Why Global Card Fraud Doesn't DeclineUK Worst in Europe; United States Ranks Fourth Globally
Consumers in the United Kingdom experience the highest levels of payment card fraud in Europe. Meanwhile, the world's fourth-highest card fraud levels are in the United States.
Those findings come from a new study that found markedly lower levels of fraud in countries that have adopted card security microchips compliant with the EMV - for Europay, MasterCard and Visa - standard. The study, from research firm Aite Group, is based on a survey conducted by electronic payments provider ACI Worldwide of approximately 300 consumers in 20 different countries who were asked to self-report any card-related fraud they've experienced in the past five years.
The countries with the five highest levels of fraud are the United Arab Emirates (where 44 percent of surveyed consumers experienced card-related fraud in the past five years) followed by China (42 percent), India and the United States (both 41 percent), and Mexico (33 percent). That represents a slight reshuffling from a similar 2012 study, in which Mexico (44 percent) and the United States (42 percent) reported the highest levels of fraud.
Nations With Low Fraud
In 2014, the countries reporting the five lowest levels of card-related fraud were Sweden (10 percent), the Netherlands (13 percent), Germany (16 percent), New Zealand (17 percent) and Poland (18 percent). Their secret: Beyond using EMV, consumers in those countries sign up for fewer cards. "It is important to note that consumers in countries such as Sweden, Poland, and Germany are low users of credit cards," the report says.
The new study doesn't make clear why the United Kingdom has more card-related fraud than any other nation in Europe. But the U.K. accounts for more than 30 percent of all card spending in the European Union, and British consumers hold 73 percent of the EU's credit cards, according to the U.K. Cards Association.
The study also notes that the percentage of UK consumers reporting card-related fraud declined from 34 percent in 2012 to 28 percent in 2014.
But global fraud rates don't appear to have increased in the past two years. "It's not all gloom and doom for the industry," says Michael Grillo, senior product marketing manager at ACI Worldwide, in a blog post. "Global card fraud rates have remained relatively flat from the last report." That means, however, that as fraud declines in one country, criminals are focusing elsewhere. Likewise, when countries introduce new security countermeasures, fraudsters often alter their tactics to focus on easier-to-exploit types of payments.
U.S. EMV Timeline
One potential fix for the U.S. fraud problem will be moving to EMV-compliant credit and debit cards. After years of U.S. retailers and payment card brands dragging their heels, the 2013 Target breach has driven many businesses and legislators to push for rapid EMV adoption.
Making the U.S. payment card ecosystem "EMV only" won't happen quickly, in part because merchants must install EMV-compatible point-of-sale systems, and banks must pay to issue cards with EMV chips. "Many small issuers will likely roll out EMV cards more slowly than the largest issuers, so it will likely take years before the U.S. market is fully EMV-compatible," the Aite Group study says.
Gartner analyst Avivah Litan says current estimates suggest that moving to an EMV-only system in the United States will take six years.
All Or Nothing
Any EMV-related decline in U.S. fraud, however, will hinge on merchants complying with regulations. "Even nations where EMV is becoming standardized are not immune to 'card present' fraud," says Bryan Jardine, product manager at security firm Easy Solutions. "In the country of Colombia, where EMV cards were meant to be mandatory by the end of 2013, local police are actually reporting a 25 percent increase in card cloning complaints from 2012 to 2013. Many merchants still simply swipe the magnetic stripe of the card when processing a transaction instead of using EMV-compliant technology to do it, rendering the EMV cards in the transactions just as vulnerable to cloning as the insecure cards they were meant to replace."
Furthermore, even with widespread U.S. EMV compliance, it's not clear how much fraud will dip. "It should decline - in theory - but what we do know is that this change will drive more innovation and creativity with these criminals," TK Keanini, chief technology officer at network and application security vendor Lancope, tells Information Security Media Group. "We need to remind ourselves that EMV was born out of necessity and adopted first where fraud was the highest. Without EMV, the fraud levels would have been so high the system would not have been able to function."
Any decline in card-present fraud may be offset by an increase in other types of fraud. "I'd expect to see some decline in the U.S. as they switch, but not as dramatically as happened in Europe and elsewhere, where the impact on fraud with lost/stolen cards and card-present fraud, even counterfeit fraud, has been considerable," says U.K.-based David Harley, senior research fellow at anti-virus firm ESET. "Even here, though, while there may have been migration to other regions ... there was also migration to other types of card-related fraud, notably card-not-present fraud and cross-border counterfeiting."
Indeed, as the Aite Group report notes: "After rolling out EMV, other countries have experienced a big decrease in counterfeit card fraud, but this has been offset by growth in counterfeit fraud in non-EMV countries, growth in card-not-present fraud, and growth in application fraud."
The recent push in the United States for EMV has also overshadowed bigger-picture questions about whether the payment card infrastructure itself is secure. Gartner's Litan, for one, has criticized the payment card industry for focusing on data security standards - collectively spending, with retailers, billions of dollars on related compliance - and pushing a "faulty and antiquated payment system" instead of spending money to upgrade payment system infrastructure to encrypt the transfer of card data between retailers and card issuers, as well as use EMV.
Today's payment card systems - whether EMV-compliant or not - can't block many types of malware attacks. "If malware is installed inside the POS devices, where names and account numbers were temporarily stored unencrypted, it doesn't matter what kind of card customers are using; any customer identifiable information stored in the clear can be read and reused if obtained by an attack," says Jardine of Easy Solutions.
That's why EMV cards wouldn't have stopped the Target breach, Troy Leach, lead security standards architect for the Payment Card Industry Data Security Standards Council, told Congress in March. "Protection from malware-based attacks requires more than just EMV chip technology," he said. "EMV chip technology could not have prevented the unauthorized access, introduction of malware and subsequent exfiltration of cardholder data" (see Target Hearings: EMV Not Enough).
Likewise, EMV won't stop "card not present" fraud, such as for orders placed online or via the phone. "An EMV card cannot provide any protection in these scenarios, which comprise two-thirds of fraud attacks, because there is no way to enter a PIN or scan the card," Jardine says.
To reduce overall fraud levels, security experts say card issuers should be focusing not just on point security improvements, such as EMV, but more big-picture changes. "When you look at this problem, you have to see it not as just stolen card information, but as a lifecycle of criminal activity that ends with making money," says Lancope's Keanini. "Only then can you start to change the economics and make it more expensive for the criminal to operate."