The paypers Vol 5.



Update on developments in online payments Vol. 5 Issue 20, 14 Dec 2012

News
Verizon, Criterion Systems to develop e-identity solutions for online security 1
Expert Opinion by Phoenix Managed Networks 2
Expert Opinion by Voltage Security 5
Expert Opinion by EastNets 6
The Guardian supplement tackles innovation in payments 6

IN THE NEWS

Visa, banks tap India's biometric ID system for new account
Visa has teamed up with a group of five Indian banks to tap into the government's Aadhaar national identity system, which uses fingerprint and iris biometric information to verify users and authorise payments. Read more

Key Trends in financial crime, risk and compliance for 2013
Investment in handling financial crime and compliance will remain a high priority in 2013, a recent survey on key security trends for 2013 unveils. According to research by Detica NetReveal, a business division of BAE Systems Detica, fraud management is a key area, with 86 percent of respondents forecasting budget growth (as compared to 45 percent in 2012 and 47 percent in 2011) and highlighting the application process, payments, the online channel and insider fraud as priority areas of focus. Read more

miiCard releases DirectID Check for SMBs
UK-based online identity verification service miiCard has released the DirectID Check, a hosted identity service for small and medium-sized businesses (SMBs) that require identity proofing of clients. Read more

ControlScan, Foregenix to enter EMEA alliance
US-based PCI compliance services provider ControlScan and Foregenix, a UK-based digital forensics company, have entered a strategic alliance to deliver technology solutions to acquiring banks and merchant service providers working with small and mid-sized businesses (SMBs) across Europe, the Middle East and Africa. Read more

Verizon, Criterion Systems to develop e-identity solutions for online security
Verizon Wireless, a US mobile telecommunications network and wireless phone provider, and Criterion Systems, an IT services company, have joined forces to develop a pilot program to test new solutions that will create a new online identity system. Read more

ReD, TeleSign to deliver authentication solutions to ReD Shield customers
UK payment fraud prevention company ReD has entered a partnership with TeleSign, a provider of internet fraud prevention and intelligent authentication. As part of the agreement, TeleSign's data and authentication products will be integrated and made available to customers of the ReD Shield fraud prevention service. Read more

1|7 www.thepaypers.com Copyright © The Paypers
The Paypers introduces the Web Fraud Prevention & E-Identity Market Guide 2012
The Paypers has made available the first edition of the Web Fraud Prevention & E-Identity Market Guide 2012, a complete insight into the e-identity and web fraud ecosystem, mapping out ongoing initiatives, success stories and main industry players in this market.

The Web Fraud Prevention & E-Identity Market Guide 2012 is aimed at online merchants, banks, payment service providers, regulators, MNOs, technology companies, payments processors and suppliers who are keen on keeping up to date with the latest security trends and innovative fraud prevention techniques.

The first edition of the guide comprises valuable input from industry stakeholders and associations, expert views, customer cases and exposés from industry experts and thought leaders, as well as detailed company profiles of the web fraud/e-identity services providers. Additionally, all service providers will be listed in a new, enhanced online company profiles database, complete with keywords, company logo and advanced search functionality.

The Web Fraud Prevention & E-identity Market Guide 2012 was developed as a response to the increasing number of fraudulent activities which can affect all businesses and consumers that use the internet and mobile channel to interact, engage in online transaction activities, and access and manage their finances and online identities. Thus, online merchants and payment professionals all over the world will gain access to a valuable resource which provides a complete insight into the e-identity and web fraud landscape.

The 2012 Guide is endorsed by The Merchant Risk Council (MRC), a merchant-led trade association focused on electronic commerce risk and payment strategies.

Expert Opinion
Who cares about protecting small merchants from a security breach?
By Alan Stephenson-Brown, Phoenix Managed Networks

With over 25 years of experience in the global payments industry, Alan has a wealth of knowledge on the payments industry gained through high level roles within internationally recognised companies including TNS, HSBC and Tuxedo. In 1997, Alan joined Transaction Networks Services (TNS) where he was one of the founders of the UK business and ultimately became Global VP Business Development, with responsibility for expanding the business internationally and researching new initiatives.

Phoenix Managed Networks is a global provider of payments communication, payment gateway and payment support services, delivering a state-of-the-art, reliable and cost effective solution connecting retailers with the world's banks, acquirers and processors. Founded in January 2010 with its global headquarters located in Reston, Va., Phoenix has been highly successful in advocating a combination of quality, innovation and uncompromising customer care.

Alan Stephenson-Brown, UK Managing Director for Phoenix Managed Networks, believes that a multi layered approach to security is required across the board to improve current practices. Segregating card data at a merchant's site is best practice but it's only one of a large number of security issues that need to be addressed. Merchants need to know how to be secure, and the education process required in order to be able to implement this level of security needs to start with acquirers, the PCI council and government bodies getting more involved.

Security is not just for merchants and card users to take care of; central governments at both the national and European level as well as the payments industry should step up.
A 2011 report by Trustwave showed that 90% of incidents where card data is compromised have occurred in level 4 merchant environments, typically small to medium sized businesses. Large organisations are better educated, funded and resourced, so it is increasingly harder for criminals to target them, although they are not immune, as demonstrated by high profile data breaches. It is smaller merchants that are being targeted and the payments industry needs to help these vulnerable merchants now.

Regularly speaking to retailers has enabled Mr. Stephenson-Brown to get a better understanding of the traumas that PCI compliance causes them. At a recent Association of Convenience Stores (ACS) conference one retailer declared that the prospect of not being compliant, suffering a breach and the potential reputational damage that would follow causes him sleepless nights. The fact that customers may find out about security breaches could be crippling to his reputation – even though there is no legal obligation to report them.

Others are overwhelmed by the complexities of achieving compliance. Another retailer recently asked Mr. Stephenson-Brown about a letter he had received from his bank informing him that he wasn't PCI compliant and that, should he not rectify this, he would be penalised – they had no idea of the full implications of PCI compliance, how important it is, and the severe financial impact to their business should they suffer a data breach. The reality is they are not alone: far too many businesses take far too few steps towards adequately securing their payment and non-payment systems.

A key problem facing the payments security industry in Europe is the lack of publicity when compared to other countries such as the US
One of the key differences is the relationship between merchants, banks and government, and the requirements imposed upon merchants and payment service providers to publicise such breaches.

In the US, California was the first state to legislate for publicising data breaches in 2003, an example now replicated by 38 of the 50 states. This is encouraging, but the differences in legislation globally make the process fragmented – legislation for breach announcements as a deterrent should be universal, as fraud is global and fraud rings see no boundaries. This fragmentation when reporting breaches globally presents a false perception of where the problems are occurring.

In the rest of the world breaches can be brushed under the carpet…
Currently in the UK and Europe there is no legal requirement for the greater majority of businesses to declare breaches; that does not mean they don't happen. According to UK Fraud Statistics, in 2010 more than EUR 417.5 million in UK card fraud was detected. The problem the industry currently faces is the fact that smaller retailers do not understand the need for increased security.

The new European Data Protection Regulation due in 2014 will give the card schemes additional back up to enforce the fines which are presently seen as hollow threats; this is a step in the right direction, but there needs to be another message alongside it.

It needs to be clear that best practice security measures for the payments environment are good business and will go a long way to protect a business holistically. It shouldn't be treated as a task where a merchant does as much as they are obliged to and nothing more. Too many merchants are unaware of their obligations under PCI DSS or demonstrate apathy towards the risk they are susceptible to by not adhering to these measures.

Merchants found in breach of PCI can be fined GBP1000 per card breached – it takes minutes to steal thousands of card details electronically; the ramifications for a small business can be crippling. This is not necessarily the fault of the small merchants, who were not the initial focus for the PCI council following the inception in 2004 of the Payment Card Industry Data Security Standard (PCI DSS).

Merchants think that there isn't a problem in the UK as they never hear about it – this couldn't be further from the truth. Fraudsters are now targeting small, local, independent businesses, and the PCI council, banks, acquirers and security vendors have a duty to
educate and provide cost effective quality solutions to these smaller merchants to equip them in the fight to maintain security and ultimately their business.

"We have started off with the big retailers and we've gone down to the next level and now we're getting down to the smaller merchants. The brands don't differentiate between the big and small merchants when there's a data breach, they just come in and hit you. For smaller merchants it's end of game." Jeremy King, European Director of the PCI Council

The Verizon 2012 Data Breach Investigations Report found that 96% of the breach victims investigated were not PCI DSS compliant when they were last assessed. Perhaps this is because compliance measures are complicated for the average retailer, especially the technical network specifications referred to in self-assessment questionnaires.

Security can't be achieved through regulation and enforcement alone; it needs to be adopted as a culture in business, with all parties including banks, acquirers or merchants adopting a collaborative approach to help themselves and their customers. Only when this is achieved will we be in a position to be truly secure.

Digital identity: valuable resource for organisations, major concern for consumers?
In a digital society where people all over the world need to process, exchange and check data at a faster pace, electronic identity has become commonplace. However, this is undoubtedly associated with a series of risks, and companies as well as individuals are often concerned about having their privacy invaded or losing control over their own electronic data.

According to "The Value of our digital identity" report by Boston Consulting Group (BCG), digital data is already a driving force for the entire economy. Data reveals that the value created using digital identity can reach EUR 1 trillion in Europe by 2020, which is 8 percent of the combined GDP of the EU-27. For European businesses and governments, the use of personal data will deliver an annual benefit of EUR 330 billion by 2020. For individuals, the value is expected to reach EUR 670 billion. That is why organisations need to take into account the growth opportunity and make the benefits of digital identity applications very clear to consumers. Moreover, they need to adopt the new digital identity paradigm of responsibility, transparency and user control and promote a reliable flow of data.

On the other hand, the report mentions that, currently, most consumers are not aware of what happens to their online data. Results show that only 30 percent have a relatively comprehensive understanding of which sectors are collecting and using their information. Individuals with higher-than-average awareness of data uses require 26 percent more benefit in return for sharing their data. Additionally, few individuals are in control of their digital identity. Only 10 percent of respondents have admitted doing six or more out of eight common privacy-protecting activities such as private browsing, disabling cookies, opt-in/out and other. Yet, consumers who are able to manage and protect their privacy are up to 52 percent more willing to share information than those who aren't in control of their digital data. This is mostly because they can adapt their data sharing to their individual preferences.

Consumers' trust in sharing personal data also varies per sector. Thus, consumers are on average 30 percent more willing to share data when it comes to e-commerce companies, cable operators and automobile manufacturers than Web 2.0 communities. Findings unveil that control is important to consumers (82 percent) and convenience as well (63 percent). Overall, given proper privacy controls and sufficient benefits, most consumers are willing to share their personal data with public and private-sector organisations.

The BCG report aims to define what digital identity is, quantifies the current and potential economic value of digital identity for organisations and consumers, identifies important trends and offers a set of guiding principles that could help responsible organisations benefit from the value of digital identity.
Expert Opinion
Stopping "Dexter" malware stealing credit card data from the POS
By Mark Bower, Voltage Security

Mark Bower is a data protection expert and VP of product management for data-centric security leader Voltage Security. He has more than two decades of experience in the data protection area. His expertise spans electronic banking, smartcard payment systems, Public Key Infrastructure, identity management systems and cloud security for the commercial and government sectors.

Voltage Security is the world leader in data-centric security and simplified key management for combating new and emerging security threats. With innovative, powerful and easy-to-use solutions for protecting sensitive data (including end-to-end encryption, tokenization, data-masking, email, file, cloud and mobile), Voltage customers can effectively address global privacy regulations and best practices. Customers include a third of the world's 20 largest organizations and a wide variety of industries including payments, financial, retail, insurance, healthcare, e-commerce.

There is new malware on the loose targeting merchant point of sale systems (POS), often called checkouts, electronic cash registers (ECR) or tills. Apparently, the impact of this new "Dexter" virus is perceived worldwide. POS systems are often the weak link in the chain and the choice of malware. They should be isolated from other networks, but they are often connected. And, as a checkout in constant use, they are less frequently patched and updated and thus vulnerable to all types of malware. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal, through solutions that also have a dramatic cost reducing benefit to PCI compliance.

This new kind of attack requires a service which allows merchants to brush off such credit card data theft risks. In the last couple of years the PCI Council has also supported the approach and called it Point to Point Encryption (P2PE) or end to end encryption.

Merchants need to address this risk by encrypting the payment card data before it even gets to the POS. This might be in the card reader, a reading pin pad, or even inside a reading "sled" or "wedge" attached to the POS. If the POS is breached, the data will be useless to the attacker. On the other hand, the secure card readers are very, very difficult to attack and do not store live data to steal: they encrypt it and pass it up the payment process to the POS. If tampered with they are designed to destroy their contents.

The trick is getting it right so that even though the data is protected and secure, it's still compatible with the payment applications in the merchant's systems and applications in the POS itself, to permit regular POS functions to continue without change. That's where format preserving encryption (FPE) comes in – NIST recognized FFX mode AES in particular.

With FPE, the data stays protected from the moment it is captured as it's read or entered. The magnetic stripe data and track information (Track 1, Track 2 or even EMV data) or manually entered credit card numbers are all protected while retaining the track structure, PAN format and integrity. To the POS, it still looks and feels like cardholder data, so there is low impact to the way customer payments are handled. To the merchant the PCI DSS scope is dramatically reduced; the whole POS is potentially out of scope. To an attacker, there's nothing of value to steal.

"Dexter" would get nothing but useless encrypted data. Only the other "end" of the payment process, usually an acquirer after the payment data has passed through switches, gateways, networks and applications, can decrypt the data. For post authorization processes, a token might be returned to the merchant for storage and re-use in applications and databases without needing live PAN data again. Some larger merchants may also want to decrypt and tokenize in house so they are independent of acquirers.
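The reader-to-acquirer flow described above, as an added example (not code from the article or from Voltage Security): a secure-reader step that applies format-preserving encryption to a PAN, a POS step that handles the PAN-shaped ciphertext without change, and an acquirer step that decrypts, Luhn-checks and returns a token for post-authorisation use. Assumptions: the Feistel structure follows the FFX/FF1 pattern but uses HMAC-SHA256 as the round function instead of FF1's AES-based PRF (illustrative, not FF1-compliant); the first six and last four digits are left in the clear, a common deployment choice; 4111 1111 1111 1111 is the widely used Visa test number; all function names are hypothetical.

```python
# Illustrative P2PE flow: the reader applies format-preserving encryption before
# the PAN reaches the POS, so POS-scraping malware finds only PAN-shaped ciphertext.
import hashlib
import hmac
import secrets
ROUNDS = 10  # FF1 also uses 10 Feistel rounds

def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str, modulus: int) -> int:
    # FF1 specifies an AES-based PRF here; HMAC-SHA256 is substituted so the
    # example runs on the standard library alone (illustrative, not FF1-compliant).
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % modulus

def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Decimal string in, same-length decimal string out (FF1-style alternating Feistel)."""
    n = len(digits)
    if n < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v
        y = _round_fn(key, tweak, i, b, 10 ** m)
        a, b = b, str((int(a) + y) % 10 ** m).zfill(m)
    return a + b

def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: the rounds backwards with modular subtraction."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_fn(key, tweak, i, a, 10 ** m)
        a, b = str((int(b) - y) % 10 ** m).zfill(m), a
    return a + b

def luhn_ok(pan: str) -> bool:
    """PAN check digit; only the acquirer can run it on the live PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def reader_encrypt(key: bytes, pan: str) -> str:
    """BIN and last four stay clear (assumed deployment choice, for routing and
    receipts); the middle is encrypted under a tweak bound to those clear digits."""
    if not (pan.isdigit() and 12 <= len(pan) <= 19):
        raise ValueError("PAN must be 12 to 19 digits")
    return pan[:6] + fpe_encrypt(key, (pan[:6] + pan[-4:]).encode(), pan[6:-4]) + pan[-4:]

def pos_build_auth_request(protected_pan: str, amount_cents: int) -> dict:
    """Unchanged POS logic: PAN-length digit string, BIN for routing, masked receipt.
    (A Luhn check here would fail without a check-digit-preserving FPE mode, not shown.)"""
    if not (protected_pan.isdigit() and 12 <= len(protected_pan) <= 19):
        raise ValueError("not PAN-shaped")
    return {"bin": protected_pan[:6], "pan": protected_pan, "amount_cents": amount_cents,
            "receipt": "*" * (len(protected_pan) - 4) + protected_pan[-4:]}

def acquirer_authorise(key: bytes, vault: dict, request: dict) -> dict:
    """Only the acquirer holds the key: decrypt, Luhn-check, then issue a token
    for post-authorisation use (random digits, same length, last four kept so
    the merchant's refund and loyalty lookups keep working). vault: token -> PAN."""
    p = request["pan"]
    pan = p[:6] + fpe_decrypt(key, (p[:6] + p[-4:]).encode(), p[6:-4]) + p[-4:]
    if not luhn_ok(pan):
        return {"approved": False, "token": None}
    token = "".join(secrets.choice("0123456789") for _ in pan[:-4]) + pan[-4:]
    vault[token] = pan
    return {"approved": True, "token": token}

def run_flow(pan: str = "4111111111111111", amount_cents: int = 1999) -> dict:
    """Reader -> POS -> acquirer -> token; default PAN is the common Visa test number."""
    key = secrets.token_bytes(32)  # provisioned into the reader and the acquirer HSM
    vault: dict = {}
    protected = reader_encrypt(key, pan)  # this is what leaves the secure reader
    request = pos_build_auth_request(protected, amount_cents)  # all the POS ever holds
    response = acquirer_authorise(key, vault, request)
    recovered = vault.get(response["token"]) if response["approved"] else None
    return {"protected_pan": protected, "pos_record": request, "response": response,
            "live_pan_in_pos": pan in str(request), "recovered": recovered}
```

`run_flow()["live_pan_in_pos"]` is the point of the exercise: everything the POS stores or transmits is PAN-shaped, yet the live PAN never appears in it.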
The Guardian recognizes latest opportunities & challenges in the evolving payments environment
Guardian supplement tackles innovation in payments
UK daily news provider The Guardian has released its latest Innovation in Payments report, a multi-page overview mapping out the changes, trends and opportunities in the global payments industry.

The Innovations in Payments report draws on the comment of leading industry experts to examine what developments are on the horizon and how these are likely to affect the payments landscape. Distributed both as an insert and in electronic format, the report provides an overview of the constantly evolving payments industry and the way it influences and changes the way consumers buy.

The Guardian has been a top provider of daily news since 1821 and has recently exceeded 11.8 million unique visitors in the US alone, overtaking even the BBC. Its Innovation in Payments supplement has a circulation of over 214,000 copies and has been distributed both as an insert in The Guardian and in electronic format, made available to the Guardian's readership of 1.1 million and beyond.

You can download a copy of the report here

Expert Opinion
Metamorphosis in the fraud world
By Deya Innab, EastNets

Deya Innab is Product Development Manager for EastNets. She has worked for KPMG as Advisory Services Senior Manager and has over 16 years of experience in software development and design, IT and project management, and business development.

EastNets, a provider of global compliance and payment solutions and services with over 1,000 customers in 120 countries, provides compliance solutions including anti-money laundering and anti-fraud, Resilient SWIFT Solutions for SWIFT FIN/XML reporting, duplicate detection management, disaster recovery and outsourced SWIFT connectivity with its SWIFT Service Bureau, and Mobile Remittances Solutions enabling secure, compliant mobile remittances.

Fraud is an evolving world. Creativity in inventing fraud trends has no limits and it keeps developing. Creating fraud preventive procedures, controls, regulations and systems is very challenging. It is like creating a viral vaccine to a virus that metamorphoses and keeps transforming to create new immunity lines.

Even the term fraud has come to encompass many forms of misconduct. Although the legal definition of fraud is very specific, for most people the common usage is much broader and generally covers any attempt to deceive another party to gain a benefit. Financial institution fraud, mobile fraud, health care fraud, identity theft, padded expense reports, mortgage fraud, theft of inventory by employees, manipulated financial statements, insider trading. The range of possible fraud schemes is large, but at their core, all of these acts involve a violation of trust. It is this violation, perhaps even more than the resulting financial loss, that makes such crimes so harmful. One of the most critical and challenging fraud
schemas is internal fraud, also known as occupational fraud: "The use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization's resources or assets." Different studies showed that more than 50% of fraud attempts are committed by people already working within an organization, who usually act alone. These fraud attempts account for more than half of the total fraud losses, and only 1/3 of internal fraud attempts are actually detected. It is known that the finance and insurance sector remains particularly vulnerable to fraud committed by external parties, typically involving credit cards, lending fraud and fake insurance claims. Nevertheless, the largest fraud attempts were "inside jobs"; theft of cash, diversion of sales and cheque tampering were the main employee frauds by value.

Why do people commit fraud?
There is no single reason behind fraud, and any explanation of it needs to take into account various factors; that is what makes it very difficult to prevent and/or detect. A common model that brings together a number of different aspects is the fraud triangle. This model is built on the premise that fraud is likely to result from a combination of three factors: motivation, opportunity and rationalization.

Motivation is typically based on either greed or need. In terms of opportunity, fraud is more likely to happen in companies where there is a weak internal control system, poor security over company property, little fear of exposure and likelihood of detection, or unclear policies with regard to acceptable behaviour. As for rationalization, some people may be able to rationalize fraudulent actions as: Necessary, especially when done for business; Harmless, because the victim is large enough to absorb the impact; or Justified, 'because the victim deserved it' or 'because I was misused.'

Organizations have realized that internal fraud is a main driver in overall financial institution losses, it is emerging almost daily, it has significant financial consequences and it is a driver for reputational damage. Because of all of this and more, organizations invest heavily in adopting an anti-fraud framework that provides a healthy environment. This framework has to be continuously developing to compete with the daily emerging frauds world.

When we talk about establishing a healthy anti-fraud framework, prevention should take precedence over detection. What we mean by fraud prevention is creating a work environment that values honesty. This includes hiring honest people, paying them competitively, treating them fairly and providing a safe and secure workplace with strong internal controls. For us to be able to have a preventive mechanism to minimize internal fraud, it is necessary to understand the behaviours and the circumstances around the internal fraud cases and try to eliminate the leakage points.

Fraud Preventive Solutions
The fact that the regulations related to different schemas of fraud are very limited makes the exercise of creating an effective and healthy anti-fraud platform very challenging. When we look at anti-fraud solutions for financial institutions and corporates in the 80 countries that we serve, we look to build a solution that can be configured by building customized scenarios around the internal systems and processes for each organization, to give strong internal control. In addition, an integrated framework enables financial institutions to aggregate data and processes across fraud and AML silos to improve business insight and streamline operational efficiencies.

About: Online Paypers is a bi-weekly update on developments in online payments by The Paypers, the portal for payment professionals.
Editors: Adriana Screpnic, Mihaela Mihaila, Ionela Barbuta and Melisande Mual.
Website: For more information, please visit our websites: www.thepaypers.com
Contact: For more information, you can contact us at: info@thepaypers.com
Subscription info: Online Paypers is a product of The Paypers and is published 24 times per year. Year subscription price: €495
Copyright: 2011 © The Paypers. All rights reserved. Reproduction or redistribution in any form without explicit prior written permission of The Paypers is prohibited.
Disclaimer: The Paypers sees to the utmost reliability of all its news products. Nevertheless we do not accept any responsibility for any possible inaccuracies.