SIX Card Solutions
The latest set of statistics issued by Financial Fraud Action UK(1) show that fraud losses on UK cards decreased in the first half of 2011 compared with the same period last year. Total fraud losses on UK cards fell to £169.8 million between January and June 2011. This represents a nine per cent reduction compared with losses in the first six months of 2010. The 2011 half-year total is the lowest for 11 years and also the third consecutive decrease. Data released by the UK Cards Association(2) earlier this year also showed a similar fall in fraud losses. The largest drop, according to those statistics, has been in counterfeit card fraud where a card is cloned or skimmed – which last year was cut by an impressive 41 per cent to £47.6 million when compared to 2009.
The sustained fall in card fraud has been attributed to the success of a number of industry initiatives such as the increasing use of fraud detection software and the roll-out of updated chip cards. In terms of counterfeit fraud specifically, the greater adoption of anti-skimming equipment attached to automatic teller machines (ATMs) – where fraudsters typically copy details from the magnetic stripe of a genuine card – and the increasing roll-out of Chip and PIN technology beyond the UK are largely accredited for the fall in card-present fraud.
Reassuring as these figures are, and despite the now widespread roll-out of Chip and PIN in Europe, counterfeit fraud has not been totally eradicated and remains a big issue for many European banks’ card operations and merchants in the region. EMV migration has been effective insofar as it has minimised losses against card-present fraud. Yet, until it becomes a universally applied standard across the world, fraud techniques around skimming will remain attractive to fraudsters keen to exploit regional loopholes, such as in the US.
News that 111 people were recently arrested in New York in a massive US$13 million card fraud scam is a valuable and timely reminder of just how easy it still is to skim credit card details in the US. Following the case, NYPD Commissioner Raymond Kelly was quoted as saying: “Thieves have an amazing knowledge of how to use technology . . . The schemes and the imagination that is developing these days are days are really mind-boggling.” (3) Ironically though, there was nothing sophisticated about this crime. On the contrary, it was age old “traditional” skimming techniques employed to extract customers’ credit card details from the magnetic stripe, which could then be used either to manufacture false credit cards or for online purchases. This is still possible in the US because of the Americans’ reluctance to embrace Chip and PIN across their continent despite the successful implementation of this proven technology in Europe and, more recently, Canada.
There are many factors that can help explain the Americans’ aversion to Chip and PIN, namely their love of the magnetic stripe. Aside from consumer habits and preferences, there is also no perceived financial benefit of migrating over to EMV. Historically, relatively low telecommunication costs for card validation by phone in the US, compared to higher costs in Europe before the liberalisation of the telecommunication industry, was a factor. More recently, the sheer number of point-of-sale (POS) terminals and volume of card transactions means that the expense and inconvenience of implementing Chip and PIN technology for many stateside outweighs the cost of absorbing any losses due to fraud. In addition, as there is no liability on banks in the US should their customers lose out to fraud, the business case for a move to EMV is further undermined.
However, Chip and PIN may not be a complete lost cause in the US. Reasons to upgrade the US infrastructure to support EMV have become far more appealing after Visa recently signalled its determination to push the country into abandoning magstripe cards in favour of Chip and PIN technology. Visa’s roadmap includes an incentive for merchants to install chip-enabled terminals: When 75 per cent of a merchant’s transactions originate from chip terminals (4), that merchant will no longer have to go through the troublesome process of annually validating their compliance with the PCI DSS standard. There will also be a shift in the liability for counterfeit fraud. Under Visa’s new plan, if a transaction using a counterfeit card is carried out at a merchant without a chip-enabled terminal, liability will lie with the merchant acquirer.
This is a positive development for payments security and the first time a major player in the cards industry has provided a clear route to EMV migration. It follows a growing number of proactive initiatives by large American companies to go it alone and adopt Chip and PIN technology. Companies like Wells Fargo and Chase Card Services are beginning to recognise how outdated the 50-year old magnetic stripe has become and how the customer and account identification data stored on it makes the card vulnerable to skimming. Americans themselves are also starting to realise that there are instances when abroad in Europe – such as buying a ticket at train vending machine – where only Chip and PIN is accepted. In such situations, they have to revert to cash which makes travelling more inconvenient and expensive for them. Indeed, the State Employees’ Credit Union, which recently became one of the first financial institutions in the US to implement EMV card chip technology, claimed that one of the reasons it made the move was due to obstacles travelling members faced when merchants refused to accept magstripe cards.
These hurdles are mounting as more and more EMV-enabled countries look to tackle the problem of counterfeit fraud. As of January this year, 22 Belgian banks made the decision to block their debit cards for usage outside of Europe and it has been reported that this measure has already led to a decrease in fraud due to skimming. While this is a first step in combating fraud, in the long run, it is recommended that steps should be taken to tackle the problem of skimming at its root by removing the magnetic stripe altogether. This has been reiterated more recently by the ECB’s Gertrude Tumpel-Gugerell (Member of the Executive Board) who stressed the importance of security within SEPA (Single Euro Payments Area) and called for issuers to drop magstripes from their cards. Following suit, this is the approach Luxembourg has taken where banks have decided to replace Maestro cards with VPay cards, which only have Chip and PIN capability.
However, while the simple solution is to mandate Chip and PIN technology worldwide in order to stamp out counterfeit fraud altogether, this does not look like it will happen anytime soon. For example, the SEPA regulation mandates EMV in the eurozone but only as far as the issuing side. Therefore, there needs to be broader and more far reaching regulation, as well as an industry agreement, on how to move forward with this issue. If global legislation does come in to prohibit magstripe cards, it will require countries like the US to either adopt EMV or introduce alternative ways for card users to authorise their payments and ensure the genuine card is being used. While Visa’s plans to persuade US banks and merchants to adopt EMV technology are promising, it does not oblige them to do so and could still result in a fragmented deployment of Chip and PIN in the US. There is speculation that should the US implement a card fraud strategy, it is likely to skip Chip and PIN altogether and opt for the next generation of payment security technology in a mobile solution. This is perhaps why Visa has set out a programme to drive the adoption of dual-interface chip technology and compel merchants to invest in terminals that support both contact and contactless chip acceptance, including mobile NFC.
Nevertheless, the reality is that until a common standard is introduced, counterfeit fraud will continue to appeal to fraudsters keen to take advantage of the gaps in Chip and PIN protection. As such, banks need to ensure that if they cannot prevent a card being reproduced for fraudulent purposes, they should be able to monitor the transaction flow and stop the fraud in its tracks. This requires effective fraud management processes, such as the setting up of reliable customer-specific rules and back-office tools to block settlements. At least these systems can flag any irregularities in a customer’s transaction behaviour as soon as possible and open a case to investigate.
Despite promising statistics on the fall in counterfeit fraud, the key to eliminating it is to fight it together. Europe is certainly on its way to eradicating this type of fraud, however, for it to be completely eradicated, the US will need to say farewell to their beloved magnetic stripe as well. Only this way will the US authorities and banking community be able to avoid a repeat of the US$13 million card fraud scam in New York. And only then will the industry be equipped to tackle counterfeit fraud head-on.
1. Financial Fraud Action UK PR
2. UK Cards Association
3. WSJ article
4. VISA PR