January 30, 2012
Is the United States payments industry following in the footsteps of the Netherlands?
The Forum recently took a dive into card fraud data from the many countries (not the United States, of course) that have tossed out their old magnetic-stripe cards and adopted the EMV standard. You can read the paper—it's available on our website—but here's a quick recap.
What we found in the data is a recurring pattern of fraud losses. For instance, the data show that chip-and-PIN has been highly successful in the domestic card-present environment in reducing counterfeit and lost or stolen card fraud. This chart depicts the United Kingdom's positive domestic card-present experience.
On the other hand, fraud on non-chip-and-PIN transactions—most notably in the card-not-present and cross-border environments—has actually increased. Ultimately, the net results to date on EMV chip-and-PIN's impact on total card fraud losses in these countries have been marginal. As an example, this next table shows Canada's growing card-not-present fraud loss trend.
The working paper uses the Netherlands experience as a case study because of the country's similarities to the United States. Much like the United States, the Netherlands was experiencing low rates of payment card fraud, so this country did not migrate to the EMV standard when all the rest of Europe was adopting it. Eventually, fraud loss rates in the Netherlands climbed, ultimately propelling the Netherlands banking industry into implementing chip-and-PIN.
Like the Netherlands, the United States is now seeing a growth of card fraud loss rates on both credit and debit cards. As we've blogged several times, the costs for an EMV implementation here in the United States have so far outweighed the fraud loss reduction benefits of chip-embedded cards, according to some industry stakeholders. But given the parallels between the United States and the Netherlands, it is reasonable to expect card fraud losses to continue to grow here as long as the industry relies on mag-stripe technology.
Clearly, there is a need for industry coordination for an EMV implementation to effectively reduce payment card fraud. Based on the fraud trends experienced by countries adopting EMV chip-and-PIN, implementing the EMV standard in the United States for only certain types of card products or without solutions for mitigating card-not-present fraud could lead to only a marginal reduction in total fraud losses as fraudsters seek to exploit the lowest hanging fruit.
It should be noted that while the card industry in each of the countries investigated in the working paper adopted PIN authentication, this method is only one of several options. The working paper focused on PIN authentication because of the abundance of card fraud and transaction data reported by these countries' payments industries.
For more details on the successes and failures that a number of countries have experienced in moving to EMV technology, read the paper on our website.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 30, 2012 in chip-and-pin, EMV, fraud | Permalink
December 19, 2011
The many flavors of EMV
As 2011 comes to an end, EMV (Europay, MasterCard, and Visa) transactions are still the exception in the United States. However, the United States has made some progress towards an EMV migration—several financial institutions are now issuing EMV cards for select portfolios. Also, on the acquiring side, some large merchants voiced strong opinions during the year about adopting the EMV standard. And towards the end of summer, Visa announced details of its "chip migration and adoption of mobile payments acceleration plan."
The perceived cost of a full EMV migration has been a great barrier for the U.S. payments industry. Further complicating the migration are the different ways issuers and merchants can implement EMV. In particular, the various transaction authorization processes of card authentication, cardholder verification, and payment authorization take place in an online or offline environment or a combination of the two.
This week's post highlights the differences between offline and online transactions and the implications for U.S. migration to EMV-supported card payments.
Offline EMV
Prior to the introduction of chip cards in the United Kingdom, cards used the same magnetic stripe technology that is currently the standard in the United States. However, the difference is that in the United Kingdom most card transactions were authorized offline. In an offline authorization environment, card transactions are batched over a given time period and then transmitted to issuers, usually at the close of business, for authorization. Because the offline authorization environment does not permit real-time authentication, fraud rates were significantly higher than in markets using online authorization. To mitigate the additional risk inherent in the offline environment, the United Kingdom adopted the EMV standard—more specifically, chip and PIN.
In an offline EMV chip-and-PIN transaction, the payment terminal communicates with the integrated circuit card (ICC), or chip, embedded in the payment card rather than using telecommunications to connect and communicate with the issuing bank. This communication between the ICC and terminal allows for real-time card authentication, cardholder verification, and payment authorization. However, because most payment terminals (not unattended terminals) now support online authorization, payment authorization usually occurs online while card authentication and cardholder verification usually take place offline.
Online EMV
In contrast to the United Kingdom's predominately offline authorization experience, nearly all card transactions in the United States are authorized online. This environment allows issuers to authorize transactions at the time of sale using multiple fraud and risk parameters.
In an online EMV transaction, the ICC-embedded card generates a cryptogram that is authenticated by the issuer during the authorization request. Assuming the card is authenticated and the merchant requires cardholder verification, either the terminal transmits the cardholder's encrypted PIN to the card issuer for verification or the merchant checks the customer's signature against the signature on the card. Finally, for payment authorization, the terminal transmits payment-related information and a transaction-specific cryptogram to the issuer, which then authorizes or declines the transaction. This online payment authorization process is the same process that magnetic stripe cards currently use.
What does this mean for a U.S. EMV migration?
Unfortunately, the many methods for card authentication, cardholder verification, and payment authorization that EMV supports could lead to many different implementations in the United States. The few EMV-issuing financial institutions in the United States have reached no consensus when it comes to cardholder verification methods. Some issuers support offline PIN, others support online PIN, and still others support signature-only verification. Perhaps most critical to the EMV discussion is whether to support online or offline transactions, or both.
The costs associated with an offline implementation are higher. First, ICCs in an offline environment require an additional processor on the card—to support dynamic data authentication—that ICCs in an online environment do not. Second, PIN management in the offline environment involves manipulation of the PIN resident within the ICC, a process that requires issuers to purchase technologies they do not need in the online environment.
From a risk standpoint, both offline and online EMV card authentication support dynamic data and offer superior protection against counterfeit fraud compared to the magnetic stripe. For PIN cardholder verification, offline and online PIN offer the same protection against lost or stolen card fraud.
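A simplified model of why a transaction-specific cryptogram resists counterfeiting where static magnetic-stripe data does not, added here as an illustration and not taken from the original post or from the EMV specifications. HMAC-SHA256 stands in for EMV's actual cryptogram algorithm, and the class names, key, card number, and CVV are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed demo values; a real issuer master key would live in an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PAN = "4000000000000002"


def derive_card_key(pan: str) -> bytes:
    """Per-card key derived from the issuer master key (assumption: HMAC
    stands in for the block-cipher derivation a real scheme would use)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def auth_message(pan: str, amount: int, un: bytes, atc: int) -> bytes:
    """Transaction data covered by the cryptogram."""
    return f"{pan}|{amount}|{un.hex()}|{atc}".encode()


def cryptogram(key: bytes, pan: str, amount: int, un: bytes, atc: int) -> bytes:
    return hmac.new(key, auth_message(pan, amount, un, atc), hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    pan: str
    key: bytes      # stays inside the chip; never sent to the terminal
    atc: int = 0    # transaction counter, incremented on every use

    def request(self, amount: int, un: bytes) -> dict:
        """Build the authorization request for one transaction."""
        self.atc += 1
        return {"pan": self.pan, "amount": amount, "un": un, "atc": self.atc,
                "cryptogram": cryptogram(self.key, self.pan, amount, un, self.atc)}


@dataclass
class Issuer:
    last_atc: dict = field(default_factory=dict)    # highest counter seen per card
    static_cvv: dict = field(default_factory=dict)  # mag-stripe check value per card

    def authorize_chip(self, req: dict) -> str:
        key = derive_card_key(req["pan"])
        expected = cryptogram(key, req["pan"], req["amount"], req["un"], req["atc"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "DECLINE: counter reused"
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVE"

    def authorize_magstripe(self, track: dict) -> str:
        # The stripe carries the same bytes on every swipe, so the issuer can
        # only compare them with its stored copy.
        known = self.static_cvv.get(track["pan"], "")
        return "APPROVE" if hmac.compare_digest(track["cvv"], known) else "DECLINE: bad CVV"


def run_scenarios() -> dict:
    issuer = Issuer(static_cvv={DEMO_PAN: "123"})
    card = ChipCard(DEMO_PAN, derive_card_key(DEMO_PAN))
    results = {}

    # Genuine chip transaction: fresh counter, valid cryptogram.
    req = card.request(2500, os.urandom(4))
    results["genuine_chip"] = issuer.authorize_chip(req)

    # The same captured message presented again: the counter is stale.
    results["replayed_chip"] = issuer.authorize_chip(dict(req))

    # Captured message with the amount changed: the cryptogram no longer matches.
    results["altered_amount"] = issuer.authorize_chip(dict(req, amount=250000))

    # Counterfeit chip that knows the card number but not the key.
    fake = ChipCard(DEMO_PAN, os.urandom(32), atc=card.atc)
    results["counterfeit_chip"] = issuer.authorize_chip(fake.request(2500, os.urandom(4)))

    # Magnetic stripe: a byte-for-byte copy is indistinguishable from the original.
    track = {"pan": DEMO_PAN, "cvv": "123"}
    results["genuine_stripe"] = issuer.authorize_magstripe(track)
    results["cloned_stripe"] = issuer.authorize_magstripe(dict(track))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:17} {outcome}")
```
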
Offline EMV implementations were necessary in many markets around the globe because of a lack of telecommunications access at the payment terminals. Because the United States already operates in an online environment and the costs to implement an offline adoption are higher, the business case for an online EMV implementation is stronger than an offline adoption. Further, with most payment terminals in the world now supporting online transactions, global interoperability of online-only EMV cards is not the barrier that it was in the past.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 19, 2011 in cards, chip-and-pin, EMV | Permalink
July 25, 2011
Is the final Durbin Amendment rule an impetus for EMV in the United States?
On June 29, the Federal Reserve Board released its much-anticipated final rule, Regulation II, to the Durbin Amendment. The Board's final rule significantly differs from its interim rule on this amendment, resulting in ample commentary from the payments industry, financial institutions, and the merchant community.
However, there has been little commentary provided about the potential impact the final rule may have on encouraging the migration of debit cards away from mag stripe to the EMV standard. Upon closer examination of the Board's lengthy final rule, it appears that issuers might have the ability to recoup a portion of EMV-related costs should they opt to migrate away from magnetic-stripe technology in the years ahead.
Initially, the Board limited allowable costs for the calculation of the interchange fee cap of $0.12 to include only variable costs associated with the authorization, clearance, and settlement (ACS) of transactions. In setting the final interchange cap base component at $0.21, the Board broadened its definition of allowable costs and included costs incurred to effect a debit transaction such as network connectivity and processing fees. The Board also included fixed costs, such as hardware and software costs, in developing its final interchange cap.
In addition to the $0.21 base component of the interchange cap, the Board included an ad valorem component of 5 basis points of the transaction value to reflect a portion of issuers' fraud losses. Finally, the final rule allows for a fraud-prevention adjustment of $0.01 per transaction, conditioned upon the issuer adopting effective fraud-prevention policies and procedures. These interchange fees become effective on October 1, 2011.
The final rule requires that the Board collect cost data from debit card issuers biennially. Presumably, the Board can make any necessary adjustments to the base component, the ad valorem component, and the fraud-prevention adjustment based on issuers' biennial reports of incurred costs.
What impact will the Board's final rule have on the future of EMV?
If the Board makes future adjustments to the interchange standard components based on the survey of costs every two years, language within the Board's final rule suggests that issuers may be able to recoup some, but not all, costs associated with an EMV migration. Given the Board's addition of fixed costs as allowable costs, hardware and software costs incurred by issuers to migrate to EMV might be included in future adjustments to the base component of the interchange cap. While the research and development (R&D) costs are not included in the base interchange standard, the rule states "the cost of research and development of new authentication methods would be considered in the fraud-prevention adjustment." Should issuers adopt EMV, R&D costs incurred are allowable under the fraud prevention adjustment standard. Finally, the final rule clearly excludes the cost of card production and delivery—a requirement for migration to EMV—as an allowable cost.
The impact of the Durbin Amendment on movement toward EMV remains open to debate. Is the potential for future debit card interchange rate increases enough to motivate issuers to finally migrate to the EMV standard? Do the current interchange cap and exclusion of some EMV-related costs from the interchange standard hinder a future move toward EMV? I am optimistic that future potential adjustments to the components of the interchange standard under the final rule's expanded set of allowable costs—along with the consideration of R&D costs as part of the fraud adjustment component—will have a positive impact on migration to EMV.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 25, 2011 in bank supervision, consumer protection, EMV | Permalink
May 09, 2011
United front needed to prevent EMV card fraud from picking low-hanging fruit
I was pleased to see in the news recently that Chase and Wells Fargo announced the issuance of EMV chip-enabled cards for several of their credit card portfolios. Though these EMV chip-enabled cards will still have mag stripes and are primarily intended for customers who travel internationally, these announcements represent a positive move toward a more secure payment card environment in the United States.
Based on available data from countries around the globe with EMV experience, EMV chip-enabled cards have been highly successful at reducing counterfeit and lost or stolen card fraud within market. However, these cards have had less impact on overall fraud levels. Fraud has simply shifted to different products (from credit to debit), other channels (from card-present to card-not-present, or CNP), or other geographies (fraud perpetrated abroad).
If the U.S. payments industry does decide to move forward with EMV, the experiences in markets that have already undergone or are undergoing the migration to EMV teach us that issuers, networks, and merchants across all payment channels must make a coordinated effort in order to achieve a positive impact on overall payment card fraud levels. Without coordination, the United States would likely see fraud shifting to other products and channels but not geographies—by then, all developed countries will have converted to EMV, including our neighbors, Canada and Mexico.
EMV migration experience: Card-present fraud shifts to card-not-present fraud
The success of EMV in reducing card-present fraud in countries that have made the move is impressive. Based on the latest figures from the UK Cards Association, face-to-face card fraud at United Kingdom retailers fell by nearly 70 percent after the widespread introduction of EMV in 2004. Yet, during that same time, CNP fraud rose by 50 percent and now represents 62 percent of all payment card fraud in the country. Likewise, according to figures from the Observatory for Payment Cards Security, fraud rates in France on face-to-face transactions with French-issued cards fell from 0.029 percent in 2004 to 0.014 percent in 2009—but then CNP fraud rates for transactions within France rose from 0.177 percent to 0.263 percent. And in Australia, a similar pattern is emerging. According to the Australian Payments Clearing Association's latest release of fraud data for the 12 months ending June 30, 2010, skimming fraud is down significantly, yet overall payment card fraud continues to rise, in part due to a 25 percent increase in CNP fraud.
EMV migration experience: Fraud shifts between products
In Canada, the migration to the EMV standard has been led by the credit networks, namely Visa and MasterCard, who are all but done with the migration. (Liability shift—the movement of liability from the issuer to the merchant—took place March 31.) With a migration completion mandate set for January 2015, Interac, Canada's national debit payment network, has been much slower to migrate to the EMV standard. Criminal Intelligence Service Canada reported a slight decrease in payment card fraud from $512.2 million in 2008 to $500.7 million in 2009. However, as credit cards were the first to migrate, fraud shifted to debit cards. Interac reported a 36 percent increase in fraud in 2009—from $104.5 million in 2008 to $142.3 million. Interac, which is deploying chip-and-pin in earnest now, recently reported a 2010 fraud loss figure of $119 million, down 16 percent from 2009.
Australia is seeing a similar development. Scheme debit, credit, and charge cards are in the process of migrating to the EMV standard, while proprietary debit cards continue to use mag-stripe technology. Skimming fraud is down on scheme cards, but proprietary debit cards experienced a 94 percent increase in skimming fraud.
Coordination prevents fraudsters from identifying weakest link
The bad news for the United States is that a coordinated effort to migrate to EMV would be very challenging. First, we have a large number of credit and debit networks, payment card issuers, and payment cards in circulation (including closed-loop prepaid and private label), as well as acceptance locations (including ATMs) in the marketplace. Second, the number of card purchases in a CNP environment through the Internet or mobile device is continuing to proliferate.
But the good news for the United States is that not only can we learn from the experiences of the earlier-adopting countries but we can also take advantage of new technologies coming to market. For example, First Data's EMV Go-Cap and SecureKey's One Tap both work in the CNP environment. Also, as my colleague Cindy Merritt recently blogged on, mobile has great potential to address the increasing fraud in the CNP environment.
If all participants in the payments industry coordinate their efforts while also adopting new technologies, we could keep fraudsters scratching their heads as they search for the lowest-hanging fruit during a U.S. migration to EMV.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 9, 2011 in EMV, fraud | Permalink
March 14, 2011
Why U.S. issuers might be reluctant to adopt the EMV standard
A hot topic for Portals and Rails and the Retail Payments Risk Forum has been the replacement of magnetic-stripe cards with chip-and-pin cards in the United States. In fact, a recent industry blog labeled my colleague Rich Oliver "the first U.S. banking industry executive to publicly declare that a U.S. migration to the EMV payments standard is inevitable." Many countries around the globe have adopted or are in the process of adopting the EMV standard, but the United States has not budged, despite a recent European Payments Council resolution suggesting an end to mag stripe. Meanwhile, U.S. industry participants, including a large payment network and issuer, are investing in improving mag-stripe cards.
Let's consider the migration to EMV from an issuing perspective using recently collected debit card information by the Federal Reserve Board to assist with its responsibilities under the Durbin Amendment.
Current status of EMV in the United States
With the recent announcement that the Raleigh, N.C.-based State Employees Credit Union will convert its debit card portfolio to EMV by year's end, there are now two (yes, two!) small financial institutions in the United States committed to converting their portfolios to the EMV standard. If reports on fraud reduction since implementing the EMV standards in countries such as the United Kingdom are true, why then are U.S. issuers slow to convert to EMV? In last week's blog, Rich states that, given current fraud loss levels and fraud management and mitigation costs, there may not yet be a near-term business case for the migration to EMV. However, peeling back the onion another layer, a key difference between the authorization environment of the United States and those of other markets, such as the U.K., has led to lower levels of fraud, albeit at significant investment levels, and is a fundamental reason behind issuers' reluctance to migrate.
Online versus offline authorization
Nearly all card transactions in the United States are authorized online. In this environment, the transaction authorization uses telecommunications at the time of a sale to route a merchant's authorization request to the issuer to approve or decline, based on a number of factors such as available funds or credit limit and multiple fraud prevention and mitigation checks. U.S. issuers and networks have invested heavily in fraud prevention and mitigation controls for online authorization programs. As a result, issuers have recognized relatively low levels of card fraud—approximately $.02 per debit transaction, or 5.4 basis points of transaction value. For PIN-based debit transactions, these numbers are even lower: $.01 per transaction, or 3.3 basis points of transaction volume.
Unlike the United States, the United Kingdom has primarily been an offline authorization market. In this scenario, the transactions are not authorized at the time of sale, but rather are batched throughout a given time period and transmitted to the issuers. Most importantly, this type of authorization process does not support PIN debit transactions using magnetic-stripe technology. While the EMV standard supports both online and offline authorizations, the reduction of fraud for offline authorizations was a key driver of implementation in the United Kingdom, as EMV allows for offline authorization at the time of sale.
According to analysis of data from the UK Payments Administration, fraud rates on all cards at the end of 2004 (near the beginning of the EMV implementation) were significantly higher than fraud levels currently seen on debit cards in the United States. However, by June of 2010, fraud in the United Kingdom had fallen by more than 50 percent to £.03 per transaction, or 6.6 basis points of transaction volume, which is still higher than debit card fraud rates experienced in the United States today.
Will there be a case for U.S. issuers to adopt the EMV Standard?
With approximately 500 million debit cards in circulation in the United States, relatively low levels of fraud, and significant investments into current authorization systems, it seems reasonable that debit issuers currently have little appetite for investing in the EMV standard today. While recognizing that the credit card story might paint a different picture with higher fraud losses, the fact remains that both issuers and networks have made significant investments in authorization systems to prevent and mitigate credit card fraud from which they don’t appear to be ready to walk away.
In light of U.S. issuers' shunning the EMV standard to date, here are some questions for industry participants to ponder. Will there be a tipping point for the United States to adopt the EMV standard? If so, what will that tipping point be? Can the global card payment market exist in an environment similar to the electrical market, whereby the United States uses 110-volt electricity while most of the world uses 220 volt? Can chip-and-pin prepaid cards such as the Travelex Cash Passport Currency Card address differences in global payment standards for U.S. issuers in a way that electrical adapters address the voltage issue?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 14, 2011 in chip-and-pin, EMV, payments systems | Permalink
July 26, 2010
Can chip-and-pin technology address payment card fraud in the United States?
Last week's blog discussed how the United States has been slow to adopt the chip-and-pin payments card technology that many other countries are already using. We suggested that the continued reliance of the United States on the magnetic-stripe standard leaves consumers here more vulnerable to fraud. In fact, the Federal Reserve Bank of Kansas City recently published a paper that looked at global security standards within the payment card industry and found that "the difference between U.S. fraud rates and those in other countries is sufficiently large."
This week's blog looks a little closer at some of the numbers behind magnetic-stripe and chip-and-pin payment cards, including the cost of payment card fraud in the United States and what it would take to move to the EMV chip-and-pin technology. (Recall that EMV is an abbreviation for the originators of the standard: Europay, MasterCard, and VISA. EMV is now also owned by other card companies: the Japanese company JCB and American Express.)
Fraud losses on credit, debit, and prepaid cards in the United States totaled $6.89 billion in 2009, up 7 percent from 2008—a figure said to be on pace to reach $10 billion by 2015. According to the PULSE 2010 Debit Issuer Study, signature-based debit card fraud increased 43 percent last year and personal identification number (PIN) debit card fraud loss rose by 24 percent.
Exploiting the weakest link
The magnetic stripe stores data on a band of magnetic material on the back of a credit card. The stored data on a magnetic stripe can be read by swiping the card through a reader. The chip-and-pin card, on the other hand, most commonly exists as a smart card embedded with a microchip. The microchip can store a unique PIN, which ultimately replaces the cardholder's signature and can be used in contact or contactless mode. Chip-and-pin cards can therefore protect against card swipe fraud, cloning, and stolen data from lost or stolen cards—the most common kinds of fraud experienced by magnetic stripe cards.
Protecting payment cards: Security versus cost concerns
The implementation of chip technology will require a merchant to use new hardware and the consumer to use a new smart card with a microchip. Javelin Strategy & Research estimates the basic cost for the implementation of the EMV chip standard stands at $8.6 billion. Is this a figure the payments industry is ready and willing to dispense in this current economic climate? Today, we know of at least one U.S. financial institution that has migrated to EMV. Will this cause others to migrate, or is it too early to tell?
Defining the next logical approach
Some experts predict that the globalization of the EMV standard will drive the initial issuance of chip-and-pin cards in the United States. Other experts do not foresee the United States' immediate migration to chip-and-pin cards. Yet the growth of U.S. chip payment cards may prove that migration to EMV will come sooner than most believe.
Continuously guarding against debit and credit card fraud loss solidifies consumers' confidence in card payments and the financial system. EMV chip-and-pin and its methods for combating payments card fraud seem like a natural choice to replace the magnetic stripe card in the United States. Given the documented success of Europe and other parts of the world in combating payments card fraud since their move to EMV chip and pin, it may turn out that EMV chip and pin's global interoperability becomes the next security vehicle that can rein in magnetic stripe card fraud.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 26, 2010 in chip-and-pin, EMV, fraud | Permalink
Comments
Posted by: Michelle Johnson | September 14, 2010 at 11:49 AM
As an argument against adopting EMV, critics have pointed to EMV fraud weaknesses, such as susceptibility to man-in-the-middle attacks. On the other hand, other countries that have adopted EMV and Chip-and-PIN have witnessed a reduction in counterfeit and skimming fraud. While EMV may not be foolproof, it is important to keep in mind that any single fraud deterrent solution needs to be part of a larger, overarching fraud strategy. Financial institutions still need to build layered security into their products and implement vigorous application screening controls when issuing cards to new clients. Also, financial institutions should integrate enterprise fraud management systems and real-time analytics to more accurately predict fraudulent transactions as they happen.
Also, to address the debate as to whether or not the U.S. should adopt EMV, the good news is that we are ready for it. The smart card technology infrastructure that supports EMV or Chip and PIN is already available today and will even be able to evolve with next-generation chip-based card innovations.
Thanks, Jim!
Posted by: Jim Schlegel | August 04, 2010 at 01:44 PM
EMV in the U.S. business case:
U.S. EMV Migration Cost = $8.6 billion (once off);
U.S. Card Fraud = $6.89 billion (per annum);
ROI = 1.25 years!
Cost savings over next 5 years = $34 billion!
Even assuming a 100% error in the migration estimates, it's still an ROI less than the average 3 years a card is valid.
I'm not an Economist, but this looks like a pretty good investment to me. I say go, go, go! :)
Posted by: Wynand Vermeulen | August 04, 2010 at 06:24 AM


A large number of vendors will accept signatures for card transactions without even looking at the card. They don't ask for identification to verify the card holder. The resulting fraudulent transaction usually becomes the liability of the bank. Obviously, the vendor isn't regulated and has little liability. It is past the time for chip-and-pin cards. Signatures (although convenient for the customers) should no longer be allowed. At least if the card number is compromised, the chances that the PIN number is also compromised are slim. The EMV standard for tighter security doesn't seem to be progressing very quickly. For the protection of our customers and banks, we should be one of the front runners in a push for more security of our card transactions. Instead, we are at the mercy of the EMV standards which don't seem to be keeping up with the rest of the world.