He points to the example of Discover – which is five years into its planning for EMV migration – which reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost it over $1.2 billion in 2012 and as much as $3.7 billion in 2010.[From Finextra: Business case for US migration to EMV called into question]
In Europe, we spent the money on EMV but – speaking very generally – we used it as a hard-to-copy magnetic stripe system. Authorisations are still online and we never used any of the functionality that EMV provides (e.g., multiple payment applications on the same chip). This was good enough to transfer some fraud away to magnetic stripe zones (ie, the USA) but some of it stayed at home and shifted to payday loan fraud and the like, where it shows up in the figures as bad debt rather than card fraud. This does make it hard to do the proper cost benefit analysis. Fortunately, there are organisations such as Consult Hyperion who can help issuers and acquirers to develop roadmaps and deploy solutions that keep their costs under control, but there are costs beyond those borne by the banks and these are not under control.
One particular category of cost not always properly accounted for is crime. The law enforcement organisation Europol say that card fraud delivers €1.5 billion to organised crime and that is used to fund a variety of criminal enterprises: the social cost of this needs to be factored. I remember this discussion from the early days of EMV planning in the UK and if memory serves this was the UK police’s position as well. It wasn’t the absolute level of card fraud that was the problem, but the fact that it provided easy ‘seed capital’ for organised crime.
I’m not suggesting that the US has any more of a problem with organised crime than Europe does, but I’m sure it would be one of the factors to be considered if there were a national strategy towards payment systems, which there isn’t. This is a good reason for proceeding with EMV migration even though the rudimentary fraud-based business case simply does not stack up, especially if you do not assume some technological progress in other areas during the time that EMV migration takes. In fact, as I wrote some time back, the absolute level of fraud may well be somewhere down the list.
All these years we’ve been thinking that the EMV migration business case depends on fraud, and now it turns out that it might instead depend on fraud prevention, the cost of which is becoming punitive. PCI-DSS has undoubtedly had a positive impact reducing card fraud, but the cost to merchants is enormous.[From Best pay]
The costs of PCI are huge. The root cause of this is that authentication of the consumer is performed using credentials such as the card number and expiry date that are not secret and are trivial to obtain and copy. We need a better way of authenticating the consumers credentials for payments and this needs to be distinct from the authorisation from the payment system.
my position (and that of most non network people) is that AUTHORIZATION and AUTHENTICATION are completely different problem sets[From EMV Battle Impacts Mobile Payments « FinVentures]
If the identification and authentication problem can be handed over to a more general, cross-sector set of solutions that work inside a much wider framework (I’m think here of initiatives such as FIDO operating with something like NSTIC) then these costs can be drastically reduced and the issuers can focus on the separate authorisation and risk management problem. In fact, I might go a little further and say that if cross-sector authentication solutions are developed reasonably quickly, then the issuers might be much better off shifting to the “something present” (SP) model sooner rather than later: you buy something in a store, a message pops up on your device formerly known as the mobile phone, you enter a PIN, up pops the receipt, that kind of thing. After all, why waste money sending out expensive chip cards when the customers can use the chip cards that they already have (ie, their SIM cards) ?
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers