Www.europeanpaymentscouncil.eu PRES EPCXXX_07 EPC Card Fraud Prevention & Security Activities...
www.europeanpaymentscouncil.eu PRES EPCXXX_07
EPC Card Fraud Prevention & Security Activities
Cédric Sarazin – Chairman, Card Fraud Prevention TF
19 December 2007, FPEG Meeting - Brussels
Page 2
EPC and a SEPA for cards: The timelines
[Timeline figure, 2002 to 2010:]
- EPC Cards Working Group (Chair: Claude Brun)
- EPC SEPA Card Framework (SCF)
- Cards Standardisation TF (Chair: Peter Blasche): Minimum requirements, Recommended specifications
- Card Fraud Prevention TF (Chair: Cédric Sarazin)
Page 3
SEPA Cards Framework (SCF)
• The SCF was approved by the EPC Plenary on 8 March 2006
• The SCF spells out high-level principles and rules which, when implemented by banks, schemes, and other stakeholders, will enable European customers to use general purpose cards to make payments and cash withdrawals in euro throughout the SEPA area with the same ease and convenience as they do in their home country. There should be no differences whether they use their card(s) in their home country or somewhere else within SEPA.
• The SCF creates the potential for any SCF terminal to accept any SCF card with a SEPA based acquirer of the merchant’s choice.
• SCF only covers euro card payments and cash withdrawals
• Provides a single framework for banks, for schemes and for processors/infrastructures to become SEPA compliant (self-assessment procedure with EPC monitoring)
Page 4
Highlights from the SCF
• Acquirers will offer merchants the option to acquire SCF compliant card transactions from one or more SCF compliant schemes from 1 January 2008 onwards.
• As fraud prevention is one of the priorities, the SCF indicates that the EMV chip will be the supporting technology for cards, together with support of PIN on the acquiring side.
• The SCF sets out the high-level principles to foster competition between providers of technical infrastructure and payment services and to remove legal and technical barriers. SCF compliant card schemes will separate governance from processing functions.
• The SCF contains both a number of short term objectives and a longer term vision on the standardisation of the elements of the payment chain.
• The European Central Bank recently commented on the proposed migration towards a SEPA for cards and acknowledged the importance of the SCF.
Page 5
Impacts of EPC activities on the different elements of card payment schemes
[Diagram. Elements of card payment schemes:]
- Certification
- Authorisation Switching
- Clearing & Settlement
- Product Definition & Rules
- Security & Risk Management
- Technical Standards
- Interlinking (Gateways to other systems)
[EPC activities shown against these elements:]
- Card Fraud Prevention TF
- SEPA Cards Framework (separation of the governance from processing functions & EMV)
- Cards Standardisation TF
Page 6
Card Fraud Prevention TF Mission, Work & Resolutions
• 1 two-day Forum "Fighting Card Fraud across Europe" (Paris 8-9 October 2003)
• 1 Resolution on "Preventing and Fighting Card Fraud across Europe" (Approved by the Plenary in December 2003)
• 1 Resolution "Preventing Card Fraud in the New SEPA Environment" (Approved by the Plenary in March 2007)
The mission of the Card Fraud Prevention Task Force is to promote card fraud prevention tools within the banking industry and to develop tactical initiatives to fight against card fraud across SEPA.
To complete its mission the Task Force will follow a continuous process of:
- Identification of issues (sharing of information about new threats)
- Prediction of trends (sharing and development of statistics)
- Promotion of prevention tools (Chip/PIN, databases, authentication methods…)
- Development of innovative tactical initiatives
- Commitment of industry (EPC resolutions and recommendations)
Page 7
Card Fraud Trends in SEPA
• In most SEPA countries:
– Counterfeit fraud
– Magstripe skimming compromise cases (& subsequent fraud outside of chip countries)
– Card Not Present fraud (e-commerce notably)
– Fraudsters targeting weak points / sectors / environments
– See examples from a few countries (next slides)
Page 8
Evolution of Fraud on CB Cards
[Bar chart: fraud on CB cards in million € (axis 0 to 100) for 2004, 2005, 2006 and 2007*, shown for CB System, Worldwide, and out of which EU; categories: Lost/Stolen, MS Skimming, "Yescard", MOTO]
Most important evolutions:
• Dynamic Data Authentication
• Fight against skimming
• Securing e-commerce
Fraud Rate CB: 0,034% 0,033% 0,035% 0,034%
Fraud Rate-Cross system: 0,71% 0,49% 0,47% 0,50%
Page 9
Initial impact of chip and PIN on fraud on UK cards
[Chart: fraud on UK cards in £ millions (axis 0 to 600), 1995 to 2006; series: UK ATM, Cash withdrawals at UK counters, UK MOTO & Internet, UK High Street purchases, International]
Chip and PIN successfully combating targeted fraud types
In 24 months: losses at UK high street retailers down £147mn
Benefits of EMV starting to be realised
Source: APACS Statistics
Page 10
Fraud to sales turnover at UK retail
[Chart: ratio in % (axis 0.00 to 0.30), 1995 to 2006; series: Credit, Debit, Charge, Total]
Fraud to sales levels at UK high street retailers at their lowest for six years.
For all card products combined the rate is below 10 basis points
Source: APACS Statistics
Page 11
Card Fraud Prevention TF: Current Priorities
• Preventing the use of counterfeit cards at SEPA terminals
– Completing EMV migration
– Monitoring EMV migration
=> Currently 56% of cards, 59% of POS, 72% of ATMs in EU
– Eliminating magstripe fallback at EMV terminals
• Combating Card Not Present (CNP) fraud
– E-commerce environment: CVX2 full implementation
– MO/TO environment: CVX2
– E-commerce environment: 3D-Secure implementation
• Collecting aggregated statistics on card fraud in SEPA
• … and also:
– Work on card anti-skimming measures
– Fraud in specific environments (such as airlines)
– Work on cardholder authentication methods in e-commerce
Page 12
Examples of Anti-Fishing/Anti-Skimming (AFAS) Devices
Page 13
Securing e-commerce
• CVX2 mandatory in all e-commerce transactions (EPC Resolution: by 1st January 2008)
• 3D Secure: liability shift on card issuers if the merchant is 3D-Secure equipped (EPC Resolution: by 1st January 2009)
• Strong authentication of cardholders to be promoted, notably using EMV chip.
Page 14
Strong Authentication using Chip: Some pilots or tests
Page 15
SEPA Card Standardisation Activities, including Security Requirements
[Diagram. Actors: Cardholder, Acceptor, Issuer, Acquirer, PSP. EPC as Project Coordinator for:]
- EPAS Consortium (Harmonised Acquirer to Terminal Exchanges at SEPA Level)
- ERIDANE Project (Harmonised Terminal Architecture at SEPA Level)
- ISO8583 / ISO20022 EPC Expert Group (Harmonised Issuer to Acquirer Exchanges at SEPA Level)
- EMV Standard + CIR Working Group (Harmonised EMV Implementations at SEPA Level)
- PCI Standards + CAS Project (Harmonised Security Requirements and Evaluations at SEPA Level)
CIR: Common Implementation Requirements; EPAS: Electronic Protocols Application Software; PCI: Payment Card Industry; CAS: Common Approval Scheme
Page 16
EPC Standards for Card Terminals
[Diagram. Labels shown:]
- Terminal Architecture, Application
- Terminal: ERIDANE
- CIR / TWG (SEPA-FAST)
- EPAS
- Electronic Cash Register, Retailer Protocol
- Acquirer, Transaction: Acquirer Protocol
- Terminal Manager, Terminal Management
- Issuer, Acquirer-to-Issuer Protocols
- CAS (Security & Certification)
Page 17
EPC Card Standards Implementation Plan
[Timeline figure with milestones 2007, 2008, 2010, 2012, 2015. Labels shown:]
- SCF is the framework for all SEPA cards schemes
- SCF implementation: Only minimum req's elements; All schemes SCF compliant
- Application of Minimum Requirements: Minimum req's available; Promotion by schemes; Implementation
- Application of Recommended Specifications: Recommended specs available; Promotion by schemes; Schemes include support
Page 18
Thank you for your Attention
www.europeanpaymentscouncil.eu