The US has seen a surge in card fraud recently, as fraudsters realise time is running out before the US implements EMV. Robin Arnfield investigates.
"My research with US issuers has revealed that, since the fourth quarter of 2011, there has been a significant rise in US card fraud losses across all transaction types, from around 6.8 basis points to 7.4-7.6 basis points," says Aite Group senior analyst Julie Conroy. "Issuers are concerned, as this is a big rise in percentage terms, and fraud loss rates were flat for the previous three years."
"The US is becoming a classic example of card-present fraud migrating to countries that lag behind in terms of EMV migration," say Antonio Gonzalez and Alexeis Perera, joint managing directors at Latin American-based CYBS Consulting. "Due to fraud migrating from Canada and Mexico which are both close to completing their EMV rollout, as well as from Europe, which is already EMV-compliant, US card fraud is starting to grow at alarming rates."
According to Javelin Strategy & Research’s 2012 Identity Fraud Report, fraud on existing US credit cards rose to $6 billion in 2011 from $5 billion in 2010, while fraud on existing US debit cards fell to $2 billion from $3 billion in 2010.
Fraudsters have a two-and-a-half year window to commit counterfeit card fraud before Visa and MasterCard’s October 2015 deadline for the domestic US EMV point-of-sale liability shift. "There’s a huge amount of stolen US card information available on fraudster bulletin boards, and this situation is going to get worse before it gets better," says Conroy. "Criminals know they have a limited amount of time before they come up against EMV."
"In the ramp-up to EMV, US fraudsters will go on a spree, and bricks-and-mortar merchants will see a spike in counterfeit card transactions," says Dave Divitt, principal fraud consultant at UK-based card software firm Alaric Systems.
EMV migration will be more gradual in the US than it was in the UK, says Conroy. "Based on our projections, we expect 55% of US merchants to be EMV-ready by October 2015, so this won’t be a cut-off date," she says.
"There’s a question mark over how many US issuers will be EMV-ready by 2015," says Zil Bareisis, a senior analyst at Celent. "US issuers are looking at shifting corporate cards and cards used by international travellers first to EMV."
"The lack of effective information regarding US card fraud losses is a major problem," says Bob Hughes, managing partner at US consultancy Bank Solutions Group. "Unlike their Australian, Canadian, and UK counterparts, US issuers haven’t signed up to provide breakdowns to a centralised body on the different categories of card fraud. There’s no federal requirement for US issuers to do this. Issuers are required to disclose overall card fraud and credit losses as part of their financial reporting, as these are used in the calculation of loss reserves. Typically, card fraud and credit losses are added together, so it’s impossible to distinguish fraud from credit loss."
Hughes says that, in the absence of centralised reporting, the cards industry has to rely on surveys by consultancies and industry bodies to gauge the extent of different types of card fraud. "This makes it difficult to know how effective the industry is in tackling the various card fraud categories," he says. "You can’t fix something if you can’t measure it."
A third-quarter 2012 survey by ACI Worldwide and Aite Group of 5,223 consumers in 17 countries about their experience of card fraud found that the US has the second highest card fraud rate after Mexico. The survey results, which weren’t broken down into card-present and CNP fraud, were published in the Aite Group report "Global Consumers React to Rising Fraud: Beware Back of Wallet."
The report says 44% of Mexican respondents had experienced credit, debit or prepaid card fraud in the previous five years, followed by 42% of US respondents and 37% of Indian respondents. Only 25% of Canadian respondents had experienced card fraud in the previous five years. European fraud rates were much lower, with 13% of Germans and 12% of Dutch respondents having experienced card fraud in the past five years.
The survey found that 37% of US respondents had experienced credit card fraud in the past five years, and 20% debit card fraud, while 19% of Canadian respondents had experienced credit card fraud and 13% debit card fraud. The lower level of US debit card fraud compared to credit card fraud is attributable, at least in part, to the PIN that secures many US debit card transactions.
The Durbin Amendment to the Dodd-Frank Act, which took effect in October 2011, requires US banks with assets of over $10 billion to cut debit card interchange from an average of 44 cents per transaction to 21 cents plus 0.05% of the transaction value. Javelin says one consequence of Durbin – banks promoting credit cards to their debit cardholders – will likely have consequences for card fraud losses.
"The cap on debit interchange fees makes credit cards a more profitable product for large FIs," Javelin’s 2012 Identity Fraud report says. "As a result, FIs are using promotional deals and other incentives to encourage the use of credit cards as the primary payment method among debit users. The anticipated increase in credit card usage and decrease in debit usage will likely shift the balance of existing card fraud victims toward a higher percentage of credit card fraud victims and a lower percentage of debit fraud victims."
According to US card analytics firm FICO, between January 2010 and September 2011, US card-not-present (CNP) credit card fraud losses increased at twice the rate of counterfeit credit card losses. Top merchant categories for credit card fraud were grocery stores, restaurants and online retailers.
Between January 2010 and September 2011, debit card fraud grew faster than credit card fraud, driven by a 15% increase in transaction authorisation volume and a rise in the use of techniques such as skimming, FICO says. The top three sources of US debit card fraud were ATMs, grocery stores and automated fuel dispensers. FICO's data is drawn from the hundreds of millions of US credit and debit cards monitored by its Falcon Fraud Manager platform.
"US issuers are concerned that fraud will shift to the online channel once EMV is implemented in the US," says Rich Rezek, director of global product management at card fraud prevention firm ReD. "This is what happened in Canada after it implemented EMV."
E-merchants are liable for card fraud committed on their websites, unless they have implemented Verified by Visa and MasterCard SecureCode, in which case the liability shifts to the issuer. According to CyberSource’s 2012 Online Fraud Report, only 25% of US e-commerce merchants used SecureCode and Verified by Visa in 2011.
"If US card fraud migrates in a big way to the web, and significant numbers of e-merchants start using Verified by Visa and SecureCode to prevent chargebacks, then US issuers could be hit with big fraud losses," says Rezek. "So far, issuers haven’t had to worry about online fraud, as they haven’t been liable."
Rezek argues that tackling CNP fraud requires greater data-sharing between e-merchants and issuers, particularly in order to prevent genuine transactions being rejected. He says AVS (Address Verification Service), a fraud prevention tool used by many US websites, is inadequate, as it rejects legitimate cardholders if their address is entered incorrectly. AVS compares only the numeric parts of the billing street address and postcode with the issuer's records, so a mistyped house number or ZIP code is enough to produce a mismatch, and it is the merchant, not the card network, that decides whether a mismatch means a decline.
"ReD’s Fraud Exchange system enables merchants to send real-time queries about suspect transactions to issuers," Rezek says. "The issuer checks the transaction information supplied by the merchant, such as the cardholder’s billing and shipping address, their email and IP address, and their purchasing history, with what they hold on their files about the customer. ReD Fraud Exchange also compares transaction information provided by different merchants. If one merchant recently delivered goods to an address without the cardholder making a chargeback, this is valuable information for another merchant evaluating that customer."
Conroy says the majority of US card fraud is attributable to breaches of cardholder databases held by processors and large merchants, although skimming is also widespread in the US. Most US states have breach notification laws that require companies, including card companies and retailers, to notify affected individuals when their personal data is breached, which is why such incidents become public. Bookseller Barnes & Noble and fast-food chain Subway are among US retailers which suffered skimming attacks in 2011 and 2012.
"In a large data breach, tens of millions of card numbers are stolen," says Hughes. "These numbers are auctioned to the highest bidder on online marketplaces. Fraudsters can also buy malware such as viruses and worms for stealing card information on these marketplaces."
To prevent breaches, the card networks require every organisation that stores, processes or transmits cardholder data, including issuers, merchants, processors and acquirers, to comply with the Payment Card Industry Data Security Standard (PCI DSS). "The problem with PCI compliance is that it's only valid when a compliance audit is carried out," says Hughes. "PCI compliance is not necessarily on-going, as software updates, for example, can unintentionally make a database vulnerable to being breached."
Conroy says Level 4 merchants, the smallest tier in the card schemes' PCI compliance programmes (retailers processing fewer than 20,000 Visa or MasterCard e-commerce transactions a year, or up to 1 million Visa or MasterCard transactions a year across all channels), are vulnerable to breaches, as they typically don't have good, PCI-compliant security systems. "The usual problem with Level 4 merchants is that their POS system gets compromised," says Conroy. "When the acquirer carries out forensics at a compromised Level 4 merchant, they may find two to three different pieces of malware, each of which is skimming card numbers. This means a number of criminals have had access to the same system."
"Merchants keep customers’ card data on their systems because they want to avoid chargebacks, for example," says Hughes. "Under Visa and MasterCard rules, merchants must provide a lot of information in order to avoid chargebacks, so they keep data local."
Technologies which help prevent merchant breaches include tokenisation and end-to-end encryption. In a tokenisation system, customers' actual card numbers are stored only in a secure vault at the acquirer (or a token service provider acting for it), and the merchant receives a randomly assigned surrogate value, the token, that maps back to the card number only inside that vault. Because a stolen token cannot be reversed to a card number without access to the vault, it is of no use to a fraudster, so merchants can safely store tokens on their own systems and use them for customer service transactions and sales analysis while keeping real card numbers out of their environment.
End-to-end encryption involves encrypting card data inside the POS device at the moment the card is swiped, typically in the reading head or a tamper-resistant module, and ensuring that the data remains encrypted as it passes through the merchant's systems and over the payments network, so that it is decrypted only at the acquirer or processor. The merchant's own systems never hold a usable card number, which is what takes them out of the attacker's reach even if the store's PC or network is compromised.
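The following is an added illustration of the tokenisation idea described above; it is not code from the article or from any acquirer or vendor named in it. It assumes a hypothetical in-memory `TokenVault` class standing in for the acquirer's secure vault, and two design choices that are this example's own assumptions: the last four digits of the card number are kept in the token so customer-service staff can still identify a card, and generated tokens are forced to fail the Luhn check so that a leaked token can never be mistaken for, or accidentally used as, a real card number.

```python
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn (mod 10) check used for PANs."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy acquirer-side token vault (illustrative assumption, not a product).

    The vault holds the real PAN-to-token mapping and is the only place a token
    can be reversed; it is the part that stays inside the acquirer's PCI scope.
    Merchants only ever see and store tokens.
    """

    def __init__(self, keep_last: int = 4):
        self.keep_last = keep_last
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        """Build a format-preserving random token: random digits + kept last digits."""
        n_random = len(pan) - self.keep_last
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(n_random))
            token = body + pan[-self.keep_last:]
            # Reject candidates that pass Luhn (could be mistaken for a real PAN)
            # or that collide with a token already issued to another card.
            if luhn_valid(token) or token in self._token_to_pan:
                continue
            return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a new one on first sight.

        The same card always maps to the same token, which is what lets a
        merchant do repeat-customer analysis on tokens instead of card numbers.
        """
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = self._new_token(pan)
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Recover the PAN for a token; only the vault can do this."""
        return self._token_to_pan.get(token)


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"   # constructed test card number, not a real card
    tok = vault.tokenize(sample_pan)
    print("merchant stores:", tok, "(Luhn valid:", luhn_valid(tok), ")")
    print("vault resolves :", vault.detokenize(tok))
```

The point of the Luhn rejection is the caveat a practitioner cares about: a format-preserving token that looked like a valid card number could be replayed into a payment system that does not know it is a token. Making every token fail the check removes that ambiguity at the cost of one extra loop iteration roughly a tenth of the time.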
Acquirer PCI survey
US acquirers’ PCI program goals have shifted from primarily focusing on risk mitigation to revenue generation, reports an October 2012 survey of 123 US acquirers serving Level 4 merchants by PCI compliance specialist ControlScan and industry organisation Merchant Acquirer’s Committee (MAC).
"Competitive pressures in the payments industry impact how acquirers balance their merchants’ needs with their own business’ need for a healthy bottom line," says Joan Herbig, ControlScan’s CEO. "Traditional merchant services aren’t as profitable as they once were, so we’re seeing a conflict between risk and revenue in the way acquirers manage their PCI programs."
Asked to rank the goals of their PCI compliance program, acquirers said generating additional revenues came first, followed respectively by meeting card brand requirements, achieving high compliance rates, and reducing risk from cardholder data breaches. The previous year’s survey identified risk reduction as the top priority, followed respectively by meeting card brand requirements, achieving high compliance rates, and generating additional revenues.
Acquirers are becoming much more aggressive with PCI program fees, ControlScan and MAC say. The percentage of acquirers charging an annual participation fee of $71 or more rose from 50% in the previous survey to 59%. Also, 83% of acquirers with the lowest compliance rates charge the higher annual participation fee, versus 46% of those with the highest compliance rates.
ControlScan and MAC say it is possible that acquirers are using non-compliance fees as a revenue source as well as a method of motivating merchants’ PCI compliance. The survey found that 60% of acquirers charge non-compliance fees, while only 15% offer discounts for achieving PCI compliance by a specific date. Among acquirers charging non-compliance fees, the percentage charging over $26 a month has tripled since the last survey to 18%.
Non-compliance fees are being imposed earlier, with only 9% of respondents saying they wait six months or more to charge non-compliance fees, compared to 22% of respondents in the last survey.
"We’ve seen a precipitous rise in data breaches at small US merchants."
Aite Group senior analyst Julie Conroy.
For Conroy, the answer to merchant breaches is for retailers to store card data in the cloud, particularly as this reduces their PCI compliance costs. "We’re increasingly seeing acquirers moving merchants to the cloud," she says. "One reason is the greater data security and fraud prevention offered by acquirers’ cloud-based systems. Also, software updates and patches are easier on a cloud-based system than on a platform hosted by a merchant. Thirdly, it’s easier for acquirers to provide merchants with value-added services if the software doesn’t reside on the merchant’s computer system but in the cloud."
Conroy notes that 100,000 new strains of malware are released daily. "It takes security programs such as Norton and McAfee a few days to identify new malware after it has been released," she says. "The acquirers’ cloud-based solutions are much more robust than Norton and McAfee, and they also use tokenisation and encryption."
Conroy says smaller US merchants are keener to use the cloud than large retailers. "For a small merchant, a cloud-based system that makes security a no-brainer is very attractive," she says. "Larger merchants may be wary of using cloud-based systems as this means trusting someone else’s security. Some large merchants consider data security as a core competence that they don’t want to entrust to a third party."
Divitt says Alaric has noted an increasing trend for large online retailers and bricks-and-mortar retailers to operate their own on-premise fraud prevention systems. "We’re being approached more and more to provide merchants with our on-premise anti-fraud solution," he says. "If merchants have their own IT infrastructure, it makes sense for them to manage their own fraud prevention system."
Divitt argues that key drivers for keeping card fraud prevention systems in-house are merchants’ need for access to, and control of, their data. "If you want to analyse your own data, you don’t want to hand it over to a third party," he says. "We’ve heard stories about merchants having to wait months to get access to their own data from a third-party service provider."
"The merchant’s reputation is important," says Andy Brown, Alaric’s product marketing manager. "If they keep the data in-house, it’s under their control, and they can ensure PCI compliance. By using a third-party security provider, you can expose your reputation if the third party’s security is compromised."
Divitt says storing card data in the cloud could actually increase the merchant’s security risks. "A centralized system that stores a lot of data from multiple clients is more attractive to fraudsters than individual merchants’ systems," he says. According to ThreatMetrix, a US cybercrime prevention specialist, cloud computing increases fraud risks. "As enterprise systems move to the cloud, this makes businesses more vulnerable to security breaches," it warns. "The cloud is much easier for fraudsters to attack than traditional behind-the-firewall systems."
"Large Canadian merchants typically invest in their own fraud prevention systems, especially those which operate both in the US and Canada, whether online or face-to-face," says Mike Bradley, a Toronto-based director for Bank Solutions Group and formerly head of products at Visa Canada. "They tend to align their fraud prevention systems across borders for both online and POS transactions. Smaller Canadian merchants use their acquirers’ fraud prevention technology."
Driven by Visa Canada and MasterCard Canada’s domestic liability shift, as well as by deadlines established by Canadian debit scheme Interac Association, Canada is close to completing its migration to EMV.
Visa Canada and MasterCard Canada both implemented a 31 March 2011 liability shift for domestic POS terminals and a 31 December 2012 liability shift for pay-at-pump automatic fuel dispensers. Interac mandated that by the end of 2012, all Canadian-issued debit cards and ATMs had to migrate to EMV, and that, by the end of 2015, all other acceptance devices (including POS terminals and pay-at-pump automatic fuel dispensers) must be EMV-compliant.
Bradley says that by the end of 2012 over 90% of Canadian credit and debit cards were EMV-compliant and 75-80% of Canadian POS terminals had been upgraded to EMV. "The vast majority of bank-owned ATMs were EMV-ready at the end of 2012," he says. "Many white-label ATMs have also been upgraded to EMV."
The effect of Canada’s EMV migration has been to significantly reduce domestic card-present fraud losses, while sharply increasing CNP fraud, Bradley says. "Canadian issuers also suffer from having their cards counterfeited and exploited in the US," he adds.
The Canadian Bankers Association (CBA) reports that in 2011 Canadian Visa, American Express, and MasterCard credit card losses due to CNP fraud rose by 47.35% year-on-year to C$259.5 million ($259.9 million), while domestic counterfeit credit card fraud fell by 15.42% to C$88.4 million. Cross-border counterfeit credit card fraud rose by 1.75% to C$31.81 million in 2011.
Total Canadian credit card fraud, including account takeover fraud, lost and stolen cards, non-receipt, and fraudulent applications, rose by 19.38% year-on-year to C$436.6 million in 2011, the CBA says.
Interac debit card counterfeit fraud fell by 41.1% year-on-year in 2011 to C$70 million. Interac debit cards can only be used in person, at the point of sale or at ATMs, as a PIN has to be entered, so they are not exposed to CNP fraud.
Debit card fraud
The American Bankers Association’s 2011 Deposit Account Fraud Survey found that the leading debit card fraud category in 2010 was counterfeit cards for both signature debit (41% of losses) and PIN debit (44%), followed by CNP transactions (e-commerce and mail/telephone orders) for signature debit, and stolen cards for PIN debit. The survey, which was published in December 2011, revealed that 96% of US banks experienced debit card fraud losses in 2010, up from 94% in 2008.
Of the 185 banks participating in the survey, 35% reported having losses from skimming, 31% reported incurring losses from data breaches, and 29% from phishing/spoofing attacks in 2010.
According to the Federal Reserve’s 2010 Payments Study, US debit card payment transactions rose by a CAGR of 14.8% from 25.0 billion in 2006 to 37.9 billion in 2009. During the same period, US credit card payment transactions fell by a CAGR of 0.2% from 21.7 billion to 21.6 billion, and prepaid card transactions rose by a CAGR of 21.5% from 3.3 billion to 6.0 billion. Cheque payments fell by a CAGR of 7.1% from 30.5 billion in 2006 to 24.5 billion in 2009.