UK hits 10 year Chip and PIN anniversary

True that counterfeit fraud is down, but EMV drove more fraud losses to CNP fraud than ever. Take a look at your losses for CNP FRAUD they are staggering over 10 years. Soon this will be seen in the US as they rollout EMV ... CNP losses had the same pattern in Canada after EMV .... The fraudsters change and evolve tactics ....

By not addressing and securing MOTO or e-Commerce - EMV created a castle with stone walls but a wooden backdoor.  I'm still waiting for someone to create a secure and effective solution for locking down CNP transactions but I suspect the economics are that the fraud is at a level that is at what banks would consider "sustainable" versus investing to secure the environment.

Matt ... VISA announced their API last week for Banks which can go a long way to help in securing cards from CNP if used by the customer diligently via mobile logical lock/unlock .... something I proposed some 7 years back. Banks debit cards/credit cards do not have to be wide open 7/24/365 .... let the customer lock them and unlock them via mobile/web (except for pre-auth debits) .... if the card is logically locked CNP fraud is greatly reduced... the millelial generation is well tuned into mobile and they do want control over all aspects of their spend .... why even allowing the customer to geo-block his card is also possible when on vacation to prevent false positives from the fraud neural networks in delcining ligitiment card purchases... VISA is doing the right thing with it open API concept ....

 (wooden back door ... good one LOL) 

I can't see mobile unlock being a viable solution to this issue - the "always on" world of card transactions for may users (uber, subscription payments, etc) wouldn't make this viable.

Tokenisation has to be the future to sort this one out, once Apple Pay and Android Pay are widely implemented and used on most ecommerce sites there really shouldn't be a reason for the "real" PAN to be out there on the internet at all.  Maybe then the ability to lock your card to F2F or tokenised payments only might prove useful!

Dear Finextra member   ... http://tsys.com/ngenuity-journal/digital-banking-and-retail-commerce-a-whole-new-ball-game-for-fraud-prevention.cfm

Payment providers can look to make their customers a security partner by empowering them to be active participants in the fight against fraud.

The Digital Eagles program run by Barclays is a free service aimed at upskilling the technological abilities of U.K. consumers (particularly older generations). Given around 15 percent of online payment compromise victims globally are aged 55 and over (as per our 2015 CPI Survey), such a service stands to have a positive effect on reducing the susceptibility levels of older consumers to cyber-attacks and fraudsters when transacting online.

Payment providers can also look to equip their customers with technological tools that empower them to directly tackle card fraud, both online and at the point of sale (POS). Advancements in mobile technology have seen a rise in the number of mobile-based card management services available. Such services are designed to enable consumers to lock and unlock their card accounts based on their preferences across a number of parameters – such as purchasing channel, transaction value, merchant type, currency and location.

Whaaat - "almost four in every five pounds of spending at British retailers is made through debit and credit cards."? That's 80% cards. 

https://www.finextra.com/news/fullstory.aspx?newsitemid=27384: "cash ... still accounts for 52% of those made by consumers."

https://www.finextra.com/news/fullstory.aspx?newsitemid=26120: "cash remains the dominant method of payment, with 53% of transactions still made in loose change".

Numbers don't seem to match.

The lock/unlock proposition doesn't work.  2FA should close most cases and is surely better than the infinitely resetable 3DSecure Passphrase approach.

Dear anonymous Finextra member ... I always admire definitive statements, however, I could possibley admire that one more " lock/unlock proposition doesn't work" if you were to post it with your credentials .... afterall VISA just introduced the API last week .... please explain your findings or conclusions ...most interested keeping an open mind .... regards  

I think lock/unlock would be good for some of a certain generation - i.e people like my parents who sometimes buy things online but otherwise would be quite happy having CNP blocked for the rest of the time.  As I mentioned above, it wouldn't be suitable for millenials who use services such as Uber, in app purchases, etc on a regular basis where lock/unlock would just be too painful to use.

It's great functionality if you think you've lost your card or if you're an infrequent user but it's not going to cut it as a mainstream solution.  2FA or tokenisation has to be the way to go.

@FinextraMember:

You do have a valid point. I have several recurring payment commitments e.g. website hosting. Some of them literally happen "in the middle of the night". Lock/Unlock is not practical. And I'm not even a Millennial.

That said, from personal experience, 2FA is not the solution. Ever since our overzealous regulator mandated 2FA for online payments a couple of years ago, CNP transactions have become extremely painful and have started suffering from high failure rates. The problem has become so bad that diehard card lovers - like me - have gone back to cash (Why I Went From Card To COD). Which is ironic because the regulator thought people would feel more comfortable about paying with cards online but 2FA has resulted in the exact opposite outcome.

Not sure how tokenization works in CNP.

Personally, I'm in favor of relaxing security, improving CX, letting business happen smoothly and addressing fraud, if any, through other methods, as I've highlighted in Mitigating Fraud Does Not Pay The Bills.

Gentlemen ... The API if designed/maintained by the card issuer would most likely have or should have an "authorized exception table" for "pre-auth" approved transactions, thereby allowing such exceptions to be customized to ones personal preferences. This is not beyond the scope of a sophisticated well written interface for such a feature as lock/unlock .....time will tell as Banks evaluate the capabilities of the API for their customers.... regards  

Gentlemen ... please read 

https://developer.visa.com/products/vctc

FYI .... BBVA    http://www.paymenteye.com/2015/05/28/bbva-customers-can-now-completely-control-their-cards/

FYI .... lock/unlock serves a competitive differencing for Banks that offer it

Talk to CommBank of Australia .....

https://www.commbank.com.au/about-us/news/media-releases/2014/commbank-launches-temporary-lock-feature-for-credit-cards.html 

On another note and returning to the main topic, wonder if EMV (Chip + Signature) will even see its first anniversary in USA:

"Side note: my European colleagues always point out EMV (chip) cards work “great” in Europe. I don’t care. At all. They suck stateside. A lot." https://t.co/zdVr3UYLUF

In US not many use PIN .... which is not much change security wise ...

http://www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php

Read UK fraud stats since EMV introduced 2004 .... CNP 2014 $656 Million CND double since 2004 

https://www.google.ca/webhp?sourceid=chrome-instant&ion=1&espv=2&es_th=1&ie=UTF-8#q=UK+card+fraud

Pushing responsibility to the consumer isn't practical - consumers will forget whether they've locked or unlocked their payment instrument - and a series of declines would more than likely lead to your Card being religated from Top of the Wallet to second or third choice pretty quickly. In Spain they have been effectively using 2FA as an extra later of security for both customer present and customer not present - and would appear to be quite effective. Perhaps our learned friend might suggest a physical box for our card and a padlock as his next "innovation"...

Matt ... Lock/Unlock is only one part of the API innovation by VISA ( not just my own innovation from a paper I wrote some 7 years back) If our "learned" friend "VISA" thought it useless then they wouldn't of included it as part of their over-all strategy for their "customer focussed API" .... there are many segments to the capability to allow customers to be more engaged with their own security, including using the metadata to restrict purchases, geo-location blocks etc ... take the time to read their Developer site and perhaps you will see the value in "engaging" the customer .... Like I use Verified by VISA all the time, however, I personally will also use the other features including block/unblock ... you need to look at the corporate card fraud that goes on, those cards do not need to be open all the time , just another example of use of the API .... by the way the padlock idea you suggested is a bit naïve given your esteemed background ... let the customer decide what they want ....  our ping pong discussion is not going to make one bit of difference in the end LOL

I feel Iike I'm engaged in a "British Monty Python" sketch ..... LOL 

Matt I suggest u start to read whats going on outside of Europe ... with all due respect .... 

We just launched a new feature on the CommBank app. Read on to learn more about lock and limit, which gives you even more control over your credit card.

We know that security, trust and privacy are of the utmost importance to you. As more and more of us do our banking online and on our mobile, there is an increased need for assurance that our digital banking is safe and secure.

We know how important this is to you, which is why we’re pleased to launch a new, Australian-first addition to our app that empowers our customers to control credit card transactions and security features direct from their smartphone.

LOCK BLOCK LIMIT

Australian customers will now have the ability to control security settings and transactional limits on their credit card, directly from the CommBank app. There are four different lock and limit features, all of which the primary cardholder can customise through the ‘Cards’ tab within the app.

1. 1

Lock in-store international payments

No overseas holidays planned in the near future? For further peace of mind, why not lock in-store international payments. This will block transactions made at a merchant terminal outside of Australia, where the card is physically presented at the terminal at the time of processing the payment. Note: this does not include ATMs.

1. 2

Lock online international payments

Love shopping online but concerned about the risk of international credit card fraud? Now there is a simple way to protect yourself, by locking your card against online international payments. This will block transactions that are processed outside of Australia where the card is not present or the card number is entered manually. This could include online, phone, or mail order transactions and transactions on Australian websites where the merchant processes the transaction overseas.

1. 3

Block ATM cash advances

Never withdraw cash or make transfers from your credit card at an ATM? You can now lock ATM cash advances, which will block all cash withdrawals or transfers using your credit card account at any ATM, both domestically and overseas, giving you added security should your card fall into the wrong hands.

1. 4

Limit your spend per transaction

Having trouble keeping track of your (or your partner’s) credit card spending? Give yourself a head start and set a limit to control how much you spend in one transaction. Once a transaction limit is set, all transactions over this amount will be declined. A transaction limit won’t affect the credit limit or daily withdrawal limit.

The cardholder can also utilise a timer feature, which enables you to remove a lock for a set period of time. So if you decide you really want that pair of shoes from the US, or have booked a shopping trip to Singapore, you can unlock the limits you have set and, at the end of the designated time period, the lock will automatically re-apply without you having to re-set it.

The new self-service features will be accessible via the CommBank app and can be updated to ‘lock’ or ‘allow’ payments in seconds, giving you greater convenience and more control over your credit cards than ever before.

Go to commbank.com.au/commbankapp to watch a ‘How To’ video on the new lock and limit features and learn how you can benefit.

That's fine Fred but it doesn't solve the issue of domestic CNP fraud?

Finextra member .... In the Australian market losses for domestic CNP for 2013 were $86 M Aus and in 2014 they were $99 M Aus .... but the Australian losses for cards used overseas was $125 M Aus for 2013 and $201 M Aus for 2014. So clearly the best payback from a reduction in Fraud losses is geared to the much larger CNP abroad ... source http://www.rba.gov.au/publications/annual-reports/psb/2015/pdf/retail-payments-developments.pdf

 From my understanding Auzzies love the option ... I will advise on the dosmestic CNP todate ... clearly a personal option from that perspective

From the UK stats .... its clear at 7.5p loss per 100 pounds spent  ...doesn't seem like much (cost of doing business) but when the fraud costs are passed on to the cardholder they are going to want more control over their "own" security, Banks that provide this option may be able to gain "card-holder" market share as a competitive differentiator .... now thats worth something !

Card fraud losses as a proportion of the value of purchases has risen slightly from 7.4p in every £100 spent, to 7.5p in 2014. In 2008, this was 12.4p in every £100. Overall, the number of incidents of card fraud rose by 5 per cent to 1.3m in 2014.

Losses on purchases made using a card remotely – those made online, over the phone or by mail order – rose 10% in 2014 to £331.5m. The number of incidents rose 7% from the previous year. Contained within these figures, e-commerce card fraud losses increased from £190.1m in 2013 to £217.4m in 2014 – a 14% rise. For the first time FFA UK has compiled sales figures for remote purchases. In 2014 e-commerce spending in the UK was £148 billion, meaning that for every £100 spent only 9.2p was fraudulent. Losses declined at both UK retailers and UK ATMs, with decreases of 14% to £49.2m and 15% to £27.3m respectivel

Matt Scott - NCR Corporation - London | 17 February, 2016, 08:34 "Pushing responsibility to the consumer isn't practical - consumers will forget whether they've locked or unlocked their payment instrument .....

In all fairness I should declare that I took a good equity position in Visa's IPO a few years back and continue to hold their stock( even after the 4 to 1 split), while at the same time I do not own any NCR stock 

Leading up to the official launch, select financial institutions, technology companies and startups have participated in beta trials of the Visa Developer platform, which has caused many of those to already create their own prototype applications using Visa’s technology. Trial partners include Capital One, CIBC, Emirates NBD, National Australia Bank (NAB), RBC, TD Bank, Scotiabank, TSYS, U.S. Bank and VenueNext.

http://www.pymnts.com/news/payment-methods/2016/visa-opens-up-network-with-visa-developer-launch/

Roman citizens were divided into two classes, Plebeians and Patricians.

"When the Patricians always try to decide whats good for the Plebeians .... eventually the dynamics change " .... we know you like Roman history ...   

http://www.pymnts.com/news/security-and-risk/2016/payment-security-in-the-palm-of-the-cardholders-hand/

From Bankingtech.....Visa is introducing a new service to help Visa issuers empower consumers to monitor and control how, where, and when their Visa credit, debit, and prepaid accounts can be used. It provides real-time visibility and control over their accounts so consumers can take immediate action to protect themselves from security threats and fraud.

http://www.bankingtech.com/434552/visa-api-puts-users-in-charge-of-security/

From Mastercard  ...putting cardholders in control ... of course

https://www.finextra.com/pressarticle/63166/mastercard-expands-controls-and-alerts-for-cardholders 

Putting Cardholders In Control

Since 2007, MasterCard has offered the In Control platform, providing real-time account alerts via SMS or e-mail that help cardholders set spending limits and “turn on” or “turn off” their credit, debit and small business cards at certain merchants or in certain geographies.

Each issuing bank can choose the most appropriate features and benefits for their cardholders. The cardholders can then access In Control either through the bank’s mobile app and website or at a standalone site.

“Consumers who take advantage of security features like transaction monitoring, email alerts and credit freezes could see their stolen information being used for 75 percent longer by fraudsters,” said Al Pascual, senior vice president and head of fraud and security, Javelin Strategy & Research. “These tools will help detect fraud more quickly.”

From Yahoo Finance .... yesteday

http://finance.yahoo.com/news/visa-adds-tools-more-control-110045833.html

https://www.commbank.com.au/blog/make-the-most-of-commbank-apps-latest-credit-card-feature-lock-block-and-limit.html

I should also point out that since the roll-out of EMV in Canada the CNP fraud numbers have increased 180% ... from $128 M in 2008 to $360 M in 2014 latest figures.

http://www.cba.ca/contents/files/statistics/stat_creditcardfraud_en.pdf

From CommBank    https://www.commbank.com.au/blog/why-australians-want-more-control-over-their-credit-card-spending-and-security.html?ei=sco_c2_al

Why Australians want more control over credit card spending and security

We give you the inside track on attitudes to credit card spending and security, to help you make the most of Lock, Block and Limit.

To help you take advantage of Lock, Block and Limit, we spoke to 1,000 Australians about their attitudes to credit card spending and security.

Whether it’s more control over everyday spending, instant access to security settings or simply the ability to block certain transactions, it’s clear from our research that Australians want more control over their credit card.

Some of the key insights include:

• Overall, 80% of Australians would like more control over the security of their credit card.
• 75% say they would feel more secure about using their credit card if they could block transactions processed outside of Australia while they’re not overseas.
• When asked about managing everyday spending, 58% of Australians said they would find it useful to be able to set a transaction limit on their credit card.
• On cash advances, 66% say they never withdraw cash using their credit card, and 70% would feel more secure if they could block ATM cash advances completely.

It’s clear then that while Australians like using their credit cards, there’s a need to provide more access to card security and spending management tools.

Using Lock, Block and Limit

As part of our commitment to help improve and enhance your financial wellbeing, we’ve launched Lock, Block and Limit.

Lock, Block and Limit gives you a safer way to pay with features like the ability to instantly lock your credit card from overseas purchases, block ATM cash advances and set your own spending limits.

See how Lock, Block and Limit can give you unprecedented control over your credit card security in our handy how-to video.

Just posted today from Digitalcheck.com .... 

http://www.digitalcheck.com/digital-check-blog/lock-and-unlock-your-credit-cards-a-great-idea-waiting-to-take-off

Every so often, an idea comes along at just the right time to solve a big problem in the payments business, and makes you wonder, "Wow, how come nobody thought of that before?" With people's credit and debit card numbers getting stolen left and right these days, we may be seeing just that with new apps that "turn off" your cards when not in use.

The idea behind the new wave of apps is the total opposite of what we're used to hearing about payments security. After every major data breach, stories warn of hit-and-miss protection at the point of sale, and we're reminded that banks and retailers need to run a tighter ship in the IT department if our data is ever going to be safe. In fact, American businesses are about to spend several billion dollars replacing every credit card and card reader in the country with new ones that use EMV, the chip-based card system prevalent in Europe.

The problem with that approach is, it means the individual consumer is largely a bystander in the card-security fight, unable to affect it much, but certainly at risk of suffering from the outcome. Beyond exercising some basic common sense about when and where to use your card, you are essentially just along for the ride; pay for anything from groceries to insurance, and there is literally nothing you can do to prevent the company on the receiving end from being hacked, infiltrated, or otherwise compromised, and no way of telling if that's likely.

But this approach is more like, "Go ahead and steal my credit card number. In fact, it's probably going to be stolen anyway, if it hasn't been already. I'll just make sure that when you do steal it, you won’t be able to use it." That ability to seize back some amount of control in this fight is quite appealing.

I resolved to try it out for myself shortly after hearing about it, so I looked some apps up on Google Play, settling on Fiserv's CardValet, which had been launched quietly in a January press release. Surprisingly, only 100 people had downloaded it so far, albeit to mostly positive reviews. The documentation revealed even more ambitious features beyond merely "parking" your card, such as notifications based on location or the type of merchant, and the ability to set dollar limits. So, what was the terrible catch?

Unfortunately, there was a major one: CardValet is not a universal app; it only works with debit cards for now, and only with those from selected banks that have signed up for the service. A Fiserv spokesperson confirmed that the app will eventually be expanded to include credit cards, though at launch, the focus was on debit cards in order to reach the maximum number of potential customers.

That part is actually a smart move, because in addition to representing a higher proportion of transactions (38% of all payments in the U.S. versus 21% for credit), debit cards also tend to suffer from inferior protection against fraud, opening you to potentially limitless liability if not reported quickly. What's more, in the meantime, you are not just disputing a charge on a bill – your money is actually gone. So as the more urgent of the two problems for consumers, attacking debit first in a consumer app makes sense.

Now, with the shift to EMV (chip-based "smart" cards) already under way, you might wonder: What's the use of this kind of app? Aren't the new cards going to protect me already? The answer is only partly; EMV does a great job of stopping card fraud at the point of sale using cloned cards, but it’s no good at all against online fraud. In fact, in countries where they've had time to study the effect of EMV, one very consistent pattern is that shortly after the new technology's introduction, most card fraud migrates online or overseas.

In other words, the criminals will still steal your card data one way or another, and then instead of cloning a physical card, they'll use it online, where EMV is not enforced. Parking your card would be one way to close that wide-open backdoor.

But, back to the one major problem: Without some cooperation and standardization, a card-parking app is going to be a tough sell. In my attempt to try CardValet, for example, if my bank hadn't signed up with the service, I was out of luck. The way that works isn't Fiserv's fault – no bank is going to let an app go in and start manipulating account information without some ironclad agreements and protections in place behind the scenes, and frankly, that's the way it should be.

What it means, though, is that my ideal scenario – being able to turn ALL of my cards on or off from one place, rather than relying on an army of competing apps for each card – seems unlikely in the near future. I'd wager most of us would want the same thing; and since most Americans also have more than one card, that could present a major pain point in the coming years. Perhaps one day, a single app, or a combination of two or three, will build enough momentum to reach the critical mass where they become convenient and near-universal. Until then, however long it takes – 18 months? Years? Decades? – credit-card parking may remain a great technology in waiting.

By the way the Monty Python Sketch I was thinking of during these back and forth dialogues ... Was "The Dead Parrot" .... a true classic of differing opinions LOL

https://www.youtube.com/watch?v=4vuW6tQ0218