LCQ10: Measures to prevent stealing of credit card account information for online purchases
***********************************************************

     Following is a question by the Hon Christopher Cheung and a written reply by the Secretary for Financial Services and the Treasury, Professor K C Chan, in the Legislative Council today (May 20):

Question:

     The total number of credit card accounts in Hong Kong was as high as 17 million in the fourth quarter of last year while the population in Hong Kong stood at 7.26 million in the same period, representing that each member of the public had, on average, more than two credit cards, which indicated that the penetration rate of credit cards was quite high. Moreover, while online shopping has become increasingly popular at present, it has been reported that some lawbreakers, exploiting the security loopholes in credit card online payment systems, made online purchases using stolen credit card account information. In this connection, will the Government inform this Council:

(1) of the number of reports received by the Police on credit card account information being stolen and used for online purchases, the number of such cases detected, the total amount of money involved and the number of persons arrested, in each of the past three years;

(2) as I have learnt that newly issued credit cards these days are pre-set with the function for online transactions, whether the Hong Kong Monetary Authority (HKMA) will ask card-issuing banks to require that the online transaction function of credit cards will be activated only after the relevant cardholders have completed a confirmation process; if HKMA will, of the implementation time; if not, the reasons for that; and

(3) as there may be loopholes in the security measures of some shopping web sites at present, such as online purchases requiring only the provision of the credit card number, the year and month of card expiry, the cardholder's name and the verification code on the back of the card for payment by credit cards, whether HKMA will require card-issuing banks to enhance the authentication process for online purchases by credit cards, such as introducing a two-factor authentication; if HKMA will, of the details; if not, the reasons for that?

Reply:

President,

(1) The Police do not maintain a statistical breakdown for crime cases involving stolen credit cards for online purchases.

(2) The Hong Kong Monetary Authority (HKMA) has been concerned about fraudsters using stolen credit card information for online shopping, and has required card issuing banks to send notifications to cardholders via Short Message Service when they have identified high risk online transactions so as to facilitate cardholders to detect promptly suspicious transactions. The HKMA is discussing with the banking industry how to enhance and expand the scope and channels of notifications for online transactions.

     In addition, the HKMA notes that some cardholders can perform online credit card transactions only after the function for such transactions is activated in advance. However, the operation of that function is affected by certain factors. For example, in the event that a cardholder has not activated the function but the merchant has misclassified the cardholder's non-online transaction as an online transaction, the relevant non-online transaction would be rejected. In view of this, the HKMA is considering with the banking industry whether the effectiveness of the relevant arrangement can be enhanced, and whether it is appropriate for banks to offer similar arrangements to more cardholders.

(3) According to the HKMA's understanding, some card issuing banks now support additional authentication security measures (e.g. Verified by Visa and MasterCard SecureCode) for online credit card transactions. In fact, whether an online credit card transaction requires additional authentication also depends on the readiness of merchants' systems and the requirement of merchants for cardholders to provide additional authentication information when transactions are being executed.

     As there are still some merchants (both overseas and local) not having systems to support the above security measures and not requiring cardholders to provide additional authentication information, the HKMA is gathering information from the banking industry on how to encourage local merchants to enhance their systems to support such measures and require cardholders to provide additional authentication information, to step up efforts in educating cardholders about the features and use of the relevant measures, and to explore the enhancement of card issuing banks' support for such measures.

Ends/Wednesday, May 20, 2015
Issued at HKT 16:30
