The compromise of tens of millions of credit cards at Target and other retailers has raised the awareness of the risks of credit card fraud. In the wake of this data breach, significant attention has been given to how a new credit card technology called EMV many have suggested will significantly reduce this kind of fraud. (In fairness, this technology is new only to the United States; it’s been widely used elsewhere since 2005.) The premise of this suggestion is that EMV cards are harder to use fraudulently because they contain a chip which is much more difficult to duplicate than the magnetic strip used in U.S. credit cards today. Unfortunately this premise is wrong.
While EMV is marginally better than what we have today, it does nothing to solve the fundamental problem that enables fraud in the first place – more on that in a moment. First, though, it’s important to understand two payments industry metrics:
- Card-not-present transactions represented 24% of all credit card transactions in 2012, representing a 15.1% compound annual growth rate (CAGR) since 2009 and a much faster increase compared to the 4.6% CAGR increase in card-present transactions. Card-not-present transactions are a broad category of transactions that basically boil down to the use of a credit card not involving a swipe: things like online purchases, purchases over the telephone, recurring bills to a credit card, etc. These are in contrast to card-present transactions where the card is physically swiped to make a purchase.
- More than 50% of fraudulent credit card transactions (by value) occurred through card-not-present transactions. The rate of card-present fraudulent transactions by value was 9.16 basis points in 2012, compared to 11.38 basis points for card-not-present transactions.
These numbers show that card-not-present transactions represent a significant portion of transactions in the non-cash payments ecosystem and are particularly susceptible to fraud. The introduction of EMV does virtually nothing to solve this problem because EMV only adds new protections against fraud for card-present transactions. Fraudsters can and will focus their efforts where there is the least friction to fraud: card-not-present transactions.
This highlights that the root of the credit card fraud problem has almost nothing to do with the physical plastic card that consumers carry around. The real problem is that those plastic cards represent payment instruments that are long-lived and difficult to change. The entire credit card ecosystem has been built around passing around 16 digit numbers that only change every few years. When those numbers are compromised, it is costly to the issuer and inconvenient to the customer to change to a new number. When credit cards were first invented there was no better solution available, so this solution made sense. In the intervening 55 years, technology has come a long way. We have lots of better solutions now, but they require merchants, issuers, and the card networks to change the way the payments system works.
If we could magically erase the last 55 years of knowledge about how to operate credit card systems and start over with modern technology, the solution the banking industry would invent would look nothing like what we currently have. Payment instruments would be short-lived tokens that would be useless if intercepted and virtually impossible to guess. The system would be designed to inherently prevent the storage of widely reusable payment information by third-parties, like when an online merchant stores your credit card number. Reuse of a compromised token would be immediately detected. We would not be cobbling together a standard like EMV that solved part of the problem but was completely hamstrung by the constraints in the current payment networks that caused the fraud problem in the first place.
If we want to address the fraud problem seriously, we need to be prepared for more significant change in the ecosystem. We have the technical capability. We just need to find the will.