CA World® ’16
Securing Mobile Payments: Applying Lessons Learned in the Real World
James Rendell - VP Payment Security Strategy – CA Technologies
SCX34S
SECURITY
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2016 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 1, 2016, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
For Informational Purposes Only
Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Mobile is the new black—the way people work, shop and connect. Taking a cue from the payment point of view, this session will present best practices for securing mobile payments and how these practices are relevant across the enterprise.
James Rendell, CA Technologies, VP Payment Security Strategy
Agenda
1. INTRODUCTION: SECURING MOBILE PAYMENTS
2. MOBILE AUTHENTICATION
3. RISK ANALYTICS REAL-TIME NETWORK
4. NFC MOBILE WALLET PROVISIONING
5. SECURING MOBILE IN-APP PURCHASES
6. SUMMARY
CA Strategy for Secure Mobile Payments
Secure Mobile Payment rests on four pillars: Mobile Authentication, In-App purchase, Mobile wallet, Real-Time Risk.
Mobile Authentication
• Mobile Push Notification
• Multi-factor authentication
• Push Notification and disconnected OTP options
• Complies with emerging mandates, e.g. PSD2
• MasterCard Identity Check
• Biometric authentication options
Mobile Authentication: Mobile Push Notification
§ Mobile device as virtual identity
§ Out-of-Band Authentication
§ Transaction in flight: Push Notification on mobile
§ Fingerprint Authentication on Apple devices – Roadmap will incorporate Android etc. devices with similar capabilities
Deployment Options: Mobile OTP*
§ Passcode Generation on Mobile Device
§ Offline OTP generation
§ Supports multiple cards on a single App
§ Available in both OAuth and EMV modes
* Planned Service Availability for Payment Security during 2017
Feature Highlights
§ Out-Of-Band Authentication for 3-D Secure 2.0
§ Easy-to-use Over-the-Air provisioning for cardholders
§ Based on industry standard EMV algorithm (CAP certified and DPA compliant)
§ Credentials are software-locked to the provisioned device
§ Strong protection against SIM-Swap
§ Cryptographic Camouflage technology prevents brute force attack
§ Fine-Grained Authentication Controls using CA Risk Analytics
§ Suitable for Enterprise and Consumer digital channels
Multiple Provisioning Options
§ During 3-D Secure Transaction Flow
§ Via Online Banking Channel – Online Banking provides an option to enroll in Mobile Authentication by integrating with our exposed Web Service
§ Via Issuer Mobile App – Using an “Add Account” option from within the Issuer Mobile App
§ Via APIs for enterprise system integration
Omni Channel Enabler: Enterprise and Consumer
Diagram: business functions (Online servicing, Payments (3-D Secure), Enterprise application) and channels (Wearables, Mobile browser, Traditional browser, CNP, In-store tablet, Telephone/IVR, Apple Pay, Android Pay, Google Wallet) all feed CA Strong Authentication, which provides: Risk evaluation and scoring (Rules, Machine learning, Statistical, Behavioral), 3-D Secure, Biometric Device ID, Case Management/Reporting, MFA, Notification.
CA Strategy for Secure Mobile Payments
Secure Mobile Payment: Mobile Authentication, In-App purchase, Mobile wallet, Real-Time Risk.
Risk Analytics Real-Time Network
• Device Identity is a key fraud indicator
• Leverage global device identity/reputation
• Real-Time model updates
Risk Analytics Real-Time Network
1. Predictive model learns bank-specific cardholder behavior and fraud patterns.
2. Devices may be used across banks, hence complementary Device Distillates are incorporated in the Risk Analytics Network model.
3. Device Distillates are updated in real time as transactions are processed.
4. Score will be higher when devices previously associated with probable fraud are used.
Diagram: Bank 1, Bank 2 and Bank 3 each feed and receive real-time updates from the shared network model.
Risk Analytics Real-Time Network Explained: Fraud Not Detected by Current Risk Analytics Model
Card pivot CARD1, ordered by time (RA Model Score = current card-level model):
| Date/Time of Transaction | Merchant Name | Transaction Value | Device ID | RA Model Score | Outcome |
| 20130411:14:48:03 | BSYKB | 12.5 GBP | DEVICE1 | 53 | Non Fraud |
| 20130502:12:01:45 | HUNGRYHOUSE | 20.7 GBP | DEVICE1 | 88 | Non Fraud |
| 20130508:10:03:12 | GOAL | 8.0 GBP | DEVICE2 | 405 | Fraud |
| 20130527:19:09:36 | TRADEMEDIA | 47.38 GBP | DEVICE3 | 510 | Fraud |
• There are 4 transactions on CARD1, two legit and two fraud
• Current Risk Analytics Model scoring is not high enough to detect the two fraudulent transactions
• Lacking visibility into historical transactions across a given device
Risk scores not high enough (<600) to be deemed fraud.
Risk Analytics Real-Time Network Explained: Improved Fraud Detection by Risk Analytics Network Model
Card pivot CARD1 (RA Network Model Score):
| Date/Time of Transaction | Merchant Name | Transaction Value | Device ID | RA Network Model Score | Outcome |
| 20130411:14:48:03 | BSYKB | 12.5 GBP | DEVICE1 | 62 | Non Fraud |
| 20130502:12:01:45 | HUNGRYHOUSE | 20.7 GBP | DEVICE1 | 114 | Non Fraud |
| 20130508:10:03:12 | GOAL | 8.0 GBP | DEVICE2 | 992 | Fraud |
| 20130527:19:09:36 | TRADEMEDIA | 47.38 GBP | DEVICE3 | 960 | Fraud |
Device pivot DEVICE2 (other cards used from the same device):
| Date/Time of Transaction | Merchant Name | Transaction Value | Card | Score |
| 20130508:09:48:16 | GOAL | 8.0 GBP | CARD2 | 237 |
| 20130508:09:49:36 | GOAL | 8.0 GBP | CARD3 | 610 |
| 20130508:09:56:39 | GOAL | 8.0 GBP | CARD4 | 997 |
| 20130508:10:37:43 | GOAL | 8.0 GBP | CARD5 | 976 |
| 20130508:10:49:01 | GOAL | 8.0 GBP | CARD6 | 994 |
Device pivot DEVICE3 (other cards used from the same device):
| Date/Time of Transaction | Merchant Name | Transaction Value | Card | Score |
| 20130527:15:57:24 | TRADEMEDIA | 47.38 GBP | CARD5 | 142 |
| 20130527:16:46:40 | TRADEMEDIA | 47.38 GBP | CARD7 | 801 |
| 20130527:19:06:05 | TRADEMEDIA | 47.38 GBP | CARD8 | 942 |
| 20130527:19:24:13 | TRADEMEDIA | 47.38 GBP | CARD4 | 978 |
• New device pivots (i.e. DEVICE2 and DEVICE3) are included in the Risk Analytics Network model.
• Allows us to also consider the historical transactions by device in evaluation scoring.
• Result is that the new model scores high on the two fraudulent transactions on CARD1, stopping the fraud.
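As an added illustration (not CA's model or code), the card-pivot versus device-pivot scoring described on the last two slides, in Python with toy weights and constructed transactions that follow the CARD1 / DEVICE2 / DEVICE3 scenario: a per-device distillate (transactions seen, how many looked fraudulent, distinct cards) is shared across banks and updated as each transaction is scored, so the legitimate DEVICE1 purchase keeps its low card-only score while the DEVICE2 and DEVICE3 purchases are pushed over the 600 threshold by the device's history at other banks.

```python
from collections import defaultdict
from dataclasses import dataclass, field

FRAUD_THRESHOLD = 600  # slide: scores below 600 are not deemed fraud


@dataclass
class DeviceDistillate:  # per-device reputation shared across participating banks
    seen: int = 0
    suspicious: int = 0                      # past transactions scored >= threshold
    cards: set = field(default_factory=set)  # distinct cards used from this device


class RiskNetwork:
    def __init__(self):
        self.devices = defaultdict(DeviceDistillate)

    def score(self, card, device, card_model_score):
        d = self.devices[device]
        # Share of this device's earlier transactions that looked fraudulent, plus
        # how many *other* cards it has been used with (a card-testing pattern).
        susp_ratio = d.suspicious / d.seen if d.seen else 0.0
        other_cards = len(d.cards - {card})
        network_score = min(999, int(card_model_score + 700 * susp_ratio + 60 * other_cards))
        # Real-time update: the next bank to see this device benefits immediately.
        d.seen += 1
        d.cards.add(card)
        if network_score >= FRAUD_THRESHOLD:
            d.suspicious += 1
        return network_score


def run_scenario():
    # Replay constructed transactions in time order; return CARD1's scores.
    net = RiskNetwork()
    events = [  # (card, device, card-only model score): constructed, not real data
        ("CARD1", "DEVICE1", 53),   # cardholder's own device, legitimate
        ("CARD2", "DEVICE2", 237),  # DEVICE2 appears at other banks first
        ("CARD3", "DEVICE2", 610),
        ("CARD4", "DEVICE2", 997),
        ("CARD1", "DEVICE2", 405),  # card-only score below 600: would be missed
        ("CARD5", "DEVICE3", 142),
        ("CARD7", "DEVICE3", 801),
        ("CARD8", "DEVICE3", 942),
        ("CARD1", "DEVICE3", 510),  # card-only score below 600: would be missed
    ]
    results = []
    for card, device, card_score in events:
        network_score = net.score(card, device, card_score)
        if card == "CARD1":
            results.append((device, card_score, network_score))
    return results
```

The weights 700 and 60 and the 999 cap are arbitrary choices for the illustration; a production model would learn them from labelled history rather than hard-code them.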
CA Strategy for Secure Mobile Payments
Secure Mobile Payment: Mobile Authentication, In-App purchase, Mobile wallet, Real-Time Risk.
NFC Mobile Wallet Provisioning
• Cardholder authentication when provisioning card data to mobile device
• Accelerate time-to-market for issuers wanting to embrace “*Pay” programs.
What Is Mobile Payment Enablement
Adding a customer’s payment method to a mobile platform or wallet
Wallets Are Not New… They Are Not Mature Either
Financial Services: PayPal, Venmo, Chase, CurrentC, Square
Retail Merchants: Starbucks, Amazon, Walmart, Whole Foods
Traditional Payments: MasterCard, Visa, Amex, VeriFone
Device Makers: Apple, Samsung
Existing Wallet Market… Everyone Wants to Capture the Loyalty
Mobile Wallets: Apple Pay Provisioning Security
§ Early NFC Mobile wallet deployments had provisioning weaknesses
§ Stolen card data could be provisioned to NFC Mobile devices – coupled with contactless Point of Sale, effectively cloning EMV cards!!
§ CA developed an incubator offering to do OTP cardholder authentication during NFC Mobile Wallet provisioning, increasing the assurance that card data is being provisioned to the cardholder’s phone and not a fraudster’s
§ Accelerated Time-to-Market for “*Pay” NFC Mobile implementations
Lifecycle stages: Onboarding, Provisioning, Transaction, Support
Provisioning Flow
Diagram: the flow runs Enroll, Eligible?, Authenticate (OTP), Activation across three parties: the Wallet provider (Apple Pay, Android Pay, Google Wallet, Samsung Pay), the Card Scheme (American Express, MasterCard, Visa), and CA acting on the Issuer’s behalf. Labelled steps: Return Activation data, OTP Delivery, OTP Validation/authentication, Token Confirmation.
CA Strategy for Secure Mobile Payments
Secure Mobile Payment: Mobile Authentication, In-App purchase, Mobile wallet, Real-Time Risk.
In-app purchase
• 3-D Secure 2.0 native support for in-app purchase
• Rich data evaluation, fraud risk scoring, and mobile authentication challenge.
Evolution of 3-D Secure
| | 2001: Building Trust | 2006: Fighting Fraud | 2010: Minimizing Friction | 2016: “Smart Authorization” | 2018: Insight and Personalization |
| Goals | Build confidence in e-commerce | Reduce fraud displaced by EMV implementation | Improve customer experience. Reduce abandonments. | Better authorization rates. Access to more channels. | Reach new markets and customer segments by leveraging rich data. |
| Actions | Liability shift for participating merchants | Simplify enrolment to drive adoption. Strengthen authentication options | First steps in application of analytics and predictive modelling | 3-D Secure 2.0. Sophisticated Data Science. Authorization Integration. | Analytics. Data feeds to marketing, personalization, and CRM systems. |
| Results | Fragmentation and scheme-by-scheme service introduction | Adoption rates increase worldwide | More effective fraud reduction | Increase authorization rates and lending. Access to more transactions. Reduce fraud. Optimized user experience. | Grow customer base. Develop high value partnerships and relationships. Reinforce brand strength. |
Problems With 3-D Secure 1.0.2
§ 3-D Secure 1.0.2 was designed for the PC-based online shopping world
§ User experience on mobile browsers is often poor
§ Merchants wary of invoking 3-D Secure with mobile transactions
§ No support for in-app purchase
Material derived by reference to public domain information. See: https://www.emvco.com/about_emvco.aspx?id=306 and http://www.emvco.com/faq.aspx?id=305
3-D Secure 2.0
§ Developed and owned by EMVCo – Manages and controls the EMV standards
§ Designed for in-app purchase – Native app and HTML UI support – Flexible authentication options
§ Browser specification replacement for 1.0.2
§ Designed to optimize user experience – By passing detailed data from the mobile device, only a small percentage of transactions would need to be challenged – => The leaders in this new world will be those who can leverage world-class Data Science
What’s New in 3-D Secure 2.0?
§ Rich data
§ Early risk evaluation
§ Frictionless, Challenge, and Out of Band Authentication Flows
§ In-app purchase integration
§ New browser specification
§ ID&V Flows
Early Rich Data
§ Enhanced data passed up-front in the equivalent of the VEReq message – Device ID/fingerprint – Merchant Category Code – Purchase amount, currency – Optional cardholder billing/delivery details
§ Enhanced fraud detection
§ Optimize user experience – Majority of transactions will never be challenged
Tying It All Together
Summary: CA Strategy for Securing Mobile Payments
• Native mobile user experience
• Rich data evaluation
• Provisioning security
• Cardholder authentication
• Mobile Strong Authentication
• Omni Channel enablement
• Neural Networks
• Device Identity
Diagram labels: Mobile apps, Mobile Wallets, Authentication, Transaction Risk, Neural Networks.
Don’t Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!
Questions?
Thank you.
Stay connected at communities.ca.com
Security
For more information on Security, please visit: http://cainc.to/EtfYyw