initiatives of the epc card fraud...
TRANSCRIPT
1
Initiatives of the EPC Card Fraud Prevention
Task ForceCédric Sarazin
-
Director Development & StrategyCartes Bancaires “CB”
-
ChairmanEPC Card Fraud Prevention Task Force
Payment Fraud and EU Enlargement: Threat & Challenges - 8th March 2006
2
EPC was established in June 2002
64 members : major European banks & European Banking Associations representing 27 European countries
to investigate & recommend an architecture for the Single European Payment Area (SEPA)
− defined as countries and territories subject to EC Directives, Regulations, and Recommendations
for credit transfers, direct debit and card transactions
European Payments Council
3
EPC Cards Working Group
EDD CARDS CASH
E-payments TF
M-payments TFCard Fraud Prevention TF
Business Model TF
EPC PlenaryG. Hartsink (NL)C. Brun (France)
SecretariatC. Bryant
CoordinationGroupG. Hartsink
C. Brun
LEGAL
Regulatory constraints TF
NLF TF Cash Handling
TF
OITS ECT
Roll out Committee
G. Hartsink
3
EPC Cards Working Group
EDD CARDS CASH
E-payments TF
M-payments TFCard Fraud Prevention TF
Business Model TF
EPC PlenaryG. Hartsink (NL)C. Brun (France)
SecretariatC. Bryant
CoordinationGroupG. Hartsink
C. Brun
LEGAL
Regulatory constraints TF
NLF TF Cash Handling
TF
OITS ECT
Roll out Committee
G. Hartsink
4
EPC SEPA Cards Framework
• High Level Principles & Rules to be respected by card issuers, acquirers and card schemes in SEPA– Consolidate on what already exists, works and brings
satisfaction to the users: cards already work in Europe & beyond within a healthy & competitive market.
– Improve some aspects: card scheme rules and practices to become pan-European, better standardisation & interoperability, enlarged card acceptance … and card fraud prevention / security !
• Notably, regarding security aspects:– EMV CHIP & PIN migration completed by 2010 !– Commitment to EPC Fraud Prevention Activities– Further work on security standards & procedures
5
forum for experts from European and International banks & schemes to discuss fraud prevention related issues
develop tactical initiatives to fight against card fraud across SEPA
promote card fraud prevention tools
monitor implementation of security standards and procedures, e.g.: − Quarterly EMV Implementation Snapshots
since 2004 − ‘3DSecure’ Implementation snapshot under construction
Work on a SEPA Card Anti-Fraud Database − Feasibility Study Completed, to be aligned with EPC decisions on
SEPA Cards Framework
EPC Card Fraud Prevention Task Force
6
EPC Card Fraud Prevention TFRecent activities - 1
• Communication plan under study – to promote EMV migration to banks (and to other stakeholders:
merchants, administrations, etc.)– more generally to promote security oriented standards & practices
(Internet fraud, ID Theft, use of databases…)– in each domain, identification of the migration holes and creation of
generic arguments • Ban of magstripe fallback foreseen (date to be decided)• Refinement and extension of the implementation
snapshots concept to the main standards (EMV, 3D-Secure, etc.)
• Work on aggregated statistics on card fraud in Europe and on an anti-fraud database (see next slide)
7
Why do we need a European Fraud Database ?First, size the problem, and then...
Issuers
Fraudreports
t
F
Fo
t
F
Fo
t
F
Fo
EUROPEAN DATA BASE
t
F
Fo
t
F
Fo
t
F
Fo
TARGET
ACQUIRER 1 ACQUIRER 2 ACQUIRER 3
FRAUD ALERT
MERCHANT M
SHARED FRAUD ALERT
SCHEME 1 SCHEME 2 SCHEME 3
ACTION POSITIVE RESULT
ACTION POSITIVE RESULT
ACTION POSITIVE RESULT
Fraud Levels at merchant M
Issuers
Fraudreports
FRAUD ALERT
t
F
Fo
t
F
Fo
t
F
Fo
t
F
Fo
t
F
Fo
t
F
Fo
NO ACTION FRAUD TRANSFER
CURRENT SITUATION
MERCHANT M
SCHEME 1 SCHEME 2 SCHEME 3
ACQUIRER 1 ACQUIRER 2 ACQUIRER 3
ACTION POSITIVE RESULT
Fraud Levels at merchant M
8
EPC Card Fraud Prevention TFRecent activities - 2
• Inventory of the main standards & certification procedures in the area of card security and fraud prevention – Geographical zone of usage ?– Level of generalisation ?– Interoperability standards, e.g. EMV, 3D Secure– Implementation standards, e.g. card, terminal or
protocol implementations)– Objective to make appropriate convergence
recommendations and initiate the work if needed
9
Examples of Convergence Projects on European & International Standards
Authorisation Switching
Clearing & Settlement
« ISO 8583 »
Customer Bank
EPAS
ERIDANE
EMV
CASCAS
CIR TWGCIR CWG
Merchant Bank
10
CAS Group
• Common Approval Scheme• Objective to standardise:
– SEPA Security Requirements– SEPA Security Certification processes
• Initial work on:– Cards– Terminals
• Participants from all major European countries.• Dialogue initiated with EPC.
11
Common Certification Process in SEPA
• 2 different domains of certification:– Functional Certification– Security Certification
• 3 steps to distinguish in the process:– Approval– Certification– Evaluations
• Certification processes require first common standards / requirements to be fully integrated
12
Experience of the Chip & PIN migrationin France - 1/4
26
121
135
153
170
190
204220
107100
90817872
675849
39
0,27
0,16
0,11
0,17
0,08
0,020,020,030,030,04
0,020,03
0,030,04
0,035
0,12
0,050,04
0,00
50,00
100,00
150,00
200,00
250,00
1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 20040,00
0,05
0,10
0,15
0,20
0,25
0,30
Card Payments (Billions €) Fraud Rate on payment transactions (%)
1st CHIP MIGRATION
Billions €uro %
Fraud Rate (%) CB Card Payments(billion €uro)
EMV MIGRATION
2005
237B€
0,03%
13
>50 m>1 m
>45 k
19 m
500 k
16 k
LIAB
ILIT
Y SH
IFT
2005
1992
B0’ ProprietaryChip
2002
B0’ +Electronic Purse
EMVDDA
4 CHIP MIGRATIONS
IN 15 YEARS !
2004B0’/EMV SDA
1990
Magnetic stripe
CB IN FRANCE
2006
Experience of the Chip & PIN migrationin France - 2/4
14
Progressive migration rather than “BIG BANG” based on :software downloads where possible, hardware
upgrades where necessary, pinpad replacements, ... complete certification of the whole payment card value chain
Involve key players throughout the project Retail Sector & Consumer Associations : seamless transition
for users
Technology Vendors, Maintenance & Service Providers
Cultivate close cooperation with peers EMVco, International schemes, Other European schemes,
European EMV users group, ...
Experience of the Chip & PIN migrationin France - 3/4
15
Provides an international standard for the card to terminal interface
Chip and PIN is the cornerstone for Merchant & Consumer Trust & Confidence in the Card System
Produces significant reduction in Fraud
Builds sound relationships with all stakeholders
Experience of the Chip & PIN migrationin France - 4/4
16
EMV Migration already completed for
49.9% of bank ATMs
36.1% of Eftpos Terminals
42.2% of Payment cards (credit+debit cards)
Status of EMV in Europe(end Q4 2005)
Source = European Payments Council8th EMV Implementation Snapshot
as of end Q4 2005
EMV
EMV
Cards
POS
EMV
ATM
17
Status of EMV in EU25 Cards per country
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Q104
Q204
Q304
Q404
Q105
Q205
Q305
Q106
Q206
Q306
Q406
Q107
Q207
Q307
Q407
Q108
Q208
Q308
Q408
Q109
Q209
Q309
Q409
Q110
Q210
Q405
δ / ZERO
D = Debit Cards
C = Credit Cards
Source = European Payments Council
8th EMV Implementation Snapshot
as of end Q4 2005
C CD
D
D
C
C
D DD
C
DC
18
EMV Migration in Europe:
Source : EPC
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
LUUKDKATFREEIESEFIEU25LVBEDEHUNLSIGRITESCYCZ
% of EMV Payment Cards in a few EU 25 countries
Q1 04 Q2 04 Q3 04 Q4 04 Q1 05 Q2 05 Q3 05 Q4 05
21
Status of EMV in in EU25 ATMs per country
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Q104
Q204
Q304
Q404
Q105
Q205
Q305
Q405
Q106
Q206
Q306
Q406
Q107
Q207
Q307
Q407
Q108
Q208
δ / ZERO
Source = European Payments Council
8th EMV Implementation Snapshot
as of end Q4 2005
22
EMV Migration in Europe:
Source : EPC
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
1 2 3 4 5 6 7
BEDKFIFRUKLUEEIESEMTEU25ESATPTGRITCZ
% of EMV ATMs in a few EU 25 countries
Q1 04 Q2 04 Q3 04 Q4 04 Q1 05 Q2 05 Q4 05Q3 05
24
French EMV cards at Cross border ATMsAcquired ATMs transactions, Feb. 25. 2006
Nbr of transactions processed on EMV mode / total (%)
0
10
20
30
40
50
60
70
80
90
Denm
ark
Belgiu
m UKIre
land
Luxe
mbg
.Cze
ch R
epPo
rtuga
lSw
eden
Austri
aSp
ainSw
itzer
land
Aver
age
%
27,85%
EMV Migration in Europe: X-border ATM Transactions
By
cons
truct
ion,
Fra
nce
is n
ot o
n th
is c
hart
25
French EMV cards at Cross border ATMs Nbr of ATMs withdrawals, Feb. 25. 2006
EMV mag stripe fall back / EMV total processed (%)
0
5
10
15
20
25
30
35Switz
erlan
dGre
ece
Avera
geSpa
inIre
land
UKLu
xemb.
%
Average7,57%
EMV Migration in Europe: Fallback ATM Transactions
By
cons
truct
ion,
Fra
nce
is n
ot o
n th
is c
hart
26
Status of EMV in EU25 Eftpos per country
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Q104
Q204
Q304
Q404
Q105
Q205
Q305
Q106
Q206
Q306
Q406
Q107
Q207
Q307
Q407
Q108
Q208
Q308
Q408
Q109
Q209
Q309
Q409
Q110
Q405
δ / ZERO
Source = European Payments Council
8th EMV Implementation Snapshot
as of end Q4 2005
27
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
LUIEUKFRBELVEEEU25ESGRHUPTDKFIITSEMTATDECYCZ
% of EMV POS Terminals in a few EU 25 countries
EMV Migration in Europe:
Source : EPC Q1 04 Q2 04 Q3 04 Q4 04 Q1 05 Q2 05 Q4 05Q3 05
29
French EMV cards at Cross border merchantsAcquired Payment transactions, Feb. 25. 2006
Nbr of transactions processed on EMV mode / total face to face(%)
0
10
20
30
40
50
60
70
80Lu
xem
bour
gM
alay
sia
Irela
ndTu
rkey
Mor
occo
Belg
ium
Taiw
anBr
azil
Czec
h Rp UK
Spai
nAv
erag
e
%
25,87%
EMV Migration in Europe: X-border POS Transactions
By
cons
truct
ion,
Fra
nce
is n
ot o
n th
is c
hart
30
French EMV cards at Cross border merchants Nbr of payments auth requests, Feb. 25. 2006
EMV mag stripe fall back / full EMV processed (%)
0
10
20
30
40
50
60
70Gre
ece
Tuni
siaSo
uth A
frica
Sing
apor
ePo
rtuga
lTa
iwan
Brazil
Turk
eyMor
occo
Malays
iaCze
ch R
epAve
rage
%
Average5,27%
EMV Migration in Europe: Fallback POS Transactions
By
cons
truct
ion,
Fra
nce
is n
ot o
n th
is c
hart
31
3DSecure Migration
• Objective to put in place an implementation snapshot on 3D Secure migration
• Example on France:– 3K 3DS merchants on a total of 9K e-com merchants: 33%– All CB payment cards are 3DS enabled (total of 48M cards)– ~600K cards with authentication method registered:
1% of the CB payment cards– 9% of the ecom transactions are 3DSecure– 0,3% are Full-3DSecure (with cardholder authentication)
3DS
Merchants
Full 3DS
Cards
Classic
Transactions
3DSEnabled
3DSFull 3DS
Classic
32
The Single European Payment area needs :
not only harmonised legislation … as targeted by the ‘New Legal Framework’
but also coherent and standardised security
Early movers, late adopters and others
January 1st 2005 “liability shift” was not sufficient
All European card schemes, issuers and acquirers to respect the 2010 deadline set by the EPC Sepa Cards Framework !
European card schemes & EMV
33
fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and
acquirers to move to EMV
Concluding remarks
33
fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and
acquirers to move to EMV
must protect the soft spot (magnetic stripe technology) in the card payment value chain
Concluding remarks
33
fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and
acquirers to move to EMV
must protect the soft spot (magnetic stripe technology) in the card payment value chain
the fight against fraud is not a competitive issue
Concluding remarks
33
fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and
acquirers to move to EMV
must protect the soft spot (magnetic stripe technology) in the card payment value chain
the fight against fraud is not a competitive issue although the efficiency and effectiveness of individual card scheme
tools may vary,
Concluding remarks
33
fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and
acquirers to move to EMV
must protect the soft spot (magnetic stripe technology) in the card payment value chain
the fight against fraud is not a competitive issue although the efficiency and effectiveness of individual card scheme
tools may vary,
support EC & EPC activities on Card Fraud Prevention
Concluding remarks
33
fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and
acquirers to move to EMV
must protect the soft spot (magnetic stripe technology) in the card payment value chain
the fight against fraud is not a competitive issue although the efficiency and effectiveness of individual card scheme
tools may vary,
support EC & EPC activities on Card Fraud Prevention
maintain trust and confidence in card payments
Concluding remarks
33
fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and
acquirers to move to EMV
must protect the soft spot (magnetic stripe technology) in the card payment value chain
the fight against fraud is not a competitive issue although the efficiency and effectiveness of individual card scheme
tools may vary,
support EC & EPC activities on Card Fraud Prevention
maintain trust and confidence in card payments EMV + PIN code entry by cardholder + authorisation
Concluding remarks
33
fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and
acquirers to move to EMV
must protect the soft spot (magnetic stripe technology) in the card payment value chain
the fight against fraud is not a competitive issue although the efficiency and effectiveness of individual card scheme
tools may vary,
support EC & EPC activities on Card Fraud Prevention
maintain trust and confidence in card payments EMV + PIN code entry by cardholder + authorisation
transaction irrevocable guaranteed payment
Concluding remarks
33
fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and
acquirers to move to EMV
must protect the soft spot (magnetic stripe technology) in the card payment value chain
the fight against fraud is not a competitive issue although the efficiency and effectiveness of individual card scheme
tools may vary,
support EC & EPC activities on Card Fraud Prevention
maintain trust and confidence in card payments EMV + PIN code entry by cardholder + authorisation
transaction irrevocable guaranteed payment
Address the Card Not Present environments
Concluding remarks