Risk assessment for EMV cards
The IPS requirements relate primarily to off-line monitoring; other monitoring options are not mandatory at present. The bank should therefore develop its own risk management policy for the PS and choose the monitoring system that matches that policy, rather than simply deploying the most feature-rich technical solution currently on the market. It is also necessary to strike an acceptable balance between the following indicators:
* wrongly restricting transactions that are not in fact fraudulent;
* missing fraudulent transactions;
* the number of alerts the monitoring system raises about operations that are not fraudulent;
* the magnitude of risk in the PS, taking into account the operation of the monitoring system and the decisions made on its basis.
Features of monitoring some operations
1. Operations in different countries within a given time interval. Transactions on a counterfeit card used in a country other than the one where the client himself is transacting can be detected by a monitoring system. To assess whether it is physically possible for the client to have been in two countries at the times of two transactions, take into account:
* the distance between the cities where the transactions took place;
* the minimum time needed to travel between the two points.
If the time between the operations is too short for the genuine holder to travel from one point to the other, then fraud on a counterfeit card is taking place.
2. Unauthorized fraudulent transactions on counterfeit cards. Unsuccessful attempts to perform operations on counterfeit cards are a kind of "gift" from fraudsters: the fact of fraud is detected by the monitoring system and measures are taken, while the client's account is not affected.
3. Operations at ATMs using salary cards. To date, cash withdrawals at ATMs account for the majority of all transactions (over 90%), and the cards are often issued under salary projects. It therefore frequently happens that the client uses the card as a kind of "savings book": money simply accumulates in the account and is then withdrawn from ATMs over a short period. Judged as behaviour uncharacteristic of a cardholder, these operations could be regarded as fraudulent, although in fact they are not.
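As an added example of the check in item 1 (this code is not from the original text), the following Python function flags a pair of authorizations on one card when the time between them is shorter than the minimum travel time between the two cities. The city coordinates, the assumed 900 km/h upper bound on travel speed and the sample authorizations are all constructed for this illustration.

```python
import math
from datetime import datetime

# Assumed upper bound on door-to-door travel speed (km/h); a policy parameter
# chosen for this example, not a value from the source text.
MAX_SPEED_KMH = 900.0

# Constructed coordinates (latitude, longitude) for the cities in the sample.
CITY_COORDS = {
    "Moscow": (55.7558, 37.6173),
    "Istanbul": (41.0082, 28.9784),
    "New York": (40.7128, -74.0060),
}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def min_travel_hours(city_a, city_b):
    """Minimum time the genuine holder needs to get from city_a to city_b."""
    return haversine_km(CITY_COORDS[city_a], CITY_COORDS[city_b]) / MAX_SPEED_KMH

def impossible_travel(auth_a, auth_b):
    """True when the gap between two authorizations is shorter than the minimum
    travel time between their cities, i.e. a counterfeit-card signal."""
    first, second = sorted((auth_a, auth_b), key=lambda x: x["time"])
    elapsed_h = (second["time"] - first["time"]).total_seconds() / 3600.0
    return min_travel_hours(first["city"], second["city"]) > elapsed_h

# Constructed sample authorizations for one card (same day, times in UTC).
SAMPLE = [
    {"city": "Moscow", "time": datetime(2024, 3, 1, 10, 0)},
    {"city": "Istanbul", "time": datetime(2024, 3, 1, 11, 0)},  # 1 h later, ~1750 km away
    {"city": "New York", "time": datetime(2024, 3, 1, 20, 0)},  # 10 h after Moscow
]

if __name__ == "__main__":
    print(impossible_travel(SAMPLE[0], SAMPLE[1]))  # True: Istanbul is unreachable in 1 h
    print(impossible_travel(SAMPLE[0], SAMPLE[2]))  # False: 10 h is enough for ~7500 km
```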
Conclusion
The PS transaction monitoring system should be a mandatory element of the set of measures taken to ensure information security. To manage fraud-related risks in the PS, it is necessary to organize a continuous process of collecting and analyzing statistics, on the basis of which risks can be assessed, measures taken to treat them, and the effect of those decisions on the magnitude of risk formally evaluated.
Application of numerical methods for risk assessment during monitoring
Monitoring is undoubtedly a very effective way to control fraud and reduce banks' potential losses. Under the requirements of the international payment systems (IPS), issuers and acquirers must generate and analyze monitoring data on a daily basis.
In particular, Visa CEMEA prescribes 16 queries for issuers (on authorizations only) and 23 queries for acquirers: 9 on authorizations and 14 on transactions.
If the IPS requirements are fulfilled strictly, formally and impartially, then even with a relatively small number of cards (or merchants, on the acquiring side) the number of queries and reports will run to several dozen per day, which inevitably leads to a monstrous growth in unnecessary paperwork and staff.
Almost all currently known software solutions for the card business implement the Visa CEMEA mandatory monitoring requirements in one way or another, offering customers 39 or even more reports that do meet all the parameters but are terribly inconvenient to work with.
This section presents an original method of point scoring that solves several tasks at once:
1) formal compliance with the IPS requirements;
2) minimization of labour costs and document flow;
3) a monitoring and reporting system that actually works and detects suspicious transactions in a timely manner.
Since the vast majority of card transactions today are performed in real time (that is, they are authorized online), we focus solely on monitoring authorizations, purely in order to explain the basic idea of the numerical method; this does not reduce banks' obligations with respect to transaction monitoring. Accordingly, although the examples below are taken from the monitoring of an issuing bank's authorizations, the numerical methods described can be implemented in exactly the same way for acquiring, with one difference: whereas on the issuing side absolute values are used almost everywhere, for acquiring the IPS prescribe in some cases the ratio of absolute values to the average over a period of at least 90 calendar days. Computing averages over a period is not difficult, so numerical scoring can easily be implemented both for issuing and for acquiring, for the analysis of authorizations and of transactions.
So what is the problem? Under the IPS requirements, banks working with cards must generate and analyze several dozen reports daily, which is no easy task in itself, especially on the analysis side. Imagine, even with a small portfolio (2 to 3 thousand active cards), what kind of memory an employee analyzing the reports would need in order to notice that a card with the same number turned up in, say, reports number 1, 5 and 12. And if there are hundreds of thousands of active cards? What is to be done?
The solution is quite simple, yet it works and has proven to be effective and convenient.
Recall that issuers must "pass" each card through 16 queries: total transaction amount, total number of transactions, analysis of the ISO response code, MCC, high-risk countries, number of declines, transactions at a single merchant, analysis of POS Entry Mode (PEM), cross-border transactions, etc.
Let us try to assign a certain number of points to a card based on the result of each query. The logic is clear and simple: if there was 1 operation on the card, we give the card 1 point (or 10, as you prefer); if 2, then 2 (or 20, 25, 50); if 3, then 3 (or 30, 50, 100, as many as you like).
The main idea: the more operations, the more points. The larger the amount of an operation, the more points. The more declines, the more points. The dependence need not be linear, but it must be monotonic: as the number (or amount) of authorization requests (or declines) grows, the number of points scored by the card grows.
Acquiring is a complete analogue, except that terminal identifiers (ATMs, electronic POS terminals, imprinters) take the place of card numbers.
Thus, if we pass the cards through all 16 mandatory queries, assign each card a number of points per query on the principle "the worse, the more points", and then sum the 16 values obtained for each card, the cards that are the most "unfavourable" and require attention and analysis will accumulate the highest totals.
Note that the minimum and maximum columns hold integer values (of the integer or long type), so a boundary value never appears in two adjacent intervals; when constructing the query, therefore, non-strict inequalities (>= and <=) must be used on both sides.
All other mandatory queries concerning the amounts and the number of authorization requests are constructed in exactly the same way. For analyzing authorization amounts, it is recommended to use the equivalent in a single currency, selecting the appropriate field from the authorization message stored in the front-end system's table. Experience shows that it is better to use the US dollar equivalent of the authorization request amount for issuer monitoring (since one bank's cards can be used almost anywhere in the world); for acquiring monitoring.
Weights are assigned in exactly the same way for queries such as the number of declines and the amount of card transactions at terminals whose POS Entry Mode differs from "90" (formally, this broadens the IPS query requirement somewhat, which states that only operations performed with POS entry mode "02" or "01" should be detected, expressed as a percentage).
What about the queries that require analyzing card activity in high-risk countries and at merchants with high-risk MCCs? The proposed solution is as follows. Create the corresponding tables, for example tblMCC and tblCountries.
It goes without saying that the MCC values and the ISO country codes in the corresponding tables must be unique (duplicates are not allowed).
The lists of high-risk countries and MCCs are published in the relevant IPS publications and are sent to issuers and acquirers quarterly with updates. It is this quarterly IPS data that serves as the reliable source for updating the weight tables for MCCs and high-risk countries.
All other formal IPS requirements for generating mandatory reports are implemented the same way: a query is built for each of them whose output is two columns, the first containing the card number and the second the number of points the card scored in that query.
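The scoring scheme described in this section, written out as an added Python example (not code from the original text): each query contributes points per card, the contributions are summed and the cards are ranked worst first. The weight tables, the dictionaries standing in for tblMCC and tblCountries, and the authorization log are all constructed for the illustration; interval bounds are inclusive integers, so the lookup uses non-strict inequalities on both sides.

```python
from collections import defaultdict

# Constructed weight tables: inclusive integer [lo, hi] intervals (the "minimum"
# and "maximum" columns), so the lookup uses non-strict inequalities on both sides.
COUNT_WEIGHTS = [(1, 1, 10), (2, 3, 25), (4, 10**9, 50)]            # number of authorizations
AMOUNT_WEIGHTS = [(0, 500, 0), (501, 2000, 20), (2001, 10**9, 60)]  # total amount, USD
DECLINE_WEIGHTS = [(0, 0, 0), (1, 2, 15), (3, 10**9, 40)]           # response codes other than "00"
HIGH_RISK_MCC = {"7995": 30, "6011": 20}     # stands in for tblMCC (constructed values)
HIGH_RISK_COUNTRY = {"NGA": 25, "IDN": 25}   # stands in for tblCountries (constructed values)
PEM_WEIGHT = 15                              # per authorization with POS entry mode != "90"

def interval_weight(table, value):
    """Points for value from an interval table; 0 if no interval matches."""
    for lo, hi, weight in table:
        if lo <= value <= hi:
            return weight
    return 0

def score_cards(auths):
    """Sum the points of every query per card and rank cards, highest score first.
    auths rows: (card, amount_usd, response_code, mcc, country, pos_entry_mode)."""
    acc = defaultdict(lambda: {"n": 0, "amount": 0.0, "declines": 0, "extra": 0})
    for card, amount, rc, mcc, country, pem in auths:
        s = acc[card]
        s["n"] += 1
        s["amount"] += amount
        s["declines"] += int(rc != "00")
        s["extra"] += HIGH_RISK_MCC.get(mcc, 0) + HIGH_RISK_COUNTRY.get(country, 0)
        s["extra"] += PEM_WEIGHT if pem != "90" else 0
    totals = {card: interval_weight(COUNT_WEIGHTS, s["n"])
                    + interval_weight(AMOUNT_WEIGHTS, int(s["amount"]))
                    + interval_weight(DECLINE_WEIGHTS, s["declines"])
                    + s["extra"]
              for card, s in acc.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

# Constructed one-day issuer authorization log (test PANs, not real cards).
AUTHS = [
    ("4000000000000001", 120.0, "00", "5411", "RUS", "90"),
    ("4000000000000001", 80.0, "00", "5812", "RUS", "90"),
    ("4000000000000002", 900.0, "00", "7995", "NGA", "01"),
    ("4000000000000002", 1500.0, "05", "7995", "NGA", "01"),
    ("4000000000000002", 300.0, "05", "6011", "NGA", "02"),
    ("4000000000000002", 50.0, "51", "5411", "RUS", "90"),
    ("4000000000000003", 40.0, "00", "5411", "RUS", "90"),
]
if __name__ == "__main__":
    for card, points in score_cards(AUTHS):
        print(card, points)  # ...0002 scores 350, ...0001 25, ...0003 10
```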