“Payments fraud last year was pervasive and increasing,” says a report from the Association for Payments Professionals. The Association for Finance Professionals did another survey and found that 72% of its 414 respondents had been victims of actual or attempted fraud in 2006, up from 68% in a 2005 survey. But here’s the good news: electronic payments turn out to be significantly safer than paper (cheques processed as images are also much safer than paper cheques) even though ACH and payment card networks are subject to increasing fraud attacks, particularly in transactions on the Internet and over the phone. Nearly all respondents said they had been the target of actual or attempted check fraud in 2006, while 35% reported fraud activity in ACH debits. Seventeen percent said they had seen attempted or actual fraud with consumer credit cards. Of those who reported fraud activity with cards, consumer credit cards accounted for by far the most responses (82%), with signature debit cards registering 18%, stored-value cards 7%, and PIN debit cards 4%. Of those respondents that accept consumer payments via the phone or over the Internet and also reported ACH fraud, some 44% said they received fraudulent ACH instructions from their Internet channel; 45% said the same about the phone channel. Similarly, the organizations responding to the AFP survey are sustaining fraud losses from card-not-present transactions. Liability for these transactions is cited by 64% of those respondents that sustained losses because of card fraud as the primary reason for the loss. Delays in filing chargebacks come in second, at 25%.
“Organizations that suffer financial losses from card payments do so primarily because they are ‘card-not-present’ merchants,” notes the report, although it might have gone on to say that they are CNP merchants that have not signed up to 3D Secure. Interestingly, in light of a recent string of hacker intrusions into merchant databases, none of the respondents reported fraud stemming from a card-data breach. But then, as has been discussed on Digital Identity, there is a clear correlation between the size of the breach and the likelihood of fraud (and the type of data). If a neighbour steals your card from the post, there is pretty likely to be a subsequent fraud. If some government department tells the entire world your personal details, there may be a few frauds, but not that many.
While not all payment fraud is card fraud, there’s still plenty of card fraud. In the payment world, in the U.K., we have driven fraud online, but the banks will be making a serious attempt to mitigate this: another improvement to online security is on its way later this year. The MasterCard CAP (Card Authentication Programme) and Visa DPA (Dynamic Password Authentication) programmes use a handheld security device in combination with an EMV card. The combination will generate a unique, once-only security code for each online transaction. These schemes should ensure that only the rightful owner of the card can use it online, because it won’t work unless the correct PIN is entered. They won’t really help that much against phishing unless they are used in signing mode, which is a bit of a pain for customers, but every little helps. Barclays said they will begin to roll out such devices shortly and RBS is issuing similar devices already, but they are already widespread in other places. Croatia-based Privredna Banka Zagreb has distributed handheld smart card readers to all its Internet and telephone banking customers, which they would use along with MasterCard-branded EMV debit cards. The bank plans to have 40,000 customers using the card readers by the end of this year.
So, the big question is: will card fraud in the U.K. be up or down this time next year? My guess is up. In Croatia? Don’t know, but would be genuinely interested to hear from a Croatian reader to see how it’s going over there.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public