MIP OnLine - 2018

ECB publishes fifth report on card fraud

September 2018

In 2016, for the first time in five years, fraud involving cards issued in SEPA decreased slightly, by 0.4% compared with 2015, to €1.8 billion. The steepest drop was registered for card fraud at ATMs, down by an impressive 12.4% from 2015. However, online fraud rose slightly, ultimately accounting for 73% of the total value of card fraud in 2016.

The European Central Bank (ECB) has published its fifth oversight report on card fraud. The report is based on data collected from card payment schemes active in the euro area.

According to ECB statistics, payment card transactions account for approximately half of all non-cash payments carried out in the European Union (EU). Furthermore, the data show that each person living in the EU has in their possession at least one payment card, and some up to four. These figures show the extent to which cards have become an intrinsic part of our daily life – a fact acknowledged by everyone and exploited by some.

Fraudsters try to access card data illegally and make unauthorised use of them. Their methods of operating fall into two categories:

  • Card-not-present fraud, which occurs when a fraudster uses malicious means (e.g. malware) to steal a cardholder’s data and then uses that data to make an unauthorised payment on the internet, by phone, email or other electronic means. The victim remains in possession of the card and can be unaware of the security breach for a long time.
  • Card-present fraud, which occurs when a fraudster withdraws cash at an automated teller machine (ATM) or makes a payment at a point-of-sale (POS) terminal by using the physical card directly. It often involves either copying (“skimming”) a card’s magnetic stripe using hardware hidden in the ATM or POS terminal, or stealing the card from the cardholder. Sometimes this fraud is perpetrated using a lost card or a card intercepted by the fraudster before its delivery to the genuine cardholder.

European financial institutions have responded to card-present fraud by developing and implementing the EMV standard (developed by Europay, MasterCard and Visa and nowadays managed by EMVCo), otherwise known as “chip and PIN” or “chip and signature”. EMV technology features encrypted information that is very difficult to crack. It is now almost fully implemented across the EU, with the United States and Asia also transitioning to the standard.

In addition to adopting the EMV standard, the European banking industry has rolled out a large number of anti-skimming ATMs and has adopted various geo-blocking practices. The latter refer to the blocking of overseas transactions using EU-issued cards unless settings to allow such payments have been activated prior to travelling abroad.

In 2015, the Eurosystem issued the Guide for the assessment of card payment schemes against the oversight standards, which outlines the requirements that card payment schemes in Europe should meet when reporting statistical information. The guide is designed to help card payment schemes enhance their security, and the overseers to assess the schemes against oversight standards. One year prior to this, the European Banking Authority (EBA) adopted Guidelines for the security of internet payments, based on previous ECB Recommendations on the security of internet payments. The guidelines became applicable in 2015. In addition, the ECB has been gathering statistical information on card schemes since 2007 in order to monitor their security levels and produce regular reports on card fraud.

The ECB’s fifth card fraud report shows that fraudulent transactions decreased by 0.4% in 2016 compared with the previous year. Specifically, card-present fraud committed at ATMs was down 12.4%, while fraud committed at POS terminals dropped by 3.0%. Card-not-present fraud, however, was the only category that recorded an increase, rising by 2.1%. This is of particular importance considering that card-not-present fraud accounted for 73% of the total value of fraudulent activities, making up a total of €1.32 billion in losses.

From a geographical perspective, the fifth card fraud report indicates that even though the vast majority of transactions were domestic, fraud was more likely to be observed in cross-border activities. Although 90% of all transactions carried out with cards issued in the Single European Payments Area (SEPA) were domestic and 8% were cross-border within SEPA, domestic transactions accounted for 35% of fraudulent activity and cross-border transactions within SEPA for 43%. In addition, only 2% of transactions were carried out outside SEPA, but these accounted for 22% of fraudulent activity. Finally, the report records lower levels of fraud in the euro area than in SEPA as a whole.

All things considered, the fifth oversight report on card fraud illustrates clearly that SEPA residents are benefiting from the enhanced security standards set by the Eurosystem, supervisory authorities and financial institutions. The widespread use of sophisticated security features by payment service providers and card schemes, combined with the substantial progress made in the EMV migration, has resulted in a decrease in fraud rates for the first time since 2011. Even so, there is ample room for improvement as far as preventative measures go, since magnetic stripe cards are still used in many non-SEPA countries and fraud continues to migrate towards less secure payment channels and means of payment.

In this respect, the EU regulators recently revised the Payment Services Directive (PSD2), adding requirements to improve the security of electronic payments in the Union. As part of the revision, a number of secondary legislative acts were developed by the ECB and the EBA with that same aim. In particular, in accordance with the PSD2 and the recently published EBA Guidelines on fraud reporting, the ECB will receive payment fraud statistics for all payment instruments and services as of 2019. This will allow the Eurosystem to better monitor the evolution of payment fraud and obtain a broader overview of the security level for the entire payments market.

Eurosystem overseers expect attempts to circumvent security features to continue to evolve alongside payment habits. For that reason, they will carry on monitoring developments and fostering knowledge-sharing in an effort to safeguard payments in Europe.