Fraud Prevention and Risk:

Protecting Your Procurement Card Program

Presented By

Patricia Larkin Green, VP, Relationship Manager

J.P.Morgan, Wholesale Card & Procurement Services

Betty Heimansohn, CPPB, Procurement Card Manager

University of Colorado

April 20, 2009

OverviewOverview

Patricia Larkin Green, J.P.Morgan

Evolving History and Trends

Steps J.P.Morgan is taking to Combat Fraud

Betty Heimansohn, University of Colorado

How CU is Keeping Credit Card Fraud at Bay

Addendum

Questions, Concerns

3

Types of FraudTypes of Fraud

Lost: Recovery varies

Stolen: Recovery varies

Non-receipt: NRI - Non-receipt of card

Internet: Card Not Present/MOTO/Internet: Recovery is good

Counterfeit/skimming: Card present - Recovery unlikely thru chargeback process

Stolen/compromised number: Recovery varies

Account takeover: True name fraud

4

Fraud by Type 4Q06 – 3Q07Fraud by Type 4Q06 – 3Q07

SeptJan

MaySept

$0

$3

$5

$8

$10

$13

$15

Acct Takeover

Misc

Counterfeit

Stolen

Lost

Card Not

Present

Consumer Credit and Commercial Card

Counterfeit and Card Not Present Fraud are the fastest growing fraud type Counterfeit and Card Not Present Fraud are the fastest growing fraud type todaytoday

NRI

5

Fraud TrendsFraud Trends

Increase in Counterfeit Cases – 1Q09 trending higher than FY08.

Test Merchants – Method in which fraudsters test the status of the card.

Gift Cards – Counterfeit card used to purchase gift cards from a retail

merchant. Day to Day Living Expenses –

Not easily detected in the tools. Gas Pumps –

Focused on states with fewer controls.

Fraud activity - Dynamic and nimble. “Carder” Sites - Well organized with business like

structures. Wireless Technology - One of the leading drivers in

hacking events. Skimming - Continues to challenge the industry.

Four step process is followed to validate a compromise occurred. Issued after confirmation that account data has been accessed by an intruder. JPM Commercial Card handles about twelve alerts per week. Not a breach involving JPM systems. Assessment is done by JPM to determine level of risk and strategy. JPM cannot reveal the name of the merchant or company involved in the breach.

Fraud Strategy and Case Analytics

Review of fraud cases to identify fraud trends and patterns of test (probe) merchants.

Adjust fraud tools and strategies to target the most recent trends or test merchants.

Review false positive fraud ratios weekly and revise strategies if needed to reduce fraud exposure without impacting spend

Participate in regular meetings with processors, Associations and other issuers to validate industry trending.

Identify Common Points of Purchase(CPP) in relation to confirmed fraud cases. We turn this over to the Associations for forensic investigation.

Work with law enforcement on large fraud cases that involve suspected fraud rings.

Suggest and implement enhancements to further refine fraud detection tools.

Analyze accounts queued in the Fraud Detection Systems or via Association Alerts to detect fraud, misuse or credit related risks (i.e. NSF Payments).

Contact Cardholders to validate transactional activity. Work with the Program Administrators in reaching card

members. Block accounts, flag fraud transaction(s), fraud report

confirmed fraud to Associations. Process replacement card requests. Initiate recommendations on strategic opportunities related

to trends and test merchants. Handle Inbound calls to verify transaction activity. Partner with Program Coordinators on potential misuse in

escalation to the Program Administrators.

10

What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?

Hologram

Tamper-evident signature panel

Unique Magnetic strip encoding

11

What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?

E-mail alerts are generated from Visa/MasterCard notifying of account number compromise

J.P.Morgan security representatives review accounts and make proper contact with cardholders or administrators based on information obtained from Visa and MC alerts

J.P.Morgan security representatives contacts appropriate agency – FBI, Secret Service, or other law enforcement agencies with pertinent fraud information based on requirements within the Visa or MC alert

12

What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?

3. Cardholder and client awareness

J.P.Morgan works with program administrators to develop proper card control to reduce risk i.e:

MCC codes

credit limits

purchase velocity limits

Participate at conferences and forums to educate cardholders and clients on current trends and fraud prevention

13

What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?

4. Fraud detection systems

Flexible Fraud detection systems are used that provide the ability to target both general fraud trends as well as specific trends

Criteria/rules dynamically defined based on analysis of current fraud trends

Fraud patterns

Specific MCC

Dollar amounts

Geographic location

Specific merchants

14

What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?

4. Fraud detection systems (cont)

When authorizations meet these pre-defined criteria, the account is sent to queue

J.P.Morgan security representatives analyze account and determine if contact with cardholder and/or program administrator is needed

Merchant referral status put on account if appropriate

15

Fraud Department StructureFraud Department Structure

Partner with Program Coordinators on potential misuse in escalation to Program Administrators.

Initiate recommendations to Clients on strategic opportunities related to improved authorization controls.

Open Fraud Cases Fraud Report to the Associations

Send Affidavit

Request and initiate chargeback for recoveries via Association regulations

Investigate High Risk Merchant Category Codes to identify potential suspect

Analyze for account history for potential point of compromise

Work with various law enforcement agencies

16

Fraud Chargeback ProcessFraud Chargeback Process

SALE

Customer calls to report fraud

Affidavit sent and customer to return within 30 days

J.P.Morgan puts temporary credit on account

Orders copy of sales draft-30 days

Representment of charge to merchant

Merchant can dispute-45 days

Second representment of charge to merchant-30 days

If merchant contests, case in arbitration with Visa-30 days

Settlement of decision by Visa

17

Fraud Department StructureFraud Department Structure

Recovery Investigations

Upon receipt of the signed affidavit the Recovery Investigator will initiate request to the merchant(s) to obtain documentation on the fraud transaction(s) (This process takes approximately 45-90 days)

If JPMorgan Chase recovers the loss via the Association Regulations the Recovery Investigator will issue credit(s) for the fraud dollars to the old (lost/stolen) account to offset the initial debit that was placed on the old account when the case was initially opened.

Use card controls available:

Restrict MCCs when possible, especially high risk MCCs.

Set daily velocity and dollar limits on MCCs.

Review the credit limits and determine based on usage.

Set limits for the expected usage.

Cash access should only be granted as needed. Flag can be set to restrict all foreign transactions in some cases.

Program Monitoring:

Review transactions for exceptions and declines. Educate your cardholders to:

review their transactions and statements.

go into a bank to get cash or use a bank owned ATM. Use account blocking for temporary leaves or infrequent travelers.

Company A Fraud Losses2006 $88,0002007 $86,0002008(YTD) $18,448

Increase in fraud loss trend detected. MCC changes implemented May, 2007. Over $50,000 in fraud losses avoided in two months. Common point of compromise identified and reported to

Association. Investigation resulted in confirmation of a merchant breach.

Denver

campus

Anschutz

Medical campus Colorad

o Springs campus

Boulder campus

$83M in Spend Last Year 309,000 Transactions 5000 Cardholders 900 Approvers Unrecoverable Fraud is Minimal

CU’s Procurement Card ProgramCU’s Procurement Card Program

Controls on the Cards Merchant Category Codes (MCC) Groups

Include Groups No Gas or Travel

Cardholder Limits Maximum Single Purchase Limit $ Limit per Cycle # of Transactions per Day

Keep the End-Users Informed

Bi-Weekly Newsletter

Email Alerts Ad Hoc Immediate Notification of Transactions

Procurement Card Program Handbook

Special Section in the CU Procurement Card Handbook on Security Considerations:

Watch for Red Flags Excessive Declines Unusual Merchants

Cardholder Awareness Small $ Purchases Pay Attention to Notifications of Charges Phishing Emails

Guarding the Data Use Encryption Program (Some are free!)

Don’t Keep Card #s or Personal Information on the Desktop

Work with IT to Make Sure Systems are PCI Compliant

Betty Heimansohn, CPPB

University of Colorado

Procurement Card Manager

303-315-2778

betty.heimansohn@cu.edu

CU Procurement Card Program

https://www.cusys.edu/psc/purchasing/procurementcard/

Patricia Green, VP Product Specialist

JPMorgan

patricia.m.green@jpmchase.com

abuse@jpmc.com to report scams

Top Merchant Category Codes – Fraud Losses 5310 Discount Stores 5411 Grocery Stores and Supermarkets 5200 Home Supply Warehouse 5941 Sporting Goods 5311 Department Stores 5541 Service Station 5542 Automated Gas Pump 5912 Drug Store and Pharmacy (Gift Cards)

Other High Risk Merchant Category Codes 5732 Electronic 5944 Jewelry Watch and Clocks 5945 Hobby Toy and Game Store 5948 Luggage and Leather Goods 5722 Household Appliances 5300 Wholesale Clubs 5734 Computer Software 4812 Telecommunication Equipment Including Telephone

Sales

High Risk MCCs

Block or Data-Mine

These MCCs

Why are my passwords so complex?

Six Characters Example

Combinations Days

All numbers 123456 1,000,000 58

All letters abcdef 309,000,00

0 17,882

Numbers & letters 1a2b3c 2,180,000,0

00126,15

7

Numbers, letters and special characters 1a#2b$ 3,520,000,0

00203,70

4

Lower and upper case letters ABcDeF 19,600,000,

0001,134,2

59

Lower and upper case letters and numbers AB1dE256,800,000,

0003,287,0

37

Lower and upper case letters, numbers and special characters AB1#cD

690,000,000,000

39,930,556

Did you know how long it tacks a hacker to crack a password?

http://www.ic3.govhttp://www.fbi.govhttp://www.ftc.gov

http://www.lookstoogoodtobetrue.com/

Where can I go for more information?

We can all play a significant part in thwarting Fraudulent activity by practicing strong computer

security habits such as updating anti-virus software, using strong passwords and employing

good email and web security practices.