What’s the Deal with the Chip?
Over the past several months, your card issuer may have sent you a new card equipped with a funky little chip on it.
You probably received some marketing materials explaining that this chip enhances your card security, and instructions for using your new card at “EMV terminals” you have yet to actually see in the marketplace (unless you’re an experienced world traveler). Your card issuer may also now be asking you to use a PIN with your credit card (well that’s certainly annoying). So what’s the deal with the chip and PIN?
Collapsing Under the Weight of Fraud
It really comes down to fraud. The US mobile payments industry will reach $214 billion in gross dollar volume in 2015, up from $16 billion in 2010 – a 68% growth rate[1], but margins are collapsing under the weight of fraud. The loss from US credit card fraud grew by 29% last year, and cost issuers a whopping $7.1 billion[2]. Predictions for 2015 push loss numbers past $15 billion globally and quite frankly, revenues from the card business can no longer absorb the fraud hit. Marry this to the fact that the US accounts for 51% of global payment card fraud costs[3], and you have one very large problem for American banks. Enter EMV.
EMV – What is it?
EMV (named for the Europay, Mastercard and Visa standards) refers to smart chips embedded into enabled cards that actually work as mini-computers. They contain microprocessors that encrypt your personal information, which in turn helps safeguard that information from criminals when you make a transaction. Traditionally, this information is contained on the magnetic stripe on the back of a card (but not encrypted), making it easy for criminals to steal sensitive information, such as your name and account number. Remember the Target data breach? Ah, now you’re listening!
Crushing Costs of Conversion
So it sounds like a no-brainer. Why wouldn’t you switch over to a technology proven to reduce fraud, especially one that is already accepted as the technical standard behind more than 1.24 billion payment cards, and 15.4 million point of sale terminals, around the world[4]? The answer lies in the cost of conversion. Industry experts report that a US conversion to EMV technology will affect 15 million point of service devices, 360,000 ATMs, 609.8 million credit cards, and will serve up a humbling $8 billion dollar bill to market participants[5].
No wonder the US market has tried to keep its head down, and avoid the cost to convert thus far. But like grains of sand through an hourglass, the time to limp along with present technologies is running out, and the industry knows it. Issuers unable to shoulder crippling fraud costs are pushing for a liability shift. By October of 2015, if a contact chip card is presented to a merchant that has not adopted contact chip terminals at a minimum, liability for counterfeit fraud may shift to the merchant’s acquirer. And that’s got people talking…
This is GROUNDBREAKING!… or is it?
The US is the only country in the world that has not committed to either a domestic or cross-border liability shift associated with chip payments. These cards and technology have been in existence since the 1990s, and have been widely adopted in Europe. There, more than 83% of all cards are equipped with EMV chips[6], and more than 96% of all card present transactions are made using EMV technology[7]. This compares with single-digit percentages among US users.
In Europe, early implementation of EMV was a response to the high rate of existing card fraud as compared to the US. Communications networks there were more expensive and less robust, making the cost of using them for fraud prevention extremely prohibitive. These costs prevented merchants from using online transaction processing as the de facto payment authorization standard, and therefore led to EMV capabilities. Is the US adopting a European solution? Or is EMV a superior technology and the industry’s optimal solution in the fight against fraud?
So, Does it Work?
After EMV implementation, fraud in the Single Euro Payments Area (SEPA) fell by 7.6% between 2007 and 2011, including a 24% drop in fraud at POS terminals, despite a rising use of cards. When Canada introduced chip-and-PIN cards in 2008, card-skimming losses dropped 73%. That being said, crime never sleeps, and fraud patterns began shifting from traditional counterfeit and lost/stolen fraud, to a sharp increase in Card-Not-Present (CNP) fraud. Canada experienced a 133% increase in CNP fraud between 2008 and 2013[8].
The discussions weighing the pros and cons of EMV implementation rage on. Some are adamant that savings clearly pay for the investment. Others wonder whether new technologies could very well make EMV obsolete. One thing everybody can agree on – conversion won’t be easy. According to Tommy Marshall, payments Partner at Capco, “The US is a large and complex marketplace, with multiple uber-retailers, banks and card associations that would need to work together to implement this technological behemoth”. Additionally, these players have long been at odds over who should bear the responsibility for the predicted costs of EMV implementation. Are the gloves about to come off?
The biggest driver for EMV adoption in the US is the liability shift that is set to occur in October of this year. Stay tuned for deeper insights into EMV conversion, including what proposed shifts will mean in practice, and how banks will address the complexities of EMV card issuance and rollout in Part II of our series, “Our EMV Future”.
What’s up with the PIN?
Depending on your card issuer you may be asked to use a PIN in situations where you used to just swipe and sign. This is determined by how your issuer decides to set up its cardholder verification method (CVM) list. In the new EMV transaction authorization process, there are four ways to verify that the person making the transaction is authorized to do so.
In the order of most to least secure:
- Online PIN – your PIN is validated against the issuer’s system of record in real time
- Offline PIN – your PIN is validated against information stored on the chip
- Signature – you sign for the transaction (typical today)
- No CVM – typically used in low value transactions
The card issuer makes a prioritized list of CVMs it supports and loads it onto the card profile. This list is bumped up against a list of CVMs the point-of-sale terminal supports, and a common CVM is selected. PIN (online or offline) is considered to be the most secure CVM. However, your issuer may choose to forgo the PIN option because it is perceived as having a negative customer experience. Visa, for instance, has been encouraging its card issuers to retain signature as the primary CVM.
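The selection step described above, as an added example that is not part of the original article: a simplified Python model in which the first entry in the issuer's priority order that the terminal supports wins, so a signature-first card ends up with signature even at a PIN-capable terminal. The names (`CvmRule`, `select_cvm`, `is_downgraded`), the card profiles, the terminal sets and the 25.00 no-CVM limit are assumptions, and the model does not reproduce the on-card encoding of the CVM list.

```python
from dataclasses import dataclass
from typing import Optional

# Ranking taken from the article's list: most secure (3) to least secure (0).
STRENGTH = {"online_pin": 3, "offline_pin": 2, "signature": 1, "no_cvm": 0}

@dataclass(frozen=True)
class CvmRule:
    method: str
    max_amount: Optional[float] = None  # assumed condition: rule applies only up to this amount

def applicable(rule, terminal_supports, amount):
    in_range = rule.max_amount is None or amount <= rule.max_amount
    return in_range and rule.method in terminal_supports

def select_cvm(card_rules, terminal_supports, amount):
    """First rule, in the issuer's priority order, that the terminal can perform."""
    for rule in card_rules:
        if applicable(rule, terminal_supports, amount):
            return rule.method
    return None  # no common CVM: cardholder verification cannot be performed

def strongest_common(card_rules, terminal_supports, amount):
    """Strongest method both sides could have used for this amount."""
    usable = [r.method for r in card_rules if applicable(r, terminal_supports, amount)]
    return max(usable, key=STRENGTH.get, default=None)

def is_downgraded(card_rules, terminal_supports, amount):
    """True when priority order picked something weaker than the best common method."""
    chosen = select_cvm(card_rules, terminal_supports, amount)
    best = strongest_common(card_rules, terminal_supports, amount)
    return chosen is not None and STRENGTH[chosen] < STRENGTH[best]

# Constructed card profiles (not real issuer data).
PIN_FIRST = [CvmRule("no_cvm", 25.0), CvmRule("online_pin"),
             CvmRule("offline_pin"), CvmRule("signature")]
SIGNATURE_FIRST = [CvmRule("signature"), CvmRule("online_pin"), CvmRule("no_cvm")]
# Constructed terminal capability sets.
CHIP_AND_PIN_TERMINAL = {"online_pin", "offline_pin", "signature", "no_cvm"}
SIGNATURE_ONLY_TERMINAL = {"signature", "no_cvm"}

if __name__ == "__main__":
    for name, card in (("PIN first", PIN_FIRST), ("signature first", SIGNATURE_FIRST)):
        for amount in (10.0, 80.0):
            print(name, amount, select_cvm(card, CHIP_AND_PIN_TERMINAL, amount),
                  "downgraded" if is_downgraded(card, CHIP_AND_PIN_TERMINAL, amount) else "")
```

Running `is_downgraded` over a card profile against each terminal type an issuer expects in the field shows where its priority order, rather than terminal capability, is what keeps a transaction off PIN.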