BREAKING THE CYCLE OF PAYMENT FRAUD WITH LAYERED SECURITY

Transcription

1 tokenex.com BREAKING THE CYCLE OF PAYMENT FRAUD WITH LAYERED SECURITY Synergy White Paper

2 White Paper BREAKING THE CYCLE OF PAYMENT FRAUD WITH LAYERED SECURITY THREE HORSEMAN OF THE DATA APOCALYPSE: DATA BREACHES, PCI COMPLIANCE COSTS AND FRAUD Data breaches, PCI compliance costs, and payment fraud are the modern equivalent of the Three Horseman of the Data Apocalypse scourges of modern business wreaking economic, brand, and legal havoc on organizations of all types and sizes. To stretch the metaphor a little more, because all three of these scourges have their source in the malfeasance of data thieves, it would be appropriate to portray hackers as symbolizing the Fourth Horseman of the Data Apocalypse. So while the occasional data breach by hackers used to be an annoyance and acceptable cost of doing business, now, with a growing number of new laws and regulations in place addressing liability for payment data theft and fraud, a breach can destroy your brand, your profits, and your customer base a data apocalypse indeed. When your business is breached, payment, personal, and even healthcare information is siphoned off to the far corners of the data bazaars where it is typically resold for use in fraudulent purchases and identity theft. This creates a costly ripple that spreads from business to business, touching charities, institutions of government and education, and of course customers, students, and charitable donors. Fortunately, economical security solutions to this problem are available: tokenization integrated with fraud detection are keystones to a layered security approach that protect against data theft, minimize PCI compliance costs, and control payment card fraud. In fact, together these technologies break the cycle of fraud by preventing the theft of payment data in the first place, and by detecting and stopping the reuse of fraudulent payment data that is already on the market. Synergy White Paper Page 1 of 10

3 DATA BREACHES ARE INEVITABLE - TOKENIZE NOW Data theft is here to stay. No business is immune. No security wall is impenetrable. As long as sensitive data resides in your business systems, you are a target. A data breach in your organization can result in much more pain than the initial penalties from Payment Card Industry (PCI) Data Security Standards (DSS) and the card issuers. Recent court rulings are in favor of data breach victims those whose data you lost and the resulting class action lawsuits will add tremendous costs to data theft breaches. This is in addition to business downtime while zealous DSS agents scrutinize the breach looking for weaknesses; not to mention the loss of customer trust and thus future business. Even the FTC is now authorized to penalize organizations for breaches of privacy policy when personal data is stolen, adding even more cost and regulatory burden to the insult of a security breach. The data apocalypse is here and it s costing your organization time, profits, and legal hassles and hurting your brand. Examples from the headlines are abundant: Target Stores: Payment card information pilfered from POS terminals - $162,000,000 in fines and recovery costs; CEO fired; customer trust compromised. Anthem Blue-Cross and UCLA Health System - Stolen protected healthcare information (PHI) 80,000,000 and 4,500,000 records respectively. Anthem Blue-Cross costs likely to exceed insurance coverage of $100,000,000. Office of Personnel Management 2,100,000 current federal employees and an additional 2,000,000 federal retirees and former employees personally identifiable information (PII) siphoned off by state-sponsored spies. Ashely-Madison - Exposed both payment and personally identifiable information to the utter embarrassment of the organization s paying membership. Privacy policy will doubtless be under FTC scrutiny. CEO quits. Need more painful examples? Look up Krebs on Security Recent Data Breaches. These organizations represent just a small sample of recent infamous headline-grabbing hacks. They were targets of technically-sophisticated black market hackers, anonymous vigilantes, and statesponsored spies. Since no security service on the market today can stop all the actual breaches, is there a way to stop the repercussions? The actual answer is rather simple If there is no sensitive data to steal, there is no reason to hack. Tokenization intercepts sensitive data at the edges of an organization s business systems, before it can be stored, processed, and re-transmitted or stolen. This paper addresses the ways in which tokenization eliminates data theft risk, reduces the cost of PCI compliance, and acts as a central point of integration among payment processors and payment service providers to break the cycle of payment fraud. Synergy White Paper Page 2 of 10

4 TOKENIZATION ELIMINATES DATA THEFT RISK, REDUCES THE COST OF PCI COMPLIANCE Every organization that takes payment card information via the many acceptance channels available today, needs to comply with PCI DSS. As every IT security professional knows, this is an arduous and expensive task. The more complex a business, the more acceptance channels employed, the more operations are spread internationally, the greater the cost of compliance and monitoring. Every part of the business systems that receive, store, or transmit payment data must be audited to comply with the PCI DSS regulations. If they do not, and a breach occurs, the fines are considerable, not to mention the closing down of payment channels until proven secure. Even if an organization is in compliance, losing payment data is still costly and dangerous to brands. It s really a no-win situation no matter how hard you try. Cloud Tokenization of all payment data keeps all your business systems at the lowest level of PCI compliance. Replacing payment data locally and storing the actual payment data in a Cloud Security Platform such as TokenEx provides, ensures that when hackers do breach a business system, there s nothing of value to steal. Payment data is intercepted at the farthest entry points to your business web page shopping cart, retail POS, call center swipe pads so that it never enters your IT network or business systems. With cloud tokenization, not only is data theft risk eliminated, but the cost of PCI compliance drops to a very manageable line item in your IT budget. Personal, health, and any type of data can be tokenized and vaulted along with payment data, ensuring that customer data of all types is protected during a data breach. Figure 1. TokenEx Tokenization Processes. Synergy White Paper Page 3 of 10

5 After implementing a cloud tokenization solution, you limit your payment acceptance worries to avoiding fraudulent charges, chargebacks, and keeping recurring accounts up to date. The TokenEx Cloud Security Platform can integrate these essential support services into your payment stream and secure batch file processes. FIGHTING THE MANY FORMS OF PAYMENT FRAUD The modern incarnation of the Third Horseman of the Data Apocalypse is payment fraud in its many forms. The most common and well known form of fraud is the use of stolen payment card accounts to make card-not-present (CNP) transactions via web shopping sites. The options for dealing with this form depends on the type of business the sale of costly high-value B2B equipment, moderately-priced consumer goods, or inexpensive digital downloads and gaming assets, to cite a few examples. Each of these requires a different assessment of risk and appropriate counter measures. Reacting to fraudulent charges range from the time-consuming manual review processes for orders over a certain amount, to assigning risk levels to orders coming from IP addresses or proxies known for stolen card data. While it may be prudent to manually review an order for restaurant equipment coming from a newly opened account, it s uneconomical to manually review a $.99 digital song download. When fraud detection measures are applied with broad brush strokes, the measures can result in lower fraud but also in lost sales. For example, one popular body-building supplement site was turning down sales from certain regions outside the US that were known fraud centers, without being able to determine that the orders were coming from legitimate purchasers stationed at military bases in those areas. Yes, the perceived risk was high, but so was the potential business. Fraud attacks come in a variety of ways that are difficult to deal with on a piecemeal basis. Account Takeover Fraud Identify fraudsters at the login page and deny access to an existing account. Fraudulent Account Creation Stop fraudsters from creating a new account or applying for services. Brute Force Attacks Stop massive login attempts by automated programs. Card Number Testing Prevent automated authorization requests (costing the merchant $0.15 or more each, and amounting to hundreds a day). Account Sharing Detection Prevent sharing of passwords to conform with licensing obligations. Multiple Account Detection Keep fraudsters from creating multiple accounts to gain or regain access to web store discounts and special offers. Synergy White Paper Page 4 of 10

6 Chargebacks are the other major costs associated with stolen payment card fraud. Multiple incidents of fraud that result in chargebacks place a merchant account at the reporting bank on a watch list, raising the card authorization standards, which in turn effectively turns away an increased percentage of valid orders. And then there are the rapidly growing number of payment transactions from apps and browsers on mobile devices, creating more channels for hackers to spoof and steal data. One technique in the fraud detection arsenal is device fingerprinting, which works by uniquely identifying PCs, tablets, mobile phones and other devices that access a merchant s site. A device s fingerprint is recognized by reading dozens of device characteristics, such as software versions, browser configurations, font lists, and dozens of other signals that, in aggregate, are characteristic of a specific device. Fraud detection software using artificial intelligence can quickly analyze and cross-index these attributes to detect patterns and flag potential instances of mobile fraud activity. Mobile transactions are an example of how the payment ecosystems is changing from static data (one card/one PAN) to dynamic payment data using EMV chip cards, GPS location tracking, NFC, and device fingerprinting. While this evolution is making commerce more frictionless and enables merchants to use customer data in novel ways for marketing, it also provides additional avenues for fraud. Many businesses have cobbled together their own collection of fraud detection modules to deal with these various points of attack and the evolving dynamic payment channels. And therein lies the problem. Often a software fraud detection add-on will deal with one risk point but not the others. So another module gets tacked on, creating another dashboard to monitor. And on it goes, with no unifying strategy for understanding what is actually happening, but lots of alarms to monitor. KOUNT COMPLETE FRAUD DETECTION SERVICES Cobbling together multiple fraud technologies may provide limited relief to ad hoc payment fraud attempts, but to provide more comprehensive and automated protection, all the detection points need to be united under one system that combines artificial intelligence with human reasoning for accurate and lightning fast decisions. Kount Complete s Software as a Service (SaaS) platform is designed for companies operating in card-not-present environments, simplifying fraud detection and dramatically improving bottom line profitability. Kount s services combine an artificial intelligence engine with human-supervised machine learning. The supervised component adds human reasoning to assist with analyzing transactions in your real time payment stream that the AI feels are in the grey area. In milliseconds, Kount provides a fraud score, a status, and about sixty data points that the business systems can use to decide the level of acceptable risk that will help you to increase sales while decreasing chargebacks. The risk levels for different acceptance channels can be adjusted to fine tune the number of orders accepted versus rejected until the appropriate level of sales is attained. Synergy White Paper Page 5 of 10

7 Figure 2. Kount Fraud Prevention Platform Kount uses several patented and proprietary technologies such as artificial intelligence, order linking, device ID, geo-location, mobile signals and others, to screen fraudulent transactions. Many other solutions on the market only use one or two tools to detect and limit fraud. Kount reviews hundreds of data points associated with each transaction to determine whether the transaction is valid or not. In fact, with the AI monitoring client payment streams from all over the world, the more data points analyzed, the smarter and more efficient the system becomes. Incorporating Kount s real time fraud analysis into your payment stream along with tokenization, provides two layers of security that breaks the payment fraud cycle. TokenEx makes it easy to do. TOKENIZATION AND FRAUD PREVENTION WORK IN HARMONY TO PROTECT YOUR BUSINESS With TokenEx as the integrator between your business systems and payment service providers, you never have to receive, store, or transmit PANs or other sensitive payment data in order to use services such as fraud detection, account refresh, and marketing analytics. TokenEx takes care of passing the values such as a specifically formatted hash value to represent a PAN to the other services. For your systems, it s business as usual, processing tokens instead of sensitive information. Synergy White Paper Page 6 of 10

8 INTEGRATING KOUNT FRAUD DETECTION WITH TOKENIZATION Kount is a premier partner of TokenEx, with a growing number of mutual customers. TokenEx has pre-built integration with Kount s real-time Risk Advisory Services, so as with all TokenEx supported services, your systems never have to accept, store, or transmit actual payment data. The integration among web stores, TokenEx Vaults, and Kount is seamless and very efficient, so there is no detectable latency in the payment transaction or change to the customer buying experience. The e-commerce software accepting the order can use the TokenEx Web API, TokenEx Browser-based Encryption, or the TokenEx Hosted Web Page. The combined processes occur in milliseconds. 1. A customer enters payment card information at a web store shopping checkout page. To ascertain the risk of fraud with the payment number, the merchant s e-commerce software calls the TokenEx Fraud Services API. a) For a new customer and payment card, TokenEx immediately encrypts the PAN, stores it in the merchant s secure data vault on the TokenEx Cloud Security Platform, and returns a token to the Merchant s e-commerce software, along with the appropriate KHASH value that the Kount system expects. b) The KHASH is an encrypted combination of the PAN and other Merchant-supplied data, such as customer name, zip code, location, etc., that the Kount Risk Inquiry Service uses to evaluate the probability that the transaction may be fraudulent. c) For a customer with an existing account, or for a recurring transaction, the merchant s e-commerce database already has the token stored for the customer s PAN, and can choose to call the TokenEx Fraud Services API for a fraud check, or to process the transaction immediately through the TokenEx Web API which works with the payment processor. 2. When a fraud check is required for a transaction, the Merchant system transmits the TokenExsupplied KHASH value to Kount where all the data factors are analyzed and scored. 3. Kount returns a Risk Score directly to the merchant s e-commerce software, which is programmed to accept or reject the payment card based on a customizable risk setting. a) Merchants retain full control over the Kount interface, adjusting and fine-tuning the risk variables to achieve the right level of protection for card-not-present transactions. b) Merchants can experiment with different risk levels to attain the most sales and least number of chargebacks. Synergy White Paper Page 7 of 10

9 Figure 3. TokenEx and Kount Fraud Integration IMPLEMENTING A LAYERED SECURITY STRATEGY AT BOLDER ROAD The twin goals of preventing data theft and payment fraud are particularly appealing to businesses that specialize in building web stores for third party clients. What better service differentiator than to offer an e-commerce platform that eliminates the risk of customer being stolen by hackers thus, protecting your clients reputation combined with seamless fraud detection to mitigate chargebacks? That is just what Bolder Road, a joint client of TokenEx and Kount, achieved for their marquee entertainment customers. Bolder Road designs, builds, and supports e-commerce web stores for some of the biggest names in the entertainment industry. Through these branded web stores, customers can buy a wide range of movie-related collectibles. Unfortunately, these web stores aren t immune to the data thieves and fraudsters who are eager to steal customer data and purchase easily-resalable merchandise paid for with stolen payment cards. Bolder Road CEO Nevin Shalit says that When you read the headlines about the latest data breaches and the resulting inconvenience to customers and damage to your company s reputation and you have the additional responsibility to protect your clients brands this can lead to some sleepless nights. Synergy White Paper Page 8 of 10

10 Bolder Road selected both TokenEx and Kount as security service providers to protect all of its clients web stores. Incorporating tokenization from TokenEx and fraud prevention from Kount was one of the smartest decisions we made to differentiate our e-commerce services from our competitors, says Shalit. Using a layered approach to prevent data theft and payment fraud creates a secure foundation that keeps data safe from breaches and the cost of fraudulent purchases down. When customers of Bolder Road s clients make a purchase at the websites checkout pages, their card data is instantly encrypted, tokenized, and stored in the clients secure TokenEx data vault. To mitigate fraudulent charges, TokenEx returns the KHASH value of the payment number directly to the entertainment store s e-commerce system which sends it to Kount to rate the associated payment card for fraud potential. The time to complete the security loop takes milliseconds, so there is no perceptible delay in the checkout process. Knowing that all the sensitive payment data of our customers is safely tokenized and vaulted out of the e-commerce systems is a huge relief. And pairing this with a robust fraud detection system protects us and individual cardholders from fraudulent charges. So yes, our layered approach to data security lets us all sleep a little easier knowing we ve built an e-commerce environment that protects us and our clients brands, and breaks the cycle of payment fraud. LAYERING SECURITY SOLUTIONS WITH PAYMENT SERVICE PROVIDERS Fraud analysis and chargeback mitigation is only one example of the payment service processes that TokenEx can integrate into your tokenized payment stream. TokenEx provides all the necessary formatting and translations of payment data required by a service provider s software APIs. A card refresh vendor, for example, usually provides updates via secure file transfer into your business systems. When TokenEx is the integration point, the file of refreshed PANs is routed to your Secure Data Vault where TokenEx replaces the PANs with corresponding tokens and securely transmits the tokenized file to your systems. Your business processes don t change because TokenEx takes care of all the integration with your chosen vendors. Synergy White Paper Page 9 of 10

11 BREAK THE CYCLE OF PAYMENT FRAUD A layered approach to payment data security not only protects you against data theft, payment card fraud, and chargebacks, but it greatly reduces the cost of PCI compliance, enabling savings both from the compliance standpoint and the cost of chargebacks and lost goods. Many clients of TokenEx and Kount have found that these savings can pay for most if not all of the cost of the layered security solutions. It s not too late to defeat the Four Horseman of the Data Apocalypse: data breaches, PCI compliance, fraud, and the data thieves who cause the problems in the first place. A layered security model combining tokenization and fraud detection is your primary defense against the data apocalypse that can ruin your business s profits and reputation. Call TokenEx today and let us demonstrate how tokenization and fraud detection can work in your organization. Contact us at sales@tokenex.com or call TOKENEX 1350 South Boulder Suite 1100 Tulsa, Oklahoma Synergy White Paper Page 10 of 10