Despite constant calls to action, U.S. credit card issuers may still be too complacent about card fraud — even as the fallout from massive data breaches snowballs.
The June 26 arrest by the Federal Bureau of Investigation of 24 people allegedly connected to a global card-fraud crime ring tied to more than $205 million in losses originating from 411,000 compromised credit and debit cards is the latest trigger for concern.
The FBI's two-year undercover investigation revealed detailed information about criminals buying and selling stolen identities to commit fraud. And that underscores the risk of further card-fraud losses to issuers from consumer data exposed in breaches within the last two years, Doug Clare, FICO's vice president for fraud, said in an interview.
"U.S. credit and debit card issuers for years had lower fraud rates than other countries, but that may no longer be the case as more fraud migrates here," Clare says.
Card fraud in the U.S. currently accounts for about 5 basis points for every $100 spent on credit or debit cards, according to estimates. Those numbers have held steady for the past few years after a long-steady decline when card issuers began using neural networks to track unusual activity that stops a lot of fraud, Clare says.
But U.S. card issuers' overall losses are based on estimates, Clare contends, because issuers' actual losses vary widely based on their individual exposure to fraud.
Some 90% of U.S. credit card issuers and 65% of debit card issuers use FICO's Falcon fraud-detection and neural network technology to interrupt transactions that appear to be suspicious, enabling issuers to confirm with cardholders before authorizing transactions, Clare says.
Since the introduction of neural networks about 20 years ago, overall U.S. card fraud had declined significantly, from as high as 20 basis points for every $100 spent on cards for certain issuers, he notes.
But the uptick of recent fraud attacks tied to data breaches, plus the rise of malware to perpetrate credit card scams are likely to put fresh pressure on existing fraud-detection systems in the U.S., he warns.
Another risk from card fraud is the reputational damage it causes with consumers, Clare says.
"Issuers should not be complacent about the relatively low fraud rates the U.S. has had over the last several years, because consumer confidence in cards is at risk, which is only going to provide fuel to alternative payment providers like PayPal, that are perceived to be safer," he says.
As a result, issuers should run, not walk, to embrace EMV chip technology for their cards, Clare advises.
"Now that Visa and MasterCard are encouraging issuers and merchants to adopt EMV it is becoming more urgent that issuers get on board with it to prevent more fraud migrating to the U.S.," he says.
The card networks have established that beginning in 2015 liability will shift from issuers to merchants for counterfeit card fraud that EMV could have prevented. But between now and then, the U.S. presents a "wide-open opportunity" for certain types of card fraud, especially with the recent rise of data breaches and availability of stolen consumer credit card data, Clare says.
Counterfeit point of sale card-fraud rates in the United Kingdom plummeted after the nation broadly adopted EMV in 2006. Fraud rates on card-not-present transactions in the U.K. are even declining.
"It's true that card fraud in the U.S. has been on a steady decline over the last couple of decades, but issuers should not take that for granted as the risks and the environment for fraud changes around us," Clare warns.