DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE




December 2015

This presentation was prepared exclusively for the benefit and internal use of the J.P. Morgan client or potential client to whom it is directly delivered and/or addressed (including subsidiaries and affiliates, the "Company") in order to assist the Company in evaluating, on a preliminary basis, the feasibility of a possible transaction or transactions or other business relationship and does not carry any right of publication or disclosure, in whole or in part, to any other party. This presentation is for discussion purposes only and is incomplete without reference to, and should be viewed solely in conjunction with, the oral briefing provided by J.P. Morgan. Neither this presentation nor any of its contents may be disclosed or used for any other purpose without the prior written consent of J.P. Morgan.

To the extent that the information in this presentation is based upon any management forecasts or other information supplied to us by or on behalf of the Company, it reflects such information as well as prevailing conditions and our views as of this date, all of which are accordingly subject to change. J.P. Morgan's opinions and estimates constitute J.P. Morgan's judgment and should be regarded as indicative, preliminary and for illustrative purposes only. In preparing this presentation, we have relied upon and assumed, without independent verification, the accuracy and completeness of all information available from public sources or which was provided to us by or on behalf of the Company or which was otherwise reviewed by us. J.P. Morgan makes no representations as to the actual value which may be received in connection with a transaction nor the legal, tax or accounting effects of consummating a transaction.

Unless expressly contemplated hereby, the information in this presentation does not take into account the effects of a possible transaction or transactions involving an actual or potential change of control, which may have significant valuation and other effects. Notwithstanding anything herein to the contrary, the Company and each of its employees, representatives or other agents may disclose to any and all persons, without limitation of any kind, the U.S. federal and state income tax treatment and the U.S. federal and state income tax structure (if applicable) of the transactions contemplated hereby and all materials of any kind (including opinions or other tax analyses) that are provided to the Company insofar as such treatment and/or structure relates to a U.S. federal or state income tax strategy provided to the Company by J.P. Morgan. J.P. Morgan's policies on data privacy can be found at http://www.jpmorgan.com/pages/privacy. IRS Circular 230 Disclosure: JPMorgan Chase & Co. and its affiliates do not provide tax advice. Accordingly, any discussion of U.S. tax matters included herein (including any attachments) is not intended or written to be used, and cannot be used, in connection with the promotion, marketing or recommendation by anyone not affiliated with JPMorgan Chase & Co. of any of the matters addressed herein or for the purpose of avoiding U.S. tax-related penalties. Chase, JPMorgan and JPMorgan Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (collectively, "JPMC") and if and as used herein may include as applicable employees or officers of any or all of such entities irrespective of the marketing name used. Products and services may be provided by commercial bank affiliates, securities affiliates or other JPMC affiliates or entities.

In particular, securities brokerage services other than those which can be provided by commercial bank affiliates under applicable law will be provided by registered broker/dealer affiliates such as J.P. Morgan Securities LLC or J.P. Morgan Institutional Investments Inc. or by such other affiliates as may be appropriate to provide such services under applicable law. Such securities are not deposits or other obligations of any such commercial bank, are not guaranteed by any such commercial bank and are not insured by the Federal Deposit Insurance Corporation. Not all products and services are available in all geographic areas. Eligibility for particular products and services is subject to final determination by JPMC and/or its affiliates/subsidiaries. This presentation does not constitute a commitment by any JPMC entity to extend or arrange credit or to provide any other services.

Learning objectives
After attending this session, you will better understand:
- How PCI compliance fits into an information security culture
- The latest technology available to help protect the data in your environment
- The role of EMV as a fraud prevention measure
- How implementing data security and fraud prevention measures can help decrease risk while maintaining or improving the resident's experience

Agenda
- PCI Compliance and Data Security
- Data Security Solutions
- Fraud Prevention

PCI COMPLIANCE AND DATA SECURITY

Threats are outpacing most organizations' ability to secure their infrastructure
- 783: breaches reported in 2014, an increase of 27.5% from 2013 (1)
- 827,428,956: records breached in 4,538 data breaches made public since 2005 (2)
- 80%: percentage of companies NOT fully compliant with all 12 PCI standard requirements (3)
Sources: (1) ITRC Breach Report 2013; (2) Privacy Rights Clearinghouse; (3) Verizon 2015 PCI Compliance Report

PCI in brief
- Data security standards created and maintained by the Payment Card Industry Security Standards Council (PCI SSC)
- Applies to any system that stores, processes or transmits card data
- 12 requirements addressing operational and technical areas
- Specific technology guidelines for encryption and tokenization
Organizations often need to combine multiple technologies to secure data and meet PCI requirements.

The prioritized approach
Six milestones:
1. If you don't need it, don't store it
2. Secure the perimeter
3. Secure applications
4. Monitor and control access to your systems
5. Protect stored cardholder data
6. Finalize remaining compliance efforts, and ensure all controls are in place
Tools and guidance are available on the PCI SSC Web site.

Why NOT compliance?
- New compliance mandates are potentially endless: government regulation, industry standards, organization policies
- Achieving compliance is easier than maintaining compliance: becoming compliant is a project; maintaining compliance is a culture change

Why information security?
A single, comprehensive set of enterprise information security policies, standards, baselines, and procedures:
- Simplifies culture change
- Simplifies compliance mandate responses by cataloging existing controls, speeding gap analysis, and limiting the expense and churn caused by new mandates
- Reduces compliance to a single core competency: security

Security is a business decision
Steps to take:
- Assess the risks
- Identify the mitigation options
- Determine how much risk the organization is comfortable accepting, and how much it is ALLOWED to accept
- Recognize the constraints
- Acquire and apply resources
IT and information security can then:
- Consolidate data and systems
- Segment the network
- Implement the controls
- Close the gaps

DATA SECURITY SOLUTIONS

Security is comprehensive
A viable security solution to combat today's threats requires a comprehensive combination of security solutions:
- Tokenization: replaces customer payment data with a benign value that cannot be converted back to card or account information within a merchant's network, protecting that data from security threats.
- EMV: advanced chip card technology that helps prevent skimming, counterfeit and lost/stolen fraud.
- Encryption: technology that protects the primary account number of a payment card from the moment of capture at the retail point of sale.
- PCI DSS: a combination of preventative, detective and responsive controls applied to a merchant's process, people, and technologies.
- Fraud tools: tools that provide greater visibility into sophisticated fraud patterns; advanced capabilities include proxy piercing and geolocation, which can pinpoint a transaction's origin in real time, and dynamic order linking.

Encryption 101
What is encryption?
- Encryption is a security measure that leverages a cipher algorithm to mathematically transform sensitive data in such a way that only authorized parties can read it.
- Encryption does not prevent interception of data, but rather access to the content intercepted.
- From the initial swipe, dip, tap, or click, card data can be encrypted to protect the data throughout the payment transmission process.
How does it work?
[Diagram: the message is encrypted with the recipient's public key and decrypted with the recipient's private key. Source: PacketLife.net]
Why is encryption important?
- Ideal for data on the go: encryption is particularly useful in the secure transmission of sensitive information.
- Open model with limited risk exposure: encryption leverages a public and private key model, where a public key is widely available to encrypt messages while a private key is only available to the receiving party for decryption of the message.

Tokenization 101
What is tokenization?
- Tokenization is the process through which real account data is replaced with a proxy value known as a token.
- These tokens can be either static (never changing) or dynamic (different for each transaction).
- Some tokens are format-preserving (i.e., they look like regular PANs), while others can be of different lengths or alphanumeric.
- Tokens were created to minimize risk for merchants who stored live payment account credentials on their servers, but have expanded to minimize risks for issuers, brands, acquirers, and consumers.
Think of tokens like casino chips
- You trade cash for chips.
- Cash is valuable in a large context and is easily used.
- Chips are valuable only in a limited context (inside the casino) and can only be used to do certain things defined by the house (e.g. play on certain table games).
Why is tokenization important?
- Renders previously high-value data almost useless: cash is higher risk because it can be stolen and used anywhere, while a chip is lower risk because even if it's stolen, it can't be used everywhere.
- Consolidates risk to a single control point: tokenization is like going to the cashier, giving cash and receiving tokens, and de-tokenization is like going back to the cashier and trading chips for cash.

Hosted Pay for ecommerce
A consumer-facing hosted page that captures customer payment data in a PCI compliant manner, creating a secure and seamless payment experience for your customers while keeping your organization compliant.
Benefits
- Increases the security of your customers' payment data
- Reduces the cost and scope of PCI compliance
- Enables you to maintain complete control of your branding throughout the payment cycle
- Minimizes initial and ongoing IT resource impacts
How it works
A Hosted Pay can clone your payment page so you maintain complete control of the look and feel of your customers' checkout experience. There are no static templates to update. There is no need to use an acquirer-branded payment page. You can change your payment page elements at any time, and Hosted Pay will capture the changes in real time. You are in control of your brand on the payment page at all times.
[Diagram labels: Your Website, Ecommerce Platform, Hosted Pay, CLONE¹, Payment Token, Payment Success, Payment brands for approval, Your bank account]
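To make the static/dynamic and format-preserving distinctions above concrete, here is an added example of a token vault (not the presenter's or Chase Paymentech's code). The Luhn-invalid token property and the keyed lookup index are design choices assumed here, and 4111111111111111 is a well-known test PAN, not a real account.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """ISO/IEC 7812 Luhn check; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The 'cashier' of the slide's casino analogy: the only place a token can be
    traded back for a PAN. Tokens are format-preserving (same length, same last
    four digits) but deliberately Luhn-invalid, so a token can never collide with
    a live card number. Constructed example; not any vendor's design."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # keys the PAN -> static-token lookup index
        self._pan_by_token = {}          # token -> PAN (the vault's protected store)
        self._static_token = {}          # HMAC(PAN) -> static token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash, so the lookup index alone cannot be reversed by
        # enumerating the ~10^9 account numbers behind a known BIN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _mint(self, pan: str) -> str:
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str, dynamic: bool = False) -> str:
        """Static (default): the same PAN always maps to the same token, so a
        merchant can do repeat billing and analytics without holding the PAN.
        Dynamic: a fresh token per transaction, so a leaked token is single-use."""
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if dynamic:
            token = self._mint(pan)
            self._pan_by_token[token] = pan
            return token
        fp = self._fingerprint(pan)
        token = self._static_token.get(fp)
        if token is None:
            token = self._mint(pan)
            self._static_token[fp] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Single control point: only the vault can turn a token back into a PAN."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-index-key")
    print(vault.tokenize("4111111111111111"), vault.tokenize("4111111111111111", dynamic=True))
```

Because every token fails the Luhn check, a scan of merchant storage can tell tokens from live PANs without consulting the vault.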

Encryption: what does it do for your organization?
- Encrypts PAN and CVV data within a customer's browser
- Provides you with full payment page control; no re-directs
- Remains invisible to the customer
- Delivers an effective PCI solution
- Offers a host-based alternative to a Hosted Pay

FRAUD PREVENTION

EMV: the basics
How EMV chip cards are different
- Chip cards are inserted into chip-reading devices rather than being swiped
- If PIN is supported on the chip card, it will replace the traditional signature
- In conjunction with PIN, chip cards provide an added layer of authentication
- Terminals will accept both magnetic stripe and chip cards for years to come
Customer Verification Methods (CVM)
- Chip and Signature: the consumer signs to validate their identity. Prevents counterfeit card fraud.
- Chip and Offline PIN: the chip card and the terminal validate the PIN, then authorize. Prevents counterfeit, stolen and never-received-or-issued card fraud.
- Chip and Online PIN: the consumer's PIN is sent to the host for validation. Prevents counterfeit, stolen and never-received-or-issued card fraud.
Source: EMVCo Q4 2013 statistics

Key points about EMV in the US
Benefits of chip technology
- Confidence: EMV has been used globally with cards in Europe for over a decade, and in Canada over the last seven years
- Security and fraud protection: dynamic authentication reduces the value of stolen cardholder data; chip technology is more difficult to duplicate, and combining its use with a PIN helps reduce fraud due to lost, stolen or counterfeit cards
- Reduces chargebacks: the use of PIN with chip technology can significantly reduce the frequency of chargebacks
- Global interoperability and consistency: outside of the U.S., 43.3% of all cards are EMV and 86.8% of terminals are EMV capable
US migration drivers
- Avoid becoming a destination for criminals and global magnetic-stripe fraud activity
- Increase satisfaction of traveling international cardholders
- Maintain interoperability with the rest of the world
- Position the industry for the adoption of other forms of payment, notably NFC mobile contactless payments
- Payment brand mandates and chargeback liability shifts are forcing the adoption of this technology
What is a liability shift?
A liability shift is a change in who bears the chargeback-related cost of fraudulent transactions. The penalty for merchants or issuers missing the October 2015 (non-petro) / October 2017 (petro) deadline is a shift in fraud-related liability. Merchants who have not implemented an EMV certified solution risk absorbing the cost of all disputed counterfeit and potentially lost/stolen/not-received fraudulent transactions they initiate.

EMV in the US: key merchant considerations
Keys to EMV readiness
1. The right integration: direct, middleware/third party (TP) gateway, semi-integrated, or stand-alone approach
2. Merchant readiness: processes, procedures, learning/development on handling EMV transactions
3. Consumer readiness: building awareness and understanding of EMV
Make the most of EMV migration
1. Consider POS modernization holistically: PIN acceptance, E2E encryption, tokenization, contactless, high-speed IP connectivity
2. Be prepared for fraud increases in Card Not Present (CNP) channels: EMV adoption has historically shifted card-present fraud to CNP and cross-border fraud. Omni-channel and CNP merchants should prepare by evaluating fraud detection technology. AVS/CVV alone is not enough, as false positive exposure can be high; include other fraud detection technology such as velocity checks, positive and negative lists, proxy piercing/IP geolocation, and dynamic risk scoring.

Key takeaways
- PCI: basic security measures, but not all that is needed
- Data protection: any time the card data is exposed, in transit or at rest, it is at risk; layered protection is the only answer
- Fraud management: different from data protection; more risk in the CNP space than card present; geolocation, proxy piercing, device fingerprinting
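As an added illustration of the layered CNP controls listed above (not code from the presenter or Chase Paymentech), this Python scorer combines negative and positive lists, velocity checks, IP-geolocation mismatch and AVS/CVV results into one dynamic risk score over constructed sample transactions. All weights, thresholds, windows, and the sample IPs and card tokens are assumptions made for the example; the IP geolocation lookup is assumed to have been done upstream.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Txn:
    ts: int            # Unix time, seconds
    card_ref: str      # token or keyed hash standing in for the PAN, never the PAN
    ip: str
    ip_country: str    # result of an IP geolocation lookup (assumed done upstream)
    bill_country: str  # billing-address country supplied at checkout
    avs_match: bool
    cvv_match: bool


class CnpRiskScorer:
    """Layers the slide's controls on one CNP authorization: negative and
    positive lists, velocity checks, IP-geolocation mismatch and AVS/CVV.
    Weights, thresholds and windows are constructed for illustration."""

    def __init__(self, negative_ips=(), negative_cards=(), positive_cards=(),
                 window=600, max_per_window=3):
        self.negative_ips = set(negative_ips)
        self.negative_cards = set(negative_cards)
        self.positive_cards = set(positive_cards)
        self.window = window                  # seconds
        self.max_per_window = max_per_window  # attempts allowed per key per window
        self._seen = defaultdict(deque)       # (kind, key) -> timestamps in window

    def _velocity(self, key, ts):
        """Sliding-window count of attempts for one card or one IP."""
        q = self._seen[key]
        while q and ts - q[0] > self.window:
            q.popleft()
        q.append(ts)
        return len(q)

    def score(self, t):
        card_hits = self._velocity(("card", t.card_ref), t.ts)
        ip_hits = self._velocity(("ip", t.ip), t.ts)
        checks = [  # (reason, weight, fired?); AVS/CVV alone weigh little, as the slide warns
            ("negative list", 60,
             t.ip in self.negative_ips or t.card_ref in self.negative_cards),
            ("card velocity", 30, card_hits > self.max_per_window),
            ("ip velocity", 20, ip_hits > self.max_per_window),
            ("geo mismatch", 20, t.ip_country != t.bill_country),
            ("avs fail", 10, not t.avs_match),
            ("cvv fail", 15, not t.cvv_match),
            ("positive list", -25, t.card_ref in self.positive_cards),
        ]
        reasons = [name for name, _, fired in checks if fired]
        total = sum(weight for _, weight, fired in checks if fired)
        decision = "decline" if total >= 60 else "review" if total >= 35 else "approve"
        return decision, total, reasons


def run_demo():
    """Constructed traffic: a known-good repeat customer, a cross-border order
    with a bad CVV, a hit on the IP negative list, then four rapid attempts
    with one card inside the velocity window."""
    scorer = CnpRiskScorer(negative_ips={"203.0.113.9"}, positive_cards={"tok_good"})
    txns = [
        Txn(1000, "tok_good", "198.51.100.5", "US", "US", True, True),
        Txn(1060, "tok_new", "198.51.100.7", "NL", "US", True, False),
        Txn(1100, "tok_bad", "203.0.113.9", "US", "US", False, False),
    ]
    txns += [Txn(1200 + 30 * i, "tok_burst", "192.0.2.44", "US", "US", True, True)
             for i in range(4)]
    return [scorer.score(t) for t in txns]
```

Run `run_demo()` to see the three verdicts (approve, review, decline) and how only the fourth attempt in the burst trips the velocity rules while the first three pass AVS/CVV cleanly.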

Speaker contact information
Matthew Leman, Vice President, Special Markets, Chase Paymentech
O: 630.689.1632
Matt.Leman@chasepaymentech.com