Battle to secure online card payments

The fear of the unknown is a terrible affliction.

When it comes to fraud all players in the card payments pool have attempted to stay ahead of the hackers and fraudsters. Unfortunately, for the most part, they’re not altogether sure who, or what, they are fighting.

The EMV chip mandate for the U.S. card payments industry has led to intense debate on its merits or otherwise. One side of the industry was upset that the mandate (deadline set for October 2015) was asking too much, while others were adamant that it did not go far enough and was, in fact, almost obsolete as hackers had evolved.

For now it’s a chip-and-signature mandate, even though the EU and other developed nations switched to chip-and-pin in the early 21st Century (2003 to be precise).

Even the U.S. President’s recent actions indicate that this will not be enough. In late October 2014 he signed an executive order mandating that all U.S. federal activities be carried out via chip-and-pin. Chip-and-signature is evidently not secure enough for Capitol Hill and its external activities.

There’s a school of thought that has labelled the U.S. EMV mandate as an old fix for an old problem. Sure, it will protect customers at the POS and – just like it did in Europe – will reduce card-present fraud. The issue, for some, is that it doesn’t deal with the card-not-present (CNP) fraud issues – online fraud: e-commerce and m-commerce.

Growth of CNP fraud – despite EMV

Online commerce is booming but CNP fraud is also a growing menace. Fraudsters will always look for the weak link, the chink in the armour. When European terminals became harder to hack due to the chip-and-pin upgrades of the early 2000s the fraudsters quickly turned their attention to U.S. terminals.

Since the EMV upgrade in the EU, the rate of card-present fraud in the U.S. has accelerated to record levels. When signing that recent executive order Obama outlined just how prevalent fraud is in the U.S.: “More than 100 million Americans had information that was compromised in data breaches in some of our largest companies. And identity theft is now America’s fastest-growing crime.” He added: “We know this technology [chip-and-pin] works. When Britain switched to a chip-and-pin system, they cut fraud in stores by 70 percent. Seventy percent.”

As the U.S. closes in on the October 2015 EMV mandate deadline this level of fraud is rising further as hackers look for one last big pay day before they move on to their next weak link. The U.S. can already expect an increase in CNP fraud in the years ahead. A recent Javelin Strategy & Research paper into the issue of CNP fraud forecast that by 2018 CNP fraud in the U.S. will be nearly four times greater than POS card fraud. The fraud will grow in the same pattern of online commerce transaction growth. The report added that the CNP fraud increase has little to do with a change in criminal behavior post-EMV.

Pat Carroll, executive chairman and founder of ValidSoft, in writing an Information Week opinion piece declared: “There’s a grave danger we’ll spend billions of dollars on new chip-and-PIN cards, and POS devices capable of processing them, only to find that consumers and crooks have moved on, making EMV a ‘too little, too late’ poster child.”

Why the pessimism? Well, CNP fraud simply continues unabated in Europe (where EMV has been in use since 1997) and in the U.S.

Solutions needed to online card payments fraud

Solutions are being sought. Last month (October 2014) the European Forum on the Security of Retail Payments (SecuRe Pay) released a consultation document on the future security of internet payments (deadline for submissions is November 14, 2014).

The SecuRe Pay forum (a European Banking Authority (EBA) and European Central Bank (ECB) joint venture) was established in 2011 and brings together PSP supervisors and overseers of payment systems, schemes, and instruments, within the EU/EEA. Its aim is to understand the issues related to the security of online payments and to make recommendations.

SecuRe Pay has already published recommendations, including the most recent on the security of internet payments in October 2014. The ECB had released its final SecuRe Pay recommendations for the security of internet payments in January 2013 with an implementation date for February 1, 2015. These recommendations are now to be implemented by August 2015.

Latest SecuRe Pay recommendations

The following were the first set of recommendations (considered as minimum internet payments security requirements) issued by the SecuRe Pay forum in January 2013, after two months of consultation:

  • Protect the initiation of internet payments, as well as access to sensitive payment data, by strong customer authentication
  • Limit the number of log-in or authentication attempts, define rules for internet payment services session “time out” and set time limits for the validity of authentication
  • Establish transaction monitoring mechanisms designed to prevent, detect, and block fraudulent payment transactions
  • Implement multiple layers of security defences in order to mitigate identified risks
  • Provide assistance and guidance to customers about best online security practices, set up alerts, and provide tools to help customers monitor transactions.
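The second recommendation (attempt limits, session time-out, a validity limit on authentication) is the most mechanical of the five, so here is an added illustration of how a PSP's payment-initiation gate could enforce it. This is example code written for this page, not from SecuRe Pay or any PSP; the thresholds (5 attempts, 15-minute idle time-out, 5-minute authentication validity) and the `PaymentAccessControl` class are assumptions, since the recommendations set no numbers.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Policy parameters: assumed values, the recommendations themselves set no numbers.
MAX_FAILED_ATTEMPTS = 5         # log-in or authentication failures before lock-out
SESSION_TIMEOUT_SECS = 15 * 60  # idle time after which the session is dropped
AUTH_VALIDITY_SECS = 5 * 60     # age after which a strong authentication is stale

@dataclass
class Session:
    user: str
    last_seen: float
    authenticated_at: Optional[float] = None  # time of last strong authentication

class PaymentAccessControl:
    """Gatekeeper for payment initiation; 'now' is passed in so time is controllable."""
    def __init__(self) -> None:
        self.failed: Dict[str, int] = {}
        self.locked: Set[str] = set()
        self.sessions: Dict[str, Session] = {}

    def _record_failure(self, user: str) -> None:
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)            # locked until an out-of-band reset
            self.sessions.pop(user, None)    # a locked user keeps no live session

    def _live_session(self, user: str, now: float) -> Optional[Session]:
        s = self.sessions.get(user)
        if s is None:
            return None
        if now - s.last_seen > SESSION_TIMEOUT_SECS:
            del self.sessions[user]          # idle "time out" per the recommendation
            return None
        s.last_seen = now
        return s

    def login(self, user: str, password_ok: bool, now: float) -> bool:
        if user in self.locked:
            return False
        if not password_ok:
            self._record_failure(user)
            return False
        self.failed.pop(user, None)
        self.sessions[user] = Session(user, now)
        return True

    def strong_auth(self, user: str, second_factor_ok: bool, now: float) -> bool:
        s = self._live_session(user, now)
        if s is None or user in self.locked:
            return False
        if not second_factor_ok:
            self._record_failure(user)       # second-factor failures count too
            return False
        s.authenticated_at = now
        return True

    def initiate_payment(self, user: str, now: float) -> str:
        s = self._live_session(user, now)
        if s is None:
            return "denied: no live session"
        if s.authenticated_at is None or now - s.authenticated_at > AUTH_VALIDITY_SECS:
            return "denied: strong authentication required"
        return "allowed"
```

Note that a stale authentication does not end the session; it only forces a fresh strong authentication before the next payment is initiated, which is the distinction the recommendation draws between session time-out and authentication validity.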

On foot of these recommendations the EBA agreed to develop guidelines “aimed at establishing a framework for PSPs with regards to the security of internet payments.” These EBA guidelines come into force on August 1, 2015, and are based on the provisions in the European Commission’s Payment Services Directive (PSD) – first published in December 2007.

A July 2013 revision of the PSD includes a proposal that in order to facilitate effective fraud prevention and combat payment fraud across the EU, there should be an “efficient exchange of data” between PSPs who should be allowed to “collect, process and exchange personal data relating to persons involved in payment fraud.”

This is a call for unity from all involved in the online retail payments system to fight fraud. Of course a united front and this exchange of data should strengthen the system and prevent future CNP fraud.

There is a common theme to recent responses to the SecuRe Pay forum. Clarification is required on the role of crucial stakeholders in the existing card payment processing system, including: 1. the issuer, who knows the identity of the card user and can therefore authenticate; 2. the acquirer, who dictates the type of payment; and the card schemes, which will have to implement any future mechanisms (or perhaps this will be the responsibility of the issuer?).

What is at stake? Well, quite a lot of revenue . . .

In 2013 European B2C e-commerce revenue grew by 16.3% to €363.1 billion. For the same period U.S. B2C e-commerce topped $40 billion, up some 16.9% on the 2012 figure. The eMarketer report behind these figures also states that U.S. e-commerce still represents a small portion of overall retail sales—a mere 5.8% last year. However, e-commerce will continue to increase in the double digits year over year to bring its share of overall retail to almost 9% by the end of eMarketer’s forecast period. The same website has predicted that worldwide B2C e-commerce will surge past $1.5 trillion in 2014, a 20% jump from the previous year.

$1.5 trillion – that should encourage all involved to unite in the fight against CNP fraud. It’s frightening to think of the amount of revenue that will be lost otherwise.

Contact us

For more information on our products and services contact us at info@aviso.io, or follow us on Twitter and LinkedIn.