ONLINE PAYMENTS: Bridging the Gap between Fraud Prevention and Data Protection

Transcription

1 ONLINE PAYMENTS: Bridging the Gap between Fraud Prevention and Data Protection IAPP EUROPE DATA PROTECTION CONGRESS November 2014 Brussels

2 Increase of Payment Card Fraud on Internet Europe: USA: 11 billion $ on payment card fraud in 2012 (+14,6 over 2011) 60 % face to face (card transaction at point-ofsale terminals) / 40 % e-commerce (Source : The Nilson Report for year 2012) Different figures due to the use of chip - and PIN cards but proportion of e-commerce fraud is increasing (36% face to face / 64 % e-commerce, notably internet) (Source : Observatory on security of means of payment of French Central Bank - Observatoire de la sécurité des moyens de paiement de la Banque de France, Annual Report 2013) Losses occur mainly on card-not-present transactions (The Nilson Report) The most important source of fraud (64 % of total amounts) is due to the use of stolen or fake card-numbers for e-payments, not to stolen, lost or fake cards (Observatory on security of means of payement of French Central Bank) Payments made over the internet are subject to higher rates of fraud than traditional payments methods Page 2 Bird & Bird AARPI

3 Fight Against Fraud versus DP Compliance : The Great Divide? 1) Recommandations for the Security of Internet Payments from the European Central Bank : Collection of information Storing of information Monitoring, Profiling, Blacklists Need to authentify the cardholder in the absence of use of chips-and PIN Increases both the amount and nature of personal data used for monitoring / scoring transactions identify risks and cardholders : card holder's identity but also cardholder's behaviour, geolocation through IP address, device fingerprinting to distinguish between machines all this to identify individual users and devices. 2) DP Requirements: Data minimization Limited retention period Limits to monitoring, profiling and blacklists which are considered as presenting risks for privacy Page 3 Bird & Bird AARPI

4 European Central Bank Recommandations for the Security of Internet Payments 14 recommandations (January 2013) Recommandation 10 : "Transaction Monitoring" Transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions should be operated before the PSP s final authorisation; suspicious or high risk transactions should be subject to a specific screening and evaluation procedure. Equivalent security monitoring and authorisation mechanisms should also be in place for the issuance of e-mandates PSPs should use fraud detection and prevention systems to identify suspicious transactions before the PSP finally authorises transactions or e-mandates. Such systems should be based, for example, on parameterised rules (such as black lists of compromised or stolen card data), and monitor abnormal behaviour patterns of the customer or the customer s access device (such as a change of Internet Protocol (IP) address 24 or IP range during the internet payment services session, sometimes identified by geolocation IP checks,25 atypical e-merchant categories for a specific customer or abnormal transaction data, etc.). Such systems should also be able to detect signs of malware infection in the session (e.g. via script versus human validation) and known fraud scenarios. The extent, complexity and adaptability of the monitoring solutions, while complying with the relevant data protection legislation, should be commensurate with the outcome of the risk assessment. Page 4 Bird & Bird AARPI

5 A Challenge for the Industry Absence of concertation: Rules on fight against fraud do not sufficiently take into account DP requirements Page 5 Bird & Bird AARPI

6 Differences between jurisdictions accross Europe : Lack of Harmonisation between EU Member States DIFFERENCES: Prior Authorization from DPA required for Fraud detection / Risk scoring / black listing in some countries : France, Netherlands (because of processing of criminal data); Prior Information notice or consent required at different levels depending on jurisdiction; Legal retention periods vary, or no precise guidance depending on jurisdiction; Different legal requirements on possibility to process data on offenses, convictions, ciminal data Different sensitivities depending on the jurisdiction to credit bureaus, to mutualisation of data concerning fraud or debtors, to black lists resulting in different applicable rules and guidelines CONSEQUENCES: Some actors may feel that they are not allowed to use tools which are efficient enought in order to fight against fraud in the context of online payments, because of DP rules and because of discripencies of DP rules and their interpretations accross EU jurisdictions Ex : Difficulties to apply guidelines adopted by Art. 29 WP in 2005 on "Terminated Merchant Data base (black list databases designed to reduce fraud on payments); France : ex. of FEVAD (Federation of e-commerce and on-line Industries) White Paper on online payments Oct 2013 Page 6 Bird & Bird AARPI

7 Page 7

8 EXAMPLE : FEVAD White Paper or online payments (Oct. 2013) Questionnaire sent by FEVAD to its members (280 e-merchants) + face to face interviews More than 1/3 of e-merchants (mostly the bigger ones) consider that DP requirements have a negative impact on their possibilities to fight against fraud on online payments Question : "How do you consider the impact of CNIL's requirements on your possiblities to fight against fraud?" Page 8

9 International Payment Card Industry Security Standards: PCI-DSS The Payment Card Industry (PCI) Data Security Standards are global data security requirements created by 5 major payment card brands, for all entities that process, store or transmit cardholder data: Technical and Operational Security requirements launched in 2006 and set by the PCI Security Standard Council to protect cardholder data (American Express, Discover Financial Services, JCB, Marstercard, Visa) Apply to any debit, credit and pre-paid card branded with one of the 5 brands : Amex, Discover, JCB, Marstercard, Visa Apply to ALL businesses that process, store, or transmit payment card information : essentially any merchant accepting cards for the payment of goods or services, and any third party processing credit card information : - Merchants : online traders, retailers, financial institutions (banks and insurance companies); - Service providers : payment gateways, e-commerce host providers, credit reporting agencies, back-up management companies Page 9

10 12 rules : Goals Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI DSS Requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect (encrypt) stored cardholder data 4. Encrypt transmission of cardholder data across open / public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to premises where cardholder data are stored 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel on all security aspects Page 10 Bird & Bird AARPI IAPP EUROPE - DATA PROTECTION CONGRESS 2014

11 Focus on Requirement 3 : Protect stored cardholder data Do not store the Card Security Code (i.e sensitive authentification data) after authorization (even if it is encrypted) : PCI DSS standards forbid to store the 3- digit security code on the back of the card, and the 4-digit security code on the front of the Amex card PAN truncation: Mask PAN (Privacy Account Number) i.e. the "card number" when displayed (on a customer receipt). The first 6 and last 4 digits are the maximum number of digits you may display (usually the last 4 digits only) the other digits being replaced by asterisks. If your organization stores the PAN, it must be rendered unreadable (encrypted notably) anywhere it is stored including on portable digital media, backup media, in logs. Page 11

12 CNIL's Requirements in France : Technology Enhanced Privacy? CNIL built up on PCI-DSS standards to rule on processing and storage of payment card data for online payments (Recommandation on the Processing of payment card data in the context of remote sale of goods or provision of services Nov.14, 2013): Prohibition of the storage of the security code of payment cards (CNIL + PCI- DSS), Secured storage of credit card number (encrypted or otherwise rendered unreadable) (CNIL + PCI-DSS) Retention of the card data no longer than required to complete the transaction, unless the cardholder has given specific, express and informed consent (some exceptions apply but only enable to keep data as off-line archives) (CNIL) The consent requirement also applies in case the payment is recurrent or fractionated (CNIL) Consent as a rule for card data storage, EXCEPT for fighting against fraud Enforcement action: example of "FNAC Direct" Page 12 Bird & Bird AARPI IAPP EUROPE - DATA PROTECTION CONGRESS 2014

13 Draft European Regulation: What to expect? The legitimate interest of the controller can serve as a legal basis for processing in the following cases: For the purpose of insuring network and information security where "strictly necessary" : Whereas n 39 : "This principle also applies to processing of personal data to restrict abusive access to and use of publicly available network or information systems, such as blacklisting of electronic identifiers" (E.P. March 12, 2014) Whereas n 38 "Provided that they meet the reasonable expectations of the data subject based on his or her relationship with the controller and that the interests of the fundamental rights and freedom of the data subject are not overrinding (E.P. March 12, 2014). Whereas n 38 : "Processing limited to pseudonymous data should be presumed to meet the reasonable expectations of the data subject based on his or her relationship with the controller (E.P. March 12, 2014). May apply to tokenisation systems which allow to track transactions performed with a card without identifying the cardholder. Page 13 Bird & Bird AARPI IAPP EUROPE - DATA PROTECTION CONGRESS 2014

14 But Rules on profiling in the Draft European Regulation do not include the balance of interests 1) Right of the Data Subject to object to profiling at any time (Art 20.1/PE) 2) Only Legal basis for profiling are : (Art. 20.2/PE) Page 14 - If profiling is necessary for entering into or for performance of a contract (provided that suitable measures to safeguard the data subject's legitimate interests have been adduced); or - If profiling is expressly authorized by a Union or Member State law; or - If profiling is based on the data subject's consent. The legitimate interest of the controller cannot be a legal basis for profiling Problematic for processing intended for fraud prevention which cannot be considered as based on contractual necessity (WP 217 Art. 29 WP Opinion 06/2014 on the notion of legitimate interests of the data controller under art. 7 of Directive 95/46/EC.) Also Art. 21 of Draft Regulation does not allow Member States to restrict the scope of the obligations and rights provided by Art. 20 on profiling (whereas they can do so for provisions of Articles 11 to 19)

15 To conclude : - Check that your payment service provider is PCI-DSS compliant (check your contract) - Watch out for differences between jurisdictions - Watch out and hope for Draft DP Regulation improvements on legal basis for profiling Contact your professional organisations and your DPA. Page 15

16 Thank you Ariane Mole Co-head of International Data Privacy Practice, Bird & Bird AARPI Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address. twobirds.com