Business case for US migration to EMV called into question

A senior staffer at the Federal Reserve Bank of Atlanta has queried the business case for a mass market migration to EMV-based Chip and PIN technology in the US.

  14 19 comments

Business case for US migration to EMV called into question

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

With a little over two years until the first liability shifts for the US are scheduled to take place in April 2015, issuers are being urged to set out their migration roadmaps as an urgent business priority.

Much of the thrust behind the shift is based on the fallibility of magnetic stripe cards and the US' exposure to rising fraud as other countries switch over to chip cards.

But as Douglas King, a payments risk expert at the Atlanta Fed points out in a recent blog post: "Fraud is but a small, albeit growing, expense on an issuers' income statement."

He points to the example of Discover - which is five years into its planning for EMV migration - which reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost it over $1.2 billion in 2012 and as much as $3.7 billion in 2010.

Further, as King points out: "It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment."

Across the border in Canada losses from CNP fraud since the roll-out of Chip and PIN in 2008 had more than doubled by 2011, rising from C$128 million to C$259.5 million.

"Ultimately, EMV as it exists today only solves part of the fraud equation," says King. "Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build."

Sponsored [New Impact Study] Catering to a new generation through unified card programmes

Comments: (19)

Mike McCormack

Mike McCormack Managing Director at PALMA ADVISORS LLC

This is no suprise though, and has been the case since the 1990s, when average issuer fraud losses were managed down below 10bp of card sales.   As the article points out there are larger amounts of fraud losses, much of which are currently being pushed onto merchants through chargebacks and fees, particularly in the card-not-present sector.  For EMV/chip cards to fit into the traditional financial institution model of seeing a 2-3X payback on an investment within a few years, it will be necessary for FIs to work with some large retailers to get a loyalty program implemented with instant point of sale redemption which reduces retailer cost or drives more retailer sales, and shifts more volumes to the Issuers. Obviously this sort of program is only effective with large national retailers where consumers frequently purchase, so the number of good dance partners are few.  

However, as it appears the payment networks are going to push U.S. Issuers, Acquirers, and the Merchants into EMV/chip acceptance anyhow, there is reason why the enterprising issuer should not try to leap into some arrangements with one or more retailers now.

A Finextra member 

EMV is making life difficult for itself by not extending itself to online transactions. There are several ways in which EMV can offer tangible value to the US issuers to sweeten the pill. Once somebody does it for them (via mobile SE), EMV could be on the Kodak path. There are twice as many mobile phones than bank accounts in the world. 90%+ of phones have Bluetooth and can generate QRs. Most retail outlets have barcode scanners. Phone-based Secure Elements are the same as EMV chips. Doesn't EMV see it coming?..

A Finextra member 

This seems like a classic case of 'look over there'  distraction.... comparing the cost of fraud to the cost of postage is a silly analogy.....  Card processors are desperately driving Postage costs down by turning off paper statements and going online because the cost savings they make go straight to the bottom line. Of course saving the cost of merchant fraud does not help the Issuers bottom line - but come the day that POS fraud is an issuer problem i think it will join postage costs as something that needs to be managed..

To point the finger at CNP without addressing the reductions in fraud due to 3DSecure is to miss the point also...  Would issuers rather see consumers use Paypal wallets funded from their bank accounts via ACH for online transactions - I think not...

Interestingly there is NO mention in the article about the annual cost of card present fraud in the USA.... or any discussion of its continuing growth... 100% of which is authorised by the issuer wherever they are located.... or indeed the cost to Non US Issuers who often block first use of Cards at ATM's when the cardholder lands in the USA due to the high incidence of Skimming fraud that the USA continues to export to the rest of the worlds card issuing banks.    America needs to think out beyond two years.....  

Nick Collin

Nick Collin Director at Collin Consulting Ltd

@David.  Excellent points! To add a few of my own:

- EMV does have a solution for CNP fraud in the form of Remote Chip Authentication with 3D Secure (MasterCard CAP; Visa DPA) - now very convenient to use in the form of Authentication Display Cards.

- US fraud is growing fast as it migrates from chipped countries to the weakest link.

- The monetary value of the fraud itself is just the tip of the iceberg - there's also the cost of preventing it, the damage to the integrity of card payments, and the social costs of organised crime funded by card fraud.

- EMV does a lot more than just reduce fraud, through a raft of added value applications.

- Richard Oliver of the Atlanta Fed actually called for US EMV migration to reduce fraud back in 2010, as reported in Finextra at the time -

20 July, 2010 - 15:32: US risks becoming a global centre for card fraud warns senior Fed staffer

A Finextra member 

Could it be the SAME senior staffer - flipping or flopping?

Nick Collin

Nick Collin Director at Collin Consulting Ltd

No, the original senior staffer was Richard Oliver - to be fair, Douglas King's article doesn't really say EMV is a bad idea - the headline is a bit one-sided.

A Finextra member 

The business case discussion need to include the fact that the card industry's sloppy security feeds criminals and terrorists globally. What costs should be included? Comments please.

A Finextra member 

Is EMV the only viable option for the US issuers?.. Especially from the fraud-prevention point of view? I don't think so...

A Finextra member 

This article and Doug King's quotes are only addressing half of the story about the EMV business case for the U.S.  Yes, it will be costly and messy but the US payments market has been living off (and profiting from) a outdated magnetic stripe system for many years - and now it is time to pay for that deferred investment.  The report does not mention the spiraling cost of fraud prevention (PCI, end-to-end encryption, tokenization) that only slows the bleeding from organized criminal fraudsters, not to mention the financial impact on the rest of the global payments industry to have the US as the big donut hole in the worldwide interoperability and security framework.  It correctly states that CNP fraud is not addressed by EMV and that in all countries, CNP fraud went up after EMV was implemented, but it fails to point out that total fraud (including recently Canada) has gone down in every case over time.  CNP fraud is still a small fraction of total fraud, but you have to plug the huge leak in your canoe before you can start bailing.  From inside the EMV Migration Forum, which is the world where I live, I see a lot of strong industry leaders that understand that and are working towards a timely and efficient migration, and not questioning whether they should do it at all. 

A Finextra member 

Randy, good points. By the "industry" do you refer to just the issuers or to the retailers too? If the latter, how does that correlate with the MCX plans?.. It takes two to tango with any payment method, whether it's EMV or seashells. Three, in fact, if you count the consumers too - NFC, and contactless EMV, is the latest lesson of what happens if you don't. It's one thing to issue a new payment method; it's a totally different story to make the retail and the consumers to adopt it...

Paul Penrose

Paul Penrose Head of Research at Finextra

Walmart, for one, are four-square behind EMV. Speaking at last week''s Smart card Alliance summit Walmart's John Drechny described EMV as an opportunity for retail payments executives to be leaders and move their organisations’ technology forward "in the right ways". In fact, Walmart has for some time had 100% of its payment system hardware equipped to accept EMV chip and PIN: Wal-Mart executive calls for US move to Chip and PIN.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

I just left a comment on this Forrester blog post wondering why US regulators don't impose tighter security on ecommerce transactions. After reading this article, I think I've found the answer. But, as I'd commented on this Finextra post, I think the Fed has got this one right. For the first time, I'm actually seeing figures for fraud loss as a percentage of revenues / GDV, and they surely don't warrant the huge investment in EMV, especially since even magstripe transactions in the USA are authorized online. 

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

@PaulP: Sorry but Wal-Mart hasn't exactly had a great track record in heralding new technologies - at least not in the last 10 years. Three years ago, I'd pointed out in my personal blog post Will Wal-Mart Succeed With EMV Where It Failed With RFID? that Wal-Mart hadn't achieved much success with RFID. I'm now inclined to believe that its EMV pioneering efforts are unlikely to bear fruit.

A Finextra member 

Ketharaman, I think you would be interested in reading this post: http://tomnoyes.wordpress.com/2012/09/20/emv-battle-impacts-mobile-payments/

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Nice article, TY for pointing it out @AlexP.

Pat Carroll

Pat Carroll Founder/Executive Chairman at ValidSoft

EMV is based on reading the chip in the card. King is right to point out to the limitations of EMV for a CNP environment.  A card can indeed be fitted with an OTP generator (they already exist) and would the satisfy the 2FA requirements, clearly a step forward albeit with an associated cost. It is worth remembering that this is still only authentication and as such cannot guarantee the integrity of the transaction. Recently the European Central Bank issued a set of recommendations around securing electronic payments, especially the online channel. Like King, the ECB points to the fact that CNP is an environment that is complex and is the target from fraudsters from many channels. In 2013 we should not only expect such attacks to escalate in terms of frequency and significance, but for traditional defence technologies to provide little resistance. In my view, the winning solution will need to be suitable for use with tablets and smart-phones as they become increasingly popular forms of transacting online.

Brett King

Brett King CEO & Founder at Moven

The lack of encryption is a fraud nightmare with mag-stripe. US banks have already had to reissue 17m cards as a result of the Target fraud, which would have been prevented with EMV - none of which is taken into account in King's comments. I'm afraid he's grossly underestimating the impact by chosing only one small data set in an avalanche of data against mag stripe. 

My favorite is this. The US accounts for 47% of global card fraud, but processes only 23% of card transactions globally. I think that says it all - it's all down to mag-stripe vs EMV.

http://www.businessweek.com/articles/2013-12-23/why-the-u-dot-s-dot-leaves-its-credit-card-system-vulnerable-to-fraud 

While there may be a better solution to EMV in EMV v2 or SE, regardless mag-stripe is grossly outdated tech that needs to be replaced. The US myth that something better than EMV is going to come along and they'll lead is just wishful thinking. 

A Finextra member 

I was in the USA last week - two announcements  on TV (lots of TV news coverage)

1. 17M cards replaced at $10 per card ergo £170M cost to US issuers

2. Target are moving their Private label storecards away from Mag stripe to chip.

There is no mention (as yet) if the Chip/protocols used by Target will be EMV standard? For private label its not essential I suppose. We will hear in the fullness of time I am sure.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

At the risk of sounding facetious, some more big ticket Target-like breaches - Neiman Marcus? - will result in some more replacements of magstripe with chip-and-PIN cards and, eventually, the US might end up with EMV by default rather than design! 

BTW, any idea if banks can pass on the $170M cost (sorry @DavidA: 17M x $10 = $170M, not £170M) triggered by the Target breach to Target?

[Upcoming Webinar] Next Gen Payment Processing: How banks can embrace the futureFinextra Promoted[Upcoming Webinar] Next Gen Payment Processing: How banks can embrace the future