EU: Flights and restaurants risky for payment cards


Purchasing plane tickets online is one of the least secure transactions that can be carried out with a payment card and chances are high that customers will be targeted by fraudsters, according to a report published yesterday (28 April) by the European Commission.

Gaming and gambling on the Web are also fraud-prone activities, while away from the online world, the most common crime against non-cash payments is fast becoming so-called ‘skimming’, the copying of card details by specific reading machines mainly used in restaurants, where waiters collect cards at the tables for the payments and can easily copy them when not seen by the owners.

The European Commission is determined to increase the use of electronic means of payment to replace the more expensive and less secure cash option. The adoption of the Payment Services Directive and the establishment of the Single Euro Payment Area (SEPA) both push in this direction.

Nevertheless, the transition from cash to electronic money is not without side effects. The study published yesterday gathers the results of a three-year EU action plan meant to increase the security of non-cash payments, and shows concerns are increasing over new techniques for abusing the weaknesses of electronic means.

Online fraud is considered easiest due to the relative simplicity of stealing an identity in the online world. The Commission has identified a number of eCommerce activities that are most likely to end up in fraud cases due to the low use of protection systems.

“The airlines, travel agencies and gaming and gambling sectors have been identified as weak areas,” states the report. Also crimes related to eBanking – the use of online bank accounts – are increasing as new useful Web services continue to spread. These threats have a clear impact on eCommerce, meaning that is not yet taking off in Europe: less than one European out of five makes purchases online, according to recent EU figures.

Brussels regrets that while there are already systems in place to prevent electronic crimes, they are not regularly applied. One example is the insufficient use by merchants of the three-number code on the back of payment cards, also known as the CVX2 number.

While the card number can easily be skimmed in a restaurant or in altered ATMs, the CVX2 number cannot be copied. Nevertheless retailers do not request it regularly, allowing stolen cards to be used.

Chip and PIN technology is another example of an efficient anti-fraud system. It is applied to all payment cards that request a PIN code to execute a purchase. A thief is therefore obliged to steal not only the card but also the PIN. The method replaces signatures, which are less secure and often not even present on the card but still used as proof of ownership.

As of the end of 2007, 56% of the payment cards issued by EU-based banks used the chip and PIN technology, while 59% of the points of sale were capable of conducting secure transactions by requesting PINs. What’s more 72% of the ATMs in the EU are equipped with cheap reader tools, according to the findings reported in the Commission study.

Nevertheless, the magnetic strips that make cards vulnerable to skimming are still maintained in the majority of cards, therefore reducing the positive effects of the chip and PIN technology. The strips are kept to make cards usable across the world, as the average penetration of the new system is much lower elsewhere than in the EU.

Regarding Internet payments, requesting a card PIN for any eCommerce transaction has proven to be a secure method – as is already the case for online eBanking transfers. This decreases the chances of using a stolen card on the Web. However, only a few banks across Europe apply this system to the cards they issue.

Subscribe to our newsletters