Darren Muise Head of Commercial Partnerships State and Local Government Fraud Awareness and Prevention


Post on 23-Dec-2015


Darren Muise
Head of Commercial Partnerships
State and Local Government

Fraud Awareness and Prevention


Roles and Responsibilities

Issuer
• Issue cards
• Assume credit risk
• Fraud monitoring
• Risk mitigation
• Provide EAS
• Provide customer service
• Provide custom products and enhancements

Visa
• Sets standards and rules
• Provides systems/operations
• Move money and data
• Provides risk management
• Balance the needs of Issuers, Acquirers, Merchants, Cardholders and Businesses
• Provide expert service/support to Issuers, Acquirers, Merchants, Cardholders and Businesses

Acquirers
• Process transactions
• Underwrite supplier risk
• Generate reports
• Provide customer service
• Differentiate service with custom products and enhancements
• Assess processing fees to suppliers

Visa Inc Fraud and Misuse 2011

Payment System Risk

• PROTECT: Protecting vulnerable account data
• RESPOND: Monitor and manage events that occur
• PREVENT: Minimize fraud in the payment system

Trust and Partnership

Maintaining and enhancing stakeholder trust in Visa as the most secure way to pay and be paid


Multi-Layered Strategy

To address security concerns we need to align rules, strategies, programs, initiatives and solutions

Laws and Regulations

Industry Standards

Visa Rules and Regulations

Visa Programs and Solutions

Risk Information and Benchmarking

PROTECT

RESPOND

Trust and Partnership

PREVENT

Education, Awareness and Best Practices


Fraud, Abuse, & Misuse: Definitions

• Fraud – The theft of card information by fraudsters

• Abuse – Intentionally or unintentionally violating policies and procedures for personal gain

• Misuse – Intentionally or unintentionally violating policies and procedures for work-related gain

• Account takeover (information change)

• Mail thefts

• Counterfeit cards

• Lost/Stolen cards

• Mail order/telephone order

• Skimming

• Database Hacking

• Franchise Software Hacking

• Sniffing

• Phishing


Reported “Loss” to Organizations

• The differences in card misuse between the Corporate and Government and Not-for-Profit segments. Overall, losses due to fraud and misrepresentation as a percentage of purchasing card spending are higher in the Corporate or private sector

A summary of loss experienced by the card-using organizations related to misrepresentation and internal and external fraud. The median dollar loss per incident and the total loss to the organization as a percent of total purchasing card spending for each category of misuse are consistent with the overall study findings

Source: Purchasing Card Benchmark Survey Report, R. Palmer and M. Gupta, RPMG Research, 2010


Perception of Risk

• In comparison to other payment methods, purchasing card spending at my organization is associated with a _%_ likelihood of fraudulent/misrepresented spending

In comparison to other payment methods, 84% and 76% of respondents believe that purchasing card spending is associated with a similar or lower likelihood of fraudulent or misrepresented spending, respectively

Source: Purchasing Card Benchmark Survey Report, R. Palmer and M. Gupta, RPMG Research, 2010

Chart: perceived likelihood relative to other payment methods (Fraudulent Spending / Misrepresented Spending)

• Significantly Higher: 16% / 24%

• Similar: 54% / 49%

• Significantly Lower: 30% / 27%


Loss Due to Policy Violations

• The loss associated with purchase card policy violations remains relatively insignificant, accounting for .006% of purchasing card spending – which is the equivalent of $60 of policy violations for every $1 million of purchasing card spending

Source: Purchasing Card Benchmark Survey Report, R. Palmer and M. Gupta, RPMG Research, 2010


Fraud, Abuse, & Misuse: Prevention & Detection

Strategies for success:

• Program management

• Metrics

• Internal controls

• Reconciliation

• Audits

• Training and communication

Program Management:

• Data Mining
– Business rules

• Statistical Sampling
– Statistically-valid sampling plans

• Machine Learning Tools
– Neural networks
– Smart algorithms


Reported Top Fraud Risks

External Data Compromises:

• Data breach that occurs at a merchant, merchant processor, or other 3rd party processor

• Compromises increased 35% in 2009; similar trends expected in 2010

• A single event in 2009 impacted 130 million debit and credit accounts

Phishing Emails/Telephone Calls:

• Fraudster has limited data and uses email or telephone to solicit the remaining data needed to commit the attack

• Attacks increased 25% in 2010 across the industry

• Newest trend is spearphishing, which targets the same organization with mass emails or telephone calls

Client Internal Fraud:

• Many clients have limited internal audits to identify internal fraud attempts

• Fraud increased 15% across the industry for clients in 2010


And An Old Favorite – “The Handheld Skimmer”

• This device can capture over 2500 credit card account numbers, expiration dates and CVV codes in the palm of your hand.

• The unit can operate continuously for 40 hours on a single 3V battery (6000 swipes).

• Skimmed data can be downloaded to any PC with software provided.

• At a moment’s notice, or the moment of arrest, the contents can be deleted with the press of a button to avoid prosecution.

• Cost = $500


ATM Skimmers

• False fronts on ATM terminals with built-in magnetic stripe readers.

• Hidden camera captures PIN and transmits the information to a nearby crook

• Increasingly common


Sniffing Devices

• Sniffing devices installed in ATMs or other Point of Sale devices allow fraudsters to compromise a Debit card PIN. In this example, the PIN and magnetic stripe information are captured before encryption.

• Recent cases have Bluetooth transmission to remote receiver.


Card Industry Best Practices

Internal Audit Process

• Audits should be scheduled, random, and unannounced

• Audit representative samples - within 60-90 days

• Review span of control

• Focus resources on areas of weakness or opportunity

• Combine filter development and automation of monthly review process
– Streamlines review and audit process
– Eliminates the need for 100% transaction review
– Documents the review process
– Ensures timely review of transactions within the span of control
– Improves the recovery potential

• Improve communication of audit findings to card program participants

• Develop a sampling audit strategy for current cycle transactions

• Audit the first statement cycle following cardholder training or change in process

• Audit high-risk transactions monthly
– Cardholders with the highest number of transactions
– Cardholders with the highest dollar amount spent
– Employees with multiple disputes
– Purchases charged to clients

• Increase frequency for those cardholders with exceptions

• Audit representative samples - within 60-90 days new account

Sample Metrics

• Vendors
– Number of vendors utilized
– Transactions per vendor
– Transactions between a cardholder and same vendor

• Reconciliation
– # and $ of transactions between a cardholder and same vendor
– Review items not submitted or duplicate expense reports for same transaction
– Accountable property transactions logged
– Transactions from approved suppliers
– Transactions reconciled using default funding
– Split purchase occurrences to avoid dollar thresholds
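Two of the sample metrics above, "# and $ of transactions between a cardholder and same vendor" and "split purchase occurrences to avoid dollar thresholds", can be computed as data-mining business rules over a transaction export. The sketch below is an added example, not part of the original presentation; the tuple layout, the $2,500 single-purchase limit, the two-day window and the sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

SINGLE_PURCHASE_LIMIT = 2500.00   # assumed per-transaction dollar threshold
WINDOW = timedelta(days=2)        # assumed window for grouping related charges

# Constructed sample transactions: (cardholder, vendor, date, amount)
SAMPLE = [
    ("ch-101", "Acme Office Supply", date(2011, 3, 1), 1800.00),
    ("ch-101", "Acme Office Supply", date(2011, 3, 1), 1450.00),
    ("ch-101", "Acme Office Supply", date(2011, 3, 20), 300.00),
    ("ch-102", "Acme Office Supply", date(2011, 3, 1), 2400.00),
    ("ch-103", "Metro Hardware", date(2011, 3, 7), 1300.00),
    ("ch-103", "Metro Hardware", date(2011, 3, 8), 1250.00),
    ("ch-103", "Metro Hardware", date(2011, 3, 9), 400.00),
    ("ch-104", "Metro Hardware", date(2011, 3, 9), 2600.00),
]

def pair_metrics(txns):
    """Count and dollar total of transactions per (cardholder, vendor) pair."""
    totals = defaultdict(lambda: [0, 0.0])
    for holder, vendor, _day, amount in txns:
        totals[(holder, vendor)][0] += 1
        totals[(holder, vendor)][1] += amount
    return {pair: (n, round(total, 2)) for pair, (n, total) in totals.items()}

def split_purchase_candidates(txns, limit=SINGLE_PURCHASE_LIMIT, window=WINDOW):
    """Flag under-limit charges to one vendor that together exceed the limit."""
    by_pair = defaultdict(list)
    for holder, vendor, day, amount in txns:
        if amount <= limit:        # an over-limit charge is a separate exception
            by_pair[(holder, vendor)].append((day, amount))
    findings = []
    for pair, items in sorted(by_pair.items()):
        items.sort()
        start, running = 0, 0.0
        for end, (day, amount) in enumerate(items):
            running += amount
            while day - items[start][0] > window:   # drop charges outside the window
                running -= items[start][1]
                start += 1
            if end > start and running > limit:
                findings.append((pair, items[start][0], day, round(running, 2)))
                break              # one finding per pair is enough to queue a review
    return findings
```

A flagged pair is a candidate for audit review rather than proof of a policy violation; legitimate repeat orders to one vendor will also match.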


Card Industry Best Practices

Program Administrator

• Ensure cardholder statement reconciliation is performed in a timely manner

• Monitor declined authorizations for signs of merchant and/or employee abuse

• Manage credit limits based on individual cardholder spending needs

• Consider MCC (Merchant Category Codes) restrictions and $ thresholds to prevent internal and fraud abuse

• Complete internal audits of transaction monitoring at MCC and cardholder levels

• Provide your issuing bank with after-hours contacts or cell phone telephone numbers and emails for prompt contact to detect and prevent fraud

• Partner with fraud team on future or current authorization needs to ensure control with least amount of cardholder impact

Cardholder

• Report non-received cards to your issuing bank immediately

• Examine cards received for evidence of tampering during transit

• Do not provide your individual account number to a merchant to keep on file unless approved by company

• Contact Fraud team prior to international trips and provide alternate contact phone number as needed

Client Controls

• Create guidelines for card issuance and handling
– Determine who should be eligible to apply for a card
– Determine approval levels required
– Segregate duties of ordering and receiving of cards

• Create internal procedures
– Requirements for obtaining a card
– Administrative / Management
– Usage / Purchasing
– Accounts Payable / Accounting
– Reconciliation
– Audit

• Create policies or business rules
– Business versus personal use
– Cash access
– Card sharing
– Ghost cards
– Roles and responsibilities
– Training
– Audit exceptions


Questions?
