Fraud Management: Are You Really Protected?

Upload: vantiv

Post on 04-Jun-2018

  • 8/13/2019 Fraud Management: Are You Really Protected?

    Fraud Management: Are You Really Protected?

    October 12, 2011

    OmniShield™

    Copyright 2011 Vantiv, LLC. All rights reserved. Vantiv, the Vantiv logo and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. ® indicates USA registration.

    Executive Summary

    For years, cybercriminals' primary targets have been financial institutions. In recent years, U.S. financial institutions have received the brunt of their attacks as the European, Asian and Middle Eastern regions have adopted EMV technologies at a faster rate than the U.S. region. Recently, Visa announced plans to offer financial incentives to merchants and payment processors to accelerate chip and PIN technology adoption. MasterCard has increased its dialogue with larger financial institutions, sharing insights into its technology platform and helping issuers develop chip and PIN migration plans. Merchants and payment processors are adopting emerging technologies, such as end-to-end encryption and tokenization, to add an additional layer of security to transactions and card data. Yet, financial institutions have an ever-increasing need to actively protect and respond to their cardholders' inquiries. They are challenged to adequately invest in fraud prevention and detection technologies, hire the expert resources needed to manage resolution and chargeback management services, investigate card compromise events and interface with law enforcement agencies. In this light, financial institutions are electing to outsource these operational aspects of fraud management, along with some of the liability, to a service provider, enabling them to deliver a higher-quality service to their cardholders, help reduce their exposure to fraud, and ultimately allow them to treat fraud more like a fixed expense.

    Cybercrime Is Here to Stay

    For years, card networks, processors, issuers, merchants, legislators and law enforcement have been working hard to meet consumer demands for easier access to their funds and an almost unquenchable need and interest for more sophisticated electronic purchase and payment tools, while insisting on reliability, safety and security to ensure their identity and accounts are protected. While this consumer demand presents new opportunities for financial institutions to develop new banking and credit products and services, it is not without its cyber challenges.

    Cybercriminals are progressively sophisticated in their cyber attacks, and cyber crime is very lucrative. Carding refers to the unauthorized use of credit and debit card information to fraudulently purchase goods and services. Cybercriminals, often known as "carders", use online carding forums to facilitate the sale of stolen identity information, commonly referred to as "dumps" or "full infos". These card forums create a hierarchical organization of buyers, sellers and bosses, provide access to information about how to steal identity information, and the ability to purchase the necessary tools for hacking databases and stealing card data. The most valuable data contains full identity information including addresses, Social Security numbers, credit and debit card numbers with track 1, 2 and CVV2 values, credit history report, mother's maiden name and other personal identifying information. [1]

    [1] Data Breaches: What the Underground World of Carding Reveals. Kimberly Kiefer Peretti, U.S. Department of Justice, Computer Crime and Intellectual Property Section, Forthcoming in Volume 25 of the Santa Clara Computer and High Technology Journal, 2008.

    The common methods that carders use to steal information include skimming (card swipe), phishing (emails), vishing (land line phone calls), smishing (cell phone SMS/texting), and pharming (redirecting web visitors to fake websites). They use these strategies to execute directed attacks against individuals, ATM operators and data processing companies. In recent years, they have diversified their operations to random attacks against specific high-volume companies using botnets, SQL injections, authentication bypass and vulnerability scans; and now include softer targets such as data in transit and a computer's running memory.

    A recent Symantec research study revealed that the most frequently advertised item observed on underground economy servers were bank account credentials (which consist of account numbers and authentication information) and the value of credit or debit cardholder information, which can easily be sold for as much as $25 per record. [2]

    In 2010, Symantec reported a 93% increase in web attacks from 2009, tracking 6,253 new vulnerabilities in 2010, more than in any previous year since starting their report. Their analysis indicates that data breaches caused by hacking resulted in an average of over 260,000 identities exposed per breach, far more than any other source. [3]

    U.S. Financial Institutions Remain the Primary Target

    While global debit card fraud has remained relatively consistent over the last three years, increasing only slightly from 2.9 basis points (bps) in the first quarter of 2008 to 3.3 bps in the fourth quarter of 2010, the regional focus of the cybercriminals has changed.

    In 2010, the U.S. region was the bearer of the most significant fraud increases, moving from 5.6 bps in 2010 to 6.4 bps in 2011. [4] In 4Q 2010 alone, U.S. financial institutions incurred 73% of global issuing fraud. [5]

    Counterfeit and Card-Not-Present are the Fastest Growing

    The fastest-growing card fraud types in the U.S. region continue to be counterfeit and card-not-present (mail, phone and internet). [6] Cybercriminals continuously target merchant systems that are not adequately secured, knowing that they can operate remotely with limited risk of capture by law enforcement agencies. They favor card-not-present and counterfeit card schemes.

    According to MasterCard Worldwide, in the fourth quarter of 2010, 79% of total global fraud was associated with card-not-present and counterfeit fraud. This was an increase of 14% as compared with the fourth quarter of 2009. [7] Then in 1Q 2010, the U.S. experienced a counterfeit fraud increase of 16% and card-not-present fraud increase of 11%. [8]

    The financial sector remains the most heavily targeted by phishing attacks, accounting for 74% of the brands used in phishing campaigns.

    [2] Symantec Corp., Report on the Underground Economy, November 2008.
    [3] Symantec Corp., Internet Security Threat Report, Vol. 16.
    [4] MasterCard Worldwide, Data Source: SAFE & QMR, September 2011.
    [5] MasterCard Worldwide, Data Source: SAFE & QMR, April 2011.
    [6] 2010 LexisNexis True Cost of Fraud Study.
    [7] MasterCard Worldwide, Data Source: SAFE & QMR, April 2011.
    [8] MasterCard Worldwide, Data Source: SAFE & QMR, April 2011.

    When these figures are overlaid with MasterCard's evidence that a compromised account is two to three times more likely to incur fraud in a six to 12-month period after the breach [9], the impact of a card-compromise event on a financial institution and its cardholders could be catastrophic. They have potential to impact millions of account holders and cost billions of dollars each year.

    Insights into Actual Fraud Losses are Incomplete

    So, how extensive is the loss associated with card fraud? On an industry-wide scale, financial institutions typically reported mean fraud losses of 2% to 3% of total payment card volume, suggesting that they could be absorbing $5 billion to $11 billion in total fraud losses associated with resolving unauthorized retail transactions. [10]

    Yet, many financial institutions find that they really don't have a comprehensive view of their own total fraud losses and can't effectively answer this question. This is because fraud losses are often consolidated to a single general ledger account, preventing specific insight about card compromise-related losses.

    In addition, most fraud-related reporting is manual and labor-intensive, naturally lending itself to errors and omissions. In some cases, network reporting is intentionally incomplete to minimize the negative brand perception associated with fraud. In many cases, institutions are not able to accurately measure, ultimately making it difficult to appropriately and accurately budget for fraud management activities and loss reserve allocations. There is always the risk that the next card compromise could be the event that changes your revenues.

    Protecting Payments by Adopting Card and PIN Technology

    Many law enforcement and industry experts have made arguments that the U.S. has become the prime target for cybercriminals because other countries are aggressively adopting chip and PIN technologies as a way to fight fraud and the U.S. region is not, making it the easiest processing environment to breach. But rolling out chip and PIN technology in the U.S. is expensive and impacts all parties involved in a transaction: consumer, merchant, issuer and payment processor. Most analysts agree that it will require a collaborative effort and financial incentives to offset the technology investment and PCI DSS compliance costs.

    Financial institutions are absorbing $5 billion to $11 billion in total fraud losses.

    [9] MasterCard Worldwide, Data Source: SAFE & QMR, April 2011.
    [10] LexisNexis

    With this goal in mind, Visa and MasterCard continue their efforts toward industry adoption. In August 2011 Visa announced plans to accelerate the migration to contact chip and contactless EMV chip technology in the U.S., offering incentives to merchants to upgrade to EMV chip-enabled terminals; indicated they may reduce certain compliance obligations if a merchant complied with certain EMV standards; issued requirements for acquirer processors to support chip acceptance; and introduced new U.S. liability shift policies for domestic and cross-border counterfeit transactions. [11]

    In April 2010, Aite Group analyst Julie McNelley conducted a survey of attendees at the MasterCard Academy of Risk Management (ARM) conference, which indicates that EMV is gaining momentum as a way to address the card security problem. The survey discovered that while malware is their number one concern, most of them expect that EMV will be the preferred response. In the words of the Aite executive summary, card industry executives no longer believe that EMV in the United States is a matter of if, but a matter of when. Risk management executives are also bullish on the prospect of near field communications (NFC) making inroads within the next few years. [12]

    In June 2010, MasterCard Worldwide hosted a MasterCard EMV M/Chip Payment Solutions Symposium. The symposium presented the strategic rationale for migrating to MasterCard's globally established M/Chip technology. The agenda focused on the EMV architecture, MasterCard's M/Chip program and solution set, establishing migration objectives and an implementation from both the acquirer and issuer perspectives. [13]

    Financial Institutions Struggle to Mitigate Fraud

    As the momentum to deploy EMV technology in the U.S. region continues, technology companies are developing, and processors are deploying, merchant-oriented technologies such as end-to-end encryption and tokenization to help protect card data. These emerging technologies focus on securing and replacing the card number in various stages of processing: at the POS when the card is swiped, while in the network in transit to the processor, and post authorization in storage databases.

    While these technologies are necessary, financial institutions are still left with the need to protect your cardholders and your institution. The primary investment areas in which you should be focusing your investment dollars include:

    1. Prevention: using technology and processes to prevent fraudulent transactions before they occur

    2. Detection: using technology to identify suspicious or high-risk transactions

    3. Resolution: working with cardholders and networks to reduce losses

    4. Investigation: working with law enforcement to identify and prosecute cybercriminals [14]

    [11] Visa Bulletin, August 2011. http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf
    [12] MasterCard, Is the U.S. Finally Ready for EMV? Theodore Iacobuzio, July 21, 2011. http://newsroom.mastercard.com/2011/07/21/is-the-u-s-finally-ready-for-emv/
    [13] MasterCard Press Release, MasterCard Supports Customers' Migration to Chip-Based Payment Solutions in the UAE, June 28, 2010. http://newsroom.mastercard.com/press-releases/mastercard-supports-customers-migration-to-chip-based-payment-solutions-in-the-uae/
    [14] 2010 LexisNexis True Cost of Fraud Study

    [Figure labels: Prevention, Detection, Investigation, Resolution]

    Prevention and Detection Activities: Hire Experts Who Know the Signs

    Prevention and Detection activities go hand in hand. Prevention activities are focused on using technology and processes to help prevent fraudulent transactions before they occur. There are many strategies that you can follow to proactively fight fraud, including:

    - Require card activation
    - Actively manage your card limits
    - Set prudent expiration dates
    - Implement smart authorization parameters
    - Validate track data in the authorization process
    - Educate your cardholders

    Detection activities are focused on using technology to identify suspicious or high-risk transactions. Again, financial institutions can take an active role to protect their cardholders by following these strategies:

    - Monitor new fraud trends
    - Review authorizations and verify suspicious transactions
    - Review CAN/CAM network alerts
    - Implement a 24/7 Lost/Stolen service
    - Identify common points of compromise
    - Follow issuing networks' report guidelines

    These activities require a significant and recurring investment in technology, and highly trained experts in fraud identification, or even cyber security.

    While you may recognize the need to invest significant resources to prevent and detect fraud, budgetary and resource challenges limit your ability to do so. You may be unsure how to determine the right amount of money to spend on technology and maintenance, where to find and hire the right experts and how to determine the best allocation of staff to assign to the effort.

    As a result, a single person or team may take on this area of responsibility, in addition to their primary job responsibilities. They may have:

    - Limited time to spend on fraud-related activities
    - Little to no insight into fraud activities
    - No one to back them up while they are out of the office
    - No opportunity for specialized training
    - Limited access to key law enforcement officials, network and industry experts

    This leaves your portfolio vulnerable at critical times and puts you at a severe disadvantage to defend against sophisticated cyber attacks.

    Manage Your Cardholders' Security Perceptions with Effective Chargeback Processes

    Once fraud occurs, your cardholder chargeback programs take over. It is well-known that cardholders are very sensitive to card fraud and reissue experiences. In fact, consumers cited credit and debit card fraud as their number one fear in the midst of the global financial crisis. [15]

    Your cardholders expect you to do everything you can to ensure the safety of their money. When they call you to ask for help or file a complaint that results in a chargeback, they expect you to put their funds back in their account immediately, and they expect their card to be reissued as quickly as possible without impacting their ability to make purchases.

    A negative experience with this process could change their perception of your institution and cause them to close their accounts. According to the 2010 LexisNexis True Cost of Fraud Study, data showed that 18% of consumer fraud victims leave their issuer after becoming fraud victims. [16]

    As consumers have multiple payment type choices, they are inclined to select what they perceive as the most secure option, making it critical for you to have efficient and transparent customer service processes and to make it easy for them to understand how you are protecting them.

    Zero-liability programs, 24/7 fraud-reporting services, next-day replacement of cards and fraud protection services are common service offerings designed to offer peace of mind to cardholders and support the feeling of security.

    Create Dedicated Fraud Resolution Teams

    Many institutions, however, still find that they are not able to dedicate a team of people or invest in tools to support the recovery efforts. The resources assigned to these efforts may not have the necessary chargeback training and aren't familiar with changing guidelines and regulations. They struggle to effectively manage these dynamic environments because they don't have processes that continuously address network rules, track important deadlines and automate customer notification and reporting tasks.

    Prioritize Network Chargebacks

    Just as it is important for you to have timely processes in place to service your cardholders, it is critical for you to prioritize and complete the chargeback process quickly so you can recover your funds. A 2010 LexisNexis True Cost of Fraud Study found that many financial institutions are making cost benefit decisions about whether or not to submit the chargeback request or simply absorb the cost of claim. The reality is that the actual cost for managing and reclaiming funds can exceed the value of the claim.

    Managing Card Compromise Events

    Leveraging scalability, specialized technologies and expertise becomes even more critical to you when a large card compromise event occurs. When the issuing networks release lists of potentially compromised cards, it is critical that you quickly evaluate the severity of the compromise, the breadth of impact on your portfolio and the potential fraud loss for your cardholders so you can execute the best response strategy.

    [15] Unisys Security Index, United States, March 2009.
    [16] 2010 LexisNexis True Cost of Fraud Study, Research Provided by Javelin Strategy & Research, p. 20.

    Unfortunately, many financial institutions have no guidelines or practices in place to objectively and consistently assess the severity of the event, and, as a result, often take no action to protect their cardholders. They erroneously believe that the negative brand perception of a card reissue will do more harm than the current fraud potential.

    This is a big risk, increased by a lack of processes. Unless you can continuously monitor the number of times individual cards are listed on compromise reports, understand historical and real-time purchase history and incorporate other macro-level variables, you may be blind to the ongoing impact of the compromise on your portfolio. Without the right visibility and strong fraud management guidelines, this strategy could compound fraud losses, deplete fraud reserves and potentially impact the execution of other strategic business initiatives.

    Create Impact Card Compromise Response Plan

    To effectively manage a card compromise event, you should prepare a Card Compromise Response Plan that includes the mobilization of an internal task force. The task force should be responsible for:

    - Initiating and overseeing impact-assessment activities
    - Recommending cardholder notification and reissue strategies
    - Executing the response strategies
    - Interfacing with law enforcement agencies
    - Conducting post-mortem impact analysis studies

    Investigation

    Your fraud management activities aren't limited to returning your cardholders' funds, reissuing their cards or resolving a chargeback request. Most states have laws that mandate breach reporting to local law enforcement, U.S. Secret Service agencies and consumer reporting agencies and require consumer notification. Once reported, you will need to support investigative activities to preserve critical evidence, assist undercover investigations and support prosecution efforts.

    Although critically important, these activities require a lot of time and attention.

    Mobilize the Card Compromise Task Force

    When compromise events happen, time is of the essence, and your Card Compromise Task Force should be mobilized quickly. The team can evaluate the impact the event could have on your cardholders and institution, make reissue decisions and interface with the necessary law enforcement and network resources.

    You Still Own the Risk

    As financial institutions continue to face increasing demands for high levels of investment in fraud management technologies, analytics and expert resources, there may not be a tangible return on investment to justify the expense. Experts are scarce, and technology is expensive.

    Even if you do make substantial investments, you still may not have a clear understanding of how you have reduced fraud occurrences or improved customer service. You continue to run the risk of fluctuating losses. There is the potential for underestimating annual fraud loss requirements, and you own all of the financial liability. Ultimately, your ability to invest in revenue-generating programs and new banking services may be impacted.

    Selecting the Best Fraud Management Solutions

    There are alternatives to building and managing fraud prevention programs internally.

    Outsourcing prevention, detection, chargeback and investigative services could allow you to enhance your customer service levels, budget fraud as more of a fixed cost, hand off the day-to-day management activities, and shift some of the financial liability to the experts.

    [17] Subject to certain terms, conditions, exclusions and limitations as outlined in a written agreement between Vantiv and your institution for the OmniShield services. The amount of financial protection is based on a historical assessment of your portfolio and is defined prior to starting the service.

    * Financial institution is liable for fraud that exceeds the maximum annual limit covered by the OmniShield product.

    OmniShield™: A Suite of Fraud Management Solutions with Financial Protection

    Vantiv is intimately familiar with these challenges and, for years, we have been developing fraud prevention, detection and resolution solutions, all of which are founded on our extensive industry experience, technology investment and law enforcement relationships.

    Our customers have protected themselves and their cardholders with our real-time decisioning and proactive fraud detection services, enhanced chargeback services, analytical tools and fraud reporting services.

    Still, the primary responsibility for training and support, customer service and financial liability of fraud losses used to remain your responsibility.

    Now, Vantiv is offering OmniShield, a fully outsourced fraud management solution that shifts the technology investment, staffing and resource development, chargeback and card compromise event management to us while providing your institution with financial protection. [17]

    With OmniShield, you can treat fraud more like a fixed business expense while we do the work for you:

    - Manage fraud protection, detection and investigation activities
    - Automate resolution and chargeback processes
    - Oversee card compromise events and make card reissue recommendations
    - Manage network reporting
    - Create better accounting

    "Vantiv is vigilant in finding new ways to anticipate our customers' needs, and we are committed to doing the job right down to the very last detail," said Royal Cole, President, Financial Institution Services at Vantiv. "Coupled with our focus on customer service, we can ensure that Vantiv is the whole package."

    We keep up with the latest technology: We consistently update it, and we are good at managing it. We have access to your cardholder data, and we have all the expertise and experience necessary to protect your cardholders and your institution. It's our core business to be experts and to protect your customers. Now, you can concentrate on your business while we concentrate on staying ahead of the cybercriminals.

    Learn more about how you can protect your cardholders and your institution with OmniShield. Visit our website at www.vantiv.com/OmniShield and download the OmniShield product paper; or contact your relationship manager today.

    "With OmniShield, I can finally budget fraud as a fixed cost. I don't have to estimate a loss reserve for the year and hope I don't exceed it. It is a relief to hand over the day-to-day operations to Vantiv and watch from the sidelines." *

    ~Gary Edelen, SVP, Jefferson County Federal Credit Union

    Certain restrictions and limitations of the limited warranty apply. Coverage for unauthorized transactions occurring outside of the OmniShield limited warranty are covered under a contractual indemnity insurance policy provided and underwritten by Beazley Syndicate 2623/623 at Lloyd's and offered through Marsh USA Inc., acting as insurance producer (Ohio License #24035; California License #0437153). Coverage is available to those OmniShield customers receiving all of the OmniShield Services, subject to the terms, conditions, exclusions and limitations of coverage of the policy. Coverage under a state insurance guaranty association fund is not available for this policy. OmniShield customers will be required to execute a special amendment to their Master Data Processing/Services Agreement.
