Fraud Prevention and Program Security Gord Jamieson Director Risk Management & Security Visa Canada Association
Evolution of Risk Management Controls Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here. Presentation text goes here.
Trends Shaping Risk Management In order to continue to provide the highest level of consumer and stakeholder confidence in the payment system, current risk and fraud management practices need to be continuously assessed and retooled to meet the challenges. Key Internal & External Influences Shift in the Nature of Compromise Events Growing Regulatory Scrutiny Proliferation of new Products and Technology Competitive Pressures Diversity of Stakeholders Implications to the Implications Risk to the Enterprise Risk Enterprise Redefining fraud control strategies Optimizing channel delivery and performance Providing value added services Establishing interoperability across platforms and ensure minimal impact and seamless to stakeholders Systems Priorities Re-architect Fraud Detection / Prevention and Analysis Systems Improve risk data provisioning Enhance the risk service delivery infrastructure
Canadian Credit Card Fraud Canada - Fraud 3 Year Trend 12 Months Ending June (CDN $ Millions) 100% 90% $223.3 $266.1 $291.8 20.1 6.2 7.2 80% 46.9 88.1 87.1 % of Total Fraud 70% 60% 50% 40% 30% 86.6 10.4 111.8 139.8 Misc/ID Theft/Acct Takeover Card Not Present Counterfeit Fraud Apps Non Receipt Stolen Lost 20% 10% 15.9 28.8 9.2 9.3 8.5 6.7 26.2 26.5 0% 14.6 15.3 16.0 2004 2005 2006 Source: CBA - Payment Card Partners (VISA CANADA ; MASTERCARD CANADA ; AMEX CANADA)
How is Data Compromised Skimming at merchant locations continues to be the dominant source of credit card compromises, however the criminals are using more sophisticated techniques such as bogus merchant terminals and overlays on POS terminals and ATMS. These devices can capture both card and PIN information without the need for a covert camera Card-Not-Present (Card Absent) Fraud Increasing use of the internet for business and personal use has created other opportunities for the criminal element to gain access to more credit card data than can be obtained at traditional bricks & mortar merchants. These schemes involve phishing, spoofing and hacking merchant databases Account Compromises / Identity Theft Hacking and Account Compromise Attacks
Counterfeit Growth Canadian counterfeit losses have been experiencing growth 12 Months Ending June (CDN $ Millions) 160 140 $139.8 Total Fraud CDN$ Millions 120 100 80 60 40 $86.6 $46.9 $111.8 29% +25% $88.1 $87.1 +88% -1% Counterfeit Card Not Present 20 0 2004 2005 2006 Source: CBA - Payment Card Partners (VISA CANADA ; MASTERCARD CANADA ; AMEX CANADA)
Counterfeit Growth Counterfeit growth can be attributed to: Advances in applied technology Sophisticated and technologically advanced criminal element Globalization of criminal organizations Insufficient penalties
Counterfeit Fraud grew 25% from 2005 to 2006 and fell 7% from 2006 to 2007 (4 quarters ending March Amounts in CDN$ Millions) 100% 90% 80% 70% 60% 50% 40% 30% Visa Credit Card Fraud $161.5 $177.7 $166.8 $24.1 $23.8 $22.7 $5.0 $3.5 $4.9 $3.7 $2.9 $4.9 $3.7 $2.9 $2.5 $62.2 $77.9 $72.8 Lost/Stolen Non Received Misc Fraud Application Counterfeit CNP 20% $61.8 $65.7 $61.0 10% 0% 2005 2006 2007 Visa fraud data source: CDI High-Risk File Access
Counterfeit Growth Visa has seen a decrease in counterfeit growth in 2007 and this can be attributed to: Member s neural networks are able to identify suspicious transactions and respond in real time Credit on Fraud Alert System (CoFAS) Common Point of Purchase (CPP) management database Criminal displacement Visa s long term strategy to address counterfeit is Chip & PIN which begins this October 2007.
Fraud on Commercial Products Decline in Fraud-to-CSV was experienced for all products Commercial products experienced the most significant decrease in Fraudto-Sales Fraud-to-Sales % 0.140% 0.120% 0.100% 0.080% 0.060% 0.040% 0.020% 0.000% Category Product 2005 2006 2007 % Growth (2006 to 2007) Commercial Business 0.058% 0.058% 0.055% -5% Corporate 0.245% 0.450% 0.272% -39% Purchase 0.164% 0.205% 0.100% -51% Commercial Total 0.092% 0.111% 0.076% -32% Consumer Classic 0.114% 0.109% 0.098% -10% Gold/Premier 0.122% 0.119% 0.100% -17% Consumer Total 0.119% 0.115% 0.099% -14% All Products 0.116% 0.114% 0.096% -16% 0.119% 0.116% 0.111% 0.115% 0.114% 0.092% 0.099% 0.096% 0.076% 2005 2006 2007 Commercial Consumer All Products Visa fraud data source: CDI High-Risk File Access Visa sales data source: Operating Certificate
Fraud Growth Fraud on Commercial Products has fallen 17%, whereas, Consumer Products fell 5% Commercial Products Consumer Products 0.120% 20 0.140% 162 Fraud-to-Sales Ratio 0.100% 0.080% 0.060% 0.040% 0.020% 0.092% 0.111% +21% 0.076% -32% 18 16 14 12 10 8 6 4 2 Fraud Amount CDN$ Millions Fraud-to-Sales Ratio 0.120% 0.100% 0.080% 0.060% 0.040% 0.020% 0.119% 0.115% -3% 0.099% -14% 160 158 156 154 152 150 148 146 Fraud Amount CDN$ Millions 0.000% 0 0.000% 144 2005 2006 2007 2005 2006 2007 Fraud-to-Sales % Fraud Amount Fraud-to-Sales % Fraud Amount For 4 quarters ending March Visa fraud data source: CDI High-Risk File Access Visa sales data source: Operating Certificate
Fraud on Commercial Products Fraud on Commercial Products account for only 9% of total fraud dollar losses 58% of fraud on Commercial products occur on Business cards Fraud-to-Sales decreased by 5% from 2006 to 2007 24% of fraud on Commercial products occur on Corporate cards Fraud-to-Sales decreased by 39% from 2006 to 2007 17% of fraud on Commercial products occur on Purchase cards Fraud-to-Sales decreased by 51% from 2006 to 2007 Fraud-to-Sales Fraud-to-Sales Fraud-to-Sales Ratio Ratio Ratio 0.500% 0.400% 0.300% 0.200% 0.100% 0.000% 0.500% 0.400% 0.300% 0.200% 0.100% 0.000% 0.500% 0.400% 0.300% 0.200% 0.100% 0.000% Business Products 0.058% 0% 2005 2006 2007 Fraud-to-Sales % Fraud Amount Corporate Products 0.450% +84% 2005 2006 2007 Fraud-to-Sales % Fraud Amount Purchase Products 0.055% -5% 0.272% -39% 0.205% +25% 0. 100% -51% 2005 2006 2007 Fraud-to-Sales % Fraud Amount For 4 quarters ending March 10 5 0 10 5 0 10 5 0 CDN$ Millions CDN$ Millions CDN$ Millions Fraud Amount Fraud Amount Fraud Amount Visa fraud data source: CDI High-Risk File Access
Fraud on Consumer Products Fraud on Consumer Products account for only 91% of total fraud dollar losses Fraud-to-Sales Ratio 0.130% 0.120% 0.110% 0.100% 0.090% Classic Products 0.109% -5% 0.098% -10% 2005 2006 2007 Fraud-to-Sales % Fraud Amount 64 62 60 58 Fraud A CDN$ M m ill ount ions 40% of fraud on Consumer products occur on Classic cards Fraud-to-Sales decreased by 10% from 2006 to 2007 Fraud-to-Sales Ratio 0.150% 0.100% 0.050% 0.000% Gold/Premier Products 0.119% -2% 0.100% -17% 2005 2006 2007 Fraud-to-Sales % Fraud Amount 100 95 90 85 Fraud Amount CDN$ Millions 60% of fraud on Consumer products occur on Gold/Premier cards Fraud-to-Sales decreased by 17% from 2006 to 2007 For 4 quarters ending March Visa fraud data source: CDI High-Risk File Access Visa sales data source: Operating Certificate
All Fraud Types CNP and Counterfeit account for 79% of fraud on Canadian Cards All Products 38% Commercial Products 36% 43% 42% 18% 0% 0% 2% CNP Counterfeit Fraud Application Misc Non Received Lost/Stolen 14% CNP Fraud Application Non Received 2% 3% 2% Counterfeit Misc Lost/Stolen 36% 44% 13% 2% 3% 2% Consumer Products CNP Fraud Type Distribution for 4 quarters ending March 2007 Counterfeit Fraud Application Misc Non Received Lost/Stolen Visa fraud data source: CDI High-Risk File Access
Fraud on Commercial Products 62% of Commercial losses is domestic (Canadian Issued Cards used in Canada) Commercial Products 40% Domestic Spend 42% CNP Fraud Application Non Received 38% 18% Counterfeit Misc Lost/Stolen 0% 0% 2% 23% 0% 1% 3% 33% CNP 10% 0% 0% 55% 35% Counterfeit Fraud Application Misc Non Received Lost/Stolen Cross Border Spend CNP Counterfeit Fraud Application Misc Non Received Lost/Stolen Fraud Type Distribution for 4 quarters ending March 2007 Visa fraud data source: CDI High-Risk File Access
Impact of Fraud Direct cost of Member and Merchant fraud charge-offs Indirect costs of exception management, dispute resolution and customer service Goodwill damage to Members and Merchants Reputation risk to Visa and industry: Law enforcement community Regulatory authorities Consumer advocates and ombudsman agencies Consumer confidence in electronic payment services The Media / Press
Visa fraud data source: CDI High-Risk File Access Top 10 Fraud Merchants for Commercial Products Top 10 MCCs for Commercial Cards MCC MCC Description Fraud Amount (CAD) % of Fraud $ to Total Fraud $ 5732 Electronic Stores 681,556 4.7 5411 Grocery Stores/ Supermarkets 532,055 4812 Telecommunication Equipment 504,675 5541 Service Stations 468,396 3.7 3.5 3.3 3009 Air Canada 468,180 3.3 5542 Automated Fuel Dispensers 466,492 3.2 5310 Discount Stores 409,012 2.8 5944 Jewelry Stores 405,462 2.8 5200 Home Supply Warehouse Stores 384,631 2.7 5411 Grocery Stores/ Supermarkets 343,660 Top 10 MCC Total 4,664,121 All MCC Total 14,400,656 2.4 32.4 100
Visa fraud data source: CDI High-Risk File Access Top 10 Counterfeit Merchants - Commercial Products MCC MCC Description Fraud Amount (CAD) % of Fraud $ to Total CNFT Fraud $ 5411 Grocery Stores 360,982 6.6 5542 Automated Fuel Dispensers 339,701 5732 Electronic Stores 336,231 5541 Service Stations 267,071 6.2 6.2 4.9 5310 Discount Stores 241,863 4.4 5200 Home Supply Warehouse Stores 234,790 4.3 5311 Department Stores 230,875 4.2 5944 Jewelry Stores 220,211 4.0 5812 Restaurants 175,130 3.2 5912 Drug Stores & Pharmacies 143,152 Top 10 MCC Total 2,550,005 All MCC Total 5,445,110 2.6 46.8 100
Visa fraud data source: CDI High-Risk File Access Top 10 CNP Merchants for Commercial Products MCC MCC Description Fraud Amount (CAD) % of Fraud $ to Total CNP Fraud $ 3009 Air Canada 366,600 6.2 4812 Telecommunications Equipment 364,557 5969 Other Direct Marketers 211,637 3005 British Airways 193,218 6.1 3.6 3.2 5965 Combination Catalog & Retail 181,720 3.1 4814 Telecommunication Services 167,536 2.8 4816 Computer Network/ Info Services 143,822 2.4 5734 Computer Software Stores 141,893 2.4 4722 Travel Agencies 138,540 2.3 5999 Misc Specialty Retail 130,504 Top 10 MCC Total 2,040,029 All MCC Total 5,955,582 2.2 34.3 100
General Best Security Practices Do Stay informed and follow any new security practices that may emerge over time. Protect your PIN and Passwords Memorize your PIN. Choose PIN/passwords that cannot be guessed by others and do not write them down. Don't give out your personal information freely. Destroy old and expired bank and credit cards.
General Best Security Practices Do Shred documents that contain personal information (i.e., bank statements). Destroy carbons and receipts that may contain account numbers and/or signatures. Tear up or shred any pre-approved credit card offers to which you do not respond. Review your credit report at least once every year. Make sure all information is up-to-date and accurate.
General Best Security Practices Don t Don't respond to unsolicited emails that request personal information such as your banking card number, ABM PIN, online/telephone banking passwords, credit card numbers etc. Do not leave your bank and credit cards unattended. Don't email confidential information such as account numbers, date of birth, etc. Don t leave personal information (bank statements) lying around.
Visa Uses a Multi-Layered Approach to Security Zero Liability Policy Visa E-Promise Chip and PIN Card Security Features Consumer Protection Counterfeit and Lost / Stolen Fraud Mitigation Verified by Visa Address Verification Service Card-Not-Present Fraud Mitigation Three-digit code (CVV2) Account Information Security Neural Networks Data Security & Early Warning
Visa Uses a Multi-Layered Approach to Security
Commercial Products are Exempt for CNP Risk Tools Commercial products have been exempt from the liability shift associated with the implementation of Verified by Visa (VbV) and Address Verification Service (AVS). Criminals will target the weakness link and that may turn out to be commercial cards in the CNP environment if effective cardholder authentication tools are not used. Scotiabank is certified for use of VbV, Card Verification Value 2 (CVV2), and AVS. For their Commercial products, on average, CVV2 is used in about 25% of their CNP authorization volume and AVS is used about 40% of the time. Levels of usage for Scotiabank commercial cards are well above our regional average of 15% for CVV2 and 28% for AVS.
CVV2 and AVS Penetration Both of these risk mitigation tools are under utilized within the Canadian acceptance environment, but where used have proved effective. CVV2 is requested in only 15% of Domestic CNP volume and has a performance match rate of 93%. AVS is requested in 28% of Domestic CNP volume and has a performance match/partial match rate of 71%. Analysis from the US Region, has proven that transactions where the results of CVV2 & AVS were No Match were 15 times more likely to be fraudulent. Further, if merchants employed both fraud mitigation tools during a CNP transaction, overall fraud would decline substantially.
Card-Not-Present Environment Realities Card-Not-Present is fundamentally different from Face-to-Face Transactions Fraud liability Fraud opportunity Growth rates Applying face-to-face mentality for risk mitigation may not yield the best results Merchants need to remember they are in charge of controlling fraud & risk and decide which transactions to approve or review further Deploy Know Your Customer (KYC) logic and analysis to mitigate review volumes
Card-Not-Present Realities The CNP environment has significant advantages to fraudsters More anonymous (don t show your face) Lower cost of entry (don t need to make cards) More efficient ( less travel time and expense) Issuer and Visa technologies have reduced face-to-face opportunity There may be more fraud than meets the eye Merchant reported fraud rates may exceed chargebacks that Visa sees and fraud reported volumes / ratios Merchants often issue credits
CNP Fraud Control Needs Varied Approach Visa authentication / verification (VbV, CVV2, AVS) offers several benefits for many CNP transactions Layered approach provides a better authentication/verification Transactions with stronger approach to authentication have lower risk to dispute than those with weaker authentication Issuers are often less well positioned than merchants to know when authentication is necessary or adequate No single authentication / verification method is a silver bullet CVV2 and AVS non-matches can occur on legitimate transactions Blunt instrument solutions to address high risk merchants can have negative impacts on low risk merchants, issuers, and cardholders
Phishing Emails Use caution before answering online and email requests for your personal information. Scotiabank will never present you with unexpected webpages or send you unsolicited emails asking for your confidential information, such as your password, PIN, Access Code, credit card, account number, etc. Scotiabank will never ask you to validate or restore your account access through unsolicited email. Do not respond to unsolicited emails or websites that request personal information. Report any suspicious requests to Scotiabank immediately at 1-800-4SCOTIA (1-800-472-6842).
Use Anti-Virus Software: Phishing Emails Potential risk of contracting a computer virus or the possibility of infiltration by intrusion software commonly known as "Trojan Horses". Computer viruses can modify programs, delete files and erase the contents of hard drives. "Trojan Horses" are able to capture keystrokes, including passwords or other secret information. Spyware and other deceptive software can also conduct certain activities on your computer without your knowledge or consent.
Best Practices to Address Phishing Emails Install and frequently update a proven anti-virus product. Only accept or download software from a source that you believe to be trusted. Never accept files or attachments when accessing websites, newsgroups and chat rooms unless you are very sure of their authenticity. Install and update a your personal firewall product
Fraud Prevention Best Practices Commercial Cards Ensure employee records are updated on a regular basis to ensure reissued cards are delivered to active employees at their current address Limit use of cards by blocking transactions originating from specific high risk merchant categories and/or limiting use of cards to specific merchant types. This will help to reduce fraud losses and unauthorized personal use of expense cards. Encourage employees to reconcile statements and expenses on a timely basis and to report suspicious or unauthorized transactions immediately Educate end users about benefits of using card verification tools i.e. CVV2 & AVS
Fraud Prevention Best Practices Commercial Cards Utilize real-time or near real-time fraud detection systems incorporating business patterns Know your customer and the manner and patterns in which they conduct their business Systematically flag card requests preceded by address changes for validation review. Generate referrals for high fraud risk transactions Evaluate CVV2 & AVS results in authorization risk decision
Visa Proposals CNP Liability Shift Proposal for CVV2 & AVS "No Match" Promote the adoption of the CNP tools by merchants and a balanced and fair approach to shift in liability. Commercial Cards Attempts Exclusion on Verified by Visa Currently, there is an exemption on liability shift for inter-regional commercial card e-commerce transactions where the merchant/acquirer has attempted authentication VbV. Proposed to extended commercial cards to the VbV framework with liability shift for intra-regional transactions. Extension of Zero Liability to Business Cards Currently, Business Credit Card products are not required to comply with Visa s Zero Liability policy. In the market, there is a lack of consistency in our brand offering, as Issuers will apply their own policies. It is proposed to extend the Zero Liability policy to Business Credit products.
Summary Fraud is an ongoing concern and a moving target The Canadian Payment Industry works hard on continuing to educate consumers to recognize it, report it, stop it Maintaining business and consumer confidence and growth in the payment card industry Fraud causes significant injury to consumers and harms public confidence in the payment industry The value of the BRAND and it s protection is priority