The Changing Face of Payment Security

2010 looks set to be the year when payments take centre stage. Despite the global recession, electronic transaction volumes have continued to rise and, as the economy picks up, volumes will only increase. However, as the number of transactions grows, so too does the opportunity for fraud. In line with this trend, the financial services community has been implementing measures to combat the risk of fraud, which seem to be paying off. Card fraud in the UK, for example, dropped by 23% during the first half of 2009, compared with the same period last year. However, the industry cannot become complacent if it is to retain customer trust.

Face-to-face Payment Security

Since 2003, UK face-to-face card fraud has declined significantly. This trend can be traced back to the UK’s adoption of EMV, or chip and PIN. The migration to EMV in the UK had an immediate impact on fraud reduction and, according to the UK Payments Administration, losses on high street transactions fell by 67%, from £218.8m in 2004 to £73m in 2007. EMV is mandated across the entire eurozone as part of the Single Euro Payments Area (SEPA) Cards Framework.

Equally, Australia has stepped up its migration to chip and PIN cards and will ban signature transactions by April 2013, while Canada will not be accepting magnetic stripe transactions beyond 2015. As criminals move away from countries with secure chip and PIN payment systems, countries that continue to use magnetic stripe technology, such as the US and parts of the Middle East, are likely to be seen as increasingly attractive targets. Because the regional disparities in face-to-face payment security will remain, in the short term at least, this trend of fraudsters moving activity to less secure areas looks set to continue throughout 2010.

CNP Fraud

Two-factor authentication

UK banks have spearheaded the fight against card-not-present (CNP) fraud through the roll-out of two-factor authentication technologies. In 2007, banks rolled out smart card readers (CAP, or Chip Authentication Programme, readers) to provide two-factor authentication for their online banking customers and, according to APACS, online banking fraud losses fell by 33% between 2006 and 2007 as a result. Barclays, Nationwide and RBS have all distributed card readers to customers. By requiring customers to authenticate themselves strongly, using an unconnected smart card reader together with their bank card, the banks obtain the identity confirmation they need before a transfer is initiated. In fact, an announcement by Barclays stated that customers using two-factor authentication for online banking experience no fraud whatsoever.

Despite the initial decline in fraud following the roll-out of card readers, 2009 has seen an increase in online banking fraud. Financial Fraud Action UK suggested that online banking fraud had actually risen by 55% in the first half of 2009. As with the migration to EMV by some regions, the adoption of two-factor authentication by some banks may have left those without this technology more vulnerable to fraud, because criminals now know whom to target. As a result, attacks can be focused on those customers without access to two-factor authentication technology, and this may have resulted in an increased number of successful attacks.

Without two-factor authentication technology, consumers are left open to phishing and to malware attacks that target vulnerabilities in customers’ PCs. Which? Computing judged banks without this technology, such as Abbey and Halifax, as having ‘poor’ online security. Both banks require three pieces of information to be entered in full at log-in, which leaves that information vulnerable to a simple keylogger that captures keystrokes, or even characters picked from a drop-down list, for the fraudster to use later to gain access to the account. One way for all banks to protect their customers and stem the rising tide of fraud would be for all of them to roll out two-factor authentication technologies to their customers in 2010.

E-commerce security

While 2009 has seen growth in online banking fraud, there has been a significant decline in CNP fraud during this time. Much of this is due to increased e-commerce security. So what was done to achieve success this year? To date, card schemes have led the charge in initiatives that address e-commerce fraud. Verified by Visa and MasterCard SecureCode are two initiatives that encourage customers to register in order to protect transactions with an additional password. The systems allow financial institutions to confirm a cardholder’s identity to the online retailer, thus making transactions more secure against fraudsters.

To make e-commerce even more secure, banks should consider extending two-factor authentication to the e-commerce environment. The fact that the infrastructure for two-factor authentication has already been put in place for online banking means that there is a strong business case to employ two-factor authentication more broadly online. With few opportunities to differentiate services, banks should seize the opportunity to extend their security offering to e-commerce and demonstrate to customers that they are reacting to the threat of fraud, improving customer retention as a result.

Protecting Cardholder Data

2009 also saw increased momentum behind protecting cardholder data as it is stored and processed by banks, payments institutions and merchants. While card scheme mandates require PINs to be protected through encryption, cardholder data has not had the same protection and is vulnerable to fraud. The focus on protecting cardholder data is in large part due to the impact of the Payment Card Industry Data Security Standard (PCI DSS). This standard aims to prevent any information that could be used to make a counterfeit card or a fraudulent online transaction from falling into the wrong hands, and applies to every acquiring bank, merchant and third party that accepts or processes payment cards.

It is now mandatory for businesses with over 100,000 transactions a year either to be PCI DSS compliant or to be able to demonstrate plans to become so. Furthermore, the European Commission (EC) is considering implementing data protection regulation for all companies that accept payments. As a result, 2009 has seen an increased focus on compliance with data security mandates within the payments industry. As requirements will become more stringent over time, and the PCI council is already discussing the next version of its data security standard, meeting regulatory requirements will continue to be a focus for all parties involved in processing payments throughout 2010.

In the past year, US merchants and processors, in particular, have been extremely active in pursuing end-to-end encryption projects to protect cardholder data throughout the payments network. The Accredited Standards Committee X9 (ASC X9) is working on end-to-end encryption standards, but many organisations have chosen to go ahead with their projects now, with the goal of improving PCI DSS compliance. In the US, PIN debit is another means of improving transaction security: cardholders using their debit card for purchases must enter their PIN, which is validated with the issuer. Like the roll-out of chip and PIN in EMV territories, this does require a point of sale (POS) terminal upgrade, which can be a barrier to adoption for smaller merchants, or for those with integrated tills.

2009 has also seen increased buzz around the use of tokenisation as a key way to help secure card data and comply with PCI DSS, and projects using this technology are now being pursued by many large merchants. However, until now there has been relatively low awareness of what tokenisation is and how it can add to the security mix. Tokenisation involves substituting card details (which can be used for fraud) with random numbers (which are useless to a fraudster). So, when an organisation processes a given transaction, instead of tracking the transaction using card details, it uses a random number, or token, that has been allocated to represent the card. The card details themselves are encrypted and held in one place and, as tokens rather than card details are used to record and track transactions, far fewer systems ever handle card numbers. Consequently, the opportunity for data spillage or fraudulent interception is significantly reduced.
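The scheme just described, as an added example that is not part of the original article: a small token vault that hands a merchant a random token in place of the card number (PAN), so that the merchant's own records can track a card without ever storing it. The `TokenVault` class, the choice to keep the PAN's last four digits on the token and to make tokens fail the Luhn check are all design choices assumed here, not requirements from the article; encryption of the vault's own PAN records at rest is also assumed and not implemented.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Luhn check used for card numbers; returns True for a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Constructed token vault: the only component that holds real PANs.
    Tokens are generated at random rather than derived from the PAN, so a
    stolen merchant database of tokens reveals nothing about the cards.
    (A production vault would encrypt its PAN records; omitted here.)"""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}   # same card -> same token, so merchants can track it

    def tokenise(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # randomise the first 12 digits; keep the last 4 for receipts
            body = "".join(str(secrets.randbelow(10)) for _ in range(12))
            token = body + pan[-4:]
            # reject collisions, and reject anything that passes Luhn so a
            # token can never be mistaken for (or equal to) a real PAN
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault (e.g. at authorisation time) turns a token back into a PAN."""
        return self._token_to_pan[token]
```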

In 2009, the payments industry put protection of cardholder data firmly on the agenda and efforts to increase security will only escalate next year. End-to-end encryption and tokenisation are key to tackling this issue and 2010 will see more widespread deployment of both these technologies throughout the industry.

Contactless Takes Off

The adoption of new payment methods will significantly impact upon the payments landscape in 2010. The biggest change is likely to result from the greater adoption of contactless payments. This is due in large part to a series of initiatives from card companies, mobile phone operators and big retail groups. Uptake is likely to be driven by certain players. For example, Barclays has said that its plans model a migration of 26% of cash transactions to contactless cards by 2016, which it predicts will double card transaction volumes for UK acquirers.

2009 has seen much talk of the roll-out of contactless payments on mobile phones, and the buzz around this innovation will continue in 2010. Further trials have recently been announced, and more are expected in 2010. However, mobile contactless is unlikely to be rolled out widely for a few years yet. In terms of deployment in 2010, the focus will remain firmly on contactless cards.

When developing contactless cards, security has been a top priority. The payments industry has added security both on the contactless devices and in the processing network, and the measures include generating a unique card verification value, or CVV, for each transaction. Additionally, and unlike traditional payments, with contactless it is possible to detect repeat attacks. A ‘repeat attack’ (a replay attack) is where the fraudster obtains all the information from a real transaction and then conducts the same transaction many times over.

The fraudster relies on the system under attack not realising that it is receiving repeated copies of the same real transaction. However, the added network security in contactless means that each transaction can only be processed once. Consequently, this type of fraud will be more difficult to commit. Furthermore, the processing of some contactless payments does not require the use of the cardholder’s name, and some cards do not even include the cardholder’s account number. This means that there are no card details available for a fraudster to steal. It is clear that contactless payments are relatively robust in terms of security, and this bodes well for fraud reduction in 2010.
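Issuer-side handling of the per-transaction CVV and the replay check described above, as an added example that is not from the article or any card scheme. The `dynamic_cvv` function is a constructed stand-in (an HMAC over the PAN and a per-card transaction counter, truncated to three digits); the schemes' real derivation differs, and the `Issuer` class and its counter-based replay check are assumptions made for illustration.

```python
import hmac
import hashlib

def dynamic_cvv(card_key: bytes, pan: str, atc: int) -> str:
    """Constructed per-transaction CVV: HMAC-SHA256 over PAN and transaction
    counter (ATC), reduced to three digits. Every counter value gives a
    different CVV, and only a holder of the card key can produce it."""
    msg = f"{pan}:{atc:05d}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

class Issuer:
    """Issuer-side authorisation: verifies the dynamic CVV against the card's
    key, then rejects any (card, counter) pair it has already processed.
    A captured real transaction therefore authorises at most once."""

    def __init__(self):
        self._card_keys = {}   # pan -> per-card key (shared with the card)
        self._seen = set()     # (pan, atc) pairs already authorised

    def enrol(self, pan: str, card_key: bytes) -> None:
        self._card_keys[pan] = card_key

    def authorise(self, pan: str, atc: int, cvv: str) -> str:
        key = self._card_keys.get(pan)
        if key is None:
            return "DECLINE unknown card"
        expected = dynamic_cvv(key, pan, atc)
        # constant-time compare: the CVV is a secret-derived value
        if not hmac.compare_digest(cvv, expected):
            return "DECLINE bad cryptogram"   # forged or tampered transaction
        if (pan, atc) in self._seen:
            return "DECLINE replay"           # same real transaction resubmitted
        self._seen.add((pan, atc))
        return "APPROVE"
```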

To summarise, the payments industry has seen real progress in security during 2009. However, the fight against fraud is far from over. Technologies such as end-to-end encryption and tokenisation, combined with two-factor authentication, are critical to increasing the security of payment transactions, and we expect to see increased momentum behind the roll-out of all three technologies next year. With payments moving towards centre stage in banking strategy this year, 2010 may well be the year when payment security is pushed to the top of the agenda.
