Thales Blog

PCI DSS Recognised As Contributing Factor To Shrinking UK Card Fraud

March 24, 2011

The latest card fraud stats from the UK Cards Association show some good news for 2010. Fraud losses on UK credit and debit cards were 17 per cent lower than in the previous year, the lowest level such fraud has stood at since 2000.

There was a 15 per cent drop in card-not-present fraud (CNP) which, as stated in the report, may well be due not only to ‘the increasing use of sophisticated fraud screening detection tools’, but also increased use of 3DSecure schemes, such as Verified by Visa or MasterCard SecureCode.

Better consumer education could also be playing a part, because (according to the same report) despite a 21 per cent rise in the number of phishing attacks, the money lost to online banking fraud was in fact down by 22 per cent. This decrease is corroborated by the Fraudscape report, published recently by the UK’s fraud prevention service, CIFAS. That report noted a decrease in use of the internet as a ‘bank account fraud facilitator’ from 33 per cent in 2009 to 19 per cent in 2010, and attributes this to “…the considerable efforts made by financial institutions to combat internet fraud, and an increasingly educated public who are less likely to respond to phishing attacks.”

3DSecure has helped stem the rising tide of CNP fraud, so perhaps it’s time to consider a wider roll-out of two-factor authentication. As long as there are online retail sites that don’t require it, or as long as the systems only request a password, attacks in this area can still happen.

Maybe in the future we will start to see existing online banking card readers, or mobile-based authentication, used as a second factor to further secure online shopping.

What was also interesting to see was that PCI DSS was picked out for the first time in the UK Cards Association findings as one of the factors that could have contributed to the decline in card fraud. Certainly, increasing numbers of retailers are now implementing the cardholder data protection processes required of them by version 2.0 of the standard (announced last year).

Protecting cardholder data is of crucial importance in protecting transactions against fraud, and many retailers and acquirers are now adopting approaches that have been pioneered in the US, such as end-to-end encryption, where data is encrypted at source, allowing it to travel safely through vulnerable channels.
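To make the "encrypted at source" idea concrete, here is an added illustration (not Thales, PCI SSC or any vendor's code) of the shape a point-to-point encryption flow takes: the capture device seals the PAN with AES-256-GCM, binding a terminal identifier as associated data; the merchant's own systems forward only the ciphertext plus a masked PAN; the acquirer's secure zone is the only place the key exists, so it alone can recover the full number. The key, terminal ID and test PAN are constructed for the demo; a real deployment would derive per-transaction keys from an HSM-managed scheme such as DUKPT rather than hold a static key on the terminal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Hypothetical point-to-point encryption demo (added example, not vendor or
// PCI SSC code). Only the capture device and the acquirer hold the key; every
// merchant system in between handles ciphertext plus a masked PAN.

// MaskPAN returns a PCI DSS-style masked PAN (first six and last four digits
// visible), which is all a merchant back office needs for receipts and lookups.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// EncryptPAN seals the PAN at the point of capture with AES-256-GCM.
// The terminal ID is bound as associated data so a blob captured from one
// terminal cannot be replayed as if it came from another without the tag failing.
// Output format (constructed for this demo): hex(nonce || ciphertext || tag).
func EncryptPAN(key []byte, pan, terminalID string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte(terminalID))
	return hex.EncodeToString(sealed), nil
}

// DecryptPAN is what the acquirer or processor runs inside its secure zone.
// Any modification in transit, or a mismatched terminal ID, fails the GCM tag check.
func DecryptPAN(key []byte, blob, terminalID string) (string, error) {
	raw, err := hex.DecodeString(blob)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("blob too short to contain a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(terminalID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ExposesPAN reports whether a payload crossing the merchant network still
// carries the full PAN in the clear, which is exactly what P2PE is meant to prevent.
func ExposesPAN(payload, pan string) bool {
	return strings.Contains(payload, pan)
}

func main() {
	key := make([]byte, 32) // constructed demo key; in practice HSM-managed
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan := "4111111111111111" // constructed test PAN
	blob, err := EncryptPAN(key, pan, "TERM-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant sees:", MaskPAN(pan), "+", blob[:16]+"...")
	fmt.Println("PAN exposed in transit:", ExposesPAN(blob, pan))
	got, err := DecryptPAN(key, blob, "TERM-0001")
	fmt.Println("acquirer recovers:", got, "err:", err)
}
```

The merchant-side check (`ExposesPAN`) is the property an assessor cares about: if the payload leaving the terminal contains no clear PAN, the merchant systems carrying it fall outside the cardholder data environment's riskiest scope, which is the scope-reduction argument behind P2PE.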

While there are no standards for end-to-end encryption yet, PCI SSC have an emerging technology white paper on the subject (which the white paper calls point-to-point encryption, or P2PE) and say they will provide more concrete guidance and requirements over the coming months. Meanwhile, others are working on standards, and this will be covered in another post.