Securing Mobile Payments: Applying Lessons Learned in the Real World


  1. CA World ’16: Securing Mobile Payments: Applying Lessons Learned in the Real World. James Rendell, VP Payment Security Strategy, CA Technologies. Session SCX34S, Security track.
  2. © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
     For Informational Purposes Only: Terms of this Presentation. © 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2016 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary. Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 1, 2016, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
  3. For Informational Purposes Only: Terms of this Presentation. © 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
  4. Abstract. Mobile is the new black—the way people work, shop and connect. Taking a cue from the payment point of view, this session presents best practices for securing mobile payments and how these practices are relevant across the enterprise. Speaker: James Rendell, CA Technologies, VP Payment Security Strategy.
  5. Agenda
     1. Introduction: Securing Mobile Payments
     2. Mobile Authentication
     3. Risk Analytics Real-Time Network
     4. NFC Mobile Wallet Provisioning
     5. Securing Mobile In-App Purchases
     6. Summary
  6. CA Strategy for Secure Mobile Payments: Mobile Push Notification. The strategy diagram places four pillars under Secure Mobile Payment: Mobile Authentication, In-App purchase, Mobile wallet and Real-Time Risk. This slide highlights Mobile Authentication through Mobile Push Notification:
     • Multi-factor authentication
     • Push Notification and disconnected OTP options
     • Complies with emerging mandates, e.g. PSD2, MasterCard Identity Check
     • Biometric authentication options
  7. Mobile Authentication: Mobile Push Notification
     • Mobile device as virtual identity
     • Out-of-Band Authentication
     • Transaction in-flight Push Notification on mobile
     • Fingerprint Authentication on Apple devices
       – Roadmap will incorporate Android and other devices with similar capabilities
  8. Deployment Options: Mobile OTP*
     • Passcode generation on the mobile device
     • Offline OTP generation
     • Supports multiple cards on a single app
     • Available in both OATH and EMV modes
     *Planned service availability for Payment Security during 2017
  9. Feature Highlights
     • Out-of-Band Authentication for 3-D Secure 2.0
     • Easy-to-use Over-the-Air provisioning for cardholders
     • Based on the industry-standard EMV algorithm (CAP certified and DPA compliant)
     • Credentials are software-locked to the provisioned device
     • Strong protection against SIM swap
     • Cryptographic Camouflage technology prevents brute-force attack
     • Fine-grained authentication controls using CA Risk Analytics
     • Suitable for enterprise and consumer digital channels
  10. Multiple Provisioning Options
     • During the 3-D Secure transaction flow
     • Via the online banking channel
       – Online banking provides an option to enroll in Mobile Authentication by integrating with our exposed web service
     • Via the issuer mobile app
       – Using an “Add Account” option from within the issuer mobile app
     • Via APIs for enterprise system integration
  11. OmniChannel Enabler: Enterprise and Consumer (diagram)
     Business functions: Online servicing; Payments (3-D Secure); Enterprise application.
     Channels: Mobile browser, Traditional browser, In-store tablet, Telephone / IVR, Wearables, CNP, Apple Pay, Android Pay, Google Wallet.
     Core (CA Strong Authentication): risk evaluation and scoring (Rules, Machine learning, Statistical, Behavioral); authentication methods: 3-D Secure, Biometric, Device ID, MFA, Notification; Case Management / Reporting.
  12. CA Strategy for Secure Mobile Payments: Risk Analytics Real-Time Network (the Real-Time Risk pillar)
     • Device identity is a key fraud indicator
     • Leverage global device identity / reputation
     • Real-time model updates
  13. Risk Analytics Real-Time Network
     1. The predictive model learns bank-specific cardholder behavior and fraud patterns.
     2. Devices may be used across banks, hence complementary Device Distillates are incorporated in the Risk Analytics Network model.
     3. Device Distillates are updated in real time as transactions are processed.
     4. The score will be higher when devices previously associated with probable fraud are used.
     Diagram: Bank 1, Bank 2 and Bank 3 each feed real-time updates into the shared network model.
  14. Risk Analytics Real-Time Network Explained: Fraud Not Detected by the Current Risk Analytics Model
     Card pivot, CARD1 (columns: Date/Time of Transaction, Merchant Name, Transaction Value, Device ID, RA Model Score, outcome):
       20130411:14:48:03  BSYKB        12.5 GBP   DEVICE1   53   Non Fraud
       20130502:12:01:45  HUNGRYHOUSE  20.7 GBP   DEVICE1   88   Non Fraud
       20130508:10:03:12  GOAL         8.0 GBP    DEVICE2   405  Fraud
       20130527:19:09:36  TRADE MEDIA  47.38 GBP  DEVICE3   510  Fraud
     • There are 4 transactions on CARD1, two legitimate and two fraudulent
     • Current Risk Analytics Model scoring is not high enough to detect the two fraudulent transactions: risk scores below 600 are not deemed fraud
     • The model lacks visibility into historical transactions across a given device
  15. Risk Analytics Real-Time Network Explained: Improved Fraud Detection by the Risk Analytics Network Model
     Card pivot, CARD1 (RA Network Model Score):
       20130411:14:48:03  BSYKB        12.5 GBP   DEVICE1   62   Non Fraud
       20130502:12:01:45  HUNGRYHOUSE  20.7 GBP   DEVICE1   114  Non Fraud
       20130508:10:03:12  GOAL         8.0 GBP    DEVICE2   992  Fraud
       20130527:19:09:36  TRADE MEDIA  47.38 GBP  DEVICE3   960  Fraud
     Device pivot, DEVICE2 (other cards seen on the same device):
       20130508:09:48:16  GOAL  8.0 GBP  CARD2  237
       20130508:09:49:36  GOAL  8.0 GBP  CARD3  610
       20130508:09:56:39  GOAL  8.0 GBP  CARD4  997
       20130508:10:37:43  GOAL  8.0 GBP  CARD5  976
       20130508:10:49:01  GOAL  8.0 GBP  CARD6  994
     Device pivot, DEVICE3:
       20130527:15:57:24  TRADE MEDIA  47.38 GBP  CARD5  142
       20130527:16:46:40  TRADE MEDIA  47.38 GBP  CARD7  801
       20130527:19:06:05  TRADE MEDIA  47.38 GBP  CARD8  942
       20130527:19:24:13  TRADE MEDIA  47.38 GBP  CARD4  978
     • New device pivots (i.e. DEVICE2 and DEVICE3) are included in the Risk Analytics Network model.
     • This allows the historical transactions by device to be considered in evaluation scoring as well.
     • The result is that the new model scores high on the two fraudulent transactions on CARD1, stopping the fraud.
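The device-pivot reasoning of slides 13 to 15, worked as an added Python example (not code from the deck or from CA): the slides' transactions are scored in time order, each device keeps a running distillate (distinct cards seen, prior high-risk transactions) that is updated after every transaction, and the bank's card-pivot score is boosted when other cards have already used the device. The boost formula and the use of the device-pivot rows' listed scores as their base scores are assumptions made for illustration.

```python
from collections import defaultdict

FRAUD_THRESHOLD = 600  # slide 14: a score below 600 is not deemed fraud


class DeviceNetwork:
    # Per-device "distillate" shared across banks (hypothetical formula).
    def __init__(self):
        self.cards = defaultdict(set)      # device -> distinct cards seen on it
        self.total = defaultdict(int)      # device -> prior transactions
        self.high_risk = defaultdict(int)  # device -> prior txns scored >= 600

    def score(self, card, device, base_score):
        # Card-pivot score from the bank's own model, boosted by the device pivot.
        other_cards = len(self.cards[device] - {card})
        if other_cards == 0:  # only this card has used the device: no boost
            return base_score
        risky_share = self.high_risk[device] / self.total[device]
        boost = int(300 * risky_share + 100 * min(other_cards, 3))
        return min(999, base_score + boost)

    def update(self, card, device, network_score):
        # Real-time update: the distillate changes as each transaction is scored.
        self.cards[device].add(card)
        self.total[device] += 1
        if network_score >= FRAUD_THRESHOLD:
            self.high_risk[device] += 1


def score_stream(txns):
    """Score (ts, card, merchant, amount, device, base) rows in time order."""
    net, out = DeviceNetwork(), {}
    for ts, card, _merchant, _amount, device, base in sorted(txns):
        s = net.score(card, device, base)
        net.update(card, device, s)
        out[(ts, card)] = s
    return out


# Constructed from slides 14 and 15; device-pivot rows use their listed scores as base.
SLIDE_TXNS = [
    ("20130411:14:48:03", "CARD1", "BSYKB", 12.5, "DEVICE1", 53),
    ("20130502:12:01:45", "CARD1", "HUNGRYHOUSE", 20.7, "DEVICE1", 88),
    ("20130508:09:48:16", "CARD2", "GOAL", 8.0, "DEVICE2", 237),
    ("20130508:09:49:36", "CARD3", "GOAL", 8.0, "DEVICE2", 610),
    ("20130508:09:56:39", "CARD4", "GOAL", 8.0, "DEVICE2", 997),
    ("20130508:10:03:12", "CARD1", "GOAL", 8.0, "DEVICE2", 405),
    ("20130527:15:57:24", "CARD5", "TRADE MEDIA", 47.38, "DEVICE3", 142),
    ("20130527:16:46:40", "CARD7", "TRADE MEDIA", 47.38, "DEVICE3", 801),
    ("20130527:19:06:05", "CARD8", "TRADE MEDIA", 47.38, "DEVICE3", 942),
    ("20130527:19:09:36", "CARD1", "TRADE MEDIA", 47.38, "DEVICE3", 510),
]
```

With this data CARD1's two DEVICE1 transactions keep their low scores (only CARD1 ever used that device) while its GOAL and TRADE MEDIA transactions cross the 600 threshold because three other cards had already been seen on DEVICE2 and DEVICE3 minutes earlier.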
  16. CA Strategy for Secure Mobile Payments: NFC Mobile Wallet Provisioning (the Mobile wallet pillar)
     • Cardholder authentication when provisioning card data to a mobile device
     • Accelerate time-to-market for issuers wanting to embrace “*Pay” programs
  17. What Is Mobile Payment Enablement? Adding a customer’s payment method to a mobile platform or wallet.
  18. Wallets Are Not New… They Are Not Mature Either. The existing wallet market: everyone wants to capture the loyalty.
     • Financial Services: PayPal, Venmo, Chase, CurrentC, Square
     • Retail Merchants: Starbucks, Amazon, Walmart, Wholefoods
     • Traditional Payments: MasterCard, Visa, Amex, VeriFone
     • Device Makers: Google, Apple, Samsung
  19. Mobile Wallets: Apple Pay Provisioning Security (diagram stages: Onboarding, Provisioning, Transaction Support)
     • Early NFC mobile wallet deployments had provisioning weaknesses
     • Stolen card data could be provisioned to NFC mobile devices
       – Coupled with contactless Point of Sale, this effectively cloned EMV cards
     • CA developed an incubator offering to do OTP cardholder authentication during NFC mobile wallet provisioning, increasing the assurance that card data is being provisioned to the cardholder’s phone and not a fraudster’s
     • Accelerated time-to-market for “*Pay” NFC mobile implementations
  20. Provisioning Flow (diagram)
     Steps: Enroll → Eligible? → Authenticate (OTP) → Activation.
     Parties: Wallet provider (Apple Pay, Android Pay, Google Wallet, Samsung Pay); Card Scheme (American Express, MasterCard, Visa); CA on the Issuer’s behalf.
     Messages: OTP Delivery; OTP Validation / authentication; Return Activation data; Token Confirmation.
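The provisioning flow above (Enroll, Eligible?, OTP Delivery, OTP Validation, Return Activation data), as an added Python example that is not CA's code or API: the hypothetical ProvisioningAuthenticator class stands in for the “CA on the Issuer’s behalf” box, issuing an OTP only for an eligible card and accepting it only for the same enrolment request and device, within its lifetime, within an attempt cap, and once. The five-minute TTL, the three-attempt cap and the in-memory state are assumptions.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300  # assumption: a provisioning OTP is valid for five minutes
MAX_ATTEMPTS = 3       # assumption: the request is abandoned after three wrong codes


class ProvisioningAuthenticator:
    """Hypothetical stand-in for the 'CA on Issuer's behalf' box on slide 20."""

    def __init__(self, eligible_cards, clock):
        self.eligible = set(eligible_cards)  # issuer-supplied eligibility list
        self.clock = clock                   # injectable time source (seconds)
        self.pending = {}                    # request_id -> pending OTP state

    def enroll(self, card_ref, device_id):
        # Eligible? step: no OTP is issued for a card the issuer has not approved.
        if card_ref not in self.eligible:
            return None
        request_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[request_id] = {
            "card": card_ref, "device": device_id, "attempts": 0,
            "otp_hash": hashlib.sha256(otp.encode()).digest(),
            "expires": self.clock() + OTP_TTL_SECONDS,
        }
        # OTP delivery: the code goes to the cardholder out of band, never to the
        # wallet provider; it is returned here only so the caller can model that channel.
        return request_id, otp

    def validate(self, request_id, device_id, otp):
        # OTP validation: bound to the request and device, time-limited,
        # attempt-limited and single use. Returns activation data or None.
        st = self.pending.get(request_id)
        if st is None or st["device"] != device_id:
            return None
        if self.clock() > st["expires"]:
            del self.pending[request_id]
            return None
        st["attempts"] += 1
        if not hmac.compare_digest(hashlib.sha256(otp.encode()).digest(), st["otp_hash"]):
            if st["attempts"] >= MAX_ATTEMPTS:
                del self.pending[request_id]  # too many wrong codes: re-enrol
            return None
        del self.pending[request_id]  # single use: the code cannot be replayed
        # Return Activation data: what the issuer side hands back for the wallet token
        return {"card": st["card"], "device": device_id,
                "activation_data": secrets.token_hex(16)}
```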
  21. CA Strategy for Secure Mobile Payments: In-App Purchase (the In-App purchase pillar)
     • 3-D Secure 2.0 native support for in-app purchase
     • Rich data evaluation, fraud risk scoring, and mobile authentication challenge
  22. Evolution of 3-D Secure (timeline; each phase lists Goals, Actions and Results)
     • 2001, Building Trust. Goals: build confidence in e-commerce. Actions: liability shift for participating merchants. Results: fragmentation and scheme-by-scheme service introduction.
     • 2006, Fighting Fraud. Goals: reduce fraud displaced by EMV implementation. Actions: simplify enrolment to drive adoption; strengthen authentication options. Results: adoption rates increase worldwide; more effective fraud reduction.
     • 2010, Minimizing Friction. Goals: improve customer experience; reduce abandonments. Actions: first steps in the application of analytics and predictive modelling. Results: increased authorization rates and lending; access to more transactions.
     • 2016, “Smart Authorization”. Goals: better authorization rates; access to more channels. Actions: 3-D Secure 2.0; sophisticated data science; authorization integration. Results: reduced fraud; optimized user experience.
     • 2018, Insight and Personalization. Goals: reach new markets and customer segments by leveraging rich data. Actions: analytics; data feeds to marketing, personalization and CRM systems. Results: grow the customer base; develop high-value partnerships and relationships; reinforce brand strength.
  23. Problems With 3-D Secure 1.0.2
     • 3-D Secure 1.0.2 was designed for the PC-based online shopping world
     • User experience on mobile browsers is often poor
     • Merchants are wary of invoking 3-D Secure for mobile transactions
     • No support for in-app purchase
     Material derived by reference to public domain information. See: https://www.emvco.com/about_emvco.aspx?id=306 and http://www.emvco.com/faq.aspx?id=305
  24. 3-D Secure 2.0
     • Developed and owned by EMVCo
       – EMVCo manages and controls the EMV standards
     • Designed for in-app purchase
       – Native app and HTML UI support
       – Flexible authentication options
     • Browser specification replaces 1.0.2
     • Designed to optimize user experience
       – By passing detailed data from the mobile device, only a small percentage of transactions need to be challenged
       – The leaders in this new world will be those who can leverage world-class data science
  25. What’s New in 3-D Secure 2.0?
     • Rich data
     • Early risk evaluation
     • Frictionless, Challenge, and Out-of-Band authentication flows
     • In-app purchase integration
     • New browser specification
     • ID&V flows
  26. Early Rich Data
     • Enhanced data passed up-front in the equivalent of the VEReq message
       – Device ID / fingerprint
       – Merchant Category Code
       – Purchase amount and currency
       – Optional cardholder billing / delivery details
     • Enhanced fraud detection
     • Optimized user experience
       – The majority of transactions will never be challenged
  27. Tying It All Together
  28. Summary: CA Strategy for Securing Mobile Payments
     • Mobile apps: native mobile user experience; rich data evaluation
     • Mobile Wallets: provisioning security; cardholder authentication
     • Authentication: Mobile Strong Authentication; omnichannel enablement
     • Transaction Risk: neural networks; device identity
  29. Don’t Miss Our INTERACTIVE Security Demo Experience! Sneak peek.
  30. Questions?
  31. Thank you. Stay connected at communities.ca.com
  32. Security. For more information on Security, please visit: http://cainc.to/EtfYyw
