It comes as a shock to few people that were currently in a period of high fraud, in an environment that can be characterized with words like high risk and unstable.
The data breach era is upon us. In 2012, there were a total of 1,154 data breach alerts nationwide; that number rose to 1,434 in 2013 and 1,697 in 2014. These breaches varied in size from very small to very large (think Target and Home Depot), but in total they affected hundreds of millions of cardholders. The question is no longer if youll be involved in a breach but when, and how youll react when it happens.
Attacks on data have become more sophisticated. Merchant PCI-DSS compliance isnt close to where it should be, especially for mid-size and smaller merchants. Data thieves are aggregating stolen data from disparate sources. And the change in fraud patterns to footprint attacks makes it harder for our prevention systems to detect fraud as the perpetrators are now shopping in our members own backyards, where they would normally shop.
Thankfully for members everywhere, being involved in a breach doesnt necessarily mean you will become a victim of fraud. It just means you were involved in a breach.
And there are technology solutions. EMV has been tapped as the answer to card present fraud facilitated by data breaches. The U.S. market is really just now gearing up on EMV, and most of the activity seen on EMV today is being driven by the October 2015 liability shift.
The U.S. is currently behind the rest of the world in terms of EMV card-present transactions. From June 2013 through June 2014, only 0.03% of transactions in the U.S. were EMV, as opposed to 19% in Asia; 75% in Africa and the Middle East; 83% in Canada, Latin America and the Caribbean; and between 60 and 96% across the whole of Europe. The U.S. markets deployment of EMV has been more complicated. This is largely due to the fact that EMV deployment in this country has been driven, or stalled, by issues more to do with merchant pricing than risk prevention.
Nonetheless, momentum on the U.S. issuer side has begun to strengthen. Several keystone issuers like Citi, Chase and Bank of America report that they will have strong EMV issuance completed by the end of 2015. On the U.S. merchant side of things, it appears that Tier 1 merchants will be somewhat in form by year-end. Some industry sources report the percentage of Tier 1 merchants that will be EMV enabled by year-end at 70%. Small to mid size merchants will not be there in 2015 and likely will not catch up for another 12 to 18 months.
The good news is that EMV chip technology will address the current strain of card present counterfeit fraud. EMV has proven to be successful in defeating counterfeiting in the markets where it has been deployed.
The bad news is that the side effects of EMV success have been consistent in the markets where its been deployed: card not present fraud increases.
Card not present fraud already makes up 16% of the U.S. card fraud picture today. This statistic represented more than $5.3 billion in losses to both issuers and merchants in 2013. Card not present fraud growth is being fueled by consumer comfort with online transactions, a trend likely to continue given that U.S. consumers are expected to spend more than $430 billion on e-commerce transactions by 2017. As EMV matures in the U.S. market, there will be more of a need to address card not present fraud, as it will undoubtedly become a larger component of the U.S. fraud environment.
Enter tokenization. While tokenization is in its early days in the U.S., it is the underlying security for Apple Pay transactions and other use cases like Samsung Pay. Tokenization is enabling the faster adoption of mobile payments by replacing a cards primary account number with a random numerical sequence unique to a specific device, merchant, transaction type or channel. For FIs, tokenization is easier and quicker to deploy than EMV the total implementation process should take just three to five weeks. For merchants, tokenization is easier and cheaper since its a software issue only (no new hardware is required), which is promising news since merchants have the most to gain from preventing card not present fraud from tokenization adoption.
Apple Pay has sparked interest in tokenization as the underlying security standard for mobile payments. But this is only the beginning: new use cases are likely coming soon, along with a ramp up in new requests for tokenization. If history repeats itself, well likely need to experience a new spike in card not present fraud to spur the industry to get energized on deploying tokenization at the card not present point of sale. Hopefully well learn from the experience of the markets that have adopted EMV and avoid as much card not present loss as possible.
The current risk environment is certainly a daunting challenge, but its also just another chapter in the evolution of the payments industry. EMV and tokenization will address our current threats, and somewhere down the road well no doubt encounter a fresh set of risk challenges and threats to manage.
Steve Ruwe leads the enterprise-wide risk management strategy for PSCU.