Page 2 EPC and a SEPA for cards The timelines EPC Cards Working Group (Chair: Claude Brun) EPC SEPA Card Framework (SCF) Cards Standardisation TF (Chair: Peter Blasche) Minimumrequirements Recommendedspecifications Card Fraud Prevention TF (Chair: Cédric Sarazin)
Page 3 SEPA Cards Framework (SCF) The SCF was approved by the EPC Plenary on 8 March 2006 The SCF spells out high level principles and rules which when implemented by banks, schemes, and other stakeholders, will enable European customers to use general purpose cards to make payments and cash withdrawals in euro throughout the SEPA area with the same ease and convenience than they do in their home country. There should be no differences whether they use their card(s) in their home country or somewhere else within SEPA. The SCF creates the potential for any SCF terminal to accept any SCF card with a SEPA based acquirer of the merchants choice. SCF only covers euro card payments and cash withdrawals Provides a single framework for banks, for schemes and for processors/infrastructures to become SEPA compliant (self-assessment procedure with EPC monitoring)
Page 4 Highlights from the SCF Acquirers will offer merchants the option to acquire SCF compliant card transactions from one or more SCF compliant schemes from 1 January 2008 onwards. As fraud prevention is one of the priorities, the SCF indicates that the EMV chip will be the supporting technology for cards as well as the support of PIN on the acquiring side. The SCF sets out the high level principles to foster the competition between providers of technical infrastructure and payment services and to remove legal and technical barriers. SCF compliant card schemes will separate governance from processing functions. The SCF contains both a number of short term objectives and a longer term vision on the standardisation of the elements of the payment chain. The European Central Bank recently commented the proposed migration towards a SEPA for card and recently acknowledged the importance of the SCF.
Page 5 Impacts of EPC activities on the different elements of card payment schemes Certification Authorisation Switching Clearing & Settlement Product Definition & Rules Security & Risk Management Technical Standards Interlinking (Gateways to other systems) Card Fraud Prevention TF SEPA Cards Framework (separation of the gouvernance from processing functions & EMV) Cards Standardisation TF
Page 6 Card Fraud Prevention TF Mission, Work & Resolutions 1 Two-days Forum "Fighting Card Fraud across Europe" (Paris 8-9 October 2003) 1 Resolution on "Preventing and Fighting Card Fraud across Europe" (Approved by the Plenary in December 2003) 1 Resolution "Preventing Card Fraud in the New SEPA Environment" (Approved by the Plenary in March 2007) The mission of the Card Fraud Prevention Task Force is to promote card fraud prevention tools within the banking industry and to develop tactical initiatives to fight against card fraud across SEPA. To complete its mission the Task Force will follow a continuous process of: - Identification of issues (sharing of information about new threats) - Prediction of trends (sharing and development of statistics) - Promotion of prevention tools (Chip/PIN, databases, authentication methods…) - Development of innovative tactical initiatives - Commitment of industry (EPC resolutions and recommendations)
Page 7 Card Fraud Trends in SEPA In most of SEPA countries: –Counterfeit fraud –Magstripe skimming compromission cases (& subsequent fraud outside of chip countries) –Card Not Present fraud (e-commerce notably) –Fraudsters targetting weak point / sector / environment –See (next slides) examples in a few countries
Page 8 Evolution of Fraud on CB Cards , , CB SystemWorldwide out of which EU CB System Worldwide out of which EU CB SystemWorldwide out of which EU CB System Worldwide out of which EU Lost/StolenMS Skimming "Yescard"MOTO * Million Most important evolutions: Dynamic Data Authentication Fight against skimming Securing e-commerce Fraud Rate CB: 0,034% 0,033% 0,035% 0,034% Fraud Rate-Cross system: 0,71% 0,49% 0,47% 0,50%
Page 9 Chip and PIN successfully combating targeted fraud types In 24 months: losses at UK high street retailers down £147mn Initial impact of chip and PIN on fraud on UK cards Benefits of EMV being starting to be realised Source: APACS Statistics
Page 10 Fraud to sales turnover at UK retail Fraud to sales levels at UK high street retailers their lowest for six years. For all card products combined the rate is below 10 basis points Source: APACS Statistics
Page 11 Card Fraud Prevention TF Current Priorities Preventing the use of counterfeit cards at SEPA terminals –Completing EMV migration – Monitoring EMV migration => Currently 56% of cards, 59% of POS, 72% of ATMs in EU –Eliminating magstripe fallback at EMV terminals Combating Card Not Present (CNP) fraud –E-commerce environment: CVX2 full implementation –MO/TO environment: CVX2 –E-commerce environment: 3D-Secure implementation Collecting aggregated statistics on card fraud in SEPA … and also: –Work on card anti-skimming measures –Fraud in specific environments (such as airlines) –Work on cardholder authentication methods in e-commerce
Page 12 Examples of Anti-Fishing/ Anti-Skimming (AFAS) Devices
Page 13 Securing e-commerce CVX2 Mandatory in all e-commerce transactions (EPC Resolution: by 1st January 2008) 3D Secure : liability shift on card issuers if the merchant is 3D-Secure equipped (EPC Resolution: by 1st January 2009) Strong authentification of cardholders to be promoted, notably using EMV chip.
Page 14 Strong Authentification using Chip: Some pilotes or tests
Page 15 SEPA Card Standardisation Activities, including Security Requirements Cardholder Acceptor EPAS Consortium ( Harmonised Acquirer to Terminal Exchanges at SEPA Level ) ERIDANE Project (Harmonised Terminal Architecture at SEPA Level) ISO8583 / ISO20022 EPC Expert Group (Harmonised Issuer to Acquirer Exchanges at SEPA Level) EMV Standard + CIR Working Group (Harmonised EMV Implementations at SEPA Level) Issuer Acquirer + CAS Project ( Harmonised Security Requirements and Evaluations at SEPA Level ) PCI Standards EPC as Project Coordinator CIR: Common Implementation Requirements – EPAS: Electronic Protocols Application Software - PCI: Payment Card Industry – CAS: Common Approval Scheme PSP
Page 16 EPC Standards for Card Terminals Terminal Architectur e Terminal Architectur Applicatio n n Terminal Architectur e Terminal Architecture Applicatio n Application EPAS CIR / TWG (SEPA-FAST) Electronic Cash Register EPAS Acquirer Terminal Manager Transaction: Acquirer Protocol EPAS Terminal Management Issuer Terminal : ERIDANE Acquirer-to-Issuer Protocols Retailer Protocol CAS (Security & Certification)
Page 17 EPC Card Standards Implementation Plan SCF implementation Application of Recommended Specifications Only minimum reqs elements All schemes SCF compliant Promotion by schemes Promotion by schemes Schemes include support SCF is the framework for all SEPA cards schemes Minimum reqs available Recommended specs available Application of Minimum Requirements 2010 Implemen- Implemen-tation