securing mobile payments: applying lessons learned in the real world

World®’16

SecuringMobilePayments:ApplyingLessonsLearnedintheRealWorldJamesRendell- VPPaymentSecurityStrategy– CATechnologies

SCX34S

SECURITY

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

ForInformationalPurposesOnlyTermsofthisPresentation

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.Thepresentationprovided atCAWorld2016isintendedforinformationpurposesonlyanddoesnotformanytypeofwarranty.Someofthespecificslideswith customerreferencesrelatetocustomer'sspecificuseandexperienceofCAproductsandsolutionssoactualresultsmayvary.

CertaininformationinthispresentationmayoutlineCA’sgeneralproductdirection.Thispresentationshallnotserveto(i)affecttherightsand/orobligationsofCAoritslicenseesunderanyexistingorfuturelicenseagreementorservicesagreementrelatingtoanyCAsoftwareproduct;or(ii)amendanyproductdocumentationorspecificationsforanyCAsoftwareproduct.Thispresentationisbasedon currentinformationandresourceallocationsasofNovember1,2016,andissubjecttochangeorwithdrawalbyCAatanytimewithout notice.Thedevelopment,releaseandtimingofanyfeaturesorfunctionalitydescribedinthispresentationremainatCA’ssolediscretion.

Notwithstandinganythinginthispresentationtothecontrary,uponthegeneralavailabilityofanyfutureCAproductrelease referencedinthispresentation,CAmaymakesuchreleaseavailabletonewlicenseesintheformofaregularlyscheduledmajorproductrelease.SuchreleasemaybemadeavailabletolicenseesoftheproductwhoareactivesubscriberstoCAmaintenanceandsupport,onawhen andif-availablebasis.Theinformationinthispresentationisnotdeemedtobeincorporatedintoanycontract.


©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation


Abstract

Mobileisthenewblack—thewaypeoplework,shopandconnect.Takingacuefromthepaymentpointofview,thissessionwillpresentbestpracticesforsecuringmobilepaymentsandhowthesepracticesarerelevantacrosstheenterprise.

JamesRendellCATechnologiesVPPaymentSecurityStrategy


Agenda

INTRODUCTION:SECURINGMOBILEPAYMENTS

MOBILEAUTHENTICATION

SUMMARY

RISKANALYTICSREAL-TIMENETWORK

NFCMOBILEWALLETPROVISIONING

SECURINGMOBILEIN-APPPURCHASES

1

2

3

4

5

6


CAStrategyforSecureMobilePayments

SecureMobilePayment

MobileAuthentication

In-Apppurchase

Mobilewallet

Real-TimeRisk

MobilePushNotification• Multi-factorauthentication• PushNotificationanddisconnectedOTPoptions• Complieswithemergingmandates,e.g.PSD2

MasterCardIdentityCheck• Biometricauthenticationoptions


MobileAuthentication:MobilePushNotification

§ Mobiledeviceasvirtualidentity

§ Out-of-BandAuthentication

§ TransactioninflightPushNotificationonmobile

§ FingerprintAuthenticationonAppledevices– RoadmapwillincorporateAndroidetc.deviceswith

similarcapabilities


DeploymentOptions:MobileOTP*

§ PasscodeGenerationonMobileDevice

§ OfflineOTPgeneration

§ SupportsmultiplecardsonsingleApp

§ AvailableinbothOAuthandEMVmodes

*PlannedServiceAvailabilityforPaymentSecurityduring2017


FeatureHighlights

§ Out-Of-BandAuthenticationfor3-DSecure2.0

§ Easy-to-useOver-the-Airprovisioningforcardholders

§ BasedonIndustrystandardEMVAlgorithm(CAPCertifiedandDPACompliant)

§ Credentialsaresoftwarelockedtotheprovisioneddevice

§ StrongprotectionagainstSIM-Swap

§ CryptographicCamouflagetechnologypreventsbruteforceattack

§ Fine-GrainedAuthenticationControlsusingCARiskAnalytics

§ SuitableforEnterpriseandConsumerdigitalchannels


MultipleProvisioningOptions

§ During3-DSecureTransactionFlow

§ ViaOnlineBankingChannel– OnlineBankingprovidesanoptiontoenrollinMobileAuthentication

byintegratingwithourexposedWebService

§ ViaIssuerMobileApp– Usingan“AddAccount”optionfromwithintheIssuerMobileApp

§ ViaAPIsforenterprisesystemintegration


Busin

ess

functio

n

Channe

ls

Onlineservicing

CA-Stron

gAu

then

tication

Payments(3-DSecure)

Enterpriseapplication

Riskevaluationandscoring• Rules• Machine

learning• Statistical• Behavioral

3-DSecure

BiometricDeviceID

CaseManagement/Reporting

Wearables

MFA

Mobilebrowser

Notification

CNP Traditionalbrowser

In-storetablet

Telephone/IVR

OmniChannelEnabler:EnterpriseandConsumer

ApplePay AndroidPay

GoogleWallet



SecureMobilePayment


In-Apppurchase

Mobilewallet

Real-TimeRisk

RiskAnalyticsReal-TimeNetwork• DeviceIdentityisakeyfraud

indicator• Leverageglobaldeviceidentity/

reputation• Real-Timemodelupdates


RiskAnalyticsReal-TimeNetwork

1. Predictivemodellearnsbank-specificcardholderbehaviorandfraudpatterns.

2. Devicesmaybeusedacrossbanks,hencecomplementaryDeviceDistillatesareincorporatedintheRiskAnalyticsNetworkmodel.

3. DeviceDistillatesupdatedinreal-timeastransactionsareprocessed.

4. Scorewillbehigherwhendevicespreviouslyassociatedwithprobablefraudareused.

Bank1 Bank2 Bank3

Real-timeupdate


RiskAnalyticsReal-TimeNetworkExplainedFraudNotDetectedbyCurrentRiskAnalyticsModel

Time

CardPivotCARD1

BSYKB,12.5GBPDEVICE1

20130411:14:48:03

20130502:12:01:45

20130527:19:09:36

53

88

510

20130508:10:03:12

405

GOAL8.0GBPDEVICE2

RAModelScore

HUNGRYHOUSE20.7GBPDEVICE1

TRADEMEDIA47.38GBPDEVICE3

NonFraud

Fraud

• Thereare4transactionsonCARD1,twolegitandtwofraud

• CurrentRiskAnalyticsModelscoringnothighenoughtodetecttwofraudulenttransactions

• Lackingvisibilityintohistoricaltransactionsacrossagivendevice

Date/TimeofTransaction

MerchantName

TransactionValue

DeviceIDRiskscoresnothighenough(<600)tobedeemedfraud.


RiskAnalyticsReal-TimeNetworkExplainedImprovedFraudDetectionbyRiskAnalyticsNetworkModel

NonFraud

Fraud

Time

CardPivotCARD1

BSYKB,12.5GBPDEVICE1

20130411:14:48:03

20130502:12:01:45

20130527:19:09:36

20130508:10:03:12

GOAL8.0GBPDEVICE2

HUNGRYHOUSE20.7GBPDEVICE1

TRADEMEDIA47.38GBPDEVICE3

62

114

RANetworkModelScore

992De

vicePivot

DEVICE

2

20130508:09:49:36

GOAL

8.0GB

PCA

RD3 610

20130508:09:48:16

GOAL

8.0GB

PCA

RD2 237

20130508:09:56:39

GOAL

8.0GB

PCA

RD4 997

20130508:10:37:43

GOAL

8.0GB

PCA

RD5 976

20130508:10:49:01

GOAL

8.0GB

PCA

RD6 994

960

DevicePivot

DEVICE

3TRAD

EMED

IA47.38GB

PCA

RD5

20130527:15:57:24

142

TRAD

EMED

IA47.38GB

PCA

RD7

20130527:16:46:40

801

TRAD

EMED

IA47.38GB

PCA

RD8

20130527:19:06:05

942

TRAD

EMED

IA47.38GB

PCA

RD4

20130527:19:24:13

978

• Newdevicepivots(i.e.DEVICE2andDEVICE3)areincludedinRiskAnalyticsNetworkmodel.

• Allowsustoalsoconsiderthehistoricaltransactionsbydeviceinevaluationscoring.

• ResultisthatthenewmodelscoreshighonthetwofraudulenttransactionsonCARD1;stoppingthefraud.



SecureMobilePayment


In-Apppurchase

Mobilewallet

Real-TimeRisk

NFCMobileWalletProvisioning• Cardholderauthenticationwhenprovisioning

carddatatomobiledevice• Acceleratetime-to-marketforissuerswantingto

embrace“*Pay”programs.


WhatIsMobilePaymentEnablement

Addingacustomer’spaymentmethodtoamobileplatform

orwallet


WalletsAreNotNew…TheyAreNotMatureEither

FinancialServicesPayPal

Venmo

Chase

CurrentC

Square

RetailMerchants

Starbucks

Amazon

Walmart

Wholefoods

TraditionalPaymentsMasterCard

Visa

Amex

VeriFone

DeviceMakers

Google

Apple

Samsung

ExistingWalletMarket…EveryoneWantstoCapturetheLoyalty


MobileWallets:ApplePayProvisioningSecurity

§ EarlyNFCMobilewalletdeploymentshadprovisioningweaknesses

§ StolencarddatacouldbeprovisionedtoNFCMobiledevices– CoupledwithcontactlessPointofSale,effectivelycloningEMVcards!!

§ CAdevelopedanincubatorofferingtodoOTPcardholderauthenticationduringNFCMobileWalletprovisioning,increasingtheassurancethatcarddataisbeingprovisionedtothecardholder’sphoneandnotafraudster’s

§ AcceleratedTime-to-Marketfor“*Pay”NFCMobileimplementations

Onboarding Provisioning Transaction Support


ProvisioningFlow

Enroll Eligible?

Authenticate OTP

Activation

Walletprovider CardScheme

CAonIssuer’sbehalf

ReturnActivation

data

OTPDelivery

OTPValidation/authentication

Token

Confirmation

AmericanExpress

ApplePay

AndroidPay

GoogleWallet

SamsungPay

AndroidPay

MasterCard

Visa



SecureMobilePayment


In-Apppurchase

Mobilewallet

Real-TimeRisk

In-apppurchase• 3-DSecure2.0nativesupportfor

in-apppurchase• Richdataevaluation,fraudrisk

scoring,andmobileauthenticationchallenge.


Evolutionof3-DSecure

BuildingTrust

Goals

Actions

Results

Buildconfidenceine-commerce

ReducefrauddisplacedbyEMVimplementation

ImprovecustomerExperience.Reduceabandonments.

Betterauthorizationrates.Accesstomorechannels.

Liabilityshiftforparticipatingmerchants

Simplifyenrolmenttodriveadoption.Strengthenauthenticationoptions

Firststepsinapplicationofanalyticsandpredictivemodelling

3-DSecure2.0.SophisticatedDataScience.AuthorizationIntegration.

Fragmentationandscheme-by-schemeserviceintroduction

Adoptionratesincreaseworldwide

Moreeffectivefraudreduction

Increaseauthorizationratesandlending.Accesstomoretransactions.ReduceFraud.Optimizeduserexperience.

FightingFraud

MinimizingFriction

“SmartAuthorization”

2001

2006

2010

2016

2018

InsightandPersonalization

Reachnewmarketsandcustomersegmentsbyleveragingrichdata.

Analytics.DataFeedstomarketing,personalization,andCRMsystems.

Growcustomerbase.Develophighvaluepartnershipsandrelationships.Reinforcebrandstrength.


ProblemsWith3-DSecure1.0.2

§ 3-DSecure1.0.2wasdesignedforthePC-basedonlineshoppingworld

§ Userexperienceonmobilebrowsersisoftenpoor

§ Merchantswaryofinvoking3-DSecurewithmobiletransactions

§ Nosupportforin-apppurchase

Materialderivedbyreferencetopublicdomaininformation.See:https://www.emvco.com/about_emvco.aspx?id=306http://www.emvco.com/faq.aspx?id=305


3-DSecure2.0

§ DevelopedandownedbyEMVCo– ManagesandcontrolstheEMVstandards

§ Designedforin-apppurchase– NativeappandHTMLUIsupport– Flexibleauthenticationoptions

§ Browserspecificationreplacementfor1.0.2

§ Designedtooptimizeuserexperience– Bypassingdetaileddatafromthemobiledeviceonlyasmallpercentageoftransactions

wouldneedtobechallenged– =>Theleadersinthisnewworldwillbethosewhocanleverageworld-classDataScience



What’sNewin3-DSecure2.0?

§ Richdata

§ Earlyriskevaluation

§ Frictionless,Challenge,andOutofBandAuthenticationFlows

§ In-apppurchaseintegration

§ Newbrowserspecification

§ ID&VFlows



EarlyRichData

§ Enhanceddatapassedup-frontintheequivalentoftheVEReqmessage– DeviceID/fingerprint– MerchantCategoryCode– Purchaseamount,currency– Optionalcardholderbilling/deliverydetails

§ Enhancedfrauddetection

§ Optimizeuserexperience– Majorityoftransactionswillneverbechallenged



TyingItAllTogether


Summary:CAStrategyforSecuringMobilePayments

••Nativemobileuserexperience

••Richdataevaluation

••Provisioningsecurity

••Cardholderauthentication

••MobileStrongAuthentication

••OmniChannelenablement

••NeuralNetworks

••DeviceIdentity

TransactionRisk Authentication

MobileappsMobileWallets

NeuralNetworks


Don’tMissOurINTERACTIVESecurityDemoExperience!

SNEAKPEEK!



Questions?


Thankyou.

Stayconnectedatcommunities.ca.com


Security

FormoreinformationonSecurity,pleasevisit:http://cainc.to/EtfYyw

securing mobile payments: applying lessons learned in the real world

Technology