Corporate Strategies for
Preventing Payments Fraud
MAAFP Annual Financial Forum
March 16, 2016
Karen Nash-Goetz, Vice President & Senior Legal Counsel
T. Rowe Price Associates, Inc.
Discussion Topics
Payments Fraud Landscape
Understanding Your Risk
Fraud by Payment Type
Check Fraud
Card Fraud
ACH & Wire Fraud
Payment Security Practices
Disclaimer
The opinions expressed are those of the presenter and are not those of
T. Rowe Price
Payments Fraud
Landscape
Corporate Fraud Attacks & Losses
62% of organizations reported payments fraud attacks in 2014; of
those, 30% suffered losses
[Chart: % of Organizations Subject to Fraud Attacks & Losses, 2004 to 2014; series: Subject to Fraud, Subject to Fraud w/ Losses]
Source: 2015 AFP Payments Fraud & Control Survey, Association for Financial Professionals
Corporate Experiences with
Attempted Fraud &/or Losses
Fraud Experience by Payment Type
Source: 2015 AFP Payments Fraud & Control Survey, Association for Financial Professionals
| Payment Types | Check | ACH | Cards | Wire |
| --- | --- | --- | --- | --- |
| Subject to Fraud Attacks | 77% | 25% Debit, 10% Credit | 34% | 27% |
| Financial Loss from Fraud | 15% | 11% | 15% | Not Available |
| Responsible for Greatest Financial Loss to Company | 45% | 7% Debits, 1% Credits | 2% Debit, 25% Credit | 20% |
Understanding Your
Risk
Assess Your Risk
Know your customers, vendors & suppliers
– Who do you conduct payment transactions with?
Probability of fraud attempts by payment type
Probability & size of financial loss from successful fraud
Who’s on the Hook for Fraud Liability
Understanding fraud liability
Liability for payments fraud is governed by laws, regulations, &/or private
contracts
Liability varies by payment type
It is complicated by market dynamics & innovation
Divergent case law makes it hard to know with certainty who is liable for
payments fraud: check images, account takeover
“Remote” payments may change the nature of liability: card not present (CNP)
fraud
Practical matter of recovering lost funds & timing of recovery
Prevention Costs versus Actual Fraud Losses
For every payment type, a higher percentage of businesses respond
that prevention costs exceed actual losses
[Chart: Fraud Prevention Costs versus Actual Fraud Losses by % of Businesses (N=186 to 239); payment types: ACH, Wire, Checks, Credit cards, Cash, Debit PIN, Debit signature, Mobile, Prepaid cards; series: Prevention Costs, Actual Fraud Loss, Don’t Offer/Use Payment]
Source: 2014 Federal Reserve Payments Fraud Survey – Summary of Consolidated Results
Account Takeovers
How Account Takeovers Work (Example)
1. Target Victim (Business): Fraudster targets business by way of phishing, spear phishing, social engineering, or computer hacking
2. Malware Installed: If successful, malware is installed on computer—e.g., key logging or screen shot capabilities
3. Online Banking: Victim visits online banking; logs in using normal processes
4. Collect & Transmit Data: Malware collects & transmits data (including online banking credentials) back to fraudster
5. Transfers Funds to Mule Accounts via ACH or Wire: Using compromised online banking credentials, fraudster initiates funds transfers (via ACH credits or wires) to mule accounts
6. Mule Accounts Emptied & Abandoned: Mule accounts are emptied shortly after money is received & abandoned. Once the money is sent, it is hard to get it back
Business Email Compromise (BEC)
Version 1 — A business, which often has a long-standing relationship with a supplier, is asked to wire funds for invoice payment to an alternate, fraudulent account. Request is made via fax, telephone or email & appears legitimate.
Version 2 — The email account of a C-suite executive is compromised. A request for a wire transfer from the compromised email account is made to a second employee within the company who is normally responsible for processing these requests.
Version 3 — An employee of a business has his/her personal email hacked. Requests for invoice payments to bank accounts controlled by the fraudster are sent from this employee’s personal email to multiple vendors identified from this employee’s contact list.
Source: FBI Public Service Announcement, Business E-Mail Compromise Alert, January 2015
Industry Sectors Targeted by Phishing
Attacks
Retail/Service, 29.4%
Payment Services, 25.1%
Financial, 20.8%
Email, 12.4%
Social Networking, 6.4%
ISP, 2.8%
Other, 3.1%
Source: APWG Phishing Activity Trends Report 4th Quarter 2014, April 2015
Retail/Service was the most-targeted industry sector in Q4 2014, with Payment Services close behind
Fraud by Payment Type
Check Fraud
Low barriers & costs to entry
Account & other information
needed is accessible
Attributes of paper facilitate
fraud
Common types of fraud:
Counterfeits, Alterations,
Forgeries
Remote deposit capture creates
different fraud risks
Checks had highest average
value of unauthorized
transactions
Average value of unauthorized transactions, non-cash retail payments, 2012:
Debit*: $104
Credit: $136
ATM: $199
ACH: $736
Check: $1,272
Source: 2013 Federal Reserve Payments Study (study excluded wires)
*Debit card includes prepaid cards
Methods to Mitigate Check Fraud Risk
Implement strong internal controls & procedures around key
payment functions
— Reconcile accounts daily
— Address exceptions & make timely returns
— Secure checks – stock, deposit slips, canceled checks
— Securely store & systematically destroy original paper checks of RDC items
— Separate employees’ duties to lessen possibility of internal fraud
— Use secure financial document destruction processes
Methods to Mitigate Check Fraud Risk
Use proven tools & services
from your bank & other
providers—e.g., positive pay,
reverse positive pay, RDC
duplicate deposit detection,
etc.
Educate & train employees on
check fraud prevention
Limit/reduce the number of
checks issued
How do you detect
altered checks?
Card Fraud
Common Types of Card Fraud
On purchasing cards (p-cards) or commercial cards
— Employee misuse
— Use of lost or stolen cards
• Fraudsters may “ping” an account with a small purchase to see if the transaction goes through before escalating the attack
— Counterfeit cards used online or at point of sale
When accepting card payments
— Counterfeit, lost, or stolen cards
• Used at point of sale (card present)
• Used online (card-not-present)
Methods to Mitigate P-Card Fraud
Establish policies & processes for P-card program
Monitor transaction activity
Use P-card program tools & controls offered
by the card issuer
— Set dollar limits
— Apply merchant category code (MCC)
restrictions
Educate & train employees
Methods to Mitigate Fraud on Cards
Accepted
Educate & train employees
— Establish a card acceptance policy & make sure employees are familiar with it & follow it
Be cautious about accepting international orders
Know your customers
Use automated tools such as security code verification or real-time decision
support
Get an authorization for the full amount of the sale
Inspect the card, verify data matches—e.g., account number to what’s on
terminal, card name that prints on the receipt to name embossed on the card
Consider upgrading POS card readers to accept EMV cards
What Is EMV?
EMV (Europay, MasterCard &
Visa) is a set of global
proprietary specifications for
credit & debit payment cards,
point-of-sale terminals & card
transaction processing networks
based on “smart chip” card
technology
EMV chip cards use an embedded microprocessor for payment transactions
Main Benefits of Chip Cards
Improved usability of U.S. cards in worldwide EMV markets
Reduced POS counterfeit fraud
Harder to skim data from EMV transactions
— Chips authenticate card readers & EMV cards to one another at POS, and
can detect tampering
Reduced fraud from foreign EMV cards used as mag stripe cards in
U.S.
But, based on what has happened for countries that have already
adopted, fraud rates for “card-not-present” transactions are expected
to rise in the U.S.
ACH Fraud that Affects Businesses
Unauthorized debits to accounts
— Your business’s account information is obtained & used to create unauthorized ACH
debits against your business bank account
Check positive pay rejects represented as ACH debits
Email scams—e.g., reverse phishing
— A fraudster impersonates one of your vendors
— Business receives email instructing a change to the payment account information
for your outgoing payments to that vendor
— Your accounts payable sends ACH credits to updated account without realizing it is
a fraud scheme
— Business email compromise schemes involving wire & ACH
Fraudulent claims of unauthorized debits
— Your customer claims they did not authorize payment via an ACH debit
Origination of fraudulent ACH items by an insider
Account takeovers that issue fraudulent ACH & Wire payments
Combating ACH Debit Fraud Losses
Establish & follow internal procedures & controls
— Reconcile accounts daily
— Notify your bank of any suspicious transactions
— Address exceptions & make timely returns
— Separate duties
— Use dual controls
— Secure your bank account information
— Limit access to sensitive online data & restrict access to computers used for
payment process
— Use strong passwords & change them often
Limit ACH debit activity to one or two accounts
Use fraud prevention services offered by your bank
— ACH blocks on all accounts where ACH debit activity will not be used
— ACH filters
— ACH positive pay or payee positive pay
— ACH debit alerts that notify you when ACH debits arrive
Combating ACH Credit & Wire Fraud
Implement best practices for online & IT data security, such as
— Adopt stronger form of authentication or added layers of security
— Dedicate a PC for ACH & wire origination
— Use logical & physical controls on payment processing
Use dual controls for payment origination & account set-up
— Verify against whitelists or directories
— Use out-of-band communication to verify significant transactions
— Be aware of sudden changes in business practices
— Implement proactive detection & monitoring
— Check with your bank on services—e.g., single item authorization, notice of new payee added,
transaction limits
Use files of known fraudulent recipients—e.g., blacklists
Require due diligence of 3rd party processors; do background checks before
hiring employees that will have access to sensitive data & payment processes
Update business continuity plans to include events such as DDOS & account
takeovers
Start thinking about changes needed for same-day ACH payments
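The controls listed on this slide (dual control, whitelist and blacklist checks, out-of-band verification of significant transactions, transaction limits) can be applied as a pre-release check on each outgoing ACH credit or wire. This is an added example, not part of the original presentation; the field names, thresholds, payee and account identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy values (assumptions, not taken from the presentation).
SIGNIFICANT_AMOUNT = 25_000.00           # call-back required at or above this
PER_ITEM_LIMIT = 250_000.00              # hard per-transaction limit
NEW_DETAILS_WINDOW = timedelta(days=30)  # bank details changed this recently


@dataclass
class Payee:
    name: str
    account: str               # bank account identifier held on file
    details_changed_on: date   # last time the bank details were changed


@dataclass
class PaymentRequest:
    payee_name: str
    account: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None
    verified_out_of_band: bool = False   # call-back made to a number on file


# Constructed sample data.
WHITELIST = {
    "Acme Supply": Payee("Acme Supply", "ACCT-0001", date(2015, 1, 10)),
}
BLACKLIST = {"ACCT-9999"}   # accounts of known fraudulent recipients


def review_payment(req, whitelist, blacklist, today):
    """Return (decision, reasons); decision is 'release', 'hold' or 'reject'."""
    reject, hold = [], []

    # Known fraudulent recipients and transaction limits are hard stops.
    if req.account in blacklist:
        reject.append("account is on the known-fraud list")
    if req.amount > PER_ITEM_LIMIT:
        reject.append("amount exceeds the transaction limit")

    # Whitelist check: the payee must exist and the account must match what is
    # on file. A mismatch is the pattern produced by a vendor-impersonation
    # e-mail that asks for payments to go to a new account.
    payee = whitelist.get(req.payee_name)
    mismatch = payee is not None and payee.account != req.account
    if payee is None:
        hold.append("payee is not on the whitelist")
    elif mismatch:
        hold.append("account differs from the details on file")

    # Dual control: one person alone cannot complete a transaction.
    if req.approved_by is None:
        hold.append("awaiting a second approver")
    elif req.approved_by == req.initiated_by:
        reject.append("initiator and approver are the same person")

    # Out-of-band verification for significant or unusual payments.
    recently_changed = (
        payee is not None
        and today - payee.details_changed_on <= NEW_DETAILS_WINDOW
    )
    unusual = payee is None or mismatch or recently_changed
    if (req.amount >= SIGNIFICANT_AMOUNT or unusual) and not req.verified_out_of_band:
        hold.append("needs call-back verification using contact details on file")

    if reject:
        return "reject", reject
    if hold:
        return "hold", hold
    return "release", []


if __name__ == "__main__":
    today = date(2016, 3, 16)
    changed_account = PaymentRequest(
        "Acme Supply", "ACCT-0042", 40_000.00, "alice", approved_by="bob"
    )
    print(review_payment(changed_account, WHITELIST, BLACKLIST, today))
```
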
Payments Security Practices
Ensure fraud prevention & detection is an organizational objective
— Complete a risk assessment, set policies, establish procedures, monitor compliance, & take action on exceptions
Leverage cost-effective tools & processes to address
vulnerabilities
— Talk to your banker about fraud monitoring services & tools they offer
Educate & train employees on fraud prevention
Payments Security Practices
Check accounts daily
Secure your bank account information, lock up paper documents, limit
access to sensitive online data
Use strong passwords & change them often
Monitor & measure fraud attempts & losses
Update defenses; best practices today may not be
best practices tomorrow
Payments Security Practices:
Online
Educate employees about security practices
Use dual control for origination of ACH files & wire
transfers—so that one person alone cannot complete
a transaction
Use multifactor authentication to access your online
banking—factors are something you have, something
you know & something you are
Dedicate a PC for online banking; don’t use it for other purposes
Keep anti-virus & malware detection software up-to-date; install
security apps on mobile devices
Payments Security Practices:
Online
Shut down your work PCs at night
Follow recommendations for strong passwords & change passwords frequently
Don’t open email attachments or click on links in emails from someone you don’t know or if the email seems suspicious
Be cautious about sharing personally identifiable information, especially on your website & social media—What information are you sharing with fraudsters?
Questions
Resources
Association for Financial Professionals www.afponline.org
The Remittance Coalition https://fedpaymentsimprovement.org/get-involved/remittance-coalition/
— Small Business Payments Toolkit https://fedpaymentsimprovement.org/wp-content/uploads/small-business-toolkit.pdf
— B2B Directory Concept Paper https://fedpaymentsimprovement.org/wp-content/uploads/remittance_coalition_b2b_directory_paper.pdf
Federal Reserve Bank of Minneapolis www.minneapolisfed.org & our Payments Information Resources https://www.minneapolisfed.org/about/what-we-do/payments-information
— 2014 Federal Reserve Payments Fraud Survey – Regional & Consolidated Results
— Industry & Government Information-Sharing Resources Related to Payments Fraud
— Payments Fraud Liability Matrix
Strategies for Improving the U.S. Payment System https://fedpaymentsimprovement.org/
Resources
Federal Reserve System 2013 Federal Reserve Payments Study
http://www.frbservices.org/communications/payment_system_research.html
EMV Migration Forum public educational website http://www.emv-connection.com
Multi-State Information Sharing & Analysis Center www.msisac.org
Financial Services Information Sharing and Analysis Center (FS ISAC)
http://www.fsisac.com/
— Securing Merchant Card Payment Systems from the Risks of Remote Access 7/7/2015
https://www.fsisac.com/sites/default/files/news/Alert%20--%20Securing%20Merchant%20Terminals%20Remote%20Access%20FINAL%207%20July%202015.pdf
— Business E-mail Compromise Continues to Swindle and Defraud U.S. Businesses
6/19/2015
http://www.fsisac.com/sites/default/files/news/BEC_Joint_Product_Final.pdf
Resources
Internet Crime Complaint Center (IC3) www.ic3.gov
— IC3 Alert, 1/22/2015 Business E-mail Compromise
http://www.ic3.gov/media/2015/150122.aspx
Talk to your banker
— Discuss tools, services & best practices for preventing payments fraud
Anti-Phishing Work Group (APWG) http://apwg.org/
— Phishing Activity Trends Reports http://apwg.org/resources/apwg-reports/
National Association of Credit Management www.nacm.org
Association for Certified Fraud Examiners www.acfe.com
Federal Financial Institutions Examination Council www.ffiec.gov
International Association of Financial Crimes Investigators www.iafci.org
National Automated Clearing House Association www.nacha.org
Appendix
[Chart: Unauthorized Transactions in the U.S. by Payment Method, Loss per $10,000 Spent; categories: All Transactions; All ACH Transactions (Debit, Credit); All Check Transactions; All Debit Card Transactions (Signature, card-present; Signature, card-not-present; PIN; ATM withdrawal); All Credit Card Transactions (Card-not-present, Card-present)]
Source: 2013 Federal Reserve Payments Study
Card Total Volume Is High & So Is Fraud Volume

| Payment type | Unauthorized Volume in U.S. (total 32.3 Million) | Transaction Volume in U.S. (total 119.7 Billion) |
| --- | --- | --- |
| ACH Credits | 0.5 | 8.8 |
| ACH Debits | 1.2 | 12.9 |
| Check | 0.9 | 18.3 |
| General Purpose Credit Cards | 13.7 | 23.8 |
| General Purpose Debit Cards | 16.1 | 55.9 |

Source: 2013 Federal Reserve Payments Study
Card Is Small in Total Value But Highest in Terms of Fraud Value

| Payment type | Transaction Value in U.S. (total $174.7 Trillion) | Unauthorized Value in U.S. (total $6.4 Billion) |
| --- | --- | --- |
| General Purpose Credit Cards | 2.2 | 2.3 |
| General Purpose Debit Cards | 2.6 | 1.8 |
| Check | 25.9 | 1.1 |
| ACH Debits | 66.7 | 0.8 |
| ACH Credits | 77.4 | 0.4 |

Source: 2013 Federal Reserve Payments Study
U.S. EMV Migration Key Dates
[Timeline: October 2012, April 2013, October 2013, April 2015, October 2015, October 2016, October 2017. Milestones shown:]
Visa PCI audit relief
Acquirers & processors required to support merchant acceptance of EMV transactions
3rd party ATM acquirer processors & sub-processors required to support EMV data
Card-present counterfeit liability takes effect excluding automated fuel dispensers (AFD)
ATM liability shift
Card-present counterfeit liability takes effect for automated fuel dispensers
MasterCard Account Data Compromise (ADC) relief (50%)
ADC relief (95% -100%)
ATM liability shift
Lost or stolen liability shift for AFD
Lost or stolen liability shift
Discover PCI audit relief
American Express PCI reporting relief
U.S. Card-Not-Present Fraud Expected to Rise after EMV
CNP fraud in other countries increased after EMV adoption
[Chart: CNP fraud by year, 2004 to 2013, in local currency; series: UK, France, Canada (credit only), Australia]
Sources: Financial Fraud Action UK, The Observatory for Payment Card Security, Canadian Bankers Association, Australian Payments Clearing Association. 2013 data cited in Digital Transactions, September 2014, page 34.
Fighting Card-Not-Present Fraud
One-Time Password (valid for only one transaction or online session)
Randomized PIN Pad (scrambles the key pad & captures XY coordinates)
Device Authentication (authenticates the device, not the cardholder)
Biometrics (iris, retina, hand, voice, fingerprint, etc.)
3D Secure (enables real-time cardholder authentication during an online transaction)
Tokenization (replaces personal account number with surrogate values)
Proprietary Data/Transactional Data (collecting, analyzing & scoring data to determine out-of-pattern activity against the customer’s history)
Validation Services (card security code, address verification)
Source: EMV Migration Forum, Card-Not-Present Fraud Working Committee, Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud, April 2015
Points of Interaction Are Potential Points of Compromise
Online: Phishing, Spear Phishing, Spoofing, Hacking, Social Engineering
Telephone: Smishing, Vishing, Impersonator Fraud, Social Engineering, Eavesdropping
Physical Hardware, Documents, & Mail: Device Tampering, Dumpster Diving, Theft, Employee Misuse
Payment Security Practices:
Telephones
Educate employees
Don’t disclose your online password or banking credentials over the
phone; your bank will not ask you for this information
Establish procedures to verify identity of caller, including call back
procedures using contact information you maintain
Don’t respond to automated voice messages from unknown or blocked
numbers
Be aware of your surroundings—can employees, customers, vendors, or
strangers overhear your conversation when sensitive information might
be discussed?
Payment Security Practices:
Telephones
For mobile devices:
— Don’t respond to text messages from unknown
or blocked numbers
— Treat your mobile phone like you would your computer; install anti-virus & malware detection software apps & keep them up-to-date; install a phone locator/remote erase app; use passwords to access device; don’t download anything unless you trust the source
— Don’t respond to unsolicited e-mails, texts, or phone calls requesting personal information
— Don’t click on links or attachments contained in unsolicited e-mails
— Prohibit use of personal devices for company business purposes
— Limit payment functions that can be performed via a mobile phone
— Don’t log into accounts & conduct any sensitive transactions, such as banking, while using public Wi-Fi; disable the “automatically connect to Wi-Fi” setting on your device
Payment Security Practices: Devices,
Documents, & Mail
Take steps to protect sensitive information that could
be used to perpetrate payments fraud
Know where sensitive information is stored, lock it up,
& limit access to those that need it
Only collect information that you need
Establish procedures to dispose of sensitive information
after it is no longer needed, such as subscribing to a records
destruction service or shredding documents
Don’t leave incoming or outgoing mail with sensitive information,
financial information, or checks in a location where anyone can steal it
Take security measures to protect & detect physical tampering of devices
such as a card reader