EMV Cards - Chipping Away at Fraud

Transcription

1 EMV Cards - Chipping Away at Fraud Bill Kniering Director, Commercial Card Client Management MUFG Union Bank, N.A. A member of MUFG, a global financial group 2015 Mitsubishi UFJ Financial Group, Inc. All rights reserved. The MUFG logo and name is a service mark of Mitsubishi UFJ Financial Group, Inc., and is used by MUFG Union Bank, N.A., with permission. Member FDIC.

2 EMV Cards Chipping Away at Fraud Agenda: Card history What are EMV cards and where in the world are they? The October 2015 Liability Shift Why are there 2 options for EMV cards? EMV impacts in years to come Breaches 2

3 Looking Back A History in Plastic One Word: Plastics The Graduate Department store and gas card appear The first bank card, Charg-It, was introduced 1950 Diner s Club created first multi-use charge card 1958 American Express and BankAmericard debuts 1966 MasterCharge started 1970 s T&E cards offered by American Express and Diners Club 1992 Purchasing cards appear 1999 OneCards 2006 Payable cards make noise 2015 EMV Cards 3

4 EMV Cards Coming to Your Wallet Europay MasterCard Visa = Chip Enabled Cards Because the chip embedded in a smartcard generates a different, single-use code for every transaction, hacking to acquire card data is futile. 575 million chip cards to be issued in 2015 Only 50% in circulation Most will be Chip and Signature WSJ article points out challenge of remembering another PIN Canada 2012 EMV Active - Biggest issue was people leaving their card in the reader. Education will be key. 4

5 EMV Cards Chipping Away at Fraud Where The Cards Are 5

6 EMV Cards Chipping Away at Fraud Why Are They Better? Nearly impossible to clone an EMV card. The chip has strong cryptography and elaborate key management to digitally sign payment data to ensure transaction integrity. Each transaction carries a unique digital code (produced by the chip) which prevents the transaction data from being fraudulently reused, even if it is stolen from a merchant s or processor s database. Stolen card data cannot be reused at an EMV terminal without the original chip to generate the necessary code. 6

7 EMV Cards Chipping Away at Fraud What Happened When They Were Introduced? 45% of the World s payment cards are EMV 1.62 billion cards (not including the U.S.). 76% of the World s payment terminals are EMV 23.8 million terminals. After the EU completed its migration to EMV, the region has seen an 80% reduction in credit card fraud while the US saw a 47% increase. Canadian dollar losses due to card skimming declined by nearly 40% in 2011 after EMV implementation in The U.S. is the last member of the G20 to migrate to EMV. 7

8 EMV Cards Chipping Away at Fraud US EMV Timeline 8

9 EMV Cards PIN or Signature Which Card Verification Method (CVM) is best? Versus Signature, PIN CVM is most secure 60% of the EMV cards worldwide Debate is around the issuer s decision regarding online and offline transactions With PIN, cardholders will be able to make a payment both online and offline, without issues. With Signature, online transactions are fine but offline transactions may cause problems. The transaction may be below the offline limit and declined especially in Chip and PIN countries. If the signature is not checked then this is effectively a payment without any authentication anyway much like we see today Visa is backing Chip and Signature MasterCard, Discover and American Express are backing Chip and PIN Mike Cook, AT for Wal-Mart, called signature worthless as a form of authentication and criticized the rollout of chip-and-signature cards in the United States. 9

10 EMV Cards PIN or Signature Who is liable for what? October 2015 Liability Shift Mag Stripe Card Chip and Signature Card Chip and PIN Card Terminal vs. Card Type Responsible for Lost or Stolen Fraud Responsible for Counterfeit Fraud Responsible for Lost or Stolen Fraud Responsible for Lost or Stolen Fraud Mag Stripe Terminal Issuer Issuer Merchant Merchant Chip Terminal No PIN Pad PIN Pad not working Issuer Issuer Issuer Merchant Chip Terminal With PIN Issuer Issuer Issuer Issuer 10

11 EMV Cards Liability Shift The liability shift has a $10B potential price tag October 1, 2015 The entity with the lesser technology loses 11 A merchant using the swipe and signature terminal and the customer has an EMV card - the merchant is liable. A merchant has a chip enabled terminal but the bank hasn t issued the customer an EMV card - the bank is liable. Aite Group reported that 34% merchants interviewed late last year had never heard of the U.S. move to EMV. One Issuer said We don t really think we can teach Americans to do two things at once. So we re going to start with teaching them how to dip, and if we have another watershed event like the Target breach and consumers start clamoring for PIN, then we ll adjust.

12 EMV Cards The US by the Numbers 1.2 billion: Estimated number of cards that have to be upgraded to chip cards. 12 million: Estimated number of POS terminals that have to be upgraded to accept chip cards. 59%: Percentage of retail locations that will be EMV-compliant by the end of ,000: Current number of EMV chip-activated merchant locations 41%: Percentage of US. debit cards that will be issued as EMV cards by the end of %: Percentage of U.S. credit cards that will be issued as EMV cards by the end of 2015 $3.50: Average cost for issuing a new EMV card $500-$1,000: Average cost of an EMV-compliant point-of-sale terminal Sources: Javelin Research & Strategy, Aite Group, Payments Source, Payment Security Task Force, Visa 12

13 Card Breaches Do You Care? 579 data breaches in 2014, a 27.5% increase over the same period last year. Consumers have become complacent about breaches: 32% ignored the notifications or did nothing when alerted. 71% of respondents did not stop doing business with the company that had been breached. Target has spent $146 million to resolve data breach-related issues since the fourth quarter of Most of these expenses were for settling actual and potential breach-related claims, mainly by payment card networks The largest breach in history with 56 million accounts, Home Depot promised free identity-protection services, including credit monitoring, to any potentially impacted customers. To date, the company has spent $43 million in breachrelated expenses. For banks, it is a sizable costs just to reissue cards - $60 million for the Home Depot breach and $30 million with Target breach. 13