Annual Report of the Observatory for the Security of Payment Means

2018 bservatoire de la sécurité des moyens de paiement www.observatoire-paiements.fr 2018 Annual Report of the Observatory for the Security of Payment Means

addressed to

The Minister of the Economy and Finance The President of the Senate The President of the National Assembly

by

François Villeroy de Galhau, Governor of the Banque de France, President of the Observatory for the Security of Payment Means

The Observatoire de la Sécurité des Moyens de Paiement (Observatory for the Security of Payment Means – hereinafter the Observatory), referred to in section I of Article L. 141-4 of the French Code monétaire et financier (Monetary and Financial Code), was created by Law No. 2016-1691 of 9 December 2016. The Observatory is intended to promote information-sharing and consultation between all parties concerned by the smooth operation and security of cashless payment instruments (consumers, merchants, businesses, issuers and public authorities).

Pursuant to the seventh indent of the abovementioned article, the present document reports on the activities of the Observatory. It is addressed to the Minister of the Economy and Finance and transmitted to Parliament.

CONTENTS

SUMMARY 7 1. MIGRATION PLAN FOR AUTHENTICATION SOLUTIONS BASED ON ONE-TIME PASSWORDS RECEIVED VIA SMS (SMS OTP) 11 1.1 Introduction 12 1.2 Monitoring migration towards strong customer authentication solutions 12 1.3 Target migration rate 13 1.4 The migration plan 15 2. FRAUD IN 2018 17 2.1 Overview 17 2.2 Card payment and withdrawal fraud 22 2.3 Cheque fraud 33 2.4 Credit transfer fraud 35 2.5 Direct debit fraud 37 3. TECHNOLOGY WATCH 41

3.1 The security of offline payment methods 41 3.2 The security of mobile payments 64 APPENDICES 87 A1 Security recommendations for the use of payment means 87 A2 Payer protection in the event of unauthorised payments 93 A3 Missions and organisational structure of the Observatory 97 A4 Members of the Observatory 103 A5 Methodological approach used to measure fraud on cashless payment means 107 A6 Statistics 117

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 5

SUMMARY

Summary

his third Annual Report of the Observatoire de la sécurité des moyens de paiement (OSMP - the Observatory for the Security of Payment Means) presents a mixed picture T in terms of cashless payment means fraud. The following trends (discussed in greater detail in Chapter 2) were noticeable in 2018.

• Cheques became the most used means of payment for fraudulent purposes in France, accounting for 43.1% of total fraud (compared with 40% in 2017) and amounting to EUR 450 million (up 52% from EUR 296 million in 2017), despite the continued decline in cheque use (down 11% in value terms).

• The fraud rates for other payment means remained low and relatively stable.

– Thus, while the rate of fraud affecting French payment cards increased very slightly to 0.062%, compared with 0.058% in 2017, the fraud rate by type of card payment in France either (i) remained contained at low levels and relatively stable (0.010%, compared with 0.009% the previous year for face-to-face payments and UPTs – unattended payment terminals), (ii) was unchanged (0.020% in 2017 and 2018 for contactless payments despite them doubling in value in 2018), or (iii) continued to fall, as in the case of remote payment fraud, which declined for the seventh consecutive year to a rate of 0.173%, down from 0.190% in 2017, despite sharp growth in remote payments compared with 2017 (up 22% year on year).

– The fraud rate for international transactions also declined once again from 0.281% in 2017 to 0.270% in 2018.1 Fraud on Single Euro Payments Area (SEPA) transactions remained better contained than on non-SEPA country transactions. It should also be noted that fraud rates for international transactions were higher than the domestic rate, accounting for 54% of total fraud value but only 14% of the total value of transactions.

– The fraud rates for credit transfers and direct debits were still extremely low at 0.0035% and 0.0004%, respectively.

1 French cardholders defrauded abroad and foreign cardholders defrauded in France.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 7 8 SUMMARY for example, bebasedonanappfor smartphones orSIMcards(compatiblewithallmobile solutions will gradually replace the use of a code received by SMS. These solutions may, to complywiththechanging regulations.For example, new strongcustomerauthentication encouragesallpayment operatorstopushonwith theireffortsIn thisregard,theObservatory authentication iffraudratesfor atlow remotetransactionsaremaintained levels). methods for identifyinghigh-risktransactions(which will limittheneedfor strong customer ofstrongcustomerauthenticationforimplementation electronic payments, andalsoof Payment Directive (PSD2). Services provideThese notably for standards the widespread technical solutionsinthesecondEuropean dedicatedtosecurity of theregulatory standards These intoforce latter asfrom14 September 2019 oftheentry issuesunderlinetheimportance mobile phonepayment applications(apps)andtoidentifywarn ofhigh-risktransactions. called upontoimplementstrongcustomerauthentication,bothsecureuserenrolment in made tostakeholders–banks,cardpayment systems andtechnological solutionproviders – 0.04% for alltransactionscombined. This confirmstherelevance oftherecommendations fraud ratefor mobilepayments was particularlywell inFrance contained at 0.03%,risingto still varies depending onthetechnologies adopted.However, notedthatthe theObservatory payment (includingcardidentifiers), data althoughthelevel ofthesystems ofsecurity used • terms ofvigilancepresentedinAppendix1 ofthisreport). the lossortheft ofchequebooks (asmentionedamongtherecommendedbestpracticesin government administrations – must remain on their guard, for example by being attentive to particularly withregardtocheque payment, users–private individuals,companiesorgeneral to refuseatransactionatthepointofsaleinevent ofsuspectedfraud.Inaddition,and banks, for example, toalertaccountholderssuspiciousmovements orwarn merchants calls on all professionals to put measures in place to identify high-risk transactions, enabling thereforeNevertheless, isbothpossibleandnecessary, enhancingsecurity andtheObservatory advanced solutionsandtherefore security remainvulnerabletofalsification andcounterfeiting. • ofmobilepayments.and onthesecurity in carried studies outtwo in 2018In thiscontext, theObservatory and 2019, which are presented ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – As part of the first study, it was found that of cheques areincompatiblewiththeimplementation By contrast,mobilephonesoffer capabilitiesfor advanced payments security andsensitive Chapter 3 of ofcheques thisreport,onthesecurity andoffline payment meansingeneral 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 SUMMARY

devices) and require biometric verification or the entry of a secret code. Institutions will ensure that they offer solutions adapted to their entire customer-base, including the most vulnerable. However, as part of its commitment to supporting in the best possible conditions a complex transition that avoids penalising e-commerce and its users, the Observatory proposes an ambitious but gradual migration to these new solutions, in accordance with the guidance published by the European Banking Authority in its Opinion2 of 21 June 2019. The resulting migration plan for France has been approved by all the stakeholders involved, from banks and merchants to card payment systems and consumer associations (see Chapter 1), and should be implemented for a large majority of customers and transactions by December 2020 and fully in place within three years. The Observatory will publish regular updates in its annual report.

Lastly, the Observatory undertakes to make an active contribution to the objectives of the national cashless payment strategy3 in favour of the development of innovative and secure payment solutions.

2 The Opinion of the European Banking Authority (EBA) is available on its website: https://eba.europa.eu 3 The new national cashless payment strategy for 2019-24 is available online at: https://www.banque-france.fr/en/financial-stability/national-cashless- payments-committee/national-retail-payments-strategy

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 9

1 Migration plan for authentication solutions based on One-Time Passwords received via SMS (SMS OTP)

Box 1 Summary

• In France, the protection of remote card payments, just like sensitive online bank transactions such as the initiation of a credit transfer, relies on a range of systems including strong customer authentication of trans- actions deemed to be risky and facilitated in the vast majority of cases by sending one-time passwords by SMS to the lawful cardholder. • This authentication method has demonstrated its effectiveness in combating online card payment fraud, as the Observatory’s figures attest: for the seventh consecutive year, the fraud rate for these payments is in decline, falling to a historic low of 0.173% (the equivalent of one euro of fraud for every EUR 578 worth of transactions). • European regulatory provisions have been established to further strengthen the security of electronic payments, particularly online, and make internet access to bank services more secure. Thus, from 14 September 2019, arrangements that comply with the new regulations will gradually replace the use of a one-time password received via SMS to authenticate transactions. • These new arrangements may, for example, be based on an app for smartphones or SIM cards (compatible with all mobile devices) and require biometric verification or the entry of a secret code. Banks and payment service providers will ensure that the solutions they select and offer to their customers are best adapted to their entire customer-base, including the most vulnerable. • The Observatory aims to support all market players as they move towards these new solutions to strengthen online transaction security, and has therefore developed a multistep migration plan that should be implemented for a large majority of customers and transactions by December 2020 and fully in place within three years.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 11 12 CHAPTER 1 shown onapayment cardduring an It specified thatenteringthedetails to strongcustomerauthentication. the RTS, andparticularlywithregard of its positionontheimplementation (EBA-Op-2018-04), theEBA set out Opinion publishedon13 June 2018 investors andconsumers.Inits level ofprotectiontodepositors, playing fieldandoffering ahigh practices,creatingalevelvisory European convergence ofsuper (EBA) plays aroleinpromoting The EuropeanBanking Authority or otherabuse”. may imply a risk ofpayment fraud through aremotechannel which transaction orcarries outany action online, initiatesanelectronicpayment payer accessesitspayment account that shouldbeappliedeach timea a “strong customerauthentication and willrequiretheapplicationof into force on14 September 2019 elaborate onthisdirective willcome technical (RTS)latory standards that (EU) 2018/389 with regardtotheregu Commission DelegatedRegulation entered intoforce on13 January 2018. customer authentication(SCA), (EU) 2015/2366, which definesstrong Directive (PSD2), DirectiveServices The secondEuropean Payment 1.1 Introduction ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – - - factor toanexisting arrangement Projects to add a new authentication new regulations. solutions thatfullycomplywiththe theirmigrationtowards PSD2 in affected of by theimplementation wished to support the main players ofPaymentthe Security Means for theObservatory adaptations, needs timetomake thenecessary less recognisingthatthemarket authentication whileneverthe which imposesstrongcustomer tion deadlineof14 September 2019, In ordertomeettheRTS applica comply withtheregulations. sensitive transactionsalsofails to outcertain bank userswhencarrying method usedtoauthenticateonline framework.tory Equally, thissame accordance with the new regula therefore isnotanSCAsolutionin longer beconsidered “strong” and (OTP) received viaSMS, canno andaone-timepassworddetails card payments, i.e.enteringcard France’s mainbanksfor online tication solutionputinplaceby Therefore, thecustomerauthen ofSCA. tation factors requiredfor theimplemen- ered oneofthetwoauthentication online payment cannot be consid - - - - - requiring alengthy implementation This migrationisamajorproject solutions effectively. all usersutilisethenewly deployed same time,itisalsoessentialthat technical implementation. At the significant amountoftime for their the SCAdefinition,bothrequire a cation process, in compliance with or to implement a new authenti non-compliant systems; • the following aspects: needed toreportonprogress and will provide the information a year for collectionpurposes data This will still be sent to banks twice adapted 3DSecurequestionnaire. indicators that will be added to an the Banque deFrance hasdeveloped outthismigration, tions incarrying made by themainbankinginstitu In ordertomonitortheprogress migration Monitoring 1.2 into aseriesofmilestones. period, which mustbe split down the downward trendintheuseof 2018 solutions customer authentication towards strong - - ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 1

Indicators for online card payments and sensitive online bank transactions • the development of authentica- a) Online card payments tion solutions that comply with the Monitoring Indicators new regulation. SMS OTP Number of cardholders enrolled in an authentication arrangement when making trends an online card payment In order to do this, the main French Number of cardholders enrolled in a non SCA-compliant authentication arrangement banking institutions will report on (and not enrolled in a compliant system) when making an online card payment the indicators shown in the table Number of online card payments during the past three months (inset) and the Banque de France Number of online card payments during the past three months requiring strong will compile the results. In addition, customer authentication in compliance with the regulation the Observatory will ensure that Number of online card payments during the past three months triggering the use of a non SCA-compliant authentication arrangement payment market players offer Development of Number of cardholders enrolled in at least one SCA-compliant authentication solutions that are properly adapted SCA-compliant arrangement when making an online card payment and accessible to all their customers, arrangements Number of online card payments during the past three months triggering particularly those whose equipment the use of an SCA-compliant authentication arrangement and consumer habits could impede the use of advanced technologies. b) Sensitive online bank transactions

Monitoring Indicators

OTP SMS Number of customers of online banks, or payment initiation or aggregation services trends enrolled in an authentication arrangement when carrying out sensitive transactions (credit transfer orders, adding account beneficiaries, quarterly renewal of online 1.3 Target migration rate payment account tokens) Number of customers of online banks, or payment initiation or aggregation services The migration’s objectives for enrolled in a non SCA-compliant authentication arrangement (and not enrolled the next three years are shown in a compliant system) when carrying out sensitive transactions in Charts 1 and 2. They will be Number of online bank, or payment initiation or aggregation transactions during the past three months monitored at pre-defined stages and Number of online bank, or payment initiation or aggregation transactions summary updates of the results will during the past three months requiring strong customer authentication in compliance be published. with the regulation Number of online bank, or payment initiation or aggregation transactions during the past three months triggering the use of a non SCA-compliant authentication The following assumptions are arrangement applied in the development of this Development of Number of customers of online banks, or payment initiation or aggregation services extended coverage. SCA-compliant enrolled in at least one SCA-compliant authentication arrangement when carrying out arrangements sensitive transactions on an online banking site or via an initiation or aggregation service • Customers must be equipped Number of online bank, or payment initiation or aggregation transactions during the past three months triggering the use of an SCA-compliant with devices that are compatible authentication arrangement with a ramp-up of transactions Note: SMS OTP, one-time password received by SMS on a mobile phone; SCA – strong customer authentication. authenticated using these new

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 13 14 CHAPTER 1 tory requirements. tory to take in light of PSD2 regula determine thebestapproach OTP usercustomers”inorderto with regardtotheremaining “SMS have tobereviewed inJune 2021 • stragglers onboard. the greatereffort requiredtoget the paceofmigrationwillslow given 80% ofcustomersareequipped, However, itisexpected thatonce arrangements to the general public. widespread introductionofthenew communications andthemore accelerate asaresultofoperators’ migration willbegradual,it • growth in 2021andbeyond. which explains continuedsustained those whowillnotyet have migrated, to generatemoretransactionsthan tions, aresubsequentlyexpected used toperforming onlinetransac- are alreadyequipped,andthusmore methods. However, cardholdersthat ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – Consequently, thesituation will While thebeginningof - Note: SCA–StrongCustomer Authentication. for ofPayment theSecurity Means. Source: Observatory (%) C2 for ofPayment theSecurity Means. Source: Observatory (%) C1 Authentication ofpaymentsrequiringSCA Customer enrolment 1 1 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 0 0 1 1 June June 2019 2019 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Migration objective Migration objective December December June June 2020 2020 December December 2018 June June 2021 2021 December December June June 2022 2022 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 1

1.4 The migration plan • June: stocktake • July: publication of the migration plan 2019 • 14 September: entry into force of the RTS The Observatory will present • December: update at the Observatory’s plenary session

updates during its 2019 plenary • January: launch of communication campaigns aimed at e-merchants sessions held in June and December. • February: launch of an initial communication campaign aimed at cardholders 2020 • June: first update presented at the Observatory’s plenary session The migration plan selected for publi- • July: publication of the first update • December: update at the Observatory’s plenary session cation in the annual report as well as the list of the main PSD2-compliant • June: second update presented at the Observatory’s plenary session 2021 • July: publication of the second update strong authentication technologies • September: launch of a second communication campaign aimed at cardholders implemented by payment service • December: update at the Observatory’s plenary session providers were presented at the • June: third update presented at the Observatory’s plenary session June 2019 meeting. With regard to 2022 • July: publication of the third update this last point, on 21 June 2019, the EBA published an opinion supported by Europe’s central banks and super- visors outlining the main elements players to establish a migration plan be published in the Observatory’s of strong customer authentica- approved by the competent national annual reports. tion under PSD2, with concrete authorities.1 A statement on the examples, and encouraging industry progress made on the migration will 1 See https://eba.europa.eu

Box 2 The communication plan

The following wording has been suggested for use by Observatory representatives in their communications. They are therefore intended for payment service providers, e-merchants and their customers.

Information for payment service providers and e-merchants European regulatory provisions have been established to strengthen the security of electronic – particularly online – payments, and make internet access to bank services more secure. Thus, from 14 September 2019, the use of a one-time password received via SMS to authenticate transactions will no longer suffice and will be progressively strengthened by means of a system that complies with the new regulation. These new arrangements may, for example, be based on an app for smartphones or SIM cards (compatible with all mobile devices) and require biometric verification or the entry of a secret code. These solutions are chosen by banks and payment service providers and offered to their customers. .../...

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 15 16 CHAPTER 1 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – For further details, pleasecontactyourbankorregularpaymentserviceprovider. andofferedby banksandpaymentserviceproviders totheircustomers. all mobiledevices)andrequirebiometricverification or theentryofasecretcode. Thesesolutionsare chosen These newarrangements may, forexample,bebasedonanappsmartphones orSIMcards(compatiblewith strengthenedbymeansofasystemthatcomplieswiththenewregulation. progressively viaSMStoauthenticate transactionswillnolongersufficeuse ofaone-timepasswordreceived andwillbe internetaccesstobankservices more secure. online –payments,andmake Thus, from14 September 2019, the European regulatoryprovisions havebeenestablishedto strengthen thesecurityofelectronic–particularly Information forconsumers [Your newauthenticationsystemwillrequire/willbebasedon…] certain transactionsaccessibleonlineisthereforenolongersufficient. The current arrangement involving viaSMStoensurethesecurityof theentryofaone-timepasswordreceived internetaccesstobankservicesmoresecure. European regulatoryprovisions havebeenestablishedtomake Information foronlinebankusers [Your newauthenticationsystemwillrequire/willbebasedon…] authenticate anonlinecardpaymentisthereforenolongersufficient. online –payments. The current arrangement involving viaSMSto theentryofaone-timepasswordreceived European regulatoryprovisions havebeenestablishedto strengthen thesecurityofelectronic–particularly Information forcardholders For further details,pleasecontactyourbankorregularpaymentservice provider. strengthenedbymeansofasystemthatcomplieswiththenewregulation. progressively viaSMStoauthenticatetransactionswillnolongersufficeuse ofaone-timepasswordreceived andwillbe internetaccesstobankservicesmoresecure. payments,andmake online – Thus, from14 September 2019, the European regulatoryprovisions havebeenestablishedtostrengthenthesecurityofelectronic– particularly their websites] ande-merchants[This wordingisintendedforpaymentserviceproviders tobeprominentlydisplayedon ande-merchants ofpaymentserviceproviders Information forcustomers 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 2 Fraud in 2018

DISCLAIMER C1 Use of cashless means of payment in France in 2018 (%) a) in volume terms b) in value terms Due to a misinterpretation of the 0.9 0.5 0.3 0.0 0.0 0.0 Observatory’s methodology by a 0.3 6 6 2 3 reporting institution, certain data 17 presented in Chapter 2 and Appendix 6 differ from those previously published 53 in the Observatory’s annual reports. The corrections made affect the 16 domestic payment card fraud data for 7 87 the 2015-17 period and are set out in detail in Appendix 6 of this report. This Card payments Credit transfers E-money Card withdrawals Cheques Direct debits Trade bills SCT Insta) chapter uses the corrected figures. Source: Observatory for the Security of Payment Means. a) SCT Inst: SEPA Instant Credit Transfer.

C2 Use of cashless means of payment in France since 2006 (in millions of transactions) 2.1 Overview 14,000

12,000

10,000 Means of payment 8,000

The customers (individuals and 6,000 companies) of French banks and 4,000 payment service providers carried 2,000 out 24.7 billion cashless transactions 0 in 2018 totalling EUR 27,704 billion. By 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 Cheques Trade bills Card payments Credit transfers comparison with the previous year, Direct debits E-money Card withdrawals transaction volumes rose by 3% Source: Observatory for the Security of Payment Means.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 17 18 CHAPTER 2 by 0.4%. and thevalues exchanged increased a) for ofPayment theSecurity Means. Source: Observatory (EUR billions) C4 for ofPayment theSecurity Means. Source: Observatory (EUR billions) C3 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – LVT: large-value transfers, issuedvialarge-value payment systems (Target2, Euro1);professional payments only. Value inFrance ofcredittransfers since 2006 Value oftransactionsinFrance excludingcredittransfers 10,000 15,000 20,000 25,000 30,000 1,000 1,500 2,000 2,500 5,000 500 2006 0 2006 0 2007 2007 Trade bills Cheques Direct debits Total credittransfers o/w LVT 2008 2008 a) 2009 2009 2010 2010 2011 2011 2012 2012 Card withdrawals E-money Card payments citizens, whousedtheircardfor 53% preferred payment methodofFrench Payments by card remainedthe 2013 2013 2014 2014 2015 2015 2016 2016 2017 2017 2018 2018 87% of the total value87% ofthetotal cashless business payments, etc.)with pension payments, business-to- large-value and payments (salary be thepreferred instrument for Credit transfers continuedto worth alittle over EUR 136 billion. for 1,439 million transactionsin 2018 withdrawals by card also accounted value ofEUR 568 billion in 2018. Cash of all cashless payments for a total outside theEuropeanUnion. particularly internationaltransfers extent other forms of credit transfers, value ofEUR 2,729, andtoalesser private individuals, with an average arranged by bothbusinessesand SEPA credittransfers, which canbe remainder ismainlycomposedof of alittle over EUR 1 million. The transactions with an average value exclusively business-to-business payment infrastructures. These are transfers passthroughlarge-value one-third (42%)ofissuedcredit and non-SEPA countries. More than SEPA (Single Euro Payments Area) the remaining23%goingabroadto credit transfers)share of total with were primarilydomestic(witha77% card and direct debits. Credit transfers a 16% share,justafter payments by in termsoftransactionvolume, with They theirthirdposition maintained transactions, unchanged from 2017. 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

Direct debit remained the second Fraud targeting payment means 0.0505%, or one euro of fraud for most used cashless payment every EUR 1,980 worth of payments. instrument in terms of volume, In 2018, cashless transaction fraud accounting for 17% of the total number amounted to EUR 1.045 billion for Payment cards1 accounted for of transactions and 6% of their total 6.7 million fraudulent transactions, EUR 439 million, or 42% of total value in 2018. Direct debit transactions up significantly by 36% in value fraud in terms of value (38.4% for were almost exclusively domestic compared with 2017 (EUR 771 million payments and 3.6% for withdrawals), (99%), with cross-border SEPA direct for 5.1 million fraudulent transactions). and, in terms of volume, were used debit transactions accounting for only in almost all fraudulent transactions 1% of all originated flows. This trend is largely due to cheques, (92.4%). After a second consecutive which have become the most used year of decline in 2017, total fraud on The steady decline in cheque use means of payment for fraudulent cards issued in France rose year on observed over several years again purposes in France. Cheque fraud year in 2018 to EUR 439 million from continued in 2018, both in terms of accounts for 43.1% of total fraud EUR 387 million (a 13.4% increase on transaction volume (down 9%) and and amounted to EUR 450 million payments and withdrawals made in value (down 11%). Cheques were in 2018 (up 52% compared with France and abroad). issued to settle 1.7 billion transactions EUR 296 million in 2017) despite for a total value of EUR 891,052 billion. the continued decline in cheque use. The fraud rate for cheques was 1 Cards issued in France. Trade bills (bills of exchange and promissory notes) made up less than 1% of cashless transactions both in terms of volume (0.3%) and C5 Breakdown of fraud on cashless means of payment in 2018 value (0.9%), with 2018 once again (%) confirming the decline observed over a) in volume terms b) in value terms a number of years. 0.0 0.1 0.0 5 2 4 3 6 Lastly, although the use of electronic 9 money (e-money) was still marginal, 38 it reported a slight rise, continuing the trend begun in 2017, to 65 million transactions (up 18%) with a total 43 value of EUR 1,053 million (up 17%). 90 This expansion was encouraged by Card payments Credit transfers Trade bills the development of peer-to-peer Cheques Direct debits Card withdrawals payment solutions. Source: Observatory for the Security of Payment Means.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 19 20 CHAPTER 2 euro for EUR 578. every significant decline–of0.173%, orone remote payments –despiteafurther but withamuch higherratefor EUR 10,000 worth of transactions) (0.010%, oroneeurooffraudfor every of fraud for point-of-sale payments low rate withavery mances, notably rate incorporatescontrastingperfor transactions. However, thisaverage fraud for EUR 1,612 worth every of grew to0.062%,oroneeuroof the fraud rate for card transactions forrelatively several constant years, This meansthatafter remaining Source: Observatory for ofPayment theSecurity Means. Source: Observatory (%) C6 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – Change infraudrateforeach meansofpaymentfrom 2016 to 2018 0 0.7 0 0 0 0 0 0 .0 .01 .02 .03 .04 .05 .06 Credit transfers 0 .0 0 2018 2017 2016 0 0 4 .0 0 0 0 3 .0 0 0 4 0 .0 Trade bills 0 0 0 4 .0 0 0 0 1 .0 0 0 1 0 Direct debits .0 - 0 2 0 7 .0 cashless meansofpayment available the lowest annualfraudvalue of all Direct debitsonceagainrecorded for EUR 244,300 paid. every in 2017)0.0003% oroneeurooffraud (upfrom to individuals,at0.0004% across all payment means available it registered thelowest rate offraud EUR 78 million in 2017. Nevertheless, by 24%year onyear comparedwith for cardsandcheques, itincreased was still well below the levels recorded annual value ofcredit transfer fraud Although atEUR 97 million in 2018 the 0 0 0 6 .0 0 3 5 0 .0 2 5 0 Cheques 2 .0 2 9 6 0 .0 5 0 5 0 .0 6 Cards 8 0.058 0 .0 6 2 EUR 226,000, representingafraud cases offraudaccountedfor unaffected by fraud.In 2018, five Trade billswere stillrelatively debit instructions. originateddirect EUR 28,185 of or oneeurooffraudfor every in 2017),(compared with0.0006% thus rose dramatically to 0.0035% in 2017. The directdebitfraudrate 544% increasefromEUR 9 million in 2018, significant despiteavery to individualswithEUR 58 million EUR 1,115,000 paid. rate of 0.0001%, or one euro for every 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

C7 Total transaction value, French cards C8 Total fraud value, French cards (EUR billions) (EUR millions) 800 500 704 450 436 426 439 700 665 628 396 387 592 400 377 600 576 345 529 549 350 504 307 500 472 300 454 266 269 400 250

300 200 150 200 100 100 50 0 0 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 Source: Observatory for the Security of Payment Means. Source: Observatory for the Security of Payment Means.

Box 1 Fraud statistics for payment cards: respondents

To ensure the quality and representativeness of its fraud statistics, the Observatory gathers data from all issuers of “four-party” and “three-party” cards.1 The 2018 statistics calculated by the Observatory thus cover: • EUR 683.7 billion in transactions in France and abroad made with 79 million four-party cards issued in France (including 58 million contactless cards); • EUR 20.8 billion in transactions primarily in France with 9.8 million three-party cards issued in France; • EUR 55.9 billion in transactions in France with foreign three-party and four-party cards. Data was gathered from: • the 120 members of the CB Bank Card Consortium (Groupement des Cartes Bancaires CB ), collected through the Consortium and from MasterCard and Visa Europe France; • eight three-party card issuers: American Express, Oney Bank, BNP Paribas Personal Finance, Crédit Agricole Consumer Finance, Cofidis, Franfinance, JCB and UnionPay International.

1 “Four-party” card payment schemes involve a large number of issuing and acquiring payment service providers, whereas “three-party” schemes involve a smaller number.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 21 22 CHAPTER 2 Source: Observatory for ofPayment theSecurity Means. Source: Observatory (%) C9 Source: Observatory for ofPayment theSecurity Means. Source: Observatory (EUR millions) C11 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 0.00 0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.08 2009 Fraud rate,French cards 0 in French paymentsystems,French andforeigncards Fraud valueontransactionsprocessed .0 5 9 2010 0 100 200 300 400 500 600 .0 0 5 7 2002 245 2011 0 .0 2003 274 6 1 2004 242 2012 0 .0 6 5 2005 236 2013 0 2006 253 .0 6 9 2007 269 2014 0 .0 2008 320 6 9 2009 342 2015 0 .0 7 4 2010 369 2016 0 2011 413 .0 6 8 2012 451 2017 0 .0 5 2013 470 8 0 .0 2014 501 2018 6 2 2015 542 2016 545 Source: Observatory forofPayment theSecurity Means. Source: Observatory (EUR billions) C10 2017 494 100 200 300 400 500 600 700 800 0 2018 538 in French paymentsystems,French andforeign cards Total transactionvaluesprocessed 2002 2 9 9 2003 3 1 8 2004 3 4 5 2005 3 6 9 2006 3 9 5 (up 5.9%on 2017). transaction value of EUR 704.4 billion outofatotal to EUR 439 million compared with 2017) and amounted abroad picked up in 2018 (up 13.4% using French cards in France and payments andwithdrawalstargeting 2017,Following adipin fraud Overview payment Card 2.2 2007 4 3 1 2008 4 6 4 2018 and withdrawal fraud 2009 4 7 7 2010 4 9 8 2011 5 3 4 2012 5 6 2 2013 5 8 7 2014 6 2 5 2015 6 3 6 2016 6 7 3 2017 7 1 5 2018 7 6 0 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

C12 Fraud rate for transactions processed in French payment systems, French and foreign cards (%) 0.10

0.09 0.086 0.082 0.085 0.080 0.080 0.080 0.081 0.077 0.08 0.070 0.071 0.072 0.074 0.069 0.069 0.07 0.064 0.064 0.062 0.06

0.05

0.04

0.03

0.02

0.01

0.00 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 Source: Observatory for the Security of Payment Means.

Consequently, the rate of fraud includes payments and withdrawals French cards as well as those made in affecting French payment cards made in France and abroad using France using foreign cards, saw a very deteriorated very slightly to 0.062%, compared with 0.058% in 2017 (see Chart 9), or one euro for every C13 Fraud rate by geographical area (%) EUR 1,612 worth of transactions. 0.40 When transactions carried out in 0.35 0.372 France using cards issued in other 0.380 0.350 0.353 0.30 0.316 countries are also included, the same 0.25 0.281 0.270 trend can be seen, with an 8.9% year- 0.20 on-year rise in the total value of fraud 0.15 to EUR 538 million in 2018, while the 0.10 0.080 0.080 0.080 0.085 0.081 total value of transactions climbed 0.069 0.071 0.05 6.3% to EUR 760 billion. 0.045 0.046 0.043 0.044 0.042 0.037 0.038 0.00 2012 2013 2014 2015 2016 2017 2018 As a result, the overall fraud rate for Domestic transactions International transactions transactions processed by French All transactions electronic banking systems, which Source: Observatory for the Security of Payment Means.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 23 24 CHAPTER 2 an 8.4% upturn in 2018. The value of transaction fraudin 2017, therewas Following areduction in domestic Geographical breakdown offraud effort toavoid detection. inanthe individualamountstaken their fraud attempts while reducing and hasforced fraudsterstostepup deactivation of compromised cards has ledtomorerapiddetectionand SMS alerts sent to cardholders, which transaction scoringsystems and online payments, risk-analysis and such asstrongerauthenticationof make cardpayments moresecure, the strengtheningofmeasuresto with EUR 69.8 in 2017. This isdueto atEUR 70.5 in 2018stable compared fraud, which remained relatively average value of individual cases of did notcoincidewithanupturn inthe to 1,358,819. However, thisincrease increased by 12% comparedwith 2017 transaction was recorded in 2018 for which at least one fraudulent Lastly, thenumberofFrench cards of transactions. fraud for EUR 1,412 worth every This corresponds tooneeuroof to 0.071%in 2017 (seeChart 12). minor increase from 0.069% in 2017 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – following was found: In addition,by geographicalarea,the value oftransactions. the total though they made up only 14% of fraudvalue54% ofthetotal even tional transactionsaccountedfor transactions concerned as interna still highinview ofthevalue ofthe to note that this rate isimportant 0.281% in 2017. Nevertheless, itis low of 0.270%, compared with rate for 2018 declined to a record was better controlled as the fraud fraud oninternationaltransactions compared with 2017. Consequently, grew by 13.4% invalue terms international transactions,which largely duetotheupward trend in value ofEUR 291.9 million,to atotal also increased,by 9.2%year onyear Fraud on international transactions from 2017 (0.037%) transactions –andalmostunchanged approximately EUR 2,600 worth of at 0.038%–oneeurooffraudfor the fraudrateisstillrelatively low in value termscomparedwith 2017, in domestictransactionsof5.2% in 2017. However, given thegrowth compared with EUR 226.5 million increased to EUR 245.6 million made in France using French cards fraud onpayments andwithdrawals 2 -

San Marino. Liechtenstein, Norway, Iceland and States, aswellMonaco,Switzerland, 3 foreign cards. and withdrawalsmadeinFranceusing abroad usingFrenchcardsandpayments 2 from 0.511% in 2017 to0.438%); carried outoutsideSEPA (down in 2018 remained lower thanfor transactions in 2017 to0.352%in 2018 butwhich SEPA, for transactions carried out within slight increaseinthefraudrate • b) Note: SEPA –SingleEuroPayments Area. for of Payment the Security Source: Observatory Means. a) (%) C14 SEPA coversthe28 EuropeanUnionMember Payments andwithdrawalsmade in thecaseofFrench cards,a French cardholders French merchants 0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 2012 2012 2018 Fraud ratebygeographicalarea 3 which increased from 0.308% 2013 2013 Domestic transactions SEPA Non-SEPA 2014 2014 2015 2015 2016 2016 2017 2017 2018 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

Box 2 Fraud targeting contactless payments The boom in the use of contactless payments continued in France, with an increase of 82% in volume and 89% in value. Thus, 2.3 billion contactless payments were recorded in 2018, worth a total of EUR 24.4 billion (compared with 1.2 billion transactions for EUR 12.9 billion in 2017), which corresponds to 6% in value and 21% in volume of all face-to-face payments, or one in five card payments. The average contactless payment value amounted to EUR 10.5 in 2018. The total value of contactless transactions including contactless domestic payments carried out in France using foreign cards and contactless payments carried out abroad using French cards reached EUR 25.8 billion for 2.4 billion transactions. This represents a year-on-year increase of 87% in value and 82% in volume. At the same time, the fraud rate for domestic contactless payments stayed stable at 0.020% (for a total fraud value of almost EUR 5 million) and remained at a midway level between the overall rate for face-to-face payments (0.010%) and the rate for withdrawals (0.024%), and thus well below the remote payment fraud rate (0.173%). If contactless domestic payments made in France using foreign cards and contactless payments made abroad using French cards are also taken into consideration, the fraud rate remains almost identical to that of 2017, i.e. 0.021%. In 2018, as in previous years, all contactless payment fraud could be traced back to loss or theft of a card. Card issuers have placed ceilings on individual transactions (usually EUR 30) and on the total consecutive transaction amount possible without entering the PIN (typically EUR 100), thus limiting the loss incurred if a card is lost or stolen. It is also important to remember that cardholders are protected by law in the event of fraud and bear no losses (see Appendix 2). These figures include payments by mobile phone, which also rose even though their share of total domestic face-to-face transactions remained marginal at 0.10%. In 2018, 10.9 million domestic payments were carried out using mobile devices, representing an almost 2.5-fold increase over 2017, while the total value of those payments amounted to nearly EUR 190.9 million compared with EUR 83.5 million in 2017. Including transactions carried out in France using foreign mobile devices and transactions carried out abroad using French mobile phones, the total value of payments in 2018 comes to EUR 219.6 million for 12.4 million transactions. In 2018, some cases of fraud were reported on domestic mobile telephony transactions although the total value was minimal (less than EUR 50,000) and the fraud rate amounted to 0.03%. The overall fraud rate for payments by mobile phone across all regions increased from 0.03% in 2017 to 0.04%, with a total fraud value of a little less than EUR 88,000.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 25 26 CHAPTER 2 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – average fraudrate(seechart below). cultural products”and “telephony andcommunication” account foralowershareoftotalfraudbutarevictimtomuch higherthan of theaveragefraudratesforeach wefindthat sales”, oftheseactivities, toperson “accountloadingandperson “technical and to remote paymentcontinued fraud, to accounting be the most exposedfor 74% sectors of the total fraud value. Based on a comparison “General andsemi-generaltrade”, andprofessionalservices”,“personal “travel andtransportation” and “telephony andcommunication” cover domestictransactionsonly. The Observatorygathers dataproviding informationonthebreakdownofremotepaymentfraudbysectoractivity. These data Box 3 Total (amount inEUR millions,sharein%) Breakdown offraudbysectoractivity Source: Observatory for ofPayment theSecurity Means. Source: Observatory (%) Fraud rateforremotesalesbysectorofactivity, domestictransactions 12 10 11 9 8 7 6 5 4 3 2 1 Insurance Foodstuffs Health, beauty andpersonal care Health, beauty Miscellaneous Online gaming Account loadingandpersontosales Household goods,furnishingsandDIY Technical andcultural products Telephony andcommunication Travel andtransportation Personal andprofessional services General andsemi-generaltrade 0.0 0.1 0.2 0.3 0.4 0.5 0.6 1 2017 Domestic remotepaymentfraud,bysectorofactivity 2 3 2018 4 Average ratein2017:0.190% 5 6 7 8 9 10 Average ratein2018:0.173% 11 12 12 Insurance 11 Foodstuffs Health,beautyandpersonalcare 10 Technicalandculturalproducts 6 Householdgoods,furnishingsandDIY 5 Telephonyandcommunication 4 Travelandtransportation 3 2 Personalandprofessionalservices Onlinegaming 9 8 Miscellaneous Accountloadingandpersontosales 7 Generalandsemi-generaltrade 1 Amount 173.3 24.5 25.7 38.8 39.2 13.2 0.6 2.2 2.3 5.3 5.3 8.8 .4 7. 2018 Share 100.0 22.4 22.6 14.1 14.9 0.3 4.3 3.1 3.1 5.1 .2 1. .3 1. .6 7. ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

• in the case of foreign cards, in 2017). This is partly due to the C15 Comparison of fraud rates a reduction in the fraud rate for growth in contactless payments, by domestic transaction type transactions carried out in France which have a significantly higher fraud (%) 0.250 using cards issued outside SEPA rate (see Box 2 above). Face-to-face

(0.323%), which nevertheless payments and UPTs still account 0.200 0.190 remained elevated at 3.5 times for a major share of total domestic 0.173 higher than the rate for transactions transaction amounts – almost 0.150 in France using cards issued within two-thirds – but only 17% of the value 0.100 SEPA (0.092%). of domestic fraud. 0.050 0.020 0.020 0.0270.024 • For remote payments, despite an 0.009 0.010 0.000 Breakdown of fraud increase in fraud value in 2018, the 1 2 3 4 by transaction type fraud rate declined for the seventh 1 Face-to-face payment 2 o contactess year running to 0.173% from 0.190% 3 Withdrawals at ATMs Fraud targeting domestic transactions in 2017 as a result of the substantial 4 Remote payments 2017 22% year-on-year growth in the 2018 Although the value of fraud on value of remote transactions. This Source: Observatory for the Security of Payment Means. domestic transactions increased improvement is the result of issuers’, Note: ATMs – Automated Teller Machines. in 2018, the fraud rates for the various merchants’ and companies’ efforts to transaction types improved, with the improve customer protection by rolling authentication security requirements exception of face-to-face payments out strong customer authentication set out in the second European and UPTs (unattended payment solutions such as 3D-Secure, and Payment Services Directive (PSD2) terminals), which deteriorated risk-analysis and transaction scoring and particularly the entry into force of very slightly. tools, i.e. expert systems capable provisions to ensure the widespread of assessing the risk level of a given application of strong customer The following observations for the transaction on the basis of its charac- authentication and analysis of risky different transaction types were teristics such as customers’ habits, transactions on 14 September 2019, noted in 2018. location or equipment used. However, should lead to a reduction in online even though remote payment fraud payment fraud. • With regard to face-to-face is declining, it still accounts for the payments and UPTs, and despite majority (70%) of the total value of • With regard to withdrawals, the the increase in fraud in 2018, the domestic fraud and its fraud rate steady decline in the fraud rate that fraud rate remained extremely low remains 17 times higher than the rate began in 2015 continued in 2018, and almost unchanged year on year for face-to-face payments. The imple- edging down to 0.024% from 0.027% at 0.010% (compared with 0.009% mentation of the strong customer in 2017.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 27 28 CHAPTER 2 EUR 50.3 million for afraudrateof in 2017from EUR 60.3 million to carried outoutsideSEPA improved Conversely, fraudontransactions of transactionatthedomesticlevel. greater thanthefraudrate for this type from 0.527% in 2017), i.e.3.5 times in 2018 with a fraud rate of0.594% (up EUR 74.4 million toEUR 118 million whose fraudvalue rosefrom can be traced to online transactions, transactions carried outwithinSEPA the increaseinfraudratefor • ofonlinepayments. security Visa) the EMV(Europay, MasterCardand all cardsandpayment terminalsto the pastseveral years tomigrate to theefforts madeinEuropeover out withnon-SEPA countriesthanks SEPA than for transactions carried controlled for transactions within area, fraudcontinuestobebetter andgeographical transaction type and trendsvaried dependingon transactions increasedin 2018 While fraudoninternational international transactions Fraud targeting ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – In thecaseofFrench cards, 4 standard andenhancethe standard 5 continued tobehighat0.947%. using cardsissuedoutsideSEPA the fraudratefor remotepayments compared with0.386%in 2017), but 0.102% in 2017) andoutside(0.323%, within SEPA (0.092%,down from rates improved for bothcardsissued for transactionsinFrance, fraud • rate of1.168%. increased witharelatively highfraud but fraudonremotepayments 0.438% (down from0.511% in 2017) Notes:  for ofPayment theSecurity Means. Source: Observatory (%) C16 In thecaseofforeign cardsused SEPA –SingleEuroPayments Area; ATMs – Automated Teller Machines. See Appendix 5. Fraud ratebytransactiontypeandgeographicalorigin 0.0 0.2 0.4 0.6 0.8 1.0 1.2 1.4 Domestic Withdrawals atATMs

Remote payment Face-to-face payment => SEPA France => non-SEPA France came intoforceinAugust 2015. to enhancethesecurityofonlinepayments 5 referred toas“ChipandPIN”. secure cardchipandasecretcode,commonly provides fortheuseofacombination face-to-face paymentsandwithdrawalsnotably MasterCard andVisa.TheEMVstandardfor consortium ofAmericanExpress,JCBCards, specifications weredevelopedbytheEMVCo standard forsmartpaymentcards,whose 4 The EuropeanBankingAuthority’s guidelines EMV isaninternationaltechnicalsecurity 2018 => France SEPA Non-SEPA => France ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

Box 4 Indicators provided by law enforcement agencies

Automated Teller Machine (ATM) attacks increased in 2018 Attacks on ATMs and terminals with 125 cases (after 76 in 2017) but still remained at a (number) 1,200 relatively moderate level compared with the levels observed 1,109 1,028 1,048 prior to 2017. There was also a rise in the use of “jackpotting” 1,000 techniques to compromise ATMs in 2018 with a wider variety 800 of operating methods employed. “Jackpotting” involves 640 connecting a computer to take control of the ATM and either 600 545 416 500 targeting the dispense calculation function or installing 400

a malware. 301 156 200 103 125 60 75 35 18 82 By contrast, attacks on card-operated fuel pumps were down 85 76 0 31 10 0 to 64 cases in 2018 from 121 in 2017 and attacks on unattended 2012 2013 2014 2015 2016 2017 2018 payment terminals (UPTs), such as parking pay points also ATMs Card-operated fuel pumps and UPTs decreased from 35 cases in 2017 to 18 in 2018. However, Electronic payment terminals no attacks on merchant payment terminals were reported. Source: Observatory for the Security of Payment Means. Note: ATMs – Automated Teller Machines; UPTs – unattended payment terminals. Regardless of the type of payment terminals or ATMs that are compromised, the payment card data thus obtained by criminal networks are then exploited, either to create counterfeit magnetic stripe cards to make payments and withdrawals abroad, chiefly in countries where EMV smartcard technology is not widely used, or to misappropriate card numbers for use in remote payments, particularly on e-commerce sites that have not implemented cardholder authentication solutions.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 29 30 CHAPTER 2 Against thisbackdrop andwith are needed to secure transactions. upon, such thatothermechanisms cannotberelied and PINentry) in thecardsthemselves (chip reading featuresreasons, security embedded remote payments. For configuration led totheincreasing use of cards for The development ofonlinetradehas solution deployment Monitoring ofauthentication existing EMVsmartcards. schemes for and to enhanced security technologies by card mostthree-party totheadoptionof smartcard butable This low very level is mainly attri 1% of fraudulent domestic payments. Counterfeit cards accounted for just domestic transactionfraud(31%). fraud, makingupalmostone-thirdof the secondmostcommonsourceof Lost orstolencardscontinuedtobe misappropriation techniques in 2018. still themostusedcardnumber and phishing value, representing 66%ofthetotal offraud, still themostcommontype out fraudulent payments was to carry The misappropriationofcardnumbers by transaction type Breakdown offraud ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 6 and malwares 7 were - for Payment issued CardSecurity payment security, the Observatory the objective ofstrongerremote protected usingthe3D-Secure were (of which EUR 26.4 billion EUR 61.2 billion worth oftransactions payment cardsand 66.7 million main banking institutions covered authentication solutionsatthe monitoring of the deployment of period, theObservatory’s statistical For theNovember 2018 to April 2019 dations have beenkept since 2011. oftheserecommen implementation developedStatistics tomonitor the cation arrangements for cardholders. the wideradoptionofsecureauthenti recommendations in 2008, aimedat Note: Domestictransactions,excluding withdrawals, invalue terms. for ofPayment theSecurity Means. Source: Observatory (%) C17 Breakdown ofcardpaymentfraudbytype 100 10 20 30 40 50 60 70 80 90 0 2011 Intercepted cards Lost orstolencards Forged orcounterfeitcards 3 6 6 0 2012 3 6 5 1 2013 3 6 4 5 2014 3 6 - - 2 6 trustworthy sources. user’s knowledgethroughwhatappeartobe They aregenerallydownloadedwithoutthe records thekeystrokesonavictim’s keyboard. “malwares” isknownas“keylogger”and transactions. Oneofthemostcommonthese used moreandregularlyforpayment and, increasingly, mobile phonesthatare personal computersofprivateindividuals, servers oflargecorporationsandthe 7 fraudulent websiteinordertocollectcarddata. receiver, invitingtheirvictimstoconnecta a creditinstitution)thatarerecognisabletothe that misusevisualidentitiesandlogos(e.g.of 6 Misappropriated cardnumbers Other Malicious softwaretargetsboththe Phishing generallyinvolvessendingemails 2015 3 6 2 7 2018 2016 2 7 9 0 2017 3 6 2 6 2018 3 6 1 6 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

C18 Distribution of cardholders provided with customer authentication solutions mechanism), making it possible (%) to measure progress in the imple- 120 mentation of secure authenti- 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 cation methods both quantitatively 98 96 98 98 98 98 98 94 95 89 89 90 93 91 95 and qualitatively. 80 91 93 93 94 77 87 78 80 80 80 78 60 71 75 66 At the end of April 2019, the switch

40 by cardholders to these authenti- cation solutions is almost universal, 20 with an average rate of enrolment of 6 0 98.4%, covering all cardholders who April Oct. April Oct. April Oct. April Oct. April Oct. April Oct. April Oct. April 2012 2013 2014 2015 2016 2017 2018 2019 might carry out transactions online. In Spread containing readings for 50% of institutions the case of e-merchants, while take Proportion of cardholders provided with solutions, least advanced institution up of the 3D-Secure mechanism Proportion of cardholders provided with solutions, most advanced institution Proportion of cardholders provided with solutions, French market continues to increase and now stands Source: Observatory for the Security of Payment Means. at an average rate of 75%, there are nonetheless gaping disparities between different banks, with rates of between 32% and 91%. It is important to note that e-merchants C19 Take-up of 3D-Secure by merchants must have a strong customer authen- (%) tication solution in place to comply 100 95 91 88 89 90 91 91 91 90 87 with PSD2. 81 80 80 81 80 75 72 71 71 71 73 72 70 72 66 The Observatory has observed 60 58 58 52 55 that the failure rate for authen- 50 47 42 42 43 ticated transactions, which has 40 30 settled at 11%, is under control and 32 32 32 32 32 32 20 29 31 31 31 31 remains substantially lower than 10 19 16 16 18 the rate recorded for non-authen- 0 April Oct. April Oct. April Oct. April Oct. April Oct. April Oct. April Oct. April ticated transactions, suggesting 2012 2013 2014 2015 2016 2017 2018 2019 that consumers have become Spread containing readings for 50% of institutions accustomed to such mechanisms. Proportion of merchants supporting 3D-Secure, least advanced institution Proportion of merchants supporting 3D-Secure, most advanced institution This is also a reflection of more Proportion of merchants supporting 3D-Secure, French market effective checks on websites with Source: Observatory for the Security of Payment Means. authentication solutions, which is

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 31 32 CHAPTER 2 into force inJanuary 2018 acrossthe framework ofPSD2,which entered requirementssetoutinthe security tication, andwhich isnow partofthe since 2008 of using strong authen championed by theObservatory hierarchy supportsthe strategy payments (0.173%). This fraudrate rather than the fraud rate for all remote face-to-face payments (0.038%), transactions asawhole,including forfraud rateobserved domestic level more closelyapproximates the from the 2017 rate of 0.06%. This to 0.07%in 2018, almostunchanged the 3D-Secureprotocolamounted transactions authenticated through The fraudratefor domestic April 2019. of remotepayments attheendof accounted for 43% of the value been risingsteadilysince 2011 and by 3D-Secureauthenticationhas the shareofonlinepayments covered the useofauthenticationsolutions, supportive of continued growth in In view ofthesetrends, which are transactions increasesregularly. as thefailure ratefor unsecured of usingthe3D-Securemechanism confirms the benefit to e-merchants by such measures. This therefore on websites thatarenotprotected forcing fraudsterstoconcentrate ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – - of regulatory technicalof regulatory standards in its Opinion on the implementation to remember that point, it is important European Union. regard to this With Source: Observatory for ofPayment theSecurity Means. Source: Observatory (%) C21 for ofPayment theSecurity Means. Source: Observatory (%) C20 Proportion oftotalonlinepaymentsauthenticatedby3D-Secure Distribution of3D-Secure failurerates 10 20 30 40 50 10 15 20 25 30 35 40 45 50 0 0 5 2 2 1 2011 0 0 1 April 3 1 April 2012 1 8 2 2 2 0 Oct. 6 2 3D-Secure failurerate,leastaffectedinstitution Non-3D-Secure failurerate 3D-Secure failurerate,Frenchmarket 3D-Secure failurerate,mostaffectedinstitution Spread containingreadingsfor50%ofinstitutions 4 Oct. 3 3 1 2012 April 1 7 2 1 2 5 April 2013 4 1 Oct. 2 1 7 6 1 2 Oct. 3 2013 April 2 1 8 5 8 2 April 2014 4 Oct. 2 1 8 6 6 2 Oct. 2014 2 April 2 9 1 1 3 5 5 1 April 2015 Oct. 2 9 9 1 1 3 4 6 2015 April 2 Oct. 30 1 online card payments using a one-time online cardpayments usingaone-time deemed thattheauthenticationof European Banking Authority (EBA) (RTS) published on 13 June 2018, the 1 1 3 1 7 Oct. April 3 1 2016 3 7 1 1 2016 2018 April 7 2 3 7 1 Oct. 1 8 1 1 Oct. 3 6 1 6 April 3 2017 1 8 2017 April 1 1 3 6 1 5 7 2 Oct. 0 Oct. 3 1 1 5 1 5 5 April 2018 2 2018 1 April 4 1 1 1 1 7 4 2 Oct. Oct. 3 4 6 1 1 1 1 6 April 2019 2019 2 April 4 3 3 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

password (OTP) received via SMS payment used in terms of annual C22 Value-based breakdown that is widely used in France does not volume of payments and is used of cheque fraud by type comply with PSD2 requirements. In 8.5 times less often than the card. The (%) order to support the French financial average value of a fraudulent cheque 3

sector in the coordinated implemen- remitted for collection also increased 33 tation of PSD2 strong authentication slightly from EUR 2,577 in 2017 to provisions, the Observatory has EUR 2,704 in 2018. drawn up a roadmap, which can be 56 found in Chapter 1 of this report, Improvements to the manual 8 that sets out the modalities of this processing of fraud data have meant

migration, both from a technical that the fraud cases encountered can Misappropriation, replay point of view and in terms of assisting be better categorised. Thus, as in 2017, Theft, loss (fake, apocryphal) Counterfeiting stakeholders, traders and consumers. two categories of fraud made up the Falsification

majority of the fraud value in 2018: Source: Observatory for the Security of Payment Means. (i) the fraudulent use of lost or stolen cheques, which increased sharply replay of cheques continued to be far 2.3 Cheque fraud to 56% of total cheque fraud from less common, representing 8% and 44% in 2017; and (ii) the falsification 3% of total cheque fraud, respectively. of validly-issued cheques, which Overview accounted for 33%. Fraud through There was a general increase in the counterfeiting and misappropriation/ average individual value of cheque For the third consecutive year, there has been an increase in the value C23 Individual fraudulent cheque values by fraud type, 2017-18 of cheque fraud, which amounted (in EUR) to EUR 450 million in 2018, up 52% Average fraudulent 2,577 year on year. Consequently, and cheque value 2,704

given that cheque use is in decline, 8,079 Falsification the cheque fraud rate rose sharply 8,483 3,884 Counterfeiting to 0.0505% in 2018 from 0.0296% 4,540

in 2017. Cheques are thus the most 1,453 Theft, loss (fake, apocryphal) targeted payment instrument 1,827 5,140 above payment cards (43.1% and Misappropriation, replay 5,277 42.0%, respectively, of total fraud 0 2,000 4,000 6,000 8,000 10,000 value), despite being far less widely 2017 used. The cheque is only the fourth 2018 most common form of cashless Source: Observatory for the Security of Payment Means.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 33 34 CHAPTER 2 Source: Observatory for ofPayment theSecurity Means. Source: Observatory (%) C24 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – which arecreditedwithimmediateeffect whencheques aredeposited. funds. This accountsheldby mainlytargets businessesandentrepreneurs, fraudulent cheques tobecashedandimmediatelytransferring thecredited Fraud techniques derived from “kiting” consistingindepositinganumberof cheque tobedrawn onanexisting orfake bank. Counterfeiting ofcheques, throughthecreationfromscratch ofafalse or after thehandwritten amount. • the line; etc.) after ifblankspacesareleft thenameoflawful beneficiary on • beneficiary’s name; • written inweak inkand replacing itwithanothername; • for instance: onit. contained The fraudsterexploits thevulnerabilitiesofastolencheque by, altering astolencheque by scratching, over-writing orerasinginformation Falsification ofa valid cheque interceptedby afraudster, consistingin theft orloss. Chequebook theft wheninpossessionofthecustomer duetobreak-in, documentstocollectachequebook.identity • branches, incustomers’ postboxes; and/or fromwherethey aredispatched, attransportersordeliverers tobank • specimens canbestolenattwolevels: tothecustomer.during transportanddelivery Chequebooksandblankcheque providers outsidethebankareinvolved inthedistributioncircuit,notably Theft ofchequebooks inthedistribution circuit: anumberofservice 1 See https://www.verifiance-fnci.fr adding anamountinletters and/orfiguresifany blankspacesareleft before adding something(for example anameor an acronym, acompany stamp, writing thenameofanewover beneficiary thelegitimate scratching ifithasbeen orerasingthenameof thelawful beneficiary on collectionatbankbranches, where fraudsterscanusestolenorforged before tothecustomer:atplacewhich delivery they aremanufactured Value-based breakdownofcheque fraudbytype, 2016-18 2016 2017 2018 0 2 3 3 Main casesofcheque fraud Theft, loss(fake,apocryphal) Misappropriation, replay 20 4 4 5 4 5 6 40 1 9 2 Falsification Counterfeiting 60 8 4 4 3 2 80 3 3 bank thatmay occurimmediatelyafter acheque isdeposited. in ordertosuspend,ifnecessary, any withdrawals ortransfers towards another Identification ofunusualdepositmovements inlightofthecustomer’s profile, identity (seeabove). In-depth physical examinationofthecheque andofthepayer’s proof of service for unpaidcheques.service register ofirregular cheques) viatheBanque deFrance’s official prevention consulting theFichier nationaldeschèques irréguliers (FNCI, thenational Merchants canprotect themselves against irregular cheques by payer, forbyorproofofhomeaddress. instance, requestingproofofidentity that ithasnotbeenalteredbeforeandtoverifyofthe acceptance, theidentity well aspayer identity. The cheque shouldbephysically examined toensure Systematic examinationofthecheque andoftheinformation onit, as report alossortheft even ifthey have takenoutinsurancetocover such risks. chequebooks andcheque-letters mustbeontheir guard andarerequiredto Issuance ofregular reminders from thebankthatholdersof event ofadelay. expected timeframesothatthecustomercaninform delivery thebankin the customerwhenheorsheappliedfor achequebook, andindicatingan at thebranch orforby delivery post,dependingontheoptionselectedby Notifying thecustomer thatachequebook isavailable, eitherfor collection different transportphases. Traceable shipmentprocessesfor chequebooks andcheque-letters duringthe 100 Preventive measures 1 to offline payment methods. Chapter 3 ofthisreport,withregard below andinthestudy presented in its recommendations, repeated thus reiterates The Observatory priated orreplayed cheques. cheques andEUR 5,277 for misappro cheques, EUR 1,827 for lostorstolen cheques, EUR 4,540 for counterfeit fraud, with EUR 8,483 for falsified 2018 - ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

2.4 Credit transfer fraud The methodological work undertaken C25 Value-based breakdown in 2017 to categorise fraudulent of credit transfer fraud, credit transfers that means that data by geographical area (%) Overview is better measured and assigned (see Appendix 6), confirms that fake 10 In 2018, fraud on credit transfers credit transfers, i.e. the issuance of a 32 issued from accounts held in France fraudulent transfer order by means of amounted to almost EUR 97 million, cyber-attacks, continues to account up 24% from 2017. Consequently, the for a majority of credit transfer fraud fraud rate returned to its 2016 level with 52% of the total value (compared 58 of 0.0004%. These figures confirm with 54% in 2017), followed by fraud that proportionally speaking, credit by misappropriation (41%, down from France transfers were still the cashless 42% in 2017). SEPA excluding France Non-SEPA payment method least affected by Source: Observatory for the Security of Payment Means. fraud, even though they are used Credit transfer fraud is relatively Note: SEPA – Single Euro Payments Area. to move the most significant overall evenly broken down between the values (87% of all cashless payments various payment channels: transfer issued in France). The average initiation from online bank accounts value of a fraudulent credit transfer (via the internet or a mobile phone the use of paper-based transfers is declined from EUR 16,864 in 2017 to application) was still the most affected now very limited, accounting for less EUR 12,586. channel (up from 38% to 42% in 2018 than 10% of issued credit transfers in terms of total fraud value), while in terms of value, its associated fraud Cross-border credit transfers the remainder was divided between rate declined only slightly to 0.0010% accounted for a larger proportion of secure telematic channels (37% from 0.0011% in 2017 and is higher fraud than domestic transfers with compared with 31% in 2017) and than that for credit transfers issued via 68% of the credit transfer fraud paper-based transfers such as letter or electronic channels (0.0004%). value, even though cross-border fax, which declined significantly with transactions made up only 23% of 22% of total fraud value compared the overall issued transfer amount. with 31% in 2017. However, given that

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 35 36 CHAPTER 2 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – channels, such as “smishing” viaSMS. features).or toupdatesecurity There arevariants ofphishingthroughother bill inordertoavoid tolift theinterruption ofaservice, abankingsuspension these emailsisusuallyalarmist,urgingtherecipienttoactquickly (tosettle a the personisusuallyasked toentertheirbankingcredentials. The toneof that takesthemtoafake website (onlinebanking ore-commercesite),where bydetails sendingoutunsolicitedemailsinviting recipientstoclick onalink • fraudulent transfer order. beadded in, requestthatanewforcredittransfers beneficiary orinitiatea retrieve theIDandpassword thatheorshehasenteredandusethemtolog when thecustomerlogsintohisorheronlinebankaccount,malware can trafficcollect data onacustomer’s computerorinformation system. Therefore, USB sticks).peripherals (e.g. Fraudsters canusethismalware toanalyse and open afraudulentemail,browse corrupted websites orconnecttoinfected a person’s orabusiness’ computerwithouttheirknowledge whenthey • mainly perpetratedusingtwomethods. which businessescanexchange fileswithbanks),and automateddata were –aninterbankcommunicationchannelCommunication Standard through telematic channels, such astheEBICSsystem (theElectronicBanking Internet In 2018, cyber-attacks online bankingwebsites essentiallytargeted and extract information. number, thecustomerto generallyinhisorherabsence,andcontacts • passwords, triggerfraudulenttransfers malware. orinstall torun(from thebankfor instance) fake testsinordertorecover log-inIDsand • from thecreditor. sends thenew by bankdetails emailorby postinaproperlyworded letter bills, invoices orrent,misappropriatingthefundsfor themselves. The fraudster there hasbeenachange thatthey inthebankaccountdetails usetopay their or anyofcreditorandfalsely type informs thecustomer, tenantordebtorthat • company itself. on thecompany anditsexecutives viatheinternetordirectlyfrom account. To dothis,thefraudsterusesinformation thatheorshegathers an employee intomakinganurgent,confidentialcredittransfer toa foreign • techniques mainlytookthefollowing forms: In 2018, misappropriation-type fraud through socialengineering Phishing: fraudstersusethistechnique togatherpersonalandbanking Malware: such as Trojan horses,spammers,viruses, etc.,which infect Bank advisorscams:thefraudsterusesbankadvisor’s telephone Technical support scams:thefraudsterimpersonatesanIT technician Bank accountdetailsfraud: thefraudsterimpersonatesasupplier, lessor CEO fraud: thefraudsterimpersonatesaseniorcompany executive totrick Credit transfer fraud encountered heighten awareness amongbusinesses. Initiatives providers ledby to inform banksandpayment service and required, duringthetimedelay. toblockto thecustomergivinghimorherpossibility thetransaction,if towhichthe country thefundsaredestined. A warning messagecanbesent ontheaccount,duetoamountinvolvedconsidering theusualactivity or can suspendtheexecution ofatransfer thathasbeenflagged assuspicious Implementing tools thatcanmonitor anddetect unusualtransactionsand on theirterminals. Providing secure solutionsto customers toscanfor malware-typeinfections Setting maximumtransfer ceilingsononlinebankingsites. transfer beneficiaries are addedononlinebankingsites. Triggering timedelays orstrong customer authentication whennew orders enteredonline. Deploying astrong authenticationsystem to approve credit transfer heighten awareness amongcompaniesandindividuals. Initiatives providers ledby toinform banksandpayment service and customer before execution. which thefundsaredestined. The ordercanthenbecross-checked withthe ontheaccount,duetoamountinvolvedthe usualactivity to orthecountry the execution ofatransfer thathasbeenflagged assuspiciousconsidering Tools thatcanmonitor anddetect unusualtransactions andcansuspend Preventive measures 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

C26 Value-based breakdown C27 Value-based breakdown C28 Value-based breakdown of credit transfer fraud, of credit transfer fraud, of direct debit fraud, by fraud type by transmission channel by geographical area (%) (%) (%)

6 22 24

37 41 52

76 42 1

Fakes Paper France Falsification Online SEPA Misappropriation Telematics Other

Source: Observatory for the Security of Payment Means. Source: Observatory for the Security of Payment Means. Source: Observatory for the Security of Payment Means. Note: SEPA – Single Euro Payments Area.

Main cases of fraud in 2017 2.5 Direct debit fraud in 2018 from 0.0006% in 2017, or and preventive measures the equivalent of one euro of fraud for around every EUR 28,184 worth As in 2017, social engineering8 and Overview of issued direct debit instructions cyber-attacks through malware and (compared with one euro of fraud phishing were the main techniques In 2018, fraud relating to direct for every EUR 180,000 in 2017). used in credit transfer fraud in 2018. debit payments to be debited from The average value of a fraudulent The upturn in the number of phishing accounts held in France increased direct debit transaction amounted cases observed in 2017, following a sharply by 544% from EUR 9 million to EUR 188 in 2018 compared with decline in 2016, continued in 2018. in 2017 to EUR 58 million and EUR 340 in 2017. Improvements to cyber-attack thus returned to the kind of levels detection mechanisms should observed in 2016 (EUR 40 million) therefore be stepped up to counter prior to the substantial 78% year- fraudsters whose increasingly on-year drop. Therefore, given the 8 Social engineering refers to the psychological manipulation of people sophisticated emails can more easily growth in payment flows, the direct into performing actions or divulging deceive account holders. debit fraud rate rose to 0.0035% confidential information.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 37 38 CHAPTER 2 fraud isattributable tofake direct ofthe confirms thatalargemajority is better measured andassigned, direct debits that means that data in 2017 tocategorisefraudulent The methodologicalwork undertaken Source: Observatory for of Payment the Security Source: Observatory Means. (%) breakdown Value-based C29 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – by fraudtype of directdebitfraud, Other Misappropriation Fakes 0.03 99.97 0.00 timate issuanceofdirectdebit Fake directdebits–theillegi preventive measures Main casesoffraud in 2018 and from 99%in 2017. of direct debit fraud in 2018, down transactions thus accounted for 76% compared with1%in 2017). Domestic had beenmarginal(24%in 2018 SEPA countries, which untilrecently cross-border transactions between in domestic direct debit fraud on Lastly, therehasbeenanupturn fraud value. which account for 99.97% of total a mandateby false creditors), of directdebitinstructions without debit instructions (i.e.theorigination - instructions withoutany autho a fraudster of third-party identities and identitiesand a fraudsterofthird-party to alesserextent: misappropriationby techniques were but alsoobserved, was thusnoted. Two otherfraud to cross-borderSEPA countries direct debitsinitiatedfromFrance in 2018. An increaseinthesefake technique directdebits usedtotarget – constitutedreality the main fraud risation orunderlyingeconomic 9 creditor andapayer. and fraudulent collusion between a IBANs International bankaccountnumbers. 2018 9 for subscriptiontoservices; - ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 CHAPTER 2

Direct debit fraud encountered Preventive measures

Illegitimate issuance of direct debit instructions (fake direct debits): Tools to monitor the behaviour of creditors who originate direct debit a false creditor registers as the originator of a direct debit instruction with instructions that can detect any unusual movements based on knowledge of a payment service provider and originates a very large number of direct the customer. It is important to note that a creditor must have a SEPA Creditor debit instructions using IBANs that he or she has acquired illegally without Identifier (SCI) to originate direct debit instructions, which is assigned once its any authorisation. payment service provider is sure of its ability to do so. Transmission of an alert to the customer when a direct debit instruction is first received from a creditor to debit his or her account. Optional services through which a customer can set a maximum amount to be debited by creditor and by country or compile a list of creditors who are authorised to make direct debits on his or her account (white-listed creditors) or, alternatively, a list of creditors who are not authorised to do so (black- listed creditors).

Misappropriation of IBANs for subscription to services: Transmission of an alert to the customer when a direct debit instruction is a debtor with fraudulent intent provides the account details of a third party on first received from a creditor to debit his or her account. the direct debit mandate, enabling him or her to obtain the services without Optional services through which a customer can set a maximum amount to honouring the related payments. be debited by creditor and by country or compile a list of creditors who are authorised to make direct debits on his or her account (white-listed creditors) or, alternatively, a list of creditors who are not authorised to do so (black- listed creditors).

Collusion between the creditor and the payer: a creditor with fraudulent Tools to monitor the behaviour of creditors who originate direct debit intent originates direct debit instructions on an account that is held by an instructions that can detect any unusual movements based on knowledge of accomplice in a regular manner, gradually increasing the amounts. The payer the customer. It is important to note that a creditor must have a SEPA Creditor disputes the debited amounts not long before the end of the statutory Identifier (SCI) to originate direct debit instructions, which is assigned once its cancellation period (13 months after the direct debit is cleared), on the grounds payment service provider is sure of its ability to do so. that he or she did not sign a mandate for the direct debit. When the direct debit is rejected, the balance on the creditor’s account is not sufficient to refund the disputed amounts as the funds have been transferred to an account held abroad.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 39

3 Technology watch

3.1 The security of offline meet different needs; both the second European Payment Services payment methods needs of customers, who are not Directive (PSD2),1 and that are necessarily adequately equipped to intended to combat fraud through make dematerialised payments, and the principle of strong customer Introduction needs related to specific use cases, authentication, offline payments are which, from the point of view of the omitted from these provisions and Since the first smartcards were parties involved in the transaction, by definition cannot benefit from introduced in the early 1990s, trends may be better suited to these offline these security features. in the development of payment payment methods. methods have stood out for their This study provides an overview of use of emerging technologies, such These payment initiation methods, these offline payment methods and as online, contactless and mobile which have thus escaped the notes the various parameters that payments. As a consequence of these digital transformation of payment can contribute to their security. changes, payment means are more solutions, now only account for a and more connected, guaranteeing very small proportion of transaction real‑time communication between flows: less than 8% of the volume Overview of offline payment the various parties involved in of transactions issued in 2018 methods and specific the transaction: the payer, the and 11.3% of their total value (7% associated risks beneficiary and their respective and 3%, respectively, for cheques account‑holding institutions. alone). However, they are still the Scope preferred target of fraudsters, who However, this evolution must from long experience are fully versed This study covers payment means not hide the persistent use of in their vulnerabilities, and therefore as defined by theCode monétaire non‑connected (offline) payment accounted for 47.9% of total fraud et financier (French Monetary methods, particularly those that value in 2018. are paper‑based: cheques, credit 1 The contributions of PSD2 in terms of security were the subject of a dedicated transfers arranged using a slip, However, while payments issued Observatory study (see Chapter 1 of the 2017 order or subscription forms paid by electronically are subject to a gamut Annual Report of the Observatory for the manually completing card number of security requirements laid down Security of Payment Means: https://www. banque-france.fr/en/liste-chronologique/ information, etc. These payments in the regulations, particularly the annual-activity-report).

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 41 42 CHAPTER 3 systematically issued to their PSP creditors’ payment ordersare can involve apaper‑based mandate), payer’s approval isobtained (which irrespective of the way in which the Area) direct debits, because, • in particular. excludes following thetwo methods or by fax, emailortelephone)and paper‑basedcard (using methods by cheque, by transfer and by This scope encompassespayments responsible for executing it. provider (PSP)the payment service theissueroforderand between automated andreal‑timeconnection arrangements thatdonotensurean relies on offline arrangements, i.e. the issuanceofpayment orders and Financial Code) for which ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 that regulatecheque usein France. It was thesource oftheprovisions oftheCodemonétaireetfinancier (French MonetaryandFinancialCode) in thefield. in France bydecreeimplementingthelawof 30 October 1935. This Convention isconsideredtobethe benchmark Later, theConvention providing aUniformLawforChequesenactedinGenevaon 19 March 1931 was introduced textgoverning their use the first was alawof 14 June 1865. Cheques wereintroducedinFrance undertheSecond Empirewiththecreationofmajordeposit banks; Box 1 SEPA (Single EuroPaymentsSEPA (Single Cheque statusandmilestones documents whereby aperson,the Cheques aregenerallydefinedas The chequeandallitsdifferentforms the remitofObservatory. the regulationsanddonotfall within means ofpayment asdefined by are neither “cheques” noreven énergie, in France (chèque, restaurant often incorrectly called “cheques” while thesevouchers arevery services: right ofaccesstocertain private bodies giving the holder • Annual Report.) 2017with direct debits in its measuresassociated and security a thoroughanalysis oftherisks online. (The Observatory published Vouchers issuedby publicand chèque voyage, etc.), they chèque of payment. it isstilltheoldestcashlessmeans their processingandmanagement, to help banks automate standardised have been frequently revised and or tothedrawer. sum toathirdparty, thebeneficiary, LGDJ, 2015. 9th edition,Exercicespratiquescollection, de créditetpaiement,Bonhomme (R.), jurisprudence (LGDJ), 2012;andInstruments collection, Librairiegénéralededroitet difficulté”, Pérochon (F.), 9thedition,Manuel 2 the French and Financial Monetary regime codified in Book I, Part III of governed by acomplex legal This payment instrument is pay on demand (at sight) a certain sight)acertain pay ondemand (at a creditinstitution, thedrawee cheque issuerordrawer See (in French)“Entreprisesen 18 2 Although cheques Although , instructs , to ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

Code, entitled “Les instruments of Geneva, was made compulsory means that a crossed cheque de monnaie scripturale” (cashless by the decree of 5 November 1998 “may be paid by the drawee only payment instruments). approving and making mandatory to a banker, a payment institution, the application of French standards,3 the head of a Postal Cheque Centre In accordance with Article L. 131‑2, more precisely French standard NF or a customer of the drawee”. paragraphs 1 and 2 of the Code, K11‑111, “Banking – Cheque‑form In compliance with this provision, a cheque must bear the word for cheques payable in France”. crossed cheques can only be cashed “cheque” and an “explicit instruction The purpose of this standard is to by the beneficiary’s bank. Equally, to pay a given sum”. This instruction define the form on which cheques an account‑holding institution may is drafted as follows: “Payez are to be written and issued. only accept a crossed cheque from contre ce chèque non endossable its customer or another bank or sauf au profit d’une banque ou There are two characteristics of the similar institution, and therefore may d’un établissement assimilé la cheque format that appear essential, only cash the cheque on behalf of somme de…” (“Pay against this even though they are not compulsory these persons. cheque, non‑transferable except in terms of cheque validity. for the benefit of a bank or similar The format most often made institution, the sum of...”). Failing • The mention of “Payez contre available to customers by their bank this, any payment document that ce chèque non endossable sauf is the chequebook. For professionals does not bear these particulars, even au profit d’une banque ou d’un and businesses, it can also take the if the other mandatory information établissement assimilé la somme form of a cheque‑letter. In addition, is present (see the paragraph de...” is intended to prevent the in specific situations, customers entitled “The cheque” in the section cheque being transferred to a can arrange for banker’s drafts to on “Protecting offline payment person other than a bank or similar be issued. methods” below), is not a cheque. institution. However, it does not prevent the free circulation of a • The cheque‑letter is an automated The formulations used (the paper cheque prior to the designation of cheque printing solution offered by document) to allow the account the beneficiary, although this type banks to corporate clients that issue holder to instruct his or her bank of usage is not recommended for large volumes of cheques. Using this to pay the given amount to the security reasons. solution, clients can also have text beneficiary, are standardised, printed to accompany the cheque and printed by banks and issued to • Crossing of the cheque by the vary the mentions on the cheque. their customers. They are called bank, and more precisely with However, prior to using this format, “pre‑printed forms” (formules two parallel lines pre‑printed on pré‑marquées), and more commonly the cheque, which in compliance “cheques”. This printed format, with Article L. 131‑45 of the French 3 Order published in the Official Journal of the which originates from the convention Monetary and Financial Code, French Republic, No. 264, 14 November 1998.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 43 44 CHAPTER 3 by theBanque deFrance (Article in clearinghousesmadeavailable for clearing purposes on a daily basis, exchanged manuallybetween banks Historically, cheques were Cheque processingcircuits payment means. not allowed of toissuethistype electronic payment institutions) are providers (payment institutions and categories ofpayment service may be drawn”. Consequently, other “keep accountsonwhich cheques authorised, under Article L. 131‑1, to credit institutions, which areuniquely by law, istheexclusive domainof bank instruments whoseissuance, Cheques (including theirvariants) are also have features. additional security professional fees. Banker’s drafts to purchase avehicle orsettle high‑value, cases such as payments specific, and generallyin very banks onthecustomer’s request • and thecompany. of an agreement between the bank conditions withintheframework clients mustsubscribetocertain ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 Banker’s drafts areissuedby cheque clearing. At the same time, in No. 2001‑04 of 29 October 2001 on Regulation et financière (CRBF) bancairede la réglementation with theprovisions of the Comité principle viatheICSinaccordance by cheque are settled as a matter of of thisproject,payment transactions of June 2002. the clearinghousesasfromend clearing system (ICS) of the imagethe implementation clearing systems processthrough to dematerialisetheinterbank modernise thesystem andopted to theeuro,bankswanted to At thetimeofchangeover held intheclearinghouses. between thebanks duringsessions paper cheques were thuspassed through theBanque deFrance. The balances to each bank’s account house thencreditedordebitedthe to generateabalance. The clearing it was owed by each bankinorder bank was offset againsttheamount The amountabankowed toeach other banksattheclearinghouse. it was responsiblefor cashingonthe bank presentedthedifferent cheques and FinancialCode).Inpractice,each L. 131‑34 oftheFrench Monetary 5 Since the completion Sincethecompletion 4 that replaced thatreplaced of cheques for collectionbetween Dematerialising thepresentation requisitions, etc.). for avariety ofreasons (inspections, also exchange copiesofcheques theseinstitutions may In addition, collecting bank and the paying bank. exchanged physically betweenthe large sumsareinvolved, cheques are cases,andparticularlywhen certain 4 in Box 2. schematically inthediagram payment system ispresented processing times. This four‑party andshortened chequeservice banks hasimproved customer télécompensation”, means (see “Lesystèmeinterbancairede of interbankexchangespayment 5 teleclearing system.” interbancaire detélécompensation) payment amount,throughtheSIT (système the magneticstriponcheques,plus the exchangeofelectronicrecordings of paperchequesinclearinghouseswith aims toreplacethephysicalexchange “The exchangeoftruncatedcheques de France (https://www.banque-france.fr ): France, No. 107,November2002). Date ofcompletionthedematerialisation See the 2002AnnualReportoftheBanque 18 Bulletin delaBanque ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

Box 2 Interbank cheque processing system

1. Prior to payment (as a general rule), the payer is issued a chequebook by its bank. 2. The payer (drawer) completes the cheque and gives it to the beneficiary in settlement of an amount. 3. The beneficiary deposits the cheque at his or her bank, usually with a remittance slip or via a self‑service machine. 4. The beneficiary’s bank dematerialises the cheque and transmits the cheque image to the payment clearing system. 5. The payer’s bank then settles the funds due with the beneficiary’s bank.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 45 46 CHAPTER 3 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 in Article L. 131‑59 oftheFrench Monetaryand FinancialCodeandrefusepayment. by the drawee for afurther one‑year period. After that, the draweemayinvoke the prescription referred to and FinancialCode,acheque presentedafter thetime limit forpresentationshouldnonethelessbehonoured by the bearer of the cheque against the drawee. Inaccordance with Article L. 131‑35 of the French Monetary brought The presentationperiodshouldnotbeconfusedwith the prescriptionperiodforactionsofrecourse the cheque forpaymentasquickly aspossible. of to either 20 days foraplaceofissueinEuropeor 70 daysforaplaceofissueoutsideEurope. Although incases Monetary andFinancialCode),althoughthiscanbeextendedforacheque issuedoutsidemetropolitanFrance oftheCodemonétaireetfinancier,Frenchthe presumedissuancedate(Article paragraph 1, L. 131‑32, The rulesforpresentationpaymentsetatimelimitofeightdaysfollowingtheissuancecheque or post‑dating acheque isnotrecommendedasithasnoimpact onwhenthecheque canbepresentedforpayment. post‑dated cheque canbepresentedand thereforelegally paidevenbeforethepresumeddateofissue. Therefore, beneficiary maypresentthe cheque forpaymentirrespective ofthedatementionedon cheque. Indeed,a Once thecheque oncethecheque hasbeendrawnandissued (i.e. hasbeenpresentedtothebeneficiary), Box 3 force majeure these time limits can be extended under certain conditions, the beneficiary is advised to present a)  or outside Europe,orcanbeextended incasesofforce majeure . This timelimitcanbeextended to 20days or 70days dependingonwhetherthecheque France) isissuedinEurope (outsidemetropolitan to beneficiary for paymentwithineightdays Cheque A cheque mustbepresented given given mentioned onthecheque irrespective ofthedate

EIGHT DAYS Statutory timelimitforcashingcheques Presentation for payment Presentation period

a) Prescription period ONE YEAR

after theendoftimelimitforpresentation Prescription periodofoneyear after which thedraweecan refuse payment 18

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

Cheques use is less common but • spread a payment across several by tradespeople or professionals remains popular in specific situations instalments, by giving several not equipped with card payment cheques to the creditor; terminals, or the payment of goods Statistics on the use of cashless and services to itinerant retailers payment means show that cheques • agree with a creditor on a date at markets or fairs, for example, have been in gradual decline for to cash the cheque (the case of or to give a security deposit when more than 15 years, both in terms “deferred cheque transactions” leasing premises or renting seasonal of transaction volumes and value. carried out by certain merchants); property. The work undertaken in this Nevertheless, their use continues respect within the Comité national to be widespread in France, where • pay without first having the des paiements scripturaux (CNPS, in 2018 it accounted for 7% of beneficiary’s bank details; National Cashless Payments payment transactions – 1.7 billion Committee) is intended to promote issued cheques, down 9% • attach details of the services credible alternative card‑payment year on year – for a total value or reimbursements made to the solutions and also SEPA instruments, of EUR 891 billion (down 11% payment (see cheque‑letters); such as the instant credit transfer, compared to 2017). The cheque is which will need time to be now the fourth most used means • use the cheque number to widely adopted. of payment in terms of transaction easily identify payments made in volumes after being gradually companies’ accounting software. In addition, cheques are still offered overtaken by cards, then direct as gifts at weddings or birthdays, debits and credit transfers, giving On the other hand, given the risk of for example, because the people up the number one position it held non‑payment and its vulnerability to receiving them can use the money at the beginning of the 2000s. fraud, merchants can elect to refuse as they wish, unlike gift cards, which, all payments by cheque, provided while certainly more practical, are However, certain business practices that they provide clear, advance generally accepted by a limited contribute to the cheque’s longevity, notification to customers prior to number of point of sale and as it offers the possibility to: purchase, i.e. by displaying the terms online retailers. of payment at the entry to the point • pay substantial sums of money of sale. Lastly, very small companies also (in 2018, the average value of a contribute by issuing large volumes cheque payment was EUR 510 Furthermore, there are certain of cheques: research by the CNPS6 compared to only EUR 43 for bank situations that may currently force cards), particularly at the point of consumers or businesses to use

sale due to the spending limits cheques or cash, particularly for 6 See the 2016 CNPS activity report placed on payment cards; the payment of services provided (https://www.banque-france.fr).

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 47 48 CHAPTER 3 restricting any offull possibility under the convention of Geneva instrument, with their status exclusively paper‑based payment processes, cheques arestillan have broughttobearonhandling Despite theinnovations thatbanks of transactionvolumes. means while accounting for only 7% the value fraud onpayment oftotal of Cheques thusaccountfor 43% every EUR 1,980 worth ofpayments. to 0.0505%, or one euro of fraud for steadily increasedfrom 2016 to 2018 in 2018. The fraud rate for cheques million 450 increased toEUR with anannualfraudvalue that for fraudulentpurposesinFrance, the mostusedmeansofpayment of payment butthey have become fourth most used cashless means Cheques may well only be the A vulnerabilitytofraud with 50 to 249employees. and medium‑sized companies proportion was for still 14% small their transactions,andthatthis use cheques for morethanhalfof with lessthantenemployees would found thataquarterofcompanies ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 transfer order) from the or standing series oftransactions (recurring transfer) oratransaction (single by a beneficiary way ofaone‑off crediting thepayment accountof account, which consistin managing thepayer’s payment provided byservices theinstitution Credit transfers are payment “Offline” credittransfers purposes have alsobeenobserved. are intendedfor money laundering techniques such askitingorthat on thecheque. Moresophisticated or rewriting oraddinginformation scratching, over‑writing orerasing, a variety ofproceduressuch as fraudster canbefalsified using a valid cheque interceptedby a becomes aware ofit.Moreover, even before theaccountholder short time if it is lost or stolen, often 50 opportunities for fraudinavery 50 cheques, which represents 20 to “chequebook” to of between 20 always sentout inthe form of a unchanged. Generally, they are their format remainsrelatively cheques cannotbedigitisedand to other means of payment, dematerialisation; thus,incontrast 7 her account‑holdinginstitution: thecustomerandhisorbetween that ensure a direct connection transfers relyononlineinterfaces The mainchannels for issuingcredit Credit transfermethods his orherauthorisedrepresentative. instructions issuedby thepayer or payer’s payment account, based on report-2017-osmp2017-gb-20181108.pdf). sites/default/files/medias/documents/annual- Annual Report (https://www.banque-france.fr/ are presentedinChapter 2ofthe 2017OSMP 7 volume and 32%invalue. 33%ofissuedtransfers in for transfer orders, which accounts interfaces toissueindividualcredit • volume (64%) andinvalue (58%); transfers issuedinFrance, bothin and accountsfor of themajority pensions orfor supplierservices customers topay salaries and orders isusedmainlyby business severalfiles containing payment • These differentmethodsofchequefraud the automatedtransmissionof the useofonlinebanking 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

Box 4 The SEPA credit transfer process

1. The payer, account holder or authorised representative draws up the payment order, specifying the account to be debited, the account number or IBAN (International Bank Account Number) to be credited, the amount, the date(s) and if necessary the frequency of the transaction, and transmits the order to its account‑holding institution, which debits the payer’s account with the amount. 2. The payment order is exchanged through interbank payment circuits, leading to the payment of the specified funds to the beneficiary’s account‑holding institution. 3. The beneficiary’s account‑holding institution credits the receiving account identified in the payment order.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 49 50 CHAPTER 3 for a very small proportion of issued smallproportion ofissued for avery offline credit transfers accounting by this payment instrument despite the between various channels used fraud isrelatively evenly shared paid.Credittransfer EUR 250,000 oroneeurofor every of 0.0004%, to individualswithafraudrate across all payment means available registered thelowest rateoffraud As areminder, Offline credittransferfraud transactions service. or by a back‑office customer contact (counter, advisor, branch) by the customer’s usual point of instructions, carried outeither is requiredtore‑enterthepayment that theaccount‑holdinginstitution These channels have in common or slipsby fax, postor email. • through abranch; • different channels: They arecarried outthrough ofexchangedand 9% amounts. of the number oftransactions of French credittransfers, with 3% thus accountforsmallshare avery Credit transfer orders issued “offline” ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 transmitting credittransfer orders making ordersby telephoneor 8 credittransfers techniques totrick theaccount social engineeringmanipulation account; and(ii) the fraudsteruses oftheholderdebited identity issues false orders, stealing the fraudster transfer methods:(i) the of techniques commontoallcredit carried maintypes outusingtwo Fraud onoffline transfers canbe to EUR 21 million. paid. Total annualfraudamounted of fraudfor EUR 100,000 every and istheequivalent ofoneeuro rate for thispayment method, times greaterthantheoverall fraud to 0.0010%, which isalmostfour credit transfers thus amounts transfers. The fraudratefor offline Source: Observatory for ofPayment theSecurity Means. Source: Observatory (%) C1 Credit transferfraudratebyinitiationchannel 0.00000 0.00020 0.00040 0.00060 0.00080 0.00100 Offline credittransfers enteredinonlineinterfaces orders Individual Telematic channel (businesses) 0.00026 Credit transfers 0.00052 report-2017-osmp2017-gb-20181108.pdf). sites/default/files/medias/documents/annual- Annual Report (https://www.banque-france.fr/ 8 merchant andthepayment cardor between the is no direct contact exchange). As ageneralrule, there (spoken mail, fax or telephone communication channel such as they arecarried outthrougha mail order/telephone order) as referred toasMOTO payments (for Offline card payments are generally “Offline” useofpaymentcards credit transfer order. holder intoissuinganillegitimate See Chapter 2ofthe 2017OSMP 18 0.00095 8 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

its holder at the time the payment C2 Fraud rate for offline card payments (French cardholders) is initiated, which has a number (%) of consequences. 1.200 1.000 • From the payer’s point of view, 0.800 payment information (card number and expiry date) is transmitted 0.600

through a generally unsecured 0.400 channel and in the majority of cases 0.200 has to be processed manually. The cardholder’s signature is not 0.000 Domestic payments Cross-border payments required, and receipts do not have Face-to-face payments to be printed and issued. Withdrawal Online payments Offline payments (MOTO – mail order/telephone order)

• From the beneficiary’s point of Source: Observatory for the Security of Payment Means. view, the company receiving the orders by mail, fax, telephone or other offline means can initiate the merchants and service providers with the security requirements transactions either through the to ensure they comply with for online payments (EMV11 smart activation of the MOTO function if it the standard’s requirements. card, PCI DSS12 standards for has a terminal or by transmitting the e‑commerce), card fraud has shifted information to its account‑holding However, despite these security to MOTO payments, particularly institution, either by entering the requirements, the fraud rate for cross‑border transactions: two payment information on its website offline card payments is far higher or by sending files that contain this than for other card payment methods. information via a secure interface French cardholders endured 9 The Payment Card Industry Security Standards or another channel such as fax EUR 28.5 million in offline card Council is the leading international body for the or mail. payment fraud in 2018, accounting promotion of payment security standards, with for 7.1% of total card fraud, even members from the main card payment systems. This initiation method is governed though these transactions make up 10 See https://www.pcisecuritystandards. org/documents/protecting_telephone-based_ by specific card payment system only a tiny proportion of the card payment_card_data.pdf regulations: the Payment Card payments made (0.5% and 0.8% 11 Europay MasterCard Visa. Industry Security Standards in volume and value, respectively). 12 The Payment Card Industry Data Security Council (PCI SSC)9 has published Standards are a set of security standards 10 designed to ensure that all companies that an information supplement In particular, as market players accept, process, store or transmit credit card outlining security principles for gradually ensure that they comply information maintain a secure environment.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 51 52 CHAPTER 3 the wording ofthatinstrument; expressed in thelanguageusedfor into thetext oftheinstrument and • in Article L. 131‑2 oftheCode: information considered valid, mandatory certain cheque. Thus, ifacheque istobe which regulatethecreationofa andFinancialCode, Monetary down in the provisions of the French regard tocheques arepartlylaid The measures taken with security Security provisionsfromauserperspective The cheque payment methods Protecting offline online payments. fraudulent transactions,including ofreuse tomake othertypes card numbers,which they then opportunities tocompromise provide fraudsters with significant In addition,MOTO payments international transactions. French cardholdersinvolves thirds oftheMOTO fraudaffecting ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 the word “cheque” inserted is required,stipulated are simply deemed to notbe written Financial Code). These statements L. 131‑8 oftheFrench and Monetary L. 131‑31 and interest (Articles for payment orany stipulationof such as a date for presentation addition ofcertain statements Furthermore, thelaw prohibits the cheque (see Appendix 2). enteringintopossessionofthe party avoid any attempt atfraudby athird completing therestofcheque to should beextremely cautiouswhen However,beneficiary). thepayer no difficulties for theuser (payer or the customerandtherefore present by thebanksoncheques sentto The first four points are pre‑printed the cheque, known asthedrawer. • place wherethecheque isdrawn; • the payment musttakeplace; • that must pay, known as the drawee; • given sum; • the signature ofthepersonissuing an indicationofthedateand an indicationoftheplacewhere the nameofpersonorentity the explicit instruction topay a

cheques issuedby bankstotheir • information. mandatory Lastly, as valid. information is thus recognised implies thatonlythemandatory and therefore nullandvoid, which can beincludedalongsidethe it payable to “Self”, orcandesignate cheque for self‑withdrawal, making (drawer) can write out a payer a bearercheque. Inaddition,a isconsidered of thebeneficiary Code). A cheque withnoindication or thebearer (Article L. 131‑6 ofthe be payable toadesignatedperson expressly asacheque stated may may seemobvious, but itmustbe • and FinancialCode). L. 131‑44 oftheFrench Monetary the wording of Articles L. 131‑4 and cheque butareaconsequenceof not requiredfor thevalidity ofthe cheque –seeabove –which are institution and the crossing of the person otherthanabankorsimilar the transfer ofthecheque toanother difficulty (the prohibiting statement customers, which therefore pose no The pre‑printed elements on Designating thebeneficiary 18 optional information

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

him or herself as the beneficiary drawn by fraudsters usurping certification procedure referred to by name in order to transfer funds other people’s identities. in Article R. 131‑2. from one account to another held by the same person in a different • The statement certifying that Article L. 131‑14 states that the bank (Article L. 131‑7 of the Code). the drawer has adequate funds to drawee can exercise the right to Nevertheless, designating the cover the cheque at the time of replace the certified cheque with beneficiary is still important as it certification (Article L. 131‑14 of a banker’s draft. This has become contributes to combating cheques the Code) must comply with the commonplace as it is advantageous

Box 5 Banker’s draft

A banker’s draft is a cheque issued by a bank drawn on its own funds or those of a correspondent bank to ensure the beneficiary receives payment at any point during its validity. When the banker’s draft is issued, the issuing bank debits the account of the requesting customer after checking for adequate funds and blocks that sum until the draft is cashed by the beneficiary. Practically speaking, the presence of a high‑quality watermark comparable to those on bank notes distinguishes a banker’s draft from an ordinary cheque. This serves as a guarantee of authenticity. • The watermark is standardised, with the same pattern and size for all French banks. • The watermark provides a high degree of protection as it is visible when held against the light and takes up a substantial part of the banker’s draft’s surface. • CHEQUE de BANQUE (banker’s draft) is printed on the back of the cheque and edged above and below by two striped banners. • This mention is flanked on both sides by two maidens sowing seeds, with the darker and lighter tones in the image on the left reversed in the reflected image on the right.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 53 54 CHAPTER 3 merchants, banks,etc. those involved, includingbearers, cheque payment processandby all atalllevelsmust beobserved ofthe In order to combat fraud, precautions Precautions forusers postpones thesale. and holds on to his or her property recommended thatthebeneficiary for example). If doubts persist,itis telephone bookoronlinedirectory, referringon thecheque (by toa without using the telephone number the banker’s draft isauthentic, issuing institution toensurethat theseller shouldalsocontact specific tobanker’s drafts), the banker’s drafts andinformation chequesto bothordinary and and optionalinformation common out the usual checks (mandatory by banker’s draft. After carrying may sometimesdemandpayment such asthesaleofacar, sellers In thecaseofalargevalue transaction cheque amount. year becausethebankcovers the not limitedtoeightdays buttoone from a payment guarantee that is whocanbenefitto thebeneficiary ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 for cheques andchequebooks. In with thesafekeeping guidelines The customer mustalsocomply being usedfor fraudulentpurposes. prevent unreturned cheques from the customer’s attention in order to procedures mustbebroughtto Code). Consequently, thereturn French andFinancial Monetary L. 131‑71account (Article ofthe be returned uponclosureofan insist thatallunusedcheques automatic. Equally, thebankmust time, particularlyifrenewals are received periodof withinacertain the event thatchequebooks arenot of theprecautionstobetaken in Customers mustalsobeinformed to be collected atabranch, etc.). registered delivery, whetherithas letteris sentasanordinary orby renewal is automatic, whether it chequebookagreement (whether must besetoutintheaccount may from bank to bank and vary a chequebook toacustomer and conditionsof delivery be madeavailable. The terms the payment meansthatwill a bankaccountmustmention by thecustomerwhenopening The accountagreementsigned of of

are usedtosettle atransaction. when and thebeneficiary cheques should betakenby thepayer (drawer) Moreover, different precautions more specificadvice. banks generallygive theircustomers boxes, ontopoffurniture, etc.), (car glove unsecured locations chequebooks inplain sight or in rules such asnotleaving addition tosimplecommon‑sense proof of identity is needed (certain isneeded (certain proof ofidentity • the manuallycompleteddetails; leaving free spacebefore andafter with indelibleblack inkandavoiding modified by usingaballpointpen • the drawee; no room forby interpretation drawn, signature), legibly, leaving and placewherethecheque is beneficiary, date–day/month/year – payment amount, pre‑printed (the any information thatisnotalready • drawer When thecheque iswritten, the

carry an officialcarry document in case limit theriskofcheque being fill in the cheque, completing 18 should: ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

merchants or high‑value cheques systems that only print numbers; in numbers and there is a may require two); however, filling in both lines limits difference between the two, the potential for falsification the lowest amount is accepted, • follow several recommendations and thus provides additional with regard to the amount indicated protection for the drawee, – the use of “blank cheques” on the cheque (Article L. 131‑10 of the where the amount is not filled French Monetary and Financial Code): – if there is a difference between in until the cheque is cashed, the amount written in words is dangerous and should – by law the amount does not and the amount in numbers, not be envisaged under any have to be written in words the amount written in words circumstances, even if the and numbers and the practice takes precedence, beneficiary is a close relative of entering the amount twice is of the drawer (the blank declining due to the expansion – if the amount is written several cheque could be lost or stolen, of computerised cheque filling times in words or several times for example),

Box 6 New fraud and scams based on confidence tricks and digital technologies

The Observatory urges all private individuals and companies to be extremely vigilant with regard to increasingly common scams that involve fraudsters using the internet to encourage their victims to cash fraudulent cheques. The scam works in different ways. • Sending a cheque in payment for a service (such as an online purchase) for an amount greater than that required and asking the beneficiary to reimburse the excess by credit transfer. In this situation, it is recommended that the seller delay sending the goods and arranging the credit transfer for a few days until he or she is sure that the cheque will not be rejected, or even cancel the transaction. • Recruiting people via social networks to cash cheques on behalf of a third party (for a variety of reasons such as banking difficulties encountered by the requester, bank account held abroad, cheque‑cashing unavailable, etc.) and then send the sum (or another amount) to the third party by credit transfer. In this type of situation, those participating in the scam, who may have been lured by the prospect of earning a commission, are contributing to a money laundering scheme while becoming victims of the fraud or even accomplices themselves.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 55 56 CHAPTER 3 being cashedby afraudster. stolen, andpossiblyfalsified before of receipttoprevent itbeinglostor • handwritten signature ontheback; • cashing thecheque; a timelimitorotherconditionfor mentions tothecheque, such as • and comparesignatures; • was drawn; and theplacewherecheque numbers, thesignature, thedate including theamountinwords and • payment, thebeneficiaryshould: When thecheque isreceived in ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 check thepayer’s proof ofidentity, deposit thecheque withindays thoroughly verify thecheque, endorse thecheque witha – refuse any requesttoadd

and isclearlylegible. corresponds totheamountdue entered andthattheamount the information is correctly customer mustcheck thatall cash registersystem, the automatically by anin‑store when thecheque iscompleted consulting theFichier national against irregular cheques by Merchants canprotectthemselves filling system. customer’s behalf via an automatic completes thecheque onthe cheque, andalsowhenthemerchant when acceptingpayments by by performing athoroughinspection, apply theseprecautions,particularly It isinthemerchant’s interest to falls standards. shortofacceptable mean that the information provided distributed ink)orsystem settings • recommend theuseofblack ink; • cheque innumbers • given thatinsomecases: and increasetheriskoffalsification, system, which may be imperfect use an automatic cheque filling sector,particularly inthemassretail Most cheque receivingmerchants, to merchants receivingcheques Specific precautionsapplicable problems with printing (low or poorly blue inkisusedwhereasbanks the amountiswritten onthe only; Merchants have theright torefuse based payment guaranteeservice. providers thatoffer theirown risk‑analysis Merchants may alsouse otherservice at through the Vérifiance service cheques. Contractscanbearranged forprevention unpaid service via theBanque deFrance’s official national registerofirregular cheques) des chèques irréguliers receives anassessmentofthe bottom ofthecheque, andinreturn scanning thecodedlineat consults thesystems by simply alternative solution. The merchant Vérifiance (see below) oran Box 7 expert verification system such as cheque irregular after usingan • identity, have notbeenmet. cheque, such asproviding proofof • the pointofsale). be clearly displayed to at the entry general (the termsofpayment must • for avarietyofreasons. payment for purchases by cheque The conditions for acceptinga The merchant may deemthe Cheques may notbeacceptedin https://www.verifiance-fnci.fr. 18 (FNCI, the (FNCI, ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

Box 7 The national register of irregular cheques (FNCI)

The Fichier national des chèques irréguliers (FNCI, the national register of irregular cheques)1 is an IT file managed by the Banque de France that comprises data submitted by the issuing banks. It lists so‑called “irregular” cheques, i.e. cheques that fall into one of the three following categories: • cheques that are disputed due to loss or theft; • cheques drawn on a closed account or on an account that is banned from cheque use; • cheques identified as fake. It can also be used to identify the fraudulent use of a chequebook: the Information multichèques alert warns when a large number of cheques have been drawn on the same account during a given period. It thus averts the risk of fraudulent chequebook use. The FNCI can be consulted by: • cheque beneficiaries subscribed to the Vérifiance (FNCI – Banque de France) service; • any individual who wishes to know if the details of the account(s) they hold are registered and to verify any information that concerns them under the individual right of access.

1 For further information, see https://particuliers.banque-france.fr/fichiers-dincidents/les-trois-fichiers-dincidents-fcc-ficp-fnci/ le-fichier-national-des-cheques-irreguliers-fnci

cheque’s regularity, for example by provide justification for the refusal by the Banque de France, which lists code (Vérifiance uses a colour code and clearly state the service used. all persons banned from issuing system). Here again, merchants are cheques (by banks or by court order) required to inform their customers of Precautions for banks or from using a bank card. the service employed (Vérifiance or other cheque guarantee solutions) by Before providing a customer with a As the drawee, before paying a placing stickers in the windows or near chequebook, the bank must consult cheque, the drawer’s bank must the cash registers. Should a merchant the Fichier central des chèques (FCC, verify that (i) no stop payment refuse a cheque, he or she must the central cheque register) managed request has been made, (ii) the

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 57 58 CHAPTER 3 the ordertopay isirrevocable can above). However, the principle that 3 Box prescription period (see generally untiltheendofone‑year periodexpires and the presentation drawer’s bank mustpay even after andFinancialCode,the Monetary Article L. 131‑35 oftheFrench In addition,inaccordancewith on thecheque. information isincluded mandatory in hisorheraccount,and (iii) all customer hasadequatefunds ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 1 by contactingtheBanquedeFrance). • issuing anotherpaymentinstrumentorgrantingaloan; • The FCCcanbeconsultedby: • • and havenotrectifiedtheirsituation; • The FCClists: that comprisesdatasubmitted bytheissuingbanks. The Box 8 For furtherinformation, seehttps://particuliers.banque-france.fr/fichiers -dincidents/lestroisfichiers-dincidentsfccficpfnci/lefichier any individual who wishes to know if they feature on the register under the individual right of access (exercisedany whowishes toknow iftheyfeature on the register under the individual individual banks, which arerequiredtodosobeforeproviding acustomerwithchequebook andarefreetodosobefore people bannedbycourt orderfromissuingcheques. people whosebankcardhasbeenconfiscatedbytheirduetoanincidentrelateditsuse; people bannedfromhavingachequebook becausetheyissuedacheque whentheyhadinadequatefunds Fichier centraldeschèques (FCC, thecentralcheque register) The centralcheque register (FCC) liquidation ofthebearer. Placinga reorganisation, receivership or use ofthecheque, andthejudicial cheque toloss,theft orfraudulent when astopmay be placed on a article strictlylimitsthecases presented for collection. The same the drawee notto pay acheque or even thebearer, toinstruct • by thedrawee. the cheque, blocking thefundsheld be derogated if a This derogationallows thedrawer, stop is placed on 1 isanITfilemanagedbytheBanquede France invoked in the event that a cheque or herwill;norcanalosstheft be claim thatitwas takenagainsthis he orshecannotsubsequently disputed cheque toabeneficiary, the drawer intentionallyissuesa regard to theftWith or loss, if strictly interpreted by the courts. placing astoponcheque are • could leadtocriminalsanctions. would beconsideredunlawful and stop onacheque for any otherreason However, thejustifications for 18 -centraldescheques-fcc ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

is erroneously sent to a beneficiary All these cheque security rules established the référentiel de for whom it was not intended. that concern both users (drawers sécurité du chèque (RSC, cheque With regard to the fraudulent use and beneficiaries) and banks security oversight framework) of a cheque, the stop may be upheld are supplemented by a cheque that includes a number of security in cases of cheque counterfeiting monitoring system put in place objectives that institutions are or falsification, and also when the by the Banque de France. required to meet. cheque is obtained and used as a result of fraudulent activities. In accordance with Article L. 141‑4 This oversight framework revolves of the French Monetary and around an annual self‑assessment • Lastly, it is important to note that Financial Code establishing its by each cheque‑paying or stopping a cheque in the event of mission to oversee cashless means cheque‑collecting institution of its collective proceedings against the of payment, the Banque de France compliance with the RSC security beneficiary is intended to prevent ensures that cheques are secure objectives, performed on the basis the beneficiary from cashing and that the applicable regulations of answers to a questionnaire the cheque in the case of his or are pertinent. In order to carry out that defines the conditions for the her divestiture. this mission, the Banque de France objectives’ implementation.

Box 9 Security objectives established in the cheque security oversight framework (RSC)

Nine security objectives are defined in theréférentiel de sécurité du chèque (RSC, cheque security oversight framework).1

Objective 1: governance and organisation

Security governance aims to ensure that optimal, appropriate security measures are in place. The players [contributing to the cheque payment system] must have an official and regularly updated set of documents that define this governance framework and the organisation of cheque payment system security, and that cover all related activities, including those that are outsourced.

1 The cheque security oversight framework is publicly available (in French only) on the Banque de France website: https://www.banque-france.fr/sites/default/files/media/2018/03/13/cheque-referentiel-de-securite_v2017.pdf …/…

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 59 60 CHAPTER 3 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 a printedchequebook, theissue orreceiptofacheque, anditspresentation forpayment. itssafekeeping arefullyawareof Institutions shouldensurethattheircustomers oftheprecautions requiredinthesafekeeping monitoring shouldbestructuredaroundaformalprocedure definingtherulesandtypesofalerts. Transaction monitoringisdesignedtoprevent,detectandblock fraudulentpaymenttransactionattempts. This quality, availabilityandtechnical usabilityofthearchived elements. guaranteed protectionofthephysical andlogicaltoolsaswell the transactionscarried out. They ensurethe The physical andlogicalenvironments ofthecheque paymentsystemshouldbesecure,andfacilitatethe shouldensurethesecurityofphysicalThe players cheque paymentsthroughouttheirlifecycle. system aretraceablewithaviewtosupporting anuninterrupted audittrail. shouldhaveaprocedureinplacethatensuresalltransactionscovered by thechequeThe players payment procedure that generates adequate information for governing bodies and also the relevant external stakeholders. which recordofincidents. provides acomprehensive This monitoringsystemshouldincludeanincidentreporting shouldhaveasysteminplacetomonitortransaction‑related incidentsandcustomercomplaints, The players sector’s security policies. shouldimplementadequatesecuritymeasurestomitigate identifiedrisksinlinewiththeThe players protection. Itprovides foraregularassessment ofthemeasuresdeployedtoevaluatetheireffectiveness. the risks incurred and the implementation of organisational, technical and procedural measures to ensure this Security managementreliesontheidentification oftheassetstobeprotected,togetherwithananalysis Objective 9: raisingcustomerawareness regulations ofsecurity Objective 7: oftransaction environments security Objective 8: transactionmonitoringmechanism Objective 4: incidentmonitoringandreporting Objective 3: riskcontrolandmitigation Objective 5: andaudittrail traceability Objective 6: physical cheque security Objective 2: riskassessment 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

Offline credit transfers be regularly conducted by • training employees in the various account‑holding institutions procedures to be followed to combat The protection and security of in order to: attempted fraud (checks, alerts, credit transfer orders must take confirmation calls, implementation into account the methods used • make customers aware of the of transaction security tools) on a by fraudsters. In this respect, different types of fraud through regular basis; offline credit transfers present a regular prevention and awareness greater risk: campaigns (flyers included with • limiting acceptance of payment account statements, appointments orders by fax, paper documents • of fraudsters stealing the identity with customers); or mail and implementing of the payer to issue false orders two‑step validation mechanisms notably by imitating the signature • ensure regular updates of customer for transactions on the basis of of the lawful holder and his or her identification and authentication data payment amounts; proof of identity; (postal address, telephone number, proof of identity, bank details/IBAN, • encouraging locked lists of • of fraudsters amending legitimate physical and digital elements of beneficiaries and ceilings on credit cheques with the intention of authentication) in accordance with transfer amounts depending on the changing the beneficiary prior to the security procedures set out in type of customer. processing by the bank. the account agreement. Lastly, payment service To do this, fraudsters try to obtain In addition, account‑holding providers (PSP) that process credit information by telephone, email or institutions must ensure that their transfer orders are subject to Banque face‑to‑face by impersonating bank fraud prevention arrangements de France payment means security or general government officials or by are always up‑to‑the‑minute, oversight, in accordance with the posing as a customer, supplier or particularly by: provisions of Article L. 141‑4 of even an acquaintance. All account the French Monetary and Financial holders should therefore be on • warning and informing employees Code. This oversight framework their guard when they are asked to of the different types of fraud notably requires that each ACPR13 – divulge sensitive information such through regular prevention and authorised PSP in France includes an as an account number or details of awareness campaigns; appendix on internal control in their their proof of identity. annual report dealing specifically • putting in place payment order From the payer’s perspective validation tools (scoring) to detect, (individuals, companies or general check, alert, delay or reject, when government administrations), necessary, transactions that appear 13 Autorité de contrôle prudentiel et de résolution – ACPR, the French Prudential preventive measures should to carry a high risk of fraud; Supervision and Resolution Authority.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 61 62 CHAPTER 3 host cardnumbers. call centrespaces,allofwhich may of letters andcontrollingthephysical recording oftelephonecalls,storing measures alsoextend to the cardholder data. These security that store,processand/ortransmit protection measuresfor thesystems ofappropriate the implementation Fraud prevention therefore relieson outfraudulentpayments. to carry misappropriating cardnumbers based on techniques aimed at like offline credittransfers, is Fraud on offline cardpayments, that ofbanksorpayment institutions. payment orders is less strict than imposed on merchants that receive similar, framework thesecurity the initiationchannels arebroadly offline credittransfers inthat,while differ fromthosepresentedfor payment ordersbothresembleand featuresThe security ofoffline card “Offline” useofpaymentcards for theissueofcredittransfers. measuresimplemented security of payment andpresentingthe of cashless means with the security ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 features (signatures, visualchecks) to check customer‑identification is possible,encouragingmerchants alternative online payment solution • prevention measures, particularly: of differentimplementation fraud acquirers) mustensurethesound (account‑holding institutions and payment serviceproviders regardtomerchantsWith , their malicious reuse. cards) toprevent any riskof codesfor paymentdynamic security example,non‑replayable data (for • code; particularly thesecurity aslittletheir carddetails aspossible, • regular prevention campaigns; different offraudthrough types • businesses) withtheaimof: (individualsand cardholders preventive actions with their outmust ensurethatthey carry The

encouraging users to communicate encouraging users to communicate offering solutionsthatincorporate informing customersofthe in specificcaseswhereno card‑issuing institutions

Standard) standards for the standards Standard) Security Data Card Industry comply withPCIDSS (Payment centres,hosting) providers (call when necessary, theirservice • in particular)thepayment systems; transactions fromonline payments, (separatingMOTOcategorised that transactionsareproperly a transaction,whileensuring tocompletestrictly necessary and tocollectonlythecarddata transfers, providers payment service Lastly, asisthecasefor credit regular prevention campaigns. of thedifferent of fraudthrough types • codesisprohibited; card security specify that the retention of payment staff andalso trainingorliability) physical andlogicalsecurity, and businesscontinuity,data, control, access tosensitive information and policy (including aspectsrelatingto ofasecurity the implementation etc.), which provide notably for storage, archiving, destruction, handling ofcarddata (transmission, warning andinforming merchants ensuring thatmerchants and, 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

that offer card issuance or card vulnerabilities are aggravated by the • The Observatory calls on payment acquisition services are very large volumes of cheques and merchants to put in place the means subject to Banque de France chequebooks in circulation, before to ensure the transactions they payment means security oversight. and after use, giving fraudsters a initiate are valid, and in particular The appendix to their annual report large range of potential targets, as to ensure an adequate knowledge of on the security of cashless means well as the involvement of operators their customers to make up as much of payment must therefore precisely with inconsistent security levels as possible for the lack of strong detail the security measures in place in the lifecycle of this means of authentication: this mainly involves for payment card‑related activities. payment, particularly in the routing requesting proof of identity and and distribution channels. referring to services so that they can be sure of the validity of cheques for The Observatory’s These vulnerabilities and the face‑to‑face payments, or analysing recommendations multiplication of the fraud opportunities transaction factors (consistency they offer warrant constant vigilance between the identity of the buyer Offline payment methods have from all involved, as the security of and the holder of the payment been shown to have inherent and these payment methods cannot means, place of delivery, etc.) for characteristic limitations in terms be fully ensured by the payment remote purchases. In addition, when of security: on the one hand, the sector’s professional stakeholders. merchants store sensitive payment media used (paper, telephone data, such as card numbers or IBANs, calls, etc.) are incompatible with • From the perspective of payment they must ensure that the technical the implementation of advanced service providers, the lack of measures needed to guarantee their security solutions and make it strong customer authentication security are in place, following, for easier for fraudsters to falsify and at the time of the transaction example, the requirements of the counterfeit payment orders; on the makes the implementation of data security standards.14 Lastly, the other hand, the associated payment advanced solutions to identify Observatory stresses that MOTO processes require numerous risky transactions at the time of card transactions should be reserved physical and logical interventions, processing (i.e. image clearing exclusively for remote sales by mail, both by the payer and the beneficiary or entering the credit transfer or and by their account‑holding card payment order) all the more institutions, thereby multiplying necessary, providing the possibility, 14 Payment Card Industry Data Security fraudsters’ windows of opportunity. when needed, to delay flows and Standards (PCI DSS) for the retention of In the case of cheques, these alert the account holder. card data.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 63 64 CHAPTER 3 to be the most apt approach for offline payments, appears that currently justifytheneed appropriate for useinthecases innovative solutions, anddigital of development methods. The cheques andotheroffline payment developing alternatives to theuseof national payment strategy, aimed at efforts undertaken aspartofthe commitment tothemodernisation Lastly, reaffirms its theObservatory online payments. to fight fraud than is the case for stakeholders have lessleverage offline payment methods, asother these precautionswithregardto allthemorecrucial torespect It is ofthisreport. out in Appendix 2 that they applytheprinciplesset their own payment means,ensuring of remain vigilantastothesecurity government administrations, must individuals, companiesorgeneral the fact thatusers,bethey private • provisions ofPSD2. payment, in compliance with the prompt anauthenticated,offline or m‑commercetransactionshould fax ortelephone. Any e‑commerce ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 The Observatory alsoinsistupon The Observatory régulation descommunications published by theAutorité de France’s Electronic Communications électroniques etdespostes (Arcep, Marketof Digital Barometer 2018 editionAccording tothe Introduction 3.2  they need. services impair users’ accesstothepayment that thesedevelopments donot however, remainattentive toensure use cases. will, The Observatory encountered inthesespecific overcome limitations thesecurity and promisingalternatives thatcan examples ofseveral appropriate solutions businesses, between are electronic invoicing (e‑invoicing) as well as the development of credittransfers,recently instant use ofcredittransfers, andmore and businessesbasedonthe solutions individualsbetween ergonomic interbankpayment of development security. The to providing better transaction mobile payments The security of 15

and mobile payment solutions are hasboomed accessible services number ofoffers for mobile‑phone three outoffour French citizens, the connected device isinthehandsof the assuranceofknowing thata of browsing theinternet. With of themitistheirpreferred means smartphone 75% ofFrench citizens have a and Postal Regulatory Authority), card payments. technology usedwhenmakingcontactless 17 interchangeably throughoutthisreport. “mobile device”and“mobile”areused 16 publication-of-the-2018-edition.html press-releases/p/n/digital-market-barometer- 15 See made atleastonepurchase in 2017 the populationofFrance (26.2%) for example. Just over aquarterof communication (NFC) near‑fieldapplication ofcontactless particularly with the widespread remote andin‑storepurchases, instrument that can be used for developing into a universal payment Little by little, smartphonesare no exception. NFC isthewirelesscommunication The terms“smartphone”,“mobilephone”, https://en.arcep.fr/news/ 18 16 andfor almosthalf 17 technology, ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

using a mobile according to the The Observatory’s technology Overview of Observatoire du commerce mobile watch20 on the development of mobile payment solutions report for the first half of 201818 contactless face‑to‑face payment published by Mobile Marketing techniques by mobile phone was Telephone operator payment Association France. 5.9% of set up in 2007, in anticipation of on the basis of invoices smartphone users in France – more their implementation. As a result, than 2.1 million people – have made the Observatory published its Well before the development of payments using NFC contactless analyses on the development of smartphones, telecommunications technology or a payment application, face‑to‑face payment initiation operators had set up a payment placing France a little below the mechanisms for mobile phones system for premium rate phone European average but at the level based on “card” technologies calls added to the invoiced basic of Germany and Italy in terms of and their security arrangements monthly charge. Subsequently, as mobile payment adoption. in its 2009, 2011 and 2015 Annual technologies have evolved, the Reports. However, the scope of following services have emerged A recent study by the US research these analyses did not include mobile but the operators’ monthly invoices firm Forrester19 also points out payments using non‑electronic are still used: these trends, reporting that 80% money infrastructures.21 of mobile transactions in Europe • SMS+, for premium SMS messages; are remote payments. In‑store This study aims to provide an overview transactions, also known as of all the technologies available in face‑to‑face transactions, carried France that allow users to initiate out using mobile payment payments for goods or services, systems are expected to or to transfer money, using their increase annually by 26% and mobile device. The security issues 18 See http://www.mmaf.fr/publication/ reach EUR 27 billion in 2022 associated with the implementation observatoire-du-commerce-mobile-1er- in seven of the main European of the main mobile payment solutions semestre-2018-extrait/ countries (France, Germany, Italy, around today will be presented, 19 See https://www.forrester.com the Netherlands, Spain, Sweden and excluding (i) payment solutions 20 The remit of the Observatory for Payment the United Kingdom). This would executed in a mobile internet Card Security was expanded in 2016 when it became the Observatory for the Security of 22 represent 10% of all payments made browser environment and (ii) mobile Payment Means. from a mobile phone and slightly payment solutions that are little used 21 Electronic money technologies refer to the less than money transfers between or not used in France, which may be equipment used to carry out card transactions. individuals (EUR 30 billion in 2022). briefly outlined in the boxes. 22 These are not specific to mobile phones.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 65 66 CHAPTER 3 and facilitating purchases and and uses)hasproposedacode multi‑operator multimediaservices association for the development of multi‑opérateurs (AFMM, theFrench etusagesmultimédias services pour le développement des The authentication solutions. in place, and to develop adapted payment throughthemechanisms of complaints andfraudfor thistype operators tocontinuemonitor encourages mobilenetwork code by SMS. The Observatory send a customer authentication operator deemsitnecessary, itcan customer’s home equipment).If the (andtherefore tothe via Wi‑Fi when thesmartphoneisconnected or herinternetlog‑inIDs,particularly may berequested,aswell ashis number subscriber’s telephone on smartphones,the For theInternet+service viasmartphones. services subscriptions of content or digital mobile internet • outlets using WAP billing; • ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 Internet+, for payments using Gallery, for payments insales Association française 24 or Wi‑Fi, 26 23 25

with thesametechnology canthus payment terminals.Smartphones be found ofin‑store in themajority payments andtherefore cannow to make face‑to‑face contactless NFC technology allows customers with NFCtechnology By contactlesscommunication Face‑to‑face payments andUPTs inthisstudy.them infurtherdetail willnotconsider the Observatory contractually withtheircustomers, through the AFMM, andmanaged operatorsandpossiblynetwork were implementedby mobile As thesepayment methods particularly in the event of a dispute. the institution receivingpayment, appear onaninvoice Internet+or SMS+solutionsthat which can be used to trace the onitswebsite, phone look‑upservice the AFMM alsoprovides areverse or content. Forservices consumers, aggregators andpublishersof players inthevalue chain: operators, the contracts signed between offersservice andintegrated into of ethics tobe applied to these 27 back to 28 this communicationstandard. electronic moneyspecificationsarebasedon NFC technology. Inaddition, severalEMV bracelets, allowdatatobeexchangedusing connected objectssuchaswatchesor recent modelsofsmartphones,andeven deployment by 2020,andmore compatible withtheprospectof 100% manufacturers nowoffermodelsthatare exchange information.Allpaymentterminal two devicesafewcentimetresapartto communication (NFC) technologyallows 29 seller ortheseller’s operator. complaint, theusershouldcontacthisorher reverse phonelook‑upserviceandtomakea operators. TheydonotappearintheAFMM’s by contractingdirectlywithmobilenetwork have putsimilarpaymentmethodsinplace of servicesorcontentwithasolidreputation 28 27 See do notfallwithinthescopeofPSD2. 26 communication network. through aterminalconnectedtoterrestrial gives accesstotheinternet,mostoften wireless communicationtechnologythat 25 internet viamobileoperatornetworks. 5G connections,providingaccesstothe 24 inaccessible whenusingthisprotocol. standard internetprotocols).Somesitesare recent smartphonesthatarecompatiblewith network, suchasamobilephone (excluding from adeviceconnectedtomobileoperator internet pagessothattheycanbeconsulted now appearstobeindecline.Itisusedadapt protocol (WAP) wasfirstimplementedin 1999 but 23 at pointofsale. be usedasapayment instrument In France, the wireless application In France,thewirelessapplication As areminder, near‑field It shouldbenotedthatmajorpublishers Note thattheseoperatorbillingpayments A medium‑distance (severalmetres) Therefore using 3G,4G,and,inthefuture, https://annuaire.infoconso-multimedia.fr/ 18 29 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

Box 10 Withdrawals by mobile phone

Since 2014 in France, certain banking institutions have had arrangements in place allowing their customers to carry out withdrawals at certain automated teller machines (ATMs) thanks to the generation of a one‑time password accessible on their mobile phone. Generally, an initial enrolment phase to the mobile withdrawal service is required, during which the customer receives or chooses a secret code (PIN – personal identification number). The user can then access the service via the bank’s website or mobile app to select the amount to be withdrawn and will be given a temporary one‑time password. The PIN and the one‑time password should then be entered at an ATM affiliated to the user’s bank to obtain the cash. This service can be used to get cash in case a customer has forgotten his or her payment card or in an emergency as a temporary measure after a card is lost or stolen. It also allows a trusted third party, such as a family member travelling or working away, to withdraw cash. Outside of France, some major banks have developed withdrawal methods that use contactless near‑field communication (NFC) technologies and have equipped their ATMs with NFC‑compatible readers. The withdrawal is then made in a similar way to contactless payments using a card or mobile phone, i.e. by approaching the card or mobile to the ATM’s reader, with (i) authentication of the card or mobile (just as for a payment, using the contactless security features) and (ii) authentication of the transaction by typing the cardholder’s PIN at the ATM keyboard. Banks consider that contactless withdrawals offer the advantages of speed, with less time needed to carry out a withdrawal, and security, as fraud carried out by copying the magnetic strip of payment cards (card skimming) is reduced.

However, in order to provide a sensitive. The Observatory repeats that that these devices use (Android service that is accessible in all these sensitive payment data must from Google and iOS from Apple)30 circumstances, it should not have always be protected by appropriate facilitate contactless payment to be permanently connected to a measures, particularly when they are mobile network to operate. This is entered and saved, stored and used. why the implementation of this type 30 According to Kantar Worldpanel research into final‑quarter 2018 sales in France, Android of payment service entails the storage The main brands of mobile phone and iOS account for 75.2% and 24.7% of the of payment data that are considered as well as the operating systems market, respectively.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 67 68 CHAPTER 3 be abletooffer amobileapplication Indeed,forpayment a player data. to regard totheprotectionofsensitive requires ever‑greater vigilancewith different technical architectures number of mobile devices with these applicationsacrossavast card payment app.Implementing banking application or a dedicated through their distance service “Paylibcontactless ” sanscontact several bankshave developed the face‑to‑face payments. InFrance, designed tofacilitate contactless that incorporateorarespecifically able tooffer mobileapplications arethusalso and majorretailers those mobiles that have it). Banks (for that use the NFC antenna manufacturers, can offer applications of Googleandmobilephone players,third‑party independent In the Android environment, their own solutionsalone. payment functionstocontactless such as Apple restrictaccessto manufacturersto notethatcertain payments. infrastructure for card contactless based ontheelectronicmoney walletthrough digital solutions, ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 31 However, itisimportant of an electronic money institution. inthebooks simple accountingentry transaction, credit transfer, ora used toinitiateacardpayment inthesecodescanbe contained The interpretation oftheinformation tickets.and entertainment increasingly common on transport Box 12), whichexample (see are codes, such as QR codes registers, or two‑dimensional compatible withtraditionalcash one‑dimensional barcodes andmorespecifically,reading, to offer based on image services playersCertain have thus chosen developing a payment solution. whenconsidered advantageous infrastructure isnotalways Relying ontheelectronicmoney By scanninganimage‑basedcode and willbeactivated. characteristics ofthephonecan only thoseappropriatetothe or options, and during installation measures include arangeofsecurity applicationsgenerally speaking, available. Therefore, smartphones toallthevariousto beadaptable to allitscustomers,theapphas 32 for for 33 33 Swish inSweden, etc.). abroad (Alipay, WeChat Pay in China, both inFrance (Lyf Pay or Lydia) and Several exist solutionsofthistype capabilities arerequired. optical readingand/ordisplay payment devices equippedwith terminals andsmartphones,but need for NFC‑compatiblepayment These solutionsdispensewiththe to themerchant’s account. electronic moneyfromthecustomer’s account a purchasethusinvolvestransferringunitsof money accountswiththatinstitution.Making merchant andthecustomeropenelectronic a paymentsolutionthatrequiresboththe 33 32 French store. rather thantheNFCantenna,especiallyina present theirsmartphoneinfrontofthereader accessible). Theseusersmaythereforehaveto using aswipecard (whenthestripreaderis with theirmobilephonesasiftheywere that allowsitsSouthKoreanuserstopay 31 The institutioninquestionthereforeoffers Quick‑response (QR) codes. Samsung hasalsointegratedatechnology 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

Box 11 Contactless transactions using mobile devices

First, the near‑field communication (NFC) antenna must be enabled. In the Just touch your mobile against the payment terminal case of an Android smartphone, the user must choose an application that will and you’re on your way! handle the payment or that can designate a priority application for this type of service (and that will then launch automatically). The Observatory therefore feels that the user should be left to prioritise the applications accessing the NFC antenna. In France, for all contactless transactions of over EUR 30, mobile payment applications systematically apply strong customer authentication (SCA). Some applications allow the user to lower the transaction value at which SCA is required. When making the payment, the application initiates the transaction when the smartphone is touched to the payment terminal, and then requests authentication from the cardholder. The payment is then validated by touching the smartphone to the terminal a second time.

1. I touch my NFC‑enabled mobile 2. My contactless 3. I touch my phone to the terminal displaying payment application a second time to the terminal. the contactless symbol. activates and I enter A green light, a beep, my code on my mobile. and the payment is approved. I take my receipt.

At this point, user authentication can be through the use of a secret code (referred to in this case as “mPIN” for “mobile PIN”) or a biometric identifier such as a fingerprint or facial recognition. The practicalities of this process can differ. For example, the user can open the application and authenticate a transaction on the mobile device before touching it to the payment terminal to complete the transaction in one single smartphone‑payment terminal movement. Another possibility, which has not been made available by French institutions, involves touching the smartphone to the payment terminal once and then entering a personal identification number (PIN) on the terminal.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 69 70 CHAPTER 3 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 with thetransactionamountandanotificationissenttohismobileapplication. an authorisationrequesttothecustomer’s account‑holding institution. The buyer’s digital wallet isthendebited phone atthetimeofpayment. The scanactsasauniquecustomeridentifier. Themerchant’s terminal thensends involvesThe first the merchant scanninganimagethatispresentedbythebuyeronaphysical deviceormobile Several paymentmethodscanbeappliedaspart ofthepaymentsolutionsthatusethesetypesimages. Data storagetechnologies canbeappliedtoimages,someofwhich areshownbelow. Box 12 Barcodes Transactions byimagereading PDF417s 8.  7. 3.  2.  1.  9.  6.  5.  4.   The PSP sends a payment confirmation to the acquiring bank. The customerpresentsanimagetobescanned. The acquiring bank transfers thepaymentconfirmation The acquiringbanktransfers The merchant’s IT thedatarelated systemtransfers The merchant scanstheimage. to themerchant’s IT system. The integratortransmitsthepaymentconfirmation to theintegrator. The PSPsendsanotificationtoitscustomer. to thecustomer’s payment serviceprovider (PSP). thepaymentrequest The acquiringbanktransfers to themerchant’s (acquiring) bank. The integratorsendsapaymentrequest to theimagehispaymentsystemintegrator. DataMatrix codes

18 QR codes

…/…

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

The reverse process, which involves using a static image that identifies the merchant, can be found outside France, particularly in Asia. In both cases, security is relatively weak as the original image can be copied and reused. The second potential payment method involves enhancing transaction security by employing single‑use images. While the image verification circuit that triggers payment is identical, authentication elements of the application that generated the image as well as transaction data, and even information on the customer or merchant depending on who presented the image for scanning, are added to the image content. Cryptographic mechanisms ensure the integrity of the data generated and verified by both parties.

Innovative uses for remote transactions are being In‑app payments implemented in in‑store payment In addition to these arrangements, environments, particularly through The development of mobile services other mobile phone uses the use of geolocation to detect has necessitated payment solutions for in‑store payments are a customer’s entry and exit from that can be directly integrated within also emerging. For example, a store, and therefore trigger a a given application in order to offer technologies traditionally used payment if necessary. a seamless customer experience.

Box 13 Two other face‑to‑face mobile payment technologies

Other technologies are also used in solutions rarely found in France, two of which are particularly interesting. • BLE (Bluetooth Low Energy), also known as Bluetooth 4.0, is mainly used in Scandinavia. This technology facilitates communication at a distance of a few dozen centimetres between devices that have their own power source, which excludes payment cards. Merchants’ terminals have to be equipped with a compatible beacon to use BLE technology, which generally involves installing an additional dedicated device. • Sound wave technology, which uses sound waves to send and receive encrypted payment data from loudspeakers to microphones using a mobile phone. The transaction initiated by the merchant’s device generates a sound wave containing encrypted data related to the payment. These waves are received on the customer’s mobile phone and the algorithm converts them back into digital data and completes payment. Each transaction has its own unique sound waves and any disturbances during their transmission are managed by error detection codes.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 71 72 CHAPTER 3 consolidated files during the night group transactions and wait to send transactions immediately, others some solutionsprocesspayment In thiscontext, even though their payment information. the correct merchant before entering sure that the application comes from makesanyone usingtheseservices recommendsthat The Observatory merchant’s technical provider. service ora code)witha PSP and security their carddata (number, date expiry enrolling customers and recording These integratedsolutionsrelyon Merchants’ in‑appwallets third parties. belong to merchants and those from wallets:in‑app digital those that ofThere possibletypes aretwo findings remain valid. in its 2011 Annual Report andits wallets of digital on the security published The Observatory a study within the given application. walletsare genuinedigital used payments. In this context, they We therefore speakof “in‑app” ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 amn aa (cardnumbers, payment data when heorsheregistersthecard; the authenticationofcardholder card, which isgenerallyensuredby • environments ofmobiledevices; should beadaptedtothetechnical codes),which dates,security expiry • primarily cover: study, thesemeasuresshould they host. As specified inthe 2011 linked wallets tothedigital that these applicationsarethosedirectly measuresappliedtoThe security In‑app securitymeasures in placeby thePSP’s digital wallet. measuresput relies onthesecurity applications. The merchant thus wallet solutionintotheir digital interfaces allowing themtointegrate PSPs alsoprovide merchants with Third‑parties’ in‑appwallets the cardholder’s bank is impossible. strong customerauthenticationby or atafixed time.Inthelatter case,

the enrolmentofpayment the protection of sensitive private individuals Payments between the event ofsuspectedfraud. strong customerauthenticationin activity, by triggering ifnecessary account when monitoring user wallet,digital often taken into application andtherefore of the • strong customerauthentication. is deemednecessary, must beabletoapplya initiated bythecardholder, theissuer, whenit 34 transfer; and(iii) by payment card. credit of electronicmoney; (ii) by send funds:(i) by exchanging units available toindividualswishing money orfunds. Three solutionsare also known asP2Ptransfers of payments, person‑to‑person (P2P) these solutionsdonotcover but, withafew rareexceptions, by abusiness orby amerchant above for payments aresuitable The payment methods described PSD2 statesthatforalltransactions the fraudulentuseof 18

34 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

By electronic money required. In France, the vast majority Mobile payment security issues of institutions that provide payment One approach to providing this services to individuals have a mobile The main security issue for payments service is to open an electronic online banking application through made using a mobile device is the money (e‑money) account with an which this type of service can be protection of the data used to initiate a approved institution. Transferring performed. In addition, some banks transaction. The innovation and maturity money between the payment offer the “Paylib entre amis” service, of data protection solutions have accounts of two customers of the which allows customers to transfer contributed significantly to the recent same institution results in a simple funds to an individual on the basis boom in mobile payments. However, accounting entry in the PSP’s books. of that person’s mobile phone there is no one‑size‑fits‑all security To simplify their use, electronic money number (the service ensures that solution. The different conditions for institutions provide a mobile app to the number corresponds to the IBAN). each mobile payment, which were their customers so they can consult The advent of instant credit transfers35 presented in the previous chapter, their account balance, review their will encourage this type of use. require different security features. transaction history and transfer funds. This is how the solutions proposed By payment card For face‑to‑face payments as well by Lydia, S‑money, Pumpkin, Leetchi, as mobile P2P payments, the most and, initially, PayPal operate. Card payment systems, particularly common method used to date is Visa and Mastercard, have contactless payment through the The Observatory reiterates that developed solutions that allow an electronic money infrastructure, this activity requires authorisation individual’s account to be credited using a digital wallet associated from the Autorité de contrôle in less than 30 minutes on the basis with a communication channel. prudentiel et de résolution (ACPR, of their card data. The networks This mainly relies on NFC technology Prudential Supervision and concerned ensure that a satisfactory (for face‑to‑face payments) or Resolution Authority). level of security is maintained by QR codes to complete a transaction: insisting that companies wishing By credit transfer to use this solution must seek their authorisation to do so. For example, Another approach is to arrange a Leboncoin and Vinted, two platforms credit transfer to a payment recipient, for individuals who want to offer 35 Within the Single Euro Payments Area (SEPA), funds can be transferred to a for which the latter’s international goods or services for sale, offer this recipient account in less than 10 seconds using bank account number (IBAN) is type of service to their users. the SEPA Instant Credit Transfer.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 73 74 CHAPTER 3 the need for standards security highlighted end, the Observatory payments canbeguaranteed. To this card tothatofcontactless security deployed ifanequivalent level of payment solutionshouldonlybe howeverrestates of thatthistype mobile face‑to‑face payments, it players to innovate in the field of encourages While theObservatory and 2015Reports. Annual payments inits 2007, 2012 2009, recommendations onmobile issuedThe Observatory mobile payments recommendations withregard to Previous Observatory generated codes. the payment applicationsandthe that concentrateonprotecting QR code mainly involves measures • communication interface; particularly thecontactless smartphone’s physical elements, payment applications,aswell asthe securing theoperatingsystem and • the NFCchannel involves both

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 securing mobile payments via securing mobile payments by an additional level by of security solutions, the development of tokenisation reiterated itscommitmentto In addition, the Observatory technical problems. providers intheevent offraudor framework that protects the pilot solutions within a contractual level offered ofsecurity by the trials attempt toassesstheoverall models over theirlifecycle. These various proposedinfrastructural the proceduresfor protectingthe the new functionalitiesandtotest payment schemes to implement involving card issuers and card raised the need for pilot schemes In thisregard,theObservatory into consideration. proposed by the available solutions allthenewto take functionalities these initiatives, which must beable encourages thedevelopment of been introduced. The Observatory and for thewholelifecycle have ofsolutionsintheirentirety security few years, certificationsfor the proposed solutions.Over thepast applied toevaluate andcertifythe payment systems, which canbe adapted tothesenew face‑to‑face 36 which can provide that usesNFCtechnology does The Observatory repeatsitsThe Observatory payment usingmobiledevices. solutions offering in‑storecard implemented inthedifferent by payment cardnetworks and is now arequirementimposed payment data. This recommendation limiting the circulation of sensitive paymentsfor andby non‑contactless theuseofacardnumber reserving payment transactions. technical specificationsthatgoverncard the industryforgrandmajorityof 37 card detailsrequiredforpayment. time‑limited tokenthatisassociatedwiththe 36 to beupgradedsupportthisnew noted thattheterminalswillhave generation. Itshouldhowever be –EMVsecond the EMVstandard as partofthefuture updateto shouldbemadeavailablecapability not allow for this possibility. This MasterCard VISA) (Europay current EMV The theft.mitigate theriskofdata even if tokenisation techniques devices andpayment terminals, communications between mobile of commitment totheencryption The EMVstandardsareappliedby Technique involvingasingle‑useor 18 37 standard ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

standard’s implementation, thus can be used to pay for a purchase. capabilities of smartphones and necessitating a major migration In addition, there are digital wallets cards could also be put to work in over a period of several years. offered mainly by banking or this framework to further streamline e‑money institutions that can be the customer experience.38 used to pay by bank transfer. Enrolling a payment instrument in a digital wallet Enrolling a card in a digital wallet

involves collecting the data on 38 Due to the measures in place to protect At the moment, at least one the card, either through character contactless payment transactions, only specific card data (the card number but not payment instrument must be recognition from a photo or by the cardholder’s name, for example) could thus enrolled in a digital wallet before it manual cardholder entry. The NFC be collected.

Box 14 Tokenisation of a card

1. In order to enrol a new card, the mobile app sends a token request containing the payment card details (number, expiry date and security code).

2. The token requestor (TR) sends a request to the token service provider (TSP) of the card‑issuing bank to generate a token.

3. The TSP asks the issuer to validate the request, particularly by checking that the card is not reported lost or stolen and by confirming the card details.

4. The issuer approves the token request.

5. After generating a new token, the TSP transmits it to the TR.

6. The TR transmits the token to the mobile app to be used in place of the enrolled card’s number.

During this process, the issuer generally asks the cardholder to confirm that he or she has requested the token. This phase can be implemented in different ways, depending on the digital wallet.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 75 76 CHAPTER 3 mobile device. techniques) andtoauthenticatethe encryption sensitive data (using walletdigital publishertoprotect the system implemented by the keys. These functionsform partof wallets, such ascryptographic functions adaptedtodigital wallet, aswell asothersecurity in conjunctionwiththedigital period onlyandcansolelybeused a token, which isvalid for alimited More precisely, the TSP provides that each token requestislegitimate. authentication proceduretoensure the institutions implementan issuer’s criteria.exception, Without process mustcomplywiththe analysis dedicated to the enrolment in placeandtheresultofrisk walletwith the digital must be compatibletokenisation service generated,a to be – thetoken – In order for thiscardnumber “alias” providers. service or oneof its cardissueritself is usually the for thecard‑issuing bank. The TSP provider (TSP) the token service sendsarequestto requestor (TR) identification number, used in‑store.Based onthebank card payment whenthecardis techniques to better secure a walletsDigital applytokenisation ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 39 the token that ofsmartcardsallfocused onthe to reach alevel similarto ofsecurity The first technical solutions proposed by mostmobileapplications. cards arestricterthanthoseapplied requirements for smart payment more widespread, the security mobile device isgraduallybecoming Although in‑storepayment usinga security solutions Cutting edge mobilepayment allows ittocommunicatedirectlywiththenear‑field communication (NFC)interface. integratedintothemobiledevice’s operatingNote: Hostcardemulation (HCE)isaservice system that Figure 1 and hostcardemulation (HCE) Secure element (SE) a service integrated into thea service (hostcardemulation)is HCE their deployment. application wasto amajorobstacle oftheir and commercialcomplexity but thetechnical, organisational achieved through these solutions, high degreeofcertified security was use ofasecureelement (SE). A very corresponds tothefirstsixnumbersonacard. 39 emulation (HCE) technology. solution–hostcardalternative system helpedtopopularisean Android mobilephoneoperating contactless payments,in 2013, the theslowgrowthin mobile Given The bankidentificationnumber (BIN) 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

mobile’s operating system that and storage space for applications. TEE and QR code technologies, allows software applications Thus, when the payment application as well as their advantages installed in the mobile to is running, the TEE isolates it (or its and drawbacks. communicate directly with the NFC most sensitive part) from the rest interface via dedicated application of the applications running on the Secure elements (SE) programming interfaces (APIs). mobile phone. Securing mobile payments Generally speaking, the first solutions therefore relies on the security SE, HCE and TEE‑based solutions for mobile face‑to‑face payments features provided by the operating provide security for contactless established the SE as a central system but these software features payments but can only work if there component through which all NFC do not offer the same level of is an NFC controller (a wireless communications, particularly for security as an SE. Additional antenna that communicates contactless payment transactions, security measures have therefore with the payment terminal). had to pass. To achieve this, the single been applied to compensate. So Entry‑level smartphones rarely wire protocol (SWP) was developed far, the payment industry’s most have this component due to cost to secure the exchanges between commonly adopted measures to reasons. Therefore, a number of the mobile’s NFC component limit the exposure of payment data service providers have decided and the SE. These solutions are to HCE‑induced risks are data and to develop payment solutions called “SE‑centric”. application scrambling40 techniques based on QR codes, which have and tokenisation. The tokenisation the advantage of working on To carry out secure transactions, a process is effective as long as the almost all smartphones. In terms certain number of operations, such tokens are stored in a trusted space of completing the transaction, as authentication, signature and on the phone. this is the most straightforward validation by PIN, must be protected. type of payment for consumers, A second technology known as once a compatible application as TEE, for “trusted execution has been installed on the environment”, is also worthy of smartphone, payment can be 40 In this context, the terms obscuration, mention out of the proposed initiated by simply taking a photo of obfuscation and masking may also be used. compensatory security measures. a QR code with the smartphone’s These techniques consist in protecting applications against reverse‑engineering The TEE is a software solution camera (or by presenting an attacks, which allow a malicious entity to integrated into a number of application‑generated code on the interfere with the normal functioning of a payment application and, for example, to smartphones, which consists in mobile device’s screen for scanning authorise the non‑execution of cardholder an execution environment with by the merchant’s terminal). The authentication. Similarly, sensitive data can be fragmented and stored in a dispersed way a security level similar to that of following sections present the in the device’s memory, complicating their an SE, providing secure memory operating principles of SE, HCE, retrieval by an attacker.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 77 78 CHAPTER 3 secure NFC applicationsanditis secure NFC first to promoteamong thevery Mobile networkoperatorswere providers.mobile payment service who canenableSIM‑carduseby with mobilenetwork operators, and managedinpartnership technology (SIM‑NFC) aredistributed Solutions basedonSIMcardSE SE‑type components Three architecturesoffering card. component oramemory several forms: aSIM card, a mobile In a mobile phone, the SE can take verification.electronic identity such aspayment, accesscontrolor functions for secureapplications protection and backupdata the transaction authentication, payment cardchips. Itperforms principles as those applied in that usesthesamesecurity The SEisahighlysecurecomponent personal data. keysas passwords, encryption and store confidential information, such to and a secure memory services processing provides cryptographic This istheroleofSE,which ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 need for aSIMcardtoprovide the withoutthe secure NFCservices manufacturers tooffer their own configuration allows mobile a separatecomponent. This eSE the mobile’s microprocessor oreven be integratedintotheNFCcontroller, with an NFC antenna. The eSE can in new mobilephonesequipped are becomingincreasinglycommon Embedded secureelements (eSEs) which canprove tobe insufficient. intheSE, the applicationsinstalled the correct functioningofsome available required to enable memory SIM‑NFC format isthe amount of protected. The maindrawback ofthe SIM card, sensitive remain data the event oftheft orlossofthe integrated intotheSIMcard.In directly intheSE,which isitself that the applications are hosted ofthisformatmain advantage is the market involume terms. The of largemajority account for avery bodies, mobilenetwork operators devised throughinternational by buildingoncommonstandards rights viatheirmobilenetworks, and an infrastructure tomanageaccess Bydevelopingare usedasthe SE. entirely natural thattheirSIMcards the leaders of the targeted market. the leadersoftargeted phone manufacturer oratleastwith develop partnerships with each mobile operators, they mustnevertheless partnership with mobile network no longerforced toenter into a providerspayment are service component ofthedevice. While thanks totheSE’s integration asa benefit fromenhancedperformance providers thatrelyonthistechnology means ofsecurity. Payment service must have an NFC antenna‑enabled France afew years ago,customers “SIM‑centric” –modellaunched in solutions, such astheSIM‑NFC–or In order to subscribe to the deployed the ecosystem’s implementation. players andthus complicate marketinterdependence between may createrelationshipsof These three SEarchitectures involving severalplayers A paymentprocess rarelyused. are very operators andmanufacturers, but to thetechnologies offered through cards (SD‑SE) provide analternative SEs onmicroSDslot‑inmemory 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

smartphone, a SIM card with an efforts to standardise solutions in these technologies becoming more integrated SE and a contract with the sector. This slow convergence of widely used. a mobile network operator that is solutions towards a tried‑and‑tested a partner of their bank. The mobile standardised framework (use Faced with these obstacles, some network operator, which owns the cases and customer paths) has market players have developed an SIM card, checks eligibility to the been one of the major obstacles alternative to SE solutions and have requested NFC service in order to to NFC mobile payments based on introduced HCE technology. allow the bank to remotely administer the payment service on the SIM card. A partnership between the operator and the bank must therefore be in place upstream. The bank can then Figure 2 deliver the mobile payment service NFC mobile network operators by accessing a secure area on the for a SIM‑centric model customer’s SIM card.

This model has created the need for a new player, the trusted service manager (TSM), responsible for acting as a reliable interface between the different players involved in the operation of a secure NFC application. The TSM manages the technical relationships between the mobile network operator, the bank and other secure service providers in order to make available, download and maintain the applications in the end user’s mobile. Note: SE – secure element; TSM – trusted service manager. However, in practice, the proliferation Mobile payment service operators are known as MNO (mobile of the players involved has resulted in network operators). problems of interoperability, despite

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 79 80 CHAPTER 3 data associatedwiththepaymentdata flexibility for hostingthesensitive HCE technology offers greater but flexible approach Technology thatallowsasecure banking application’s sensitive data. on thesolutionchosen tohostthe routing whilethe TSM’s role depends channels withthemobilefor data and managingcommunication then limitedtoitsroleofproviding operator’s involvementnetwork is payment applications. The mobile mobile on themobileand(ii) the any other physical component present (i) the NFCcontrollerand contactless a specificsoftware layer between SIM‑centric solutions,by introducing architectures, particularlythatof that untilnow hasreliedonSE‑based and transformsmodel theestablished using theSEasacentralcomponent The HCEarchitecture breaksfrom widely available. at theendof 2013 thatitbecame within the Android operatingsystem only whenitwas adoptedby Google in 2012,first put forward butit was technology wereemulation (HCE) The specificationsfor hostcard Host cardemulation (HCE) ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 solutions basedonpayment card are SEs hostedonaremoteserver hosted paymentcardsoftware SE inthecloud:asecureandremotely a service, TSM isnolongernecessary. directly supported by a remote management of sensitive is data wherethe “SE inthecloud”type, scenarioisofthe implementation • keys;cryptographic over and theadministration ofdata the service, control TSM retains on theuseofanSEora TEE • keys used); management ofthecryptographic that particular attention is paid to the techniques (ensuringand encryption such as,for example, scrambling combining several ofmeasures types andoftensecurity necessitates particular vigilanceintermsof payment application requires • in thecloud”solution): as a cloud (the “SE TEE, or(iii) the a securemobileenvironment such (i) the applicationitself, (ii) an SE application. They can be hosted in

if the chosen solution is based storing sensitive data inthestoring sensitive data if, ontheotherhand, 41 or or entire security component.Keys,entire security thatactsasthe a network server on themobileinordertoaccess a minimalsoftware element security secure environment –the TEE –or common, relyonanintegrated are becomingmoreand connection. These solutions,which mobile, require a mobile internet than using a secure elementon the emulation software, which, rather case, theSEhostsapplicationanddata). executed byanapplicationintheSE(inthis act asafunctionforroutingcommandstobe 41 online, or (B)offline. a transaction,which canbedone (A) out conditions intoaccounttocarry must coveragenetwork take HCE solution, the payment process In the case of an SE in thecloud‑type of smartphones. tothevarious generations adaptation greater flexibility of use andeasier operate theservice. This resultsin and smartphone manufacturers to also ofthemobilenetwork operators capabilities of the mobile itself, and secure server, freeingupthesecurity are thusremotelymanagedonthis certificates andtransactionrights Conceptually, anHCEapplication can simply 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

(A) Online, the transaction is Figure 3 performed synchronously with the HCE SE in the cloud – SE in the cloud server. When the online payment mobile phone is held close to the electronic payment terminal (EPT), it transmits the contactless request to the application hosted in the operating system (1). The application then handles the call to the remote server that hosts the virtual secure element (2) in order to retrieve the data necessary to perform an EMV transaction in real time and transfer them to the mobile’s NFC controller (3). The mobile then transmits the data to the EPT (4). To secure the transaction, certain data, such as the card number, are also sourced from a “tokenisation” service, which generates single‑use application (carried out online) However, in the absence of a numbers, thus preventing the is split from the subsequent sufficiently secure space in the same data from being reused for transaction completion phase mobile, the possibility of using fraudulent purposes. The remainder using the recovered data (carried loaded data must be restricted, for of the transaction is completed in out offline). The first phase is carried example over time. Requirements the same way as a contactless smart out online by querying the remote in this respect have notably been card payment by transmitting the server (1), which sends back the developed by card payment systems transaction to the merchant’s service data that are useful for one or more such as Visa and Mastercard. provider (5). In fact, HCE and its SE transactions (2). These data are then in the cloud mode actually simply loaded on the mobile. The data Trusted execution environment (TEE) involve the contactless acquisition loaded on the mobile are used at the of remotely stored dematerialised moment the contactless transaction The TEE is a space secured by hardware payment card data. is carried out (3), with the connection and software devices, included in to the mobile operator’s network no the mobile’s microprocessor. It only (B) Offline, the initial data recovery longer required and the transaction provides security‑related services and phase of the NFC payment completed as before (4). has its own operating environment

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 81 82 CHAPTER 3 or payment accountidentifiers, etc.) passwords, such bankdata ascard keys, protect data (cryptographic precisely tocontrolaccessand The roleofa TEE ismore all follow thesameconcept. onthemarket, they implementations Although there are several TEE independent of the operating system. ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 Figure 5 Figure 4 online retrievalofpaymentdata HCE SEinthecloud– HCE SEinthecloud– offline payment in particular. and mobile payment applications for bankinguses especially suitable Due toitscharacteristics, TEEs are the mobile’s environment. they areseparated fromtherestof the mobiledevice by ensuringthat internal andexternal attacks on and sensitive applications from smartphone’s camera module. card or bank account, and on the application linked to a payment above. Itisbasedonapayment the secure environments described including thosewithoutacontrolleror available to all smartphone owners, technology using QR codes is mobilepaymentContactless QR codes application that uses them, on both application thatusesthem,onboth is thusessentialthatthepayment deciphered by ahuman being and it However, QRcodescannotbeeasily differentnecessity in appearance. different actions are therefore by visually. Two QRcodesprompting be alteredwithoutbeing The content of a QR code cannot that unalteredQRcodesareused The needtoensure based onthistechnology. solutions between interoperability developed topromotegreater QR Codepayment specifications, models are covered by EMVCo’s (see Box 12). the QR code These code and(ii) the merchant presenting (i) the customerpresentingtheQR paymentcontactless modelsinvolve The two mostcommonQR code 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

the customer and merchant sides, passwords) and payment card or smartphone’s operating system while is authentic. This is the only way to bank account details, are generally encrypted sensitive data are stored ensure that the generated QR codes stored in the payment application. in the smartphone’s environment, are legitimate. These data are encrypted through however, presents a number of risks cryptographic algorithms in order to in terms of data theft and therefore Issues related to prevent theft and fraudulent access. fraud. A more secure solution to the protection of sensitive data protect against such risks would be This configuration, where to deploy the payment application Sensitive data, such as personal the payment application is and store sensitive data in a secure information (PIN codes and installed and executed in the environment such as a TEE.

Box 15 Security assessment of mobile payment solutions

The security of these payment solutions depends both on the security assessment of the devices used and also on the security of the solution’s lifecycle management processes, particularly the process of user enrolment in payment applications. As with EMV (Europay MasterCard Visa) smart payment cards, for solutions based on a physical security component, the existing assessment and certification processes, such as those conducted under the aegis of the Agence nationale de la sécurité des systèmes d’information (ANSSI, the French National Cybersecurity Agency), guarantee a high degree of device security. In the case of software solutions, the scope to be considered is broader than for a physical security component, as it has to take the entire system into account, i.e. the payment app and services potentially hosted on remote servers. The assessment process put in place must provide assurance that the level of security of these software solutions is comparable to solutions based on a physical security component. The main card payment systems (CB bank cards, Visa, Mastercard, American Express) have set up software security solution assessment protocols. The protocols are adapted to these solutions, which develop and evolve more rapidly, and rely on the abilities of testing laboratories, such as those recognised by ANSSI. In addition, certain smartphone manufacturers and mobile security solution providers have decided to have their security solutions (or at least the critical parts) certified by an authority such as ANSSI.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 83 84 CHAPTER 3 mechanisms beputinplacethat recommends that reliable More specifically, the Observatory protects theusersofthesesolutions. • are consideredrisky; authentication for transactionsthat solution managertriggeringsecure • enrolled inthepayment application; provider whenthecardis service mechanism by auser’s payment • bydata alltheplayers involved; • of: the implementation mobile payment solutions,namely payment cardsandalsoadaptedto previously limitedtotheuseof wallets,on digital which were it made in its 2011 Annual Report expands upontherecommendations repeatsandThe Observatory the Observatory recommended by Security measures ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 the protectionofsensitive payment the use of a secure authentication the useofasecureauthentication risk analyses by thepayment a contractual framework that

users whilestressingtheneedto their applicationsmorevisibleto measures integrated into security application providers tomake the encourages mobilepayment theObservatory Generally speaking, of thesystemisidentified. ordata or confidentiality even availability breach likely toaltertheintegrity, to usersassoonasecurity updates to their solutions available providers) tomake corrective or paymentas security solution all otherinvolved parties (such smartphone manufacturers and mobile operatingsystem suppliers, Moreover, callson theObservatory made inits 2014 Annual Report. subject totherecommendations authentication arrangements is as acomponentofsecure reiterates thattheuseofbiometrics In addition, the Observatory exploited aspartofmobilepayments. factors, which areincreasingly particularly thoseinvolving biometric andauthenticationdata, payment data whichdata, includebothsensitive ensure securestorageofconfidential for payment authentication,and requirementsPSD2’s regulatory and payment security, in line with improve boththeuserexperience development of solutions that to continueinnovate inthe urgesplayersThe Observatory these applications. to combattheunauthoriseduseof deploy effective countermeasures numerical sequencessuch as “1234”, with care,avoiding for example, at leasttheirpayment applications, mobile authenticationprocesses,or usedforand any otherpersonaldata • mobile’s operating system; • of mobilepayment applicationsto: Lastly, advisesusers theObservatory particularly onmobiledevices. of paymentof security solutions, for regularassessmentsofthelevel its recommendationontheneed repeats respect, theObservatory Payments Committee. Inthis driven by theNationalCashless with thenationalpayment strategy choose secret codes, passwords regularly update their 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 CHAPTER 3

birthdays or alphabetical sequences, deletion option in case of loss or • avoid as much as possible such as “QWERTY”, and change theft of mobiles; carrying out payment transactions them regularly; on mobile devices when the • use only trusted applications, communication channel is not • activate, if allowed by the particularly those recommended dependable (unsecured public Wi‑Fi operating system, the remote data by payment service providers; connections, for example).

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 85

A1 APPENDIX 1 Security recommendations for the use of payment means

Fraudsters are always trying to find new ways to bypass ever more stringent security mechanisms. This is why the users of cashless payment means (cards, cheques, credit transfers and direct debits) must be increasingly on their guard and make sure they keep abreast of the protection mechanisms in place and recommended secure payment habits.

A number of types of fraud targeting cashless payment means have been identified:

• issuance of fake payment orders, either involving the theft or counterfeiting of a physical payment instrument, or through the misappropriation by a third party of data or banking credentials;

• misappropriation or falsification of a valid payment order, through the duplication of a payment order issued by the lawful holder of the payment instrument or the modification of information contained on it (amount, name of the beneficiary or payer, etc.);

• fraud involving the use or wrongful repudiation by the lawful holder of a payment instrument, whereby a validly issued payment order is disputed without grounds, resulting in the cancellation of the receipt of funds.

These different forms of fraud do not all apply in the same manner to the various payment instruments and vary depending on the payment initiation channel used (face-to-face payments, remote online payments, online banking, etc.).

The security of your payment instruments hinges directly on your own safety habits.

Please follow these basic security recommendations to protect your transactions.

Be responsible

• Your physical payment instruments, such as your card or chequebook, are strictly personal: never lend them to anyone, even your closest friends and relatives. Check regularly that you still have them and keep them in a safe place, preferably separate from your ID documents.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 87 88 APPENDIX 1 • • • When makingpayments to businessesorindividuals Be aware • • • •  your bank,especiallyby phoneoremail. These bodiesarenever likely torequestsuch information. Do notdiscloseyour passwords, personalidentifiers andlog-inIDstoadministrative orjudicialauthoritiesto • •

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – Watch how themerchant uses your card.Donotletyour cardoutofyour sight. terminal, ATM ortelephone withyour otherhand. When enteringyour PINorsecretpassword, make surethatnobodycanseeit.Shieldthekeypad onthe entered, particularlytheamount,before you signthecheque. When a cheque is automatically filled in by a merchant, pay careful attention to the information that they have If the payment instrument comes with a personal identifier (PIN for a card, password for a mobilephone Regularly consult the security adviceprovidedRegularly onyour consultthesecurity bank’s website andmake surethatyour bankhasyour anything, fill in the name of the beneficiary andtheamounttobepaidinfigures andin anything, fillinthenameof thebeneficiary letters without leaving Make sure tocheck theamountdisplayed ontheterminalbefore validating thetransaction. (email address,socialnetwork account,etc.)oncethey have received thepayment. have beenmadeavailable ordelivered toyou; they may befraudsterswhowilldeleteallmeansofcontact Never agreetopay asellerorlessorofgoodswhoyou donotknow by money transfer before thegoods should notdiscloseyour passwords orpersonalidentifiers to thepersoncontacting you. account. Shouldyouryou bankcontact by phoneoremailregardingsuch transactions,rememberthatyou shoulditneedtogetintouch details contact withyou quickly toverify any suspicioustransactionsonyour Read yourcarefullyandregularly. statements do, never keep itwithyour payment instrument orinsuch away thatitcouldbelinked toit. payment, etc.),keep itsecretanddonotdisclosetoanyone. Memoriseit. Avoid writingitdown and,ifyou Certain precautionswhenfillingouta Certain cheque helpreducetheriskoffraud:donotcrossoutor write over 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 1

any gaps and then draw a line through any unused space. The place of payment and the date must be entered at the same time as the other information. Your signature must not encroach on the line of numbers at the bottom of the cheque. Under no circumstances should only your signature appear on a cheque without the amount and beneficiary, which should be filled in before your signature.

When withdrawing cash from ATMs

• Check the appearance of the ATM. Try not to use machines that appear to have been tampered with.

• Only follow the instructions displayed on the ATM screen: do not let strangers distract you, even if they are offering assistance.

• If the ATM swallows your card and you cannot retrieve it immediately from the branch, report it right away.

When making online payments

• Do not store your bank details on your computer (card number, account number, IBAN – International Bank Account Number and SWIFT codes, etc.), never send them in an ordinary email message and verify the security features of the merchant’s website when you are required to enter them (padlock in the lower corner of the window, URL beginning with “https”, etc.).

• Make sure you are dealing with a reputable company and that you are on the correct site and read the legal notices and general terms of sale carefully.

• Do not reply to an email, SMS, phone call or any other invitation that you find suspicious. It is particularly important never to click on a link in a message that refers to a banking website.

• Protect your computer by running the security updates offered by software editors (usually free) and by installing antivirus software and a firewall.

• Regularly change your passwords and do not select the ’save’ option to memorise them for future use (should your identifiers and bank details be intercepted, you could be exposed to fraud across all of your means of payment).

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 89 90 APPENDIX 1 • Remember totaketheinternationaltelephonenumbersfor reportinglostorstolenpayment instrument. • When travelling to othercountries •  • • • When receiving apayment orapayment order •

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – and thatnothinghasbeencrossedoutorwritten over, which couldbeanindicationoffraud. is consistent(beneficiary, amount, cheque numberontheMICR[MagneticInkCharacter Recognition] line) name ofthepaying bank,andthedateplaceofissue cheques. Check alsothattheinformation Verify thatreceived information,thesignature cheques notably oftheissuer, allthemandatory contain the address) corresponds totheinformationinyour contained contractwithit.Ifyour bankhascompiledalistof When you receive adirectdebitmandate,check thattheinformation onthecreditor(name/company name, creditors authorisedtomake directdebitsfromyour account(whitelist),make sureyou keep thelistup-to-date. card protectionsystems thatmay beimplemented. Find outwhatprecautionsyou your needtotakeandcontact cardissuerbefore leaving tofindoutaboutany validity ofthedocument before finalisingthetransaction. and phonenumberyourself (donotrelyontheinformation provided onthebanker’s draft) toconfirmthe Should you receive a banker’s draft ifyou (e.g. sellyour theissuingbankby car),contact findingitsaddress that thepayer canbe trusted. agreeing to the transaction. If in doubt, check with the payer’s bank that the payment means is valid and sale transaction), verify that the information provided is correct (name, address,payer identifier, etc.) before on which you have anaccount. Should you receive aremotepayment fromapayer you aspartofanonline donotknow personally(e.g. Do not use the same password for your means of payment, your online bank account and any other websites 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 1

Know what to do

If your payment instrument or banking credentials have been lost or stolen

• Report it immediately by calling the number provided by your bank or the issuer of the payment instrument. Do this for all lost or stolen cards, chequebooks or mobile devices with payment applications. Similarly, inform your bank if you have communicated your bank details (account number, IBAN and SWIFT codes, etc.) to a dubious third party.

• In the event of theft, file a complaint with the police as soon as possible.

If you report a lost or stolen payment instrument promptly, you will be covered by provisions limiting your liability to the first EUR 50 of fraudulent payments. If you fail to act promptly, you could be liable for all fraudulent payments made before you report it missing. Once you have reported it lost or stolen, you can no longer be held liable.

If you notice any unusual transactions involving your means of payment

Contact your bank promptly to verify the validity of any unidentified payment transactions or ones that you are uncertain about. Be sure in particular to contact your bank should you receive information by phone, email or SMS confirming or requesting your approval of payment transactions that you have not initiated.

If you see any unusual transactions on your statement, and your means of payment are still in your possession

Report this promptly so that you are protected against any new fraudulent attempts using misappropriated payment data.

If you file a claim within 13 months of the debit date of the contested transaction (time limit set by law), with your account servicing payment service provider (PSP), the disputed amounts must be immediately refunded to you at no charge. If you do this, you will not be liable. Nevertheless, you will be held liable in the event of gross negligence on your part (e.g. you let someone see your card number and/or PIN and this person has used your card without telling you) or if you deliberately fail to comply with your contractual security obligations

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 91 92 APPENDIX 1 in theaccount). lost orstolen,aswell asanyifthereareinsufficient othercostsresultingfromthesetransactions(e.g. funds will notapplyandyou willbeliablefor allamountsdebitedbefore andafter reportingthepayment instrument Naturally, intheevent onyour offraudulentactivity part,theprotective mechanisms provided for underthelaw your cardwithouttellingyou). you(e.g. have been careless enough to tell someone the card number and/or the PIN and this person has used ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 2

A2 Payer protection in the event of unauthorised payments

The Order transposing the Second Payment Services Directive (PSD2) which came into force on 13 January 2018, amended the legislative framework concerning payer liability in the event of an unauthorised payment transaction. However, the key principles of the original Payment Services Directive remain unchanged.

The burden of proof lies with the payment service provider (PSP). Accordingly, if a payer denies having authorised a payment transaction, the PSP has to prove that the transaction was authenticated, accurately recorded and entered in the accounts and not affected by a technical failure or some other deficiency. The law strictly governs the arrangements concerning forms of proof, stating that the use of a payment instrument registered by the PSP shall in itself not necessarily be sufficient to prove either that the payment transaction was authorised by the payer or that the payer failed with gross negligence to fulfil one or more of his or her obligations in this regard.

The transposition of PSD2 provides that in the event the disputed payment transaction involved a Payment Initiation Service Provider (PISP), the payer must inform his or her account servicing PSP of the payment transaction. The latter is required to arrange repayment and subsequently address the PISP, which has to prove that the payment transaction was authenticated, accurately recorded and entered in the accounts and not affected by a technical failure or some other deficiency.

However, to determine the extent of the payer’s liability, it is necessary to identify whether the disputed payment transaction was carried out within the territory of the French Republic or within the European Economic Area (EEA).1

1 The European Economic Area is made up of the European Union, Liechtenstein, Iceland and Norway.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 93 94 APPENDIX 2 Polynesia andtheislandsofWallis andFutuna. 3 2 of EUR50). of the PSP, the payer shall not be held liable and shall not be liable for any financial losses (even up to the maximum loss ofhisorherpayment instrument, by orifthelossisresultofactionstaken apersonunder theresponsibility credentials ifitwascarried impossiblefor outwithout usingthepersonalisedsecurity thepayer todetectthetheft or payment transactions,uptoamaximumofEUR50,resultingfromthepayment instrument’s use.Ifthetransactionis Before reportingthepayment instrument lostor stolen,thepayer couldbeliablefor lossesrelatingtoany unauthorised Prior to notificationto block thepayment instrument becoming aware oftheloss,theft ormisappropriation ofthepayment instrument orofitsunauthoriseduse. extended to 13 months, the holder of the payment instrument should notify his or her PSP without undue delay on Further financialcompensationmay alsobepaid. Althoughthemaximumtime for disputingtransactionshasbeen the PSPhasjustcausetosuspectfraudonpartofpayer. Inthiscase, theBanque deFrance mustbenotified. payment transactionnottaken place. The transpositionofPSD2provides for adelay inrepayment intheevent that inwhichwhere applicable,restorethedebitedpayment accounttothestate itwould have beenhadtheunauthorised then requiredtorefundthepayer theamountofunauthorisedpayment transactionwithinonebusinessday and, that heorshedidnotauthorisethepayment transactionwithin13 monthsofthedebitdate. provider is The service fraudulent useorcounterfeiting) ofapayment instrument, mustinform theuserofpayment thePSP service • • These protective measurescover: Domestic andintra-Community transactions As regards unauthorised transactions, i.e. in practice, in cases of loss, theft or misappropriation (including by remote and carried outineuroorthedomesticcurrency ofonethosestates.

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – The Orderof9August2017thattransposesDSP2intoFrenchlawprovides thatthemajorityofitsprovisionsapplytoNewCaledonia,French The CFP(coloniesfrançaisesduPacifique–FrenchPacificcolonies)francorfranc. intra-Community transactionsinwhich andthepayerintra-Community respectively thebeneficiary callonaPSPthatislocated: payment transactionsmadeineuroorCFPfrancs – – in another state party totheEEAagreementonother, party in anotherstate in metropolitan France,in metropolitan inthe French overseas departmentsorinSaintMartin,ontheonehand, 2 within the territory oftheFrench withintheterritory Republic; 2018 3

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 2

The payer is not liable if the unauthorised payment transaction was carried out through the misappropriation of the payment instrument or data related to it without his or her knowledge. Similarly, the payer is not liable in the event that the payment instrument is counterfeited, if the card was in his or her possession when the unauthorised transaction was carried out.

However, the payer shall bear all the losses relating to any unauthorised payment transactions arising from fraudulent actions on his or her part, or from a failure to fulfil the terms of safety, use or blockage as agreed with the PSP, whether with intent or through gross negligence.

Lastly, if the PSP does not provide appropriate means to report lost, stolen or misappropriated cards, the payer shall not be liable for any of the financial consequences, except where he or she has acted fraudulently.

After notification to block the payment instrument

The payer shall not bear any financial consequences resulting from the use of a payment instrument or misappropriation of the related data after reporting the loss, theft or misappropriation to his or her payment service provider.

Once again, if the payer acts fraudulently, he or she forfeits all protection and becomes liable for any losses associated with the use of the payment instrument.

Notification to block the payment instrument may be made to the payment service provider or to the entity indicated to the customer by the services provider, as applicable, in the payment service agreement or the deposit account agreement.

Once the user has notified the PSP that his or her payment instrument has been lost, stolen, misappropriated or counterfeited, the payment service provider shall supply the user, on request and for 18 months after notification, with the means to prove that he or she made such notification.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 95 96 APPENDIX 2 4 to 120 days. All unauthorised payment transactionsmustberefunded withinonebusinessday. The maximum timelimitfor disputingtransactions hasbeenchanged to70days andmay beextended by agreement • • There arespecificprovisions inplace for payment transactionsmade by cardwhen: payment transactions. Community repayment from hisorherPSPlocatedinFrance underthe sameconditionsasthoseapplicabletodomesticorintra- (or elsewhere whose PSP is located in the United States outside of the EEA), the payer of a beneficiary can request instrument Consequently, isusedintheUnitedStates. intheevent ofanunauthorisedpayment transactiononbehalf that hasapayment instrument issuedby aPSPlocatedinFrance canbenefit fromprotection even ifthepayment quite broadlyapplytothatpartofthepayment transactionthatiscarried outwithintheEEA.For example, apayer ofpaymentoutside theEEA.Inthistype transaction,often referred toas “one-leg transactions”, theDirective’s provisions PSD2 partiallyextends itsscopetopayment transactionsbetween aPSPlocatedwithintheEEAandanother Transactions outsideEurope cards, even ifthepayment transactionwas credentials. carried outwithoutusingpersonalisedsecurity In such cases,themaximumamountofEUR50appliestounauthorisedtransactionsperformed usinglostorstolen

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – A non-Europeanstateisathat is notpartytotheEEAagreement. is located in a state otherthan theFrenchis locatedinastate Republic, irrespective ofthecurrency used. in anon-Europeanstate, the issuerislocatedinSaintPierre andMiquelonorSaintBarthélemy, whosePSPislocated onbehalfofabeneficiary the issuerislocatedinNew Caledonia, French Polynesia or Wallis andFutuna, whosePSP onbehalfofabeneficiary 4 irrespective ofthecurrency denominationofthepayment transaction; 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 A3 APPENDIX 3 Missions and organisational structure of the Observatory

Articles R. 141-1, R. 141-2 and R. 142-22 to R. 142-27 of the Code monétaire et financier (French Monetary and Financial Code) set out the responsibilities, composition and operating procedures of the Observatory for the Security of Payment Means.

Scope

Pursuant to Article 65 of the Law of 9 December 2016 (No. 2016-1691) and in accordance with the national means of payment strategy, Article L. 141-4 of the French Monetary and Financial Code has been amended by extending the missions of the Observatory for Payment Card Security to all cashless payment means. Henceforth, in addition to cards issued by payment service providers or equivalent institutions, all other cashless payment means now fall within the scope of the missions of the Observatory for the Security of Payment Means.

In accordance with Article L. 311-3 of the French Monetary and Financial Code, a means of payment is understood as any instrument that allows any person to transfer funds, regardless of the form that such an instrument takes or the technical process used. The means of payment listed below fall within the remit of the Observatory.

Credit transfers, carried out by the payment service provider that holds the payer’s payment account, consist in crediting a beneficiary’s payment account with a payment transaction or a series of payment transactions from a payer’s payment account, pursuant to instructions from the payer.

Direct debits are used to debit a payer’s payment account, where a payment transaction is initiated by the beneficiary on the basis of the payer’s consent given to the beneficiary, to the beneficiary’s payment service provider or to the payer’s own payment service provider.

Payment cards are payment instruments that enable the holder to withdraw or transfer funds. There are different types of cards.

• Debit cards draw on a payment account and enable their holders to make withdrawals or payments that are debited in accordance with a timeframe set out in the card issuance contract.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 97 98 APPENDIX 3 • • ofPaymentSecurity Meanshasathreefold responsibility. Pursuant to Articles L. 141-4 andR. 141-1 for oftheFrench the andFinancialCode,theObservatory Monetary Responsibilities forand serves thatpayment. Trade billsincludeofexchange notes. andpromissory Trade thatthe bearer holds aclaimfor billsaremarketable securities that state payment of asummoney sumtothedrawerdemand (atsight)acertain ortoathirdparty, thebeneficiary. Cheques aredocumentswhereby aperson,thedrawer, instructs acreditinstitution, thedrawee, topay on otherthantheelectronicmoneyentity issuer. of fundsfor thepurposeofperforming payment transactions.Itcan beacceptedby anatural personorlegal claim ontheissuer. Itisissued(by creditinstitutions orelectronicmoney institutions) againsttheremittance valueElectronic thatisstoredinelectronicform, moneyincludingmagnetically, isamonetary representinga • • •

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 Commercial cardsareissuedtobusinesses,publicbodiesornatural personsengagedinanindependent harmonising procedures for establishing fraud statistics forharmonising proceduresfor fraud statistics the various establishing cashless payment means. of payment meanstotheObservatory’s secretariat. issuesrecommendationsaimedat The Observatory onfraud. It compilesstatistics These arecompiledfromthe information statistics reportedby theissuers ofpaymentthe security means. ofmeasuresadoptedbyIt monitorstheimplementation issuers,merchants andbusinessestostrengthen Prepaid cardscanstoreelectronicmoney. independent activity. with themaredirectlybilledtotheaccountofbusiness,publicbodyornatural personengagedinan activity. Their useisrestrictedtoexpenses incurred inaprofessional capacity, andany payments made particular credit-relateddelay. period. the issuer at the end of a certain The payment acceptor is paid directly by the issuer without any the customer. These tomake serve payments and/orcashwithdrawals. They enabletheirholderstopay Credit cardsarebacked by acreditlinethatcarries aninterestrateandamaximumlimitnegotiatedwith 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 APPENDIX 3

• It maintains a technology watch on cashless payment means, with a view to proposing ways to tackle threats to the security of payment instruments. To this end, it collects all the available information that is liable to reinforce the security of payment means and puts it at the disposal of its members. It organises the exchange of information between its members while respecting confidentiality where necessary.

In accordance with Article R. 141-2 of the French Monetary and Financial Code, the Minister of the Economy and Finance may request the Observatory’s opinion on various issues, setting a time limit for its responses. These opinions may be made public by the Minister.

Composition

The composition of the Observatory is set out in Article R. 142-22 of the French Monetary and Financial Code. Accordingly, the Observatory is made up of:

• a Deputy and a Senator;

• eight general government representatives;

• the Governor of the Banque de France or his representative;

• the Secretary General of the Autorité de contrôle prudentiel et de résolution (ACPR – the French prudential supervision and resolution authority) or his representative;

• a representative of the Commission nationale de l’informatique et des libertés (CNIL – the French data protection body);

• fourteen representatives of issuers of payment means and operators of payment systems;

• five representatives of the Consumer Board of the French National Consumers’ Council;

• eight representatives of merchants’ professional organisations and corporations, notably from the retail sector, the supermarket sector and remote sales and e-commerce channels;

• two qualified prominent persons chosen for their expertise.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 99 100

APPENDIX 3 bound by professional secrecyunder Article R. 142-25 oftheFrench andFinancialCodemust Monetary are and its secretariat reported to them, theGiven members of the Observatory of the data the sensitivity ensuring apayment meanstechnology watch. andthesecond workingfor fraudstatistics groups:thefirstisresponsible for harmonisingandestablishing could provide themwithinformation thatisusefultotheirmandates. hassetuptwostanding The Observatory majority. The groupsreportontheirwork ateach meetingoftheObservatory. They may hearallpersonswho Finance requestsitsopinion. definesthemandate andcompositionofthesegroups by absolute The Observatory may constituteThe working Observatory orstudy whentheMinisterofEconomy groups,notably and Minister oftheEconomy andFinancetransmitted toParliament. the thetechnologymeasures adoptedandmaintain watch inthefield ofpayment means. alsodraftsThe secretariat andcollectingmakingavailablefraud statistics, tomembers the information requiredtomonitorthesecurity and following uponmeetings, centralisingtheinformation requiredforofpayment theestablishment means The oftheObservatory, which secretariat isprovided by theBanque deFrance, isresponsiblefor organising working conditions. the casting vote in the event of a tie. has adopted internal rules of procedure settingThe Observatory out its areadoptedby absolutemajority.within theObservatory Each memberhasonevote andthePresident has a yearat least twice at the invitation of its President. The meetings are held in camera. Measures proposed In accordancewith Article R. 142-23 meets etseq.oftheFrench andFinancialCode,theObservatory Monetary Operating procedures Banque deFrance, isthecurrent President oftheObservatory. she hasathree-year termofoffice, which may berenewed. François Villeroy deGalhau,theGovernor ofthe The President membersby ischosen theMinisterofEconomy andFinance.Heor fromtheObservatory Their appointmentsshallberenewable. Governor oftheBanque Generalofthe deFranceACPR, andtheSecretary areappointedfor athree‑year term. The membersoftheObservatory, otherthanthemembersofParliament, the thoserepresentingthestate, arelistedin Appendix 4tothisreport. The namesofthemembersObservatory ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 Annual Report of the Observatory forofPayment theSecurity Annual Report Meansthatissubmitted oftheObservatory everyyear tothe 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 APPENDIX 3

therefore maintain the confidentiality of the information that is transmitted to them in the course of their work. To this end, the Observatory’s rules of procedure stipulate the members’ obligation to make a commitment to the President to ensure the complete confidentiality of working documents.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 101

A4 APPENDIX 4 Members of the Observatory

Pursuant to Article R142-22 of the Code monétaire et financier (French Monetary and Financial Code), the members of the Observatory, other than the members of Parliament, those representing the state, the Governor of the Banque de France and the Secretary General of the Autorité de contrôle prudentiel et de résolution (ACPR – the French prudential supervision and resolution authority), are appointed for a three-year term by order of the Minister of the Economy. The most recent appointment order was issued on 11 December 2018.

Président François Villeroy de Galhau Governor of the Banque de France

Members of Parliament Representatives of general government

Éric Bocquet Nominated on the recommendation of Senate the General Secretariat for Defence and National Security: Rémi Rebeyrotte • The Director General of the French National Assembly National Cybersecurity Agency or his/her representative: Guillaume Poupard Vincent Strubel Representatives of the General José Araujo Secretariat of the ACPR Nominated on the recommendation of Édouard Fernandez-Bollo the Minister of the Economy, Finance Secretary General and Digital Economy: • The Senior Official for Defence and Security Geoffroy Goffinet or his/her representative: Christian Dufour Jean-Philippe Papillon

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 103 104

APPENDIX 4 • Minister ofDefence: Nominated ontherecommendationof • Minister oftheInterior: Nominated ontherecommendationof • Minister ofJustice: Nominated ontherecommendationof • • • ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – Cyril Piat Arnauld Cheminant nationale orhis/herrepresentative: The Director GeneraloftheGendarmerie François-Xavier Masson or his/herrepresentative: Communication Technologiesand against CrimesLinked toInformation The HeadoftheCentralOffice for theFight Raphaëlle Olive or his/herrepresentative: The Directorfor Criminal Affairs andPardons Madly Meri Aurélien Hauser of Fraud Offences orhis/her representative: Consumer Affairs and thePunishment The DirectorGeneralfor Competition, Romain Bonenfant Thomas Courbe or his/herrepresentative: The DirectorGeneralfor Enterprises Arnaud Delaunay Odile Renaud-Basso or his/herrepresentative: The Headofthe Treasury

• libertés (CNIL): Commission nationaledel’informatique etdes Nominated ontherecommendationof Representatives ofissuers BNP Paribas (BNPP) and Innovative Payments Head ofElectronicBanking Jean-Marie Dragon financières (ASF) Association françaisedessociétés Head ofMarket Research Corinne Denaeyer multi-opérateurs (AFMM) etusagesmultimédias des services Association française pourledéveloppement DelegateGeneral Deputy Nathalie Chabert (Afepame) de paiement etdemonnaieélectronique Association française desétablissements Bureau member Andrée Bertrand of payment systems of payment meansandoperators David Ruiz Clémence Scottez or his/herrepresentative: The HeadofEconomic Affairs 2018

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 4

Olivier Durand Jean-Marie Vallée Director in charge of Interbank Matters Director General Office de coordination bancaire STET et financière (OCBF) Narinda You Caroline Gaye Head of Strategy and Market Relations Director General Crédit Agricole American Express France (Amex)

Solveig Honoré Hatton Vice-President, Business development Corporate representatives MasterCard France Bernard Cohen-Hadad Philippe Laulanie President of the Business Financing Commission Executive Director Confédération des petites et moyennes Groupement des cartes bancaires (GCB) entreprises (CPME)

Philippe Marquetty Delphine Kosser-Glories Global Head of Payments and Cash Head of the Department of Economic Affairs Management Products Mouvement des entreprises de France (Medef) Société Générale François Soenens Laurence Matterlin President of the electronic banking Head of Risk Management and payment means commission and Fraud Prevention Association française des trésoriers Natixis Payment Solutions d’entreprises (AFTE)

Gérard Nébouy Executive Director Visa Europe France Representatives of the Consumer Board of the French National Consumers’ Council Jérôme Raguénês Head of Digital Solutions and Payment Mélissa Howard Fédération bancaire française (FBF) Lawyer Association Léo Lagrange pour la défense des consommateurs (ALLDC)

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 105 106

APPENDIX 4 Conseil ducommercedeFrance (CdCF) Correspondent onfinancialissues Philippe Joguet et deladistribution(FCD) Fédération ducommerce Member ofthefinancegroup Vincent Depriester Mercatel General Delegate Jean-Michel Chanavas professional organisations Representatives ofmerchants’ et d’information duconsommateur(Adeic) Association dedéfense d’éducation Lawyer Ariane Pommery consommateurs (AFOC) Association Force ouvrière Lawyer Hervé Mondange UFC –Quechoisir Project leaderBanking/Insurance Mathieu Robin familiales (UNAF) Union nationaledesassociations Lawyer Morgane Lenain ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – de régionParis –ÎledeFrance (CCIP) Chambre decommerceetd’industrie Vice-President Philippe Solignac et delavente (Fevad) àdistance Fédération due‑commerce General Delegate Marc Lolivier École normalesupérieure(ENS) Professor David Naccache Worldline Chief OperationsOfficer, France Claude France Persons chosen for theirexpertise 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 A5 APPENDIX 5 Methodological approach used to measure fraud on cashless payment means

General framework

Definition of payment means fraud

In this report, fraud is understood as the illegitimate use of a means of payment or its related data and any act that contributes to the preparation for their illegitimate use and/or effective illegitimate use:

• resulting in financial loss: for the account-holding institution and/or issuer of the means of payment, the holder of the means of payment, the lawful beneficiary of the funds (the acceptor and/or creditor), an insurer, a trusted third party or any party involved in the chain of design, manufacture, transport or distribution of physical or logical data that could incur civil, commercial or criminal liability;

• by whatever means:

– the methods used to obtain, without lawful reason, the means of payment or related data (theft, taking possession of the payment means or data, hacking of acceptance devices, etc.),

– the procedures for using the means of payment or related data (payments/withdrawals, face-to-face or remote payments, via physical use of the means of payment or the related data, etc.),

– the geographical area of issuance or use of the means of payment and related data;

• regardless of the identity of the fraudster: a third party, the account-holding institution and/or issuer of the means of payment, the lawful holder of the means of payment, the lawful beneficiary of the funds, a trusted third party, etc.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 107 108

APPENDIX 5 1 See • they donot allapplyinthesamemannertovarious payment instruments: has defined types, bearing in mind that In order to analysefour fraud payment means fraud, the Observatory Types ofpayment meansfraud its annualreport. andpresented in aremadeavailableonly nationalconsolidatedstatistics tothemembers oftheObservatory depending onthemeansofpayment (seebelow). Duetotheconfidentialnature gathered, ofthepersonaldata The fromall relevant Observatory’s gathers the fraud data secretariat institutions, using different approaches Payment estimated that such Card Security measures reduced the gross estimate of card payment fraud by 5%. damages andinterestsubsequenttolegalproceedings,etc.).Inits 2015 Annual Report, provision, out-of-court agreement to reschedule payment in the event of wrongful repudiation of the payment, the counterpartiestomitigaterelatedlosses(forinterruption orservice instance, ofproductdelivery payment intoaccountany transactionamountswithouttaking measures thatmay subsequentlybetaken by appliesa The“gross approach” Observatory whenmeasuringfraud,which consistsinidentifyingtheinitial • • • have subsequentlybeenrejectedonfraud-relatedgrounds. The following aretherefore notrecordedasfraud: have ontheaccountofatleastonecounterpartiestransactionandwhich given risetoanentry measures fraud by recording all payment transactions that In accordance with this definition, the Observatory

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – improper use of ameans ofpayment by reason only of insufficient in a non-payment; funds and resulting notably misappropriation of data orbankingcredentials; misappropriation ofdata payment instrument (card,chequebook, etc.)thathasbeenlost, stolenorcounterfeited, orthroughthe fakes (theft, loss,counterfeit): fraudinvolving theissuanceoffalse payment orderseitherthroughaphysical of makingpayments. a means of paymentthe use of a false to open an account and/or obtain for or stolen identity the purposes attempted fraud(whentheisfoiled before thetransactionisprocessed); https://www.banque-france.fr/en/annual-report-2015 (page11). 2018 1 the Observatory for theObservatory ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 5

• falsification: fraud involving the use of a falsified payment instrument (an authentic payment instrument in which the physical characteristics or related data have been modified by the fraudster or an accomplice) or of a validly issued payment order to which one or more alterations have been made (amount, currency, name of the beneficiary, account details of the beneficiary, etc.);

• misappropriation: fraud in which the intention is to use the payment instrument or payment order without forgery or alteration (for example, the cashing of a non-forged cheque in an account that is not held in the name of the lawful beneficiary of the cheque);

• replay : fraud involving the wrongful use of a payment instrument by its lawful holder after it has been reported lost or stolen or through the dispute of a valid payment order by the lawful holder of the payment instrument, acting in bad faith, or the re-use of a payment order that has already been processed.

Measurement of payment card fraud

Transactions covered

Payment card fraud, as measured in this report, covers payments (face-to-face and remote) and withdrawals made using a payment card in France and abroad when one of the counterparties to the transaction is considered to be French (when the issuer is a French financial institution or the transaction acceptor – the merchant or ATM – is located in France). No distinction is made as to the nature of the acceptance network (four-party/open2 or three‑party/closed3 payment schemes) or card category (debit card, credit card, commercial card or prepaid card).

2 Payment card systems that involve a large number of payment service providers, card issuers and payment acquirers. 3 Payment card systems that involve a small number of payment service providers, card issuers and payment acquirers (for example, within a single banking group).

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 109 110 APPENDIX 5 b) A technique thatconsistsinusingissuers’ own rules for creatingpayment cardnumberstogeneratesuch numbers. a) Modificationoftheraisednumbersprintedtoform thecardnumber. payments, themerchant’s sectorofactivity. channel, heldonitand,inthecaseofremote geographicalareaofissuanceandusethecardordata Analysis of payment card fraud takes a number of fraud, of parameters payment into consideration: type initiation Analysis offraud • • gatherspayment cardfraud data: The Observatory Source offraud data Unallocated cardnumbers Misappropriated cardnumbers Withdrawal Remote payment Face-to-face payment Falsified orcounterfeit cards Intercepted cards Lost orstolencards ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – from three-party cardissuersoperatinginFrance.from three-party members’ transactions; from theCBBank CardConsortium(GroupementdescartesbancairesCB),Mastercardand Visa for their Type ofpaymentcardfraud Card usagechannels remote transactions. Use ofatrue cardnumber(orpersonalaccount–PAN) thathasnotbeenattributed toacardholder, generallyin remote transactions. A cardholder’s cardnumberistakenwithouthisorherknowledge orcreatedthroughcardnumbergeneration a card that incorporates the data requiredtodeceive system.a cardthatincorporatesthedata acceptance an unattended payment terminal(UPT)oramerchant’s payment terminal.Inbothcases,thefraudsterendeavours tocreate Counterfeiting acardmeanscreatinganobjectthatappearstobeauthenticpayment cardand/oriscapableofdeceiving Cash withdrawals at ATMs. Payments carried outonline, by mail,by fax ortelephone,any othermeans. Payments madeatapointofsaleorthroughanunattended paymentpayments. terminal(UPT),includingcontactless Falsification ofapayment cardconsistsinmodifyinganauthenticcard’s embossing magneticstripdata, that belongstothem.Insuch cases, thefraudsterseekstoexploit vulnerabilitiesintheproceduresusedtosendcards. However, thedifference isthatitdifficult for thelawfulthatafraudsterisinpossessionofcard cardholdertoascertain The cardisinterceptedwhentheissuersendsittolawful cardholder. This offraudissimilartocardlossortheft. type The fraudsterusesalostorstolencreditcard,withoutthelawful cardholder’s knowledge. Procedures foruse Forms offraud 2018 a) or programming. orprogramming. b) andusedin ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 5

Geographical area Description

Domestic transaction Both the issuer and the acceptor are established in France. However, for remote payments, the fraudster may operate from abroad. International France  SEPA transaction The issuer is established in France and the acceptor abroad within SEPA. International France  non-SEPA transaction The issuer is established in France and the acceptor abroad outside SEPA. International SEPA  France transaction The issuer is established abroad within SEPA and the acceptor in France. International non-SEPA  France transaction The issuer is established abroad outside SEPA and the acceptor in France. Note: SEPA – Single Euro Payments Area.

Merchant's sector of activity for remote payments Description

Foodstuffs Groceries, supermarkets, hypermarkets, etc. Account loading, person to person sales Sites enabling online sales between private individuals, etc. Insurance Insurance policy subscription. General and semi-general trade Textiles and apparel, department stores, mail-order sales, private sales, etc. Household items Sale of furnishings and DIY products. Online gaming Online gaming and betting sites. Technical and cultural products IT hardware and software, photographic equipment, books, CDs, DVDs, etc. Health, beauty and personal care Sale of pharmaceutical products, personal care products and cosmetics. Personal and professional services Hotels, rental services, box office, charities, office equipment, courier service, etc. Telephony and communication Telecommunication and mobile telephony equipment and services. Travel and transportation Rail, air and sea. Other

Measurement of credit transfer fraud

Payment instruments covered

Credit transfer fraud, as measured in this report, covers payment orders issued by the debtor – the payer – to transfer funds from his or her payment account or electronic purse to the account of a third-party beneficiary. This includes Single Euro Payments Area (SEPA) credit transfers and SEPA instant credit transfers and customer credit transfers issued via large-value payment systems (notably the Target2 system operated by the national central banks of the Eurosystem and the pan-European Euro1 private sector system).

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 111 112 APPENDIX 5 • • following statuseswithinthemeaningofFrenchandEuropeanregulations: 4 Note: SEPA –SingleEuroPayments Area. destination andtheinitiationchannels used. Credit transfer fraud is analysed by referring geographicalareasofissuanceandtransfer tothefraudtypes, Analysis offraud fraudreportsfiled providers.by authorisedpaymentmandatory service relatingtocredittransferThe data fraudisprovided by theBanque deFrance fromtheannual andtaken Source offraud data Non-SEPA transfer European transfer Domestic transfer Misappropriation Falsification Fakes Telematics Online Paper Geographical areaofissuanceand ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – in France. credit institutions,electronicmoneyinstitutionsandpayment incorporated abroadthatareauthorisedtooperateandestablished and paymentinstitutionsincorporatedinFrance; credit institutionsorequivalent(institutionsreferredtoinArticleL.518-1 of theFrenchMonetaryandFinancialCode),electronicmoneyinstitutions Financial institutionsthatareauthorisedtoholdpaymentaccountsonbehalf oftheircustomersandtoissuemeanspayment,whichhavethe Types ofcredittransferfraud credit transferdestination Initiation channels used Transfer issuedfromanaccountheldinFrance towards anaccountheldinanon-SEPA country. Transfer issuedfromanaccountheldinFrance towards anaccountheldinanotherSEPA country. Transfer issuedfromanaccountheldinFrance towards anaccountheldinFrance. reality. due form toanaccountnumberthatisnotofthelawfulordoescorrespond toany payment economic beneficiary dealings: linemanager, supplier, bankclerk,etc.),thefraudsterinduceslawful accountholdertoissueatransfer orderin whichThrough socialengineering, deception(notably involves impersonatingapersonwithwhomthepayer hasbusiness The fraudsterinterceptsandmodifies atransfer orderoralegitimateremittance document. through hacking malware, methods–phishing, etc.–orunderduress). the lawful payer’s onlinebankingcredentialsinordertoinitiateapayment order(inthiscase,thecredentialsmay beobtained The fraudstercounterfeits acredittransfer order, forces thelawful accountholdertoissueatransfer order, orfraudulentlyacquires businesses canexchange fileswithbanks). automateddata the EBICS(ElectronicBankingsystem InternetCommunicationStandard) (interbankcommunicationchannel throughwhich Transfer orderssentviaelectronicchannels otherthanonlinebankingandmobilepayment applicationchannels, such as Transfer orderssentviaanonlinebankoramobilepayment application. Transfer orderssentusingmail,forms, email,fax orphone. Procedures foruse Forms offraud Description 4 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 5

Measurement of direct debit fraud

Payment instruments covered

Direct debit fraud, as measured in this report, covers payment orders given by a creditor to their payment service provider for them to debit the account of a debtor, in accordance with the authorisation (or direct debit mandate) signed by the debtor. This category is made up of SEPA direct debits.

Source of fraud data

The data relating to direct debit fraud is provided by the Banque de France and taken from the annual mandatory fraud reports filed by authorised payment service providers.

Analysis of fraud

Direct debit fraud is analysed by referring to the fraud types, geographical areas of issuance and direct debit destination and the authorisation channels used.

Types of direct debit fraud Forms of fraud

Fakes The creditor-fraudster originates direct debit instructions using illegally obtained account numbers, without any authorisation or underlying economic reality. Misappropriation The payer-fraudster steals the identity and IBAN of a third party to sign a direct debit mandate on an account that does not belong to him or her. Replay The creditor-fraudster knowingly originates direct debits that have already been issued (that have either already been settled or rejected, for instance following a request by the payer to block the transaction).

Geographical area of issuance and Description direct debit destination Domestic direct debit Direct debit instruction originated by a creditor whose account is held in France for payment from an account held in France. European direct debit Direct debit instruction originated by a creditor whose account is held in France for payment from an account held in another SEPA country. Non-SEPA direct debit Direct debit instruction originated by a creditor whose account is held in France for payment from an account held in a non- SEPA country. Note: SEPA – Single Euro Payments Area.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 113 114 APPENDIX 5 fraud reportsfiled providers.by authorisedpayment service providersThese payment eitherreportas service The relatingtocheque data fraudisprovided by theBanque deFrance and takenfromtheannualmandatory Sources offraud data networks. orinasmallnumberofacceptance used for specific productsandservices universels (CESU, universalvouchers), employment service which spanavarietyofcategoriesandcanonlybe and FinancialCode,such asholiday vouchers, luncheon vouchers, culture cheques andchèques emploi-service not include travellers’ cheques orspecial payment vouchers referred to in Article L.525-4 of theFrench Monetary businesses and This definitionencompassesthe following payment orders:bank cheques, banker’s drafts, cheque-letters for the customersofabankfor depositonsuch accounts. cheques drawn by the customersofabankonaccountsthatareheldby thatbankandcheques received from set forth in Articles L.131-1 to theFrench andFinancialCode. 88 of Monetary This specificallyconcerns case, thecheque isdrawn onapayment accountheldinaforeign currency), falling withinthelegalframework Cheque fraud,asmeasuredinthisreport,covers cheques payable inFrance, ineurooraforeign currency (inthis Scope offraud systems inplacebefore payment. means ofauthenticationby hisorherbank. This makes itimpossible for bankstoputautomaticauthentication Unlike othercashlesspayment means,cheques onlyexist inpaperform andthepayer’s signature istheonly Measurement ofcheque fraud Telematics Online Paper ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – Authorisation channels used titres de travail simplifiés (TTS, simplified employment cheques for small businesses). It does Direct debitmandatessentviaelectronicchannels otherthanonlinebankingandmobilepayment applicationchannels. Direct debitmandatessentviaanonlinebankoramobilepayment application. Direct debitmandatessentusingmail,forms, email,fax orphone. Procedures foruse 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 5

the financial institution that receives cheques to be cashed from their customers (the collecting bank) or as the institution that holds the payer’s account (the paying bank).

Analysis of fraud data

Cheque fraud data are analysed by referring to the main fraud types defined by the Observatory. The following table summarises the typology of the most common forms of fraud observed.

Types of cheque fraud Forms of fraud

Fakes (theft, loss, counterfeit Use by the fraudster of a cheque that has been lost by or stolen from the lawful owner, which carries a forged signature that or apocryphal)a) corresponds to neither the signature of the account holder or of their authorised representative. Unlawful issuance of a cheque by a fraudster using a blank cheque specimenb) (including transactions carried out under duress by the legitimate account holder). Fake cheque entirely fabricated by the fraudster to be drawn on an existing or fake bank. Falsification Valid cheque intercepted by a fraudster who deliberately alters it by scratching, over-writing or erasing the information contained on it. Misappropriation/replay Re-cashing of a cheque that was lost or stolen after being cleared in the payment systems. Lost or stolen valid cheque, intercepted on its way to the beneficiary and cashed on an account other than that of the lawful beneficiary. The cheque specimen is correct, the name of the beneficiary unchanged and the MICR (Magnetic Ink Character Recognition) line of numbers and characters at the bottom is valid, as is the customer’s signature. Deliberate issuance of a cheque by the account holder after a request to block the cheque. a) Apocryphal: a term that some banks use to qualify a document that is of doubtful authenticity. b) Blank cheque specimen: made available to the customer by the account-holding bank.

Measurement of trade bill fraud

Payment instruments covered

Trade bill fraud, as measured in this report, covers two payment instruments:

• truncated bills of exchange: payment instruments in paper or electronic form by means of which the payer (generally the supplier) issues an order for the debtor (its customer) to pay it a particular sum of money;

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 115 116 APPENDIX 5 • credittransfers, whenthee-money isstoredin online accounts. • incorporatesthe measurementofe-money fraudintoitsmeasurementofinvolving:The Observatory • • Electronic money canbestoredintwoways: otherthantheelectronicmoneyor legalentity issuer. must be pre-charged usinganother payment instrument, andcan be acceptedas payment by anatural person value that is stored in electronic form,Electronic money representing a claim on the issuer, is a monetary which Specific provisions relating to fraud one-money transactions as theinstitution that holdsthepayer’s account(thepaying bank). the financialinstitution thatreceives tradebillstobehonouredfromtheircustomers(thecollectingbank)or fraud reportsfiled providers.by authorisedpayment service providersThese paymenteitherreportas service The relatingtotradebillfraudisprovided data by theBanque deFrance andtaken fromtheannualmandatory The oftradebillfraudarethesameasthosedefined types for cheques. Types andsource offraud data •

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – payment cards, whenthee-money isstoredinphysical form (prepaid cards); online, inaccountsheldby the issuingbank. physically, for onprepaidcards; instance specified onthenote. towards andundertakes topaysumofmoney acertain date,bothofwhich thebeneficiary by acertain are truncated promissory notes:electronicpaymenttruncated ordersby promissory meansofwhich thepayer acknowledges itsliability 2018 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS – 2018 APPENDIX 6

A6 Statistics

Overview

T1 Cashless payment means used in France in 2018 (number in millions, amount in EUR billions, average amount in EUR, change in %) Number of transactions Transaction amounts Average 2018 Change 2018 Change amount 2018/2017 2018/2017 Card paymentsa) 13,179 +5 568 +7.0 43 Direct debits 4,211 +3 1,644 +4.0 391 Credit transfers 4,037 +4 24,211 +0.6 5,997 o/w LVTb) 10 0 10,130 +7.0 1,038,473 Cheques 1,747 -9 891 -11.0 510 Trade bills 81 0 252 -3.0 3,150 E-money 65 +18 1 +17.0 16 Total 23,320 +3 27,567 +0.5 1,182 Card withdrawalsa) 1,439 -3 137 +1.0 94 Total transactions 24,759 +3 27,704 +0.5 1,119 Source: Observatory for the Security of Payment Means. a) Cards issued in France only. b) LVT: large-value transfers, issued via large-value payment systems (Target2, Euro1). Professional payments only.

T2 Breakdown of payment means fraud in amount and volume in 2018 (amount in EUR, volume in units, share in %, average amount in EUR) Amount Volume Average 2018 Share 2018 Share amount Card paymentsa) 401,604,986 38 6,068,959 90 66 Cheques 450,108,464 43 166,421 3 2,704 Credit transfers 97,307,108 9 7,731 0 12,586 Direct debits 58,346,253 6 309,377 5 188 Trade bills 226,217 0 5 0 45,243 Total payments 1,007,593,028 96 6,552,493 98 154 Card withdrawalsa) 37,630,659 4 158,908 2 237 Total transactions 1,044,953,687 100 6,711,401 100 156 Source: Observatory for the Security of Payment Means. a) Cards issued in France only.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 117 118 APPENDIX 6 1 Around 1,358,819 cards were cancelledasthey were reportedlostorstolen • • In 2018, therewere 88.8 millioncardsincirculation,ofwhich: • • gatherspayment from: cardfraud data The Observatory Fraud statistics for payment cards

ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 Cards reportedlostorstolenandfor which atleastonefraudulenttransactionwasrecorded. 9.8 million three-party cards. 9.8 million three-party 79 million four-party cards(“CB”, Mastercard, Visa, etc.); JCB andUnionPay. and Cofinoga),Crédit Agricole ConsumerFinance(FinarefandSofinco),Cofidis,DinersClub, Franfinance, the 120 members of the CB Bank Card Consortium, through the consortium, Mastercard and Visa Europe France; nine three-party card issuers: nine three-party American Express, Oney Bank, BNP Paribas Personal Finance (Aurore, Cetelem 1 in 2018. 18 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 APPENDIX 6

T3 The payment card market in France – Issuance (volume in millions, value in EUR billions) French issuer, French issuer, French issuer, French acquirer foreign SEPA acquirer foreign non-SEPA acquirer Volume Value Volume Value Volume Value Four-party cards Face-to-face payments and UPT 10,739.13 407.58 281.25 14.14 59.85 4.58 Remote payments excluding online 31.86 2.39 21.04 1.53 4.35 0.41 Remote payments online 1,504.89 95.78 340.04 18.70 27.62 2.07 Withdrawals 1,383.99 129.63 32.45 3.69 21.24 3.16 Sub-total 13,659.87 635.38 674.78 38.06 113.06 10.22 Three-party cards Face-to-face payments and UPT 125.65 14.40 10.64 1.46 6.42 1.04 Remote payments excluding online 3.03 0.31 2.48 0.03 0.25 0.02 Remote payments online 11. 10 1.98 8.44 1. 17 1.35 0.20 Withdrawals 1.73 0.16 0.00 0.00 0.00 0.00 Sub-total 141.51 16.85 21.56 2.66 8.02 1.26 Total 13,801.38 652.23 696.34 40.72 121.08 11.48 Source: Observatory for the Security of Payment Means. Note: SEPA – Single Euro Payments Area; UPT – unattended payment terminal.

T4 The payment card market in France – Acceptance (volume in millions, value in EUR billions) French issuer, Foreign SEPA issuer, Foreign non-SEPA issuer, French acquirer French acquirer French acquirer Volume Value Volume Value Volume Value Four-party cards Face-to-face payments and UPT 10,739.13 407.58 308.82 17.32 92.74 8.48 Remote payments excluding online 31.86 2.39 9.95 1.73 5.32 1.30 Remote payments online 1,504.90 95.78 101.70 10.46 32.40 3.86 Withdrawals 1,384.00 129.63 24.88 4.26 7.82 1.94 Sub-total 13,659.89 635.38 445.35 33.77 138.28 15.58 Three-party cards Face-to-face payments and UPT 125.65 14.40 9.19 1.56 10.98 4.27 Remote payments excluding online 3.03 0.31 0.24 0.01 0.14 0.00 Remote payments online 11. 10 1.98 1.83 0.29 0.97 0.24 Withdrawals 1.73 0.16 0.00 0.00 0.49 0.22 Sub-total 141.51 16.85 11.26 1.86 12.58 4.73 Total 13,801.40 652.23 456.61 35.63 150.86 20.31 Source: Observatory for the Security of Payment Means. Note: SEPA – Single Euro Payments Area; UPT – unattended payment terminal.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 119 120

APPENDIX 6 Payments French card–French acceptor Domestic transactions(French cardandFrench acceptor) Four-party cards Note: UPT–unattended payment terminal. largely attributable toachange methodologyusedby inthestatistical theCBBank CardConsortium. A slightadjustmentwas alsomadein 2015. Seethe 2014 Annual Report for moredetails. a) The declinebetween 2013 substantial and 2014 intheamountoffraudremotepayments madeby postorphoneand thecorresponding increaseintheamountfor online payments are for ofPayment theSecurity Means. Source: Observatory (rate in%,amountbrackets inEURmillions) T7 Note: SEPA –SingleEuroPayments Area. for ofPayment theSecurity Means. Source: Observatory (rate in%,amountbrackets inEURmillions) T6 (rate in%,amountbrackets inEURmillions) T5 Source: Observatory for ofPayment theSecurity Means. Source: Observatory Withdrawals International transactions Three-party cards Total Total Total ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 o/w foreign non-SEPA cardandFrench acceptor o/w face-to-face andUPT o/w remote o/w foreign SEPA cardandFrench acceptor o/w French cardand non-SEPA acceptor o/w French cardand SEPA acceptor – o/wonline – o/wby post/phone Breakdown ofdomesticfraudbytransactiontype Geographical breakdownoffraud Breakdown offraudbycardtype 0.080 0.065 0.080 2013 (469.9) (455.9) (14.0) 0.050 0.046 0.404 0.229 0.033 0.269 0.350 0.046 0.688 0.080 0.366 0.135 0.013 1.122 2013 2013 (238.6) (469.9) (238.6) (199.9) (125.0) (154.2) (231.3) 0.080 (64.1) (45.8) (38.6) 0.062 (29.2) (29.1) (70.2) 0.080 (67.9) 2014 (500.6) (486.4) 0.046 0.043 0.336 0.251 0.034 0.248 0.043 0.636 0.080 0.316 0.147 0.134 0.374 0.010 (14.2) 2014 2014 (500.6) (234.6) (266.0) (234.6) (193.2) (153.2) (156.0) (65.6) (39.3) (70.0) (91.0) (41.5) (37.1) (2.8) 0.086 0.068 0.085 a) a) Fraud rate(andamount) 2015 0.047 0.044 0.239 0.372 0.353 0.033 0.244 0.372 0.044 0.692 0.085 0.459 0.153 0.012 (542.3) (526.8) (15.5) Fraud rate(andamount) Fraud rate(andamount) 2015 2015 (542.3) (244.4) (244.4) (204.5) (152.0) (116.8) (297.9) (161.1) (69.7) (36.9) (43.4) (39.9) (74.5) (9.1) 0.082 0.060 0.081 2016 0.009 0.045 0.239 0.280 0.042 0.029 0.449 0.241 0.042 0.353 0.081 0.370 0.158 0.713 (544.8) (531.3) 2016 2016 (13.5) (244.5) (544.8) (300.3) (208.6) (244.5) (165.7) (175.0) (113.9) (33.6) (35.9) (73.7) (44.7) (68.0) (9.3) 18 0.070 0.043 0.069 0.009 0.039 0.357 0.037 0.027 0.386 0.037 0.281 0.069 0.308 0.186 0.190 0.102 0.511 2017 2017 2017 (493.8) (482.2) (11.6) (226.5) (493.8) (226.5) (148.7) (156.1) (100.7) (191.9) (267.3) (35.8) (34.6) (32.3) (60.3) (74.1) (7.4) 0.072 0.040 0.071 0.041 0.351 0.038 0.024 0.323 0.038 0.270 0.092 0.438 0.071 0.352 0.168 0.173 0.010 2018 2018 2018 (526.5) (537.5) (245.6) (214.7) (163.8) (143.3) (537.5) (173.3) (291.9) (30.9) (65.5) 245.6 (32.8) (50.3) (11.0) (41.4) (9.5) ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 APPENDIX 6

T8 Breakdown of international fraud by transaction type – French cards (rate in %, amount in brackets in EUR millions) Fraud rate (and amount) 2014 2015 2016 2017 2018 French card – Foreign non-SEPA acceptor Payments 0.532 (41.7) 0.735 (56.3) 0.862 (56.2) 0.608 (53.3) 0.534 (44.4) o/w face-to-face and UPT 0.350 (19.2) 0.509 (25.8) 0.485 (22.9) 0.252 (12.7) 0.230 (12.9) o/w remote 0.960 (22.5) 1. 174 (30.5) 1.862 (33.3) 1.096 (40.6) 1.168 (31.5) – o/w by post/phone 4.955 (7.5) 2.345 (9.5) 2.783 (9.4) 1.499 (8.4) 1.127 (4.8) – o/w online 0.682 (14.9) 0.959 (21.1) 1.648 (23.9) 1.025 (32.3) 1.175 (26.7) Withdrawals 0.890 (28.3) 0.586 (18.1) 0.390 (11.8) 0.229 (7.0) 0.184 (5.9) Total 0.636 (70.0) 0.692 (74.4) 0.713 (68.0) 0.511 (60.3) 0.438 50.3 French card – Foreign SEPA acceptor Payments 0.434 (89.8) 0.526 (115.7) 0.422 (112.9) 0.342 (99.8) 0.385 (142.4) o/w face-to-face and UPT 0.067 (7.8) 0.071 (8.0) 0.066 (8.3) 0.075 (10.5) 0.066 (10.2) o/w remote 0.910 (82.0) 1.004 (107.7) 0.754 (104.5) 0.591 (89.2) 0.617 (132.2) – o/w by post/phone 1.317 (13.9) 1.399 (18.7) 1.317 (19.7) 1.489 (14.9) 0.911 (14.2) – o/w online 0.856 (68.1) 0.948 (89.0) 0.687 (84.9) 0.527 (74.4) 0.594 (118.0) Withdrawals 0.033 (1.2) 0.033 (1.1) 0.024 (0.9) 0.025 (0.9) 0.025 (0.9) Total 0.374 (91.0) 0.459 (116.8) 0.370 (113.8) 0.308 (100.7) 0.352 (143.3) Source: Observatory for the Security of Payment Means. Note: SEPA – Single Euro Payments Area; UPT – unattended payment terminal.

T9 Breakdown of international fraud by transaction type – Foreign cards (rate in %, amount in brackets in EUR millions) Fraud rate (and amount) 2014 2015 2016 2017 2018 Foreign non-SEPA card – French acceptor Payments 0.380 (65.0) 0.391 (68.1) 0.507 (73.2) 0.429 (73.3) 0.357 (64.8) o/w face-to-face and UPT 0.162 (21.9) 0.168 (22.8) 0.169 (17.4) 0.135 (16.3) 0.108 (13.7) o/w remote 1.213 (43.1) 1.185 (45.3) 1.341 (55.8) 1.143 (57.0) 0.947 (51.1) – o/w by post/phone 1. 018 (7.7) 1.159 (10.8) 1.748 (18.2) 1.488 (19.8) 0.886 (11.5) – o/w online 1.265 (35.4) 1.193 (34.5) 1.206 (37.7) 1. 017 (37.2) 0.967 (39.6) Withdrawals 0.026 (0.6) 0.069 (1.6) 0.024 (0.5) 0.038 (0.8) 0.031 (0.7) Total 0.336 (65.6) 0.353 (69.7) 0.449 (73.7) 0.386 (74.1) 0.323 (65.5) Foreign SEPA card – French acceptor Payments 0.156 (38.5) 0.175 (36.0) 0.178 (43.8) 0.114 (31.5) 0.102 (32.0) o/w face-to-face and UPT 0.026 (5.1) 0.033 (4.8) 0.024 (3.7) 0.018 (3.5) 0.018 (3.4) o/w remote 0.476 (33.1) 0.528 (31.3) 0.456 (40.0) 0.337 (28.0) 0.229 (28.6) – o/w by post/phone 0.397 (4.8) 0.734 (7.7) 0.695 (11.0) 0.564 (8.9) 0.357 (6.2) – o/w online 0.492 (28.6) 0.484 (23.6) 0.403 (29.0) 0.284 (19.1) 0.208 (22.4) Withdrawals 0.018 (0.9) 0.025 (0.9) 0.024 (0.9) 0.019 (0.7) 0.019 (0.8) Total 0.134 (39.3) 0.153 (36.9) 0.158 (44.7) 0.102 (32.3) 0.092 (32.8) Source: Observatory for the Security of Payment Means. Note: SEPA – Single Euro Payments Area; UPT – unattended payment terminal.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 121 122

APPENDIX 6 Total Other Misappropriated cardnumbers Forged orcounterfeit cards Intercepted cards Source: Observatory for ofPayment theSecurity Means. Source: Observatory (amount inEURmillions,share%) T10 Forged orcounterfeit cards Intercepted cards Lost orstolencards Face-to-face payments andUPT Other Misappropriated cardnumbers Lost orstolencards Remote payments excluding online Intercepted cards Forged orcounterfeit cards Other Misappropriated cardnumbers Intercepted cards Lost orstolencards Remote payments online Other Misappropriated cardnumbers Forged orcounterfeit cards Forged orcounterfeit cards Intercepted cards Lost orstolencards Withdrawals Misappropriated cardnumbers Total Other Lost orstolencards Note: SEPA –SingleEuroPayments Area; UPT–unattended payment terminal. for ofPayment theSecurity Means. Source: Observatory (volume inthousands,value inEURthousands) T11 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 Breakdown ofdomesticfraudbytypeandcard Breakdown offour-party cardfraudbytypeoftransaction,andgeographicalzone –Issuance 2018 Amount Volume 3,415.8 2,131.3 2,177.9 245.7 164.0 904.3 109.0 971.1 76.4 157.8 107.0 30.0 98.2 59.0 14.6 2.4 41.8 .4 1. .5 1. .3 7. 1 4.9 0.1 0.4 0.1 0.1 0.4 4.3 0.0 0.1 0.7 .2 1. French acquirer French issuer, All cardtypes 242,356.6 162,975.9 157,883.0 39,404.0 35,770.9 30,786.3 30,267.8 Share 100.0 5,343.5 4,670.2 Value 9,190.4 3,760.1 1,321.7

66.7 31.1 979.3 863.0 469.1 380.9 413.6 0.6 0.6 .0 1. 35.6 91.1 77.6 4.7 4.5 6.2 6.5 .3 7. Amount 2,002.0 Volume 2,289.1 1,876.3 242.4 163.0 194.0 178.9 76.1 foreign SEPA acquirer 88.9 53.3 95.7 18.4 0.6 27.1 .3 1. .4 1. 1 8 11. 1 7 11. 0.4 5.0 0.1 2.9 0.4 0.8 2.1 0.1 3.0 4.2 0.2 0.3 0.6 Four-party cards French issuer, 141,153.0 116,824.5 107,599.6 13,523.9 12,157.1 9,900.5 4,659.6 1,036.9 6,698.5 2,359.4 2,514.5 Share 100.0 1,801.5 Value

823.3 296.1 733.2 904.1 31.4 133.7 67.2 101.6 0.2 0.6 0.6 33.3 23.1 28.8 99.6 19.4 27.0 6.8 18 Amount foreign non-SEPA acquirer Volume 293.6 472.1 3.3 0.1 0.1 0.3 317.4 .8 1. .0 1. 72.6 42.9 32.2 44.8 36.5 16.2 16.5 37.3 0.3 8.7 4.5 3.7 0.0 0.2 0.1 0.9 6.3 0.3 5.2 0.8 2.0 Three-party cards .2 1. French issuer, 26,288.1 12,522.1 24,123.5 49,221.1 Share 100.0 2,960.6 1,826.2 6,945.0 4,066.8 1,538.0 5,833.1 4,626.0 Value

4,577.8 55.0 30.2 805.4 132.0 274.8 531.2 737.0 367.6 3.4 9.5 101.3 .9 1. 53.3 25.6 91.1 3.2 8.2 4.3 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 APPENDIX 6

T12 Breakdown of four-party card fraud by type of transaction, fraud type and geographical zone – Acceptance (volume in thousands, value in EUR thousands) French issuer, Foreign SEPA issuer, Foreign non-SEPA issuer, French acquirer French acquirer French acquirer Volume Value Volume Value Volume Value Face-to-face payments and UPT 971.1 39,404.0 27.6 3,275.3 56.6 12,541.2 Lost or stolen cards 904.3 35,770.9 15.9 1,977.9 31.2 6,986.2 Intercepted cards 14.6 979.3 0.5 61.2 0.5 66.4 Forged or counterfeit cards 30.0 863.0 4.2 281.3 16.1 3,579.2 Misappropriated card numbers 1 7. 3 1,321.7 6.6 833.3 7. 0 1,609.5 Other 4.9 469.1 0.4 121.6 1. 8 299.9 Remote payments excluding online 157.8 9,190.4 19.3 5,806.7 24.6 10,430.6 Lost or stolen cards 98.2 5,343.5 0.5 94.8 1. 2 524.8 Intercepted cards 0.1 4.7 0.1 8.6 0.0 5.0 Forged or counterfeit cards 0.4 77.6 0.9 317.1 2.1 782.7 Misappropriated card numbers 59.0 3,760.1 1 7. 7 5,351.5 21.1 9,020.1 Other 0.1 4.5 0.1 34.7 0.2 98.0 Remote payments online 2,177.9 162,975.9 135.5 21,860.6 216.3 38,508.3 Lost or stolen cards 41.8 4,670.2 2.2 267.0 9.0 1,401.5 Intercepted cards 0.1 6.2 0.3 20.7 0.3 43.8 Forged or counterfeit cards 4.3 380.9 4.3 686.0 19.7 3,710.0 Misappropriated card numbers 2,131.3 157,883.0 127.7 20,681.3 185.6 32,879.1 Other 0.4 35.6 1. 0 205.6 1. 7 474.0 Withdrawals 109.0 30,786.3 3.1 795.0 1. 4 557.2 Lost or stolen cards 107.0 30,267.8 2.7 700.7 0.8 222.9 Intercepted cards 1. 2 413.6 0.1 24.5 0.0 26.1 Forged or counterfeit cards 0.0 6.5 0.1 24.8 0.4 140.1 Misappropriated card numbers 0.1 7. 3 0.2 34.6 0.0 6.7 Other 0.7 91.1 0.0 10.4 0.2 161.4 Total 3,415.8 242,356.6 185.5 31,737.6 298.9 62,037.3 Source: Observatory for the Security of Payment Means. Note: SEPA – Single Euro Payments Area; UPT – unattended payment terminal.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 123 124

APPENDIX 6 Total Other Misappropriated cardnumbers Forged orcounterfeit cards Intercepted cards Lost orstolencards Withdrawals Other Misappropriated cardnumbers Forged orcounterfeit cards Intercepted cards Lost orstolencards Remote payments online Other Misappropriated cardnumbers Forged orcounterfeit cards Intercepted cards Lost orstolencards Remote payments excluding online Other Misappropriated cardnumbers Forged orcounterfeit cards Intercepted cards Lost orstolencards Face-to-face payments andUPT Note: SEPA –SingleEuroPayments Area; UPT–unattended payment terminal. for ofPayment theSecurity Means. Source: Observatory (volume inthousands,value inEURthousands) T13 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 Breakdown ofthree-party cardfraudbytypeoftransaction,andgeographicalzone –Issuance Volume 11.8 0.0 0.0 0.0 0.4 0.4 0.8 0.3 0.1 0.0 0.1 2.4 0.2 0.0 0.0 0.1 2.1 4.9 0.4 0.1 0.1 6.5 .9 1. .8 1. .0 1. French acquirer French issuer, 3,256.6 1,979.0 1,616.1 Value 659.1 849.0 286.3 153.6

321.6 207.6 107.0 29.0 34.4 56.6 64.3 19.6 12.3 41.1 61.4 0.0 4.5 0.0 4.2 3.1 2.0 .4 1. Volume 29.0 14.1 15.3 12.4 1 1 11. 0.0 0.0 0.0 foreign SEPA acquirer 0.0 0.0 0.0 0.5 0.2 0.0 0.5 0.4 0.2 0.0 0.7 0.2 0.3 0.2 0.0 0.6 .3 1. French issuer, 1,002.7 2,190.3 1,137.9 Value 690.7

641.0 361.7 127.4 111.6 46.8 72.0 97.3 27.8 27.0 1 2 11. 1 3 11. 0.0 0.0 0.0 0.0 0.0 0.0 9.2 0.9 0.2 3.8 18 foreign non-SEPA acquirer Volume 10.1 0.0 0.0 0.0 0.0 0.0 0.0 0.1 4.0 0.1 0.0 0.2 4.4 0.0 2.8 0.1 0.0 0.2 3.1 0.0 0.6 0.0 0.7 2.6 .3 1. French issuer, 1,057.2 Value 398.2 420.1 243.7 379.5

130.2 139.4 104.5 257.6 4.32 0.0 0.0 0.0 0.0 0.0 0.0 8.5 5.2 0.0 8.2 0.9 6.3 0.1 6.6 .1 1. ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 APPENDIX 6

T14 Breakdown of third-party card fraud by type of transaction, fraud type and geographical zone – Acceptance (volume in thousands, value in EUR thousands) French issuer, Foreign SEPA issuer, Foreign non-SEPA issuer, French acquirer French acquirer French acquirer Volume Value Volume Value Volume Value Face-to-face payments and UPT 6.5 1,979.0 0.3 93.7 2.8 1,192.1 Lost or stolen cards 1. 0 207.6 0.1 63.7 1. 0 505.6 Intercepted cards 0.1 64.3 0.0 1. 3 0.0 0.4 Forged or counterfeit cards 0.1 56.6 0.0 5.8 1. 3 560.8 Misappropriated card numbers 0.4 34.4 0.2 20.9 0.3 100.5 Other 4.9 1,616.1 0.0 2.0 0.2 24.8 Remote payments excluding online 2.1 321.2 0.9 438.4 2.3 1,086.7 Lost or stolen cards 0.1 12.3 0.0 5.5 0.1 32.3 Intercepted cards 0.0 1. 4 0.0 0.0 0.0 0.3 Forged or counterfeit cards 0.0 2.0 0.0 3.9 0.4 159.7 Misappropriated card numbers 1. 8 286.3 0.9 426.0 1. 8 860.5 Other 0.2 19.6 0.0 3.0 0.0 33.9 Remote payments online 2.4 849.0 1. 2 500.4 3.8 1,124.9 Lost or stolen cards 0.1 29.0 0.0 0.8 0.1 16.9 Intercepted cards 0.0 3.1 0.0 1. 2 0.0 1. 7 Forged or counterfeit cards 0.1 4.2 0.0 10.5 0.8 167.8 Misappropriated card numbers 1. 9 659.1 1. 2 480.6 2.9 926.1 Other 0.3 153.6 0.0 7. 3 0.0 12.4 Withdrawals 0.8 107.0 0.0 0.0 0.3 107.3 Lost or stolen cards 0.4 61.4 0.0 0.0 0.0 0.0 Intercepted cards 0.4 41.1 0.0 0.0 0.0 0.0 Forged or counterfeit cards 0.0 0.0 0.0 0.0 0.3 103.1 Misappropriated card numbers 0.0 4.5 0.0 0.0 0.0 0.0 Other 0.0 0.0 0.0 0.0 0.0 4.2 Total 11.8 3,256.2 2.4 1,032.5 9.2 3,511.0 Source: Observatory for the Security of Payment Means. Note: SEPA – Single Euro Payments Area; UPT – unattended payment terminal.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 125 126

APPENDIX 6 Fraud statisticsfor cheques Fraud statisticsfor direct debits Fraud statistics for credit transfers Total Falsification Counterfeiting Theft, loss(fake, apocryphal) Total SEPA outsideFrance France Total Non-SEPA SEPA outsideFrance France Note: SEPA –SingleEuroPayments Area. for ofPayment theSecurity Means. Source: Observatory Note: SEPA –SingleEuroPayments Area. for ofPayment theSecurity Means. Source: Observatory Source: Observatory for ofPayment theSecurity Means. Source: Observatory (amount inEUR,shareofamount%,volume inunits,average amountinEUR) T17 (amount inEUR,share%) T16 (amount inEUR,share%) T15 Misappropriation, replay ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 Breakdown byfraudtypein2018 Geographical breakdownofdirectdebitfraud Geographical breakdownofcredittransferfraud 252,890,727 450,108,464 145,737,424 36,739,051 14,741,262 Amount 58,346,253 44,399,031 56,882,385 31,359,143 13,946,376 97,307,108 Amount Amount 9,065,580 Share 100 33 56 8 3 2018 2018 166,421 138,358 Volume 17,178 8,092 2,793 18 Share Share 100 100 24 58 32 76 10 Average amount 2,704 8,483 4,540 1,827 5,277 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 APPENDIX 6

2015-17 card fraud data – correction

Due to a misinterpretation of the Observatory’s methodology by a reporting institution, certain data previously published in the Observatory’s annual reports have been corrected. As a result, the domestic fraud (French card and French acceptor) amounts for 2015, 2016 and 2017 have been revised upwards by EUR 19.4 million, EUR 27.4 million and EUR 26.8 million, respectively. The following tables and charts present the various corrections made to the figures published for 2015, 2016 and 2017 based on the amended domestic fraud amounts.

T18 Corrected fraud figures for 2015 to 2017 (EUR millions) 2015 2016 2017 French card – French acceptor 244.4 244.5 226.5 o/w face-to-face and UPT 43.4 33.6 35.8 o/w remote payments excluding online 9.1 9.3 7. 4 o/w remote payments online 152.0 165.7 148.7 o/w withdrawals 39.9 35.9 34.6 French card – French and foreign SEPA and non-SEPA acceptors 435.7 426.4 387.4 French and foreign cards – French and foreign SEPA and non-SEPA acceptors 542.3 544.8 493.8 Source: Observatory for the Security of Payment Means. Note: UPT – unattended payment terminal; SEPA – Single Euro Payments Area.

C1 Change in fraud figures, after correction, for 2015 to 2017 (EUR millions) 600

500

400

300

200

100

0 2007 2008 2009 2010 2 011 2012 2013 2014 2015 2016 2017 French fraud after correction French fraud prior to correction French card fraud after correction French and foreign card fraud prior to correction French and foreign card fraud after correction French and foreign card fraud prior to correction

Source: Observatory for the Security of Payment Means.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 127 128

APPENDIX 6 Domestic fraud rate –French card, French acceptor Fraud rate –French andforeign cards andFrench andforeign SEPA andnon-SEPA acceptors Fraud rate –French cards andFrench andforeign SEPA andnon-SEPA acceptors Source: Observatory for ofPayment theSecurity Means. Source: Observatory (%) C2 Note: UPT–unattended payment terminal;SEPA –SingleEuroPayments Area. for ofPayment theSecurity Means. Source: Observatory (%) T19 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 o/w withdrawals o/w remote o/w face-to-face andUPT Change infraudrate,after correction, for2015 to2017 Corrected fraudratefor2015 to2017 0.020 0.030 0.040 0.050 0.060 0.070 0.080 0.090 2007 French cardfraudpriortocorrection French cardfraudafter correction French andforeigncardfraudpriortocorrection Domestic fraudafter correction Domestic fraudpriortocorrection French andforeigncardfraudafter correction 2008 2009 2010 011 2 2012 2013 2014 2015 2016 2017 0.044 0.033 0.244 0.085 0.074 0.012 2015 18 0.009 0.042 0.029 0.241 0.081 0.068 2016 0.009 0.037 0.027 0.069 0.058 0.190 2017 ANNUAL REPORTOFTHE OBSERVATORY FORTHESECURITY OFPAYMENT MEANS –20 18 APPENDIX 6

C3 Change in domestic fraud rate by transaction type, after correction, for 2015 to 2017 (%) 0.350

0.300

0.250

0.200

0.150

0.100

0.050

0.000 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 Fraud on face-to-face payments prior to correction Fraud on face-to-face payments after correction Fraud on remote payments prior to correction Fraud on remote payments after correction Fraud on withdrawals prior to correction Fraud on withdrawals after correction

Source: Observatory for the Security of Payment Means.

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 129

Published by Banque de France 39 rue Croix-des-Petits-Champs 75001 Paris

Managing Editor Nathalie Aufauvre Director General, Financial Stability and Market Operations Banque de France

Editor-in-Chief Valérie Fasquelle Director of Payment Systems and Market Infrastructure Banque de France

Editorial Secretariat Véronique Bugaj, Olivier Catau, Guylène Chotard, Caroline Corcy, Tony Dare, Bernard Darrius, Florian Dintilhac, Christelle Guiheneuc, Trân Huynh, Julien Lasalle, Lucas Nozahic, Scott Oldale, Alexandre Stervinou, Mathieu Vileyn

Technical production Studio Creation Press and Communication Directorate Banque de France

Contact Observatory for the Security of Payment Means 011-2323 31 rue Croix-des-Petits-Champs The Annual Report of the Observatory 75049 Paris Cedex 01 for the Security of Payment Means can be downloaded for free on the Banque de France’s Website website (www.banque-france.fr). www.observatoire-paiements.fr

ANNUAL REPORT OF THE OBSERVATORY FOR THE SECURITY OF PAYMENT MEANS – 2018 131