No, that is not just an attempt to be clever with the headline—it is what a recent Europol report on credit card fraud in the European Union is telling us. In fact, this is not the first study to come to that conclusion. Douglas King from the Federal Reserve Bank of Atlanta told us precisely the same—and in much greater detail—all the way back in January 2012.
Now, there is a perfectly sensible explanation for such a seemingly oxymoronic outcome. As many of you would know, over the past decade Europe gradually adopted the Europay, MasterCard and VISA (EMV) standard governing the authentication of payment transactions involving chip-carrying credit and debit cards and their compatibility with point-of-sale (POS) terminals and automated teller machines (ATMs). The reason Europe switched to the EMV technology (called chip-and-PIN in the U.K.) is that it is much more secure than the older, magnetic-stripe-based one, which is still dominant in the U.S. However, once they realized just how difficult it had become to commit credit card fraud in Europe post-EMV adoption, criminals decided to take the European cards they stole to the U.S. and take advantage of the older technology while it’s still the norm there. That is a problem whose only solution would be for the U.S. to also switch to EMV and the good news is that that process is about to begin. However, the transition will take years, giving the criminals plenty of time to identify the new technology’s weaknesses and figure out how to exploit them.
Credit Card Fraud Costs Europe €1.5 Billion a Year
Here is the gist of Europol’s findings:
Payment card fraud is a low risk and highly profitable criminal activity which brings organised crime groups originating from the EU a yearly income of around 1.5 billion euros. These criminal assets can be invested in further developing criminal techniques or can be used to finance other criminal activities or start legal businesses.
The EU is increasingly exposed to the threat of illegal transactions undertaken overseas and should develop more efficient solutions to help law enforcement authorities (LEAs) combat the fraud.
The majority of illegal face-to-face card transactions (skimming-related) affecting the European Union take place overseas, mainly in the United States.
As Europol has not provided any specific data on fraud involving European credit cards used in the U.S., I will give you the year-old data from King’s paper.
How European Credit Card Fraud Shifted Overseas
Let’s begin with the U.K. experience. The shift to chip-and-PIN in Britain began in 2004 and by August of 2006 99.8 percent of U.K. card transactions were chip-verified. Yet, the migration to the supposedly safer technology didn’t quite produce the desired effect, at least not immediately. In fact, as seen in the chart below, following the completion of the transition in 2006, fraud losses rose in the two following years.
However, if we looked only at card transactions at U.K. retailers, the picture would be quite different, with fraud falling by 69 percent from its 2004 pre-EMV level:
Where is the difference to be found? Well, one look at the cross-border fraud losses—fraud resulting from the use of U.K.-issued credit cards abroad—tells the whole story:
As you can see, there is a huge spike in cross-border losses, immediately following the completion of the EMV implementation process in Britain.
The French experience is even more telling. France began the migration to EMV in 2002—two years earlier than the U.K.—but the process was completed at the same time as it was across the English Channel—by the end of 2006. Credit card fraud losses promptly increased:
However, just as was the case in the U.K., fraud losses on face-to-face card transactions at French retailers fell quite substantially:
Once again, the culprit is the cross-border transaction segment, in which fraud losses in France rose much more sharply than they did in Britain:
So the British and French experiences clearly demonstrate that EMV adoption reduces domestic fraud levels. Rather than deal with the much tougher domestic environment, the criminals chose to focus their attention on countries that were still reliant on the mag-stripe technology, like the U.S. The charts above illustrate rather convincingly that this has been a winning strategy.
So what should be done to alleviate the problem? Here is Europol’s solution:
The EU should take urgent measures to promote the EMV standard as a global solution against the counterfeiting of payment cards. As full EMV implementation will take time, a temporary solution could be applied, namely the implementation of GeoBlocking — blocking overseas transactions using EU-issued cards unless they have been activated in advance.
I agree with the first part of the proposal—adopting the EMV standard globally—but that is already being done and the U.S. itself is set to begin its transition later this year. However, the second part is a bit confusing, as it implies that it is OK to accept credit cards that have not been activated, at least that is my reading. So, for the record, it is never OK to accept unactivated credit or debit cards. Besides, we shouldn’t forget that consumers are fully protected against fraudulent transactions. Yes, there is inconvenience to be incurred, as forms need to be filled out, but the fraud losses are borne primarily by the card issuers. And the fact that credit card companies had put off the admittedly expensive switch to EMV for so long, choosing instead to keep swallowing preventable fraud losses, makes me less than sympathetic to their plight.
Image credit: MasterCard.