As I described in an earlier post, while doing research on expanding card fraud data collection in the Fed's upcoming 2016 triennial payments study, I came across a gap in publicly available detailed fraud data for the United States compared to what is available in other countries. Fortunately, prospective survey instruments accompanying the Federal Reserve Payments Study posted in the Federal Register for the upcoming study promise to remedy the problem. In particular, the Networks, Processors and Issuers Payments Surveys list the following fraud classifications; I've included capsule descriptions for each.

  • Lost card: Fraudulent payments result from the use of a lost card.
  • Stolen card: Fraudulent payments result from the use of a stolen card.
  • Card issued but not received: Fraudulent payments result from use of an intercepted new or replacement card in transit to a card holder.
  • Fraudulent application: Fraudulent payments result from a new card that is issued based on a falsified or stolen identity.
  • Counterfeit card: Fraud is perpetrated at the point of sale by someone using an altered or cloned card based on card account details fraudulently obtained.
  • Fraudulent use of account number: Fraud is perpetrated remotely (that is, via phone, mail, or Internet) using card account details fraudulently obtained.
  • Other (including account takeover): All other fraud not covered above. In particular, "other" covers a form of identity theft whereby an unauthorized party gains access to and use of an existing card account.

The last triennial payments study (2013) used a bifurcated classification, distinguishing only card-present and card-not-present fraud across various card payment types. If in its place we used a more detailed classification system, it could offer a richer understanding about whether fraud was perpetrated by gaining possession of an existing card, through a data breach, or through identity theft.

But even this level of specificity may not be enough. If we were to use only the detailed classifications I provide above to map card-present and card-not-present fraud data, we still might assume that card-present fraud encompasses all fraud except for fraudulent use of account number. So by extension, what is excluded must represent card-not-present fraud, right?

But we should not be so hasty in making such assumptions.

The rub is that how each fraudulent payment is classified can depend on the case management system the issuing bank uses. For example, suppose that the skimming of a card results in the rightful card holder reporting 10 fraudulent payments. Two payments are made at the point of sale and the other eight payments are made online. Using the definitions above, some case management systems would treat all of the payments as counterfeit card while other systems may flag two as counterfeit card and the others as fraudulent use of account number. Flagging all 10 of the payments as counterfeit card would lead to overstating the number of overall card-present fraud payments at the expense of understating card-not-present fraud. Without additional detail on where the payments were initiated, we would be uncertain about the shares of card-present and card-not-present fraud.

So given the tradeoffs and trying to anticipate fraud reporting needs in the future, would it not be better to retain and possibly improve existing measurements of fraud while offering other complementary measurements to fill in the gaps? Making this more concrete, I proffer that we should be interested in the distribution of how the card or card information was obtained using the categories above as well as how the fraud was perpetrated by card entry mode and card verification methods. Being specific on the latter, we could report on fraud based on chip versus nonchip cards, point-of-sale payment versus remote payment, signature versus PIN authentication methods, and so forth. In fact, a closer review of the updated survey instruments for 2016 reveals that both survey approaches are used.
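The skimming scenario above, worked through as an added example (it is not code from the original post or from the survey instruments): the same 10 payments are labelled the way each kind of case management system would label them, and the card-present share inferred from the labels is compared with the share taken from a separately recorded channel. The `Payment` record, its field names and the two labelling functions are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Category names are the survey classifications listed in the post.
COUNTERFEIT = "Counterfeit card"
ACCOUNT_NUMBER = "Fraudulent use of account number"

@dataclass(frozen=True)
class Payment:            # hypothetical record layout, not a survey format
    case_id: str          # constructed id for the card holder's fraud report
    compromise: str       # how the card or card data was obtained
    channel: str          # where the payment was initiated: "pos" or "remote"

def skimming_case():
    """Constructed sample: one skimmed card, 2 point-of-sale and 8 online payments."""
    return ([Payment("case-1", COUNTERFEIT, "pos")] * 2
            + [Payment("case-1", COUNTERFEIT, "remote")] * 8)

def label_per_case(p):
    """System A: every payment in the case keeps the case-level category."""
    return p.compromise

def label_per_payment(p):
    """System B: remote use of the skimmed details is flagged by how it was used."""
    if p.compromise == COUNTERFEIT and p.channel == "remote":
        return ACCOUNT_NUMBER
    return p.compromise

def inferred_split(payments, labeller):
    """The tempting mapping: anything not ACCOUNT_NUMBER counts as card-present."""
    return dict(Counter(
        "card_not_present" if labeller(p) == ACCOUNT_NUMBER else "card_present"
        for p in payments))

def recorded_split(payments):
    """Split read from the recorded channel, independent of the fraud label."""
    return dict(Counter(
        "card_present" if p.channel == "pos" else "card_not_present"
        for p in payments))

def compromise_distribution(payments):
    """Distribution of how the card or card information was obtained."""
    return dict(Counter(p.compromise for p in payments))

if __name__ == "__main__":
    case = skimming_case()
    print("System A, inferred:", inferred_split(case, label_per_case))
    print("System B, inferred:", inferred_split(case, label_per_payment))
    print("Recorded channel:  ", recorded_split(case))
    print("How obtained:      ", compromise_distribution(case))
```

Keeping the compromise category and the channel as separate fields gives the same card-present and card-not-present counts whichever labelling convention the issuer's system applies.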

What suggestions do you have for classifying card fraud data? All comers are encouraged to respond to the Federal Register Notice.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed