Is the Time Right for EMV Implementation in the US?

Over the past few decades, financial institutions, transaction acquirers and processors, and merchants around the world have been wrestling with the problem of fraud in the consumer payments system. While cash has its own set of vulnerabilities – and indeed, counterfeiting is on the rise – electronic payments have become widely accepted and have increasingly come under attack by fraudsters. The high level of sophistication of those perpetrating fraud has been countered in a number of ways, including the use of fraud analytics and neural networks to identify fraudulent transactions, as well as efforts to secure the payment transaction itself.

At the root of the problem is the still-ubiquitous magnetic stripe card that carries data, in a relatively unprotected manner, on the magnetic tracks on the card. Much of the world is, however, implementing the EMV specification suite, and migrating their magstripe payment cards to the more secure integrated circuit cards (smart cards or chip cards). The key driver for EMV implementation has, for the most part, been fraud – or at the very least, the threat of increased fraud.

What is EMV?

EMV denotes the set of specifications developed by EMVCo to govern the migration to chip for debit and credit payment systems. Since a private sector consortium developed these specifications, they represent de facto standards (as opposed to de jure standards). Their adoption is voluntary, although once adopted, compliance with certain parts of the standards is mandatory for the offering to be considered EMV-compliant.

The most recent version of the full EMV specifications was issued in June 2008 under the label EMV 4.2. An EMV Contactless Communication Protocol Specification has also been released (version 2.0.1, dated July 2009), which draws on the Level 1 Test Equipment Specifications (PICC Manual, PCD Manual, CMR Manual, Gerber Files) issued in May 2008. The first EMV standards to be put into place date from October 1994, when Release 1 was issued.

EMVCo is a company established by Europay, MasterCard and Visa (hence EMV) – and currently owned by American Express, JCB, MasterCard and Visa – to “manage, maintain and enhance EMV Integrated Circuit Card Specifications to ensure global interoperability of chip-based payment cards with acceptance devices including point of sale terminals and ATMs. EMVCo also administers a testing and approval process, and oversees the procedures for confirming compliance with the EMV standards.”*

The Fraud Question in the US

Card-based payments in the US amounted to US$3.7 trillion in 2009, about 47% of personal expenditure on goods and services. Direct losses resulting from card-based payment fraud are estimated to be approximately US$2.7bn, with 31% of that being from debit cards. This represents 7.4 basis points. The economic costs of fraud, however, are much higher – possibly even 10 times that of direct losses. This would include costs for card replacement, servicing fraud claims, lawsuits, lost business, etc.

Fraud has been, and will continue to be, a significant cost to card issuers, merchants and transaction acquirers in the US, but at current levels it has been accepted as part of the cost of doing business. One of the reasons that it has been managed so well is that most electronic payment transactions conducted in the US require online authorisation, whereas in jurisdictions with a less-developed telecommunications infrastructure, offline transactions may be allowed.

While the absolute level of fraud is always an important consideration in determining the investment that will be made in countermeasures, the trajectory of fraud is of critical importance. And the types of fraud perpetrated determine what can be done. The two largest categories of fraud in the US are counterfeit fraud (card skimming) and lost/stolen card fraud. Implementing a solution that can eliminate these two types of fraud domestically could reduce the annual fraud bill by almost 50%.

There is, however, much debate about whether any additional measures are required to combat fraud, and whether the candidate measures, such as EMV implementation, can support a business case based on fraud.

The Heartland Phenomenon

The Heartland Payment Systems breach reported in early 2009, and widely publicised since, brought the question of US payment system security into the public eye in a very dramatic way. Some 130 million credit cards were compromised (across all of the organisations breached). And while attention was focused on Heartland, it forced all players in the payments ecosystem to reassess payments system security. It also brought the Payment Card Industry Data Security Standard (PCI DSS) into question, since Heartland was thought to be compliant.

It was subsequently found that Heartland was not compliant at the time of the breach, but that still served to call into question the effectiveness of PCI DSS, particularly since it comes at a substantial cost to those forced to implement it. There have also been suggestions that there may be some more onerous provisions embedded in new releases of the specifications – which are periodically reviewed – as a result of the lessons learned from the Heartland breach. Merchants have not found the idea of higher compliance costs and more stringent measures appealing.

PCI DSS cannot, by itself, secure the payments system. As many payments security experts have noted, security needs to be layered to be effective. Furthermore, a payments processor or merchant has relatively little control over the security of the ecosystem as a whole, mainly because they do not issue payment cards. If the payment cards are inherently vulnerable to fraud – as magstripe cards are – any amount of protection from the time the card data is presented at a payment terminal to the time the transaction is processed by the issuing bank will not prevent fraud where the input data is fraudulent.

Nevertheless, the Heartland case resulted in a search for what can be done by merchants and acquirers/processors to address those areas of security that they are able to control. Measures such as end-to-end encryption and tokenisation are being considered for implementation, and have already been implemented by some.

International Acceptance

In the first 11 months of 2009, 35 million US citizens travelled abroad. Mexico, Canada, the UK, Germany and Japan are where most US travellers spend their money when they travel. All of these countries have implemented, or are in the process of implementing, EMV. Much of US travellers’ expenditure is paid for using credit cards.

Increasingly, US travellers are finding that foreign merchants with EMV terminals are declining their magstripe cards. Acceptance issues are likely to escalate as more and more merchants and acquirers migrate to EMV. There is also a strong likelihood that, within a few years, fallback to a magstripe transaction will no longer be allowed in some jurisdictions. Essentially, this points to the fact that the US card payments system is on a divergent path from that of many other countries.

Contactless Payments

The US consumer has embraced contactless payments, mainly because of the speed and convenience of completing a payment transaction. Although it currently represents a small component of all card-based payments, this form of payment is experiencing a particularly high growth rate. A contactless payment card already has a chip on the card, which is used to communicate with the payment terminal to complete a payment transaction. Contactless payments will increasingly come under attack from fraudsters, and hence a secure transaction is a requirement for this form of payment as well. This is the primary reason for EMV establishing a series of specifications for contactless payments.

Regulatory Interest

Since 9/11, the US federal government has taken a strong interest in flows of funds to terrorist organisations. Organised crime is increasingly using electronic payments fraud to fill its coffers, and there are known pathways between funds of organised crime and terrorist organisations. The US government has consequently started to pay greater attention to the security of the electronic payments systems, for these and other reasons.

While there is no plan to mandate any specific technology solution – indeed such a move would represent folly – there is a chance that increased regulatory oversight and intervention could force the industry to think more seriously about EMV implementation, not in isolation, but in addition to other security measures. Indeed, increased regulatory interest may be the catalyst that is required in the US to get all of the diverse parties together to rally around a solution.

The EMV Option

EMV implementation is far from trivial. Nor is it cheap. The estimated cost for the US to implement EMV is in the region of US$10bn if all costs are taken into account, i.e. over and above the costs of changing the card base, banking systems and systems used to process transactions. In the US’s case, the sheer size of the migration programme – it would be the largest in the world, by far – coupled with the thousands of players that would need to be involved, including the payment schemes, card issuing organisations, acquirers, processors and merchants, adds a layer of complexity to implementation that is not found in many other jurisdictions. And EMV migration will take a long time – possibly up to 10 years.

Ideally implementation should be built around sufficient consensus so that there is enough momentum from key stakeholders to carry the initiative forward. This is difficult to achieve in the US at the best of times, but when the business case is questionable – and questioned on so many fronts by all categories of player in the ecosystem – it is almost impossible.

It seems, however, that there may be a perfect storm brewing. With the US surrounded by jurisdictions that are implementing EMV, migration of payment card fraud to the less secure US payments system may well increase domestic fraud to levels where the business case for EMV becomes clearer. The pressure from processors and large merchants on card issuers to ‘fix the card problem’ may add some impetus. Increasing acceptance problems for US travellers may well force card issuers to start issuing EMV cards, even if it is only to those travelling. The increasing popularity of contactless payments among consumers may provide a mechanism for migration that makes the business case more attractive. And above all, the threat of regulatory intervention could be the accelerator for an industry-wide initiative.


