Europol today publishes its Situation Report on Payment Card Fraud in the European Union, based on the analysis of intelligence provided by law enforcement agencies and other key operational partners.
Although the total number of payment cards (debit and credit) issued in the EU in the previous 12 months reached over 726 000 000, card fraud has actually been on a decline in recent years due to technological advances that have increased the security of transactions. However, the report examines how there remains a very active criminal market in payment card fraud in Europe, pulling in around 1.5 billion euros a year for the organised crime groups involved.
The wide adoption of EMV (Chip and PIN) technology in the EU has been a key driver for reducing domestic ‘card-present’ (CP) fraud. Chip and PIN technology offers stronger security features than conventional magnetic strips, both for the physical card (unlike magnetic strips, the chips cannot be easily duplicated), for the technological infrastructure behind the transaction, and for the cardholder whose confidential data is more secure.
However, the level of illegal card-present transactions carried out overseas has seen a sharp increase as criminals target the weak points of the system by committing crimes using non-EMV compliant cash machines and payment card terminals in countries such as the USA, Dominican Republic, Colombia, Russian Federation, Brazil and Mexico. Organised crime groups upgrade their criminal techniques relatively quickly, producing devices to bypass the latest anti-skimming technology and exploring other ways to rip off EU consumers and industry.
As ‘card-not-present’ (CNP) transactions do not benefit from the same security enhancements as Chip and PIN cards, CNP fraud is on an upward trend. In the period analysed, around 60% of losses to card fraud, totalling around 900 million euros, were caused by card-not-present fraud. Credit card information and bank account credentials are some of the most actively traded ‘goods’ on the Internet’s underground economy and this stolen data is used to create cloned cards which are used to make fraudulent card-not-present online purchases with EU suppliers.
Most of the credit card numbers misused in the EU come from data breaches in the USA. Major investments by EU industry in the 3D secure protocol  have increased the security of transactions, however not all transactions are protected with it on an EU or worldwide level.
Since the vast majority of such criminal activities take place online in multiple countries, often involving numerous parties, the most effective law enforcement solution is to task specialised cybercrime teams with such cases.
In the last year, Europol provided support to EU law enforcement authorities in hundreds of international investigations into payment card fraud. The new European Cybercrime Centre (EC3), which officially launches this week at Europol in The Hague, will be the focal point in the EU’s fight against cybercrime, contributing to faster reactions in the event of online crimes. It will support Member States and the European Union’s institutions in building operational and analytical capacity for investigations and cooperation with international partners.
EC3 will officially commence its activities on 1 January 2013 with a mandate to tackle the following areas of cybercrime:
a) That committed by organised groups to generate large criminal profits such as online fraud
b) That which causes serious harm to the victim such as online child sexual exploitation
c) That which affects critical infrastructure and information systems in the European Union.
 Source: European Central Bank (ECB).
 Card-present (CP) transactions are those carried out in the presence of the card and card holder (or someone purporting to be the cardholder).
 Card-not-present (CNP) transactions are those that take place when neither the card nor the cardholder are present, for example purchases made by mail order, over the phone or Internet.
 3D secure protocol includes such schemes as Verified by Visa and MasterCard SecureCode.