20 December 2014

Business case for US migration to EMV called into question

15 February 2013  |  12973 views  |  19 credit card chip

A senior staffer at the Federal Reserve Bank of Atlanta has queried the business case for a mass market migration to EMV-based Chip and PIN technology in the US.

With a little over two years until the first liability shifts for the US are scheduled to take place in April 2015, issuers are being urged to set out their migration roadmaps as an urgent business priority.

Much of the thrust behind the shift is based on the fallibility of magnetic stripe cards and the US' exposure to rising fraud as other countries switch over to chip cards.

But as Douglas King, a payments risk expert at the Atlanta Fed points out in a recent blog post: "Fraud is but a small, albeit growing, expense on an issuers' income statement."

He points to the example of Discover - which is five years into its planning for EMV migration - which reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost it over $1.2 billion in 2012 and as much as $3.7 billion in 2010.

Further, as King points out: "It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment."

Across the border in Canada losses from CNP fraud since the roll-out of Chip and PIN in 2008 had more than doubled by 2011, rising from C$128 million to C$259.5 million.

"Ultimately, EMV as it exists today only solves part of the fraud equation," says King. "Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build."

Comments: (19)

Mike McCormack - PALMA ADVISORS LLC - Fort Lauderdale | 15 February, 2013, 09:42

This is no suprise though, and has been the case since the 1990s, when average issuer fraud losses were managed down below 10bp of card sales.   As the article points out there are larger amounts of fraud losses, much of which are currently being pushed onto merchants through chargebacks and fees, particularly in the card-not-present sector.  For EMV/chip cards to fit into the traditional financial institution model of seeing a 2-3X payback on an investment within a few years, it will be necessary for FIs to work with some large retailers to get a loyalty program implemented with instant point of sale redemption which reduces retailer cost or drives more retailer sales, and shifts more volumes to the Issuers. Obviously this sort of program is only effective with large national retailers where consumers frequently purchase, so the number of good dance partners are few.  

However, as it appears the payment networks are going to push U.S. Issuers, Acquirers, and the Merchants into EMV/chip acceptance anyhow, there is reason why the enterprising issuer should not try to leap into some arrangements with one or more retailers now.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Alexander Peschkoff - TEDIPAY - London | 15 February, 2013, 09:48 EMV is making life difficult for itself by not extending itself to online transactions. There are several ways in which EMV can offer tangible value to the US issuers to sweeten the pill. Once somebody does it for them (via mobile SE), EMV could be on the Kodak path. There are twice as many mobile phones than bank accounts in the world. 90%+ of phones have Bluetooth and can generate QRs. Most retail outlets have barcode scanners. Phone-based Secure Elements are the same as EMV chips. Doesn't EMV see it coming?..
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
David Abbott - Fiserv - London | 15 February, 2013, 10:02

This seems like a classic case of 'look over there'  distraction.... comparing the cost of fraud to the cost of postage is a silly analogy.....  Card processors are desperately driving Postage costs down by turning off paper statements and going online because the cost savings they make go straight to the bottom line. Of course saving the cost of merchant fraud does not help the Issuers bottom line - but come the day that POS fraud is an issuer problem i think it will join postage costs as something that needs to be managed..

To point the finger at CNP without addressing the reductions in fraud due to 3DSecure is to miss the point also...  Would issuers rather see consumers use Paypal wallets funded from their bank accounts via ACH for online transactions - I think not...

Interestingly there is NO mention in the article about the annual cost of card present fraud in the USA.... or any discussion of its continuing growth... 100% of which is authorised by the issuer wherever they are located.... or indeed the cost to Non US Issuers who often block first use of Cards at ATM's when the cardholder lands in the USA due to the high incidence of Skimming fraud that the USA continues to export to the rest of the worlds card issuing banks.    America needs to think out beyond two years.....  

 4 thumb ups! (Log in to thumb up)
Nick Collin - Collin Consulting Ltd - London | 15 February, 2013, 12:14

@David.  Excellent points! To add a few of my own:

- EMV does have a solution for CNP fraud in the form of Remote Chip Authentication with 3D Secure (MasterCard CAP; Visa DPA) - now very convenient to use in the form of Authentication Display Cards.

- US fraud is growing fast as it migrates from chipped countries to the weakest link.

- The monetary value of the fraud itself is just the tip of the iceberg - there's also the cost of preventing it, the damage to the integrity of card payments, and the social costs of organised crime funded by card fraud.

- EMV does a lot more than just reduce fraud, through a raft of added value applications.

- Richard Oliver of the Atlanta Fed actually called for US EMV migration to reduce fraud back in 2010, as reported in Finextra at the time -

20 July, 2010 - 15:32: US risks becoming a global centre for card fraud warns senior Fed staffer

 2 thumb ups! (Log in to thumb up)
A Finextra member | 15 February, 2013, 12:49

Could it be the SAME senior staffer - flipping or flopping?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Nick Collin - Collin Consulting Ltd - London | 15 February, 2013, 12:57

No, the original senior staffer was Richard Oliver - to be fair, Douglas King's article doesn't really say EMV is a bad idea - the headline is a bit one-sided.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Bjorn Soland - Promon AS - Oslo | 15 February, 2013, 13:39

The business case discussion need to include the fact that the card industry's sloppy security feeds criminals and terrorists globally. What costs should be included? Comments please.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Alexander Peschkoff - TEDIPAY - London | 15 February, 2013, 13:49 Is EMV the only viable option for the US issuers?.. Especially from the fraud-prevention point of view? I don't think so...
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Randy Vanderhoof - Smart Card Alliance - Princeton Junction | 15 February, 2013, 15:59

This article and Doug King's quotes are only addressing half of the story about the EMV business case for the U.S.  Yes, it will be costly and messy but the US payments market has been living off (and profiting from) a outdated magnetic stripe system for many years - and now it is time to pay for that deferred investment.  The report does not mention the spiraling cost of fraud prevention (PCI, end-to-end encryption, tokenization) that only slows the bleeding from organized criminal fraudsters, not to mention the financial impact on the rest of the global payments industry to have the US as the big donut hole in the worldwide interoperability and security framework.  It correctly states that CNP fraud is not addressed by EMV and that in all countries, CNP fraud went up after EMV was implemented, but it fails to point out that total fraud (including recently Canada) has gone down in every case over time.  CNP fraud is still a small fraction of total fraud, but you have to plug the huge leak in your canoe before you can start bailing.  From inside the EMV Migration Forum, which is the world where I live, I see a lot of strong industry leaders that understand that and are working towards a timely and efficient migration, and not questioning whether they should do it at all. 

 3 thumb ups! (Log in to thumb up)
Alexander Peschkoff - TEDIPAY - London | 15 February, 2013, 16:27 Randy, good points. By the "industry" do you refer to just the issuers or to the retailers too? If the latter, how does that correlate with the MCX plans?.. It takes two to tango with any payment method, whether it's EMV or seashells. Three, in fact, if you count the consumers too - NFC, and contactless EMV, is the latest lesson of what happens if you don't. It's one thing to issue a new payment method; it's a totally different story to make the retail and the consumers to adopt it...
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Paul Penrose - Finextra - London | 15 February, 2013, 17:27

Walmart, for one, are four-square behind EMV. Speaking at last week''s Smart card Alliance summit Walmart's John Drechny described EMV as an opportunity for retail payments executives to be leaders and move their organisations’ technology forward "in the right ways". In fact, Walmart has for some time had 100% of its payment system hardware equipped to accept EMV chip and PIN: Wal-Mart executive calls for US move to Chip and PIN.

 1 thumb up! (Log in to thumb up)
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 15 February, 2013, 19:38

I just left a comment on this Forrester blog post wondering why US regulators don't impose tighter security on ecommerce transactions. After reading this article, I think I've found the answer. But, as I'd commented on this Finextra post, I think the Fed has got this one right. For the first time, I'm actually seeing figures for fraud loss as a percentage of revenues / GDV, and they surely don't warrant the huge investment in EMV, especially since even magstripe transactions in the USA are authorized online. 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 15 February, 2013, 19:48

@PaulP: Sorry but Wal-Mart hasn't exactly had a great track record in heralding new technologies - at least not in the last 10 years. Three years ago, I'd pointed out in my personal blog post Will Wal-Mart Succeed With EMV Where It Failed With RFID? that Wal-Mart hadn't achieved much success with RFID. I'm now inclined to believe that its EMV pioneering efforts are unlikely to bear fruit.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Alexander Peschkoff - TEDIPAY - London | 15 February, 2013, 23:58 Ketharaman, I think you would be interested in reading this post: http://tomnoyes.wordpress.com/2012/09/20/emv-battle-impacts-mobile-payments/
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 16 February, 2013, 19:12

Nice article, TY for pointing it out @AlexP.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Pat Carroll - ValidSoft - London | 25 February, 2013, 11:09

EMV is based on reading the chip in the card. King is right to point out to the limitations of EMV for a CNP environment.  A card can indeed be fitted with an OTP generator (they already exist) and would the satisfy the 2FA requirements, clearly a step forward albeit with an associated cost. It is worth remembering that this is still only authentication and as such cannot guarantee the integrity of the transaction. Recently the European Central Bank issued a set of recommendations around securing electronic payments, especially the online channel. Like King, the ECB points to the fact that CNP is an environment that is complex and is the target from fraudsters from many channels. In 2013 we should not only expect such attacks to escalate in terms of frequency and significance, but for traditional defence technologies to provide little resistance. In my view, the winning solution will need to be suitable for use with tablets and smart-phones as they become increasingly popular forms of transacting online.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Brett King - Moven - New York | 09 February, 2014, 18:48

The lack of encryption is a fraud nightmare with mag-stripe. US banks have already had to reissue 17m cards as a result of the Target fraud, which would have been prevented with EMV - none of which is taken into account in King's comments. I'm afraid he's grossly underestimating the impact by chosing only one small data set in an avalanche of data against mag stripe. 

My favorite is this. The US accounts for 47% of global card fraud, but processes only 23% of card transactions globally. I think that says it all - it's all down to mag-stripe vs EMV.

http://www.businessweek.com/articles/2013-12-23/why-the-u-dot-s-dot-leaves-its-credit-card-system-vulnerable-to-fraud 

While there may be a better solution to EMV in EMV v2 or SE, regardless mag-stripe is grossly outdated tech that needs to be replaced. The US myth that something better than EMV is going to come along and they'll lead is just wishful thinking. 

 1 thumb up! (Log in to thumb up)
David Abbott - Fiserv - London | 09 February, 2014, 20:18

I was in the USA last week - two announcements  on TV (lots of TV news coverage)

1. 17M cards replaced at $10 per card ergo £170M cost to US issuers

2. Target are moving their Private label storecards away from Mag stripe to chip.

There is no mention (as yet) if the Chip/protocols used by Target will be EMV standard? For private label its not essential I suppose. We will hear in the fullness of time I am sure.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 10 February, 2014, 07:58

At the risk of sounding facetious, some more big ticket Target-like breaches - Neiman Marcus? - will result in some more replacements of magstripe with chip-and-PIN cards and, eventually, the US might end up with EMV by default rather than design! 

BTW, any idea if banks can pass on the $170M cost (sorry @DavidA: 17M x $10 = $170M, not £170M) triggered by the Target breach to Target?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Finextra news in your inbox

For Finextra's free daily newsletter, breaking news flashes and weekly jobs board, sign up now.

Related blogs

Create a blog about this story (membership required)

Related stories

04 February, 2013
08 January, 2013
07 November, 2012
24 July, 2012
02 July, 2012
15 March, 2012
31 January, 2012
17 January, 2012
08 November, 2011
19 July, 2011
14 July, 2011
13 April, 2011
01 March, 2011
20 July, 2010
25 May, 2010
21 October, 2009

Related company news

 

Featured job

to £85k base, double OTE, benefits
London, UK

Find your next job