Richard Clarke’s assessment of the state of cybercrime in the U.S. started quite the conversation at The Innovation Project. So much so, in fact, that it got MPD CEO Karen Webster to thinking about EMV’s future as a “must-have” security protocol for card fraud. She’s come up with six reasons why we should push the “pause” button on EMV and consider the real threat to our payments systems, which isn’t at the point of sale.
The Innovation Project 2014 is a wrap. And to paraphrase the words of one of our delegates, the series of rich and relevant “conversations” among the industry’s elite that started last week in Boston will fuel the actions and activities of those dedicated to driving innovation in the payments and commerce space in the years to come.
Ten such facilitated conversations took place over two days, covering topics as diverse as the differences in how payments innovators and incumbents are igniting new payment methods, how to get consumers to shift from plastic to mobile, lessons learned in igniting payments in developing markets that can be applied in developed markets, the feasibility of Bitcoin as a currency, and whether cash could be on life support, for real, some time soon.
One of the most spirited discussions was on the topic of cyber crime and what the payments industry needs to do about it. Former White House Cyber Czar and cyber security expert Richard Clarke and First Data’s GM of Cyber Crime, Paul Kleinschnitz, initiated this conversation. Panelists included a group of security and fraud experts whose diverse backgrounds and points of view inspired a very candid conversation: The Clearing House’s Dave Fortney, Experian’s Michael Bruemmer, Cortex MCP’s Shaunt Sarkissian, Loop’s George Wallner and Fiserv’s Tom Tobin.
Richard Clarke set the stage by telling us that cyber crime really does pay and is a business that recruits highly qualified Ph.D.s in math from Eastern European universities who go to work every day relentlessly focused on stealing money and data from our financial systems. He told our group that there are only two kinds of companies – those who’ve been hacked, and those who have and don’t know it. He pointed out that almost every large and midsize company in the U.S. has been compromised and that it takes an average of 253 days for a company to realize it has been hacked. He also said that 85 percent of those breaches are caused by people “doing the wrong thing,” citing the Target breach as the poster child for that data point. He also mentioned that, while the hackers are profiting from the fruits of their labor – Target’s 100 million compromised accounts that could sell for anywhere between $20 and $100 per account – Target has since seen a 46 percent drop in profit quarter over quarter and has said that ongoing expenses related to the breach could have a material adverse effect on 2014 Q1 earnings and beyond.
Yes, cyber crime really does pay and, yes, cyber crime really does cost its victims dearly.
But I have another, even more controversial takeaway from this panel, and that’s this: we should push the “pause” button on EMV right now, rethink our approach to keeping cardholder data secure, and reinvent how the card industry protects itself from the risks of cyber security.
Here are the 6 reasons why:
1. EMV solves the wrong problem – and an old one at that.
Yeah, I know, you’ve heard this from me before. But last week, it wasn’t just me expressing this point of view; someone on the panel even went so far as to say, “EMV is a swear word.” Sure, we need to “fix” the problem of static PAN data transmitted via the mag stripe, but EMV-issued cards in the U.S. won’t eliminate that risk since they will include mag stripes for some time, just as those issued by non-U.S. banks do today. And at the moment, the prevailing standard is “Chip and Choice,” where a PIN is not required. Published reports suggest that using a PIN with debit transactions reduces fraud by a factor of 5x. It’s not clear that EMV implemented without requiring a PIN makes much sense.
And in terms of eliminating fraud? Well, we don’t even need to speculate as to whether this is a fait accompli. It isn’t. In the countries where EMV has been implemented, fraud via card counterfeiting has declined dramatically, but card-not-present fraud has increased by as much as the card fraud has declined, if not more. It’s like the fraud “whack-a-mole” game – beat down fraud via card counterfeiting, and it pops up online. Now advocates say that the online risk is lower since the volume is lower, but as card transactions increasingly move to the cloud, which is where payments is headed, that risk will only intensify. And the industry will have to spend even more money to eliminate that risk, after having spent lots of money on a solution that just moves the problem to a different place.
2. It’s not really clear that we have a real problem to solve.
There was an interesting discussion about how much of a fraud problem we really have in the U.S. and worldwide. In the U.S., fraud exists, but it is very low. In fact, the rate of fraud for online transactions is less than 1 percent, which is exactly where it was in 2010. When fraud dollars are reported, those numbers are higher, which makes sense, of course, since the base since 2010 has grown, but the rate at which fraud is occurring remains constant. Interestingly, outside of the U.S., and where EMV has been implemented, online fraud rates are more than twice that rate.
According to Nilson, in 2012 worldwide total transaction volume of credit, debit, prepaid and private label cards was $21.604 trillion, with fraud losses worldwide of $11.27 billion – or roughly 0.05 percent, or 5.2 cents per $100. Douglas King, who authored a report for Atlanta’s Federal Reserve Bank, questioned whether the U.S., looking at these overall numbers, felt there was enough of a problem to invest the billions needed to move to EMV, which, as I’ve noted, doesn’t really eliminate fraud but simply moves it to a new playing field. It’s worth noting that this report was published before the Target breach, but the question remains: how much should the payments industry invest to reduce fraud – and to reduce it to what level?
It’s an important and valid question. Every industry, not just payments, has to make decisions about investing to eliminate its major source of risk entirely versus reducing it to an acceptable level that also doesn’t impose too much friction on its customers in the process. And, in fact, those in law enforcement have to do cost-benefit calculations, too. We can always spend more money to get less crime, but the question is whether the additional spending is worth the additional crime reduction.
9/11 is also a good proxy for this thought process. Post 9/11, the U.S. invested in new systems and policies designed to reduce the risk of terrorists using airplanes as weapons of mass destruction. In the early days after that horrific incident, that even included forcing passengers to stay seated during the first and last 30 minutes of flights headed into or departing from Washington, D.C. We could have made a decision to eliminate such risks entirely by having people completely disrobe for scanning before boarding an airplane, by banning carry-on luggage entirely – as was done to and from the UK in the early days following 9/11 – or by subjecting passengers to El Al airline screening prior to every flight. Hey, we could even have stopped flying and made people walk or take the train or the bus everywhere.
Instead, over the last several years, the TSA has implemented systems like Pre-Check, which allows expedited screening for passengers who have gone through a background check, has installed the somewhat controversial body scanners that check passengers for hidden explosives, and has adjusted acceptable levels of carry-on stuff. But none of those things eliminates entirely the risk of bad things happening – it just makes it more of a pain for the bad guys to do bad things, which, I say as a TSA Pre-Check passenger, is a tolerable amount of friction introduced into the system.
Now back to payments. We could eliminate the risk of payments fraud completely by making consumers use cash to pay for their purchases. Or by subjecting them to an arduous authentication process that would, as we’ve seen with 3-D Secure, eliminate the consumer’s appetite for making purchases online, which only hurts merchants. Or, as we are now about to do, by spending billions on a standard that only attacks a small piece of a problem that isn’t really that big to begin with. And, as our panel said, to what end – to eliminate a risk that is already really low? Where’s the ROI – and for whom? I haven’t seen any of the advocates produce a real ROI analysis – please send it, and we’ll post it on PYMNTS.com.
3. EMV makes the wrong people pay.
Richard Clarke made a point that “we” as an industry need to understand who’s suffering as a result of the breaches, and then, upon answering that question, who should pay.
This is where the conversation gets really interesting.
Someone on the panel remarked that the big conundrum of payments is that the parties who issue the cards are completely disconnected from the parties who accept the cards, who are in turn completely disconnected from the people who use the cards. Further, today, the parties being asked to change – and being forced to pay – are the consumers, who will be inconvenienced by being asked to “dip” and not swipe; the merchants, who are being asked to install new equipment or else face the risk of liability; and the banks, which will be forced to issue new, more expensive cards. According to Nilson, issuers last year absorbed roughly 63 percent of the risk while merchants absorbed 37 percent.
Target has said it will spend $100 million installing EMV readers, but that’s just the tip of the iceberg. There are more than 16 million devices in the U.S. that will have to be upgraded to support EMV payments at a cost of between $200 and $1,500 per device. Taking the low end of the scale, at $200 per device, that’s a $3.2 billion expense (just for the equipment) to the industry, borne by the merchants, not to eliminate fraud but simply to watch it move to another channel – one that they’ll also have to invest in new solutions, like tokenization, to fight.
And if you wanted to put a price tag on this to the consumer, assuming that consumers would pay a penny not to have to dip instead of swipe, they’ll be paying another three-quarters of a billion dollars annually (assuming 75.6 billion credit, debit and private label card transactions in 2013), not counting, of course, any of the price increases on merchandise that merchants pass along to offset the costs of these new devices. And those price increases will be borne by consumers, who, for all of the wailing and gnashing of teeth over the Target breach, don’t really feel the pain – roughly 90 percent of those whose accounts are at risk because of a retailer’s breach sign up for credit monitoring after the fact.
Consumers know that they are protected in the event of a compromise and don’t sweat it too much. But 100 percent of consumers will be asked to change how they use their cards and be inconvenienced by it, and maybe even pay more for the things they buy because of it. The big question left unanswered is the extent to which they feel that the tradeoff they are being asked to make is helping them in any way, since they don’t perceive a real problem today.
But here’s the real crime. Those who are perpetrating these crimes are laughing all the way to the bank. Cyber crooks operate today in sanctuary countries like Russia, well out of our reach to find, much less prosecute. If we, as a payments industry, really wanted to put some teeth into getting rid of cyber fraud, we’d be knocking on the doors of our members of Congress about putting the screws to the countries that harbor these bad guys, slapping on fines and penalties, even cutting off their ability to access U.S. Internet sites. We, as an industry, would be far better off mobilizing Congressional hearings on that point rather than risking that the government decides it needs to intervene by imposing a fraud standard on the industry because of the media coverage of the breach and the faulty assumption that fraud rates are out of control. At the moment, the people who inflict the pain and impose the costs on our payments system are getting off scot-free.
To put this another way, we could take some of the billions we’re spending on the EMV upgrade and use it to lobby Congress and the president to put the screws on countries that harbor these criminals that are wreaking havoc on us.
4. EMV does nothing to help in the short term.
Yes, Virginia, there is a deadline set for the liability shift, but it’s not realistic to think that most merchants will be able to make that deadline. Until the Target breach, the prevailing wisdom was that EMV was going to languish as merchants looked to other, cloud-based payment options, and security solutions linked to those payments alternatives. Now, out of fear and motivated by the PR value of saying that they are embracing EMV, their priorities have shifted sharply.
Even so, there just isn’t enough time to implement EMV in 16 million terminals in about a year’s time. So between now and whenever all 16 million terminals are upgraded, two, three or even more years from now, cardholder data transmitted by EMV cards with mag stripes will continue to be at risk of compromise at the physical point of sale, not to mention moving online as history tells us will be the case.
There are solutions available now that could, for a lot less of an investment, protect cardholder data by making it useless to the bad guys. After all, if data are what they want, then making it useless should be the focus. And tokenization and end-to-end encryption solutions, among other things, are technologies that are available today that can accomplish that goal and are embraced by the networks.
5. EMV is taking our eye off the real threat.
I think that even EMV advocates would agree that EMV wouldn’t have prevented the Target problem. But as one panelist said very well, point-of-sale fraud is bupkus when compared with the volumes that pass over the ACH network, CHIPS and Fedwire every day. NACHA reports that in 2013, an estimated $40 trillion moved from bank account to bank account every day at an average value of $1,760 per transaction. If the bad guys really wanted to wreak havoc, that’s where they’d turn their attention – if not to steal money outright, then to shut down our ability to conduct commerce as a nation and as a world.
Ditto with the SWIFT network, which passes secured messages related to financial transactions between more than 10,000 users at FIs and companies in 210 countries, resulting in an average of 10 million messages a day. A question raised by someone on the panel was the degree to which our efforts should be focused on ensuring that these systems remain rock solid versus spending tens of billions on systems that have relatively low risks of fraud to begin with. Sorry, Target, you get all the press, but you are really small potatoes.
6. EMV is taking our eye off the real opportunity.
A big question related to the risk/return/reward equation of investing in EMV raised by this panel is the consequence of diverting attention away from the move to digital payments enabled by connected devices that can secure cardholder data in superior ways. Merchants are interested in supporting mobile payments for a variety of reasons, something underscored by the decision of MCX to adopt a mobile/digital only scheme.
Mobile commerce provides merchants with the opportunity to communicate with their customers and target and serve their most profitable and desirable consumers better with a solution that is potentially more secure than what exists today at the physical point of sale. The deployment of EMV only forces them to divert attention and resources away from something that adds value to the consumer as well as the merchant and the overall payments system.
The discussion that we had last week laid out a number of facts that took the conversation about the merits of EMV from one that simply waved hands around why we should embrace it to one centered on a bunch of facts that paint a very compelling picture about why we might need to push pause and rethink it all. As I’ve said before, simply implementing a 30-year-old technology because everyone else in the world has already done it doesn’t make it the right thing to do right now. And the facts bear this out.
I say it’s time now to disagree on the basis of the ROI of making the move to EMV, not on the basis of the U.S. being the last holdout (which also isn’t true). So, show me the money – or better yet, bring me the analysis, and we’ll host a debate live on PYMNTS.com.
So, who’s game?