In 2014, credit card fraud cost American retailers $32 billion – enough to pay for seven Nimitz-class nuclear aircraft carriers, with enough left over to build a state-of-the-art sports arena. So the news that we’re now just three months away from the conversion to EMV (also known as chip-and-PIN*) technology on credit and debit cards comes as a breath of relief for those businesses and their customers alike.
But since EMV mainly protects against in-person fraud using cloned magstripe cards, there’s been a lot of speculation that most of the fraud will simply move online. It’s a pretty reasonable fear, since that’s exactly what happened when chip-and-PIN was introduced in Australia, France, and the UK. Right now, fraud affects 0.9% of the just over $300 billion in annual online sales, and both numbers are projected to rise in the next few years. If nothing is done, this could be the next great crime wave to hit the payments industry.
With the amount of money stolen through credit card fraud, you could buy seven of these every year.
How to stop the impending disaster? Experts have proposed everything from tokenization to biometrics, but as yet no clear plan exists. Halfway around the world, though, banks in India seem to have hit on a solution that has reduced card-not-present fraud to near zero for anyone who uses it. Any time a card is used to make an online purchase, the issuer sends a text message with a one-time password that must be entered to complete the purchase. While this is obviously not a universal feature worldwide – and almost unheard-of in the U.S. – it’s mandatory for e-commerce sites based in India, and it is built into the payments platform on the bank’s back end, with no visible cost or setup time for the merchant. For in-person transactions, a regular chip-and-PIN system is used, which is sufficient since the original card is present.
Let’s stop for a moment and think about how this compares to what we’re doing in the U.S. The important part here is that in both cases – either a card-present or a card-not-present transaction – the Indian system adds a second authentication factor that only the legitimate cardholder can supply. A chipped card by itself prevents the card from being cloned, but does nothing if the card itself is stolen. Chip and PIN renders both a cloned and a stolen card useless, but doesn’t prevent online fraud, where the card is never presented at all. A one-time password sets up a final roadblock when a thief tries to use your stolen card data for online purchases.
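As an added example (not code from the original post, and not any Indian bank’s actual platform), here is a minimal model in Python of the issuer-side logic the paragraphs above describe: a code is generated for one transaction, handed off for SMS delivery, and then checked exactly once. The class and function names, the six-digit code length, the three-minute lifetime and the three-guess limit are all assumptions chosen for illustration. What the example shows beyond the prose are the checks a practitioner would want around the “second factor”: the code comes from a CSPRNG, only a salted hash of it is stored, it is bound to a single transaction, it expires, it is consumed on first success so it cannot be replayed, wrong guesses are bounded, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Policy knobs. These values are assumptions for this example, not figures
# taken from any bank's actual deployment.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 180        # a code is only good for three minutes
MAX_ATTEMPTS = 3             # three wrong guesses and the challenge is dead


@dataclass
class Challenge:
    """Issuer-side record for one pending card-not-present transaction."""
    salt: bytes
    digest: bytes            # salted SHA-256 of the code; the plaintext is never stored
    expires_at: float        # absolute time (seconds) after which the code is void
    attempts: int = 0


@dataclass
class OtpIssuer:
    """Minimal model of the bank back end that issues and checks SMS codes.
    The clock is passed in explicitly so expiry can be exercised deterministically."""
    pending: dict = field(default_factory=dict)   # txn_id -> Challenge

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, txn_id: str, now: float) -> str:
        """Create a fresh code bound to txn_id and return it for delivery (SMS or
        otherwise). The code comes from a CSPRNG; re-issuing for the same txn_id
        replaces, and therefore invalidates, any earlier challenge for it."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[txn_id] = Challenge(
            salt=salt,
            digest=self._hash(code, salt),
            expires_at=now + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, txn_id: str, submitted: str, now: float) -> str:
        """Check a submitted code. Returns one of:
        'ok'       - correct; the challenge is consumed and cannot be replayed
        'unknown'  - no pending challenge for txn_id (never issued, or already used)
        'expired'  - the code's lifetime has passed
        'mismatch' - wrong code, guesses remain
        'locked'   - wrong code, and the guess budget is now exhausted"""
        ch = self.pending.get(txn_id)
        if ch is None:
            return "unknown"
        if now > ch.expires_at:
            del self.pending[txn_id]
            return "expired"
        ch.attempts += 1
        # Constant-time comparison of the hashes, so a wrong guess does not leak
        # how many leading characters matched.
        if hmac.compare_digest(self._hash(submitted, ch.salt), ch.digest):
            del self.pending[txn_id]          # single use
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            del self.pending[txn_id]          # too many guesses: force a re-issue
            return "locked"
        return "mismatch"


def wrong_code_for(code: str) -> str:
    """Helper for demonstrations: return some code that differs from `code`."""
    zeros = "0" * OTP_DIGITS
    return zeros if code != zeros else zeros[:-1] + "1"
```

Because `issue()` hands the code back instead of sending it, the delivery channel is the caller’s choice; that is the seam where a backup path other than SMS would plug in for cardholders whose phone cannot receive the message.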
Which one is the U.S. going to use? Naturally, it’s a chip-and-signature system, which is to say the same thing as a chipped card by itself. Of the three major doorways to fraud, two will still be left wide open. Why this was decided is anyone’s guess, although according to this excellent primer on the subject from security expert Brian Krebs, it was largely a matter of cost: fraud from lost and stolen cards is a smaller piece of the pie in the U.S., and the card issuers were more worried about losing business to their competitors (by complicating the transaction with a PIN) than about the risk of lost/stolen card fraud.
Back on topic: would India’s one-time password system work in the United States? The first thing you’d need is a mobile phone, and 91 percent of American adults had some kind of mobile device as of 2013, according to Pew Research. So at first glance, online retailers would need to be convinced to voluntarily give up 9 percent of their potential customers to prevent fraud that today runs at roughly 1 percent of sales – not a winning tradeoff. But if the 9 percent without mobile phones are the same people who do the least online shopping – or are less likely to have credit cards or bank accounts – then it becomes a much more balanced proposition. A more thorough cross-segment analysis would be needed, but when online fraud starts to spike in the coming years, it’s a safe bet that analysis will come.
What about practical concerns? The first is standardization: if everyone isn’t using the same system, it won’t be fully effective. As we’re seeing now with EMV, it is possible to standardize something as massive as the U.S. payments system, albeit slowly and at great expense: about $4 billion worth of cards and $8 billion worth of terminals had to be replaced. India’s own transition to EMV was made somewhat easier by the fact that the banks are also in the merchant acquiring business, and POS terminals are sold differently there. Typically, the terminal is bought and maintained by the acquirer, who recovers the cost of the device from transaction fees – the main point being that there is no up-front cost to the merchant. But since one-time passwords are mainly an e-commerce measure, no such enormous hardware overhaul would be necessary. The main expense would be updating the software behind POS terminals and e-commerce sites: the issuer’s back end has to generate, deliver and check the codes, and the merchant’s checkout has to collect them. That’s nothing to sneeze at, but probably not in the billions either.
The major obstacle to one-time SMS codes is more likely one of convenience. Imagine the frustration of being unable to complete a purchase from Amazon because the mobile reception inside your apartment is unreliable, and you’ll understand why solving that problem is not optional. According to our sales manager in India, it’s rare but not unheard of for poor mobile reception to sabotage a transaction, and it’s mostly an urban/rural divide. If you’ve ever looked at network coverage maps of the United States, you can tell it would probably be a similar problem here, so an alternative means of delivering the password – one that doesn’t depend on an SMS reaching the phone – would have to be available as a backup.
Can it be done, given what’s at stake? Right now, online fraud stands at over $3 billion per year; in the next 36 months it’s projected to double. Over the next decade, that gives us tens of billions of dollars’ worth of incentive to work on a solution.
*In the U.S., most card issuers have dropped the PIN requirement from credit cards, resulting in a less secure “chip-and-signature” standard. This still protects against fraud from cloned cards, but offers no protection when the original card itself is stolen.