Playing the Visa EMV Game
Written on 16 September 2011
by Ruth Fisher, PhD
Structure of the Visa EMV Game
Outcome of the Visa EMV Game
What Can Visa Do to Speed Up Adoption of EMV?
Visa’s EMV ("Europay, MasterCard and Visa") technology standard (aka "Chip and PIN") -- used for credit card processing -- was introduced several years ago as a means of decreasing credit card fraud. This new EMV standard has passed well into the intermediate stages of adoption in virtually all countries in the rest of the world. However, EMV adoption in the US has barely taken hold. Visa has made a recent push to encourage US Merchants to upgrade their Visa credit card processing systems to the EMV standard. Interestingly, the media has noted that while the Merchants who accept Visa credit cards as payment for purchases made by their Customers will have to bear the majority of the total costs to industry associated with the technology upgrade, it will be the Issuers who realize the majority of the benefits of decreases in credit card fraud.
An analysis of this game was undertaken as a means to better understand the dynamics among industry players involved with adoption of EMV. The following is an excerpt from the analysis. A copy of the full analysis can be downloaded by clicking on the link at the bottom of this blog entry.
The current credit card system used int he US involves credit cards that contain a magnetic stripe ("mag stripe") on the back, through which the card currently communicates with point-of-sale (POS) terminals to effect and authenticate/validate credit card transactions. Adopting the new EMV standard would entail (1) replacing the current mag stripe credit cards with new credit cards that contain a chip (i.e., a smart card), together with (2) new POS terminals that can "communicate" with the new smart cards. The new "Chip and PIN" system can better authenticate and validate credit card transactions relative to the current magnetic stripe technology system.
8. The Visa EMV Game
This section details the structure of the Visa EMV game; the likely outcome of the game, given the current environment and incentive schemes; and what Visa might do to speed up adoption of EMV in the US.
A. Structure of the Visa EMV Game
The players in the EMV game, together with their objectives and issues, are:
i. Cardholders
(Potential) Cardholders must decide which credit card Networks to join (if any) and which purchases to use their credit cards for. Credit cards provide Cardholders a convenience, but using credit cards makes Cardholders vulnerable to fraud being committed on their credit card accounts. A Cardholder will be more likely to join a credit card Network and use his credit card to make purchases when (1) credit card interest rates are lower, (2) there is a lower probability that usage of his credit card will lead to credit card fraud being committed on his account, and (3) the Cardholder is not liable for credit card fraud committed on his account.
More formally, each Cardholder must choose
(C-1) whether or not to apply for a Visa card, and
(C-2) assuming the Cardholder receives a Visa card, whether or not to use his Visa card for purchases made from a particular Merchant,
given
(C-3) the interest rates Visa charges the Cardholder to carry balances, which is dependent on
(C-3a) the amount of Visa credit card fraud committed, which is dependent upon
(C-3a1) the effective amount of security precautions undertaken by Issuers/Visa,
(C-3a2) the effective amount of security precautions undertaken by the Merchant, and
(C-3a3) the effective amount of security in the other (MC, AE, Discover, JCB) Networks;
(C-3b) whether or not the Cardholder is liable for fraud committed on his Visa account,
(C-3c) the Cardholder’s credit history, and
(C-3d) the level of competition in the market for Issuers/Networks;
(C-4) the probability credit card fraud will occur on his account, which is determined by
(C-4a) the effective amount of security precautions undertaken by Issuers/Visa,
(C-4b) the effective amount of security precautions undertaken by the Merchant, and
(C-4c) the effective amount of security in the other (MC, AE, Discover, JCB) Networks;
(C-5) whether or not he is liable for credit card fraud committed on his account.
ii. Merchants
When there are more Cardholders in the population (that purchases their products), then Merchants are more likely to make sales, if they accept credit cards as payment for Customer purchases. However, accepting credit cards as payment by Cardholders is costly, because Merchants have to pay fees to process credit card purchases, where the fees are greater when there is more credit card fraud on the Network, and when Merchants are liable for a greater portion of credit card fraud committed on their Customers’ accounts. Merchants can decrease the incidence of credit card fraud committed on their Customers’ accounts by investing in effective anti-fraud security measures, but such investments are costly.
More formally, each Merchant must choose
(M-1) whether or not to join the Visa Network (accept Visa credit cards from Cardholders as payment);
(M-2) which Acquirer to use for processing Visa credit card transactions; and
(M-3) types of security measures in which to invest, so as to cost-effectively minimize the amount of credit card fraud he experiences,
given
(M-4) the portion of his customers that are Visa Cardholders;
(M-5) the amount of fees Merchants must pay to Issuers/Networks to process Visa transactions, which is dependent upon
(M-5a) the amount of Visa credit card fraud committed, which is dependent upon
(M-5a1) the effective amount of security precautions undertaken by Issuers/Visa,
(M-5a2) the effective amount of security precautions undertaken by the Merchant, and
(M-5a3) the effective amount of security in the other (MC, AE, Discover, JCB) Networks; and
(M-5b) whether or not Merchants are liable for fraud committed by Cardholders with whom the Merchant transacts;
(M-6) whether or not he is liable for credit card fraud committed on his Customers’ accounts;
(M-7) the amount of fees Merchants must pay to Acquirers to process Visa Transactions, which is dependent upon
(M-7a) the probability the Merchant will go bankrupt,
(M-7b) the level of competition in the market for Acquirers; and
(M-8) the effective amount of security precautions undertaken by Issuers/Visa
iii. Acquirers
Acquirers generate revenues by providing credit card processing services to Merchants. The costs associated with generating those revenues will be higher when there is a greater chance the Merchants will go bankrupt, thereby leaving Acquirers liable for purchase returns made by the Merchants’ Customers.
More formally, each Acquirer must choose
(A-1) which Merchants to take on as clients. Less attractive (i.e., higher risk/cost) Merchants for Acquirers to serve are those who are more likely to go bankrupt: If a Merchant goes bankrupt, the Acquirer will be liable for any purchase returns sought by that Merchant’s customers after the Merchant has declared bankruptcy,
(A-2) processing fees to charge Merchants for Acquirers’ services,
given
(A-3) the amount of Visa credit card fraud committed, which is dependent upon
(A-3a) the effective amount of security precautions undertaken by Issuers/Visa,
(A-3b) the effective amount of security precautions undertaken by the Merchant, and
(A-3c) the effective amount of security in the other (MC, AE, Discover, JCB) Networks;
(A-4) whether or not the Merchant is liable for credit card fraud committed on Visa Cardholders’ accounts; and
(A-5) the level of competition in the market for Acquirers.
iv. Network (Visa)
As previously indicated, the Networks are owned and run by its member financial institutions who also act as Issuers. As such, the interests of the Networks and the Issuers are perfectly aligned. In the following analyses, I will assume the Issuers and Networks (Visa) together form a single party in the Visa EMV game.
v. Issuers
Issuers generate revenues from Cardholders (1) from the amount of Cardholder transactions Issuers process, and (2) from interest payments made on credit card balances carried by Cardholders. The costs of generating these revenues will be greater when (1) Cardholders are more likely to default on their credit card purchases, and (2) there is more credit card fraud on the Visa network. Issuers can reduce the amount of credit card fraud on the Visa network by investing in effective anti-fraud security measures, but such investments are costly. Issuers can also reduce the about of credit card fraud they pay for by pushing liability for credit card fraud onto Merchants and/or Cardholders, but doing so will reduce the number of Cardholders and Merchants who join the Visa Network.
More formally, each Issuer must choose
(I-1) Which applicants to issue Visa cards to (regarding “risky” Applicants/Cardholders, distinguish Cardholders likely to default on payments for their purchases from Cardholders likely to have fraud committed on their accounts),
(I-2) Interest rates to charge each Cardholder to carry credit card balances,
(I-3) Fees to charge Merchants to process Cardholder transactions,
(I-4) Whether or not to indemnify Cardholders from credit card fraud, and
(I-5) Whether or not to indemnify Merchants from credit card fraud,
(I-6) types of security measures in which to invest, so as to cost-effectively minimize the amount of credit card fraud on the Visa Network,
given
(I-7) the Cardholder’s credit history,
(I-8) the amount of Visa credit card fraud committed, which is dependent upon
(I-8a) the effective amount of security precautions undertaken by Issuers/Visa,
(I-8b) the effective amount of security precautions undertaken by Merchants, and
(I-8c) the effective amount of security in the other (MC, AE, Discover, JCB) Networks; and
(I-9) the level of competition in the market for Issuers/Networks.
This situation, as displayed in Figure 11 (numbers in brackets correspond to Steps in credit card processing discussed in Section 3), forms a game because each of the (sets of) players is independent from the others, each faces his own set of incentives, and each takes actions to optimize his own outcome (profit or well-being). Yet, the outcome achieved by each player depends on the actions taken by the other players. That is, while the players are independent entities, free to take whatever actions they choose, they are each dependent upon the others players and the actions these other players take for their outcomes. The questions thus become: What actions will each player be led to take, and what will be the outcomes of the game?
B. Outcome of the Visa EMV Game
What is comes down to is when there is less credit card fraud on the Visa network, then the costs to Cardholders and Merchants associated with credit card usage are lower, and so more Cardholders and Merchants will join the network and use credit cards more intensively. In other words, credit card fraud is bad for everybody except the thieves who get away with it.
It follows that Visa/Issuers have an incentive to minimize the amount of fraud on the Visa network, by themselves investing in effective anti-fraud security measures, and also by convincing Merchants to invest in effective anti-fraud security measures. However, Merchants will only invest in anti-fraud security measures if (1) they are liable for fraud committed on their Customers’ accounts, or they otherwise suffer costs when they do not invest sufficiently in anti-fraud measures, and/or (2) the anti-fraud measures they invest in are effective in reducing credit card fraud on their customers’ accounts.
Until now, Visa/Issuers have persuaded Merchants to invest in anti-fraud measures by requiring Merchant PCI DSS system audits in conjunction with granting no liability for fraud. That is, under the current system, Merchants invest in anti-fraud measures, not because they are liable for fraud, but, equivalently, because they have to pay a penalty if they do not invest sufficiently in anti-fraud measures.
The current system is no longer working well for Visa/Issuers. What has changed is that another Network -- the Visa Network in the rest of the world -- has upgraded to a new technology, EMV, which is better at preventing fraud than is the old measure that is currently still in use in the US, magnetic stripe. The new situation is increasing the current costs for Visa/Issuers in two ways:
1. US Visa/Issuer Cardholders are having trouble using their Visa cards in other (non-US) locations, which causes Visa to suffer a loss in reputation and perhaps lose customers to other Networks, and
2. The increased difficulty fraudsters are facing in other countries with the new technology is causing them to migrate to the US where they can commit fraud (via counterfeiting) more easily.
In pressing adoption of EMV by US Cardholders and Merchants, Visa is taking a global, long-term view of the situation. US adoption of EMV will eliminate the problems US travelers are having when trying to use their Visa credit cards in other countries, and it will also address the fraud that has migrated to the US in search of easier means of penetration. It is true that EMV does not address CNP crime. However, the new technology, EMV will help Visa to prepare for adoption of future technologies, namely contactless and mobile charges. In other words, Visa is effectively killing three birds with one stone: aligning Visa’s global network, which (1) prevents US Cardholders from having problems using their credit cards internationally and (2) foils the ability of fraudsters to find a weak link in the US, and (3) preparing for imminent adoption of next generation technologies.
In contrast to the long-term, global view being taken by Visa that is leading Visa to press for the EMV solution, US Merchants are taking a local, more short-term view of the situation. For them, adoption of EMV technology is not currently cost effective at reducing fraud on their Customers’ accounts, due to a combination of several factors. First, the benefits in terms of avoiding PCI DSS compliance audits will be relatively small until (1) the other Networks also adopt EMV and waive their audit requirements, and (2) 75 percent of their Visa Customers have adopted EMV. Second, in addition to investing in EMV terminals, Merchants will also have to invest in other technologies (encryption, tokenization, etc.) to bolster the effectiveness of EMV. And third, the new, bolstered technology is not necessarily preventing enough fraud to justify the costs, since fraudsters are acquiring the information they need to commit fraud on Merchants’ customers’ accounts by breaching other parts of the credit card data processing system. As for impending new technologies, such as contactless and mobile, Merchants don’t have to worry about them until Customers start adopting these new technologies in force.
And while the old versus new technology debate is taking place in the US, there’s an additional complicating factor in the form of the new financial (Frank-Dodd) regulations taking effect. The new regulations
ensure that fees charged to merchants by credit card companies [for processing] debit card transaction are reasonable and proportional to the cost of processing those transactions.
The new regulations will decrease fees currently charged by Visa/Issuers to process Merchants’ debit cards transactions. The effect of this will be to ensure Merchants that debit cards will serve as a good alternative to credit cards. As such, Merchants will suffer fewer losses by refusing to accept Visa credit cards, if they can persuade their Customers to instead use Visa debit cards. This reduces the power of Visa/Issuers to unilaterally force US Merchants to upgrade to EMV.
What’s not helping the situation (from Visa’s perspective) is the fact that in countries that have moved to the new EMV standard, the incidence of adoption by Cardholders lags that by Merchants (see Figures 5A and 5B). Cardholder’s will naturally be reluctant to (pay to) adopt a new technology that will reduced credit card fraud, if they don’t have to pay the (direct) costs associated with fraud (though they do presumably pay some of the costs through higher interest rates). This is, no doubt, a contributing factor to the reluctance on the part of US Merchants to adopt EMV, because if their customers do not have Chip and PIN cards, then Merchants are not losing sales by failing to upgrade to EMV.
In short, there’s significant inertia in the adoption by US Cardholders and Merchants of EMV. Merchants are reluctant to pay the costs of adoption, especially since (1) the Other Networks (MC, AE, Discover, JCB) have not yet adopted EMV, which means Merchants will still have to bear substantial PCI DSS audit costs even if Visa waves its portion of those costs, (2) Merchants need to invest in other technologies (encryption or tokenization), and, perhaps most importantly, (3) most Cardholder have not (yet) adopted the standard, which means Merchants are not losing customer sales by holding out. And Cardholders are reluctant to upgrade to a new system that will decrease credit card fraud because, under zero liability, they do not bear the direct costs of fraud.
As an aside on Visa’s shift of the liability for fraud from Visa/Issuers to Merchants as a means of pressing Merchants to adopt the new standard: Given the current economic environment (decreases in user spending mean low Merchant fees and Cardholder interest payments for Visa/Issuers), together with the passage of the Frank-Dodd regulations (mandating decreases in fees for Visa/Issuers on debit card transactions), it’s not clear that Visa/Issuers would not have shifted some of the responsibility for fraud onto Merchants anyway to make up for some of the fees they are losing currently and into the future.
In conclusion, EMV technology has been around for several years, and there are currently pockets of adoption in the US, by some Merchants, such as Wal-Mart (but not the majority of its customers), and by some Cardholders, such as banks’ “high-end customers who are frequent travelers”.
Under the current rules of the game, adoption will most likely continue to limp along in “niche applications”, as Jim Schlegel “US: To EMV Or Not?” puts it:
While wholesale migration to EMV is unlikely, what is likely and happening now in embryonic form is the deployment of EMV-like niche applications in areas such as transportation, quick service restaurants and retail; live events and entertainment; and specialist international cards for traveling, "high worth" clients.
At some point adoption of contactless and/or mobile credit card transactions by niche Cardholders will start to force more Merchants to transition more quickly to EMV or risk losing sales. At some point, when the population of Cardholders has finally reached a critical mass, quicker adoption of EMV by holdout Merchants will then take place.
C. What Can Visa Do to Speed Up Adoption of EMV?
If Visa is not content to let adoption of EMV in the US limp forward until critical mass of Cardholders is eventually reached, there are a couple ways it can speed up adoption.
First, let’s put some numbers on the table.
From Patti Murphy, “Securing a place for EMV in the USA”
Aite Group LLC estimated that in 2008 alone, 9.7 million U.S. cardholders' mag stripe cards were rejected at overseas locations, at an estimated cost to the card industry of $3.9 billion in transactions and $447 million in related revenues.
Mercator Advisory Group calculated it would cost U.S. card issuers between $2.4 billion and $2.8 billion to replace all mag stripe cards in circulation with chip cards (also called smart cards) and that merchants would pay about $10 per terminal for EMV functionality. (Other experts interviewed for this story put the cost per terminal at between $30 and $50.)
From Jim Schlegel “US: To EMV Or Not?”
Javelin Strategy & Research estimates the basic cost of deployment for EMV in the U.S. at $8.6 billion, broken down as follows: POS terminal deployment estimated at $6.75 billion, with merchants bearing the brunt; card issuance estimated at $1.4 billion, with card issuers bearing most of the burden; retrofitting or replacing bank-owned ATMs estimated at $500 million, with financial institutions bearing the majority of the cost.
From SearchFinancialSecurity.com
Card fraud costs the U.S. card payments industry about $8.6 billion annually with the bulk of the losses falling on card issuers, according to a report released this week by Aite Group LLC …
Among the top forms of card fraud are card not present, counterfeit cards and lost/stolen card fraud, but the biggest category of card fraud is "first-party" fraud, which is committed either by a thief or a legitimate cardholder who intentionally decides not to pay off a credit card balance, the report showed. Losses are split between card issuers, merchants and acquirers but the majority impacts card issuers, according to Aite Group.
From Dan Balaban “Visa’s U.S. Migration Plan for EMV Supports Contactless and NFC”
U.S. banks also have resisted the call because of the billions of dollars in costs for moving their cards and back-end systems to EMV chip technology.
And from Figure 1, Visa’s global share of Networks’ Payments Volume is about 50 percent, while its share of Credit Cards is about 60 percent.
So we have rough estimates of:
• Visa/Issuers annual lost revenues from US Cardholders who cannot use their Visa credit cards overseas. Surely that number will decrease over time as frequent travelers upgrade to EMV cards (50 percent of all losses)
$0.2235 B
• Credit card fraud savings with EMV, say 10% of all fraud
$0.86 B
Annual gains to Visa/Issuers with EMV, roughly
$1B
• Costs of issuing EMV cards to US Visa Cardholders
$1.4 - $2.8 B
• Costs of retrofitting ATMs
$0.5 B
• Cost of POS terminal upgrades, though this seems a but high, because at $30 per terminal this gives us 225 million terminals in the US, which is more than 1 terminal for each person in the US
$6.75 B
• Cost of upgrading back end systems
$ Several B
Total Costs of Upgrade (mostly Merchants), roughly
$10B
The Merchants’ costs up upgrading to the new system (cost of terminal upgrades, perhaps plus costs of encryption, tokenization, etc.,) clearly swamp the potential benefits (some decrease in fraud, minimal lost sales from EMV Cardholders who haven’t yet upgraded). So, for the Merchants to be persuaded to upgrade to EMV sooner, Visa/Issuers must either decrease the costs or increase the value to Merchants of upgrading to the new system.
The costs of upgrading all Merchants’ terminals to EMV is probably not cost effective for Visa/Issuers, relative to the current benefits. This rules out having Visa/Issuers themselves simply pay to upgrade the Merchants’ terminals. However, Visa/Issuers could use some of the proceeds they will experience through lower costs of Visa network fraud to subsidize the Merchants’ costs of new terminals, say, by paying a portion of the costs outright. In fact, Visa/Issuers could almost certainly provide the terminals to Merchants at lower costs than the Merchants would have to pay on their own, since Visa/Issuers could benefit from lower per-unit terminal prices associated with bulk purchases. In this sense, then, Visa/Issuers could subsidize the costs of terminal upgrades at not cost to Visa/Issuers, simply by negotiating a volume discount. The downside to this is that Merchants would have fewer choices of terminal varieties to choose from than if they were to purchase the terminals —at a greater cost — on their own.
Alternatively, Visa could subsidize the costs of Merchants’ terminal purchases by having a portion of the costs of terminal upgrades be credited towards Merchants’ future Visa credit card transaction fees.
As another option, depending on the relative costs, Visa/Issuers might subsidize the costs of encryption or tokenization for Merchants who upgrade.
In the current mag-strip environment there’s not enough to be gained for Merchants to upgrade on their own. However EMV terminals are equipped to handle next generation technology methods of credit card payments, namely mobile and other contactless transactions. Visa/Issuers might take advantage of this fact to strategically subsidize upgrades for a few, select Merchants whose customers are currently, or soon will be, equipped with contactless or mobile payment devices. These merchants will be more eager to upgrade, since, if they don’t, they risk (sooner than other merchants) losing sales to customers who are early adopters of next generation technology.
As a substitute for strategically subsidizing upgrades of select Merchants, Visa/Issuers could instead strategically upgrade select influential Cardholders, so as to encourage Merchants to upgrade their terminals or risk losing sales to these Cardholders. Since Visa/Issuers will have to pay to upgrade their Cardholders eventually, this would simply entail shifting some future costs forward into the present.
Along these lines of strategic upgrading, Jim Schlegel notes
The emergence of NFC (Near Field Communications) technology, combined with the mainstream adoption of smart mobile devices, has the potential to set the ball in motion to change consumer expectation and demand for how they interact and undertake financial transactions with their retail world and lifestyle brands. The beginning of this potential new wave of emerging payments will be led by advances in applications brought about by contactless cards. Environments that deal with high volumes of customers such as mass transit, quick service restaurants, and live entertainment will see the first deployment of contactless NFC payment cards.
Increasing the adoption momentum of a few select groups may be all it takes to stimulate ripples, then large waves, of adoption throughout the rest of the economy.
As a final note, it is possible, if not likely, that after the new EMV technology has been adopted, the benefits -- savings from decreases in credit card fraud -- might not end up being as large as they were predicted to be. The nature of cat and mouse co-evolution means that when EMV ends up blocking some or most forms of counterfeit and other fraud, thieves will seek out new means of penetration. So what will happen, is that after industry players have spent all that money to upgrade to the new system and counterfeit fraud has been addressed, network players will almost certainly see (perhaps with a bit of a lag) increases in other existing or even new forms of credit card fraud. In particular, countries that have adopted EMV have seen decreases in counterfeit-related fraud, but they have also experienced increases in CNP fraud. Perhaps the new CNP fraud was due to people other than the recently stymied counterfeit fraudsters. Or perhaps the counterfeiters turned their attention away from counterfeit fraud and toward CNP fraud. Richard Sullivan in "The Changing Nature of US Card Payment Fraud: Industry and Public Policy Options" describes the situation succinctly:
The common underlying cause of these vulnerabilities is an information-intensive payment approval process. Criminals have incentives to gather and use the information to commit fraud. Because more in- formation will generally lead to a more accurate approval decision, card issuers (and merchants) have an incentive to continuously expand the data on which they rely (Roberds and Schreft 2008). The result appears to be an escalating cycle of card issuers adding information to their databases and criminals devising ways to gather the information….