Not all banks are equal and the EU should adopt more rules to secure online banking, Zafar told EurActiv in an interview.
Zafar, who advises banks and telecoms companies in the City of London on the EU's Payments Services Directive (PSD), says that fraudsters are getting better and better at tricking consumers into parting with their personal data.
"Banks need an always-evolving online (and now also mobile) security strategy that keeps one step ahead of the criminals," according to Zafar.
Critics of the PSD argue it should say more on data protection, especially given the growing scale of online and mobile payments.
The directive creates the same standards and rights on domestic and cross-border payments across the EU/EEA, including Switzerland, but so far 11 countries are shy of full implementation.
Zafar warns that the online organised crime game is a highly evolved industry that targets the travel and entertainment sectors, where criminals use credit cards to buy products.
Databases at companies that process payments are particularly vulnerable, he adds.
Zafar also laments the lack of a common EU policy on data protection across the 27-member bloc, but argues that some banks and card companies are better than others.
In addition, the PSD extends payment services to non-bank companies such as utilities or mobile phone operators. These institutions, which will not have the same level of supervision or capital on their balance sheets, will have to be extra vigilant in policing payments, according to Zafar.
Last October, EU Information Society Commissioner Viviane Reding said the EU would be reviewing its data protection guidelines this year (EurActiv 27/10/09). Since then, EU officials have started studying ways to notify users of data breaches.
But in the absence of an EU response to online organised crime, Zafar says the best solutions in existence today are the good old-fashioned electronic chips and personal identification numbers (PINs) already available on payment cards.
Used at sales terminals in shops, chips and PINs are now also being used for online transactions and almost indefinitely negate fraud, Zafar argues.