The Innovator - Financial Services Roundtable

The Innovator. March 2012
Factors Influencing EMV Adoption in the United States
• BITS & BYTES: EMV in the U.S., by Dan Schutzer, BITS
• Consumer Payments 3.0© - Secure Payments across all Channels in the US, by Dr. Toni Merschen, Toni Merschen Consulting
• A US Shift to EMV Technology – Ensuring Interoperability in a Connected World, by Ben Knieff, NICE Actimize
• EMV in the U.S.: Simplifying Deployment in a Zero Floor Limit Environment, by Simon Hurry, Visa Inc.
• Creating the Next Generation U.S. Payment System Environment – the MasterCard Perspective, by Dave Meadon, MasterCard
• Adopting EMV in the U.S., by Eric Schindewolf, Vice President, Wells Fargo Bank
• Chip-and-PIN: Success and Challenges in Reducing Fraud, by Douglas King, Federal Reserve Bank of Atlanta
We value your opinion. Please contact Dan Schutzer, [email protected], if you have comments
about this edition of The Innovator.
Disclaimer: The views and opinions expressed in the enclosed articles are those of the authors
and do not reflect the official policy or position of BITS or The Financial Services Roundtable.
BITS and BYTES: EMV in the U.S.
By Dan Schutzer, Chief Technology Officer, BITS
Those in the U.S. payments business are beginning to take a serious re-look at migrating to
EMV. Simon Hurry reminds us in his article that there was an earlier attempt to introduce EMV
in the U.S. that was based upon loyalty and multi-application cards as the main driver. It failed
because the cost of cards and the supporting infrastructure to process both chips and loyalty
applications was too high at the time; and we didn’t have then the drivers of increasing card and
ATM fraud, issues of acceptance for travelers to Europe and other countries outside the U.S., and
the move to mobile. This re-look was recently highlighted by announcements by Visa and,
more recently, MasterCard 1 of an EMV roadmap for the U.S. In this issue of The Innovator, we
are fortunate to have contributions from many of the key players in the payment processing
supply chain, from consultants, to payment processors, to card networks, issuers and regulators.
Several key themes emerge from these articles:
1. Costs have dropped, especially when we are doing online EMV. 2
2. “Although ‘offline-only’ transactions, even if not the way forward when building a U.S.
domestic program, may be necessary to accommodate international travelers, especially at
off-line only terminals and kiosks, such as those used by the French rail”. 3
3. Although “EMV is not perfect, 4 it has resulted in reduced fraud and continues to evolve
and adapt” 5 in response to changing fraud patterns.
4. EMV can provide the industry with “a technology that is fit for a fully-connected world
with a multitude of consumer devices that can be used ‘anywhere, anytime’; that secures
commerce; that enables us to innovate and grow the retail payments business.” 6
5. “For EMV to get widely adopted in the U.S., because of its complexity and the large
number of different stakeholders, there will need to be incentives and liability shifts,” 7 8 9
with some level of uniformity. 10
6. If the U.S. decides to move to EMV or some other chip-based technology, there needs to
be a coordinated effort amongst financial issuers, networks and merchants to prevent
fraud from shifting to other products and devices. 11 12
I hope you agree with Toni Merschen when he states, “The US financial industry and the
merchant community have a once in a lifetime chance to bring their payment infrastructure
to a state-of-the-art level which addresses usability, functionality, security and cost
requirements,” by adopting EMV or some variant of it. Thanks and happy reading!
1 “MasterCard says U.S. EMV Adoption is Key to Next-Gen Payments,” by Olivia LaBarre, Bank Systems & Technology, February 1, 2012.
2 Simon Hurry’s article, “EMV in the U.S.: Simplifying Deployment in a Zero Floor Limit Environment,” The Innovator, March 2012.
3 Eric Schindewolf’s article, “Adopting EMV in the U.S.,” The Innovator, March 2012.
4 Ross Anderson, University of Cambridge, January 20, 2012, BITS R&D SIG presentation on the vulnerability of EMV, Online and Electronic Fraud – Incentives and Regulation.
5 Ben Knieff’s article, “A US Shift to EMV Technology – Ensuring Interoperability in a Connected World,” The Innovator, March 2012.
6 Dave Meadon’s article, “Creating the Next Generation U.S. Payment System Environment – the MasterCard Perspective,” The Innovator, March 2012.
7 Ben Knieff’s article, “A US Shift to EMV Technology – Ensuring Interoperability in a Connected World,” The Innovator, March 2012.
8 See Simon Hurry’s description of Visa’s Technology Innovation Program (TIP), which relieves merchants of their annual PCI DSS compliance validation obligation provided that 75% of their Visa transactions originate from contact and contactless EMV chip capable terminals, and of the October 2015 liability shift, where any fraud resulting from counterfeit cards, created using data from the magnetic stripe of an EMV card and used at a merchant who does not have an EMV capable POS terminal, may entitle the issuer to charge back the transaction.
9 The Visa liability shifts are in some contrast to MasterCard’s recent announcement where their liability shift in 2015 falls to the party in the payment process that provides the least security; e.g. “If the merchant has chip-and-PIN capabilities, but the issuer has only chip-and-signature, the liability falls to the issuer, or vice-versa,” “MC: Pick Any Chip-Card Security You Want, as Long as It’s PIN,” by David Heun, American Banker, Feb 2, 2012.
10 “The separate initiatives launched by two different card schemes could be worrisome to industry leaders such as David Porter, general manager of Chase card services at JPMorgan Chase, who said in a recent BS&T article that successful adoption of EMV in the U.S. won’t happen until all of the card schemes take a more uniform approach.”, “MasterCard Says U.S. EMV Adoption is Key to Next-Gen Payments,” by Olivia LaBarre, Bank Systems & Technology, February 1, 2012.
11 Doug King’s article, “Chip-and-PIN: Success and Challenges in Reducing Fraud,” The Innovator, March 2012.
12 Eric acknowledges in his article that although solutions exist today for applying EMV to “Card not Present” they introduce a whole new set of expenses and servicing challenges for U.S. issuers who’ve only just started working with EMV.
Consumer Payments 3.0© - Secure Payments across all Channels in the US
Dr. Toni Merschen, Principal at Toni Merschen Consulting
Introduction and Background
Momentum is undoubtedly building around upgrading the infrastructure US consumers use every
day to pay at the point-of-sale (POS) and withdraw cash at automated teller machines (ATM).
After using cash to pay merchants for delivering goods and services for ages, i.e. ‘consumer
payments 1.0’, consumers and merchants started to rely on magnetic stripe based plastic cards
more than 40 years ago. Although many improvements in terms of functions, features and
security characteristics have been implemented during this time period, this ‘consumer payments
2.0’ technology is approaching its end of life. A whole series of innovative ways to pay and
interact, e.g. contactless cards, mobile payments, position based services, and person-to-person
transactions, require a more secure and versatile payment infrastructure than the magnetic stripe
technology can provide.
Against this backdrop, both Visa and MasterCard have recently announced initiatives to
introduce chip based technologies for the US market in the next couple of years. They are
requesting - in various flavors and along so far unsynchronized timetables – the deployment of
EMV compliant terminal and ATM technology and the support of the associated data
transmissions in the payment system networks and servers. EMV has been the accepted global
standard for the interaction between chip cards and terminals equipped to accept such cards 13.
The payment world outside the US has witnessed an impressive success story regarding the
deployment of EMV. More than 1.3 billion EMV cards are in circulation and are accepted at
more than 20 million EMV terminals around the world 14. Most recently, Canada has undergone
a complete upgrade of its payment infrastructure and implemented EMV nationwide.
EMV is not just about chip cards; it’s about a modern, multifaceted and highly secure payment
infrastructure. It works in the brick-and-mortar world but also for payments and strong
authentication in non-face-to-face situations such as on the internet or with phone based services.
The US payments industry and the merchants have a unique opportunity to deploy what we call
‘consumer payments 3.0’. That is to revamp the payments experience for consumers and
merchants, through contact, contactless and mobile payments at the POS. Simultaneously, all
stakeholders can leverage the new technology infrastructure to make non-face-to-face payments
and ATM withdrawals more secure. In doing so, they have a huge chance to avoid the mistakes
other markets made when introducing EMV.
13 The abbreviation EMV is derived from the initials of the original developers of the standard (Europay, MasterCard and Visa). Europay has since merged with MasterCard and the EMV standard is now maintained and managed by EMVCo LLC, jointly owned by American Express, JCB (Japan Credit Bureau), MasterCard and Visa.
14 http://www.emvco.com/about_emvco.aspx?id=202
Basics
EMV chips store cardholder data and credentials, including the PIN, and the cryptographic
keys of the payment systems in secure storage that is next to impossible to break into. At the
beginning of a transaction the chip authenticates itself to the terminal so both participants know
that the card is genuine and has not been counterfeited. EMV chips can also verify the PIN
entered by cardholders proving that the cardholders are who they claim to be. These two
features have reduced payment card fraud – counterfeit and lost & stolen – significantly
wherever the technology has been deployed. The ensuing transaction authorization is based on
the electronic documentation of both the card authentication and the cardholder verification; it is
therefore more reliable and efficient than any paper based or manual procedure. Certainly, the
payment networks have to be prepared to process the chip related data generated during the
transaction from the point of interaction to the issuer host and all the way back.
All three stages of the EMV transaction described above can be executed offline at the terminal
or online using the networks. It is important to understand though that while card authentication
and PIN verification can be handled offline the transaction authorization itself can still be
performed online involving the issuer host. In fact, most chip transactions worldwide are
authorized online; the authorization request from the chip will include electronic indicators that
the card and the PIN have been positively identified as genuine.
The versatility of the EMV technology described is underlined by the fact that EMV supports
contact, contactless and mobile payment transactions. Both contactless cards and mobile phones
have integrated chips that perform the same functions during a transaction as would a chip
embedded in a contact EMV card. Visa’s request to upgrade the US merchant environment to
EMV clearly indicates that Visa rates the current magnetic stripe infrastructure as not secure
enough to support mobile payments in mass volumes.
EMV technology provides issuers, acquirers, consumers and merchants with a functional and
security architecture and operational infrastructure that works consistently across multiple
channels. Transaction processing including the expensive handling of exceptions and
chargebacks becomes more efficient and less costly.
Finally, EMV chips can be leveraged to protect interactions via non-face-to-face channels. As
discussed above, the chip can verify a PIN offline and then generate a dynamic one-time
password (OTP) which can be transmitted to the issuer. Once the issuer has verified the OTP as
genuine (by using chip parameters it monitors in its systems) the issuer knows that the card was
present and the correct PIN was used. This form of authentication is by orders of magnitude
stronger than a static password or other classical means of authentication such as mother’s
maiden name or address verification. With static passwords being frequently hacked and identity
theft turning into a major problem for the entire society, strong authentication must become a
matter of highest priority for the payment industry.
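The chip-generated OTP flow described above, sketched as an added example that is not part of the original article. HMAC-SHA256 stands in for the chip's cryptogram algorithm, and the per-card key, the transaction counter, the look-ahead window and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac

OTP_DIGITS = 8
LOOKAHEAD = 5  # assumed: how many unused OTPs the issuer tolerates between logins


def derive_otp(card_key: bytes, counter: int) -> str:
    """Decimal OTP bound to one counter value (HMAC is a stand-in algorithm)."""
    mac = hmac.new(card_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class ChipCard:
    """Card side: the key, reference PIN and counter never leave the chip."""

    def __init__(self, card_key: bytes, pin: str, pin_tries: int = 3):
        self._key = card_key
        self._pin = pin
        self._pin_tries = pin_tries
        self._tries_left = pin_tries
        self._counter = 0

    def generate_otp(self, entered_pin: str):
        """Verify the PIN offline; return an OTP only if it matches."""
        if self._tries_left == 0:
            return None  # PIN blocked after too many wrong attempts
        if not hmac.compare_digest(entered_pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None
        self._tries_left = self._pin_tries
        self._counter += 1  # every OTP consumes a fresh counter value
        return derive_otp(self._key, self._counter)


class IssuerHost:
    """Issuer side: tracks, per card, the last counter value it accepted."""

    def __init__(self):
        self._cards = {}

    def enroll(self, card_id: str, card_key: bytes) -> None:
        self._cards[card_id] = {"key": card_key, "last_counter": 0}

    def verify(self, card_id: str, otp: str) -> bool:
        record = self._cards.get(card_id)
        if record is None:
            return False
        start = record["last_counter"] + 1
        # Only counters ahead of the last accepted one are tried, so a captured
        # OTP cannot be replayed once it (or a later one) has been used.
        for counter in range(start, start + LOOKAHEAD):
            if hmac.compare_digest(derive_otp(record["key"], counter), otp):
                record["last_counter"] = counter
                return True
        return False


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key
    card, issuer = ChipCard(key, "4821"), IssuerHost()
    issuer.enroll("card-1", key)
    otp = card.generate_otp("4821")
    print("first use accepted:", issuer.verify("card-1", otp))
    print("replay accepted:   ", issuer.verify("card-1", otp))
```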
Migration Considerations
The aforementioned announcements of both Visa and MasterCard primarily focus on the
acquiring side of the payment infrastructure. However, at this point there is no indication that the
entire system has a plan to start a nationwide migration. If there is one lesson from EMV
migration projects around the world, though, then it is that issuers and acquirers, merchants and
ATM providers have to move in lock step in order to optimize the overall return of the EMV
business case.
The other lesson that can be learnt from other markets is that fraud migrates from channel to
channel. If EMV is only implemented in the brick-and-mortar world, fraudsters will focus on the
card-not-present (CNP) channel. The associated fraud history, e.g. in the UK, clearly indicates
that while fraud at the merchant POS decreased significantly, CNP fraud skyrocketed.
Last but not least, fraud migrates from regions and markets that implement chip to those which
don’t. Fraudsters tend to select the path of least resistance as has been experienced by many
markets around the world.
Recommendation for the US Market
The US is one of the few markets globally that does not have a comprehensive EMV migration
plan agreed upon by all stakeholders. The market participants still have to convince themselves
as a whole that a market wide migration makes sense from a business case and payments system
integrity perspective. For a detailed description of the facts and myths as they relate to the US
market see the author’s paper ‘Chip in the US: The Myths and the Facts’ 15. Here are some
recommendations on how to optimize the US deployment plan:
PIN vs. signature
The objective verification of cardholder PIN by the chip not only reduces fraud based on lost &
stolen cards, it also simplifies the merchant checkout procedure, relieves the merchants of much
paperwork and reduces the complexity of exception handling and chargebacks. Although EMV
allows signature or even no cardholder verification as options, e.g. for low value payments, it is
strongly suggested to take advantage of the chip to verify the PIN at the POS so it does not
have to be transported across the network.
Online vs. offline
The online vs. offline decision relates to three different elements of the transaction which can be
handled somewhat independently.
• PIN: As said above, checking the PIN offline between the chip and the PIN pad is not only
the most elegant way of PIN verification, as it renders PIN encryption and transport across
the network unnecessary; it is also the only method of PIN verification at certain unattended
POS such as ticket machines and parking kiosks. Without the support for offline PIN a card
transaction would not be possible there. Obviously, when either the online or offline PIN is
changed, they must be synchronized requiring a capable infrastructure supporting this
function. ATMs have been used in many markets for this purpose.
• Cards can be authenticated securely off-line if the chip supports dynamic data authentication
(DDA).
• Transaction authorization can be handled off-line by the card based on settings preset by the card issuer.
15 http://www.smartcardalliance.org/pages/smart-cards-applications-emv
In fact, most chip transactions around the world are authorized online, with the results of offline
PIN check and offline card authentication included in the authorization request. Nevertheless,
cards need to be specified such that they are capable of transacting in full offline mode. This can be
extremely helpful in emergency situations, e.g. hurricanes or earthquakes where network
connectivity is interrupted. Other usage scenarios such as contactless transactions in a public
transport environment require transaction times below 300 milliseconds which can only be
achieved by means of offline checks. Again, in order to stay offline securely the chip must
support DDA which today is only minimally more expensive than SDA.
Market organization
The single biggest hurdle for the US to start migrating to EMV is the absence of a nationwide
governing body that can consolidate the market realities related to the business model. That is, the
US needs a committee which facilitates agreement between the major stakeholders and triggers
decisions regarding a US EMV migration plan. Such a forum needs to be urgently formed and
put to work by the stakeholders in the US.
Conclusion
The US financial industry and the merchant community have a once in a lifetime chance to bring
their payment infrastructure to a state-of-the-art level which addresses usability, functionality,
security and cost requirements. EMV provides this technological basis and the learnings from
other market migrations offer guidance for the US market participants. In order to make the
migration feasible for all stakeholders it must follow a comprehensive and holistic plan that is
managed rigorously.
Dr. Toni Merschen
Principal at Toni Merschen Consulting
Herrberigstr. 5, D-52152 Simmerath, Germany
GSM: +49 1525 3122456, Phone: +49 2473 5493290,
FAX: +49 2473 5493291, e-mail: [email protected]
Dr. Toni Merschen is a global expert and independent consultant on chip-card technology based business solutions
for the financial, telecommunication, and transportation industries. He provides strategic consulting services and
knowledge transfer for emerging consumer payment technologies. He was formerly senior vice president of
MasterCard’s global Chip Center of Excellence in Waterloo, Belgium and prior to that he was head of Citigroup’s
global competence centre for chip-card-enabled solutions and mobile financial services, located in New York. He
had earlier spent 14 years with IBM, undertaking numerous responsibilities. Toni Merschen has been a board level
contributor to several global standards enabling smart card businesses and he serves on the Editorial Board of the
Journal of Payment Strategy & Systems. He holds a PhD and a Masters degree in mathematics and physics from the
Technical University of Aachen, Germany.
A US Shift to EMV Technology – Ensuring Interoperability in a Connected World
By Ben Knieff, Director of Fraud Product Marketing, NICE Actimize
The industry debate on migration to EMV technology in the United States continues apace with
many questions unanswered, but overall the discussion is moving in a positive direction.
Financial institutions are concerned about the costs, benefits and complexity associated with the
scale of a migration. Experiences in the United Kingdom and other nations are instructive; the
size of the US market and infrastructure, legal and regulatory forces, and the payments behavior
of consumers, could result in a dramatically different transition in the US.
Additionally, some industry experts are suggesting that the US should “leapfrog” EMV for a
newer alternative, but few workable alternatives have been proposed as of this writing. With the
broad global adoption of chip and PIN EMV, there are substantial positive network effects for
the US to join the rest of the global community and ensure interoperability in an increasingly
interconnected world.
Another common refrain points to the fact that migration to EMV fails to eliminate fraud and
simply shifts it to card not present methods: fraudsters move from using counterfeit cards for cash
and merchandise to the still lucrative method of utilizing card data for online purchases. These
challenges, though, should not prevent the US from making the switch and embracing what has
become a clear global standard. Failure to do so will lead to the US market being an even more
attractive and lucrative target for fraudsters.
As discussion continues on whether EMV will foster or hinder innovation in the US payments
market, it is important to note the misconception that EMV technology implies only chip and
PIN cards. Considering that the most common implementations today focus on replacing
magnetic stripe with chip cards, this is understandable. It is critical to remember EMV is a
standard for communication between a payment terminal and a payment device – this can
include contactless NFC capabilities in cards, mobile devices and other new form factors. Recent
updates from networks, such as Visa’s recent changes to its Technology Innovation Program 16,
support the use of EMV at point of sale through both chip and PIN and contactless methods. This
can foster innovation broadly to support mobile NFC and other form factors that increase
electronic payments utility and convenience. In the face of changes associated with the Durbin
amendment, merchants may be less inclined to support enhanced convenience and security in
accepting small dollar debit payments in the US; innovation can continue for larger payments
and non-US markets 17.
16 Visa TIP - http://usa.visa.com/download/merchants/bulletin-tip-us-merchants-080911.pdf
17 See Digital Transactions vol. 8 no. 11 page 32 “the 10 Most Pressing Issues in – Payments” – the Durbin amendment resulted in an increase in interchange cost for small ticket purchases, with cost parity occurring at $17.
While it is clear EMV is not perfect, and no standard is, it has continued to evolve and be
implemented more and more successfully. No single change in payment standards will eliminate
fraud completely. Data from Financial Fraud Action UK shows a massive 41 percent reduction 18
in counterfeit card fraud from 2009 to 2010, and a 50 percent reduction from 2008 to 2009 – this
impressive reduction easily makes up for some modest increases in other categories, such as non-received item. These reductions are even more significant when one considers they took place
despite the initial implementation of the less secure static data authentication (SDA), as opposed
to the more secure dynamic data authentication (DDA) that would be deployed in the US.
The data also show a decline in online/card not present fraud over the same period, attributed to
“…increasing use of sophisticated fraud screening detection tools by retailers and banks, as well
as the growth in use of MasterCard SecureCode and Verified by Visa….” 19 This suggests that
concurrent evolution in both online and offline payments results in a significant reduction in
fraud overall, with the UK numbers showing a 17 percent decrease in card fraud overall from
2009 to 2010. Major security gaps in the 3D Secure program, and modest adoption in the US,
currently provide limited security for online payments, but major players, such as MasterCard
and Intel, 20 are working on new methods to further secure online transactions which could
become adopted concurrently with EMV rollout at point of sale to address fraud on both fronts.
But at what cost?
It is evident that rolling out EMV with a chip and PIN implementation substantially reduces POS
and ATM fraud, but at what cost? The Smart Card Alliance suggests, “In the past, one area of
great concern has been the incremental cost of supporting EMV, estimated to be between $5 –
$13 billion for U.S. industry as a whole.” 21 Various players in the payments ecosystem face
differing costs and benefits. Financial institutions must issue new cards and upgrade ATMs,
merchants must install new POS terminals, while acquirers and processors will have some degree
of software or systems changes along with operational changes for all parties. The benefits
associated with these costs do not accrue fully to the parties who take on the costs until certain
rules change – particularly a liability shift for fraud losses. Under current network rules,
merchants have little incentive to invest in upgrading POS terminals as issuers are liable for most
losses – and issuers have little incentive to provide more expensive chip cards if merchants can’t
or won’t accept them.
The complex, multi-party system with a series of incentives designed around a decades-old
magnetic stripe infrastructure is difficult to change without either a regulatory body with broad
jurisdiction, a coalition of merchants and issuers with sufficient mass or tough moves from the
networks. As noted in a recent Chicago Fed Letter 22, “However, no single entity has broad
jurisdiction over U.S. retail payments. This decentralized structure is critical to understanding
why it is so challenging to come up with workable solutions to payments fraud (whether
committed online or offline) in the U.S.”
18 Fraud the Facts - http://www.financialfraudaction.org.uk/Publications/files/assets/downloads/publication.pdf page 7
19 Fraud the Facts - http://www.financialfraudaction.org.uk/Publications/files/assets/downloads/publication.pdf page 12
20 Intel and MasterCard Join Forces to Enhance the Consumer Payment Experience for Online Shopping - http://newsroom.intel.com/community/intel_newsroom/blog/2011/11/14/intel-and-mastercard-join-forces-to-enhance-the-consumer-payment-experience-for-online-shopping
21 Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure - http://www.smartcardalliance.org/resources/pdf/Payments_Roadmap_in_the_US_020111.pdf
With such decentralization and lack of regulatory jurisdiction, the task falls to the private sector
to realign incentives and coordinate efforts, which has already begun with the previously
mentioned changes to Visa’s Technology Innovation Program.
Once incentives become aligned, the actual costs become more manageable for card present
merchants and card issuers and broader benefits begin to accrue. While reduction in fraud losses
is the most commonly cited benefit, lower costs for PCI DSS compliance and reduction in
chargeback costs represent substantial additional cost savings. Revenue opportunities can emerge
through loyalty applications embedded in the chip along with the payment application.
Additional incremental revenue opportunities arise through such simple things as capturing
interchange revenues from international travelers. Aite Group research from 2009 23 suggests
financial institutions lost out on as much as $447 million in revenue during 2008 due to lost card
payment volume (interchange, foreign exchange and other fees) – not to mention the negative
customer experience.
Some U.S. issuers have begun to provide chip cards to frequent travelers, though most of these
initiatives are in “pilot” mode with very limited distribution. While the foreign transaction
revenue will clearly not offset reduction in signature debit interchange revenue that would be
associated with chip and PIN, it does represent revenue that is not captured today and will only
grow as chip and PIN implementations of EMV are increasingly the global standard. With the
existing consumer comfort with signature purchases, it is possible to implement dynamic data
authentication (DDA) chip cards but rely on the signature for the customer verification method
and still realize a substantial decrease in cloned/counterfeit card activity and interoperability with
the rest of the world.
Ripple effects require action
No matter what path the US ultimately takes to roll out EMV broadly, it will take time and there
will be a number of ripple effects, some foreseeable and others novel, that
will require action. To date, US issuers and card not present merchants have kept fraud losses in
check through sophisticated fraud detection software analyzing transactions for anomalies and
blocking suspicious transactions. A migration to EMV will not eliminate the need for these
systems – but they will need to evolve to address both changes in legitimate and fraudulent
activity. The ability to rapidly respond to shifting trends will be critical as the roll out will
inevitably last a number of years, moving at different speeds for different issuers and merchants.
22 Chicago Fed Letter, December 2011 - http://www.chicagofed.org/digital_assets/publications/chicago_fed_letter/2011/cfldecember2011_293a.pdf
23 Aite Group 2009 "The Broken Promise of Pay Anytime, Anywhere: The U.S. Cardholder Abroad."
Detecting fraud relies on an understanding of both legitimate user behavior and known
fraudulent behavior. As an EMV migration comes to fruition, both behaviors will change, while
at the same time there will be a mix of EMV and magnetic stripe based payments. This mix and
the shifts in relative volume between the two require issuers to have the flexibility to adjust fraud
detection models and strategies over time with minimal IT investment, operational change, time
to production, and end customer impact.
For example, as EMV cards are rolled out, fraudsters will inevitably continue to target the
magnetic stripe to counterfeit cards, thus inherently leading to a greater degree of risk associated
with swipe transactions over chip transactions compared to swipe transactions today (i.e. the
overall proportion of swipe transactions declines while the portion of fraudulent swipe
transactions increases). Institutions which can identify transactions from cards issued with a chip,
and the capabilities of the POS terminal being used, can quickly refine their fraud logic to
effectively weight these variables and find the most fraud with minimal impact to legitimate
transactions (i.e. false positives).
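One simple way to weight these variables, as an added example that is not from the original article or any vendor's product: it derives a relative-risk weight for each combination of card chip capability, terminal chip capability and entry mode from labelled history. The field names, smoothing constants and both transaction histories are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    card_has_chip: bool        # card was issued with a chip
    terminal_reads_chip: bool  # POS terminal is chip capable
    entry: str                 # "chip" or "swipe": how the card was actually read
    fraud: bool = False        # confirmed-fraud label, known only for history


def segment(t: Txn):
    return (t.card_has_chip, t.terminal_reads_chip, t.entry)


def segment_weights(history, prior_fraud=1, prior_total=500):
    """Smoothed fraud rate of each segment divided by the portfolio-wide rate.

    The additive prior keeps thinly populated segments from producing
    extreme weights while the transaction mix is still shifting.
    """
    totals, frauds = Counter(), Counter()
    for t in history:
        totals[segment(t)] += 1
        frauds[segment(t)] += int(t.fraud)
    base = (sum(frauds.values()) + prior_fraud) / (len(history) + prior_total)
    return {s: (frauds[s] + prior_fraud) / (totals[s] + prior_total) / base
            for s in totals}


def swipe_share(history) -> float:
    return sum(t.entry == "swipe" for t in history) / len(history)


def adjusted_score(model_score: float, txn: Txn, weights) -> float:
    """Scale an existing model score by the segment weight (1.0 if unseen)."""
    return min(1.0, model_score * weights.get(segment(txn), 1.0))


def batch(n, n_fraud, card_has_chip, terminal_reads_chip, entry):
    return [Txn(card_has_chip, terminal_reads_chip, entry, i < n_fraud)
            for i in range(n)]


# Constructed histories: early in the rollout most volume is still swiped;
# later, swipes are rarer but carry a larger share of the fraud.
EARLY = (batch(1000, 1, True, True, "chip")
         + batch(3000, 6, True, False, "swipe")
         + batch(6000, 12, False, False, "swipe"))
LATE = (batch(8000, 4, True, True, "chip")
        + batch(1500, 15, True, False, "swipe")
        + batch(500, 2, False, False, "swipe"))

CHIP_CARD_SWIPED = (True, False, "swipe")
CHIP_READ = (True, True, "chip")

if __name__ == "__main__":
    for name, hist in (("early", EARLY), ("late", LATE)):
        w = segment_weights(hist)
        print(f"{name}: swipe share {swipe_share(hist):.0%}, "
              f"chip card swiped x{w[CHIP_CARD_SWIPED]:.2f}, "
              f"chip read x{w[CHIP_READ]:.2f}")
```

Recomputing the weights on a rolling window lets the scoring follow the changing mix without retraining the underlying model.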
A shift to EMV-based card present payments, both chip and PIN and contactless, will have long-term positive effects for financial institutions, merchants, acquirers and consumers. Card present
fraud will be greatly reduced, freeing resources to fight card not present and other forms of fraud.
Consumers will experience less friction transacting outside the US, while issuers realize
interchange, interest and foreign exchange revenue from these transactions. Servicing costs can
be reduced while consumer confidence in institutions and electronic payments can be improved,
enabling new revenue opportunities.
There is no question that EMV is imperfect, but the network effects of migrating to a global
standard provide benefits well beyond those derived from “leapfrogging” to an alternative
payment scheme. And while EMV does not eliminate fraud, the substantial reduction in fraud
does provide a powerful reason to invest in the change.
Ben Knieff
Enterprise Fraud Prevention
Ben Knieff is the Director of Product Marketing at NICE Actimize and has responsibility for defining the strategic
direction for the company's fraud management technology. Mr. Knieff is an expert in security, compliance, and
fraud management and, for more than 10 years, has consulted with financial institutions across the globe, helping
merge technology with business objectives to improve efficiency, efficacy, and profitability. Mr. Knieff often presents
at industry conferences related to various financial crime topics including regulatory compliance, fraud
management, and identity theft. He has led multiple product enhancements, new product launches, and entry to new
markets with companies such as FIS and PayPal.
EMV in the U.S.: Simplifying Deployment in a Zero Floor Limit Environment
By Simon Hurry, Visa Inc.
Executive Overview
The Europay, MasterCard, Visa standards, commonly referred to as EMV, have been around for
almost 20 years. EMV was established with the goal of creating a global interoperable set of
standards for smartcard chip-based payments. One of the primary early business drivers for EMV
was to reduce fraud in the retail store environment, given the high cost and slow dial up speeds
of obtaining a real time authorization using the telecommunications infrastructure prevalent at
the time. Most of the standards, therefore, were designed to facilitate so called “offline”
authorized transactions, which provided card based risk management to transact below certain
merchant floor limits without online issuer authorization.
Since then, both the cost and speed of telecommunications have improved exponentially, to the
extent that even in Europe the number of “offline” authorized transactions has diminished
significantly, from an estimated high of around 35% in the mid nineties to less than 10% today [24].
The United States has always been a zero floor limit or “online” environment, and as a late
comer to the EMV party, can avoid much of the cost and complexity of deploying EMV chip
cards by implementing a minimal, online-only subset of the EMV standards while still reaping
all of the benefits of reduced counterfeit fraud.
Introduction
The Europay, MasterCard, Visa standards, commonly referred to as EMV, have been around for
almost 20 years, yet the United States, until now, has long resisted migrating to the standard. The
primary reason for this reluctance to migrate was the lack of a coherent business case to justify
the significant cost of the infrastructure. With fraud levels remaining relatively stable, primarily
due to the fact that the U.S. has a zero floor limit policy and highly effective online fraud
detection tools, few issuers felt an incentive to migrate.
Historically, the U.S. did attempt an EMV program in early 2001, but the business case was
primarily based on loyalty and multi-application cards rather than fraud reduction. The cards
were very expensive, as was the acceptance and host infrastructure needed to process both chip
and loyalty transactions. Coupled with these factors, the process for loading and redeeming
rewards was not as elegant or appealing to consumers as hoped and the program went the way of
several other early chip endeavors in this country.
[24] Source: VisaNet clearing & settlement counts
What’s different this time? While various authors have touted EMV as a significant upgrade to
the U.S. payments system, these assumptions are largely based on EMV programs in other
countries, including Canada. While POS terminals and ATMs will require a replacement or
retrofit with new chip hardware and software, much of the issuer or processor development may
be avoided. Visa is recommending a very simple online-only implementation that allows issuers
to take advantage of the Visa Chip Authentication Services [25]. What this means is that all
transactions are always real-time authorized and Visa can optionally convert the transaction back
to its magnetic stripe equivalent without compromising the security benefits conferred by
smartcard-based transactions. Furthermore, the costs of cards, especially smartcards that do not
require offline risk management, are much less expensive than before, further improving the
business case.
The primary influences redefining the landscape include:
• Mobile proximity payment capabilities including Near Field Communication (NFC)
• Opportunities to enhance acceptance for international travelers in Europe
• Gradual increases in counterfeit fraud on magnetic stripe cards
• Critical mass of chip in the rest of the world, including Canada and Latin America
• Availability of simple low cost online only cards
• Visa U.S. chip acceleration efforts and the Technology Innovation Program (TIP) announcement
This article examines these influences to illustrate why EMV has sufficient groundswell this time
around. The article also broadly covers what Visa has done to encourage adoption, reduce cost,
and lay the foundation for the eventual elimination of magnetic stripe technology on payment
cards.
EMV: European History and the American Approach
It is generally acknowledged that the French pioneered smart card technology for payments with
the primary goal of reducing fraud in an environment where both the cost and speed of
authorizing all transactions through the communications network was prohibitive. For this reason
the Europeans introduced merchant floor limits, under which transactions were not required to
obtain online issuer authorization. On magnetic stripe technology this presented an opportunity
for fraudsters, who quickly learned the floor limits at various merchants and were able to transact
with impunity using counterfeit magnetic stripe cards for amounts below those limits.
EMVCo, the organization responsible for the development of standards for smart card payments,
was tasked with providing a solution to solve this problem. The result is a method based on a
public key infrastructure (PKI) that enables terminals to authenticate cards, and cards to manage
the ‘open to buy’ risk up to certain limits. For the more technically minded, the diagram below
describes the scheme:
[25] Often referred to as the Visa On Behalf Of (OBO) service, these services allow an issuer to launch a chip program with very minimal impact
to the issuer or processor host systems.
Figure 1: Offline Dynamic Data Authentication [26]
In situations where the transaction amount was above the merchant floor limit, or where the card
did not allow an offline authorization, network communication was required and an “online” or
real time issuer authorization was obtained.
EMV chip cards therefore have the capability to support both online and offline authorization.
More importantly, they also have the ability to support online authentication. However, unlike
offline authentication, online authentication is achieved using a symmetric key based scheme.
The diagram below depicts the flow of an online authenticated transaction:
Figure 2: Online Authentication
[26] Source: EMV 4.2 Book 2, Security and Key Management
It’s Different in the U.S.
In the U.S., all transactions are authorized online. Given that fact, one can understand why the
offline risk management capability of EMV is largely irrelevant. In fact, with the declining costs
and phenomenal speeds of IP based networks, the Europeans themselves now authorize fewer
than 10% of transactions offline, down from an estimated 30 to 40% in the early days of EMV.
The use of online-only authorization is thus a best practice in the U.S. because it leverages the
“always online” infrastructure and enables issuers to continue to use their host-based fraud
detection tools to manage risk. Online authorization also provides a more streamlined
personalization approach, reducing time to market and cost. In fact, as much as 70% of the EMV
specifications, the bulk of which are designed to support offline transactions, can simply be
ignored while still gaining the anti-counterfeit fraud benefits of EMV.
It’s Different This Time
Several attempts have been made to develop a business case for EMV in the U.S. and at least one
concerted effort was made to introduce contact chip in the U.S. before. Given the U.S.’s always
online environment, augmented by sophisticated, real time, host-based fraud detection systems,
the business case has been tenuous at best, especially when focused primarily on fraud.
Recently, however, significant influences on both the issuing and acquiring side of the equation,
coupled with an almost wholesale migration to EMV by the rest of the world, almost certainly
will result in a conversion to EMV cards and EMV-based mobile payments over the medium to
long term. The radical simplification of EMV made possible by an always-online environment,
in conjunction with the opportunity to reduce counterfeit fraud and enhance international
acceptance, presents EMV in a new light to the U.S. payments industry.
Finally, the promise of mobile payments, and the tie in to Visa’s chip acceleration efforts for the
U.S., completes the picture.
The Cost of Offline Authentication
The major inhibitor to the issuance of chip cards in the U.S. has been cost and complexity. Few
people fully understand the significant cost impact introduced by offline risk management. The
next few sections take a closer look at these impacts and explain why they are not needed in the
U.S. environment. There are three areas that contribute to the cost of an EMV chip program, all
of which are significantly reduced or completely eliminated by an online-only solution.
• Cost of chip cards and personalization
• Cost of host system changes
• Cost of training and support
Cost of chip cards and personalization
In order to support offline risk management as required by Europe in the previous century, it was
first necessary to establish a public key infrastructure as depicted in Figure 1: Offline Dynamic
Data Authentication above. However, this requirement extended all the way to the cards, leading
to an estimated 30% increase in cost as a result of the following requirements:
• Generation of the issuer asymmetric key pair
• Issuer registration with the brand certificate authority (CA)
• Card brand issuer due diligence and creation of multiple issuer public key certificates
• Issuer certificate management
• Card asymmetric key generation
• Card public key certificate generation
• The need for smartcards with large memory capacity plus crypto coprocessors capable of storing
long asymmetric keys and performing complex public key encryption calculations
An online-only solution eliminates every single one of the above requirements, since it is only
necessary to generate and personalize the relatively short symmetric keys needed for online
authentication.
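As an added illustration (not part of the original article, and not Visa's implementation), the Python sketch below shows the symmetric-key online authentication described above: the issuer personalizes one derived key per card and verifies a per-transaction cryptogram. HMAC-SHA-256 stands in for EMV's Triple DES key derivation and MAC, and the keys, PAN and function names are constructed for the example.

```python
# Added illustration: symmetric-key online card authentication.
# HMAC-SHA-256 is a stand-in for EMV's Triple DES key derivation and MAC.
import hashlib
import hmac


def derive_card_key(issuer_master_key: bytes, pan: str, psn: int) -> bytes:
    """Diversify the issuer master key into a key unique to one card."""
    card_id = f"{pan}|{psn:02d}".encode()
    return hmac.new(issuer_master_key, card_id, hashlib.sha256).digest()[:16]


def cryptogram(card_key: bytes, amount: int, atc: int, un: bytes) -> bytes:
    """MAC over the amount, the card's transaction counter (ATC) and the
    terminal's unpredictable number, truncated to 8 bytes."""
    msg = amount.to_bytes(6, "big") + atc.to_bytes(2, "big") + un
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Holds only its own symmetric key: no key pair, no certificates."""

    def __init__(self, pan: str, psn: int, card_key: bytes):
        self.pan, self.psn, self._key, self.atc = pan, psn, card_key, 0

    def request(self, amount: int, un: bytes) -> dict:
        self.atc += 1  # a fresh counter value makes every cryptogram different
        return {"pan": self.pan, "psn": self.psn, "amount": amount,
                "atc": self.atc, "un": un,
                "cryptogram": cryptogram(self._key, amount, self.atc, un)}


class IssuerHost:
    """Re-derives the card key from the master key and checks each request."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._last_atc = {}

    def authorize(self, req: dict) -> str:
        key = derive_card_key(self._master, req["pan"], req["psn"])
        expected = cryptogram(key, req["amount"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "declined: cryptogram mismatch"
        card = (req["pan"], req["psn"])
        # Simplification for the example: require a strictly increasing counter.
        if req["atc"] <= self._last_atc.get(card, 0):
            return "declined: counter already seen"
        self._last_atc[card] = req["atc"]
        return "approved"


def run_scenarios() -> dict:
    master = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    pan, psn = "4000000000000002", 1                            # constructed card
    issuer = IssuerHost(master)
    card = ChipCard(pan, psn, derive_card_key(master, pan, psn))

    genuine = card.request(4200, bytes.fromhex("a1b2c3d4"))
    results = {"genuine": issuer.authorize(genuine)}
    # The same captured message presented a second time.
    results["replayed"] = issuer.authorize(dict(genuine))
    # A message whose amount no longer matches what the card signed.
    altered = dict(card.request(1000, bytes.fromhex("0badf00d")), amount=9000)
    results["altered"] = issuer.authorize(altered)
    # A card built from static data only: the PAN is known, the key is not.
    clone = ChipCard(pan, psn, bytes(16))
    results["counterfeit"] = issuer.authorize(
        clone.request(4200, bytes.fromhex("deadbeef")))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Only the genuine request is approved; static card data alone, which is all a magnetic stripe carries, is not enough to produce a cryptogram the issuer host accepts.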
Cost of host system changes
The impact to the host systems can now also be significantly reduced both on the issuer and
acquirer side. Requiring support for offline risk management more than doubles the development
effort, especially with respect to clearing and settlement. In addition, it further complicates the
dispute resolution process since offline transaction logs need to be interrogated to determine
what offline risk management activities took place between the card and the terminal. Once
again, these impacts are either mitigated or eliminated by an online only environment but more
importantly can almost entirely be avoided through the implementation of the Visa Chip
Authentication Services. The Visa Chip Authentication Services can effectively convert an
online chip transaction to a magnetic stripe equivalent while retaining 100% of the counterfeit
protection delivered by the online authentication that EMV chip cards deliver. The following
bullets touch on the primary areas of cost savings when implementing an online-only solution:
• Issuers do not need to support real time EMV scripts required to reset offline risk management
counters on the cards
• Issuers do not need to develop their own host-based chip real time authentication capability as
this can be managed by Visa on their behalf
• Issuers do not need to interrogate offline chip data in clearing records to determine what
happened at the point of sale in the event of a disputed offline transaction
• Acquirers and merchants may optionally not need to manage and distribute the Visa public root
keys needed for offline data authentication
• Acquirers and merchants may not need to build and test the code necessary to clear and settle
offline chip transactions
Cost of training and support
While the savings in card costs, personalization costs and reduction in host system development
are significant, it is the savings in training, coupled with the ability to completely avoid the
Everest-high learning curve associated with offline risk management that really should interest
U.S. issuers. Visa has effectively simplified chip for the U.S., to the extent that it no longer
requires years of training, months of preparation and weeks of analysis on the impact to systems,
processes and customer support. Chip now simply provides strong security against counterfeit
magnetic stripe transactions, leaving most of the existing processes and procedures and customer
service interfaces intact.
Chip and PIN: The Great PIN Debate
The final topic in this EMV discussion is the issue of offline PIN. No other aspect of offline risk
management in EMV has generated more debate and passion than the issue of offline PIN and
for this reason it merits an entire section on its own.
Prior to engaging in this area, it is necessary to describe the various cardholder verification
methods (CVM) and how they work with respect to chip cards. Cardholder Verification is used
to check that the valid cardholder is using the card. Chip technology allows issuers to tailor the
CVM to the transaction environment through the use of a prioritized list of CVM options that
they place on the card. The list is referred to as a CVM List and supports multiple verification
methods and the circumstances or priority under which they are invoked. Included in the list are
signature, online PIN, offline PIN and No_CVM. No_CVM is similar to the Visa Easy Payment
service, often called the “No Signature Required” program, where neither PIN nor signature is
needed for low value transactions. Offline PIN, as distinct from online PIN, is sent directly from
the PIN Pad to the card, where it is validated by the chip. Online PIN is encrypted in the PIN Pad
and sent to the issuer host for validation. It is important to understand that a chip card may
support all or any of the CVMs, but it is the issuer who controls the list on the card and the EMV
standard requires the terminal to follow suit.
In the last century, offline data authentication solved the problem of counterfeit cards in an
offline environment, but it did not prevent lost and stolen cards from being used below the floor
limits. For this reason support for offline PIN in Europe was essential and considered an
important element in the business case. The United Kingdom, in particular, described their
program as “chip and PIN” leading to the often quoted misconception that chip cards require the
use of a PIN. The fact that the slogan rolled off the tongue easily, combined with a robust and
effective marketing campaign, further cemented this fallacy. The truth is that the rest of the
world has not deployed the so called “chip and PIN” option. The map in Figure 3: PIN vs.
Signature preferring countries provides a rough idea of the prevalence of signature to PIN
preferring deployments.
The departure point in this discussion is whether offline PIN has any relevance in an always
online environment. Online PIN is already firmly entrenched in the U.S. and has very little
impact with respect to an EMV deployment. Offline PIN however, especially the more secure
offline encrypted version, requires a card that supports asymmetric keys and the full EMV PKI
infrastructure to be present. More importantly, managing and synchronizing the offline PIN with
the online PIN is very difficult and expensive, something most U.S. financial institutions are
expressly trying to avoid. But most importantly in our 100% online environment, there is no
requirement for offline PIN support.
One small problem does remain for cardholders that travel and may use their U.S. chip cards at
certain unattended kiosks in Europe. The unfortunate reality is that online PIN is not supported in
parts of Europe and there are a few unattended kiosks that require offline PIN. For this reason, a
U.S. card issuer may consider placing offline clear text PIN as the last priority in the CVM list
on the card, but only for cardholders that reside in or travel frequently to Europe. Over time as
chip becomes more prevalent in the U.S., European acquirers may reconfigure these unattended
devices to also support No_CVM.
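As an added illustration (not part of the original article), the Python sketch below parses a CVM List and selects a method the way the preceding paragraphs describe, including an offline plaintext PIN rule placed last for travelers. The byte layout and code values follow the EMV Book 3 CVM List format; the card lists, terminal capability sets and function names are constructed for the example, and amounts are assumed to be in the card's application currency.

```python
# Added illustration: how a terminal walks a card's CVM List (EMV tag 8E).
from dataclasses import dataclass

METHODS = {
    0x00: "fail_cvm",
    0x01: "offline_plaintext_pin",
    0x02: "online_pin",
    0x03: "offline_plaintext_pin_and_signature",
    0x04: "offline_enciphered_pin",
    0x05: "offline_enciphered_pin_and_signature",
    0x1E: "signature",
    0x1F: "no_cvm",
}
TRY_NEXT = 0x40  # bit 7 of the CVM code: go on to the next rule if this one fails


@dataclass(frozen=True)
class CvmRule:
    method: str
    try_next: bool
    condition: int


@dataclass(frozen=True)
class CvmList:
    amount_x: int
    amount_y: int
    rules: tuple


def parse_cvm_list(data: bytes) -> CvmList:
    """Two 4-byte amounts (X, Y) followed by 2-byte rules in priority order."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    rules = tuple(
        CvmRule(METHODS.get(data[i] & 0x3F, "unrecognised"),
                bool(data[i] & TRY_NEXT), data[i + 1])
        for i in range(8, len(data), 2)
    )
    return CvmList(int.from_bytes(data[:4], "big"),
                   int.from_bytes(data[4:8], "big"), rules)


def condition_met(rule, cvm_list, supported, amount, txn_kind) -> bool:
    """Evaluate the rule's condition byte for this terminal and transaction."""
    c = rule.condition
    if c == 0x00:
        return True                                  # always
    if c == 0x01:
        return txn_kind == "unattended_cash"
    if c == 0x02:
        return txn_kind not in ("unattended_cash", "manual_cash", "cashback")
    if c == 0x03:
        return rule.method in supported              # if terminal supports the CVM
    if c == 0x04:
        return txn_kind == "manual_cash"
    if c == 0x05:
        return txn_kind == "cashback"
    if c in (0x06, 0x07, 0x08, 0x09):                # under/over X, under/over Y
        limit = cvm_list.amount_x if c in (0x06, 0x07) else cvm_list.amount_y
        return amount < limit if c in (0x06, 0x08) else amount > limit
    return False                                     # unknown condition: skip rule


def select_cvm(cvm_list, supported, amount, txn_kind="purchase") -> str:
    """Return the first applicable method the terminal can perform."""
    for rule in cvm_list.rules:
        if not condition_met(rule, cvm_list, supported, amount, txn_kind):
            continue
        if rule.method in supported:
            return rule.method
        if not rule.try_next:
            return "cvm_failed"
    return "cvm_failed"


# Constructed card data. Amounts are in minor units (cents).
# Signature, online PIN and No CVM "if supported", then offline plaintext PIN last.
TRAVELER_LIST = bytes.fromhex("00000000" "00000000" "5E03" "4203" "5F03" "0103")
# The same card without the final offline PIN rule.
ONLINE_ONLY_LIST = TRAVELER_LIST[:-2]
# No CVM under X = 25.00, otherwise signature.
LOW_VALUE_LIST = bytes.fromhex("000009C4" "00000000" "5F06" "1E00")

# Constructed terminal capabilities.
US_ATTENDED_POS = {"signature", "online_pin", "no_cvm"}
OFFLINE_PIN_KIOSK = {"offline_plaintext_pin", "offline_enciphered_pin"}

if __name__ == "__main__":
    for name, raw in (("traveler", TRAVELER_LIST), ("online-only", ONLINE_ONLY_LIST)):
        card = parse_cvm_list(raw)
        print(name, select_cvm(card, US_ATTENDED_POS, 4200),
              select_cvm(card, OFFLINE_PIN_KIOSK, 4200))
```

The online-only list fails cardholder verification at the offline-PIN-only kiosk, while the list with offline plaintext PIN in last place still selects signature at the U.S. terminal.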
Figure 3: PIN vs. Signature preferring countries
New Influences on the U.S. EMV Business Case
The changing battlefield against data compromise and fraud
From the acquiring and merchant perspective, PCI DSS compliance and annual compliance
assessments, while effective, have been costly and remain a constant and ongoing expense for
the acquiring community. According to a 2011 Merchant Advisory Group (MAG) survey it is
roughly estimated that Level 1 and Level 2 merchants (those processing more than 1 million
Visa transactions annually) have spent $20 billion to date on PCI DSS compliance. Managing
data security through PCI DSS compliance has been effective and more than 90% of large U.S.
merchants have validated their compliance. Additionally, technologies such as encryption and
tokenization are effective in reducing the scope of PCI DSS. However, these efforts continue to
be focused on the protection of vulnerable data. Magnetic stripe technology, because of its static
nature, is fundamentally vulnerable to compromise at the source, i.e. the magnetic stripe on the
card itself. Should smartcard technology completely replace the magnetic stripe, then at least in
the brick and mortar environment, the scope of PCI DSS may be limited, and the war on data
compromise and fraud will shift to a different battlefield. Compliance with PCI DSS remains a
key component of Visa’s data security strategy, which relies on layers of security. However, Visa
identifies a significant value in EMV and the use of dynamic authentication to devalue
transaction data in the face to face environment. With that change, more effort may be directed
towards protecting data from compromise and fraudulent use in the ecommerce environment.
Chip is no longer a four letter word for U.S. issuers
For the past several years, suggesting to U.S. issuers that they should move to chip cards was a
pretty efficient way of getting shown to the door. Today, complaints about magnetic stripe
acceptance in Europe, lowered costs of cards and the simpler online-only chip and signature
approach are starting to present a much more attractive picture to issuers. Furthermore, despite
the counteracting impact of online fraud tools, counterfeit fraud remains a growing problem,
especially in the U.S.
Visa’s Roadmap for dynamic authentication
Despite the radical simplification of EMV described above, wholesale adoption would still be
unlikely without the introduction of a set of issuer and acquirer incentives. Based on its
experience in other countries, Visa announced a U.S. roadmap for dynamic authentication with
the primary purpose of encouraging and accelerating the adoption of chip and contactless / near
field communication (NFC) based payments in the U.S. The Visa roadmap includes a set of
incentives, mandates and deterrents as described in the diagram below:
Figure 4: Visa Chip Acceleration Program
There are three primary components to the Visa announcement. These are the Technology
Innovation Program (TIP), the acquirer mandate in 2013 and the counterfeit liability shift
program.
1. Technology Innovation Program (TIP). This lever relieves qualifying merchants of
their annual PCI DSS compliance validation obligation provided that 75% of their Visa
transactions originate from dual interface, i.e. contact and contactless, EMV chip capable
POS terminals. While TIP does not eliminate a merchant’s PCI DSS compliance
requirements, the savings on the annual assessment can be fairly substantial.
2. Acquirer and Acquirer Processor Mandate. While merchants are not required to
terminalize, i.e. there is no mandate to deploy chip terminals, acquirers and their
processors must be ready to carry the dynamic cryptogram and related chip data
associated with an EMV transaction. This mandate is effective April 2013 and basically
requires the acquiring network to support a new chip field commonly referred to as
Field 55. The intent of the mandate is to facilitate chip and mobile transactions should a
merchant choose to deploy the POS terminal environment.
3. Liability Shift. Beginning October 2015, any fraud resulting from counterfeit cards
created using data from the magnetic stripe of an EMV card and used at a merchant who
does not have an EMV capable POS terminal may give the issuer the right to
charge back the transaction. This liability shift will be in effect for both domestic and
cross border POS transactions. Gasoline retailers have been granted a two year extension
given their regulatory environment and the relatively high cost of replacing or
retrofitting the automatic fuel dispenser environment. It should be noted that the purpose
of the liability shift is to protect the entity that has invested in chip technology. Thus for
the merchant that has invested in chip acceptance technology, there is no concern
regarding liability shift, and in the highly unlikely event that counterfeit fraud occurs, the
existing issuer liability rules remain intact.
Conclusion
The approach proposed by this paper strips EMV of much of its cost and complexity. This
mirrors many modern day approaches to innovation that reflect a series of simple adaptations
that provide needed functionality and meet the majority of business needs in the most
economical and logical fashion.
Even if at some point the business needs dictate a requirement for offline risk management,
issuers can always add that functionality in the next issuance cycle. But if done up front and
never used, that cost is sunk, never to be recovered. This entire document can be summarized by
three phrases:
Keep it simple.
Keep the cost down.
Keep it online.
Simon Hurry is a Senior Business Leader at Visa Inc, responsible for Global contactless and contact chip card
programs. Simon has over 17 years of experience in the payments industry with a specialized focus on smart card
and contactless payments. Prior to joining Visa, Simon architected smart card clearing and settlement systems at
Nedcor Bank in South Africa. He was an active member and vice chairman of the GlobalPlatform systems
committee, and is currently co-chair of the Smart Card Alliance Payments Council. Simon holds a Bachelor of
Science from the University of Kentucky and an MBA from the University of Pretoria.
Creating the Next Generation U.S. Payment System Environment – the MasterCard Perspective
by Dave Meadon, MasterCard
MasterCard’s Vision
The progress of technology continues apace, in all walks of life, especially in the retail payments
arena. It is becoming clearer by the day that we are relying more and more on electronic
payments for our daily purchases; we are heading, inexorably, toward a ‘World Beyond Cash.’
Over the last 45 years, the U.S. payments industry has relied upon magnetic stripe card
technology; this technology brought automation to the original paper-based, manually-intensive
way of buying goods and services. It has served us well, but at MasterCard, we believe that we
need a new payment technology infrastructure for the future. We need a technology that is fit for
a fully-connected world with a multitude of consumer devices that can be used ‘anywhere,
anytime;’ that secures commerce; that enables us to innovate and grow the retail payments
business.
MasterCard’s vision is a world where consumers and merchants can enjoy and benefit from new
transactional experiences, where commerce can be conducted readily over all face-to-face and
remote channels, and where the payment experience is always easy, reliable and safe.
Delivering this vision requires a technology infrastructure that provides strong user
authentication; utilizes dynamic transactions that cannot be replayed; ensures interoperability
between potentially billions of consumer devices and millions of merchant acceptance locations;
and, has proven it can scale, not least by providing a commercially viable balance between cost,
convenience and security.
MasterCard strongly believes that EMV can deliver this vision, and that is why MasterCard has
endorsed it as the baseline infrastructure for the next chapter of the U.S. payments business.
MasterCard’s U.S. Roadmap
The recent announcement (Jan. 30, 2012) from MasterCard sets our approach for establishing a
payments infrastructure in the U.S. that will help achieve the vision of a ‘World Beyond Cash.’
At its heart are a number of key principles that MasterCard believes are central for the future U.S.
retail payment system. These principles are:
• To make the system ‘future ready,’ by enabling simpler, more secure payments and fostering
new experiences for consumers, wherever and however they choose to transact. The aim is to
enable and integrate new solutions, not simply to move from magnetic-stripe to EMV cards.
• To provide a framework that delivers real benefits to merchants and issuers as they upgrade
to the more secure contact and contactless EMV technologies, including the flexibility to
select and configure the technology to meet their business needs.
• To facilitate the industry as a whole working together to achieve this significant and
necessary upgrade, not creating unilateral mandates, and ensuring our customers and other
stakeholders are aligned and supported every step of the way.
In support of these principles, the MasterCard roadmap sets out key milestones that provide
clarity for the various payment system stakeholders as they plan the drive toward adopting this
new infrastructure for the U.S. market:
• U.S. acquirers must be ready to carry the additional payment data required for authenticated
and dynamic EMV transactions, by October 2013;
• PCI audit relief, in certain instances, starting October 2012;
• Account data compromise benefits to merchants, starting in October 2013;
• A liability shift favoring the party that has invested in the most secure configurations of
EMV POS devices, starting October 2015 (2017 for automatic fuel dispensers).
Full details of the roadmap can be found at http://www.mastercard.us/mchip-emv.html.
The MasterCard roadmap is relevant now because the global industry is already witnessing
major changes in the payments business environment. Notable drivers and influences include:
• Maturing of contactless / NFC technologies. An upgrade of the U.S. payments
environment is an opportunity to also enable an infrastructure that provides a ‘Tap-and-Go’ retail payments experience for PayPass-enabled cards and NFC-enabled mobile
devices, as well as other contactless payment form factors.
• Explosion of smartphones and other intelligent devices. These devices have the potential
to help create a richer payment experience with adjacent value-added applications and
services.
• Rise of e- and m-commerce as attractive, high-growth channels. Consumers continually
look for a reliable payment tool regardless of where and when they shop. A move toward
payments with properties similar to those of ‘card-present’ transactions will catalyze the
growth in these channels even further. EMV-based authentication (such as MasterCard’s
Chip Authentication Program technologies) has already been deployed and other
integrated solutions (such as MasterCard’s recent partnership with Intel) are on the way.
• Data breaches and PCI related costs. Major data compromise events still occur from
time-to-time, despite huge industry efforts to establish security standards to protect
‘static’ cardholder data. Now is the time to move from static to dynamic transaction
authentication as part of the effort to eliminate – not mitigate or reduce – fraud.
• Global EMV chip migration. Approximately 650 million MasterCard-branded cards
have been issued around the world. This has been increasing at a rate of around 100MM
per year in recent years. Additionally, more than 20 million EMV terminals have been
deployed, roughly two-thirds of all terminals on the planet.
As we look at the opportunities for innovation, the changes in consumers’ lives and the way in
which our payments environment continues to evolve, it is clear that it is time to take this step. It
is time to lay the right foundation for future payment devices and consumer experiences.
The outlook for the U.S. payment system environment is both exciting and challenging.
MasterCard’s roadmap enables our customers and partners to embrace innovation, but also
leverage tried and tested assets to build their businesses of tomorrow.
Deploying EMV in the U.S.
The U.S. market is in a unique position to benefit from EMV technology. Unlike markets such
as the UK, which adopted EMV in its early days (and therefore had the challenge of taking EMV
from a concept to a mass-market solution), the U.S. market will benefit from a now mature and
experienced industry.
That being said, as with any major technology shift in any industry, there are important
considerations that the U.S. market needs to take into account, including:
• The size of the market. The sheer number of stakeholders in the U.S. payment system
and the lack of a central coordination body point to the need for market leadership.
MasterCard recognizes the need for collaboration as well as competition and has
proposed, as part of our roadmap, to play a leading role in defining the market-level plan
as well as a plan for our own customers and partners.
• Managing fraud migration. Implementation experience from around the world has shown
that EMV technology is exceptionally effective in preventing fraud where implemented.
However, financial institutions need to consider the fact that fraud tends to migrate to the
weakest link in any system. Banks will need to apply increasing focus on residual
transactions and channels that rely upon static data and deploy appropriate fraud
management tools and methods to mitigate the associated risks. MasterCard’s roadmap
rewards participants in our payment system that invest in the most secure configurations
of EMV technology.
• Technological evolution. The rise of intelligent devices will bring new and tangible
opportunities to grow electronic payments and revenues. But this will demand new and
more sophisticated merchant technologies. MasterCard identifies in our roadmap the
opportunity to deploy dual-interface technologies (contact and contactless) from the
outset to avoid two-stage upgrades that other markets have been through in the past.
Furthermore, MasterCard will be bringing new educational and advisory services to help
our customers to develop payment strategies to exploit the new roadmap.
We must also acknowledge that the future will create opportunities and challenges that cannot be
foreseen at this time, but it is unlikely that the basic principles of commerce (connecting
consumers with merchants, being sure about who is transacting, transferring money from one
party to another with integrity, and so on) will change. EMV is focused on these principles.
MasterCard’s view is that EMV will serve U.S. customers in the future as well as it has served
other customers in other markets over the last 15 years.
MasterCard was one of the original inventors of EMV and, with our current partners in EMVCo,
we continue to lead the evolution of the standard to ensure it remains at the forefront of retail
payments around the world. As we build the future and bring the U.S. into the global EMV
world, we must facilitate seamless technology transitions for both the new players and the earlier
adopters from other markets.
Merchants, acquirers and issuers from around the world are already processing billions of EMV-based transactions every year. Those credit, debit and prepaid core products, coupled with
innovations such as mobile payments, contactless devices and new card solutions, are set to bring
even greater opportunities to the U.S.
We at MasterCard believe that the Point of Interaction (POI) roadmap announced in January
signals the beginning of an infrastructure change in the U.S. payments landscape that opens up
massive opportunities to the industry. The payments infrastructure we propose to implement
will: lead to safer payments, enable new consumer experiences and products, and bring the U.S.
market into the same global framework for interoperable, EMV-based payments that many parts
of the world have already implemented. There is no doubt that the upgrade of the U.S. payments
business is a major undertaking. The upgrade is not only achievable but essential in the move
toward a ‘World Beyond Cash.’
Dave Meadon is based in London and is group head, Chip Solutions and Engineering. He is responsible for
overseeing the conversion of the MasterCard magnetic-stripe based products to chip and for creating and
implementing processes to ensure their successful deployment around the world. His role also involves identifying,
developing and deploying innovative solutions and services based on this new and powerful platform. This includes
providing foundational technology for a new generation of payments in the contactless, mobile and remote payments
arenas. Mr. Meadon represents MasterCard on the Executive Committee of EMVCo, the industry body that defines
the global standards for chip-based payments. He is also Chair of the MULTOS Consortium which provides
industry direction for one of the most widely deployed multi-application smart card operating systems. Mr. Meadon
graduated with an honors degree in Mathematics and Computational Science from the University of Leeds and
subsequently with an MBA (Distinction) from City University (London).
Adopting EMV in the U.S.
By Eric Schindewolf, Vice President, Product Development, Consumer Credit Card Services,
Wells Fargo Bank
(This article reflects the views of the author and does not necessarily reflect the official policy or position of Wells
Fargo)
I begin by admitting I’m already convinced of EMV’s effectiveness in reducing “card present”
fraud and of the need for U.S. adoption. To me it’s no longer a question of if but when and how
U.S. banks will begin offering EMV. The how is critical, and U.S. issuers and acquirers can
benefit from the lessons of their international counterparts who’ve gone before them. Like
anything, EMV has its strengths and limitations.
EMV is the international standard for chip-based payment technology and has been adopted by
every major payment association, card and terminal manufacturer. Its specifications underlie
both contact and “contactless” (NFC) payments for ensuring global interoperability. EMVCo is
the governing body owned by Visa, MasterCard, American Express and JCB, with a board of
representatives that stretches across the payments industry. All of them have a vested interest in
EMV’s long-term success and mindful evolution to eliminate disruptions in the payments chain.
No other next-generation payment technology has such widespread support and adoption.
EMV provides practical security, which is to say the expense and effort required to crack a single
EMV card are far greater than the credit line associated with it. It’s simply too much work for
too little payout, especially when easier options exist. Even if a card’s keys were somehow
exposed, this information cannot be used to derive the master keys housed securely behind the
processor’s physical and logical security controls, which are many. Another important aspect of
EMV security is its use of dynamic data, which prevents captured transaction information from
being re-used to make fake cards or mount “replay” attacks. Also, EMV is intended to complement the
issuer’s existing fraud detection systems and not to be viewed as the end in itself. When
integrated properly with the issuer’s back-end processing, EMV provides high-level fortification
against fraud.
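The two properties described above (per-card keys derived from a protected master key, and dynamic per-transaction data that defeats replay) can be seen in a simplified model. This is an added example, not code from the article or from the EMV specifications: HMAC-SHA256 stands in for EMV's actual key derivation and cryptogram algorithms, and every name, key and card number in it is constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values: not real keys or card numbers.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PAN = "4000000000000002"


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Diversify a per-card key from the issuer master key.

    HMAC is one-way: holding a card key does not reveal the master key.
    (Assumption: HMAC-SHA256 is a stand-in for EMV's real derivation.)
    """
    return hmac.new(master_key, b"card-key|" + pan.encode(), hashlib.sha256).digest()


def _message(pan: str, amount_cents: int, nonce: bytes, atc: int) -> bytes:
    """Serialize the fields the cryptogram covers."""
    return struct.pack(">QH", amount_cents, atc) + nonce + pan.encode()


def _cryptogram(key: bytes, txn: dict) -> bytes:
    """8-byte MAC over the transaction fields (simplified cryptogram)."""
    msg = _message(txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Models the chip: holds only its own key and a transaction counter."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0  # application transaction counter, bumped per transaction

    def sign(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        txn = {"pan": self.pan, "amount": amount_cents,
               "nonce": terminal_nonce, "atc": self.atc}
        txn["cryptogram"] = _cryptogram(self._key, txn)
        return txn


class Issuer:
    """Models online authorization: re-derives the card key and checks freshness."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._last_atc = {}  # highest counter value accepted per card

    def authorize(self, txn: dict) -> str:
        key = derive_card_key(self._master, txn["pan"])
        if not hmac.compare_digest(_cryptogram(key, txn), txn["cryptogram"]):
            return "DECLINE_BAD_CRYPTOGRAM"
        if txn["atc"] <= self._last_atc.get(txn["pan"], 0):
            return "DECLINE_REPLAY"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"


def demo() -> list:
    """Run a genuine transaction, a replay, a tampered amount, then a genuine one."""
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = Card(DEMO_PAN, derive_card_key(ISSUER_MASTER_KEY, DEMO_PAN))

    first = card.sign(2500, os.urandom(4))
    results = [issuer.authorize(first)]            # genuine
    results.append(issuer.authorize(dict(first)))  # captured data sent again

    second = card.sign(2500, os.urandom(4))
    results.append(issuer.authorize(dict(second, amount=250000)))  # amount altered
    results.append(issuer.authorize(second))       # genuine, untouched
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Static magnetic stripe data has no equivalent of the counter or the cryptogram, which is why a copied stripe can be presented again without the issuer seeing any difference.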
Where EMV’s security has been questioned is in regards to two basic transaction types: “Card
not Present” and “Offline-only” transactions. For “Card not Present” transactions (e.g. internet
purchases), the reason is obvious, because neither the card nor its chip data is ever read during
the transaction process. While solutions do exist today for incorporating EMV data into these
types of transactions, they have not been widely adopted and introduce a whole new set of expenses
and servicing challenges for U.S. issuers who’ve only just started working with EMV.
Regarding “Offline-only” transactions, EMV’s vulnerability is much less apparent because it was
designed with offline-only acceptance in mind for regions with poor telecommunication
networks. These transactions result when a merchant terminal is incapable of going online to
perform an authorization. Examples of this might be cruise ships, self-serve kiosks or the French
rail. During offline-only transactions, the entire decisioning process is based upon the card and
terminal’s interaction and settings. No authorization message ever is sent to the issuer for
approval; only the settlement file. The vulnerability lies in the fraudster’s ability either to fool
the terminal with false responses (e.g. Cambridge attack) or to capture sensitive card
and PIN data more easily at the point of sale (more on this shortly). The desire to fight fraud at the periphery,
while well intentioned, will only result in the need for ever more sophisticated (and costly) cards
and terminals.
A better approach is to drive every transaction online for decisioning by the acquirer and issuer
processors. This allows all decisioning to be managed centrally, where investment dollars are
best applied; this helps ensure card and terminal costs are kept to a minimum. There are few
reasons in this day and age for merchants not to perform online authorizations as part of their
standard business practice (excluding unanticipated network outages, such as those caused by
natural disaster).
International Travel Programs
U.S. issuers should consider directing their initial EMV efforts at international travelers and
travel card programs. International travelers are among an issuer’s best customers. For these
customers, international card acceptance is critical, because carrying large sums of foreign
currency is both impractical and unwise. U.S. issuers able to offer an EMV solution to
international travelers will have a competitive advantage over those who don’t. For these
customers, international acceptance drives “top of wallet” behavior.
EMV also can improve an issuer’s authorization rates when cardholders fail to notify them of
foreign travel. Validating the card’s cryptogram confirms the card’s authenticity; if it hasn’t been
reported lost/stolen, the issuer can approve a transaction it might previously have declined.
However, supporting an EMV travel card program can also result in added complexity
depending upon the issuer’s decision on whether to support offline PIN capability. One of the
main complaints of international travelers is their inability to use magnetic stripe cards at offline-only terminals like those used by the French rail. Issuers who offer EMV cards with offline PIN
support will have a competitive advantage over those who don’t. I recognize my comments here
seem counter to my earlier statements and my opposition to offline-only acceptance. However, I
say this only as an accommodation strategy to enable low-value transactions in foreign markets
and not as the way forward when building U.S. domestic programs.
Solving for offline PIN can be problematic when the same card also has an online cash advance
PIN associated with it. In the following example, we’ll assume the card being used shares the
same value for both online and offline PIN. The terminal in this case is an offline-only device,
unmanned, and has been tampered with (a hidden camera is placed nearby to capture the key
pad entries). When the cardholder “dips the chip” into the terminal, it also exposes the card’s
magnetic stripe. Copying the magnetic stripe data along with the PIN pad entries will allow
fraudsters to then reproduce simple magnetic stripe cards with corresponding PIN numbers for
use in U.S.-based ATMs (defrauding issuers out of potentially millions of dollars). Note, even if
the issuer had decided to purchase the most expensive EMV card available with offline DDA
capability, it would be useless against such an attack.
Domestic Market Adoption
EMV’s arrival in the U.S. will depend on wide-scale merchant adoption. This was the challenge
of the past and remains true today. Visa’s August 9, 2011, announcement on new EMV and NFC
rules for U.S. merchants and processors was a profound step forward in pushing the U.S. market
toward mobile and chip-based technology. The new rules provide a clear roadmap and timeframe
for merchants when planning terminal upgrades, which typically occur in three- to five-year
cycles. U.S. merchants now have real economic reasons to upgrade their POS environment to
EMV and NFC as a way of minimizing fraud liability and safeguarding long-term investments. It
also ensures merchants will have the means to capture whatever form of payment customers are
using well into the future.
The expense to upgrade to EMV has also dropped because of POS manufacturers pre-bundling
this hardware into their new product launches to better manage their own production expenses.
For the big point-of-sale manufacturers, EMV and NFC represent a whole new paradigm of
expanded business opportunities that takes them beyond pure hardware sales to more recurring revenue through software updates and new terminal-based applications and services.
Along with mass merchant adoption, the cost of EMV cards needs to be further reduced before
U.S. issuers begin converting their entire card portfolios to EMV. Existing prices range from just
under $1 to $2.50 per plastic card depending on the volume and type of card being purchased.
Even at the low end, this is almost a tenfold increase from today’s magnetic stripe card costs,
which are around 10 cents per card. Overcoming the higher card expense through increased
purchase volume or lower fraud rates is questionable at this point in time. Only after wide-scale
U.S. merchant adoption and ATM upgrades have been implemented will U.S. issuers reap any
real fraud savings. For issuers who prematurely convert a majority of their card portfolios to
EMV, card costs will skyrocket -- but they will be no better off than their magnetic stripe
competitors at addressing fraud. Those who convert too late may well find themselves the prime
target of fraudsters.
In the end it will be a confluence of factors that eventually drives U.S. issuers to full EMV
adoption in the U.S. This includes external influences like merchant adoption and competing
bank EMV offers as well as internal factors like decreased fraud, increased customer demand
and/or new business opportunities (e.g. multi-application). As each of these things grows, so will
the availability of EMV cards and mobile solutions. This is an exciting time for the industry and
consumers alike, as new products and value-add services become available and more convenient
through the use of affordable chip-based technology.
Eric Schindewolf is VP, Product Development at Wells Fargo Consumer Card Services. Prior to working for Wells
Fargo, Eric was Director of New and Emerging Technologies for VISA USA/International. He has 13+ years of
Payment Industry experience, having worked on all sides of the credit card business model (Association, Merchant,
Issuer). He is focused on new product and business development to drive market adoption, increase acquisitions,
broaden card acceptance and grow balances through new customer-facing solutions. He has a proven track record
leading complex payment initiatives that reach across organizations, technologies, and business models to achieve
the strategic goals of all stakeholders.
Chip-and-PIN: Success and Challenges in Reducing Fraud 27
By Douglas King, Payments Risk Expert with the Federal Reserve Bank of Atlanta
Abstract: Traditional payment cards have evolved in much of the world and now rely on the
EMV global standard using chip technology. However, this evolution of payment cards has yet
to occur in the United States payment card industry, which continues to rely on magnetic stripe
technology. Transactions conducted with EMV chip-embedded cards that use PIN verification
are more secure than transactions conducted using magnetic stripe technology. This paper
explores the experience of multiple European, Asian-Pacific, and North American countries in
fraud reduction by migrating away from magnetic stripe payment cards to EMV chip cards using
PIN verification. Where information and data is available, the paper reviews the reason behind a
country’s migration to chip-and-PIN, the actual migration process, and the migration’s success in
reducing payment card fraud. It also examines the pattern of fraud migration from chip-enabled
payment transactions to non-chip-enabled payment transactions. Finally, the paper closes by
examining current payment card fraud trends in the United States and potential implications of
prolonging a migration to chip-enabled payment technology.
I. Introduction
As the rest of the globe moves to EMV’s global standard 28 using chip technology, the United
States remains the last developed country reliant on magnetic stripe (mag stripe) cards. Based on
available data from countries around the globe with EMV experience, chip-and-PIN cards have
successfully reduced fraud on face-to-face transactions. However, these cards have had less
impact on overall fraud levels as fraudsters have shifted their focus to non-chip transactions.
Fraud has simply shifted to different products (from credit to debit), other channels (from card-present to card-not-present, or CNP), or other geographies (cross-border fraud).
27 Taken from Retail Payments Risk Forum Working Paper, Federal Reserve Bank of Atlanta, January 2012.
28 EMV stands for Europay, MasterCard, and Visa. EMV is a standard for the inter-operation of chip-embedded cards with POS terminals and ATMs used to authenticate payment card transactions.
Figure 1: EMV Adoption Rates by Region i
As the EMV standard and chip-and-PIN cards mature in adopting countries, the United States
could be prone to increased fraud as long as it continues to rely on mag stripe technology. Should
the U.S. payments industry decide to abandon mag stripe technology in favor of chip-and-PIN, a
coordinated effort from issuers, networks, and merchants will be needed to prevent fraud from
shifting to other products and channels. Fortunately for the United States, fraud shifting cross-border should be less of an issue than it was for early EMV adopters since all developed
countries will have converted to chip-and-PIN.
Many industry stakeholders argue that a business case based on current fraud loss costs versus
chip-and-PIN deployment costs in the United States has yet to fully crystallize, although data in
this paper suggests a business case is emerging. However, this paper focuses on the impacts
EMV chip-and-PIN has had on card fraud in markets that have adopted the technology.
Furthermore, it analyzes card fraud trends in the United States during this nearly global EMV
chip-and-PIN migration.
II. EMV and Chip-and-PIN Explained
EMV is a global standard for payment cards based on chip technology established in 1994 by
Europay International SA (acquired by MasterCard in 2002), MasterCard, and Visa. Today, the
EMV standard is managed by EMVCo, which is a joint venture of MasterCard, Visa, JCB, and
American Express. As of early 2011, 1.2 billion EMV cards were deployed across the globe
along with 18.7 million EMV terminals. ii
A cardholder’s confidential data is more secure on a chip-embedded payment card than on a mag
stripe card. Chip-embedded cards support dynamic authentication, whereas data on mag stripe
cards is static. Thus, data from traditional mag stripe cards can be easily copied (skimmed) with
a simple and inexpensive card reading device. Skimming enables criminals to make counterfeit
cards for use at Point-of-Sale (POS) devices or in the CNP environment. Chip technology is
effective in combating such counterfeiting through the introduction of dynamic values for each
transaction.
PIN verification provides superior protection against fraud losses, especially those losses from
lost or stolen cards, compared to signature verification. Based on 2008 debit card fraud data
collected by the Federal Reserve Board of Governors, total fraud losses to all parties on
signature-based transactions per dollar volume were .13 percent, or 13 basis points. PIN-based
transactions experienced a significantly lower fraud loss rate of .035 percent, or 3.5 basis points,
per dollar volume. iii In the event that a card is lost or stolen, PIN verification is more effective in
combating fraud than signature verification.
The EMV specification can be used in both online and offline environments 29 and supports both
signature and PIN verification with PIN being the dominant verification method used to date. In
fact, the “Chip and PIN” brand name adopted by UK banks for the rollout of EMV cards has
become nearly synonymous with EMV, despite the fact that the EMV specification supports
signature authorization. The EMV standard evolves with the payments industry and now also
includes specifications for contactless payments and mobile payments.
Whether or not the U.S. payments industry adopts the EMV specifications or develops new
specifications, a move to chip technology is needed to avoid increased fraud levels. Although
there have been multiple reports of security issues with chip technology using the EMV
standard, iv it is reasonable for the United States to adopt the global EMV standard that is
supported by the three largest card networks in this country. EMV chip-based cards offer
superior protection of cardholder data compared to mag stripe cards and PIN verification is far
superior to signature verification in preventing fraud. v Also, as seen with the additional
contactless and mobile specifications to the EMV standard, chip-based technology is scalable
along the payment evolution continuum into contactless cards and mobile.
III. EMV and Chip-and-PIN in the United States Today
The first U.S. payment card utilizing the EMV standard was issued by the United Nations
Federal Credit Union (UNFCU) in October 2010. These cards, issued to approximately 5,000
high-value credit card customers, are chip-and-PIN cards. Although payment security was a
factor in UNFCU’s decision to issue EMV cards, the primary rationale was to provide its
members, many of whom reside outside the United States, with a globally accepted card. Mag
stripe cards are becoming less accepted outside of the United States, especially in offline
applications such as unattended parking and ticketing kiosks. State Employees’ Credit Union
(SECU) announced in February 2011 that it was issuing EMV chip-and-PIN debit cards to all of
its 1.6 million debit cardholders with the migration to be completed by the end of 2011. vi
29 In an online environment, the transaction authorization uses telecommunications at the time of sale to route a merchant’s authorization request to the issuer to approve or decline. In an offline environment, transactions are not authorized at the time of sale, but rather are batched throughout a given time period and transmitted to the issuer to approve or decline. For an offline EMV chip-and-PIN transaction, the PIN is authorized through communication between the terminal and chip without the need for telecommunications.
Following SECU’s announcement, EMV issuance gained some momentum with larger U.S.
issuers, albeit for some very small card portfolios. During the second quarter of 2011, Wells
Fargo, JPMorgan Chase, and U.S. Bancorp all announced plans to migrate certain credit card
portfolios to the EMV standard. Again, the reason for the technology migration by these
financial institutions had less to do with risk and was more about global acceptance of the cards.
Interestingly, the larger institutions have primarily opted for signature cardholder verification
while the credit unions have opted for PIN cardholder verification.
Table 1: EMV Consumer Cards in the United States*

| Issuer | Approximate Date of First Issuance | Portfolio | Approximate Portfolio Size | Network | Cardholder Verification |
|---|---|---|---|---|---|
| United Nations Federal Credit Union | October 2010 | Platinum Elite | 7,000 | Visa | PIN |
| State Employees' Credit Union | March 2011 | Debit | 1,600,000 | Visa | PIN |
| JPMorgan Chase & Co. | June 2011 | Palladium | Don't Know 1 | Visa | Signature |
| Wells Fargo & Co. | Mid-Summer 2011 | N/A 2 | 15,000 | Visa | Signature & PIN |
| U.S. Bancorp | July 2011 | FlexPerks Travel Reward | 20,000 | Visa | Signature |

* Information through June 30, 2011.
1 No reports of portfolio size, but likely smaller than other credit card portfolios listed.
2 The Wells Fargo card is a pilot program that will be issued to high frequency international traveling cardholders.
On the acquiring side of the equation, there is currently no merchant acceptance in the United
States of EMV chip-embedded cards. Most EMV chip cards issued abroad and domestically also
contain a mag stripe and thus are accepted at all U.S. merchant locations that accept cards.
However, several large U.S. merchants have expressed an interest in chip-and-PIN technology to
replace mag stripe technology and signature verification.
Perhaps both the issuance and acceptance of EMV chip cards (and potentially other chip-enabled
devices such as mobile phones) will increase with a recent announcement by Visa. vii This
announcement specified incentives and deadlines to urge U.S. merchants to accept both contact
and contactless chip-enabled cards. One merchant incentive includes the elimination of the
requirement for annual PCI 30 compliance validation if 75 percent of a merchant’s transactions
originate from chip-enabled terminals effective October 1, 2012. For the largest merchants,
savings from an annual PCI compliance validation would average approximately $225,000 a
year. viii Further, Visa set October 1, 2015 as the date when a card-present counterfeit fraud
liability shift from issuers to merchant acquirers will be implemented if fraud occurs in a
transaction that could have been prevented with a chip-enabled payment terminal. While the
announcement lays a path towards EMV chip card migration, it does not necessarily set a path to
chip-and-PIN as Visa will continue to support both signature and PIN cardholder verification
methods.
In the interim, the U.S. card industry continues to wrestle with the decisions of chip card
adoption, as well as signature versus online or offline PIN verification, despite evidence that
fraud in the card-present environment is significantly reduced in EMV chip-and-PIN adopting
countries.
IV. The Chip-and-PIN Experience in the UK
Background
In the early 1990’s, the Association for Payment Clearing Services (APACS), 31 consisting of
financial institutions and payment clearing and settlement companies, created the Plastic Fraud
Prevention Forum (PFPF). This Forum represents all of the UK’s major card issuers and works
to develop card fraud prevention initiatives. The PFPF launched a major project in the mid-1990’s to obtain a better understanding of systemic fraud on payment card transactions. Card
fraud in the UK was relatively high compared to other developed markets. The authorization
environment was a key driver for the UK’s high card fraud figures.
Unlike the United States’ online card authorization environment, the UK has primarily been an
offline authorization market. Because of this difference in authorization environments, UK card
fraud rates have historically been much higher than the rates in the United States. For example,
card fraud for 2004 in the UK stood at .14 percent per transaction value ix compared to an
estimated .05 percent of bankcard fraud per transaction value in the US. x
Since EMV chip-and-PIN supports authorization at the time of sale in either an online or offline
environment, it was viewed as a key driver of reducing card fraud in the UK given the country’s
offline authorization market. Following several successful chip-and-PIN trials in the mid- to late-1990s, the APACS decided on a national rollout of EMV chip-and-PIN in 2002. Implementation
of chip-and-PIN gained traction in 2004, and by the end of August 2006, the UK was close to
full migration (99.8 percent of chip transactions were PIN-verified). xi
30 PCI is a security standards council launched in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. This council is responsible for the development, management, education, and awareness of payment card security standards for issuing and acquiring participants of these card networks.
31 As of July 6, 2009, APACS was replaced by its successor organization, The UK Payments Administration Ltd. This organization supplies services to multiple payments-related trade associations including The UK Cards Association.
Much like in the United States, UK bank card issuers were saddled with the majority of the fraud
loss burden, yet the migration was going to be costly for merchants to install new hardware and
software to accept chip-and-PIN cards. Merchants did not find the benefits of migration to chip-and-PIN to be very equitable as the bulk of the investment landed with the merchants, while the
benefits of reduced fraud losses flowed to the issuers. In order to encourage merchants to migrate
to chip-and-PIN enabled terminals, the card networks instituted a liability shift which places the
fraud loss burden on the non-EMV compliant party. Beginning in July 2005, any merchant that
had not upgraded their terminals to be chip-and-PIN compliant would be liable for fraudulent
transactions using chip-and-PIN cards which could have been avoided by upgrading the terminal.
The card issuer remains liable for fraudulent transactions if the transaction is conducted using a
mag stripe card or if both parties are chip-and-PIN enabled.
Impact on Fraud
According to data from the UK Payments Administration, EMV chip-and-PIN has been
successful at reducing certain types of card fraud, especially domestic counterfeit and lost or
stolen card fraud. Total card fraud in the UK began declining in 2005 as the chip-and-PIN
movement gained traction. However, with widespread chip-and-PIN adoption completed by
2006, total card fraud increased significantly in 2007 and 2008 due to significant increases in
CNP and cross-border fraud. Few viable chip-and-PIN solutions for online merchants have
emerged, leading to the migration of fraud to the CNP channel. Also, since chip-and-PIN cards
still contain mag stripes for use at merchant locations not equipped to handle chip transactions,
fraud has migrated abroad through the use of counterfeit cards in countries primarily using mag
stripe technology. As more countries have adopted chip-and-PIN and CNP fraud prevention
measures have been increased, total card fraud has been on a significant decline since 2009.
Chart 1: Fraud Losses on UK-Issued Cards
EMV chip-and-PIN has been highly successful at reducing domestic fraud in the UK. Since 2004,
domestic fraud losses on UK-issued cards have fallen by over 34 percent. Chip-and-PIN has
successfully thwarted the primary fraud losses it was designed to prevent, counterfeit and lost or
stolen card fraud.
Since widespread implementation of EMV chip-and-PIN in 2004, counterfeit fraud declined
drastically on UK-issued cards. Fraud losses from counterfeit cards have fallen by over 63
percent. In fact, in 2004 counterfeit card fraud accounted for over 25 percent of all card fraud on
UK issued cards compared to 13 percent by the end of 2010. Domestic counterfeit card fraud fell
to £17 million in 2010 from £46 million in 2006 and now represents only 6 percent of all
domestic card fraud.
Chart 2: Fraud Losses on UK-Issued Cards at UK Retailers (Face-to-Face Transactions)
However, counterfeit fraud on UK-issued cards has not been on a continuous decline since chip-and-PIN implementation in 2004. Interestingly, counterfeit fraud rose significantly in 2007 and
2008 as UK card issuers experienced a dramatic increase in cross-border counterfeit fraud. Since
UK-issued chip cards still contain a mag stripe, fraudsters are able to capture card data off the
mag-stripe and commit fraud in countries that have yet to migrate to chip-and-PIN. As migration
of chip-and-PIN increased in other countries, especially other European countries, losses from
counterfeit cards abroad began to abate. Today, nearly 75 percent of cards and 90 percent of POS
terminals in Western Europe have adopted the EMV chip-and-PIN standard. xii
Much like counterfeit fraud, lost or stolen card fraud in the UK has declined significantly since
the implementation of EMV chip-and-PIN in 2004. The 61 percent decline in lost or stolen card
fraud losses from 2004 to 2010 exhibits a much different pattern of decline than the decline
witnessed in fraud losses from counterfeit cards. While counterfeit fraud losses increased
significantly in 2007 and 2008 due primarily to cross-border fraud committed on UK-issued
cards, lost or stolen card fraud has decreased every year since 2004 and now stands at its lowest
level since the industry began collecting fraud loss data in 1991.
While immense strides against fraud losses have been made seven years into chip-and-PIN
implementation, counterfeit and lost or stolen card fraud still exists in the UK. Chip-and-PIN has
been successful at reducing both of these fraud types, but contrary to some reports circulating in
the US, xiii the technology has not completely eliminated any one type of fraud, and has actually
pushed fraud to CNP and cross-border transactions.
The success of EMV chip-and-PIN at thwarting fraud at the POS in the UK has led the fraudsters
to seek the lowest common denominator in terms of perpetrating fraud, transactions not protected
by chip-and-PIN. These transactions most commonly occur in the CNP environment and in
countries that still rely on mag stripe technology. Consequently, since the introduction of chip-and-PIN in 2004, both CNP and cross-border fraud rose dramatically through 2008, before
falling in 2009 and 2010.
Chart 3: Counterfeit Card Fraud Losses on UK-Issued Cards
Chart 4: Lost or Stolen Card Fraud Losses on UK-Issued Cards
CNP fraud now accounts for 62 percent of all fraud on UK-issued cards, up from 30 percent in
2004. Although solutions for chip-and-PIN transactions exist in the CNP environment, they have
yet to gain much adoption by either merchants or cardholders due to cost and consumer adoption
concerns. These hardware-based solutions, often attached through a USB device, create a secure
connection and generate dynamic data in a manner similar to a card-present transaction. The
recent decline in CNP fraud on UK-issued cards has primarily been due to the growth in the use
of a non-chip-and-PIN solution, 3-D Secure, 32 by both merchants and cardholders.
Chart 5: Card Not Present Fraud Losses on UK-Issued Cards
32 3-D Secure is an XML-based protocol designed to be an added layer of authentication for Internet-based payment card transactions. Visa, MasterCard, American Express, and JCB all offer the 3-D Secure protocol. This protocol requires that a cardholder enter a unique PIN to complete a CNP transaction as an additional identity verification process.
As the EMV chip-and-PIN standard became more prevalent around the globe, and especially in
Europe, cross-border fraud on UK-issued cards began declining in 2009 after peaking in 2008.
Chart 6: Cross-Border Fraud Losses on UK-Issued Cards
However, fraud occurring in the United States on UK-issued cards stands at a higher level in
2010 than it did in 2005. In fact, fraud in the United States accounted for 14 percent of cross-border fraud losses on UK-issued cards in 2005, and today accounts for 23 percent of all cross-border fraud losses. Interestingly, as most of Europe has migrated, or is in the process of migrating, to EMV
chip-and-PIN, no European country is part of the top 5 countries for cross-border fraud on UK-issued cards in 2010.
V. The Chip-and-PIN Experience in France
Background
France was an early adopter of chip card technology. By the mid-1980’s, the fraud rate on
French-issued cards was extremely high, reaching .27 percent by 1987, xiv according to data from
Groupement des Cartes Bancaires. With fraud rates on the rise, French banks issued the first
chip-embedded smart cards in 1986. By 1992, all French bank cards were embedded with a chip
resulting in a sharp decline in fraud. The fraud rate on French-issued payment cards was down
to .03 percent in 1995.
Even though card fraud levels were already extremely low, France followed the UK card
industry’s lead and began migrating to EMV chip-and-PIN cards in 2002 with several trials. By
October of 2003, a national rollout was launched with the migration to chip-and-PIN finalized by
the end of 2006. Since 2005, all French-issued cards use chips that support dynamic data
authentication.
Impact on Fraud
Since implementation of chip-and-PIN, both fraud losses and fraud rates in France have actually
increased slightly from low levels of fraud losses and rates prior to EMV chip-and-PIN.
However, a noticeable shift in fraud has taken place that is the primary driver of the higher fraud
losses and rates. As witnessed in the UK following that country’s migration to chip-and-PIN,
domestic fraud losses and rates on face-to-face transactions experienced significant declines. Yet,
cross-border and CNP fraud increased significantly.
Chart 7: Fraud Losses on French-Issued Cards
Though total fraud incurred by French issuers has increased since the introduction of EMV
chip-and-PIN, domestic face-to-face fraud has significantly declined to extremely low levels. Between
2004 and 2009, fraud losses from domestic face-to-face transactions fell by over 35 percent.
Even more impressive, though, is that the fraud rate on these transactions fell by over 50 percent and
by 2009 stood at .01 percent. So during a time of increasing card usage for face-to-face
transactions in France, fraud losses decreased significantly.
Chart 8: Fraud Losses on French-Issued Cards at French Retailers
With fraudsters moving away from domestic face-to-face transactions in France, they are
focusing their attention on transactions not supported by chip-and-PIN. As such, CNP fraud has
experienced a significant increase since the introduction of EMV chip-and-PIN. While
transaction volume has increased in the CNP channel with the growth of online commerce, fraud
losses in the CNP channel have grown at an even more rapid pace, especially in cross-border CNP
transactions. CNP fraud now represents almost 54 percent of all card fraud on French-issued
cards, up from 25 percent in 2006. The comparison of fraud rates for in-person versus CNP
transactions is striking. While face-to-face transactions in France have a fraud rate of .01 percent,
domestic CNP transactions have a fraud rate of .26 percent and cross-border CNP transactions
have an alarmingly high 1.35 percent fraud rate.
Not only do cross-border CNP transactions carry a higher rate of fraud than domestic CNP
transactions, cross-border face-to-face transactions also have a higher fraud rate than domestic
face-to-face transactions. By the end of 2009, the fraud rate on cross-border face-to-face
transactions stood at .41 percent compared to .01 percent for domestic face-to-face transactions.
In fact, the amount of losses in 2009 from cross-border transactions (€45 million) actually
surpassed the losses from domestic transactions (€41 million). And while domestic transactions
have experienced a decline in both total fraud losses and rate since the introduction of EMV
chip-and-PIN, both total fraud losses and the fraud rate on cross-border transactions have
increased.
Chart 9: Card-Not-Present Fraud Losses on French-Issued Cards
Chart 10: Fraud Losses on French-Issued Cards for Face-to-Face Transactions
VI. The Chip-and-PIN Experience in Canada
Background
Although Canada’s payment card fraud rates were not high by global standards, issuers were
becoming concerned by the increasing rate of card fraud experienced during the early to
mid-2000s. Issuers had not invested heavily in fraud monitoring and prevention systems like their
counterparts in the United States, and agreed in 2006 that a move to chip-and-PIN was needed to
reduce the growing rate of fraud. The move to chip-and-PIN is near completion today, but the
on-going migration process has been long and slow.
In June 2003, Visa Canada announced that it was committed to chip-and-PIN. Following Visa’s
lead, MasterCard announced similar plans and guidelines in 2005. Interac, Canada’s national
debit payment network, announced in October 2005 that it was also committed to chip-and-PIN
with a target date of 100 percent migration by the end of 2015. In March 2006, members of the
Canadian payments industry 33 announced alignment and “commitment to a broad industry
migration to chip technology.” xv Finally, in October of 2007, an EMV chip-and-PIN trial was
launched in Kitchener-Waterloo and continued until October 2008 when a national roll-out of
chip-and-PIN began. xvi American Express did not announce its EMV chip-and-PIN guidelines
until August 2010, but it expects a quick migration with a liability shift date set for October 31,
2012. xvii
Today, Canada is far along in the process of migrating to EMV chip-and-PIN. Visa and MasterCard
are all but complete with the migration. Liability shift on both Visa and MasterCard transactions
went into effect at the end of March 2011. American Express has set a date of October 2012.
With a longer time horizon for migration than the credit card networks, Interac’s migration to
EMV chip-and-PIN has been slower and thus the Canadian debit network remains more reliant
on mag stripe technology today than the credit networks.
Impact on Fraud
Although the national roll-out of chip-and-PIN did not begin until late 2008, similar fraud
migration trends experienced in other chip-and-PIN markets are appearing in Canada. Although
total card fraud losses have only decreased by 5 percent from $CAD512 million in 2008 to
$CAD485 million in 2010, fraud is migrating to non-chip enabled transactions. In the case of
Canada, these transactions are occurring in the CNP environment and with debit cards.
Unfortunately, cross-border fraud migration trends are not available as the Canadian Bankers
Association did not begin reporting cross-border counterfeit fraud until 2010, presumably
because it is becoming a growing issue. And since the roll-out of chip-and-PIN, the EMV
chip-and-PIN standard has been effective at reducing the types of fraud it is best suited to prevent:
counterfeit and lost or stolen credit card fraud has decreased by 30 percent.
As seen in other chip-and-PIN countries, while fraud losses from counterfeit, lost or stolen cards
as well as face-to-face domestic transactions have declined, fraud losses in the CNP environment
have increased significantly. And this is no different in Canada. In fact, fraud losses on credit
cards in the CNP environment have increased by 37 percent since 2008 when CNP fraud
accounted for 31 percent of fraud losses on Canadian-issued credit cards. By the end of 2010,
CNP fraud losses accounted for nearly 50 percent of credit card fraud in Canada.
33 Members of the Canadian payments industry consist of MasterCard Canada, Visa Canada, Interac Association, and many of
their respective card issuers, payment processors, and merchants.
Chart 11: Counterfeit and Lost or Stolen Fraud Losses on Canadian-Issued Credit Cards
Chart 12: Card-Not-Present Fraud Losses on Canadian-Issued Credit Cards
Although debit card fraud losses remain significantly lower than credit card fraud losses, fraud
committed using debit cards has increased. Between 2008 and 2010, debit card fraud increased
while fraud committed using credit cards has declined since the chip-and-PIN roll-out in 2008. This
phenomenon can be explained in large part by Interac’s much slower migration to chip-and-PIN
than the credit networks in Canada: MasterCard, Visa, and American Express. As has been
the case in every market that has migrated to chip-and-PIN, fraudsters have sought the easiest
method for perpetrating card fraud. And in Canada, with debit cards’ migration to chip-and-PIN
lagging credit cards, fraudsters have taken notice. Debit card fraud spiked in 2009, reaching
$CAD142 million, up from $CAD104 million in 2008. Fraud on debit cards fell in 2010 to
$CAD119 million as Interac advanced its chip-and-PIN migration efforts, but still remains
higher than levels seen during 2008, the year of the national roll-out of chip-and-PIN.
Chart 13: Fraud Losses on Canadian-Issued Cards
VII. The Chip-and-PIN Experience in Australia
Background
Australia has traditionally enjoyed a comparatively low rate of card fraud. However, with the
movement to EMV chip-and-PIN underway in many European countries and some Asia-Pacific
countries, the Australian Payments Clearing Association (APCA) 34 held an initial Chip for
Australia Implementation Forum in May 2007. In the absence of significant fraud losses, chip
implementation in Australia is being spurred by credit card network incentives and liability shifts.
Rather than implement a mass roll-out of chip-and-PIN, APCA agreed to a progressive roll-out
to take place over a number of years.
In January 2008, APCA established the Chip Payments Programme for Australia (CPPA) 35 to
manage the migration to chip-and-PIN. By the end of 2008, approximately 12 percent of
payment cards in Australia were embedded with an EMV chip. xviii In June 2010, EFTPOS
Payments Australia Limited (EPAL), 36 Australia’s national debit network, announced a move to
chip technology beginning in 2011 with completion set for 2014. xix
34 APCA is the payments industry’s principal self-regulatory body and the vehicle for payments industry collaboration. The
Association’s members include banks, building societies, credit unions, the Reserve Bank, and other payment organizations in its
five payment clearing systems.
35 The CPPA is comprised of card issuers, acquirers, and networks.
36 EPAL is a joint venture company established in 2009 by Australia’s major retail financial institutions and retailers to manage,
promote and develop Australia’s PIN debit card system (EFTPOS) on a commercial basis.
The migration to chip-and-PIN is well underway for the credit and scheme 37 debit networks.
According to the “MasterCard Roadmap” released at the end of March 2011, all new and
reissued MasterCard cards must be EMV capable beginning October 2011. All POS terminals
need to be EMV compliant by April 2012 to coincide with a liability shift. And by April 2013,
all cards and payment terminals must be EMV capable. xx Visa’s migration timeline is similar to
MasterCard’s. All newly issued credit cards beginning in 2010 had to be EMV compliant. Debit
and prepaid card EMV issuance began in 2011 and by April 2013 all Visa cards must be EMV
compliant with Visa’s liability shift set to take place. xxi
Impact on Fraud
With migration to EMV chip-and-PIN in Australia still in its early stages, data from the APCA is
already showing fraud trends similar to those observed in more mature chip-and-PIN markets.
Fraud from counterfeit cards has been declining since the migration to chip-and-PIN began;
however, total fraud has increased largely due to the significant increase in CNP fraud.
Since rolling out chip-and-PIN cards in 2008 when fraud from counterfeit cards peaked at
$AUD56 million, fraud from counterfeiting fell to $AUD47 million in 2010. While the 15
percent decline in counterfeit fraud is promising, it is more modest than the decline in counterfeit
fraud in other chip-and-PIN markets. However, the Australian payments market has taken a more
methodical and progressive approach to chip-and-PIN implementation. The APCA recently
wrote that “chip technology is proving effective in driving skimming [counterfeit] fraud
down….notwithstanding unusual spikes, chip technology is expected to combat skimming fraud
in Australia over the long-term.” xxii
Chart 14: Counterfeit Fraud Losses on Australian-Issued Cards
37 MasterCard and Visa
Although counterfeit fraud is down 15 percent from 2008 to 2010 on Australian-issued cards,
CNP fraud has increased by nearly 70 percent during the same time period. And while there are
both chip-enabled and non-chip solutions to reduce CNP fraud, they do not appear to be gaining
traction in the Australian market. According to the APCA, “financial institutions, card schemes
and retailers are working to implement additional security for online payments using 3D Secure
and to increase awareness of the importance of using anti-fraud tools.”
Chart 15: Card-Not-Present Fraud Losses on Australian-Issued Cards
VIII. The Netherlands
The Netherlands provides an interesting glimpse into a country that was slow to migrate to EMV
chip-and-PIN at the same time that a majority of its European neighbors were moving to
chip-and-PIN. The Netherlands differs from early European adopters of chip-and-PIN in that debit
cards are much more popular than credit cards. All debit transactions are authorized online and
require a PIN for cardholder verification. xxiii Finally, debit cards cannot be used for CNP
transactions in the Netherlands. xxiv
With online authorization, PIN verification of all debit card transactions, and no CNP debit card
transactions, the fraud rate on card transactions in the Netherlands has been historically low. In
2005, a period when many European countries were migrating to chip-and-PIN, the Netherlands
experienced a fraud rate of only 0.02 percent. This fraud rate is comparable to France’s current
fraud rate using chip-and-PIN. Given the low fraud rate, there was not a business case for
chip-and-PIN in the Netherlands. Hence, the Dutch initially took a cautious and slow approach to
migrating to chip-and-PIN.
However, as the rest of Europe migrated to chip-and-PIN, fraud loss rates climbed in the
Netherlands, but still remained relatively low. By the end of 2009, fraud loss rates rose to 0.05
percent. The debit card fraud rate rose to over 0.03 percent in 2009 from less than 0.01 percent in
2005 as skimming of card data for use in counterfeiting cards increased significantly. This trend
reversed in 2010 as the industry took added measures such as the use of anti-skimming devices
to lower the incidence of skimming.
In the 2005 Currence 38 Annual Report, the association stated that it “has established the PIN [the
Netherlands’ debit network] EMV requirements for payment terminals and cards…This will be
achieved in part by natural replacement of payment devices and cards over a maximum period of
eight years. Given the agreements reached between banks and retailers, Currence expects that the
entire operation will be completed by 2013.” Given the significant rise in card fraud and the
initially slow implementation of chip-and-PIN, the Netherlands’ banking industry is now rushing
to implement chip-and-PIN. In May 2009, banks and collective POS institutions agreed to
accelerate the implementation of chip-and-PIN and on March 2, 2011, the Minister of Finance
officially launched the national roll-out of chip-and-PIN in the Netherlands with the expectation
that all retailers and consumers will be using chip-and-PIN by the end of 2011.
Chart 16: Fraud Rates on Payment Transactions with Dutch-Issued Cards
While fraud rates in the United States are not as low as those historically experienced in the
Netherlands, the current situation in the United States is similar to that of the Netherlands. To
date in the United States, the business case for chip-and-PIN has been lacking due to low fraud
rates. Also, as our neighboring countries Canada and Mexico move to chip-and-PIN along with
the rest of the developed world, the U.S. card industry is slow and late to migrate away from the
mag stripe.
38 Currence was founded in 2005 through an initiative by eight Dutch banks. Its purpose is to facilitate a competitive market and
transparency while preserving the quality and security of the payment systems of the Netherlands.
IX. Card Fraud Trends in the United States
While markets that have migrated, or are in the process of migrating, to EMV chip-and-PIN have
seen a significant decrease in fraud on chip-and-PIN transactions, overall fraud levels in the
United States are trending upward. Unlike the other countries discussed in this paper, the United
States does not have a single entity that collects and reports comprehensive card fraud data.
Therefore, it is difficult to fully measure total fraud losses and fraud losses by specific types of
fraud such as CNP or counterfeit fraud. However, there are limited studies and anecdotal
evidence that point to rising fraud losses and rates for U.S. payment cards. And while no single
factor can be attributed to the rising fraud trend on payment cards in the United States, the card
industry’s reliance on mag stripe technology is certainly a factor in this trend.
Since 2004, the fraud rate on bankcards 39 issued in the United States has increased by 70 percent.
The fraud rate on bankcards in 2004 was .05 percent, and by the end of 2010, the fraud rate on
bankcards stood at .09 percent. In fact, 2010 represented the first year that the fraud rate on
U.S.-issued bankcards exceeded the fraud rate on UK-issued cards.
Chart 17: U.S. Bankcard Fraud Rates
Debit cards are also experiencing an increase in fraud rates. According to annual debit issuer
studies conducted for Pulse, 40 both signature and PIN debit fraud rates have increased
significantly since 2004. Signature debit fraud rates have increased by nearly 80 percent since
2004, climbing from .04 percent to .08 percent by 2010. The fraud rate on signature debit
transactions is closely aligned with the fraud rate of bankcards. Fraud rates on PIN debit
transactions are significantly lower than those of signature debit or bankcards. However, PIN
debit fraud rates have increased more than threefold since 2004, growing from 0.003 percent to
0.013 percent by 2010.
39 Bankcards are MasterCard and Visa-branded consumer and commercial credit cards issued by financial institutions. Bankcards
do not include credit cards issued by American Express and Discover or any debit cards.
40 Pulse is an ATM/debit network owned by Discover Financial Services. The network serves more than 4,400 financial
institutions in the United States.
Coinciding with rising fraud rates, the reported incidences of card data breaches remain high.
These breaches have been highly prominent in the news, culminating most recently in May with
the announcement from Michaels Stores Inc. Michaels announced that PIN debit payment
terminals had been tampered with by fraudsters, resulting in a breach of debit card and PIN data
at its stores across the United States. According to a 2011 Data Breach Report, “these attacks
have been occurring for years, but are on the rise in many areas according to both public reports and
the caseload of the U.S. Secret Service.” xxv
Card skimming is becoming more widespread in the United States as payment cards issued here
continue to rely on mag stripe technology while the rest of the world moves to chip technology.
In fact, physical tampering/skimming threats accounted for nearly 30 percent of the data
breaches received by the U.S. Secret Service in 2010, up from approximately 10 percent in 2007.
In 2010, only malware threats accounted for more data breaches than tampering/skimming
threats. xxvi As seen in available data from countries that have adopted EMV chip-and-PIN, chip
cards have been highly effective at reducing card skimming and ultimately counterfeit card fraud.
Chart 18: Fraud Rates on US-Issued Debit Cards
X. Conclusion
Chip-and-PIN cards have been successful in thwarting counterfeit and lost or stolen card fraud in
the card present environment. However, a clear pattern of fraud migration from chip-and-PIN
enabled transactions to non-chip-and-PIN transactions, namely CNP and mag stripe (be it
another market or another product within market) transactions exists. For a chip-and-PIN
migration in the United States to have a successful impact on reducing total card fraud, the entire
payment card industry needs to be coordinated with regard to product issuance and acceptance
as well as solutions for mitigating CNP fraud.
As evidenced in every country where data was available, CNP fraud increased as face-to-face
fraud fell, initially resulting in little to no impact in overall card fraud. In countries where CNP
fraud is now being lowered, merchants have adopted fraud prevention measures that require 3-D
Secure for CNP transactions. However, the 3-D Secure protocol is not unique to chip-and-PIN
cards as it can also be integrated with mag stripe cards. Though new technology specific to
chip-and-PIN cards to reduce CNP fraud is available, it has not been widely deployed due in part to
the success of the 3-D Secure protocol. It will be imperative for the U.S. payments industry to
adopt CNP fraud solutions in order to combat this fraud migration phenomenon should the
industry decide to migrate to chip-and-PIN.
Cross-border card fraud is increasing as fraudsters seek an opportunity to counterfeit cards in
chip-and-PIN markets and then use these cards in markets still relying on mag stripe technology.
Should the U.S. industry continue to rely on mag stripe cards, it is reasonable to expect fraud
committed in the United States on foreign-issued cards to increase as long as foreign issuers
continue to issue cards with both chips and mag stripes. In response to this dynamic, the
European Central Bank is recommending that beginning in 2012, all newly issued Single Euro
Payments Area payment cards should be issued as chip-only cards. xxvii If the U.S. payments
industry decides to migrate to chip-and-PIN, cross-border fraud on U.S.-issued cards should be a
minimal issue given the mass migration to chip-and-PIN in the rest of the world.
Based on the experiences of chip-and-PIN migrations in other countries, it is imperative that all
card-based products should be migrated at, or near, the same time to have a positive impact on
reducing face-to-face fraud within a country’s borders. As witnessed in Canada, migrating credit
before debit resulted in a significant increase in fraud perpetrated with debit cards, ultimately
resulting in a minimal reduction of total card fraud. If the United States migrates to chip-and-PIN
without market consensus, agreement, or a timely and concerted effort, those issuers, networks,
or merchants who are slow to migrate will see increased fraud levels and the impact on overall
fraud levels could be minimal.
Complicating a full U.S. migration to chip-and-PIN is the prevalence of signature verification in
the United States. In fact, the largest card issuers that have announced plans to issue EMV cards
will be issuing chip cards that support signature verification. And in Visa’s plan to move its
network participants to the EMV standard, the network remains committed to both signature and
PIN verification. A move away from mag stripe cards to chip cards would have a positive impact
on counterfeit card fraud in the United States. Maintaining signature as a cardholder verification
method for EMV chip cards might not have a similar positive impact on lost or stolen card fraud
as experienced in chip-and-PIN countries. However, a U.S. migration to an EMV chip-based
environment, regardless of the cardholder verification method, will provide a more secure
payment environment.
Finally, should the U.S. payments industry continue to rely on mag stripe technology as long as
possible, a scenario similar to the Netherlands’ experience could occur in the United States. While
the business case didn’t exist for the Dutch when their European counterparts were migrating, the
business case rapidly changed by the time most of Europe had migrated and fraud in the
Netherlands subsequently increased significantly. With a clear pattern of fraudsters targeting
non-chip transactions, the United States faces a significant risk of continued escalating fraud
rates as long as the payments industry relies on magnetic stripe technology.
Douglas King is a Payments Risk Expert with the Federal Reserve Bank of Atlanta’s Retail Payments Risk Forum.
Since joining the Bank in January 2011, Doug’s work has been primarily focused on risks associated with
card-based and emerging payments in light of a rapidly changing payments regulatory environment. Prior to joining the
Bank, Douglas worked with the payments consulting firm, Edgar, Dunn & Company. At EDC, he provided strategic
guidance to clients across the payments value chain, including global card networks, card issuers, processors, and
merchants. Douglas has experience with multiple payment types and product areas, including credit, debit, and
prepaid cards, debit cards, person-to-person payments, and mobile payments. Prior to receiving an M.B.A. from the
UCLA Anderson School of Management, Douglas began his career with an institutional investment consulting firm.
i EMVCo.
ii IBID.
iii IBID.
iv Murdoch, S.J., S. Drimer, R. Anderson, and M. Bond, “Chip and PIN is Broken.” 2010 IEEE Symposium on Security and
Privacy, http://www-test.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf, accessed on October 4, 2011.
v “Debit Card Interchange Fees and Routing,” 12 CFR Part 235 Regulation II; Docket No. R-, December 16, 2010,
http://www.federalreserve.gov/boarddocs/meetings/2010/20101216/20101216_InterchangeFeeProposedRuleDRAFTFRNotice.pdf,
accessed October 4, 2011.
vi “SECU leads in the US with the addition of EMV Card Chip Technology,” State Employees’ Credit Union Press Release,
February 17, 2011, https://www.ncsecu.org/PDF/Press/20110217_EMVCardChipTechnology.pdf, accessed October 4, 2011.
vii “Visa Announces Plans to Accelerate Chip Migration and Adoption of Mobile Payments,” Visa Inc. Press Release,
http://corporate.visa.com/media-center/press-releases/press1142.jsp, accessed October 4, 2011.
viii Ponemon Institute, “PCI DSS Trends 2010: QSA Insights Report,” March 2010,
http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/PCI%20DSS%20Trends%20%20QSA%20Insights%20010310.pdf,
accessed on October 4, 2011.
ix Financial Fraud Action UK, “Fraud the Facts 2011 The Definitive Overview of Payment Industry Fraud and Measures to
Prevent It,” http://www.financialfraudaction.org.uk/Publications/#, accessed on October 4, 2011.
x Jeffrey Green, “2006 Bankcard Profitability Study & Annual Report,” Cards & Payments, May 2006, pp. 31-32.
xi APACS Reports UK Chip and PIN Success, August 14, 2006, Payments News Glenbrook Partners,
http://www.paymentsnews.com/2006/08/apacs_reports_u.html, accessed on November 3, 2011.
xii EMVCo.
xiii Bell ID, “Six Myths Preventing EMV Migration in the U.S. Fact vs. Fiction,”
http://www.finextra.com/Finextradownloads/featuredocs/White%20Paper%20-%20EMV%20Migration%20US%201.9.pdf,
accessed on October 4, 2011.
xiv Nathalie Ha, “EMV: Challenges & Best Practices” (presentation, Banking Vietnam 2009 Conference, Hanoi, Vietnam, May
27-29, 2009).
xv “Payment industry comes together to ensure smooth migration to chip technology in Canada,” Interac Association Press
Release, March 13, 2006, http://www.interac.ca/media/press_5.php, accessed on October 4, 2011.
xvi Philip Andreae and Associates, “The Canadian Migration to EMV,” September 2006,
http://www.andreae.com/presentation/The%20Canadian%20Migration%20to%20EMV%20sept%202006.pdf, accessed on
October 4, 2011.
xvii Kate Fitzgerald, “Amex Sets Date of Canada EMV Liability,” American Banker, August 27, 2010,
http://www.americanbanker.com/issues/175_166/amex-emv-canada-1024728-1.html, accessed October 4, 2011.
xviii John Hill and Victoria Conroy, “EMV: the story so far,” Cards International, April 13, 2009,
http://www.vrl-financialnews.com/cards--payments/cards-international/issues/ci-2009/ci419/emv-the-story-so-far.aspx,
accessed on November 3, 2011.
xix “EFTPOS Moves to Chip For Enhanced Security and Functionality,” EFTPOS Payments Australia Limited Press Release,
June 3, 2010, http://www.eftposaustralia.com.au/docs/media-releases/eftpos-moves-to-chip-for-enhanced-security-andfunctionality.pdf,
accessed on October 4, 2011.
xx “MasterCard Announces Five Year Plan to Change the Face of the Payments Industry in Australia,” MasterCard Worldwide
Press Release, March 29, 2011, http://www.mastercard.com/au/general/en/aboutus/press/payment_industry_fiveyearplan.html,
accessed on October 4, 2011.
xxi “Visa International Operating Regulations April 10, 2011,” Visa Inc., p. 181.
xxii “Payments Monitor,” Australia Payments Clearing Association, Second Quarter 2011,
http://www.apca.com.au/PM/2011_Quarter2/index.html, accessed on October 4, 2011.
xxiii “From Stripe to Chip: EMV (January 2004 version),” Technology Study Group of the Social Forum on the Payments System,
http://www.dnb.nl/en/binaries/From%20stripe%20to%20chip%20-%20EMV_tcm47-145653.pdf, accessed on October 4, 2011.
xxiv Currence, 2010 Annual Report, p. 26, http://cloud.reportsir.com/reports/41/2011622173740/default.htm, accessed on October
4, 2011.
xxv “2011 Data Breach Investigations Report,” A Study Conducted by the Verizon RISK Team with cooperation from the U.S.
Secret Service and the Dutch High Tech Crime Unit,
http://www.verizonbusiness.com/resources/reports/rp_data-breachinvestigations-report-2011_en_xg.pdf, accessed on October 4, 2011.
xxvi IBID.
xxvii “Seventh Progress Report Beyond Theory Into Practice,” European Central Bank, Single Euro Payments Area, October 2010,
http://www.bundesbank.de/download/zahlungsverkehr/sepa_fortschrittsbericht.en.pdf, accessed on October 4, 2011.