2014-03-21

KEY POINTS

The massive data breach at Target stores in late 2013 is only a spectacular recent example of a deep-seated card fraud problem in the U.S. In 2013, fraud in the U.S. cost $6.8 billion and accounted for 51% of global card fraud losses. That amount is completely out of proportion to the U.S. share of global card transaction volume: 24%. 

Card networks are pushing for a solution — the adoption of a 20-year-old technology known as EMV, which places a smart chip on credit cards. Large-scale implementation of the standard is on the way, and will affect every player in the payments value chain. 

We estimate that the total cost of implementing EMV in the U.S. will be about $11 billion, representing a huge cost — but also a big opportunity for payment technology and service providers.

It will be a relatively long process to turn over existing technology to the EMV standard, taking at least four years. The full rollout will near completion around 2018, in the best-case scenario. We believe penetration of EMV-compatible payment terminals in the US will cross the 50%-mark in 2015. 

The EMV migration will not necessarily benefit all players. It will alleviate fraud perpetrated with counterfeit credit cards. But it will likely lead to a spike in "card-not-present fraud," which may hurt U.S. e-commerce retailers. Card-not-present refers to transactions, like online or phoned-in purchases, which are made without the merchant being able to see the actual card.

There's also a great deal of uncertainty over which variant of chip card transaction will catch on in the U.S. market. Banks that issue credit cards will be able to decide between "chip-and-sign," in which consumers plug their chip cards into special terminals, but still sign receipts, or "chip-and-PIN," which will require people to enter a PIN number instead of a signature. 

With such high costs and an uncertain timeline, the rollout of EMV might turn out to be a Pyrrhic victory for many of the players involved, even taking into account the fraud cost reduction. Payments technology is evolving so quickly that by the time the U.S. starts to see payoff from adopting EMV there may be a better solution available, such as biometric authentication. 

INTRODUCTION

The EMV or "chip card" standard,  is coming to the U.S., and it will have an enormous impact on consumers, merchants, and payment companies. 

EMV is a payments security standard for credit and debit card transactions. It stands for Europay, MasterCard, and Visa, which are the companies that developed it in the early 1990s, though the technology continues to evolve.

The technology is most recognizable as a chip on your credit or debit card (see image, above) and it is already widely used throughout much of the rest of the world outside of the U.S. It's particularly associated with Europe. 

The chip card standard is more secure than conventional magnetic stripe-bearing cards for several reasons. The embedded chip allows the card to communicate with payment company's computer servers. That means the card's security features aren't static — they can be refined and reinforced over time. In contrast, if magnetic stripe cards are "skimmed," the data can more easily be used to create clones of the card to commit fraud.

From a consumer's perspective, paying with chip cards is quite a bit different than the swipe-and-sign method commonly used in the U.S. Instead of the card being swiped, it's inserted into a payment terminal. After that, depending on the type of card issued by the bank, the customer either signs a receipt or enters a PIN number to complete the transaction.

The chip card standard has been adopted in most of the developed world, but has yet to be adopted in the U.S., which drives a large share of payment card global transaction value, and an even bigger share of global fraud, as we'll discuss in detail further on.

The fraud problem in the U.S. is why the largest card networks have set a 2015 deadline for EMV adoption. (A few select types of businesses will face a 2017 deadline, as we'll discuss further in the report.) After the deadline, participants in the credit card-processing ecosystem will need to upgrade their payment systems, or face greater liability for fraudulent transactions. Everyone will be affected. That includes "merchant acquirers," the banks and other vendors that help merchants accept card payments, the banks that issue credit cards to consumers, hardware makers (manufacturers of payment terminals), the big credit card-processing companies like First Data, and retailers. 

The EMV migration will be costly. We estimate that it will create $11 billion in spending on new terminals and related systems, new chip-bearing plastic cards, and ATMs. 

Will it be worth it? We look at the U.K., where EMV was implemented in the mid-2000s, as a case study to gauge the likely effect in the U.S. We believe the impact will be similar — card fraud overall will drop, but there will be an accompanying rise in fraud on e-commerce sites. Online merchants obviously can't access the technology embedded on the physical card (that's why e-commerce payments are called "card-not-present"), so the chips on chip cards won't help them very much. 

Additionally, payment technology is evolving so quickly that the migration to the new standard may end up being a Pyrrhic victory. Once merchants and payments service providers upgrade, new technology may come along that is cheaper and more functional than the systems they initially deploy to meet the chip card standard. For example, new EMV terminals might include technologies like NFC-compatibility (near-field communications) to accept mobile payments, but not biometric features like eye-scanners or fingerprint readers. 

Click here to download the charts and data in Excel » 

Click here to download the PDF version of this report »

The U.S. Has An Enormous Fraud Problem 

The scale of credit card fraud in the U.S. is completely out of proportion with the country's share of global card transaction volume. It adds a huge cost burden to the credit card industry. 

Consider the numbers: 

The U.S. share of fraud volume outpaces its share of payment card volume by about two-to-one. In 2012, the U.S. accounted for 47% of $11.7 billion in global payment card fraud, but only 23.5% of global card volume, according to the Nilson Report. 

We believe card fraud losses in the U.S. will rise again dramatically this year. Our own estimate, based on Nilson's data series, has the U.S. driving $7.1 billion in card fraud losses, or 51% of global card fraud volume in 2013. 

Nearly 95% of payment terminals in Western Europe run chip cards. But in the U.S., just 14% of the 11.8 million terminals in operation are EMV-compatible, putting the country dead last in EMV adoption compared to other regions.

Since the U.S. is the only developed economy with a mature consumer finance sector where the EMV standard isn't widespread, it's hard to escape the conclusion that chip cards would quickly put a dent in U.S. card fraud. 

(We'll take a closer look in a later section at what the U.K.'s fraud problem looked like in the years
before and after EMV adoption to get a sense of what could be in store for the U.S.)

Right now, most U.S. cards contain only a magnetic stripe, which is not much different than what you might find on the back of a hotel room key. That makes it easy for fraudsters to skim data from these cards and copy it onto a "clone," or duplicate counterfeit card.  

These clones can be used at physical payment terminals to effect fraudulent transactions (the holder of the skimmed card won't know it has been compromised, so they won't have had the chance to cancel it). 

The ability to clone cards is one reason why hackers target retailers, as they did in the now-infamous data breach at Target in late 2013, exactly as the U.S. holiday shopping season got underway over Black Friday weekend. 

Target's data breach, which occurred in late 2013 and affected as many as 110 million people, is a good example of why magnetic stripe cards are so vulnerable, and so widely used for fraud. The payment card information that was stolen from Target can be used to make multiple clones per card, and criminals are willing to pay between $20 to $100 for the information from a single card.

As we will see in the next section, the implementation of the chip card standard can't stop data breaches themselves — hackers can still break into retailers' computer systems. But since EMV card information can't be cloned, it reduces the incentive for hackers to go after payment card information.

This Is How Much EMV Is Going To Cost To Implement 

We estimate that the total cost of upgrading U.S. payment terminals and software systems to accept chip cards is going to be around $11 billion in order to reach full penetration. 

This $11 billion includes the cost of the three main components of the EMV ecosystem: 

$7 billion: New payment terminals and associated software

$3 billion: New debit cards and credit cards with the embedded chip

$840 million: Additional ATM hardware and infrastructure costs

Here's how we came up with these numbers. 

We arrived at the cost of new terminals and software by calculating an average selling price or ASP for new payment terminals, and tallying annual cost depending on how quickly adoption will proceed.

In a nutshell, large retailers will adopt EMV terminals first, and will spend on relatively expensive hardware and systems, and ASP will fall over time. So much of the spending will be "front-loaded," occurring this year and next, while prices are still high. 

We think that EMV-compliant terminals will account for 35% of all payment registers by year-end, and 87% of all checkout systems by 2017. 

But new payment terminals are not the only cost. We also need to account for banks that will have to issue new payment cards.

Chip cards cost about $2-$4 to issue, versus $0.15 for magnetic stripe cards, according to First Data.

There are about 1.1 billion credit and debit cards circulating in the U.S., according to our estimates, which are based on company filings from Visa, MasterCard, American Express, and Discover. 

That means that the cost of issuing chip cards will be around $3.3 billion ($3.1 billion more than it would have cost to reissue the old magnetic stripe cards). 

The other cost associated with the change over to the EMV standard is ATM upgrades.

There are about 400,000 bank and privately owned ATMs in the U.S. and upgrades cost about $3,500 on average per terminal, based on data from Vantiv.

If we assume two-fifths of those ATMs would need to be upgraded as part of the normal replacement cycle in the next three and a half years — in other words, they would have had to be changed out anyway — then the additional ATM cost triggered by the EMV conversion comes to $840 million. 

That brings the total cost of upgrading to the EMV standard to around $11 billion by our estimates, not including the cost that back-end payment processors have already spent to upgrade their systems.

Our estimate is in the same ballpark as those made by First Data and Aite group, though it's worth mentioning that the National Retail Foundation is quoted as saying the cost of upgrading for merchants alone could be as high as $30 billion, according to Reuters. 

Why The Card Networks Are Pushing Chip Card Adoption

Although card networks like Visa and MasterCard don't currently bear responsibility for fraud, these are the companies that have instituted the EMV deadline. Why?

The are three main reasons.

Brand protection: The major concern among card networks is their brands. People are understandably distressed when their credit cards are used for fraud. Consumers may come to associate the main credit card brands with troublesome experiences, and use them less. So, reducing fraud is in the best interest of the card networks, even though they don't bear the direct financial cost.

New technologies: Second, the card networks don't want to be left out as consumers move to new payment tools, like smartphone-based payments. Pushing the chip standard may indirectly help keep them in the game because many of the new EMV-compliant terminals will also be compatible with technologies like NFC (Near-Field Communications), which is used by mobile wallets like Google Wallet and Isis.  

Interoperability: In the final analysis, what card networks like Visa and MasterCard want is more volume. If a customer isn't able to easily use their card all over the world because of different security standards, that hurts the card networks. 

To the card networks, it doesn't matter if transactions come from physical plastic cards or smartphones, as long as the transactions are processed through the rails they control, based on credit card numbers. Since most mobile wallets use stored credit card information to run transactions, the card networks remain a key part of the process.

Mobile-based payments will definitely account for a bigger slice of total in-store sales transaction volume in coming years.

This is great for credit card companies — if they're involved in these transactions — because many of these payments, particularly for inexpensive purchases, will replace the use of cash, which is the entire card industry's real enemy.

EMV, in other words, could serve as a kind of Trojan Horse for mobile payments tech, getting it into merchant point-of-sale terminals. 

Since typical terminal upgrade cycles are long, between three to seven  years, card networks would rather see NFC-compatible terminals deployed now, in conjunction with the EMV migration, in anticipation of more mobile payments volume, rather than missing out as merchants wait many more years to upgrade.

"One of the added benefits of installing EMV ... is that it puts the U.S. payments system on a much more robust platform to support other payment solutions that may come to that market," says Randy Vanderhoof, executive director of the Smart Card Alliance and director of the EMV Migration Forum. "NFC is one of those innovations that has had a varied uptake because there has not been the infrastructure to accept payment via mobile device prior to this migration to EMV." 

The stipulations of each card network's EMV deadline vary slightly, but these are the broad requirements and timeline put forth for their implementation:

April 2013 — Merchant acquirers and credit card processors had to upgrade their systems to be able to process chip card transactions. 

October 2015 — Liability for magnetic stripe card fraud — the type of fraud most commonly committed today — is shifted to the entity that does not support EMV technology, i.e. the piece of the credit card chain that forces the transaction to revert to magnetic stripe authentication (which EMV cards can still support). While the liability question gets complex in specific instances, the broad idea is that the merchant, issuing bank, or credit card processor that's not on board with EMV would bear the responsibility when fraud occurs.  

October 2017 — The liability shift goes into effect for organizations that sell fuel, i.e. gas stations. These businesses have much more expensive payments terminal — think of the high-tech gas pumps that also accept credit cards — and so have more time to upgrade. 

One way to think of the EMV deadline in the context of the liability question is to liken it to a game of chicken. 

It is not that banks or merchants will actually face some kind of direct and immediate penalty if they fail to meet the EMV deadline. The different players in the credit card-processing ecosystem will face different incentives and risks in the migration to EMV, and some will nudge other players in the chain to upgrade. 

Some players will delay implementation, and try to muddle through for a time, even as fraud risk piles up. 

This is also why full EMV compliance will happen over a period of years, rather than quickly follow the actual deadline.   

One piece of recent U.S. financial regulation, the Durbin Amendment, will complicate EMV implementation for debit card transactions.

The reasons go beyond the scope of this report, but in order to comply with aspects of the amendment, debit card networks will face a host of technical challenges as they migrate to the EMV system.

Will EMV Solve The U.S. Fraud Problem?

As the above example shows, EMV won't completely solve the fraud problem in the U.S., but it will certainly lead to a significant reduction in fraud. E-commerce businesses, however, will need to keep watch because they will actually likely see an increase in fraud. 

The chart on the right is based on an analysis we did to gauge how effective the EMV standard was in reducing card fraud in the U.K.

We controlled for inflation, as well as the growth in the volume of electronic transactions overall. 

Card-present fraud loss was halved in two years: It was £83 ($137) per 1,000 card-present transactions in 2004 as EMV neared 20% implementation, but losses were down to £38 ($63) by the time EMV was fully implemented in 2006.

But online card fraud went up: As card-present fraud ticked down, another form of fraud, "card-not-present," went up. Criminals in the U.K., deterred by EMV, looked for opportunities to perpetrate fraudulent e-commerce transactions. But even card-not-present fraud began to decrease after 2008.

In a decade, card fraud dropped dramatically: By 2012, total fraud had dropped by an impressive 66% in the U.K. compared to 10 years earlier.

The U.K. story shows that not all merchants will win with EMV, at least not right away. Online merchants will be understandably wary of the impact. 

"We have seen evidence in the other countries that have implemented EMV that when you reduce fraud in the counterfeit channels and physical retail stores, fraud does increase in those online channels," says Vanderhoof, of the Smart Card Alliance. "Once we've taken care of the major fraud vulnerability — which is counterfeit fraud — then we can put more resources into the online channels which represent less than 25% of what the total card payments market is today." 

The size of the fraud problem post-EMV will depend on many factors, but one of the principal ones is whether the U.S. card industry ends up adopting "chip-and-PIN" as their system for completing card purchases, or "chip-and-sign."  

In the U.K., chip card transactions require cardholders to enter their PIN number with every card transaction, which makes it difficult for stolen cards to be used.

But in the U.S., card networks are only requiring a signature to comply with the liability shift. The card issuing-bank can choose to adopt the more secure PIN standard but that is the bank's choice, rather than a mandate from the card networks.  

If banks decide to only require a signature with chip card transactions, then fraud reduction may not be as significant as what we saw in the U.K.

Without a PIN requirement, lost or stolen chip cards can more easily be used for fraudulent transactions. 

But say issuers do decide to institute the chip-and-PIN standard — with the best-case scenario for fraud reduction in place, we would expect to see the decrease in total fraud to be even more significant than in the U.K. for three reasons: 

The major card networks have improved their systems for catching card-not-present fraud. 

There's no longer many places in the world that don't accept chip cards. Chip cards still have their magnetic stripes, and are run as magnetic stripe cards at terminals that aren't chip card-compliant. That's one explanation for the spike in counterfeit card fraud on U.K. cards in 2007 and 2008, after the chip card rollout was complete. (See chart, above.) This does not represent fraud primarily in the U.K. Instead, it's fraud that was conducted using UK cards, primarily in other countries where presumably magnetic stripe terminals are still in use. 

There will be less fraud from lost or stolen cards. In the case of the U.S., a full conversion to chip-and-PIN cards would also reduce fraud from lost or stolen cards, whereas with chip-and-sign, lost or stolen cards can still be used. 

So will the U.S. turn to chip-and-sign or chip-and-PIN? 

"Based on early evidence from issuers we are seeing a mix of cardholder verification methods," says Vanderhoof of the Smart Card Alliance. Some are chip-and-pin and others are chip-and-signature. It's going to be up to the issuers to decide what their particular customer portfolio wants and what best fits their market."  

The truth is that no one knows yet, although we believe that one of the two protocols will win out and become the standard. Eventually all transactions will be completed through one of the two methods. If they do coexist for a time — which will be very confusing to consumers — it will be short-lived. 

One reason that banks are issuing chip-and-sign cards right now is that some crucial functions of chip cards aren't supported in the current payments infrastructure. 

For example, in order to change the PIN on a chip-and-PIN card, the user needs to find a chip-compatible ATM or go to a branch to do so. Since not all ATMs have upgraded, consumers wishing to reprogram their PIN face difficulty in finding a place to do so. That could be a huge inconvenience for consumers who forget their PIN, since in a full chip-and-PIN system they'd be effectively blocked from making purchases until they recovered their PIN or changed it into a new one. 

All things being equal, after all the necessary investments are made, the U.S. card industry probably wouldn't start to see a net positive return — in the form of eliminated fraud — from implementing the chip standard until the early- to mid-2020s, even if the chip-and-PIN transaction method is implemented everywhere.

The risk is that by the time EMV-triggered savings do come into force, other forms of authentication will be state-of-the-art.

There are already alternative technologies for payments security out there that limit exposure of payment information even more than the EMV system. One example is Dwolla's token-based system, which we recently profiled. Bitcoin's system involves an ingenious layer of encryption, which also limits exposure of private information (although the Bitcoin system has shown itself to be vulnerable to theft as well).

Finally, biometric authentication systems — technologies that read fingerprints or scan the eyes — could also supplant the numbers-based systems that the credit card networks use. Apple's inclusion of a fingerprint scanner in the iPhone 5S, which can already be used to authenticate app store purchases, offers a clue of what payment authentication might look like in the future.

THE BOTTOM LINE

The massive data breach at Target stores in late 2013 is only a spectacular recent example of a deep-seated card fraud problem in the U.S. 

Card networks are pushing for a solution — the adoption of a 20-year-old technology known as EMV, which places a smart chip on credit cards. 

We estimate that the total cost of implementing EMV in the U.S. will be about $11 billion, representing a huge cost — but also a big opportunity for payment technology and service providers.

It will be a relatively long process, taking at least four years. 

The EMV migration will not necessarily benefit all players. It will alleviate fraud perpetrated with counterfeit credit cards. But it will likely lead to a spike in "card-not-present fraud," which may hurt U.S. e-commerce retailers. 

There's also a great deal of uncertainty over which variant of chip card transaction will catch on in the U.S. market. 

With such high costs and an uncertain timeline, the rollout of EMV might turn out to be a Pyrrhic victory for many of the players involved. 

Join the conversation about this story »

    

Show more