Fraud Prevention and Program Security
Gord Jamieson
Director Risk Management & Security Visa Canada Association
Trends Shaping Risk Management
In order to continue to provide the highest level of consumer and stakeholder confidence in the payment system, current risk and fraud management practices need to be continuously assessed and retooled to meet the challenges.
Key Internal & External Influences
• Shift in the Nature of Compromise Events
• Growing Regulatory Scrutiny
• Proliferation of new Products and Technology
• Competitive Pressures
• Diversity of Stakeholders
Implications to the Risk Enterprise
• Redefining fraud control strategies
• Optimizing channel delivery and performance
• Providing value added services
• Establishing interoperability across platforms and ensuring minimal, seamless impact on stakeholders
Systems Priorities
• Re-architect Fraud Detection / Prevention and Analysis Systems
• Improve risk data provisioning
• Enhance the risk service delivery infrastructure
Canada - Fraud 3 Year Trend
12 Months Ending June (CDN $ Millions)
[Stacked bar chart: % of Total Fraud by fraud type, 2004 to 2006]
Fraud type                     2004     2005     2006
Lost                           14.6     15.3     16.0
Stolen                         28.8     26.2     26.5
Non Receipt                    15.9      9.3      6.7
Fraud Apps                     10.4      9.2      8.5
Counterfeit                    86.6    111.8    139.8
Card Not Present               46.9     88.1     87.1
Misc/ID Theft/Acct Takeover    20.1      6.2      7.2
Total                        $223.3   $266.1   $291.8
Source: CBA - Payment Card Partners (VISA CANADA ; MASTERCARD CANADA ; AMEX CANADA)
Skimming at merchant locations continues to be the dominant source of credit card compromises; however, criminals are using more sophisticated techniques such as bogus merchant terminals and overlays on POS terminals and ATMs. These devices can capture both card and PIN information without the need for a covert camera.
Card-Not-Present (Card Absent) Fraud
Increasing use of the internet for business and personal use has created other opportunities for the criminal element to gain access to more credit card data than can be obtained at traditional bricks & mortar merchants. These schemes involve phishing, spoofing and hacking merchant databases.
Account Compromises / Identity Theft
Hacking and Account Compromise Attacks
Canadian counterfeit losses have been experiencing growth
12 Months Ending June (CDN $ Millions)
[Bar chart: Total Fraud, CDN $ Millions, Counterfeit vs Card Not Present]
                    2004     2005             2006
Counterfeit         $86.6    $111.8 (+29%)    $139.8 (+25%)
Card Not Present    $46.9    $88.1 (+88%)     $87.1 (-1%)
Source: CBA - Payment Card Partners (VISA CANADA ; MASTERCARD CANADA ; AMEX CANADA)
Counterfeit growth can be attributed to:
• Advances in applied technology
• Sophisticated and technologically advanced criminal element
• Globalization of criminal organizations
• Insufficient penalties
Counterfeit Fraud grew 25% from 2005 to 2006 and fell 7% from 2006 to 2007
(4 quarters ending March – Amounts in CDN$ Millions)
[Stacked bar chart: share of total fraud (%) by type, 2005 to 2007. Series: Lost/Stolen, Non Received, Misc, Fraud Application, Counterfeit, CNP]
               2005     2006     2007
CNP            $61.8    $65.7    $61.0
Counterfeit    $62.2    $77.9    $72.8
Lost/Stolen    $24.1    $23.8    $22.7
Total          $161.5   $177.7   $166.8
Non Received, Misc and Fraud Application each fall between $2.5 and $5.0 in every year.
Visa fraud data source: CDI High-Risk File Access
Visa has seen a decrease in counterfeit growth in 2007 and this can be attributed to:
• Members’ neural networks are able to identify suspicious transactions and respond in “real time”
• Credit on Fraud Alert System (CoFAS) – Common Point of Purchase (CPP) management database
• Criminal displacement
Visa’s long-term strategy to address counterfeit is Chip & PIN, which begins this October 2007.
• Decline in Fraud-to-CSV was experienced for all products
• Commercial products experienced the most significant decrease in Fraud-to-Sales
Fraud-to-Sales %
Category      Product             2005      2006      2007      % Growth (2006 to 2007)
Commercial    Business            0.058%    0.058%    0.055%    -5%
Commercial    Corporate           0.245%    0.450%    0.272%    -39%
Commercial    Purchase            0.164%    0.205%    0.100%    -51%
Commercial    Commercial Total    0.092%    0.111%    0.076%    -32%
Consumer      Classic             0.114%    0.109%    0.098%    -10%
Consumer      Gold/Premier        0.122%    0.119%    0.100%    -17%
Consumer      Consumer Total      0.119%    0.115%    0.099%    -14%
All Products                      0.116%    0.114%    0.096%    -16%
Visa sales data source: Operating Certificate
Visa fraud data source: CDI High-Risk File Access
Fraud on Commercial Products has fallen 17%, whereas Consumer Products fell 5%
[Charts: Fraud-to-Sales Ratio and Fraud Amount (CDN$ Millions), 2005 to 2007, for Commercial Products and Consumer Products]
Fraud-to-Sales %       2005      2006             2007
Commercial Products    0.092%    0.111% (+21%)    0.076% (-32%)
Consumer Products      0.119%    0.115% (-3%)     0.099% (-14%)
Visa sales data source: Operating Certificate
Visa fraud data source: CDI High-Risk File Access
For 4 quarters ending March
Fraud on Commercial Products accounts for only 9% of total fraud dollar losses
[Charts: Fraud-to-Sales Ratio and Fraud Amount (CDN$ Millions), 2005 to 2007, for Business, Corporate and Purchase Products]
Fraud-to-Sales %      2006             2007
Business Products     0.058% (0%)      0.055% (-5%)
Corporate Products    0.450% (+84%)    0.272% (-39%)
Purchase Products     0.205% (+25%)    0.100% (-51%)
• 24% of fraud on Commercial products occurs on Corporate cards
• Fraud-to-Sales decreased by 39% from 2006 to 2007
• 17% of fraud on Commercial products occurs on Purchase cards
• Fraud-to-Sales decreased by 51% from 2006 to 2007
• 58% of fraud on Commercial products occurs on Business cards
• Fraud-to-Sales decreased by 5% from 2006 to 2007
Visa sales data source: Operating Certificate
Visa fraud data source: CDI High-Risk File Access
For 4 quarters ending March
Fraud on Consumer Products accounts for 91% of total fraud dollar losses
[Charts: Fraud-to-Sales Ratio and Fraud Amount (CDN$ Millions), 2005 to 2007, for Classic and Gold/Premier Products]
Fraud-to-Sales %         2006            2007
Classic Products         0.109% (-5%)    0.098% (-10%)
Gold/Premier Products    0.119% (-2%)    0.100% (-17%)
• 60% of fraud on Consumer products occurs on Gold/Premier cards
• Fraud-to-Sales decreased by 17% from 2006 to 2007
• 40% of fraud on Consumer products occurs on Classic cards
• Fraud-to-Sales decreased by 10% from 2006 to 2007
Visa sales data source: Operating Certificate
Visa fraud data source: CDI High-Risk File Access
For 4 quarters ending March
CNP and Counterfeit account for 79% of fraud on Canadian Cards
[Pie charts: All Products, Commercial Products, Consumer Products. Categories: CNP, Counterfeit, Fraud Application, Misc, Non Received, Lost/Stolen. Slice values: All Products 43%, 3%, 2%, 2%, 14%, 36%; Commercial Products 38%, 0%, 0%, 2%, 18%, 42%; Consumer Products 44%, 2%, 3%, 2%, 36%, 13%.]
Visa fraud data source: CDI High-Risk File Access
Fraud Type Distribution for 4 quarters ending March 2007
62% of Commercial losses are domestic (Canadian Issued Cards used in Canada)
[Pie charts: Commercial Products, Domestic Spend, Cross Border Spend. Categories: CNP, Counterfeit, Fraud Application, Misc, Non Received, Lost/Stolen. Slice values: Commercial Products 38%, 2%, 0%, 0%, 18%, 42%; Domestic Spend 40%, 0%, 1%, 3%, 23%, 33%; Cross Border Spend 35%, 0%, 0%, 0%, 55%, 10%.]
Fraud Type Distribution for 4 quarters ending March 2007
Visa fraud data source: CDI High-Risk File Access
• Direct cost of Member and Merchant fraud charge-offs
• Indirect costs of exception management, dispute resolution and customer service
• Goodwill damage to Members and Merchants
• Reputation risk to Visa and industry:
  • Law enforcement community
  • Regulatory authorities
  • Consumer advocates and ombudsman agencies
  • Consumer confidence in electronic payment services
  • The Media / Press
Top 10 Fraud Merchants for Commercial Products
Top 10 MCCs for Commercial Cards
MCC     MCC Description                  Fraud Amount (CAD)    % of Fraud $ to Total Fraud $
5732    Electronic Stores                681,556               4.7
5411    Grocery Stores/ Supermarkets     532,055               3.7
4812    Telecommunication Equipment      504,675               3.5
5541    Service Stations                 468,396               3.3
3009    Air Canada                       468,180               3.3
5542    Automated Fuel Dispensers        466,492               3.2
5310    Discount Stores                  409,012               2.8
5944    Jewelry Stores                   405,462               2.8
5200    Home Supply Warehouse Stores     384,631               2.7
5411    Grocery Stores/ Supermarkets     343,660               2.4
        Top 10 MCC Total                 4,664,121             32.4
        All MCC Total                    14,400,656            100
Top 10 Counterfeit Merchants - Commercial Products
MCC     MCC Description                  Fraud Amount (CAD)    % of Fraud $ to Total CNFT Fraud $
5411    Grocery Stores                   360,982               6.6
5542    Automated Fuel Dispensers        339,701               6.2
5732    Electronic Stores                336,231               6.2
5541    Service Stations                 267,071               4.9
5310    Discount Stores                  241,863               4.4
5200    Home Supply Warehouse Stores     234,790               4.3
5311    Department Stores                230,875               4.2
5944    Jewelry Stores                   220,211               4.0
5812    Restaurants                      175,130               3.2
5912    Drug Stores & Pharmacies         143,152               2.6
        Top 10 MCC Total                 2,550,005             46.8
        All MCC Total                                          100
Visa fraud data source: CDI High-Risk File Access
Top 10 CNP Merchants for Commercial Products
MCC     MCC Description                    Fraud Amount (CAD)    % of Fraud $ to Total CNP Fraud $
3009    Air Canada                         366,600               6.2
4812    Telecommunications Equipment       364,557               6.1
5969    Other Direct Marketers             211,637               3.6
3005    British Airways                    193,218               3.2
5965    Combination Catalog & Retail       181,720               3.1
4814    Telecommunication Services         167,536               2.8
4816    Computer Network/ Info Services    143,822               2.4
5734    Computer Software Stores           141,893               2.4
4722    Travel Agencies                    138,540               2.3
5999    Misc Specialty Retail              130,504               2.2
        Top 10 MCC Total                   2,040,029             34.3
        All MCC Total                      5,955,582             100
Do
• Stay informed and follow any new security practices that may emerge over time.
• Protect your PIN and Passwords
• Memorize your PIN. Choose PIN/passwords that cannot be guessed by others and do not write them down.
• Don't give out your personal information freely.
• Destroy old and expired bank and credit cards.
• Shred documents that contain personal information (i.e., bank statements).
• Destroy carbons and receipts that may contain account numbers and/or signatures.
• Tear up or shred any pre-approved credit card offers to which you do not respond.
• Review your credit report at least once every year. Make sure all information is up-to-date and accurate.
Don’t
• Don't respond to unsolicited emails that request personal information such as your banking card number, ABM PIN, online/telephone banking passwords, credit card numbers etc.
• Do not leave your bank and credit cards unattended.
• Don't email confidential information such as account numbers, date of birth, etc.
• Don’t leave personal information (bank statements) lying around.
Visa Uses a Multi-Layered Approach to Security
Consumer Protection
• Zero Liability Policy
• Visa E-Promise
Counterfeit and Lost / Stolen Fraud Mitigation
• Chip and PIN
• Card Security Features
Card-Not-Present Fraud Mitigation
• Verified by Visa
• Address Verification Service
• Three-digit code (CVV2)
Data Security & Early Warning
• Account Information Security
• Neural Networks
Commercial Products are Exempt for CNP Risk Tools
Commercial products have been exempt from the liability shift associated with the implementation of Verified by Visa (VbV) and Address Verification Service (AVS).
Criminals will target the “weakest link” and that may turn out to be commercial cards in the CNP environment if effective cardholder authentication tools are not used.
Scotiabank is certified for use of VbV, Card Verification Value 2 (CVV2), and AVS. For their Commercial products, on average, CVV2 is used in about 25% of their CNP authorization volume and AVS is used about 40% of the time.
Levels of usage for Scotiabank commercial cards are well above our regional average of 15% for CVV2 and 28% for AVS.
Both of these risk mitigation tools are underutilized within the Canadian acceptance environment, but where used they have proved effective.
CVV2 is requested in only 15% of Domestic CNP volume and has a performance match rate of 93%.
AVS is requested in 28% of Domestic CNP volume and has a performance match/partial match rate of 71%.
Analysis from the US Region has proven that transactions where the results of CVV2 & AVS were “No Match” were 15 times more likely to be fraudulent.
Further, if merchants employed both fraud mitigation tools during a CNP transaction, overall fraud would decline substantially.
Card-Not-Present is fundamentally different from Face-to-Face Transactions
• Fraud liability
• Fraud opportunity
• Growth rates
Applying face-to-face mentality for risk mitigation may not yield the best results
Merchants need to remember they are in charge of controlling fraud & risk and decide which transactions to approve or review further
Deploy “Know Your Customer” (KYC) logic and analysis to mitigate review volumes
The CNP environment has significant advantages to fraudsters
• More anonymous (don’t show your face)
• Lower cost of entry (don’t need to make cards)
• More efficient (‘less’ travel time and expense)
• Issuer and Visa technologies have reduced face-to-face opportunity
There may be more fraud than meets the eye
• Merchant reported fraud rates may exceed chargebacks that Visa sees and fraud reported volumes / ratios
• Merchants often issue credits
Visa authentication / verification (VbV, CVV2, AVS) offers several benefits for many CNP transactions
• Layered approach provides a better authentication/verification
• Transactions with stronger approach to authentication have lower risk to dispute than those with weaker authentication
• Issuers are often less well positioned than merchants to know when ‘authentication’ is necessary or adequate
• No single authentication / verification method is a “silver bullet”
• CVV2 and AVS non-matches can occur on legitimate transactions
• Blunt instrument solutions to address high risk merchants can have negative impacts on low risk merchants, issuers, and cardholders
Use caution before answering online and email requests for your personal information.
Scotiabank will never present you with unexpected webpages or send you unsolicited emails asking for your confidential information, such as your password, PIN, Access Code, credit card, account number, etc. Scotiabank will never ask you to validate or restore your account access through unsolicited email.
Do not respond to unsolicited emails or websites that request personal information.
Report any suspicious requests to Scotiabank immediately at 1-800-4SCOTIA (1-800-472-6842).
Use Anti-Virus Software:
• Potential risk of contracting a computer virus or the possibility of infiltration by intrusion software commonly known as "Trojan Horses".
• Computer viruses can modify programs, delete files and erase the contents of hard drives.
• "Trojan Horses" are able to capture keystrokes, including passwords or other secret information.
• Spyware and other deceptive software can also conduct certain activities on your computer without your knowledge or consent.
• Install and frequently update a proven anti-virus product.
• Only accept or download software from a source that you believe to be trusted.
• Never accept files or attachments when accessing websites, newsgroups and chat rooms unless you are very sure of their authenticity.
• Install and update your personal firewall product.
• Ensure employee records are updated on a regular basis to ensure re-issued cards are delivered to active employees at their current address
• Limit use of cards by blocking transactions originating from specific “high risk” merchant categories and/or limiting use of cards to specific merchant types. This will help to reduce fraud losses and unauthorized personal use of expense cards.
• Encourage employees to reconcile statements and expenses on a timely basis and to report suspicious or unauthorized transactions immediately
• Educate end users about benefits of using card verification tools i.e. CVV2 & AVS
• Utilize real-time or near real-time fraud detection systems incorporating business patterns
• Know your customer and the manner and patterns in which they conduct their business
• Systematically flag card requests preceded by address changes for validation review.
• Generate referrals for high fraud risk transactions
• Evaluate CVV2 & AVS results in authorization risk decision
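One way to implement the "flag card requests preceded by address changes" control from the list above, as an added example that is not part of the original presentation. The event names, account IDs and the 30-day review window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: how long after an address change a card request stays suspicious.
REVIEW_WINDOW = timedelta(days=30)

# Constructed sample events (account id, event type, ISO timestamp); not real data.
SAMPLE_EVENTS = [
    ("ACCT-001", "address_change", "2007-03-01T09:15:00"),
    ("ACCT-001", "card_request",   "2007-03-04T14:02:00"),
    ("ACCT-002", "card_request",   "2007-03-05T10:00:00"),
    ("ACCT-003", "address_change", "2007-01-02T08:00:00"),
    ("ACCT-003", "card_request",   "2007-03-20T16:30:00"),
    ("ACCT-004", "card_request",   "2007-03-10T11:00:00"),
    ("ACCT-004", "address_change", "2007-03-11T11:00:00"),
]


def flag_card_requests(events, window=REVIEW_WINDOW):
    """Return card requests that follow an address change on the same
    account within `window`, with the gap (in days) that triggered the flag."""
    # Process events in time order so only earlier address changes are seen.
    parsed = sorted(
        ((datetime.fromisoformat(ts), acct, kind) for acct, kind, ts in events),
        key=lambda e: e[0],
    )
    last_change = {}  # account -> time of its most recent address change
    flagged = []
    for when, acct, kind in parsed:
        if kind == "address_change":
            last_change[acct] = when
        elif kind == "card_request":
            changed = last_change.get(acct)
            # A change recorded after the request is not in last_change yet,
            # so it can never trigger a flag for this request.
            if changed is not None and when - changed <= window:
                flagged.append({
                    "account": acct,
                    "requested": when.isoformat(),
                    "days_since_change": (when - changed).days,
                })
    return flagged


if __name__ == "__main__":
    for hit in flag_card_requests(SAMPLE_EVENTS):
        print(hit)
```

Flagged requests go to validation review rather than automatic decline, since address changes followed by a card request also occur legitimately.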
CNP Liability Shift Proposal for CVV2 & AVS "No Match"
Promote the adoption of the CNP tools by merchants and a balanced and fair approach to shift in liability.
Commercial Cards Attempts Exclusion on Verified by Visa
Currently, there is an exemption on liability shift for inter-regional commercial card e-commerce transactions where the merchant/acquirer has attempted authentication with VbV. It is proposed to extend commercial cards to the VbV framework with liability shift for intra-regional transactions.
Extension of Zero Liability to Business Cards
Currently, Business Credit Card products are not required to comply with Visa’s Zero Liability policy. In the market, there is a lack of consistency in our brand offering, as Issuers will apply their own policies. It is proposed to extend the Zero Liability policy to Business Credit products.
• Fraud is an ongoing concern and a moving target
• The Canadian Payment Industry works hard on continuing to educate consumers to “recognize it, report it, stop it”
• Maintaining business and consumer confidence and growth in the payment card industry
• Fraud causes significant injury to consumers and harms public confidence in the payment industry
• The value of the BRAND and its protection is a priority