The EU began its work to assure the security of non-cash payments with the 2001-2003 fraud prevention action plan (FPAP), which culminated in a 2003 conference on payments and confidence. This plan saw the setting up of the EU fraud prevention, a study on the security of e-payments and a feasibility on a single EU phone number for reporting lost or stolen cards, card stop Europe.
This work continued through the 2004-2007 FPAP, which the Commission saw as a complement to legislation on the single European payments area (see our Links Dossier) and on the payment services market (see our Links Dossier). It aims to boost consumer confidence and so encourage cross-border payments by:
clarification of data protection law (new legislation if necessary);
co-operation between public and private authorities;
specialised member state enforcement units;
training and awareness schemes for enforcement authorities;
encouraging development of new technologies.
A report on the implementation of the 2004-2007 FPAP was published by the Commission in April 2008 and confirmed that the security of means of payment is key for improving consumer confidence and trust in new payment services.
The Commission also has an i2010 strategy (see our Links Dossier), part of which includes internet security. Established in March 2004, the European Network and Information Security Agency also advises the Commission on network security generally.
Scams to counterfeit or copy bank and credit cards and to illegally obtain card numbers have been around as long as cards themselves. Some of the methods used, apart from straightforward theft, are:
Cold calls: consumers receive phone calls purportedly from their bank asking to check account details.
False cash machines: criminals cover the card slots in cash machines with a fake which copies the card. Cameras may be placed above the machine to record PIN numbers.
ID theft: using someone else’s identity to apply for a credit card or a loan.
There are numerous initiatives from banks, credit card companies, online commerce associations, e-technology companies and consumer associations to help individuals and businesses to guard against fraud.
The rise in the use of e-payments has drastically increased the scope for fraud and, as anti-card fraud measures become more sophisticated, fraudsters have turned to the internet to get access to other people's money. Some of the schemes used are:
Phishing: spam e-mail purporting to be from a bank or online retail service is used to direct consumers to fake websites where they are encouraged to enter financial details. Toolbars that block phishing sites are increasingly available.
Pharming: criminals create false websites with a web address very similar to bank or credit card company sites and collect details of anyone who uses them unawares.
Hacking: criminals hack into personal computers to get financial details.
Identity theft: getting hold of consumers' bank details can be done through accessing online bank services, using viruses or, in the old-fashioned way, by digging in rubbish bags. Fraudulent loans, credit cards etc. are then taken out using the consumer’s details.
Gas stations: thieves have found ways to tap into and steal data from satellite systems which transfer details of cards swiped in petrol stations to credit card companies.
Mobile phone: payments can now be made using a mobile. Rates of fraudulent purchases via mobile phones are even higher than those for internet purchases.
Chip & Pin
New technology is replacing the old magnetic strip on bank and credit cards that was often used with a signature. New cards have data embedded in a computerised chip and must be used with a personal identity number (PIN). All UK cards have already been converted to this new technology.
Alternative payment solutions
Two-factor authentication: Ways are being developed to protect online card payments which require the use of two separate identifiers. This may be through single-use passwords, SMS authentication or the use of card readers attached to the computer into which the PIN number must be entered.
Mobile phones: It is expected that payment via mobile phone, usually through prepaid systems, will increase, particularly for small transactions. To this end the EU adopted in 2007 the Payment Services Directive that relaxed rules to allow payments directly related to the phone (see our Links Dossier).
Pay By Touch: Schemes where consumers register biometric and payment card details with intermediary companies are developing in the US and in Japan. Here there is no card: the consumer places a finger on a reader and enters a pass number. They then choose a payment method from personalised options displayed on a screen. There are also schemes where the card is used but is simply tapped on a reader, with no PIN or swiping necessary.
Smart cards: The traditional credit or bank card is also being replaced by ‘electronic wallets’ with built-in microchips to store credit. These cards, unlike early swipe cards like Belgium’s Proton, need only to be waved over a reader and can be used to pay for transport, car parks, vending machine items etc. (some can also be used to access buildings). Most can be reloaded at shops, banks and ATMs. Examples are Octopus in Hong Kong, cards for London transport and Visa Wave.
After the publication of the report on financial frauds in April 2008, Internal Market and Services Commissioner Charlie McCreevy said: "Payment fraud affects consumer confidence in non-cash means of payment and therefore remains a threat to the success of the single market for payments. The Commission is working actively to minimise the payment fraud threat, for the benefit of consumers and financial services providers alike".
Eurochambres, in a review of the Commission’s E-Europe plan to increase business done over the internet, saw security as one of the major issues. It pointed to the damage done by viruses, increasingly out-of-control spam and the problem of hacking. It recommends encryption of financially sensitive e-mail, increased police co-operation across borders and more emphasis on enforcement of existing legislation.
Some advocate attacking fraud by attacking spam through use of the Trusted Email Open Standard (TEOS). This involves transmitting with the email additional information to verify the identity of the sender and recipient. The US ePrivacy Group believes enforceable standards on the use of email should be introduced, policed by a Trusted Email Oversight Board.
The European smart card organisation, Eurosmart, has carried out a survey on security standards and cost-effectiveness. It recommends the adoption of a global security certification which could be used by all card manufacturers and banking organisations.
Many in industry view biometrics as the solution, arguing that it provides a unique identifier, which, with the use of home reader systems, can be used for in-person purchases and online transactions. A survey carried out by IT company Fujitsu Services in the UK showed that fears over payment security were leading consumers to favour the use of biometrics.