Fraud Prevention and Program Security Gord Jamieson Director Risk Management & Security Visa Canada Association

Transcription

1 Fraud Prevention and Program Security Gord Jamieson Director Risk Management & Security Visa Canada Association

2 Evolution of Risk Management Controls Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here.

3 Trends Shaping Risk Management In order to continue to provide the highest level of consumer and stakeholder confidence in the payment system, current risk and fraud management practices need to be continuously assessed and retooled to meet the challenges. Key Internal & External Influences Shift in the Nature of Compromise Events Growing Regulatory Scrutiny Proliferation of new Products and Technology Competitive Pressures Diversity of Stakeholders Implications to the Implications Risk to the Enterprise Risk Enterprise Redefining fraud control strategies Optimizing channel delivery and performance Providing value added services Establishing interoperability across platforms and ensure minimal impact and seamless to stakeholders Systems Priorities Re-architect Fraud Detection / Prevention and Analysis Systems Improve risk data provisioning Enhance the risk service delivery infrastructure

4 Canadian Credit Card Fraud Canada - Fraud 3 Year Trend 12 Months Ending June (CDN $ Millions) 100% 90% $223.3 $266.1 $ % % of Total Fraud 70% 60% 50% 40% 30% Misc/ID Theft/Acct Takeover Card Not Present Counterfeit Fraud Apps Non Receipt Stolen Lost 20% 10% % Source: CBA - Payment Card Partners (VISA CANADA ; MASTERCARD CANADA ; AMEX CANADA)

5 How is Data Compromised Skimming at merchant locations continues to be the dominant source of credit card compromises, however the criminals are using more sophisticated techniques such as bogus merchant terminals and overlays on POS terminals and ATMS. These devices can capture both card and PIN information without the need for a covert camera Card-Not-Present (Card Absent) Fraud Increasing use of the internet for business and personal use has created other opportunities for the criminal element to gain access to more credit card data than can be obtained at traditional bricks & mortar merchants. These schemes involve phishing, spoofing and hacking merchant databases Account Compromises / Identity Theft Hacking and Account Compromise Attacks

6 Counterfeit Growth Canadian counterfeit losses have been experiencing growth 12 Months Ending June (CDN $ Millions) $139.8 Total Fraud CDN$ Millions $86.6 $46.9 $ % +25% $88.1 $ % -1% Counterfeit Card Not Present Source: CBA - Payment Card Partners (VISA CANADA ; MASTERCARD CANADA ; AMEX CANADA)

7 Counterfeit Growth Counterfeit growth can be attributed to: Advances in applied technology Sophisticated and technologically advanced criminal element Globalization of criminal organizations Insufficient penalties

8 Counterfeit Fraud grew 25% from 2005 to 2006 and fell 7% from 2006 to 2007 (4 quarters ending March Amounts in CDN$ Millions) 100% 90% 80% 70% 60% 50% 40% 30% Visa Credit Card Fraud $161.5 $177.7 $166.8 $24.1 $23.8 $22.7 $5.0 $3.5 $4.9 $3.7 $2.9 $4.9 $3.7 $2.9 $2.5 $62.2 $77.9 $72.8 Lost/Stolen Non Received Misc Fraud Application Counterfeit CNP 20% $61.8 $65.7 $ % 0% Visa fraud data source: CDI High-Risk File Access

9 Counterfeit Growth Visa has seen a decrease in counterfeit growth in 2007 and this can be attributed to: Member s neural networks are able to identify suspicious transactions and respond in real time Credit on Fraud Alert System (CoFAS) Common Point of Purchase (CPP) management database Criminal displacement Visa s long term strategy to address counterfeit is Chip & PIN which begins this October 2007.

10 Fraud on Commercial Products Decline in Fraud-to-CSV was experienced for all products Commercial products experienced the most significant decrease in Fraudto-Sales Fraud-to-Sales % 0.140% 0.120% 0.100% 0.080% 0.060% 0.040% 0.020% 0.000% Category Product % Growth (2006 to 2007) Commercial Business 0.058% 0.058% 0.055% -5% Corporate 0.245% 0.450% 0.272% -39% Purchase 0.164% 0.205% 0.100% -51% Commercial Total 0.092% 0.111% 0.076% -32% Consumer Classic 0.114% 0.109% 0.098% -10% Gold/Premier 0.122% 0.119% 0.100% -17% Consumer Total 0.119% 0.115% 0.099% -14% All Products 0.116% 0.114% 0.096% -16% 0.119% 0.116% 0.111% 0.115% 0.114% 0.092% 0.099% 0.096% 0.076% Commercial Consumer All Products Visa fraud data source: CDI High-Risk File Access Visa sales data source: Operating Certificate

11 Fraud Growth Fraud on Commercial Products has fallen 17%, whereas, Consumer Products fell 5% Commercial Products Consumer Products 0.120% % 162 Fraud-to-Sales Ratio 0.100% 0.080% 0.060% 0.040% 0.020% 0.092% 0.111% +21% 0.076% -32% Fraud Amount CDN$ Millions Fraud-to-Sales Ratio 0.120% 0.100% 0.080% 0.060% 0.040% 0.020% 0.119% 0.115% -3% 0.099% -14% Fraud Amount CDN$ Millions 0.000% % Fraud-to-Sales % Fraud Amount Fraud-to-Sales % Fraud Amount For 4 quarters ending March Visa fraud data source: CDI High-Risk File Access Visa sales data source: Operating Certificate

12 Fraud on Commercial Products Fraud on Commercial Products account for only 9% of total fraud dollar losses 58% of fraud on Commercial products occur on Business cards Fraud-to-Sales decreased by 5% from 2006 to % of fraud on Commercial products occur on Corporate cards Fraud-to-Sales decreased by 39% from 2006 to % of fraud on Commercial products occur on Purchase cards Fraud-to-Sales decreased by 51% from 2006 to 2007 Fraud-to-Sales Fraud-to-Sales Fraud-to-Sales Ratio Ratio Ratio 0.500% 0.400% 0.300% 0.200% 0.100% 0.000% 0.500% 0.400% 0.300% 0.200% 0.100% 0.000% 0.500% 0.400% 0.300% 0.200% 0.100% 0.000% Business Products 0.058% 0% Fraud-to-Sales % Fraud Amount Corporate Products 0.450% +84% Fraud-to-Sales % Fraud Amount Purchase Products 0.055% -5% 0.272% -39% 0.205% +25% % -51% Fraud-to-Sales % Fraud Amount For 4 quarters ending March CDN$ Millions CDN$ Millions CDN$ Millions Fraud Amount Fraud Amount Fraud Amount Visa fraud data source: CDI High-Risk File Access

13 Fraud on Consumer Products Fraud on Consumer Products account for only 91% of total fraud dollar losses Fraud-to-Sales Ratio 0.130% 0.120% 0.110% 0.100% 0.090% Classic Products 0.109% -5% 0.098% -10% Fraud-to-Sales % Fraud Amount Fraud A CDN$ M m ill ount ions 40% of fraud on Consumer products occur on Classic cards Fraud-to-Sales decreased by 10% from 2006 to 2007 Fraud-to-Sales Ratio 0.150% 0.100% 0.050% 0.000% Gold/Premier Products 0.119% -2% 0.100% -17% Fraud-to-Sales % Fraud Amount Fraud Amount CDN$ Millions 60% of fraud on Consumer products occur on Gold/Premier cards Fraud-to-Sales decreased by 17% from 2006 to 2007 For 4 quarters ending March Visa fraud data source: CDI High-Risk File Access Visa sales data source: Operating Certificate

14 All Fraud Types CNP and Counterfeit account for 79% of fraud on Canadian Cards All Products 38% Commercial Products 36% 43% 42% 18% 0% 0% 2% CNP Counterfeit Fraud Application Misc Non Received Lost/Stolen 14% CNP Fraud Application Non Received 2% 3% 2% Counterfeit Misc Lost/Stolen 36% 44% 13% 2% 3% 2% Consumer Products CNP Fraud Type Distribution for 4 quarters ending March 2007 Counterfeit Fraud Application Misc Non Received Lost/Stolen Visa fraud data source: CDI High-Risk File Access

15 Fraud on Commercial Products 62% of Commercial losses is domestic (Canadian Issued Cards used in Canada) Commercial Products 40% Domestic Spend 42% CNP Fraud Application Non Received 38% 18% Counterfeit Misc Lost/Stolen 0% 0% 2% 23% 0% 1% 3% 33% CNP 10% 0% 0% 55% 35% Counterfeit Fraud Application Misc Non Received Lost/Stolen Cross Border Spend CNP Counterfeit Fraud Application Misc Non Received Lost/Stolen Fraud Type Distribution for 4 quarters ending March 2007 Visa fraud data source: CDI High-Risk File Access

16 Impact of Fraud Direct cost of Member and Merchant fraud charge-offs Indirect costs of exception management, dispute resolution and customer service Goodwill damage to Members and Merchants Reputation risk to Visa and industry: Law enforcement community Regulatory authorities Consumer advocates and ombudsman agencies Consumer confidence in electronic payment services The Media / Press

17 Visa fraud data source: CDI High-Risk File Access Top 10 Fraud Merchants for Commercial Products Top 10 MCCs for Commercial Cards MCC MCC Description Fraud Amount (CAD) % of Fraud $ to Total Fraud $ 5732 Electronic Stores 681, Grocery Stores/ Supermarkets 532, Telecommunication Equipment 504, Service Stations 468, Air Canada 468, Automated Fuel Dispensers 466, Discount Stores 409, Jewelry Stores 405, Home Supply Warehouse Stores 384, Grocery Stores/ Supermarkets 343,660 Top 10 MCC Total 4,664,121 All MCC Total 14,400,

18 Visa fraud data source: CDI High-Risk File Access Top 10 Counterfeit Merchants - Commercial Products MCC MCC Description Fraud Amount (CAD) % of Fraud $ to Total CNFT Fraud $ 5411 Grocery Stores 360, Automated Fuel Dispensers 339, Electronic Stores 336, Service Stations 267, Discount Stores 241, Home Supply Warehouse Stores 234, Department Stores 230, Jewelry Stores 220, Restaurants 175, Drug Stores & Pharmacies 143,152 Top 10 MCC Total 2,550,005 All MCC Total 5,445,

19 Visa fraud data source: CDI High-Risk File Access Top 10 CNP Merchants for Commercial Products MCC MCC Description Fraud Amount (CAD) % of Fraud $ to Total CNP Fraud $ 3009 Air Canada 366, Telecommunications Equipment 364, Other Direct Marketers 211, British Airways 193, Combination Catalog & Retail 181, Telecommunication Services 167, Computer Network/ Info Services 143, Computer Software Stores 141, Travel Agencies 138, Misc Specialty Retail 130,504 Top 10 MCC Total 2,040,029 All MCC Total 5,955,

20 General Best Security Practices Do Stay informed and follow any new security practices that may emerge over time. Protect your PIN and Passwords Memorize your PIN. Choose PIN/passwords that cannot be guessed by others and do not write them down. Don't give out your personal information freely. Destroy old and expired bank and credit cards.

21 General Best Security Practices Do Shred documents that contain personal information (i.e., bank statements). Destroy carbons and receipts that may contain account numbers and/or signatures. Tear up or shred any pre-approved credit card offers to which you do not respond. Review your credit report at least once every year. Make sure all information is up-to-date and accurate.

22 General Best Security Practices Don t Don't respond to unsolicited s that request personal information such as your banking card number, ABM PIN, online/telephone banking passwords, credit card numbers etc. Do not leave your bank and credit cards unattended. Don't confidential information such as account numbers, date of birth, etc. Don t leave personal information (bank statements) lying around.

23 Visa Uses a Multi-Layered Approach to Security Zero Liability Policy Visa E-Promise Chip and PIN Card Security Features Consumer Protection Counterfeit and Lost / Stolen Fraud Mitigation Verified by Visa Address Verification Service Card-Not-Present Fraud Mitigation Three-digit code (CVV2) Account Information Security Neural Networks Data Security & Early Warning

24 Visa Uses a Multi-Layered Approach to Security

25 Commercial Products are Exempt for CNP Risk Tools Commercial products have been exempt from the liability shift associated with the implementation of Verified by Visa (VbV) and Address Verification Service (AVS). Criminals will target the weakness link and that may turn out to be commercial cards in the CNP environment if effective cardholder authentication tools are not used. Scotiabank is certified for use of VbV, Card Verification Value 2 (CVV2), and AVS. For their Commercial products, on average, CVV2 is used in about 25% of their CNP authorization volume and AVS is used about 40% of the time. Levels of usage for Scotiabank commercial cards are well above our regional average of 15% for CVV2 and 28% for AVS.

26 CVV2 and AVS Penetration Both of these risk mitigation tools are under utilized within the Canadian acceptance environment, but where used have proved effective. CVV2 is requested in only 15% of Domestic CNP volume and has a performance match rate of 93%. AVS is requested in 28% of Domestic CNP volume and has a performance match/partial match rate of 71%. Analysis from the US Region, has proven that transactions where the results of CVV2 & AVS were No Match were 15 times more likely to be fraudulent. Further, if merchants employed both fraud mitigation tools during a CNP transaction, overall fraud would decline substantially.

27 Card-Not-Present Environment Realities Card-Not-Present is fundamentally different from Face-to-Face Transactions Fraud liability Fraud opportunity Growth rates Applying face-to-face mentality for risk mitigation may not yield the best results Merchants need to remember they are in charge of controlling fraud & risk and decide which transactions to approve or review further Deploy Know Your Customer (KYC) logic and analysis to mitigate review volumes

28 Card-Not-Present Realities The CNP environment has significant advantages to fraudsters More anonymous (don t show your face) Lower cost of entry (don t need to make cards) More efficient ( less travel time and expense) Issuer and Visa technologies have reduced face-to-face opportunity There may be more fraud than meets the eye Merchant reported fraud rates may exceed chargebacks that Visa sees and fraud reported volumes / ratios Merchants often issue credits

29 CNP Fraud Control Needs Varied Approach Visa authentication / verification (VbV, CVV2, AVS) offers several benefits for many CNP transactions Layered approach provides a better authentication/verification Transactions with stronger approach to authentication have lower risk to dispute than those with weaker authentication Issuers are often less well positioned than merchants to know when authentication is necessary or adequate No single authentication / verification method is a silver bullet CVV2 and AVS non-matches can occur on legitimate transactions Blunt instrument solutions to address high risk merchants can have negative impacts on low risk merchants, issuers, and cardholders

30 Phishing s Use caution before answering online and requests for your personal information. Scotiabank will never present you with unexpected webpages or send you unsolicited s asking for your confidential information, such as your password, PIN, Access Code, credit card, account number, etc. Scotiabank will never ask you to validate or restore your account access through unsolicited . Do not respond to unsolicited s or websites that request personal information. Report any suspicious requests to Scotiabank immediately at SCOTIA ( ).

31 Use Anti-Virus Software: Phishing s Potential risk of contracting a computer virus or the possibility of infiltration by intrusion software commonly known as "Trojan Horses". Computer viruses can modify programs, delete files and erase the contents of hard drives. "Trojan Horses" are able to capture keystrokes, including passwords or other secret information. Spyware and other deceptive software can also conduct certain activities on your computer without your knowledge or consent.

32 Best Practices to Address Phishing s Install and frequently update a proven anti-virus product. Only accept or download software from a source that you believe to be trusted. Never accept files or attachments when accessing websites, newsgroups and chat rooms unless you are very sure of their authenticity. Install and update a your personal firewall product

33 Fraud Prevention Best Practices Commercial Cards Ensure employee records are updated on a regular basis to ensure reissued cards are delivered to active employees at their current address Limit use of cards by blocking transactions originating from specific high risk merchant categories and/or limiting use of cards to specific merchant types. This will help to reduce fraud losses and unauthorized personal use of expense cards. Encourage employees to reconcile statements and expenses on a timely basis and to report suspicious or unauthorized transactions immediately Educate end users about benefits of using card verification tools i.e. CVV2 & AVS

34 Fraud Prevention Best Practices Commercial Cards Utilize real-time or near real-time fraud detection systems incorporating business patterns Know your customer and the manner and patterns in which they conduct their business Systematically flag card requests preceded by address changes for validation review. Generate referrals for high fraud risk transactions Evaluate CVV2 & AVS results in authorization risk decision

35 Visa Proposals CNP Liability Shift Proposal for CVV2 & AVS "No Match" Promote the adoption of the CNP tools by merchants and a balanced and fair approach to shift in liability. Commercial Cards Attempts Exclusion on Verified by Visa Currently, there is an exemption on liability shift for inter-regional commercial card e-commerce transactions where the merchant/acquirer has attempted authentication VbV. Proposed to extended commercial cards to the VbV framework with liability shift for intra-regional transactions. Extension of Zero Liability to Business Cards Currently, Business Credit Card products are not required to comply with Visa s Zero Liability policy. In the market, there is a lack of consistency in our brand offering, as Issuers will apply their own policies. It is proposed to extend the Zero Liability policy to Business Credit products.

36 Summary Fraud is an ongoing concern and a moving target The Canadian Payment Industry works hard on continuing to educate consumers to recognize it, report it, stop it Maintaining business and consumer confidence and growth in the payment card industry Fraud causes significant injury to consumers and harms public confidence in the payment industry The value of the BRAND and it s protection is priority