[Dave Birch] In the US, which accounts for about half of all payment card fraud, the fraud rate is double that in SEPA (at around eight basis points). That’s doesn’t seem too bad. But a true measure of the impact of card fraud must include the costs incurred by the retailers and others as well as the issuers. SEPA card fraud was €1.5 billion last year (Payment Cards and Mobile, Jan-Feb 2013). But how much was spent on charge-offs, PCI-DSS, identity theft recovery and so forth? You have to suspect that the real costs of card fraud are much higher than the headlines indicate. If they’re not, then EMV starts to look expensive.

He points to the example of Discover – which is five years into its planning for EMV migration – which reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost it over $1.2 billion in 2012 and as much as $3.7 billion in 2010.

[From Finextra: Business case for US migration to EMV called into question]

In Europe, we spent the money on EMV but – speaking very generally – we used it as a hard-to-copy magnetic stripe system. Authorisations are still online and we never used any of the functionality that EMV provides (e.g., multiple payment applications on the same chip). This was good enough to transfer some fraud away to magnetic stripe zones (ie, the USA) but some of it stayed at home and shifted to payday loan fraud and the like, where it shows up in the figures as bad debt rather than card fraud. This does make it hard to do the proper cost benefit analysis. Fortunately, there are organisations such as Consult Hyperion who can help issuers and acquirers to develop roadmaps and deploy solutions that keep their costs under control, but there are costs beyond those borne by the banks and these are not under control.

One particular category of cost not always properly accounted for is crime. The law enforcement organisation Europol say that card fraud delivers €1.5 billion to organised crime and that is used to fund a variety of criminal enterprises: the social cost of this needs to be factored. I remember this discussion from the early days of EMV planning in the UK and if memory serves this was the UK police’s position as well. It wasn’t the absolute level of card fraud that was the problem, but the fact that it provided easy ‘seed capital’ for organised crime.

I’m not suggesting that the US has any more of a problem with organised crime than Europe does, but I’m sure it would be one of the factors to be considered if there were a national strategy towards payment systems, which there isn’t. This is a good reason for proceeding with EMV migration even though the rudimentary fraud-based business case simply does not stack up, especially if you do not assume some technological progress in other areas during the time that EMV migration takes. In fact, as I wrote some time back, the absolute level of fraud may well be somewhere down the list.

All these years we’ve been thinking that the EMV migration business case depends on fraud, and now it turns out that it might instead depend on fraud prevention, the cost of which is becoming punitive. PCI-DSS has undoubtedly had a positive impact reducing card fraud, but the cost to merchants is enormous.

[From Best pay]

The costs of PCI are huge. The root cause of this is that authentication of the consumer is performed using credentials such as the card number and expiry date that are not secret and are trivial to obtain and copy. We need a better way of authenticating the consumers credentials for payments and this needs to be distinct from the authorisation from the payment system.

my position (and that of most non network people) is that AUTHORIZATION and AUTHENTICATION are completely different problem sets

[From EMV Battle Impacts Mobile Payments « FinVentures]

If the identification and authentication problem can be handed over to a more general, cross-sector set of solutions that work inside a much wider framework (I’m think here of initiatives such as FIDO operating with something like NSTIC) then these costs can be drastically reduced and the issuers can focus on the separate authorisation and risk management problem. In fact, I might go a little further and say that if cross-sector authentication solutions are developed reasonably quickly, then the issuers might be much better off shifting to the “something present” (SP) model sooner rather than later: you buy something in a store, a message pops up on your device formerly known as the mobile phone, you enter a PIN, up pops the receipt, that kind of thing. After all, why waste money sending out expensive chip cards when the customers can use the chip cards that they already have (ie, their SIM cards) ?

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers

2 comments

  1. I think it must be time for a war on credit cards! What we need is good old fashioned cash issued by the government or even by productive businesses (i.e. anyone but banks).
    – You can trust cash, banks can’t steal it from your account.
    – You don’t forget the access codes, and its private. – Its much harder to launder millions of billions when its all in paper.
    – You can keep track of how much issued, unlike commercial credit.
    – the most vulnerable people (insofar as we care about them) find cash easier to budget with.

  2. And what do issuers and Weve say about using SIM as “chip”? (I.e. what are the main reasons, on both sides, for not doing it?)

    As for crime proceeds etc, what is your opinion on the hypothetical scenario of some country replacing cash with chip cards, i.e. issuing cards instead of cash?.. Say, offer a free chip card to every foreigner who ask for it at the border (doing instant KYC as part of passport check) as well to every citizen who doesn’t have a bank account (state prepaid EMV if you like). How long would it take to stop moaning about privacy etc and to “keep calm and carry on”? My guess is 6-12 months, if implemented right…

Leave a Reply to Alexander Peschkoff Cancel reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: