[Dave Birch] I saw a very good talk by Gerard Hartsink, Chairman of the European Payments Council. He was talking about SEPA and the evolution of the European payments sector. The context isn’t important, but I did want to highlight one comment he made — which caused some passionate discussion — about the future of payment cards. He said that he could see a situation in 2011 or 2012 when magnetic stripe transactions would be banned in SEPA and only chip transactions would be allowed at ATM and POS. Now, before we launch into a debate on this, let me point out that he is not the only person of influence who is thinking this way.

Tony Chew, head of the technology risk supervision division of the Monetary Authority of Singapore, is advocating for a concerted global effort to phase out magnetic stripe technology entirely. “We can all go chip and PIN which will be a more effective method of combating counterfeit card fraud,” says Chew.

[From Vendor Articles: 12/6/2009 Credit card fraud rising]

It’s the rise in fraud that is causing this kind of thinking. Far from shrinking card fraud, the introduction of chip & PIN in the UK has multiplied a thousandfold the number of places where people use PINs and therefore where PINs can be stolen from. So long as there are places where easy-to-copy magnetic stripes can be used, the incentive for criminals is clear. Things are getting worse.

It is my belief – and feel free to come back and tell me that it’s me that is the idiot – that after a number of years of declining card present fraud (magnetic stripe cloning is so much easier, and a gift from the card issuers), we are now going to see a dramatic increase, and there is nothing we can do about it!

[From 2009 – is that the year we all went online?]

I happened to be reading this month’s Fraud Watch, and one of the front page stories is “ATM fraud threatens global acceptance”. The story says that “several issuers are considering blocking major cities and possibly whole countries where international card fraud is high, because there is no chance for reimbursement for those losses even though the original cards are EMV chip and PIN compliant”. (There are, as I understand, no plans for a liability shift to rectify this, particularly in the USA.) Oh dear. Incidentally, the top three destinations for ATM fraud on UK-issued cards last month were…. 1. Canada, 2. Italy and 3. the USA.

Suppose Gerrard is right? What will happen in 2012 when travellers from the USA arrive in Paris and discover the shops, hotels and ticket machines won’t accept their cards any more?

The scale of these ATM frauds is, frankly, impressive. They are well-organised on a large scale and the attacks are executed with precision in order to defeat card issuers’ fraud management responses. Here’s an example…

RBS WorldPay not only had the data hacked for around 1.5 million payroll and gift cards back on December 23rd, but also that the mag stripe and other information must have been gained as well. Shortly after midnight Eastern Time on November 8th, a co-ordinated global attack took place in thirty minutes withdrawing $9 million from ATMs by lifting the limits on each card:

[From The Financial Services Club’s Blog: $9 million in 30 minutes in a Global ATM scam]

Until issuers decline all non-stripe ATM withdrawals, which they can’t do until there’s an infrastructure of EMV-capable ATMs in each region, this isn’t going to change. All we can do is try to accelerate ICVV migration and advise new issuers to start with ICVV from the beginning. I should add that not all ATM frauds combine stealth, sophistication and crack teams of co-ordinated international criminals co-ordinating across continents:

Two former workers at an Abbey branch in London managed to steal more than £120,000 from cash machines by stuffing wads of notes down their trousers.

[From Finextra: Former Abbey workers pinch £120,000 in ATM scam]

Sometimes the old ways are the best.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

2 comments

  1. Why should faced to face retailers not be allowed to do mag stripe transactions, whereas online retailers can accept keyed in card details for payment? Some retailers do not do enough card business to justify the investment in chip and PIN. Should they be excluded from the payment cards world? If fraud has a cost, which it obviously does retailers should be financially encouraged to invest in chip (or discouraged from using mag stripe). I cannot see a mechanism for how mag stripe transactions could be banned let alone any possibility of it happening by 2012.

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: