There are a lot of people out there that have apparently taken big swigs of the EMV Kool Aid and think that merchants and banks in the United States are all idiots for not believing in EMV. Well folks, here is EMV by the numbers. Unfortunately, the best set of complete numbers I could get are from 2009, but I know that the fraud percentages have not radically changed since 2009.
As this example will illustrate, EMV in the US is a non-starter, not because we do not like EMV, but because it makes no financial sense. While I am using Target as the example, these numbers are pretty much what most retailers (large or small) are looking at as they evaluate going to EMV.
- Target had around $65B USD in revenue for 2009 as reported in their Annual Report.
- For 2009, card fraud amounted to 0.11% according to a report from the US Federal Reserve Bank of Kansas City report on EMV adoption. For comparison, card fraud in the UK (the best in Europe and the best for EMV countries) is 0.08%, a 0.03% improvement over the US.
- We know that not all of Target’s revenue is in card transactions but I will estimate that 70% of revenue was card transactions (around $45.5B USD). Then Target has around $50M in losses related to card fraud for the year at 0.11%. Therefore, assuming a 0.03% improvement in fraud due to implementing EMV, Target is saving around $13.5M USD a year.
- Estimating between $50M to $100M USD to replace the POS (possibly), terminals and software to support true EMV (for comparison, Target is already spending an estimated $25M to $30M just on new terminals), Target gets a payback on that $13.5M USD savings due to EMV in around four to seven years.
I can tell you from experience that, if a merchant cannot get a three year or less payback, they will not even consider the investment. A two year or less payback is actually preferred and the only sure way for any project to get management’s consideration and approval.
But while the financials for EMV do not add up, there are also other factors that are causing retailers to question a conversion to EMV.
One of the largest is the fact that EMV does nothing to stem the fraud losses from card not present (CNP) transactions. Since most retailers are viewing eCommerce as their next new retail opportunity, the exponentially increasing losses due to CNP fraud does not improve the likelihood of converting to EMV. And with that larger focus on eCommerce and maintaining brick and mortar margins, there is also the concern regarding investing significantly in any changes to those brick and mortar operations that also hold back retailers from transitioning to EMV.
Another consideration is that a lot of retailers just upgraded their terminals a few years back to comply with the PCI PTS requirement. Most retailers like to get at least seven to ten years out of their technology investments. Had Visa and MasterCard played their cards right and coordinated their EMV push with the PTS changes, the US likely would have converted to EMV.
Finally, there are concerns about EMV even surviving given the advent of new payment technologies such as eWallets as well as Bitcoin and other new forms of payments. As a result, a lot of retailers are sitting on the sidelines while technology and payment methods sort themselves out before considering making any investments in new payment process capabilities.
That my friends are the cold, hard facts of why EMV is currently dead on arrival in the US.
PCI Guru 
I think that the banks want EMV as a way to cut their liability. EMV puts the burden of proof on the cardholder, not the bank.
Ah, but it only puts the risk on the cardholder for card present (CP) transactions, not card not present (CNP) transactions. And since the majority of fraud is now with CNP transactions, it really did not do a lot did it?
going from .11% to .08% is a 27% improvement.
Agreed. But even a 27% improvement doesn’t pay for what is required to get that improvement. That’s the whole point of the post and why merchants see no benefit.
I think that PCI DSS is a workaround of EMV implementation in USA for Point-of-sales merchants. While EMV is in France a by default mechanism, migrating the USA with EMV will be too expensive for every one. PCI DSS and a good fraud detection mechanism is cheapest.
Given that the PCI DSS was the rebranding of the Visa USA Cardholder Information Security Program (CISP), it is not a work around or even substitute for EMV. That is particularly ironic given that Visa was a prime developer of EMV along with EuroPay and MasterCard.
The CISP was modified by Visa Europe and the other Visa regions and implemented in those respective regions. Over time that specialized version of the CISP was phased out and the PCI DSS became all regions’ standard.
What I meant was not that Visa enfroces PCI DSS as a workaround, but : for regions where EMV is not in place, the only way to secure POS is PCI DSS, I mean to secure against TRACK2 data breaches.
Furthermore, I think that USA will simply jump from legacy card swipe to contactless payment.
Exactly my point. There are too many technologies available for paying that I think merchants and the banks are taking a wait and see approach to the detriment of the card brands’ pushing EMV.