15 Sep 2015
This movement has occurred as the importance and popularity of “always on” online commerce has increased. As the internet takes a larger role in the global economy, online payments grow alongside it.
" In recent years, consumers (and the merchants serving them) have placed significantly more emphasis on convenience over security."
Lance Blockley, Managing Director – Consulting at RFi Group
Households are directing a greater portion of their payments online, whether for shopping, booking travel or paying bills. Indeed, global eCommerce sales are reported to have reached $US1.5 trillion in 2014, an increase of 20.1 per cent over the prior year, with forecasts of $US2.0 trillion in 2016.
The vast majority of this purchasing is paid for using cards, meaning cardholders across the world are regularly entering their 16- or 15-digit card numbers into computers and mobile phones - at an increasing rate.
These “card not present” (CNP) transactions are more vulnerable to payment fraud than face-to-face transactions. Sixty-six per cent of card fraud in the Single Euro Payments Area (SEPA) is now associated with CNP transactions. This is primarily online payments, totalling €958 million in fraud losses in 2013, up 20.6 per cent on the previous year and the only fraud category showing an increase.
Global losses to CNP fraud are estimated at over $US6.2 billion for 2014, not including related insurance costs. Based on published figures and industry estimates it appears CNP fraud is running at around 0.2 per cent to 0.25 per cent of CNP sales value in the West.
The United States stands out with its much lower CNP fraud rate, but this appears to be due to the ease with which Card Present (CP) fraud can be conducted in the USA compared with other countries – not that CNP fraud is harder there.
The US is unique as the major remaining market that has only just started the transition towards the mass issuance of more secure, chip-based EMV cards. CP fraud, made up mainly of counterfeit and skimming fraud of mag-stripe cards, continues to account for over 50 per cent of total US card fraud as of 2014.
It is expected that, as EMV issuance ramps up in the US, CP fraud rates (especially counterfeit and skimming) will decline and criminals will switch to the next lowest-hanging fruit.
In nearly all countries, CNP fraud rates are significantly higher for a domestic card used on an overseas website than for a domestic card used on a domestic website (for Australian cards, the offshore rate, measured in basis points of sales value, is 15 times the domestic rate).
The fraudsters clearly understand that they are safer to be out of jurisdiction when using the stolen card details and can also choose websites and markets where stronger authentication measures have yet to be deployed.
As the crooks move to focus on CNP transactions, online merchants can no longer write off fraud as something that only happens to others. Research by TeleSign and RSA in December 2014 found just 11 per cent of US companies have not recorded fraudulent incidents in the past 12 months.
(Chart: TeleSign and RSA survey of US companies, December 2014. Source: TeleSign and RSA)
So how is the industry responding? The key approaches are:
The rollout of tokenisation is seen as a key plank in the battle for data devaluation. This involves replacing the PAN (Primary Account Number) of the card with a random surrogate number that has no value outside the merchant it was issued to and the vault that issued it; unlike an encrypted PAN, a token is not derived from the card number and so cannot be reversed without the vault's lookup table. However, it will take some years before all card data held outside of the financial services industry is tokenised, so strong defences against attack remain vital.
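The mechanism described above, as an added example that is not code from the article, RFi Group or ANZ: a minimal tokenisation vault in Python. The merchant submits the PAN once and stores only the random token that comes back; the token is scoped to that merchant, keeps the last four digits for receipts, and is deliberately chosen to fail the Luhn check so a leaked token can never double as a real card number. The merchant scoping, last-four preservation and Luhn-fail rule are design choices assumed here, not requirements stated in the article; the sample card numbers are standard test numbers, not real accounts.

```python
"""Card-data tokenisation vault (added illustration; not RFi Group or ANZ code).

A merchant sends the PAN to the vault once, at checkout, and keeps only the
token that comes back. The token is a random surrogate, not a cipher or hash
of the PAN, so it cannot be reversed without the vault's lookup table.
Assumptions made here, not in the article: tokens are scoped to one merchant,
keep the last four digits for receipts, and are chosen to fail the Luhn check
so a leaked token can never double as a real card number.
"""
import re
import secrets


def luhn_ok(number: str) -> bool:
    """Mod-10 check-digit test that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    pan = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{15,16}", pan) or not luhn_ok(pan):
        raise ValueError("not a valid 15- or 16-digit card number")
    return pan


class TokenVault:
    """In-memory stand-in for a PCI-scoped vault service.

    A production vault would encrypt `_pan_by_token` at rest under an HSM-held
    key and expose tokenise/detokenise only over an authenticated API.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, tuple[str, str]] = {}   # token -> (merchant, pan)
        self._token_by_pan: dict[tuple[str, str], str] = {}   # (merchant, pan) -> token

    def tokenise(self, merchant_id: str, raw_pan: str) -> str:
        pan = normalise_pan(raw_pan)
        key = (merchant_id, pan)
        if key in self._token_by_pan:             # stable token per merchant+card
            return self._token_by_pan[key]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]                # last four survive for receipts
            # Reject the roughly one-in-ten candidates that happen to be Luhn-valid,
            # and any accidental collision with an existing token.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = (merchant_id, pan)
        self._token_by_pan[key] = token
        return token

    def detokenise(self, merchant_id: str, token: str) -> str:
        """Return the PAN only to the merchant the token was issued to."""
        entry = self._pan_by_token.get(token)
        if entry is None or entry[0] != merchant_id:
            raise KeyError("token unknown for this merchant")
        return entry[1]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a well-known Visa test number, not a real account.
    tok = vault.tokenise("shop-123", "4111 1111 1111 1111")
    print("merchant stores:", tok, "| luhn valid:", luhn_ok(tok))
    print("vault returns:", vault.detokenise("shop-123", tok))
```

The point to notice is what a breach of the merchant's database yields: a table of numbers that fail the Luhn check and that only this merchant can redeem, and only by calling the vault. Because the vault does not key its lookup on a hash of the PAN, an attacker who obtains the token table cannot test candidate card numbers against it.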
Stronger cardholder authentication is being tackled by many new technologies and covers a range of approaches from biometrics through to passwords.
Two-factor authentication, for example, asks the cardholder to present something beyond the card details themselves, such as a password or a one-time code, before the transaction is approved. A number of jurisdictions, including Singapore and India, have mandated two-factor authentication for all payment card transactions conducted online, with Singapore going further in prescribing that the second factor must be a one-time password delivered to a mobile phone.
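The one-time-password second factor described above, as an added example that is not code from the article, RFi Group, ANZ or any regulator: the server side of issuing and checking a code sent to the cardholder's phone, in Python. The six-digit length, two-minute validity window, three-guess limit and single use are assumptions made here; the code's stored digest is also bound to the merchant and amount, a step the article does not discuss but which stops a code phished for one purchase being replayed to authorise a different one. SMS delivery is abstracted as a `send_sms(phone, text)` callback, and the phone number and merchant in the demo are constructed samples.

```python
"""Server side of a one-time-password second factor (added illustration; not
RFi Group, ANZ or any regulator's code).

Assumptions beyond the article: a 6-digit code, a 2-minute validity window,
at most 3 guesses, single use, and the code's digest bound to the transaction
(merchant and amount) so a code phished for one purchase cannot authorise a
different one. Delivery is abstracted as a `send_sms(phone, text)` callback.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
TTL_SECONDS = 120
MAX_ATTEMPTS = 3


class OtpService:
    def __init__(self, server_key: bytes, send_sms, clock=time.time) -> None:
        self._key = server_key          # keeps stored digests useless to an offline guesser
        self._send_sms = send_sms
        self._clock = clock             # injectable so expiry can be tested deterministically
        self._pending: dict[str, dict] = {}

    def _digest(self, txn_id: str, merchant: str, amount_cents: int, code: str) -> bytes:
        msg = f"{txn_id}|{merchant}|{amount_cents}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id: str, phone: str, merchant: str, amount_cents: int) -> None:
        """Generate a code for this exact transaction and send it to the cardholder."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[txn_id] = {
            "digest": self._digest(txn_id, merchant, amount_cents, code),
            "expires": self._clock() + TTL_SECONDS,
            "attempts": 0,
        }
        # The message names what is being approved, so the cardholder can spot a mismatch.
        self._send_sms(phone, f"Code {code} to pay {merchant} ${amount_cents / 100:.2f}. Valid 2 min.")

    def verify(self, txn_id: str, merchant: str, amount_cents: int, code: str) -> bool:
        rec = self._pending.get(txn_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[txn_id]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:      # lock out after too many guesses
            del self._pending[txn_id]
            return False
        expected = rec["digest"]
        ok = hmac.compare_digest(expected, self._digest(txn_id, merchant, amount_cents, code))
        if ok:
            del self._pending[txn_id]           # single use: a replayed code fails
        return ok


def code_from_sms(text: str) -> str:
    """Pull the code out of the SMS text; stands in for the cardholder reading their phone."""
    return text.split()[1]


if __name__ == "__main__":
    outbox = []
    svc = OtpService(secrets.token_bytes(32), lambda phone, text: outbox.append(text))
    svc.issue("txn-1", "+61400000000", "Example Store", 12995)   # constructed sample
    code = code_from_sms(outbox[-1])
    print("wrong amount:", svc.verify("txn-1", "Example Store", 99900, code))   # False
    print("right details:", svc.verify("txn-1", "Example Store", 12995, code))  # True
    print("replay:", svc.verify("txn-1", "Example Store", 12995, code))         # False
```

Two details carry most of the security value. The attempt counter is what makes a six-digit code safe against online guessing, since the expiry window alone leaves a million possibilities open for two minutes; and the HMAC over the transaction fields means a code the cardholder was tricked into reading out for one purchase will not verify for another merchant or amount.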
In January 2013, the European Central Bank mandated that all transactions acquired within SEPA be authenticated using strong customer authentication by August 2015. The mandate is intended to provide a level and technology-neutral playing field.
In addition, the ECB has recommended all stored payment card data be in a “tokenised” (encrypted/obfuscated) format, so that card details are protected from hacking attacks and data breaches. The ECB says both “strong customer authentication” and “tokenisation” are required to improve e-commerce security.
So, with card payment fraud in online purchases now being squeezed through the deployment of tokenisation and two-factor authentication, where will the fraud balloon pop out next?
Initially it will expand into markets where these tools have not yet been deployed, just as card present fraud has been lowered by Chip and PIN but remains high in the USA, where there is no such requirement.
As much as it would be nice to stay one step ahead of the fraudsters, gaining agreement across all of the various stakeholders in the card industry to take security actions in any particular market will be very difficult: there is a constant trade-off between security and convenience.
In recent years, consumers (and the merchants serving them) seem to have placed significantly more emphasis on convenience over security.
Fortunately tokenisation does take place in the background, but most forms of two-factor authentication require some kind of cardholder participation. Hopefully this will become more widely accepted by consumers as the cost of keeping their payments safe and secure.
Maybe one day we will actually step on the balloon and it will finally bust.
Lance Blockley is Managing Director – Consulting at RFi Group
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.