As the introduction of Chip and PIN celebrates its first anniversary, the UK credit card industry looks to tackle the migration of fraud to card-not-present (CNP) transactions.
Apacs, the UK payments association, released figures revealing that chip and PIN cards now account for 97% of the payment cards in circulation in the UK. This increase in adoption has had a clear effect on card fraud, with Apacs figures showing a decline.
But at the same time, the payments body turned its attention to online, telephone and mail order fraud where the card need not be present to authorise a transaction. This method of theft now accounts for the largest proportion of credit card losses, which were £209 million in total last year. CNP losses for the last six months of 2006 were £95.3m alone.
Working with the card issuers, Apacs has also unveiled its pilot of a two-factor authentication system, where the customer is issued with a card reader that prompts them to enter their PIN. The reader then issues a one-off code that can be entered at the point of purchase to verify it is the cardholder using the card.
Other schemes using fingerprint recognition from the likes of payment vendor Pay-by-Touch are also designed to give the cardholder the security edge by splitting authentication between the card and a unique identifier.
And last month the two major card companies Visa and MasterCard said they were launching a major trial of contactless payment technology in London this autumn, allowing customers to pay for small transactions using the microchip embedded in the credit card communicating with a peripheral reader. It is hoped this will drive further investment by retailers in chip and PIN, as well as offer additional functionality for the chip technology like the collaboration of the London Transport Oyster card system with Barclaycard also announced last month.
CA’s Steven Cox believes companies need to be as vigilant as ever as the success of chip and PIN means the threat landscape has changed, with hackers looking to use more sophisticated ways to steal information.
Cox believes companies also need to really clamp down on fraud and address these new threats by adopting ‘MasterCard secure code’ and ‘verified by Visa’ on a more widespread basis. And he urged that good ID and access management is crucial to countering the internal threat as criminals target back-end systems.