Payment Trends: Fraud, Risk Management, & EMV

Utility Payment Conference, October 21, 2014

Matt Davies, AAP, CTP, CPP
Federal Reserve Bank of Dallas

Payments Fraud & Controls (AFP)

2014 AFP Payments Fraud & Control Survey (tenth annual)

Overall, slight decrease in corporate payments fraud and heightened interest in security risks

However, 2013 still saw an increase in credit and debit card fraud

Criminals/schemes becoming increasingly sophisticated


Payments Fraud & Controls (AFP)

Changes in payments fraud experienced in 2013 compared to 2012:
– 27% - increase;
– 16% - decrease;
– 57% - no change

Payment types targeted by fraudsters:
– 82% - Checks
– 43% - Credit/debit cards (corp. & consumer), up from 29% in 2012;
– 22% - ACH debits, down from 27% in 2012;
– 14% - Wires, up from 11% in 2012;
– 9% - ACH credits, up from 8% in 2012

Payments Fraud & Controls (AFP)

70% of companies exposed to actual or attempted fraud in 2013 experienced no financial loss as a result.

For those companies that did incur financial loss, the typical loss incurred was $23,100.

80% of companies that experienced actual or attempted payments fraud found it originated outside the organization.

Check Fraud

Number of incidents of check fraud experienced by organizations in 2013:
– 1-5 – 42%
– 6-10 – 15%
– 20+ – 27%

Check Fraud

Check fraud methods:
– counterfeiting by altering the MICR line on a check (62%)
– alteration of the payee name on issued checks (52%)
– alteration of the dollar amount on issued checks (37%)
– counterfeited check with a name drawn on a fake or another organization’s account information (31%)

Check Fraud Prevention

Positive Pay/Reverse Positive Pay/Positive Pay with Payee Verification
– 2010 check fraud case: Cincinnati Insurance Co. v. Wachovia Bank

Daily reconciliation

Segregation of accounts

“Post no checks” restriction

Check Fraud Prevention

Internal controls/separation of duties, e.g.:
– purchase order;
– establishment of vendor;
– A/P authorizes Cash Mgmt area to print checks;
– Accounting does bank recon;
– Financial authorizations policy (e.g., approval/signature thresholds for manager, director, SVP);
– Internal audit/Risk Management

Checks received at “tellers”: If converting to ACH or to images, what is your policy for destruction of physical items? (e.g. 14 days)

Check Fraud Prevention

Make large dollar payments electronically.

Avoid using laser checks.

Use a controlled stock of high security checks, with safety features such as a true watermark, thermochromatic (heat sensitive) ink and reactivity to various chemicals.

Check Fraud

Organizations incurred financial loss from check fraud because:
– Check was cashed by check-cashing service (cited by 38% of AFP survey respondents)
– Account reconciliation or positive pay view was not timely (28%)
– Internal fraud (21%)
– Did not use positive pay, reverse positive pay or payee positive pay (17%)
– Client-initiated check return was untimely (10%)
– Did not use “post no checks” services on electronic payment account (10%)

Mobile RDC

Some FIs—particularly larger ones—are rolling out mobile remote deposit capture (mRDC) to corporate customers.

For risk mitigation, FIs:
– Usually have protections in place to block duplicate deposits
– Might not offer mobile RDC to all customers; “qualify”
– Place limits on dollar amount that can be deposited/frequency of deposits
– Use restrictive endorsements

Customer Refund Check Fraud

Issued from separate account? Different check stock?

Customer calls to say check was lost; check is voided and customer instructed not to deposit if found; customer “finds” first check and deposits both; OR

Customer deposits refund check through mobile RDC; cashes paper check at check casher

Positive pay will catch the duplicate, but…

Holder in Due Course

Customer Refund Check Fraud

If customer claims a check was lost, place a stop payment on that check with your bank

Encourage local check cashers to call the utility to verify that a check is legitimate?
– A utility in Texas did this

Potential for similar situations with employee payroll checks
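As an added example, not from the presentation: the bank-side matching step behind positive pay with payee verification, run over a constructed issue file and the refund-check scenario above. The stopped “lost” check, the mRDC deposit followed by the check-casher presentment of the same item, an altered amount and a never-issued serial all surface as exceptions; the serials, names, amounts and channel labels are constructed.

```python
"""Positive pay with payee verification, modelled as the bank-side matching step.
Added example, not from the presentation: the issue file, presented items and
channel labels are constructed; the exception reasons follow the slides."""
from collections import namedtuple
from decimal import Decimal

# stopped: a stop payment was placed after the payee reported the check lost
Issued = namedtuple("Issued", "serial amount payee stopped", defaults=[False])
# channel: constructed labels (mRDC, check_casher, branch) for the scenario
Presented = namedtuple("Presented", "serial amount payee channel")

def positive_pay(register, presented):
    """Return (pay, exceptions); each exception pairs the item with a reason.
    Items are checked in presentment order, so the first copy of a refund check
    (deposited by mRDC) pays and the paper copy cashed later is the duplicate."""
    issued = {i.serial: i for i in register}
    seen, pay, exceptions = set(), [], []
    for item in presented:
        orig = issued.get(item.serial)
        if orig is None:
            reason = "serial not in issue file (counterfeit MICR line?)"
        elif item.serial in seen:
            reason = "duplicate presentment"
        elif orig.stopped:
            reason = "stop payment on file"
        elif item.amount != orig.amount:
            reason = "amount differs from issue file"
        elif item.payee.casefold() != orig.payee.casefold():
            reason = "payee differs from issue file"
        else:
            reason = None
        seen.add(item.serial)
        if reason is None:
            pay.append(item)
        else:
            exceptions.append((item, reason))
    return pay, exceptions

# Constructed scenario: 1001 reported lost and stopped, 1002 issued as its
# replacement; the customer deposits 1002 by mRDC, cashes it again at a check
# casher, and also presents the "lost" 1001.  1003 has an altered amount.
SAMPLE_REGISTER = [
    Issued("1001", Decimal("48.20"), "Jane Doe", stopped=True),
    Issued("1002", Decimal("48.20"), "Jane Doe"),
    Issued("1003", Decimal("125.00"), "Acme Supply"),
]
SAMPLE_PRESENTED = [
    Presented("1002", Decimal("48.20"), "Jane Doe", "mRDC"),
    Presented("1001", Decimal("48.20"), "Jane Doe", "check_casher"),
    Presented("1002", Decimal("48.20"), "Jane Doe", "check_casher"),
    Presented("1003", Decimal("1250.00"), "Acme Supply", "branch"),
    Presented("9999", Decimal("500.00"), "Acme Supply", "branch"),
]
```

Positive pay flags the paper duplicate as an exception; whether the check casher can nonetheless enforce it is the Holder in Due Course question the slides raise.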

ACH Fraud

Encourage your customers to use passwords for your Web site that are different from the passwords they use on other sites. (I know, easier said than done!)

Unauthorized return time frames:
– NACHA Rules: 60 days from settlement date of transaction
– Regulation E: 60 days from day statement cuts

How does your bank handle unauthorized returns that are made outside of these time frames?

ACH Fraud (Corporate Accounts)

ACH Fraud

Prevention:
– ACH Debit Block
– ACH Debit Filter
– ACH Positive Pay

ACH Fraud

Reasons organizations were victims of ACH fraud:
– Did not use ACH debit blocks or ACH debit filters (cited by 50% of AFP survey respondents)
– Account reconciliation was not timely (38%)
– ACH return not timely (38%)
– Not using ACH positive pay (38%)
– Internal fraud (13%)

Fraud Prevention at Point of Sale

Check acceptance?
– Some merchants (e.g., Wendy’s) do not accept checks

Manual entry of card transactions?
– One large convenience store chain has disabled the ability for its cashiers to key-enter transactions.
– This led to a significant decrease in their in-store fraud

Fraud Prevention for Merchants

Storage/use of customer data?
– An airline is working to minimize collection/retention of data; e.g., trying not to have kiosks used for check-in for a flight collect card # when doing verification.
– Products/services through which merchants share data with others on the platform (e.g., Accertify)
• Uses a scoring-based or risk-based method, similar to a negative database.
• Airline is no longer using address verification service (AVS) to authenticate transactions.
• Also looking at dropping use of the cardholder verification value (CVV2); already not using on telephone transactions, and looking at not using it on Web transactions.

Fraud Prevention for Merchants

U.S. Bank is making e-payment kiosks available to its customers

Can help companies shrink lines during busy times

Lines are often not just for making payments; also for customer service, etc.

Kiosks can help steer customers to a more automated option

Targeting companies, government entities, utilities and nonprofits that accept payments from users/ customers

Fraud Prevention for Merchants

Free-standing machines, similar to ATMs

Accept cash, checks, credit and debit cards

Can be customized

View which consumers have used them to make payments

Display targeted messages to kiosk users

Fraud Prevention for Merchants

May be used to reach consumers who have not yet begun to use the Web or mobile devices
– According to research cited by the bank, more than 1 in 5 consumers pay bills in person

Piloted by Detroit Water & Sewage
– Installed a self-service kiosk in its downtown Detroit office to collect bills from residents.

In addition to customer service, kiosks may be beneficial for fraud/risk management purposes
– Cashiers are not handling payments
– Reduction in cash “shrinkage”/associated fraud

Call Center Fraud Prevention

Products/Services that allow call centers and/or other groups to confirm the identity, location and type of device used by callers

Voice biometrics and other technologies allow for analysis of the audio aspects of calls to identify suspicious call origins, caller ID spoofing and other potential signs of fraud

Corporate Account Takeover (CATO)

What is it?
– Malware
• In 2Q13, for example, new types of malware exceeded 18 million (McAfee)
– Keylogging
– “Phishing” Attacks
– “Money Mules”

Global corporate account takeover losses will total US$627m in 2014 (Aite)

Corporate Account Takeover

Individual Americans are protected by Reg E & are liable for a maximum $50 if a cyber-thief strikes.

Companies have no such guarantees.

In the US, corporate customer liability is governed by the Uniform Commercial Code (UCC).

Companies are responsible for stolen funds if:
– they have agreed to a security procedure with the bank,
– the bank followed it, and
– the procedure was ‘commercially reasonable.’

FFIEC Guidance

FFIEC Supplemental Guidance on Internet Authentication
– Released June 2011
– Supplement to Authentication in an Internet Banking Environment guidance issued October 2005
– Lays out broad steps banks should take to guard against malware attacks.
– Establishes minimum requirements for educating customers about online fraud.

FFIEC Guidance

Prescribes layered security for business accounts
– Includes the ability to detect and respond to suspicious activity when logging in and initiating transactions [anomaly detection].
– Stop relying on tokens, passwords and cookies
– Instead, use “layered security,” including software that flags unusual behavior such as multiple transfers within minutes to new recipients
– Out-of-band authentication
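An added example of the anomaly rule named in the layered-security bullet (software that flags multiple transfers within minutes to new recipients), run over constructed online-banking audit log lines. It is not from the FFIEC guidance or any product; the log layout, user names, payee names and the ten-minute/three-transfer thresholds are assumptions.

```python
"""Anomaly rule for the layered-security bullet: flag several transfers to
never-before-seen recipients within a short window, and hold them for out-of-band
confirmation.  Added example with constructed audit log lines, not from the page
or any vendor product; the field layout and user/payee names are assumptions."""
from datetime import datetime, timedelta

# Constructed online-banking audit log: timestamp, user, recipient, amount.
SAMPLE_LOG = """\
2014-10-21T09:02:11 ap_clerk VENDOR-ACME 1250.00
2014-10-21T09:04:50 ap_clerk VENDOR-ACME 980.00
2014-10-21T13:15:02 ap_clerk NEWPAYEE-7781 4900.00
2014-10-21T13:16:40 ap_clerk NEWPAYEE-7782 4850.00
2014-10-21T13:18:05 ap_clerk NEWPAYEE-7783 4975.00
2014-10-21T16:40:00 treasurer NEWPAYEE-8800 300.00
2014-10-22T10:00:00 treasurer VENDOR-ACME 1100.00
"""
KNOWN_RECIPIENTS = {"VENDOR-ACME"}   # payees with prior paid history (constructed)

def parse(log):
    """Parse log lines into (timestamp, user, recipient, amount) tuples, oldest first."""
    rows = []
    for line in log.splitlines():
        ts, user, recipient, amount = line.split()
        rows.append((datetime.fromisoformat(ts), user, recipient, float(amount)))
    return sorted(rows)

def new_recipient_bursts(rows, known, window=timedelta(minutes=10), threshold=3):
    """Return one alert per user per burst: (user, alert_time, [recipients]).

    A transfer counts only if its recipient is absent from `known`; the set of
    known payees is not updated mid-run, because a first-time payee must be
    confirmed out of band before it earns trust.  A single new payee (treasurer
    at 16:40) stays below the threshold and is not flagged."""
    recent, alerts = {}, []
    for ts, user, recipient, _amount in rows:
        if recipient in known:
            continue
        hits = [(t, r) for t, r in recent.get(user, []) if ts - t <= window]
        hits.append((ts, recipient))
        recent[user] = hits
        if len(hits) == threshold:           # fire once when the threshold is crossed
            alerts.append((user, ts, [r for _, r in hits]))
    return alerts

def disposition(rows, known):
    """Map each flagged recipient to the action a layered-security program would
    take: hold the transfer pending out-of-band (e.g. call-back) confirmation."""
    held = {}
    for user, _ts, recipients in new_recipient_bursts(rows, known):
        for r in recipients:
            held[r] = f"hold: confirm with {user} out of band"
    return held
```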

FFIEC Guidance

Directs FIs to add security for business accounts, including enhanced controls over admin functions, where privileged users’ passwords, if stolen, can give hackers direct access to a company’s bank accounts.

Does not endorse any specific technology for doing so

FIs should make clear to business customers that they are not protected by Reg E.

Corporate Account Takeover

Experi-Metal v. Comerica

PATCO Construction v. Peoples United (former Ocean Bank)

Choice Escrow & Land Title v. BancorpSouth Bank

Prevention of CATO

Daily account reconciliation

Employee education – employees should know whom to notify and how regarding any suspicious activity.

Security
– Use of firewalls, antivirus, anti-spyware, anti-malware, etc.
– Use products that form a “suite”; “Security programs from multiple companies sometimes do not work well together, often working against each other.”

Multifactor authentication

E-mail alone is insufficient to authorize a wire

Prevention of CATO

Dedicated PC(s) for performing online banking functions

Minimize the number of employee user accounts with admin rights; many malware programs can infect a PC only if the user has admin rights.

Limit use of social networks, personal e-mail, general Internet usage

Restrict use of flash drives to those provided by your IT dept.

Prevention of CATO

Preparedness: A company’s risk profile/risk assessment should include information about CATO.
– How will you attempt to prevent it (operational)?
– How will you mitigate the risks associated with it (financial/reputational)?
– Each organization’s plan may vary.

“In Case of Emergency. . .”

Work with FI to ensure online access to user accounts is disabled; all online banking users will need to change online banking passwords, or open new accounts, if necessary.

Review all recent transactions and authorizations on the account; if any are suspicious, cancel or reverse them ASAP (and if possible).

Ensure that hackers have not created any new users or payees, requested a change of information such as address or phone number, changed access levels of any user, altered ACH batch or wire transfer templates, or ordered new cards, checks or other documents.

“In Case of Emergency. . .”

File a police report.
– May help you in working with FIs, insurance companies or other entities that may need to be involved in subsequent investigations.
– Keep detailed records of what has happened and steps you have taken to resolve the situation.

You may need to take additional action if your organization accepts credit cards.

“Masquerading”

Combination of social engineering and a confidence scam, using high-tech tools.

Fraudster sends an email that appears to be from an executive at a company, or calls, spoofing the executive’s phone number.

The fraudster then gets the target at the organization to do something, such as send a wire or initiate an ACH payment.

Source: Penny Crosman, “This Banker Is on a Mission to Warn About ‘Masquerading’ Scams,” Aug. 1, 2014

Tax Return Fraud

Identity thieves file fake federal returns using taxpayers’ SSNs; taxpayer who files subsequently finds his or her return rejected because someone already received a return using that identity.

641,052 taxpayers affected by ID theft in 2011, more than double the number affected in 2010

IRS detected 940,000 fake returns for 2010, in which ID thieves tried to obtain $6.5 billion in refunds

Tax Return Fraud

Prevention:
– IRS now uses a code to identify taxpayers who have died, so their numbers cannot be used by thieves
– IRS has issued more than 250,000 identity protection numbers to ID theft victims to use to prove they are the legitimate taxpayers when they file returns.
– IRS will be implementing measures to resolve cases faster.
– Taxpayers should guard SSN, and file tax returns as early as possible

SOURCE: Eileen Ambrose, “Protect Your Tax Return from Identity Thieves,” The St. Louis Post-Dispatch, Sunday, May 27, 2012, p. D2

Credit Card Acceptance/EMV

Do you have point-of-sale terminals?

Do you have field staff who accept payments via credit card using a Square or Square-like device?

EMV

“EMV” = Europay, MasterCard, and Visa

1994: Founded the global standard for credit and debit payments based on chip card technology.

Today, Europay is owned by MC; EMV standards are set by EMVCo, a joint venture of Visa, MC, AmEx, JCB, Discover and UnionPay.


EMV

“Chip cards,” “chip and PIN cards,” and “smart cards” are used interchangeably.
– Plastic cards that contain a microchip that sends a dynamic protected value unique to each transaction

Though “chip and PIN” is often used with EMV, the standards allow for cardholder verification via signature (PIN is most common in other countries).

U.S. Implementation: “Chip and choice”


EMV

EMV standards have been adopted in many other countries, but the U.S. has lagged behind.
– Reluctance due to the cost of changing payment terminals to accept chip payments.
– Some U.S. card issuers have begun issuing cards containing EMV chips (e.g., to frequent international travelers so that they don’t have payments problems abroad), but many have yet to move in that direction.
– The cost of terminal and card migration may be as high as $12bn (Javelin).

EMV

Two Ways of Accepting Chip Card Payments

Contact (“dipping” the card): Cardholder inserts card into POS device. Card remains in device until completion of the transaction. If a customer removes the card before the charge is approved, the transaction will fail and the customer will be required to provide the card again.

Contactless (“tap-and-go”): Cardholder waves the card by the chip card-enabled POS device to provide payment information. Once the transaction has been authorized, customer might then be prompted to enter PIN or sign a receipt.

Dynamic Authentication

EMV relies on dynamic authentication: use of changing variables unique to each individual card transaction

When mag-stripe cards are swiped at a POS terminal, data such as the primary account number (PAN) and expiration date are transmitted to the card issuer.

That data—known as static data—remains the same for each transaction.
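An added toy model of the static-versus-dynamic point above, not from the presentation or from the EMV specifications: track data that is identical on every swipe next to a per-transaction cryptogram that the issuer verifies and refuses to accept twice. HMAC-SHA256 stands in for the EMV MAC, and the PAN, card key and amounts are constructed placeholders.

```python
"""Static vs. dynamic authentication as an added toy model (not the EMV spec):
a mag-stripe sends identical track data every time, while a chip computes a
per-transaction cryptogram over amount, terminal nonce and a counter, so a
replayed or altered authorization fails at the issuer.  PAN, key and amounts
are constructed placeholders; HMAC-SHA256 stands in for the EMV MAC."""
import hashlib
import hmac
import os

PAN = "4111111111111111"                            # constructed test PAN
CARD_KEY = bytes.fromhex("0123456789abcdef" * 2)    # constructed card key

def cryptogram(key, amount_cents, un, atc):
    """MAC over the fields the issuer must see unchanged."""
    msg = f"{amount_cents}|{un.hex()}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def stripe_track(pan, expiry):
    """Mag-stripe model: the same static track data on every swipe."""
    return f"{pan}={expiry}".encode()

class Chip:
    """Dynamic data: MAC over transaction fields plus an incrementing counter."""
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0
    def authorization_request(self, amount_cents, unpredictable_number):
        self.atc += 1                # application transaction counter, never reused
        return {"pan": self.pan, "amount": amount_cents, "un": unpredictable_number,
                "atc": self.atc,
                "mac": cryptogram(self.key, amount_cents, unpredictable_number, self.atc)}

class Issuer:
    def __init__(self, keys):
        self.keys, self.last_atc = keys, {}
    def authorize(self, req):
        key = self.keys[req["pan"]]
        expected = cryptogram(key, req["amount"], req["un"], req["atc"])
        if not hmac.compare_digest(expected, req["mac"]):
            return False             # altered fields or wrong key
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False             # counter already seen: replay
        self.last_atc[req["pan"]] = req["atc"]
        return True

def stripe_is_static():
    """Two swipes are byte-identical, so a copy cannot be told from the original."""
    return stripe_track(PAN, "1217") == stripe_track(PAN, "1217")

def chip_replay_fails():
    """Return (genuine_ok, replay_ok, altered_amount_ok) for one captured request."""
    chip, issuer = Chip(PAN, CARD_KEY), Issuer({PAN: CARD_KEY})
    req = chip.authorization_request(4820, os.urandom(4))
    genuine = issuer.authorize(req)
    replay = issuer.authorize(dict(req))                  # same cryptogram presented again
    altered = issuer.authorize(dict(req, amount=48200))   # amount changed, MAC mismatch
    return genuine, replay, altered
```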

Card Associations & EMV

Visa roadmap to EMV (August 2011)
– Expand TIP: Visa will expand its Technology Innovation Program (TIP) to merchants in the U.S.
• TIP ends the mandate for merchants to validate compliance with the PCI Data Security Standard (PCI DSS) for any year in which 75% of the merchant’s Visa transactions stem from chip-based terminals.
• To accommodate the Visa mandate, merchants must use terminals that support both contact and contactless chip technology.
• “Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable.”

Card Associations & EMV

Liability Shift: Visa will institute a U.S. liability shift for domestic and cross-border counterfeit card-present POS transactions, eff. Oct. 1, 2015.
– Fuel-selling merchants have until Oct. 1, 2017, before the liability shift takes effect for transactions at automated fuel dispensers, due to the added expense of updating.

Encourages EMV adoption:
– Currently, POS counterfeit fraud is largely absorbed by card issuers.
– With liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer.
– The acquirer will likely shift that liability down to the merchant.

Card Issuers & EMV

JPMC
– First major card issuer to adopt chip-and-signature model for U.S. cards
– Announced 2/25/2014 that it would begin issuing chip-and-PIN cards this year. Will others follow suit?

Merchants & EMV

Merchants ultimately will bear the cost of new POS hardware, software, and changes in their payment-processing operations to accept chip cards.

Only about 10% of the POS terminals in the U.S. are EMV-ready

Wal-Mart has been pushing for EMV adoption for years.

Wal-Mart, Home Depot and AMC Theaters all prefer PIN in U.S. EMV scheme

Oct. 2011: Wal-Mart turned on EMV acceptance at fewer than 100 stores (of approx. 3,600 in U.S.)
– Most in areas that draw foreign visitors, such as Orlando, FL

Merchants & EMV

March 2014: Wal-Mart turned on EMV acceptance at about 1,000 of its US stores.

Its whole network of US stores will be ready to accept EMV cards before the end of the year.

Cards in EMV countries typically still come with a mag-stripe.

The US will likely be in this “dual” environment for a long time!

When a cardholder tries to swipe a chip card at an EMV-equipped terminal (in a Wal-Mart store, for example), which would read the mag-stripe, the terminal prompts the cardholder to “dip” the card in the device so that the chip is read instead.

Beyond EMV

Tokenization

Point-to-Point Encryption (P2PE)

3DSecure

Questions?

Matt Davies, AAP, CTP, CPP
Payments Outreach Officer
Federal Reserve Bank of Dallas
Phone: 214-922-5259
E-mail: [email protected]

Follow us on: @DallasFed DallasFed