KL
Uploaded byKerri Lorch
155 views

key-trends-in-merchant-security

The document discusses key trends in merchant security and how a multi-layered approach can dramatically reduce risk. It outlines four major trends impacting payments security: EMV, tokenization, contactless payments, and advanced fraud prevention tools. Adopting technologies that complement each other can provide strong defenses throughout the payment processing chain. Early adopters of new security standards will gain a competitive advantage over those who wait.

Embed presentation

Download to read offline
      First Data Market Insight    © 2011 First Data Corporation.  All Rights Reserved.  All trademarks, service marks and trade names referenced in this material are the property of their respective owners.  Key Trends in Merchant Security: A Multi-Layered Approach that Will Dramatically Reduce Risk The world of payments is changing at the point-of-sale and beyond, and opportunities are seemingly endless. The US will adopt EMV standards (even if no one can say how or when). The move from magnetic stripe payment cards to contactless wave-and-go will finally take hold as mobile payments become more main stream. Existing technologies such as tokenization and data analytics are becoming stronger forces as innovations continue to erupt. These opportunities and more extend to merchants, financial institutions, processors, and a host of new-to-the-industry players. Cybercriminals, on the other hand, will have more obstacles to overcome. It is a certainty, though, that fraudsters will adjust, even as heavy-duty security options grow. Criminals will continue to take the path of least resistance. When a merchant plugs one hole in the “security dam,” criminals will move to another hole.
First Data Market Insight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 2 Any security program that does not include the most up-to-date barricades throughout the payment processing chain will drown. Adding layers of data security and fraud prevention tools will better ensure merchants can manage vulnerabilities throughout the payment processing sequence. You must proactively seek the holes and potential weak spots in the dam and plug them. Along with looking at payment systems holistically, growing with the times is essential. Keeping up with data security and fraud protection tools—and being one step ahead of fraudsters’ schemes—are more critical now than ever. The statistics remain compelling: → For the fifth year in a row, data breach costs have continued to rise, hitting an average of $214 per compromised record in 20101 → US fraud losses (credit, debit, and prepaid cards) were $6.89 billion in 2009, and experts believe that fraud will reach $10 billion per year by 20152 → 43 percent of consumers who have been the victims of fraud stop doing business with the merchant where the incident occurred3 → In 2010 alone, one annual study included investigations of nearly 800 new breach incidents—the same number of breach incidents investigated, in total, over the course of the prior five years (from 2004-2009)4 INTRODUCTION Payment choices are expanding. Technology is progressing. Data security tools are advancing. And cybercriminals are adapting. So what is the solution? There is not one. That is, no single solution exists: a multi-level approach to data security and fraud detection allows flexibility and provides a solid defense. Merchants should base their current and future security plans on technologies that complement one another, solving for many susceptibilities throughout the payment processing chain. To help merchants determine their go-forward approach to data security and fraud detection, First Data has identified four trends impacting payments that, together, are already shaping the way businesses protect their payments and their customers’ personal information. → EMV → Tokenization → Contactless/One-Time Use Account Numbers (Dynamic PAN) → Advanced Fraud Prevention and Detection Tools These industry-changing solutions provide ammunition for significant advances in preventing and protecting from breach and fraud, and guarantee that security will be factored into investment choices and operational plans moving forward. The growing significance of data security and fraud detection requires merchants to look today at the potential impacts of tomorrow. Early adopters will have a distinct competitive advantage.
First Data Market Insight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 3 EMV EMV (which stands for EuroPay, MasterCard, and Visa, the three companies that devised the standard) is a common set of standards for payment applications that use chip-based cards. A card’s embedded microprocessor chip interacts with an EMV-enabled terminal to validate the integrity of a card number. It also verifies certain static and dynamic data used in a transaction to ensure the card is not fraudulent and the person using it is the owner of that card. As of the end 2010, there were more than 1 billion5 EMV compliant chip-based payment cards in use worldwide. More than 60 countries use the EMV standard, and the US is the only member of the G20 not to have EMV in place6 . It is not a question of “if” but “when” EMV will become standard in the US. “With the rest of the world migrating to EMV, the US will be at the receiving end of hyperbolic growth in card fraud costs.7 ” Implementation of EMV in the US has the potential to dramatically impact merchants, financial institutions, and consumers. Fraud losses resulting from credit, debit, and prepaid cards in the US are growing at a rate of half a billion dollars each year8 . The EMV system provides increased security and authentication measures to help reduce fraud beyond what a traditional magnetic stripe payment card environment provides. Additionally, EMV may bring a payments fraud “liability shift.” In many regions across the world where EMV is in place currently, a non-EMV compliant merchant/issuer is responsible for fraudulent card payment transaction9 . It is not clear if this particular criterion would be included in the US implementation of EMV standards. What to consider There is no set timeline for EMV standards to be adopted in the US; however merchants who wait for widespread implementation will start at a disadvantage when the standard is accepted. To help reduce fraud, many banks and large retailers are already preparing to implement an EMV solution. Additionally, if a “fraud liability” shift occurs, EMV-ready merchants are in a much better place to manage responses related to compliance. Tools you today should be able to evolve as your needs and the industry changes. For example, choose terminals and card readers that are already EMV-capable such as First Data’s EMV- enabled proprietary POS equipment, scheduled for availability in 2011. For your overall security investments, think about a compilation of parallel solutions to help safeguard various points in the payment process. EMV provides protection against common consumer-level attacks such as the fraudulent use of lost or stolen cards. EMV does not offer “With the rest of the world migrating to EMV, the US will be at the receiving end of hyperbolic growth in card fraud costs.”
First Data Market Insight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 4 that same protection in card-not-present (CNP) environments, however. Nor does it safeguard against the theft of sensitive cardholder information while that data is “in-transit” for processing and acquiring or “at-rest” (stored in terminals or data warehouses). EMV is most effective when used in conjunction with other solutions that protect payment card data once the card is waved or swiped. For a more complete data security resolution, add combinations such as encryption and tokenization to EMV to help safeguard security exposures that exist at various points in the payment process. Tokenization Tokenization is an increasingly popular approach for the protection of sensitive cardholder data. It works by removing Primary Account Numbers (PANs) from the merchant environment and replacing card numbers with random token numbers (or aliases). The alias becomes the customer identifier (as opposed to actual card number’s identifying the customer) in the merchant’s system. This solution vastly reduces a merchant’s risk if a data violation occurs. One of the main breach prospects in the event of a breach is customer payment data that a merchant houses in back- end systems into which criminals can insert malware to extract large amounts of sensitive cardholder information. For example, in 2010, 49 percent of almost 800 breach investigations were attributed to malware10 . The tokenization process eliminates actual cardholder data from entering a merchant’s environment after a transaction has been authorized. If a merchant’s system is breached, the criminals would get the token numbers, which are useless gibberish to a fraudster and cannot be monetized. Compliance management is another important benefit of tokenization. Using token numbers instead of real card data (or even encrypted card data) in back-end business applications shrinks the merchant’s cardholder data environment that is subject to PCI DSS (Payment Card Industry Data Security Standards) compliance requirements and audits. The token number has no value or link back to the original PAN and is therefore out of scope of PCI requirements. This reduction of PCI scope can save merchants significant time and money. What to consider As with all data security and fraud detection solutions, tokenization is only one tier of an effective security program. The tokenization process prevents sensitive cardholder data from entering a merchant’s environment after a transaction has been authorized. Combining this technology with encryption protects the payment process even more effectively. Encryption, which transforms plain text information into a non-readable form, helps protect payment card data prior to authorization. (Encryption on its own is not an all-encompassing solution either: the process meets the PCI requirements for protecting data, but Noncompliance can be costly. In a 2010 survey, the study’s respondents didn’t realize that noncompliance with PCI DSS could include fines of thousands of dollars and a per-card fee for each card that has to be cancelled.
First Data Market Insight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 5 encrypted data is still considered within the scope of PCI requirements for assessment by the PCI Security Council because the actual data is still present.) Noncompliance can be costly. In a 2010 survey, the study’s respondents didn’t realize that noncompliance with PCI DSS could include fines of thousands of dollars and a per-card fee for each card that has to be cancelled.11 When used together, the tools help protect data from the point of wave or swipe through post- authorization storage. That combination of layered tools, which is available in the First Data® TransArmor® solution, shrinks the risk of stolen card data and can lower the cost and effort of a merchant’s annual PCI DSS audit. Contactless and One-Time Use Account Numbers (Dynamic PAN) More than 28612 million Americans have mobile phones and 68 percent13 will have smartphones by 2015. People are texting (over 1.5 trillion14 text messages sent in 2009) and downloading apps (over 3 billion apps15 in four years). Contactless is a wave-and-go payments model. At checkout lanes with specially equipped readers, consumers with a contactless-enabled payment device can save time by simply waving the device within close proximity to a contactless-enabled reader. The technology uses a Near Field Communication (NFC) chip embedded in the payment device—a phone, a card, a key fob, and much more. Contactless payment methods are not new and many payment cards have been contactless-enabled for several years. However, the adoption of contactless in the form of payment cards has not been fully embraced by consumers or businesses. Mobile phone payments and mobile-delivered promotional offers, though, are emerging and these new tools will cause the usage of contactless technology to skyrocket. Mobile contactless transactions are expected to top 2.2 billion16 in 2011. The question on many minds in the industry today pertains to the security of contactless transactions. An electronic payment must be connected to a user’s Primary Account Number for authorization—so if a PAN is stolen, how do we ensure it is not used over and over in a contactless environment? Traditionally, the PAN is read from the magnetic stripe on the payment card when the swipe occurs at the point-of-sale and that real account information is used to complete the payment, leaving the data vulnerable to breach at almost any point in the payments processing lifecycle. With one-time card number technology (also known as Dynamic PAN), “for each transaction a consumer makes, the chip transmits a card number that is good for only a single use. The consumer’s real account information is not used in the payment transaction and would not be available to criminals hacking into a merchant’s system. (The 2010 version of an annual study noted that hacking impacted 89 percent of the breached records included in their analysis of more than 800 data security investigations17 .) Even in the cases of skimming—intercepting card Payments via magnetic stripe technology are on the way to extinction
First Data Market Insight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 6 data between the card and the reader—fraudsters would retrieve the one-time card number and not the real card information. Beyond data security, one-time card numbers, like tokenization, help alleviate PCI compliance concerns since customers’ sensitive data is not kept in the merchants’ systems. What to consider Are you prepared for the contactless revolution? Every indication is that contactless payments are the wave of the future. For example, evidence from various pilot programs shows overwhelmingly that once consumers, especially Generation Y users, have tried contactless payments, they have a strong preference for this method. The 35 years-and-under segment of consumers uses contactless methods twice as often as other consumer segments and should be considered a preferred target market for new contactless products18 . The revolution will likely be small spurts of users jumping on board rather than a mad rush. But, as with EMV and the other trends included in this paper, being proactive is in your best interest. Invest in solutions that work for you today and that are prepared for the inevitable industry changes. Now is the moment to equip your business with contactless-enabled point-of-sale devices if you have not already done so. Arguably, the most important preparation as the mobile revolution is poised to erupt is around security. For contactless payments, one-time card number technology is the industry leading technology in single-solution security. But the theme of layers continues. Include one-time card number technology in your overall plan, in conjunction with EMV to reduce fraud prior to the transaction and tokenization for the same purpose post-authorization. Advanced Fraud Prevention and Detection Tools Fraud prevention and detection tools are not new to the market; however the most recent solutions and those on the horizon are far more sophisticated than previous options. The latest innovations are based on the analysis of commerce behaviors, using shoppers’ overall purchase habits and shopping patterns—not just transaction data—to check for anomalies. Through automated transactional risk scoring and associated decisioning engines, suspicious transactions can be identified and examined in real-time. While merchants should still use Address Verification System (AVS) and Card Verification Value (CVV), stronger strategies leverage fraud detection and prevention systems that “score” the risk level of a transaction based on an expanded database of information. The score is used during the authorization process to determine if a transaction should be accepted, rejected or flagged. (Placing the parameter control in the hands of the merchant allows the automated decisions to be tweaked and revised as trends emerge based on the merchant’s risk tolerance and transaction handling preferences.)
First Data Market Insight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 7 What to consider Accepting eCommerce and other CNP payment options makes automated transactional risk tools even more critical. Online commerce continues to grow; cybercrime is increasingly more prevalent; and customers want more payment options. One of the most difficult challenges with CNP transactions is validating a shopper’s identity: an advanced transactional risk tool is a powerful safeguard to help eCommerce merchants avoid accepting fraudulent payments An experienced, qualified partner is critical to implementing and evolving a sophisticated automated prevention and detection data-based solution—especially to help you manage data-related issues and to identify your risk tolerance. Data is critical to developing the best fraud strategy to protect your business; however, gathering and analyzing the right data is often a challenge. Combining device recognition data with customers’ spending habits and patterns, along with transaction data, is essential to ensuring the right level of protection while maximizing the number of completed sales. CONCLUSION The trends discussed in this paper—EMV; tokenization; contactless and one-time use account numbers; and advanced fraud prevention and detection tools—will define the direction of a successful security strategy going forward. They will impact more than just payment card security and fraud detection: overall business approaches will change as security becomes a higher priority. Savvy merchants are taking more responsibility for their customers’ private data (as evidenced by the recent growth in tokenization use). Staying on top of security requires constant vigilance and growth, however. An approach must be comprehensive and dynamic. Organizations that secure cardholder data with multiple layers of security will be better able to reduce risk and fraud. That, in turn, will enable more business as new payment technologies arise and new ways to steal the sensitive data are devised. Brick-and-mortar, brick-and-click, or completely Web-based, it does not matter where payment transactions take place. Organizations must realize that data security and fraud prevention are essential to the success of their entire business. They are not options; they are a critical to keep the entire dam from bursting. “Money moves and transactions travel but lack of security can stall spending.”19 And customers’ spending is, of course, the basis of all business. Meeting customers’ demands for eCommerce and other card-not-present payment types is good for business. And it yields additional security challenges for merchants
First Data Market Insight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 8 Additional Reading: White Papers from First Data Top 10 Tips to Help Keep Your Data Safe Why Wait for EMV to Solve Your Fraud Problems? One-Time Use Card Numbers Can Reduce Debit Fraud Now A Primer on Payment Security Technologies: Encryption and Tokenization Implementing Tokenization Is Simpler Than You Think Strategies for Reducing the Risk of eCommerce Fraud Sources                                                              1  2010 Annual Study: U.S. Cost of a Data Breach. Ponemon Institute, LLC. March 2011.  2  Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.  3  Javelin Strategy and Research. June 2009.  4 . Verizon  2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United  States Secret Service. 2010.  5  www.emvco.com  6  Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.  7  Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.  8  Ibid.  9  “My Card Club” blog. August 2010.  10  Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United  States Secret Service. 2010.  11  Small Merchant Data Security Study. First Data and National Retail Federation. 2010.  12  Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction  Costs. White paper. First Data. 2010.  13  Mobile Wallets report. Javelin Strategy and Research. January 2011.  14  Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction  Costs. White paper. First Data. 2010.  15  Ibid.  16  “Smart Cards in the US: Contactless Payment Cards.” Packaged Facts May 2007.  17  Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United  States Secret Service. 2010.  18  2010 Study of Consumer Payment Preferences. BAI and Hitachi Consulting. November 2010  19  PYMNTS.com. April 2011.  

More Related Content

PDF
The Path to Payment Security
byTom Cooley
 
DOCX
Target@ Data Breach2edit
byKehinde Adelusi
 
PDF
Multiple tokenization schemes meet the merchant
byUlf Mattsson
 
PDF
EMV in the U.S.: Putting It into Perspective for Merchants and Financial Inst...
by- Mark - Fullbright
 
PDF
Payments glossary
byEsteve Camps Chust
 
PPTX
Sgsits cyber securityworkshop_4mar2017
byAnil Jain
 
PDF
Point sale-pos-systems-security-35357
byprestamonster
 
PDF
Next generation payment technologies gain acceptance
byDawn Kehr
 
The Path to Payment Security
byTom Cooley
 
Target@ Data Breach2edit
byKehinde Adelusi
 
Multiple tokenization schemes meet the merchant
byUlf Mattsson
 
EMV in the U.S.: Putting It into Perspective for Merchants and Financial Inst...
by- Mark - Fullbright
 
Payments glossary
byEsteve Camps Chust
 
Sgsits cyber securityworkshop_4mar2017
byAnil Jain
 
Point sale-pos-systems-security-35357
byprestamonster
 
Next generation payment technologies gain acceptance
byDawn Kehr
 

What's hot

PDF
Cover story
byJeff Vogel
 
PDF
Ali AlMeshal - The need for a secure & trusted payment - ArmIGF 2015
byArm Igf
 
PDF
FreedomPay_Whitepaper_Solutions_For_Hospitality
byJeff Vogel
 
PDF
How contactless payment can boost your business
byGraeme McGilliard
 
PDF
Tokenization
byCentury Business Solutions
 
DOC
Atm theft
byApurva Sharma
 
PPT
Contactless Payment Pp
bycolleneakard
 
PDF
Tokenization: What's Next After PCI?
byEMC
 
PPTX
Requirement of PCI DSS in India.
byCA Priyadarshan Behera
 
DOCX
Requirement of PCI-DSS in India.
byCA Priyadarshan Behera
 
PDF
ATM Fraud Prevention Management White Paper from ESQ
byESQ Business Services
 
PDF
Software for Payment Cards: Choosing Wisely
byCognizant
 
PDF
Data Security: A field guide for franchisors
byGrant Thornton LLP
 
PDF
EMV Liability Shift: Why Financial Institutions Should Get Their ATMs in Line...
byNAFCU Services Corporation
 
PDF
Payment industry trends and opportunity
byDebasis Chakraborty
 
PDF
The Acceptability of the Cash Loading System on On-Line Purchases and Other O...
byInternational Journal of Business Marketing and Management (IJBMM)
 
PPS
Economic offenses through Credit Card Frauds Dissected
byamiable_indian
 
PDF
Attacks on Point-of-Sales Systems | RapidSSLonline
byRapidSSLOnline.com
 
PPT
Visa master card contactless payment in china_v1
byKelvin Tai
 
Cover story
byJeff Vogel
 
Ali AlMeshal - The need for a secure & trusted payment - ArmIGF 2015
byArm Igf
 
FreedomPay_Whitepaper_Solutions_For_Hospitality
byJeff Vogel
 
How contactless payment can boost your business
byGraeme McGilliard
 
Tokenization
byCentury Business Solutions
 
Atm theft
byApurva Sharma
 
Contactless Payment Pp
bycolleneakard
 
Tokenization: What's Next After PCI?
byEMC
 
Requirement of PCI DSS in India.
byCA Priyadarshan Behera
 
Requirement of PCI-DSS in India.
byCA Priyadarshan Behera
 
ATM Fraud Prevention Management White Paper from ESQ
byESQ Business Services
 
Software for Payment Cards: Choosing Wisely
byCognizant
 
Data Security: A field guide for franchisors
byGrant Thornton LLP
 
EMV Liability Shift: Why Financial Institutions Should Get Their ATMs in Line...
byNAFCU Services Corporation
 
Payment industry trends and opportunity
byDebasis Chakraborty
 
The Acceptability of the Cash Loading System on On-Line Purchases and Other O...
byInternational Journal of Business Marketing and Management (IJBMM)
 
Economic offenses through Credit Card Frauds Dissected
byamiable_indian
 
Attacks on Point-of-Sales Systems | RapidSSLonline
byRapidSSLOnline.com
 
Visa master card contactless payment in china_v1
byKelvin Tai
 

Viewers also liked

PPTX
Agua 2 b presentacion
byGuadalupe Najarro
 
PDF
Riso- VIP
byFUNDAÇÃO EDP
 
PPTX
Presentación1 seleccion colombia
byleidycastropin
 
PPTX
P7
byjocavelo
 
PDF
ciha4.pdf
byJeff Smith
 
PDF
NT-33 Report Final
byZack White
 
PDF
Agua 2 b docx
byGuadalupe Najarro
 
PDF
RonButterworthResume2015a
byRon Butterworth
 
PDF
Público - onde o privado tem de ter a primazia é no turismo de saúde - Mig...
byMiguel Guedes de Sousa
 
ODT
Atividade 1.5
byfabrihelmer
 
PDF
C.O.P.S. NOVEMBER 2015 NEWSLETTER
byDC_Police_Union
 
PPTX
LA GERENCIA Y CICLO DE VIDA DE LOS PROYECTOS
byElpale
 
PDF
Ejercicios 1 2-3
byyisellkarin
 
PPS
Enoc martinez insectos en su_esplendor-10715
byEnoc Martinez
 
PDF
Cidades sustentaveis
byblogdoprofbarreto
 
PPS
Enoc martinez surrealismo 4033
byEnoc Martinez
 
PDF
Dica de gestão 4
byAndré Hypolito
 
TXT
Links retocar fotos
byJorge Sánchez
 
DOC
Catarina soares desafio 0 biografias- d. leonor de teles
bycatarinasoares7a
 
DOC
Assignment part 2
byKeith Harrington
 
Agua 2 b presentacion
byGuadalupe Najarro
 
Riso- VIP
byFUNDAÇÃO EDP
 
Presentación1 seleccion colombia
byleidycastropin
 
P7
byjocavelo
 
ciha4.pdf
byJeff Smith
 
NT-33 Report Final
byZack White
 
Agua 2 b docx
byGuadalupe Najarro
 
RonButterworthResume2015a
byRon Butterworth
 
Público - onde o privado tem de ter a primazia é no turismo de saúde - Mig...
byMiguel Guedes de Sousa
 
Atividade 1.5
byfabrihelmer
 
C.O.P.S. NOVEMBER 2015 NEWSLETTER
byDC_Police_Union
 
LA GERENCIA Y CICLO DE VIDA DE LOS PROYECTOS
byElpale
 
Ejercicios 1 2-3
byyisellkarin
 
Enoc martinez insectos en su_esplendor-10715
byEnoc Martinez
 
Cidades sustentaveis
byblogdoprofbarreto
 
Enoc martinez surrealismo 4033
byEnoc Martinez
 
Dica de gestão 4
byAndré Hypolito
 
Links retocar fotos
byJorge Sánchez
 
Catarina soares desafio 0 biografias- d. leonor de teles
bycatarinasoares7a
 
Assignment part 2
byKeith Harrington
 

Similar to key-trends-in-merchant-security

PPTX
Solutionreach Webinar: Will Your Practice Be Ready for EMV by October 2015?
bySolutionreach
 
PPTX
EMV - Is your business ready?
byShannon Walcott
 
PDF
EMV: Preparing for Changes to the Retail Payment Process
by- Mark - Fullbright
 
PPTX
Eight Months of EMV: Early Fraud Shifts and Trajectory
byTransUnion
 
PDF
Card Not Present (CNP) Fraud in a Post-EMV Environment: Combating the Fraud S...
byEMC
 
PPTX
EMV for Merchants
byWCapra
 
PPTX
Emv for merchants 031715
byWCapra
 
PPTX
Hot Topics In Payments DallasAFP Oct 2014
byThabaniNcube8
 
PPTX
Chip Cards: EMV Updates for Parking
byCreditcall
 
PDF
2014 Card and Payments Fraud Forecast
byEMC
 
PPTX
EMV and the consumer Final
byDaniel (Dan) DeBlasio
 
PDF
EMV US whitepaper Bell ID
byNeira Jones
 
PDF
Heartland Secure PPT
byRobert Tarrant
 
PDF
EMV Credit Card Technology in Parking
byParking & Traffic Consultants
 
PPTX
Cybersecurity trends in the banking industry
byMegan Rapp
 
PPTX
Cybersecurity Trends in the Banking Industry1-1
byMegan Rapp
 
PPTX
Cybersecurity trends in the banking industry
byMegan Rapp
 
PDF
Get Ready for EMV and Card Not Present Fraud
byTransUnion
 
PPTX
EMV - The Chips are Coming - Ken Givens U.S. Merchant Payment Solutions 11-15
byKen Givens
 
PDF
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
byCognizant
 
Solutionreach Webinar: Will Your Practice Be Ready for EMV by October 2015?
bySolutionreach
 
EMV - Is your business ready?
byShannon Walcott
 
EMV: Preparing for Changes to the Retail Payment Process
by- Mark - Fullbright
 
Eight Months of EMV: Early Fraud Shifts and Trajectory
byTransUnion
 
Card Not Present (CNP) Fraud in a Post-EMV Environment: Combating the Fraud S...
byEMC
 
EMV for Merchants
byWCapra
 
Emv for merchants 031715
byWCapra
 
Hot Topics In Payments DallasAFP Oct 2014
byThabaniNcube8
 
Chip Cards: EMV Updates for Parking
byCreditcall
 
2014 Card and Payments Fraud Forecast
byEMC
 
EMV and the consumer Final
byDaniel (Dan) DeBlasio
 
EMV US whitepaper Bell ID
byNeira Jones
 
Heartland Secure PPT
byRobert Tarrant
 
EMV Credit Card Technology in Parking
byParking & Traffic Consultants
 
Cybersecurity trends in the banking industry
byMegan Rapp
 
Cybersecurity Trends in the Banking Industry1-1
byMegan Rapp
 
Cybersecurity trends in the banking industry
byMegan Rapp
 
Get Ready for EMV and Card Not Present Fraud
byTransUnion
 
EMV - The Chips are Coming - Ken Givens U.S. Merchant Payment Solutions 11-15
byKen Givens
 
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
byCognizant
 

key-trends-in-merchant-security

  • 1.
          First Data Market Insight    © 2011 First Data Corporation.  All Rights Reserved.  All trademarks, service marks and trade names referenced in this material are the property of their respective owners.  Key Trendsin Merchant Security: A Multi-Layered Approach that Will Dramatically Reduce Risk The world of payments is changing at the point-of-sale and beyond, and opportunities are seemingly endless. The US will adopt EMV standards (even if no one can say how or when). The move from magnetic stripe payment cards to contactless wave-and-go will finally take hold as mobile payments become more main stream. Existing technologies such as tokenization and data analytics are becoming stronger forces as innovations continue to erupt. These opportunities and more extend to merchants, financial institutions, processors, and a host of new-to-the-industry players. Cybercriminals, on the other hand, will have more obstacles to overcome. It is a certainty, though, that fraudsters will adjust, even as heavy-duty security options grow. Criminals will continue to take the path of least resistance. When a merchant plugs one hole in the “security dam,” criminals will move to another hole.
  • 2.
    First Data MarketInsight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 2 Any security program that does not include the most up-to-date barricades throughout the payment processing chain will drown. Adding layers of data security and fraud prevention tools will better ensure merchants can manage vulnerabilities throughout the payment processing sequence. You must proactively seek the holes and potential weak spots in the dam and plug them. Along with looking at payment systems holistically, growing with the times is essential. Keeping up with data security and fraud protection tools—and being one step ahead of fraudsters’ schemes—are more critical now than ever. The statistics remain compelling: → For the fifth year in a row, data breach costs have continued to rise, hitting an average of $214 per compromised record in 20101 → US fraud losses (credit, debit, and prepaid cards) were $6.89 billion in 2009, and experts believe that fraud will reach $10 billion per year by 20152 → 43 percent of consumers who have been the victims of fraud stop doing business with the merchant where the incident occurred3 → In 2010 alone, one annual study included investigations of nearly 800 new breach incidents—the same number of breach incidents investigated, in total, over the course of the prior five years (from 2004-2009)4 INTRODUCTION Payment choices are expanding. Technology is progressing. Data security tools are advancing. And cybercriminals are adapting. So what is the solution? There is not one. That is, no single solution exists: a multi-level approach to data security and fraud detection allows flexibility and provides a solid defense. Merchants should base their current and future security plans on technologies that complement one another, solving for many susceptibilities throughout the payment processing chain. To help merchants determine their go-forward approach to data security and fraud detection, First Data has identified four trends impacting payments that, together, are already shaping the way businesses protect their payments and their customers’ personal information. → EMV → Tokenization → Contactless/One-Time Use Account Numbers (Dynamic PAN) → Advanced Fraud Prevention and Detection Tools These industry-changing solutions provide ammunition for significant advances in preventing and protecting from breach and fraud, and guarantee that security will be factored into investment choices and operational plans moving forward. The growing significance of data security and fraud detection requires merchants to look today at the potential impacts of tomorrow. Early adopters will have a distinct competitive advantage.
  • 3.
    First Data MarketInsight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 3 EMV EMV (which stands for EuroPay, MasterCard, and Visa, the three companies that devised the standard) is a common set of standards for payment applications that use chip-based cards. A card’s embedded microprocessor chip interacts with an EMV-enabled terminal to validate the integrity of a card number. It also verifies certain static and dynamic data used in a transaction to ensure the card is not fraudulent and the person using it is the owner of that card. As of the end 2010, there were more than 1 billion5 EMV compliant chip-based payment cards in use worldwide. More than 60 countries use the EMV standard, and the US is the only member of the G20 not to have EMV in place6 . It is not a question of “if” but “when” EMV will become standard in the US. “With the rest of the world migrating to EMV, the US will be at the receiving end of hyperbolic growth in card fraud costs.7 ” Implementation of EMV in the US has the potential to dramatically impact merchants, financial institutions, and consumers. Fraud losses resulting from credit, debit, and prepaid cards in the US are growing at a rate of half a billion dollars each year8 . The EMV system provides increased security and authentication measures to help reduce fraud beyond what a traditional magnetic stripe payment card environment provides. Additionally, EMV may bring a payments fraud “liability shift.” In many regions across the world where EMV is in place currently, a non-EMV compliant merchant/issuer is responsible for fraudulent card payment transaction9 . It is not clear if this particular criterion would be included in the US implementation of EMV standards. What to consider There is no set timeline for EMV standards to be adopted in the US; however merchants who wait for widespread implementation will start at a disadvantage when the standard is accepted. To help reduce fraud, many banks and large retailers are already preparing to implement an EMV solution. Additionally, if a “fraud liability” shift occurs, EMV-ready merchants are in a much better place to manage responses related to compliance. Tools you today should be able to evolve as your needs and the industry changes. For example, choose terminals and card readers that are already EMV-capable such as First Data’s EMV- enabled proprietary POS equipment, scheduled for availability in 2011. For your overall security investments, think about a compilation of parallel solutions to help safeguard various points in the payment process. EMV provides protection against common consumer-level attacks such as the fraudulent use of lost or stolen cards. EMV does not offer “With the rest of the world migrating to EMV, the US will be at the receiving end of hyperbolic growth in card fraud costs.”
  • 4.
    First Data MarketInsight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 4 that same protection in card-not-present (CNP) environments, however. Nor does it safeguard against the theft of sensitive cardholder information while that data is “in-transit” for processing and acquiring or “at-rest” (stored in terminals or data warehouses). EMV is most effective when used in conjunction with other solutions that protect payment card data once the card is waved or swiped. For a more complete data security resolution, add combinations such as encryption and tokenization to EMV to help safeguard security exposures that exist at various points in the payment process. Tokenization Tokenization is an increasingly popular approach for the protection of sensitive cardholder data. It works by removing Primary Account Numbers (PANs) from the merchant environment and replacing card numbers with random token numbers (or aliases). The alias becomes the customer identifier (as opposed to actual card number’s identifying the customer) in the merchant’s system. This solution vastly reduces a merchant’s risk if a data violation occurs. One of the main breach prospects in the event of a breach is customer payment data that a merchant houses in back- end systems into which criminals can insert malware to extract large amounts of sensitive cardholder information. For example, in 2010, 49 percent of almost 800 breach investigations were attributed to malware10 . The tokenization process eliminates actual cardholder data from entering a merchant’s environment after a transaction has been authorized. If a merchant’s system is breached, the criminals would get the token numbers, which are useless gibberish to a fraudster and cannot be monetized. Compliance management is another important benefit of tokenization. Using token numbers instead of real card data (or even encrypted card data) in back-end business applications shrinks the merchant’s cardholder data environment that is subject to PCI DSS (Payment Card Industry Data Security Standards) compliance requirements and audits. The token number has no value or link back to the original PAN and is therefore out of scope of PCI requirements. This reduction of PCI scope can save merchants significant time and money. What to consider As with all data security and fraud detection solutions, tokenization is only one tier of an effective security program. The tokenization process prevents sensitive cardholder data from entering a merchant’s environment after a transaction has been authorized. Combining this technology with encryption protects the payment process even more effectively. Encryption, which transforms plain text information into a non-readable form, helps protect payment card data prior to authorization. (Encryption on its own is not an all-encompassing solution either: the process meets the PCI requirements for protecting data, but Noncompliance can be costly. In a 2010 survey, the study’s respondents didn’t realize that noncompliance with PCI DSS could include fines of thousands of dollars and a per-card fee for each card that has to be cancelled.
  • 5.
    First Data MarketInsight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 5 encrypted data is still considered within the scope of PCI requirements for assessment by the PCI Security Council because the actual data is still present.) Noncompliance can be costly. In a 2010 survey, the study’s respondents didn’t realize that noncompliance with PCI DSS could include fines of thousands of dollars and a per-card fee for each card that has to be cancelled.11 When used together, the tools help protect data from the point of wave or swipe through post- authorization storage. That combination of layered tools, which is available in the First Data® TransArmor® solution, shrinks the risk of stolen card data and can lower the cost and effort of a merchant’s annual PCI DSS audit. Contactless and One-Time Use Account Numbers (Dynamic PAN) More than 28612 million Americans have mobile phones and 68 percent13 will have smartphones by 2015. People are texting (over 1.5 trillion14 text messages sent in 2009) and downloading apps (over 3 billion apps15 in four years). Contactless is a wave-and-go payments model. At checkout lanes with specially equipped readers, consumers with a contactless-enabled payment device can save time by simply waving the device within close proximity to a contactless-enabled reader. The technology uses a Near Field Communication (NFC) chip embedded in the payment device—a phone, a card, a key fob, and much more. Contactless payment methods are not new and many payment cards have been contactless-enabled for several years. However, the adoption of contactless in the form of payment cards has not been fully embraced by consumers or businesses. Mobile phone payments and mobile-delivered promotional offers, though, are emerging and these new tools will cause the usage of contactless technology to skyrocket. Mobile contactless transactions are expected to top 2.2 billion16 in 2011. The question on many minds in the industry today pertains to the security of contactless transactions. An electronic payment must be connected to a user’s Primary Account Number for authorization—so if a PAN is stolen, how do we ensure it is not used over and over in a contactless environment? Traditionally, the PAN is read from the magnetic stripe on the payment card when the swipe occurs at the point-of-sale and that real account information is used to complete the payment, leaving the data vulnerable to breach at almost any point in the payments processing lifecycle. With one-time card number technology (also known as Dynamic PAN), “for each transaction a consumer makes, the chip transmits a card number that is good for only a single use. The consumer’s real account information is not used in the payment transaction and would not be available to criminals hacking into a merchant’s system. (The 2010 version of an annual study noted that hacking impacted 89 percent of the breached records included in their analysis of more than 800 data security investigations17 .) Even in the cases of skimming—intercepting card Payments via magnetic stripe technology are on the way to extinction
  • 6.
    First Data MarketInsight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 6 data between the card and the reader—fraudsters would retrieve the one-time card number and not the real card information. Beyond data security, one-time card numbers, like tokenization, help alleviate PCI compliance concerns since customers’ sensitive data is not kept in the merchants’ systems. What to consider Are you prepared for the contactless revolution? Every indication is that contactless payments are the wave of the future. For example, evidence from various pilot programs shows overwhelmingly that once consumers, especially Generation Y users, have tried contactless payments, they have a strong preference for this method. The 35 years-and-under segment of consumers uses contactless methods twice as often as other consumer segments and should be considered a preferred target market for new contactless products18 . The revolution will likely be small spurts of users jumping on board rather than a mad rush. But, as with EMV and the other trends included in this paper, being proactive is in your best interest. Invest in solutions that work for you today and that are prepared for the inevitable industry changes. Now is the moment to equip your business with contactless-enabled point-of-sale devices if you have not already done so. Arguably, the most important preparation as the mobile revolution is poised to erupt is around security. For contactless payments, one-time card number technology is the industry leading technology in single-solution security. But the theme of layers continues. Include one-time card number technology in your overall plan, in conjunction with EMV to reduce fraud prior to the transaction and tokenization for the same purpose post-authorization. Advanced Fraud Prevention and Detection Tools Fraud prevention and detection tools are not new to the market; however the most recent solutions and those on the horizon are far more sophisticated than previous options. The latest innovations are based on the analysis of commerce behaviors, using shoppers’ overall purchase habits and shopping patterns—not just transaction data—to check for anomalies. Through automated transactional risk scoring and associated decisioning engines, suspicious transactions can be identified and examined in real-time. While merchants should still use Address Verification System (AVS) and Card Verification Value (CVV), stronger strategies leverage fraud detection and prevention systems that “score” the risk level of a transaction based on an expanded database of information. The score is used during the authorization process to determine if a transaction should be accepted, rejected or flagged. (Placing the parameter control in the hands of the merchant allows the automated decisions to be tweaked and revised as trends emerge based on the merchant’s risk tolerance and transaction handling preferences.)
  • 7.
    First Data MarketInsight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 7 What to consider Accepting eCommerce and other CNP payment options makes automated transactional risk tools even more critical. Online commerce continues to grow; cybercrime is increasingly more prevalent; and customers want more payment options. One of the most difficult challenges with CNP transactions is validating a shopper’s identity: an advanced transactional risk tool is a powerful safeguard to help eCommerce merchants avoid accepting fraudulent payments An experienced, qualified partner is critical to implementing and evolving a sophisticated automated prevention and detection data-based solution—especially to help you manage data-related issues and to identify your risk tolerance. Data is critical to developing the best fraud strategy to protect your business; however, gathering and analyzing the right data is often a challenge. Combining device recognition data with customers’ spending habits and patterns, along with transaction data, is essential to ensuring the right level of protection while maximizing the number of completed sales. CONCLUSION The trends discussed in this paper—EMV; tokenization; contactless and one-time use account numbers; and advanced fraud prevention and detection tools—will define the direction of a successful security strategy going forward. They will impact more than just payment card security and fraud detection: overall business approaches will change as security becomes a higher priority. Savvy merchants are taking more responsibility for their customers’ private data (as evidenced by the recent growth in tokenization use). Staying on top of security requires constant vigilance and growth, however. An approach must be comprehensive and dynamic. Organizations that secure cardholder data with multiple layers of security will be better able to reduce risk and fraud. That, in turn, will enable more business as new payment technologies arise and new ways to steal the sensitive data are devised. Brick-and-mortar, brick-and-click, or completely Web-based, it does not matter where payment transactions take place. Organizations must realize that data security and fraud prevention are essential to the success of their entire business. They are not options; they are a critical to keep the entire dam from bursting. “Money moves and transactions travel but lack of security can stall spending.”19 And customers’ spending is, of course, the basis of all business. Meeting customers’ demands for eCommerce and other card-not-present payment types is good for business. And it yields additional security challenges for merchants
  • 8.
    First Data MarketInsight © 2011 First Data Corporation. All Rights Reserved. firstdata.com page 8 Additional Reading: White Papers from First Data Top 10 Tips to Help Keep Your Data Safe Why Wait for EMV to Solve Your Fraud Problems? One-Time Use Card Numbers Can Reduce Debit Fraud Now A Primer on Payment Security Technologies: Encryption and Tokenization Implementing Tokenization Is Simpler Than You Think Strategies for Reducing the Risk of eCommerce Fraud Sources                                                              1  2010 Annual Study: U.S. Cost of a Data Breach. Ponemon Institute, LLC. March 2011.  2  Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.  3  Javelin Strategy and Research. June 2009.  4 . Verizon  2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United  States Secret Service. 2010.  5  www.emvco.com  6  Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.  7  Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.  8  Ibid.  9  “My Card Club” blog. August 2010.  10  Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United  States Secret Service. 2010.  11  Small Merchant Data Security Study. First Data and National Retail Federation. 2010.  12  Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction  Costs. White paper. First Data. 2010.  13  Mobile Wallets report. Javelin Strategy and Research. January 2011.  14  Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction  Costs. White paper. First Data. 2010.  15  Ibid.  16  “Smart Cards in the US: Contactless Payment Cards.” Packaged Facts May 2007.  17  Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United  States Secret Service. 2010.  18  2010 Study of Consumer Payment Preferences. BAI and Hitachi Consulting. November 2010  19  PYMNTS.com. April 2011.