Any ideas to curtail CNP fraud?

The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12-month period. Lockstep monitors these figures and plots the trend data. The latest stats were released this week, for FY 2012.

Here’s the latest picture of Australian payment card fraud growth over the past seven financial years FY2006-12.

Compared with FY2011:

  • Total card fraud is up 25%
  • CNP fraud is up 27%
  • Card Not Present fraud as a proportion of all card fraud remains at just under three quarters (72%).

As with the CY2011 stats we discussed last July, card fraud has again grown in all categories at once, not just Card Not Present, and this is unusual. The explanation may be a burst of skimming and counterfeiting in late 2011 which would be reflected in both the FY2012 and CY2011 numbers.

APCA’s press release this week notes that card fraud has dropped in the past six months, contrasting financial 2012 ($189M) with calendar 2011 ($198M). This may not be a statistically valid comparison. We should expect seasonal buying habits will cause asymmetries within 12 months, making FY against CY a case of apples and oranges. Indeed, this looks like the first time APCA themselves have plotted CY and FY stats together. It certainly makes the latest figures look better.

Time will tell whether the trend is changing. The long term trend is that CNP fraud has grown at 38% p.a. on average, from $27M in FY2006 to $189M in FY2012. A 5% drop in the past six months may not mean much. The $189M loss most recently reported is probably close to the true trend.

APCA says “Broadly, the value of CNP fraud reflects growing retail activity in the online space, with many more businesses … moving online”. That’s true but the question is: What will we do about it? Bank robbers rob banks because that’s where the money is. Think about high road tolls: they reflect the popularity of driving, but we don’t put up with them!

In any case, a cardholder’s exposure to CNP fraud has nothing to do with whether they themselves shop online! Stolen card data are replayed online by criminals because they can. The online boom provides more places to use stolen cards but it’s not where the criminals get most of their cards. Instead, it appears that account numbers are mostly obtained from massive database breaches at processors and large bricks-and-mortar retailers, like Heartland Payments, Global Payments, and Hannaford. So it’s not fair to play down CNP fraud as relating to the cost of going digital, because it hurts people who haven’t gone digital.

I’m afraid payments regulators seem light on ideas for actually rectifying CNP fraud.

Until recently, APCA actively promoted 3D Secure (Verified by Visa or Mastercard SecureCode) as a response to CNP fraud. In June 2011, APCA went so far as to say “retailers should be looking at a 3D Secure solution for their online checkout”. But their most recent press release makes no mention of 3D Secure at all.

It looks to me that 3D Secure, after many years of disappointing performance and terrible take-up, is now too contentious to rate a mention from Australia’s regulators.

In my view, the industry needs to treat CNP fraud as seriously as it did skimming and carding. The industry should not resign itself to increasing rates of fraud just because online shopping is on the rise.

CNP fraud is not a technologically tough problem. It’s just the digital equivalent of analogue skimming and carding, and it could be stopped just as effectively by using chips to protect cardholder data online.