Popping the payment fraud balloon

Payment fraud is a balloon: squeeze it in one place and it will pop out in another. This effect is readily seen in card payments. As lawmakers have attacked fraud at the physical point of sale, fraudsters have moved to the historically less-secure online environment.

This movement has occurred as the importance and popularity of “always on” online commerce has increased. As the internet takes a larger role in the global economy, online payments grow alongside it.

Households are directing a greater portion of their payments online, whether for shopping, booking travel or paying bills. Indeed, global eCommerce sales are reported to have reached $US1.5 trillion in 2014, an increase of 20.1 per cent over the prior year, with forecasts of $US2.0 trillion in 2016.

The vast majority of this purchasing is paid for using cards, meaning cardholders across the world are regularly entering their 15- or 16-digit card numbers into computers and mobile phones, and at an increasing rate.

These “card not present” (CNP) transactions are more vulnerable to payment fraud than face-to-face transactions. Sixty-six per cent of card fraud in the Single Euro Payments Area (SEPA) is now associated with CNP transactions, primarily online payments, totalling €958 million in fraud losses in 2013, up 20.6 per cent on the previous year and the only fraud category showing an increase.


Global losses to CNP fraud are estimated at over $US6.2 billion for 2014, not including related insurance costs. Based on published figures and industry estimates, CNP fraud appears to be running at around 0.2 to 0.25 per cent of CNP sales value in the West.

The United States stands out with its much lower CNP fraud rate, but this appears to be due to the ease with which Card Present (CP) fraud can be conducted in the USA compared with other countries – not that CNP fraud is harder there.

The US is unique as the major remaining market that has only just started the transition towards the mass issuance of more secure, chip-based EMV cards. CP fraud, made up mainly of counterfeit and skimming fraud of mag-stripe cards, continues to account for over 50 per cent of total US card fraud as of 2014.

It is expected as EMV issuance ramps up in the US, CP (especially counterfeit and skimming) fraud rates will decline as criminals switch to the newest low-hanging fruit.

In nearly all countries, CNP fraud rates are significantly higher for a domestic card used on an overseas website than for a domestic card on a domestic website (for Australian cards, the offshore rate is in fact 15 times the domestic rate, measured in basis points).

The fraudsters clearly understand that they are safer using stolen card details from outside the card's jurisdiction, and they can also choose websites and markets where stronger authentication measures have yet to be deployed.

As the crooks move to focus on CNP transactions, online merchants can no longer write off fraud as something that only happens to others. Research by TeleSign and RSA in December 2014 found just 11 per cent of US companies have not recorded fraudulent incidents in the past 12 months.

Source: Telesign and RSA


So how is the industry responding? The key approaches are:

  • The devaluation of card data held outside of the industry - so if someone does hack into a database, the data is of no use to them; and
  • The stronger authentication of the cardholder at the time of purchase.

The rollout of tokenisation is seen as a key plank in the battle for data devaluation. This involves replacing the PAN (Primary Account Number) of the card with another, random number that has no value to anyone other than perhaps the merchant. However, it will take some years before all data held outside of the financial services industry is tokenised, so strong defences against attack remain vital.
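To make the devaluation idea concrete, here is an added example (not code from the article or from RFi Group) of a minimal tokenisation vault. The `TokenVault` and `MerchantDatabase` classes are hypothetical; the card numbers used are constructed Luhn-valid test numbers, not real accounts. The merchant keeps only the token and the last four digits, so a full copy of its orders table contains nothing a fraudster can spend.

```python
"""Added example (not code from the article or from RFi Group): a minimal
tokenisation vault showing why a tokenised merchant database is of no use
to an attacker. The TokenVault and MerchantDatabase classes are hypothetical;
the card numbers used below are constructed Luhn-valid test numbers."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test that card numbers satisfy; rejects typos."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only copy of the PAN-to-token mapping (in a real deployment
    this sits inside the PCI-scoped environment, never at the merchant)."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    def tokenise(self, pan: str) -> str:
        """Return a 16-digit token for a PAN: the last four digits are kept so
        receipts still work; the other twelve are random, so the PAN cannot be
        derived from the token without access to the vault."""
        pan = re.sub(r"\D", "", pan)
        if len(pan) not in (15, 16) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:       # same card, same token: the merchant
            return self._token_by_pan[pan]  # can still recognise repeat customers
        while True:
            token = f"{secrets.randbelow(10**12):012d}{pan[-4:]}"
            if token not in self._pan_by_token:   # avoid the rare collision
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault (e.g. when submitting to the acquirer) can map back."""
        return self._pan_by_token[token]


class MerchantDatabase:
    """What a tokenised merchant stores: tokens and display data, never PANs."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: list = []

    def record_order(self, pan: str, amount_cents: int) -> str:
        token = self._vault.tokenise(pan)
        self.orders.append({"token": token, "last4": token[-4:], "amount_cents": amount_cents})
        return token

    def dump(self) -> str:
        """Everything an attacker gets from a full copy of the orders table."""
        return repr(self.orders)


def leaks_pan(db: MerchantDatabase, pans: list) -> bool:
    """True if any full PAN appears in a dump of the merchant database."""
    dump = db.dump()
    return any(re.sub(r"\D", "", p) in dump for p in pans)


if __name__ == "__main__":
    vault = TokenVault()
    shop = MerchantDatabase(vault)
    test_pans = ["4111 1111 1111 1111", "378282246310005"]   # constructed test numbers
    for p in test_pans:
        print("merchant stored token", shop.record_order(p, 4999))
    print("merchant dump leaks a PAN:", leaks_pan(shop, test_pans))
```

The point of the design is the asymmetry: the merchant can link orders and print receipts with the token alone, while recovering a PAN requires the vault, which is the one place that still has to be defended to card-industry standards.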

Stronger cardholder authentication is being tackled by many new technologies and covers a range of approaches from biometrics through to passwords.

Two-factor authentication would, for example, ask for a password as well as the card number to verify the authenticity of the cardholder performing the transaction. A number of jurisdictions, including Singapore and India, have mandated that two-factor authentication be adopted for all payment card transactions conducted online, with Singapore going further in prescribing that the second factor must be a one-time password delivered to a mobile phone.
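The server side of that one-time-password second factor is where most of the security lives, so here is an added example (not code from the article, RFi Group or any card scheme) of an issuer and verifier for a six-digit code sent to the cardholder's phone. The `OtpIssuer` class, its HMAC key, the time-to-live and attempt limit, and the practice of binding the code to the merchant and amount are all assumptions made for the example; the SMS delivery itself is out of scope.

```python
"""Added example (not code from the article, RFi Group or any scheme): a
server-side issuer and verifier for the one-time-password second factor.
The OtpIssuer class, its key and the transaction records are hypothetical
constructions; the delivery channel (the SMS gateway) is out of scope."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

OTP_TTL_SECONDS = 120   # assumed window: short, because a forwarded SMS ages quickly
MAX_ATTEMPTS = 3        # assumed limit: stops guessing through a million codes


class OtpIssuer:
    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._pending: Dict[str, dict] = {}   # challenge_id -> state

    def _digest(self, challenge_id: str, code: str, tx: dict) -> bytes:
        """Keyed hash over the code AND the transaction details, so a code
        phished for one payment cannot approve a different merchant or amount."""
        msg = f"{challenge_id}|{tx['merchant']}|{tx['amount_cents']}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, tx: dict, now: Optional[float] = None) -> Tuple[str, str]:
        """Create a challenge and return (challenge_id, code). Only the digest
        is stored server-side; the code goes to the cardholder's phone."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"      # uniformly random six digits
        self._pending[challenge_id] = {
            "digest": self._digest(challenge_id, code, tx),
            "expires": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return challenge_id, code

    def verify(self, challenge_id: str, code: str, tx: dict,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Check a submitted code against the stored challenge."""
        now = time.time() if now is None else now
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False, "unknown or already used challenge"
        if now > entry["expires"]:
            del self._pending[challenge_id]
            return False, "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[challenge_id]
            return False, "too many attempts"
        # constant-time comparison: a plain == would leak timing information
        if hmac.compare_digest(entry["digest"], self._digest(challenge_id, code, tx)):
            del self._pending[challenge_id]    # single use: consumed on success
            return True, "ok"
        return False, "wrong code"


if __name__ == "__main__":
    issuer = OtpIssuer(secrets.token_bytes(32))
    payment = {"merchant": "shop.example", "amount_cents": 4999}   # constructed
    cid, code = issuer.issue(payment)
    print("code sent to phone:", code)          # in practice: handed to the SMS gateway
    print(issuer.verify(cid, code, payment))    # (True, 'ok')
    print(issuer.verify(cid, code, payment))    # second use is refused
```

Four properties matter here: the code is never stored in clear, it expires, it is consumed on first success, and it is tied to the amount and merchant, so the "cardholder participation" the article mentions buys more than a bare shared secret would.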

In January 2013, the European Central Bank mandated that all transactions acquired within SEPA be authenticated using strong customer authentication by August 2015. The mandate is intended to provide a level, technology-neutral playing field.

In addition, the ECB has recommended all stored payment card data be in a “tokenised” (encrypted/obfuscated) format, so that card details are protected from hacking attacks and data breaches. The ECB says both “strong customer authentication” and “tokenisation” are required to improve e-commerce security.


So, with card payment fraud in online purchases now being squeezed through the deployment of tokenisation and two-factor authentication, where will the fraud balloon pop out next?

Initially it will expand into markets where these tools have not yet been deployed, just as card present fraud has been lowered by Chip&PIN but remains high in the USA, where there is no such requirement.

As much as it would be nice to stay one step ahead of the fraudsters, gaining agreement across all of the various stakeholders in the card industry to take security actions in any particular market will be very difficult: there is a constant trade-off between security and convenience.

In recent years, consumers (and the merchants serving them) seem to have placed significantly more emphasis on convenience over security.

Fortunately, tokenisation takes place in the background, but most forms of two-factor authentication require some kind of cardholder participation. Hopefully this will become more widely accepted by consumers as the cost of keeping their payments safe and secure.

Maybe one day we will actually step on the balloon and it will finally bust.

Lance Blockley is Managing Director – Consulting at RFi Group

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
