According to statistics released by the UK Cards Association earlier this year, fraud losses on UK cards, cheques and online banking have fallen to their lowest levels since the turn of the century. The largest drop has been in counterfeit card fraud – where a card is cloned or skimmed – which last year was cut by an impressive 41% to £47.6m when compared to 2009. Several factors have been attributed to the decline of this type of fraud, not just in the UK but across Europe. For instance, the greater adoption of anti-skimming equipment attached to automatic teller machines (ATMs) – where fraudsters typically copy details from the magnetic stripe of a genuine card – has helped reduce counterfeit fraud. Yet Chip and personal identification number (PIN) is still largely credited with the fall in card-present fraud.
Until the introduction of Chip and PIN, all face-to-face plastic card transactions used a magnetic stripe to read and record account data, and a signature for verification. This system has proved reasonably effective but has a number of security flaws, namely that cards can be easily cloned and used without the owner’s knowledge through forged signatures. Therefore, Europay Mastercard Visa (EMV) technology, or Chip and PIN as it has been branded, was developed to overcome this problem and enhance the authentication process by requiring the user to enter a unique PIN to authorise a payment.
However, despite the now widespread roll-out of Chip and PIN in Europe, counterfeit fraud has not been totally eradicated and, while it is decreasing, it still remains a big issue for many European banks’ card operations and merchants in the region. EMV migration has been effective insofar as it has minimised losses against card-present fraud, but until it becomes a universally applied standard across the world, fraud techniques around skimming will remain attractive to fraudsters keen to exploit regional loopholes, such as in the US.
Chip and PIN in the US
Despite the successful implementation of Chip and PIN in Europe, the US has been reluctant to embrace this proven technology. There are many factors that can help explain the US’ aversion to Chip and PIN. Aside from consumer habits and preferences, there is also no perceived financial benefit of migrating over to EMV. Historically, relatively low telecommunication costs for card validation by phone in the US, compared to higher costs in Europe before the liberalisation of the telecommunication industry, were a factor. More recently, the sheer number of point-of-sale (POS) terminals and volume of card transactions means that the expense and inconvenience of implementing Chip and PIN technology for many stateside outweighs the cost of absorbing any losses due to fraud. The business case for a move to EMV is further undermined by the fact that there is no liability on banks in the US should their customers lose out to fraud.
However, reasons to upgrade the US infrastructure to support EMV have become far more appealing after Visa signalled its determination to push the country into abandoning magstripe cards in favour of Chip and PIN technology. Visa’s roadmap includes an incentive for merchants to install chip-enabled terminals: when 75% of a merchant’s transactions originate from chip terminals, that merchant will no longer have to go through the troublesome process of annually validating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There will also be a shift in the liability for counterfeit fraud. Under Visa’s new plan, if a transaction using a counterfeit card is carried out at a merchant without a chip-enabled terminal, liability will lie with the merchant acquirer.
A Clear Route to EMV Migration
This is a positive development for payments security and the first time a major player in the cards industry has provided a clear route to EMV migration. It follows a growing number of proactive initiatives by large American companies to go it alone and adopt Chip and PIN technology. Companies like Wells Fargo and Chase Card Services are beginning to recognise how outdated the 50-year-old magnetic stripe has become and how the customer and account identification data stored on it makes the card vulnerable to skimming. Americans themselves are also starting to realise that there are instances when abroad in Europe – such as buying a ticket at a train vending machine – where only Chip and PIN is accepted. In such situations, they have to revert to cash, which makes travelling more inconvenient and expensive for them. Indeed, the State Employees’ Credit Union, which recently became one of the first financial institutions in the US to implement EMV card chip technology, claimed that one of the reasons it made the move was due to obstacles travelling members faced when merchants refused to accept magstripe cards.
These hurdles are mounting as more and more EMV-enabled countries look to tackle the problem of counterfeit fraud. As of January this year, 22 Belgian banks made the decision to block their debit cards for usage outside Europe and it has been reported that this measure has already led to a decrease in fraud due to skimming. While this is a first step in combating fraud, in the long run, it is recommended that steps should be taken to tackle the problem of skimming at its root by removing the magnetic stripe altogether. This is the approach Luxembourg has taken where banks have decided to replace Maestro cards with VPay cards, which only have Chip and PIN capability.
These moves follow the publication of the seventh progress report by the European Central Bank (ECB) last October, which recommended that from 2012 onwards all newly issued cards in the single euro payments area (SEPA) should be issued, by default, as ‘Chip-only’ cards. This has been reiterated more recently by the ECB’s Gertrude Tumpel-Gugerell, a member of the executive board, who stressed the importance of security within SEPA and called for issuers to drop magstripes from their cards.
Indeed, the debate around the universal adoption of Chip and PIN technology and the abolition of cards with magnetic stripes stepped up a gear in the UK earlier this year, when fraudsters began targeting tube and rail commuters for their card details by attaching skimming devices to station ticket machines. Similar to ATM fraud, the magnetic stripe was being copied as passengers bought tickets and then used to create fake cards for use in countries with no Chip and PIN protection.
This new approach to skimming highlighted how fraudsters are reinventing ways in which to steal card details to exploit in non-EMV countries and are always looking at ways to counteract the fraud prevention tools already in place. Whereas ATM fraud has been reduced by anti-skimming devices, these fraudsters simply turned to other terminals where they can capture the same data. Although it may take time for these frauds to become apparent, it is clear that the industry cannot take the declining counterfeit fraud figures for granted and divert efforts away from stamping it out altogether.
While Visa’s plans to persuade US banks and merchants to adopt EMV technology are promising, they do not oblige them to do so and could still result in a fragmented deployment of Chip and PIN in the US. One simple solution is to mandate Chip and PIN technology worldwide in order to stamp out counterfeit fraud altogether. Adopting this proactive security measure will no doubt place even more pressure on non-EMV countries like the US to follow suit.
However, this does not look like it will happen anytime soon. For example, the SEPA regulation mandates EMV in the eurozone but only as far as the issuing side. Therefore, there needs to be broader and more far-reaching regulation, as well as an industry agreement, on how to move forward with this issue. If global legislation does come in to prohibit magstripe cards, it will require countries like the US to either adopt EMV or introduce alternative ways for card users to authorise their payments and ensure the genuine card is being used. There is speculation that should the US implement a card fraud strategy, it is likely to skip Chip and PIN altogether and opt for the next generation of payment security technology in a mobile solution. This is perhaps why Visa has set out a programme to drive the adoption of dual-interface Chip technology and compel merchants to invest in terminals that support both contact and contactless Chip acceptance, including mobile near field communication (NFC).
Nevertheless, the reality is that until a common standard is introduced, counterfeit fraud will continue to appeal to fraudsters keen to take advantage of the gaps in Chip and PIN protection. As such, banks need to ensure that if they cannot prevent a card being reproduced for fraudulent purposes, they should be able to monitor the transaction flow and stop the fraud in its tracks. This requires effective fraud management processes, such as the setting up of reliable customer-specific rules and back-office tools to block settlements. At least these systems can flag any irregularities in a customer’s transaction behaviour as soon as possible and open a case to investigate.
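The customer-specific rules and settlement blocking described above can be sketched as follows. This is an added example, not code from the article or from any bank or card scheme; the field names, region labels and decision values are assumptions made for illustration, and the transactions are constructed.

```python
from dataclasses import dataclass, field

EMV_REGIONS = {"EU", "UK"}  # constructed: regions where chip terminals are the norm

@dataclass
class CardProfile:
    card_id: str
    has_chip: bool
    allowed_regions: set            # customer-specific rule, e.g. Europe only
    cases: list = field(default_factory=list)   # investigations opened so far

def evaluate(profile, txn):
    """Decide 'approve', 'review' or 'block' for one card-present transaction."""
    reasons = []
    if txn["region"] not in profile.allowed_regions:
        reasons.append("region not enabled for this customer")
    if (profile.has_chip and txn["entry_mode"] == "magstripe"
            and txn["region"] in EMV_REGIONS):
        reasons.append("magstripe used where chip was expected")
    if not reasons:
        return "approve"
    # Geo-blocked use is refused outright; a stripe read at home is investigated.
    decision = "block" if txn["region"] not in profile.allowed_regions else "review"
    profile.cases.append({"txn": txn["id"], "decision": decision, "reasons": reasons})
    return decision

def screen(profile, txns):
    """Run the rules over a transaction flow; return ids whose settlement is held."""
    return [t["id"] for t in txns if evaluate(profile, t) != "approve"]

# Constructed sample flow: a chip payment, a stripe read at home, a stripe read abroad.
SAMPLE = [
    {"id": "t1", "region": "UK", "entry_mode": "chip"},
    {"id": "t2", "region": "UK", "entry_mode": "magstripe"},
    {"id": "t3", "region": "US", "entry_mode": "magstripe"},
]

if __name__ == "__main__":
    home_only = CardProfile("card-A", True, {"EU", "UK"})
    traveller = CardProfile("card-B", True, {"EU", "UK", "US"})
    print(screen(home_only, SAMPLE), home_only.cases)
    print(screen(traveller, SAMPLE), traveller.cases)
```

The customer who has enabled US use still has the home-region stripe read held for review, while the stripe read in the US is approved because no chip terminal is expected there.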
Despite promising statistics on the fall in counterfeit fraud, the key to eliminating it is to fight it together. Europe is certainly on its way to eradicating this fraud by killing off the magnetic stripe; however, for this to have a real impact, the US will need to say farewell to this die-hard technology as well. In addition, as the banks grapple with this specific fraud issue and the innovative ways in which fraudsters are approaching it, they also need to keep an eye on fraud levels associated with new payment methods such as mobile payments and contactless. As such, banks cannot afford to be complacent.