Banque de France ALEXANDRE STERVINOU
Transcript of Banque de France ALEXANDRE STERVINOU
Monitoring card payment fraud
1. The French Observatory for Payment Card Security
2. Fraud statistics and trends
3. Main security topics & recommendations
Check online @ www.observatoire-cartes.fr
The need for public intervention
■ The merge of the two leading domestic card schemes in the mid-80’s and the push for card acceptance at merchants led to a wide adoption of cards as a payment instrument Security a key element to the development of card payments
■ Despite Chip & PIN introduced in France in 1992, security
issues arose around the security of payment cards Got media attention in the late 90’s / 2000 Endangered public confidence in cards
■ The French legislator took concrete measures (Everyday Security Act – 2001) Banque de France had its oversight mandate extended to payment instruments Creation of an Observatory aimed at ensuring the security of card payments,
with all stakeholders involved
Banque de France extended oversight over payment instruments
■ All payment instrument issuers covered Includes issuing, administering and outsourcing of means of payments
■ Offsite/onsite inspections of all relevant entities Including technical providers / vendors
■ Close cooperation with the banking supervisor Annual reports from licensed entities on operational risk The EU Payment Services and e-money Directives introduced new
categories of payment service providers alongside banks As part of the licensing process under the supervisor’s responsibility,
Banque de France delivers an official statement on security of payment services and instruments
The French Observatory for Payment Card Security
■ Chaired by the Governor of Banque de France Members: MP, Senator, representatives for issuers, acquirers, schemes,
merchants, consumers and government bodies Bound by professional secrecy Secretariat: Banque de France
■ Three missions Elaborating fraud statistics Ensuring a technology watch and issuing recommendations Following closely security measures deployed by issuers/banks and
merchants
■ Annual report published online (in July)
The Observatory’s internal organisation (1)
The working group on statistics
■ Composition : – Defined by the Observatory by absolute majority, – Relies on technical experts delegated by the Observatory members.
■ Missions :
– Issues guidelines aimed at harmonising procedures for establishing fraud statistics for the various types of payment cards,
– Compiles statistics on fraud on the basis of the relevant information disclosed by payment card issuers to the Observatory's secretariat,
– Covers cards issued by payment service providers or other assimilated entities, that serve to withdraw or transfer funds.
■ Current focus : – Statistics related to 3D-Secure implementation (on the acquiring side) and 2FA
mechanisms using this protocol, – Contactless payments.
The working group on technology watch
■ Composition : – Similar to the working group on statistics, – May hear relevant stakeholders able to provide information useful to its
mandate.
■ Missions : – Maintains a technology watch in the card payments field, with the aim of
proposing measures to increase or maintain their security, – Collects all the available information that is liable to reinforce payment card
security and puts it at the disposal of its members, – Organises the exchange of information between its members while respecting
confidentiality where necessary.
The Observatory’s internal organisation (2)
The working group on technology watch Main studies since 2002 :
General topics Security of innovations
Standardisation and certification (2005/2007/2010)
Security of online / card-not-present transactions, 2FA (2008/2013)
Follow-up of the EMV migration in the SEPA area Security of prepaid cards (2010)
Security of mail orders and telephone orders (2009)
Contactless cards and mobile phones (2004/2007/2009/2012/2014)
Impact of co-branding on payment card security (2008)
Terminals
Security of open networks (2004/2006) Security of payment terminals (2005/2013)
Impact of biometry and cryptology on security (2003/2004/2014)
Security of unattended payment terminals and automated teller machines (2006)
Automated fraud detection systems (2003) Security of UPT networks (2008)
Security of « Light » terminals (2009)
The Observatory’s internal organisation (3)
■ Structure : – A specific case study → In 2010 and 2011, costs analysis related to the migrations to EMV and 2FA → Since 2012, stocktaking regarding the deployment of 2FA – Chapters on statistics and technology watch, incl. recommendations – A dedicated chapter of general interest drafted by the Secretariat → In 2011, security issues related to the emergence of a new European card payment scheme → In 2013, protection of personal data in fraud prevention systems
■ Adoption : – during the June Plenary meeting, – by absolute majority.
■ Publication : – Annual release at the beginning of July (FR version, EN in September), – Press conference (w/ Q&A) held by the President.
■ Follow-up of recommendations ensured by Banque de France
Annual report & Follow-up
Monitoring card payment fraud
1. The French Observatory for Payment Card Security
2. Fraud statistics and trends
3. Main security topics & recommendations
Card payment landscape in France (1)
Cheques 13%
Others 0%
e-money 0%
Cards 50%
Direct debits 19%
Credit transfers
18%
Payments in FR / 2014 (volume)
FR 27%
ES 9%
NL 9% IT
7%
DE 29%
Other 19%
Payments in Euro area / 2013
0
1,000
2,000
3,000
4,000
5,000
6,000
7,000
8,000
9,000
10,000
2009 2010 2011 2012 2013 2014
Nu
mb
er
of
op
era
tio
ns
(mil
lio
ns)
Cheques Credit transfers Direct debits Others Cards e-money Cash withdrawals
Card payment landscape in France (2)
Card payment fraud (2)
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%
2006 2007 2008 2009 2010 2011 2012 2013 2014
FR/FR
International
Share of domestic (FR/FR) vs. international (FR/ET, ET/FR) fraud
(EMV in Europe) (CNP) + (EMV outside EU)
Card payment fraud (3)
0.0%
2.0%
4.0%
6.0%
8.0%
10.0%
12.0%
14.0%
16.0%
18.0%
20.0%
2011 2012 2013 2014
FR/ET
ET/FR
FR/SEPA
SEPA/FR
Focus on international fraud:
• Cards issued in France and frauded in SEPA or beyond (ET) • Cards from SEPA or beyond and frauded in France
EMV Worldwide CNP Internet Europe
Card payment fraud (4)
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
2006 2007 2008 2009 2010 2011 2012 2013 2014
Proximity payments
CNP w/o Internet
CNP Internet
Cash withdrawals
Breakdown of domestic fraud
CNP Internet: 65.3% of total fraud
(11.3% of total tx)
Proximity: 16% of total fraud (66% of total tx)
Slight increase in fraud on cash withdrawals
Card payment fraud (5)
0.000%
0.005%
0.010%
0.015%
0.020%
0.025%
0.030%
0.035%
0.040%
0.045%
0.050%
2010 2011 2012 2013 2014
Fraud rates Total vs. Proximity and Cash withdrawals
Proximity payments
Cash withdrawals
Total
0.000%
0.050%
0.100%
0.150%
0.200%
0.250%
0.300%
0.350%
0.400%
2010 2011 2012 2013 2014
Fraud rates CNP Internet vs. Total
CNP Internet
Total
Focus on domestic fraud rates
611
1109 1028 1048
17 31 103
525
13 60 85
35 0
200
400
600
800
1000
1200
2011 2012 2013 2014
Police forces indicators: number of attacks on acceptance devices
ATM
UPT
POS
!
Monitoring card payment fraud
1. The French Observatory for Payment Card Security
2. Fraud statistics and trends
3. Main security topics & recommendations
Summary of main threats and recommendations
Type of risk Recommended measures
Counterfeiting Insert hologram
Use cryptographic processes to identify components
Certification of components (card, terminal)
Theft Market-wide introduction of EMV standard
Authenticate cardholders using PIN
Set thresholds for transactions in contactless and prepaid mode
Use fraud detection systems
Compromise of card data Implement anti-phishing measures, conduct communication campaigns
Protect data end to end (encryption), use private networks
Use CVX2 for card-not-present transactions
Use virtual dynamic cards
Protect sensitive data by applying international standards
Enhance physical security of UPTs and instant issue systems
Limit use of stripe readers in UPTs
Use dedicated PAN for certain modes (contactless, mobile)
Have function to deactivate radio transmissions in contactless mode
Use cases that block radio waves
Online identity theft Enhanced cardholder authentication (also called one-time authentication)
CNP
Contactless
Enhancing online card payments security (1)
■ Since 2008, the Observatory main priority has been combatting Card-not-present fraud – Actions towards issuers/banks and e-merchants taken by Banque de France
■ Strong customer authentification / 2FA a must for online payments – Not necessarily the only solution but scoring techniques, etc., cannot replace it – Card issuers requested to have their carholders 2FA ready – Risk based approach allowing a progressive deployment by e-merchants
■ Cannot be a French only initiative – Banque de France strongly supported the emergence of a European forum for
supervisors and central bankers: SecuRe Pay (2011) – The revised European Payment Services Directive will implement 2FA in law
(adoption 2015, entry into force 2017/18)
6.14%
66.37%
71.46%
78.14% 79.67% 79.63% 74.94%
99.65% 99.74% 99.77% 100.00% 100.00% 100.00%
100.00%
77.00%
88.94% 88.26% 89.95% 93.70%
93.30% 90.90%
0.00%
20.00%
40.00%
60.00%
80.00%
100.00%
120.00%
April 2012 October 2012 April 2013 October 2013 April 2014 October 2014 April 2015
Cardholder 2FA equipment rate
Least advancedbankMost advancedbankAverage
Range for 50% of banks
Enhancing online card payments security (2)
10.93%
6.24%
10.54% 11.18%
7.60%
5.73% 4.52%
30.66%
43.21%
24.21% 23.41% 24.04% 21.73%
21.73%
19.70%
22.17%
17.47% 17.36%
15.35% 16.00%
14.59% 13.77%
12.05% 14.37%
14.80% 14.93%
0.00%
5.00%
10.00%
15.00%
20.00%
25.00%
30.00%
35.00%
40.00%
45.00%
50.00%
April 2012 October 2012 April 2013 October 2013 April 2014 October 2014 April 2015
3D-Secure failure rates
Least affected bank
Most affected bank
Average
Non 3D-Secure
Range for 50% of banks
Enhancing online card payments security (3)
19.00%
29.01%
15.88% 16.38% 18.14%
32.09% 32.09%
72.00%
80.72% 80.01% 79.78%
70.55%
86.62% 90.70%
52.00%
42.34% 42.36%
47.05%
43.11%
54.65% 57.58%
0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
80.00%
90.00%
100.00%
April 2012 October 2012 April 2013 October 2013 April 2014 October 2014 April 2015
e-merchants 3D-Secure equipment rate
Least advanced banks
Most advanced bank
Average
Range for 50% of banks
Enhancing online card payments security (4)
Security of contactless card payments
■ Since 2007, the Observatory has regularly analyzed the security of contactless technology – Remote activation // Eavesdropping
■ More a reputational risk than a financial one
– Transaction tresholds (number, amount of transactions, incl. cumulative) – Limited reuse of captured data
■ Recommendations issued to issuers: – Deactivation mechanisms for the contactless interface (remote EMV scripts ;
protective sleeves/shields) – Ability to issue contact-only cards on customer demand
■ First fraud figures gathered for 2014 – Origin of fraud: lost & stolen cards // Confirms the Observatory analysis &
conclusions – Fraud rate between proximity payments and cash withdrawals