fraud prevention and risk: protecting your procurement card program
DESCRIPTION
Fraud Prevention and Risk: Protecting Your Procurement Card Program. Presented By Patricia Larkin Green, VP, Relationship Manager J.P.Morgan, Wholesale Card & Procurement Services Betty Heimansohn, CPPB, Procurement Card Manager University of Colorado April 20, 2009. Overview. - PowerPoint PPT PresentationTRANSCRIPT
Fraud Prevention and Risk:
Protecting Your Procurement Card Program
Presented By
Patricia Larkin Green, VP, Relationship Manager
J.P.Morgan, Wholesale Card & Procurement Services
Betty Heimansohn, CPPB, Procurement Card Manager
University of Colorado
April 20, 2009
OverviewOverview
Patricia Larkin Green, J.P.Morgan
Evolving History and Trends
Steps J.P.Morgan is taking to Combat Fraud
Betty Heimansohn, University of Colorado
How CU is Keeping Credit Card Fraud at Bay
Addendum
Questions, Concerns
3
Types of FraudTypes of Fraud
Lost: Recovery varies
Stolen: Recovery varies
Non-receipt: NRI - Non-receipt of card
Internet: Card Not Present/MOTO/Internet: Recovery is good
Counterfeit/skimming: Card present - Recovery unlikely thru chargeback process
Stolen/compromised number: Recovery varies
Account takeover: True name fraud
4
Fraud by Type 4Q06 – 3Q07Fraud by Type 4Q06 – 3Q07
SeptJan
MaySept
$0
$3
$5
$8
$10
$13
$15
Acct Takeover
Misc
Counterfeit
Stolen
Lost
Card Not
Present
Consumer Credit and Commercial Card
Counterfeit and Card Not Present Fraud are the fastest growing fraud type Counterfeit and Card Not Present Fraud are the fastest growing fraud type todaytoday
NRI
5
Fraud TrendsFraud Trends
Increase in Counterfeit Cases – 1Q09 trending higher than FY08.
Test Merchants – Method in which fraudsters test the status of the card.
Gift Cards – Counterfeit card used to purchase gift cards from a retail
merchant. Day to Day Living Expenses –
Not easily detected in the tools. Gas Pumps –
Focused on states with fewer controls.
Fraud activity - Dynamic and nimble. “Carder” Sites - Well organized with business like
structures. Wireless Technology - One of the leading drivers in
hacking events. Skimming - Continues to challenge the industry.
Four step process is followed to validate a compromise occurred. Issued after confirmation that account data has been accessed by an intruder. JPM Commercial Card handles about twelve alerts per week. Not a breach involving JPM systems. Assessment is done by JPM to determine level of risk and strategy. JPM cannot reveal the name of the merchant or company involved in the breach.
Fraud Strategy and Case Analytics
Review of fraud cases to identify fraud trends and patterns of test (probe) merchants.
Adjust fraud tools and strategies to target the most recent trends or test merchants.
Review false positive fraud ratios weekly and revise strategies if needed to reduce fraud exposure without impacting spend
Participate in regular meetings with processors, Associations and other issuers to validate industry trending.
Identify Common Points of Purchase(CPP) in relation to confirmed fraud cases. We turn this over to the Associations for forensic investigation.
Work with law enforcement on large fraud cases that involve suspected fraud rings.
Suggest and implement enhancements to further refine fraud detection tools.
Analyze accounts queued in the Fraud Detection Systems or via Association Alerts to detect fraud, misuse or credit related risks (i.e. NSF Payments).
Contact Cardholders to validate transactional activity. Work with the Program Administrators in reaching card
members. Block accounts, flag fraud transaction(s), fraud report
confirmed fraud to Associations. Process replacement card requests. Initiate recommendations on strategic opportunities related
to trends and test merchants. Handle Inbound calls to verify transaction activity. Partner with Program Coordinators on potential misuse in
escalation to the Program Administrators.
10
What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?
Hologram
Tamper-evident signature panel
Unique Magnetic strip encoding
11
What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?
E-mail alerts are generated from Visa/MasterCard notifying of account number compromise
J.P.Morgan security representatives review accounts and make proper contact with cardholders or administrators based on information obtained from Visa and MC alerts
J.P.Morgan security representatives contacts appropriate agency – FBI, Secret Service, or other law enforcement agencies with pertinent fraud information based on requirements within the Visa or MC alert
12
What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?
3. Cardholder and client awareness
J.P.Morgan works with program administrators to develop proper card control to reduce risk i.e:
MCC codes
credit limits
purchase velocity limits
Participate at conferences and forums to educate cardholders and clients on current trends and fraud prevention
13
What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?
4. Fraud detection systems
Flexible Fraud detection systems are used that provide the ability to target both general fraud trends as well as specific trends
Criteria/rules dynamically defined based on analysis of current fraud trends
Fraud patterns
Specific MCC
Dollar amounts
Geographic location
Specific merchants
14
What is J.P.Morgan Doing to Prevent Fraud?What is J.P.Morgan Doing to Prevent Fraud?
4. Fraud detection systems (cont)
When authorizations meet these pre-defined criteria, the account is sent to queue
J.P.Morgan security representatives analyze account and determine if contact with cardholder and/or program administrator is needed
Merchant referral status put on account if appropriate
15
Fraud Department StructureFraud Department Structure
Partner with Program Coordinators on potential misuse in escalation to Program Administrators.
Initiate recommendations to Clients on strategic opportunities related to improved authorization controls.
Open Fraud Cases Fraud Report to the Associations
Send Affidavit
Request and initiate chargeback for recoveries via Association regulations
Investigate High Risk Merchant Category Codes to identify potential suspect
Analyze for account history for potential point of compromise
Work with various law enforcement agencies
16
Fraud Chargeback ProcessFraud Chargeback Process
SALE
Customer calls to report fraud
Affidavit sent and customer to return within 30 days
J.P.Morgan puts temporary credit on account
Orders copy of sales draft-30 days
Representment of charge to merchant
Merchant can dispute-45 days
Second representment of charge to merchant-30 days
If merchant contests, case in arbitration with Visa-30 days
Settlement of decision by Visa
17
Fraud Department StructureFraud Department Structure
Recovery Investigations
Upon receipt of the signed affidavit the Recovery Investigator will initiate request to the merchant(s) to obtain documentation on the fraud transaction(s) (This process takes approximately 45-90 days)
If JPMorgan Chase recovers the loss via the Association Regulations the Recovery Investigator will issue credit(s) for the fraud dollars to the old (lost/stolen) account to offset the initial debit that was placed on the old account when the case was initially opened.
Use card controls available:
Restrict MCCs when possible, especially high risk MCCs.
Set daily velocity and dollar limits on MCCs.
Review the credit limits and determine based on usage.
Set limits for the expected usage.
Cash access should only be granted as needed. Flag can be set to restrict all foreign transactions in some cases.
Program Monitoring:
Review transactions for exceptions and declines. Educate your cardholders to:
review their transactions and statements.
go into a bank to get cash or use a bank owned ATM. Use account blocking for temporary leaves or infrequent travelers.
Company A Fraud Losses2006 $88,0002007 $86,0002008(YTD) $18,448
Increase in fraud loss trend detected. MCC changes implemented May, 2007. Over $50,000 in fraud losses avoided in two months. Common point of compromise identified and reported to
Association. Investigation resulted in confirmation of a merchant breach.
Denver
campus
Anschutz
Medical campus Colorad
o Springs campus
Boulder campus
$83M in Spend Last Year 309,000 Transactions 5000 Cardholders 900 Approvers Unrecoverable Fraud is Minimal
CU’s Procurement Card ProgramCU’s Procurement Card Program
Controls on the Cards Merchant Category Codes (MCC) Groups
Include Groups No Gas or Travel
Cardholder Limits Maximum Single Purchase Limit $ Limit per Cycle # of Transactions per Day
Keep the End-Users Informed
Bi-Weekly Newsletter
Email Alerts Ad Hoc Immediate Notification of Transactions
Procurement Card Program Handbook
Special Section in the CU Procurement Card Handbook on Security Considerations:
Watch for Red Flags Excessive Declines Unusual Merchants
Cardholder Awareness Small $ Purchases Pay Attention to Notifications of Charges Phishing Emails
Guarding the Data Use Encryption Program (Some are free!)
Don’t Keep Card #s or Personal Information on the Desktop
Work with IT to Make Sure Systems are PCI Compliant
Betty Heimansohn, CPPB
University of Colorado
Procurement Card Manager
303-315-2778
CU Procurement Card Program
https://www.cusys.edu/psc/purchasing/procurementcard/
Patricia Green, VP Product Specialist
JPMorgan
[email protected] to report scams
Top Merchant Category Codes – Fraud Losses 5310 Discount Stores 5411 Grocery Stores and Supermarkets 5200 Home Supply Warehouse 5941 Sporting Goods 5311 Department Stores 5541 Service Station 5542 Automated Gas Pump 5912 Drug Store and Pharmacy (Gift Cards)
Other High Risk Merchant Category Codes 5732 Electronic 5944 Jewelry Watch and Clocks 5945 Hobby Toy and Game Store 5948 Luggage and Leather Goods 5722 Household Appliances 5300 Wholesale Clubs 5734 Computer Software 4812 Telecommunication Equipment Including Telephone
Sales
High Risk MCCs
Block or Data-Mine
These MCCs
Why are my passwords so complex?
Six Characters Example
Combinations Days
All numbers 123456 1,000,000 58
All letters abcdef 309,000,00
0 17,882
Numbers & letters 1a2b3c 2,180,000,0
00126,15
7
Numbers, letters and special characters 1a#2b$ 3,520,000,0
00203,70
4
Lower and upper case letters ABcDeF 19,600,000,
0001,134,2
59
Lower and upper case letters and numbers AB1dE256,800,000,
0003,287,0
37
Lower and upper case letters, numbers and special characters AB1#cD
690,000,000,000
39,930,556
Did you know how long it tacks a hacker to crack a password?
http://www.ic3.govhttp://www.fbi.govhttp://www.ftc.gov
http://www.lookstoogoodtobetrue.com/
Where can I go for more information?
We can all play a significant part in thwarting Fraudulent activity by practicing strong computer
security habits such as updating anti-virus software, using strong passwords and employing
good email and web security practices.