10
Jan
14

The Economics Of EMV

There are a lot of people out there that have apparently taken big swigs of the EMV Kool Aid and think that merchants and banks in the United States are all idiots for not believing in EMV.  Well folks, here is EMV by the numbers.  Unfortunately, the best set of complete numbers I could get are from 2009, but I know that the fraud percentages have not radically changed since 2009.

As this example will illustrate, EMV in the US is a non-starter, not because we do not like EMV, but because it makes no financial sense. While I am using Target as the example, these numbers are pretty much what most retailers (large or small) are looking at as they evaluate going to EMV.

  • Target had around $65B USD in revenue for 2009 as reported in their Annual Report.
  • For 2009, card fraud amounted to 0.11% according to a report from the US Federal Reserve Bank of Kansas City report on EMV adoption. For comparison, card fraud in the UK (the best in Europe and the best for EMV countries) is 0.08%, a 0.03% improvement over the US.
  • We know that not all of Target’s revenue is in card transactions but I will estimate that 70% of revenue was card transactions (around $45.5B USD). Then Target has around $50M in losses related to card fraud for the year at 0.11%.  Therefore, assuming a 0.03% improvement in fraud due to implementing EMV, Target is saving around $13.5M USD a year.
  • Estimating between $50M to $100M USD to replace the POS (possibly), terminals and software to support true EMV (for comparison, Target is already spending an estimated $25M to $30M just on new terminals), Target gets a payback on that $13.5M USD savings due to EMV in around four to seven years.

I can tell you from experience that, if a merchant cannot get a three year or less payback, they will not even consider the investment. A two year or less payback is actually preferred and the only sure way for any project to get management’s consideration and approval.

But while the financials for EMV do not add up, there are also other factors that are causing retailers to question a conversion to EMV.

One of the largest is the fact that EMV does nothing to stem the fraud losses from card not present (CNP) transactions. Since most retailers are viewing eCommerce as their next new retail opportunity, the exponentially increasing losses due to CNP fraud does not improve the likelihood of converting to EMV. And with that larger focus on eCommerce and maintaining brick and mortar margins, there is also the concern regarding investing significantly in any changes to those brick and mortar operations that also hold back retailers from transitioning to EMV.

Another consideration is that a lot of retailers just upgraded their terminals a few years back to comply with the PCI PTS requirement. Most retailers like to get at least seven to ten years out of their technology investments. Had Visa and MasterCard played their cards right and coordinated their EMV push with the PTS changes, the US likely would have converted to EMV.

Finally, there are concerns about EMV even surviving given the advent of new payment technologies such as eWallets as well as Bitcoin and other new forms of payments. As a result, a lot of retailers are sitting on the sidelines while technology and payment methods sort themselves out before considering making any investments in new payment process capabilities.

That my friends are the cold, hard facts of why EMV is currently dead on arrival in the US.

About these ads

8 Responses to “The Economics Of EMV”


  1. March 31, 2014 at 1:25 PM

    I think that the banks want EMV as a way to cut their liability. EMV puts the burden of proof on the cardholder, not the bank.

    • April 1, 2014 at 5:17 AM

      Ah, but it only puts the risk on the cardholder for card present (CP) transactions, not card not present (CNP) transactions. And since the majority of fraud is now with CNP transactions, it really did not do a lot did it?

  2. 3 Peter
    February 18, 2014 at 10:11 AM

    going from .11% to .08% is a 27% improvement.

    • February 19, 2014 at 11:18 AM

      Agreed. But even a 27% improvement doesn’t pay for what is required to get that improvement. That’s the whole point of the post and why merchants see no benefit.

  3. January 12, 2014 at 2:15 PM

    I think that PCI DSS is a workaround of EMV implementation in USA for Point-of-sales merchants. While EMV is in France a by default mechanism, migrating the USA with EMV will be too expensive for every one. PCI DSS and a good fraud detection mechanism is cheapest.

    • January 12, 2014 at 2:36 PM

      Given that the PCI DSS was the rebranding of the Visa USA Cardholder Information Security Program (CISP), it is not a work around or even substitute for EMV. That is particularly ironic given that Visa was a prime developer of EMV along with EuroPay and MasterCard.

      The CISP was modified by Visa Europe and the other Visa regions and implemented in those respective regions. Over time that specialized version of the CISP was phased out and the PCI DSS became all regions’ standard.

      • January 13, 2014 at 3:26 AM

        What I meant was not that Visa enfroces PCI DSS as a workaround, but : for regions where EMV is not in place, the only way to secure POS is PCI DSS, I mean to secure against TRACK2 data breaches.

        Furthermore, I think that USA will simply jump from legacy card swipe to contactless payment.

      • January 18, 2014 at 10:16 AM

        Exactly my point. There are too many technologies available for paying that I think merchants and the banks are taking a wait and see approach to the detriment of the card brands’ pushing EMV.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Announcements

FishNet Security is looking for experienced QSAs for their PCI practice. If you are an experienced QSA and are looking for a change, go to the Web site (http://www.fishnetsecurity.com/company/careers), search for 'PCI' and apply.

If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.

Calendar

January 2014
M T W T F S S
« Dec   Feb »
 12345
6789101112
13141516171819
20212223242526
2728293031  

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 970 other followers


Follow

Get every new post delivered to your Inbox.

Join 970 other followers

%d bloggers like this: