Factors Influencing EMV Adoption in the United States

Transcription

1 The Innovator. March 2012 The Innovator Factors Influencing EMV Adoption in the United States BITS & BYTES: EMV in the U.S., by Dan Schutzer, BITS Consumer Payments Secure Payments across all Channels in the US, by Dr. Toni Merschen, Toni Merschen Consulting A US Shift to EMV Technology Ensuring Interoperability in a Connected World, by Ben Knieff, NICE Actimize EMV in the U.S.: Simplifying Deployment in a Zero Floor Limit Environment, by Simon Hurry, Visa Inc. Creating the Next Generation U.S. Payment System Environment the MasterCard Perspective, by Dave Meadon, MasterCard Adopting EMV in the U.S., by Eric Schindewolf, Vice President, Wells Fargo Bank Chip-and-PIN: Success and Challenges in Reducing Fraud, by Douglas King, Federal Reserve Bank of Atlanta We value your opinion. Please contact Dan Schutzer, Dan@fsround.org, if you have comments about this edition of The Innovator. Disclaimer: The views and opinions expressed in the enclosed articles are those of the authors and do not reflect the official policy or position of BITS or The Financial Services Roundtable.

2 BITS and BYTES: EMV in the U.S. By Dan Schutzer, Chief Technology Officer, BITS Those in the U.S. payments business are beginning to take a serious re-look at migrating to EMV. Simon Hurry reminds us in his article that there was an earlier attempt to introduce EMV in the U.S. that was based upon loyalty and multi-application cards as the main driver. It failed because the cost of cards and the supporting infrastructure to process both chips and loyalty applications was too high at the time; and we didn t have then the drivers of increasing card and ATM fraud, issues of acceptance for travelers to Europe and other countries outside the U.S., and the move to mobile. This re-look was recently highlighted by announcements by VISA and, more recently MasterCard, 1 of an EMV roadmap for the U.S. In this issue of The Innovator, we are fortunate to have contributions from many of the key players in the payment processing supply chain, from consultants, to payment processors, to card networks, issuers and regulators. Several key themes emerge from these articles: 1. Costs have dropped, especially when we are doing online EMV Although offline-only transactions, even if not the way forward when building a U.S. domestic program, may be necessary to accommodate international travelers, especially at off-line only terminals and kiosks, such as those used by the French rail Although EMV is not perfect, 4 it has resulted in reduced fraud and continues to evolve and adapt 5 in response to changing fraud patterns. 4. EMV can provide the industry with a technology that is fit for a fully-connected world with a multitude of consumer devices that can be used anywhere, anytime ; that secures commerce; that enables us to innovate and grow the retail payments business For EMV to get widely adopted in the U.S., because of its complexity and the large number of different stakeholders, there will need to be incentives and liability shifts, with some level of uniformity MasterCard says U.S. EMV Adoption is Key to Next-Gen Payments, by Olivia LaBarre, Bank Systems & Technology, February 1, Simon Hurry s article, EMV in the U.S.: Simplifying Deployment in a Zero Floor Limit Environment, The Innovator, March Eric Schindewolf s article, Adopting EMV in the U.S., The Innovator, March Ross Anderson, University of Cambridge, January Schindewolf20, 2012, BITS R&D SIG presentation on the vulnerability of EMV, Online and Electronic Fraud Incentives and Regulation. 5 Ben Knieff s article, A US Shift to EMV Technology Ensuring Interoperability in a Connected World, The Innovator, March Dave Meadon s article, Creating the Next Generation U.S. Payment System Environment the MasterCard Perspective, The Innovator, March Ben Knieff s article, A US Shift to EMV Technology Ensuring Interoperability in a Connected World, The Innovator, March See Simon Hurry s description of its Technology Innovation Program (TIP) that relieves merchants of their annual PCI DSS compliance validation obligation provided that 75% of their Visa transactions originate from contact and contactless EMV chip capable terminals, and their October 2015 liability shift, where any fraud resulting from counterfeit cards, created using data from the magnetic stripe of an EMV card and used at a merchant who does not have an EMV capable POS terminal, may entitle the issuer with the right to chargeback the transaction. 2

3 6. If the U.S. decides to move to EMV or some other chip-based technology, there needs to be a coordinated effort amongst financial issuers, networks and merchants to prevent fraud from shifting to other products and devices. I hope you agree with Toni Merschen when he states, The US financial industry and the merchant community have a once in a lifetime chance to bring their payment infrastructure to a state-of-the-art level which addresses usability, functionality, security and cost requirements, by adopting EMV or some variant of it. Thanks and happy reading! 9 The VISA liability shifts are in some contrast to MasterCard s recent announcement where their liability shift in 2015 falls to the party in the payment process that provides the least security; e.g. If the merchant has chip-and-pin capabilities, but the issuer has only chip-and-signature, the liability falls to the issuer, or vice-versa, MC: Pick Any Chip-Card Security You Want, as Long as It s PIN, by David Heun, American Banker, Feb 2, The separate initiatives launched by two different card schemes could be worrisome to industry leaders such as David Porter, general manager of Chase card services at JPMorgan Chase, who said in a recent BS&T article that successful adoption of EMV in the U.S. won t happen until all of the card schemds take a more uniform approach., MasterCard Says U.S. EMV Adoption is Key to Next-Gen Payments, by Olivia LaBarre, Bank Systems & Technology, February 1, Doug King s article, Chip-and-PIN: Success and Challenges in Reducing Fraud, The Innovator, March Eric acknowledges in his article that although solutions exist today for applying EMV to Card not Present they introduce a whole new set of expenses and servicing challenges for U.S. issuers who ve only just started working with EMV 3

4 Consumer Payments Secure Payments across all Channels in the US Dr. Toni Merschen, Principal at Toni Merschen Consulting Introduction and Background Momentum is undoubtedly building around upgrading the infrastructure US consumers use every day to pay at the point-of-sale (POS) and withdraw cash at automated teller machines (ATM). After using cash to pay merchants for delivering goods and services for ages, i.e. consumer payments 1.0, consumers and merchants started to rely on magnetic stripe based plastic cards more than 40 years ago. Although many improvements in terms of functions, features and security characteristics have been implemented during this time period, this consumer payments 2.0 technology is approaching its end of life. A whole series of innovative ways to pay and interact, e.g. contactless cards, mobile payments, position based services, and person-to-person transactions, require a more secure and versatile payment infrastructure than the magnetic stripe technology can provide. Against this backdrop, both Visa and MasterCard have recently announced initiatives to introduce chip based technologies for the US market in the next couple of years. They are requesting - in various flavors and along so far unsynchronized timetables the deployment of EMV compliant terminal and ATM technology and the support of the associated data transmissions in the payment system networks and servers. EMV has been the accepted global standard for the interaction between chip cards and terminals equipped to accept such cards 13. The payment world outside the US has witnessed an impressive success story regarding the deployment of EMV. More than 1.3 billion EMV cards are in circulation and are accepted at more than 20 million EMV terminals around the world 14. Most recently, Canada has undergone a complete upgrade of its payment infrastructure and implemented EMV nationwide. EMV is not just about chip cards, it s about a modern, multifaceted and highly secure payment infrastructure. It works in the brick-and-mortar world but also for payments and strong authentication in non-face-to face situations such as on the internet or with phone based services. The US payments industry and the merchants have a unique opportunity to deploy what we call consumer payments 3.0. That is to revamp the payments experience for consumers and merchants, through contact, contactless and mobile payments at the POS. Simultaneously, all stakeholders can leverage the new technology infrastructure to make non-face-to-face payments and ATM withdrawals more secure. In doing so, they have a huge chance to avoid the mistakes other markets made when introducing EMV. 13 The abbreviation EMV is derived from the initials of the original developers of the standard (Europay, MasterCard and Visa). Europay has since merged with MasterCard and the EMV standard is now maintained and managed by EMVCo LLC, jointly owned by American Express, JCB (Japan Credit Bureau), MasterCard and Visa

5 Basics EMV chips store cardholder data and credentials which include their PIN, and the cryptographic keys of the payments systems in a secure storage that is next to impossible to break into. At the beginning of a transaction the chip authenticates itself to the terminal so both participants know that the card is genuine and has not been counterfeited. EMV chips can also verify the PIN entered by cardholders proving that the cardholders are who they claim to be. These two features have reduced payment card fraud counterfeit and lost & stolen significantly wherever the technology has been deployed. The ensuing transaction authorization is based on the electronic documentation of both the card authentication and the cardholder verification; it is therefore more reliable and efficient than any paper based or manual procedure. Certainly, the payment networks have to be prepared to process the chip related data generated during the transaction from the point of interaction to the issuer host and all the way back. All three stages of the EMV transaction described above can be executed offline at the terminal or online using the networks. It is important to understand though that while card authentication and PIN verification can be handled offline the transaction authorization itself can be still be performed online involving the issuer host. In fact, most chip transactions worldwide are authorized online; the authorization request from the chip will include electronic indicators that the card and the PIN have been positively identified as genuine. The versatility of the EMV technology described is underlined by the fact that EMV supports contact, contactless and mobile payment transactions. Both contactless cards and mobile phones have integrated chips that perform the same functions during a transaction as would a chip embedded in a contact EMV card. Visa s request to upgrade the US merchant environment to EMV clearly indicates that Visa rates the current magnetic stripe infrastructure as not secure enough to support mobile payments in mass volumes. EMV technology provides issuers, acquirers, consumers and merchants with a functional and security architecture and operational infrastructure that works consistently across multiple channels. Transaction processing including the expensive handling of exceptions and chargebacks becomes more efficient and less costly. Finally, EMV chips can be leveraged to protect interactions via non-face-to-face channels. As discussed above, the chip can verify a PIN offline and then generate a dynamic one-time password (OTP) which can be transmitted to the issuer. Once the issuer has verified the OTP as genuine (by using chip parameters he monitors in his systems) the issuer knows that the card was present and the correct PIN was used. This form of authentication is by orders of magnitude stronger than a static password or other classical means of authentication such as mother s maiden name or address verification. With static passwords being frequently hacked and identity theft turning into a major problem for the entire society, strong authentication must become a matter of highest priority for the payment industry. 5

6 Migration Considerations The aforementioned announcements of both Visa and MasterCard primarily focus on the acquiring side of the payment infrastructure. However, at this point there is no indication that the entire system has a plan to start a nationwide migration. If there is one lesson from EMV migration projects around the world, though, then it is that issuers and acquirers, merchants and ATM providers have to move in lock step in order to optimize the overall return of the EMV business case. The other lesson that can be learnt from other markets is that fraud migrates from channel to channel. If EMV is only implemented in the brick-and-mortar world, fraudsters will focus on the card-not-present (CNP) channel. The associated fraud history, e.g. in the UK, clearly indicates that while fraud at the merchant POS decreased significantly, CNP fraud skyrocketed. Last but not least, fraud migrates from regions and markets that implement chip to those which don t. Fraudsters tend to select the path of least resistance as has been experienced by many markets around the world. Recommendation for the US Market The US is one of the few markets globally that does not have a comprehensive EMV migration plan agreed upon by all stakeholders. The market participants still have to convince themselves as a whole that a market wide migration makes sense from a business case and payments system integrity perspective. For a detailed description of the facts and myths as they relate to the US market see the author s paper Chip in the US: The Myths and the Facts 15. Here are some recommendations how to optimize the US deployment plan: PIN vs. signature The objective verification of cardholder PIN by the chip not only reduces fraud based on lost & stolen cards, it also simplifies the merchant checkout procedure, relieves the merchants of much paperwork and reduces the complexity of exception handling and chargebacks. Although EMV allows signature or even no cardholder verification as options, e.g. for low value payments, it is strongly suggested to take advantage of the chip to verify the PIN at the POS so it does not to have to be transported across the network. Online vs. offline The online vs. offline decision relates to three different elements of the transaction which can be handled somewhat independently. PIN: As said above, checking the PIN offline between the chip and the PIN pad is not only the most elegant way of PIN verification as it renders PIN encryption and transport across

7 the network unnecessary. It is also the only method of PIN verification at certain unattended POS such as ticket machines and parking kiosks. Without the support for offline PIN a card transaction would not be possible there. Obviously, when either the online or offline PIN is changed, they must be synchronized requiring a capable infrastructure supporting this function. ATMs have been used in many markets for this purpose. Cards can be authenticated securely off-line if the chip supports dynamic data authentication (DDA). Transaction authorization can be handled off-line by the card based on settings preset by the card issuer. In fact, most chip transactions around the world are authorized online, with the results of offline PIN check and offline card authentication included in the authorization request. Nevertheless, cards need to be specified such that they are capable to transact in full offline mode. This can be extremely helpful in emergency situations, e.g. hurricanes or earthquakes where network connectivity is interrupted. Other usage scenarios such as contactless transactions in a public transport environment require transaction times below 300 milliseconds which can only be achieved by means of offline checks. Again, in order to stay offline securely the chip must support DDA which today is only minimally more expensive than SDA. Market organization The single biggest hurdle for the US to start migrating to EMV is the absence of a nationwide governing body that can consolidate the market realities related to the business model. That is the US needs a committee which facilitates agreement between the major stakeholders and triggers decisions regarding a US EMV migration plan. Such a forum needs to be urgently formed and put to work by the stakeholders in the US. Conclusion The US financial industry and the merchant community have a once in a lifetime change to bring their payment infrastructure to a state-of-the-art level which addresses usability, functionality, security and cost requirements. EMV provides this technological basis and the learnings from other market migrations offer guidance for the US market participants. In order to make the migration feasible for all stakeholders it must follow a comprehensive and holistic plan that is managed rigorously. Dr. Toni Merschen Principal at Toni Merschen Consulting Herrberigstr. 5, D Simmerath, Germany GSM: , Phone: , FAX: , t.merschen@online.de Dr. Toni Merschen is a global expert and independent consultant on chip-card technology based business solutions for the financial, telecommunication, and transportation industries. He provides strategic consulting services and knowledge transfer for emerging consumer payment technologies. He was formerly senior vice president of 7

8 MasterCard s global Chip Center of Excellence in Waterloo, Belgium and prior to that he was head of Citigroup s global competence centre for chip-card-enabled solutions and mobile financial services, located in New York. He had earlier spent 14 years with IBM, undertaking numerous responsibilities. Toni Merschen has been a board level contributor to several global standards enabling smart card businesses and he serves on the Editorial Board of the Journal of Payment Strategy & Systems. He holds a PhD and a Masters degree in mathematics and physics from the Technical University of Aachen, Germany. 8

9 A US Shift to EMV Technology Ensuring Interoperability in a Connected World By Ben Knieff, Director of Fraud Product Marketing, NICE Actimize The industry debate on migration to EMV technology in the United States continues apace with many questions unanswered, but overall the discussion is moving in a positive direction. Financial institutions are concerned about the costs, benefits and complexity associated with the scale of a migration. Experiences in the United Kingdom and other nations are instructive; the size of the US market and infrastructure, legal and regulatory forces, and the payments behavior of consumers, could result in a dramatically different transition in the US. Additionally, some industry experts are suggesting that the US should leapfrog EMV for a newer alternative, but few workable alternatives have been proposed as of this writing. With the broad global adoption of chip and PIN EMV, there are substantial positive network effects for the US to join the rest of the global community and ensure interoperability in an increasingly interconnected world. Another common refrain points to the fact that migration to EMV fails to eliminate fraud: simply shifting fraud to card not present methods, fraudsters move from using counterfeit cards for cash and merchandise to the still lucrative method of utilizing card data for online purchases. These challenges, though, should not prevent the US from making the switch and embracing what has become a clear global standard. Failure to do so will lead to the US market being an even more attractive and lucrative target for fraudsters. As discussion continues on whether EMV will foster or hinder innovation in the US payments market, it is important to note the misconception that EMV technology implies only chip and PIN cards. Considering that the most common implementations today focus on replacing magnetic stripe with chip cards, this is understandable. It is critical to remember EMV is a standard for communication between a payment terminal and a payment device this can include contactless NFC capabilities in cards, mobile devices and other new form factors. Recent updates from networks, such as Visa s recent changes to its Technology Innovation Program 16, support the use of EMV at point of sale through both chip and PIN and contactless methods. This can foster innovation broadly to support mobile NFC and other form factors that increase electronic payments utility and convenience. In the face of changes associated with the Durbin amendment, merchants may be less inclined to support enhanced convenience and security in accepting small dollar debit payments in the US; innovation can continue for larger payments and non-us markets Visa TIP See Digital Transactions vol. 8 no. 11 page 32 the 10 Most Pressing Issues in Payments the Durbin amendment resulted in an increase in interchange cost for small ticket purchases, with cost parity occurring at $17. 9

10 While it is clear EMV is not perfect, and no standard is, it has continued to evolve and be implemented more and more successfully. No single change in payment standards will eliminate fraud completely. Data from Financial Fraud Action UK shows a massive 41 percent reduction 18 in counterfeit card fraud from 2009 to 2010, and a 50 percent reduction from 2008 to 2009 this impressive reduction easily makes up for some modest increases in other categories, such as nonreceived item. These reductions are even more significant when one considers they took place despite the initial implementation of the less secure static data authentication (SDA), as opposed to the more secure dynamic data authentication (DDA) that would be deployed in the US. The data also show a decline in online/card not present fraud over the same period, attributed to increasing use of sophisticated fraud screening detection tools by retailers and banks, as well as the growth in use of MasterCard SecureCode and Verified by Visa. 19 This suggests that concurrent evolution in both online and offline payments results in a significant reduction in fraud overall, with the UK numbers showing a 17 percent decrease in card fraud overall from 2009 to Major security gaps in the 3D Secure program, and modest adoption in the US, currently provides limited security for online payments, but major players, such as MasterCard and Intel, 20 are working on new methods to further secure online transactions which could become adopted concurrently with EMV rollout at point of sale to address fraud on both fronts. But at what cost? It is evident that rolling out EMV with a chip and PIN implementation substantially reduces POS and ATM fraud, but at what cost? The Smart Card Alliance suggests, In the past, one area of great concern has been the incremental cost of supporting EMV, estimated to be between $5 $13 billion for U.S. industry as a whole. 21 Various players in the payments ecosystem face differing costs and benefits. Financial institutions must issue new cards and upgrade ATMs, merchants must install new POS terminals, while acquirers and processors will have some degree of software or systems changes along with operational changes for all parties. The benefits associated with these costs do not accrue fully to the parties who take on the costs until certain rules change particularly a liability shift for fraud losses. Under current network rules, merchants have little incentive to invest in upgrading POS terminals as issuers are liable for most losses and issuers have little incentive to provide more expensive chip cards if merchants can t or won t accept them. The complex, multi-party system with a series of incentives designed around a decades-old magnetic stripe infrastructure is difficult to change without either a regulatory body with broad jurisdiction, a coalition of merchants and issuers with sufficient mass or tough moves from the 18 Fraud the Facts - page 7 19 Fraud the Facts - page Intel and MasterCard Join Forces to Enhance the Consumer Payment Experience for Online Shopping Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure 10

11 networks. As noted in a recent Chicago Fed Letter 22, However, no single entity has broad jurisdiction over U.S. retail payments. This decentralized structure is critical to understanding why it is so challenging to come up with workable solutions to payments fraud (whether committed online or offline) in the U.S. With such decentralization and lack of regulatory jurisdiction, the task falls to the private sector to realign incentives and coordinate efforts, which has already begun with the previously mentioned changes to Visa s Technology Improvement Program. Once incentives become aligned, the actual costs become more manageable for card present merchants and card issuers and broader benefits begin to accrue. While reduction in fraud losses is the most commonly cited benefit, lower costs for PCI DSS compliance and reduction in chargeback costs represent substantial additional cost savings. Revenue opportunities can emerge through loyalty applications embedded in the chip along with the payment application. Additional incremental revenue opportunities arise through such simple things as capturing interchange revenues from international travelers. Aite Group research from suggests financial institutions lost out on as much as $447million in revenue during 2008 due to lost card payment volume (interchange, foreign exchange and other fees) not to mention the negative customer experience. Some U.S. issuers have begun to provide chip cards to frequent travelers, though most of these initiatives are in pilot mode with very limited distribution. While the foreign transaction revenue will clearly not offset reduction in signature debit interchange revenue that would be associated with chip and PIN, it does represent revenue that is not captured today and will only grow as chip and PIN implementations of EMV are increasingly the global standard. With the existing consumer comfort with signature purchases, it is possible to implement dynamic data authentication (DDA) chip cards but rely on the signature for the customer verification method and still realize a substantial decrease in cloned/counterfeit card activity and interoperability with the rest of the world. Ripple effects require action No matter what path the US ultimately takes to roll out EMV broadly, it will take time and there will be a number of ripple effects, some we can foresee and other novel ones will emerge, that will require action. To date, US issuers and card not present merchants have kept fraud losses in check through sophisticated fraud detection software analyzing transactions for anomalies and blocking suspicious transactions. A migration to EMV will not eliminate the need for these systems but they will need to evolve to address both changes in legitimate and fraudulent activity. The ability to rapidly respond to shifting trends will be critical as the roll out will inevitably last a number of years, moving at different speeds for different issuers and merchants. 22 Chicago Fed Letter, December Aite Group 2009 "The Broken Promise of Pay Anytime, Anywhere: The U.S. Cardholder Abroad." 11

12 Detecting fraud relies on an understanding of both legitimate user behavior and known fraudulent behavior. As an EMV migration comes to fruition, both behaviors will change, while at the same time there will be a mix of EMV and magnetic stripe based payments. This mix and the shifts in relative volume between the two require issuers to have the flexibility to adjust fraud detection models and strategies over time with minimal IT investment, operational change, time to production, and end customer impact. For example, as EMV cards are rolled out, fraudsters will inevitably continue to target the magnetic stripe to counterfeit cards, thus inherently leading to a greater degree of risk associated with swipe transactions over chip transactions compared to swipe transactions today (i.e. the overall proportion of swipe transactions declines while the portion of fraudulent swipe transactions increases). Institutions which can identify transactions from cards issued with a chip, and the capabilities of the POS terminal being used, can quickly refine their fraud logic to effectively weight these variables and find the most fraud with minimal impact to legitimate transactions (i.e. false positives). A shift to EMV-based card present payments, both chip and PIN and contactless, will have longterm positive effects for financial institutions, merchants, acquirers and consumers. Card present fraud will be greatly reduced, freeing resources to fight card not present and other forms of fraud. Consumers will experience less friction transacting outside the US, while issuers realize interchange, interest and foreign exchange revenue from these transactions. Servicing costs can be reduced while consumer confidence in institutions and electronic payments can be improved, enabling new revenue opportunities. There is no question that EMV is imperfect, but the network effects of migrating to a global standard provides benefits well beyond those derived from leapfrogging to an alternative payment scheme. And while EMV does not eliminate fraud, the substantial reduction in fraud does provide a powerful reason to invest in the change. Ben Knieff Enterprise Fraud Prevention Ben Knieff is the Director of Product Marketing at NICE Actimize and has responsibility for defining the strategic direction for the company's fraud management technology. Mr. Knieff is an expert in security, compliance, and fraud management and for more than 10 years, has consulted with financial institutions across the globe, helping merge technology with business objectives to improve efficiency, efficacy, and profitability. Mr. Knieff often presents at industry conferences related to various financial crime topics including regulatory compliance, fraud management, and identity theft. He has led multiple product enhancements, new product launches, and entry to new markets with companies such as FIS and PayPal. 12

13 EMV in the U.S.: Simplifying Deployment in a Zero Floor Limit Environment By Simon Hurry, Visa Inc. Executive Overview The Europay, MasterCard, Visa standards, commonly referred to as EMV, have been around for almost 20 years. EMV was established with the goal of creating a global interoperable set of standards for smartcard chip-based payments. One of the primary early business drivers for EMV was to reduce fraud in the retail store environment, given the high cost and slow dial up speeds of obtaining a real time authorization using the telecommunications infrastructure prevalent at the time. Most of the standards, therefore, were designed to facilitate so called offline authorized transactions, which provided card based risk management to transact below certain merchant floor limits without online issuer authorization. Since then, both the cost and speed of telecommunications have improved exponentially, to the extent that even in Europe the number of offline authorized transactions has diminished significantly, from an estimated high of around 35% in the mid nineties to less than 10% today 24. The United States has always been a zero floor limit or online environment, and as a late comer to the EMV party, can avoid much of the cost and complexity of deploying EMV chip cards by implementing a minimal, online-only subset of the EMV standards while still reaping all of the benefits of reduced counterfeit fraud. Introduction The Europay, MasterCard, Visa standards, commonly referred to as EMV, have been around for almost 20 years, yet the United States, until now, has long resisted migrating to the standard. The primary reason for this reluctance to migrate was the lack of a coherent business case to justify the significant cost of the infrastructure. With fraud levels remaining relatively stable, primarily due to the fact that the U.S. has a zero floor limit policy and highly effective online fraud detection tools, few issuers felt an incentive to migrate. Historically, the U.S. did attempt an EMV program in early 2001, but the business case was primarily based on loyalty and multi-application cards rather than fraud reduction. The cards were very expensive, as was the acceptance and host infrastructure needed to process both chip and loyalty transactions. Coupled with these factors, the process for loading and redeeming rewards was not as elegant or appealing to consumers as hoped and the program went the way of several other early chip endeavors in this country. 24 Source VisaNet clearing & settlement counts 13

14 What s different this time? While various authors have touted EMV as a significant upgrade to the U.S. payments system, these assumptions are largely based on EMV programs in other countries, including Canada. While POS terminals and ATM s will require a replacement or retrofit with new chip hardware and software, much of the issuer or processor development may be avoided. Visa is recommending a very simple online only implementation that allows issuers to take advantage of the Visa Chip Authentication Services 25. What this means is that all transactions are always real-time authorized and Visa can optionally convert the transaction back to its magnetic stripe equivalent without compromising the security benefits conferred by smartcard-based transactions. Furthermore, the costs of cards, especially smartcards that do not require offline risk management, are much less expensive than before, further improving the business case. The primary influences redefining the landscape include: Mobile proximity payment capabilities including Near Field Communication (NFC) Opportunities to enhance acceptance for international travelers in Europe Gradual increases in counterfeit fraud on magnetic stripe cards. Critical mass of chip in the rest of the world, including Canada and Latin America Availability of simple low cost online only cards Visa U.S. chip acceleration efforts and the Technology Innovation Program (TIP) announcement This article examines these influences to illustrate why EMV has sufficient groundswell this time around. The article also broadly covers what Visa has done to encourage adoption, reduce cost, and lay the foundation for the eventual elimination of magnetic stripe technology on payment cards. EMV: European History and the American Approach It is generally acknowledged that the French pioneered smart card technology for payments with the primary goal of reducing fraud in an environment where both the cost and speed of authorizing all transactions through the communications network was prohibitive. For this reason the Europeans introduced merchant floor limits, under which transactions were not required to obtain online issuer authorization. On magnetic stripe technology this presented an opportunity for fraudsters, who quickly learned the floor limits at various merchants and were able to transact with impunity using counterfeit magnetic stripe cards for amounts below those limits. EMVCo, the organization responsible for the development of standards for smart card payments, was tasked with providing a solution to solve this problem. The result is a method based on a public key infrastructure (PKI) that enables terminals to authenticate cards, and cards to manage the open to buy risk up to certain limits. For the more technically minded, the diagram below describes the scheme: 25 Often referred to as Visa On Behalf Of (OBO) service they allow an issuer to launch a chip program with very minimal impact to the issuer or processor host systems. 14

15 Figure 1: Offline Dynamic Data Authentication 26 In situations where the transaction amount was above the merchant floor limit, or where the card did not allow an offline authorization, network communication was required and an online or real time issuer authorization was obtained. EMV chip cards therefore have the capability to support both online and offline authorization. More importantly, they also have the ability to support online authentication. However, unlike offline authentication, online authentication is achieved using a symmetric key based scheme. The diagram below depicts the flow of an online authenticated transaction: Figure 2: Online Authentication 26 Source: EMV 4.2 Book 2, Security and Key Management 15

16 It s Different in the U.S. In the U.S., all transactions are authorized online. Given that fact, one can understand why the offline risk management capability of EMV is largely irrelevant. In fact, with the declining costs and phenomenal speeds of IP based networks, the Europeans themselves now authorize fewer than 10% of transactions offline, down from an estimated 30 to 40% in the early days of EMV. The use of online-only authorization is thus a best practice in the U.S. because it leverages the always online infrastructure and enables issuers to continue to use their host-based fraud detection tools to manage risk. Online authorization also provides a more streamlined personalization approach, reducing time to market and cost. In fact, as much as 70% of the EMV specifications, the bulk of which are designed to support offline transactions, can simply be ignored while still gaining the anti-counterfeit fraud benefits of EMV. It s Different This Time Several attempts have been made to develop a business case for EMV in the U.S. and at least one concerted effort was made to introduce contact chip, in the U.S. before. Given the U.S. s always online environment, augmented by sophisticated, real time, host-based fraud detection systems the business case has been tenuous at best, especially when focused primarily on fraud. Recently, however, significant influences both on the issuing and acquiring side of the equation, coupled with an almost wholesale migration to EMV by the rest of the world almost certainly will result in a conversion to EMV card and EMV-based mobile payments over the medium to long term. The radical simplification of EMV as made possible by an always-online environment, in conjunction with the opportunity to reduce counterfeit fraud and enhance international acceptance present EMV in a new light to the U.S. payments industry. Finally, the promise of mobile payments, and the tie in to Visa s chip acceleration efforts for the U.S., completes the picture. The Cost of Offline Authentication The major inhibitor to the issuance of chip cards in the U.S. has been cost and complexity. Few people fully understand the significant cost impact introduced by offline risk management. The next few sections take a closer look at these impacts and explain why they are not needed in the U.S. environment. There are three areas that contribute to the cost of an EMV chip program, all of which are significantly reduced or completely eliminated by an online-only solution. Cost of chip cards and personalization Cost of host system changes Cost of training and support 16

17 Cost of chip cards and personalization In order to support offline risk management as required by Europe in the previous century, it was first necessary to establish a Public Key infrastructure as depicted in Figure 1: Offline Dynamic Data Authentication: above. However, this requirement extended all the way to the cards leading to an estimated 30% increase in cost as a result of the following requirements: Generation of the issuer asymmetric key pair Issuer registration with the brand certificate authority (CA) Card brand issuer due diligence and creation of multiple issuer public key certificates Issuer certificate management Card asymmetric key generation Card public key certificate generation The need for smartcards with large memory capacity plus crypto coprocessors capable of storing long asymmetric keys and performing complex public key encryption calculations. An online-only solution eliminates every single one of the above requirements, since it is only necessary to generate and personalize the relatively short symmetric keys needed for online authentication. Cost of host system changes The impact to the host systems can now also be significantly reduced both on the issuer and acquirer side. Requiring support for offline risk management more than doubles the development effort, especially with respect to clearing and settlement. In addition, it further complicates the dispute resolution process since offline transaction logs need to be interrogated to determine what offline risk management activities took place between the card and the terminal. Once again, these impacts are either mitigated or eliminated by an online only environment but more importantly can almost entirely be avoided through the implementation of the Visa Chip Authentication Services. The Visa Chip Authentication Services can effectively convert an online chip transaction to a magnetic stripe equivalent while retaining 100% of the counterfeit protection delivered by the online authentication that EMV chip cards deliver. The following bullets touch on the primary areas of cost savings when implementing an online-only solution: Issuers do not need to support real time EMV scripts required to reset offline risk management counters on the cards Issuers do not need to develop their own host-based chip real time authentication capability as this can be managed by Visa on their behalf Issuers do not need to interrogate offline chip data in clearing records to determine what happened at the point of sale in the event of a disputed offline transaction Acquirers and merchants may optionally not need to manage and distribute the Visa public root keys needed for offline data authentication Acquirers and merchants may not need to build and test the code necessary to clear and settle offline chip transactions 17

18 Cost of training and support While the savings in card costs, personalization costs and reduction in host system development are significant, it is the savings in training, coupled with the ability to completely avoid the Everest-high learning curve associated with offline risk management that really should interest U.S. issuers. Visa has effectively simplified chip for the U.S., to the extent that it no longer requires years of training, months of preparation and weeks of analysis on the impact to systems, processes and customer support. Chip now simply provides strong security against counterfeit magnetic stripe transactions, leaving most of the existing processes and procedures and customer service interfaces intact. Chip and PIN: The Great PIN Debate The final topic in this EMV discussion is the issue of offline PIN. No other aspect of offline risk management in EMV has generated more debate and passion than the issue of offline PIN and for this reason it merits an entire section on its own. Prior to engaging in this area, it is necessary to describe the various cardholder verification methods (CVM) and how they work with respect to chip cards. Cardholder Verification is used to check that the valid cardholder is using the card. Chip technology allows issuers to tailor the CVM to the transaction environment through the use of a prioritized list of CVM options that they place on the card. The list is referred to as a CVM List and supports multiple verification methods and the circumstances or priority under which they are invoked. Included in the list are signature, online PIN, offline PIN and No_CVM. No_ CVM is similar to the Visa Easy Payment service often called the No Signature Required program where neither PIN nor signature is needed for low value transactions. Offline PIN as distinct from online PIN is sent directly from the PIN Pad to the card where it is validated by the chip. Online PIN is encrypted in the PIN Pad and sent to the issuer host for validation. It is important to understand that a chip card may support all or any of the CVMs, but it is the issuer who controls the list on the card and the EMV standard requires the terminal to follow suit. In the last century, offline data authentication solved the problem of counterfeit cards in an offline environment, but it did not prevent lost and stolen cards from being used below the floor limits. For this reason support for offline PIN in Europe was essential and considered an important element in the business case. The United Kingdom, in particular, described their program as chip and PIN leading to the often quoted misconception that chip cards require the use of a PIN. The fact that the slogan rolled off the tongue easily, combined with a robust and effective marketing campaign, further cemented this fallacy. The truth is that the rest of the world has not deployed the so called chip and PIN option. The map in Figure 3: PIN vs. Signature preferring countries provides a rough idea of the prevalence of signature to PIN preferring deployments. 18

19 The departure point in this discussion is whether offline PIN has any relevance in an always online environment. Online PIN is already firmly entrenched in the U.S. and has very little impact with respect to an EMV deployment. Offline PIN however, especially the more secure offline encrypted version, requires a card that supports asymmetric keys and the full EMV PKI infrastructure to be present. More importantly, managing and synchronizing the offline PIN with the online PIN is very difficult and expensive, something most U.S. financial institutions are expressly trying to avoid. But most importantly in our 100% online environment, there is no requirement for offline PIN support. One small problem does remain for cardholders that travel and may use their U.S. chip cards at certain unattended kiosks in Europe. The unfortunate reality is that online PIN is not supported in parts of Europe and there are a few unattended kiosks that require offline PIN. For this reason, a U.S. card issuer may consider placing offline clear text PIN as the last priority in the CVM list on the card, but only for cardholders that reside in or travel frequently to Europe. Over time as chip becomes more prevalent in the U.S., European acquirers may reconfigure these unattended devices to also support No_CVM. Figure 3: PIN vs. Signature preferring countries 19

20 New Influences on the U.S. EMV Business Case The changing battlefield against data compromise and fraud From the acquiring and merchant perspective, PCI DSS compliance and annual compliance assessments, while effective, have been costly and remain a constant and ongoing expense for the acquiring community. According to a 2011 Merchant Advisory Group (MAG) survey it is roughly estimated that Level 1 and Level 2 merchants (those processing more than 1 million Visa transactions annually) have spent $20 billion to date on PCI DSS compliance. Managing data security through PCI DSS compliance has been effective and more than 90% of large U.S. merchants have validated their compliance. Additionally, technologies such as encryption and tokenization are effective in reducing the scope of PCI DSS. However, these efforts continue to be focused on the protection of vulnerable data. Magnetic stripe technology based on its static nature is fundamentally vulnerable to compromise, at the source i.e. the magnetic stripe on the card itself. Should smartcard technology completely replace the magnetic stripe, then at least in the brick and mortar environment, the scope of PCI DSS may be limited, and the war on data compromise and fraud will shift to a different battlefield. Compliance with PCI DSS remains a key component of Visa s data security strategy which relies on layers of security, however, Visa identifies a significant value in EMV and the use of dynamic authentication to devalue transaction data in the face to face environment. With that change, more effort may be directed towards protecting data from compromise and fraudulent use in the ecommerce environment. Chip is no longer a four letter word for U.S. issuers For the past several years, suggesting to U.S. issuers that they should move to chip cards was a pretty efficient way of getting shown to the door. Today, complaints about magnetic stripe acceptance in Europe, lowered costs of cards and the simpler online-only chip and signature approach are starting to present a much more attractive picture to issuers. Furthermore, despite the counteracting impact of online fraud tools, counterfeit fraud remains a growing problem, especially in the U.S. Visa s Roadmap for dynamic authentication Despite the radical simplification of EMV described above, wholesale adoption would still be unlikely without the introduction of a set of issuer and acquirer incentives. Based on its experience in other countries, Visa announced a U.S. roadmap for dynamic authentication with the primary purpose of encouraging and accelerating the adoption of chip and contactless / near field communication (NFC) based payments in the U.S. The Visa roadmap includes a set of incentives, mandates and deterrents as described in the diagram below: 20

21 Figure 4: Visa Chip Acceleration Program There are three primary components to the Visa announcement. These are the Technology Innovation Program (TIP), the acquirer mandate in 2013 and the counterfeit liability shift program. 1. Technology Innovation Program (TIP). This lever relieves qualifying merchants of their annual PCI DSS compliance validation obligation provided that 75% of their Visa transactions originate from dual interface i.e. contact and contactless EMV chip capable POS terminals. While TIP does not eliminate a merchant s PCI DSS compliance requirements, the savings on the annual assessment, can be fairly substantial. 2. Acquirer and Acquirer Processor Mandate. While merchants are not required to terminalize i.e. there is no mandate to deploy chip terminals, acquirers and their processors must be ready to carry the dynamic cryptogram and related chip data associated with an EMV transaction. This mandate is effective April 2013 and basically requires the acquiring network to support a new chip field commonly referred to as Field 55. The intent of the mandate is to facilitate chip and mobile transactions should a merchant choose to deploy the POS terminal environment. 3. Liability Shift. Beginning October, 2015, any fraud resulting from counterfeit cards, created using data from the magnetic stripe of an EMV card and used at a merchant who does not have an EMV capable POS terminal, may entitle the issuer with the right to chargeback the transaction. This liability shift will be in effect for both domestic and cross border POS transactions. Gasoline retailers have been granted a two year extension given their regulatory environment, and the relatively high cost of replacing or retrofitting the automatic fuel dispenser environment. It should be noted that the purpose of the liability shift is to protect the entity that has invested in chip technology. Thus for the merchant that has invested in chip acceptance technology, there is no concern 21

22 Conclusion regarding liability shift and in the highly unlikely event that counterfeit fraud occurs the existing issuer liability rules remain intact. The approach proposed by this paper strips EMV of much of its cost and complexity. This mirrors many modern day approaches to innovation that reflects a series of simple adaptations, that provide needed functionality and meet the majority of business needs in the most economical and logical fashion. Even if at some point the business needs dictate a requirement for offline risk management, issuers can always add that functionality in the next issuance cycle. But if done up front and never used, that cost is sunk, never to be recovered. This entire document can be summarized by three phrases: Keep it simple. Keep the cost down. Keep it online. Simon Hurry is a Senior Business Leader at Visa Inc, responsible for Global contactless and contact chip card programs. Simon has over 17 years of experience in the payments industry with a specialized focus on smart card and contactless payments. Prior to joining Visa, Simon architected smart card clearing and settlement systems at Nedcor Bank in South Africa. He was an active member and vice chairman of the GlobalPlatform systems committee, and is currently co-chair of the Smart Card Alliance Payments Council. Simon holds a Bachelor of Science from the University of Kentucky and an MBA from the University of Pretoria. 22

23 Creating the Next Generation U.S. Payment System Environment the MasterCard Perspective by Dave Meadon, MasterCard MasterCard s Vision The progress of technology continues apace, in all walks of life, especially in the retail payments arena. It is becoming clearer by the day that we are relying more and more on electronic payments for our daily purchases; we are heading, inexorably, toward a World Beyond Cash. Over the last 45 years, the U.S. payments industry has relied upon magnetic stripe card technology; this technology brought automation to the original paper-based, manually-intensive way of buying goods and services. It has served us well, but at MasterCard, we believe that we need a new payment technology infrastructure for the future. We need a technology that is fit for a fully-connected world with a multitude of consumer devices that can be used anywhere, anytime; that secures commerce; that enables us to innovate and grow the retail payments business. MasterCard s vision is a world where consumers and merchants can enjoy and benefit from new transactional experiences, where commerce can be conducted readily over all face-to-face and remote channels, and where the payment experience is always easy, reliable and safe. Delivering this vision requires a technology infrastructure that provides strong user authentication; utilizes dynamic transactions that cannot be replayed; ensures interoperability between potentially billions of consumer devices and millions of merchant acceptance locations; and, has proven it can scale, not least by providing a commercially viable balance between cost, convenience and security. MasterCard strongly believes that EMV can deliver this vision, and that is why MasterCard has endorsed it as the baseline infrastructure for the next chapter of the U.S. payments business. MasterCard s U.S. Roadmap The recent announcement (Jan. 30, 2012) from MasterCard sets our approach for establishing a payments infrastructure in the U.S. that will help achieve the vision of a World Beyond Cash. At its heart are a number of key principles that MasterCard believes are central for the future U.S. retail payment system. These principles are: To make the system future ready, by enabling simpler, more secure payments and fostering new experiences for consumers, wherever and however they choose to transact. The aim is to enable and integrate new solutions, not simply to move from magnetic-stripe to EMV cards. 23

24 To provide a framework that delivers real benefits to merchants and issuers as they upgrade to the more secure contact and contactless EMV technologies, including the flexibility to select and configure the technology to meet their business needs. To facilitate the industry as a whole working together to achieve this significant and necessary upgrade, not creating unilateral mandates, and ensuring our customers and other stakeholders are aligned and supported every step of the way. In support of these principles, the MasterCard roadmap sets out key milestones that provide clarity for the various payment system stakeholders as they plan the drive toward adopting this new infrastructure for the U.S. market: U.S. acquirers must be ready to carry the additional payment data required for authenticated and dynamic EMV transactions, by October 2013; PCI audit relief, in certain instances, starting October 2012; Account data compromise benefits to merchants, starting in October 2013; A liability shift favoring the party that has invested in the most secure configurations of EMV POS devices, starting October 2015 (2017 for automatic fuel dispensers). Full details of the roadmap can be found at The MasterCard roadmap is relevant now because the global industry is already witnessing major changes in the payments business environment. Notable drivers and influences include: Maturing of contactless / NFC technologies. An upgrade of the U.S. payments environment is an opportunity to also enable an infrastructure that provides a Tap-and- Go retail payments experience for PayPass-enabled cards and NFC-enabled mobile devices, as well as other contactless payment form factors. Explosion of smartphones and other intelligent devices. These devices have the potential to help create a richer payment experience with adjacent value-added applications and services. Rise of e- and m-commerce as attractive, high-growth channels. Consumers continually look for a reliable payment tool regardless of where and when they shop. A move toward payments with properties similar to those of card-present transactions will catalyze the growth in these channels even further. EMV-based authentication (such as MasterCard s Chip Authentication Program technologies) has already been deployed and other integrated solutions (such as MasterCard s recent partnership with Intel) are on the way. Data breaches and PCI related costs. Major data compromise events still occur from time-to-time, despite huge industry efforts to establish security standards to protect static cardholder data. Now is the time to move from static to dynamic transaction authentication as part of the effort to eliminate not mitigate or reduce fraud. Global EMV chip migration. Approximately 650 million MasterCard-branded cards have been issued around the world. This has been increasing at a rate of around 100MM per year in recent years. Additionally, more than 20 million EMV terminals have been deployed, roughly two-thirds of all terminals on the planet. 24

25 As we look at the opportunities for innovation, the changes in consumers lives and the way in which our payments environment continues to evolve, it is clear that it is time to take this step. It is time to lay the right foundation for future payment devices and consumer experiences. The outlook for the U.S. payment system environment is both exciting and challenging. MasterCard s roadmap enables our customers and partners to embrace innovation, but also leverage tried and tested assets to build their businesses of tomorrow. Deploying EMV in the U.S. The U.S. market is in a unique position to benefit from EMV technology. Unlike markets such as the UK, which adopted EMV in its early days (and therefore had the challenge of taking EMV from a concept to a mass-market solution), the U.S. market will benefit from a now mature and experienced industry. That being said, as with any major technology shift in any industry, there are important considerations that the U.S. market needs to take into account, including: The size of the market. The sheer number of stakeholders in the U.S. payment system and the lack of a central coordination body point to the need for market leadership. MasterCard recognizes the need for collaboration as well as competition and has proposed, as part of our roadmap, to play a leading role in defining the market-level plan as well as a plan for our own customers and partners. Managing fraud migration. Implementation experience from around the world has shown that EMV technology is exceptionally effective in preventing fraud where implemented. However, financial institutions need to consider the fact that fraud tends to migrate to the weakest link in any system. Banks will need to apply increasing focus on residual transactions and channels that rely upon static data and deploy appropriate fraud management tools and methods to mitigate the associated risks. MasterCard s roadmap rewards participants in our payment system that invest in the most secure configurations of EMV technology. Technological evolution. The rise of intelligent devices will bring new and tangible opportunities to grow electronic payments and revenues. But this will demand new and more sophisticated merchant technologies. MasterCard identifies in our roadmap the opportunity to deploy dual-interface technologies (contact and contactless) from the outset to avoid two-stage upgrades that other markets have been through in the past. Furthermore, MasterCard will be bringing new educational and advisory services to help our customers to develop payment strategies to exploit the new roadmap. We must also acknowledge that the future will create opportunities and challenges that cannot be foreseen at this time, but it is unlikely that the basic principles of commerce (connecting consumers with merchants, being sure about who is transacting, transferring money from one party to another with integrity, and so on) will change. EMV is focused on these principles. 25

26 MasterCard s view is that EMV will serve U.S. customers in the future as well as it has served other customers in other markets over the last 15 years. MasterCard was one of the original inventors of EMV and, with our current partners in EMVCo, we continue to lead the evolution of the standard to ensure it remains at the forefront of retail payments around the world. As we build the future and bring the U.S. into the global EMV world, we must facilitate seamless technology transitions for both the new players and the earlier adopters from other markets. Merchants, acquirers and issuers from around the world are already processing billions of EMVbased transactions every year. Those credit, debit and prepaid core products, coupled with innovations such as mobile payments, contactless devices and new card solutions, are set to bring even greater opportunities to the U.S. We at MasterCard believe that the Point of Interaction (POI) roadmap announced in January signals the beginning of an infrastructure change in the U.S. payments landscape that opens up massive opportunities to the industry. The payments infrastructure we propose to implement will: lead to safer payments, enable new consumer experiences and products, and bring the U.S. market into the same global framework for interoperable, EMV-based payments that many parts of the world have already implemented. There is no doubt that the upgrade of the U.S. payments business is a major undertaking. The upgrade is not only achievable but essential in the move toward a World Beyond Cash. Dave Meadon is based in London and is group head, Chip Solutions and Engineering. He is responsible for overseeing the conversion of the MasterCard magnetic-stripe based products to chip and for creating and implementing processes to ensure their successful deployment around the world. His role also involves identifying, developing and deploying innovative solutions and services based on this new and powerful platform. This includes providing foundational technology for a new generation of payments in the contactless, mobile and remote payments arenas. Mr. Meadon represents MasterCard on the Executive Committee of EMVCo, the industry body that defines the global standards for chip-based payments. He is also Chair of the MULTOS Consortium which provides industry direction for one of the most widely deployed multi-application smart card operating systems. Mr. Meadon graduated with an honors degree in Mathematics and Computational Science from the University of Leeds and subsequently with an MBA (Distinction) from City University (London). 26

27 Adopting EMV in the U.S. By Eric Schindewolf, Vice President, Product Development, Consumer Credit Card Services, Wells Fargo Bank (This article reflects the views of the author and does not necessarily reflect the official policy or position of Wells Fargo) I begin by admitting I m already convinced of EMV s effectiveness in reducing card present fraud and of the need for U.S. adoption. To me it s no longer a question of if but when and how U.S. banks will begin offering EMV. The how is critical, and U.S. issuers and acquirers can benefit from the lessons of their international counterparts who ve gone before them. Like anything, EMV has its strengths and limitations. EMV is the international standard for chip-based payment technology and has been adopted by every major payment association, card and terminal manufacturer. Its specifications underlie both contact and contactless (NFC) payments for ensuring global interoperability. EMVco is the governing body owned by Visa, MasterCard, American Express and JCB, with a board of representatives that stretches across the payments industry. All of them have a vested interest in EMV s long-term success and mindful evolution to eliminate disruptions in the payments chain. No other next-generation payment technology has such widespread support and adoption. EMV provides practical security, which is to say the expense and effort required to crack a single EMV card are far greater than the credit line associated with it. It s simply too much work for too little payout, especially when easier options exist. Even if a card s keys were somehow exposed, this information cannot be used to derive the master keys housed securely behind the processor s physical and logical security controls, which are many. Another important aspect of EMV security is its use of dynamic data to prohibit the capture and re-use of transaction information to make fake cards or replay attacks. Also, EMV is intended to complement the issuer s existing fraud detection systems and not to be viewed as the end in itself. When integrated properly with the issuer s back-end processing, EMV provides high-level fortification against fraud. Where EMV s security has been questioned is in regards to two basic transaction types: Card not Present and Offline-only transactions. For Card not Present transactions (e.g. internet purchases), the reason is obvious, because neither the card nor its chip data is ever read during the transaction process. While solutions do exist today for incorporating EMV data into these types of transactions, it has not been widely adopted and introduces a whole new set of expenses and servicing challenges for U.S. issuers who ve only just started working with EMV. Regarding Offline-only transactions, EMV s vulnerability is much less apparent because it was designed with offline-only acceptance in mind for regions with poor telecommunication networks. These transactions result when a merchant terminal is incapable of going online to 27

28 perform an authorization. Examples of this might be cruise ships, self-serve kiosks or the French rail. During offline-only transactions, the entire decisioning process is based upon the card and terminal s interaction and settings. No authorization message ever is sent to the issuer for approval; only the settlement file. The vulnerability lies in the fraudster s ability to either fool the terminal with false responses (e.g. Cambridge attack) or easing the capture of sensitive card and PIN data at the point of sale (more on this shortly). The desire to fight fraud at the periphery, while well intentioned, will only result in the need for ever more sophisticated (and costly) cards and terminals. A better approach is to drive every transaction online for decisioning by the acquirer and issuer processors. This allows all decisioning to be managed centrally, where investment dollars are best applied; this helps ensure card and terminal costs are kept to a minimum. There are few reasons in this day and age for merchants not to perform online authorizations as part of their standard business practice (excluding unanticipated network outages, such as those caused by natural disaster). International Travel Programs U.S. issuers should consider directing their initial EMV efforts at international travelers and travel card programs. International travelers are among an issuers best customers. For these customers, international card acceptance is critical, because carrying large sums of foreign currency is both impractical and unwise. U.S. issuers able to offer an EMV solution to international travelers will have a competitive advantage over those who don t. For these customers, international acceptance drives top of wallet behavior. EMV also can improve an issuer s authorization rates when cardholders fail to notify them of foreign travel. Validating the card s cryptogram confirms the card s authenticity; if it hasn t been reported lost/stolen, the issuer can approve a transaction it might previously have declined. However, supporting an EMV travel card program can also result in added complexity depending upon the issuer s decision on whether to support offline PIN capability. One of the main complaints of international travelers is their inability to use magnetic stripe cards at offlineonly terminals like those used by the French rail. Issuers who offer EMV cards with offline PIN support will have a competitive advantage over those who don t. I recognize my comments here seem counter to my earlier statements and my opposition to offline-only acceptance. However, I say this only as an accommodation strategy to enable low-value transactions in foreign markets and not as the way forward when building U.S. domestic programs. Solving for offline PIN can be problematic when the same card also has an online cash advance PIN associated with it. In the following example, we ll assume the card being used shares the same value for both online and offline PIN. The terminal in this case is an offline-only device, unmanned, and has been tampered with (a hidden camera is placed nearby to capture they key pad entries). When the cardholder dips the chip into the terminal, it also exposes the card s 28

29 magnetic stripe. Copying the magnetic stripe data along with the PIN pad entries will allow fraudsters to then reproduce simple magnetic stripe cards with corresponding PIN numbers for use in U.S.-based ATMs (defrauding issuers out of potentially millions of dollars). Note, even if the issuer had decided to purchase the most expensive EMV card available with offline DDA capability, it would be useless against such an attack. Domestic Market Adoption EMV s arrival in the U.S. will depend on wide-scale merchant adoption. This was the challenge of the past and remains true today. Visa s August 9, 2011, announcement on new EMV and NFC rules for U.S. merchants and processors was a profound step forward in pushing the U.S. market toward mobile and chip-based technology. The new rules provide a clear roadmap and timeframe for merchants when planning terminal upgrades, which typically occur in three- to five-year cycles. U.S. merchants now have real economic reasons to upgrade their POS environment to EMV and NFC as a way of minimizing fraud liability and safeguarding long-term investments. It also ensures merchants will have the means to capture whatever form of payment customers are using well into the future. The expense to upgrade to EMV has also dropped because of POS manufactures pre-bundling this hardware into their new product launches to better manage their own production expenses. For the big point-of-sale manufactures, EMV and NFC represent a whole new paradigm of expanded business opportunities that takes them beyond pure hardware sales to more reoccurring review through software updates and new terminal based applications and services. Along with mass merchant adoption, the cost of EMV cards needs to be further reduced before U.S. issuers begin converting their entire card portfolios to EMV. Existing prices range from just under $1 to $2.50 per plastic card depending on the volume and type of card being purchased. Even at the low end, this is almost a tenfold increase from today s magnetic stripe card costs, which are around 10 cents per card. Overcoming the higher card expense through increased purchase volume or lower fraud rates is questionable at this point in time. Only after wide-scale U.S. merchant adoption and ATM upgrades have been implemented will U.S. issuers reap any real fraud savings. For issuers who prematurely convert a majority of their card portfolios to EMV, card costs will skyrocket -- but they will be no better off than their magnetic stripe competitors at addressing fraud. Those who convert too late may well find themselves the prime target of fraudsters. In the end it will be a confluence of factors that eventually drives U.S. issuers to full EMV adoption in the U.S. This includes external influences like merchant adoption and competing bank EMV offers as well as internal factors like decreased fraud, increased customer demand and/or new business opportunities (e.g. multi-application). As each of these things grow, so will the availability of EMV cards and mobile solutions. This is an exciting time for the industry and consumers alike, as new products and value-add services become available and more convenient through the use of affordable chip-based technology. 29

30 Eric Schindewolf is VP, Product Development at Wells Fargo Consumer Card Services. Prior to working for Wells Fargo, Eric was Director of New and Emerging Technologies for VISA USA/International. He has 13+ years of Payment Industry experience, having worked on all sides of the credit card business model (Association, Merchant, Issuer). He is focused on new product and business development to drive market adoption, increase acquisitions, broaden card acceptance and grow balances thru new customer facing solutions. He has a proven track record leading complex payment initiatives that reaches across organizations, technologies, and business models to achieve the strategic goals of all stakeholders. 30

31 Chip-and-PIN: Success and Challenges in Reducing Fraud 27 By Douglas King, Payments Risk Expert with the Federal Reserve Bank of Atlanta Abstract: Traditional payment cards have evolved in much of the world and now rely on the EMV global standard using chip technology. However, this evolution of payment cards has yet to occur in the United States payment card industry, which continues to rely on magnetic stripe technology. Transactions conducted with EMV chip-embedded cards that use PIN verification are more secure than transactions conducted using magnetic stripe technology. This paper explores the experience of multiple European, Asian-Pacific, and North American countries in fraud reduction by migrating away from magnetic stripe payment cards to EMV chip cards using PIN verification. Where information and data is available, the paper reviews the reason behind a country s migration to chip-and-pin, the actual migration process, and the migration s success in reducing payment card fraud. It also examines the pattern of fraud migration from chip-enabled payment transactions to non-chip-enabled payment transactions. Finally, the paper closes by examining current payment card fraud trends in the United States and potential implications of prolonging a migration to chip-enabled payment technology. I. Introduction As the rest of the globe moves to EMV s global standard 28 using chip technology, the United States remains the last developed country reliant on magnetic stripe (mag stripe) cards. Based on available data from countries around the globe with EMV experience, chip-and-pin cards have successfully reduced fraud on face-to-face transactions. However, these cards have had less impact on overall fraud levels as fraudsters have shifted their focus to non-chip transactions. Fraud has simply shifted to different products (from credit to debit), other channels (from cardpresent to card-not present, or CNP), or other geographies (cross-border fraud). 27 Taken from Retail Payments Risk Forum Working Paper, Federal Reserve Bank of Atlanta, January EMV stands for Europay, MasterCard, and Visa. EMV is a standard for the inter-operation of chip-embedded cards with POS terminals and ATMs used to authenticate payment card transactions. 31

32 Figure 1: EMV Adoption Rates by Region i As the EMV standard and chip-and-pin cards mature in adopting countries, the United States could be prone to increased fraud as long as it continues to rely on mag stripe technology. Should the U.S. payments industry decide to abandon mag stripe technology in favor of chip-and-pin, a coordinated effort from issuers, networks, and merchants will be needed to prevent fraud from shifting to other products and channels. Fortunately for the United States, fraud shifting crossborder should be less of an issue than it was for early EMV adopters since all developed countries will have converted to chip-and-pin. Many industry stakeholders argue that a business case based on current fraud loss costs versus chip-and-pin deployment costs in the United States has yet to fully crystallize, although data in this paper suggests a business case is emerging. However, this paper focuses on the impacts EMV chip-and-pin has had on card fraud in markets that have adopted the technology. Furthermore, it analyzes card fraud trends in the United States during this nearly global EMV chip-and-pin migration. II. EMV and Chip-and-PIN Explained EMV is a global standard for payment cards based on chip technology established in 1994 by Europay International SA (acquired by MasterCard in 2002), MasterCard, and Visa. Today, the EMV standard is managed by EMVCo, which is a joint venture of MasterCard, Visa, JCB, and American Express. As of early 2011, 1.2 billion EMV cards were deployed across the globe along with 18.7 million EMV terminals. ii A cardholder s confidential data is more secure on a chip-embedded payment card than on a mag stripe card. Chip-embedded cards support dynamic authentication where as data on mag stripe cards is static. Thus, data from traditional mag stripe cards can be easily copied (skimmed) with a simple and inexpensive card reading device. Skimming enables criminals to make counterfeit 32

33 cards for use at Point-of-Sale (POS) devices or in the CNP environment. Chip technology is effective in combating such counterfeiting through the introduction of dynamic values for each transaction. PIN verification provides superior protection against fraud losses, especially those losses from lost or stolen cards, compared to signature verification. Based on 2008 debit card fraud data collected by the Federal Reserve Board of Governors, total fraud losses to all parties on signature-based transactions per dollar volume were.13 percent, or 13 basis points. PIN-based transactions experienced a significantly lower fraud loss rate of.035 percent, or 3.5 basis points, per dollar volume. iii In the event that a card is lost or stolen, PIN verification is more effective in combating fraud than signature verification. The EMV specification can be used in both online and offline environments 29 and supports both signature and PIN verification with PIN being the dominant verification method used to-date. In fact, the Chip and PIN brand name adopted by UK banks for the rollout of EMV cards has become nearly synonymous with EMV, despite the fact that the EMV specification supports signature authorization. The EMV standard evolves with the payments industry and now also includes specifications for contactless payments and mobile payments. Whether or not the U.S. payments industry adopts the EMV specifications or develops new specifications, a move to chip technology is needed to avoid increased fraud levels. Although there have been multiple reports of security issues with chip technology using the EMV standard, iv it is reasonable for the United States to adopt the global EMV standard that is supported by the three largest card networks in this country. EMV chip-based cards offer superior protection of cardholder data compared to mag stripe cards and PIN verification is far superior to signature verification in preventing fraud. v Also, as seen with the additional contactless and mobile specifications to the EMV standard, chip-based technology is scalable along the payment evolution continuum into contactless cards and mobile. III. EMV and Chip-and-PIN in the United States Today The first U.S. payment card utilizing the EMV standard was issued by the United Nations Federal Credit Union (UNFCU) in October These cards, issued to approximately 5,000 high-value credit card customers, are chip-and-pin cards. Although payment security was a factor in UNFCU s decision to issue EMV cards, the primary rationale was to provide its members, many of whom reside outside the United States, with a globally accepted card. Mag stripe cards are becoming less accepted outside of the United States, especially in offline applications such as unattended parking and ticketing kiosks. State Employees Credit Union 29 In an online environment, the transaction authorization uses telecommunications at the time of sale to route a merchant s authorization request to the issuer to approve or decline. In an offline environment, transactions are not authorized at the time of sale, but rather are batched throughout a given time period and transmitted to the issuer to approve or decline. For an offline EMV chip and-pin transaction, the PIN is authorized through communication between the terminal and chip without the need for telecommunications. 33

34 (SECU) announced in February 2011 that it was issuing EMV chip-and-pin debit cards to all of its 1.6 million debit cardholders with the migration to be completed by the end of vi Following SECU s announcement, EMV issuance gained some momentum with larger U.S. issuers, albeit for some very small card portfolios. During the second quarter of 2011, Wells Fargo, JPMorgan Chase, and U.S. Bancorp all announced plans to migrate certain credit card portfolios to the EMV standard. Again, the reason for the technology migration by these financial institutions had less to do with risk and was more about global acceptance of the cards. Interestingly, the larger institutions have primarily opted for signature cardholder verification while the credit unions have opted for PIN cardholder verification. Table 1: EMV Consumer Cards in the United States * Approximate Issuer Date of First Issuance Portfolio Approximate Portfolio Size Network Cardholder Verification United Nations Federal Credit Union October 2010 Platinum Elite 7,000 Visa PIN State Employees' Credit Union March 2011 Debit 1,600,000 Visa PIN JPMorgan Chase & Co. June 2011 Palladium Don't Know 1 Visa Signature Wells Fargo & Co. Mid-Summer 2011 N/A 2 15,000 Visa Signature & PIN U.S. Bancorp July 2011 FlexPerks Travel Reward 20,000 Visa Signature * Information through June 30, No reports of portfolio size, but likely smaller than other credit card portfolios listed. 2 The Wells Fargo card is a pilot program that will be issued to high frequency international traveling cardholders. On the acquiring side of the equation, there is currently no merchant acceptance in the United States of EMV chip-embedded cards. Most EMV chip cards issued abroad and domestically also contain a mag stripe and thus are accepted at all U.S. merchant locations that accept cards. However, several large U.S. merchants have expressed an interest in chip-and-pin technology to replace mag stripe technology and signature verification. Perhaps both the issuance and acceptance of EMV chip cards (and potentially other chip-enabled devices such as mobile phones) will increase with a recent announcement by Visa. vii This announcement specified incentives and deadlines to urge U.S. merchants to accept both contact and contactless chip-enabled cards. One merchant incentive includes the elimination of the 34

35 requirement for annual PCI 30 compliance validation if 75 percent of a merchant s transactions originate from chip-enabled terminals effective October 1, For the largest merchants, savings from an annual PCI compliance validation would average approximately $225,000 a year. viii Further, Visa set October 1, 2015 as the date when a card-present counterfeit fraud liability shift from issuers to merchant acquirers will be implemented if fraud occurs in a transaction that could have been prevented with a chip-enabled payment terminal. While the announcement lays a path towards EMV chip card migration, it does not necessarily set a path to chip-and-pin as Visa will continue to support both signature and PIN cardholder verification methods. In the interim, the U.S. card industry continues to wrestle with the decisions of chip card adoption, as well as signature versus online or offline PIN verification, despite evidence that fraud in the card-present environment is significantly reduced in EMV chip-and-pin adopting countries. IV. The Chip-and-PIN Experience in the UK Background 31 In the early 1990 s, the Association for Payment Clearing Services (APACS), consisting of financial institutions and payment clearing and settlement companies, created the Plastic Fraud Prevention Forum (PFPF). This Forum represents all of the UK s major card issuers and works to develop card fraud prevention initiatives. The PFPF launched a major project in the mid s to obtain a better understanding of systemic fraud on payment card transactions. Card fraud in the UK was relatively high compared to other developed markets. The authorization environment was a key driver for the UK s high card fraud figures. Unlike the United State s online card authorization environment, the UK has primarily been an offline authorization market. Because of this difference in authorization environments, UK card fraud rates have historically been much higher than the rates in the United States. For example, card fraud for 2004 in the UK stood at.14 percent per transaction value ix compared to an estimated.05 percent of bankcard fraud per transaction value in the US. x Since EMV chip-and-pin supports authorization at the time of sale in either an online or offline environment, it was viewed as a key driver of reducing card fraud in the UK given the country s offline authorization market. Following several successful chip-and-pin trials in the mid- to late- 1990s, the APACS decided on a national rollout of EMV chip-and-pin in Implementation of chip-and-pin gained traction in 2004, and by the end of August 2006, the UK was close to full migration (99.8 percent of chip transactions were PIN-verified). xi 30 PCI is a security standards council launched in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. This council is responsible for the development, management, education, and awareness of payment card security standards for issuing and acquiring participants of these card networks. 31 As of July 6, 2009, APACS was replaced by its successor organization, The UK Payments Administration Ltd. This organization supplies services to multiple payments-related trade associations including The UK Cards Association. 35

36 Much like in the United States, UK bank card issuers were saddled with the majority of the fraud loss burden, yet the migration was going to be costly for merchants to install new hardware and software to accept chip-and-pin cards. Merchants did not find the benefits of migration to chipand-pin to be very equitable as the bulk of the investment landed with the merchants, while the benefits of reduced fraud losses flowed to the issuers. In order to encourage merchants to migrate to chip-and-pin enabled terminals, the card networks instituted a liability shift which places the fraud loss burden on the non-emv compliant party. Beginning in July 2005, any merchant that had not upgraded their terminals to be chip-and-pin compliant would be liable for fraudulent transactions using chip-and-pin cards which could have been avoided by upgrading the terminal. The card issuer remains liable for fraudulent transactions if the transaction is conducted using a mag stripe card or if both parties are chip-and-pin enabled. Impact on Fraud According to data from the UK Payments Administration, EMV chip-and-pin has been successful at reducing certain types of card fraud, especially domestic counterfeit and lost or stolen card fraud. Total card fraud in the UK began declining in 2005 as the chip-and-pin movement gained traction. However, with widespread chip-and-pin adoption completed by 2006, total card fraud increased significantly in 2007 and 2008 due to significant increases in CNP and cross-border fraud. Few viable chip-and-pin solutions for online merchants have emerged, leading to the migration of fraud to the CNP channel. Also, since chip-and-pin cards still contain mag stripes for use at merchant locations not equipped to handle chip transactions, fraud has migrated abroad through the use of counterfeit cards in countries primarily using mag stripe technology. As more countries have adopted chip-and-pin and CNP fraud prevention measures have been increased, total card fraud has been on a significant decline since Chart 1: Fraud Losses on UK-Issued Cards 36

37 EMV chip-and-pin has been highly successful reducing domestic fraud in the UK Since 2004, domestic fraud losses on UK-issued cards has fallen by over 34 percent. Chip-and-PIN has successfully thwarted the primary fraud losses it was designed to prevent, counterfeit and lost or stolen card fraud. Since widespread implementation of EMV chip-and-pin in 2004, counterfeit fraud declined drastically on UK-issued cards. Fraud losses from counterfeit cards have fallen by over 63 percent. In fact, in 2004 counterfeit card fraud accounted for over 25 percent of all card fraud on UK issued cards compared to 13 percent by the end of Domestic counterfeit card fraud fell to 17 million in 2010 from 46 million in 2006 and now represents only 6 percent of all domestic card fraud Chart 2: Fraud Losses on UK-Issued Cards at UK Retailers (Face-to-Face Transactions) However, counterfeit fraud on UK-issued cards has not been on a continuous decline since chipand-pin implementation in Interestingly, counterfeit fraud rose significantly in 2007 and 2008 as UK card issuers experienced a dramatic increase in cross-border counterfeit fraud. Since UK-issued chip cards still contain a mag stripe, fraudsters are able to capture card data off the mag-stripe and commit fraud in countries that have yet to migrate to chip-and-pin. As migration of chip-and-pin increased in other countries, especially other European countries, losses from counterfeit cards abroad began to abate. Today, nearly 75 percent of cards and 90 percent of POS terminals in Western Europe have adopted the EMV chip-and-pin standard. xii Much like counterfeit fraud, lost or stolen card fraud in the UK has declined significantly since the implementation of EMV chip-and-pin in The 61 percent decline in lost or stolen card fraud losses from 2004 to 2010 exhibits a much different pattern of decline than the decline witnessed in fraud losses from counterfeit cards. While counterfeit fraud losses increased 37

38 significantly in 2007 and 2008 due primarily to cross-border fraud committed on UK-issued cards, lost or stolen card fraud has decreased every year since 2004 and now stands at its lowest level since the industry began collecting fraud loss data in While immense strides against fraud losses have been made seven years into chip-and-pin implementation, counterfeit and lost or stolen card fraud still exists in the UK. Chip-and-PIN has been successful at reducing both of these fraud types, but contrary to some reports circulating in the US, xiii the technology has not completely eliminated any one type of fraud, and has actually pushed fraud to CNP and cross-border transactions. The success of EMV chip-and-pin at thwarting fraud at the POS in the UK has led the fraudsters to seek the lowest common denominator in terms of perpetrating fraud, transactions not protected by chip-and-pin. These transactions most commonly occur in the CNP environment and in countries that still rely on mag stripe technology. Consequently, since the introduction of chipand-pin in 2004, both CNP and cross-border fraud rose dramatically through 2008, before falling in 2009 and Chart 3: Counterfeit Card Fraud Losses on UK-Issued Cards 38

39 Chart 4: Lost or Stolen Card Fraud Losses on UK-Issued Cards CNP fraud now accounts for 62 percent of all fraud on UK-issued cards, up from 30 percent in Although solutions for chip-and-pin transactions exist in the CNP environment, they have yet to gain much adoption by either merchants or cardholders due to cost and consumer adoption concerns. These hardware-based solutions, often attached through a USB device, create a secure connection and generate dynamic data in a manner similar to a card-present transaction. The recent decline in CNP fraud on UK-issued cards has primarily been due to the growth in the use of a non-chip-and-pin solution, 3-D secure 32 by both merchants and cardholders. Chart 5: Card Not Present Fraud Losses on UK-Issued Cards 32 3-D Secure is an XML-based protocol designed to be an added layer of authentication for Internet-based payment card transactions. Visa, MasterCard, American Express, and JCB all offer the 3-D Secure protocol. This protocol requires that a cardholder enter a unique PIN to complete a CNP transaction as an additional identity verification process. 39

40 As the EMV chip-and-pin standard became more prevalent around the globe, and especially in Europe, cross-border fraud on UK-issued cards began declining in 2009 after peaking in Chart 6: Cross-Border Fraud Losses on UK-Issued Cards However, fraud occurring in the United States on UK-issued cards stands at a higher level in 2010 than it did in In fact, fraud in the United States accounted for 14 percent of crossborder fraud losses on UK-issued cards in 2005, and today accounts for 23 percent of all crossborder fraud losses. Interestingly, as most of Europe has migrated, or is in the process, to EMV chip-and-pin, no European country is part of the top 5 countries for cross-border fraud on UKissued cards in V. The Chip-and-PIN Experience in France Background France was an early adopter of chip card technology. By the mid-1980 s, the fraud rate on French-issued cards was extremely high, reaching.27 percent by 1987, xiv according to data from Groupement des Cartes Bancaires. With fraud rates on the rise, French banks issued the first chip-embedded smart cards in By 1992, all French bank cards were embedded with a chip resulting in a sharp decline in fraud. The fraud rate on French-issued payment cards was down to.03 percent in Even though card fraud levels were already extremely low, France followed the UK card industry s lead and began migrating to EMV chip-and-pin cards in 2002 with several trials. By October of 2003, a national rollout was launched with the migration to chip-and-pin finalized by the end of Since 2005, all French-issued cards use chips that support dynamic data authentication. 40

41 Impact on Fraud Since implementation of chip-and-pin, both fraud losses and fraud rates in France have actually increased slightly from low levels of fraud losses and rates prior to EMV chip-and-pin. However, a noticeable shift in fraud has taken place that is the primary driver of the higher fraud losses and rates. As witnessed in the UK following that country s migration to chip-and-pin, domestic fraud losses and rates on face-to-face transactions experienced significant declines. Yet, cross-border and CNP fraud increased significantly. Chart 7: Fraud Losses on French-Issued Cards Though total fraud incurred by French issuers has increased since the introduction of EMV chipand-pin, domestic face-to-face fraud has significantly declined to extremely low levels. Between 2004 and 2009, fraud losses from domestic face-to-face transactions fell by over 35 percent. Even more impressive though, is the fraud rate on these transactions fell by over 50 percent and by 2009 stood at.01 percent. So during a time of increasing card usage for face-to-face transactions in France, fraud losses decreased significantly. 41

42 Chart 8: Fraud Losses on French-Issued Cards at French Retailers With fraudsters moving away from domestic face-to-face transactions in France, they are focusing their attention on transactions not supported by chip-and-pin. As such, CNP fraud has experienced a significant increase since the introduction of EMV chip-and-pin. While transaction volume has increased in the CNP channel with the growth of online commerce, fraud losses in the CNP channel have grown at even a more rapid pace, especially in cross-border CNP transactions. CNP fraud now represents almost 54 percent of all card fraud on French-issued cards up from 25 percent in The comparison of fraud rates for in-person versus CNP transactions is striking. While face-to-face transactions in France have a fraud rate of.01 percent, domestic CNP transactions have a fraud rate of.26 percent and cross-border CNP transactions have an alarmingly high 1.35 percent fraud rate. Not only do cross-border CNP transactions carry a higher rate of fraud than domestic CNP transactions, cross-border face-to-face transactions also have a higher fraud rate than domestic face-to-face transactions. By the end of 2009, the fraud rate on cross-border face-to-face transactions stood at.41 percent compared to.01 percent for domestic face-to-face transactions. In fact, the amount of losses in 2009 from cross-border transactions ( 45 million) actually surpassed the losses from domestic transactions ( 41 million). And while domestic transactions have experienced a decline in both total fraud losses and rate since the introduction of EMV chip-and-pin, both total fraud losses and the fraud rate on cross-border transactions have increased. 42

43 Chart 9: Card-Not-Present Fraud Losses on French-Issued Cards Chart 10: Fraud Losses on French-Issued Cards for Face-to-Face Transactions VI. The Chip-and-PIN Experience in Canada Background Although Canada s payment card fraud rates were not high by global standards, issuers were becoming concerned by the increasing rate of card fraud experienced during the early to mid 2000 s. Issuers had not invested heavily in fraud monitoring and prevention systems like their counterparts in the United States, and agreed in 2006 that a move to chip-and-pin was needed to 43

44 reduce the growing rate of fraud. The move to chip-and-pin is near completion today, but the on-going migration process has been long and slow. In June 2003, Visa Canada announced that it was committed to chip-and-pin. Following Visa s lead, MasterCard announced similar plans and guidelines in Interac, Canada s national debit payment network, announced in October 2005 that it was also committed to chip-and-pin with a target date of 100 percent migration by the end of In March 2006, members of the Canadian payments industry 33 announced alignment and commitment to a broad industry migration to chip technology. xv Finally, in October of 2007, an EMV chip-and-pin trial was launched in Kitchener-Waterloo and continued until October 2008 when a national roll-out of chip-and-pin began. xvi American Express did not announce its EMV chip-and-pin guidelines until August 2010, but it expects a quick migration with a liability shift date set for October 31, xvii Today, Canada is far along the process of migrating to EMV chip-and-pin. Visa and MasterCard are all but complete with the migration. Liability shift on both Visa and MasterCard transactions went into effect at the end of March American Express has set a date of October With a longer time horizon for migration than the credit card networks, Interac s migration to EMV chip-and-pin has been slower and thus the Canadian debit network remains more reliant on mag stripe technology today than the credit networks. Impact on Fraud Although the national roll-out of chip-and-pin did not begin until late 2008, similar fraud migration trends experienced in other chip-and-pin markets are appearing in Canada. Although total card fraud losses have only decreased by 5 percent from $CAD512 million in 2008 to $CAD485 million in 2010, fraud is migrating to non-chip enabled transactions. In the case of Canada, these transactions are occurring in the CNP environment and with debit cards. Unfortunately, cross-border fraud migration trends are not available as the Canadian Bankers Association did not begin reporting cross-border counterfeit fraud until 2010, presumably because it is becoming a growing issue. And since the roll-out of chip-and-pin, the EMV chipand-pin standard has been effective at reducing the types of fraud it is best suited to prevent -- counterfeit and lost or stolen credit card fraud has decreased by 30 percent. As seen in other chip-and-pin countries, while fraud losses from counterfeit, lost or stolen cards as well as face-to-face domestic transactions have declined, fraud losses in the CNP environment have increased significantly. And this is no different in Canada. In fact, fraud losses on credit cards in the CNP environment have increased by 37 percent since 2008 when CNP fraud accounted for 31 percent of fraud losses on Canadian-issued credit cards. By the end of 2010, CNP fraud losses account for nearly 50 percent of credit card fraud in Canada. 33 Members of the Canadian payments industry consist of MasterCard Canada, Visa Canada, Interac Association, and many of their respective card issuers, payment processors, and merchants. 44

45 Chart 11: Counterfeit and Lost or Stolen Fraud Losses on Canadian-Issued Credit Cards Chart 12: Card-Not-Present Fraud Losses on Canadian-Issued Credit Cards Although debit card fraud losses remain significantly lower than credit card fraud losses, fraud committed using debit cards has increased. Between 2008 and 2010, debit card fraud increased while fraud committed using credit cards declined since the chip-and-pin roll out in This phenomenon can be explained in large part due to Interac s much slower migration to chip-and- PIN than the credit networks in Canada - MasterCard, Visa, and American Express. As has been the case in every market that has migrated to chip-and-pin, fraudsters have sought the easiest method for perpetrating card fraud. And in Canada, with debit cards migration to chip-and-pin lagging credit cards, fraudsters have taken notice. Debit card fraud spiked in 2009, reaching $CAD142 million up from $CAD104 million in Fraud on debit cards fell in 2010 to 45

46 $CAD119 million as Interac advanced its chip-and-pin migration efforts, but still remains higher than levels seen during 2008, the year of the national roll-out of chip-and-pin. Chart 13: Fraud Losses on Canadian-Issued Cards VII. The Chip-and-PIN Experience in Australia Background Australia has traditionally enjoyed a comparatively low rate of card fraud. However, with the movement to EMV chip-and-pin underway in many European countries and some Asia-Pacific countries, the Australian Payments Clearing Association (APCA) 34 held an initial Chip for Australia Implementation Forum in May In the absence of significant fraud losses, chip implementation in Australia is being spurred by credit card network incentives and liability shifts. Rather than implement a mass roll-out of chip-and-pin, APCA agreed to a progressive roll-out to take place over a number of years. 35 In January 2008, APCA established the Chip Payments Programme for Australia (CPPA) to manage the migration to chip-and-pin. By the end of 2008, approximately 12 percent of payment cards in Australia were embedded with an EMV chip. xviii In June 2010, EFTPOS Payments Australia Limited (EPAL), 36 Australia s national debit network, announced a move to chip technology beginning in 2011 with completion set for xix 34 APCA is the payments industry s principal self-regulatory body and the vehicle for payments industry collaboration. The Association s members include banks, building societies, credit unions, the Reserve Bank, and other payment organizations in its five payment clearing systems. 35 The CPPA is comprised of card issuers, acquirers, and networks. 36 EPAL is a joint venture company established in 2009 by Australia s major retail financial institutions and retailers to manage promote and develop Australia s PIN debit card system (EFTPOS) on a commercial basis. 46

47 37 The migration to chip-and-pin is well underway for the credit and scheme debit networks. According to the MasterCard Roadmap released at the end of March 2011, all new and reissued MasterCard cards must be EMV capable beginning October All POS terminals need to be EMV compliant by April 2012 to coincide with a liability shift. And by April 2013, all cards and payment terminals must be EMV capable. xx Visa s migration timeline is similar to MasterCard s. All newly issued credit cards beginning in 2010 had to be EMV compliant. Debit and prepaid card EMV issuance began in 2011 and by April 2013 all Visa cards must be EMV compliant with Visa s liability shift set to take place. xxi Impact on Fraud With migration to EMV chip-and-pin in Australia still in its early stages, data from the APCA is already showing similar patterns of fraud trends observed in more mature chip-and-pin markets. Fraud from counterfeit cards has been declining since the migration to chip-and-pin began; however, total fraud has increased largely due to the significant increase in CNP fraud. Since rolling out chip-and-pin cards in 2008 when fraud from counterfeit cards peaked at $AUD56 million, fraud from counterfeiting fell to $AUD47 million in While the 15 percent decline in counterfeit fraud is promising, it is more modest than the decline in counterfeit fraud in other chip-and-pin markets. However, the Australian payments market has taken a more methodical and progressive approach to chip-and-pin implementation. The APCA recently wrote that chip technology is proving effective in driving skimming [counterfeit] fraud down.notwithstanding unusual spikes, chip technology is expected to combat skimming fraud in Australia over the long-term. xxii Chart 14: Counterfeit Fraud Losses on Australian-Issued Cards 37 MasterCard and Visa 47

48 Although counterfeit fraud is down 15 percent from 2008 to 2010 on Australian-issued cards, CNP fraud has increased by nearly 70 percent during the same time period. And while there are both chip-enabled and non-chip solutions to reduce CNP fraud, they do not appear to be gaining traction in the Australian market. According to the APCA, financial institutions, card schemes and retailers are working to implement additional security for online payments using 3D Secure and to increase awareness of the importance of using anti-fraud tools. Chart 15: Card-Not-Present Fraud Losses on Australian-Issued Cards VIII. The Netherlands The Netherlands provides an interesting glimpse into a country that was slow to migrate to EMV chip-and-pin at the same time that a majority of its European neighbors were moving to chipand-pin. The Netherlands differs from early European adopters of chip-and-pin in that debit cards are much more popular than credit cards. All debit transactions are authorized online and require a PIN for cardholder verification. xxiii Finally, debit cards cannot be used for CNP transactions in the Netherlands. xxiv With online authorization, PIN verification of all debit card transactions, and no CNP debit card transactions, the fraud rate on card transactions in the Netherlands has been historically low. In 2005, a period when many European countries were migrating to chip-and-pin, the Netherlands experienced a fraud rate of only 0.02 percent. This fraud rate is comparable to France s current fraud rate using chip-and-pin. Given the low fraud rate, there was not a business case for chipand-pin in the Netherlands. Hence, the Dutch initially took a cautious and slow approach to migrating to chip-and-pin. However, as the rest of Europe migrated to chip-and-pin, fraud loss rates climbed in the Netherlands, but still remained relatively low. By the end of 2009, fraud loss rates rose to 0.05 percent. The debit card fraud rate rose to over 0.03 percent in 2009 from less than 0.01 percent in 48

49 2005 as skimming of card data for use to counterfeit cards increased significantly. This trend reversed in 2010 as the industry took added measures such as the use of anti-skimming devices to lower the incident of skimming. 38 In the 2005 Currence Annual Report, the association stated that it has established the PIN [the Netherland s debit network] EMV requirements for payment terminals and cards This will be achieved in part by natural replacement of payment devices and cards over a maximum period of eight years. Given the agreements reached between banks and retailers, Currence expects that the entire operation will be completed by Given the significant rise in card fraud and the initially slow implementation of chip-and-pin, the Netherlands banking industry is now rushing to implement chip-and-pin. In May 2009, banks and collective POS institutions agreed to accelerate the implementation of chip-and-pin and on March 2, 2011, the Minister of Finance officially launched the national roll-out of chip-and-pin in the Netherlands with the expectations that all retailers and consumers will be using chip-and-pin by the end of Chart 16: Fraud Rates on Payment Transactions with Dutch-Issued Cards While fraud rates in the United States are not as low as those historically experienced in the Netherlands, the current situation in the United States is similar to that of the Netherlands. To date in the United States, the business case for chip-and-pin has been lacking due to low fraud rates. Also, as our neighboring countries Canada and Mexico move to chip-and-pin along with the rest of the developed world, the U.S. card industry is slow and late to migrate away from the mag stripe. IX. Card Fraud Trends in the United States 38 Currence was founded in 2005 through an initiative by eight Dutch banks. Its purpose is to facilitate a competitive market and transparency while preserving the quality and security of the payment systems of the Netherlands. 49

50 While markets that have migrated, or are in the process of migrating, to EMV chip-and-pin have seen a significant decrease in fraud on chip-and-pin transactions, overall fraud levels in the United States are trending upward. Unlike the other countries discussed in this paper, the United States does not have a single entity that collects and reports comprehensive card fraud data. Therefore, it is difficult to fully measure total fraud losses and fraud losses by specific types of fraud such as CNP or counterfeit fraud. However, there are limited studies and anecdotal evidence that point to rising fraud losses and rates for U.S. payment cards. And while no single factor can be attributed to the rising fraud trend on payment cards in the United States, the card industry s reliance on mag stripe technology is certainly a factor in this trend. 39 Since 2004, the fraud rate on bankcards issued in the United States has increased by 70 percent. The fraud rate on bank cards in 2004 was.05 percent, and by the end of 2010, the fraud rate on bank cards stood at.09 percent. In fact, 2010 represented the first year that the fraud rate on U.S.-issued bankcards exceeded the fraud rate on UK-issued cards. Chart 17: U.S. Bankcard Fraud Rates Debit cards are also experiencing an increase in fraud rates. According to annual debit issuer studies conducted for Pulse, 40 both signature and PIN debit fraud rates have increased significantly since Signature debit fraud rates have increased by nearly 80 percent since 2004, climbing from.04 percent to.08 percent by The fraud rate on signature debit transactions is closely aligned with the fraud rate of bankcards. Fraud rates on PIN debit 39 Bankcards are MasterCard and Visa-branded consumer and commercial credit cards issued by financial institutions. Bankcards do not include credit cards issued by American Express and Discover or any debit cards. 40 Pulse is an ATM/debit network owned by Discover Financial Services. The network serves more than 4,400 financial institutions in the United States. 50