OmniShield™
Fraud Management: Are You Really Protected? October 12, 2011
© Copyright 2011 Vantiv, LLC. All rights reserved. Vantiv, the Vantiv logo and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. ® indicates USA registration.
Fraud Management: Are You Really Protected?
Executive Summary
For years, cybercriminals’ primary targets have been financial institutions. In recent years, U.S. financial institutions have borne the brunt of their attacks, because the European, Asian and Middle Eastern regions have adopted EMV technologies faster than the U.S. region. Recently, Visa® announced plans to offer financial incentives to merchants and payment processors to accelerate chip and PIN adoption. MasterCard® has increased its dialogue with larger financial institutions, sharing insights into its technology platform and helping issuers develop chip and PIN migration plans. Merchants and payment processors are adopting emerging technologies such as end-to-end encryption and tokenization to add a further layer of security to transactions and card data. Yet financial institutions still have an ever-increasing need to protect their cardholders and respond to their inquiries. They are challenged to invest adequately in fraud prevention and detection technologies, hire the expert resources needed to manage resolution and chargeback services, investigate card compromise events and interface with law enforcement agencies. In this light, financial institutions are electing to outsource these operational aspects of fraud management, along with some of the liability, to a service provider, enabling them to deliver a higher-quality service to their cardholders, reduce their exposure to fraud, and ultimately treat fraud more like a fixed expense.

Cybercrime Is Here to Stay
For years, card networks, processors, issuers, merchants, legislators and law enforcement have been working hard to meet consumer demand for easier access to funds and an almost unquenchable appetite for more sophisticated electronic purchase and payment tools, while insisting on the reliability, safety and security needed to protect identities and accounts. While this consumer demand presents new opportunities for financial institutions to develop new banking and credit products and services, it is not without its cyber challenges. Cybercriminals’ attacks are increasingly sophisticated, and cybercrime is very lucrative. “Carding” refers to the unauthorized use of credit and debit card information to fraudulently purchase goods and services. Cybercriminals, often known as “carders,” use online “carding forums” to facilitate the sale of stolen identity information, commonly referred to as “dumps” or “full infos.” These carding forums create a hierarchical organization of buyers, sellers and bosses, provide access to information about how to steal identity information, and offer the tools needed for hacking databases and stealing card data. The most valuable data contains full identity information, including addresses, Social Security numbers, credit and debit card numbers with track 1, track 2 and CVV2 values, credit history report, mother’s maiden name and other personal identifying information.[1]
[1] Data Breaches: What the Underground World of “Carding” Reveals. Kimberly Kiefer Peretti, U.S. Department of Justice, Computer Crime and Intellectual Property Section, forthcoming in Volume 25 of the Santa Clara Computer and High Technology Journal, 2008.
The common methods that carders use to steal information include skimming (card swipe), phishing (email), vishing (land line phone calls), smishing (cell phone SMS/texting) and pharming (redirecting web visitors to fake websites). They use these strategies to execute directed attacks against individuals, ATM operators and data processing companies. In recent years, they have diversified their operations to random attacks against specific high-volume companies using botnets, SQL injection, authentication bypass and vulnerability scans, and now include softer targets such as data in transit and a computer’s running memory. A Symantec study of underground economy servers found that the most frequently advertised item was bank account credentials (account numbers plus authentication information), and that credit or debit cardholder information can easily be sold for as much as $25 per record.[2] In 2010, Symantec reported a 93% increase in web attacks over 2009 and tracked 6,253 new vulnerabilities in 2010, more than in any previous year since its report began. Its analysis indicates that data breaches caused by hacking exposed an average of over 260,000 identities per breach, far more than any other source.[3]
U.S. Financial Institutions Remain the Primary Target
While global debit card fraud has remained relatively consistent over the last three years, increasing only slightly from 2.9 basis points (bps) in the first quarter of 2008 to 3.3 bps in the fourth quarter of 2010, the regional focus of the cybercriminals has changed. The U.S. region has borne the most significant fraud increases, moving from 5.6 bps in 2010 to 6.4 bps in 2011.[4] In 4Q 2010 alone, U.S. financial institutions incurred 73% of global issuing fraud.[5]
Counterfeit and Card-Not-Present are the Fastest Growing
The fastest-growing card fraud types in the U.S. region continue to be counterfeit and card-not-present (mail, phone and internet).[6] Cybercriminals continuously target merchant systems that are not adequately secured, knowing that they can operate remotely with limited risk of capture by law enforcement agencies. They favor card-not-present and counterfeit card schemes.
The financial sector remains the most heavily targeted by phishing attacks, accounting for 74% of the brands used in phishing campaigns.
According to MasterCard Worldwide, in the fourth quarter of 2010, 79% of total global fraud was associated with card-not-present and counterfeit fraud, an increase of 14% compared with the fourth quarter of 2009.[7] Then in 1Q 2010, the U.S. experienced a counterfeit fraud increase of 16% and a card-not-present fraud increase of 11%.[8]
[2] Symantec Corp., Report on the Underground Economy, November 2008.
[3] Symantec Corp., Internet Security Threat Report, Vol. 16.
[4] MasterCard Worldwide, Data Source: SAFE & QMR, September 2011.
[5] MasterCard Worldwide, Data Source: SAFE & QMR, April 2011.
[6] 2010 LexisNexis True Cost of Fraud Study.
[7] MasterCard Worldwide, Data Source: SAFE & QMR, April 2011.
[8] MasterCard Worldwide, Data Source: SAFE & QMR, April 2011.
When these figures are overlaid with MasterCard’s evidence that a compromised account is two to three times more likely to incur fraud in the six to 12 months after the breach,[9] the impact of a card-compromise event on a financial institution and its cardholders could be catastrophic. Such events have the potential to affect millions of account holders and cost billions of dollars each year.
Insights into Actual Fraud Losses are Incomplete
So, how extensive is the loss associated with card fraud? On an industry-wide scale, financial institutions typically reported mean fraud losses of 2% to 3% of total payment card volume, suggesting that they could be absorbing $5 billion to $11 billion in total fraud losses associated with resolving unauthorized retail transactions.[10]
Financial institutions are absorbing $5 billion to $11 billion in total fraud losses.

Yet, many financial institutions find that they really don’t have a comprehensive view of their own total fraud losses and can’t effectively answer this question. This is because fraud losses are often consolidated into a single general ledger account, preventing specific insight into card compromise-related losses.

In addition, most fraud-related reporting is manual and labor-intensive, which naturally invites errors and omissions. In some cases, network reporting is intentionally incomplete to minimize the negative brand perception associated with fraud. In many cases, institutions are not able to measure their losses accurately, which makes it difficult to budget appropriately for fraud management activities and loss reserve allocations. There is always the risk that the next card compromise could be the event that changes your revenues.
Protecting Payments by Adopting Chip and PIN Technology

Many law enforcement and industry experts have argued that the U.S. has become the prime target for cybercriminals because other countries are aggressively adopting chip and PIN technologies to fight fraud while the U.S. region is not, making it the easiest processing environment to breach. But rolling out chip and PIN technology in the U.S. is expensive and impacts all parties to a transaction: consumer, merchant, issuer and payment processor. Most analysts agree that it will require a collaborative effort and financial incentives to offset the technology investment and PCI DSS compliance costs.
[9] MasterCard Worldwide, Data Source: SAFE & QMR, April 2011.
[10] LexisNexis.
With this goal in mind, Visa and MasterCard continue their efforts toward industry adoption. In August 2011 Visa announced plans to accelerate the migration to contact chip and contactless EMV chip technology in the U.S., offering incentives to merchants to upgrade to EMV chip-enabled terminals; indicated that it may reduce certain compliance obligations if a merchant complies with certain EMV standards; issued requirements for acquirer processors to support chip acceptance; and introduced new U.S. liability shift policies for domestic and cross-border counterfeit transactions.[11] In April 2010, Aite Group analyst Julie McNelley conducted a survey of attendees at the MasterCard Academy of Risk Management (ARM) conference, which indicates that EMV is gaining momentum as a way to address the card security problem. The survey discovered that while malware is their number one concern, most of them expect that EMV will be the preferred response. In the words of the Aite executive summary, “…card industry executives no longer believe that EMV in the United States is a matter of ‘if’, but a matter of ‘when’. Risk management executives are also bullish on the prospect of near field communications (NFC) making inroads within the next few years.”[12] In June 2010, MasterCard Worldwide hosted a MasterCard EMV M/Chip Payment Solutions Symposium. The symposium presented the strategic rationale for migrating to MasterCard’s globally established M/Chip technology. The agenda focused on the EMV architecture, MasterCard’s M/Chip program and solution set, establishing migration objectives and an implementation from both the acquirer and issuer perspectives.[13]
Financial Institutions Struggle to Mitigate Fraud
As the momentum to deploy EMV technology in the U.S. region continues, technology companies are developing, and processors are deploying, merchant-oriented technologies such as end-to-end encryption and tokenization to help protect card data. These emerging technologies focus on securing or replacing the card number at each stage of processing: at the POS when the card is swiped, in the network in transit to the processor, and post-authorization in storage databases. While these technologies are necessary, they still leave financial institutions with the need to protect their cardholders and their institution. The primary areas in which you should focus your investment dollars are:
1. Prevention – using technology and processes to prevent fraudulent transactions before they occur
2. Detection – using technology to identify suspicious or high-risk transactions
3. Resolution – working with cardholders and networks to reduce losses
4. Investigation – working with law enforcement to identify and prosecute cybercriminals[14]
[11] Visa Bulletin, August 2011, http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf
[12] MasterCard, Is the U.S. Finally Ready for EMV? Theodore Iacobuzio, July 21, 2011, http://newsroom.mastercard.com/2011/07/21/isthe-u-s-finally-ready-for-emv/
[13] MasterCard Press Release, MasterCard Supports Customers’ Migration to Chip-Based Payment Solutions in the UAE, June 28, 2010, http://newsroom.mastercard.com/press-releases/mastercard-supports-customers-migration-to-chip-based-payment-solutions-in-the-uae/
[14] 2010 LexisNexis True Cost of Fraud Study.
Prevention and Detection Activities: Hire Experts Who Know the Signs
Prevention and Detection activities go hand in hand. Prevention activities are focused on using technology and processes to help prevent fraudulent transactions before they occur. There are many strategies that you can follow to proactively fight fraud, including:
• Require card activation
• Actively manage your card limits
• Set prudent expiration dates
• Implement smart authorization parameters
• Validate track data in the authorization process
• Educate your cardholders
[Figure: the four fraud management areas, Prevention, Detection, Resolution and Investigation.]
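As an added example (not code from the Vantiv paper), the following Python sketches what “validate track data in the authorization process” and “implement smart authorization parameters” look like on the issuer side. The Track 2 layout is the ISO 7813 format carried on the magnetic stripe; the card records, limits, amounts and track strings are constructed for illustration, and treating any stripe field that differs from the issuer’s own record as a counterfeit signal is the example’s choice, not a rule stated in the paper.

```python
"""Added example (not Vantiv's code): issuer-side validation of swiped
Track 2 data during authorization, plus a per-card daily spend parameter.
The card records, limits and track strings below are constructed."""
import re
from dataclasses import dataclass
from datetime import date

# ISO 7813 Track 2: ;PAN=YYMM SSS discretionary ?   (no spaces on the stripe)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?$")

@dataclass
class CardOnFile:
    """What the issuer has on record for a PAN (constructed fields)."""
    pan: str
    expiry: tuple          # (yyyy, mm) as encoded at issuance
    service_code: str      # the 3-digit code the issuer encoded on the stripe
    daily_limit: int       # cents
    activated: bool = True
    spent_today: int = 0

def luhn_ok(pan: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(track: str):
    """Return Track 2 fields as a dict, or None if malformed or Luhn fails."""
    m = TRACK2_RE.match(track)
    if not m or not luhn_ok(m["pan"]):
        return None
    return {"pan": m["pan"], "expiry": (2000 + int(m["yy"]), int(m["mm"])),
            "service_code": m["svc"], "discretionary": m["disc"]}

def authorize(track: str, amount: int, cards: dict, today: date):
    """Card-present authorization decision: returns (approved, reasons)."""
    t = parse_track2(track)
    if t is None:
        return False, ["malformed track data or Luhn failure"]
    card = cards.get(t["pan"])
    if card is None:
        return False, ["unknown PAN"]
    reasons = []
    if not card.activated:
        reasons.append("card not activated")
    # Every field on the stripe must match the issuer record. Counterfeits
    # re-encoded from stolen PAN/expiry lists often carry a guessed service
    # code, so a mismatch is treated here as a counterfeit signal.
    if t["expiry"] != card.expiry:
        reasons.append("track expiry differs from issuer record")
    if t["service_code"] != card.service_code:
        reasons.append("service code differs from issuer record (counterfeit?)")
    if t["expiry"] < (today.year, today.month):
        reasons.append("card expired")
    if card.spent_today + amount > card.daily_limit:     # authorization parameter
        reasons.append("daily limit exceeded")
    if reasons:
        return False, reasons
    card.spent_today += amount
    return True, []

# --- constructed sample data ------------------------------------------------
TODAY = date(2011, 10, 12)
GOOD_TRACK = ";4111111111111111=2512101123456789?"         # service code 101
COUNTERFEIT_TRACK = ";4111111111111111=2512201123456789?"  # guessed code 201
BAD_LUHN_TRACK = ";4111111111111112=2512101123456789?"     # PAN fails Luhn

def sample_cards() -> dict:
    return {"4111111111111111": CardOnFile("4111111111111111", (2025, 12), "101", 50_000)}

if __name__ == "__main__":
    cards = sample_cards()
    for trk, amt in [(GOOD_TRACK, 12_000), (COUNTERFEIT_TRACK, 12_000),
                     (BAD_LUHN_TRACK, 500), (GOOD_TRACK, 40_000)]:
        print(authorize(trk, amt, cards, TODAY))
```

Running the block approves the first swipe, declines the second because the service code on the stripe is not the one the issuer encoded, rejects the third as malformed, and declines the fourth because it would push the card past its daily limit.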
Detection activities are focused on using technology to identify suspicious or high-risk transactions. Again, financial institutions can take an active role to protect their cardholders by following these strategies:
• Monitor new fraud trends
• Review authorizations and verify suspicious transactions
• Review CAN/CAM network alerts
• Implement a 24/7 Lost/Stolen service
• Identify common points of compromise
• Follow issuing networks’ report guidelines
These activities require a significant and recurring investment in technology and in highly trained experts in fraud identification, or even cyber security. While you may recognize the need to invest significant resources to prevent and detect fraud, budgetary and resource challenges limit your ability to do so. You may be unsure how to determine the right amount to spend on technology and maintenance, where to find and hire the right experts, and how to allocate staff to the effort. As a result, a single person or team may take on this area of responsibility in addition to their primary job, and they may have:
• Limited time to spend on fraud-related activities
• Little to no insight into fraud activities
• No one to back them up while they are out of the office
• No opportunity for specialized training
• Limited access to key law enforcement officials, network and industry experts
This leaves your portfolio vulnerable at critical times and puts you at a severe disadvantage in defending against sophisticated cyber attacks.
Manage Your Cardholders’ Security Perceptions with Effective Chargeback Processes
Once fraud occurs, your cardholder chargeback programs take over. It is well known that cardholders are very sensitive to card fraud and reissue experiences. In fact, consumers cited credit and debit card fraud as their number one fear in the midst of the global financial crisis.[15] Your cardholders expect you to do everything you can to ensure the safety of their money. When they call you to ask for help or file a complaint that results in a chargeback, they expect you to put their funds back in their account immediately, and they expect their card to be reissued as quickly as possible without impacting their ability to make purchases. A negative experience with this process could change their perception of your institution and cause them to close their accounts. The 2010 LexisNexis True Cost of Fraud Study found that 18% of consumer fraud victims leave their issuer after becoming fraud victims.[16] As consumers have multiple payment choices, they are inclined to select what they perceive as the “most secure” option, making it critical for you to have efficient and transparent customer service processes and to make it easy for them to understand how you are protecting them. Zero-liability programs, 24/7 fraud-reporting services, next-day replacement of cards and fraud protection services are common offerings designed to give cardholders peace of mind and support the feeling of security.

Create Dedicated Fraud Resolution Teams

Many institutions, however, still find that they are not able to dedicate a team of people or invest in tools to support the recovery efforts. The resources assigned to these efforts may not have the necessary chargeback training and aren’t familiar with changing guidelines and regulations. They struggle to manage these dynamic environments effectively because they don’t have processes that continuously address network rules, track important deadlines and automate customer notification and reporting tasks.
Prioritize Network Chargebacks

Just as it is important for you to have timely processes in place to service your cardholders, it is critical for you to prioritize and complete the chargeback process quickly so you can recover your funds. The 2010 LexisNexis True Cost of Fraud Study found that many financial institutions are making cost-benefit decisions about whether to submit the chargeback request or simply absorb the cost of the claim. The reality is that the actual cost of managing and reclaiming funds can exceed the value of the claim.

Managing Card Compromise Events

Leveraging scalability, specialized technologies and expertise becomes even more critical when a large card compromise event occurs. When the issuing networks release lists of potentially compromised cards, it is critical that you quickly evaluate the severity of the compromise, the breadth of impact on your portfolio and the potential fraud loss for your cardholders so you can execute the best response strategy.
[15] Unisys Security Index, United States, March 2009.
[16] 2010 LexisNexis True Cost of Fraud Study, research provided by Javelin Strategy & Research, p. 20.
Unfortunately, many financial institutions have no guidelines or practices in place to objectively and consistently assess the severity of the event and, as a result, often take no action to protect their cardholders. They erroneously believe that the negative brand perception of a card reissue will do more harm than the current fraud potential. This is a big risk, increased by a lack of processes. Unless you can continuously monitor the number of times individual cards are listed on compromise reports, understand historical and real-time purchase history and incorporate other macro-level variables, you may be blind to the ongoing impact of the compromise on your portfolio. Without the right visibility and strong fraud management guidelines, this strategy could compound fraud losses, deplete fraud reserves and potentially impact the execution of other strategic business initiatives.

Create a Card Compromise Response Plan

To effectively manage a card compromise event, you should prepare a Card Compromise Response Plan that includes the mobilization of an internal task force. The task force should be responsible for:
• Initiating and overseeing impact-assessment activities
• Recommending cardholder notification and reissue strategies
• Executing the response strategies
• Interfacing with law enforcement agencies
• Conducting post-mortem impact analysis studies
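As an added example (not Vantiv’s own method or code), here is a Python sketch of two activities this paper names: “identify common points of compromise” from the detection list, and counting how often individual cards are listed on compromise reports so that reissue decisions can be prioritized. The transaction history, fraud dates and report contents are constructed; the 90-day lookback, the minimum of three affected cards per merchant and the two-listing threshold are assumed parameters, not figures from the paper.

```python
"""Added example (not Vantiv's code): common-point-of-purchase (CPP) analysis
over a constructed transaction history, and a count of compromise-report
listings per card to prioritize reissue. All data below is constructed."""
from collections import defaultdict
from datetime import date, timedelta

# (card_token, merchant_id, transaction_date); card numbers are tokenized
TRANSACTIONS = [
    ("tok01", "M-GAS-17", date(2011, 8, 2)),
    ("tok02", "M-GAS-17", date(2011, 8, 3)),
    ("tok03", "M-GAS-17", date(2011, 8, 5)),
    ("tok04", "M-GAS-17", date(2011, 8, 6)),
    ("tok05", "M-GAS-17", date(2011, 8, 7)),
    ("tok04", "M-GAS-17", date(2011, 4, 1)),    # outside the lookback window
    ("tok11", "M-GAS-17", date(2011, 9, 20)),
    ("tok01", "M-GROCERY-02", date(2011, 8, 10)),
    ("tok02", "M-GROCERY-02", date(2011, 8, 11)),
    ("tok06", "M-GROCERY-02", date(2011, 8, 12)),
    ("tok07", "M-GROCERY-02", date(2011, 8, 12)),
    ("tok08", "M-GROCERY-02", date(2011, 8, 13)),
    ("tok09", "M-GROCERY-02", date(2011, 8, 14)),
    ("tok10", "M-GROCERY-02", date(2011, 8, 15)),
    ("tok03", "M-CAFE-33", date(2011, 8, 20)),
]
# card_token -> date the first confirmed fraud was reported on that card
FRAUD_REPORTED = {
    "tok01": date(2011, 9, 1), "tok02": date(2011, 9, 3),
    "tok03": date(2011, 9, 5), "tok04": date(2011, 9, 10),
}
# (report_id, cards listed) as received from the networks; ids are made up
COMPROMISE_REPORTS = [
    ("RPT-0001", ["tok01", "tok02", "tok03", "tok05"]),
    ("RPT-0002", ["tok01", "tok03", "tok09"]),
    ("RPT-0003", ["tok01", "tok11"]),
]

def common_points_of_purchase(transactions, fraud_reported,
                              lookback_days=90, min_fraud_cards=3):
    """Rank merchants by the share of their cards that later saw fraud.
    A card counts toward a merchant if it transacted there within
    lookback_days before fraud was first reported on it.  Returns
    [(merchant, fraud_cards, all_cards, share), ...], best candidate first."""
    all_cards = defaultdict(set)
    fraud_cards = defaultdict(set)
    window = timedelta(days=lookback_days)
    for token, merchant, when in transactions:
        all_cards[merchant].add(token)
        first_fraud = fraud_reported.get(token)
        if first_fraud and timedelta(0) <= first_fraud - when <= window:
            fraud_cards[merchant].add(token)
    ranked = []
    for merchant, hits in fraud_cards.items():
        if len(hits) >= min_fraud_cards:        # ignore coincidental overlap
            share = round(len(hits) / len(all_cards[merchant]), 2)
            ranked.append((merchant, len(hits), len(all_cards[merchant]), share))
    ranked.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return ranked

def reissue_priority(reports, fraud_reported, listing_threshold=2):
    """Flag cards for reissue: any card with confirmed fraud, plus cards
    listed on at least listing_threshold separate compromise reports.
    Returns {token: (listings, fraud_confirmed)} ordered by urgency."""
    listings = defaultdict(int)
    for _, tokens in reports:
        for token in set(tokens):               # one count per report
            listings[token] += 1
    flagged = {}
    for token, n in listings.items():
        confirmed = token in fraud_reported
        if confirmed or n >= listing_threshold:
            flagged[token] = (n, confirmed)
    order = sorted(flagged.items(), key=lambda kv: (-kv[1][1], -kv[1][0], kv[0]))
    return dict(order)

if __name__ == "__main__":
    print(common_points_of_purchase(TRANSACTIONS, FRAUD_REPORTED))
    print(reissue_priority(COMPROMISE_REPORTS, FRAUD_REPORTED))
```

On this data the gas station stands out (four of its six cards later saw fraud) while the busy grocery store, which also served two of the fraud cards, stays below the threshold; the share against the merchant’s total card count is what keeps high-volume merchants from dominating the list. The reissue list puts tok01 first because it is both fraud-confirmed and listed on all three reports, while tok05, listed once with no fraud, is not flagged.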
Investigation
Your fraud management activities aren’t limited to returning your cardholders’ funds, reissuing their cards or resolving a chargeback request. Most states have laws that mandate breach reporting to local law enforcement, U.S. Secret Service agencies and consumer reporting agencies and require consumer notification. Once reported, you will need to support investigative activities to preserve critical evidence, assist undercover investigations and support prosecution efforts. Although critically important, these activities require a lot of time and attention.

Mobilize the Card Compromise Task Force

When compromise events happen, time is of the essence, and your Card Compromise Task Force should be mobilized quickly. The team can evaluate the impact the event could have on your cardholders and institution, make reissue decisions and interface with the necessary law enforcement and network resources.
You Still Own the Risk
As financial institutions continue to face increasing demands for high levels of investment in fraud management technologies, analytics and expert resources, there may not be a tangible return on investment to justify the expense. Experts are scarce, and technology is expensive. Even if you do make substantial investments, you still may not have a clear understanding of how you have reduced fraud occurrences or improved customer service. You continue to run the risk of fluctuating losses. There is the potential for underestimating annual fraud loss requirements, and you own all of the financial liability. Ultimately, your ability to invest in revenue-generating programs and new banking services may be impacted.
Selecting the Best Fraud Management Solutions
There are alternatives to building and managing fraud prevention programs internally. Outsourcing prevention, detection, chargeback and investigative services could allow you to enhance your customer service levels, budget fraud as more of a fixed cost, hand off the day-to-day management activities, and shift some of the financial liability to the experts.
OmniShield™: A Suite of Fraud Management Solutions with Financial Protection
Vantiv is intimately familiar with these challenges and, for years, we have been developing fraud prevention, detection and resolution solutions, all founded on our extensive industry experience, technology investment and law enforcement relationships. Our customers have protected themselves and their cardholders with our real-time decisioning and proactive fraud detection services, enhanced chargeback services, analytical tools and fraud reporting services. Still, the primary responsibility for training and support, customer service and the financial liability for fraud losses used to remain yours. Now, Vantiv is offering OmniShield, a fully outsourced fraud management solution that shifts the technology investment, staffing and resource development, chargeback and card compromise event management to us while providing your institution with financial protection.[17] With OmniShield, you can treat fraud more like a fixed business expense while we do the work for you:
• Manage fraud protection, detection and investigation activities
• Automate resolution and chargeback processes
• Oversee card compromise events and make card reissue recommendations
• Manage network reporting
• Create better accounting

“Vantiv is vigilant in finding new ways to anticipate our customers’ needs, and we are committed to doing the job right down to the very last detail,” said Royal Cole, President, Financial Institution Services at Vantiv. “Coupled with our focus on customer service, we can ensure that Vantiv is the whole package.”
“With OmniShield, I can finally budget fraud as a fixed cost. I don’t have to estimate a loss reserve for the year and hope I don’t exceed it. It is a relief to hand over the day-to-day operations to Vantiv and watch from the sidelines.”* ~Gary Edelen, SVP, Jefferson County Federal Credit Union
We keep up with the latest technology: We consistently update it, and we are good at managing it. We have access to your cardholder data, and we have all the expertise and experience necessary to protect your cardholders and your institution. It’s our core business to be experts and to protect your customers. Now, you can concentrate on your business while we concentrate on staying ahead of the cybercriminals.
Learn more about how you can protect your cardholders and your institution with OmniShield. Visit our website at www.vantiv.com/OmniShield and download the OmniShield product paper; or contact your relationship manager today.
[17] Subject to certain terms, conditions, exclusions and limitations as outlined in a written agreement between Vantiv and your institution for the OmniShield services. The amount of financial protection is based on a historical assessment of your portfolio and is defined prior to starting the service.
* Financial institution is liable for fraud that exceeds the maximum annual limit covered by the OmniShield product.
Certain restrictions and limitations of the limited warranty apply. Coverage for unauthorized transactions occurring outside of the OmniShield limited warranty is provided under a contractual indemnity insurance policy underwritten by Beazley Syndicate 2623/623 at Lloyd’s and offered through Marsh USA Inc., acting as insurance producer (Ohio License #24035; California License #0437153). Coverage is available to those OmniShield customers receiving all of the OmniShield Services, subject to the terms, conditions, exclusions and limitations of coverage of the policy. Coverage under a state insurance guaranty association fund is not available for this policy. OmniShield customers will be required to execute a special amendment to their Master Data Processing/Services Agreement.