Although it is difficult to calculate the exact amount of money lost to cyber fraud each year, it is clear that European cyber fraud is on the rise. European card fraud losses increased over 6% (approximately €1.55bn) between 2012 and 2013. In a recent report by FICO, based on data gathered by Euromonitor International, card fraud losses reached a new high in 2013, and experts anticipate that the fraud figures will exceed those of 2013 once the 2014 data is collected and analyzed. The majority of the cyber fraud is card-not-present (CNP) payments via the Internet, emphasizing the critical importance of complete and comprehensive internet security systems.
In an effort to combat cyber fraud, the European Banking Authority (EBA) recently released their report, “Final Guidelines on the Security of Internet Payments”. The report collects detailed online fraud statistics of European businesses and also sets parameters for banking institutions to follow in an attempt to prevent future losses due to cybercrimes. The guidelines created are divided into 14 steps that financial institutions must follow. Each step addresses a specific factor that needs to be considered when dealing with electronic transfers of capital. The European Banking Authority will require complete compliance by August 2015.
The 14 steps include:
- Governance: Payment Service Providers (PSPs) should implement and regularly review a formal security policy for internet payment services.
- Risk assessment: PSPs should execute and document thorough risk assessments of the security of internet payments and related services, both prior to establishing the service(s) and regularly thereafter.
- Incident monitoring and reporting: PSPs should ensure the consistent and integrated monitoring, handling and follow-up of security incidents and establish a procedure for reporting such incidents to management and, in the event of major payment security incidents, the competent authorities.
- Risk control and mitigation: PSPs should implement security measures in line with their respective security policies in order to mitigate identified risks. These measures should incorporate ‘defense in depth’: multiple layers of security defense, so that the failure of one line of defense is caught by the next.
- Traceability: PSPs should establish processes ensuring that all transactions, as well as the e-mandate process flow, are appropriately traced.
- Initial customer identification, information: Customers should be properly identified in line with the European anti-money laundering legislation and confirm their willingness to make internet payments using the services before being granted access to such services. PSPs should provide adequate ‘prior’, ‘regular’ or, where applicable, ‘ad hoc’ information to the customer about the necessary requirements for performing secure payment transactions.
- Strong customer authentication: The initiation of internet payments, as well as access to sensitive payment data, should be protected by strong customer authentication.
- Enrolment for, and provision of, authentication tools and/or software delivered to the customer: PSPs should ensure that customer enrolment for and the initial provision of the authentication tools required to use the internet payment service and/or the delivery of payment-related software to customers is carried out in a secure manner.
- Log-in attempts, session time out, validity of authentication: PSPs should limit the number of log-in or authentication attempts, define rules for internet payment services session ‘time out’ and set time limits for the validity of authentication.
- Transaction monitoring: Transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions should be operated before the PSP’s final authorization.
- Protection of sensitive payment data: Sensitive payment data should be protected when stored, processed or transmitted.
- Customer awareness, education, and communication: PSPs should provide assistance and guidance to customers, with regard to internet payment services security.
- Notifications, setting of limits: PSPs should set limits for internet payment services and provide their customers with options for further risk limitation within these limits.
- Customer access to information on the status of payment initiation and execution: PSPs should confirm the payment initiation and provide customers with the information necessary to check that a payment transaction has been correctly initiated and/or executed in a timely manner.
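The ‘log-in attempts, session time out, validity of authentication’ item above describes three distinct controls. The following is an added example, not code from the EBA guidelines or from any PSP, showing how a payment front end could enforce all three in one place; the limits (5 attempts, 300 s idle time out, 900 s authentication validity) are assumed values chosen for illustration, and the injectable clock exists only to make the behaviour testable offline.

```python
import time

MAX_LOGIN_ATTEMPTS = 5     # assumed limit: lock the account after this many consecutive failures
SESSION_IDLE_TIMEOUT = 300 # assumed rule: a session with no activity for 300 s is terminated
AUTH_VALIDITY = 900        # assumed rule: strong authentication is valid for 900 s, then must be repeated


class PaymentGateway:
    """Minimal per-user login, session and authentication-validity bookkeeping."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so the time rules can be exercised in tests
        self.failed_attempts = {}   # user -> consecutive failed log-in attempts
        self.locked = set()         # users whose account is locked after too many failures
        self.sessions = {}          # user -> {"authenticated_at": t, "last_activity": t}

    def login(self, user, credential_ok):
        """Return 'ok', 'denied' or 'locked'. credential_ok is the verifier's verdict."""
        if user in self.locked:
            return "locked"         # locked accounts stay locked even on a correct credential
        if not credential_ok:
            self.failed_attempts[user] = self.failed_attempts.get(user, 0) + 1
            if self.failed_attempts[user] >= MAX_LOGIN_ATTEMPTS:
                self.locked.add(user)
                return "locked"
            return "denied"
        self.failed_attempts[user] = 0      # a successful log-in resets the failure counter
        now = self.clock()
        self.sessions[user] = {"authenticated_at": now, "last_activity": now}
        return "ok"

    def authorize_payment(self, user):
        """Apply the session time-out and authentication-validity rules before authorizing."""
        sess = self.sessions.get(user)
        if sess is None:
            return "no_session"
        now = self.clock()
        if now - sess["last_activity"] > SESSION_IDLE_TIMEOUT:
            del self.sessions[user]         # idle too long: terminate the session outright
            return "session_expired"
        if now - sess["authenticated_at"] > AUTH_VALIDITY:
            return "reauthenticate"         # session still live, but the authentication is stale
        sess["last_activity"] = now         # activity extends the idle window, not the auth validity
        return "authorized"
```

Note that activity extends the idle window but never the authentication validity, which is why a long-running session eventually returns "reauthenticate" even though it never went idle.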
The new European Online Payments Regulations apply to any organization that touches consumer card data, including banks, merchants, credit card processors, hosting providers, and other organizations that store, process or transmit payment card data. Failure to comply with the requirements may have economic impacts for both merchants and financial institutions.
The biggest takeaway from these new regulations is that there is no single way to stop online payment fraud. A ‘defense in depth’ protection strategy, covering all critical areas of the transactional process, is the best way to provide consistent and comprehensive fraud prevention. As cyber criminals are innovating and adapting to singular or one-dimensional security systems, banking institutions and merchants need to take a holistic approach to security and to how they protect their customers.