It is a lesson from history that fraud always moves to the least secure form of payment available.

The first credit card was launched in 1950 in the US. To authorise a payment, the consumer simply had to present it and sign a paper where the merchant could check the conformity of the signature.

To counter the ease with which you could steal the card and imitate the holder’s signature, the system progressively changed in the ‘80s with the introduction of a PIN code.

Again, fraudsters found ways to uncover the PIN. The four-digit code is actually embedded in the black magnetic stripe on the back of the card. By using a card reader and a computer, the fraudster could run through 10,000 possibilities (from 0000 to 9999). And then BINGO.

Paying by cardNow, after 3 trials, the chip gets blocked. The chip-and-pin system has proved efficient, as long as the fraudster doesn’t already know the PIN.

But this system isn’t fit for the online world, where consumers make payments at all times of the day and in front of their computer or using their smartphone. There’s no way the consumer can key in his or her PIN. EU legislators are now looking at how to make online payments, whether card payments, credit transfers or direct debits, more secure.

How big a problem is online fraud?

In the Eurozone the value of all fraudulent transactions using cards online amounted to €1.44 billion in 2013, which represented an increase of 8% from 2012. In 2015, 71% of card fraud cases in the EU related to internet payments. In the UK, almost 1.2 million consumers were victims of online card fraud in 2015, a 20% increase on the previous year.

Indoor image of a shocked and worried young woman looking at credit card she is holding and putting her other hand on her face while giving frowning expression on face. One person, horizontal composition with copy space and selective focus.

And the harm that fraud causes to consumers can go well beyond just the financial loss. Psychologically and emotionally, the damage can be lasting, with the consumer less likely to trust the payment system and security around him.

For several years now, banks across Europe have been using tokens or card readers for online payments. In the latter case, you not only have to enter your PIN, you also generate a code that must be inserted to complete the transaction. But not every bank or service provider requires the use of these services.

In still too many cases, when the consumer wants to pay online by card, he only has to give the number of the card, the expiry date and the code at the back of the card, which is the CVV (Card Verification Value). This system is very unsafe, but it is still widely used by many online merchants.

If a thief has stolen the card number, he has the basic data he needs to make a payment. All he needs is a computer program to get the expiry date (12 months on 5 years = 60 trials) and the CVV (1000 trials).

In case of fraud, it is cumbersome for the consumer to get reimbursed. The burden of proof can be on him, which is time-consuming and requires dedication. Sometimes banks refuse to reimburse the consumer if they believe he did not keep his payment instrument safe.

The EU wants to increase the level of security in online payments, which it calls Strong Customer Authentication (SCA). All banks and merchants will have to use SCA for all electronic transactions including mobile ones. Consumers will have to provide two of the three following elements when making a payment:

  • something the consumer knows, like a pin code
  • something the consumer possesses, like a card
  • something about the consumer, like fingerprints, voice or face recognition software

This much has been written into an EU law in 2015 [1]. It’s now up to the European Banking Authority (EBA) to establish the more technical aspects of this legislation: what should this system look like for consumers? [2]

Higher security means more peace of mind

Some bankers and big online merchants are now lobbying EBA furiously so that there are as many exceptions to the rules as possible. Their argument is that stringent security measures will be too cumbersome and put people off from making purchases.

Electronic paymentThey propose what’s called a risk based assessment. This is where the bank, or the retailer, looks at the likelihood of a fraudulent transaction to decide whether to authorise it, such as where the transaction is taking place, for how much or whether the IP address used is the same as previous transactions.

At BEUC, we disagree that stringent security measures will put people off. In the Netherlands, at least 60% of consumers had recently used iDEAL, a payment method which works through the consumer’s bank and with the strong authentication level now being promoted by the EU. It is now the most used payment method in the country.

Giving the fraudsters a free ride can not be an option.

There is also a big difference between making a transaction in a face-to-face environment and making one in front of a computer or smartphone. In the latter, strong security measures should be even more important than in a face-to-face transaction due to the lack of interaction.

And we are not alone in asking for stronger security measures. Last December, the EU payment industry set up a task force which aims to tackle rise in European card fraud. Banks are also taking initiatives, like the use of CVVs which change frequently to improve the security.

Hand holding mobile phone with Digital Wallet word with blurredIn practice it is possible to combine strong security and a good level of convenience. For example, many experts in fact agree that the future of payments is likely to be biometric. Using new technologies will make security measures even more usable and convenient. And any risk-based assessment should complement the strong customer authentication, not replace it.

We are often told by bankers not to worry about fraud because consumers get reimbursed if there is foul play involved. But such an answer forgets two aspects:

  • It is cumbersome for the consumer to get reimbursed. The burden of proof can be on him, which is time-consuming and requires dedication, and sometimes banks refuse to reimburse if they believe the consumer did not keep his payment instrument safe. Very often, the consumer cannot use his cards for several days and the fraud can be highly upsetting, particularly when the customer needs his card while travelling.
  • Even if the individual consumer is reimbursed, the cost of this fraud is inevitably footed by society through the bank’s other customers.

In November, this year, the UK online bank Tesco was hit by the first e-robbery in the field of payments. 9,000 consumers saw their bank accounts debited by an average amount of £270. It is quite likely that if Strong Customer Authentication had been applied, the fraud would not have been possible.

It is a lesson from history that fraud always moves to the least secure form of payment available.

Of course some derogations should exist. For example, when you want to pay contactless on the bus, there is no way you should have to insert data like your PIN. Another derogation should be when the payer and the payee are always the same. But exceptions should not become the rule.

EBA has to provide the draft legislation in February and national governments, the European Parliament and the Commission all have to discuss it before the rules become law.

EBA must stand firm and issue strong rules that will protect consumers, in the spirit of the regulation that was passed in 2015. Giving the fraudsters a free ride can not be an option.

[1] This is regulated in the Payment Services Directive 2 which was adopted as EU law in 2015.

[2] BEUC answered EBA’s consultation on the matter here.

Posted by Jean Allix