About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« Soccer balls and payment cards: A push for global standards | Main | Fight against payments fraud: The target is moving, but not everybody takes aim »

July 26, 2010


Can chip-and-pin technology address payment card fraud in the United States?

Last week's blog discussed how the United States has been slow to adopt the chip-and-pin payments card technology that many other countries are already using. We suggested that the continued reliance of the United States on the magnetic-stripe standard leaves consumers here more vulnerable to fraud. In fact, the Federal Reserve Bank of Kansas City recently published a paper that looked at global security standards within the payment card industry and found that "the difference between U.S. fraud rates and those in other countries is sufficiently large."

This week's blog looks a little closer at some of the numbers behind magnetic-stripe and chip-and-pin payment cards, including the cost of payment card fraud in the United States and what it would take to move to the EMV chip-and-pin technology. (Recall that EMV is an abbreviation for the originators of the standard: Europay, MasterCard, and VISA. EMV is now also owned by other card companies: the Japanese company JCB and American Express.)

Fraud losses on credit, debit, and prepaid cards in the United States totaled $6.89 billion in 2009, up 7 percent from 2008—a figure said to be on pace to reach $10 billion by 2015. According to PULSE 2010 Debit Issuer Study debit card fraud for signature-based debit card fraud increased 43 percent last year and personal identification number (PIN) debit card fraud loss rose by 24 percent.


How much of the Fraud is Occurring in the U.S.?
ENLARGE

Exploiting the weakest link
The magnetic stripe stores data on a band of magnetic material on the back of a credit card. The stored data on a magnetic stripe can be read by swiping the card through a reader. The chip-and-pin card, on the other hand, most commonly exists as a smart card embedded with a microchip. The microchip can store a unique PIN, which ultimately replaces the cardholder's signature and can be used in contact or contactless mode. Chip-and-pin cards can therefore protect against card swipe fraud, cloning, and stolen data from lost or stolen cards—the most common kinds of fraud experienced by magnetic stripe cards.

Protecting payment cards: Security versus cost concerns
The implementation of chip technology will require a merchant to use new hardware and the consumer to use a new smart card with a microchip. Javelin Strategy & Research estimates the basic cost for the implementation of the EMV chip standard stands at $8.6 billion. Is this a figure the payments industry is ready and willing to dispense in this current economic climate? Today, we know of at least one U.S. financial institutions that have migrated to EMV. Will this cause others to migrate, or is it too early to tell?

Defining the next logical approach
Some experts predict that the globalization of the EMV standard will drive the initial issuance of chip-and-pin cards in the United States. Other experts do not foresee the United States' immediate migration to chip-and-pin cards. Yet the growth of U.S. chip payment cards may prove migration to EMV sooner than most believe.

Continuously guarding against debit and credit card fraud loss solidifies consumers' confidence in card payments and the financial system. EMV chip-and-pin and its methods for combating payments card fraud seems like a natural choice to replace the magnetic stripe card in the United States. With Europe, and other parts of the world, documented success rate in combating payments card fraud since their move to EMV chip and pin, it may turn out that EMV chip and pin's global interoperability may become the next security vehicle that can rein in magnetic stripe card fraud.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

July 26, 2010 in chip-and-pin , EMV , fraud | Permalink

Comments

A large number of vendors will accept signatures for card transactions without even looking at the card. They don't ask for identification to verify the card holder. The resulting fraudulent transaction usually becomes the liability of the bank. Obviously, the vendor isn't regulated and has little liability. It is past the time for chip-and-pin cards. Signatures (although convenient for the customers) should no longer be allowed. At least if the card number is compromised, the chances that the PIN number is also compromised, is slim. The EMV standard for tighter security doesn't seem to be progressing very quickly. For the protection of our customers and banks, we should be one of the front runners in a push for more security of our card transactions. Instead, we are at the mercy of the EMV standards which don't seem to be keeping up with the rest of the world.

Posted by: Michelle Johnson | September 14, 2010 at 11:49 AM

As an argument against adopting EMV, critics have pointed to EMV fraud weaknesses, such as susceptibility to man-in-the-middle-attacks. On the other hand, other countries that have adopted EMV and Chip-and-PIN have witnessed a reduction in counterfeit and skimming fraud. While EMV may not be foolproof, it is important to keep in mind that any single fraud deterrent solution needs to be part of an larger, overarching fraud strategy. Financial institutions still need build in layered security into their products and implement vigorous application screening controls when issuing cards to new clients. Also, financial institutions should integrate enterprise fraud management systems and real-time analytics to more accurately predict fraudulent transactions as they happen.

Also, to address the debate as to whether or not the U.S. should adopt EMV, the good news is that we are ready for it. The smart card technology infrastructure that supports EMV or Chip and PIN is already available today and will even be able to evolve with next-generation chip-based card innovations.

Thanks, Jim!

Posted by: Jim Schlegel | August 4, 2010 at 01:44 PM

EMV in the U.S. business case:

U.S. EMV Migration Cost = $8.6 billion (once off);
U.S. Card Fraud = $6.89 billion (per annum);

ROI = 1.25 years!
Cost savings over next 5 years = $34 billion!

Even assuming a 100% error in the migration estimates, its still an ROI less than the average 3 years a card is valid.

I'm not an Economist, but this looks like a pretty good investment to me. I say go, go, go! :)

Posted by: Wynand Vermeulen | August 4, 2010 at 06:24 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad