The Green Sheet Online Edition
July 13, 2015 • Issue 15:07:01
Insider's report on payments:
EMV and the law of unintended consequences
The law of unintended consequences posits that even the best of intentions can trigger unpleasant situations. It happens in the payments space. Twenty years ago, for example, financial institutions and their business customers were losing $10 billion a year, or more, to check fraud.
The marketplace at the time was swamped with inexpensive desktop publishing software, and laser printer-compatible check stock was readily available at office supply stores. In addition, check clearing was a paper- and labor-intensive process that took days to complete, making it easy for fraudsters to flood local markets with bogus checks and leave town before returns started rolling in.
As credit and debit card adoption spread, the underlying technologies improved, the Check 21 Act ushered in image-based clearing, and check fraud began to fall. However, it soon was eclipsed by card fraud, especially fraud perpetrated with credit cards.
The United States is now transitioning to Europay, MasterCard and Visa (EMV) technology. Some experts warn one unintended consequence may be to push more crooks online and to other card-not-present (CNP) situations. Javelin Strategy & Research, for example, issued a report in June 2015 predicting CNP fraud will nearly double between now and 2018.
Federal Reserve Board Governor Jerome H. Powell also spoke to the issue in June during a payments security conference at the Federal Reserve Bank of Kansas City.
He urged banks and merchants to get serious about card fraud. EMV, alone, is not enough, he said, especially when coupled with signature authorization.
EMV refers to standards that apply to computer chips embedded in plastic cards and chip-reading technologies in card-accepting devices. The chips validate that the card is legitimate; customer authentication continues to be signature based, at least in the United States.
The card brands decreed that by Oct. 1, 2015, all payment cards issued by U.S. financial institutions must contain EMV-compliant chips, and all merchants must be using EMV-compliant terminals. After that date liability for fraudulent transactions falls on the party that is not EMV compliant. Liability remains a shared responsibility if more than one party to a fraudulent transaction is not EMV compliant or if all parties are EMV compliant.
Powell is one in a growing chorus of experts warning the present EMV game plan for the United States doesn't go far enough.
PINning down EMV security
"Given the current technologies we have at our disposal, we should assess the continued use of signatures as a means of authenticating card transactions," Powell said. "New approaches to authentication increasingly offer greater assurance and protection."
Indeed, moving to EMV and not requiring PIN authentication could have several unintended consequences, including increased "friendly fraud." Friendly fraud is false or questionable claims of fraudulent transactions filed by cardholders that retailers pay rather than challenge. Friendly fraud costs retailers $11.8 billion a year, according to Monica Eaton-Cardone, Chief Operating Officer at Chargebacks911. And online retailers bear the brunt of that cost, she added, since no physical traces are left by online shoppers.
Chip cards authorized with personal identification numbers programmed into the chips are believed to be far more secure than chip and signature cards. When the Association for Financial Professionals asked its members to weigh in on card data security recently, 61 percent said they believed chip and PIN validation to be the most effective defense against credit and debit card fraud.
Fraud threatens everyone in the payments space. In 2012, 31.1 million unauthorized transactions were processed through the banking systems, and those transactions had a combined total value of $6.1 billion, according to the 2013 Federal Reserve Retail Payments Study. Most of that activity involved cards (credit, debit and prepaid) – 92 percent of the number of unauthorized transactions and 65 percent of the total dollars lost. (Checks accounted for just 3 percent of the total number and 16 percent of total dollars lost.) Not included in that price tag, of course, are the associated labor costs.
Yet card fraud defies simple fixes. "As crucial as they are, we should keep in mind that prevention tools [like EMV] cannot stand alone. Even with stronger authentication methods, robust network security and other approaches in place, preventative measures aren't sufficient," Powell said.
In his remarks, Powell echoed a sentiment that I have heard expressed with increased frequency: a need exists for more and better cooperation between and among players in the payments space to combat fraud. "Complacency is everyone's enemy," Powell added. "Unfortunately, the firms involved in the payment system are not the only ones innovating: criminals have an ever-increasing arsenal of cyber-weapons at their disposal."
The Fed can't do much about that on its own. Fraud fighting is not part of its charter. However, it is in charge of setting policies and providing services to banks that promote an efficient payment system. And security certainly contributes to efficiency in payments.
Powell said the Fed hopes its latest payment system improvements project can be a catalyst for change. (See "Fed looks to online real-time payments, eventually," The Green Sheet, March 23, 2015, issue 15:03:02) As part of that project the Fed has set up two industry task forces, one focused on faster payments, the other on payment security. Each task force is expected to help the Fed come up with plans for improving payments, which the central bank then can encourage the industry to follow. Seriously, that's how it works; the Fed's role is pretty much limited to jawboning.
In the meantime card issuers need to speed up migration to chip cards, and improve customer education, experts agree. "Neglecting cardholder education on EMV is a squandered opportunity for banks to shine," said Nick Holland, Head of Payments at Javelin. "The halo effect from EMV will not last long – only a few short years – because of the normalization process of EMV in the public domain. For FIs to capture consumer attention, they need to proactively educate across a variety of media."
For many consumers, the only education provided is printed materials delivered with new cards, Holland added. Which brings me to my final point: chip card issuance continues to lag. I carry two credit cards and two debit cards in my wallet. Yet not one has been replaced with a chip card, and the EMV compliance deadline is less than four months away.
Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.