Playing_the_Visa_EMV_Game

QUANTITATIVE ASSESSMENT & ANALYSIS

Playing the Visa EMV Game
By Ruth Fisher
September 2011

Table of Contents

1. Introduction
2. Brief History of Credit Cards
3. Players in the Credit Card Market
   A. Credit Card Networks/Associations
   B. Credit Card Issuers
   C. Credit Card Acquirers
   D. Merchants
   E. Cardholders
4. How Credit Card Processing Works
   A. Stage 1: Authorization
   B. Stage 2: Batching
   C. Stage 3: Clearing
   D. Stage 4: Funding
5. Credit Card Fraud
   A. Estimates of the Magnitude of Credit Card Fraud
   B. Estimates of the Distribution of Credit Card Fraud
6. Credit Card Security Measures
   A. Signatures, Pictures, Security Codes
   B. PINs
   C. PCI DSS
   D. Credit Card Monitoring Systems
   E. EMV
   F. End-to-End Data Encryption
   G. Hardware and Software to Protect Against Data Breaches
   H. Tokenization
7. What the Media Says About US Adoption of EMV
   A. Why Hasn’t the US Adopted EMV?
      i. High Costs
      ii. The Uncertain Environment
      iii. The US Is Different from Europe/The Rest of the World
   B. Why Should the US Adopt EMV?
      i. Rewards for Adopting EMV
      ii. Punishment for Failing to Adopt EMV
   C. Why US Merchants Shouldn’t Rush to Adopt EMV
      i. Avoidance of PCI DSS Audit Costs
      ii. Investment in Other Technologies
      iii. EMV Won’t Address Largest Source of Fraud
8. The Visa EMV Game
   A. Structure of the Visa EMV Game
      i. Cardholders
      ii. Merchants
      iii. Acquirers
      iv. Network (Visa)
      v. Issuers
   B. Outcome of the Visa EMV Game
   C. What Can Visa Do to Speed Up Adoption of EMV?
9. References

1. Introduction

Visa’s EMV technology standard -- used for credit card processing -- was introduced several years ago as a means of decreasing credit card fraud. This new EMV standard has passed well into the intermediate stages of adoption in virtually all countries in the rest of the world. However, EMV adoption in the US has barely taken hold. Visa has made a recent push to encourage US Merchants to upgrade their Visa credit card processing systems to the EMV standard. Interestingly, the media has noted that while the Merchants who accept Visa credit cards as payment for purchases made by their Customers will have to bear the majority of the total costs to industry associated with the technology upgrade, it will be the Issuers who realize the majority of the benefits of decreases in credit card fraud.
This analysis was undertaken as a means to better understand the dynamics among industry players involved with adoption of EMV.

2. Brief History of Credit Cards

The following history was taken from Douglas Akers, Jay Golter, Brian Lamm, and Martha Solt (2005), “Overview of Recent Developments in the Credit Card Industry”:

Although merchant credit may be as old as civilization, the present-day credit card industry in the United States originated in the nineteenth century. In the early 1800s, merchants and financial intermediaries provided credit for agricultural and durable goods, and by the early 1900s, major U.S. hotels and department stores issued paper identification cards to their most valued customers…Generally these cards were useful only at one location or within a limited geographic area–an area where local merchants accepted competitors' cards as proof of a customer's creditworthiness.

In 1949, Diners Club established the first general-purpose charge card, enabling its cardholders to purchase goods and services from many different merchants in what soon became a nationwide network…

In the late 1950s, Bank of America, located on the West Coast, began the first general purpose credit card (as opposed to charge card) program. At that time, banking laws placed severe geographic restrictions on individual banks. Virtually no banks were able to operate across state lines, and additional restrictions existed within many states. Yet for a credit card program to be able to compete with Diners Club, a national presence would be important. To increase the number of consumers carrying the card and to reach retailers outside of Bank of America's area of operation, therefore, other banks were given the opportunity to license Bank of America's credit card.

At first Bank of America operated this network internally. As the network grew, the complexity of interchange–the movement of paper sales slips and settlement payments between member banks–became hard to manage. Furthermore, the more active bank licensees wanted more control over the network's policy making and operational implementation. To accommodate these needs, Bank of America spun off its credit card operations into a separate entity that evolved into the Visa network of today.

In 1966, in the wake of Bank of America's success, a competing network of banks issuing a rival card was established. This effort evolved over time into what is now the MasterCard network.

In addition, firms that were not constrained by interstate banking restrictions formed card networks on the single-issuer model (the model established by Diners Club, in which many merchants accept payments on a card with a single issuer…). For instance, the American Express Company (American Express) introduced its charge card system in 1958, and Sears, Roebuck and Co. (Sears) established the Discover Card credit card in 1986.

Among the challenges each of these networks faced was bringing together large numbers of cardholders with large numbers of merchants who accepted the cards as payment. Achieving a sufficiently large network was hard, partly because merchants, especially larger retailers, were reluctant to honor credit cards that would compete with their own store-branded credit cards. Some smaller merchants, however, viewed general-purpose credit cards as a way they could compete with larger merchants for customers. Merchants of all sizes were averse to having fees imposed on them by the credit card network.

Currently the U.S. credit card industry is a mature market. Today credit cards are widely held by consumers… Credit cards are also widely accepted by merchants, and with the recent addition of fast-food and convenience stores to the credit card networks, credit card payments are now processed at nearly all retail establishments.

3. Players in the Credit Card Market

This section describes the roles of the various players involved in the credit card market.
In Section 3, the relationships between the various players are presented within the context of the procedures for credit card transaction processing. Figure 4 provides a visual display of the relationships among the players within this context of the processing system. Also, in Section 7, when the structure of the Visa EMV game is detailed, there is another figure, Figure 11, that provides an alternative visual depiction of the relationships between the players.

© Ruth D Fisher 2011

A. Credit Card Networks/Associations

From Wikipedia, a credit card network is

An association of card-issuing banks such as Discover, Visa, MasterCard, American Express, etc. that set transaction terms for merchants, card-issuing banks, and acquiring banks.

Globally, the largest credit card networks are Visa, MasterCard, American Express, Discover, JCB (Japan-based), and Diners Club. Visa and MasterCard together control over 80 percent of the market. See Figure 1.

Since the Networks are owned and run by their member financial institutions, who also act as issuers, the interests of the Networks and the Issuers are perfectly aligned.

Note that the credit card Networks listed above enable Cardholders to use their cards to purchase goods and services from a large variety of Merchants. However, as seen in Figure 2, in terms of credit card numbers there are more credit cards issued in the US by specific stores (e.g., Macys, Sears, JC Penney) than there are by Visa and MasterCard. In terms of purchase volume, however, store-specific card activity is swamped by activity on Network cards.

B. Credit Card Issuers

Credit card Issuers are the banks (or other financial institutions) that issue credit cards to cardholders. The credit cards are issued under a specific credit card Network, such as Visa or MasterCard.
Credit card Issuers pay Networks for the right to issue cards under the network, but it is the Issuer -- not the Network -- that has the relationship with the Cardholder. More specifically, Issuers are the parties who extend credit to Cardholders, bill them for purchases, collect payments from them, and bear any risks associated with Cardholder default or fraudulent credit card activity. To reiterate, credit card Issuers bear most of the costs associated with fraudulent credit card activity.

As seen in Figure 3, in the US, the four largest Issuers, American Express, Chase, Bank of America, and Citibank, control almost three-quarters of US credit card purchases.

C. Credit Card Acquirers

Credit card Acquirers are the banks (or other financial institutions) that process credit card activity on behalf of Merchants. Acquirers solicit merchants to establish accounts and provide merchants with gateways (via point of sale (POS) credit card terminals) that enable credit card

• authorization (by Issuing banks on behalf of Cardholders),
• batching (by Merchant banks of Cardholder transactions),
• clearing (distribution of Merchants’ transactions with Cardholders to Issuing banks), and
• funding (by Issuers to Merchants of Cardholders’ purchases).

Due to the timing of payments and the possibility of product returns (chargebacks) by customers to Merchants, credit card acquirers do bear some liability on behalf of merchants. Specifically, if a Merchant goes out of business between the time a Customer purchases a product from the Merchant and the time he returns the product to the Merchant, then the Acquirer becomes liable to the Customer for the amount of purchase.

Credit card Acquirers are licensed by the networks and collect (monthly and per-transaction) fees from Merchants for the processing services they provide.

D. Merchants

Merchants are the providers of goods and services to credit Cardholders (purchasers) who accept the Networks’ credit cards for payment of goods and services. Merchants pay monthly and per-transaction fees to credit card Acquirers and Issuers. In return, Merchants are able to sell their goods and services to Cardholders, who, without the ability to pay by credit card, might forego purchases from the Merchant.

Merchants are liable for certain costs associated with fraudulent credit card activity, such as card-not-present (CNP) transactions, fraudulent chargeback activity, and foregone sales of “risky” proposed Cardholder purchases to avoid the risk of fraudulent activity.

From Jennifer Meacham’s “Credit Card Fraud: How Big Is The Problem?”:

Unlike face-to-face credit card transactions, where the merchant bank bears the responsibility of covering losses from fraudulently acquired merchandise, "card not present" transactions leave the merchant liable for the cost of that fraud. And the stark reality is that all Internet credit card transactions are "card not present." The end result for online retailers is a chargeback: Reversal of the original order amount plus an additional merchant-bank fee of $5 to $35 per transaction...

Rather than contest a chargeback and risk the bank siding with the friendly fraudster, in nearly half of the cases they simply refunded the card the amount of the order. This was done, the merchants reported, to keep their credit card processing rates down and curb chargeback costs.

Across the board, the cost of managing fraud exceeds the cost of fraud itself by as much as 300 percent, according to preCharge's report. However, that's a far cry from the millions it could cost merchants who've suffered a data breach, according to Darwin Professional Underwriters, an insurance and risk management consulting firm.
Its online Data Loss Cost Calculator calculates possible attorney fees, customer notification costs, fines, and the cost of paying for credit monitoring for every one of those customers...

Meanwhile, the cost of mistakenly rejected orders adds up as well: …Though 63 percent of merchants surveyed by preCharge have sold outside the U.S., fewer than 15 percent actively sell internationally; more than 85 percent said they'd actively sell internationally if fraud could be managed properly.

According to a 2009 LexisNexis Report:

[R]etail merchants are absorbing the vast majority of the costs associated with fraud. Among the numerous fraud types affecting merchants, identity fraud or fraudulent transactions made up the bulk of fraud from a cost standpoint, representing 52 percent of total fraud losses. In addition, certain merchant segments revealed a higher prevalence of fraudulent transactions such as large eCommerce retailers, of which 40 percent saw an upsurge. Digital goods merchants attributed 54 percent of their fraud loss to unauthorized purchases, while merchants in telecom, social networking industries and online gaming reported 64 percent to 67 percent of their total annual fraud loss as the result of identity fraud.

The report also found that:

* One in five merchants experienced an increase in unauthorized transactions associated with identity fraud;
* Credit card crimes continued to rise sharply, but alternative payments (i.e. online and mobile payments) represented a troubling new source of losses for large merchants;
* Friendly fraud—where a consumer makes an online purchase with their credit card, then issues a chargeback after receiving the purchase, claiming the purchase was never delivered—accounted for more than one-third of the total fraud for online-accepting merchants;
* Merchants showed low satisfaction for fraud technology solutions; and
* Retail merchants sought more education and improved industry standards as they battled the cost of fraud.

E. Cardholders

Cardholders are the purchasers of goods and services from Merchants who use Networks’ credit cards as a method of facilitating payment to Merchants for the goods and services they purchase. Credit Cardholders pay interest and fees to Issuers for the balances they carry on their credit cards.

Federal law limits Cardholder liability for fraud to $50, if Cardholders report fraudulent activity in a timely manner. However, most credit card Networks voluntarily indemnify Cardholders from all liability associated with fraud committed on their accounts. Both Visa and MasterCard have explicitly instituted “Zero Liability” programs for their cardholders, with the following limitations:

Visa Zero Liability

• Only US-issued cards are covered by the program;
• Does not apply to ATM transactions;
• PIN transactions must be processed by Visa;
• Any suspected fraudulent account activity or lost or stolen cards are reported to the Network in a timely manner.

MasterCard Zero Liability

• Only cards issued for non-commercial use are covered by the program;
• PIN debit transactions are not covered;
• Any suspected fraudulent account activity or lost or stolen cards are reported to the Network in a timely manner;
• Cardholders’ accounts are in good standing, Cardholders have exercised reasonable care to safeguard against fraud, and Cardholders have not reported more than one fraudulent event in the past 12 months.

4. How Credit Card Processing Works

The way in which credit cards are processed determines the relationships between the various parties in the Credit Card Game, which serves to underscore the incentives each player faces. This progression is displayed in Figure 4 and described in the sub-sections below.

A. Stage 1: Authorization

From Richard Sullivan’s “The Changing Nature of U.S. Card Payment Fraud: Industry and Public Policy Options”:

A card payment approval system screens transactions to limit fraud. The system authenticates the card, identifies the cardholder, and determines whether the transaction satisfies certain limits set by the card issuer or merchant.

Step 1: The Cardholder requests to purchase goods or services from the Merchant.

Traditionally the Cardholder and the Merchant are in the same location, face-to-face, when the request for purchase by means of credit card is made. In this case, the Cardholder has his credit card in hand, and the credit card is swiped at a point-of-service (POS) terminal, which collects the cardholder information.

Alternatively, and with increasing prevalence, the Cardholder and the Merchant are not physically in the same location. This is the case for mail orders, phone orders, and purchases made through the Internet. Such card-not-present (CNP) transactions are becoming increasingly significant as e-commerce grows. Figures 5A and 5B show that as of 2009 Internet sales, of which a significant portion is made by credit card, have grown to about four percent of total US retail sales, totaling $145 billion.

Step 2: Merchant submits the request to the Acquirer.

When card information is passed from the Cardholder to the Merchant (via the POS terminal), the information is forwarded to the Acquirer.

Step 3: Acquirer sends a request to the Issuer to authorize the transaction.

The Acquirer forwards the information received from the Merchant regarding a customer request for purchase onto the appropriate Issuer.

Step 4: Authorization code is sent to the Acquirer if there is valid credit available.

The Issuer reviews information on the Cardholder (e.g., amount of Cardholder’s current purchases outstanding, Cardholder’s current credit limit, Cardholder’s historical purchasing patterns) and uses various forms of pattern recognition software to detect unusual activity related to fraud. If everything passes muster, the Issuer sends a purchase authorization to the Acquirer.

Step 5: Acquirer authorizes the transaction.

The Acquirer forwards the authorization received from the Issuer onto the Merchant.

Step 6: Cardholder receives the product.

The Merchant accepts the credit card payment from the Cardholder and releases the purchase items.

B. Stage 2: Batching

Step 7: The Merchant stores the day’s authorized sales to Cardholders, and at the end of the day he sends the batch of credit card sales to the Acquirer to receive payment.

C. Stage 3: Clearing

Step 8: Acquirer sends batch through the Card Network to request payment from the Issuer.

The Acquirer sends the Merchant’s batch of credit card sales to the appropriate Card Networks to request payment from the Issuers.

Step 9: Card Network distributes each transaction to the appropriate Issuer.

Each Card Network distributes the Merchant’s Cardholder transactions to the appropriate Issuers.

Step 10: Issuer subtracts interchange fees, which are shared with the Card Network, and transfers amount.

The Issuers take the total amount of cardholder purchases, subtract their interchange fees (generally 1 – 3% of the amount of transaction), and remit the difference to the card Networks.

Step 11: Card Network routes the amount to the Acquirer.

The Card Networks forward on the Issuers’ remittances to the Acquirer.

D. Stage 4: Funding

Step 12: Acquirer subtracts its transaction fee and pays the Merchant the remainder.

The Acquirer subtracts its transaction fees (generally a per-transaction fee ranging from $0.25 to $0.45) from the remittances forwarded by the Card Networks from the Issuers and forwards on the remainder to the Merchant. So the Merchant receives the amount of Cardholder purchases, less fees paid to Issuers (1 – 3%), less fees paid to the Acquirer ($0.25 – $0.45 per transaction).

Step 13: Issuer bills Cardholder.

After the Issuer has forwarded on payment to the Merchant, he bills the Cardholder for the amount of purchase.

Step 14: Cardholder pays Issuer.

The Cardholder remits the amount of purchase to the Issuer, or carries some portion of the purchase in his account with the Issuer, for which he pays interest.

5. Credit Card Fraud

Ramon P.
DeGennaro, from the Federal Bank of Atlanta, distinguishes three types of credit card fraud, while Peter Welch, in his “European Payment Card Fraud Report 2010”, distinguishes five methods of compromise. Putting these two sets of distinctions together gives us the following classification of credit card fraud:

i. Existing Account Fraud: This type of fraud stems from stolen account information. It may take the form of

• Charges made on lost or stolen cards (card present transactions)
• Charges made on counterfeit cards (card present transactions)
• Charges made using card details (card not present transactions) intercepted, skimmed, or hacked from information contained in previous transactions made by the cardholder

ii. New account fraud, also known as identity theft: A thief uses data intercepted, skimmed, or hacked from information contained in previous transactions made by the cardholder to open an account and subsequently incur debts (card present or card not present transactions) in the name of the cardholder.

iii. Friendly fraud: Cardholders make legitimate transactions that they later deny having made (card present or card not present transactions).

To gain more perspective in the area of credit card fraud, we need to better understand:

• The magnitude of credit card fraud;
• Changes in the incidence of credit card fraud over time, i.e., has it been increasing?
• The distribution of credit card fraud across sources or types;
• Changes in the distribution of credit card fraud over time.

A. Estimates of the Magnitude of Credit Card Fraud

Proper estimates of the costs of credit card fraud should include all costs incurred by all players in the system. Player-specific costs of credit card fraud include, for example:

• Costs of Credit Card Fraud to Networks:
  o Loss in reputation associated with credit card fraud (see below)
  o Lost revenues associated with customers who forego purchases for fear of being victims of crime (see below)
• Costs of Credit Card Fraud to Issuers:
  o Reimbursements to Cardholders for fraudulent purchases made on their accounts
  o Resources expended in investigating, resolving, and preventing credit card fraud
• Costs of Credit Card Fraud to Acquirers:
  o Reimbursements to Cardholders on behalf of Merchants who go bankrupt because of credit card fraud
• Costs of Credit Card Fraud to Merchants:
  o Loss in reputation associated with credit card fraud
  o Lost revenues associated with customers who forego purchases for fear of being a victim of crime
  o Loss in purchase price, credit card processing price, and chargeback fees for Cardholders who fraudulently claim orders were never received
  o Increases in credit card processing costs to cover Issuer activity related to credit card fraud
• Costs of Credit Card Fraud to Cardholders:
  o Loss in reputation associated with identity theft
  o Resources expended in resolving problems associated with identity theft
  o Higher purchase prices on goods and services passed on to customers by Merchants who must pay higher credit card processing fees to cover credit card fraud
  o Higher purchase prices on goods and services passed on to customers by Merchants who cover (non-processing-fee-related) costs associated with credit card fraud
  o Costs associated with being mistakenly denied credit card authorization due to false positive alerts from anti-fraud monitoring systems (see for example “Credit card fraud monitoring can halt legitimate purchases”)

Evidence that supports the contention that Networks suffer losses in reputation due to credit card fraud is provided by Akers et al. in “Overview of Recent Developments in the Credit Card Industry”:

The industry is also facing serious challenges from credit card fraud, identity theft, and the need to secure confidential information. These challenges have always been an operational risk, but the problem has intensified now that large quantities of confidential information are maintained in Internet-accessible systems and criminals are becoming more sophisticated in obtaining and using sensitive data. Besides being a costly drain on banks, these problems have the potential to erode consumer confidence in the credit card industry.

Here are just a few pieces of evidence that support the contention that Cardholder fear of being the victim of credit card fraud discourages purchase activities:

• From Visa’s Zero Liability documentation: Shop worry-free at millions of merchants. You can use your card to shop with confidence. That's because Visa protects your card information 24/7 and you won’t be held liable for unauthorized purchases made with your card or account information.
• From JB MacLean Consulting: For fear of becoming the next victim of identity theft, 150 million U.S. consumers don't bank online, according to experts. But the banking industry could improve profitability by as much as $8.3 billion per year if banks build consumers' confidence in online security.
• From FTC Testimony on Identity Theft: The fear of identity theft has gripped the public as few consumer issues have…Consumers fear the potential financial loss from someone's criminal use of their identity to obtain loans or open utility accounts. They also fear the long lasting impact on their lives that results from the denial of a mortgage, employment, credit, or an apartment lease when credit reports are littered with the fraudulently incurred debts of an identity thief.

Comprehensive estimates of the costs associated with credit card fraud are difficult to find. However, piecemeal estimates of the problem for different aspects of fraud (e.g., Internet fraud, identity theft) occurring in different locations (US, UK, Canada) are available. Figure 6 provides some examples of estimates of the magnitude of credit card fraud.

It is not clear that these estimates include all the costs associated with credit card fraud listed above. In particular, LexisNexis reports:

U.S. merchants are incurring $191 billion in fraud losses each year, according to a new report released today by LexisNexis® Risk Solutions. Among the findings, the 2009 LexisNexis® True Cost of Fraud Benchmark Study discovered that merchants must absorb nearly 10 times the identity fraud cost incurred by financial institutions. Retail merchants experience a massive $100 billion in losses solely attributed to identity fraud, which escalates to $191 billion when factoring in the additional cost of lost and stolen merchandise. The study also found that merchant fraud losses amounted to more than 20 times the total value of consumer fraud victim losses which totaled approximately $4.8 billion in 2008.

These piecemeal estimates suggest that globally, credit card fraud is at least a multi-billion dollar problem.

Estimates generally indicate that the magnitude of credit card fraud has been increasing over time. For example, the Sullivan Paper (estimate [10] in Figure 6) indicates:

A recent study of banks found that, between 2006 and 2008, fraud losses from counterfeit cards rose on each of signature debit, PIN debit and ATM transactions (American Bankers Association 2009). Costs related to online payments fraud (lost sales, direct payment fraud losses, and fraud management) rose steadily from 2000 to 2008 (Cybersource 2010). The 2009 costs declined somewhat, to $3.3 billion (1.2 percent of sales revenue), in part due to the economic slowdown… [A] 2008 survey of banks… reports that 43 percent of respondents suffered payment fraud losses due to data breaches, up from 22 percent in 2006 (American Bankers Association 2009).

The exception is the UK Card Association’s estimates of credit card fraud in the UK. In the Welch Report, the recent (2009 and 2010) decreases in the amounts of fraud are attributable as follows:

According to the UK banking and payments industry, there is no single “magic bullet” behind the reduced losses. In announcing the figures for the first half of 2010, the UK Cards Association said the drop in card fraud is the result of a number of initiatives including:

• The growing use of sophisticated fraud screening detection tools and greater implementation of MasterCard SecureCode and Verified by Visa to tackle CNP fraud.
• The work of the industry-sponsored Dedicated Cheque and Plastic Crime Unit.
• Improving the protection of Chip and PIN equipment from criminal attack.
• Implementation of PCI DSS.
• Tackling international fraud through the fraud detection systems that identify unusual spending, allied to the growth in international Chip and PIN implementation.
• Continued investment in anti-skimming devices and procedures to combat ATM fraud.
• The roll-out of iCVV and Dynamic Data Authentication (DDA) chip cards, of which there were 117 million and 38 million respectively in issue by the end of June.

A further factor is the economic environment, with UK credit card issuers rejecting a higher proportion of applications and reducing credit limits on some existing cards. Credit cards can be particularly attractive to fraudsters given the line of credit available. As the chart shows, loss rates on credit cards are significantly higher than on charge and debit cards.

Estimates generally indicate that the rate of credit card fraud is below 1% of credit card purchase volumes:

• From CardWeb (estimate [8] in Figure 6): While total fraud in the U.S. will exceed $1 billion this year [1998], it computes to only nine tenths of one percent of the total amount charged to bank credit cards.

• From the Welch Report (estimates [3] and [5] in Figure 6): Figure 7

• The Sullivan Paper (estimate [10] in Figure 6) provides the following estimates of Fraud Loss Rates on Debit and Credit Card Payments, 2006:

                    Losses per $100
  Australia         $0.024
  France            $0.050
  Spain             $0.022
  US                $0.092
  US issuers only   $0.054

B. Estimates of the Distribution of Credit Card Fraud

Freely available distributions of credit card fraud in the US were difficult to find, but there are some figures available for France, UK, and Canada, which are displayed in Figure 8.

Supplementary to the graph above, according to the Welch Report, CNP fraud has been increasing in France from about 42% of all credit card fraud in 2007 to about 54% in 2008 and 54% in 2009. Another scholar, Hendi Yogi Prabowo, found that

Payment fraud statistics from Australia and UK suggest that card-not-present fraud (e.g. online credit card fraud) is the most common type of credit card fraud followed by skimming/counterfeit card fraud. This is different from a decade ago when skimming/counterfeit card fraud was statistically the most prevalent modus operandi. The emergence and growth of e-commerce has been a driving factor behind such a change.

What these data suggest is that the majority of credit card fraud is associated with CNP activity, and that the portion of CNP fraud has been increasing over time. This conclusion is consistent with media reports. For example, Jennifer Meacham in “Credit Card Fraud: How Big Is the Problem” indicates:

Internet sales have gone up an average 20 percent each year since 2000, according to CyberSource. Even though the percentage of fraud has dropped, the collective value of the products being stolen from North American e-merchants rose from $1.5 billion in 2000 to $3.6 billion in 2007, due in large part to the growth of Internet usage.

The second most prevalent form of credit card fraud is that associated with counterfeit cards, but this activity has been decreasing over time, presumably with the advent of new technologies, such as EMV and other security measures, such as pattern recognition software (more on these later).

The third most prevalent form of credit card fraud is that associated with lost or stolen cards.

6. Credit Card Security Measures

This section provides some of the more prevalent security measures taken by credit card industry members in an attempt to reduce the amount of credit card fraud.

A. Signatures, Pictures, Security Codes

In the pre-Internet days, most credit card transactions were conducted face-to-face, and a significant portion of credit card fraud was conducted either by counterfeiting cards, for example, by using the carbons from Cardholder transactions, or by using lost or stolen cards. “Old time” credit card security measures were introduced to address such face-to-face fraud and included using Cardholder signatures on the back of credit cards and/or Cardholder pictures on the front of credit cards to authenticate Cardholder identity, thereby reducing the incidence of fraud.

To address the issue of card-not-present fraud, Networks subsequently introduced security codes on credit cards. These security codes do not show up on credit card carbons, and they are not (supposed to be) stored with other Cardholder information. As such, they are intended to decrease the incidence of counterfeiting that is generated from stolen Cardholder information.

Consensus is that none of these measures is particularly effective in decreasing credit card fraud.

B. PINs

Personal Identification Numbers (PINs) were originally used exclusively to access ATMs, but they have been increasingly used for POS debit card transactions, and more recently as an added security measure to authenticate credit card transactions. Use of PINs has been acknowledged as being an effective anti-fraud measure, assuming Merchants comply with Networks’ safety procedures and do not store PINs in their databases of transaction activities. However, an incident in 2006 revealed that not all Merchants are complying with this directive, and breaches of Merchant data have been the source of fraud associated with the use of PINs.

C. PCI DSS

With the advent of the Internet, breaches of Cardholder data stored by Merchants and Financial Institutions have become an insipid means for hackers to quickly and effectively collect large amounts of Cardholder data, which is used by the hackers themselves or sold to others to commit credit card fraud (for a comprehensive discussion of credit card data breaches see Sullivan’s “The Changing Nature of U.S. Card Payment Fraud: Industry and Public Policy Options”).

To address the security of cardholder data, Visa introduced the Cardholder Information Security Program (CISP) in 2001, which subsequently evolved into the Payment Card Industry (PCI) Data Security Standard (DSS) in 2004:

Mandated since June 2001, CISP is intended to protect Visa cardholder data–wherever it resides–ensuring that members, merchants, and service providers maintain the highest information security standard. In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard (DSS) resulting from a cooperative effort between Visa and MasterCard to create common industry security requirements. Effective September 7, 2006, the PCI Security Standards Council (SSC) owns, maintains and distributes the PCI DSS and all its supporting documents...

PCI DSS compliance is required of all entities that store, process, or transmit Visa cardholder data, including financial institutions, merchants and service providers. The PCI DSS applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Visa Inc.'s compliance programs manage compliance with the PCI DSS with the required program validation. The PCI DSS offers a single approach to safeguarding sensitive data for all card brands.

The PCI DSS consists of twelve basic requirements categorized as follows:

PCI Data Security Standard

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Compliance validation

Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.

The PCI DSS system seems like it would be an extremely effective safeguard against data breaches.
Unfortunately, this has not been the case in practice. According to Richard Sullivan

Only half of the largest U.S. merchants met the PCI compliance deadline of September 30, 2007. Similarly, many European retailers have been slow to achieve PCI compliance (Leyden). Implementing the PCI DSS has also been controversial. Merchants and processors face significant costs of compliance and question the benefits they receive (Mott). The standards themselves have been criticized because they do not address card network rules that require merchants to store card information to resolve disputed transactions or facilitate refunds. In addition, some merchants who have been certified as compliant have still been the victims of successful security breaches, raising concerns about the quality of the standard.

D. Credit Card Monitoring Systems

Credit card monitoring systems are used by Networks and Financial Institutions to profile users’ credit card usage patterns and flag activity that appears suspicious. Such monitoring systems are used during credit card processing to authorize or deny proposed purchases. For example, Visa’s Fraud Monitoring program is described as follows:

Visa's e-commerce fraud detection system is the first of its kind to use current worldwide fraud trends and global payment-card usage patterns to provide a comprehensive assessment of transaction risk. At its heart is a data network that stores thousands of examples of valid purchase transactions and constantly updates cardholder data so future purchases can be evaluated against the most current profile. Each time an authorization request is processed, it's evaluated against the individual's transaction history. Visa also works closely with technology companies and our merchant partners to ensure that they operate as allies in the effort to keep your information out of harm's way.

E. EMV

A new credit card standard, EMV, has been introduced that proposes to replace the traditional magnetic strip credit cards. The EMV name comes from Europay, MasterCard and Visa, the companies that in 1994 initiated development of the EMV Specifications. Europay International SA became part of MasterCard in 2002. JCB joined EMVCo in 2004, and American Express in 2009. From Wikipedia,

EMV is a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions… IC card systems based on EMV are being phased in across the world, under names such as "IC Credit" and "Chip and PIN"…

The purpose and goal of the EMV standard is to specify interoperability between EMV compliant IC cards and EMV compliant credit card payment terminals throughout the world... One of the original goals of EMV was to allow for multiple applications to be held on a card: for instance, a credit and debit card application or an e-purse.

EMV chip card transactions improve security against fraud compared to magnetic stripe card transactions that rely on the holder's signature and visual inspection of the card to check for features such as hologram. The use of a PIN and cryptographic algorithms … provide authentication of the card to the processing terminal and the card issuer's host system...

The supposed increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.
For transactions in which an EMV card is used, the cardholder is assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction, and did not inadvertently assist the transaction through PIN disclosure.

Although not the only possible method, the majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a PIN (Personal Identification Number) rather than signing a paper receipt.

Globally, many countries around the world have adopted or are in the process of adopting the EMV standard. The US is the major holdout. In an attempt to persuade US merchants to adopt the new standard, Visa recently announced an incentive program:

A primary plank for encouraging merchant compliance with chip and PIN will trigger on October 1, 2012. That's when Visa says it will launch its keystone Technology Innovation Program (TIP) to the U.S.

Here's what Visa advises merchants on the new program, in three key steps:

Step No. 1: Visa says that TIP will end the mandate for merchants to validate their compliance with the PCI Data Security Standard (PCI DSS) for any year where 75 percent of the merchant's Visa transactions stem from chip-based terminals. To accommodate the Visa mandate, merchants must use terminals that support contact and contactless chip technology. Visa also says that contact chip-only or contactless-only terminals will not be eligible for use by U.S. merchants.

"Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable," said Visa in a statement.

Step No. 2: Visa also insists that U.S. acquirer processors support merchant acceptance of chip transactions no later than April 1, 2013.

"Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including the cryptographic message that makes each transaction unique," said Visa.

Visa will provide "additional guidance as part of its bi-annual Business Enhancements Release for acquirer processors to certify that their systems can support EMV contact and contactless chip transactions."

Step No. 3: Visa has also mandated a "U.S. liability shift" for U.S.-based and overseas counterfeit card-present point-of-sale (POS) transactions, effective October 1, 2015. Right now, POS counterfeit fraud is usually handled by card carriers. With the new rules on liability, if a contact chip card is used as payment to a merchant who is not using contact chip terminals, liability for counterfeit fraud lands with the merchant's acquirer.

In countries that have adopted the EMV standard, the technology has proven to be effective at decreasing the incidence of credit card counterfeiting. However, EMV does not protect against CNP fraud, which is currently the largest and most quickly increasing portion of fraud.

F. End-to-End Data Encryption

With the advent of Near Field Communication technology and, with it, the increasing use of mobile and contactless credit card transactions, Networks and Financial Institutions are headed toward end-to-end encryption of data throughout the entire payment system. They are using this in an attempt to prevent interception and breaches of Cardholder information that can be used to perpetrate credit card fraud.

Data encryption is one of the elements of PCI DSS; however, there are certain aspects of the requirements that might currently result in PCI DSS compliant entities not realizing end-to-end encryption.
As Ben Rothke and David Mundhenk note in “End-to-End Encryption: The PCI Security Holy Grail”:

While the PCI DSS requires encryption or some other obfuscation of the PAN [primary account number], the payment industry as a whole still has some perceived shortcomings. Specifically, PCI does not require encryption of data in transit over a private or internal network. The current definition of a private network has been inferred by PCI standards documentation; however, it is still unclear how to make a determination in all cases.

For example there are some public networks such as those comprised of Multiprotocol Label Switching (MPLS) and Plain Old Telephone System (POTS) elements that are most clearly public in nature, yet the PCI DSS requirements make exceptions for these. There is also some confusion on whether satellite-based data networks are considered public or private, and hence in need of encryption capabilities or not.

G. Hardware and Software to Protect against Data Breaches

There has been much public and private sector collaboration on means of addressing the issue of data privacy and security. For example the US Department of Homeland Security (DHS) recently announced

Today [July 22, 2011], the Department of Homeland Security and the Information Technology Sector Coordinating Council, which includes representatives from major IT companies, released three IT Sector risk management strategies to address risks to the Nation’s IT infrastructure as part of an ongoing collaboration between government and private-sector stakeholders.

In 2003 NIST (The National Institute of Standards and Technology) provided a special publication to address information security technologies: Guide to Selecting Information Technology Security Products: Recommendations of the National Institute of Standards and Technology.
The publication provides guidance in the areas of identification and authentication, access control, intrusion detection, firewall, public key infrastructure, malicious code protection, vulnerability scanners, forensics, and media sanitizing.

And in fact an entire industry has evolved to address matters of Information Security.

• From ISO (International Organization for Standardization): The ISO 27000 series of standards have been specifically reserved by ISO for information security matters.

• Many industry standards relating to information security have been established, such as PCI DSS for credit card information, HIPAA for healthcare information, and FISMA for Federal information.

• Many private companies have entered the industry to offer products and services to help organizations secure their information. Services include analyzing organizations’ information systems and identifying (i) where breaches have occurred, (ii) where breaches might occur, and (iii) how organizations might improve their systems to protect against future attacks.

H. Tokenization

Another measure being introduced to combat credit card fraud is Tokenization:

In October 2009, Visa published the Visa Best Practices for Data Field Encryption to promote the proper encryption of sensitive card data that is transmitted, processed or stored by stakeholders throughout the payment system. As part of these best practices, Visa recommended that entities use tokens (such as a transaction ID or a surrogate value) to replace the Primary Account Number (PAN) for use in payment-related and ancillary business functions. Tokenization can be implemented in isolation or in concert with data field encryption to help merchants eliminate the need to store sensitive cardholder data after authorization. Entities that properly implement and execute a tokenization process to support their payment functions may be able to reduce the scope, risks and costs associated with ongoing compliance with the Payment Card Industry Data Security Standards (PCI DSS).

7. What the Media Says about US Adoption of EMV

Before analyzing the Visa EMV game, let’s first see what the media has to say about EMV, regarding whether or not the US should adopt the new technology.

A. Why Hasn’t the US Adopted EMV?

The current (as of Q1 2011) state of global deployment of EMV is depicted in Figures 9 and 10:

Figure 9

Figure 10

In the table and map above, the US is conspicuous as being the only region in the world that has not yet adopted EMV. Why haven’t they?
There are a number of reasons cited in the media to explain why the US has not adopted EMV technology while Europe and the rest of the world has.

i. High Costs

An often cited reason for the US holdout is that the costs of adoption are too high, in absolute terms, relative to the benefits the technology will provide in terms of fraud reduction, and/or relative to the costs of the current (magnetic strip) technology.

ii. The Uncertain Environment

The uncertainty surrounding the final specifications in the Frank-Dodd bill recently legislated in the US led Visa to delay roll-out in the US, and it led to uncertainty regarding future transaction fees to be paid by Merchants to Issuers. In either case, waiting for the final legislation would provide clarity as to the new costs and benefits of the new system.

Discussions on the adoption of EMV being delayed in the US due to uncertainty also cited uncertainty on the part of Merchants as to if and when EMV would be adopted.

iii. The US Is Different from Europe/The Rest of the World

a. Different Phone Systems: Other countries migrated to chip cards earlier on in part because at the time, their landline telephone systems on which mag stripe technology depends were less reliable.

b. Different Banking Structure: In the U.S., the relationships and roles of card acquirers, issuers, networks and merchants is substantially different and, in some cases, more complex than much of the rest of the world. In many countries outside of the U.S., major banks typically do both card issuing and acquiring. Whereas in the U.S., a number of very large banks operate large portfolios of card customers whom they issue cards to; however, they do very little on the acquiring side, so there is a "distance" between the issuing and the acquiring businesses. Since both sides (issuing and acquiring) will be affected by EMV, both sides need to make investments.
As there is little, if any, coordination between the two sides as to how those investments will get made and who foots the bill, it results in a stalemate in terms of adopting new payment technologies.

c. Different Sources of Fraud

Data Breaches: Fraud in the U.S. is no less substantial than in other countries. It is the focus and targets by fraudsters that is different. In the U.S. the biggest issue is in data breaches and data security, which is why financial institutions, particularly on the acquiring side, have been focused on PCI compliance and on making investments to secure the data they store to process payments.

CNP Fraud, against which EMV has not proven to be effective: …CNP fraud remains the biggest strategic challenge facing the industry. It appears that greater adoption of 3D Secure has made an impact on losses, but few would present it as an online equivalent of Chip and PIN. The refusal of some major online retailers to implement 3D Secure and continuing growth in PayPal underline the extent of customer and merchant dissatisfaction.

d. Different Technologies

The US has already invested in other technologies to combat credit card fraud, such as robust neural network systems and software and hardware to protect against “man in the middle” attacks.

B. Why Should the US Adopt EMV?

The media provide both carrot (rewards) and stick (punishment) justifications for the US to adopt the EMV standard.

i. Rewards for Adopting EMV

The most obvious reason for the US to adopt EMV is to reduce credit card fraud.

Perhaps the most appealing reason given for the US to adopt EMV is that it will pave the way for the US to adopt contactless and mobile payments using NFC (near field communication) technology. See for example here.

Adoption of EMV will also pave the way for adoption of dynamic authentication technologies, which will further reduce credit card fraud. See for example here.

ii. Punishment for Failing to Adopt EMV

The most immediate consequence of the US’s failure to adopt EMV is the continuing problems US travelers face in not being able to use their magnetic stripe cards in countries that have adopted EMV. See for example here.

Perhaps the more threatening reason to justify the US’s adoption of EMV is the migration of credit card fraud to the US: as other countries and regions implement EMV, the US becomes the main target for fraudsters using lost and stolen and counterfeit cards.

C. Why US Merchants Shouldn’t Rush to Adopt EMV

There are a couple of compelling reasons put forth as to why the benefits from EMV might not justify the costs.

i. Avoidance of PCI DSS Audit Costs

For Merchants to benefit from avoidance of paying PCI DSS audit costs,

• All the Networks would have to join:

While dramatic, Visa’s initiatives will need a lot of help from other payments companies, including Visa’s rivals, before they bear fruit. Merchants have protested the expense of meeting PCI’s manifold dictates and annual audits, so Visa’s TIP Technology Innovation Program would seem to be a strong incentive. But in addition to Visa, merchants must validate PCI compliance with MasterCard Inc., American Express Co., Discover Financial Services, and Japan-based JCB. If the others, especially No. 2 MasterCard and No. 3 AmEx (Visa, MasterCard, and AmEx command more than 90% of the U.S. credit card market) don’t offer something similar, Visa’s incentive is largely meaningless.

• Also, to avoid the costs of PCI DSS audit for Visa:

(1) Merchants will have to invest in dual-interface technology:

To accommodate the Visa mandate, merchants must use terminals that support contact and contactless chip technology. Visa also says that contact chip-only or contactless-only terminals will not be eligible for use by U.S. merchants.

(2) The majority (75 percent) of Merchants’ Visa transactions must be processed through EMV terminals. Given that the global EMV adoption rate for Cardholders has significantly lagged that of Merchants (see the global deployment of EMV table and map above), it will probably take a while after EMV adoption has officially taken place before merchants meet the 75 percent threshold.

ii. Investment in Other Technologies

Even with adoption of EMV, complete transaction security will still require Merchants to invest in other technologies, such as encryption:

EMV won’t banish card fraud because data are still transmitted in the clear. Merchants will still need terminals that encrypt or tokenize card data

iii. EMV Won’t Address Largest Source of Fraud

Perhaps the trump card against EMV is the fact that the largest and fastest growing component of credit card fraud comes from CNP transactions, which EMV does not address. See for example, here.

8. The Visa EMV Game

This section details the structure of the Visa EMV game; the likely outcome of the game, given the current environment and incentive schemes; and what Visa might do to speed up adoption of EMV in the US.

A. Structure of the Visa EMV Game

The players in the EMV game, together with their objectives and issues, are:

i. Cardholders

(Potential) Cardholders must decide which credit card Networks to join (if any) and which purchases to use their credit cards for. Credit cards provide Cardholders a convenience, but using credit cards makes Cardholders vulnerable to fraud being committed on their credit card accounts.
A Cardholder will be more likely to join a credit card Network and use his credit card to make purchases when (1) credit card interest rates are lower, (2) there is a lower probability that usage of his credit card will lead to credit card fraud being committed on his account, and (3) the Cardholder is not liable for credit card fraud committed on his account.

More formally, each Cardholder must choose

(C-1) whether or not to apply for a Visa card, and
(C-2) assuming the Cardholder receives a Visa card, whether or not to use his Visa card for purchases made from a particular Merchant,

given

(C-3) the interest rates Visa charges the Cardholder to carry balances, which is dependent on
    (C-3a) the amount of Visa credit card fraud committed, which is dependent upon
        (C-3a1) the effective amount of security precautions undertaken by Issuers/Visa,
        (C-3a2) the effective amount of security precautions undertaken by the Merchant, and
        (C-3a3) the effective amount of security in the other (MC, AE, Discover, JCB) Networks;
    (C-3b) whether or not the Cardholder is liable for fraud committed on his Visa account,
    (C-3c) the Cardholder’s credit history, and
    (C-3d) the level of competition in the market for Issuers/Networks;
(C-4) the probability credit card fraud will occur on his account, which is determined by
    (C-4a) the effective amount of security precautions undertaken by Issuers/Visa,
    (C-4b) the effective amount of security precautions undertaken by the Merchant, and
    (C-4c) the effective amount of security in the other (MC, AE, Discover, JCB) Networks;
(C-5) whether or not he is liable for credit card fraud committed on his account.

ii. Merchants

When there are more Cardholders in the population (that purchases their products), then Merchants are more likely to make sales, if they accept credit cards as payment for Customer purchases.
However, accepting credit cards as payment by Cardholders is costly, because Merchants have to pay fees to process credit card purchases, where the fees are greater when there is more credit card fraud on the Network, and when Merchants are liable for a greater portion of credit card fraud committed on their Customers’ accounts. Merchants can decrease the incidence of credit card fraud committed on their Customers’ accounts by investing in effective anti-fraud security measures, but such investments are costly.

More formally, each Merchant must choose

(M-1) whether or not to join the Visa Network (accept Visa credit cards from Cardholders as payment);
(M-2) which Acquirer to use for processing Visa credit card transactions; and
(M-3) types of security measures in which to invest, so as to cost-effectively minimize the amount of credit card fraud he experiences,

given

(M-4) the portion of his customers that are Visa Cardholders;
(M-5) the amount of fees Merchants must pay to Issuers/Networks to process Visa transactions, which is dependent upon
    (M-5a) the amount of Visa credit card fraud committed, which is dependent upon
        (M-5a1) the effective amount of security precautions undertaken by Issuers/Visa,
        (M-5a2) the effective amount of security precautions undertaken by the Merchant, and
        (M-5a3) the effective amount of security in the other (MC, AE, Discover, JCB) Networks; and
    (M-5b) whether or not Merchants are liable for fraud committed by Cardholders with whom the Merchant transacts;
(M-6) whether or not he is liable for credit card fraud committed on his Customers’ accounts;
(M-7) the amount of fees Merchants must pay to Acquirers to process Visa Transactions, which is dependent upon
    (M-7a) the probability the Merchant will go bankrupt,
    (M-7b) the level of competition in the market for Acquirers; and
(M-8) the effective amount of security precautions undertaken by Issuers/Visa.

iii. Acquirers

Acquirers generate revenues by providing credit card processing services to Merchants. The costs associated with generating those revenues will be higher when there is a greater chance the Merchants will go bankrupt, thereby leaving Acquirers liable for purchase returns made by the Merchants’ Customers.

More formally, each Acquirer must choose

(A-1) which Merchants to take on as clients. Less attractive (i.e., higher risk/cost) Merchants for Acquirers to serve are those who are more likely to go bankrupt: If a Merchant goes bankrupt, the Acquirer will be liable for any purchase returns sought by that Merchant’s customers after the Merchant has declared bankruptcy,
(A-2) processing fees to charge Merchants for Acquirers’ services,

given

(A-3) the amount of Visa credit card fraud committed, which is dependent upon
    (A-3a) the effective amount of security precautions undertaken by Issuers/Visa,
    (A-3b) the effective amount of security precautions undertaken by the Merchant, and
    (A-3c) the effective amount of security in the other (MC, AE, Discover, JCB) Networks;
(A-4) whether or not the Merchant is liable for credit card fraud committed on Visa Cardholders’ accounts; and
(A-5) the level of competition in the market for Acquirers.

iv. Network (Visa)

As previously indicated, the Networks are owned and run by their member financial institutions who also act as issuers. As such, the interests of the Networks and the Issuers are perfectly aligned. In the following analyses, I will assume the Issuers and Networks (Visa) together form a single party in the Visa EMV game.

v. Issuers

Issuers generate revenues from Cardholders (1) from the amount of Cardholder transactions Issuers process, and (2) from interest payments made on credit card balances carried by Cardholders.
The costs of generating these revenues will be greater when (1) Cardholders are more likely to default on their credit card purchases, and (2) there is more credit card fraud on the Visa network. Issuers can reduce the amount of credit card fraud on the Visa network by investing in effective anti-fraud security measures, but such investments are costly. Issuers can also reduce the amount of credit card fraud they pay for by pushing liability for credit card fraud onto Merchants and/or Cardholders, but doing so will reduce the number of Cardholders and Merchants who join the Visa Network.

More formally, each Issuer must choose

(I-1) which applicants to issue Visa cards to (regarding “risky” Applicants/Cardholders, distinguish Cardholders likely to default on payments for their purchases from Cardholders likely to have fraud committed on their accounts),
(I-2) interest rates to charge each Cardholder to carry credit card balances,
(I-3) fees to charge Merchants to process Cardholder transactions,
(I-4) whether or not to indemnify Cardholders from credit card fraud,
(I-5) whether or not to indemnify Merchants from credit card fraud, and
(I-6) types of security measures in which to invest, so as to cost-effectively minimize the amount of credit card fraud on the Visa Network,

given

(I-7) the Cardholder’s credit history,
(I-8) the amount of Visa credit card fraud committed, which is dependent upon
    (I-8a) the effective amount of security precautions undertaken by Issuers/Visa,
    (I-8b) the effective amount of security precautions undertaken by Merchants, and
    (I-8c) the effective amount of security in the other (MC, AE, Discover, JCB) Networks; and
(I-9) the level of competition in the market for Issuers/Networks.
This situation, as displayed in Figure 11 (numbers in brackets correspond to Steps in credit card processing discussed in Section 3), forms a game because each of the (sets of) players is independent from the others, each faces his own set of incentives, and each takes actions to optimize his own outcome (profit or well-being). Yet, the outcome achieved by each player depends on the actions taken by the other players. That is, while the players are independent entities, free to take whatever actions they choose, they are each dependent for their outcomes upon the other players and the actions these other players take. The questions thus become: What actions will each player be led to take, and what will be the outcomes of the game?

B. Outcome of the Visa EMV Game

What it comes down to is that when there is less credit card fraud on the Visa network, the costs to Cardholders and Merchants associated with credit card usage are lower, and so more Cardholders and Merchants will join the network and use credit cards more intensively. In other words, credit card fraud is bad for everybody except the thieves who get away with it.

It follows that Visa/Issuers have an incentive to minimize the amount of fraud on the Visa network, by themselves investing in effective anti-fraud security measures, and also by convincing Merchants to invest in effective anti-fraud security measures. However, Merchants will only invest in anti-fraud security measures if (1) they are liable for fraud committed on their Customers’ accounts, or they otherwise suffer costs when they do not invest sufficiently in anti-fraud measures, and/or (2) the anti-fraud measures they invest in are effective in reducing credit card fraud on their customers’ accounts.

Until now, Visa/Issuers have persuaded Merchants to invest in anti-fraud measures by requiring Merchant PCI DSS system audits in conjunction with granting no liability for fraud.
That is, under the current system, Merchants invest in anti-fraud measures, not because they are liable for fraud, but, equivalently, because they have to pay a penalty if they do not invest sufficiently in anti-fraud measures.

The current system is no longer working well for Visa/Issuers. What has changed is that another Network -- the Visa Network in the rest of the world -- has upgraded to a new technology, EMV, which is better at preventing fraud than is the old measure that is currently still in use in the US, magnetic stripe. The new situation is increasing the current costs for Visa/Issuers in two ways:

1. US Visa/Issuer Cardholders are having trouble using their Visa cards in other (non-US) locations, which causes Visa to suffer a loss in reputation and perhaps lose customers to other Networks, and
2. The increased difficulty fraudsters are facing in other countries with the new technology is causing them to migrate to the US where they can commit fraud (via counterfeiting) more easily.

In pressing adoption of EMV by US Cardholders and Merchants, Visa is taking a global, long-term view of the situation. US adoption of EMV will eliminate the problems US travelers are having when trying to use their Visa credit cards in other countries, and it will also address the fraud that has migrated to the US in search of easier means of penetration. It is true that EMV does not address CNP crime. However, the new technology, EMV, will help Visa to prepare for adoption of future technologies, namely contactless and mobile charges. In other words, Visa is effectively killing three birds with one stone: aligning Visa’s global network, which (1) prevents US Cardholders from having problems using their credit cards internationally and (2) foils the ability of fraudsters to find a weak link in the US, and (3) preparing for imminent adoption of next generation technologies.
In contrast to the long-term, global view being taken by Visa that is leading Visa to press for the EMV solution, US Merchants are taking a local, more short-term view of the situation. For them, adoption of EMV technology is not currently cost effective at reducing fraud on their Customers’ accounts, due to a combination of several factors. First, the benefits in terms of avoiding PCI DSS compliance audits will be relatively small until (1) the other Networks also adopt EMV and waive their audit requirements, and (2) 75 percent of their Visa Customers have adopted EMV. Second, in addition to investing in EMV terminals, Merchants will also have to invest in other technologies (encryption, tokenization, etc.) to bolster the effectiveness of EMV. And third, the new, bolstered technology is not necessarily preventing enough fraud to justify the costs, since fraudsters are acquiring the information they need to commit fraud on Merchants’ customers’ accounts by breaching other parts of the credit card data processing system. As for impending new technologies, such as contactless and mobile, Merchants don’t have to worry about them until Customers start adopting these new technologies in force.

And while the old versus new technology debate is taking place in the US, there’s an additional complicating factor in the form of the new financial (Dodd-Frank) regulations taking effect. The new regulations

    ensure that fees charged to merchants by credit card companies [for processing] debit card transactions are reasonable and proportional to the cost of processing those transactions.

The new regulations will decrease fees currently charged by Visa/Issuers to process Merchants’ debit card transactions. The effect of this will be to assure Merchants that debit cards will serve as a good alternative to credit cards.
As such, Merchants will suffer fewer losses by refusing to accept Visa credit cards, if they can persuade their Customers to instead use Visa debit cards. This reduces the power of Visa/Issuers to unilaterally force US Merchants to upgrade to EMV.

What’s not helping the situation (from Visa’s perspective) is the fact that in countries that have moved to the new EMV standard, the incidence of adoption by Cardholders lags that by Merchants (see Figures 5A and 5B). Cardholders will naturally be reluctant to (pay to) adopt a new technology that will reduce credit card fraud, if they don’t have to pay the (direct) costs associated with fraud (though they do presumably pay some of the costs through higher interest rates). This is, no doubt, a contributing factor to the reluctance on the part of US Merchants to adopt EMV, because if their customers do not have Chip and PIN cards, then Merchants are not losing sales by failing to upgrade to EMV.

In short, there’s significant inertia in the adoption by US Cardholders and Merchants of EMV. Merchants are reluctant to pay the costs of adoption, especially since (1) the Other Networks (MC, AE, Discover, JCB) have not yet adopted EMV, which means Merchants will still have to bear substantial PCI DSS audit costs even if Visa waives its portion of those costs, (2) Merchants need to invest in other technologies (encryption or tokenization), and, perhaps most importantly, (3) most Cardholders have not (yet) adopted the standard, which means Merchants are not losing customer sales by holding out. And Cardholders are reluctant to upgrade to a new system that will decrease credit card fraud because, under zero liability, they do not bear the direct costs of fraud.
As an aside on Visa’s shift of the liability for fraud from Visa/Issuers to Merchants as a means of pressing Merchants to adopt the new standard: Given the current economic environment (decreases in user spending mean low Merchant fees and Cardholder interest payments for Visa/Issuers), together with the passage of the Dodd-Frank regulations (mandating decreases in fees for Visa/Issuers on debit card transactions), it’s not clear that Visa/Issuers would not have shifted some of the responsibility for fraud onto Merchants anyway to make up for some of the fees they are losing currently and into the future.

In conclusion, EMV technology has been around for several years, and there are currently pockets of adoption in the US, by some Merchants, such as Wal-Mart (but not the majority of its customers), and by some Cardholders, such as banks’ “high-end customers who are frequent travelers”. Under the current rules of the game, adoption will most likely continue to limp along in “niche applications”, as Jim Schlegel puts it:

    While wholesale migration to EMV is unlikely, what is likely and happening now in embryonic form is the deployment of EMV-like niche applications in areas such as transportation, quick service restaurants and retail; live events and entertainment; and specialist international cards for traveling, "high worth" clients.

At some point adoption of contactless and/or mobile credit card transactions by niche Cardholders will start to force more Merchants to transition more quickly to EMV or risk losing sales. At some point, when the population of Cardholders has finally reached a critical mass, quicker adoption of EMV by holdout Merchants will then take place.

C. What Can Visa Do to Speed Up Adoption of EMV?

If Visa is not content to let adoption of EMV in the US limp forward until critical mass of Cardholders is eventually reached, there are a couple of ways it can speed up adoption. First, let’s put some numbers on the table.
From Patti Murphy, “Securing a place for EMV in the USA”:

    Aite Group LLC estimated that in 2008 alone, 9.7 million U.S. cardholders' mag stripe cards were rejected at overseas locations, at an estimated cost to the card industry of $3.9 billion in transactions and $447 million in related revenues.

    Mercator Advisory Group calculated it would cost U.S. card issuers between $2.4 billion and $2.8 billion to replace all mag stripe cards in circulation with chip cards (also called smart cards) and that merchants would pay about $10 per terminal for EMV functionality. (Other experts interviewed for this story put the cost per terminal at between $30 and $50.)

From Jim Schlegel, “US: To EMV Or Not?”:

    Javelin Strategy & Research estimates the basic cost of deployment for EMV in the U.S. at $8.6 billion, broken down as follows: POS terminal deployment estimated at $6.75 billion, with merchants bearing the brunt; card issuance estimated at $1.4 billion, with card issuers bearing most of the burden; retrofitting or replacing bank-owned ATMs estimated at $500 million, with financial institutions bearing the majority of the cost.

From SearchFinancialSecurity.com:

    Card fraud costs the U.S. card payments industry about $8.6 billion annually with the bulk of the losses falling on card issuers, according to a report released this week by Aite Group LLC … Among the top forms of card fraud are card not present, counterfeit cards and lost/stolen card fraud, but the biggest category of card fraud is "first-party" fraud, which is committed either by a thief or a legitimate cardholder who intentionally decides not to pay off a credit card balance, the report showed. Losses are split between card issuers, merchants and acquirers but the majority impacts card issuers, according to Aite Group.

From Dan Balaban, “Visa’s U.S. Migration Plan for EMV Supports Contactless and NFC”:

    U.S. banks also have resisted the call because of the billions of dollars in costs for moving their cards and back-end systems to EMV chip technology.

And from Figure 1, Visa’s global share of Networks’ Payments Volume is about 50 percent, while its share of Credit Cards is about 60 percent.

So we have rough estimates of:

• Visa/Issuers annual lost revenues from US Cardholders who cannot use their Visa credit cards overseas. Surely that number will decrease over time as frequent travelers upgrade to EMV cards (50 percent of all losses): $0.2235 B
• Credit card fraud savings with EMV, say 10% of all fraud: $0.86 B

Annual gains to Visa/Issuers with EMV, roughly: $1B

• Costs of issuing EMV cards to US Visa Cardholders: $1.4 - $2.8 B
• Costs of retrofitting ATMs: $0.5 B
• Cost of POS terminal upgrades, though this seems a bit high, because at $30 per terminal this gives us 225 million terminals in the US, which is more than 1 terminal for each person in the US: $6.75 B
• Cost of upgrading back end systems: $ Several B

Total Costs of Upgrade (mostly Merchants), roughly: $10B

The Merchants’ costs of upgrading to the new system (cost of terminal upgrades, perhaps plus costs of encryption, tokenization, etc.) clearly swamp the potential benefits (some decrease in fraud, minimal lost sales from EMV Cardholders who haven’t yet upgraded). So, for the Merchants to be persuaded to upgrade to EMV sooner, Visa/Issuers must either decrease the costs or increase the value to Merchants of upgrading to the new system.

Upgrading all Merchants’ terminals to EMV is probably not cost effective for Visa/Issuers, relative to the current benefits. This rules out having Visa/Issuers themselves simply pay to upgrade the Merchants’ terminals. However, Visa/Issuers could use some of the proceeds they will experience through lower costs of Visa network fraud to subsidize the Merchants’ costs of new terminals, say, by paying a portion of the costs outright. In fact, Visa/Issuers could almost certainly provide the terminals to Merchants at lower costs than the Merchants would have to pay on their own, since Visa/Issuers could benefit from lower per-unit terminal prices associated with bulk purchases. In this sense, then, Visa/Issuers could subsidize the costs of terminal upgrades at no cost to Visa/Issuers, simply by negotiating a volume discount. The downside to this is that Merchants would have fewer choices of terminal varieties to choose from than if they were to purchase the terminals — at a greater cost — on their own.

Alternatively, Visa could subsidize the costs of Merchants’ terminal purchases by having a portion of the costs of terminal upgrades be credited towards Merchants’ future Visa credit card transaction fees. As another option, depending on the relative costs, Visa/Issuers might subsidize the costs of encryption or tokenization for Merchants who upgrade.
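The rough estimates above can be reproduced and stress-tested with a short script. The following is an added example, not part of the original paper: it uses only the dollar figures quoted above, while the undiscounted payback calculation, the yearly decay in overseas losses and all function names are assumptions introduced for illustration.

```python
"""Back-of-envelope EMV upgrade economics (added example, not from the paper).

Dollar figures are the estimates quoted in the text, in billions of USD.
The payback horizon, the yearly decay of overseas losses and all function
names are assumptions introduced for illustration.
"""

OVERSEAS_LOST_REVENUE = 0.447   # industry revenue lost on rejected mag stripe cards (Aite, 2008)
VISA_SHARE = 0.50               # Visa's share of Networks' payments volume (Figure 1)
ANNUAL_CARD_FRAUD = 8.6         # annual US card fraud (Aite)
CARD_ISSUANCE = (1.4, 2.8)      # low and high estimates for issuing chip cards
ATM_RETROFIT = 0.5
POS_TERMINALS = 6.75
TOTAL_UPGRADE_ROUGH = 10.0      # the text's rough total, back-end systems included


def annual_gain(fraud_reduction=0.10):
    """Yearly gain to Visa/Issuers: recovered overseas revenue plus fraud savings."""
    return OVERSEAS_LOST_REVENUE * VISA_SHARE + ANNUAL_CARD_FRAUD * fraud_reduction


def itemized_cost_range(back_end=0.0):
    """(low, high) sum of the itemized costs; back_end is left to the caller
    because the text only gives it as "several" billion."""
    fixed = ATM_RETROFIT + POS_TERMINALS + back_end
    return (CARD_ISSUANCE[0] + fixed, CARD_ISSUANCE[1] + fixed)


def implied_terminals(cost_per_terminal_usd):
    """Number of terminals implied by the $6.75 B POS estimate at a unit cost."""
    return POS_TERMINALS * 1e9 / cost_per_terminal_usd


def payback_years(total_cost, fraud_reduction=0.10, overseas_decay=0.0, horizon=100):
    """Undiscounted years until cumulative gains cover total_cost.

    overseas_decay is the assumed yearly shrinkage of the overseas loss as
    frequent travelers get chip cards anyway. Returns None if the cost is
    not recovered within the horizon.
    """
    recovered = 0.0
    overseas = OVERSEAS_LOST_REVENUE * VISA_SHARE
    fraud_savings = ANNUAL_CARD_FRAUD * fraud_reduction
    for year in range(horizon):
        gain = overseas + fraud_savings
        if gain > 0 and recovered + gain >= total_cost:
            # Interpolate within the year in which the cost is covered.
            return year + (total_cost - recovered) / gain
        recovered += gain
        overseas *= 1.0 - overseas_decay
    return None


def breakeven_fraud_reduction(total_cost, years):
    """Share of annual fraud EMV must remove to repay total_cost in `years`.

    A result above 1.0 means fraud savings alone cannot repay the upgrade
    in that time, even if all card fraud disappeared.
    """
    needed = total_cost / years - OVERSEAS_LOST_REVENUE * VISA_SHARE
    return max(0.0, needed / ANNUAL_CARD_FRAUD)


if __name__ == "__main__":
    print(f"annual gain at 10% fraud reduction: ${annual_gain():.4f} B")
    low, high = itemized_cost_range()
    print(f"itemized costs excluding back end:  ${low:.2f} B to ${high:.2f} B")
    for unit_cost in (10, 30, 50):
        millions = implied_terminals(unit_cost) / 1e6
        print(f"terminals implied at ${unit_cost} each: {millions:.0f} million")
    print(f"payback on $10 B, steady gains:     {payback_years(TOTAL_UPGRADE_ROUGH):.1f} years")
    decayed = payback_years(TOTAL_UPGRADE_ROUGH, overseas_decay=0.2)
    print(f"payback on $10 B, 20% yearly decay: {decayed:.1f} years")
    for years in (3, 5, 10):
        share = breakeven_fraud_reduction(TOTAL_UPGRADE_ROUGH, years)
        print(f"fraud reduction needed for {years}-year payback: {share:.0%}")
```
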
In the current mag-stripe environment there’s not enough to be gained for Merchants to upgrade on their own. However, EMV terminals are equipped to handle next generation methods of credit card payment, namely mobile and other contactless transactions. Visa/Issuers might take advantage of this fact to strategically subsidize upgrades for a few, select Merchants whose customers are currently, or soon will be, equipped with contactless or mobile payment devices. These merchants will be more eager to upgrade, since, if they don’t, they risk (sooner than other merchants) losing sales to customers who are early adopters of next generation technology.

As a substitute for strategically subsidizing upgrades of select Merchants, Visa/Issuers could instead strategically upgrade select influential Cardholders, so as to encourage Merchants to upgrade their terminals or risk losing sales to these Cardholders. Since Visa/Issuers will have to pay to upgrade their Cardholders eventually, this would simply entail shifting some future costs forward into the present.

Along these lines of strategic upgrading, Jim Schlegel notes:

    The emergence of NFC (Near Field Communications) technology, combined with the mainstream adoption of smart mobile devices, has the potential to set the ball in motion to change consumer expectation and demand for how they interact and undertake financial transactions with their retail world and lifestyle brands. The beginning of this potential new wave of emerging payments will be led by advances in applications brought about by contactless cards. Environments that deal with high volumes of customers such as mass transit, quick service restaurants, and live entertainment will see the first deployment of contactless NFC payment cards.

Increasing the adoption momentum of a few select groups may be all it takes to stimulate ripples, then large waves, of adoption throughout the rest of the economy.
As a final note, it is possible, if not likely, that after the new EMV technology has been adopted, the benefits -- savings from decreases in credit card fraud -- might not end up being as large as they were predicted to be. The nature of cat and mouse co-evolution means that when EMV ends up blocking some or most forms of counterfeit and other fraud, thieves will seek out new means of penetration. So what will happen is that after industry players have spent all that money to upgrade to the new system and counterfeit fraud has been addressed, network players will almost certainly see (perhaps with a bit of a lag) increases in other existing or even new forms of credit card fraud. In particular, countries that have adopted EMV have seen decreases in counterfeit-related fraud, but they have also experienced increases in CNP fraud. Perhaps the new CNP fraud was due to people other than the recently stymied counterfeit fraudsters. Or perhaps the counterfeiters turned their attention away from counterfeit fraud and toward CNP fraud. Richard Sullivan describes the situation succinctly:

    The common underlying cause of these vulnerabilities is an information-intensive payment approval process. Criminals have incentives to gather and use the information to commit fraud. Because more information will generally lead to a more accurate approval decision, card issuers (and merchants) have an incentive to continuously expand the data on which they rely (Roberds and Schreft 2008). The result appears to be an escalating cycle of card issuers adding information to their databases and criminals devising ways to gather the information….

9. References

ABA Banking Journal (August 30, 2011) “Will Visa’s push for chip cards and mobile move the needle?” http://www.ababj.com/tech-topics-plus/visa-announces-plans-to-accelerate-chip-migration-and-adoption-of-mobile-payments-2259.html

Akers, Douglas, Jay Golter, Brian Lamm, and Martha Solt (2005) “Overview of Recent Developments in the Credit Card Industry” FDIC Banking Review http://www.fdic.gov/bank/analytical/banking/2005nov/article2.html

Balaban, Dan (August 9, 2011) “Visa’s U.S. Migration Plan for EMV Supports Contactless and NFC” NFC Times http://www.nfctimes.com/news/visa-s-us-migration-plan-emv-supports-contactless-and-nfc

BinBase.com (2011) “Credit Card Fraud: The costs of fraud, how it happens, and how you can prevent it” Bank Identification Numbers Database www.paymentsjournal.com/WorkArea/DownloadAsset.aspx?id=7113

Braintree Inc. (June 25, 2008) “What does it cost to become PCI Compliant?” http://www.braintreepayments.com/blog/what-does-it-cost-to-become-pci-compliant

Card Hub (2010) “International Credit Card Guide” http://education.cardhub.com/international-credit-card-guide/

Card Hub (2010) “Market Share by Credit Card Network” http://education.cardhub.com/statistics/market-share-by-credit-card-network/

Card Hub (2010) “Number of Credit Cards and Credit Card Holders” http://education.cardhub.com/statistics/number-of-credit-cards/

Cardholder Information Security Program (CISP) Overview http://usa.visa.com/merchants/risk_management/cisp_overview.html

Cavazos-Wright, Ana (July 19, 2010) “Soccer balls and payment cards: A push for global standards” Federal Reserve Bank of Atlanta http://portalsandrails.frbatlanta.org/2010/07/soccer-balls-payment-cards-push-for-global-standards.html

Cavazos-Wright, Ana (July 26, 2010) “Can chip-and-pin technology address payment card fraud in the United States?” Federal Reserve Bank of Atlanta http://portalsandrails.frbatlanta.org/2010/07/can-chip-and-pin-technology-address-payment-card-fraud-in-us.html

Conlin, Jennifer (May 11, 2007) “Credit card fraud keeps growing on the Net” NYT http://www.nytimes.com/2007/05/11/your-money/11iht-mcredit.1.5664687.html?pagewanted=print

Credit Karma Blog (August 12, 2011) “Visa’s EMV Chips to Change the Face of US Credit Card Security” http://blog.creditkarma.com/credit-cards/visa’s-e-m-v-chips-to-change-the-face-of-u-s-credit-card-security/

CreditCards.com (2009) “How a credit card is processed” www.creditcards.com/credit-card-news/.../HowACreditCardIsProcessed.pdf

DeGennaro, Ramon P. (2006) “Merchant Acquirers and Payment Card Processors: A Look inside the Black Box” Federal Reserve Bank of Atlanta Economic Review www.frbatlanta.org/filelegacydocs/erq106_degennaro.pdf

DigitalTransactions.net (August 9, 2011) “Visa Tries To Juice EMV And Mobile Payments with New Initiatives” http://www.digitaltransactions.net/news/story/3153

Ensight Merchant Services (2009) “The Mechanics of Credit Card Transactions” http://www.ensightmerchantservices.com/Credit-Card-Transactions.html

FDIC 6500 – Consumer Protection, Title IX – Electronic Fund Transfers, § 909. Consumer liability for unauthorized transfers http://www.fdic.gov/regulations/laws/rules/6500-1350.html

Grance, Timothy, Marc Stevens, and Marissa Myers (2003) “Guide to Selecting Information Technology Security Products: Recommendations of the National Institute of Standards and Technology” NIST csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf

GSPAY Online Credit Card Processor http://www.gspay.com/online-credit-card-processor.php

Guillot, Craig (November 8, 2007) “Credit card fraud monitoring can halt legitimate purchases” http://www.creditcards.com/credit-card-news/credit-fraud-monitoring-travel-1282.php

Hickley, Matthew (July 19, 2009) “Rise of the online credit card sharks: Annual crime figures reveal fraud soaring to £610m” Daily Mail http://www.dailymail.co.uk/news/article-1200183/Card-fraud-costs-UK-610m-chip-pin-fails-prevent-thefts.html

InfoMerchant (2010) “Merchant Account Comparison Chart” http://www.infomerchant.net/merchantaccounts/comparison.html

JB MacLean Consulting Inc. (August 14, 2007) “Fear Of Identity Theft Discourages Consumers From Banking Online” http://www.canadafreepress.com/2007/internet-security081407.htm

LexisNexis (November 9, 2009) “U.S. Retailers Face $191 Billion in Fraud Losses Each Year” http://www.lexisnexis.com/risk/newsevents/press-release.aspx?id=1258571377346174

Litan, Avivah (August 9, 2011) “Second Thoughts about Visa’s EMV program” Gartner http://blogs.gartner.com/avivah-litan/2011/08/09/second-thoughts-about-visas-emv-program/

Litan, Avivah (August 9, 2011) “Visa finally moves U.S. closer to Chip cards and NFC acceptance; but are merchants getting the short end again?” Gartner http://blogs.gartner.com/avivah-litan/2011/08/09/visa-finally-moves-u-s-closer-to-chip-cards-and-nfc-acceptance-but-are-merchants-getting-the-short-end-again/

Meacham, Jennifer D. (April 23, 2008) “Credit Card Fraud: How Big Is The Problem?” Practical Ecommerce http://www.practicalecommerce.com/articles/720-Credit-Card-Fraud-How-Big-Is-The-Problem-

Murphy, Patti (2011) “Securing a place for EMV in the USA” The Takoma Group http://www.greensheet.com/print_story.php?&story_id=2288

Newcastle Permanent “VISA 'chip' Credit and Debit cards” http://www.newcastlepermanent.com.au/Personal/ManagingYourAccounts/ChipCard/tabid/779/Default.aspx

O'Connell, Brian (August 23, 2011) “A guide to Visa's merchant incentives for chip-and-PIN compliance” http://www.merchantaccountguide.com/merchant-account-news/visa-merchant-incentives-chip-and-pin-compliance-32.php

PCI Compliance Guide: Frequently Asked Questions http://www.pcicomplianceguide.org/pcifaqs.php

PCI Compliance Guide: The Basics of PCI Compliance and Validation Regulations http://www.pcicomplianceguide.org/pci-basics.php

Prabowo, Hendi Yogi (2010?) “Nationwide Credit Card Fraud Prevention” www.popcenter.org/problems/credit.../Prabowo%20card%20fraud.pdf

Public Affairs (July 22, 2011) “Protecting Critical Infrastructure by Securing Information Technology” DHS http://blog.dhs.gov/2011/07/protecting-critical-infrastructure-by.html

Rothke, Ben and David Mundhenk (September 9, 2009) “End-to-End Encryption: The PCI Security Holy Grail” CSO http://www.csoonline.com/article/501694/end-to-end-encryption-the-pci-security-holy-grail

Royal Canadian Mounted Police: Credit Card Fraud http://www.rcmp-grc.gc.ca/scams-fraudes/cc-fraud-fraude-eng.htm

Schlegel, Jim (May 1, 2010) “US: To EMV Or Not?” Bank Technology News http://www.americanbanker.com/btn/23_5/us-to-emv-or-not-1018371-1.html

Schultz, Matt (2010) “Credit Card and Debit Card Statistics for Australia and the World” CreditCards.com Australia http://australia.creditcards.com/credit-card-news/australia-credit-card-debit-card-statistics-international.php

SearchFinancialSecurity.com (January 14, 2010) “Payment card fraud costs $8.6 billion per year, Aite Group says” http://searchfinancialsecurity.techtarget.com/news/1378913/Payment-card-fraud-costs-86-billion-per-year-Aite-Group-says

Security Standards Council (2008) “Payment Card Industry (PCI) Data Security Standard (DSS) Self-Assessment Questionnaire A and Attestation of Compliance” https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Security Standards Council (2008) “Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire: Instructions and Guidelines, Version 1.1” https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Sidel, Robin and Ann Zimmerman (August 9, 2011) “Visa Pushes a Card Upgrade” Wall Street Journal http://online.wsj.com/article/SB10001424053111904480904576498484264333872.html

Smart Card Alliance (May 25, 2010) “EMV Comes to U.S. for International Travelers, Wal-Mart Calls for Chip and PIN” http://www.smartcardalliance.org/articles/2010/05/25/emv-comes-to-u-s-for-international-travelers-wal-mart-calls-for-chip-and-pin

Sullivan, Bob (March 9, 2006) “Debit card thieves get around PIN obstacle” MSNBC http://www.msnbc.msn.com/id/11731365/ns/technology_and_science-security/t/debit-card-thieves-get-around-pin-obstacle/#.Tm1I5E9KgZM

Sullivan, Richard J. (Second Quarter 2010) “The Changing Nature of U.S. Card Payment Fraud: Industry and Public Policy Options” Economic Review www.kansascityfed.org/Publicat/Econrev/pdf/10q2Sullivan.pdf

The UK Cards Association: Facts and Figures (2010) http://www.theukcardsassociation.org.uk/view_point_and_publications/facts_and_figures/plastic_fraud_figures_%282009%29/

United States Senate Committee on Banking, Housing, and Urban Affairs (July 2011) “Brief Summary of the Dodd-Frank Wall Street Reform and Consumer Protection Act” http://www.cfainstitute.org/learning/products/publications/contributed/Pages/brief_summary_of_the_dodd-frank_wall_street_reform_and_consumer_protection_act.aspx?WPID=Topic_List_Tabbed&PageName=All

Visa (July 14, 2010) “Visa Best Practices for Tokenization Version 1.0” usa.visa.com/download/merchants/tokenization_best_practices.pdf

Visa Blog (August 10, 2011) “Visa Boycott Mag-Stripe, Welcome Chip” http://visablog.net/2011/08/visa-boycott-mag-stripe-welcome-chip.html

Visa Inc. (2010) “Visa PCI DSS Data Security Compliance Program” usa.visa.com/download/merchants/cisp_overview.pdf

Visa Security Program: Zero Liability http://usa.visa.com/personal/security/visa_security_program/zero_liability.html, http://usa.visa.com/merchants/risk_management/zero_liability.html

Visa, Inc 10K Reports, 2007, 2009, 2010

Welch, Peter “European Payment Card Fraud Report 2010” Payments Cards and Mobile LLP http://www.paymentscardsandmobile.com/Payments-Cards-Mobile-Affiliates/fraud-report/PCM_Fraud_Report_2010.pdf

Wikipedia: EMV http://en.wikipedia.org/wiki/EMV

Wilson, Stephen (2007) “Cardless criminals: Card-not-present fraud is spiraling out of control, with very few options for stopping it” http://www.onlinebankingreview.com.au/SWilson021.php

Woolsey, Ben and Matt Schulz (2011) “Credit card statistics, industry facts, debt statistics” CreditCards.com http://www.creditcards.com/credit-card-news/credit-card-industry-facts-personal-debt-statistics-1276.php