Get Ready for EMV and Card Not Present Fraud

GET READY FOR EMV AND CARD NOT PRESENT FRAUD September 9, 2014 iovation and CEB TowerGroup

Upload: iovation

Post on 26-Jul-2015


TRANSCRIPT

Page 1: Get Ready for EMV and Card Not Present Fraud

GET READY FOR EMV AND CARD NOT PRESENT FRAUD

September 9, 2014

iovation and CEB TowerGroup

Page 2: Get Ready for EMV and Card Not Present Fraud

© COPYRIGHT • IOVATION

TODAY’S SPEAKERS

• Scott Olson, Vice President of Product, iovation

• Brian Riley, Senior Research Director, Retail Banking, CEB TowerGroup

Page 3: Get Ready for EMV and Card Not Present Fraud

EMV IMPLEMENTATION: A Partial Solution to Fraud Management

FINANCIAL SERVICES PRACTICE

CEB TOWERGROUP RETAIL BANKING

September 2014

Brian Riley, Senior Research Director, Retail Banking

Page 4: Get Ready for EMV and Card Not Present Fraud

4 © 2014 The Corporate Executive Board Company. All Rights Reserved.

CEB TowerGroup Research

ROADMAP FOR THE PRESENTATION

• Background
• Fundamental Change
• EMV Is Not the “Silver Bullet”
• Q&A

Page 5: Get Ready for EMV and Card Not Present Fraud

CARD SPENDING WILL EXCEED $26 TRILLION BY 2018

Global card transaction volume will double between 2012 and 2018.

• Transactions for American Express, Discover, JCB, MasterCard, Union Pay, Visa card and electronic payments will account for 35% of the gross global domestic product (GDP).

• In developing economies in APAC, MEA and LAC, transactions will more than double.

• Mature economies such as Canada, Europe and the US will experience between 60% and 72% growth.

Worldwide Branded Card Transaction Volume by Major Market in USD Trillions, 2012-2018

• US: 2012: $4.2; 2018: $7.2
• LAC: 2012: $.6; 2018: $1.2
• CA: 2012: $.5; 2018: $.8
• MEA: 2012: $.6; 2018: $1.2
• APAC: 2012: $.6; 2018: $1.2
• Worldwide: 2012: $13.3; 2018: $26.9

Source: Nilson

Page 6: Get Ready for EMV and Card Not Present Fraud

MARKETS FACED DIFFERENT CHALLENGES

US Develops Logical Controls, Other Markets Rely on Physical Controls

• Low-cost telephony in the US allowed card issuers to require authorization on all transactions.

• Markets outside the US often incurred communication expenses that were 8 to 10 times the cost of a US transaction, which made it less profitable to authorize transactions.

• The ability to identify counterfeit fraud varied significantly, as US issuers were able to identify high-risk transactions, in contrast to markets without the reconnaissance from online systems.

Magnetic Stripes and Smart Cards Disrupt Interoperability

• An effective countermeasure developed outside of the US, which provided a tool for real-time authentication.

• The market now contends with two formats that do not interact in a cohesive manner.

Timeline:

• Credit Cards in Nascent Form, Primarily US, UK, AU
• Mass Market US Growth, Global Rollout to developed economies by local banks
• Credit Loss and Fraud Begins to Gain Scale
• Counterfeit and Unauthorized Fraud Begins to Grow
• Real Time Transaction Authorization Becomes Common in US Market
• Non-US FIs find Telecom Costs Too Expensive for All Accounts, while US runs at 100%
• ISO Standards Developed for Payment Cards, EU Market Fast to adopt
• US Market Rejects Smart Cards, Masters Predictive Analytics
• Market is Split into Mag-Stripe and Chip Worlds

Year labels on the timeline: 1970, 1980-90, 1980, 1991, 1985, 1985, 1990-95, 2012

SOURCE: CEB

Page 7: Get Ready for EMV and Card Not Present Fraud

EMV TERMINALIZATION IN US LAGS GLOBAL TREND

SOURCE: EMVCO, CEB

<1% of cards; <10% of terminals

Page 8: Get Ready for EMV and Card Not Present Fraud

FRAUD MANAGEMENT REQUIRES A LAYERED APPROACH

Physical
• PCI DSS
• Card Features
• EMV

Logical
• Adaptive Analytics
• Business Rules
• Link Analysis
• Predictive Scoring
• Profiling
• Transaction Monitoring

Procedural
• Awareness
• Enforcement
• Policies
• Rules

Page 9: Get Ready for EMV and Card Not Present Fraud

ROADMAP FOR THE PRESENTATION

• Background
• Fundamental Change
• EMV Is Not the “Silver Bullet”
• Q&A

Page 10: Get Ready for EMV and Card Not Present Fraud

DEVELOPMENTS IN INPUT FORMATS CHANGE WITH EMV

Transaction Vehicles: 1955 to 2014

• Paper Card Stock: Transcribe data
• Embossed Card: Impress Card Information
• Magnetic Stripe: Stream of Data
• Chip Card: Real Time Interaction

New Card Formats Require New Acceptance Devices

SOURCE: EMVCO, SMITHSONIAN, CEB

Page 11: Get Ready for EMV and Card Not Present Fraud

ISO STANDARDS ARE ESSENTIAL IN A GLOBAL BUSINESS

Page 12: Get Ready for EMV and Card Not Present Fraud

STANDARDIZED EMV CHIP HAS EXPANSION CAPABILITY

SOURCE: INDIAN INSTITUTE OF TECHNOLOGY, CEB

Page 13: Get Ready for EMV and Card Not Present Fraud

IMPLEMENTATION DATES ARE FIRM (BUT MIGHT SLIP)

DATE: MILESTONE

• October 2012: Merchants with Compliant Terminals Receive PCI Audit Relief
• April 2013 (MC & V), October 2013 (D): Acquirers & Processors EMV Functionality
• April 2013 (MC), October 2015 (V): ATM Counterfeit Liability Shift
• October 2015: Point of Sale Liability Shift (Excluding Automated Fuel Dispensers)
• October 2017: Automated Fuel Dispensers

SOURCE: CEB TOWERGROUP

Page 14: Get Ready for EMV and Card Not Present Fraud

THE LIABILITY SHIFT CREATES NEW ISSUER RISK

Liability for Unauthorized Transaction

Before October 2015:
• CARDHOLDER: No Liability
• ISSUER: Place Onus on Merchant to Prove Customer Identity
• PROCESSOR: Refer Issue to Merchant for Resolution but Ultimately Accountable
• MERCHANT: Responsible for Confirming Authorized Use

After October 2015: Liability falls on Least Compliant Party

SOURCE: CEB TOWERGROUP

Page 15: Get Ready for EMV and Card Not Present Fraud

ISSUERS MUST ESTABLISH ROLLOUT PROCEDURES

Networks Mandate Liability but Do Not Make Issuing Requirements

Large issuers that handle their own platforms have flexibility in selecting their implementation strategies; smaller issuers might just align with strategies offered by their service companies.

Issuers Must Choose an Implementation Strategy

Strategic Designs Require Forethought

• Big Bang. Scope: All Accounts. Cost: Highest Initial Cost. Benefits: Consistency. Vision: Simplicity.
• Phase In. Scope: Reissue Date. Cost: Spread out over N months. Benefits: Cost. Vision: Ease.
• Targeted Rollout. Scope: Selected Segments first (int’l travelers, High Spenders, Early Adopters). Cost: Large. Benefits: Segmentation. Vision: Product Feature.

• EMV implementation can be used as a strategic tool to illustrate an issuer’s ability to adapt to a more technically driven market.

SOURCE: CEB TOWERGROUP

Page 16: Get Ready for EMV and Card Not Present Fraud

ORGANIZED CHAOS FOR ALL: EMV PAIN POINTS

Cardholders (650 million US cards)
• New payment card that must stay in the machine during authorization
• Improperly trained sales staff
• Fall-back positions that might require magnetic stripe processing

Merchants (2+ million US terminals)
• Training high turn-over staff on new transaction requirements
• Confused customers blocking the point of sale
• Dispute handling

Processors (15 major Processors)
• Merchant training
• EMV chargeback and dispute coding

Issuers (12 major, 6,500 regional, community, and credit unions)
• Reissuance strategies
• Dispute processing
• Staff training
• Customer training

SOURCE: CEB TOWERGROUP

Page 17: Get Ready for EMV and Card Not Present Fraud

EMV IMPLEMENTATION: THE UK EXPERIENCE

EMV became fully functional in the United Kingdom in 2006.

EMV Proved to be Effective Against Certain Types of Fraud

Card Not Present Transactions Are the Weakest Link

Major Fraud Components as a Percent of Total Fraud

• Card Not Present: 29% (2003), 67% (2013)
• Counterfeit: 26% (2003), 10% (2013)
• Identity Theft: 7% (2003), 8% (2013)
• Lost/Stolen: 27% (2003), 13% (2013)
• Not Received: 11% (2003), 2% (2013)

• During the observation period between 2003 and 2013, counterfeit fraud as a percent of total fraud plummeted from 26% of all fraud to 10%.

• In the same period, Card Not Present fraud skyrocketed from 29% to 67%.

Source: Financial Fraud Action UK

Page 18: Get Ready for EMV and Card Not Present Fraud

ROADMAP FOR THE PRESENTATION

• Background
• Fundamental Change
• EMV Is Not the “Silver Bullet”
• Q&A

Page 19: Get Ready for EMV and Card Not Present Fraud

EMV ONLY PROTECTS A SINGLE RISK AREA

Fraud Risk Impacts Data in Each of Its Three States

Data at Rest
• Card Data
• File Backups
• Repositories

Data in Use
• Point of Interaction
• Card Present
• Card Not Present

Data in Motion
• Online Access
• Transaction Processing

EMV replaces static card data with technology capable of providing cryptographic authentication.

Page 20: Get Ready for EMV and Card Not Present Fraud

THE TIP OF THE ICEBERG: EMV ONLY PROTECTS AGAINST COUNTERFEIT FRAUD

Data Breaches

Unauthorized Use

First Party Fraud

Counterfeit Fraud

Lost and Stolen Cards

Friendly Fraud

Merchant Fraud

Unidentified Fraud

Page 21: Get Ready for EMV and Card Not Present Fraud

CARD NOT PRESENT TRANSACTIONS: AT RISK

Projected Growth in Internet Transactions Calls for a More Sophisticated Approach to Online Payments

Number of Transactions in Billions, 2012-2020 (P)

Year: Card Present / Card Not Present
• 2012: 61 / 10
• 2013: 65 / 11
• 2014: 69 / 12
• 2015: 73 / 14
• 2016: 78 / 15
• 2017: 84 / 17
• 2018: 89 / 20
• 2019: 93 / 24
• 2020: 101 / 28

SOURCE: CEB

Page 22: Get Ready for EMV and Card Not Present Fraud

ROADMAP FOR THE PRESENTATION

• Background
• Fundamental Change
• EMV Is Not the “Silver Bullet”
• Q&A

Page 23: Get Ready for EMV and Card Not Present Fraud

TAKEAWAYS

Squeezing the Balloon

Fraudsters Will Find the Next Weakest Spot

1. EMV Adoption is long overdue in the US market, where we operate with an easy to copy, easy to read static account number.

2. EMV addresses a minor component of fraud; it does not address data in motion or data in use.

3. Card issuers should not expect to receive benefits from EMV in the US market for the next 4-5 years.

4. EMV is an industry mandate; failure to conform will push liability to the least compliant party.

5. As has been seen in other markets, such as mature adopters like the United Kingdom, fraudsters will shift their efforts to the next weakest spot in the ecosystem, which will most likely be card not present fraud.

Page 24: Get Ready for EMV and Card Not Present Fraud

EIGHT EMV TALKING POINTS

1. EMV implementation will help reduce counterfeit fraud (a minor problem in the US); issuers will not likely receive benefits before 2020, despite a 2015 implementation.

2. The US market has been passive aggressive for 20 years because the cost of implementation exceeds the cost of fraud expense.

3. This implementation of EMV is likely the first in a series of steps to improve digital security.

4. The biggest industry gain is to ensure interoperability of the card networks.

5. Cost of magnetic stripe cards: 15-30 cents; cost of an EMV card, $2-3.

6. The liability shift is used to get banks motivated towards EMV implementation; in the current world, disputed transactions fall on the merchant's shoulders. After the EMV 10/15 cutover, liability will fall to the least compliant party.

7. Expect plenty of frustration at the point of sale, in the back office and from cardholders.

8. EMV is a logical step for the card industry but other solutions are still necessary to protect from data breaches and unauthorized use; CNP fraud is a key risk area.


Page 25: Get Ready for EMV and Card Not Present Fraud

Fight CNP Fraud with Device Reputation

September 9, 2014

Scott Olson, VP of Product, iovation

Page 26: Get Ready for EMV and Card Not Present Fraud

RECOGNIZING EVERY DEVICE

From smartphones to gaming consoles, if a device can access the Internet, iovation will recognize it.

iovation mobile eCommerce traffic increased from 3.2% to 33.6% in 3 years.

Page 27: Get Ready for EMV and Card Not Present Fraud

WHAT IS DEVICE REPUTATION?

1. IDENTIFICATION: Has anyone seen this device?

2. EVIDENCE: Has the device abused other businesses?

3. ASSOCIATIONS: Is the device tied to known bad devices?

4. ANOMALIES: What anomalies may indicate risk?

This round-trip takes about 300 milliseconds!

Page 28: Get Ready for EMV and Card Not Present Fraud

DEVICE REPUTATION AUTHORITY

• Total Reputation Checks: 14 Billion
• Known Devices: 2 Billion
• Verified Frauds: 18 Million
• Reputation Checks per Day: 10 Million
• Incidents Stopped per Day: 200,000
• Active Fraud Analysts: 3,000

Page 29: Get Ready for EMV and Card Not Present Fraud


VALUE OF SHARING

Sharing automatically gives you access to fraud evidence placed by other iovation clients.

3X INCREASE IN FRAUD CATCH

4X INCREASE IN FRAUD CATCH

Page 30: Get Ready for EMV and Card Not Present Fraud

PROTECTION AT CNP TOUCH POINTS

• Protect points of risk across your customer’s site.

‒ Payment/checkout
• Protects against chargebacks resulting from account takeover or identity theft.

‒ Checkout/order submission, order tracking
• Protects against payment, shipping fraud

‒ Login, account creation, account update; retrieve/reset password
• Protects against account takeover

Page 31: Get Ready for EMV and Card Not Present Fraud

CNP USE CASE: ONLINE ELECTRONIC RETAILER

Electronics Retailer Stopped 25% More Fraud

Challenge

‒ Fraudsters constantly evolve new techniques to escape detection

‒ Use of stolen payment credentials to purchase goods

‒ Difficulty shutting down international fraud rings

Solution

‒ Find and link previously unrelated fraud accounts

‒ Reduce manual reviews by fine-tuning business rules

‒ Use specific device characteristics to identify fraud and high-risk transactions

Results

‒ 25% reduction in fraudulent online shipments

‒ Reduced reviews and gained operational efficiency

‒ Increased fraud detection using fraud evidence from related businesses

Page 32: Get Ready for EMV and Card Not Present Fraud

CNP USE CASE: ONLINE TICKETING

AT&T Performing Arts Center Cuts Ticket Fraud, Gains 318% ROI

Challenge

‒ $55,000+ losses in nine months from chargebacks

‒ Difficulty winning chargeback battles, wasting staff time and resources

‒ Fraudulent broker activity disrupted customer experience

Solution

‒ Proactive identification of fraudulent ticket brokers

‒ Seamless post-integration with no delay in transaction process

‒ Intuitive and user-friendly interface for fraud managers

Results

‒ $50,000+ savings in one year from reduced chargeback fraud loss

‒ 318% ROI with device reputation

‒ Stopped repeat offenders from purchasing tickets

Page 33: Get Ready for EMV and Card Not Present Fraud

Thank You