According to the most recent Nilsen Report, in 2014 card fraud losses reached $16.31 Billion globally, up 19% over 2013. However, to put this into a better perspective, the average losses to fraudsters per $100 spent went up from $5.5c in 2013 to $5.7c, which in turn is up from $4.5c just 5 years ago.
This may not sound like a lot, but when the total payments volume driven by the major card brands was $23.78 TRILLION, the loss of tiny fractions of a percent per transactions translates to billions; $16.31 billion to be precise.
The biggest victim? That’s right, the US, who accounted for 48.2% of the gross fraud losses, but only generated 21.4% of the global purchase volume, giving them a loss ratio more than double that of the rest of the world (at $12.75 lost / $100 spent).
The causative factors are numerous, some of which are being addressed, some of which will only get worse BECAUSE the first ones are addressed;
- By far the biggest cause is the lack of EMV adoption in the US, where card counterfeiting accounted for almost 1/4 of all losses globally ($23.9%). This is particularly frustrating for regions where they have full EMV implementations, but fraudsters can just put transactions through US-based mag stripe terminals
- The US’s over reliance on predictive analysis anti-fraud techniques, which given its ‘back-office’ nature, is too little, too late. Besides, it’s only the larger merchants who can afford such measures
- US merchants have not embraced 3-D Secure to protect e-commerce transactions as they “care less about merchandise lost than they do shopping cart abandonment”. And it’s not just the loss of a single transaction, as an angry customer is unlikely to hurry back
Not that the rest of the world have anything to boast about, and seeing as the payment card industry will only expand over the next 5 years – which in itself quite ridiculous give the numerous alternatives-, the criminal gangs can be expected to double and re-double their efforts until unsecurable legacy transaction processes are finally replaced.
The only highlight in the entire Nilsen report – if you can call a loss a highlight – is that PIN-based ATM debit transactions were the lowest risk of all transaction types at only $1.3c lost / $100 spent. Which begs the question; Why on earth is the US implementing their EMV rollout with ‘chip & choice’, not ‘chip & PIN’? Why rely on just a more-secure-than-mag-stripe technology when 2-factor authentication is rapdily become a industry standard AND regulation?
The number of solutions to the challenges that are available today make the continued losses all the more frustrating; from mobile devices capable of multi-factor AND multi-mode (multiple instances of a factor) authentication, ‘enhanced positive data’ available from contextualised big data, to identity management techniques capable of adding reputational decisions to a given transaction, are all established products.
Seeing as over 2/3 of all Americans have a smartphone, even the simple and ubiquitous PIN has the capability of vastly reducing the continued fraud associated with magnetic stripe transactions. Integrate an out-of-band PIN authentication within existing acquirer transaction processes and the card data becomes almost meaningless.
Payment innovation will eventually make the current vulnerabilities a thing of the past, but why wait?