing incidence of global card fraud schemes is drawing critical attention to the need to overhaul the U.S. card payment system. Not only are countries in the European Union moving to chip-and-PIN technology to support their card payments, but they've also discussed banning the acceptance of magnetic stripe cards as a possibility. What this means is U.S. travelers will not be able to use their payment cards abroad. As a matter of fact, if you've traveled to Europe lately, you've undoubtedly discovered that some merchants are not equipped to accept our U.S. payment cards now. The move to chip technology for card payments has been coming—but no one knew exactly when or how. Clearly for merchants, the Visa announcement represents a roadmap for the future.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
August 22, 2011 in chip-and-pin, payments, payments risk, risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015390e620d5970b
Listed below are links to blogs that reference Is recent EMV announcement the catalyst the U.S. needs to catch up?:
Comments
March 14, 2011
Why U.S. issuers might be reluctant to adopt the EMV standard
A hot topic for Portals and Rails and the Retail Payments Risk Forum has been the replacement of magnetic-stripe cards with chip-and-pin cards in the United States. In fact, a recent industry blog labeled my colleague Rich Oliver "the first U.S. banking industry executive to publicly declare that a U.S. migration to the EMV payments standard is inevitable." Many countries around the globe have adopted or are in the process of adopting the EMV standard, but the United States has not budged, despite a recent European Payments Council resolution suggesting an end to mag stripe. Meanwhile, U.S. industry participants, including a large payment network and issuer, are investing in improving mag-stripe cards.
Let's consider the migration to EMV from an issuing perspective using recently collected debit card information by the Federal Reserve Board to assist with its responsibilities under the Durbin Amendment.
Current status of EMV in the United States
With the recent announcement that the Raleigh, N.C.-based State Employees Credit Union will convert its debit card portfolio to EMV by year's end, there are now two (yes, two!) small financial institutions in the United States committed to converting their portfolios to the EMV standard. If reports on fraud reduction since implementing the EMV standards in countries such as the United Kingdom are true, why then are U.S. issuers slow to convert to EMV? In last week's blog, Rich states that, given current fraud loss levels and fraud management and mitigation costs, there may not yet be a near-term business case for the migration to EMV. However, peeling back the onion another layer, a key difference in the authorization environments of the United States to other markets, such as the U.K., has led to lower levels of fraud, albeit at significant investment levels, and a fundamental reason behind issuers' reluctance to migrate.
Online versus offline authorization
Nearly all card transactions in the United States are authorized online. In this environment, the transaction authorization uses telecommunications at the time of a sale to route a merchant's authorization request to the issuer to approve or decline, based on a number of factors such as available funds or credit limit and multiple fraud prevention and mitigation checks. U.S. issuers and networks have invested heavily in fraud prevention and mitigation controls for online authorization programs. As a result, issuers have recognized relatively low levels of card fraud—approximately $.02 per debit transaction, or 5.4 basis points of transaction value. For PIN-based debit transactions, these numbers are even lower: $.01 per transaction, or 3.3 basis points of transaction volume.
Unlike the United States, the United Kingdom has primarily been an offline authorization market. In this scenario, the transactions are not authorized at the time of sale, but rather are batched throughout a given time period and transmitted to the issuers. Most importantly, this type of authorization process does not support PIN debit transactions using magnetic-stripe technology. While the EMV standard supports both online and offline authorizations, the reduction of fraud for offline authorizations was a key driver of implementation in the United Kingdom, as EMV allows for offline authorization at the time of sale.
According to analysis of data from the UK Payments Administration, fraud rates on all cards at the end of 2004 (near the beginning of the EMV implementation) were significantly higher than fraud levels currently seen on debit cards in the United States. However, by June of 2010, fraud in the United Kingdom has fallen by more than 50 percent to £.03 per transaction, or 6.6 basis points of transaction volume, which is still higher than debit card fraud rates experienced in the United States today.
Will there be a case for U.S. issuers to adopt the EMV Standard?
With approximately 500 million debit cards in circulation in the United States, relatively low levels of fraud, and significant investments into current authorization systems, it seems reasonable that debit issuers currently have little appetite for investing in the EMV standard today. While recognizing that the credit card story might paint a different picture with higher fraud losses, the fact remains that both issuers and networks have made significant investments in authorization systems to prevent and mitigate credit card fraud from which they don’t appear to be ready to walk away.
In light of U.S. issuers' shunning the EMV standard to date, here are some questions for industry participants to ponder. Will there be a tipping point for the United States to adopt the EMV standard? If so, what will that tipping point be? Can the global card payment market exist in an environment similar to the electrical market, whereby the United States uses 110-volt electricity while most of the world uses 220 volt? Can chip-and-pin prepaid cards such as the Travelex Cash Passport Currency Card address differences in global payment standards for U.S. issuers in a way that electrical adapters address the voltage issue?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 14, 2011 in chip-and-pin, EMV, payments systems | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e334dd29970b
Listed below are links to blogs that reference Why U.S. issuers might be reluctant to adopt the EMV standard:
My view on EMV is that it is a fundamentally more secure payment vehicle than typical magnetic stripe cards - plain and simple.
There are many benefits outside of just fraud savings. Consider missed transactions that international travelers might incur with a traditional card. Aite analysis reveals that card issuers missed out on $4 billion in charge volume in 2008 because of problems cardholders had with their cards while traveling abroad.
Then there is consumer perception. Ask a consumer today if he/she would like to own a car without air bags? The answer is likely no. The same is likely to hold true for EMV cards. If I have two options, traditional or EMV, I'm likely to choose EMV because it's safer. We all need to protect and enhance the consumer experience.
One cannot accurately predict future fraud costs with any degree of certainty. The pie for fraudsters is getting smaller, and if I'm a bank or credit union I don't want to be in the cross-hairs, especially if those vulnerable are getting smaller. CNP fraud is escalating. The payments industry will need to solve for that.
Chris Slane, VP, Business Development, Quatrro Processing Services