Card Industry Has a Compelling Case for Data Encryption, Report Says

End-to-end encryption of cardholder account data during the transaction process is an imperfect solution to payment card fraud, but it's the most practical out there now for the U.S., a new report about fraud management from Aite Group LLC concludes. The report estimates that fraud cost the U.S. card industry $8.6 billion in 2008. The fraud rate, however, 0.4% of $2.1 trillion in charge volume in 2008, has been stable for several years, according to report author Nick Holland. Merchant acquirers?notably Heartland Payment Systems Inc., which reported a huge data breach a year ago?along with point-of-sale terminal vendors and an assortment of technology companies are rolling out various iterations of end-to-end encryption to address the seemingly intractable problem of computer hackers getting illegal access to computer systems that hold or transmit cardholder data, and then stealing that data and selling it to other criminals who make fake cards to commit fraud. Thus, there is a compelling case for end-to-end encryption, which renders card data unusable to a hacker, according to Holland, senior researcher at Boston-based Aite. “It basically stamps out counterfeit and card not present [fraud], it attacks them head on,” Holland tells Digital Transaction News. But neither end-to-end encryption nor any of the other technologies being widely discussed today can thwart all card fraud, which Aite breaks down into six major categories. In fact, none of them attacks so-called first-party fraud, which Aite estimates alone accounts for 49.9% of all fraud. In such a scheme, a cardholder opens a credit card account and for some time makes timely payments in hopes his normal behavior will induce the issuer to increase his credit line. But sooner or later he runs up charges to, or near, the limit or takes out cash advances, all with no intent of repaying the issuer. In contrast, so-called third-party fraud typically involves those who steal card data or buy such information to make counterfeit cards, or make card-not-present (CNP) charges on a live account without the legitimate cardholder's knowledge. CNP fraud, which originates from Internet or telephone orders, accounted for 16.1% of fraud losses and cost $1.39 billion in 2008, Aite estimates. Counterfeit fraud cost $1.35 billion and accounted for 15.7% of fraud. Fraud from lost and stolen cards amounted to an estimated $1.42 billion, 16.5% of all fraud. The smallest forms of fraud were identity theft, $129 million in losses and 1.5% of fraud; and non-receipt of cards, $23 million, 0.3%. Aite based its estimates on fraud data in published reports, including issuer filings about losses, and interviews with more than 30 fraud-control professionals globally on all sides of the payments industry. Aite estimates it would cost $4 billion to implement end-to-end encryption on a nationwide scale and would take two years to fully roll out. The return on investment, or time needed in forgone fraud to recover the investment, is an estimated 1.6 years based on about $2.5 billion in annual fraud eliminated. While end-to-end encryption would address only about 29% all fraud, its advantages include reduced requirements for merchants to meet the Payment Card Industry data-security standard. Merchants, however, would bear virtually all implementation costs, mostly in the form of new terminals. The most expensive fraud fix would come from the so-called EMV chip card, which instead of a magnetic stripe puts the cardholder data on a much more secure chip and also requires entry of a PIN. Aite estimates EMV would cost $12.7 billion and take three years to deploy. Most costs would fall on the acceptance side for installing chip-reading terminals, but issuers also would need to replace mag-stripe with chip cards. The estimated payback would be nearly five years based on an estimated $2.6 billion in fraud avoided annually. EMV, popularly known as chip-and-PIN, could be counted on to cut about 30% of fraud losses by nearly eliminating counterfeit and lost-and-stolen card fraud. EMV, however, does nothing to address card-not-present fraud. In fact, Holland notes, that type of fraud increased in the United Kingdom after an EMV system took hold in the mid-2000s. Another impediment is the interchange question. Merchants would expect lower interchange on PIN than higher-cost signature transactions, but card issuers, especially debit card issuers, could be expected to fight to retain their lucrative signature-based interchange revenues. “Upgrading of card technologies to EMV chip cards in the United States will not occur while U.S. issuers and networks remain married to signature interchange,” the report says. International pressure?the U.S. is the only big industrialized country that has not switched or does not plan to switch to EMV?might eventually force the adoption of chip-and-PIN here if hanging on to the mag stripe impedes global commerce, Holland notes. So-called two-factor authentication technologies provide the highest levels of fraud reduction at the lowest cost, according to Aite. The main examples of these are physical tokens that generate one-time pass codes for completing a transaction, or text messages with one-time pass codes sent by the issuer to the cardholder. But the technologies also will generate friction in the form of cardholder and merchant resistance to any extra step in the transaction process, the report says.