Observatory of the security of payment means: Annual Report 2022

Published on 11 July 2023

The general increase in the use of cashless means of payment – a trend observed since the onslaught of the health crisis – has continued throughout 2022 (+8%). Within this trend, certain payment instruments have grown more than others. Contactless payments now account for more than six out of every ten card payments at point of sale. Mobile card payments continue to grow at a sustained rate (up 137% to almost 6% of payments at point of sale), and instant transfers are up 85%.

Chapter 1 of this report, which presents statistical trends on usage and fraud in cashless means of payment, shows a general improvement in security. Overall, despite the growth in flows, fraud fell by 4% in terms of both volume and value, amounting to losses of EUR 1.19 billion. However, trends differ depending on the means of payment:

  • The payment card, which is further consolidating its status as the main payment means for everyday use, has seen its fraud rate fall to 0.053% (from 0.059% in 2021), the lowest level ever recorded by the Observatory. This historic result is the fruit of the significant improvement in the security of payments over the internet, which have benefited for more than a year now from the strong authentication rules introduced by the second European Payments Services Directive (PSD 2). Compared with 2019, when these rules had not yet been implemented, the fraud rate for card payments over the internet has fallen by a third, to 0.165%. Following the initial trends observed in 2021, these figures confirm the very positive results brought about by the implementation of strong authentication for payments over the internet. The report does, however, highlight the still relatively high fraud rate for mobile payments at point of sale (0.061%), which, although down from 2021, is still six times higher than for all card payments at point of sale. This is mainly due to vulnerabilities in the e-wallet enrolment processes, which do not always involve strong authentication of the cardholder under the control of the issuing institution.
  • The cheque fraud rate has also fallen, to 0.073% (from 0.079% in 2021), although it is still the highest fraud rate among all payment methods. The fall in cheque fraud, which comes against a backdrop of declining flows (-8%), marks the first positive results of the Observatory’s action plan adopted in 2021. The new systems for monitoring the cashing of cheques, deployed by banking institutions a number of years ago, are also contributing to this trend. Given the persistently high levels of fraud, users must remain vigilant and efforts must be sustained by industry players. Further progress is expected towards making the postal delivery of cheque books more secure and towards simplifying the procedures for cancelling lost or stolen cheques.
  • Transfers recorded a new annual increase in value defrauded (+9%), while the fraud rate for this instrument remained extremely low (0.001%), highlighting the significant value of the total amounts exchanged through it; credit transfers are the main payment instrument used by businesses and public authorities. Nevertheless, the amount of fraud linked to credit transfers has more than tripled in five years, rising from EUR 78 million in 2017 to EUR 313 million in 2022. While large companies and public authorities continue to be affected, individuals and small businesses were the main victims in 2022. In fact, 70% of the value of fraudulent transfers was initiated from online banking interfaces, which are mainly used by individuals and small businesses. On the other hand, the Observatory is pleased to note that the fraud rate for instant transfers has remained stable (0.044%), which is lower than that for cards, and that the use of instant transfers is set to increase over the next few years. To meet these new security challenges, the Observatory will launch work in September 2023 to identify additional measures to combat credit transfer fraud and accelerate their implementation on the French market.

In the remainder of the report, the Observatory makes a number of recommendations in response to changes in payment practices and fraud techniques.

  • Against a backdrop of general improvement, 2022 was marked by the development of scam techniques and operating methods based on manipulation, in particular those based on a telephone call impersonating bank staff seeking to deceive a customer. Using various means to gain control over their victims, fraudsters are able to elicit the strong authentication of fraudulent transactions. Under these circumstances, victims may have encountered difficulties in obtaining reimbursement from their banks. In response to these frauds, which affect all customer profiles, the Observatory issued a set of 13 recommendations in May 2023 aimed at improving reimbursements to victims while stepping up fraud prevention and combating actions by all the players involved (Chapter 2). The Observatory will closely monitor their implementation, with the support of the French Prudential Supervision and Resolution Authority (ACPR – Autorité de contrôle prudentiel et de résolution) as part of its remit to monitor commercial practices. An initial assessment will be drawn up and published at the end of 2024. It is essential that consumers are assured that their complaints will be dealt with rigorously, so as to reinforce the feeling that they too are fully benefiting from the collective progress made in the fight against fraud.
  • Drawing on its ongoing technology monitoring work, the Observatory also makes a number of recommendations on the use of devices (such as mobile phones and tablets) as card payment terminals (Chapter 3). These solutions, which are very much in the minority and still often in the experimental stage, are beginning to appear on the French market. In 2016, the Observatory highlighted the fact that mobile phones remained a weak link in the security of mobile payment solutions. In 2022, increasing the technical security of these new acceptance solutions is now possible, as long as they are duly audited and certified. However, the Observatory calls on merchants to remain particularly cautious, rigorous and selective when deploying these new “consumer” terminals, so as to maintain the same high standards as for terminals dedicated to electronic payments, as these have proven their safety and robustness in payments with mobile phones. Merchants using this type of “mass market” terminal must also provide an alternative for visually impaired people, who cannot always use the touch screens and virtual keyboards of these solutions.
  • The Observatory’s work during 2022 on strong authentication for online payments is included in Chapter 4. The report provides detailed data on cardholder equipment and online payments for the first time. These highlight the clear path towards progress in strengthening the security of payments over the internet, particularly for so-called “MIT” transactions (merchant initiated transactions) and certain transactions exempt from strong authentication not using 3D-Secure-type authentication protocols. The guidelines published in this report should contribute to a more secure and compliant use of the strong authentication exemption protocols based on transaction risk analysis. Against a backdrop of rapidly evolving payment methods and ever-changing threats, the Observatory remains committed to ensuring the security of all payment methods, guaranteeing for all users, from individuals to businesses, genuine freedom of choice in their day-to-day payments. In its work programme for 2023-2024, the Observatory will focus in particular on intensifying dialogue with the telecommunications sector, which has a key role to play in preventing the risks of identity theft and contributing to the fight against payment fraud

Updated on 5 June 2024