www.europeanpaymentscouncil.eu PRES EPCXXX_07 EPC Card Fraud Prevention & Security Activities Cédric Sarazin – Chairman Card Fraud Prevention TF 19. December 2007, FPEG Meeting - Brussels

EPC Card Fraud Prevention & Security Activities

Cédric Sarazin – Chairman Card Fraud Prevention TF

19. December 2007, FPEG Meeting - Brussels

Page 2

EPC and a SEPA for cards: The timelines

[Figure: timeline, 2002 to 2010, with the following labels]

EPC Cards Working Group (Chair: Claude Brun)

EPC SEPA Card Framework (SCF)

Cards Standardisation TF (Chair: Peter Blasche)

Minimum requirements

Recommended specifications

Card Fraud Prevention TF (Chair: Cédric Sarazin)

Page 3

SEPA Cards Framework (SCF)

• The SCF was approved by the EPC Plenary on 8 March 2006

• The SCF spells out high-level principles and rules which, when implemented by banks, schemes, and other stakeholders, will enable European customers to use general purpose cards to make payments and cash withdrawals in euro throughout the SEPA area with the same ease and convenience as they do in their home country. There should be no differences whether they use their card(s) in their home country or somewhere else within SEPA.

• The SCF creates the potential for any SCF terminal to accept any SCF card with a SEPA based acquirer of the merchant’s choice.

• SCF only covers euro card payments and cash withdrawals

• Provides a single framework for banks, for schemes and for processors/infrastructures to become SEPA compliant (self-assessment procedure with EPC monitoring)

Page 4

Highlights from the SCF

• Acquirers will offer merchants the option to acquire SCF compliant card transactions from one or more SCF compliant schemes from 1 January 2008 onwards.

• As fraud prevention is one of the priorities, the SCF indicates that the EMV chip will be the supporting technology for cards, together with support for PIN on the acquiring side.

• The SCF sets out the high-level principles to foster competition between providers of technical infrastructure and payment services and to remove legal and technical barriers. SCF compliant card schemes will separate governance from processing functions.

• The SCF contains both a number of short term objectives and a longer term vision on the standardisation of the elements of the payment chain.

• The European Central Bank recently commented on the proposed migration towards a SEPA for cards and acknowledged the importance of the SCF.

Page 5

Impacts of EPC activities on the different elements of card payment schemes

[Diagram: elements of a card payment scheme and the EPC activities that affect them]

Elements: Certification; Authorisation Switching; Clearing & Settlement; Product Definition & Rules; Security & Risk Management; Technical Standards; Interlinking (Gateways to other systems)

EPC activities: Card Fraud Prevention TF; SEPA Cards Framework (separation of the governance from processing functions & EMV); Cards Standardisation TF

Page 6

Card Fraud Prevention TF Mission, Work & Resolutions

• 1 two-day Forum "Fighting Card Fraud across Europe" (Paris 8-9 October 2003)

• 1 Resolution on "Preventing and Fighting Card Fraud across Europe" (Approved by the Plenary in December 2003)

• 1 Resolution "Preventing Card Fraud in the New SEPA Environment" (Approved by the Plenary in March 2007)

The mission of the Card Fraud Prevention Task Force is to promote card fraud prevention tools within the banking industry and to develop tactical initiatives to fight against card fraud across SEPA.

To complete its mission the Task Force will follow a continuous process of:

- Identification of issues (sharing of information about new threats)

- Prediction of trends (sharing and development of statistics)

- Promotion of prevention tools (Chip/PIN, databases, authentication methods…)

- Development of innovative tactical initiatives

- Commitment of industry (EPC resolutions and recommendations)

Page 7

Card Fraud Trends in SEPA

• In most SEPA countries:

– Counterfeit fraud

– Magstripe skimming compromise cases (& subsequent fraud outside of chip countries)

– Card Not Present fraud (e-commerce notably)

– Fraudsters targeting weak points / sectors / environments

– See examples in a few countries (next slides)

Page 8

Evolution of Fraud on CB Cards

[Figure: bar chart, axis label "Million" (0 to 100), for 2004, 2005, 2006 and 2007*; fraud types: Lost/Stolen, MS Skimming, "Yescard", MOTO; shown for CB System and for Worldwide, out of which EU]

Most important evolutions:

• Dynamic Data Authentication

• Fight against skimming

• Securing e-commerce

Fraud Rate CB: 0,034% 0,033% 0,035% 0,034%

Fraud Rate-Cross system: 0,71% 0,49% 0,47% 0,50%

Page 9

Initial impact of chip and PIN on fraud on UK cards

[Figure: chart in £ millions (axis 0 to 600), 1995 to 2006; series: UK ATM; Cash withdrawals at UK counters; UK MOTO & Internet; UK High Street purchases; International]

Chip and PIN successfully combating targeted fraud types

In 24 months: losses at UK high street retailers down £147mn

Benefits of EMV starting to be realised

Source: APACS Statistics

Page 10

Fraud to sales turnover at UK retail

[Figure: chart of ratio in % (axis 0.00 to 0.30), 1995 to 2006; series: Credit, Debit, Charge, Total]

Fraud to sales levels at UK high street retailers at their lowest for six years.

For all card products combined the rate is below 10 basis points

Source: APACS Statistics

Page 11

Card Fraud Prevention TF: Current Priorities

• Preventing the use of counterfeit cards at SEPA terminals

– Completing EMV migration

– Monitoring EMV migration

=> Currently 56% of cards, 59% of POS, 72% of ATMs in EU

– Eliminating magstripe fallback at EMV terminals

• Combating Card Not Present (CNP) fraud

– E-commerce environment: CVX2 full implementation

– MO/TO environment: CVX2

– E-commerce environment: 3D-Secure implementation

• Collecting aggregated statistics on card fraud in SEPA

• … and also:

– Work on card anti-skimming measures

– Fraud in specific environments (such as airlines)

– Work on cardholder authentication methods in e-commerce

Page 12

Examples of Anti-Fishing/Anti-Skimming (AFAS) Devices

Page 13

Securing e-commerce

• CVX2 mandatory in all e-commerce transactions (EPC Resolution: by 1st January 2008)

• 3D Secure: liability shift on card issuers if the merchant is 3D-Secure equipped (EPC Resolution: by 1st January 2009)

• Strong authentication of cardholders to be promoted, notably using EMV chip.

Page 14

Strong Authentication using Chip: Some pilots or tests

Page 15

SEPA Card Standardisation Activities, including Security Requirements

[Diagram: standardisation initiatives placed between Cardholder, Acceptor, Acquirer, Issuer and PSP, with EPC as Project Coordinator]

• EPAS Consortium (Harmonised Acquirer to Terminal Exchanges at SEPA Level)

• ERIDANE Project (Harmonised Terminal Architecture at SEPA Level)

• ISO8583 / ISO20022 EPC Expert Group (Harmonised Issuer to Acquirer Exchanges at SEPA Level)

• EMV Standard + CIR Working Group (Harmonised EMV Implementations at SEPA Level)

• PCI Standards + CAS Project (Harmonised Security Requirements and Evaluations at SEPA Level)

CIR: Common Implementation Requirements; EPAS: Electronic Protocols Application Software; PCI: Payment Card Industry; CAS: Common Approval Scheme

Page 16

EPC Standards for Card Terminals

[Diagram: card terminal standards and the parties they connect]

Parties and components: Electronic Cash Register; Terminal (Terminal Architecture, Application); Terminal Manager; Acquirer; Issuer

Standards and protocols shown: EPAS; Retailer Protocol; Transaction: Acquirer Protocol; Terminal Management; Terminal: ERIDANE; CIR / TWG (SEPA-FAST); Acquirer-to-Issuer Protocols; CAS (Security & Certification)

Page 17

EPC Card Standards Implementation Plan

[Figure: timeline with milestones 2007, 2008, 2010, 2012, 2015]

Labels on the timeline: SCF implementation; SCF is the framework for all SEPA cards schemes; All schemes SCF compliant; Minimum req’s available; Application of Minimum Requirements; Only minimum req’s elements; Recommended specs available; Application of Recommended Specifications; Promotion by schemes; Schemes include support; Implementation

Page 18

Thank you for your Attention

www.europeanpaymentscouncil.eu