Don't be tomorrow's headline: Protect and secure payment information



Lexi Custis, VP, eReceivables Consultant
Reid Andrews, VP, Treasury Management Consultant
October 2015, Staunton, VA
© 2014 Wells Fargo Bank, N.A. All rights reserved.

Poll question: Are you familiar with the Payment Card Industry (PCI)? A) Yes B) No

Agenda
- What are PCI DSS and PA-DSS?
- Common causes of data breaches
- Tactics to help mitigate these risks
- Best practices for retail and card-not-present
- Best practices for other online transactions
- Q&A

What is PCI DSS? The Payment Card Industry Data Security Standard: a set of industry requirements and validation measures for the safe handling of cardholder data. It applies to every merchant and third-party service provider that stores, processes, or transmits cardholder data, whatever its size; only the validation burden (see the levels below) varies with transaction volume.

What is PA-DSS? The Payment Application Data Security Standard: applies to vendors that develop commercial payment applications and gateways, i.e. software sold, distributed, or licensed to merchants and service providers. (Editor's note: PCI SSC retired PA-DSS in 2022 in favor of the PCI Software Security Framework; the deck predates that change.)

When do PCI DSS and PA-DSS apply? Whenever cardholder data is being:
- Processed
- Stored
- Transmitted

PCI DSS validation requirements

Compliance classification level | Criteria | Annual Report on Compliance (ROC) | Annual Self-Assessment Questionnaire (SAQ) | Quarterly network scan
Level 1 | > 6 MM annual transactions (any payment network) | Required | | Required
Level 2* | 1 MM to 6 MM annual transactions (any payment network) | Merchant may do either ROC or SAQ | Merchant may do either ROC or SAQ | Required
Level 3 | 20K to 1 MM annual e-commerce transactions (any payment network) | | Required | Required
Level 4 | < 20K annual e-commerce transactions, or < 1 MM annual transactions in total | | Recommended | Recommended

*A Level 2 merchant's Self-Assessment Questionnaire (SAQ) must be completed by an ISA (Internal Security Assessor).

66%: breaches identified by external parties. 64%: breaches that went undetected for months. (Source: Verizon 2013 Data Breach Investigations Report)

63%: data breaches that involved a third party responsible for system support. (Source: Trustwave 2013 Global Security Report)

Tactics to minimize data breach risk, by channel:
- Card present
- E-commerce
- Point of sale (POS) system
- Remote access

Poll question: How are most breaches identified? A) By the merchant B) By the customer C) By the card processor D) By the issuing bank E) B, C, and D. Answer: E

Best practices

End-to-end encryption (card present transactions; typically combined with tokenization)
Card data is encrypted inside the terminal or point-of-sale device at the moment of swipe or dip, stays encrypted as it passes through the merchant's POS and network, and is decrypted only at the processor. Because the merchant never holds decryptable card data, a compromise of a store network or POS system yields ciphertext only. Caveat: only a PCI-validated point-to-point encryption (P2PE) solution earns the formal scope reduction; a non-validated end-to-end scheme lowers risk, but the acquirer decides how much of the environment remains in scope.

Tokenization (card-not-present transactions)
The card number is replaced by a surrogate value (the token) that is useless outside the token vault; the merchant stores and references only the token. In this example the last four digits are preserved so receipts and customer lookups still work:
Card number: 3456 7890 1112 1314
Tokenized number: 0176 2190 3475 1314
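The substitution on this slide, worked through as an added example in Python (not code from the deck or from Wells Fargo). The vault keeps the last four digits, assigns one random token per card number, and rejects any candidate token that would pass a Luhn check so a token can never be mistaken for a real card number. The sample card number is the slide's made-up example; the class and function names are assumptions. The same principle of substituting a proxy for the real identifier underlies the proxy account numbers discussed later in the deck.

```python
"""Added example: a minimal tokenization vault in the style of the slide's
3456 7890 1112 1314 -> 0176 2190 3475 1314 substitution.  Not Wells Fargo
code; the vault, API names and sample PAN are illustrative assumptions."""
import secrets

SAMPLE_PAN = "3456789011121314"  # constructed sample from the slide, not a real card


def luhn_valid(digits: str) -> bool:
    """Luhn check; used so that generated tokens never look like real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS masking for display: at most the first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to random, format-preserving tokens that keep the last four digits.

    The vault is the only place the PAN exists, so only the vault (and the
    systems allowed to call detokenize) stay in PCI DSS scope.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN-shaped value")
        if pan in self._token_by_pan:  # multi-use token: same PAN, same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that collides with another, equals the PAN, or
            # passes Luhn (and could therefore be mistaken for a real PAN).
            if token != pan and token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (or a service it trusts) may turn a token back into a PAN."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("token:", tok, "masked PAN:", mask_pan(SAMPLE_PAN))
```

The merchant database, receipts and reports hold only the token and the masked PAN; the vault's detokenize path is the control point to lock down and monitor.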

Poll question: The average cost of a data breach to an organization is $7.2 million. A) True B) False. Answer: True (source: Network World, March 8, 2011 news article)

Poll question: Do you know if your company is PCI compliant today? A) Yes B) No

Positive payment fraud trends (fraud protection: real-world perspectives)
Results of the 2015 AFP Payments Fraud and Control Survey reveal three reasons for optimism:
1. Check fraud is on the decline. 77% of organizations that experienced actual or attempted fraud in 2014 were victims of check fraud, down from 90% in 2009. As more businesses switch to electronic payments, expect the decline in check fraud to continue.
2. ACH debit fraud is declining and preventable. 25% of organizations experienced ACH debit fraud in 2014, down from 27% in 2012. Of those that lost money, 40% attributed the loss to not using ACH debit blocks or filters, nearly 28% to untimely account reconciliation, and 40% to untimely ACH returns.
3. Companies are fighting back. Organizations have adopted or plan to adopt additional security measures: nearly 70% now reconcile daily; 2 out of 5 are upgrading authentication procedures and devices for accessing their networks; half (50%) are requiring a stronger form of authentication or adding layers of security for access to bank services.
Source: 2015 AFP Payments Fraud and Control Study

Nine ways to foil ACH fraud (fraud protection best practices)
Three ways ACH fraud occurs:
1. Thieves obtain account information from a check's MICR line.
2. Counterfeit and forged checks are converted to ACH debits.
3. Thieves access your online banking system and initiate ACH credits.
ACH volume: 20 billion transactions were processed through the Automated Clearing House network in 2011 (NACHA, The Electronic Payments Association, April 12, 2012); 23 billion in 2014 (NACHA, The Electronic Payments Association, April 15, 2015).
Protect your accounts with these best practices:
1. Use the ACH Fraud Filter service to stop all ACH debits except those you specifically preauthorize.
2. Initiate online ACH payments using dedicated computers with email and web browsing disabled.
3. Use repetitive ACH payment templates to prevent unauthorized modifications to key fields.
4. Set authorization limits for each individual user of the ACH payment service.
5. Implement dual custody and use it properly: require payments and user changes initiated by one user to be approved by a second user on a different computer or mobile device before they take effect.
6. Integrate check and electronic payment systems so checks converted to ACH debits flow through the positive pay system.
7. Reconcile accounts daily to identify unauthorized ACH debits.
8. Return unauthorized ACH debits promptly.
9. Implement the Perfect Receivables service to provide proxy account numbers for your customers' use.
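Practices 1, 7 and 8 above (debit filter, daily reconciliation, prompt returns) as an added worked example in Python. This is illustrative code, not the Wells Fargo ACH Fraud Filter service: the entry layout, originator IDs, amounts and the two-banking-day return window are constructed assumptions (confirm the window that applies to your account type with your bank and the current NACHA rules).

```python
"""Added example: an ACH debit filter with per-originator preauthorization,
amount caps and a return-deadline check.  Illustrative code, not the Wells
Fargo ACH Fraud Filter service; record layouts, originator IDs, amounts and
the return window are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Banking days a corporate account is assumed to have to return an
# unauthorized debit.  Two days is an assumption for illustration; confirm
# the window for your account type with your bank and the NACHA rules.
RETURN_WINDOW_DAYS = 2


@dataclass(frozen=True)
class DebitEntry:
    originator_id: str      # ACH company ID of the party pulling funds
    originator_name: str
    amount_cents: int
    settlement: date


@dataclass(frozen=True)
class Authorization:
    originator_id: str
    max_amount_cents: int   # cap per entry; 0 means "block this originator entirely"


class DebitFilter:
    """Blocks every ACH debit unless the originator was specifically preauthorized."""

    def __init__(self, auths: list[Authorization]):
        self._auths = {a.originator_id: a for a in auths}

    def decide(self, entry: DebitEntry) -> tuple[str, str]:
        auth = self._auths.get(entry.originator_id)
        if auth is None:
            return "RETURN", "originator not preauthorized"
        if entry.amount_cents > auth.max_amount_cents:
            return "RETURN", f"amount exceeds cap of {auth.max_amount_cents} cents"
        return "PAY", "matches authorization"


def banking_days_after(start: date, days: int) -> date:
    """Walk forward `days` weekdays (bank holidays ignored for brevity)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def return_deadline(entry: DebitEntry) -> date:
    return banking_days_after(entry.settlement, RETURN_WINDOW_DAYS)


def review(entries, flt: DebitFilter, today):
    """Daily reconciliation: decide each debit and flag returns whose window has closed.

    `today` may be a date or an ISO string such as "2015-10-06".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    results = []
    for e in entries:
        action, reason = flt.decide(e)
        deadline = return_deadline(e)
        if action == "RETURN" and today > deadline:
            reason += "; return window closed, escalate to bank"
        results.append((e.originator_id, action, reason, deadline.isoformat()))
    return results


# Constructed sample: an authorized payroll vendor, a capped utility, an unknown puller.
AUTHS = [Authorization("1234567890", 250_000_00), Authorization("9876543210", 5_000_00)]
SAMPLE = [
    DebitEntry("1234567890", "PAYROLL CO", 180_000_00, date(2015, 10, 5)),
    DebitEntry("9876543210", "CITY UTILITY", 7_500_00, date(2015, 10, 5)),
    DebitEntry("5555555555", "ACME SUPPLY", 40_000_00, date(2015, 10, 5)),
]

if __name__ == "__main__":
    for row in review(SAMPLE, DebitFilter(AUTHS), "2015-10-06"):
        print(row)
```

The point of the deadline column is practice 8: an unauthorized debit that is caught on the daily reconciliation but returned late is a loss, which is why the survey above lists untimely returns alongside missing filters as a top cause.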

Perfect Receivables service for ACH and wire fraud prevention and automatic reconciliation
- Track payments from each of your remitters.
- Reduce the amount of time your employees spend manually tracking payments.
- Reduce the risk of fraudulent activity against your account: your actual account number is never used.
- Benefit from improved cash flow: money is moved into your account faster.
How it works:
- A 17-digit Wells Fargo Payment Identification Code (WPIC) is substituted for your actual account number.
- A unique WPIC is created for each remitter.
- The first 4 digits of the WPIC identify your account at Wells Fargo; the last 13 positions are assigned by you and are unique to the remitter.
- When payments are made using the WPIC, each remitter is identified with 100% accuracy, which speeds up your receivables posting process and reduces payment exceptions.

Supply chain fraud: verify your vendors (fraud protection essentials)
Four ways that supply chain fraud occurs:
1. A fraudster, purporting to be a vendor, requests that you change the payment instructions you have on file for them: bank, routing transit number, and/or account number.
2. An employee of your company or of a vendor company copies or scans a real vendor invoice and creates a counterfeit invoice from it, directing the payment to their own account.
3. A hacker breaches your email system, studies the payment requests received by your accounts payable department, then submits a fraudulent invoice that looks legitimate.
4. A hacker breaches your vendor's accounts receivable system and generates a fraudulent invoice or phony payment request.
Dual custody is generally not effective against supply chain fraud because approvers routinely approve payments they believe are going to trusted vendors.
Three ways to reduce your risk:
1. Educate your employees.
2. Verify payment change requests.
3. Authenticate high-dollar invoices with out-of-band vendor communications.

Imposter fraud: verify your executives (fraud protection essentials)
Dual custody is generally not effective against imposter fraud because approvers routinely approve payments they believe are going to trusted vendors.
Sample imposter email:

-----Original Message-----
From: Christopher Howard [mailto:choward@hsc.edu]
Sent: Tuesday, September 29, 2015 12:59 PM
To: MSmith@hsc.edu
Subject: Re: Fund Transfer

Mike,

I sent the wire instructions to Glenn earlier. Here are the details;
Amount: $9,240
Wells Fargo Bank
Name on Acc: Patrick Nsan
Account number 2054886383
Routing: 111900659
Address: 9715 Westheimer Rd, Houston, TX, 77042

Please process a same-day wire transfer to the beneficiary. Let me know when it is sent.

Regards,
Christopher Howard
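The controls from the supply chain slide (verify payment change requests, authenticate high-dollar invoices out of band) and the imposter-wire pattern shown in the email above, written as one added example in Python. It is illustrative code, not Wells Fargo's or any bank's workflow: the vendor master record, the high-dollar threshold and the request fields are constructed assumptions, and the sample request below mirrors the email's shape with placeholder account details rather than the ones on the slide.

```python
"""Added example: an out-of-band verification gate for payment instructions.
Illustrative, not Wells Fargo code; vendor records, the threshold and the
request shape are constructed assumptions."""
from dataclasses import dataclass

HIGH_DOLLAR_CENTS = 10_000_00  # assumed threshold for a mandatory callback


@dataclass(frozen=True)
class VendorRecord:
    name: str
    routing: str
    account: str
    callback_phone: str  # number captured at onboarding, before any change request


@dataclass(frozen=True)
class PaymentRequest:
    payee_name: str
    routing: str
    account: str
    amount_cents: int
    channel: str                      # "email", "portal", ...
    requester: str                    # address or user the request came from
    same_day: bool = False
    callback_confirmed_by: str = ""   # employee who confirmed via the number on file


def required_controls(req: PaymentRequest, vendors: dict[str, VendorRecord]) -> list[str]:
    """Return the controls that block this payment; an empty list means it may proceed.

    A second approver clicking "approve" in the same workflow (dual custody)
    does not clear any of these; only a confirmation made out of band, using
    contact details already on file, does.
    """
    if req.callback_confirmed_by:
        return []
    blockers = []
    known = vendors.get(req.payee_name)
    changed = known is None or (known.routing, known.account) != (req.routing, req.account)
    if changed:
        blockers.append(
            "new or changed bank instructions: call the number on file, never a number in the request"
        )
    if req.amount_cents >= HIGH_DOLLAR_CENTS:
        blockers.append("high-dollar: authenticate the invoice with out-of-band vendor contact")
    if req.channel == "email" and req.same_day:
        blockers.append("urgent e-mail wire request: possible imposter fraud, confirm by voice")
    return blockers


# Constructed vendor master with one onboarded vendor.
VENDORS = {
    "ACME SUPPLY": VendorRecord("ACME SUPPLY", "011000015", "12345678", "+1-555-0100"),
}

# Constructed request mirroring the slide's email: same-day wire, new payee,
# placeholder routing/account digits rather than the slide's figures.
IMPOSTER_WIRE = PaymentRequest(
    payee_name="Patrick Nsan",
    routing="000000000",
    account="000000000",
    amount_cents=9_240_00,
    channel="email",
    requester="exec@example.edu",
    same_day=True,
)

if __name__ == "__main__":
    for control in required_controls(IMPOSTER_WIRE, VENDORS):
        print("BLOCKED:", control)
```

Note that the $9,240 request is under the high-dollar threshold and still gets stopped twice: the beneficiary is not on file, and it is an urgent wire requested by email. That is the point of the slide: amount-based limits and dual custody alone would have let it through.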

Questions?

Thank you!