ASC X9 Card-not-Present Fraud Mitigation in the U.S. Overview ...

ASC X9 Card-not-Present Fraud Mitigation in the U.S. Overview ...

ASC X9 Card-not-Present Fraud Mitigation in the U.S. Overview of March 2018 Technical Report November 2, 2018 12:00 1:00 PM ET Susan Pandy, Ph.D., Director, Payment Strategies Federal Reserve Bank of Boston Adam Marzolf, Director, eCommerce Fraud Risk, Best Buy Andrew McGloin, Sr. Director, N. America Risk, Visa Agenda Rationale for a Technical Report Audience: Merchants, acquirers, issuers, payment networks, online payment service providers Purpose and Scope Key issues covered in Technical Report Protect against Data Theft Landscape of CNP Fraud Attacks Detect and Prevent CNP Fraud: Stakeholder Tools & Approaches Respond: Implement Adaptive CNP Fraud Mitigation Model Discussion

2 Increasing U.S. E-commerce/Mcommerce Desktop Mobile % share of ecommerce 9.6% of Total U.S. Retail Sales in Q2 2018 from e-Commerce $500 $ Billions Mobile 22.7% 25% $450 19.9% $400

$101.0 $350 16.1% $300 11.7% $31.5 $250 $200 $150 $100 $20.1 9.8% $72.5 15% $49.2

$24.7 10.5% $186 $211 2012 2013 20% 10% $237 $256 2014 2015 $292

$336 5% $50 $0 2016 2017 0% Source: U.S. Department of Commerce,Census Bureau 2018, ComScore, and eMarketer 3 CNP Fraud Trends CNP vs. POS Fraud 20102016 4 TR Objectives and Scope

Provide information to CNP industry stakeholders to understand, prevent, detect and manage risk and fraud Help stakeholders understand: 1) Landscape of CNP fraud attacks (e.g., vulnerabilities) 2) How to protect against data theft 3) How to detect and prevent CNP fraud using mitigation tools and processes 4) How to respond and implement an adaptive CNP fraud mitigation model. Provide a benchmark checklist of the CNP mitigation tools, procedures, and strategies for effective CNP fraud mitigation 5 First Line of Defense: Protect Against Data Theft Provides baseline guidelines to data protection modeled after NISTs Framework for Improving Critical Infrastructure Cybersecurity Emphasize role of data security in CNP fraud mitigation 1. Identify, control and protect sensitive data (e.g., cardholder data and sensitive authentication data) 2. Use tokenization and encryption to protect data at rest or in transit 3. Identify and secure systems, networks, facilities used to process

sensitive data 4. Identify roles with access to sensitive data and apply controls 5. Manage third party, processor, and vendor risk 6. Demonstrate senior management commitment, leadership and accountability 6 Landscape of CNP Fraud Attacks Malware/spyware attacks Botnet and scripted attacks (a form of malware) Identity testing or velocity attacks Spoofing attacks Account takeover attacks New account or application fraud Call center fraud attacks 7 Landscape of CNP Fraud Attacks (Continued)

Malware and spyware attacks Malware records a users activity to gain access to sensitive credentials or login information, which is then used to make fraudulent purchases if payment data is captured Includes Man-in-the-Middle (MiTM) or Man-in-the Browser (MiTB) attacks Spyware Rogue program code installs itself on a users PC or mobile device without the users knowledge or consent and reports device usage and Internet activity to the attacker Social engineering Used to gain initial access to a customer account (with merchant) to request changes to the contact information 8 Landscape of CNP Fraud Attacks (Cont.) Botnet and scripted attacks

Bots pretend to be legitimate traffic by masking their true context Basic bot attack can perform velocity-based functions and account validation attacks to monetize stolen ID data Complex botnet attacks use more advanced methods to spoof IP addresses, emulate browsers, or spoof applications Large and well-known retailers often subject to relentless botnet and other scripted attacks Digital goods are often a prime target, given the immediacy of the transaction, as well as luxury goods Detecting and preventing botnet and scripted attacks User identity and behavioral analytics; global shared intelligence, web application firewalls 9 Landscape of CNP Fraud Attacks (Cont.) Identity testing or velocity attacks Fraudsters test stolen payment credentials with online/m-commerce sites (a.k.a., card testing, card probing, or account validation attacks) Detecting and preventing identity testing or velocity attacks

Velocity checking tools/data elements (e.g., email, device ID, billing address, shipping address, phone number, IP address, IP geolocation, PAN) Transaction monitoring Strong authentication and validation tools Spoofing attacks (e.g., IP address or mobile phone number) Fraudster or program falsifies data to gain access (e.g., ID data, geolocation, device, IP address, or using a MiTB or bot attack to spoof a website, mobile app or device, phone number, or a call center) Preventing and Detecting Spoofing Attacks Spoofing detection software, cryptographic network protocols, KYC, and strong customer authentication 10 Landscape of CNP Fraud Attacks (Cont.) Account Takeover Attacks Fraudsters use stolen consumer login credentials to access consumer online accounts and steal PII to change account settings and take over the account to make purchases using the consumers payment information that is stored on file Different from ATO attacks that target consumer financial accounts through

online or mobile banking, which are not within the scope of this TR Detect and Prevent ATO Attacks Critical to quickly and accurately detect fraudulent logins to protect customers and brand reputation without creating friction with legitimate users Prevent unauthorized access and malicious account changes Login history management Behavioral analytics and risk scoring Machine learning Multifactor authentication Customer service 11 Landscape of CNP Fraud Attacks (Cont.) New Account/Application Fraud A consumers stolen/compromised PII, synthetic identities, or compromised PANs are used (with malware, phishing, or bots) to open new accounts or access online services to open new accounts or to obtain lines of credit without the consumers consent 2016 Javelin Strategy & Research Study showed new account fraud is growing rapidly and more than doubled in 2015 with PII stolen from 1.5 million consumers used to create fraudulent checking, credit card, loan, and other accounts

Preventing and Detecting New Account/Application Fraud Employ integrated suite of real-time defenses at the time and channel of application Real-time processes for ID verification and out-of-wallet authentication Apply different fraud mitigation solutions to different types of fraud, and robust leveraging of internal and external data sources, supported by appropriate analytics Employ strong KYC methods and practices Tools include: Fraud detection software, botnet detection, authentication and ID verification (KYC), behavioral biometrics, machine learning 12 Landscape of CNP Fraud Attacks (Cont.) Call Center Fraud Attacks Stakeholders need to be aware of types of social engineering attacks targeting call centers as fraudsters often target susceptible agents Requires enhanced security controls and policies, including policies to prevent insider fraud (e.g., background checks, cameras, other controls for CSRs) Preventing and Detecting Call Center Fraud Phone printing: can detect illegitimate/fraudulent callers (similar to device fingerprinting) Voice recognition technology Uses software to analyze callers voice and validate its authenticity by matching to a known

voice (e.g., recorded on previous phone calls or interactions) Businesses may also maintain a database of known fraudulent voiceprints and identify when software is being used to change a voice Replace the traditional knowledge verification process Do not rely on traditional knowledge-based authentication questions to challenge the identity of the customer (e.g., date of birth, mailing address, or other easily obtainable personal information) Integrate call center systems and customer relationship management (CRM) solutions to enhance customer behavior analytics Designate specific fraud-trained individuals within your call center 13 Detect and Prevent CNP Fraud: Stakeholder Tools & Approaches This section discusses the types of tools and approaches, including authentication methods that can be used to address CNP transaction fraud for merchants, acquirers or processors, issuers, payment gateways, and payment card networks 14 MERCHANT Tools & Approaches

Begin with comprehensive assessment and robust analysis of customer and transaction history data to fully understand their customer base and fraud in relation to their business With this understanding of the data, develop a comprehensive fraud detection strategy, based on the merchants overall risk tolerance, which will depend on the type of industry, transaction/dollar volume, and other factors Cornerstone of any strategy is to create flexible rules and models to differentiate legitimate transactions from potentially fraudulent ones A sound fraud detection strategy considers multiple layers of data elements (e.g., IP geolocation, multi-merchant transaction histories, global delivery address, and phone number verification) Many fraud detection strategies will include an automated and manual process for monitoring and reviewing transactions Merchants should also continually adjust and refine an existing strategy by analyzing previous transactions to identify the most useful fraud management

settings 15 Merchant Tools & Approaches (Cont.) Authentication Transaction monitoring and customer validation services Manual review fraud prevention Order online and pick-up merchandise in store Mail or telephone order (MOTO) Summary recommendations Understand your data Understand your business and the types of products that are high risk Know your fraud rates and fraud loss rates Understand how your fraud tools talk to each other (e.g., device ID and behavioral analytics) Most important fraud tools Leverage industry resources Deploy a data security solution Seek solutions that offer collaboration services between merchants and issuers to combat fraud 16

MERCHANT ACQUIRER Tools & Approaches Merchant acquirer Risk management, reporting tools and transactional risk scoring Merchant acquirer summary recommendations Manage, monitor and analyze customer payments and fraud data effectively Given the fast-changing nature of fraud, timely access to high quality data and comprehensive view of customer behavior across channels are critical to fraud detection and prevention underpinning well-informed, tailored, and adaptive fraud management strategies Implement adequate tools to support effective fraud management Real-time interdiction/decisioning and user-friendly interfaces are the most needed capabilities Machine learning models are preferred over predictive models and rules-based systems that rely heavily on known fraud types 17

PAYMENT GATEWAY Tools & Approaches Provide infrastructure to enable merchants to accept payment card and e-check payments from websites, MOTO, call centers, and retail and mobile locations in secure fashion Provide tools/solutions to help merchants manually submit transactions, protect their business/customers from fraud, secure online access to transaction records so merchants can track sales, and customer support Other tools include transaction fraud screening to identify, manage, and prevent suspicious and potentially costly fraudulent transactions using customizable, rules-based filters and tools Offer merchant integration to instantly analyze a large volume of data to determine if a transaction is fraudulent or not and examine transactions across an entire network of sites, including device fingerprinting and more May also offer security tools such as encryption and tokenization

Many are also integrated with the payment card network EMV 3DS programs Offer a broad range of rules-based filters to merchants to help evaluate CNP transactions: AVS, CSC, card issuing country, Device fingerprinting, geo IP tracking, Negative database Velocity filters and dollar amount thresholds (e.g., set max/min dollar and risk amounts) 18 ISSUER Tools & Approaches Issuers seek to optimize transaction approvals while minimizing fraud risk. It is imperative to balance approvals with suspected fraud declines to identify and eliminate potentially fraudulent transactions Fraud mitigation strategies vary substantially based on customer base, customer service policies and objectives, and risk management policies and objectives Payment transaction authentication analytics Customer authentication/cardholder verification (3DS and biometrics)

Payment Card Authentication PAN, card security code, expiry date, street address/zip code, compromised card list Payment Transaction Fraud Risk Analysis (Rules-based models) Portfolio segmentation, MCC, geography, transaction velocity New account risk, transaction size, spending patterns / anomaly analysis Electronic fingerprints such as Device ID/IP address/MAC address Transaction scoring 19 ISSUER Tools & Approaches (Cont.) Cardholder Controls and Issuer Alerts Front-end programs to engage cardholders to validate suspicious transactions and represent opportunity to prevent a string of fraud losses Issuer alerts Some card networks mandate that their issuers offer consumers opt-in alerts via email, text, or push notifications for potentially fraudulent transactions

Payment card network alert programs for issuers For issuers that have not created in-house alert programs, some card networks have programs available as a paid service to comply with the mandate enabling both large and small issuers to offer these security features Cardholder controls Allow customers to create their own notification parameters based on criteria such as dollar amount, geography 20 ISSUER Tools & Approaches (Cont.) Post-transaction Analysis

Manual review Manual reviews of previous fraud and or high risk transactions are an important component of an issuers fraud strategy Common points of purchase analysis (CPP) Proactive fraud management tool to help identify probable merchant locations responsible for stolen PANs via skimming or other type of data breach Account profile changes Routinely monitor cardholders online accounts for potential ATO fraud Any changes to customer account data fields such as billing address or contact info may indicate potential fraud Lost and stolen payment card list Cardholders usually contact their issuer when they recognize fraudulent activity on their account statement or lose their payment card, in which the issuer may deactivate or replaces the payment card Continual adjustment of fraud rules Most effective fraud rules provide layers of coverage within the overall CNP fraud mitigation strategy (e.g., fundamental rules such as dollar or velocity thresholds, basic rules to address local trends, and more complex rules to prevent catastrophes) 21 CARD NETWORK Tools & Approaches Most card networks offer tools to industry stakeholders to help prevent, detect, and manage CNP fraud Card networks see all the transaction data from their brand enabling them to recognize fraud patterns across

wide geographies, product categories, and stakeholder groups Data provides a robust view of cardholder behavior based on historical usage, allowing networks to develop a detailed profile of normal account usage over time, across channels (CNP, card-present, recurring, etc.), and by transaction type 22 CARD NETWORK Tools & Approaches (Cont.) Payment Card Network Authentication EMV 3-Domain Secure Designed to make online payments more secure by enabling an issuer to authenticate its cardholders to ensure payments are made by the legitimate owner of the account Authentication happens during the online checkout process before authorization, and is enabled by a separate platform and separate set of messages Authentication can take many forms (e.g. one-time password, biometric, or risk-based authentication (RBA)) RBA uses contextual information to help assess the risk of a transaction and allows issuer to authenticate its cardholders without requesting additional info Biometrics Increasing availability and consumer acceptance is also supporting additional

multifactor authentication options Biometrics are being leveraged more as the default method of user authentication (distinct from transaction authentication) for customers with devices that it Fingerprint and facial recognition enable consumers to validate their identity with their device in lieu of passwords 23 CARD NETWORK Tools & Approaches (Cont.) Transaction Authentication Validation of card security code (CSC or CVV) Address verification service (AVS) Transaction alerts Consumer transaction controls Tokenization services Automated billing account update services Authentication integrity (anti-spoofing, -replay) Enhanced authorization tools Transaction risk scoring Monitoring and Security: Second layer defense systems 24 Respond: Implement Adaptive CNP Fraud Mitigation Model

CNP attack methods continuously evolve Fraudsters aggressively test fraud mitigation strategies of merchants and issuers to expose vulnerabilities and take advantage of gaps Stakeholders need similar agility in their fraud mitigation tools and strategies To keep pace with the evolving nature of CNP fraud attacks, stakeholders need to shift from a reactive to an adaptive approach, striving for continual improvement in the efficiency and effectiveness of fraud mitigation strategies, policies, procedures, and tools Identify, Measure, and Track Key Metrics And Trends Identify key performance metrics and implementation of an ongoing process to analyze, report, and track these measurements over time Leverage these metrics to effectively and rapidly guide calibrations for fraud screening models and to identify opportunities for improvement Stakeholders must know their business and their data, identify their weaknesses and gaps, and address them 25 Respond: Implement Adaptive CNP Fraud Mitigation Model (Cont.) Merchants

Track trends in CNP fraud rates and losses in comparison to overall dollar and transaction volumes (Compare to industry averages in similar market segments) Track and analyze fraud by product, channel, delivery method, payment type, and geography Track trends in chargebacks in dollar and transaction volume and analyze by reason code Track cancellation rates to determine level of fraud mitigated or missed (in transaction and dollar volume) Issuers Track CNP fraud rate and loss trends compared to transaction and dollar volumes (Compare to industry averages in similar market segments) Analyze fraud by payment type (debit or credit), geography, MCC, and, where appropriate, to the individual merchant Track and analyze correlations between approved transactions with AVS exceptions or CSC mismatches to transactions that were later confirmed fraudulent 26 Respond: Implement Adaptive CNP Fraud Mitigation Model (Cont.) Use Post-Transaction Analysis to Establish Fraud Feedback Loop

Merchants and issuers should research/analyze suspected/confirmed fraud for new attack methods that expose vulnerabilities Establish manual review process to research/analyze high risk/fraudulent transactions and chargebacks Review process will uncover new attack methods, vulnerabilities, and potential issues related to unauthorized access Establish formal process to ensure all newly identified fraud attack patterns are conveyed in a timely manner to the risk management professionals that develop and implement fraud mitigation strategies Monitor Industry Trends Stay current on industry-wide CNP fraud intelligence to identify new fraud trends and attacks and corresponding fraud mitigation strategies Leverage industry groups to identify best practices and other improvement opportunities and advice for effective fraud mitigation tools and techniques 27 Respond: Implement Adaptive CNP Fraud Mitigation Model (Cont.) Perform an Annual Assessment and Update of Strategies, Policies, And

Practices Periodically (at least annually) re-assess adequacy and effectiveness of each organizations key fraud risk mitigation strategies, policies, and practices Many changes occur throughout the year that can impact an organizations exposure and ability to mitigate fraud Review and Adjust the CNP Fraud Mitigation Plan and Models Review full CNP fraud mitigation strategy at least annually, regardless of frequency of fraud rule updates Review may start with updating fraud rules/risk scores assigned to data elements in current model Next step may be to identify and address any gaps in the data elements that are part of the fraud model Review and Update the Payment Information Security Plan Periodically review, update, and train impacted personnel on the payment information security plan Verify Third Party Providers/Vendors Meet Security Requirements Review and update list of third party providers, vendors, and processors with access to sensitive payment data or involved in the payment process Verify with legal counsel that appropriate contractual agreements and/or non-disclosure agreements are effect to ensure accountability for compliance with your information security and fraud mitigation controls

28 Questions & Discussion Download the full report at https:// webstore.ansi.org/RecordDetail.aspx?sku=ASC+X9+TR+48-2 018 Susan Pandy, Federal Reserve Bank of Boston [email protected] Adam Marzolf, Best Buy [email protected] Andrew McGloin, Visa [email protected] 29

Recently Viewed Presentations

  • Big Data Analytics

    Big Data Analytics

    the software team picks and chooses the appropriate set of work actions and tasks. ... A group of logically-related SE sub-activities in a software process is referred to as a . stage. ... A process is a systemised and logicalsequence...
  • Foundations of Biology

    Foundations of Biology

    On the question of human nature, we need a philosophical fresh start that cannot be provided by genomics alone. Alex Mauron. 2001. ESSAYS ON SCIENCE AND SOCIETY: Is the Genome the Secular Equivalent of the Soul? Science 291:831-832. ©2000 Timothy...
  • Capercaillie Skye Waulking Song

    Capercaillie Skye Waulking Song

    They play traditional folk instruments (uilleannn pipes, flute, fiddle, accordian & bouzouki) over more modern instruments like drums, keyboard & bass guitar. Their singer, Karen Matheson, mainly sings in Scots Gaelic. Their music is a . mix. of traditional Celtic...
  • Presenter Training Presenting in a Presentation  You will

    Presenter Training Presenting in a Presentation You will

    Make sure you printout the same PPT file that has been uploaded. In case your computer or internet connection fails, you can reference your slides while your Production Manager flips the slides for you. A wired internet connection. Wireless. can...
  • SPO Strategic 5 Year Plan Rev. 0 Judy Wente

    SPO Strategic 5 Year Plan Rev. 0 Judy Wente

    SPO Organization Chart-Summary . Procure AZ . Christy Garza. Technology . Joel Munter. Physical Commodities. Punit Chhabra. State Compliance Office. Jason Rutka
  • Rehabilitation Engineering Option Senior Capstone Design Projects that

    Rehabilitation Engineering Option Senior Capstone Design Projects that

    Instructor, ME Sr Design Asst Professor of Practice, BME [email protected]du [email protected] Department of Mechanical and Aerospace Engineering Senior Design: Course Format Fall Semester First ½-mester: ME 4900 'Capstone Design I' Project selection occurs in Week 4-5…some overlap.
  • EPLI Effective Practice Leadership Initiative

    EPLI Effective Practice Leadership Initiative

    Read the first paragraph and point out the "wiggle" words. Then stop and point out that IDEA helped to clarify what "maximum extent appropriate" meant by defining it further in the next paragraph. Point out, however, that that paragraph also...
  • Chapter 1: Starting a Project

    Chapter 1: Starting a Project

    Manage It! Your Guide to Modern, Pragmatic Project Management. Johanna Rothman . Chapter 9 - Maintaining Project Rhythm "Any project can develop a rhythm and then maintain it.