Fraud losses on U.S. credit and debit cards, after years of decline, now appear to be on the rise again. And one key culprit, according to experts, is this country's slow adoption of technology that will improve security.
Last week, Discover Financial Services disclosed in its annual report that its fraud losses in fiscal year 2012 totaled $93 million – or 70% higher than they were two years earlier, even after adjusting for rising transaction volumes.
While industry-wide data is scarce, there are signs that other card issuers are seeing similar trends. Capital One Financial, for example, reported a 20% increase in volume-adjusted fraud losses, between 2010 and 2011. It has yet to release fraud data for 2012.
"I am hearing this story across the board from all major issuers," says Julie Conroy, a research director at Aite Group who advises financial institutions on how to combat fraud. "And unfortunately, most issuers I speak to expect this to get worse before it gets better."
By historical standards, U.S. fraud losses remain low, industry sources emphasized. And the loss rates are still small enough that stock analysts generally shrug them off. Even so, the recent trend suggests that criminals have at least temporarily gained the upper hand in the cat-and-mouse game they play with U.S. card issuers.
One major reason for the rising losses here, according to experts, is that it has become harder to commit fraud in countries that have switched over to EMV cards. Those new cards rely on computer-chip technology that makes counterfeiting difficult. So criminals around the world are looking more often to the United States, where magnetic stripe cards remain more vulnerable to breaches.
"We're the weakest link around the world," says Sanjay Sakhrani, a card industry analyst at Keefe, Bruyette & Woods.
Doug Clare, vice president for fraud solutions at Fair Isaac Corp., agrees. "The fraud comes here. And so this is the place fraudsters focus their efforts, because it's easier," he says.
EMV stands for Europay, MasterCard and Visa, the networks that set the global standard for security chips embedded in payment cards.
The major U.S. card brands have all announced that they will require most U.S. merchants to use terminals that can handle EMV cards by October 2015. Those cards are more secure than their predecessors. But the United States lags far behind the rest of the world in making the switch.
The rising U.S. fraud losses could help galvanize industry support for making the switch to EMV cards, which also are expected to encourage the adoption of mobile payments. "Fraud wasn't the initial driver, but it certainly is part of the business case now," Conroy says.
She noted that fraudsters often hold onto stolen credit card data for some amount of time before using it to make illegal purchases, so the October 2015 switchover date also serves as a deadline for the criminals.
"The bad guys are very motivated to use all this counterfeit card data that they have before it becomes much harder to use," she says.
Firms in the card industry are often reluctant to speak publicly about fraudulent transactions, the costs of which they generally cover.
Discover declined to comment for this story. In a document filed with the Securities and Exchange Commission last week, the company stated: "The risk of fraud continues to increase for the financial services industry in general. Additionally, our risk of fraud continues to increase as acceptance of the Discover card grows internationally and we expand our direct banking business."
Capital One, of McLean, Va., also did not respond to a request for comment for this article. Other card issuers, including American Express, do not disclose their fraud losses publicly.
In recent years, the card industry has been beset by data breaches both large and small.
At one end of the spectrum is the installation of skimming devices on gas pumps and at other retail locations. Fraudsters are also installing malware on the payment terminals of small merchants, and then siphoning off customer data. Those kinds of attacks have ramped up in the last two years, according to Conroy.
At the other end are large-scale infiltrations, such as the data breach at Global Payments, first reported in March 2012, which exposed the card data of up to 1.5 million customers.
Card issuers have different strategies for combating fraud, according to Al Pascual, a security risk analyst at Javelin Strategies and Research.
Some companies emphasize the use of analytics to manage their risk, while others focus on issuing replacement cards liberally. "It really is issuer-dependent," he says.
Issuers also have ways of controlling their fraud loss rates. Ultimately, their calculation comes down to how tight they want to be in authorizing transactions, with the goal of fraud prevention bumping up against their desire to keep their customers satisfied.
"They choose an authorization point that balances fraud losses with customer experience," says Fair Isaac's Clare.