The fraud bug struck debit card issuers last year, and the illness spared neither signature nor PIN-based varieties of debit. Researchers identified a big increase in skimming as part, but only one part, of the cause.
According to the 2016 Debit Issuer Study commissioned by Discover Financial Services’ Pulse electronic funds transfer network, the overall fraud-loss rate on PIN POS transactions jumped to 0.8 cents per transaction in 2015, approximately a three-fold increase from 0.3 cents in 2014.
On non-PIN POS transactions, most of which are signature-authenticated, the fraud rate increased from 2.2 cents per transaction to 2.6 cents.
Expressed another way, fraud losses per active debit card jumped to $5 last year from $3.50 in 2014, according to Oliver Wyman, the New York City-based consulting and research firm that Pulse commissioned to do the study.
Seventy-two banks, both large and small, as well as credit unions participated in Pulse’s 11th yearly survey of the debit market. The financial institutions collectively issue 153 million debit cards generating 48% of U.S. debit transactions, and operate 77,000 ATMs.
Higher losses come at a time when the sources of debit card fraud are shifting. Mass debit breaches accounted for only 33% of 2015’s losses, down from 57% in 2014. But skimming almost tripled to account for 20% of total losses in 2015, up from 7% the year before.
Tony Hayes, an Oliver Wyman partner in Boston who co-led the study, says financial-institution executives have their suspicions about why skimming losses boomed, but there’s no definitive answer. “I’m not sure that any FI knows for sure,” he says.
One theory is that criminals using skimmers that capture magnetic-stripe card data are working harder because their window is closing as more-secure EMV chip cards displace the old mag-stripe cards. “The ability to skim is going to be less and less,” says Hayes.
Besides skimming, card-not-present and lost-and-stolen card fraud showed sizable increases last year. But there isn’t a single answer as to why overall fraud increased, according to Hayes.
One culprit could be that the proliferation of debit card transaction types—from the old PIN versus signature dichotomy to seven iterations within single- and dual-message transaction types—is confounding issuers’ risk-control systems, causing them to flag fewer suspect transactions, he says. In dual messaging, the clearing and settlement message comes after authorization and is common in signature debit, whereas PIN debit traditionally used a single-message format for both functions.
Other highlights of the study:
– EMV Forty-five percent of debit card issuers had begun issuing EMV chip cards by 2015’s fourth quarter, much lower than the 90% last year’s study had predicted. A third of U.S. debit cards were chip-enabled at the end of 2015, but the study predicts that 76% of cards will have a chip by the end of this year. Only 4% of debit transactions last year involved a chip debit card read by an EMV terminal.
– Mobile Payments The average debit card user makes 22.1 transactions per month, but not many of them are linked to mobile payments, even though two-thirds of issuers had cards eligible to be loaded into the major mobile wallets.
Apple Inc.’s Apple Pay dominates, with 3.5% of eligible debit cards loaded. compared with 0.2% each for Samsung Pay and Android Pay. Cardholders, however, used the latter two services more in January 2016—1.8 and 1.7 times per enrolled card for Samsung Pay and Android Pay, respectively, compared with 0.7 transactions for Apple Pay. In all, Pulse says users of the “Pays” generated about 8 million transactions that month.
– Interchange The average blended interchange rate for issuers exempt from the interchange controls imposed by the Dodd-Frank Act’s Durbin Amendment—those with fewer than $10 billion in assets—was 39 cents in 2015, down from 40 cents in 2014. According to Hayes, this decline “was the result of lower rates delivered by both single-message and dual-message networks.” The blended rate for regulated issuers was 24 cents last year.
—Jim Daly