Mitigating Fraud Risk Through Card Data Verification



Similar documents
Visa Recommended Practices for EMV Chip Implementation in the U.S.

Payment Card Industry (PCI) Data Security Standard. PCI DSS Applicability in an EMV Environment A Guidance Document Version 1

EMV EMV TABLE OF CONTENTS

Acceptance to Minimize Fraud

How To Protect A Smart Card From Being Hacked

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

EMV and Small Merchants:

Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance

How To Understand The Law Of Credit Card Usage

Prevention Is Better Than Cure EMV and PCI

Chip Card (EMV ) CAL-Card FAQs

Visa Canada Interchange Reimbursement Fees

PREVENTING PAYMENT CARD DATA BREACHES

Retrieval & Chargeback Best Practices

What Merchants Need to Know About EMV

Preparing for EMV chip card acceptance

Merchant Guide to the Visa Address Verification Service

Address Verification System (AVS) Checking

The need for a secure & trusted payment instrument in e-commerce. Ali AlMeshal

Credit Card Processing Glossary

Your Single Source. for credit, debit and pre-paid services. Fraud Risk and Mitigation

Card Acceptance Best Practices Playing it Safe at the Point of Sale

The Adoption of EMV Technology in the U.S. By Dave Ewald Global Industry Sales Consultant Datacard Group

Rules for Visa Merchants. Card Acceptance and Chargeback Management Guidelines

Card Acceptance Guidelines for Visa Merchants

Visa global Compromised Account

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

Payments Transformation - EMV comes to the US

Card Acceptance Guidelines for Visa Merchants

Understand the Business Impact of EMV Chip Cards

mobile payment acceptance Solutions Visa security best practices version 3.0

Visa U.S. Merchant EMV Chip Acceptance Readiness Guide. 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions

What Issuers Need to Know Top 25 Questions on EMV Chip Cards and Personalization

General Industry terms

UNIVERSITY CONTROLLER S OFFICE

Guide to Data Field Encryption

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

How to Help Prevent Fraud

Fundamentals of EMV. Guy Berg Senior Managing Consultant MasterCard Advisors

A multi-layered approach to payment card security.

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

How Secure are Contactless Payment Systems?

Clark Brands Payment Methods Manual. First Data Locations

EMV's Role in reducing Payment Risks: a Multi-Layered Approach

FAQ EMV. EMV Overview

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper Executive Director, Product Development

What To Do if Compromised. Visa USA Fraud Investigations and Incident Management Procedures

What is EMV? What is different?

Visa U.S. Merchant EMV Chip Acceptance Readiness Guide. 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions

Credit/Debit Card Processing Requirements and Best Practices. Adele Honeyman Oregon State Treasury Training Specialist

JCB Terminal Requirements

Policy Title: Payment Cards Policy Effective Date: 5/5/2010. Policy Number: FA-PO-1214 Date of Last Revision: 11/5/2014

U.S. Bank. U.S. Bank Chip Card FAQs for Program Administrators. In this guide you will find: Explaining Chip Card Technology (EMV)

How To Comply With The New Credit Card Chip And Pin Card Standards

Visa U.S. Merchant EMV Chip Acceptance Readiness Guide. 10 Steps to Planning Chip Implementation for Contact and Contactless Transactions

EMV and Restaurants What you need to know! November 19, 2014

Registry of Service Providers

Card Acceptance Guidelines for Visa Merchants

Credit Card Processing Overview

Card Acceptance and Chargeback Management Guidelines for Visa Merchants

EMV Frequently Asked Questions for Merchants May, 2014

EMV : Frequently Asked Questions for Merchants

Figure 1: Attacker home-made terminal can read some data from your payment card in your pocket

How To Complete A Pci Ds Self Assessment Questionnaire

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change

What To Do if Compromised. Visa USA Fraud Investigations and Incident Management Procedures

Chip & PIN is definitely broken. Credit Card skimming and PIN harvesting in an EMV world

Payments Industry Glossary

FAQ on EMV Chip Debit Card and Online Usage

DATA SECURITY, FRAUD PREVENTION AND COMPLIANCE

Global Airline Merchant Best Practices Guide

Visa Acceptance Guide for the Car Rental Industry

Visa Tips for Restaurant Staff

Global Visa Card-Not-Present Merchant Guide to Greater Fraud Control. Protect Your Business and Your Customers with Visa s Layers of Security

FAQ Credit Card (PIN & PAY)

EMV ADOPTION AND ITS IMPACT ON FRAUD MANAGEMENT WORLDWIDE

EMV FAQs. Contact us at: Visit us online: VancoPayments.com

CardControl. Credit Card Processing 101. Overview. Contents

How To Prevent Fraud On A Credit Card

Visa Debit processing. For ecommerce and telephone order merchants

Smart Cards for Payment Systems

Agent Registration. Program Guide. (For use in Asia Pacific, Central Europe, Middle East, Africa)

New Account Reference Guide

RETHINKING CARDS BUSINESS. Erick Ho, Head of Payment Services, SunGard 17 September Break through.

The Canadian Migration to EMV. Prepared By:

PROTECT YOUR BUSINESS FROM LOSSES WHILE ACCEPTING CREDIT CARDS

PayPass M/Chip Requirements. 10 April 2014

EMV Acquiring at the ATM: Early Planning for Credit Unions

Electronic Payments Part 1

Frequently asked questions - Visa paywave

Visa Debit ecommerce merchant acceptance. Frequently asked questions and flowchart

CREDIT CARD PROCESSING GLOSSARY OF TERMS

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon

Fraud Prevention and Program Security Gord Jamieson Director Risk Management & Security Visa Canada Association

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Risk Mitigation in Travel. New Trends to Reduce Fraud and Increase Revenue

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

EMV: A to Z (Terms and Definitions)

Transcription:

Risk Management Best Practices 11 September 2014 Mitigating Fraud Risk Through Card Data Verification AP, Canada, CEMEA, LAC, U.S. Issuers, Processors With a number of cardholder payment options (e.g., magnetic stripe, contact chip and contactless chip) and methods in development (e.g., mobile and cloud-based), it is increasingly important for issuers to take a holistic approach across the different form factors and interfaces through which a Visa payment can be made in order to manage the risk associated with each type of transaction. To help mitigate fraud, issuers should adopt the following tools and data elements to determine the level of fraud risk associated with a transaction before an approve or decline decision is made. Additionally, Visa encourages issuers to consider the combination of transaction attributes when implementing fraud mitigation measures. These tools and data elements are applicable to all form factors and across multiple interfaces, utilizing authorization solutions that offer real-time and stand-in support. Card Verification Data Fraudsters target issuers that neglect to validate Card Verification Value (CVV) a unique and distinct code that verifies that a card is in the possession of the cardholder in conjunction with other authentication factors to prevent counterfeit, primary account number (PAN) key-entered and card-not-present fraud. As such, issuer validation of the CVV and understanding of the significance of other data elements present in an authorization message during a transaction is key to controlling fraud losses both in the card-present and card-not-present environments. The CVV can be used to detect a counterfeit card in cases where a magnetic stripe has been encoded or reencoded with valid account information from other sources. Visa requires that all cards including emergency replacement cards are encoded with the CVV, which is calculated by applying a cryptographic algorithm to the encoded account information (card account number, expiration date and service code). In addition, to prevent fraud from occurring, variations of CVV exist across the different interfaces of Visa transactions: Magnetic-Stripe Interface CVV: A unique three-digit code encoded in Track 1 and the Discretionary Data field in Track 2 of the magnetic stripe or the chip magnetic-stripe image (MSI). CVV should always be validated for magnetic-stripe transactions, even if the PIN is present and verified. Card-Not-Present Interface CVV2: A fraud prevention technique used in the card-not-present environment to ensure the card is valid. The CVV2 is a three-digit value printed on the back of all Visa cards which can be submitted by the merchant as part of the authorization request. The CVV2 is different than the CVV contained on the magnetic stripe and is validated using a different calculation. CVV2 failures may indicate fraudulent use of an account number where the fraudster does not have the card in hand, and as a result, does not know the CVV2 value.

Contactless Interface Dynamic Card Verification Value (dcvv): An authentication technique on the magnetic-stripe data version of Visa paywave contactless transactions used to reduce the threat of data compromises and counterfeiting. Chip Interface Integrated Card Verification Value (icvv): A tool used to protect against data being copied from a chip card and applied to the magnetic stripe of a counterfeited plastic card. Chip Cryptogram: A cryptogram included in the authorization message of chip-based transactions using chip data. The cryptogram should be verified to ensure authenticity of the chip card. CVV failures during authentication may indicate a counterfeit card was created from compromised magneticstripe or chip data. They may also signal a problem with the card itself; repeated failures on a card should be investigated to avoid repeated declines for a cardholder in good standing. Fraudsters may also attempt to identify a CVV or other authentication value through brute force by rapidly submitting consecutive transactions until they get a positive authorization from the issuer. Point-of-Sale Entry Mode The point-of-sale (POS) entry mode (Field 22) sent in each Visa transaction tells the issuer how the transaction data was acquired at the merchant. Because the POS entry mode identifies the acceptance channel in combination with other authorization parameters (e.g., the POS condition code), verification of this information is an essential step to identifying and preventing fraud. The most common POS entry modes include: 01 Manual key entry 02 or 90 Magnetic stripe read 05 or 95 Chip read 07 Contactless, using chip data rules 91 Contactless, using magnetic-stripe data rules Service Code The service code is a sequence of digits that taken as a whole allows the issuer to define various services, differentiates card usage in international or domestic interchange, designates PIN and authorization requirements and identifies card restrictions. The use of a service code is applicable to all Visa products. Typical service code examples are: 101 International-use credit and debit cards 120 International-use credit and debit cards where PIN is required 201 EMV chip credit card 221 EMV chip debit card 601 Domestic-use EMV chip credit and debit cards

Note: Service codes of 000 or 999 are not valid as identifiers of the card capability or usage, but rather are used in the calculation of CVV2 or icvv. Therefore, service codes of 000 or 999 should not be encoded on a magnetic stripe. Visa is aware of scenarios in which either 000 or 999 has been encoded on the magnetic stripe of counterfeit cards, resulting in issuer fraud losses. Use of Data Elements to Mitigate Fraud CVV values, POS entry modes and service codes should be used in combination to identify logical conflicts and mitigate preventable counterfeit and card-not-present fraud. Issuers need to ensure that the POS entry mode identifies a supported payment interface and that the service code is valid. After reviewing an authorization request, issuers must incorporate the corresponding CVV result as part of the decision process. When an issuer validates the POS entry mode, the appropriate service code and the corresponding CVV, they can automatically identify potential fraud, as illustrated in the following examples: Card-present fraud using card-not-present data: Data stolen from a card-not-present transaction are applied to a face-to-face interface. The expected CVV code on the card-present interface would not match up to the CVV2. Issuers validation should identify this discrepancy and decline the transaction. Counterfeiting a magnetic-stripe card: Data stolen from a mobile phone are applied to a magneticstripe interface. The magnetic-stripe transaction would have a POS entry mode of 90 (magnetic stripe) instead of 91 (mobile contactless). Verification of the CVV would reveal that it is incorrect for a magneticstripe transaction. Counterfeiting skimmed chip data: Data stolen from a chip card are applied to a magnetic-stripe interface. The magnetic-stripe transaction would have a POS entry mode of 90 (magnetic stripe) instead of 05 or 95 (chip) and the service code should support the type of card that is being used. A service code of 999, used to calculate the icvv value, is not valid for a swiped transaction. Verification of the icvv would reveal that it is incorrect for a magnetic-stripe transaction and the transaction should be declined as suspected fraud. Contactless fraud using compromised magnetic-stripe data: A fraudster has counterfeited a magneticstripe card onto a contactless interface on a mobile device. When using the contactless interface, the bank should first recognize that this transaction has a POS entry mode of 91 or 07 (contactless) instead of 90 (magnetic stripe). The expected CVV for a contactless interface should be dcvv or icvv. The validation of CVV itself may be sufficient to deny a fraud transaction. However, with the introduction of different form factors for usage across multiple interfaces, Visa recommends that issuers consider additional data elements in order to appropriately decline fraudulent transactions. Issuers are provided with multiple CVV processing options, including the option to allow Visa to perform CVV validation on the issuer s behalf if the issuer has delegated the validation to Visa. VisaNet has edits in place that will look for invalid CVV, POS entry mode and service code combinations, and will decline the transaction and send a decline advice to the issuer / processor. Visa encourages issuers that are validating CVV on their own to perform the same checks on all authorization requests. Issuers can also setup the Visa Risk Manager Real-Time Decisioning (RTD) system to decline transactions that do not meet their approved criteria (e.g., invalid service code).

Best Practices 1. When reviewing an authorization request, issuers should incorporate the CVV result, POS entry mode and service code as part of the decision process. Regardless of cardholder verification method (CVM), this should include a review of authorization requests on chip cards (i.e., signature, PIN or no CVM). 2. Issuers should decline transactions where the service code is invalid, such as when 999 or 000 is encoded on the magnetic stripe and the attempted POS entry mode is 02, 90 or 91. 3. Issuers should review and authorize all failed CVV transactions at the host level rather than leaving the decision to stand-in processing. Use one of the following CVV-processing scenarios: o o Always: To ensure that if the CVV fails in stand-in processing, the transaction will be switched to issuer processing, if available. All Respond: To ensure that the default response code for invalid CVV transactions is 05 decline. Note: These are VisaNet-specific configurations. 4. After identifying an approved transaction with an invalid CVV, issuers should consider a soft block until the account activity has been confirmed with the cardholder. This will reduce the fraud transaction count in the event that the transaction is denied, and will in turn lessen the fraud amount loss per account. 5. Issuers should consider using a decline response for a card that has an invalid CVV when the transaction originates at an ATM, as invalid CVVs are rarely seen on ATM transactions. It is irrelevant if PIN verification may have been successful in this scenario. 6. In addition to using CVV2 as a card authentication tool, issuers should consider using it to enhance fraud protection in other situations, such as verifying cardholder address changes (requested by phone) or new card activations. 7. Issuers should enact velocity rules to identify and stop brute-force, testing or probing attacks, where fraudsters may rapidly submit multiple successive low-value transactions until they get a positive authorization from the issuer. Typically, once the fraudsters obtain an authorization they will immediately conduct higher-value fraudulent payments until the issuer detects the suspicious activity. Clients that use proven fraud-prevention tools and make use of multiple data elements that are present in authorization requests will be better prepared to mitigate fraud across their portfolio, regardless of the form factor or interface. Valid values for POS Entry Mode can be found in the BASE I Technical Specifications, Volume 1 V.I.P. System. For a full description of service code digit values, refer to Section A.5, Data Elements Descriptions of the Payment Technology Standards Manual.

For more information or for clarification related to the validation of CVV, POS entry mode and/or service code, contact your Visa representative or email inforisk@visa.com with Card Data Validation in the subject line. Notice: This Visa communication is furnished to you solely in your capacity as a customer of Visa Inc. (or its authorized agent) or a participant in the Visa payments system. By accepting this Visa communication, you acknowledge that the information contained herein (the "Information") is confidential and subject to the confidentiality restrictions contained in Visa's operating regulations, which limit your use of the Information. You agree to keep the Information confidential and not to use the Information for any purpose other than in your capacity as a customer of Visa Inc. or a participant in the Visa payments system. The Information may only be disseminated within your organization on a need-to-know basis to enable your participation in the Visa payments system. Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication. The Visa Non- Disclosure Agreement can be obtained from your Visa Account Manager or the nearest Visa Office.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information