We are never the first to report on a data breach. There is the usual swarm of media and unnecessary speculation grabbing the headlines. The reality of a data breach is that at least 4-8 weeks have passed before it hits the Wall Street Journal, New York Times or the American Banker.
That does not mean that we do not have opinions on data breaches. We talk to our clients about breaches. We help prepare strategies for mitigating data breach risk. We assess the damage to the industry, issuer and merchant.
We certainly do opine on data breaches but think there are bigger issues.
Take the issue of MasterCard and Visa mandating US implementation of EMV. By 2015, millions of merchants, servicing almost 1 billion US cards, must be EMV/Smart Chip compliant or face industry sanctions. It sounds great, if you listen to credit card manufacturing companies, but the technology does very little to reduce credit card fraud. Plenty of EMV and fraud research is in the CEB TowerGroup library (and other places), but the facts are:
- The EMV standard is 30 years old. Think about what has happened in the computer industry since Ronald Reagan was in office.
- According to Visa’s published numbers, US card fraud is at an historic low: five basis points. There is little payback for implementation when you consider that the cost of a magnetic stripe card is only about 8% of the cost of producing a compliant, chip-enabled, near field communication payment card.
- New cards are ineffective in protecting against card-not-present (CNP) transactions, the segment that covers internet and mobile payments. CNP transactions account for about 34% of total fraud.
The industry does need a more sophisticated access device, and we will surely see significant advances in card technology over the next few years that can make access easier, improve customer loyalty and populate mobile wallets.
To link this all together, the industry focus on new fraud technologies to protect the card itself misses the mark. Card fraud is under control at well-run issuers (those in the top tier control 85% of the market). Yes, of course, we do need to upgrade the payment access card or device, but we must recognize that EMV will not fix the problem.
The real problem in fraud comes from organized attacks against the system. Look at where the risk has been. Global Payments Network, a top tier US transaction acquirer, potentially exposed 1 million records, mild by recent standards. The ugly reality, by generally accepted industry numbers, is that about 340 million financial records have been exposed since January 2005. Not to minimize the issue, but consider the “big ones”: retailer TJX in January 2007 affected 94 million records, acquirer Heartland exposed about 80 million in 2009, and Hannaford compromised 40 million in 2008. The industry must protect data at all levels: in use, at rest, and in transit.
What we are missing here is that EMV focuses on the wrong area of risk. Fraud technologies that target account behavior are strong. They’ve helped drive the fraud numbers down to record lows. The industry’s infrastructure is old, and the industry needs to consider the future. Focusing on the front end is not a US-centric solution for fraud control even though EMV has worked for other parts of the world. What we need to be doing is protecting (and refining) the infrastructure, not just the entry points.
To learn more, CEB TowerGroup Retail Banking and Cards members can access our latest research, EMV in the United States: Essential Perspectives for Issuers and Acquirers.