A recent study by Richard J. Sullivan of the Federal Reserve Bank of Kansas City looked at security within the payment card industry. As its title indicates, “The Changing Nature of U.S. Card Payment Fraud: Issues for Industry and Public Policy” focuses primarily on potential public policy responses to payment card security. Even so, it offers insight and information of use to accounts payable professionals.
Since 2005, at least 2,221 breaches of card data in the U.S. have been made public; these encompass nearly 500 million records. Just eight extraordinarily large breaches – TJX, TD Ameritrade and Heartland Payment Systems, to name a few – account for about four-fifths of these records. So, while nonbank payment processors accounted for just two percent of the breaches, these covered nearly 40 percent of the records compromised. Nearly two-thirds (64 percent) of breaches are the work of outsiders. However, more than a fifth are a result of accidental disclosures by insiders.
The rate of data breaches rose steadily between 2005 and early 2009, when it began trending down. It’s too early to tell if this downward trend will continue.
The study points out that the rate of payment card fraud is higher in the U.S. than in several other similar countries. Case in point: in 2006, the total loss in the U.S. on debit and credit card payments topped $3.7 billion, or $.092 per $100. In contrast, the loss rates for Australia and Spain were $.024 and $.022 per $100, respectively. That means the loss rate in the U.S. was four times that in Spain.
Several factors likely account for the differing fraud rates: the use of older card technology with relatively weak security, the types of payments being made (Internet versus point-of-sale), and the mix of payment cards, among others. For instance, what are known as “chip-and-PIN” payment cards, which have an embedded computer chip yet also require the user to enter an ID number before starting a transaction, are more secure than magnetic-stripe cards.
That said, several countries that have largely migrated to chip-and-PIN technology have higher fraud rates than countries, such as Spain and Australia, which remain heavier users of older, mag-stripe cards. The study authors theorize that the counter-intuitive findings may be a result of countries that have experienced high rates of payment fraud accelerating their shift to chip-and-PIN cards.
When it comes to implementing efforts to control payment fraud, the U.S. faces several obstacles unique to the payment card industry here, Sullivan says. For starters, businesses and consumers have depended on paper checks for so long that the shift to electronic payments, as well as the security measures they require, still is ongoing. In addition, the need to coordinate efforts between thousands of financial institutions, card issuers and payment processors is, not surprisingly, leading to redundancy and slowing the development of standards. Greater coordination has been successful in developing security for the ACH system, and would be of value with card payments, as well, Sullivan indicates.