Combating online fraud post Chip

1
Combating online fraud post Chip PIN
2
Background

• Card Not Present is a great business to be in!
• Customers love the convenience
• Retailers love the extra sales and lower cost
• CNP is over one quarter of Visas UK turnover
• MOTO grew 30 last year, e-commerce 75
• HOWEVER
• Fraud is a problem

3
Background

• Card Not Present fraud losses grew 15 in 2002
  and a further 6 in 2003
• 2004 figures will be worse, with CNP now the
  biggest single category for losses
• HOWEVER
• As a proportion of turnover, MOTO fraud is
  stable and e-commerce fraud is falling
• So whats the problem?

4
Fraud Migration

• Some things in life are certain
• death
• taxes
• Man Utd to beat Fenerbahce
• card fraud
• Card fraud migrates to the channel of least
  resistance
• For Face-to-Face transactions, Chip and PIN will
  provide
• proven technology
• proven fraud reduction
• simple user interface
• full deployment for all face-to-face transactions

5
Fraud Migration

• Chip and PIN attacks over 200M per annum of
  card fraud in the UK alone
• We must be prepared for this to migrate to to
  less well protected channels
• We need a plan for when the cardholder is not
  present

6
What Is The Plan?

• Fraud is a problem for all parties, so we must
  work together to fight it
• Existing fraud prevention tools are effective
  but not well enough used
• We need to get better use of tools such as CVV2,
  AVS and VbV
• Vigilance and correct procedures can have a huge
  impact
• We are working to define and promote best
  practices for all parties
• In the longer term, an effective technology
  solution for identifying cardholders who are not
  present is required
• We are working on a global, multi-channel
  solution

7
Existing Tools CVV2

• What is it?
• 3-digit value printed on the signature strip of
  the card
• Demonstrates that the customer is in possession
  of the card
• How is it used?
• Customer provides CVV2 to the retailer
  (telephone, mail or internet)
• Retailer includes CVV2 in the authorisation
  request
• Authorisation response advises whether the CVV2
  matches
• Strengths
• Global standard, already on all cards and
  supported by all Issuers
• Highly effective, up to 70 fraud reduction
• Simple for customers to use
• Weaknesses
• Only used for around one in three transactions
• The same value for each transaction
• Doesnt identify the customer, and so doesnt
  move liability to the Issuer

8
Existing Tools Address Verification Service
(AVS)

• What is it?
• Comparison of address data provided by the
  customer with data held by the Card Issuer
• Shows that customer knows the address associated
  with that card and allows cross-check with
  delivery address
• How is it used?
• Customer provides address to the retailer
  (telephone, mail or internet)
• Retailer includes the numerics from the address
  (house number and postcode) in the authorisation
  request
• Authorisation response advises whether the data
  matches
• Partial match (house number but not postcode)
  can also be advised

9
Existing Tools Address Verification Service
(AVS)

• Strengths
• All customers should know their address (!)
• Highly effective (and even better in conjunction
  with CVV2)
• Uses data which is already captured, so no
  customer impact
• Weaknesses
• Currently UK only
• Only used for around one in three UK
  transactions
• The same value for each transaction
• Different address formats limit cross border
  usage
• High error rate means AVS isnt reliable on its
  own
• Doesnt identify the customer, and so doesnt
  move liability to the Issuer

10
Existing Tools Verified by Visa (VbV)

• What is it?
• Use of internet connectivity to get the Card
  Issuer to identify the customer
• Confirms that the customer is entitled to use
  the card
• How is it used?
• Retailer redirects the customer to the Card
  Issuers VbV service
• Customer provides a password or other
  identification to the Issuer, who verifies it
• Issuer returns the customer to the Retailer site
  and sends a digitally-signed confirmation of the
  customers identity
• Retailer includes this confirmation in the
  authorisation request

11
Existing Tools Verified by Visa (VbV)

• Strengths
• Uses global 3-D Secure standard
• Different confirmation value for each
  transaction
• Highly effective, effectively eliminating
  identity disputes where deployed
• Identifies the customer, thereby allowing a
  liability shift to the Issuer
• Retailers can have liability protection even
  when the customer is not enrolled
• Weaknesses
• In the early stages of rollout
• New technology
• Requires customer enrolment with their Issuer
• Requires action from the customer during the
  transaction

12
Existing Tools What should I use?

• e-Commerce
• VbV is the best solution available
• VbV transfers liability for identity disputes to
  the Card Issuer
• All e-commerce merchants should be using VbV, or
  at least have a plan to adopt it
• CVV2/AVS can help in the short term if you are
  delayed in implementing VbV
• MoTo
• CVV2/AVS is the best solution available today
• All MoTo merchants should be using CVV2/AVS

13
Know Your Rights Visa Rules

• VbV gives e-Commerce merchants a liability shift
• CVV2 gives merchants a liability shift if and
  only if the card issuer does not support the CVV2
  service
• To prevent repeated fraud, Issuers must close a
  card account and report it on the Visa Exception
  File before charging back for fraud
• Compelling proof of cardholder participation is
  valid evidence to defend a non-participation
  chargeback

14
Other Solutions

• Best Practices
• Much CNP fraud follows similar patterns
• Staff who process card transactions are the
  frontline of defence against fraud
• Well trained and vigilant staff can
  significantly reduce fraud losses
• The APACS Spot and Stop guide to Card Not
  Present fraud has more details
• www.cardwatch.org.uk or 0207 711 6356

15
Other Solutions

• Name and Address Checking
• Give access to commercial name and address
  databases
• Risk Screening
• Neural network systems
• Use transaction history, user defined rules and
  commercial databases to assign a risk score to
  each transaction
• Data Sharing
• Merchant groups co-operate to share data on
  fraudulent attacks
• The correct combination of these measures will
  depend on individual circumstances
• See the APACS Spot and Stop Guide for contact
  details

16
The Future

• Looking to extend the benefits of Chip and PIN
  to CNP
• proven technology
• proven fraud reduction
• simple user interface
• full global deployment for all CNP transactions
• Token Authentication
• Most promising solution
• Uses EMV chip card and a personal reader to
  capture the PIN
• Output is a numeric code, unique to this
  transaction
• Customer uses the code to replace his VbV
  password, or gives in to a MOTO merchant in place
  of the CVV2
• The technology is understood, next steps are to
  agree common specifications and conduct usability
  trials