French payment companies are stepping up the use technology that can spot certain types of card fraud that are not prevented by EMV-chip security.
EMV technology, which is still new to the U.S., has been deployed in France for more than a decade long enough for crooks to adapt to what is essentially an anti-counterfeiting measure.
"The criminals are very clever in finding ways to work around any kind of physical fraud prevention such as a chip cards," said Constantin von Altrock, a managing director at IRIS Analytics, which has deployed a network-based transaction scoring system with Group Cartes Bancaires CB, an interbank network in France.
France's migration to the EMV standard finished in 2003. That year, "card fraud went down to zero," von Altrock said.
But fraudsters soon adapted.
Crooks avoided counterfeiting and instead used a mix of hacking and other computer-based measures to attack French accounts, making France one of the most dangerous countries in Europe for card fraud. "After a couple of years fraud had reached pre-chip card levels," von Altrock said.
EMV doesn't protect card-not-present transactions. The technology also can't analyze bad transactions performed by a "good" card that has been stolen, von Altrock said.
IRIS addresses these weaknesses though behavioral analysis. It examines cardholder and merchant behavior, with a goal of scoring transactions in about five milliseconds for decisions at the point of sale. The system searches for patterns that can spot fraud that can't be deterred by EMV.
"If there's a number of cards that are used at the same ATM to make the exact same transaction, that's one clue. Or if there's a pattern that involves the use of a counterparty, that could be a clue," he said, adding any single factor may not spot fraud alone.
These red flags are combined with historical data, or other information such as reports of lost or damaged cards, and are quickly run through scoring models to measure risk, von Altrock said. "A small transaction may not seem like a big deal, but you can determine if it's part of a larger scheme by examining a broad set of data."
While the French project is driven by mostly private companies, the IRIS deployment will examine payments that use a national transaction switch that's used by France's seven largest banks, covering about 75% of all debit and credit cards, as well as most cross-border payments that involve a French party.
The U.K. has also suffered from similar fraud trends, said Zil Bareisis, a senior analyst at Celent, adding the U.K.'s lost, stolen and counterfeit fraud declined from 26% and 35% to 14% and 11% in the ten years after the U.K.'s EMV migration. But the share of card not present fraud increased from 26% to 64% in the same period.
"Real-time transaction scoring based on behavioral analytics can be an effective fraud management tool for all transactions, and especially card not present fraud," Bareisis said, noting that while this is happening on a national infrastructural level in France, issuers in other countries are taking this step on their own.
Even in the U.S., which has not fully switched over to EMV, many financial institutions are focusing on shoring up the card-not-present channel through investments in tokenization and updates to 3 D Secure technology, said Julie Conroy, a research director at Aite Group, which is based in Boston.
"However, there are lots of other places that fraud will go application fraud will rise, so financial institutions need to be looking to bolster controls in that regard, and [in the U.S.] we will certainly see the rise in fraudulent merchant storefronts as France has experienced," Conroy said. "More robust analytics and data sharing at both the issuer and network levels will be key to stem the migration of fraud."