Source: Deutshe Bank
Christmas is only a few days away, and everyone is rushing to buy presents for family and friends. The tills are ringing and the card terminals are buzzing. But how safe is it to pay by card?
In 2016, approximately 800,000 incidents of card fraud caused EUR 132 m of damage in Germany. This sum is certainly high in absolute terms, but needs to be put into perspective: Overall, 6.3 bn card payments and ATM withdrawals worth a total of EUR 643 bn took place in 2016. The fraud rate thus amounted to 0.02% of the total value and 0.01% of the total number of transactions. Put differently, the per-capita damage from card fraud was EUR 1.61, with EUR 0.26 stemming from cash withdrawals, EUR 0.29 from point-of-sale payments and EUR 1.06 from using cards online. However, the card fraud statistics do not offer information on which party ultimately has to bear the loss: the cardholder, the cardholder’s bank, the merchant or the acquirer (the merchant’s bank).
The risk of card fraud depends to a large extent on the situation in which the card is used. In Germany, ATM withdrawals are the most important type of card transaction in terms of value (EUR 384 bn). At the same time, the fraud rate is lowest for this type of transaction. In theory, the damage from fraud amounts to about 6 cents for every EUR 1,000 withdrawn in cash. Card payments at the point-of-sale amounted to a total of EUR 220 bn, with the average fraud damage for every EUR 1,000 of sales coming to 11 cents. Over the last few years, EMV chips have helped to considerably reduce fraud from card-present transactions, as the chip technology has rendered copying the magnetic stripe obsolete. By now, 84% of all cards in Europe carry an EMV chip and these are used for 98% of all card payments.
The card fraud risk is biggest in virtual payment situations. But even then, the large majority of transactions did not suffer from any fraud. Most of the so-called “card-not-present” (CNP) transactions were online card payments, but the total also includes cases in which payment instructions were given on the phone or by letter. When paying online by card, German customers mostly use credit cards; debit cards play only a marginal role on the internet. Out of a total of EUR 38 bn paid over the internet or on the phone, fraudsters grabbed EUR 87 m or, on average, EUR 2.27 per EUR 1,000 of sales. In most cases, sensitive card or cardholder data had been stolen. But fraud also included incidents where fraudsters claimed back the price of goods which they had indeed ordered online and paid for by card.
Since the damage from CNP transactions is relatively high, banks, card companies and retailers are working hard to prevent online fraud. According to retailers and financial services providers, 3D Secure Authentication (improved procedures to identify both payers and payees) and tokenization (replacement of sensitive card data by a number code during the payment process) have yielded good results. In addition, neuronal IT systems helped to prevent fraud by recognising attempts in time. These and other methods to improve security have been quite successful, in fact. CNP fraud rates dropped in comparison to 2013 (the year in which the previous survey took place), while total online sales rose.
Even though the fraud rates were low and, regardless of the situation in which the card was used, more than 99.7% of all card transactions by value were executed securely, the absolute damage of EUR 132 m is an incentive to continue with efforts to combat fraud. This applies not only to card payments, but also to other payment methods such as credit transfers or online payments, for which no similarly comprehensive figures are available. Experience has shown that fraudsters prefer situations where the potential loot is large or security is lax. Indeed, fraud rates are considerably higher in countries such as France, where cards are used much more often than in Germany. Moreover, new technologies and payment methods do not only improve the quality of service or reduce costs, but at the same time they open up new weak spots which criminals can exploit. Thus, the race between financial services providers and fraudsters will continue.
 Card payments excluding Elektronisches Lastschriftverfahren (debit card payments requiring the customer’s signature).
 From 2019, the PSD2 will oblige payment services providers to use a uniform European template to report fraud incidents for all payment methods to the national supervisory authorities. These figures will be sent on to the ECB and the EBA. However, as of now, it is not yet clear whether the EBA will make the aggregated data publicly available.