• No results found

ONLINE PAYMENTS: Bridging the Gap between Fraud Prevention and Data Protection

N/A
N/A
Protected

Academic year: 2021

Share "ONLINE PAYMENTS: Bridging the Gap between Fraud Prevention and Data Protection"

Copied!
16
0
0

Loading.... (view fulltext now)

Full text

(1)

19 November 2014

Brussels

WWW.PRIVACYASSOCIATON.ORG/CONGRESS

IAPP EUROPE DATA

PROTECTION CONGRESS 2014

ONLINE PAYMENTS:

Bridging the Gap between Fraud

Prevention and Data Protection

(2)

Page 2

© Bird & Bird AARPI

Increase of Payment Card Fraud on Internet

USA:

• 11 billion $ on payment card fraud in 2012 (+14,6 over 2011)

• 60 % face to face (card transaction at point-of-sale terminals) / 40 % e-commerce

(Source : The Nilson Report for year 2012)

Europe:

Different figures due to the use of chip - and PIN cards but proportion of e-commerce fraud is increasing (36% face to face / 64 % e-commerce, notably internet)

(Source : Observatory on security of means of payment of French Central Bank - Observatoire de la sécurité des moyens de paiement de la Banque de France, Annual Report 2013)

• Losses occur mainly on card-not-present transactions (The Nilson Report)

• The most important source of fraud (64 % of total amounts) is due to the use of stolen or fake card-numbers for e-payments, not to stolen, lost or fake cards (Observatory on security of means of payement of French Central Bank)

Payments made over the internet are subject to higher rates of fraud than traditional payments methods

(3)

Page 3

© Bird & Bird AARPI

Fight Against Fraud versus DP Compliance :

The Great Divide ?

1) Recommandations for the

Security of Internet Payments

from the European Central

Bank :

• Collection of information

• Storing of information

• Monitoring, Profiling, Blacklists

 Need to authentify the cardholder in the absence of use of chips-and PIN

 Increases both the amount and nature of personal data used for monitoring / scoring transactions identify risks and cardholders : card holder's identity but also cardholder's behaviour,

geolocation through IP address, device fingerprinting to distinguish between machines … all this to identify

individual users and devices.

2) DP Requirements:

• Data minimization

• Limited retention period

• Limits to monitoring, profiling and blacklists which are considered as presenting risks for privacy

(4)

European Central Bank Recommandations

for the Security of Internet Payments

10.1 PSPs should use fraud detection and prevention systems to identify suspicious transactions before the PSP finally authorises transactions or e-mandates. Such systems should be based, for example, on parameterised rules (such as black lists of compromised or stolen card data), and monitor abnormal behaviour patterns of the customer or the customer’s access device (such as a change of Internet Protocol (IP) address 24 or IP range during the internet payment services session, sometimes identified by geolocation IP checks,25 atypical e-merchant categories for a specific customer or abnormal transaction data, etc.). Such systems should also be able to detect signs of malware infection in the session (e.g. via script versus human validation) and known fraud scenarios. The extent, complexity and adaptability of the monitoring solutions, while complying with the relevant data protection legislation, should be commensurate with the outcome of the risk assessment”.

Page 4

© Bird & Bird AARPI

“Transaction monitoring mechanisms designed to prevent, detect and block fraudulent

payment transactions should be operated before the PSP’s final authorisation; suspicious or high risk transactions should be subject to a specific screening and evaluation procedure. Equivalent security monitoring and authorisation mechanisms should also be in place for the issuance of e-mandates”.

14 recommandations (January 2013)

(5)

A Challenge for the Industry

Absence of concertation: Rules on fight against fraud do not

sufficiently take into account DP requirements

Page 5

(6)

Differences between jurisdictions accross

Europe : Lack of Harmonisation between EU

Member States

DIFFERENCES

:

Prior Authorization from DPA required for Fraud detection / Risk scoring / black listing in some countries : France, Netherlands (because of processing of criminal data);

Prior Information notice or consent required at different levels depending on jurisdiction;

Legal retention periods vary, or no precise guidance depending on jurisdiction;

Different legal requirements on possibility to process data on offenses, convictions, ciminal data

Different sensitivities depending on the jurisdiction to credit bureaus, to mutualisation of data concerning fraud or debtors, to black lists  resulting in different applicable rules and guidelines

CONSEQUENCES

:

Some actors may feel that they are not allowed to use tools which are efficient enought in order to fight against fraud in the context of online payments, because of DP rules and because of discripencies of DP rules and their interpretations accross EU jurisdictions

Ex : Difficulties to apply guidelines adopted by Art. 29 WP in 2005 on "Terminated Merchant Data base (black list databases designed to reduce fraud on payments);

France : ex. of FEVAD (Federation of e-commerce and on-line Industries)  White Paper on online payments – Oct 2013

Page 6

(7)
(8)

EXAMPLE : FEVAD White – Paper or online payments (Oct. 2013)

Page 8

Questionnaire sent by FEVAD to its members (280 e-merchants) + face to face interviews

 More than 1/3 of e-merchants (mostly the bigger ones) consider that DP requirements have a negative impact on their possibilities to fight against fraud on online payments

(9)

International Payment Card Industry

Security Standards: PCI-DSS

The Payment Card Industry (PCI) Data Security Standards are global data security

requirements created by 5 major payment card brands, for all entities that process, store or transmit cardholder data:

• Technical and Operational Security requirements launched in 2006 and set by the PCI Security Standard Council to protect cardholder data (American Express, Discover Financial Services, JCB, Marstercard, Visa)

• Apply to any debit, credit and pre-paid card branded with one of the 5 brands : Amex, Discover, JCB, Marstercard, Visa

• Apply to ALL businesses that process, store, or transmit payment card information : essentially any merchant accepting cards for the payment of goods or services, and any third party processing credit card information :

- Merchants : online traders, retailers, financial institutions (banks and insurance companies);

- Service providers : payment gateways, e-commerce host providers, credit reporting agencies, back-up management companies

(10)

 12 rules :

Page 10

© Bird & Bird AARPI IAPP EUROPE - DATA PROTECTION CONGRESS 2014|

Goals

PCI DSS Requirements

Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data 3. Protect (encrypt) stored cardholder data

4. Encrypt transmission of cardholder data across open / public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access 9. Restrict physical access to premises where cardholder data are stored

Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel on all security aspects

(11)

Focus on Requirement 3 : Protect stored cardholder data

• Do not store the Card Security Code (i.e sensitive authentification data) after

authorization (even if it is encrypted) : PCI DSS standards forbid to store the 3- digit security code on the back of the card, and the 4-digit security code on the front of the Amex card

• PAN truncation: Mask PAN (Privacy Account Number) i.e. the "card number" when

displayed (on a customer receipt). The first 6 and last 4 digits are the maximum number of digits you may display (usually the last 4 digits only) the other digits being replaced by asterisks.

• If your organization stores the PAN, it must be rendered unreadable (encrypted notably)

anywhere it is stored – including on portable digital media, backup media, in logs.

(12)

CNIL's Requirements in France : Technology

Enhanced Privacy ?

• CNIL built up on PCI-DSS standards to rule on processing and storage of payment card data for online payments (Recommandation on the Processing of payment card

data in the context of remote sale of goods or provision of services – Nov.14, 2013):  Prohibition of the storage of the security code of payment cards (CNIL +

PCI-DSS),

 Secured storage of credit card number (encrypted or otherwise rendered unreadable) (CNIL + PCI-DSS)

 Retention of the card data no longer than required to complete the

transaction, unless the cardholder has given specific, express and informed consent (some exceptions apply but only enable to keep data as off-line archives) (CNIL)

 The consent requirement also applies in case the payment is recurrent or fractionated (CNIL)

 Consent as a rule for card data storage, EXCEPT for fighting against

fraud

 Enforcement action: example of "FNAC Direct"

Page 12

(13)

Draft European Regulation: What to expect ?

The legitimate interest of the controller can serve as a legal basis for

processing in the following cases:

• For the purpose of insuring network and information security where "strictly necessary" : Whereas n°39 : "This principle also applies to processing of personal data to restrict abusive access to and use of publicly available network or information systems, such as blacklisting of electronic identifiers" (E.P. – March 12, 2014)

• Whereas n°38 "Provided that they meet the reasonable expectations of the data subject based on his or her relationship with the controller and that the interests of the fundamental rights and freedom of the data subject are not overrinding (E.P. – March 12, 2014).

• Whereas n°38 : "Processing limited to pseudonymous data should be presumed to meet the reasonable expectations of the data subject based on his or her relationship with the controller (E.P. March 12, 2014).

 May apply to tokenisation systems which allow to track transactions performed with a card without identifying the cardholder.

Page 13

(14)

But… Rules on profiling in the Draft European

Regulation do not include the balance of interests

1) Right of the Data Subject to object to profiling at any time (Art

20.1/PE)

2) Only Legal basis for profiling are : (Art. 20.2/PE)

- If profiling is necessary for entering into or for performance of a contract (provided

that suitable measures to safeguard the data subject's legitimate interests have been adduced); or

- If profiling is expressly authorized by a Union or Member State law; or

- If profiling is based on the data subject's consent.

The legitimate interest of the controller cannot be a legal basis for

profiling

 Problematic for processing intended for fraud prevention which cannot be

considered as based on contractual necessity (WP 217 – Art. 29 WP Opinion

06/2014 on the notion of legitimate interests of the data controller under art. 7 of Directive 95/46/EC.)

 Also Art. 21 of Draft Regulation does not allow Member States to restrict the scope

of the obligations and rights provided by Art. 20 on profiling (whereas they can do so for provisions of Articles 11 to 19)

(15)

To conclude :

- Check that your payment service provider is PCI-DSS

compliant (check your contract)

- Watch out for differences between jurisdictions

- Watch out – and hope – for Draft DP Regulation

improvements on legal basis for profiling – Contact

your professional organisations and your DPA.

(16)

Ariane Mole

[email protected]

Co-head of International Data Privacy

Practice, Bird & Bird AARPI

Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address. twobirds.com

References

Related documents

The results of the current study indicate cardiac drift occurs during a prolonged session of rowing without a noticeable stabilization phase. As the graphs in the results

While work on automatic still image retargeting inspired and informs our approach, the video retargeting problem is more challenging for a number of reasons including: determining

Rimage Surveillance Solutions: Rimage Surveillance Software Suite With a growing number of digital surveillance cameras, increased image quality and recording required, along

● From the Start/Finish at the River House Barn, head south and cross Fig Ave into the River Campground and head EAST and connect with Main Loop trail.. ● The main loop trail will

Not to perform any management of the funds into the Account (except funding and withdrawing according to the procedure described in Section 6 of this Agreement) for the term of

Similar the results of the concrete compressive strength of seawater that showed good results, the results of the bending strength of this slab also showed that the

А для того, щоб така системна організація інформаційного забезпечення управління існувала необхідно додержуватися наступних принципів:

A prospective study of thirty myofascial trigger points in upper trapezius were considered to determine the effectiveness of transcutaneous electrical nerve stimulation and