In these times of billion-pound bank bailouts, these figures might seem small fry, but we should remember these fraud costs are indirectly paid for by all of us payment card holders, and are recouped by card providers through higher interest rates and various charges. The card issuers and banks do cover consumers against payment card fraud losses and usually reimburse all fraudulent card transactions, but just as insurance fraud losses are factored into our insurance premiums, payment card fraud losses are passed on to consumers, so in the grand scheme of things we all foot the bill for payment card fraud in the UK. So we really ought to care more about these rising trends in UK payment card fraud, which increased by 14% in 2008. We should be questioning what the payment card industry and merchants are doing to tackle this problem and protect our payment card information.
I’ll break down the APACS stats in another blog entry over the next couple of days, explaining the trend and the impact of the introduction of Chip & PIN in the UK.
As APACS released UK payment card fraud loss stats for 2008, the BBC published an undercover investigation report, which exposed how UK payment cards and personal details can be stolen to order from an Indian Call Centre (BBC: "Overseas credit card scam exposed"). Call Centres are one of the prime locations for targeted information theft, particularly internally based payment card information theft. It can be such a lucrative trade, so not surprisingly Call Centres are actively and specifically targeted, and even infiltrated, by criminal gangs.
UK-based Call Centres are problematic enough to secure against these types of threats; however, where UK companies outsource or move their Call Centre function offshore to save money, the risk of fraud, in my view, increases. Why? Well, to be perfectly blunt, crime rates are just a lot higher and less controlled in places like India than in the UK. Secondly, UK companies generally do a very poor job of validating the security of their offshore, and mostly third-party operated, Call Centres due to the distant location. Companies often assume the required security policies and procedures are being practiced, and rarely conduct on-site security audits of the offshore Call Centre. Finally, it is extremely difficult to carry out criminal and credit checks on nationals in countries like India, because of the population size and commonality of names. So it is of no real surprise to me when I read these types of stories, as it’s been happening for years now. I guess due to the quick reimbursement process with UK card fraud, UK consumers tend not to question how their card details were stolen in the first place, and so such Call Centre operations aren’t put under the required scrutiny. I always avoid providing my card details over the phone to anyone at all costs; it’s actually safer to pay online or in person than to tell someone you can’t even see your card and personal information.
The Payment Card Industry (PCI) has a Data Security Standard (PCI DSS), which all merchants and payment processors are supposed to comply with, but what I find interesting in my card fraud research is that most Call Centres, UK-based or not, just aren’t complying with the PCI standard. It’s routine to record all calls, so these voice recordings end up holding volumes of card information and are often left unprotected, while operators routinely write down full payment card details, including the 3-digit security code, often known as the CVV2 number. According to PCI DSS requirements, the 3-digit security code is not allowed to be stored (written down), and that’s for a good reason: to help prevent card fraud.