initiatives of the epc card fraud...

1

Initiatives of the EPC Card Fraud Prevention

Task ForceCédric Sarazin

-

Director Development & StrategyCartes Bancaires “CB”

-

ChairmanEPC Card Fraud Prevention Task Force

Payment Fraud and EU Enlargement: Threat & Challenges - 8th March 2006

2

EPC was established in June 2002

64 members : major European banks & European Banking Associations representing 27 European countries

to investigate & recommend an architecture for the Single European Payment Area (SEPA)

− defined as countries and territories subject to EC Directives, Regulations, and Recommendations

for credit transfers, direct debit and card transactions

European Payments Council

3

EPC Cards Working Group

EDD CARDS CASH

E-payments TF

M-payments TFCard Fraud Prevention TF

Business Model TF

EPC PlenaryG. Hartsink (NL)C. Brun (France)

SecretariatC. Bryant

CoordinationGroupG. Hartsink

C. Brun

LEGAL

Regulatory constraints TF

NLF TF Cash Handling

TF

OITS ECT

Roll out Committee

G. Hartsink

4

EPC SEPA Cards Framework

• High Level Principles & Rules to be respected by card issuers, acquirers and card schemes in SEPA– Consolidate on what already exists, works and brings

satisfaction to the users: cards already work in Europe & beyond within a healthy & competitive market.

– Improve some aspects: card scheme rules and practices to become pan-European, better standardisation & interoperability, enlarged card acceptance … and card fraud prevention / security !

• Notably, regarding security aspects:– EMV CHIP & PIN migration completed by 2010 !– Commitment to EPC Fraud Prevention Activities– Further work on security standards & procedures

5

forum for experts from European and International banks & schemes to discuss fraud prevention related issues

develop tactical initiatives to fight against card fraud across SEPA

promote card fraud prevention tools

monitor implementation of security standards and procedures, e.g.: − Quarterly EMV Implementation Snapshots

since 2004 − ‘3DSecure’ Implementation snapshot under construction

Work on a SEPA Card Anti-Fraud Database − Feasibility Study Completed, to be aligned with EPC decisions on

SEPA Cards Framework

EPC Card Fraud Prevention Task Force

6

EPC Card Fraud Prevention TFRecent activities - 1

• Communication plan under study – to promote EMV migration to banks (and to other stakeholders:

merchants, administrations, etc.)– more generally to promote security oriented standards & practices

(Internet fraud, ID Theft, use of databases…)– in each domain, identification of the migration holes and creation of

generic arguments • Ban of magstripe fallback foreseen (date to be decided)• Refinement and extension of the implementation

snapshots concept to the main standards (EMV, 3D-Secure, etc.)

• Work on aggregated statistics on card fraud in Europe and on an anti-fraud database (see next slide)

7

Why do we need a European Fraud Database ?First, size the problem, and then...

7

Why do we need a European Fraud Database ?First, size the problem, and then...

Issuers

Fraudreports

t

F

Fo

t

F

Fo

t

F

Fo

EUROPEAN DATA BASE

t

F

Fo

t

F

Fo

t

F

Fo

TARGET

ACQUIRER 1 ACQUIRER 2 ACQUIRER 3

FRAUD ALERT

MERCHANT M

SHARED FRAUD ALERT

SCHEME 1 SCHEME 2 SCHEME 3

ACTION POSITIVE RESULT



Fraud Levels at merchant M

Issuers

Fraudreports

FRAUD ALERT

t

F

Fo

t

F

Fo

t

F

Fo

t

F

Fo

t

F

Fo

t

F

Fo

NO ACTION FRAUD TRANSFER

CURRENT SITUATION

MERCHANT M

SCHEME 1 SCHEME 2 SCHEME 3

ACQUIRER 1 ACQUIRER 2 ACQUIRER 3


Fraud Levels at merchant M

8

EPC Card Fraud Prevention TFRecent activities - 2

• Inventory of the main standards & certification procedures in the area of card security and fraud prevention – Geographical zone of usage ?– Level of generalisation ?– Interoperability standards, e.g. EMV, 3D Secure– Implementation standards, e.g. card, terminal or

protocol implementations)– Objective to make appropriate convergence

recommendations and initiate the work if needed

9

Examples of Convergence Projects on European & International Standards

Authorisation Switching

Clearing & Settlement

« ISO 8583 »

Customer Bank

EPAS

ERIDANE

EMV

CASCAS

CIR TWGCIR CWG

Merchant Bank

10

CAS Group

• Common Approval Scheme• Objective to standardise:

– SEPA Security Requirements– SEPA Security Certification processes

• Initial work on:– Cards– Terminals

• Participants from all major European countries.• Dialogue initiated with EPC.

11

Common Certification Process in SEPA

• 2 different domains of certification:– Functional Certification– Security Certification

• 3 steps to distinguish in the process:– Approval– Certification– Evaluations

• Certification processes require first common standards / requirements to be fully integrated

12

Experience of the Chip & PIN migrationin France - 1/4

26

121

135

153

170

190

204220

107100

90817872

675849

39

0,27

0,16

0,11

0,17

0,08

0,020,020,030,030,04

0,020,03

0,030,04

0,035

0,12

0,050,04

0,00

50,00

100,00

150,00

200,00

250,00

1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 20040,00

0,05

0,10

0,15

0,20

0,25

0,30

Card Payments (Billions €) Fraud Rate on payment transactions (%)

1st CHIP MIGRATION

Billions €uro %

Fraud Rate (%) CB Card Payments(billion €uro)

EMV MIGRATION

2005

237B€

0,03%

13

>50 m>1 m

>45 k

19 m

500 k

16 k

LIAB

ILIT

Y SH

IFT

2005

1992

B0’ ProprietaryChip

2002

B0’ +Electronic Purse

EMVDDA

4 CHIP MIGRATIONS

IN 15 YEARS !

2004B0’/EMV SDA

1990

Magnetic stripe

CB IN FRANCE

2006


14

Progressive migration rather than “BIG BANG” based on :software downloads where possible, hardware

upgrades where necessary, pinpad replacements, ... complete certification of the whole payment card value chain

Involve key players throughout the project Retail Sector & Consumer Associations : seamless transition

for users

Technology Vendors, Maintenance & Service Providers

Cultivate close cooperation with peers EMVco, International schemes, Other European schemes,

European EMV users group, ...


15

Provides an international standard for the card to terminal interface

Chip and PIN is the cornerstone for Merchant & Consumer Trust & Confidence in the Card System

Produces significant reduction in Fraud

Builds sound relationships with all stakeholders


16

EMV Migration already completed for

49.9% of bank ATMs

36.1% of Eftpos Terminals

42.2% of Payment cards (credit+debit cards)

Status of EMV in Europe(end Q4 2005)

Source = European Payments Council8th EMV Implementation Snapshot

as of end Q4 2005

EMV

EMV

Cards

POS

EMV

ATM

17

Status of EMV in EU25 Cards per country

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Q104

Q204

Q304

Q404

Q105

Q205

Q305

Q106

Q206

Q306

Q406

Q107

Q207

Q307

Q407

Q108

Q208

Q308

Q408

Q109

Q209

Q309

Q409

Q110

Q210

Q405

δ / ZERO

D = Debit Cards

C = Credit Cards

Source = European Payments Council

8th EMV Implementation Snapshot

as of end Q4 2005

C CD

D

D

C

C

D DD

C

DC

18

EMV Migration in Europe:

Source : EPC

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

LUUKDKATFREEIESEFIEU25LVBEDEHUNLSIGRITESCYCZ

% of EMV Payment Cards in a few EU 25 countries

Q1 04 Q2 04 Q3 04 Q4 04 Q1 05 Q2 05 Q3 05 Q4 05

19

•0 to 1%

•> 1%

•> 25%

•> 50%

•> 75 %

EMV debit card migration, end 2005

20

•0 to 1%

•> 1%

•> 25%

•> 50%

•> 75 %

EMV credit card migration, end 2005

21

Status of EMV in in EU25 ATMs per country

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Q104

Q204

Q304

Q404

Q105

Q205

Q305

Q405

Q106

Q206

Q306

Q406

Q107

Q207

Q307

Q407

Q108

Q208

δ / ZERO



as of end Q4 2005

22


Source : EPC

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

1 2 3 4 5 6 7

BEDKFIFRUKLUEEIESEMTEU25ESATPTGRITCZ

% of EMV ATMs in a few EU 25 countries

Q1 04 Q2 04 Q3 04 Q4 04 Q1 05 Q2 05 Q4 05Q3 05

23

EMV ATM migration, end 2005

•0 to 1%

•> 1%

•> 25%

•> 50%

•> 75 %

24

French EMV cards at Cross border ATMsAcquired ATMs transactions, Feb. 25. 2006

Nbr of transactions processed on EMV mode / total (%)

0

10

20

30

40

50

60

70

80

90

Denm

ark

Belgiu

m UKIre

land

Luxe

mbg

.Cze

ch R

epPo

rtuga

lSw

eden

Austri

aSp

ainSw

itzer

land

Aver

age

%

27,85%

EMV Migration in Europe: X-border ATM Transactions

By

cons

truct

ion,

Fra

nce

is n

ot o

n th

is c

hart

25

French EMV cards at Cross border ATMs Nbr of ATMs withdrawals, Feb. 25. 2006

EMV mag stripe fall back / EMV total processed (%)

0

5

10

15

20

25

30

35Switz

erlan

dGre

ece

Avera

geSpa

inIre

land

UKLu

xemb.

%

Average7,57%

EMV Migration in Europe: Fallback ATM Transactions

By

cons

truct

ion,

Fra

nce

is n

ot o

n th

is c

hart

26

Status of EMV in EU25 Eftpos per country

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Q104

Q204

Q304

Q404

Q105

Q205

Q305

Q106

Q206

Q306

Q406

Q107

Q207

Q307

Q407

Q108

Q208

Q308

Q408

Q109

Q209

Q309

Q409

Q110

Q405

δ / ZERO



as of end Q4 2005

27

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

LUIEUKFRBELVEEEU25ESGRHUPTDKFIITSEMTATDECYCZ

% of EMV POS Terminals in a few EU 25 countries


Source : EPC Q1 04 Q2 04 Q3 04 Q4 04 Q1 05 Q2 05 Q4 05Q3 05

28

EMV POS terminal migration, end 2005

•0 to 1%

•> 1%

•> 25%

•> 50%

•> 75 %

29

French EMV cards at Cross border merchantsAcquired Payment transactions, Feb. 25. 2006

Nbr of transactions processed on EMV mode / total face to face(%)

0

10

20

30

40

50

60

70

80Lu

xem

bour

gM

alay

sia

Irela

ndTu

rkey

Mor

occo

Belg

ium

Taiw

anBr

azil

Czec

h Rp UK

Spai

nAv

erag

e

%

25,87%

EMV Migration in Europe: X-border POS Transactions

By

cons

truct

ion,

Fra

nce

is n

ot o

n th

is c

hart

30

French EMV cards at Cross border merchants Nbr of payments auth requests, Feb. 25. 2006

EMV mag stripe fall back / full EMV processed (%)

0

10

20

30

40

50

60

70Gre

ece

Tuni

siaSo

uth A

frica

Sing

apor

ePo

rtuga

lTa

iwan

Brazil

Turk

eyMor

occo

Malays

iaCze

ch R

epAve

rage

%

Average5,27%

EMV Migration in Europe: Fallback POS Transactions

By

cons

truct

ion,

Fra

nce

is n

ot o

n th

is c

hart

31

3DSecure Migration

• Objective to put in place an implementation snapshot on 3D Secure migration

• Example on France:– 3K 3DS merchants on a total of 9K e-com merchants: 33%– All CB payment cards are 3DS enabled (total of 48M cards)– ~600K cards with authentication method registered:

1% of the CB payment cards– 9% of the ecom transactions are 3DSecure– 0,3% are Full-3DSecure (with cardholder authentication)

3DS

Merchants

Full 3DS

Cards

Classic

Transactions

3DSEnabled

3DSFull 3DS

Classic

32

The Single European Payment area needs :

not only harmonised legislation … as targeted by the ‘New Legal Framework’

but also coherent and standardised security

Early movers, late adopters and others

January 1st 2005 “liability shift” was not sufficient

All European card schemes, issuers and acquirers to respect the 2010 deadline set by the EPC Sepa Cards Framework !

European card schemes & EMV

33

Concluding remarks

33

fraud will move to the point of least resistance

Concluding remarks

33

fraud will move to the point of least resistance EPC SEPA Cards Framework pushes all card schemes, issuers and

acquirers to move to EMV

Concluding remarks

33



must protect the soft spot (magnetic stripe technology) in the card payment value chain

Concluding remarks

33




the fight against fraud is not a competitive issue

Concluding remarks

33




the fight against fraud is not a competitive issue although the efficiency and effectiveness of individual card scheme

tools may vary,

Concluding remarks

33





tools may vary,

support EC & EPC activities on Card Fraud Prevention

Concluding remarks

33





tools may vary,


maintain trust and confidence in card payments

Concluding remarks

33





tools may vary,


maintain trust and confidence in card payments EMV + PIN code entry by cardholder + authorisation

Concluding remarks

33





tools may vary,



transaction irrevocable guaranteed payment

Concluding remarks

33





tools may vary,



transaction irrevocable guaranteed payment

Address the Card Not Present environments

Concluding remarks

34

Thank you : [email protected]

Please visit : www.cartes-bancaires.com

initiatives of the epc card fraud...

Documents