Payments even safer thanks to the next generation of payment cards?

The website ‘Het nieuwe pinnen’, launched at the end of last November, states the following:

As the Netherlands also participates in the transition to one European card payments market, we shall also be paying with the new chip on our payment cards. The good old payments with the magnetic tape stripe will disappear after 20 years. However, the ease-of-use remains. All cardholders in the Netherlands will receive a payment card with a chip on it. In addition to its standard Chipknip functionality it will also support the next generation of card payment. The next generation of card payment will make payments safer, because the chip can be copied less easily than the magnetic tape stripe. As a result, fraudulent activities with payment cards become more difficult.

The next generation of payment cards is meant to make payments safer, and this is urgently needed. In recent years, the slow decision-making process on introducing the chip on the payment card (EMV) in the Netherlands has kept obsolete technology (the magnetic stripe) in use, resulting in a considerable increase in fraudulent activities. In 2005 the loss due to fraud on the national PIN debit method of payment was only 0.003% of the total PIN turnover. In three years’ time this percentage has tripled to 0.032%. In 2008 the total PIN fraud had already increased to over 31 million euro.

 

The question remains whether the new generation of payment cards will indeed make payments safer. Empirical figures from other European countries, such as Great Britain and France, are not reassuring. These figures mainly show that the next generation of payment cards only slows down the rapid growth of fraudulent activities; it does not reduce or prevent fraud.

Some examples

  • In 2008 the British program Watchdog showed that it is possible to commit fraud with a chip payment card issued in Great Britain. On Wednesday, 16 December 2009 the producers of the VPRO television program Goudzoekers showed that this type of fraud was also possible with chip payment cards issued in the Netherlands. At the moment, committing this type of fraud is rather time-consuming, but fraudsters also work on process improvement, and it is only a matter of time before they develop a more practical method.
  • Alongside the chip, payment cards are still equipped with a magnetic stripe. This is necessary because not all payment systems in the world are migrating to the chip. For example, the American payment system will remain based on the magnetic stripe. The magnetic stripes of these payment cards can therefore still be skimmed and used in countries whose payment systems are based on the magnetic stripe. Data from Great Britain and France shows that overall payment card fraud does not decrease: fraud committed at local retailers and ATMs is going down, whereas fraud abroad is going up.
  • In addition to skimming of the payment card (counterfeit fraud), there are other types of payment card fraud, such as card-not-present (CNP) fraud, lost/stolen fraud, card ID theft and mail non-receipt fraud. Practical experience shows that CNP fraud and card ID theft in particular are growing rapidly. Unfortunately the chip on the payment card is not a solution for payment card fraud.

These examples indicate that the transition from magnetic stripe to chip is only a means of slowing down the rapid growth of fraud. The chip is not a means to limit or prevent fraud. Other measures are necessary to make payments really safer.

Possible measures

Possible measures are:

  • All parties involved in card payments should be fully aware that fraudsters are well organized and well informed. Fraudsters are always looking for the weakest link in the system, and therefore they are internationally oriented, not nationally. Non-compliance with international innovations in the field of card payments only results in short-term cost savings. In the long run the cost will always be much higher.
  • The time-to-market of innovations in the field of card payments should be shorter. Fraudsters do not need years to find a weak spot in a technological improvement in the card payments process. For example: by now the weak spot in the current method for data authentication of the chip (dynamic/DDA) is known and a new method has been developed (cryptographic/CDA). The current chip payment cards are still equipped with the (obsolete) dynamic data authentication method. Industry representatives, consumer organizations, retailers and consumers often leave the timing of the introduction of improvements to the card payments processes to the suppliers of the payment products (payment schemes and banks). The trade organizations and consumer organizations could play an important role in enforcing faster time-frames.
  • As long as the chip is not applied worldwide in the card payments business, skimming protection should be maintained. The card issuing organizations and suppliers of ATMs should also keep following international developments regarding skimming, keep each other correctly informed and take timely measures. After all, the current skimming protection will also become obsolete in due time.
  • The card issuing organizations should also be obliged to use fraud detection systems for detecting possible fraudulent transactions. Here too, trade organizations and consumer organizations are important players in getting the issuing organizations to implement this measure.
  • The consumer organizations and trade organizations should oblige the card issuing organizations and payment schemes to increase the use of mobile technology in order to limit or prevent fraud. For example, in case of a possibly fraudulent transaction, the cardholder can be asked to approve the payment by means of a text message.
  • All card issuing organizations, acceptors and consumers should be obliged to use Verified by Visa (VbV) or MasterCard SecureCode for CNP credit card transactions.
  • In the Netherlands, iDEAL in particular is used for CNP debit card transactions. By now a number of the countries around us use the international method of payment Maestro for CNP debit card transactions. To prevent iDEAL from becoming a weak link and, in time, a target for fraudsters, the international methods of payment for CNP debit card transactions should be followed closely and implemented by iDEAL.
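
As an added illustration (not part of the original article), the sketch below shows one issuer-side detection rule that combines three points made above: chip cards still carry a magnetic stripe, stripe reads abroad are where the fraud moves to, and the cardholder can be asked for approval by text message. The entry-mode and service-code values are the commonly used ISO 8583 / ISO 7813 ones; the record layout, sample transactions and decision policy are assumptions made for the example.

```python
from dataclasses import dataclass

# Commonly used ISO 8583 field 22 (POS entry mode) values.
STRIPE_MODES = {"02", "90"}  # magnetic stripe read
FALLBACK_MODE = "80"         # chip unreadable, terminal fell back to stripe

@dataclass
class Txn:
    card_ref: str            # tokenised card reference (constructed)
    service_code: str        # 3-digit service code on the issuer's card record
    entry_mode: str          # how the terminal read the card
    country: str             # terminal country, ISO 3166 alpha-2
    terminal_has_chip_reader: bool

def card_has_chip(service_code: str) -> bool:
    # A first digit of 2 or 6 marks a card that carries a chip.
    return service_code[:1] in {"2", "6"}

def assess(txn: Txn, home_country: str = "NL"):
    """Return (action, reasons) for one authorisation request."""
    reasons = []
    stripe_read = txn.entry_mode in STRIPE_MODES or txn.entry_mode == FALLBACK_MODE
    if not (card_has_chip(txn.service_code) and stripe_read):
        return "approve", reasons
    if txn.entry_mode == FALLBACK_MODE:
        reasons.append("chip-to-stripe fallback")
    if txn.country != home_country:
        reasons.append("stripe read abroad on a chip card")
    if txn.terminal_has_chip_reader:
        reasons.append("stripe read at a chip-capable terminal")
    # Illustrative policy (assumption): a plain stripe read at a domestic
    # chip-capable terminal is declined; every other flagged transaction is
    # confirmed with the cardholder by text message.
    domestic_chip_terminal = txn.country == home_country and txn.terminal_has_chip_reader
    if domestic_chip_terminal and txn.entry_mode != FALLBACK_MODE:
        return "decline", reasons
    return "ask_cardholder", reasons

# Constructed sample authorisations.
SAMPLES = [
    Txn("card-A", "201", "05", "NL", True),   # chip read at home
    Txn("card-A", "201", "90", "US", False),  # stripe read abroad
    Txn("card-A", "201", "90", "NL", True),   # stripe read at a home chip terminal
    Txn("card-B", "101", "90", "US", False),  # stripe-only card abroad
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(t.card_ref, t.entry_mode, t.country, *assess(t))
```

The stripe-only card in the last sample passes this rule untouched, which is why a rule like this complements skimming protection and broader fraud scoring rather than replacing them.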

The banking organizations and the payment schemes are initially responsible for a number of these measures. The other parties involved in the card payments chain, such as retailers, consumers, trade organizations and consumer organizations, are also important players in fighting fraud, and they should realize that they too need to take action. It is also important that these parties, more often and more quickly, take a stand that is focused on the actual prevention of fraud.

 

Fraud prevention is a joint responsibility of all parties involved in the card payments arena and it requires organization, information and international orientation!

 

More information?

  • The fraud developments in Great Britain, France, Spain and the Netherlands may be found in the document Inside fraud.
  • Fraud the facts 2009 contains information on fraud developments in recent years in Great Britain.
  • More information on the transition to EMV may be found on the website Het nieuwe pinnen.
  • The video of the British consumer program Watchdog, which shows that fraud could also be committed with the chip.
  • More information on the VPRO program Goudzoekers can be found on the website Goudzoekers.