In this post I would like to discuss from a statistical perspective why EMV is not making the impact on fraud that people are led to believe. The following is the analysis I went through to prove this hypothesis.
So, let us compare a year of card present fraud in the UK to that in the US. Unfortunately, I could only get statistics for 2008 for such a comparison. However, for 2009, card present fraud amounted to around 16% of all fraud and that is 0.43% of the total charged on credit cards in the UK. For comparison, the best I could come up with was 2008 for the US from the American Bankers Association which indicated that there was $788 million dollars in card present fraud which amounted to 1.6% of the total amount charged.
According to the UK Cards Association, in 2005 the last year before the rollout of EMV, card present fraud amounted to just over 30% of the total fraud incurred from credit cards. I could not find the total amount charged in the UK that year, so I have no idea of how that amount of fraud related to the total charged. However, given that card present fraud has remained steady at 16% of total fraud under EMV, I would assume that was the same with non-EMV cards so I would estimate that card present fraud amounted to around 0.86% of total fraud in 2005.
So a 1% card present fraud rate drove UK bankers to invent EMV? At the time UK bankers began to discuss EMV back in the early 1990s, it was my understanding that card present fraud rates were at least double or even triple those in the US, which would put the total percentage of card present fraud at somewhere around 3% to 4.5% of total charges since card present fraud rates are relatively stable. Unfortunately, I do not have access to figures to support that. However, using just double that would mean that at 30% of all fraud in 2005, something must have been done to bring down the fraud rate before EMV was introduced. I base this on the fact that card present fraud has remained static after the introduction of EMV which would mean that in 2005, card present fraud was around 0.86% of total charges. Could it be that enforcing better procedures at the merchant level which is what the banks mandated before EMV was introduced drove down card present fraud to around 1% of the total charged? It does appear that way.
EMV will save US banks and merchants a total of around $394 million dollars annually. Given the estimated ten billion it will cost to convert totally to EMV, is it any wonder why banks and merchants have no incentive to convert? The ROI is just not there.
So what are the conclusions we can draw from this exercise? Introducing EMV into the US would cut card present fraud by 50%. However, since bankers and merchants believe card present fraud is already at a manageable level, there is no incentive to convert. But the more telling conclusion is that EMV does not eliminate card present fraud like it is perceived by the public. And that is something that the public deserves to know.
UPDATE: See this post from the FDR Atlanta.
PCI Guru 
The UK did have a 28% drop in card fraud from 2008 to 2009 (I’m not sure what percentage of that was card present). According to the payment council it’s the first time their fraud has dropped since 2006 – part of the credit for this drop does go to Chip and PIN technology as well as better fraud detection systems/tools. That said, online banking fraud did increase (by 14%) due to more sophisticated attacks being targeted at the customers’ instead of the banks’ — however, card-not-present fraud decreased (19%) due to the increasing the use of fraud screening detection tools by retailers and banks, as well as increased used of MasterCard’s SecureCode and Verified by Visa. The decrease in card-not-present fraud doesn’t appear to be due to Chip and PIN technology – so I am curious if the increase in screening and online fraud prevention systems are in part due to PCI requirements or perhaps just general growth in security?
While Chip and PIN in Europe and Canada has been successful, I’ve heard there are additional encryption and authentication mechanisms that are likely to be deployed in the US as technology continues to advance. Apparently Visa and MasterCard (according to our acquiring bank) are studying the issue and working to devise the appropriate approach for deployment in the US from an implementation, security, and cost containment perspective. With the US being the world’s largest credit card market and the cost of implementation of Chip and PIN – it is not a sound business case at this time. As you said, the ROI just isn’t there.
Do I agree that Chip and PIN has some benefits to protect against fraud, yes – but I also agree that the PCI requirements are still needed. To me, Chip and PIN doesn’t get rid of all the issues which the PCI DSS is working to protect against. If anything, they should go hand in hand and work together – it shouldn’t be one or the other.
Card present fraud increased by 34% between 2007 and 2008 and then dropped back the 28%. However, as a percentage of the total fraud picture, other than 2007 when it was around 13.6%, it has remained steady at around 16% give or take a couple of tenths of a percent year to year. My guess is that in 2007 the bad guys were still assimilating the EMV card and reformulating how they could deal with the new environment and that stymied their activities for a short period of time.