- Email: [email protected]
UK banks act to check rising card fraud
05 ctt may.qxd
5/13/02
9:29 AM
Page 14
feature Category: Most Innovative Implementation of the Year Winner: The Net1 ‘Malswitch’ project Made by: Net1 Applied Technology Holdings Ltd – APLITEC for Malswitch Contact: Brenda Stewart at NET1 Applied Technology Holdings Ltd – APLITEC, Tel: +27 11 343 2000, Email: [email protected] Category: Most Innovative Product of the Year Winner: Smart-Solution From: Retail Logic Ltd
Contact: Angus Blest at Retail Logic Ltd, Tel: +44 1252 776755, Email: [email protected] Category: ORGA Advanced Card Hall of Fame Award Winner: Marc Lassus Contact: Felicity Best at Gemplus Ltd, Tel: +44 23 9248 8037, Email: [email protected] Category: RNIB Usability Award Winner: Blatchford Adaptive Limb
UK banks act to check rising card fraud The UK banks are to launch their first pilot of PIN verification at the point-ofsale early next year. We look at the background to this move. Plastic card fraud losses cost the UK banking and retail industries GBP411 million in 2001, showing a rise of 30% on the 2000 losses of GBP317 million. Against this background of inexorably rising card fraud, the launch of a pilot of PIN code technology in Northampton early in 2003 (see In Brief, page 3) is coming not a moment too soon. The banks want to ensure that by 2005 all UK credit and debit card transactions are authorised by the customer keying in their PIN code, for verification by the chip on their smart debit or credit card, rather than by signing a till receipt. “Although the losses are huge,” said John Wilkinson, head of risk management at the
UK’s Association for Payment Clearing Services (APACS), “the increases must be seen alongside surges in card usage and numbers of cards issued. Fraud losses against turnover, at 0.183%, remain around half of the 1991 peak.” The impact of chip technology As French banks and retailers discovered more than a decade ago, the biggest single contribution to halting the growth in card fraud will come from the introduction of smart payment cards. The chip on the card will be able to verify that a card is genuine and not counterfeit; the
Type of fraud
GBP million 2000
GBP million 2001
Percent change Change
Counterfeit cards
107.1
160.3
50
Cards stolen or lost
101.9
114.0
12
Fraudulent use of card details
72.9
95.7
31
Cards intercepted in post
17.7
26.7
51
Fraudulent applications
10.5
6.6
- 37.5
Other
6.9
8.0
15
TOTAL
317.0
411.4
30
Losses against turnover
0.162
0.183
13
Table 1 Fraud losses on UK-issued cards by type 14
Entered by: Flint (for Blatchford) Contact: Mr Peter van der Sluijs, Tel: +44 1442 879222, Email: [email protected] Category: The Judges’ Award Winner: The Common Access Card Program at the US Department of Defense Entered by: ActivCard Europe Contact: Isabelle Joulot, Tel: +33 1 42 04 84 00, Email: [email protected]
PIN code (provided that it has not been disclosed to a third party) will be able to identify that a card user is the person they claim to be. The UK roll-out is well under way; by the end of 2001, there were some 25 million chip cards in issue – very roughly one in four of all payment cards – some 350,000 chip-reading terminals had been deployed at the point of sale, and more than 20,000 ATM cash machines had been equipped with chip readers. Wilkinson explains that the chip cards are being introduced to tackle counterfeit fraud. “The most prevalent type of counterfeit, socalled skimming, involves copying genuine data from the magnetic stripe on one card, without the cardholder`s knowledge and placing that data on to another card (often a piece of counterfeit plastic).” Initiatives As John Wilkinson points out, the full benefits of chip and PIN will not be be realised for several years. To fill the gap, the banking industry is working on a range of medium-term prevention initiatives. These include: •
•
•
•
• • •
A training programme for retail staff – Spot & Stop Card Fraud – which focuses on fraud-prone retail sectors and cities; Roll-out of an address and security code checking system, to reduce card-not-present fraud; Giving rewards to retail staff who stop a card being used fraudulently (more than GBP10 million was paid out in 2001); The use of intelligent computer systems that monitor accounts to spot fraud at an early stage; The use of ‘hot card’ files carrying details of lost/stolen cards; Implementing more secure methods for delivering new and replacement cards; and Increasing the number of transactions that are authorised at retailers – i.e. by phoning (manually or automatically) to card companies for authorisation. This has risen
Card Technology Today May 2002
05 ctt may.qxd
5/13/02
9:29 AM
Page 15
feature
from 10% of transactions in the early 1990s to 70% today. Card-not-present Alongside counterfeiting, a major source of fraud involves using fraudulently obtained card details to make a purchase. Usually the
details are taken from a discarded receipt or copied from a card without the owner`s knowledge. Most of this fraud occurs in telephone or mail-order transactions, and less frequently through the Internet. The card industry has now introduced an automated system that allows merchants
The meaning of liability shift Kalim Qureshi, Technical Director, Thyron Technologies, gives an equipment supplier`s view of the effect on retailers of forthcoming shifts in liability for card fraud. Today, the phrase ‘liability shift’ has increasing currency in the card industry. But what, exactly, is it? And what are its implications? I shall look briefly at both these questions. But, before I do so, it is worth reviewing the situation, with respect to card fraud, in the UK and Europe. In the UK – indeed, almost everywhere – card fraud is big business. In fact, the latest fraud figures from APACS (Association for Payment Clearing Services; see the above Feature) reveal some large numbers. Scale them up to reflect the problem at European level, and they become truly frightening. Something, clearly, has to be done. But what? One initiative, among others, which is currently at the planning stage in the UK, is to introduce a separate police body, partly funded by the credit card industry, dedicated to fighting card fraud. But the success of such a body may well be limited while magnetic stripe cards remain the dominant card technology. In order to reduce card fraud significantly, a different – and fundamentally more secure – technology is required. Ideally, a technology which will all but eliminate the possibility of fraudulent card use. We now possess such a technology in the form of the smart card. The UK is committed to the full implementation of PIN and chip technology, an approach which has already proved very successful in France. And these are not the only two countries to recognise the potential of PIN and chip; there are now some 15 other signatories to the European Card Scheme, which has adopted the technology as a basic tenet. The attractions of PIN and chip are numerous. And one of these, especially for the card issuers – who currently foot the bill for
Card Technology Today May 2002
card fraud – is that it provides them with an opportunity to offload this cost to the acquiring banks. For their part, the acquirers are confident that, as long as their merchants have appropriate equipment at the point of purchase, the risk of fraud is acceptably low. If fraud occurs where a merchant does not have suitable equipment, then that merchant will incur the cost of the fraud instead of the bank. In other words, liability passes to the weakest link in the transaction chain. This concept of liability shift is inextricably linked to the implementation of PIN and chip. Key to the success of the scheme is the need for merchants to have appropriate point-of-sale (POS) systems and applications, in order to minimise the risk to the banks. In practice this means that all hardware and software must comply with the latest EMV standards (defined by EMVCo, the company jointly owned by Europay International, MasterCard International and Visa International). These standards not only define how cards and devices should communicate to support interoperability (i.e. any card in any country), but also deal with debit/credit applications and with specific payment scheme information. Transaction systems (such as that offered by my own company, Thyron) which comply with EMV standards will be extremely difficult to abuse. In fact, so compelling are the benefits of international compliance that the French banking industry, which had previously built its successful PIN and chip infrastructure on its own national (B0') standard, has committed itself to migrate to EMV.
to verify the billing address of the cardholder and to cross-check coded digits on the card. And during 2001 some 335,000 cases of attempted fraud were prevented by the distribution of data held on the industry`s ‘hot card’ file to more than 80,000 retail outlets.
The concept of liability shift is, in itself, a real incentive to retailers to become EMVcompliant. After all, if retailers are not compliant, they will carry the cost of any fraud – a risk they obviously would prefer to avoid. However, there is a cost attached to upgrading POS systems to the latest EMV standard. To sweeten this particular pill, the acquiring banks typically offer a financial incentive, in the form of lower service charges, to those who make the switch. This ‘carrot’ of lower charges, coupled with the ‘stick’ of increased risk, is enough to persuade most retailers to upgrade. In fact, many major retailers have already done so, and Visa – as with the other members of EMVCo – expects full compliance on acceptance devices across all key European markets by 2005. But the benefits of PIN and chip go beyond their effect on card fraud and liability shift. They also offer the merchant real opportunities to enhance customer service and cut costs. For example, extensive tests in the UK by one major retailer showed that it could significantly improve throughput times at the check-out. Although the company found that chip-withsignature transactions took an average of 3.2 seconds longer than magnetic-stripe-withsignature transactions (an acceptable increase), it concluded that chip-with-PIN transactions will actually reduce times compared to magneticstripe-with-signature. In summary, then, the concept of liability shift is at once a driving factor in, and a result of, the move from magnetic stripe to PIN and chip technology. It is a technology which will not only radically change the landscape for card fraud, but which will introduce a host of other benefits for issuers, acquirers and merchants alike. Thyron is an independently owned supplier of mobile payment systems. The company’s range of products includes PayCell – a fixed, hand-held or mobile payment terminal which offers independence of communications networks, card technologies or geographical location – and PosMate, a family of intelligent, programmable, hand-held card processing terminals for portable EFTPoS, retail, electronic commerce and electronic banking. Contact Kalim Quereshi at Tel: +44 1923 236050 , Email: [email protected]
15
5/13/02
9:29 AM
Page 14
feature Category: Most Innovative Implementation of the Year Winner: The Net1 ‘Malswitch’ project Made by: Net1 Applied Technology Holdings Ltd – APLITEC for Malswitch Contact: Brenda Stewart at NET1 Applied Technology Holdings Ltd – APLITEC, Tel: +27 11 343 2000, Email: [email protected] Category: Most Innovative Product of the Year Winner: Smart-Solution From: Retail Logic Ltd
Contact: Angus Blest at Retail Logic Ltd, Tel: +44 1252 776755, Email: [email protected] Category: ORGA Advanced Card Hall of Fame Award Winner: Marc Lassus Contact: Felicity Best at Gemplus Ltd, Tel: +44 23 9248 8037, Email: [email protected] Category: RNIB Usability Award Winner: Blatchford Adaptive Limb
UK banks act to check rising card fraud The UK banks are to launch their first pilot of PIN verification at the point-ofsale early next year. We look at the background to this move. Plastic card fraud losses cost the UK banking and retail industries GBP411 million in 2001, showing a rise of 30% on the 2000 losses of GBP317 million. Against this background of inexorably rising card fraud, the launch of a pilot of PIN code technology in Northampton early in 2003 (see In Brief, page 3) is coming not a moment too soon. The banks want to ensure that by 2005 all UK credit and debit card transactions are authorised by the customer keying in their PIN code, for verification by the chip on their smart debit or credit card, rather than by signing a till receipt. “Although the losses are huge,” said John Wilkinson, head of risk management at the
UK’s Association for Payment Clearing Services (APACS), “the increases must be seen alongside surges in card usage and numbers of cards issued. Fraud losses against turnover, at 0.183%, remain around half of the 1991 peak.” The impact of chip technology As French banks and retailers discovered more than a decade ago, the biggest single contribution to halting the growth in card fraud will come from the introduction of smart payment cards. The chip on the card will be able to verify that a card is genuine and not counterfeit; the
Type of fraud
GBP million 2000
GBP million 2001
Percent change Change
Counterfeit cards
107.1
160.3
50
Cards stolen or lost
101.9
114.0
12
Fraudulent use of card details
72.9
95.7
31
Cards intercepted in post
17.7
26.7
51
Fraudulent applications
10.5
6.6
- 37.5
Other
6.9
8.0
15
TOTAL
317.0
411.4
30
Losses against turnover
0.162
0.183
13
Table 1 Fraud losses on UK-issued cards by type 14
Entered by: Flint (for Blatchford) Contact: Mr Peter van der Sluijs, Tel: +44 1442 879222, Email: [email protected] Category: The Judges’ Award Winner: The Common Access Card Program at the US Department of Defense Entered by: ActivCard Europe Contact: Isabelle Joulot, Tel: +33 1 42 04 84 00, Email: [email protected]
PIN code (provided that it has not been disclosed to a third party) will be able to identify that a card user is the person they claim to be. The UK roll-out is well under way; by the end of 2001, there were some 25 million chip cards in issue – very roughly one in four of all payment cards – some 350,000 chip-reading terminals had been deployed at the point of sale, and more than 20,000 ATM cash machines had been equipped with chip readers. Wilkinson explains that the chip cards are being introduced to tackle counterfeit fraud. “The most prevalent type of counterfeit, socalled skimming, involves copying genuine data from the magnetic stripe on one card, without the cardholder`s knowledge and placing that data on to another card (often a piece of counterfeit plastic).” Initiatives As John Wilkinson points out, the full benefits of chip and PIN will not be be realised for several years. To fill the gap, the banking industry is working on a range of medium-term prevention initiatives. These include: •
•
•
•
• • •
A training programme for retail staff – Spot & Stop Card Fraud – which focuses on fraud-prone retail sectors and cities; Roll-out of an address and security code checking system, to reduce card-not-present fraud; Giving rewards to retail staff who stop a card being used fraudulently (more than GBP10 million was paid out in 2001); The use of intelligent computer systems that monitor accounts to spot fraud at an early stage; The use of ‘hot card’ files carrying details of lost/stolen cards; Implementing more secure methods for delivering new and replacement cards; and Increasing the number of transactions that are authorised at retailers – i.e. by phoning (manually or automatically) to card companies for authorisation. This has risen
Card Technology Today May 2002
05 ctt may.qxd
5/13/02
9:29 AM
Page 15
feature
from 10% of transactions in the early 1990s to 70% today. Card-not-present Alongside counterfeiting, a major source of fraud involves using fraudulently obtained card details to make a purchase. Usually the
details are taken from a discarded receipt or copied from a card without the owner`s knowledge. Most of this fraud occurs in telephone or mail-order transactions, and less frequently through the Internet. The card industry has now introduced an automated system that allows merchants
The meaning of liability shift Kalim Qureshi, Technical Director, Thyron Technologies, gives an equipment supplier`s view of the effect on retailers of forthcoming shifts in liability for card fraud. Today, the phrase ‘liability shift’ has increasing currency in the card industry. But what, exactly, is it? And what are its implications? I shall look briefly at both these questions. But, before I do so, it is worth reviewing the situation, with respect to card fraud, in the UK and Europe. In the UK – indeed, almost everywhere – card fraud is big business. In fact, the latest fraud figures from APACS (Association for Payment Clearing Services; see the above Feature) reveal some large numbers. Scale them up to reflect the problem at European level, and they become truly frightening. Something, clearly, has to be done. But what? One initiative, among others, which is currently at the planning stage in the UK, is to introduce a separate police body, partly funded by the credit card industry, dedicated to fighting card fraud. But the success of such a body may well be limited while magnetic stripe cards remain the dominant card technology. In order to reduce card fraud significantly, a different – and fundamentally more secure – technology is required. Ideally, a technology which will all but eliminate the possibility of fraudulent card use. We now possess such a technology in the form of the smart card. The UK is committed to the full implementation of PIN and chip technology, an approach which has already proved very successful in France. And these are not the only two countries to recognise the potential of PIN and chip; there are now some 15 other signatories to the European Card Scheme, which has adopted the technology as a basic tenet. The attractions of PIN and chip are numerous. And one of these, especially for the card issuers – who currently foot the bill for
Card Technology Today May 2002
card fraud – is that it provides them with an opportunity to offload this cost to the acquiring banks. For their part, the acquirers are confident that, as long as their merchants have appropriate equipment at the point of purchase, the risk of fraud is acceptably low. If fraud occurs where a merchant does not have suitable equipment, then that merchant will incur the cost of the fraud instead of the bank. In other words, liability passes to the weakest link in the transaction chain. This concept of liability shift is inextricably linked to the implementation of PIN and chip. Key to the success of the scheme is the need for merchants to have appropriate point-of-sale (POS) systems and applications, in order to minimise the risk to the banks. In practice this means that all hardware and software must comply with the latest EMV standards (defined by EMVCo, the company jointly owned by Europay International, MasterCard International and Visa International). These standards not only define how cards and devices should communicate to support interoperability (i.e. any card in any country), but also deal with debit/credit applications and with specific payment scheme information. Transaction systems (such as that offered by my own company, Thyron) which comply with EMV standards will be extremely difficult to abuse. In fact, so compelling are the benefits of international compliance that the French banking industry, which had previously built its successful PIN and chip infrastructure on its own national (B0') standard, has committed itself to migrate to EMV.
to verify the billing address of the cardholder and to cross-check coded digits on the card. And during 2001 some 335,000 cases of attempted fraud were prevented by the distribution of data held on the industry`s ‘hot card’ file to more than 80,000 retail outlets.
The concept of liability shift is, in itself, a real incentive to retailers to become EMVcompliant. After all, if retailers are not compliant, they will carry the cost of any fraud – a risk they obviously would prefer to avoid. However, there is a cost attached to upgrading POS systems to the latest EMV standard. To sweeten this particular pill, the acquiring banks typically offer a financial incentive, in the form of lower service charges, to those who make the switch. This ‘carrot’ of lower charges, coupled with the ‘stick’ of increased risk, is enough to persuade most retailers to upgrade. In fact, many major retailers have already done so, and Visa – as with the other members of EMVCo – expects full compliance on acceptance devices across all key European markets by 2005. But the benefits of PIN and chip go beyond their effect on card fraud and liability shift. They also offer the merchant real opportunities to enhance customer service and cut costs. For example, extensive tests in the UK by one major retailer showed that it could significantly improve throughput times at the check-out. Although the company found that chip-withsignature transactions took an average of 3.2 seconds longer than magnetic-stripe-withsignature transactions (an acceptable increase), it concluded that chip-with-PIN transactions will actually reduce times compared to magneticstripe-with-signature. In summary, then, the concept of liability shift is at once a driving factor in, and a result of, the move from magnetic stripe to PIN and chip technology. It is a technology which will not only radically change the landscape for card fraud, but which will introduce a host of other benefits for issuers, acquirers and merchants alike. Thyron is an independently owned supplier of mobile payment systems. The company’s range of products includes PayCell – a fixed, hand-held or mobile payment terminal which offers independence of communications networks, card technologies or geographical location – and PosMate, a family of intelligent, programmable, hand-held card processing terminals for portable EFTPoS, retail, electronic commerce and electronic banking. Contact Kalim Quereshi at Tel: +44 1923 236050 , Email: [email protected]
15