In a world where Facebook and iPhone lead the seemingly continual pursuit of convenience, it is easy for the payments industry to disregard payment card fraud as a mere consequence of doing business with a disparate, disengaged customer base hungry for the new. However, the post-crisis need to re-establish banks as trusted enterprises responsible for the money and data that they hold on behalf of customers means that chasing revenues is not always the appropriate competitive space.
Unfortunately terrorists and organised criminal gangs are increasingly viewing card fraud as an ‘easy’ revenue generator that can be used to fund other activities. The Italian Job days of bank robberies by crime gangs are over. The increasing ease with which they can target weaknesses to defraud the payment system are startling and their business-like behaviours such as risk assessment and ROI measurement ensure that the drug trade, people trafficking and illicit arms dealing are all indirectly funded by payment system users.
“[Human] Traffickers are often involved in other transnational crimes, such as drug trafficking, payment card fraud, identity fraud, counterfeiting and money laundering.” Europol – OCTA 2009, EU ORGANISED CRIME THREAT ASSESSMENT
But in reality, why should banks care about this? After all, the balance sheet pain is considerably less costly than some of the cures. There is a simple answer to this question, which is ‘because your customers care’. Payment card fraud has consequences beyond the bottom line. A defrauded customer, particularly those experiencing debit product fraud, can face considerable difficulties with cash flow issues and will invariably lay the blame for all of these difficulties at the doorstep of their banking provider.
With increasingly agitated consumers able to be more vocal about their annoyance through mass communication channels, and criminals using the same channels to trade tools and market stolen data, it is inevitable that regulators step in to this space. Already the Eurosystem has tasked the EPC with delivering a Europe-wide certification scheme for payment terminals; the Commission demands action on the removal of the magnetic stripe from cards; Europol will shortly publish a comprehensive assessment on the threat posed by payment fraud in Europe; and increasingly the topic appears on the agenda of the European Parliament.
The potential reputational damage for Europe’s banks could be considerable unless they cease viewing essential card fraud mitigation as a competitive issue, but equally they need to realise that there is still considerable space beyond the essential mitigation that enables some level of competition. The cost-effectiveness of some initiatives can only be achieved with co-operative actions – as the industry has aleady done for EMV – and will likely be key to opening up the mobile channel. If the basics are in place then competition will seek less regulatory attention. Areas such as security for online banking; creation of practical telephone verification systems; and deploying consumer-empowering solutions are all key ways that a competitive bank can take a long stride away from fraudsters (and their competitors!).
Many banks understandably look at their bottom line – and act on fraud accordingly. However, it is in the long term interest of their ongoing relationship with their customers that these problems are addressed proactively. Going the extra mile on behalf of your customers can not only be beneficial for them, but can actually impact your bottom line positively by bringing new customers on board. A number of banks have proactively marketed how they’ve earned their trusted status and profited considerably.
In trying to define the collaborative space, the EPC Cards Working Group has taken a pragmatic line on card-based fraud and, through the Card Fraud Prevention Task Force, sought to establish the necessary baselines. National associations have also taken the issue seriously and implemented numerous collaborative efforts, such as Portugal’s MBNet, Germany’s HHD program, UK Payments 3D-Secure mandate, Sweden’s BankID program and the Belgian non-EMV debit card declines. These collaborative initiatives are essential in re-establishing consumer trust in the banking industry.
However, one of the major failings in the current payment card system is the continuing use of magstripe technology for card payments – something that only the international schemes have real power to change. In CNP transactions the static data requested is often directly equivalent to the data used during a magstripe transaction and consequently is replayable in either channel. Some card schemes are not keen to resolve this as it puts pressure on their ‘global interoperability’ selling point. Given the anticipated near-completion of the EMV card rollout in Europe, the removal of magstripe support for cards issued in Europe would not be a major blow to this. Indeed cards issued with a limited magstripe containing only the start sentinel would overcome the ATM legacy issue and allow banks to formally reject magstripe transactions on their cards – a move which many are already doing contrary to scheme rules. This in itself may be an opportunity for banks to establish themselves as leading the way in securing customer data.
Finally, and in the spirit of the goals of SEPA, banks should also seek to deploy cardholder technology that empowers their customers, allowing them to ‘switch off’ their cards when they want, or for certain geographic locations or payment channels when they are not required at that time – rather being a bank that declines non-EU transactions by default and causes customer issues. This technology not only further empowers cardholders, but also reduces risk for banks by bringing additional information into their authorisation decision making process. Customer empowering technologies will be the basis of how consumers feel about their bank’s attitude to fraud in the future – are they part of their banking or purely a user of an unfair system?
- MasterCard Approves Battery-Powered Credit Cards (credit-land.com)
- Trouble for Magnetic Stripe Credit Cards in Europe (cardhub.com)
- EMV=Europay, MasterCard & Visa AKA the Chip Card (sfms29.wordpress.com)