payments 2015 01-29

ORUG SIG Payments in Retail

David Dorf, Sr. Director, Technology Strategy

29 January 2015

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Upload: association-of-retail-technology-standards-arts

Post on 15-Jul-2015



Retailers Hate Credit Cards!

• Complex

• Direct cost 2-3%

• Delay of 1-7 days

• Charge-backs

• Fraud

Example (2% fee): $100.00 - 1.50 - 0.15 - 0.35 = $98.00


Emerging Payment Methods

• NFC but limited to subset of phones; HCE

• Uses CC or ACH; phone#, beacons, peer-to-peer.

• Owned by Telcos; NFC via secure element

• NFC, tokens

• Owned by retailers; no CC; uses barcodes


Other Payment Schemes


Methods of Theft

• Hacked main street merchant or restaurant

• Processor breach

• Hacked point-of-sale service company/vendor

• Hacked e-commerce merchant

• ATM or gas pump skimmer

• Crooked employee

• Lost/stolen card

• Malware on consumer’s PC

• Physical record theft

http://krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen/#more-29560

A Bluetooth enabled gas pump skimmer lets thieves retrieve stolen card and PIN data wirelessly while they gas up.

Data Breaches

This isn’t just a retail industry problem.

Retailer Response Plan

• Contact numbers for a small response team. When a threat is detected, you'll want the right people on a conference call to quickly determine next steps. This should include representatives from Legal, Public Relations, and of course IT.

• Contact numbers for the FBI and Secret Service. You may also want to have a cyber forensics specialist in mind. You can't afford to waste time before asking for help.

• Contact numbers for key vendors that might be able to assist. This might include e-commerce, POS, and credit card processing vendors. Have these relationships established before you need them.

• A general plan to isolate systems and stop the breach. An over-reaction can also be costly, so make sure there are lots of options available, with far-ranging effects.

• The outline for a marketing plan to address the public's concerns. Are you prepared to notify affected customers? How can you quickly re-establish trust?

UK Fraud

[Chart: UK fraud by category (Card Present, Card Not Present, Total Fraud); chart labels: EMV 17%, EMV 99%]

• EMV helps but isn’t the complete answer.

• We need tokenization and/or E2E encryption.

• We need a federal law for notification.

Online Alternatives

• Chip Authentication Program/Dynamic Passcode Authentication

– Chip reader to verify PIN

– Sweden and UK

• 3D Secure

– Bank requests password or similar

– Sometimes uses SMS

• Tokenization

– Bank provides one-time-use number


Visa EMV Liability Shift

The Visa global POS counterfeit liability shift will occur on 1 October 2015, and the ATM and AFD liability shift will be instituted in the U.S. on 1 October 2017. The liability shift applies only to counterfeit cards and does not pertain to lost and stolen cards. The party that is the cause of a chip transaction not being conducted (i.e., either the issuer or the merchant’s acquirer or acquirer processor) will be held financially liable for any resulting card-present counterfeit fraud losses.

In the event that a chip card or chip reader is not functioning and the physical magnetic-stripe of the card is read, the terminal will read the service code and prompt the merchant to read the card as a chip card. Merchant staff need to understand the activities that they should perform and the sequence of events they should follow when they are processing fallback transactions. Typically, the merchant staff member will be given a number of chances to read the chip card using the terminal chip reader before the terminal prompts for fallback to be performed using the magnetic-stripe, if permitted.

http://usa.visa.com/download/merchants/visa-merchant-chip-acceptance-readiness-guide.pdf
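
The fallback decision described above, sketched as an added example (not code from the presentation or from Visa's guide). The Track 2 layout and the chip-indicating first service-code digit (2 or 6) follow ISO/IEC 7813; the retry limit, the action names and the decline outcome are assumptions, and the card data is constructed.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

# Assumed value: the guide only says staff get "a number of chances".
MAX_CHIP_ATTEMPTS = 3


def service_code(track2):
    """Return the 3-digit service code from a Track 2 string, or None if malformed."""
    m = TRACK2.match(track2)
    return m.group(3) if m else None


def card_has_chip(track2):
    """A first service-code digit of 2 or 6 means the card carries a chip."""
    code = service_code(track2)
    if code is None:
        raise ValueError("unreadable Track 2 data")
    return code[0] in "26"


def next_action(track2, failed_chip_reads, fallback_permitted):
    """Decide what the terminal does after a magnetic-stripe read.

    The returned action names are hypothetical labels for this example.
    """
    if not card_has_chip(track2):
        return "PROCESS_MAGSTRIPE"
    if failed_chip_reads < MAX_CHIP_ATTEMPTS:
        # Chip card was swiped: send the cardholder back to the chip reader.
        return "PROMPT_INSERT_CHIP"
    if fallback_permitted:
        # Keep fallback distinguishable so its rate can be monitored.
        return "PROCESS_MAGSTRIPE_AS_FALLBACK"
    # Assumption: the source does not say what happens when fallback is not permitted.
    return "DECLINE"


# Constructed sample data using a well-known test PAN, not real cards.
CHIP_CARD = ";4111111111111111=30122010000000000?"    # service code 201
STRIPE_ONLY = ";4111111111111111=30121010000000000?"  # service code 101

if __name__ == "__main__":
    for reads in range(MAX_CHIP_ATTEMPTS + 1):
        print(reads, next_action(CHIP_CARD, reads, fallback_permitted=True))
    print(next_action(STRIPE_ONLY, 0, fallback_permitted=True))
```

A sustained high share of fallback results at one terminal or store is worth reviewing, which is why the example keeps fallback as its own outcome instead of folding it into ordinary magnetic-stripe processing.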


How Does EMV Work?

http://usa.visa.com/download/merchants/visa-merchant-chip-acceptance-readiness-guide.pdf

EMV Training

1. Chip cards are inserted into the chip reader and must remain inserted until the transaction is completed.

2. Early removal of the chip card from the reader will terminate the transaction.

3. Merchant staff should prompt cardholders to insert the card into the chip reader rather than swiping the magnetic-stripe.

4. Merchant staff should ensure that when the purchase is complete, the cardholder takes their card.

5. If a chip card or chip reader is not functioning and the physical magnetic-stripe of the card is read, the terminal will read the service code and prompt the merchant to read the card as a chip card.

6. If the magnetic-stripe functionality of the card or terminal is not working or an online authorization is not available, merchants may then fall back to existing card acceptance procedures.

7. Ensure merchant staff members clearly understand CVM.

8. Train your back-office personnel about chip-related chargeback issues and dispute resolution actions.

9. Conduct follow-up training as necessary. This is especially important given possible high turnover, a high incidence of fallback transactions, or both.

10. Evaluate merchant training needs and materials regularly.

http://usa.visa.com/download/merchants/visa-merchant-chip-acceptance-readiness-guide.pdf

EMV Lessons Learned

• CNP fraud will go up

• Consumers will try to swipe (training & signage)

• Consumers will remove cards prematurely (training & signage)

• Consumers will leave cards behind (training & signage)


Valuable Resources

• http://www.emv-connection.com/

• http://www.emv-usa.com/

• http://krebsonsecurity.com/


To Learn More:

www.oracle.com/retail

blogs.oracle.com/retail @dordav
