It’s nearly November, and many of us in the payments space are still reeling from EMV. Nothing like waiting until the last minute to convert, right?
One of the topics that has not been covered as much from a breach perspective is the consideration of the cost of re-issuance in a post-EMV world. Graves, Acquisti, and Christin (2014) published a working paper discussing some of the challenges that issuers face when it comes to the decision of re-issuance. Through their analysis they suggest investing in analytics to only re-issue when fraud losses begin occurring on lost cards.
When a payment card is known to be included in a card dump from a breached merchant, issuers have a choice to make. Should they de-activate that card, knowing that the card may have fraudulent transactions on it, or should they let it go given that many cards involved in a breach never see fraud?
Not all breached cards are re-issued for a number of reasons. Issuers are getting better at detecting fraud and use these skills to remove some of the cost of re-issuance through analytics. If that issuer has now switched to issuing EMV cards, these models must change as the cost goes up dramatically.
From my research, issuing EMV cards is around 3 times more expensive than a static magstripe card. What used to be between $1 and $2 to re-issue (volume makes a huge difference here) may now be upwards of $3 to $5. When you think about the size of some of these big breaches, the cost to re-issue jumps up pretty quickly. With fraud shifting to the card-not-present channel, issuers will need to get smarter in their ability to detect fraud in the system, and react quickly to minimize losses. In addition, any models around re-issuing must be updated to reflect the new cost of re-issue, meaning that some fraud in the system may be preferred over blanket re-issuance.
Graves, J. T., Acquisti, A., & Christin, N. (2014). Should payment card issuers reissue cards in response to a data breach. In 2014 Workshop on the Economics of Information Security.