Situation Report - Payment Card Fraud 2012
Europol Public Information
Payment Card Fraud
in the European Union
Perspective of Law Enforcement Agencies
This Europol product analyses and evaluates the threat posed by types of serious
or organised crime. The assessment of threats is based on defined indicators.
Table of Contents
1. KEY JUDGMENTS
2. INTRODUCTION
2.1. Background
2.2. Aims and objectives
3. COMBATING PAYMENT CARD FRAUD IN THE EUROPEAN UNION
4. CARD-PRESENT (CP) FRAUD
4.1. Introduction
4.2. Investigations into card-present (CP) fraud
5. CARD-NOT-PRESENT (CNP) FRAUD
6. FINAL REMARKS
Europol would like to thank its cooperation partners for their support in producing this report:
EU law enforcement authorities; American Express; MasterCard; Visa Europe; EAST (European ATM Security Team); ECB (European Central Bank); EPC (European Payments Council).
1. KEY JUDGMENTS
• The criminal market of payment card fraud (PCF) within the European Union (EU) is dominated by well-structured and globally active organised crime groups (OCGs). Criminal networks have managed to affect non-cash payments in the EU to the extent that protection measures are very expensive and need to be implemented on a global level. Consequently, the use of payment cards can be inconvenient and no longer fully secure for EU cardholders.
• Payment card fraud is a low risk and highly profitable criminal activity which brings organised crime groups originating from the EU a yearly income of around 1.5 billion euros. These criminal assets can be invested in further developing criminal techniques or can be used to finance other criminal activities or start legal businesses.
• The EU is increasingly exposed to the threat of illegal transactions undertaken overseas and should develop more efficient solutions to help law enforcement authorities (LEAs) combat the fraud.
Europol, gathering intelligence on fraudulent overseas transactions affecting the EU, as requested by competent authorities of Member States (MS), is not entitled to cooperate with non-EU police forces or request specific measures to help combat and prevent fraud against the EU. A special mandate for Europol is recommended to dismantle globally-active OCGs and protect the EU against further fraud committed through non-cash means of payment.
• The majority of illegal face-to-face card transactions (skimming-related) affecting the European Union take place overseas, mainly in the United States. The EU should take urgent measures to promote the EMV standard as a global solution against the counterfeiting of payment cards. As full EMV implementation will take time, a temporary solution could be applied, namely the implementation of GeoBlocking – blocking overseas transactions using EU-issued cards unless they have been activated in advance.
• Common European legal solutions for the security of on-line retail payments (internet, mobile), as well as the mandatory reporting of financial data breaches, should be considered to prevent fraud affecting EU citizens. Preventing and combating card-not-present (CNP) fraud requires specific regulations on the customer’s identification (3D secure protocol) and security of the on-line payment environment. The role of the European Central Bank and Europol is crucial to present the problems and propose specific solutions.
2. INTRODUCTION
2.1. Background
The security of non-cash means of payment is a key factor in the economic stability of the European Union (EU). According to statistics[1], the total number of payment cards issued in the EU in 2011 reached 726 906 710. The value of legitimate non-cash transactions with EU cards exceeded 3000 billion euros. From a security perspective, EU industry has taken an important step forward by fully implementing the EMV (chip-embedded cards) standard for card-present (CP) transactions, and is advanced with the protection of on-line transactions through the strong identification of customers (3D secure).
Banking institutions are profit-making businesses, so reducing the illegal income of criminals is not always a priority for them when introducing new banking products or services. Acceptable levels of fraud and expected net profit for banks are more important than the real prevention of fraud that would lead to depriving criminals of the huge amounts of money they are stealing using EU payment cards. With the current global nature in which the banking sector and non-cash transactions operate, security measures in place on a regional (EU) level are not sufficient and have been exploited by criminal networks.
The illicit activities and fraudulent transactions of organised crime groups (OCGs) performed outside the EU have affected the security and convenience of non-cash payments in Europe and have consequently caused substantial losses to the EU economy. European law enforcement authorities (LEAs) have collected information and intelligence on the activities and development of the OCGs responsible for payment card fraud. Europol has processed and analysed the data in order to define the most vulnerable areas and provide some recommendations.
This report is based mainly on data provided by law enforcement agencies from EU Member States and some cooperating non-EU States. The figures and latest trends were identified based on information from the European Central Bank, European Payments Council, European ATM Security Team (EAST), card schemes, Fuel Industry Card Fraud Investigation Bureau (FICFIB) and some card issuers.
Since criminals affect both physical transactions with payment cards (shops, ATMs), and the internet environment, for the purpose of this report payment card fraud (PCF) is divided into card-present (CP) fraud and card-not-present (CNP) fraud.
[1] Official statistics from the European Central Bank.
3. Combating Payment Card Fraud in the European Union
In 2011 Europol provided support to EU law enforcement authorities (LEAs) in hundreds of international investigations of payment card fraud (PCF). The majority of the crimes had an international dimension – taking into account the origins of suspects, places where card data was obtained and illegal transactions made, and the final destination of the criminal proceeds. The specialised team at Europol produce analytical reports and organise meetings to facilitate cooperation on combating PCF crimes.
The majority of illegal transactions took place outside the EU, but affected the EU. Despite the huge number of identified perpetrators, many others remain unidentified and are still actively involved in payment card fraud.
A criminal structure involved in PCF is usually very complex, highly specialised and hierarchical, with specific roles assigned to each member of the OCG. Europol has coordinated several cross-border investigations against worldwide criminal networks affecting the EU.
For the purpose of this report Europol conducted a research poll among EU payment card fraud investigators about the major challenges for LEAs in this area. Experts reported the international aspect of criminal networks, and their highly organised nature, as the biggest problems faced during the operational phase[2]. Criminals benefit not only from the lack of global protection standards but also from the legal constraints affecting international police cooperation. As far as the organisational approach is concerned in MS, there are different police units responsible for combating this phenomenon: economic units; forgery of money units; cybercrime units; or specialised PCF units, sometimes supported by representatives from the private sector. This is also seen as a factor that makes international cooperation more difficult due to different perceptions of the crime and its prioritisation in respective units.
Europol, which has an excellent overview of the global activities of the OCGs, has no legal or organisational possibilities to cooperate directly with most of the non-EU police authorities. Despite many attempts, neither the Interpol channel nor the legal provisions of Article 23, p.8, of the Europol Council Decision (ECD)[4] have been useful in initiating investigative measures into criminal structures active overseas. Europol, having precise intelligence and information about ongoing criminal activities against the EU, and being aware of the scale of the problem, are entitled to cooperate with non-EU States to support and coordinate investigations in EU Member States.
Ten challenges were reported by Member States and rated on a scale from 1 (no challenge) to 5 (very challenging).
Europol has operational agreements with the following countries: Australia, Canada, Croatia, former Yugoslav Republic of Macedonia,
With the relatively lenient laws for perpetrators and limitations for law enforcement authorities on combating payment card fraud, as well as difficulties in seizing assets, payment card fraud is very attractive and highly profitable for criminal networks. Europol analysis indicates that the same criminals are still active in this criminal market after many years and, after being arrested, they return to the business after just a few months.
4. CARD-PRESENT (CP) FRAUD
4.1. Introduction
The implementation of EMV[5] (Chip and PIN) technology in the European Union is seen as the key driver to reducing domestic payment card fraud. It should be stressed that cardholders’ confidential data is more secure on a chip-embedded payment card than on a magnetic strip card. Chip-embedded cards support dynamic authentication, requiring dynamic values for each transaction, and cannot be easily copied. The EMV card is considered to be well protected against skimming.
As the EU banking industry migrates to the EMV environment, losses caused by illegal domestic transactions in the EU have gradually decreased since 2008. However, at the same time, the level of illegal transactions overseas has seen a sharp increase. Consequently, in 2011, almost all fraudulent face-to-face transactions with EU cards took place overseas. This phenomenon is determined by the level of technical protection of EU payment card terminals - ATM and Point-of-Sale (POS) terminals are fully EMV compliant. In response, criminal networks have targeted the weak points of the system and have undertaken criminal activities using non-EMV compliant terminals overseas. Due to this phenomenon, and the lack of specific agreements on reimbursement of losses caused by less protected terminals, the majority of the loss burden caused by this fraud is on the EU card issuers – which are specific banks in the EU. It is worth mentioning that there has been no specific solution to this problem proposed by the card industry.
There are several countries operating as a substantial market for illegal transactions with counterfeit EU cards. The problem of illegal transactions in the US has been reported to Europol by all 27 EU Member States (MS). There are also other locations where criminal groups with EU origins are cashing counterfeit cards.
This trend has led to a situation in which, even after huge investments by the EU banking industry to install hardware and software to accept EMV cards, the problem has become even bigger, as it is extremely difficult to prevent and investigate crimes committed outside of EU borders.
The ultimate solution to this problem would be to implement the EMV standard on a global level, including making United States’ merchants compliant. Specific discussions on that are currently ongoing, however it is difficult to predict if, and when, the final stage of compliance might be reached.
As a short term solution, in October 2010 Europol and the European Central Bank recommended that all SEPA (European-issued) cards should be EMV (chip-embedded) only. The first Member State to follow this recommendation is Belgium (BE), where debit cards have chips embedded and the magnetic strip is no longer active. This solution, called GeoBlocking, in practical terms limits the possibility to misuse debit cards in regions without Chip and PIN verification. The implementation of GeoBlocking has been extremely positive from a security point of view with significant falls in skimming incidents and skimming-related losses (a decrease to almost zero in Belgium).
It should be stressed that there are some constraints to such solutions. The baseline for branded cards is that the cards are accepted globally. From this perspective the chip-only cards are not in line with this policy. The use of GeoBlocked cards is also less convenient for card holders as the card must be activated every time before travelling to non-EMV compliant countries. According to a research poll carried out by EAST[7], 60% of customers would be in favour of the GeoBlocking solution, including 28% of respondents who would be happy to contact their banks to activate the magnetic strip on their cards, and 12% who would like to hold a chip-only card.
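The GeoBlocking rule described above can be expressed as an issuer-side authorization check. The following is an added illustration, not code from Europol or any card scheme; the country set, the entry-mode names, the reason strings and the sample transactions are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumption: constructed stand-in for the set of fully EMV-compliant countries.
EMV_REGION = frozenset({"BE", "DE", "FR", "NL"})

@dataclass(frozen=True)
class Activation:
    """Cardholder's advance request to enable the magnetic strip for a trip."""
    countries: frozenset
    start: date
    end: date

    def covers(self, country, day):
        return country in self.countries and self.start <= day <= self.end

@dataclass
class Card:
    ref: str
    activations: list = field(default_factory=list)

def authorize(card, entry_mode, country, day):
    """Issuer-side decision for one card-present request: (approved, reason)."""
    if entry_mode == "chip":
        # Chip transactions use dynamic authentication; no geographic block.
        return True, "chip"
    if entry_mode != "magstripe":
        return False, "unsupported-entry-mode"
    if country in EMV_REGION:
        # Terminals here read the chip, so the strip is never active.
        return False, "magstripe-in-emv-region"
    if any(a.covers(country, day) for a in card.activations):
        return True, "magstripe-activated"
    # Default deny: a skimmed strip replayed overseas lands here.
    return False, "geoblocked"

def replay(card, transactions):
    """Run authorize() over (entry_mode, country, day) tuples."""
    return [authorize(card, *t) for t in transactions]

# Constructed sample data: one trip to the US activated in advance.
SAMPLE_CARD = Card("card-0001", [Activation(frozenset({"US"}), date(2012, 3, 1), date(2012, 3, 14))])
SAMPLE_TXNS = [
    ("chip", "BE", date(2012, 2, 10)),
    ("magstripe", "US", date(2012, 3, 5)),
    ("magstripe", "US", date(2012, 4, 2)),   # after the window closed
    ("magstripe", "ZZ", date(2012, 3, 5)),   # country not in the activation
    ("magstripe", "BE", date(2012, 3, 5)),
]
```

The default-deny branch is what removes the value of skimmed strip data: a counterfeit card used overseas is declined unless it happens to fall inside a window and country the cardholder activated.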
This compromise is the price that card issuers and card holders pay as a result of the criminal activities of organised networks. It can be concluded that organised criminal groups (OCGs) have already managed to affect the EU payment card market to the extent that the use of cards is not cheap for card issuers and is less convenient for cardholders.
4.2. Investigations into card-present (CP) fraud