The Chip And PIN Debate – Part 2

Monday, September 13, 2010

PCI Guru


In this post I would like to discuss from a statistical perspective why EMV is not making the impact on fraud that people are led to believe.  The following is the analysis I went through to prove this hypothesis. (Part One Here)

So, let us compare a year of card present fraud in the UK to that in the US.  Unfortunately, I could only get statistics for 2008 for such a comparison.  However, for 2009, card present fraud amounted to around 16% of all fraud and that is 0.43% of the total charged on credit cards in the UK. 

For comparison, the best I could come up with for the US was 2008 data from the American Bankers Association, which indicated that there was $788 million in card present fraud, amounting to 1.6% of the total amount charged.

According to the UK Cards Association, in 2005, the last year before the rollout of EMV, card present fraud amounted to just over 30% of the total fraud incurred from credit cards.  I could not find the total amount charged in the UK that year, so I have no idea how that amount of fraud related to the total charged.

However, given that card present fraud has remained steady at 16% of total fraud under EMV, I would assume that was the same with non-EMV cards so I would estimate that card present fraud amounted to around 0.86% of total fraud in 2005.

So a 1% card present fraud rate drove UK bankers to invent EMV?  At the time UK bankers began to discuss EMV back in the early 1990s, it was my understanding that card present fraud rates were at least double or even triple those in the US, which would put the total percentage of card present fraud at somewhere around 3% to 4.5% of total charges since card present fraud rates are relatively stable. 

Unfortunately, I do not have access to figures to support that.  However, using just double that would mean that at 30% of all fraud in 2005, something must have been done to bring down the fraud rate before EMV was introduced.  I base this on the fact that card present fraud has remained static after the introduction of EMV which would mean that in 2005, card present fraud was around 0.86% of total charges. 

Could it be that enforcing better procedures at the merchant level, which is what the banks mandated before EMV was introduced, drove down card present fraud to around 1% of the total charged?  It does appear that way.

EMV will save US banks and merchants a total of around $394 million annually.  Given the estimated ten billion it will cost to convert totally to EMV, is it any wonder that banks and merchants have no incentive to convert?  The ROI is just not there.

So what are the conclusions we can draw from this exercise?  Introducing EMV into the US would cut card present fraud by 50%.  However, since bankers and merchants believe card present fraud is already at a manageable level, there is no incentive to convert. 

But the more telling conclusion is that EMV does not eliminate card present fraud, as the public perceives it to.  And that is something that the public deserves to know.

UPDATE: See this post from the FDR Atlanta.

Cross-posted from PCI Guru

Christie Christelis: While I agree that there has to be a business case for banks to convert to EMV, I think your figures are incorrect. The estimate for the cost of EMV implementation is, as you say, about $10 billion, but not all of that falls on the card issuer. Acquirers, processors and merchants share some of those costs. The savings due to card-present fraud are more likely to be of the order of $4 billion. Couple this with a liability shift which places the liability for card present fraud onto the merchants (if they are not compliant), and there is certainly a business case for EMV migration on both sides. Banks will push for a liability shift if they can see that the cost of implementing EMV will result in an ROI for them. Other than vested interests (vendors supporting EMV migration), the business case will emerge naturally once fraud due to skimming starts to escalate in the US. If it doesn't, well, then the present levels of fraud merely represent the cost of doing business.

PCI Guru: The bottom line is that US banks and merchants do not have any reason to go through the hassle and cost of converting to EMV. Face-to-face fraud in the US is not the problem it was in Europe, which is what drove the development of EMV. I'm not saying that EMV would not be a good thing, just that there is no ROI that would drive it. What will drive EMV in the US and the rest of the world is if a standard can be established for securing online transactions.