In several posts I have touched on regional card blocking, often known as geo-blocking. What is it? Why is it done? How is it done? Where is it done? Does it work? In this post I will try to briefly answer these questions.
What is Geo-blocking?
Many European card-issuers have spent a lot of money issuing EMV (Chip and PIN) compliant cards. When a card present payment transaction takes place the terminal reads the EMV chip on the card, while it is authenticated by the cardholder's PIN (either online or offline). Geo-blocking is when an EMV card issuer blocks its cards from being used in certain countries or regions where magnetic stripe transactions are routinely performed. All EMV cards are blocked unless they are 'white-listed' (i.e. the card holder intends to travel to a high risk country/region).
Why is it done?
Most EMV cards still have a magnetic stripe on the back. This allows magnetic stripe transactions to take place (if the card issuer allows them). This means that if the card data from the magnetic stripe is illegally copied (or skimmed) it can be used to make cloned cards. These cloned cards can't be used to make card present transactions in EMV compliant regions, as the ATMs and payment terminals read the chip - which does not of course exist on a cloned card. Therefore the criminals are being forced to use these cloned cards at terminals in parts of the world where magnetic stripe transactions are still routinely conducted. The latest EAST European ATM Crime Report states that ATM related skimming losses are rising again - mainly outside Europe. One way of stopping such losses is to block the cards from usage in areas outside Europe deemed to be high risk - such as the USA.
How is it done?
Typically geo-blocking can be 'Opt-in' or 'Opt-out'. In some countries an EMV card issuer will explains the risks to its card holders and give them the opportunity to sign up and have their card blocked outside Europe. In other countries EMV card issuers will automatically block all their cards and the card holder can then request to 'opt-out'. In either scenario card holders wishing to travel to high risk areas can notify their bank and have their cards 'white-listed' for travel.
Where is it done?
EMV card issuers in an increasing number of European countries have implemented (or are in the process of implementing) geo-blocking. According to EAST Fraud Update 2/2012 "Six countries have introduced some form of geo-blocking by which payment cards are blocked for usage outside of designated EMV Chip liability shift areas." This number is expected to continue to rise.
Does it work?
When implemented, geo-blocking does appear to be reducing fraud losses for the EMV card issuers concerned. EAST Fraud Update 2/2012 also states that, with regard to geo-blocking, "The results continue to be extremely positive with significant falls in skimming incidents and skimming related losses reported." Why the drop in incidents as well as losses? Because once the criminals understand that EMV cards in a country or region or being blocked for usage in high risk areas, there is little point in trying to illegally obtain such card data.
What do you think? In 2010 EAST ran a website research poll on smart card security and 60% of the respondents agreed that some form of action should be taken: 28% felt that they would be happy to contact their bank to activate the stripe on their card before travelling outside Europe, 12% felt that they would be happy to carry a Chip only card, and to apply for a separate card should they need to travel outside Europe, and 20% were happy to do either. Now that geo-blocking is more widely in use EAST is running the same poll again. Take the EAST poll to express your view.