Card Fraud: definition & best practices
In a world where cards are and will remain one of the top means of payment in the coming years, despite technological innovation and digitization, banks continue to improve their card fraud processes & tools in order to minimize financial & image losses.
In this article, Sia Partners aims to offer an overview of what "card fraud" is and how banks and other actors can manage and integrate fraud management processes in the card processing chain. The main actors and best practices in this field will also be presented.
"Card Fraud", what is it?
Card fraud can be defined in many ways. The definition that applies best is the following:
"Unlawful action that is taking place during the preparation, the implementation, the use of a payment card or via the data that are associated with it, thereby causing a loss to the bank of the cardholder or the acquirer".
Card fraud can have different origins. The main ones are lost or stolen cards, lost non-received cards, falsified or counterfeited cards (magnetic, embossing or programming, card number theft, the breaking-up of payments ...).
Fraud impacts all types of channels: proximity payments or withdrawals (point of sale, via ATM) but also remote payments (internet, mail, fax/telephone or any other means).
Various techniques are used by criminals to commit card fraud:
- card skimming (copying the magnetic stripe information of a payment card with a specific reader),
- identity theft,
- abusive cancellation (payment contestation by a holder acting in bad faith of a valid payment card transaction which he initiated),
- abusive card number/PAN generation (use of issuing bank rules in order to generate fraudulent PAN).
In general, large banks adopt different measures to minimize fraud risks. The main ones are:
- Systematic compliance with binding rules and standards (EMV, PCI...)
- Strict monitoring of transactions (analytical and predictive fraud tool)
- Temporary closure of ATMs that recorded many fraudulent transactions
- Block or limit certain types of transactions (limitation of offline transactions; adaptation of commercial offer to different customer segments; block suspect BIN numbers and/or "country codes"...)
- Block suspicious cards
- Implementation of a preventive alert system on client level (transactions executed abroad, certain amount, etc.)
- Vigilance on ATM skimming and on exchange of BIN numbers within the bank's network
"Card Fraud" in SEPA zone, some figures
In 2012, fraud volume represented approximately 0.038% of total transactions (1.33 B€ in total). An important growth of "card-not-present" fraud (fraud practices where the genuine card is not presented, typically internet fraud) must be stressed.
Transactions acquired from outside the SEPA zone continue to represent a higher risk for SEPA banks: in the context of SEPA issued cards, only 2% of all transactions are acquired outside the SEPA zone; however, they account for 25% of all fraud, mainly because of the use of low security technologies such as magnetic stripes.
The set-up of rules and principles in the SEPA zone (PCI, EMV, SCF, CVV, 3D Secure...) by banking networks and financial institutions, as well as technological improvements and the indirect empowering of banks, have made transactions more secure. In other areas of the world where efforts have been less pronounced, card fraud is more present and on the rise.
"Card Fraud", integrated in each card process
Fraud can occur at each step of the card processing chain. That is why banks and related actors have to integrate fraud management in each card processing step.
Two main card macro processes are represented hereunder: PIN/Card ordering & transactions. Each step has to be considered as a key contributor in the set-up of a successful fraud management structure.
As an example, we focus hereunder on one step of the transaction macro process: the authorization.
In this step, the objective is to be able to decline transactions before the fraud takes place (that is, to define a trigger for when the risk is considered too high). Solutions for banks can be to:
- Define a restriction policy for some transactions (e.g. transactions in high-risk countries, non-secured internet transactions, a large number of transactions or high amounts in a short period of time...).
- Implement a cardholder authentication system for internet transactions (3-D Secure).
- Implement a real-time anti-fraud tool (suspicious transactions can be declined automatically).
- Perform continuous monitoring of transactions blocked for a suspicion of fraud.
- Each transaction declined for a suspicion of fraud must be analyzed with the utmost importance in order to investigate the fraud case and to take appropriate action, blocking the card or not.
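The restriction policy and real-time decline described above can be sketched as a small rule engine. This is an added example, not code from Sia Partners or any bank; the thresholds, the placeholder country codes and every name in it are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed policy values for illustration; a real policy is tuned per issuer.
HIGH_RISK_COUNTRIES = {"XX", "ZZ"}      # placeholder codes, not real countries
WINDOW_SECONDS = 600                    # the "short period of time"
MAX_TXN_IN_WINDOW = 5                   # "great number of transactions"
MAX_AMOUNT_CENTS_IN_WINDOW = 200_000    # "high amounts"

@dataclass
class Txn:
    card_token: str     # tokenized card reference, never the raw PAN
    ts: int             # epoch seconds
    amount_cents: int
    country: str        # country of the acquirer
    ecommerce: bool     # internet transaction
    three_ds: bool      # cardholder authenticated with 3-D Secure

class AuthorizationScreen:
    def __init__(self):
        # card_token -> recent approved (ts, amount_cents) pairs
        self.approved = defaultdict(deque)

    def evaluate(self, t):
        """Return (decision, reasons); reasons feed the analyst review queue."""
        reasons = []
        if t.country in HIGH_RISK_COUNTRIES:
            reasons.append("high_risk_country")
        if t.ecommerce and not t.three_ds:
            reasons.append("unauthenticated_ecommerce")
        window = self.approved[t.card_token]
        while window and window[0][0] <= t.ts - WINDOW_SECONDS:
            window.popleft()                      # drop entries outside the window
        if len(window) + 1 > MAX_TXN_IN_WINDOW:
            reasons.append("velocity_count")
        if sum(a for _, a in window) + t.amount_cents > MAX_AMOUNT_CENTS_IN_WINDOW:
            reasons.append("velocity_amount")
        if not reasons:
            window.append((t.ts, t.amount_cents))  # only approvals count toward velocity
        return ("DECLINE" if reasons else "APPROVE"), reasons

def demo():
    """Run a constructed transaction stream and return the decisions."""
    screen = AuthorizationScreen()
    stream = [Txn("tok_A", 60 * i, 10_000, "BE", False, False) for i in range(6)]
    stream.append(Txn("tok_B", 0, 5_000, "BE", True, False))
    stream.append(Txn("tok_C", 0, 5_000, "XX", True, True))
    return [screen.evaluate(t) for t in stream]
```

Every decline carries its reasons, so the case analysis in the last step starts from the rule that fired rather than from the raw transaction.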
"Card Fraud", main players
As we already stated, each card actor has an important role in risk mitigation. Main players involved in card fraud (prevention, detection, etc.) can be classified in different categories:
- bank departments (supported by dedicated fraud tools);
- bank customers;
- external organizations (define & impose initiatives and rules);
- networks / processors / embossers.
In this context, measures are imposed on banks by some founding global payment brands: the PCI Security Standards. These standards are all about bank reputation, brand protection, ensuring customer confidence in using cards and protecting customer data.
PCI standards impact card manufacturers, card software developers, card merchants & processors.
A fight to be included in the bank strategy
The fight against fraud should be considered a top priority for banks and cannot be limited to a purely financial point of view, due to the vast impact on a bank's image (reputation risk) and on the client's confidence (commercial risk) towards a bank. Each financial institution must therefore manage card fraud risk very securely, using appropriate countermeasures at each step of the card processing value chain with the explicit aim to avoid fraud as much as possible and to reduce damages to an absolute minimum.
ECB 02/2014 Fraud card report