By Gray Taylor, Executive Director, Conexxus

The official EMV liability shift schedule was announced by Visa in August of 2011, giving our economy—which arguably cannot function without card payments—just over four years to complete the Herculean task of changing from a magnetic stripe to chip card architecture.  In contrast, Canada formally started their EMV program in 2003, and at a PCI meeting this week proudly announced that they were going to be complete their program this year—a full 12 years after launching a well-coordinated and supported migration program. 

We have half as many POS terminals as Canada has actual citizens and yet our timeline is one third that of Canada.  It kind of feels like America is getting a “bum’s rush” in the name of fraud reduction.

The chip architecture of EMV has been touted as a serious remedy for card fraud, and it is indeed a credible “layer” of added security that addresses one factor of card fraud: counterfeit.  The other two types of transactional fraud—lost and stolen, and card not present—are not touched by EMV, along with their massive respective societal costs.  So while our economy spends close to $30 billion to greatly reduce (notice I did not say eliminate, because it won’t) counterfeit fraud, to the tune of about $3.5 billion annually, the whole enterprise misses the mark on the other two types of fraud. 

If the card payments system were serious about reducing the societal cost of fraud, we would have adopted PIN authentication for all card transactions years ago.  A 2012 Federal Reserve study showed that signature authenticated transactions experienced 400% more fraud than PIN authenticated (over 11 basis points of sales for some card types versus 2.7 basis points for PIN).  Further, most merchants have been equipped to accept PIN for years as a requirement for accepting PIN debit transactions. Post EMV, all compliant merchants will be capable of PIN, but the card brands have elected to buck the trend of most other G20 nations and marry its new 20th century technology with signature—the security system first adopted by the Pharaohs—instead of PIN.

So after merchants invest roughly $15 billion to support EMV, including the universal ability to take PIN, the card brands will take a pass on driving a stake into the heart of transactional fraud by making PIN a “choice” of the issuer.  What is really accomplished with EMV is the effective shifting of the last vestige of bank transactional fraud liability to the merchant.  Starting today, banks will have little stake in improving card security any further because it can no longer hurt their bottom line, and those with the liability will have no control over further improvements. This spells the end of any hope of getting PIN required on all card transactions.

Merchants used to be in league with the issuers on fraud, and the mutual stakes in fraud reduction benefitted society.  After today, controlling the societal cost of fraud is squarely on the merchants’ back—the least enabled stakeholder in the payments ecosystem to implement further structural safeguards.  Our society needs to ensure that if issuers and card brands wish to vacate their position of shared liability for fraud, they at least leave the “house in order” by implementing chip and PIN, while developing low cost and non-invasive methods of authenticating card not present transactions, or it is society who will continue to pay for the cleanup.

Without this requirement, chip and choice sounds more like “let them eat cake.”

Gray Taylor serves as executive director for the Conexxus, focused on interoperability standards, card payment policy and security issues within the industry. For more on Conexxus and its work around EMV and data security, visit conexxus.org.