Another article, this time in American Banker, questioning the rather odd trajectory of EMV in the USA. You’ll recall, I’m sure, that a number of international observers expressed surprise when (some time back) the banks over there decided to roll out chip and signature rather than chip and PIN or, indeed, chip and anything else (fingerprints, body odour or voice recognition). No-one seems to know why.
One reason banks offer for this choice is the presumed difficulty of remembering another PIN. Are we to think that Americans are not quite as capable as the British, Dutch or Canadians — all of whom managed to figure out a way to make the more secure Chip and PIN work?[From A Chip Without a PIN Is Asking for Fraud | Bank Think]
Is that really it? That American card issuers think that Americans are too stupid to remember a four digit PIN? The seems somewhat patronising to me. I wonder what the American government thinks about it? The FBI thinks that Americans can use a PIN. Or at least they did, before their CVM recommendation was mysteriously taken down.
The alert, which was removed from the FBI’s Internet Crime Complaint Center site on Oct. 9, noted: “When using the EMV card at a POS terminal, consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card”… That recommendation left many of us scratching our heads because the vast majority of U.S. banks and credit unions have opted to roll out EMV as a chip-and-signature, not chip-and-PIN, transaction.[From FBI Quickly Pulls Alert About EMV – BankInfoSecurity]
So. Checkpoint. What do we know. Well, we know that PIN is far more secure than signature (I remember being told by Walmart that fraud on PIN debit cards was 250 times less than fraud on signature debit cards). The US banks are going to the expense of issuing chip cards that will defend only against the particular fraud of card counterfeiting — although to be fair according to the Nilson report, counterfeit card fraud losses to US issuers were something like a quarter of total world card fraud losses last year. But why not defend against other kinds of fraud (e.g., lost and stolen cards) by adding the PIN? Old chum David Poole says that the US is “stark raving mad” not to adopt PIN, on the basis of the latest fraud figures.
I was fascinated to read the latest fraud figures as reported in The Nilson Report this week. Worldwide card fraud is up 15% to $16b in 2014. Read that again – $16b that could potentially solve some austerity problems not to mention some poverty. I dare say many organisations would love to be reporting >15% top line revenue growth.[From None as blind as those that can’t see. If you can’t see it, smell the “coffee”… | David Poole | LinkedIn]
Let’s just put those figures in context. One of my favourite statistics last year, one that I often dropped into presentations, was that the US is a quarter of the world’s card volume but half of the world’s card fraud. Well, I’m afraid that statistic in no longer valid. On the basis of the latest figures, the US is now a fifth of the world’s card volume and half of the world’s card fraud. And remember, this the cost to issuers. It does not take into account the costs to merchants or the police.
The USA accounted for 48% of these losses. But a very important detail should not be omitted; this figure is over only 21% of the purchase volume. While this globally represents 5.65 cents in every $100 spent, the USA has more than doubled that at 12.75c per $100, and over the last five years the figure has increased each year.[From None as blind as those that can’t see. If you can’t see it, smell the “coffee”… | David Poole | LinkedIn]
The US has a problem. Yet, to be frank, if you were inventing EMV today, in a world of smartphones and online and biometrics, then you almost certainly wouldn’t come up with chip and PIN. You’d probably use a combination of convenient authentication and back-office analysis. It would not be surprising to me if the US banks have thought about this and have no intention of going to chip and PIN for their domestic market because chip solves their biggest card present fraud category (counterfeit, which is about half of their losses in the US) and tokenisation is a better solution to the card not present fraud category (and pretty much everything else). The evidence for this is that they’ve gone to chip, but rather than spend hundreds of millions on upgrading ATM networks for PIN management, waiting for merchants to add PINpads and educating customers about looking after their PINs, they’ve instead spent the money on tokenisation infrastructure, assuming that the growth of mobile, especially in-app, will be a more effective means to tackle overall fraud.
So, what does this mean? Well, that’s what I’m hoping to find out at Money2020 in Las Vegas next week, where I am chairing the session on authentication. For most of our clients, where to invest next is a crucial strategic question. Do they assume that US consumers and merchants will get fed up with “chip and wait” pretty quickly and so develop an appetite for contactless that they lack in a “swipe and go” world? Do they assume that none of this matters because in-store, online and mobile will all converge on in-app solutions? Do they assume that clever use of tokenisation platforms will deliver new services over and above fraud reduction? Well, it’s probably all three, but I will be fascinated to discover the sentiment in the corridors of the Venetian and will, of course, report back.