The paypers Vol 5.
Update on developments in online payments Vol. 5 Issue 20, 14 Dec 2012

News
Verizon, Criterion Systems to develop e-identity solutions for online security 1
Expert Opinion by Phoenix Managed Networks 2
Expert Opinion by Voltage Security 5
Expert Opinion by EastNets 6
The Guardian supplement tackles innovation in payments 6

IN THE NEWS

Visa, banks tap India's biometric ID system for new account
Visa has teamed up with a group of five Indian banks to tap into the government's Aadhaar national identity system, which uses fingerprint and iris biometric information to verify users and authorise payments.

miiCard releases DirectID Check for SMBs
UK-based online identity verification service miiCard has released the DirectID Check, a hosted identity service for small and medium-sized businesses (SMBs) that require identity proofing of clients.

Verizon, Criterion Systems to develop e-identity solutions for online security
Verizon Wireless, a US mobile telecommunications network and wireless phone provider, and Criterion Systems, an IT services company, have joined forces to develop a pilot program to test new solutions that will create a new online identity system.

Key trends in financial crime, risk and compliance for 2013
Investment in handling financial crime and compliance will remain a high priority in 2013, a recent survey on key security trends for 2013 unveils. According to research by Detica NetReveal, a business division of BAE Systems Detica, fraud management is a key area, with 86 percent of respondents forecasting budget growth (compared to 45 percent in 2012 and 47 percent in 2011) and highlighting the application process, payments, the online channel and insider fraud as priority areas of focus.

ControlScan, Foregenix to enter EMEA alliance
US-based PCI compliance services provider ControlScan and Foregenix, a UK-based digital forensics company, have entered a strategic alliance to deliver technology solutions to acquiring banks and merchant service providers working with small and mid-sized businesses (SMBs) across Europe, the Middle East and Africa.

ReD, TeleSign to deliver authentication solutions to ReD Shield customers
UK payment fraud prevention company ReD has entered a partnership with TeleSign, a provider of internet fraud prevention and intelligent authentication. As part of the agreement, TeleSign's data and authentication products will be integrated and made available to customers of the ReD Shield fraud prevention service.

1|7 www.thepaypers.com Copyright © The Paypers
The Paypers introduces the Web Fraud Prevention & E-Identity Market Guide 2012

The Paypers has made available the first edition of the Web Fraud Prevention & E-Identity Market Guide 2012, a complete insight into the e-identity and web fraud ecosystem, mapping out ongoing initiatives, success stories and main industry players in this market.

The Web Fraud Prevention & E-Identity Market Guide 2012 is aimed at online merchants, banks, payment service providers, regulators, MNOs, technology companies, payments processors and suppliers who are keen on keeping up to date with the latest security trends and innovative fraud prevention techniques.

The first edition of the guide comprises valuable input from industry stakeholders and associations, expert views, customer cases and exposés from industry experts and thought leaders, as well as detailed company profiles of the web fraud/e-identity service providers. Additionally, all service providers will be listed in a new, enhanced online company profiles database, complete with keywords, company logo and advanced search functionality.

The Web Fraud Prevention & E-Identity Market Guide 2012 was developed as a response to the increasing number of fraudulent activities which can affect all businesses and consumers that use the internet and mobile channel to interact, engage in online transaction activities, and access and manage their finances and online identities. Thus, online merchants and payment professionals all over the world will gain access to a valuable resource which provides a complete insight into the e-identity and web fraud landscape.

The 2012 Guide is endorsed by The Merchant Risk Council (MRC), a merchant-led trade association focused on electronic commerce risk and payment strategies.

Expert Opinion
Who cares about protecting small merchants from a security breach
By Alan Stephenson-Brown, Phoenix Managed Networks

With over 25 years of experience in the global payments industry, Alan has a wealth of knowledge on the payments industry gained through high-level roles within internationally recognised companies including TNS, HSBC and Tuxedo. In 1997, Alan joined Transaction Network Services (TNS), where he was one of the founders of the UK business and ultimately became Global VP Business Development, with responsibility for expanding the business internationally and researching new initiatives.

Phoenix Managed Networks is a global provider of payments communication, payment gateway and payment support services, delivering a state-of-the-art, reliable and cost-effective solution connecting retailers with the world's banks, acquirers and processors. Founded in January 2010 with its global headquarters located in Reston, Va., Phoenix has been highly successful in advocating a combination of quality, innovation and uncompromising customer care.

Alan Stephenson-Brown, UK Managing Director for Phoenix Managed Networks, believes that a multi-layered approach to security is required across the board to improve current practices. Segregating card data at a merchant's site is best practice, but it's only one of a large number of security issues that need to be addressed. Merchants need to know how to be secure, and the education process required in order to implement this level of security needs to start with acquirers, the PCI council and government bodies getting more involved.

Security is not just for merchants and card users to take care of; central governments at both the national and European level, as well as the payments industry, should step up.
A 2011 report by Trustwave showed that 90% of incidents where card data is compromised have occurred in level 4 merchant environments, typically small to medium-sized businesses. Large organisations are better educated, funded and resourced, so it is increasingly harder for criminals to target them, although they are not immune, as demonstrated by high-profile data breaches. It is smaller merchants that are being targeted, and the payments industry needs to help these vulnerable merchants now.

Regularly speaking to retailers has enabled Mr. Stephenson-Brown to get a better understanding of the traumas that PCI compliance causes them. At a recent Association of Convenience Stores (ACS) conference one retailer declared that the prospect of not being compliant, suffering a breach and the potential reputational damage that would follow causes him sleepless nights. The fact that customers may find out about security breaches could be crippling to his reputation – even though there is no legal obligation to report them.

Others are overwhelmed by the complexities of achieving compliance. Another retailer recently asked Mr. Stephenson-Brown about a letter he had received from his bank informing him that he wasn't PCI compliant and that, should he not rectify this, he would be penalised – they had no idea of the full implications of PCI compliance, how important it is, and the severe financial impact to their business should they suffer a data breach. The reality is they are not alone; far too many businesses take far too few steps towards adequately securing their payment and non-payment systems.

A key problem facing the payments security industry in Europe is the lack of publicity when compared to other countries such as the US
One of the key differences is the relationship between merchants, banks and government, and the requirements imposed upon merchants and payment service providers to publicise such breaches.

In the US, California was the first state to legislate for publicising data breaches in 2003, an example now replicated by 38 of the 50 states. This is encouraging, but the differences in legislation globally make the process fragmented – legislation for breach announcements as a deterrent should be universal, as fraud is global and fraud rings see no boundaries. This fragmentation when reporting breaches globally presents a false perception of where the problems are occurring.

In the rest of the world breaches can be brushed under the carpet…
Currently in the UK and Europe there is no legal requirement for the great majority of businesses to declare breaches; that does not mean they don't happen. According to UK Fraud Statistics, in 2010 more than EUR 417.5 million in UK card fraud was detected. The problem the industry currently faces is the fact that smaller retailers do not understand the need for increased security.

The new European Data Protection Regulation due in 2014 will give the card schemes additional backup to enforce the fines which are presently seen as hollow threats; this is a step in the right direction, but there needs to be another message alongside it.

It needs to be clear that best-practice security measures for the payments environment are good business and will go a long way to protect a business holistically. It shouldn't be treated as a task where a merchant does as much as they are obliged to and nothing more. Too many merchants are unaware of their obligations under PCI DSS or demonstrate apathy towards the risk they are susceptible to by not adhering to these measures.

Merchants found in breach of PCI can be fined GBP 1000 per card breached – it takes minutes to steal thousands of card details electronically; the ramifications for a small business can be crippling. This is not necessarily the fault of the small merchants, who were not the initial focus for the PCI council following the inception in 2004 of the Payment Card Industry Data Security Standard (PCI DSS).

Merchants think that there isn't a problem in the UK as they never hear about it – this couldn't be further from the truth. Fraudsters are now targeting small, local, independent businesses, and the PCI council, banks, acquirers and security vendors have a duty to educate and provide cost-effective quality solutions to these smaller merchants to equip them in the fight to maintain security and ultimately their business.

"We have started off with the big retailers and we've gone down to the next level and now we're getting down to the smaller merchants. The brands don't differentiate between the big and small merchants when there's a data breach, they just come in and hit you. For smaller merchants it's end of game."
Jeremy King, European Director of the PCI Council

The Verizon 2012 Data Breach Investigations Report found that 96% of the breach victims investigated were not PCI DSS compliant when they were last assessed. Perhaps this is because compliance measures are complicated for the average retailer, especially the technical network specifications referred to in self-assessment questionnaires.

Security can't be achieved through regulation and enforcement alone; it needs to be adopted as a culture in business, with all parties, including banks, acquirers and merchants, adopting a collaborative approach to help themselves and their customers. Only when this is achieved will we be in a position to be truly secure.

Digital identity: valuable resource for organisations, major concern for consumers?

In a digital society where people all over the world need to process, exchange and check data at a faster pace, electronic identity has become commonplace. However, this is undoubtedly associated with a series of risks, and companies as well as individuals are often concerned about having their privacy invaded or losing control over their own electronic data.

According to "The Value of our Digital Identity" report by Boston Consulting Group (BCG), digital data is already a driving force for the entire economy. Data reveals that the value created using digital identity can reach EUR 1 trillion in Europe by 2020, which is 8 percent of the combined GDP of the EU-27. For European businesses and governments, the use of personal data will deliver an annual benefit of EUR 330 billion by 2020. For individuals, the value is expected to reach EUR 670 billion. That is why organisations need to take into account the growth opportunity and make the benefits of digital identity applications very clear to consumers. Moreover, they need to adopt the new digital identity paradigm of responsibility, transparency and user control and promote a reliable flow of data.

On the other hand, the report mentions that, currently, most consumers are not aware of what happens to their online data. Results show that only 30 percent have a relatively comprehensive understanding of which sectors are collecting and using their information. Individuals with higher-than-average awareness of data uses require 26 percent more benefit in return for sharing their data. Additionally, few individuals are in control of their digital identity. Only 10 percent of respondents have admitted doing six or more out of eight common privacy-protecting activities such as private browsing, disabling cookies, opt-in/out and others. Yet consumers who are able to manage and protect their privacy are up to 52 percent more willing to share information than those who aren't in control of their digital data. This is mostly because they can adapt their data sharing to their individual preferences.

Consumers' trust in sharing personal data also varies per sector. Thus, consumers are on average 30 percent more willing to share data when it comes to e-commerce companies, cable operators and automobile manufacturers than Web 2.0 communities. Findings unveil that control is important to consumers (82 percent) and convenience as well (63 percent). Overall, given proper privacy controls and sufficient benefits, most consumers are willing to share their personal data with public and private-sector organisations.

The BCG report aims to define what digital identity is, quantifies the current and potential economic value of digital identity for organisations and consumers, identifies important trends and offers a set of guiding principles that could help responsible organisations benefit from the value of digital identity.
Expert Opinion
Stopping "Dexter" malware stealing credit card data from the POS
By Mark Bower, Voltage Security

Mark Bower is a data protection expert and VP of product management for data-centric security leader Voltage Security. He has more than two decades of experience in the data protection area. His expertise spans electronic banking, smartcard payment systems, Public Key Infrastructure, identity management systems and cloud security for the commercial and government sectors.

Voltage Security is the world leader in data-centric security and simplified key management for combating new and emerging security threats. With innovative, powerful and easy-to-use solutions for protecting sensitive data (including end-to-end encryption, tokenization, data-masking, email, file, cloud and mobile), Voltage customers can effectively address global privacy regulations and best practices. Customers include a third of the world's 20 largest organizations and a wide variety of industries including payments, financial, retail, insurance, healthcare and e-commerce.

There is new malware on the loose targeting merchant point of sale systems (POS), often called checkouts, electronic cash registers (ECR) or tills. Apparently, the impact of this new "Dexter" virus is perceived worldwide. POS systems are often the weak link in the chain and the target of choice for malware. They should be isolated from other networks, but they are often connected. And, as a checkout in constant use, they are less frequently patched and updated and thus vulnerable to all types of malware. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost-reducing benefit for PCI compliance.

This new kind of attack requires a service which allows merchants to brush off such credit card data theft risks. In the last couple of years the PCI Council has also supported the approach and called it Point to Point Encryption (P2PE) or end-to-end encryption.

Merchants need to address this risk by encrypting the payment card data before it even gets to the POS. This might be in the card reader, a reading PIN pad, or even inside a reading "sled" or "wedge" attached to the POS. If the POS is breached, the data will be useless to the attacker. On the other hand, the secure card readers are very, very difficult to attack and do not store live data to steal: they encrypt it and pass it up the payment process to the POS. If tampered with, they are designed to destroy their contents.

The trick is getting it right so that even though the data is protected and secure, it's still compatible with the payment applications in the merchant's systems and the applications in the POS itself, to permit regular POS functions to continue without change. That's where format preserving encryption (FPE) comes in – NIST-recognized FFX mode AES in particular. With FPE, the data stays protected from the moment it is captured as it is read or entered.

The magnetic stripe data and track information (Track 1, Track 2 or even EMV data) or manually entered credit card numbers are all protected while retaining the track structure, PAN format and integrity. To the POS, it still looks and feels like cardholder data, so there is low impact on the way customer payments are handled. To the merchant, the PCI DSS scope is dramatically reduced; the whole POS is potentially out of scope. To an attacker, there's nothing of value to steal.

"Dexter" would get nothing but useless encrypted data. Only the other "end" of the payment process, usually an acquirer after the payment data has passed through switches, gateways, networks and applications, can decrypt the data. For post-authorization processes, a token might be returned to the merchant for storage and re-use in applications and databases without needing live PAN data again. Some larger merchants may also want to decrypt and tokenize in house so they are independent of acquirers.
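The encrypt-at-the-reader, decrypt-at-the-acquirer flow the article describes, as an added example that is not part of the original column and is not Voltage's code: a small format-preserving cipher over decimal digits built as a keyed Feistel network. That is the same structure the NIST FFX/FF1 modes standardize (unbalanced halves, ten rounds, a tweak mixed into every round), but the round function here is HMAC-SHA256 instead of AES, so it is an illustration of the idea, not the NIST algorithm. The choices to leave the first six and last four digits in clear and use them as the tweak, the Track 2 layout, the token format and the in-memory vault are all assumptions of this example.

```python
"""Illustrative point-to-point encryption of card data with a format-preserving
cipher. Constructed example: a keyed Feistel network over decimal digits with an
HMAC-SHA256 round function. NOT NIST FF1/FFX; do not use for real card data."""
import hashlib
import hmac
import secrets

ROUNDS = 10  # even, so both halves end the network at their original lengths


def _prf(key: bytes, tweak: str, round_no: int, block: str) -> int:
    """Keyed round function: HMAC-SHA256 over (tweak, round number, half) as an int."""
    msg = tweak.encode() + bytes([round_no]) + b"|" + block.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, digits: str, tweak: str) -> str:
    """Map a decimal string to another decimal string of exactly the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    u = len(digits) // 2          # unbalanced split, as in FF1: u = floor(n/2)
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # the half being rewritten alternates in length
        c = (int(a) + _prf(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting instead of adding."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Card-reader side (assumed layout): BIN (first 6) and last 4 stay in clear and
    serve as the tweak; only the middle digits are encrypted. The result is still an
    all-digit PAN of the same length, so POS code that only routes on BIN keeps working."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt(key, middle, head + tail) + tail


def unprotect_pan(key: bytes, protected: str) -> str:
    """Acquirer side: the only place the key, and therefore the live PAN, exists."""
    head, middle, tail = protected[:6], protected[6:-4], protected[-4:]
    return head + fpe_decrypt(key, middle, head + tail) + tail


def protect_track2(key: bytes, track2: str) -> str:
    """Track 2 keeps its layout: only the PAN before '=' changes; expiry, service
    code and discretionary data pass through unchanged (assumed field layout)."""
    pan, rest = track2.split("=", 1)
    return protect_pan(key, pan) + "=" + rest


def acquirer_settle(key: bytes, vault: dict, protected_pan: str) -> str:
    """Decrypt at the far end, keep the live PAN in the vault and hand the merchant a
    random token that carries no card data for post-authorization use."""
    pan = unprotect_pan(key, protected_pan)
    token = "tok_" + secrets.token_hex(8)
    vault[token] = pan
    return token


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed; in practice injected into the reader and HSM
    pan = "4111111111111111"       # constructed test number, not a real card
    protected = protect_pan(key, pan)
    print(pan, "->", protected)     # same length, same BIN and last 4, different middle
    vault = {}
    token = acquirer_settle(key, vault, protected)
    print(token, "->", vault[token])
```

What the POS sees is `protected`: sixteen digits that parse and route like a card number but decrypt only where the key lives, which is the property that takes the till out of PCI DSS scope in the article. Two caveats a practitioner should carry over to a real deployment: this toy does not keep the Luhn check digit valid (FF1-based products handle that separately), and because the last four and BIN are in clear, the encrypted middle of a 16-digit PAN has only a million possible values per tweak, so the key must never be reachable from the merchant environment.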
The Guardian recognizes latest opportunities & challenges in the evolving payments environment
Guardian supplement tackles innovation in payments

UK daily news provider The Guardian has released its latest Innovation in Payments report, a multi-page overview mapping out the changes, trends and opportunities in the global payments industry.

The Innovation in Payments report draws on the comment of leading industry experts to examine what developments are on the horizon and how these are likely to affect the payments landscape. Distributed both as an insert and in electronic format, the report provides an overview of the constantly evolving payments industry and the way it influences and changes the way consumers buy.

The Guardian has been a top provider of daily news since 1821 and has recently exceeded 11.8 million unique visitors in the US alone, overtaking even the BBC. Its Innovation in Payments supplement has a circulation of over 214,000 copies and has been distributed both as an insert in The Guardian and in electronic format, made available to the Guardian's readership of 1.1 million and beyond.

You can download a copy of the report here.

Expert Opinion
Metamorphosis in the fraud world
By Deya Innab, EastNets

Deya Innab is Product Development Manager for EastNets. She has worked for KPMG as Advisory Services Senior Manager and has over 16 years of experience in software development and design, IT and project management, and business development.

EastNets, a provider of global compliance and payment solutions and services with over 1,000 customers in 120 countries, provides compliance solutions including anti-money laundering and anti-fraud, Resilient SWIFT Solutions for SWIFT FIN/XML reporting, duplicate detection management, disaster recovery and outsourced SWIFT connectivity with its SWIFT Service Bureau, and Mobile Remittances Solutions enabling secure, compliant mobile remittances.

Fraud is an evolving world. Creativity in inventing fraud trends has no limits and it keeps developing. Creating fraud-preventive procedures, controls, regulations and systems is very challenging. It is like creating a vaccine for a virus that metamorphoses and keeps transforming to defeat each new line of immunity.

Even the term fraud has come to encompass many forms of misconduct. Although the legal definition of fraud is very specific, for most people the common usage is much broader and generally covers any attempt to deceive another party to gain a benefit: financial institution fraud, mobile fraud, health care fraud, identity theft, padded expense reports, mortgage fraud, theft of inventory by employees, manipulated financial statements, insider trading.

The range of possible fraud schemes is large, but at their core all of these acts involve a violation of trust. It is this violation, perhaps even more than the resulting financial loss, that makes such crimes so harmful. One of the most critical and challenging fraud schemes is internal fraud, also known as occupational fraud: "The use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization's resources or assets." Different studies showed that more than 50% of fraud attempts are committed by people already working within an organization, who usually act alone. These fraud attempts account for more than half of the total fraud losses, and only 1/3 of internal fraud attempts are actually detected. It is known that the finance and insurance sector remains particularly vulnerable to fraud committed by external parties, typically involving credit cards, lending fraud and fake insurance claims. Nevertheless, the largest fraud attempts were "inside jobs"; theft of cash, diversion of sales and cheque tampering were the main employee frauds by value.

Why do people commit fraud?
There is no single reason behind fraud, and any explanation of it needs to take into account various factors; that is what makes it very difficult to prevent and/or detect. A common model that brings together a number of different aspects is the fraud triangle. This model is built on the premise that fraud is likely to result from a combination of three factors: motivation, opportunity and rationalization.

Motivation is typically based on either greed or need. In terms of opportunity, fraud is more likely to happen in companies where there is a weak internal control system, poor security over company property, little fear of exposure and likelihood of detection, or unclear policies with regard to acceptable behaviour. As for rationalization, some people may be able to rationalize fraudulent actions as: necessary, especially when done for business; harmless, because the victim is large enough to absorb the impact; or justified, "because the victim deserved it" or "because I was misused."

Organizations have realized that internal fraud is a main driver in overall financial institution losses: it is emerging almost daily, it has significant financial consequences and it is a driver of reputational damage. Because of all of this and more, organizations invest heavily in adopting an anti-fraud framework that provides a healthy environment. This framework has to be continuously developing to compete with the daily emerging frauds of the world.

When we talk about establishing a healthy anti-fraud framework, prevention should take precedence over detection. What we mean by fraud prevention is creating a work environment that values honesty. This includes hiring honest people, paying them competitively, treating them fairly and providing a safe and secure workplace with strong internal controls. For us to be able to have a preventive mechanism to minimize internal fraud, it is necessary to understand the behaviours and the circumstances around the internal fraud cases and try to eliminate the leakage points.

Fraud Preventive Solutions
The fact that the regulations related to different schemes of fraud are very limited makes the exercise of creating an effective and healthy anti-fraud platform very challenging. When we look at anti-fraud solutions for financial institutions and corporates in the 80 countries that we serve, we look to build a solution that can be configured by building customized scenarios around the internal systems and processes of each organization to give strong internal control. In addition, an integrated framework enables financial institutions to aggregate data and processes across fraud and AML silos to improve business insight and streamline operational efficiencies.

About: Online Paypers is a bi-weekly update on developments in online payments by The Paypers, the portal for payment professionals.
Editors: Adriana Screpnic, Mihaela Mihaila, Ionela Barbuta and Melisande Mual.
Website: For more information, please visit our website: www.thepaypers.com
Contact: For more information, you can contact us at: info@thepaypers.com
Subscription info: Online Paypers is a product of The Paypers and is published 24 times per year. Year subscription price: €495
Copyright: 2011 © The Paypers. All rights reserved. Reproduction or redistribution in any form without explicit prior written permission of The Paypers is prohibited.
Disclaimer: The Paypers sees to the utmost reliability of all its news products. Nevertheless we do not accept any responsibility for any possible inaccuracies.