03 September 2015
A global approach is essential to address global online fraud
In 2013 the total value of reported fraud using cards issued in SEPA amounted to 1.44 billion euros. Still, only 1 in 5.000 transactions (0.020%) is subject to fraud. These are some of the outcomes of the fourth report on card fraud, issued by the ECB. In short, the value of fraud on cards issued inside SEPA increased for Card Not Present (CNP) transactions and decreased across the other transaction channels. Why is CNP fraud increasing and what needs to be done to stop it?
This fourth oversight report on card fraud analyses developments in fraud related to card payment schemes (CPSs) in the Single Euro Payments Area (SEPA) and covers almost the entire cards market. One of the conclusions is that fraud in general decreased, which is mainly because of geo-blocking. This means that cards that were skimmed in one country could no longer be used in other countries to withdraw cash from an ATM, using the so-called “track 2” data, copied from the magnetic stripe. The use of the card abroad with the magnetic stripe is blocked by default, unless the cardholder validates this option in his online banking environment. This measure has led in the Netherlands to a mere diminishing of this type of fraud.
CNP fraud keeps increasing
It is becoming more difficult for criminals to use stolen magnetic stripe card data, but this does not mean that they cease their attempts to steal money. What the report rightly states is that CNP transaction fraud still increases. A CNP transaction is ‘a payment card transaction made where the cardholder does not or can not physically present the card for a merchant’s visual examination at the time that an order is given and payment effected’.
CNP fraud is the major part of all the fraud that is committed with debit and credit cards. CNP transactions are mainly done via the web (e-commerce). The EBC stated that the European Banking Authority (EBA) published recommendations to improve the security of online payments. All the payment service providers should have implemented these measures as of August 1st, 2015.
The need of a global approach
The question is whether these measures are sufficient to curb the increasing fraud while the popularity of online payments keeps increasing. The problem is the fact that e-commerce is a global market and local policies do not have a big effect. A short time ago, fraud was committed locally and that meant that it could be dealt with locally. CNP transactions provide a global platform to fraudsters and local, European of country specific guidelines therefor seem inadequate. Countries in the EU struggle to work together on fraud detection. Cooperation, both operationally amongst institutions and legally in law enforcement with countries outside the EU sometimes almost seem like a mission impossible.
To detect or fight fraud in a global market is very difficult and that is why there should be more focus on prevention. Methods of identification of card and account holders and the validation of transaction data are now the subject of worldwide research.
New forms of payments imply new forms of fraud
The newest guidelines from the ECB, such as the Payment Services Directive, dictate that banks provide access to their account systems for providers of payment solutions. This means that third parties will be able to develop payment applications to implement web shops or that developers are given the chance to introduce a peer-to-peer payment system. This can lead to new forms of payment. New forms of fraud have yet to be invented for these new payment types, but one thing is certain: it will happen.
It is necessary to introduce a new and more robust method of identification and verification to make it as difficult as possible for fraudsters. Recently, a card scheme made an announcement that they will add photo recognition to their arsenal of preventive measures to stop on-line fraudsters. It is probably a matter of days or weeks before fraudsters counter this measure. Therefore I would advocate the implementation of an electronic ID system, whereby only the actual cardholder can make a transaction. This new e-ID contains sub-identities that are provided by trusted parties. For instance, without the need to display the full passport a sub-identity can be used to prove the vendor in the liquor store that someone is older than eighteen years old. It can be used to prove that someone is authorized to make a transaction or that he is the legitimate owner of a debit or credit card.
Easy big money
As any system and any standard that is known to mankind, there will be a time where this new system will be subject to attacks. That is why there should be a really swift way to limit the fraud and issue a new transaction identity to the victim and void the one that has fallen in the hands of the criminal. It should become too much of a hassle for the criminal to steal a very limited amount of money against an enormous effort. These economics are one of the main drivers for fraudsters: easy big money.
At the moment various stakeholders are working on a global standard, so that the various countries can issue e-ID’s locally. Only with a global mindset and our eyes on the economics of fraud, card not present fraud will be successfully addressed around the globe.
- Regulation & Compliance