European Regulation Brings New Security Standards This Month

As EMV is largely complete and card not present fraud dominates across the pond, new payments industry security standards are coming to Europe

Figures released this past month by the European Central Bank showed an 8 percent increase in the number of fraud incidences in 2013 for cards either issued or acquired within what is known as the Single Euro Payments Area (or SEPA for short). In terms of monetary value, the ECB study found, card fraud represented as much as $1.4 billion in that year alone, the highest figure through the previous five years.

The data may seem a bit dated, but one can surmise that things have gotten a bit worse — or a lot worse — in the years since. That’s because EMV adoption in the region has spurred criminals to look toward avenues that allow for fraud beyond the physical terminal. And in another report that underscored the growing trend of Europe as a fertile ground for transactional mischief, in July, FICO, an analytical software firm, using data from Euromonitor International, showed a 6 percent boost in fraud across SEPA in 2014. So taken together, the data point toward a growing need for payments security.

Though the FICO score noted the strong gains in EMV technology in efforts to reduce fraud, there are indeed gaps in the chain of safety. FICO found that slightly less than half (47 percent) of cross-border debit transactions, in turn hit by fraud upon originating in the United Kingdom, involved the United States — a country well known for its relatively glacial pace in EMV adoption.

The “favorite” way for fraudsters to ply their trade: As the ECB’s 2013 data show, two-thirds of the value of the $1.4 billion mentioned above came from card-not-present (CNP) payments that used the Internet or physical mail as conduits. The CNP method was indeed the only type of fraud loss to post an increase year over year in 2013, even as POS and ATM fraud loss numbers fell — trends widely attributed by industry-watchers to the near universal adoption of EMV across SEPA, with at least some measurement of growth at the terminals dotting the landscapes outside SEPA’s borders.

Now we are in August, and the first day of the month marked the deadline set in motion by the European Banking Authority for card issuers to adopt a minimum protocol of Internet commerce security standards. Those standards were in turn taken from regulations set up by the EU Payment Services Directive (PSD) across the 28 member states of that union.

In a nutshell, what’s been mandated, as CA Technologies said earlier this year in a white paper, is a “multi-factor, defense-in-depth authentication approach to support Internet card use.”

The key, of course, has been — and still remains — tying together a cardholder friendly transaction, marked by ease of use, to security. CA noted in its February report that vendors operating within the cloud and offering expansive and scalable technology can bring issuers in line with the EU guidelines – and also react to the (possibly) more stringent mandates that may come alongside PSD 2.

One of the more immediate lines of defense available comes through 3D Secure (or 3DS), geared specifically toward CNP transactions. There’s added security in two-factor or other “strong authentication” password verification tools that use, for example, voice or SMS to help verify transactions, according to CA. This would all be within the scope of data that moves between parties online, a potentially porous place for pilfering as EMV adoption in the states makes it otherwise harder for fraudulent activity.

There are more than a dozen EBA guidelines, and the most systematic ones involve setting up a formal security policy, systematically conducting thorough risk assessments, and — along with the multiple layers of defenses just mentioned — limiting the scope of transactions themselves.

For additional information about how to protect yourself from this type of fraud, visit



[gview file=””]