Community

Indeed - and the worrying thing for me, is why there was no-one in the audience that knew enough about the payments industry to explain to him and to the audience that he did not know enough about the issues to make such statements; and maybe even moreso, that he was talking complete twaddle. Either that or the reporting of what he said has been misheard, mis-reported and/or boiled down to something completely different.

Which is it?

Maybe someone, shoudl have simpy asked him whether he could explain how NFC could run securely without EMV; and did he realise that what he was saying was the same as: "Railroad tracks are so oldfashioned and restraining; trains should just take the routes that get the passenger there in the quickest way - i.e. along the roads or rivers or through mountains - whichever would help the customer in the bet way.

It sounds very exciting....... and that is what we have and need entrepreneours like this for - to keep us entertained.

He would have been better placed to explain that EMV was fantastic as it would:

a) give businesses the inate ability to build really valuable solution now like the rest oft he world

b) Allow merchants to speed up the customer journey

c) Reduce fraud and processing costs that will feed into teh customer massively

d) Allow the NFC solutions to be implemented faster and more securely

e) Present the platform for exponential growth in innovation and idea.

That woudl have been exciting.......

The cost of re-issue will be less than a tenth of that per card. How they can justify that size of loss based upon a reissue alone is not conceivable.

Accordingly, this figure MUST be calculated to include some of the 'consequential loss' - i.e. that the compromised cards were then used. Accordingly the banks will have to show a loss on their cards (as well as the costs to them of re-issue).

If I were in Target (and/or the Lawyers in the the defence team) then I would have plenty of defence arguments to tender:

a) What did the banks do to mitigate the losses.

b) What did their systems look for in the unusual transactional activity.

c) As the cards were compromised with limited security details, why did the banks not check the security details and prevent the transactions (as is done in most other places in the world).

d) As a preventative solution, why had the banks not implemented greater security with EMV (and/ or EMV with CHIP and PIN) as this would have significantly (or completely) removed the possibility that these cards could have been of use. The US issuers involved are far behind the global 'curve' on upgrading to the latest technology that was introduced across the rest of the world 15 - 10 years ago.

Someone introduce me to the consortium of banks or their lawyers to help build their case against Target - or better still to the Target people (and/or their indemnity insurers), as they probably have the much better and more fun case to present to the courts. 

In all cases and scenarios, this will be a superb case to watch; and reveals how poor the infrastructure in the USA is, and how far behind both the infrastructure and the thinking actually is - on all sides.

Absolutely no rocket-science here! Around the rest of the world, and especially in Europe, we have been seeing the fraud problem migrate to the USA over the last 3-4 years. Indeed, the gap will be much greater this year and next year:

a) Prior to the implementation and roll-out of EMV

b) Whilst teh issuers start to understand the parameters and settings and rules that will best help them.

c) Whilst the POS equipment is adapted / adopted

d) Because there is still an ongoing battle on how to properly inplement EMV - i.e. with SIGNATURE or PIN - if things are progressed with PIN - things will stabilise much quicker, if with SIGNATURE, then the gap will close a little and then widen as crooks understand the nuances on how to defeat the process. And equally, many will herald EMV as a failure, when the failure will only be in the thinking behind the implementation.

We are already seeing and 'picking-up the pieces' with the advice that we give to help correct poor assumptions and processes and parameters that help the savvy fraudster.  

I am not a vendor with a technology solution to sell; so whilst I agree that the sentiment expressed by the PSR MD is laudable, it is no less valuable than othe 'broad' and pointless statements such as "we should have fewer wars" or "children should not go hungry". What exactly does she mean and how should this be effected? There are no "pipes and wires" like she had and saw in her last role as a regulator, and one has to bear in mind that the infrastructure is safer, more secure, trusted and used as the backbone for £billions of payments every day with complete confidence across the world. Whatever is done needs to take full cognisance of the needs of other legislation and standards that is more critical and must be high on the agenda like AML, PoTA, DTR, Data Protection, PCI DSS, encryption etc. Let's have a little more clarity, some clear visibility on what is needed and some plans rather than these open-ended ideals that nobody can do anything with.

Maybe..... they should also have introduced a dynamic tokenized card number at the same time - given that they will already have had to implement the DCVC technology - then the leap to the second feature would not have been so great.

@Bjorn - I am REALLY struggling to identify how Mandatory fraud reporting is a way that even €1 can be saved. And to whom should fraud be mandated to be reported to? 

If reporting is to the Police, then nothing gets done with the data, and no one knows what to do with it and it get leaked, lost or both. It certainly does not get investigated or prosecuted - with less than 1% going through the process of what is reported today. I woudl support 100% mandatory reporting, were it mandated that all fraud reported shoudl be investigated and prosecuted!

Then the question would be: what woudl you mandate should be reported? Actual losses, attempted frauds, suspected frauds, frauds without evidence etc? The bigger categories of fraud are the latter ones. BY FAR. 

No - it would be VERY COSTLY for all of us, extremely bureaucratic and moreover rather pointles - if not accompanied by equal action-based requirements.

I have absolutely no idea what you mean by your last statement/sentence.

@Ketharaman - but it is certainly not as simple as a binary choice, because rarely are the processes vested in one organisation. For instance in making a payment using a card, there can be 5-10 intermediaries/parties that are involved in the process (including even Apple) and several of them involved in the risk ad the assignment of the risk/losses/ exposures - with a mirad of competitors in the pot and across multiple jurisdictions too. Accordingly, such decisions involving 'frictions rates' and revenue balancing are only post-event academic considerations. Markets are driven by consumer / commercial needs, pricing to make money (or not make net - losses) and then to let someone else address the problems with the holes that are left when the fraudsters attack the 'processes'.

Whlst the conversation started in the UK - you have moved this to the Indian payments model - which sounds very confusing and filled with risk for the Indian merchant and cardholder in respect of knowing what to do, and understanding their respective liabilities. I think thatthe liabilities and risks will be associated with the CHIP/PIN infrastructure with allowable fallback with associated liability where this is not possible. Chip/Pin AND signature is just plain stupid. 

We need to be very careful about articles like this, and comments like this too. 

The issue here is about REPORTING not dealing with (investigating, prosecuting and deterring) the crime. 

The real question here is, of the crimes that are reported to the authorities (i.e. the police), how many are investigated and how many are prosecuted and how many organised gangs identified and stopped and how many opportunists deterred. We can assume that the answer to these will be "almost ZERO %" on all counts.

I have sat with senior COL police people over many years (mainly in the 1990s) - who have refused to accept reports of fraud from banks, because they have no resources to investigate and prosecute. Accordingly £100 millions's of card fraud ARE reported and not progressed, and £100 million's of insurance fraud go the same way without even being reported - except for the MAJOR, MAJOR cases that are accepted by the police from the Insurance fraud bureau.

Try and get Leppard to accet such cases is nigh on impossible as only the top - fraction of 1% are progressed. And do not even start talking about or reporting to the police the Inland Revenue, Local Authority, NHS, Benefits etc. fraud because they won't look there either.

In the UK, we are held up globally (mainly the banks) for the exceptional fraud collation and reporting on card and banking fraud and insurance fraud - and we were leading with the statistical collation of fraud as UKPLC. This was all done 20 years ago as a fall-out from the Levi Home Office reporting - and 'wrapped up nicely' except for the police investigation, and prosecution bit, which is still absent.

So it is easy, but also abhorrent that a police officer shoudl stand up and throw stones at an industry that has been doing its bit for a long time. The industry also funds the fraud reporting centre that HE RUNS as part of the COL police force - so it is actually a) Under his control and b) HIS issue too!

BUT.... lets look at what we are talking about here..... We are asked to believe that banks are "covering up Cybercrime". What is this cybercrime? As far as the banks are involved, the banks lose money from criminals who are attacking the banks to obtain money through the abuse of the systems and processes. This is always how it has happenned and the banks are good at losing money in this way. Just because a new term started to be used 3-4 years ago - does not change the fraud position:

- Banks are attacked and lose money

- Some of it will always get misrecorded as bad-debt when the crooks have managed to con the banks that it was thus. The agreement with all parties has always been that this will not be considrered as fraud (Cybercrime) and will not get reported. The police adamantly refuse to accept such reports too - believeing that the banks have brought this upon themselves by lending money in the first place to these cybercriminals (Ironic eh?).

- Cybercrime / fraud losses are experienced, reported and not investigated.

It is OK to moan at the banks these days - for everything, and often they are to blame for a lot of their mistakes, but in this case we must be careful to spot that here we have a big policeman throwing stones from a very big greenhouse. 

Perhaps we should start asking him a few big questions and stop this outrageous reporting. It is probably too that he was taken out of context in this reporting, as I am afraif that I cannot believe that a responsible policeman would be so stupid as to criticise his partner banks, his funding bodies and people who are patiently waiting for him to do his job rather than trying to do theirs.

Very Interesting KS. I am so glad that you have put another view; and it was importantt that you declared your lack of expertise with this.

- First credit cards were in the USA - but, I woudl add that it was the USA companies who also invented CHIP and PIN / EMV and imposed it upon the ROW

- You have not seen any clear evidence about fraud % being higher in the USA. You need to look harder - it is rather more extreme than you may think. You will not have seen any evidence to the contrary either.

- I suggest that you read all the details above on Stephanie's statement. It may be true in the USA - to a degree!!!! - but the whole world is not on-line.

- A key issue as others have highlighted about is the adoption of a key global strategy to get rid of the magnetic stripes on the cards, which can only be done when all no longer need them. This will remove all sorts of serious problems and costs. And risks, and fraud.

- You really need to look at some figures, losses, migration numbers etc. and see how CHIP/PIN has eradicated many problems.

- All the latest card compromises will also be rendered useless in a CHIP & PIN environment.

From the above, you will gather that there are big issues in every one of your statements above, that most people have already answered or have the data that you clearly do not have - to be able to understand these issues better.

Indeed - I agree totally with the previous TWO comments. CHIP and PIN is the de-facto worlds standard for everywhere except the USA - there are no problems with it, it has been implemented for 20+ years and the following has happened:

1. ALL the fraud is now migrated or migrating to the USA. 

2. It is harder for USA citizens to travel cross-boarder (even to Mexico and Canada) - and they are left frustrated in Munich, Paris, London or ..... well wherever!

3. The equipment is the cheapest it has ever been for anyone else.

4. Fraud globally has migrated

5. The cost of card processing remains high in the USA with a requirement for merchants to retain signatures and recover them when needed

The excuses are endless on why this has not happened in the USA. And more and more creative, with less and less substance. This latest one about PIN Management Systems is just plain silly.

The one about no business case is equally laughable - as there has been a business case everywhere else. No-one has actually ever produced one though - because the US industry has no central body to effect such discussions through.

Equally blaming Durbin or other laws is just ignorance.

- AND the worst of all ...... "because the USA has a better telecoms/payments/banking system" is naiive - as each of these is now increasingly behind the ROW. 

YES - it is "GAME OVER" - sorry Visa and Stephanie Eriksen, you will have to find another way around the routing issues and competition in these areas and save the USA issuers and acquirers and Merchants $100millions in the meantime in fraud and processing costs.