DRAFT. Six Recommendations to MasterCard and Visa to Improve Credit and Debit Cardholder Security. Presented by

Transcription

1 DRAFT Six Recommendations to MasterCard and Visa to Improve Credit and Debit Cardholder Security Presented by The American Bankers Association National Bank Card Fraud Task Force in an effort to give consumers better protection and comfort while using the payment system. November 2010

2 Decision Item 1 LIABILITY SHIFT IN ACCOUNT DATA COMPROMISED CASES Business Owners: Impact Anticipated Implementation Date Proposal Background Benefit Security and Risk Management Financial accountability has been the linchpin that holds all competing entities together in the payment industry. When one side does not uphold their agreement, the end result can be a shift in the delicate balance resulting in increased liability where it did not belong. This is the impact that recent cases of account data compromises have caused as a result of merchant mismanagement and negligence. As a result, literally millions of dollars in fraud losses have come to bear on unsuspecting consumer cardholders and Issuers. To be determined In cases of confirmed account data compromises not only would Issuers re-coup monitoring costs and re-issuance costs but they also could charge back any fraud losses directly related to the merchant compromise. A separate chargeback reason code would be established for these charge-backs. As the number of account data compromises increase, Issuers clearly are feeling the negative financial effects of these cases and subsequently the consumer. Large numbers of accounts could easily cost an Issuer thousands of dollars per compromise in actual fraud losses. Today those losses are the responsibility of the Issuer even though they were the direct result of Merchant negligence. While holding Acquirers responsible for the actions of their Merchants has long been an established principle of the payment industry, these examples are the one exception to their rule. The consequences of this have lead to merchant complacency as they realize they have limited liability should a compromise occur. This puts the consumer data security at risk. If we held them totally accountable for ALL fraud losses they caused, Merchants would have a greater incentive to ensure their systems were totally secure. Fraud losses will only decrease if all parties, Merchants, Acquirers and Issuers, do their utmost to limit risk. Financial incentives or penalties have long been the catalyst for change. If

3 Merchants/Acquirers are fully accountable for all losses they cause this will lead to behavioral changes which will ultimately lead to lower losses. This will benefit the entire Bankcard community and most importantly, consumers, the unsuspecting victim. Recommendation Pending Action To hold Merchants liable for all fraud losses that are caused as a direct result of an account data compromise. A separate chargeback reason code would be established for Issuers to use in these cases. Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings.

4 Decision Item 2 COMMUNICATION REGARDING ALERT NOTIFICATION Business Owners: Impact Anticipated Implementation Date Proposal Background Security and Risk Management Many small and medium sized Issuers do not receive timely notification regarding security breaches thus impacting their ability to protect their customer. Smaller institutions (affiliates) sponsored by another financial institution may never be officially notified of the problem. Better communication between MasterCard and Visa and ALL Issuing Members, regardless of size or sponsoring status, would lead to better consumer notification and information, quicker blocking of potential fraud accounts and less fraud losses. To be determined To allow the direct notification concurrently of all MasterCard and Visa and Issuers principal members, affiliate and agent banks, including processors in instances where an account has been compromised. Immediately upon notification of a security breach, MasterCard through MasterCard Alerts and Visa through CAMS will electronically notify all Issuers of the card numbers that have been affected. The notification will include a Universal Compromise Reference Number (UNICORN) developed by the card brands to indentify each incident. As soon as the source and location of a security breach is determined, that information should be communicated to all affected banks and financial institutions via the UNICORN, so they can protect their customers and themselves. Information must include, but not limited to actual information that was possibly compromised along with the card number (i.e., expiration date, name, address, etc.) With this information, during the process of contacting victimized consumers, banks will be able to properly explain to them how their cards were compromised and what information is at risk. This method of communicating to all Issuers will not supersede the other mechanisms and procedures in place for all other operating procedures. Specifically, these procedures are authorizations, charge-backs, settlement, etc. and they will continue under existing communications lines to Processors, Issuers or Affiliates.

5 Benefit Recommendation Pending Action This simple, but powerful, rule change will enable all MasterCard Members and Visa members, irrespective of status, the ability to provide immediate customer attention on accounts that have been compromised and reduce their risk. Issuers can be proactive in providing positive public relations and customer information instead of reacting and having customers hear about compromised accounts though the news media. These mediums negatively portray banks efforts to safeguard account information and put banks on the defensive. Being informed immediately from MasterCard and Visa would counter and eliminate these negative influences. Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings. Mandate that banks receive notification directly from MasterCard or Visa regarding compromised accounts.

6 Decision Item 3 MERCHANT SOFTWARE SYSTEM CERTIFICATION Business Owners: Impact Implementation Date Proposal Background Benefit Recommendation Pending Action Merchant Services The payment systems are losing millions of dollars on a yearly basis due to neglect and poorly designed merchant software systems. MasterCard and Visa s inability to have any control over this vital segment has created a risk to members that needs to be addressed. To be determined All merchant software vendors must register with MasterCard and Visa that they are compliant with minimum standards as set forth by each association. Failure to do so would lead to de-certification and publication of the vendor name and software system in an operation and financial bulletin to all members. In certain instances merchants have purchased software inventory systems that manage multiple tasks including payments, inventory control and billing. To their surprise this software also captures full magnetic stripe data and stores that data. Other examples include third party vendors that provide payment services that are also capturing the data. Neither ignorance of their own system capabilities, or shortcomings, nor that of any third party they contract with should absolve the merchant from liability. All merchants must be certified as PCI compliant as soon as possible. Only by holding merchants financially accountable for all actions that originate with them will they have a vested interest in helping solve this growing risk. By ensuring each vendor and merchant software provider meets stringent standards the threat of penalties will be lessened and the industry will be able to mitigate losses and keep them to a minimum. MasterCard and Visa will establish minimum data requirements and standards for all merchant software systems. After a short grace period each Acquirer must certify, through an audit, they meet these minimum standards. Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings.

7 Decision Item 4 COMMUNICATION TO BANKS ON THE SEVERITY OF SECURITY BREACH AND DISCLOSING NAME OF THE MERCHANT Business Owners: Impact Anticipated Implementation Date Proposal Background Benefit Security and Risk Management Security breaches of merchant databases concerning consumer cardholder data have become far too common. Issuers receive so many notices from MasterCard and Visa that security and fraud staffs can sometimes become complacent due to the regularity of these notices. The impact of not understanding the severity of these breaches and not knowing the merchant name can cost members millions of dollars. To be determined MasterCard and Visa must set up a system to more accurately portray the severity of breaches in compromised account data cases. In addition, the Merchant name must be disclosed. The system and definitions must be clearly communicated to all members. This can be accomplished with a non-disclosure agreement. The burden has rested on the Issuing Banks to make a determination, with limited information at best, regarding the actions to be taken regarding account data compromises. A wrong decision, to monitor accounts rather than block and re-issue, could cost Issuers millions of dollars in future losses and place an unfair burden on the consumer. The opposite decision, to block and reissue all affected accounts, could cost the Issuer thousands of dollars in card issuance costs and communication costs to their cardholders. At times these actions provide no tangible benefit. After some cardholders have had their cards re-issued two or three times, these cardholders have lost their trust in the payment systems and no longer use their plastic. Issuers must be informed of the severity of a breach to prevent these all too often occurrences. This problem is compounded by the myriad of state data security statutes that have recently been enacted in response to this problem. Keeping consumers happy is paramount to a successful issuing program. Informed decision making due to better and more

8 complete information from both MasterCard and Visa regarding the security of account data compromise would go a long way in keeping consumers satisfied and their personal information safe. Recommendation Pending Action MasterCard and Visa must set up a system to more accurately describe the severity of a security breach at a merchant and also disclose the merchant name. Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings.

9 Decision Item 5 CHANGE IN METHODOLOGY FOR SECURITY BREACHES Business Owners: Impact Anticipated Implementation Date Proposal Background Security and Risk Management Issuers are unfairly bearing the brunt of costs associated with Merchant/Acquirer security breaches. The pre-compliance process devised to allow banks an opportunity to seek reimbursement for expenses related to a security breach they are not responsible for seems to be designed to make it highly unlikely that any financial institution will ever recover any expenses. The process needs to be streamlined for Issuers to seek recovery of costs associated with security breaches for card replacement. As Issuers receive fairer reimbursement, Merchants/Acquirers will be forced to protect customer data or risk extreme financial penalties or liabilities. To be determined To shorten the time frame where Issuers receive reimbursement for monitoring accounts and card losses from compromised accounts. In addition Issuers need to be granted more time to file compromised account data cases, partly because the administrative effort has become more complex. The number of known security incidents has grown from a relatively few cases in 2000 to over 260 million records by one account in 2009, and increases every year. In almost all cases the Merchant/Processor/Acquirer stored cardholder data and this has been acknowledged to be in violation of MasterCard and Visa rules. Despite the massive negative publicity and harm to the consumer these cases have generated, the storage of cardholder data continues, and MasterCard and Visa have been powerless to stop it. As with all business decisions the only true remedy is a financial one. The cost of storing cardholder data must be increased dramatically to ensure all relevant parties cease this practice immediately. Issuers must be given better, more complete and timely information on merchant name, city and state and details of how the data was compromised. This will enable Issuers to respond more proactively with their cardholder, the media and their shareholders and give them an opportunity to better protect their accounts. The time frame must also be extended for Issuers to file a claim and a timetable must be established where by Issuers will be reimbursed. Today a great many months go by before an

10 Issuer is paid and the whole process may take one to two years. In the mean time the Issuer is out these funds and is bankrolling the merchant during this period. Benefit Recommendation Pending Action The current process for reimbursement is long, cumbersome and costly for Issuers. Changing and expediting the reimbursement period, while also providing Issuers additional time to prepare claim submission would lower operational and administration costs and therefore increase profits. Merchants/Acquirers would be held more accountable financially for their actions. To provide a 90 day time frame for Issuers to be reimbursed after claim submission and a 90 period after the security bulletin for a claim to be filed. The committees are asked to evaluate and pass the proposed new rules on changes in methodology.

11 Decision Item 6 SECURE CODE AND VERIFIED BY VISA Business Owners: Impact Implementation Date: Proposal Background Benefits Security and Risk Management The internet is still considered unsafe by many cardholders who constantly are reminded via media (television, newspapers and radio) of identity theft and merchant data base compromises. Consumers are quickly losing confidence in the ability of the payment system to protect their account information and the impact of this is enormous. To be determined All MasterCard and Visa E-Commerce merchants must register that they have complied with all requirements for Secure Code or Verified by Visa. Numerous major vendors/merchants have publicly admitted to withholding the full extent of the number of compromised accounts that have occurred to their databases. This has lead to consumer outrage and congressional hearings on this subject. Merchants can no longer be trusted to protect cardholder data by themselves. The only proper way to achieve full compliance is to mandate that merchants must register and comply with these programs. If they do not, Acquirers must either be forced to terminate their merchant relationship and no longer let them accept MasterCard and Visa Cards and present them into settlement or accept a $25,000 fine per month. (This is the same penalty that Issuers face). While E-Commerce transactions show a steady increase, the number of consumers that will embrace purchasing via non face to face methods will not reach its potential without better security measures. MasterCard, Visa, Acquirers, and Issuers have spent great sums of money on Secure Code and Verified by Visa but have seen relatively few merchants avail themselves of this optional service. While making their programs mandatory will surely decrease the number of merchants accepting credit and debit cards, it will make the merchants left more secure. This will result in greater profitability for Merchants, Acquirers, Issuers, MasterCard and Visa and renewed commitment by consumers to use their debit cards.

12 Recommendation Pending Action Effective as soon as possible, all merchants must register for either Secure Code or Verified by Visa or face a $25,000 fine per month or be terminated. Both the MasterCard International Security Committee and Visa Risk Advisory Committee are asked to evaluate this proposal and approve it at their next meetings.