Post on 26-Jul-2015
GET READY FOR EMV AND CARD NOT PRESENT FRAUD
September 9, 2014
iovation and CEB TowerGroup
2 © COPYRIGHT • IOVATION 2 © COPYRIGHT • IOVATION
TODAY’S SPEAKERS
• Scott Olson Vice President of Product iovation
• Brian Riley Senior Research Director, Retail Banking CEB Tower Group
EMV IMPLEMENTION: A Partial Solution to Fraud Management
FINANCIAL SERVICES PRACTICE
CEB TOWERGROUP RETAIL BANKING
September 2014
Brian Riley Senior Research Director Retail Banking
4 © 2014 The Corporate Executive Board Company. All Rights Reserved.
CEB TowerGroup Research
RO AD M AP F O R T HE P RE S E NTAT I O N
Q&A EMV Is Not the “Silver Bullet” Background Fundamental
Change
5 © 2014 The Corporate Executive Board Company. All Rights Reserved.
CARDS S P E NDI NG W I L L E X CE E D $26 T R I L L I O N BY 2018 Global card transaction
volume will double between 2012 and 2018. • Transactions for
American Express, Discover, JCB, MasterCard, Union Pay, Visa card and electronic payments will account for 35 of the gross global domestic product (GDP)
• Developing economies in APAC, MEA and LAC transactions will more than double.
• Mature economies such as Canada, Europe and US will experience between 60%and 72% growth.
2012: $4.2 2018: $7.2
US
2012: $.6 2018: $1.2
LAC
2012: $.5 2018: $.8
CA
2012: $.6 2018: $1.2
MEA
2012: $.6 2018: $1.2
APAC
Source: Nilson
2012: $13.3 2018: $26.9
Worldwide Branded Card Transaction Volume by Major Market in USD Trillions, 2012-2018
CEB TowerGroup Research
6 © 2014 The Corporate Executive Board Company. All Rights Reserved.
M ARKE T S FACE D I F F E RE NT CHAL L E NG E S
Low cost telephony in the US allowed card issuers to require authorization on all transactions.
US Develops Logical Controls, Other Markets Rely on Physical Controls Magnetic Strips and Smart Cards Disrupt Interoperability
Markets outside the US often incurred communication expenses that were 8 to 10 times the cost of a US transaction made it less profitable to authorize transactions.
The ability to identify counterfeit fraud varied significantly, as US issuers were able to identify high risk transactions, in contrast to markets without the reconnaissance from online systems.
An effective countermeasure developed outside of the US which provided a tool for real time authentication.
The market now contends with two formats that do not interact in a cohesive manner.
Credit Cards in Nascent Form, Primarily US, UK,
AU
Mass Market US Growth, Global
Rollout to developed economies by local banks
Credit Loss and Fraud Begins to Gain Scale
Counterfeit and Unauthorized Fraud
Begins to Grow
Real Time Transaction Authorization Becomes Common in US Market
Non-US FIs find Telecom Costs Too Expensive for All Accounts, while US
runs at 100%
ISO Standards Developed for Payment Cards, EU Market Fast to adopt
US Market Reject Smart Cards, Master Predictive
Analytics
Market is Split into Mag-Stripe and Chip Worlds
1970
1980-90
1980
1991
1985 1985
1990-95 2012
SOURCE: CEB
CEB TowerGroup Research
7 © 2014 The Corporate Executive Board Company. All Rights Reserved.
E M V T E R M I N A L I Z AT I O N I N U S L A G S G L O B A L T R E N D
SOURCE: EMVCO, CEB
<1% of cards <10% OF terminals
CEB TowerGroup Research
8 © 2014 The Corporate Executive Board Company. All Rights Reserved.
F R A U D M A N A G E M E N T R E Q U I R E S A L AY E R E D A P P R O A C H
Physical • PCI DSS • Card Features • EMV
Logical • Adaptive
Analytics • Business Rules • Link Analysis • Predictive
Scoring • Profiling • Transaction
Monitoring
Procedural • Awareness • Enforcement • Policies • Rules
CEB TowerGroup Research
9 © 2014 The Corporate Executive Board Company. All Rights Reserved.
CEB TowerGroup Research
RO AD M AP F O R T HE P RE S E NTAT I O N
Q&A EMV Is Not the “Silver Bullet” Background Fundamental
Change
10 © 2014 The Corporate Executive Board Company. All Rights Reserved.
D E V E L O P M E N T S I N I N P U T F O R M AT S C H A N G E W I T H E M V
SOURCE: EMVCO, SMITHSONIAN, CEB
Transaction Vehicles: 1955 to 2014
Embossed Card Magnetic Stripe Chip Card Paper Card Stock
Transcribe data Impress Card Information Stream of Data Real Time Interaction
New Card Formats Require New Acceptance Devices
11 © 2014 The Corporate Executive Board Company. All Rights Reserved.
I S O S TA N D A R D S A R E E S S E N T I A L I N A G L O B A L B U S I N E S S
CEB TowerGroup Research
12 © 2014 The Corporate Executive Board Company. All Rights Reserved.
S TA N D A R D I Z E D E M V C H I P H A S E X PA N S I O N C A PA B I L I T Y
SOURCE: INDIAN INSTITUTE OF TECHNOLOGY, CEB
13 © 2014 The Corporate Executive Board Company. All Rights Reserved.
I M P L E M E N TAT I O N D AT E S A R E F I R M ( B U T M I G H T S L I P )
DATE MILESTONE
October 2012
Merchants with Compliant Terminals Receive PCI Audit Relief
April 2013 (MC & V) October 2013 (D)
Acquirers & Processors EMV Functionality
April 2013 (MC) October 2015 (V)
ATM Counterfeit Liability Shift
October 2015 Point of Sale Liability Shift (Excluding Automated Fuel Dispensers)
October 2017 Automated Fuel Dispensers
SOURCE: CEB TOWERGROUP
14 © 2014 The Corporate Executive Board Company. All Rights Reserved.
T H E L I A B I L I T Y S H I F T C R E AT E S N E W I S S U E R R I S K
Liability for Unauthorized Transaction
CARDHOLDER ISSUER PROCESSOR MERCHANT
Before October 2015
No Liability
Place Onus on Merchant to Prove Customer Identity
Refer Issue to Merchant for Resolution but Ultimately Accountable
Responsible for Confirming Authorized Use
After October 2015 Liability falls on Least Compliant Party
SOURCE: CEB TOWERGROUP
15 © 2014 The Corporate Executive Board Company. All Rights Reserved.
I S S UE RS M US T E S TABL I S H RO L L O UT P RO CE DURE S
Large issuers that handle their own platforms have flexibility in selecting their implementation strategies; smaller issuers might just align with strategies offered by their service companies.
Networks Mandate Liability but Do Not Make Issuing Requirements
Issuers Must Choose an Implementation Strategy
Strategic Designs Require Forethought Big Bang Phase In Targeted Rollout
Scope All Accounts Reissue Date Selected Segments first (int’l travelers, High Spenders, Early Adopters)
Cost Highest Initial Cost
Spread out over N months
Large
Benefits Consistency Cost Segmentation
Vision Simplicity Ease Product Feature
•EMV implementation can be used as a strategic tool to illustrate an issuer’s ability to adapt to a more technically driven market.
SOURCE: CEB TOWERGROUP
16 © 2014 The Corporate Executive Board Company. All Rights Reserved.
O R G A N I Z E D C H A O S F O R A L L : E M V PA I N P O I N T S
Cardholders (650 million US cards) • New payment card that must stay in the machine during authorization • Improperly trained sales staff • Fall-back positions that might require magnetic stripe processing
Merchants (2+ million US terminals) • Training high turn-over staff on new transaction requirements • Confused customers blocking the point of sale • Dispute handling
Processors (15 major Processors) • Merchant training • EMV chargeback and dispute coding
Issuers (12 major, 6,500 regional, community, and credit unions) • Reissuance strategies • Dispute processing • Staff training • Customer training
SOURCE: CEB TOWERGROUP
17 © 2014 The Corporate Executive Board Company. All Rights Reserved.
Source: Financial Fraud Action UK
E M V I M P L E M E NTAT I O N: T HE UK E X P E RI E NCE
EMV became fully functional in the United Kingdom in 2006.
EMV Proved to be Effective Against Certain Types of Fraud Card Not Present Transactions is the Weakest Link
Major Fraud Components as a Percent of Total Fraud
67%
10%
8%
13%
2%
29%
26%
7%
27%
11%
0% 10% 20% 30% 40% 50% 60% 70% 80%
Card Not Present
Counterfeit
Identity Theft
Lost/Stolen
Not Received
2003 2013
•During the observation period between 2003 and 2013, counterfeit fraud as a percent of total fraud plummeted from 26% of all fraud to 10%.
•In the same period, Card Not Present fraud skyrocketed from 29% to 67%.
CEB TowerGroup Research
18 © 2014 The Corporate Executive Board Company. All Rights Reserved.
RO AD M AP F O R T HE P RE S E NTAT I O N
Q&A EMV Is Not the “Silver Bullet” Background Fundamental
Change
CEB TowerGroup Research
19 © 2014 The Corporate Executive Board Company. All Rights Reserved.
E M V O N LY P R O T E C T S A S I N G L E R I S K A R E A
• Card Data • File Backups • Repositories
Data at Rest
• Point of Interaction • Card Present • Card Not Present
Data in Use • Online Access • Transaction
Processing
Data in Motion
EMV replaces static card data with technology capable of providing cryptographic authentication
CEB TowerGroup Research
Fraud Risk Impacts Data in Each of Its Three States
20 © 2014 The Corporate Executive Board Company. All Rights Reserved.
T H E T I P O F T H E I C E B E R G : E M V O N LY P R O T E C T S A G A I N S T C O U N T E R F E I T F R A U D
Data Breaches
Unauthorized Use
First Party Fraud
Counterfeit Fraud
Lost and Stolen Cards
Friendly Fraud
Merchant Fraud
Unidentified Fraud
21 © 2014 The Corporate Executive Board Company. All Rights Reserved.
C A R D N O T P R E S E N T T R A N S A C T I O N S : AT R I S K
SOURCE: CEB
61 65 69 73 78 84 89 93
101
10 11
12 14
15 17
20 24
28
0
20
40
60
80
100
120
140
2012 2013 2014 2015 2016 2017 2018 2019 2020
Card Present Card Not Present
Projected Growth in Internet Transactions Calls for a more sophisticated approach to online payments Number of Transactions in Billions, 2012-2020 (P)
CEB TowerGroup Research
22 © 2014 The Corporate Executive Board Company. All Rights Reserved.
CEB TowerGroup Research
RO AD M AP F O R T HE P RE S E NTAT I O N
Q&A EMV Is Not the “Silver Bullet” Background Fundamental
Change
23 © 2014 The Corporate Executive Board Company. All Rights Reserved.
TA K E AWAY S
CEB TowerGroup Research
Squeezing the Balloon
Fraudsters Will Find the Next Weakest Spot
1. EMV Adoption is long overdue in the US market, where we operate with an easy to copy, easy to read static account number.
2. EMV addresses a minor component of fraud; it does not address data in motion or data in use.
3. Card issuers should not expect to receive benefits from EMV in the US market for the next 4-5 years.
4. EMV is an industry mandate; failure to conform will push liability to the least compliant party.
5. As has been seen in other markets, such as mature adopters like the United Kingdom, fraudsters will shift their efforts to the next weakest spot in the ecosystem, which will most likely be card not present fraud.
24 © 2014 The Corporate Executive Board Company. All Rights Reserved.
E I G H T E M V TA L K I N G P O I N T S
1. EMV implementation will help reduce counterfeit fraud (a minor problem in the US); Issuers will not likely receive benefits before 2020, despite a 2015 implementation
2. The US market has been passive aggressive for 20 years because the cost of implementation exceeds the cost of fraud expense.
3. This implementation of EMV is likely the first in a series of steps to improve digital security.
4. The biggest industry gain is to ensure interoperability of the card networks.
5. Cost of magnetic stripe cards: 15-30 cents; cost of an EMV card, $2-3.
6. The liability shift is used to get banks motivated towards EMV implementation; in the current world, disputed transactions fall on the merchant shoulders. After the EMV 10/15 cutover, it will fall to the least compliant party.
7. Expect plenty of frustration at the point of sale, in the back office and from cardholders.
8. EMV is a logical step for the card industry but other solutions are still necessary to protect from data breaches and unauthorized use; CNP fraud is a key risk area.
CEB TowerGroup Research
Fight CNP Fraud with Device Reputation
September 9, 2014
Scott Olson, VP of Product, iovation
26 © COPYRIGHT • IOVATION 26 © COPYRIGHT • IOVATION
From smartphones to gaming consoles, if a device can access the Internet, iovation will recognize it.
Iovation mobile eCommerce traffic increased from 3.2% to 33.6% in 3 years.
RECOGNIZING EVERY DEVICE
27 © COPYRIGHT • IOVATION 27 © COPYRIGHT • IOVATION
WHAT IS DEVICE REPUTATION?
1. IDENTIFICATION
2. EVIDENCE
3. ASSOCIATIONS
4. ANOMALIES
Has anyone seen this device?
Has the device abused other businesses?
Is the device tied to known bad devices?
What anomalies may indicate risk?
This round-trip takes about 300 milliseconds!
28 © COPYRIGHT • IOVATION 28 © COPYRIGHT • IOVATION
DEVICE REPUTATION AUTHORITY
Total Reputation Checks
Known Devices
Verified Frauds
Reputation Checks per Day
Incidents Stopped per Day
Active Fraud Analysts
14 Billion
2 Billion
18 Million
10 Million
200,000
3,000
29 © COPYRIGHT • IOVATION 29 © COPYRIGHT • IOVATION
VALUE OF SHARING
Sharing automatically gives you access to fraud evidence placed by other iovation clients.
3X INCREASE IN FRAUD CATCH
4X INCREASE IN FRAUD CATCH
30 © COPYRIGHT • IOVATION 30 © COPYRIGHT • IOVATION
• Protect points of risk across your customer’s site. ‒ Payment/checkout
• Protects against chargebacks resulting
from account takeover or identity theft.
‒ Checkout/order submission,
order tracking
• Protects against payment , shipping fraud
‒ Login, account creation, account
update; retrieve/reset password
• Protects against account takeover
PROTECTION AT CNP TOUCH POINTS
31 © COPYRIGHT • IOVATION 31 © COPYRIGHT • IOVATION
Electronics Retailer Stopped 25% More Fraud Challenge
‒ Fraudsters constant evolve new techniques to escape detection
‒ Use of stolen payment credentials to purchase goods
‒ Difficulty shutting down international fraud rings
Solution ‒ Find and link previously unrelated fraud accounts
‒ Reduce manual reviews by fine-tuning business rules
‒ Use specific device characteristics to identify fraud and high-risk transactions
Results
‒ 25% reduction in fraudulent online shipments ‒ Reduced reviews and gained operational efficiency
‒ Increased fraud detection using fraud evidence from related businesses
CNP USE CASE: ONLINE ELECTRONIC RETAILER
32 © COPYRIGHT • IOVATION 32 © COPYRIGHT • IOVATION
AT&T Performing Arts Center Cuts Ticket Fraud, Gains 318% ROI
Challenge
‒ $55,000+ losses in nine months from chargebacks
‒ Difficulty winning chargeback battles, wasting staff time and resources
‒ Fraudulent broker activity disrupted customer experience
Solution ‒ Proactive identification of fraudulent ticket brokers
‒ Seamless post-integration with not delay in transaction process
‒ Intuitive and user-friendly interface for fraud managers
Results ‒ $50,000+ savings in one year from reduced chargebacks fraud loss
‒ 318% ROI with device reputation
‒ Stopped repeat offenders from purchasing tickets
CNP USE CASE: ONLINE TICKETING
Thank You