DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE

Transcription

1 DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE December 2015 English_General This presentation was prepared exclusively for the benefit and internal use of the J.P. Morgan client or potential client to whom it is directly delivered and/or addressed (including subsidiaries and affiliates, the Company ) in order to assist the Company in evaluating, on a preliminary basis, the feasibility of a possible transaction or transactions or other business relationship and does not carry any right of publication or disclosure, in whole or in part, to any other party. This presentation is for discussion purposes only and is incomplete without reference to, and should be viewed solely in conjunction with, the oral briefing provided by J.P. Morgan. Neither this presentation nor any of its contents may be disclosed or used for any other purpose without the prior written consent of J.P. Morgan. DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE To the extent that the information in this presentation is based upon any management forecasts or other information supplied to us by or on behalf of the Company, it reflects such information as well as prevailing conditions and our views as of this date, all of which are accordingly subject to change. J.P. Morgan s opinions and estimates constitute J.P. Morgan s judgment and should be regarded as indicative, preliminary and for illustrative purposes only. In preparing this presentation, we have relied upon and assumed, without independent verification, the accuracy and completeness of all information available from public sources or which was provided to us by or on behalf of the Company or which was otherwise reviewed by us. J.P. Morgan makes no representations as to the actual value which may be received in connection with a transaction nor the legal, tax or accounting effects of consummating a transaction. Unless expressly contemplated hereby, the information in this presentation does not take into account the effects of a possible transaction or transactions involving an actual or potential change of control, which may have significant valuation and other effects. Notwithstanding anything herein to the contrary, the Company and each of its employees, representatives or other agents may disclose to any and all persons, without limitation of any kind, the U.S. federal and state income tax treatment and the U.S. federal and state income tax structure (if applicable) of the transactions contemplated hereby and all materials of any kind (including opinions or other tax analyses) that are provided to the Company insofar as such treatment and/or structure relates to a U.S. federal or state income tax strategy provided to the Company by J.P. Morgan. J.P. Morgan's policies on data privacy can be found at IRS Circular 230 Disclosure: JPMorgan Chase & Co. and its affiliates do not provide tax advice. Accordingly, any discussion of U.S. tax matters included herein (including any attachments) is not intended or written to be used, and cannot be used, in connection with the promotion, marketing or recommendation by anyone not affiliated with JPMorgan Chase & Co. of any of the matters addressed herein or for the purpose of avoiding U.S. tax-related penalties. Chase, JPMorgan and JPMorgan Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (collectively, JPMC ) and if and as used herein may include as applicable employees or officers of any or all of such entities irrespective of the marketing name used. Products and services may be provided by commercial bank affiliates, securities affiliates or other JPMC affiliates or entities. In particular, securities brokerage services other than those which can be provided by commercial bank affiliates under applicable law will be provided by registered broker/dealer affiliates such as J.P. Morgan Securities LLC or J.P. Morgan Institutional Investments Inc. or by such other affiliates as may be appropriate to provide such services under applicable law. Such securities are not deposits or other obligations of any such commercial bank, are not guaranteed by any such commercial bank and are not insured by the Federal Deposit Insurance Corporation. Not all products and services are available in all geographic areas. Eligibility for particular products and services is subject to final determination by JPMC and or its affiliates/subsidiaries. This presentation does not constitute a commitment by any JPMC entity to extend or arrange credit or to provide any other services. 1

2 Learning objectives After attending this session, you will better understand How PCI compliance fits into an information security culture The latest technology available to help protect the data in your environment The role of EMV as a fraud prevention measure DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE How implementing data security and fraud prevention measures can help decrease risk while maintaining or improving the resident s experience 1 Agenda PCI Compliance and Data Security 2 Data Security Solutions 8 Fraud Prevention 14 DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE 2 2

3 Threats are outpacing most organizations ability to secure their infrastructure 783 Breaches reported in 2014; an increase of 27.5% from ,428,956 Records that were breached in 4,538 data breaches made public since % Percentage of companies NOT fully compliant with all 12 PCI standard requirements 3 PCI COMPLIANCE AND DATA SECURITY Sources: 1 ITRC Breach Report Privacy Rights Clearinghouse 3 Verizon 2015 PCI Compliance Report 3 PCI in brief Data security standards created and maintained by the Payment Card Industry Security Standards Council (PCI SSC) Applies to any system that stores, processes or transmits card data 12 requirements addressing operational and technical areas Specific technology guidelines for encryption and tokenization PCI COMPLIANCE AND DATA SECURITY Organizations often need to combine multiple technologies to secure data and meet PCI requirements 4 3

4 The prioritized approach Six milestones 1. If you don t need it, don t store it 2. Secure the perimeter 3. Secure applications 4. Monitor and control access to your systems 5. Protect stored cardholder data 6. Finalize remaining compliance efforts, and ensure all controls are in place Tools and guidance on the PCI SSC Web site PCI COMPLIANCE AND DATA SECURITY 5 Why NOT compliance? New compliance mandates are potentially endless Government regulation Industry standards Organization policies Achieving compliance is easier than maintaining compliance Becoming compliant is a project Maintaining compliance is a culture change Why information security PCI COMPLIANCE AND DATA SECURITY A single, comprehensive set of enterprise information security polices, standards, baselines, and procedures Simplifies culture change Simplifies compliance mandate responses by Cataloging existing controls Speeding gap analysis Limiting expense and churn caused by new mandates Reduces compliance to a single core competency: Security 6 4

5 Security is a business decision Steps to take Assess the risks Identify the mitigation options Determine how much risk The organization is comfortable accepting The organization is ALLOWED to accept Recognize the constraints Acquire and apply resources IT and information security can then Consolidate data and systems Segment the network PCI COMPLIANCE AND DATA SECURITY Implement the controls Close the gaps 7 Agenda PCI Compliance and Data Security 2 Data Security Solutions 8 Fraud Prevention 14 DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE 8 5

6 Security is Comprehensive A viable security solution to combat today s threats requires a comprehensive combination of security solutions Replaces customer payment data with a benign value that cannot be converted back to card or account information within a merchant s network, protecting that data from security threats. Tokenization EMV Advanced chip card technology that helps prevent skimming, counterfeit and lost/stolen fraud. Encryption PCI DSS Encryption technology that protects the primary account number of a payment card from moment of capture at retail point of sale Fraud Tools A combination of preventative, detective, responsive controls applied to a merchant s process, people, and technologies. DATA SECURITY SOLUTIONS Tools that provide greater visibility into sophisticated fraud patterns, advanced capabilities include proxy piercing and geolocation, which can pinpoint a transaction s origin in real time, and dynamic order linking 9 Encryption 101 What is Encryption? Encryption is a security measure that leverages a cipher algorithm to mathematically transform sensitive data in such a way that only authorized parties can read it Encryption does not prevent interception of data, but rather the access to the content intercepted From the initial swipe, dip, tap, or click, card data can be encrypted to protect the data throughout the payment transmission process How Does it Work? Recipient's Public Key Recipient's Private Key Source: PacketLife.net DATA SECURITY SOLUTIONS Why is Encryption Important? Ideal for Data on the Go: Encryption is particularly useful in secure transmission of sensitive information Open Model with Limited Risk Exposure: Encryption leverages a public and private key model, where a public key is widely available to encrypt messages while a private key is only available to the receiving party for decryption of the message 10 6

7 Tokenization 101 What is Tokenization? Tokenization is the process through which real account data is replaced with a proxy value known as a token These tokens can either be static (never changing) or dynamic (different for each transaction) Some tokens are format-preserving (i.e., they look like regular PANs), while others can be different lengths or alphanumeric in context Tokens were created to minimize risk for merchants who stored live payment account credentials on their servers, but have expanded to minimize risks for issuers, brands, acquirers, and consumers Think of Tokens like Casino Chips You trade cash for chips Cash is valuable in a large context and is easily used Chips are valuable only in a limited context (inside the casino) and can only be used to do certain things defined by the house (e.g. play on certain table games) Why is Tokenization Important? DATA SECURITY SOLUTIONS Renders Previously High Value Data Almost Useless: Cash is higher risk because it can be stolen and used anywhere, while a chip is lower risk because even if it s stolen, it can t be used everywhere Consolidates Risk to a Single Control Point: Tokenization is like going to the cashier and giving cash and receiving tokens and De-Tokenization is like going back to the cashier and trading chips for cash 11 Hosted Pay for Ecommerce A consumer-facing hosted page that captures customer payment data in a PCI compliant manner Creating a secure and seamless payment experience for your customers while keeping your organization compliant Benefits Increases the security of your customers payment data Reduces the cost and scope of PCI compliance Your Website Ecommerce Platform Enables you to maintain complete control of your branding throughout the payment cycle Hosted Pay Minimizes initial and ongoing IT resource impacts How it works A Hosted Pay can clone your payment page so you maintain complete control of the look and feel of your customers checkout experience. There are no static templates to update. Payment Success CLONE¹ Payment Token Payment brands for approval DATA SECURITY SOLUTIONS There is no need to use an acquirer-branded payment page. You can change your payment page elements at any time, and Hosted Pay will capture the changes in real time. You are in control of your brand on the payment page at all times. 12 Your bank account 7

8 encryption What does it do for your organization? Encrypts PAN and CVV data within a customer s browser Provides you with full payment page control; no re-directs Remains invisible to the customer Delivers an effective PCI solution Offers a host-based alternative to a Hosted Pay DATA SECURITY SOLUTIONS 13 Agenda PCI Compliance and Data Security 2 Data Security Solutions 8 Fraud Prevention 14 DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE 14 8

9 EMV The Basics How EMV Chip Cards are Different Chip cards are inserted into chip-reading devices rather than being swiped If PIN is supported on the chip card, it will replace traditional signature In conjunction with PIN, chip cards provide an added layer of authentication Terminals will accept both magnetic stripe and chip cards for years to come Customer Verification Methods (CVM) Chip and Signature Chip and Offline PIN Chip and Online PIN The consumer signs to validate their identity Prevents counterfeit card fraud The chip card and the terminal validate the PIN, then authorize Prevents counterfeit, stolen and never received or issued card fraud The consumer s PIN is sent to the host for validation Prevents counterfeit, stolen and never received or issued card fraud FRAUD PREVENTION Source: EMVCo Q statistics 15 Key points about EMV in the US Benefits of chip technology Confidence EMV has been used globally with cards in Europe for over a decade; and in Canada over the last seven years Security and Fraud Protection dynamic authentication reduces the value of stolen cardholder data; Chip technology is more difficult to duplicate and combining its use with a PIN helps reduce fraud due to lost, stolen or counterfeit cards Reduces Chargebacks the use of PIN with the chip technology can significantly reduce the frequency of chargebacks Global Interoperability and Consistency outside of the U.S., 43.3% of all cards are EMV and 86.8% of terminals are EMV capable US migration drivers Avoid becoming a destination for criminals and global magnetic-stripe fraud activity Increase satisfaction of traveling international cardholders Maintain interoperability with the rest of the world Position the industry for the adoption of other forms of payment, notably NFC mobile contactless payments Payment brand mandates and chargeback liability shifts are forcing the adoption of this technology What is a liability shift? FRAUD PREVENTION Liability Shift is a change in who bears the chargeback related cost of fraudulent transactions The penalty for merchants or issuers missing the October 2015 (non Petro) / October 2017 (Petro) deadline is a shift in fraud related liability. Merchants who have not implemented an EMV certified solution will risk absorbing the cost of all disputed counterfeit and potentially lost/stolen/not received fraudulent transactions they initiate. 16 9

10 EMV in the US: Key Merchant Considerations Keys to EMV Readiness 1. The Right Integration: Direct, Middleware/Third Party (TP) Gateway, Semi-Integrated, or Stand-Alone approach 2. Merchant Readiness: Processes, Procedures, Learning / Development on handling EMV transactions 3. Consumer Readiness: Building Awareness and Understanding of EMV Make The Most of EMV Migration 1. Consider POS modernization holistically PIN Acceptance, E2E Encryption, Tokenization, Contactless, High-Speed IP Connectivity 2. Be prepared for Fraud Increases in Card Not Present (CNP) channels EMV adoption has historically shifted Card Present Fraud to CNP and cross-border Fraud Omni-channel and CNP merchants should prepare by evaluating fraud detection technology AVS/CVV alone is not enough as false positive exposure can be high. Include other fraud detection technology such as Velocity Checks, Positive and Negative Lists, Proxy Piercing/IP Geolocation, and Dynamic Risk Scoring FRAUD PREVENTION 17 Key takeaways PCI Basic security measures but not all that is needed Data protection Any time the card data is exposed, in transit or at rest, it is at risk Layered protection is the only answer Different from data protection Fraud management More risk in CNP space than card present Geolocation, proxy piercing, device fingerprinting FRAUD PREVENTION 18 10

11 Speaker contact information Matthew Leman Vice President, Special Markets Chase Paymentech O: FRAUD PREVENTION 19 11