Since the earliest days, payment fraud has existed, from fake conch shells, gold-covered lead bars, forged banknotes and coins, fake cheques, and cheque guarantee cards, to cloned debit cards and fake ecommerce transactions. Criminals always try to find a way of defrauding merchants, banks, and individuals. They also use payment systems to move the results of crime around and legitimise money by ‘laundering it’ – which means it has been ‘cleaned’ of its illegal origins by passing it through a legitimate bank

Encrypted Networks

Because of the risk of fraud and criminal activity, payment systems are normally highly encrypted, but it is not unknown for breaches to occur because of poor physical security or crypto security, or fraudulent activity by employees, either individually or with criminals. In fact, it is widely believed that most fraud originates inside institutions.

Card Fraud

Banks wishing to issue or acquire cards must undergo assessment of their internal and external risk management and fraud prevention processes before they are accepted into the scheme. Merchants wishing to join a card scheme undergo similar vetting.

There are several types of anti-fraud measures used by merchants, card schemes and banks, including:

  • ‘Cardholder-not-present’ transactions, normally conducted using ecommerce sites or over the telephone represent the greatest risk to merchants, issuing banks and acquiring banks. A criminal in possession of the card does not require the PIN to authenticate a transaction and can attempt to do so using the CVV2 number on the card. Online transactions have been subject to security checks, but these were sometimes circumnavigated by social conditioning and manipulation. Strong Customer Authentication (SCA) and EMV 3D Secure processes prevent such fraud;
  • The CVV (Card Verification value) acts as a security system. The CVV2 code is a three- or four-digit number, usually on the back of the card that is used in ‘cardholder-not-present’ transactions to prove that the user has the card. (CVV1 code is in the card’s magnetic stripe that is used in ‘swipe’ card readers and ATMs less frequently than it was);
  • Merchants can use an AVS (Address Verification System) that verifies the cardholder’s address at the issuing bank;
  • Chip & PIN is a secure method of preventing fraud, where the cardholder must enter the correct PIN to authenticate the transaction.


Payment Card Industry Data Security Standards (PCI DSS) are a set of technical and operational rules for any organisation that accepts or processes card transactions, as well as manufacturers and developers who produce devices or software used in these transactions. It is governed by the major card schemes and ensures that cardholder information is transmitted, stored, and handled securely. It requires any business taking or involved with taking card payments to comply with the rules.

PCI DSS requires, amongst many requirements, that card numbers are not shown in full, often showing the last four digits of the number and not displaying PINs to bank employees.