Sponsored by Sponsored By

Transcription

1 CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited CUNA Mutual Group Sponsored by Sponsored By

2 Plastic Card Risk Exposures

3 Disclaimer This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions. For general information, please contact our company Sales Executive. The Plastic Card Policy is underwritten by CUMIS Insurance Society, Inc., a member of the CUNA Mutual Group. 3

4 Polling Question What type of payment fraud is the most common type your credit union is experiencing today? A) ACH (includes both ODFI/RDFI) B) Paper checks C) Home banking D) Wire E) Debit cards F) Credit cards G) ATM Network cards 4

5 Agenda Emerging trends and risk exposures Current exposures Data compromises Lesson s learned Best practices loss prevention techniques 5

6 Objectives Understand past and current risk identified in plastic cards Identify new emerging risks based on new technology, services and products offered Discuss loss prevention and controls to prevent plastic card loss 6

7 Emerging Trends and Risk Exposures Mobile banking channel Compliance and regulations Competitive pressure New payment alternatives Technology today and into the future 7

8 Understanding the Nature of Fraud Criminals are sophisticated Crooks identify the weaknesses Fraud scheme is used as long as there is a victim Cross-channel fraud new concept to manage risk 8

9 Targeted fraud exposure Counterfeit skimming PIN fraud Current Exposures Criminals find the weakest link Ongoing data breaches Increase in phishing, smishing and vishing System intrusions (Malware) Recruitment Fraud 9

10 Difference Between Phishing vs Skimming Phishing Cardholder has their card in their possession at time of fraud Fraud transaction is magnetic stripe read (POS 90) CVV/CVC value is not validated in the magnetic stripe authorization-member cannot see this value! To stop magnetic stripe phishing validate CVV/CVC and decline missing/mismatched CVV/CVC values Skimming Cardholder has their card in their possession at time of fraud Fraud transaction is magnetic stripe read (POS 90) CVV/CVC value matches in the magnetic stripe authorization Somehow the fraudster obtained the full unaltered magnetic stripe track data ie: merchant breaches/skimming devices 10

11 Future Payment Trends Mobile devices cell, PDA ATM capture (web) Contactless (wave-tap and go) Prepaid Cards Decoupled debit (attaches to a checking account) Instant Account Opening (id verification and funding) Home banking A2A and P2P 11

12 Wireless Technology Contactless Cards - What are they? How do they work? What are the exposures? Radio frequency card transmissions and chip technology dcvv authentication 12

13 Mobile Banking and Payment Risk What is it? Its an extension of your online banking for your membership which provides a Mobile banking channel. How does it work? Provides your members the opportunity to perform a wide variety of banking and payment functions anytime, anywhere using their mobile phone, PDA or other mobile devices. What are the Best practices to minimize risk exposures? Utilize a fraud management system to identify and block suspect transactions Deactivate the mobile device in the event of theft or loss Encryption of locally stored data Implement PIN authorization and lockout Federal Financial Institutions Examination Council (FFIEC) compliance Secure registration of mobile device Secure socket layer (SSL) connection requirement Validate and confirm the security layers are working effectively As you enter into the mobile banking, you will want to talk to your peers and your vendors to share what is working to continue to help manage the mobile payment risk. 13

14 MOBILE BANKING CHANNEL Mobile Players Mobile Devices Risk Exposure Equipment vendors Mobile operators Retailers Financial Institutionsvalidate the network service provider *Format is a critical component Note: Industry has settled on the Use of Near Field Communication (NFC) technology - Enabled mobile Payments Cell Phone PDA-BlackBerrys iphones Smartphones Mobile Application to use the devices (Text messaging option and wireless banking) Web based connection to home banking from the device OR Downloadable program that resides on the mobile device Mobile Payment Options View account balances Transaction history Transfer funds Pay bills Inquiry last transaction Failure to delete text messages stored on the mobile device Failure to meet the compliance/rules Not encrypted on both ends Undetected intrusions Not compatible with the technology Risk Prevention (Best Practices) Password protected Multi factor authentication Capability to remotely delete the application from the payment device Utilize a fraud management system to identify and block suspect transactions Deactivate the mobile device in the event of theft or loss Encryption of locally stored data Secure registration of mobile device Secure socket layer (SSL) connection requirement 14

15 New Card Programs What should I know about the Stored Value (prepaid) card programs? What type of stored value-prepaid card programs is the credit union offering? Gift Cards Payroll Cards Teen/Student Cards Health Savings Cards (limit the merchant category codes-mcc) What loss prevention layers of security does the credit union have in place? 15

16 Data Compromises ID theft and ID fraud Merchant Payment Card Industry (PCI) compliant Structured Query Language (SQL) injection web applications Merchant not Payment Card Industry (PCI) compliant Storage of Card Verification Code (Visa-CVV) Card Verification Value (MasterCard-CVC), Card Verification Value 2 (Visa-CVV2), Card Verification Code (MasterCardCVC2) or PIN block information subsequent to an authorization Legislation - Data Breach Protection Act 16

17 Lesson s Learned Best practices do work to prevent card fraud Measure the $ saved by the effectiveness of the loss prevention tool Sharing of information amongst each other Getting to the root causation of the loss Being proactive vs reactive 17

18 Re-Cap of Best Practices Fraud management solution 24x7/365 alert notification CVVCVC with response set to decline Name matching track 1 magnetic stripe Expiration date matching Maximum daily $ limits Card activation 18

19 Re-Cap of Best Practices Authorization strategies CVV2/CVC2 Verified by Visa/MasterCard Secure Code (online transactions only) Address verification service PIN management Issuer s clearinghouse service 19

20 1 ICS (Issuers Clearinghouse Service) Who performs the ICS system for application request? New /Existing address validation How does your credit union handle address validations? Card Transaction Starts here Card Present Starts LIFE OF A CARD TRANSACTION Credit Union Name: Card Program Type: Transaction Type: Card Processor: Data Processor: (Host System): Daily $ Limit CAP for all Credit-signature Credit-PIN, Debit-Signature and Debit PIN Credit (S) Credit (P) Debit (S) Debit (P) Cardholder Dispute + Recovery Who performs your chargeback and compliance recovery? Card Activation- Activation method? SIGNATURE (Pinless) Who performs Signature (pinless) authorization? PIN Who performs the PIN authorization? Response to merchant Card Transaction Ends Card Transaction Starts here Card Not Present Primary=P auth Stand-in=S auth Neural Network Fraud Management Who is providing fraud management for all card transactions? P S CVV/CVC Checking Who holds the CVV/CVC key to validate CVV/CVC? P S Name Mismatch Who holds the cardholder files to perform name matching? P S Expiration Date Checking Who holds the cardholder files to validate? exact expiration date matching? P S CU does not perform the authorization Who performs your authorizations and parameter settings? P S Address Verification Service Who holds the cardholder files to validate Address Verification Service? P S CVV2/CVC2 Checking Who holds the CVV2/CVC2 key to validate CVV2/CVC2? P S Verified by Visa MasterCard SecureCode (Internet transactions only) Who performs VBV/MCSC validation? P S PIN Management How are you validating PINs? P S CU performs the authorization (Data Processing- Host Systems) Which security features are performed on your host system? P S 20

21 PIN Transaction Flow PIN capture- How do the fraudsters get the PIN? Foreign device at an automated teller machine/pin pad/camera Phishing voice/ /text to credit union member Counterfeit credit union link to a phony credit union website PIN Transaction 16 digit account # PIN validation PIN Authorization Network Card Non Visa/MasterCard logo card Debit Check Card Visa/MasterCard logo check card 1. Card Verification Value (Visa-CVV)/Card Verification Code (MasterCard-CVC) 2. Exact Card Expiration Date 3. Fraud Management System CU to utilize and validate all available card security on PIN authorizations PIN validation at point-of-sale (POS) or automated teller machine (ATM) devices Authorization strategies 21

22 Payment Types Get Connected ACH Electronic Payments Home Banking Bill Pay Credit Cards Wire Transfer Debit Cards (Debit Check + ATM Network) Paper Checks 22

23 Visa Announcement to Accelerate Chip Migration Migration to EMV contact and contactless chip technology in the U.S. Speed up the adoption of mobile payments and improve security Secure payments through the use of dynamic values for each transaction Account data less attractive to steal Three initiatives: Expand the Technology Innovation Program to Merchants in the U.S. Build Processing Infrastructure for Chip Acceptance Establish a Counterfeit Fraud Liability Shift 23

24 Credit Unions Action! By adopting a more holistic approach that includes integration of systems across products, channels and geographies, credit unions can operate more efficiently and proactively in the fight against fraud! 24

25 Resources Visit CUNA Mutual s Protection Resource Center at to access: Loss Prevention Library RISK Alerts Webinar library Ask a risk manager Loss Prevention Library Resources Online Plastic Card Risk Assessment Best Practice Brochure RISK Alerts Member Education on Phishing Attacks ( ) PINs Under Attack ( ) Plastic Card Fraud Still Strong ( ) 25

26 Thank you for working together to continue to prevent card fraud! Questions? 26

27 CUNA Mutual Group Proprietary Reproduction, Adaptation or Distribution Prohibited CUNA Mutual Group Ann Davidson Risk Manager CUNA Mutual Group , ext