Implementing so-called chip-and-PIN authentication for U.S. credit cards would cost merchants and card issuers more than $7 billion but prevent only about $850 million in lost-and-stolen card fraud over five years, a new report from Aite Group LLC says.
The report, “Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum,” addresses the controversial idea of using personal identification numbers to authenticate cardholders using the country’s new EMV chip credit cards. PIN authentication is nearly universal with U.S. chip debit cards, is it was with magnetic-stripe debit cards. With EMV credit cards, PIN authentication is frequently used in other countries, but with the exception of some cards for international business travelers is very rare in the U.S., where signature authentication remains the norm.
Many merchants and their trade groups support the idea of bringing PIN authentication to all chip cards. The argument is that a fraudster using a lost or stolen card would need to know the correct PIN to use such a card. Issuers have resisted, saying EMV chips alone are effective in preventing counterfeit fraud, which produces much bigger losses than lost-and-stolen fraud, and that credit card holders are used to signing for purchases, not remembering the cards’ PINs.
Aite says the return on credit card chip-and-PIN investments would not be worthwhile. Issuers’ expenses would total $2.62 billion, some $2.1 billion of which would be for reissuing cards. But such cards would prevent only $852 million in lost-and-stolen fraud over five years, making the net issuer cost-benefit a negative $1.77 billion, according to report author Thad Peterson, an Aite senior analyst.
Merchants would incur even greater costs—$4.53 billion, but get little in return through reduced lost-and-stolen fraud losses for which they would bear liability. The biggest expense, $3.1 billion, would be for non-PIN-accepting merchants—about 37% of the card-accepting U.S. merchant base—to add PIN pads at an estimated cost of $125 per unit. Peterson also estimates that PIN-penetration is low among the country’s 684,000 restaurants and bars.
“That’s not a small group of merchants,” Peterson tells Digital Transactions News. “If you think about any mandate to PIN, that’s going to be costly.”
The remaining expenses would include retrofitting current PIN-accepting merchants to process PIN-based EMV credit cards, staff training, and incremental expenses for pay-at-table restaurants.
The report is based on 361 telephone surveys conducted from April to June with retail-trade merchants with $500,000 or more in annual revenue. Aite says the results have a margin of error of plus or minus five percentage points at the 95% confidence level. Aite supplemented the survey findings with 40 interviews with large retailers, merchant acquirers, processors, terminal manufacturers, and card issuers.
Some 62% of the surveyed merchants said yes when asked, “Do you think that chip-and-PIN should be implemented for all chip cards in the United States?” More than half cited increased security for cardholders, and more than a third thought chip-and-PIN would reduce fraud for merchants. Only 34%, however, said yes when asked if chip-and-PIN should be mandated by a regulator.
Aite also notes some merchants’ misconceptions about lost-and-stolen fraud. Merchants underestimate its extent: the surveyed merchants estimated lost-and-stolen fraud in their stores at 1.7% of their card-present fraud, but Aite says its research shows lost-and-stolen fraud accounts for 9% of all U.S. credit card fraud. That compares with 45% for counterfeiting, 38% for card-not-present fraud, and 8% for all other fraud types.
“The only explanation I have is there is just a real misunderstanding of the nature of fraud,” says Peterson.
Another mismatch involves the significant merchant support for credit card chip-and-PIN even though their exposure to lost-and-stolen fraud liability is minimal if they have terminals that read contact chip cards, according to Peterson. Under current network rules in the wake of the October 2015 liability shifts, issuers continue to bear “the vast majority” of the liability, says Peterson.
The major exception is when the cardholder presents a chip credit card encoded with a PIN-preferring verification method, but the merchant’s contact EMV reader processes signatures, not PINs. But that won’t prevent much fraud, because very few such cards have been issued, says Peterson. “They’re rare use cases,” he says.
So instead of retrofitting the point of sale to implement credit card chip-and-PIN, Peterson says the money would be better spent attacking Internet and other forms of card-not-present fraud. CNP fraud boomed in other countries when the introduction of EMV made POS fraud harder to commit, and observers say the same phenomenon will happen in the U.S.
“If we were to take that money and apply that expense to get merchants ready for EMV and to work on that CNP [fraud], it would be so much more beneficial to the ecosystem,” he says.