Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
March 14, 2011
Why U.S. issuers might be reluctant to adopt the EMV standard
A hot topic for Portals and Rails and the Retail Payments Risk Forum has been the replacement of magnetic-stripe cards with chip-and-pin cards in the United States. In fact, a recent industry blog labeled my colleague Rich Oliver "the first U.S. banking industry executive to publicly declare that a U.S. migration to the EMV payments standard is inevitable." Many countries around the globe have adopted or are in the process of adopting the EMV standard, but the United States has not budged, despite a recent European Payments Council resolution suggesting an end to mag stripe. Meanwhile, U.S. industry participants, including a large payment network and issuer, are investing in improving mag-stripe cards.
Let's consider the migration to EMV from an issuing perspective, using debit card information recently collected by the Federal Reserve Board to assist with its responsibilities under the Durbin Amendment.
Current status of EMV in the United States
With the recent announcement that the Raleigh, N.C.-based State Employees Credit Union will convert its debit card portfolio to EMV by year's end, there are now two (yes, two!) small financial institutions in the United States committed to converting their portfolios to the EMV standard. If reports on fraud reduction since implementing the EMV standards in countries such as the United Kingdom are true, why then are U.S. issuers slow to convert to EMV? In last week's blog, Rich states that, given current fraud loss levels and fraud management and mitigation costs, there may not yet be a near-term business case for the migration to EMV. However, peeling back the onion another layer, a key difference between the authorization environment of the United States and those of other markets, such as the U.K., has led to lower levels of fraud, albeit at significant investment levels, and is a fundamental reason behind issuers' reluctance to migrate.
Online versus offline authorization
Nearly all card transactions in the United States are authorized online. In this environment, the transaction authorization uses telecommunications at the time of a sale to route a merchant's authorization request to the issuer to approve or decline, based on a number of factors such as available funds or credit limit and multiple fraud prevention and mitigation checks. U.S. issuers and networks have invested heavily in fraud prevention and mitigation controls for online authorization programs. As a result, issuers have recognized relatively low levels of card fraud—approximately $.02 per debit transaction, or 5.4 basis points of transaction value. For PIN-based debit transactions, these numbers are even lower: $.01 per transaction, or 3.3 basis points of transaction volume.
Unlike the United States, the United Kingdom has primarily been an offline authorization market. In this scenario, the transactions are not authorized at the time of sale, but rather are batched throughout a given time period and transmitted to the issuers. Most importantly, this type of authorization process does not support PIN debit transactions using magnetic-stripe technology. While the EMV standard supports both online and offline authorizations, the reduction of fraud for offline authorizations was a key driver of implementation in the United Kingdom, as EMV allows for offline authorization at the time of sale.
According to analysis of data from the UK Payments Administration, fraud rates on all cards at the end of 2004 (near the beginning of the EMV implementation) were significantly higher than fraud levels currently seen on debit cards in the United States. However, by June of 2010, fraud in the United Kingdom had fallen by more than 50 percent to £.03 per transaction, or 6.6 basis points of transaction volume, which is still higher than debit card fraud rates experienced in the United States today.
Will there be a case for U.S. issuers to adopt the EMV Standard?
With approximately 500 million debit cards in circulation in the United States, relatively low levels of fraud, and significant investments in current authorization systems, it seems reasonable that debit issuers currently have little appetite for investing in the EMV standard. While recognizing that the credit card story might paint a different picture with higher fraud losses, the fact remains that both issuers and networks have made significant investments in authorization systems to prevent and mitigate credit card fraud from which they don’t appear to be ready to walk away.
In light of U.S. issuers' shunning the EMV standard to date, here are some questions for industry participants to ponder. Will there be a tipping point for the United States to adopt the EMV standard? If so, what will that tipping point be? Can the global card payment market exist in an environment similar to the electrical market, whereby the United States uses 110-volt electricity while most of the world uses 220-volt? Can chip-and-pin prepaid cards such as the Travelex Cash Passport Currency Card address differences in global payment standards for U.S. issuers in the way that electrical adapters address the voltage issue?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed