ECB publishes fifth report on card fraud

Published 27.09.2018

This fifth oversight report on card fraud analyses developments in fraud related to card payment schemes (CPSs) in the Single Euro Payments Area (SEPA) and covers almost the entire card market. It provides an overview of developments in card payment fraud between 2012 and 2016.

The total value of fraudulent transactions conducted using cards issued within SEPA and acquired worldwide amounted to €1.8 billion in 2016 – a decrease of 0.4% compared with 2015. In relative terms, i.e. as a share of the total value of transactions, fraud dropped by 0.001 percentage point to 0.041% in 2016, down from 0.042% in 2015. Compared, again in relative terms, with the levels of fraud observed in 2012, fraud increased by 0.003 percentage points in 2016. Although there was an upward trend in card fraud between 2012 and 2015, it seems the trend is changing, given that fraud went down in 2016.

With respect to the composition of card fraud in 2016, 73% of the value of card fraud resulted from card-not-present (CNP) payments, i.e. payments via the internet, post or telephone, 19% from transactions at point-of-sale (POS) terminals and 8% from transactions at automated teller machines (ATMs).

With €1.32 billion in fraud losses in 2016, CNP fraud was not only the largest category of fraud in absolute value but, unlike ATM and POS fraud, it was also the only one to record an increase (of 2.1%) compared with the previous year. Data on regular, i.e. non-fraudulent, CNP transactions, which are only partially available, suggest that there was also considerable growth in CNP transactions on the whole. Based on this partial information, it can be concluded that CNP fraud grew at a lower rate than CNP transactions.

In an interview, market representatives from a European security forum confirmed that there is an ongoing shift of fraud from the card-present to the card-not-present environment. However, the market has started to develop a plethora of fraud prevention and detection security tools with the objective of bringing online fraud rates down (e.g. implementation of 3D Secure, risk-based analysis, tokenization). In addition, the European regulators have contributed to fighting online fraud with regulatory tools – the 2013 Recommendations for the security of internet payments and the 2014 Guidelines on the security of internet payments. Recently, they also strengthened the security requirements for electronic payments with the revision of the Payment Services Directive (PSD2) in 2015 and specified further such requirements in the Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication in 2017.

The largest drop in the level of fraud concerned card fraud committed at ATMs, with 12.4% less fraud in 2016 compared with 2015, while fraud committed at POS terminals went down by 3.0%. The lower level of ATM fraud was mainly due to a substantial decrease in counterfeit card fraud and fraud using lost and stolen cards following the migration of cards and terminals to EMV. Fraud using lost and stolen cards accounted for 47% of the value of fraud at ATMs and POS terminals, while counterfeit card fraud made up 43%. As observed in previous years, counterfeit card fraud was predominant for transactions acquired in countries outside SEPA. This trend continued in 2016, although that geographical category has seen a decrease in counterfeit card fraud compared with 2015.

For delayed debit cards and credit cards, CNP fraud was the most common type of fraud in 2016, accounting for 76% of the total value, followed by fraud occurring at POS terminals (20%) and ATMs (4%). For debit cards, CNP fraud was also the most common type, making up 71% of the total fraud value for these cards, followed by POS and ATM fraud, which accounted for 19% and 10% respectively.

From a geographical perspective, domestic transactions accounted for 90% of all transactions, but only 35% of fraudulent transactions. Cross-border transactions within SEPA made up 8% of all transactions, but 43% of fraudulent transactions. Finally, although only 2% of all transactions were acquired outside SEPA, they accounted for 22% of all fraud. The euro area experienced slightly lower fraud levels from an issuing and acquiring perspective than SEPA as a whole.

Compared with SEPA as a whole, fraudsters in the euro area focused more on ATM and POS fraud (fraud committed at ATMs and POS terminals accounted for 30% of the total value of fraud in the euro area, compared with 27% in SEPA). The difference can be attributed mainly to the influence of the United Kingdom, which had a relatively high share of CNP fraud and, with its total level of fraud, accounted for 40% of total fraud losses on cards issued within SEPA.

This report also covers data on transactions conducted using cards issued outside SEPA, but acquired inside SEPA. These data show that there are higher fraud losses on non-SEPA issued cards used inside SEPA than there are on SEPA issued cards used outside SEPA. This also holds true in relative terms in relation to the value of transactions: 0.57% of the value of transactions acquired inside SEPA using non-SEPA issued cards was fraudulent, compared with 0.44% of the value of transactions acquired outside SEPA using cards issued inside SEPA. The finding suggests that European cardholders also benefit from high European security standards for transactions conducted outside SEPA.

For individual European Union (EU) Member States, large variations with respect to card usage were identified, as in the previous report: the number of cards per inhabitant ranged from 0.8 to 3.9, the number of payments made per year per inhabitant ranged from 26 to 329, while the corresponding transaction values ranged between €1,800 and more than €17,000 per year and inhabitant. Fraud shares, i.e. the fraud-related share of the transaction value or volume, ranged from 0.005% for cards issued in Poland to 0.073% for cards issued in Denmark in terms of value, and from 0.002% in Poland to 0.043% for cards issued in France in terms of volume. There were also big differences with respect to the transaction channels used by fraudsters in the EU. Broken down by country of card issue, fraud committed at ATMs ranged from 0% to 18% of the total, the share of CNP fraud ranged from 41% to 84%, and the share of POS fraud ranged from 13% to 55%. Broken down by country of acquirer, these variations were even larger; ATM fraud ranged from 0% to 26%, CNP fraud from 33% to 93% and POS fraud from 7% to 61%.

Most of the countries with significant card markets (defined as countries with high volumes and values of card transactions per inhabitant) experienced high rates of fraud. CNP fraud was typically the most common type of fraud involving cards issued in these markets. By contrast, countries with limited card usage experienced relatively low levels of fraud.

In summary, in 2016 the total value of card fraud decreased. Fraud involving cards issued inside SEPA increased for CNP transactions and decreased across the other transaction channels. In 2016 CNP fraud accounted for 73% of total fraud losses on cards issued inside SEPA, compared with 71% in 2015. Furthermore, and unlike 2015, fraud at ATMs and POS terminals decreased in 2016 following the near completion of migration to the EMV standard within SEPA. The drop in card-present fraud could be a result not only of this migration within SEPA but also of an increasingly high adoption rate of EMV for terminals outside Europe. A wider usage of geo-blocking, as well as increased physical security measures at terminals (e.g. lids to protect PIN entry, skimming device detectors, etc.) and the deactivation of the option to fall back to magnetic stripe (or “magstripe”) usage for cards might also be among the factors that contributed to this reduction. While ATM and POS fraud diminished substantially (and at a high pace between 2012 and 2016) as more countries outside SEPA migrated to EMV, CNP fraud saw a slight increase in 2016.

The application of the Eurosystem’s “Guide for the assessment of card payment schemes against the oversight standards” (February 2015) could also have contributed to making card payment schemes more secure. In particular, the application of the Recommendations for the security of internet payments, which are incorporated into the above-mentioned guide, may have helped limit the increase of online fraud.

