PRES EPCXXX_07 www.europeanpaymentscouncil.eu EPC Card Fraud Prevention & Security Activities Cédric Sarazin – Chairman Card Fraud Prevention TF 19.

PRES EPCXXX_07
www.europeanpaymentscouncil.eu
EPC
Card Fraud Prevention
& Security Activities
Cédric Sarazin – Chairman Card Fraud Prevention TF
19. December 2007, FPEG Meeting - Brussels
EPC and a SEPA for cards
The timelines
[Figure: timeline from 2002 to 2010 showing the EPC Cards Working Group (Chair: Claude Brun), the EPC SEPA Card Framework (SCF), the Card Fraud Prevention TF (Chair: Cédric Sarazin) and the Cards Standardisation TF (Chair: Peter Blasche), with milestones "Minimum requirements" and "Recommended specifications".]
Page 2
SEPA Cards Framework (SCF)
• The SCF was approved by the EPC Plenary on 8 March 2006.
• The SCF spells out high level principles and rules which, when implemented by banks, schemes, and other stakeholders, will enable European customers to use general purpose cards to make payments and cash withdrawals in euro throughout the SEPA area with the same ease and convenience as they do in their home country. There should be no differences whether they use their card(s) in their home country or somewhere else within SEPA.
• The SCF creates the potential for any SCF terminal to accept any SCF card with a SEPA based acquirer of the merchant's choice.
• The SCF only covers euro card payments and cash withdrawals.
• Provides a single framework for banks, for schemes and for processors/infrastructures to become SEPA compliant (self-assessment procedure with EPC monitoring).
Page 3
Highlights from the SCF
• Acquirers will offer merchants the option to acquire SCF compliant card transactions from one or more SCF compliant schemes from 1 January 2008 onwards.
• As fraud prevention is one of the priorities, the SCF indicates that the EMV chip will be the supporting technology for cards as well as the support of PIN on the acquiring side.
• The SCF sets out the high level principles to foster the competition between providers of technical infrastructure and payment services and to remove legal and technical barriers. SCF compliant card schemes will separate governance from processing functions.
• The SCF contains both a number of short term objectives and a longer term vision on the standardisation of the elements of the payment chain.
• The European Central Bank recently commented on the proposed migration towards a SEPA for cards and acknowledged the importance of the SCF.
Page 4
Impacts of EPC activities on the different elements of card payment schemes
[Figure: diagram mapping EPC activities onto the elements of a card payment scheme. Labels: SEPA Cards Framework (separation of the governance from processing functions & EMV); Card Fraud Prevention TF; Cards Standardisation TF; Clearing & Settlement; Authorisation; Switching; Product Definition & Rules; Technical Standards; Security & Risk Management; Interlinking; Certification; (Gateways to other systems).]
Page 5
Card Fraud Prevention TF
Mission, Work & Resolutions
The mission of the Card Fraud Prevention Task Force is to promote card fraud prevention tools within the banking industry and to develop tactical initiatives to fight against card fraud across SEPA.
To complete its mission the Task Force will follow a continuous process of:
- Identification of issues (sharing of information about new threats)
- Prediction of trends (sharing and development of statistics)
- Promotion of prevention tools (Chip/PIN, databases, authentication methods…)
- Development of innovative tactical initiatives
- Commitment of industry (EPC resolutions and recommendations)
• 1 two-day Forum "Fighting Card Fraud across Europe" (Paris 8-9 October 2003)
• 1 Resolution on "Preventing and Fighting Card Fraud across Europe" (Approved by the Plenary in December 2003)
• 1 Resolution "Preventing Card Fraud in the New SEPA Environment" (Approved by the Plenary in March 2007)
Page 6
Card Fraud Trends in SEPA
• In most SEPA countries:
– Counterfeit fraud
– Magstripe skimming compromise cases (& subsequent fraud outside of chip countries)
– Card Not Present fraud (e-commerce notably)
– Fraudsters targeting weak point / sector / environment
– See examples in a few countries (next slides)
Page 7
Evolution of Fraud on CB Cards
[Figure: stacked bar chart of fraud on CB cards in million €, for 2004, 2005, 2006 and 2007*, each year shown for "CB System Worldwide" and "out of which EU". Fraud categories: Lost/Stolen, "Yescard", MS Skimming, MOTO. The chart also reports a "Fraud Rate CB" and a "Fraud Rate-Cross system" per year; the individual bar values are not recoverable from the extracted text.]
Most important evolutions:
• Dynamic Data Authentication
• Fight against skimming
• Securing e-commerce
Page 8
Initial impact of chip and PIN on fraud on UK cards
Benefits of EMV starting to be realised
[Figure: chart of fraud losses in £ millions per year, 1995 to 2006. Series: UK ATM; Cash withdrawals at UK counters; UK MOTO & Internet; UK High Street purchases; International.]
• Chip and PIN successfully combating targeted fraud types
• In 24 months: losses at UK high street retailers down £147mn
Source: APACS Statistics
Page 9
Fraud to sales turnover at UK retail
[Figure: chart of the fraud to sales ratio in %, per year, 1995 to 2006. Series: Credit, Debit, Charge, Total.]
• Fraud to sales levels at UK high street retailers at their lowest for six years.
• For all card products combined the rate is below 10 basis points
Source: APACS Statistics
Page 10
Card Fraud Prevention TF
Current Priorities
• Preventing the use of counterfeit cards at SEPA terminals
– Completing EMV migration
– Monitoring EMV migration
=> Currently 56% of cards, 59% of POS, 72% of ATMs in EU
– Eliminating magstripe fallback at EMV terminals
• Combating Card Not Present (CNP) fraud
– E-commerce environment: CVX2 full implementation
– MO/TO environment: CVX2
– E-commerce environment: 3D-Secure implementation
• Collecting aggregated statistics on card fraud in SEPA
• … and also:
– Work on card anti-skimming measures
– Fraud in specific environments (such as airlines)
– Work on cardholder authentication methods in e-commerce
Page 11
Examples of Anti-Fishing/
Anti-Skimming (AFAS) Devices
Page 12
Securing e-commerce
• CVX2 mandatory in all e-commerce transactions (EPC Resolution: by 1st January 2008)
• 3D Secure: liability shift to card issuers if the merchant is 3D-Secure equipped (EPC Resolution: by 1st January 2009)
• Strong authentication of cardholders to be promoted, notably using EMV chip.
Page 13
Strong Authentication using Chip:
Some pilots or tests
Page 14
SEPA Card Standardisation Activities, including Security Requirements
EPC as Project Coordinator
[Figure: diagram of the actors (Cardholder, Acceptor, PSP, PSP, Acquirer, Issuer) and the standardisation work covering each link between them:]
• ISO8583 / ISO20022, EPC Expert Group (Harmonised Issuer to Acquirer Exchanges at SEPA Level)
• PCI Standards + CAS Project (Harmonised Security Requirements and Evaluations at SEPA Level)
• EPAS Consortium (Harmonised Acquirer to Terminal Exchanges at SEPA Level)
• ERIDANE Project (Harmonised Terminal Architecture at SEPA Level)
• EMV Standard + CIR Working Group (Harmonised EMV Implementations at SEPA Level)
Page 15
CIR: Common Implementation Requirements – EPAS: Electronic Protocols Application Software - PCI: Payment Card Industry – CAS: Common Approval Scheme
EPC Standards for Card Terminals
[Figure: architecture diagram of the standards around a card terminal. Labels: Issuer; Acquirer-to-Issuer Protocols; Acquirer; Terminal Manager; EPAS (Transaction: Acquirer Protocol); EPAS (Terminal Management); CAS (Security & Certification); Terminal: CIR / TWG (SEPA-FAST); ERIDANE (Application, Terminal Architecture); EPAS Retailer Protocol; Electronic Cash Register.]
Page 16
EPC Card Standards Implementation Plan
[Figure: implementation timeline with the years 2007, 2008, 2010, 2012 and 2015 marked. Tracks and labels: SCF implementation (SCF is the framework for all SEPA cards schemes; All schemes SCF compliant); Application of Minimum Requirements (Minimum req's available; Promotion by schemes; Only minimum req's elements); Application of Recommended Specifications (Recommended specs available; Promotion by schemes; Schemes include support; Implementation).]
Page 17
Thank you for your Attention
www.europeanpaymentscouncil.eu
Page 18