Banque de France ALEXANDRE STERVINOU

ALEXANDRE STERVINOU

Banque de France

Monitoring card payment fraud

1. The French Observatory for Payment Card Security

2. Fraud statistics and trends

3. Main security topics & recommendations

Check online @ www.observatoire-cartes.fr

http://www.observatoire-cartes.fr/



The need for public intervention

■ The merge of the two leading domestic card schemes in the mid-80’s and the push for card acceptance at merchants led to a wide adoption of cards as a payment instrument Security a key element to the development of card payments

■ Despite Chip & PIN introduced in France in 1992, security

issues arose around the security of payment cards Got media attention in the late 90’s / 2000 Endangered public confidence in cards

■ The French legislator took concrete measures (Everyday Security Act – 2001) Banque de France had its oversight mandate extended to payment instruments Creation of an Observatory aimed at ensuring the security of card payments,

with all stakeholders involved

Banque de France extended oversight over payment instruments

■ All payment instrument issuers covered Includes issuing, administering and outsourcing of means of payments

■ Offsite/onsite inspections of all relevant entities Including technical providers / vendors

■ Close cooperation with the banking supervisor Annual reports from licensed entities on operational risk The EU Payment Services and e-money Directives introduced new

categories of payment service providers alongside banks As part of the licensing process under the supervisor’s responsibility,

Banque de France delivers an official statement on security of payment services and instruments

The French Observatory for Payment Card Security

■ Chaired by the Governor of Banque de France Members: MP, Senator, representatives for issuers, acquirers, schemes,

merchants, consumers and government bodies Bound by professional secrecy Secretariat: Banque de France

■ Three missions Elaborating fraud statistics Ensuring a technology watch and issuing recommendations Following closely security measures deployed by issuers/banks and

merchants

■ Annual report published online (in July)

The Observatory’s internal organisation (1)

The working group on statistics

■ Composition : – Defined by the Observatory by absolute majority, – Relies on technical experts delegated by the Observatory members.

■ Missions :

– Issues guidelines aimed at harmonising procedures for establishing fraud statistics for the various types of payment cards,

– Compiles statistics on fraud on the basis of the relevant information disclosed by payment card issuers to the Observatory's secretariat,

– Covers cards issued by payment service providers or other assimilated entities, that serve to withdraw or transfer funds.

■ Current focus : – Statistics related to 3D-Secure implementation (on the acquiring side) and 2FA

mechanisms using this protocol, – Contactless payments.

The working group on technology watch

■ Composition : – Similar to the working group on statistics, – May hear relevant stakeholders able to provide information useful to its

mandate.

■ Missions : – Maintains a technology watch in the card payments field, with the aim of

proposing measures to increase or maintain their security, – Collects all the available information that is liable to reinforce payment card

security and puts it at the disposal of its members, – Organises the exchange of information between its members while respecting

confidentiality where necessary.


The working group on technology watch Main studies since 2002 :

General topics Security of innovations

Standardisation and certification (2005/2007/2010)

Security of online / card-not-present transactions, 2FA (2008/2013)

Follow-up of the EMV migration in the SEPA area Security of prepaid cards (2010)

Security of mail orders and telephone orders (2009)

Contactless cards and mobile phones (2004/2007/2009/2012/2014)

Impact of co-branding on payment card security (2008)

Terminals

Security of open networks (2004/2006) Security of payment terminals (2005/2013)

Impact of biometry and cryptology on security (2003/2004/2014)

Security of unattended payment terminals and automated teller machines (2006)

Automated fraud detection systems (2003) Security of UPT networks (2008)

Security of « Light » terminals (2009)


■ Structure : – A specific case study → In 2010 and 2011, costs analysis related to the migrations to EMV and 2FA → Since 2012, stocktaking regarding the deployment of 2FA – Chapters on statistics and technology watch, incl. recommendations – A dedicated chapter of general interest drafted by the Secretariat → In 2011, security issues related to the emergence of a new European card payment scheme → In 2013, protection of personal data in fraud prevention systems

■ Adoption : – during the June Plenary meeting, – by absolute majority.

■ Publication : – Annual release at the beginning of July (FR version, EN in September), – Press conference (w/ Q&A) held by the President.

■ Follow-up of recommendations ensured by Banque de France

Annual report & Follow-up

Card payment landscape in France (1)

Cheques 13%

Others 0%

e-money 0%

Cards 50%

Direct debits 19%

Credit transfers

18%

Payments in FR / 2014 (volume)

FR 27%

ES 9%

NL 9% IT

7%

DE 29%

Other 19%

Payments in Euro area / 2013

0

1,000

2,000

3,000

4,000

5,000

6,000

7,000

8,000

9,000

10,000

2009 2010 2011 2012 2013 2014

Nu

mb

er

of

op

era

tio

ns

(mil

lio

ns)

Cheques Credit transfers Direct debits Others Cards e-money Cash withdrawals

Card payment landscape in France (2)

Card payment fraud (1)


0.0%

10.0%

20.0%

30.0%

40.0%

50.0%

60.0%

2006 2007 2008 2009 2010 2011 2012 2013 2014

FR/FR

International

Share of domestic (FR/FR) vs. international (FR/ET, ET/FR) fraud

(EMV in Europe) (CNP) + (EMV outside EU)


0.0%

2.0%

4.0%

6.0%

8.0%

10.0%

12.0%

14.0%

16.0%

18.0%

20.0%

2011 2012 2013 2014

FR/ET

ET/FR

FR/SEPA

SEPA/FR

Focus on international fraud:

• Cards issued in France and frauded in SEPA or beyond (ET) • Cards from SEPA or beyond and frauded in France

EMV Worldwide CNP Internet Europe


0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

60.00%

70.00%

2006 2007 2008 2009 2010 2011 2012 2013 2014

Proximity payments

CNP w/o Internet

CNP Internet

Cash withdrawals

Breakdown of domestic fraud

CNP Internet: 65.3% of total fraud

(11.3% of total tx)

Proximity: 16% of total fraud (66% of total tx)

Slight increase in fraud on cash withdrawals


0.000%

0.005%

0.010%

0.015%

0.020%

0.025%

0.030%

0.035%

0.040%

0.045%

0.050%

2010 2011 2012 2013 2014

Fraud rates Total vs. Proximity and Cash withdrawals

Proximity payments

Cash withdrawals

Total

0.000%

0.050%

0.100%

0.150%

0.200%

0.250%

0.300%

0.350%

0.400%

2010 2011 2012 2013 2014

Fraud rates CNP Internet vs. Total

CNP Internet

Total

Focus on domestic fraud rates

611

1109 1028 1048

17 31 103

525

13 60 85

35 0

200

400

600

800

1000

1200

2011 2012 2013 2014

Police forces indicators: number of attacks on acceptance devices

ATM

UPT

POS

!

Summary of main threats and recommendations

Type of risk Recommended measures

Counterfeiting Insert hologram

Use cryptographic processes to identify components

Certification of components (card, terminal)

Theft Market-wide introduction of EMV standard

Authenticate cardholders using PIN

Set thresholds for transactions in contactless and prepaid mode

Use fraud detection systems

Compromise of card data Implement anti-phishing measures, conduct communication campaigns

Protect data end to end (encryption), use private networks

Use CVX2 for card-not-present transactions

Use virtual dynamic cards

Protect sensitive data by applying international standards

Enhance physical security of UPTs and instant issue systems

Limit use of stripe readers in UPTs

Use dedicated PAN for certain modes (contactless, mobile)

Have function to deactivate radio transmissions in contactless mode

Use cases that block radio waves

Online identity theft Enhanced cardholder authentication (also called one-time authentication)

CNP

Contactless

Enhancing online card payments security (1)

■ Since 2008, the Observatory main priority has been combatting Card-not-present fraud – Actions towards issuers/banks and e-merchants taken by Banque de France

■ Strong customer authentification / 2FA a must for online payments – Not necessarily the only solution but scoring techniques, etc., cannot replace it – Card issuers requested to have their carholders 2FA ready – Risk based approach allowing a progressive deployment by e-merchants

■ Cannot be a French only initiative – Banque de France strongly supported the emergence of a European forum for

supervisors and central bankers: SecuRe Pay (2011) – The revised European Payment Services Directive will implement 2FA in law

(adoption 2015, entry into force 2017/18)

6.14%

66.37%

71.46%

78.14% 79.67% 79.63% 74.94%

99.65% 99.74% 99.77% 100.00% 100.00% 100.00%

100.00%

77.00%

88.94% 88.26% 89.95% 93.70%

93.30% 90.90%

0.00%

20.00%

40.00%

60.00%

80.00%

100.00%

120.00%

April 2012 October 2012 April 2013 October 2013 April 2014 October 2014 April 2015

Cardholder 2FA equipment rate

Least advancedbankMost advancedbankAverage

Range for 50% of banks


10.93%

6.24%

10.54% 11.18%

7.60%

5.73% 4.52%

30.66%

43.21%

24.21% 23.41% 24.04% 21.73%

21.73%

19.70%

22.17%

17.47% 17.36%

15.35% 16.00%

14.59% 13.77%

12.05% 14.37%

14.80% 14.93%

0.00%

5.00%

10.00%

15.00%

20.00%

25.00%

30.00%

35.00%

40.00%

45.00%

50.00%


3D-Secure failure rates

Least affected bank

Most affected bank

Average

Non 3D-Secure



19.00%

29.01%

15.88% 16.38% 18.14%

32.09% 32.09%

72.00%

80.72% 80.01% 79.78%

70.55%

86.62% 90.70%

52.00%

42.34% 42.36%

47.05%

43.11%

54.65% 57.58%

0.00%

10.00%

20.00%

30.00%

40.00%

50.00%

60.00%

70.00%

80.00%

90.00%

100.00%


e-merchants 3D-Secure equipment rate

Least advanced banks

Most advanced bank

Average



Security of contactless card payments

■ Since 2007, the Observatory has regularly analyzed the security of contactless technology – Remote activation // Eavesdropping

■ More a reputational risk than a financial one

– Transaction tresholds (number, amount of transactions, incl. cumulative) – Limited reuse of captured data

■ Recommendations issued to issuers: – Deactivation mechanisms for the contactless interface (remote EMV scripts ;

protective sleeves/shields) – Ability to issue contact-only cards on customer demand

■ First fraud figures gathered for 2014 – Origin of fraud: lost & stolen cards // Confirms the Observatory analysis &

conclusions – Fraud rate between proximity payments and cash withdrawals

Banque de France ALEXANDRE STERVINOU

Documents

Transcript of Banque de France ALEXANDRE STERVINOU