The Green Sheet Online Edition
August 25, 2014 • Issue 14:08:02
Card data security debate goes public as EMV deadline nears
As the pace of data breaches intensifies, so, too, does public momentum for merchants and card issuers to move to the Europay/MasterCard/Visa (EMV) protocol. It’s not just Visa Inc. and MasterCard Worldwide preaching alone for migration anymore. Lawmakers and the public at large are making their voices heard, too, as evidenced by a recent debate in the California legislature.
SB 1351, introduced by California State Senator Jerry Hill, D-SD13, would have required that 75 percent of new or replacement payment cards issued to California residents as of April 2016 incorporate EMV technology. The bill, widely opposed by the banking industry, was approved by a Senate committee, but then was tabled before it could be considered by the full Senate, at Hill’s request.
EMV is a standard for credit and debit cards that relies on a chip in lieu of magnetic stripe technologies to secure card information. Originally developed by Europay, MasterCard and Visa – hence its name – EMV also requires upgrades to merchant terminals and processor systems. Acquirers and processors must be in compliance and able to handle EMV traffic by now, according to EMVCo, the organization that manages the standard.
Card issuers and merchants have a little more than a year to get with the program, or suffer financial consequences. Those consequences: liability for fraud falls to the party that is not in compliance, whether that is the financial institution that issued the non-EMV card or the merchant lacking EMV-compliant terminals.
Proponents of the California legislation included several consumer advocacy and privacy rights groups. Opponents included MasterCard, Visa, about a dozen groups representing financial institutions and merchants, and at least one acquirer, Heartland Payment Systems Inc. Among the opponents' arguments: it interferes with an already national plan for EMV migration, it stifles innovation by "freezing a particular technology in statute," and it puts small, local retailers at a competitive disadvantage to large, multistate chains, according to an official bill analysis prepared by the state’s Senate Banking and Financial Institutions Committee. And there was this from the California Bankers Association: the edict is unconstitutional and preempted by federal statutes anyway.
Meanwhile, on the federal front, Sen. Al Franken, D-Minn., seized on the issues of data privacy and EMV following the massive 2013 Target Corp. data breach. The Minneapolis-based retailer has been reeling from bad publicity, legal action and red ink in the aftermath of the breach, which appears to have occurred during the year-end holiday season, and was said to have compromised card numbers and other information pertaining to more than 100 million customers.
In August 2014, Target put a $148 million price tag on the incident, which it said will be offset by $38 million in insurance, and drastically cut its second-quarter earnings forecast as a result, Reuters reported. That total excludes costs banks and other card issuers incurred sending out new credit and debit cards to customers, lest the stolen card numbers get used to generate counterfeit cards.
In the wake of the Target breach, Sen. Franken fired off letters to card companies and leading issuers raising questions about EMV adoption. Franken, who chairs the Senate Judiciary Subcommittee on Privacy, Technology and the Law, signed on as a co-sponsor of legislation establishing federal data security standards and breach disclosure requirements. That bill, the Personal Data Privacy and Security Act of 2014 (S.1897), was authored by Sen. Patrick Leahy, D-Vt., who chairs the Senate Judiciary Committee.
"Data breaches raise important questions about the responsibilities companies have to protect consumers' sensitive information and to prevent future theft," Franken wrote. "Recent data breaches at Target, Neiman Marcus and other companies make it clear to me we're dealing with a systemic security problem." Franken added that he was troubled by the lack of industry standards for chip cards, such as whether chip cards should have the added protection of PIN authorization.
The debate over PIN versus signature authorization of EMV cards has been ongoing. "PIN authorization, matched with chip cards, when implemented properly renders the POS unassailable," said industry consultant Paul Martaus, echoing a broadly held sentiment. "You need them both," he added. However, many of the EMV chip cards issued in the United States these days rely on signature authorization; they also bear traditional mag stripes, encoded with cardholder and account information that can easily get lifted by fraudsters.
Douglas King, of the Federal Reserve Bank of Atlanta, addressed the necessity for PIN and chip, combined, in a 2012 paper titled Chip-and-PIN: Success and Challenges Reducing Fraud and published by the Federal Reserve’s Retail Payments Risk Forum. "EMV chip-based cards offer superior protection of cardholder data compared to mag stripe cards, and PIN verification is far superior to signature verification in preventing fraud," King wrote. Referencing fraud data collected by the Fed, King explained that losses to card fraud involving signature authorizations are nearly four times as costly as fraud where transactions were authorized by PIN.
EMV adoption reflected in fraud figures
Worldwide, EMV adoption is strong. Figures published last year by EMVCo indicated that 1.6 billion EMV-compliant credit and debit cards had been issued and that there were 23.8 million EMV-compliant terminals in service, worldwide. The strongest showing was in Western Europe (where better than 80 percent of cards and 94 percent of terminals are EMV compliant) and a grouping that includes Canada, Latin America and the Caribbean (with 49 percent of cards and 78.5 percent of POS devices supporting EMV security).
U.S. adoption of EMV to date pales in comparison. The 2013 Federal Reserve Payments Study revealed that just 7 percent of general-purpose credit cards in the United States were EMV-compliant chip cards in 2012; 8 percent of debit cards were EMV cards. The Smart Card Alliance estimated that at present there are 10 to 15 million EMV-enabled credit cards in the United States; it counts about 1 million terminals as EMV-capable, although EMV functionality may not yet be turned on. "In other words, a lot of work remains," Jeff Carelli, Vice President of Credit and Fraud Solutions at FIS, wrote in a recent blog post on EMV.
Meanwhile, a 2014 survey of U.S. retailers by First Annapolis Consulting found nearly half of respondents had no idea what EMV was; just 24 percent said they were aware of the upcoming deadline for complying with EMV.
This lack of awareness is further evidenced by fraud figures. Since 2004, when the United Kingdom and several other large economies began moving to EMV (with PIN authorization), fraud rates on U.S. bankcards have risen 70 percent. The consultancy Aite Group LLC painted a more dire picture; it estimated that fraud rates on credit cards doubled, to 10 basis points (that is, $10 for every $100 in transactions) between 2007 and 2014.
According to the Fed’s 2013 payments study, which compiled data from 2012, 92 percent of all unauthorized third-party transactions (and 63 percent of the dollars lost to payment fraud) involved general-purpose credit, debit and prepaid cards. The Fed's data also pointed out another trend that is likely to intensify with EMV adoption: losses to card-not-present (CNP) fraud.
At 11.4 basis points, the CNP fraud rate in 2012 was nearly three times as great as the 3.9 basis points rate for card-present transactions. Similar trends have been witnessed as the U.K. and other nations moved to EMV. The success of EMV with PIN authorization in the U.K., King wrote, "has led the fraudsters to seek the lowest common denominator in terms of perpetrating fraud, transactions not protected by chip-and-PIN. These transactions most commonly occur in the CNP environment and in countries that still rely on mag stripe technology." Like the United States.
Several new reports suggest EMV adoption is picking up in the United States. Mercator Advisory Group Inc. projects 58 percent of credit cards issued and 26 percent of POS devices in the United States will be EMV compliant by the end of next year. "Issuers and merchants both appear to be taking EMV migration in stride, which is to say that they are incorporating it into routine card and terminal refresh cycles," said Michael Misasi, a senior analyst at Mercator and lead author of a new report, Preparing for 2015: The Year of the Liability Shift.
A recent report by Aite – EMV: Lessons Learned and the U.S. Outlook – paints a more optimistic forecast: 70 percent of credit cards and 41 percent of debit cards will be EMV enabled by the end of 2015, Aite said. Javelin Strategy & Research is perhaps most optimistic; it’s predicting 166 million credit cards and 105 million debit and prepaid debit cards by year-end 2015.
One reason for all the optimism: at least eight leading card issuers plan to ramp up EMV card issuance in the fourth quarter, according to Aite. "Taking the world’s largest card market from mag stripe to EMV is a massive undertaking," said Julie Conroy, Research Director for Retail Banking at Aite.
Target was watershed event
"The Target breach was a watershed," said Mike Fisher, Manager of Technical Sales at CPI Card Group. Fisher, with a career that has included American Express Co. and several card issuance and security firms, was hired to head up CPI's EMV initiatives. CPI specializes in card personalization and fulfillment and bills itself as "the global leader" in EMV payment card and related services. "My team is focused on educating [issuers] and putting together a road map for implementing EMV," Fisher said, adding that getting "hardware in place is one thing," but the learning curve for issuers and merchants can be steep.
Fisher said large retailers generate about 75 percent of payment card transactions here in the United States, and most are now migrating to EMV terminals. That, combined with stepped-up issuer compliance with EMV, suggests "the bulk of the transaction volume will probably be ready" by the October 2015 deadline set by the card companies, he noted.
Kris Riley, Product Manager at Direct Connect LLC, is hopeful too. The trick is going to be getting the millions of small businesses to embrace EMV. Many of the folks running these businesses either don't know about EMV, or they don't see a need, believing (erroneously) that fraudsters (many of whom are part of organized gangs) only hack into the POS systems of large businesses.
"We find that it helps to incentivize merchants to implement new security solutions," like EMV, Riley said. For example, Direct Connect offers free POS terminals to clients willing to upgrade to EMV. "We have agents out there actively going out to merchants and getting them to upgrade," said Garima Shah, Direct Connect Senior Vice President for Sales. "It's one of our biggest pushes this year." The Virginia-based ISO also makes available to customers a wealth of information about card fraud and EMV. Shah said the EMV push has been driving new sales for Direct Connect as well. "We're seeing our sales numbers double and triple every month," she said.
EMV and tokens?
Nobody expects EMV to put an end to payment card fraud, but it should stave off counterfeit credit, debit and prepaid cards, which are huge sources of bank losses, according to the American Bankers Association. "While EMV is not a silver bullet, it is an improvement over mag stripe. It may not have prevented some of the recent major breaches, but it would have reduced overall damage since there would have been fewer cards vulnerable to counterfeiting," Carelli said.
Meanwhile, leading merchants are pressing for added card security with tokenization. Tokenization protects card data by substituting a card's primary account number (PAN) with a randomly generated token, which is used to complete transactions in lieu of actual account information. The true PAN can only be discerned with the proper decryption key, which makes it possible to protect stored card data as well as data in transit.
A group of leading business trade associations released a statement in late July urging banks and other providers of payment card services to adopt tokenization. "Regardless of whether a consumer is paying at a brick-and-mortar checkout, at the pump, on the Internet, or even via a mobile phone, there is a need to ensure the payment data is protected," the statement read. "One way this can be done is through a technology called tokenization. A properly designed, implemented and enforced tokenization standard would move the U.S. payments system in the right direction toward mitigating payment card fraud and identity theft."
Sidebar: Getting a handle on cost
It’s true that only small portions of credit and debit card transactions are fraudulent, but total losses remain huge because of the immense volume of card payments U.S. consumers make.
According to the 2013 Federal Reserve Payments Study, 775.4 million general-purpose payment cards were used by Americans to ring up nearly $4 trillion in transactions in 2012. Although exact figures are hard to come by, most experts agree fraud involving payment cards costs the banking industry about $10 billion a year.
Opposition to EMV in the United States has been largely due to concerns about costs. Javelin Strategy & Research estimated the cost to U.S. card issuers and merchants of rendering all POS devices, ATMs and cards EMV-compliant to be $8.6 billion – a figure that is substantially less than the $10 billion in yearly losses to card fraud.
All card issuers and merchants must be EMV compliant by October 2015; petroleum merchants have until October 2017 to comply.
If the experiences of other countries are an indication, however, card fraud won’t disappear then, but rather move online and to other card-not-present transactions. These days CNP fraud accounts for 62 percent of all fraud involving cards issued in the U.K., up from 30 percent in 2004, noted Douglas King of the Fed’s Retail Payments Risk Forum. CNP transactions now account for 54 percent of all fraud involving payment cards issued in France, up from 25 percent in 2006.