First Data Market Insight   
© 2011 First Data Corporation.  All Rights Reserved.  All trademarks, service marks and trade names referenced in this material are the property of their respective owners. 
Key Trends in Merchant Security: A
Multi-Layered Approach that Will
Dramatically Reduce Risk
The world of payments is changing at the point-of-sale and beyond, and
opportunities are seemingly endless. The US will adopt EMV standards
(even if no one can say how or when). The move from magnetic stripe
payment cards to contactless wave-and-go will finally take hold as mobile
payments become more mainstream. Existing technologies such as
tokenization and data analytics are becoming stronger forces as
innovations continue to erupt.
These opportunities and more extend to merchants, financial institutions,
processors, and a host of new-to-the-industry players. Cybercriminals, on
the other hand, will have more obstacles to overcome. It is a certainty,
though, that fraudsters will adjust, even as heavy-duty security options
grow. Criminals will continue to take the path of least resistance. When a
merchant plugs one hole in the “security dam,” criminals will move to
another hole.
Any security program that does not include the most up-to-date barricades throughout the
payment processing chain will drown. Adding layers of data security and fraud prevention tools
will better ensure merchants can manage vulnerabilities throughout the payment processing
sequence. You must proactively seek the holes and potential weak spots in the dam and plug
them.
Along with looking at payment systems holistically, growing with the times is essential. Keeping
up with data security and fraud protection tools—and being one step ahead of fraudsters’
schemes—are more critical now than ever. The statistics remain compelling:
→ For the fifth year in a row, data breach costs have continued to rise, hitting an
average of $214 per compromised record in 2010 [1]
→ US fraud losses (credit, debit, and prepaid cards) were $6.89 billion in 2009, and
experts believe that fraud will reach $10 billion per year by 2015 [2]
→ 43 percent of consumers who have been the victims of fraud stop doing business with
the merchant where the incident occurred [3]
→ In 2010 alone, one annual study included investigations of nearly 800 new breach
incidents—the same number of breach incidents investigated, in total, over the course
of the prior five years (from 2004-2009) [4]
INTRODUCTION
Payment choices are expanding. Technology is progressing. Data security tools are advancing.
And cybercriminals are adapting.
So what is the solution? There is not one. That is, no single solution exists: a multi-level
approach to data security and fraud detection allows flexibility and provides a solid defense.
Merchants should base their current and future security plans on technologies that complement
one another, solving for many susceptibilities throughout the payment processing chain.
To help merchants determine their go-forward approach to data security and fraud detection,
First Data has identified four trends impacting payments that, together, are already shaping the
way businesses protect their payments and their customers’ personal information.
→ EMV
→ Tokenization
→ Contactless/One-Time Use Account Numbers (Dynamic PAN)
→ Advanced Fraud Prevention and Detection Tools
These industry-changing solutions provide ammunition for significant advances in preventing
and protecting from breach and fraud, and guarantee that security will be factored into
investment choices and operational plans moving forward. The growing significance of data
security and fraud detection requires merchants to look today at the potential impacts of
tomorrow. Early adopters will have a distinct competitive advantage.
EMV
EMV (which stands for EuroPay, MasterCard, and Visa, the three companies that devised the
standard) is a common set of standards for payment applications that use chip-based cards.
A card’s embedded microprocessor chip interacts with an EMV-enabled terminal to validate the
integrity of a card number. It also verifies certain static and dynamic data used in a transaction
to ensure the card is not fraudulent and the person using it is the owner of that card.
As of the end of 2010, there were more than 1 billion [5] EMV-compliant
chip-based payment cards in use worldwide. More than 60 countries use the
EMV standard, and the US is the only member of the G20 not to have EMV in
place [6].
It is not a question of “if” but “when” EMV will become standard in the US.
“With the rest of the world migrating to EMV, the US will be at the receiving
end of hyperbolic growth in card fraud costs.” [7]
Implementation of EMV in the US has the potential to
dramatically impact merchants, financial institutions, and
consumers. Fraud losses resulting from credit, debit, and
prepaid cards in the US are growing at a rate of half a billion
dollars each year [8]. The EMV system provides increased
security and authentication measures to help reduce fraud
beyond what a traditional magnetic stripe payment card
environment provides.
Additionally, EMV may bring a payments fraud “liability shift.” In many regions across the world
where EMV is in place currently, a non-EMV compliant merchant/issuer is responsible for
fraudulent card payment transactions [9]. It is not clear if this particular criterion would be included
in the US implementation of EMV standards.
What to consider
There is no set timeline for EMV standards to be adopted in the US; however merchants who
wait for widespread implementation will start at a disadvantage when the standard is accepted.
To help reduce fraud, many banks and large retailers are already preparing to implement an
EMV solution. Additionally, if a “fraud liability” shift occurs, EMV-ready merchants are in a much
better place to manage responses related to compliance.
Tools you choose today should be able to evolve as your needs and the industry change. For
example, choose terminals and card readers that are already EMV-capable, such as First Data’s
EMV-enabled proprietary POS equipment, scheduled for availability in 2011.
For your overall security investments, think about a compilation of parallel solutions to help
safeguard various points in the payment process. EMV provides protection against common
consumer-level attacks such as the fraudulent use of lost or stolen cards. EMV does not offer
that same protection in card-not-present (CNP) environments, however. Nor does it safeguard
against the theft of sensitive cardholder information while that data is “in-transit” for processing
and acquiring or “at-rest” (stored in terminals or data warehouses). EMV is most effective when
used in conjunction with other solutions that protect payment card data once the card is waved
or swiped. For a more complete data security resolution, add combinations such as encryption
and tokenization to EMV to help safeguard security exposures that exist at various points in the
payment process.
Tokenization
Tokenization is an increasingly popular approach for the protection of sensitive cardholder data.
It works by removing Primary Account Numbers (PANs) from the merchant environment and
replacing card numbers with random token numbers (or aliases). The alias becomes the
customer identifier (as opposed to the actual card number identifying the customer) in the
merchant’s system.
This solution vastly reduces a merchant’s risk if a data violation occurs. One of the main targets
in the event of a breach is customer payment data that a merchant houses in back-end systems,
into which criminals can insert malware to extract large amounts of sensitive
cardholder information. For example, in 2010, 49 percent of almost 800 breach investigations
were attributed to malware [10]. The tokenization process keeps actual cardholder data from
entering a merchant’s environment after a transaction has been authorized. If a merchant’s
system is breached, the criminals would get the token numbers, which are useless gibberish to
a fraudster and cannot be monetized.
Compliance management is another important benefit of tokenization. Using token numbers
instead of real card data (or even encrypted card data) in back-end business applications
shrinks the merchant’s cardholder data environment that is subject to PCI DSS (Payment Card
Industry Data Security Standards) compliance requirements and audits. The token number has
no value or link back to the original PAN and is therefore out of scope of PCI requirements. This
reduction of PCI scope can save merchants significant time and money.
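
The token-for-PAN substitution described above, as an added sketch that is not First Data's code or the TransArmor implementation: a hypothetical processor-side `TokenVault` issues random aliases, and `find_pan_candidates` is the kind of scan a merchant can run over back-end records to confirm no real card numbers remain. The card numbers are public test PANs, the order records are constructed, and making tokens deliberately fail the Luhn check is a design choice assumed here.

```python
import re
import secrets


def luhn_valid(number):
    """True if a digit string passes the Luhn checksum used by card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service run by the processor, outside the merchant."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        """Return the alias for a PAN, creating a random one on first use."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing     # same card, same alias: usable as customer identifier
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            # Assumed design choice: a token must fail Luhn, so it can never be
            # mistaken for (or collide with) a live card number.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the vault can map an alias back; the merchant holds no mapping."""
        return self._pan_by_token[token]


PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pan_candidates(records):
    """Scan stored records for digit runs that look like real card numbers."""
    hits = []
    for record in records:
        for value in record.values():
            for run in PAN_CANDIDATE.findall(str(value)):
                if luhn_valid(run):
                    hits.append(run)
    return hits


def demo():
    """Build the same constructed order history with and without tokenization."""
    vault = TokenVault()
    sales = [                      # constructed sample data, public test PANs
        ("A-1001", "4111111111111111", "42.50"),
        ("A-1002", "5555555555554444", "19.99"),
        ("A-1003", "4111111111111111", "7.25"),
    ]
    legacy_db = [{"order": o, "card": pan, "amount": a} for o, pan, a in sales]
    tokenized_db = [
        {"order": o, "card": vault.tokenize(pan), "amount": a} for o, pan, a in sales
    ]
    return legacy_db, tokenized_db, vault


if __name__ == "__main__":
    legacy, tokenized, _ = demo()
    print("PANs exposed in legacy store:   ", len(find_pan_candidates(legacy)))
    print("PANs exposed in tokenized store:", len(find_pan_candidates(tokenized)))
```
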
What to consider
As with all data security and fraud detection
solutions, tokenization is only one tier of an effective
security program. The tokenization process prevents
sensitive cardholder data from entering a merchant’s
environment after a transaction has been authorized.
Combining this technology with encryption protects
the payment process even more effectively.
Encryption, which transforms plain text information
into a non-readable form, helps protect payment card
data prior to authorization. (Encryption on its own is
not an all-encompassing solution either: the process
meets the PCI requirements for protecting data, but
encrypted data is still considered within the scope of PCI requirements for assessment by the
PCI Security Council because the actual data is still present.) Noncompliance can be costly. In a
2010 survey, the study’s respondents didn’t realize that noncompliance with PCI DSS could
include fines of thousands of dollars and a per-card fee for each card that has to be cancelled. [11]
When used together, the tools help protect data from the point of wave or swipe through post-
authorization storage. That combination of layered tools, which is available in the First Data®
TransArmor® solution, shrinks the risk of stolen card data and can lower the cost and effort of a
merchant’s annual PCI DSS audit.
Contactless and One-Time Use Account Numbers (Dynamic PAN)
More than 286 million [12] Americans have mobile phones and 68 percent [13] will have
smartphones by 2015. People are texting (over 1.5 trillion [14] text messages sent in 2009)
and downloading apps (over 3 billion apps [15] in four years).
Contactless is a wave-and-go payments model. At checkout lanes with specially equipped
readers, consumers with a contactless-enabled payment device can save time by simply waving
the device within close proximity to a contactless-enabled reader. The technology uses a Near
Field Communication (NFC) chip embedded in the
payment device—a phone, a card, a key fob, and much
more.
Contactless payment methods are not new and many
payment cards have been contactless-enabled for
several years. However, the adoption of contactless in
the form of payment cards has not been fully embraced by consumers or businesses. Mobile
phone payments and mobile-delivered promotional offers, though, are emerging and these new
tools will cause the usage of contactless technology to skyrocket. Mobile contactless
transactions are expected to top 2.2 billion [16] in 2011.
The question on many minds in the industry today pertains to the security of contactless
transactions. An electronic payment must be connected to a user’s Primary Account Number for
authorization—so if a PAN is stolen, how do we ensure it is not used over and over in a
contactless environment?
Traditionally, the PAN is read from the magnetic stripe on the payment card when the swipe
occurs at the point-of-sale and that real account information is used to complete the payment,
leaving the data vulnerable to breach at almost any point in the payments processing lifecycle.
With one-time card number technology (also known as Dynamic PAN), “for each transaction a
consumer makes, the chip transmits a card number that is good for only a single use. The
consumer’s real account information is not used in the payment transaction and would not be
available to criminals hacking into a merchant’s system. (The 2010 version of an annual study
noted that hacking impacted 89 percent of the breached records included in their analysis of
more than 800 data security investigations [17].) Even in the cases of skimming—intercepting card
data between the card and the reader—fraudsters would retrieve the one-time card number and
not the real card information.
Payments via magnetic stripe technology are on the way to extinction
Beyond data security, one-time card numbers, like tokenization, help alleviate PCI compliance
concerns since customers’ sensitive data is not kept in the merchants’ systems.
What to consider
Are you prepared for the contactless revolution? Every indication is that contactless payments
are the wave of the future. For example, evidence from various pilot programs shows
overwhelmingly that once consumers, especially Generation Y users, have tried contactless
payments, they have a strong preference for this method. The 35 years-and-under segment of
consumers uses contactless methods twice as often as other consumer segments and should
be considered a preferred target market for new contactless products [18].
The revolution will likely be small spurts of users jumping on board rather than a mad rush. But,
as with EMV and the other trends included in this paper, being proactive is in your best interest.
Invest in solutions that work for you today and that are prepared for the inevitable industry
changes. Now is the moment to equip your business with contactless-enabled point-of-sale
devices if you have not already done so.
Arguably, the most important preparation as the mobile revolution is poised to erupt is around
security. For contactless payments, one-time card number technology is the industry leading
technology in single-solution security. But the theme of layers continues. Include one-time card
number technology in your overall plan, in conjunction with EMV to reduce fraud prior to the
transaction and tokenization for the same purpose post-authorization.
Advanced Fraud Prevention and Detection Tools
Fraud prevention and detection tools are not new to the market; however the most recent
solutions and those on the horizon are far more sophisticated than previous options. The latest
innovations are based on the analysis of commerce behaviors, using shoppers’ overall
purchase habits and shopping patterns—not just transaction data—to check for anomalies.
Through automated transactional risk scoring and associated decisioning engines, suspicious
transactions can be identified and examined in real-time.
While merchants should still use Address Verification System (AVS) and Card Verification Value
(CVV), stronger strategies leverage fraud detection and prevention systems that “score” the risk
level of a transaction based on an expanded database of information. The score is used during
the authorization process to determine if a transaction should be accepted, rejected or flagged.
(Placing the parameter control in the hands of the merchant allows the automated decisions to
be tweaked and revised as trends emerge based on the merchant’s risk tolerance and
transaction handling preferences.)
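
The score-then-decide flow described above, as an added sketch that is not taken from any First Data product: the signal names, weights, the "3x typical amount" rule and the `MerchantPolicy` thresholds are all illustrative assumptions, and the transactions are constructed. It shows how the same score leads to different outcomes when the merchant adjusts its own thresholds.

```python
from dataclasses import dataclass

# Illustrative weights (assumptions, not values from a real scoring engine).
WEIGHTS = {
    "avs_mismatch": 25,
    "cvv_mismatch": 35,
    "unrecognized_device": 15,
    "amount_far_above_habit": 20,
    "card_not_present": 5,
}


@dataclass(frozen=True)
class Transaction:
    amount: float
    card_present: bool
    avs_match: bool
    cvv_match: bool
    device_id: str


@dataclass(frozen=True)
class ShopperHistory:
    """What the merchant already knows about this shopper's behavior."""
    typical_amount: float
    known_devices: frozenset


@dataclass(frozen=True)
class MerchantPolicy:
    """Thresholds the merchant controls, reflecting its own risk tolerance."""
    flag_at: int
    reject_at: int

    def __post_init__(self):
        if not 0 <= self.flag_at <= self.reject_at <= 100:
            raise ValueError("need 0 <= flag_at <= reject_at <= 100")


def risk_signals(txn, history):
    """List which risk signals fire, so a reviewer can see why a score is high."""
    signals = []
    if not txn.avs_match:
        signals.append("avs_mismatch")
    if not txn.cvv_match:
        signals.append("cvv_mismatch")
    if txn.device_id not in history.known_devices:
        signals.append("unrecognized_device")
    if history.typical_amount > 0 and txn.amount > 3 * history.typical_amount:
        signals.append("amount_far_above_habit")
    if not txn.card_present:
        signals.append("card_not_present")
    return signals


def risk_score(txn, history):
    """Sum the weights of the fired signals, capped at 100."""
    return min(100, sum(WEIGHTS[s] for s in risk_signals(txn, history)))


def decide(txn, history, policy):
    """Map the score to accept / flag / reject under the merchant's policy."""
    score = risk_score(txn, history)
    if score >= policy.reject_at:
        return "reject"
    if score >= policy.flag_at:
        return "flag"
    return "accept"


# Constructed sample data.
HISTORY = ShopperHistory(typical_amount=40.0, known_devices=frozenset({"dev-laptop-1"}))
ROUTINE = Transaction(35.0, False, True, True, "dev-laptop-1")
UNUSUAL = Transaction(400.0, False, False, True, "dev-unknown-9")
STRICT = MerchantPolicy(flag_at=30, reject_at=60)
LENIENT = MerchantPolicy(flag_at=50, reject_at=80)

if __name__ == "__main__":
    for name, txn in (("routine", ROUTINE), ("unusual", UNUSUAL)):
        print(name, risk_score(txn, HISTORY), risk_signals(txn, HISTORY),
              decide(txn, HISTORY, STRICT), decide(txn, HISTORY, LENIENT))
```
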
What to consider
Accepting eCommerce and other CNP payment
options makes automated transactional risk tools
even more critical. Online commerce continues to
grow; cybercrime is increasingly more prevalent;
and customers want more payment options. One of
the most difficult challenges with CNP transactions
is validating a shopper’s identity: an advanced
transactional risk tool is a powerful safeguard to
help eCommerce merchants avoid accepting
fraudulent payments.
An experienced, qualified partner is critical to
implementing and evolving a sophisticated automated prevention and detection data-based
solution—especially to help you manage data-related issues and to identify your risk tolerance.
Data is critical to developing the best fraud strategy to protect your business; however,
gathering and analyzing the right data is often a challenge. Combining device recognition data
with customers’ spending habits and patterns, along with transaction data, is essential to
ensuring the right level of protection while maximizing the number of completed sales.
CONCLUSION
The trends discussed in this paper—EMV; tokenization; contactless and one-time use account
numbers; and advanced fraud prevention and detection tools—will define the direction of a
successful security strategy going forward. They will impact more than just payment card
security and fraud detection: overall business approaches will change as security becomes a
higher priority.
Savvy merchants are taking more responsibility for their customers’ private data (as evidenced
by the recent growth in tokenization use). Staying on top of security requires constant vigilance
and growth, however. An approach must be comprehensive and dynamic. Organizations that
secure cardholder data with multiple layers of security will be better able to reduce risk and
fraud. That, in turn, will enable more business as new payment technologies arise and new
ways to steal the sensitive data are devised.
Brick-and-mortar, brick-and-click, or completely Web-based, it does not matter where payment
transactions take place. Organizations must realize that data security and fraud prevention are
essential to the success of their entire business. They are not options; they are critical to keeping
the entire dam from bursting.
“Money moves and transactions travel but lack of security can stall spending.” [19] And customers’
spending is, of course, the basis of all business.
Meeting customers’ demands for eCommerce and other card-not-present payment types is good for
business. And it yields additional security challenges for merchants
Additional Reading: White Papers from First Data
Top 10 Tips to Help Keep Your Data Safe
Why Wait for EMV to Solve Your Fraud Problems? One-Time Use Card Numbers Can Reduce Debit Fraud Now
A Primer on Payment Security Technologies: Encryption and Tokenization
Implementing Tokenization Is Simpler Than You Think
Strategies for Reducing the Risk of eCommerce Fraud
Sources
1. 2010 Annual Study: U.S. Cost of a Data Breach. Ponemon Institute, LLC. March 2011.
2. Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.
3. Javelin Strategy and Research. June 2009.
4. Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United States Secret Service. 2010.
5. www.emvco.com
6. Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.
7. Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.
8. Ibid.
9. “My Card Club” blog. August 2010.
10. Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United States Secret Service. 2010.
11. Small Merchant Data Security Study. First Data and National Retail Federation. 2010.
12. Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction Costs. White paper. First Data. 2010.
13. Mobile Wallets report. Javelin Strategy and Research. January 2011.
14. Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction Costs. White paper. First Data. 2010.
15. Ibid.
16. “Smart Cards in the US: Contactless Payment Cards.” Packaged Facts. May 2007.
17. Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United States Secret Service. 2010.
18. 2010 Study of Consumer Payment Preferences. BAI and Hitachi Consulting. November 2010.
19. PYMNTS.com. April 2011.

Chip and Skim: cloning EMV cards with the pre-play attack
- Mark - Fullbright
 
Man in-the-middle-defence
Man in-the-middle-defenceMan in-the-middle-defence
Man in-the-middle-defenceHai Nguyen
 
EMV Chip Cards
EMV Chip CardsEMV Chip Cards
EMV Chip Cardstxheaven
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
theijes
 
Demystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales SystemsDemystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales Systems
Symantec
 
Small_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSmall_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSteve Abrams
 
EMV: What you Need to Know
EMV: What you Need to KnowEMV: What you Need to Know
EMV: What you Need to Know
Total Merchant Services
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and Threats
BPalmer13
 

Similar to key-trends-in-merchant-security (20)

Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of FraudstersSecure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
 
Hacking Point of Sale
Hacking Point of SaleHacking Point of Sale
Hacking Point of Sale
 
EMV: Preparing for Changes to the Retail Payment Process
EMV: Preparing for Changes to the Retail Payment ProcessEMV: Preparing for Changes to the Retail Payment Process
EMV: Preparing for Changes to the Retail Payment Process
 
QSecure Presentation at RSA 2011
QSecure Presentation at RSA 2011QSecure Presentation at RSA 2011
QSecure Presentation at RSA 2011
 
EMV - Is your business ready?
EMV - Is your business ready?EMV - Is your business ready?
EMV - Is your business ready?
 
All You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptxAll You Wanted To Know About Top Online Payment Security Methods.pptx
All You Wanted To Know About Top Online Payment Security Methods.pptx
 
Attacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By SymantecAttacks on Point of Sale systems - By Symantec
Attacks on Point of Sale systems - By Symantec
 
Senate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_RicheySenate_2014_Data_Breach_Testimony_Richey
Senate_2014_Data_Breach_Testimony_Richey
 
White paper-safe-secure-payments-master card-approach-usa
White paper-safe-secure-payments-master card-approach-usaWhite paper-safe-secure-payments-master card-approach-usa
White paper-safe-secure-payments-master card-approach-usa
 
FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...
FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...
FT Partners Research: Transaction Security - At the Nexus of E-Commerce, Paym...
 
EMV and the consumer Final
EMV and the consumer FinalEMV and the consumer Final
EMV and the consumer Final
 
Chip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attackChip and Skim: cloning EMV cards with the pre-play attack
Chip and Skim: cloning EMV cards with the pre-play attack
 
Man in-the-middle-defence
Man in-the-middle-defenceMan in-the-middle-defence
Man in-the-middle-defence
 
EMV Chip Cards
EMV Chip CardsEMV Chip Cards
EMV Chip Cards
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
 
SBMS EMV Doc
SBMS EMV Doc SBMS EMV Doc
SBMS EMV Doc
 
Demystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales SystemsDemystifying Attacks on Point of Sales Systems
Demystifying Attacks on Point of Sales Systems
 
Small_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSmall_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_Payments
 
EMV: What you Need to Know
EMV: What you Need to KnowEMV: What you Need to Know
EMV: What you Need to Know
 
E-commerce Security and Threats
E-commerce Security and ThreatsE-commerce Security and Threats
E-commerce Security and Threats
 

key-trends-in-merchant-security

First Data Market Insight

© 2011 First Data Corporation. All Rights Reserved. All trademarks, service marks and trade names referenced in this material are the property of their respective owners.

Key Trends in Merchant Security: A Multi-Layered Approach that Will Dramatically Reduce Risk

The world of payments is changing at the point-of-sale and beyond, and opportunities are seemingly endless. The US will adopt EMV standards (even if no one can say how or when). The move from magnetic stripe payment cards to contactless wave-and-go will finally take hold as mobile payments become more mainstream. Existing technologies such as tokenization and data analytics are becoming stronger forces as innovations continue to erupt.

These opportunities and more extend to merchants, financial institutions, processors, and a host of new-to-the-industry players. Cybercriminals, on the other hand, will have more obstacles to overcome. It is a certainty, though, that fraudsters will adjust, even as heavy-duty security options grow. Criminals will continue to take the path of least resistance. When a merchant plugs one hole in the “security dam,” criminals will move to another hole.

Any security program that does not include the most up-to-date barricades throughout the payment processing chain will drown. Adding layers of data security and fraud prevention tools will better ensure merchants can manage vulnerabilities throughout the payment processing sequence. You must proactively seek the holes and potential weak spots in the dam and plug them.

Along with looking at payment systems holistically, growing with the times is essential. Keeping up with data security and fraud protection tools—and being one step ahead of fraudsters’ schemes—are more critical now than ever. The statistics remain compelling:

→ For the fifth year in a row, data breach costs have continued to rise, hitting an average of $214 per compromised record in 2010 [1]
→ US fraud losses (credit, debit, and prepaid cards) were $6.89 billion in 2009, and experts believe that fraud will reach $10 billion per year by 2015 [2]
→ 43 percent of consumers who have been the victims of fraud stop doing business with the merchant where the incident occurred [3]
→ In 2010 alone, one annual study included investigations of nearly 800 new breach incidents—the same number of breach incidents investigated, in total, over the course of the prior five years (from 2004-2009) [4]

INTRODUCTION

Payment choices are expanding. Technology is progressing. Data security tools are advancing. And cybercriminals are adapting. So what is the solution? There is not one. That is, no single solution exists: a multi-level approach to data security and fraud detection allows flexibility and provides a solid defense. Merchants should base their current and future security plans on technologies that complement one another, solving for many susceptibilities throughout the payment processing chain.

To help merchants determine their go-forward approach to data security and fraud detection, First Data has identified four trends impacting payments that, together, are already shaping the way businesses protect their payments and their customers’ personal information.

→ EMV
→ Tokenization
→ Contactless/One-Time Use Account Numbers (Dynamic PAN)
→ Advanced Fraud Prevention and Detection Tools

These industry-changing solutions provide ammunition for significant advances in preventing and protecting from breach and fraud, and guarantee that security will be factored into investment choices and operational plans moving forward. The growing significance of data security and fraud detection requires merchants to look today at the potential impacts of tomorrow. Early adopters will have a distinct competitive advantage.

EMV

EMV (which stands for EuroPay, MasterCard, and Visa, the three companies that devised the standard) is a common set of standards for payment applications that use chip-based cards. A card’s embedded microprocessor chip interacts with an EMV-enabled terminal to validate the integrity of a card number. It also verifies certain static and dynamic data used in a transaction to ensure the card is not fraudulent and the person using it is the owner of that card.

As of the end of 2010, there were more than 1 billion [5] EMV compliant chip-based payment cards in use worldwide. More than 60 countries use the EMV standard, and the US is the only member of the G20 not to have EMV in place [6]. It is not a question of “if” but “when” EMV will become standard in the US. “With the rest of the world migrating to EMV, the US will be at the receiving end of hyperbolic growth in card fraud costs.” [7]

Implementation of EMV in the US has the potential to dramatically impact merchants, financial institutions, and consumers. Fraud losses resulting from credit, debit, and prepaid cards in the US are growing at a rate of half a billion dollars each year [8]. The EMV system provides increased security and authentication measures to help reduce fraud beyond what a traditional magnetic stripe payment card environment provides.

Additionally, EMV may bring a payments fraud “liability shift.” In many regions across the world where EMV is in place currently, a non-EMV compliant merchant/issuer is responsible for fraudulent card payment transactions [9]. It is not clear if this particular criterion would be included in the US implementation of EMV standards.

What to consider

There is no set timeline for EMV standards to be adopted in the US; however, merchants who wait for widespread implementation will start at a disadvantage when the standard is accepted. To help reduce fraud, many banks and large retailers are already preparing to implement an EMV solution. Additionally, if a “fraud liability” shift occurs, EMV-ready merchants are in a much better place to manage responses related to compliance.

Tools you choose today should be able to evolve as your needs and the industry change. For example, choose terminals and card readers that are already EMV-capable such as First Data’s EMV-enabled proprietary POS equipment, scheduled for availability in 2011.

For your overall security investments, think about a compilation of parallel solutions to help safeguard various points in the payment process. EMV provides protection against common consumer-level attacks such as the fraudulent use of lost or stolen cards. EMV does not offer that same protection in card-not-present (CNP) environments, however. Nor does it safeguard against the theft of sensitive cardholder information while that data is “in-transit” for processing and acquiring or “at-rest” (stored in terminals or data warehouses).

EMV is most effective when used in conjunction with other solutions that protect payment card data once the card is waved or swiped. For a more complete data security resolution, add combinations such as encryption and tokenization to EMV to help safeguard security exposures that exist at various points in the payment process.

Tokenization

Tokenization is an increasingly popular approach for the protection of sensitive cardholder data. It works by removing Primary Account Numbers (PANs) from the merchant environment and replacing card numbers with random token numbers (or aliases). The alias becomes the customer identifier (as opposed to the actual card number identifying the customer) in the merchant’s system.

This solution vastly reduces a merchant’s risk if a data violation occurs. One of the main targets in a breach is customer payment data that a merchant houses in back-end systems, into which criminals can insert malware to extract large amounts of sensitive cardholder information. For example, in 2010, 49 percent of almost 800 breach investigations were attributed to malware [10]. The tokenization process prevents actual cardholder data from entering a merchant’s environment after a transaction has been authorized. If a merchant’s system is breached, the criminals would get the token numbers, which are useless gibberish to a fraudster and cannot be monetized.

Compliance management is another important benefit of tokenization.
Using token numbers instead of real card data (or even encrypted card data) in back-end business applications shrinks the merchant’s cardholder data environment that is subject to PCI DSS (Payment Card Industry Data Security Standards) compliance requirements and audits. The token number has no value or link back to the original PAN and is therefore out of scope of PCI requirements. This reduction of PCI scope can save merchants significant time and money.

What to consider

As with all data security and fraud detection solutions, tokenization is only one tier of an effective security program. The tokenization process prevents sensitive cardholder data from entering a merchant’s environment after a transaction has been authorized. Combining this technology with encryption protects the payment process even more effectively. Encryption, which transforms plain text information into a non-readable form, helps protect payment card data prior to authorization. (Encryption on its own is not an all-encompassing solution either: the process meets the PCI requirements for protecting data, but encrypted data is still considered within the scope of PCI requirements for assessment by the PCI Security Council because the actual data is still present.) Noncompliance can be costly. In a 2010 survey, the study’s respondents didn’t realize that noncompliance with PCI DSS could include fines of thousands of dollars and a per-card fee for each card that has to be cancelled. [11]

When used together, the tools help protect data from the point of wave or swipe through post-authorization storage. That combination of layered tools, which is available in the First Data® TransArmor® solution, shrinks the risk of stolen card data and can lower the cost and effort of a merchant’s annual PCI DSS audit.

Contactless and One-Time Use Account Numbers (Dynamic PAN)

More than 286 million [12] Americans have mobile phones and 68 percent [13] will have smartphones by 2015. People are texting (over 1.5 trillion [14] text messages sent in 2009) and downloading apps (over 3 billion apps [15] in four years).

Contactless is a wave-and-go payments model. At checkout lanes with specially equipped readers, consumers with a contactless-enabled payment device can save time by simply waving the device within close proximity to a contactless-enabled reader. The technology uses a Near Field Communication (NFC) chip embedded in the payment device—a phone, a card, a key fob, and much more. Contactless payment methods are not new and many payment cards have been contactless-enabled for several years. However, the adoption of contactless in the form of payment cards has not been fully embraced by consumers or businesses. Mobile phone payments and mobile-delivered promotional offers, though, are emerging and these new tools will cause the usage of contactless technology to skyrocket. Mobile contactless transactions are expected to top 2.2 billion [16] in 2011.

The question on many minds in the industry today pertains to the security of contactless transactions. An electronic payment must be connected to a user’s Primary Account Number for authorization—so if a PAN is stolen, how do we ensure it is not used over and over in a contactless environment? Traditionally, the PAN is read from the magnetic stripe on the payment card when the swipe occurs at the point-of-sale and that real account information is used to complete the payment, leaving the data vulnerable to breach at almost any point in the payments processing lifecycle.

With one-time card number technology (also known as Dynamic PAN), for each transaction a consumer makes, the chip transmits a card number that is good for only a single use. The consumer’s real account information is not used in the payment transaction and would not be available to criminals hacking into a merchant’s system. (The 2010 version of an annual study noted that hacking impacted 89 percent of the breached records included in their analysis of more than 800 data security investigations [17].) Even in the cases of skimming—intercepting card data between the card and the reader—fraudsters would retrieve the one-time card number and not the real card information.

Beyond data security, one-time card numbers, like tokenization, help alleviate PCI compliance concerns since customers’ sensitive data is not kept in the merchants’ systems.

Payments via magnetic stripe technology are on the way to extinction

What to consider

Are you prepared for the contactless revolution? Every indication is that contactless payments are the wave of the future. For example, evidence from various pilot programs shows overwhelmingly that once consumers, especially Generation Y users, have tried contactless payments, they have a strong preference for this method. The 35-years-and-under segment of consumers uses contactless methods twice as often as other consumer segments and should be considered a preferred target market for new contactless products [18]. The revolution will likely be small spurts of users jumping on board rather than a mad rush. But, as with EMV and the other trends included in this paper, being proactive is in your best interest. Invest in solutions that work for you today and that are prepared for the inevitable industry changes. Now is the moment to equip your business with contactless-enabled point-of-sale devices if you have not already done so.

Arguably, the most important preparation as the mobile revolution is poised to erupt is around security. For contactless payments, one-time card number technology is the industry-leading technology in single-solution security. But the theme of layers continues. Include one-time card number technology in your overall plan, in conjunction with EMV to reduce fraud prior to the transaction and tokenization for the same purpose post-authorization.
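
The tokenization and one-time card number flows described above, as an added sketch that is not First Data's or TransArmor's implementation. `ProcessorVault`, its method names, the choice of tokens that fail the Luhn check, and issuing one-time numbers from the vault (standing in for the card's chip) are assumptions of this example; the PAN is the widely used 4111... test number.

```python
import secrets

DIGITS = "0123456789"
TEST_PAN = "4111111111111111"  # well-known test card number, not a real account


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Hypothetical processor-side service; the merchant never holds its contents."""

    def __init__(self):
        self._pan_by_token = {}     # token -> PAN, kept only on the processor side
        self._token_by_pan = {}     # same card always maps to the same alias
        self._live_one_time = {}    # unused one-time numbers -> PAN
        self._issued = set()        # every one-time number ever issued

    @staticmethod
    def _random_number() -> str:
        return "".join(secrets.choice(DIGITS) for _ in range(16))

    def tokenize(self, pan: str) -> str:
        """Return the random alias for a PAN, creating it on first use."""
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            token = self._random_number()
            # Assumption of this example: tokens fail Luhn, so an alias can
            # never be mistaken for (or collide with) a valid card number.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

    def issue_one_time(self, pan: str) -> str:
        """Issue a card number that is good for a single transaction."""
        while True:
            number = self._random_number()
            if number not in self._issued and number != pan:
                break
        self._issued.add(number)
        self._live_one_time[number] = pan
        return number

    def authorize(self, presented: str):
        """Approve a one-time number once; return the merchant's token, else None."""
        pan = self._live_one_time.pop(presented, None)  # removed on first use
        if pan is None:
            return None  # unknown or already spent: decline
        return self.tokenize(pan)


def run_scenario() -> dict:
    vault, merchant_db = ProcessorVault(), []
    first = vault.issue_one_time(TEST_PAN)
    first_token = vault.authorize(first)
    merchant_db.append({"customer": first_token, "amount": 25.00})
    replay_result = vault.authorize(first)  # a captured number presented again
    second_token = vault.authorize(vault.issue_one_time(TEST_PAN))
    merchant_db.append({"customer": second_token, "amount": 9.50})
    return {
        "first_token": first_token,
        "second_token": second_token,
        "replay_result": replay_result,
        "pan_in_merchant_db": any(TEST_PAN in str(row) for row in merchant_db),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Both purchases land in the merchant's records under the same alias, a dump of those records contains no PAN, and the replayed one-time number is declined.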

Advanced Fraud Prevention and Detection Tools

Fraud prevention and detection tools are not new to the market; however, the most recent solutions and those on the horizon are far more sophisticated than previous options. The latest innovations are based on the analysis of commerce behaviors, using shoppers’ overall purchase habits and shopping patterns—not just transaction data—to check for anomalies. Through automated transactional risk scoring and associated decisioning engines, suspicious transactions can be identified and examined in real-time.

While merchants should still use Address Verification System (AVS) and Card Verification Value (CVV), stronger strategies leverage fraud detection and prevention systems that “score” the risk level of a transaction based on an expanded database of information. The score is used during the authorization process to determine if a transaction should be accepted, rejected or flagged. (Placing the parameter control in the hands of the merchant allows the automated decisions to be tweaked and revised as trends emerge based on the merchant’s risk tolerance and transaction handling preferences.)

What to consider

Accepting eCommerce and other CNP payment options makes automated transactional risk tools even more critical. Online commerce continues to grow; cybercrime is increasingly prevalent; and customers want more payment options. One of the most difficult challenges with CNP transactions is validating a shopper’s identity: an advanced transactional risk tool is a powerful safeguard to help eCommerce merchants avoid accepting fraudulent payments.

An experienced, qualified partner is critical to implementing and evolving a sophisticated automated prevention and detection data-based solution—especially to help you manage data-related issues and to identify your risk tolerance. Data is critical to developing the best fraud strategy to protect your business; however, gathering and analyzing the right data is often a challenge. Combining device recognition data with customers’ spending habits and patterns, along with transaction data, is essential to ensuring the right level of protection while maximizing the number of completed sales.

CONCLUSION

The trends discussed in this paper—EMV; tokenization; contactless and one-time use account numbers; and advanced fraud prevention and detection tools—will define the direction of a successful security strategy going forward. They will impact more than just payment card security and fraud detection: overall business approaches will change as security becomes a higher priority. Savvy merchants are taking more responsibility for their customers’ private data (as evidenced by the recent growth in tokenization use).

Staying on top of security requires constant vigilance and growth, however. An approach must be comprehensive and dynamic. Organizations that secure cardholder data with multiple layers of security will be better able to reduce risk and fraud. That, in turn, will enable more business as new payment technologies arise and new ways to steal the sensitive data are devised.

Brick-and-mortar, brick-and-click, or completely Web-based, it does not matter where payment transactions take place. Organizations must realize that data security and fraud prevention are essential to the success of their entire business. They are not options; they are critical to keeping the entire dam from bursting. “Money moves and transactions travel but lack of security can stall spending.” [19] And customers’ spending is, of course, the basis of all business.

Meeting customers’ demands for eCommerce and other card-not-present payment types is good for business. And it yields additional security challenges for merchants

Additional Reading: White Papers from First Data

→ Top 10 Tips to Help Keep Your Data Safe
→ Why Wait for EMV to Solve Your Fraud Problems? One-Time Use Card Numbers Can Reduce Debit Fraud Now
→ A Primer on Payment Security Technologies: Encryption and Tokenization
→ Implementing Tokenization Is Simpler Than You Think
→ Strategies for Reducing the Risk of eCommerce Fraud

Sources

[1] 2010 Annual Study: U.S. Cost of a Data Breach. Ponemon Institute, LLC. March 2011.
[2] Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.
[3] Javelin Strategy and Research. June 2009.
[4] Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United States Secret Service. 2010.
[5] www.emvco.com
[6] Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.
[7] Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.
[8] Ibid.
[9] “My Card Club” blog. August 2010.
[10] Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United States Secret Service. 2010.
[11] Small Merchant Data Security Study. First Data and National Retail Federation. 2010.
[12] Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction Costs. White paper. First Data. 2010.
[13] Mobile Wallets report. Javelin Strategy and Research. January 2011.
[14] Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction Costs. White paper. First Data. 2010.
[15] Ibid.
[16] “Smart Cards in the US: Contactless Payment Cards.” Packaged Facts. May 2007.
[17] Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United States Secret Service. 2010.
[18] 2010 Study of Consumer Payment Preferences. BAI and Hitachi Consulting. November 2010.
[19] PYMNTS.com. April 2011.