March 11, 2013
The ATM: Disappearing Soon from a Location near You?
The ATM industry in the United States is facing a set of regulatory and operating rule deadlines that might impact the industry as much as similar deadlines did during 2005–08. Back then, ATM owners were required to upgrade their terminals to support the more secure Triple Data Encryption Standard (3DES) to safeguard ATM transaction messages during transmission. To comply, ATM owners faced the expense of hardware and software upgrades. Because a number of ATM independent sales organizations (ISOs) were operating older machines that required replacement rather than upgrades, they sold off their businesses claiming they could not support these additional expenses. Although the total number of ATMs is difficult to determine, most people in the industry agree that the 3DES requirement resulted in fewer of them.
Now it's "déjà vu all over again" for many ATM owners. Two recent changes to regulatory and operating rules require additional investment in their ATM fleets. The first of these is the accessibility provisions of the 2010 American with Disabilities Act (ADA) that include, but are not limited to, a voice guidance requirement, Braille signage, and input controls for visually-impaired individuals. These provisions were published in September 2010. ATM owners had a compliance date of March 2011 and an enforcement date of March 2012. An online Wall Street Journal article written near the 2012 deadline estimated that half of the ATMs in the United States did not fully comply with the new requirements. Because many ATM owners were in near compliance at the time of the deadline, the current level of incomplete compliance is not known. I understand, however, that several ATM owners, particularly ISOs with low-volume cash dispensers, have still not upgraded their ATMs. Despite a number of lawsuits filed by visually-impaired individuals against noncompliant ATM owners, many appear to be continuing to operate while hoping to go undetected. The act allows an exemption to an ATM owner if the upgrade would be an "undue burden," but the burden is on the owner to seek the exemption and prove the burden.
The second change comes from the recently announced liability-shift roadmaps for EMV chip implementation by Visa and MasterCard. MasterCard set a deadline of October 2016; Visa, a year later. Currently, the card issuer bears losses from fraudulent card transactions at the ATM. After those dates, if a counterfeit card is used at an ATM that has not been upgraded to handle EMV cards—in which case the ATM has to read the card's magnetic stripe back-up—the ATM owner will bear the loss resulting from that fraudulent transaction.
Even more pressing is MasterCard's liability shift for non-U.S.-issued Maestro card transactions at U.S. ATMs, scheduled for April 19, 2013. The National ATM Council, an industry group for ATM ISOs, has formally requested MasterCard to both delay this shift and push back the overall liability shift deadline to synchronize with Visa's 2017 date. Already struggling with the increased costs resulting from the upgrade decision, ISO ATM owners fear that absorbing counterfeit card losses would devastate their financial condition. I suspect that as many of them have done with the ADA requirements, many may continue to postpone upgrade expenses and just hope that their machines are not targeted. However, as I noted in a recent post, criminals tend to attack the weakest elements of their target.
ATM usage continues to face competition from debit POS (purchases and cash-back) as well as the expanding mobile payments channel. With ATMs being such a high fixed-cost operation, the impact of additional upgrade expense at a time when usage is decreasing is likely to take a toll on the number of operating ATMs. What do you think?
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 11, 2013 in ATM fraud, EMV, regulations | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee92da6ff970d
Listed below are links to blogs that reference The ATM: Disappearing Soon from a Location near You?:
Comments
Posted by:
Ketharaman Swaminathan |
March 15, 2013 at 06:44 AM
February 11, 2013
Is Growing Fraud Really a Catalyst for EMV?
My payments news feed has been filled with a heavy dose of EMV-related news these last few days. Take the January 2013 article from the American Banker that looks at the incidence of increasing fraud losses as the United States continues to lag on the implementation of EMV chip cards. This one especially caught my attention given that I had written a paper on this topic early in 2012.
In recent SEC filings, both Discover Financial Services and Capital One reported significant increases in fraud losses. Based on calculations using figures from Discover's latest annual report, its fraud rate on sales volume increased from 4.8 basis points in 2010 to 7.2 basis points in 2011, and reached 8.8 basis points in 2012. Because of our nation's continued reliance on magnetic-stripe cards, "we are the weakest link around the world," according to one analyst. According to another, "the fraud comes here." Given this trend of rising fraud losses, is fraud finally becoming a bigger part of the business case for EMV with card networks' liability shifts for counterfeit fraudulent transactions a little more than two years out?
I don't think that it is. While the American Banker article, and even my paper, paints a somewhat discouraging picture of the fraud situation, the fact remains that fraud is but a small, albeit growing, expense on an issuers' income statement. For example, Discover reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost them over $1.2 billion in 2012 and as much as $3.7 billion in 2010. Fraud risk as measured by fraud losses is just "another expense" to issuers while credit risk, measured by credit losses, has one of the largest, if not the largest, negative impact on an issuers' bottom line. Is it possible that fraud losses will have a larger negative impact further down the road? Absolutely, and I think they will. I also recognize there are other "soft costs" associated with card fraud in terms of cardholder inconvenience and overall payment safety perception.
Further, EMV does not address the entire fraud loss problem. It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment. For example, since the rollout of chip-and-PIN in 2008 in Canada, CNP fraud increased from C$128 million to C$259.5 million in 2011. This is another example of fraud moving to the weakest link in the payments chain. Ultimately, EMV as it exists today only solves part of the fraud equation. Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build. For some, the costs to implement EMV may be viewed as an insurance policy against a widespread compromise of the mag-stripe technology.
It has been more than 17 months since Visa announced its EMV U.S. migration plan and a year since MasterCard announced its EMV "Roadmap." Still, issuance and acceptance of EMV cards remains tepid, if that, here in the United States. With a little over two years until the first liability shifts for the U.S. are scheduled to take place in April 2015, issuers will need to make EMV migration decisions soon if they intend to take advantage. But is the business case there currently?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 11, 2013 in card networks, cards, chip-and-pin, EMV | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d40f3aa2f970c
Listed below are links to blogs that reference Is Growing Fraud Really a Catalyst for EMV?:
Comments
My view on EMV is that it is a fundamentally more secure payment vehicle than typical magnetic stripe cards - plain and simple.
There are many benefits outside of just fraud savings. Consider missed transactions that international travelers might incur with a traditional card. Aite analysis reveals that card issuers missed out on $4 billion in charge volume in 2008 because of problems cardholders had with their cards while traveling abroad.
Then there is consumer perception. Ask a consumer today if he/she would like to own a car without air bags? The answer is likely no. The same is likely to hold true for EMV cards. If I have two options, traditional or EMV, I'm likely to choose EMV because it's safer. We all need to protect and enhance the consumer experience.
One cannot accurately predict future fraud costs with any degree of certainty. The pie for fraudsters is getting smaller, and if I'm a bank or credit union I don't want to be in the cross-hairs, especially if those vulnerable are getting smaller. CNP fraud is escalating. The payments industry will need to solve for that.
Chris Slane, VP, Business Development, Quatrro Processing Services
Posted by:
Chris Slane |
February 28, 2013 at 07:41 AM
Excellent article. One that takes the credit card fraud issue head-on and establishes that issuers and merchants have more serious issues to worry about than controlling fraud. I also found @MikeB's comment - especially the part about "issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most" - very sensible.
Posted by:
Ketharaman Swaminathan |
February 17, 2013 at 12:41 PM
I think you need to add other costs in (eg, PCI-DSS compliance and fraudulent portion of charge-offs) to obtain the correct cost/benefit calculation.
Posted by:
Dave Birch |
February 15, 2013 at 02:26 AM
Douglas,
Very interesting article and I agree that it appears that the EMV benefit is perhaps not worth the industry expense particularly if you're also shifting fraud from CP to CNP. In addition, it seems that here in the US, we're poised to move to new payment technologies such as Digital Wallets, NFC and/or Bar-codes that are more inline with the American customer, who I'm sure won't want to slow down at the point of sale to put in a PIN number on a Credit card transaction.
We conducted trials in the UK last year that I believe get to the issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most. By using Location-Based Analytic, we saw a 55% reduction of false positives while at the same time seeing a 30% increase in fraud detection . All of this in a non-intrusive manner, allowing the consumer the convenience of just swiping their card and moving on.
Mike
Posted by:
Mike Buhrmann, CEO Finsphere |
February 12, 2013 at 02:11 PM
Fraud may continue to be manageable from a cost perspective, but it is ultimately damaging to the user experience and the network brand experience. Consumers are increasingly frustrated by dealing with fraudulent charges (even with zero liability), receiving notices that their accounts are being breached, receiving re-issued cards, and having to re-configure their automatic payments. The networks are the ones pushing EMV because ultimately it's confidence in their systems that is taking the hit.
Posted by:
Aaron Press |
February 11, 2013 at 04:26 PM
Your comments raise an interesting question, namely, how much of what banks allocate as net charge-offs are actually fraud losses - especially in cases of account takeover fraud. The bad guy gains access to an account, changes the address, runs up a huge balance and bolts. As these balances get stale, the bank can either categorize them as fraud or simply charge them off.
Posted by:
Chip Wickenden |
February 11, 2013 at 10:23 AM
August 27, 2012
Mind the Gap: PIN versus Signature Authentication
In a January post, Portals and Rails considered the difference in fraud rates for payments using signature versus those using PIN authentication. Based on the data at hand, we concluded that "financial institutions have significantly more exposure to fraud losses from card payments with signature authentication than those from PIN authentication." The just-released PULSE Debit Issuer Study reveals that in 2011 the gap in loss rates between signature and PIN debit transactions has widened further. Issuers lost an average of three cents per signature debit transaction compared to less than one-half of one cent on PIN transactions.
Fraud is a concern for issuers
According to the study, which was conducted by the consulting firm Oliver Wyman on 57 banks and credit unions, 74 percent of large financial institutions (asset size greater than $10 billion) and 90 percent of small institutions (asset size under $10 billion) view fraud as a major challenge for 2012. Looking deeper into 2012 fraud concerns, 54 percent of issuers, regardless of their size, expect signature debit fraud to increase, while only 37 percent of issuers expect an increase in PIN debit fraud levels.
With fraud being of such high concern to issuers, I expected EMV card issuance to be high on their priority list, but that is not the case. In fact, 71 percent of the financial institutions have no immediate plans to issue EMV cards. In the past, we've highlighted some of the many possible ways to do an EMV implementation—according to the study, these unknowns of a U.S. EMV implementation have many financial institutions taking a "wait-and-see" approach.
Of particular note, issuers are interested in knowing if PIN authentication will become mandatory or if it will continue to coexist with signature authentication. Hopefully, this issue and others surrounding EMV implementation will soon be addressed by the industry through the recently announced collaborative EMV Migration Forum created by the Smart Card Alliance. The sooner these issues get sorted out, obviously, the better, as signature debit card fraud is showing no signs of slowing down.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 27, 2012 in chip-and-pin, crime, EMV, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0177445db2c5970d
Listed below are links to blogs that reference Mind the Gap: PIN versus Signature Authentication:
Comments
May 14, 2012
Cooperating competitors? Yes, when it comes to payment standards
Standard sizes allow us to efficiently pick out clothing to try on at any store we go to, and even to shop online. Standard file formats enable the exchange of documents between computers with different operating systems and software programs. Similarly, standard payment formats ensure that our payment cards work at a wide range of merchants regardless of where we bank. Although we often take standards for granted, they are absolutely critical to the efficient functioning of the payment system.
Standard formats are a classic public good: they can be used by multiple people at no marginal cost per user and it is difficult to exclude people from using them. Typically, public goods have to be provided by the government, because no individual firm has sufficient incentive to provide them privately. However, in the payments industry, standard payment formats have frequently been adopted without government intervention. Instead, private firms generally cooperate to develop payment standards through membership organizations like NACHA, the Accredited Standards Committee X9, and EMVCo. These organizations are direct competitors who choose to cooperate in developing shared industry utilities. Atlanta Fed payments risk expert Doug King has written extensively on industry efforts to implement the EMV payment card standard in the United States.
The payments industry might be able to supply its own public goods due to the relatively low transaction costs of doing so. While a small number of companies manage the majority of card payments across the globe, the U.S. industry includes several well-established companies and numerous smaller competitors as well as start-ups. Most of the companies are already members of established industry organizations that facilitate collaboration. This is much simpler than the market providing a public good like low pollution in a river, for example. Somehow the many consumers and firms who access that river must assemble and agree on the pollution level, develop an enforcement mechanism, and implement the agreement—and many of these stakeholders will likely never have worked together before.
The effect of payment standards on competition is unclear. It’s possible that standards increase competition in the payments industry by leveling the playing field between established firms and start-ups. However, some payments standards are proprietary and may inherently favor the companies that most influenced their development. For example, to the extent that the largest card networks dictate the specifications for the EMV standard, this may disadvantage smaller networks. Those smaller networks are left in the unenviable position of having to comply with standards in which they had little voice in developing. Thus, although the payments industry seems to have been effective in developing standards cooperatively, it’s possible that this market activity has favored the dominant players. How will the move to the EMV payment card standard affect competition in the U.S. market?
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
May 14, 2012 in collaboration, EMV | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016305884fd2970d
Listed below are links to blogs that reference Cooperating competitors? Yes, when it comes to payment standards:
Comments
January 30, 2012
Is the United States payments industry following in the footsteps of the Netherlands?
The Forum recently took a dive into card fraud data from the many countries (not the United States, of course) that have tossed out their old magnetic-stripe cards and adopted the EMV standard. You can read the paper—it's available on our website—but here's a quick recap.
What we found in the data is a recurring pattern of fraud losses. For instance, the data show that chip-and-PIN has been highly successful in the domestic card-present environment in reducing counterfeit and lost or stolen card fraud. This chart depicts the United Kingdom's positive domestic card-present experience.
On the other hand, fraud on non-chip-and-PIN transactions—most notably in the card-not-present and cross-border environments—has actually increased. Ultimately, the net results to date on EMV chip-and-PIN's impact on total card fraud losses in these countries have been marginal. As an example, this next table shows Canada's growing card-not-present fraud loss trend.
The working paper uses the Netherlands experience as a case study because of the country's similarities to the United States. Much like the United States, the Netherlands was experiencing low rates of payment card fraud, so this country did not migrate to the EMV standard when all the rest of Europe was adopting it. Eventually, fraud loss rates in the Netherlands climbed, ultimately propelling the Netherlands banking industry into implementing chip-and-PIN.
Like the Netherlands, the United States is now seeing a growth of card fraud loss rates on both credit and debit cards. As we've blogged several times, the costs for an EMV implementation here in the United States have so far outweighed the fraud loss reduction benefits of chip-embedded cards, according to some industry stakeholders. But given the parallels between the United States and the Netherlands, it is reasonable to expect card fraud losses to continue to grow here as long as the industry relies on mag-stripe technology.
Clearly, there is a need for industry coordination for an EMV implementation to effectively reduce payment card fraud. Based on the fraud trends experienced by countries adopting EMV chip-and-PIN, implementing the EMV standard in the United States for only certain types of card products or without solutions for mitigating card-not-present fraud could lead to only a marginal reduction in total fraud losses as fraudsters seek to exploit the lowest hanging fruit.
It should be noted that while the card industry in each of the countries investigated in the working paper adopted PIN authentication, this method is only one of several options. The working paper focused on PIN authentication because of the abundance of card fraud and transaction data reported by these countries' payments industries.
For more details on the successes and failures that a number of countries have experienced in moving to EMV technology, read the paper on our website.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 30, 2012 in chip-and-pin, EMV, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0167615c8cea970b
Listed below are links to blogs that reference Is the United States payments industry following in the footsteps of the Netherlands?:
Comments
December 19, 2011
The many flavors of EMV
As 2011 comes to an end, EMV (Europay, MasterCard, and Visa) transactions are still the exception in the United States. However, the United States has made some progress towards an EMV migration—several financial institutions are now issuing EMV cards for select portfolios. Also, on the acquiring side, some large merchants voiced strong opinions during the year about adopting the EMV standard. And towards the end of summer, Visa announced details of its "chip migration and adoption of mobile payments acceleration plan."
The perceived cost of a full EMV migration has been a great barrier for the U.S. payments industry. Further complicating the migration are the different ways issues and merchants can implement EMV. In particular, the various transaction authorization processes of card authentication, cardholder verification, and payment authorization take place in an online or offline environment or a combination of the two.
This week's post highlights the differences between offline and online transactions and the implications for U.S. migration to EMV-supported card payments.
Offline EMV
Prior to the introduction of chip cards in the United Kingdom, cards used the same magnetic stripe technology that is currently the standard in the United States. However, the difference is that in the United Kingdom most card transactions were authorized offline. In an offline authorization environment, card transactions are batched over a given time period and then transmitted to issuers, usually at the close of business, for authorization. Because the offline authorization environment does not permit real-time authentication, fraud rates were significantly higher than in markets using online authorization. To mitigate the additional risk inherent in the offline environment, the United Kingdom adopted the EMV standard—more specifically, chip and PIN.
In an offline EMV chip-and-PIN transaction, the payment terminal communicates with the integrated circuit card (ICC), or chip, embedded in the payment card rather than using telecommunications to connect and communicate with the issuing bank. This communication between the ICC and terminal allows for real-time card authentication, cardholder verification, and payment authorization. However, because most payment terminals (not unattended terminals) now support online authorization, payment authorization usually occurs online while card authentication and cardholder verification usually take place offline.
Online EMV
In contrast to the United Kingdom's predominately offline authorization experience, nearly all card transactions in the United States are authorized online. This environment allows issuers to authorize transactions at the time of sale using multiple fraud and risk parameters.
In an online EMV transaction, the ICC-embedded card generates a cryptogram that is authenticated by the issuer during the authorization request. Assuming the card is authenticated and the merchant requires cardholder verification, either the terminal transmits the cardholder's encrypted PIN to the card issuer for verification or the merchant verifies the customer's signature to the signature on the card. Finally, for payment authorization, the terminal transmits payment-related information and a transaction-specific cryptogram to the issuer, which then authorizes or declines the transaction. This online payment authorization process is the same process that magnetic stripe cards currently use.
What does this mean for a U.S. EMV migration?
Unfortunately, the many methods for card authentication, cardholder verification, and payment authorization that EMV supports could lead to many different implementations in the United States. The few EMV-issuing financial institutions in the United States have reached no consensus when it comes to cardholder verification methods. Some issuers support offline PIN, others support online PIN, and still others support signature-only verification. Perhaps most critical to the EMV discussion is whether to support online or offline transactions, or both.
The costs associated with an offline implementation are higher. First, ICCs in an offline environment require an additional processor on the card—to support dynamic data authentication—that ICCs in an online environment do not. Second, PIN management in the offline environment involves manipulation of the PIN resident within the ICC, a process that requires issuers to purchase technologies they do not need in the online environment.
From a risk standpoint, both offline and online EMV card authentication support dynamic data and offer superior protection against counterfeit fraud compared to the magnetic stripe. For PIN cardholder verification, offline and online PIN offer the same protection against lost or stolen card fraud.
Offline EMV implementations were necessary in many markets around the globe because of a lack of telecommunications access at the payment terminals. Because the United States already operates in an online environment and the costs to implement an offline adoption are higher, the business case for an online EMV implementation is stronger than an offline adoption. Further, with most payment terminals in the world now supporting online transactions, global interoperability of online-only EMV cards is not the barrier that it was in the past.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 19, 2011 in cards, chip-and-pin, EMV | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01675efe7dfe970b
Listed below are links to blogs that reference The many flavors of EMV:
Comments
On your point relative to Online PIN I would like to suggest that most credit card networks (excluding the ATM portion) do not today support the transmission of the PIN from the POS device to the Issuer Host. To upgrade the credit networks to support the encryption and transport of the PIN to the Issuer has a cost. Not simply in the device but also in all the various processors in the chain. Further most POS devices now installed do not support Online PIN.
This whole question of Online versus Offline PIN is then compounded when one looks at the question of International acceptance. Again the International Credit Card networks and all the domestic networks would also need to support the transport of the PIN in order to allow PIN to be used as the means of cardholder verification.
Posted by:
Philip Andreae |
February 16, 2012 at 09:38 AM
July 25, 2011
Is the final Durbin Amendment rule an impetus for EMV in the United States?
On June 29, the Federal Reserve Board released its much-anticipated final rule, Regulation II, to the Durbin Amendment. The Board's final rule significantly differs from its interim rule on this amendment, resulting in ample commentary from the payments industry, financial institutions, and the merchant community.
However, there has been little commentary provided about the potential impact the final rule may have on encouraging the migration of debit cards away from mag stripe to the EMV standard. Upon closer examination of the Board's lengthy final rule, it appears that issuers might have the ability to recoup a portion of EMV-related costs should they opt to migrate away from magnetic-stripe technology in the years ahead.
Initially, the Board limited allowable costs for the calculation of the interchange fee cap of $0.12 to include only variable costs associated with the authorization, clearance, and settlement (ACS) of transactions. In setting the final interchange cap base component at $0.21, the Board broadened its definition of allowable costs and included costs incurred to effect a debit transaction such as network connectivity and processing fees. The Board also included fixed costs, such as hardware and software costs, in developing its final interchange cap.
In addition to the $0.21 base component of the interchange cap, the Board included an ad valorem component of 5 basis points of the transaction value to reflect a portion of issuers' fraud losses. Finally, the final rule allows for a fraud-prevention adjustment of $0.01 per transaction, conditioned upon the issuer adopting effective fraud-prevention policies and procedures. These interchange fees become effective on October 1, 2011.
The final rule requires that the Board collect cost data from debit card issuers biennially. Presumably, the Board can make any necessary adjustments to the base component, the ad valorem component, and the fraud-prevention adjustment based on issuers' biennial reports of incurred costs.
What impact will the Board's final rule have on the future of EMV?
If the Board makes future adjustments to the interchange standard components based on the survey of costs every two years, language within the Board's final rule suggests that issuers may be able to recoup some, but not all, costs associated with an EMV migration. Given the Board's addition of fixed costs as allowable costs, hardware and software costs incurred by issuers to migrate to EMV might be included in future adjustments to the base component of the interchange cap. While the research and development (R&D) costs are not included in the base interchange standard, the rule states "the cost of research and development of new authentication methods would be considered in the fraud-prevention adjustment." Should issuers adopt EMV, R&D costs incurred are allowable under the fraud prevention adjustment standard. Finally, the final rule clearly excludes the cost of card production and delivery—a requirement for migration to EMV—as an allowable cost.
The impact of the Durbin Amendment on movement toward EMV remains open to debate. Is the potential for future debit card interchange rate increases enough to motivate issuers to finally migrate to the EMV standard? Do the current interchange cap and exclusion of some EMV-related costs from the interchange standard hinder a future move toward EMV? I am optimistic that future potential adjustments to the components of the interchange standard under the final rule's expanded set of allowable costs—along with the consideration of R&D costs as part of the fraud adjustment component—will have a positive impact on migration to EMV.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 25, 2011 in bank supervision, consumer protection, EMV | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015433fcc0c2970c
Listed below are links to blogs that reference Is the final Durbin Amendment rule an impetus for EMV in the United States?:
Comments
May 09, 2011
United front needed to prevent EMV card fraud from picking low-hanging fruit
I was pleased to see in the news recently that Chase and Wells Fargo announced the issuance of EMV chip-enabled cards for several of their credit card portfolios. Though these EMV chip-enabled cards will still have mag stripes and are primarily intended for customers who travel internationally, these announcements represent a positive move toward a more secure payment card environment in the United States.
Based on available data from countries around the globe with EMV experience, EMV chip-enabled cards have been highly successful at reducing counterfeit and lost or stolen card fraud within market. However, these cards have had less impact on overall fraud levels. Fraud has simply shifted to different products (from credit to debit), other channels (from card-present to card-not-present, or CNP), or other geographies (fraud perpetrated abroad).
If the U.S. payments industry does decide to move forward with EMV, the experiences in markets that have already undergone or are undergoing the migration to EMV teaches us that issuers, networks, and merchants across all payment channels must make a coordinated effort in order to achieve a positive impact on overall payment card fraud levels. Without coordination, the United States would likely see fraud shifting to other products and channels but not geographies—by then, all developed countries will have converted to EMV, including our neighbors, Canada and Mexico.
EMV migration experience: Card-present fraud shifts to card-not-present fraud
The success of EMV in reducing card-present fraud in countries that have made the move is impressive. Based on the latest figures from the UK Cards Association, face-to-face card fraud at United Kingdom retailers fell by nearly 70 percent after the widespread introduction of EMV in 2004. Yet, during that same time, CNP fraud rose by 50 percent and now represents 62 percent of all payment card fraud in the country. Likewise, according to figures from the Observatory for Payment Cards Security, fraud rates in France on face-to-face transactions with French-issued cards fell from 0.029 percent in 2004 to 0.014 percent in 2009—but then CNP fraud rates for transactions within France rose from 0.177 percent to 0.263 percent. And in Australia, a similar pattern is emerging. According to the Australian Payments Clearing Association's latest release of fraud data for the 12 months ending June 30, 2010, skimming fraud is down significantly, yet overall payment card fraud continues to rise, in part due to a 25 percent increase in CNP fraud.
EMV migration experience: Fraud shifts between products
In Canada, the migration to the EMV standard has been led by the credit networks, namely Visa and MasterCard, who are all but done with the migration. (Liability shift—the movement of liability from the issuer to the merchant—took place March 31.) With a migration completion mandate set for January 2015, Interac, Canada's national debit payment network, has been much slower to migrate to the EMV standard. Criminal Intelligence Service Canada reported a slight decrease in payment card fraud from $512.2 million in 2008 to $500.7 million in 2009. However, as credit cards were the first to migrate, fraud shifted to debit cards. Interac reported a 36 percent increase in fraud in 2009—from $104.5 million in 2008 to $142.3 million. Interac, which Is deploying chip-and-pin in earnest now, recently reported a 2010 fraud loss figure of $119 million, down 16 percent from 2009.
Australia is seeing a similar development. Scheme debit, credit, and charge cards are in the process of migrating to the EMV standard, while proprietary debit cards continue to use mag-stripe technology. Skimming fraud is down on scheme cards, but proprietary debit cards experienced a 94 percent increase in skimming fraud.
Coordination prevents fraudsters from identifying weakest link
The bad news for the United States is that a coordinated effort to migrate to EMV would be very challenging. First, we have a large number of credit and debit networks, payment card issuers, and payment cards in circulation (including closed-loop prepaid and private label), as well as acceptance locations (including ATMs) in the marketplace. Second, the number of card purchases in a CNP environment through the Internet or mobile device is continuing to proliferate.
But the good news for the United States is that not only can we learn from the experiences of the earlier-adopting countries but we can also take advantage of new technologies coming to market. For example, First Data's EMV Go-Cap and SecureKey's One Tap both work in the CNP environment. Also, as my colleague Cindy Merritt recently blogged on, mobile has great potential to address the increasing fraud in the CNP environment.
If all participants in the payments industry coordinate their efforts while also adopting new technologies, we could keep fraudsters scratching their heads as they search for the lowest-hanging fruit during a U.S. migration to EMV.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 9, 2011 in EMV, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01538e6115c8970b
Listed below are links to blogs that reference United front needed to prevent EMV card fraud from picking low-hanging fruit:
Comments
March 14, 2011
Why U.S. issuers might be reluctant to adopt the EMV standard
A hot topic for Portals and Rails and the Retail Payments Risk Forum has been the replacement of magnetic-stripe cards with chip-and-pin cards in the United States. In fact, a recent industry blog labeled my colleague Rich Oliver "the first U.S. banking industry executive to publicly declare that a U.S. migration to the EMV payments standard is inevitable." Many countries around the globe have adopted or are in the process of adopting the EMV standard, but the United States has not budged, despite a recent European Payments Council resolution suggesting an end to mag stripe. Meanwhile, U.S. industry participants, including a large payment network and issuer, are investing in improving mag-stripe cards.
Let's consider the migration to EMV from an issuing perspective using recently collected debit card information by the Federal Reserve Board to assist with its responsibilities under the Durbin Amendment.
Current status of EMV in the United States
With the recent announcement that the Raleigh, N.C.-based State Employees Credit Union will convert its debit card portfolio to EMV by year's end, there are now two (yes, two!) small financial institutions in the United States committed to converting their portfolios to the EMV standard. If reports on fraud reduction since implementing the EMV standards in countries such as the United Kingdom are true, why then are U.S. issuers slow to convert to EMV? In last week's blog, Rich states that, given current fraud loss levels and fraud management and mitigation costs, there may not yet be a near-term business case for the migration to EMV. However, peeling back the onion another layer, a key difference in the authorization environments of the United States to other markets, such as the U.K., has led to lower levels of fraud, albeit at significant investment levels, and a fundamental reason behind issuers' reluctance to migrate.
Online versus offline authorization
Nearly all card transactions in the United States are authorized online. In this environment, the transaction authorization uses telecommunications at the time of a sale to route a merchant's authorization request to the issuer to approve or decline, based on a number of factors such as available funds or credit limit and multiple fraud prevention and mitigation checks. U.S. issuers and networks have invested heavily in fraud prevention and mitigation controls for online authorization programs. As a result, issuers have recognized relatively low levels of card fraud—approximately $.02 per debit transaction, or 5.4 basis points of transaction value. For PIN-based debit transactions, these numbers are even lower: $.01 per transaction, or 3.3 basis points of transaction volume.
Unlike the United States, the United Kingdom has primarily been an offline authorization market. In this scenario, the transactions are not authorized at the time of sale, but rather are batched throughout a given time period and transmitted to the issuers. Most importantly, this type of authorization process does not support PIN debit transactions using magnetic-stripe technology. While the EMV standard supports both online and offline authorizations, the reduction of fraud for offline authorizations was a key driver of implementation in the United Kingdom, as EMV allows for offline authorization at the time of sale.
According to analysis of data from the UK Payments Administration, fraud rates on all cards at the end of 2004 (near the beginning of the EMV implementation) were significantly higher than fraud levels currently seen on debit cards in the United States. However, by June of 2010, fraud in the United Kingdom has fallen by more than 50 percent to £.03 per transaction, or 6.6 basis points of transaction volume, which is still higher than debit card fraud rates experienced in the United States today.
Will there be a case for U.S. issuers to adopt the EMV Standard?
With approximately 500 million debit cards in circulation in the United States, relatively low levels of fraud, and significant investments into current authorization systems, it seems reasonable that debit issuers currently have little appetite for investing in the EMV standard today. While recognizing that the credit card story might paint a different picture with higher fraud losses, the fact remains that both issuers and networks have made significant investments in authorization systems to prevent and mitigate credit card fraud from which they don’t appear to be ready to walk away.
In light of U.S. issuers' shunning the EMV standard to date, here are some questions for industry participants to ponder. Will there be a tipping point for the United States to adopt the EMV standard? If so, what will that tipping point be? Can the global card payment market exist in an environment similar to the electrical market, whereby the United States uses 110-volt electricity while most of the world uses 220 volt? Can chip-and-pin prepaid cards such as the Travelex Cash Passport Currency Card address differences in global payment standards for U.S. issuers in a way that electrical adapters address the voltage issue?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 14, 2011 in chip-and-pin, EMV, payments systems | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e334dd29970b
Listed below are links to blogs that reference Why U.S. issuers might be reluctant to adopt the EMV standard:
Comments
July 26, 2010
Can chip-and-pin technology address payment card fraud in the United States?
Last week's blog discussed how the United States has been slow to adopt the chip-and-pin payments card technology that many other countries are already using. We suggested that the continued reliance of the United States on the magnetic-stripe standard leaves consumers here more vulnerable to fraud. In fact, the Federal Reserve Bank of Kansas City recently published a paper that looked at global security standards within the payment card industry and found that "the difference between U.S. fraud rates and those in other countries is sufficiently large."
This week's blog looks a little closer at some of the numbers behind magnetic-stripe and chip-and-pin payment cards, including the cost of payment card fraud in the United States and what it would take to move to the EMV chip-and-pin technology. (Recall that EMV is an abbreviation for the originators of the standard: Europay, MasterCard, and VISA. EMV is now also owned by other card companies: the Japanese company JCB and American Express.)
Fraud losses on credit, debit, and prepaid cards in the United States totaled $6.89 billion in 2009, up 7 percent from 2008—a figure said to be on pace to reach $10 billion by 2015. According to PULSE 2010 Debit Issuer Study debit card fraud for signature-based debit card fraud increased 43 percent last year and personal identification number (PIN) debit card fraud loss rose by 24 percent.
|
|
| ENLARGE |
Exploiting the weakest link
The magnetic stripe stores data on a band of magnetic material on the back of a credit card. The stored data on a magnetic stripe can be read by swiping the card through a reader. The chip-and-pin card, on the other hand, most commonly exists as a smart card embedded with a microchip. The microchip can store a unique PIN, which ultimately replaces the cardholder's signature and can be used in contact or contactless mode. Chip-and-pin cards can therefore protect against card swipe fraud, cloning, and stolen data from lost or stolen cards—the most common kinds of fraud experienced by magnetic stripe cards.
Protecting payment cards: Security versus cost concerns
The implementation of chip technology will require a merchant to use new hardware and the consumer to use a new smart card with a microchip. Javelin Strategy & Research estimates the basic cost for the implementation of the EMV chip standard stands at $8.6 billion. Is this a figure the payments industry is ready and willing to dispense in this current economic climate? Today, we know of at least one U.S. financial institutions that have migrated to EMV. Will this cause others to migrate, or is it too early to tell?
Defining the next logical approach
Some experts predict that the globalization of the EMV standard will drive the initial issuance of chip-and-pin cards in the United States. Other experts do not foresee the United States' immediate migration to chip-and-pin cards. Yet the growth of U.S. chip payment cards may prove migration to EMV sooner than most believe.
Continuously guarding against debit and credit card fraud loss solidifies consumers' confidence in card payments and the financial system. EMV chip-and-pin and its methods for combating payments card fraud seems like a natural choice to replace the magnetic stripe card in the United States. With Europe, and other parts of the world, documented success rate in combating payments card fraud since their move to EMV chip and pin, it may turn out that EMV chip and pin's global interoperability may become the next security vehicle that can rein in magnetic stripe card fraud.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 26, 2010 in chip-and-pin, EMV, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485a00088970c
Listed below are links to blogs that reference Can chip-and-pin technology address payment card fraud in the United States?:
Comments
A large number of vendors will accept signatures for card transactions without even looking at the card. They don't ask for identification to verify the card holder. The resulting fraudulent transaction usually becomes the liability of the bank. Obviously, the vendor isn't regulated and has little liability. It is past the time for chip-and-pin cards. Signatures (although convenient for the customers) should no longer be allowed. At least if the card number is compromised, the chances that the PIN number is also compromised, is slim. The EMV standard for tighter security doesn't seem to be progressing very quickly. For the protection of our customers and banks, we should be one of the front runners in a push for more security of our card transactions. Instead, we are at the mercy of the EMV standards which don't seem to be keeping up with the rest of the world.
Posted by:
Michelle Johnson |
September 14, 2010 at 11:49 AM
As an argument against adopting EMV, critics have pointed to EMV fraud weaknesses, such as susceptibility to man-in-the-middle-attacks. On the other hand, other countries that have adopted EMV and Chip-and-PIN have witnessed a reduction in counterfeit and skimming fraud. While EMV may not be foolproof, it is important to keep in mind that any single fraud deterrent solution needs to be part of an larger, overarching fraud strategy. Financial institutions still need build in layered security into their products and implement vigorous application screening controls when issuing cards to new clients. Also, financial institutions should integrate enterprise fraud management systems and real-time analytics to more accurately predict fraudulent transactions as they happen.
Also, to address the debate as to whether or not the U.S. should adopt EMV, the good news is that we are ready for it. The smart card technology infrastructure that supports EMV or Chip and PIN is already available today and will even be able to evolve with next-generation chip-based card innovations.
Thanks, Jim!
Posted by:
Jim Schlegel |
August 04, 2010 at 01:44 PM
EMV in the U.S. business case:
U.S. EMV Migration Cost = $8.6 billion (once off);
U.S. Card Fraud = $6.89 billion (per annum);
ROI = 1.25 years!
Cost savings over next 5 years = $34 billion!
Even assuming a 100% error in the migration estimates, its still an ROI less than the average 3 years a card is valid.
I'm not an Economist, but this looks like a pretty good investment to me. I say go, go, go! :)
Posted by:
Wynand Vermeulen |
August 04, 2010 at 06:24 AM
FFIEC came up with two factor authentication guidelines in 2005 and followed it up with additional guidelines in 2012 or so. Still, there are so many banks that don't use 2FA in the USA. If big banks have managed to escape regulation for 8 years, it'd be much easier for ATM operators to fly under the regulatory radar for at least a few more years. So, I predict that ATMs will continue as they are and don't expect them to disappear anytime in the near future, at least not due to the current spate of regulation.