Securing Internet Payment Systems

Domenico Catalano
Principal Sales Consultant
This document is for informational purposes. It is not a commitment
to deliver any material, code, or functionality, and should not be relied
upon in making purchasing decisions. The development, release,
and timing of any features or functionality described in this document
remains at the sole discretion of Oracle. This document in any form,
software or printed matter, contains proprietary information that is the
exclusive property of Oracle. This document and information
contained herein may not be disclosed, copied, reproduced or
distributed to anyone outside Oracle without prior written consent of
Oracle. This document is not part of your license agreement nor can
it be incorporated into any contractual agreement with Oracle or its
subsidiaries or affiliates.
Agenda

•  Trends in online Payments
•  Cybercrime
•  ECB & Security Measures
•  Oracle Approach
•  Layered Access Security
•  Oracle Experience – BT MFR use case
•  Q&A
Trends in online Payments
Payments through the Internet

•  Making a remote payment card transaction through the Internet
•  Online-banking based credit transfer or direct debits
•  Payments through e-payment providers

[Chart: online shoppers, 2009 vs 2014 (Source: Forrester Research)]
2009: 141 Million online shoppers, EUR 483 per capita
2014: 190 Million online shoppers, EUR 601 per capita

Towards an integrated European market for card, internet and mobile payments
Cybercrime
Threat to the Financial Sector

•  Account Takeovers
•  Telecommunication Network Disruption
•  Insider Access
•  Third Party Payment Processor Breaches
•  Supply Chain Infiltration
•  Securities and Market Trading Exploitation
•  ATM Skimming and Point of Sale Schemes
•  Mobile Banking Exploitation

[Chart: Compromised records by industry group – Source: Verizon – 2011 Data Breach Investigation]
Source: FBI — Cyber Security: Threats to the Financial Sector
Security Measures
ECB Recommendation
Security of Internet Payments

•  General control and security environment.
•  Specific control and security measures for Internet Payments.
•  Customer awareness, education and communication.

[Diagram: four-party Internet payment flow – Holder to Merchant's Web Site (Purchase), Merchant's Web Site to Acquirer (Payment), Acquirer and Issuer (Authorization)]

Recommendations for the Security of Internet Payments - ECB
ECB Recommendation
Specific control and security measures for Internet Payments

•  Initial customer identification, information
•  Strong customer authentication
•  Enrolment for and provision of strong authentication tools
•  Log-in attempts, session time-out, validity of authentication
•  Transaction monitoring and authorization
•  Protection of sensitive payment data

Recommendations for the Security of Internet Payments - ECB
Oracle Approach
Oracle Approach
General Control and Security Environment
The Identity Platform
Comprehensive Database Security
Layered Access Security
Evolution of Web Access Security

[Diagram: successive layers of web access security – Single Sign On → Multi-factor Authentication → Role Based Access Control → Layered Access Security]

“PSPs with no or only weak authentication procedures cannot, in the event of a disputed transaction, provide proof that the customer has authorised the transaction.” – ECB, Recommendation for the Security of Internet Payments
Oracle Adaptive Access Manager
Trust, But Verify

[Diagram: security layers between the user and protected resources – John Smith → Password → Device → Location → Data Sources → Verify ID → Protected Resources]

Authentication is valid but is this really John Smith?
Is anything suspicious about John’s access request?
Can John answer a challenge if the risk is high?
Context-Aware Risk Analysis

✓  Analyzes risk in Real-Time
✓  Profiles Behaviors
✓  Recognizes Patterns
✓  Detects Anomalies
✓  Takes Preventative Actions

Pattern Detection
•  Dynamic behavioral profiling in real-time
•  In the last month has Joe used this device for less than 3% of his access requests?
•  In the last three months have less than 1% of all users accessed from the country?

Predictive Analysis
•  Indicates probability a situation would occur
•  Is the probability less than 5% that an access request would have this combination of data values?

Static Scenarios
•  Specific scenarios that always equate to risk
•  If a device appears to be traveling faster than jet speed between logins the risk is increased.
Risk-Based Identity Verification

[Chart: RISK level (LOW, MED-LOW, MED-HIGH, HIGH) against RESPONSE (ALLOW to DENY); slide image captioned "Hacking for Fame"]

•  If the risk is low: Do nothing
•  If the risk is medium: Ask a challenge question
•  If the risk is high: Send a one-time password to the user's mobile phone
•  If the risk is very high: Deny access and alert the security team
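The pattern-detection questions, the static jet-speed scenario and the four response tiers above, as an added Python example (not Oracle's or OAAM's code): a constructed login history is scored and the score is mapped to allow / challenge / one-time password / deny. The score weights, the 900 km/h cut-off, the London-based sample logins and the helper names are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

Login = namedtuple("Login", "user device country lat lon when")
JET_SPEED_KMH = 900.0  # assumed cut-off for the slide's "faster than jet speed" scenario
# Score floor -> response, following the slide's four tiers (the weights are assumed)
TIERS = [(5, "deny and alert security team"), (3, "send one-time password to mobile"),
         (2, "ask challenge question"), (0, "allow")]


def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = radians(lat1), radians(lat2)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_login(history, new):
    """Score one access request against prior logins; returns (score, reasons)."""
    score, reasons = 0, []
    # Pattern detection: has this user used the device for < 3% of requests in the last month?
    month = [l for l in history if l.user == new.user and new.when - l.when <= timedelta(days=30)]
    if month and sum(l.device == new.device for l in month) / len(month) < 0.03:
        score, reasons = score + 2, reasons + ["rare device for this user"]
    # Pattern detection: have < 1% of all users accessed from this country in the last 3 months?
    quarter = [l for l in history if new.when - l.when <= timedelta(days=90)]
    if quarter:
        users = {l.user for l in quarter}
        from_country = {l.user for l in quarter if l.country == new.country}
        if len(from_country) / len(users) < 0.01:
            score, reasons = score + 2, reasons + ["country rarely seen across all users"]
    # Static scenario: the device would have travelled faster than jet speed since its last login
    prior = max((l for l in history if l.user == new.user and l.when < new.when),
                key=lambda l: l.when, default=None)
    if prior is not None:
        hours = (new.when - prior.when).total_seconds() / 3600
        if hours > 0 and haversine_km(prior.lat, prior.lon, new.lat, new.lon) / hours > JET_SPEED_KMH:
            score, reasons = score + 3, reasons + ["impossible travel"]
    return score, reasons


def response_for(score):
    return next(resp for floor, resp in TIERS if score >= floor)


def sample_history():
    """Constructed history: Joe and Ann each log in daily from London on their usual device."""
    t0, london = datetime(2012, 5, 1, 9, 0), (51.5074, -0.1278)
    return ([Login("joe", "laptop", "GB", *london, t0 + timedelta(days=d)) for d in range(10)] +
            [Login("ann", "desktop", "GB", *london, t0 + timedelta(days=d)) for d in range(10)])


def assess(user, device, country, lat, lon, when_iso):
    """Score a new login (time as ISO string) against the sample history and pick the response."""
    new = Login(user, device, country, lat, lon, datetime.fromisoformat(when_iso))
    score, reasons = score_login(sample_history(), new)
    return response_for(score), reasons
```

For example, a login for Joe from an unseen phone in Brazil one hour after his London login trips all three rules and lands in the deny tier, while the same phone from London only earns a challenge question.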
Data Relationships

[Diagram: data arriving over HTTP, SQL, Files, JMS and WS is mapped onto entities and evaluated by rules]

First Class Entities: [ User, Device, IP, Etc. ]

Entity Instances
•  Address: [ Street Number ] [ Street Name ] [ Apt. Number ] [ City ] [ State ] [ ZIP Code ] [ Country ]
•  Credit Card: [ First Name ] [ Last Name ] [ Middle Initial ] [ Number ] [ Security Code ] [ Expiration ]

Transaction Data: [ Dollar Amount ] [ Item Quantities ] [ Item Numbers ] [ Coupon Code ] [ Shipping Priority ] [ Shipping Address ] [ Billing Address ] [ Credit Card ]

Rule A: [ If a purchase originates from a country not matching the country in the billing address then create an alert. ]

Rule B: [ If an item has been purchased more than twice in the last week from a single device, each using a different credit card then create an alert. ]
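Rules A and B above, as an added Python example (not Oracle's or OAAM's rule syntax): a constructed purchase stream is replayed in time order and each rule raises an alert when it matches. The Purchase schema, the device and card identifiers and the seven-day window are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One e-commerce purchase reduced to the fields Rules A and B need (constructed schema);
# card_id stands in for a tokenised card number so no real PAN is handled here
Purchase = namedtuple("Purchase", "when device ip_country billing_country item_number card_id")


def rule_a(tx):
    """Rule A: purchase originates from a country not matching the billing-address country."""
    return tx.ip_country != tx.billing_country


def rule_b(tx, history, window=timedelta(days=7)):
    """Rule B: same item bought more than twice in the last week from one device,
    each purchase with a different credit card."""
    recent = [t for t in history + [tx]
              if t.device == tx.device and t.item_number == tx.item_number
              and timedelta(0) <= tx.when - t.when <= window]
    return len(recent) > 2 and len({t.card_id for t in recent}) == len(recent)


def evaluate(purchases):
    """Replay purchases in time order; return (rule, purchase index) alerts as they fire."""
    alerts, history = [], []
    for i, tx in enumerate(sorted(purchases, key=lambda t: t.when)):
        if rule_a(tx):
            alerts.append(("A", i))
        if rule_b(tx, history):
            alerts.append(("B", i))
        history.append(tx)  # the rules only see purchases that arrived earlier
    return alerts


def sample_purchases():
    """Constructed stream: one geo-mismatch, and one device cycling three cards on one item."""
    t0 = datetime(2012, 5, 1, 12, 0)

    def p(day, dev, ip_c, bill_c, item, card):
        return Purchase(t0 + timedelta(days=day), dev, ip_c, bill_c, item, card)

    return [
        p(0, "dev-1", "GB", "GB", 4711, "card-1"),  # normal purchase
        p(1, "dev-2", "RO", "GB", 1234, "card-7"),  # Rule A: IP country differs from billing country
        p(2, "dev-1", "GB", "GB", 4711, "card-2"),  # second distinct card on the same device/item
        p(3, "dev-1", "GB", "GB", 4711, "card-3"),  # third distinct card -> Rule B fires
        p(4, "dev-1", "GB", "GB", 4711, "card-3"),  # card repeated: not all distinct, Rule B silent
    ]
```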
Become Context Aware
Prevent and Detect Anomalous Behavior

Reducing Surface Area of Attacks: 89% Preventable Breaches

ROI study results:
  ROI              106%
  Payback period   12.1 months
  Total benefits   $6,007,641
  Total costs      ($2,912,513)
  Net benefits     $3,095,129

Source: “Adaptive Access Management: An ROI Study”, a commissioned study conducted by IDC on behalf of Oracle, 2010
Oracle Experience
BT Managed Fraud Reduction
BT Managed Fraud Reduction (MFR)

•  BT MFR is an automated fraud screening service developed by BT based on Oracle technologies.
•  BT MFR assesses the risk of each e-Commerce transaction.
•  BT MFR makes a risk assessment based on the behavior of the user.
•  BT MFR is complementary to existing fraud checks performed as part of payment authorization.
•  BT MFR is a real time service.
BT MFR: Architecture and Extensibility

[Diagram: Payments Processor/Merchant → Oracle Service Bus (OSB determines call routing) → fraud and verification services → Aggregated response back to the Payments Processor/Merchant]

Services behind the Oracle Service Bus:
•  OAAM – Fraud Rules Engine
•  Ethoca – Fraud Intelligence
•  BTMA – Strong Authentication
•  URU – ID Verification
•  CLI – Calling Line Identification
•  GB Group – Business Data
•  Quova – Location Detection
The slide also labels groups of these services as Optional Services and Future Services.
www.oracle.com/Identity


www.facebook.com/OracleIDM
www.twitter.com/OracleIDM


blogs.oracle.com/OracleIDM
