19 November 2014
Brussels
WWW.PRIVACYASSOCIATON.ORG/CONGRESS
IAPP EUROPE DATA
PROTECTION CONGRESS 2014
ONLINE PAYMENTS:
Bridging the Gap between Fraud
Prevention and Data Protection
Page 2
© Bird & Bird AARPI
Increase of Payment Card Fraud on Internet
USA:
• 11 billion $ on payment card fraud in 2012 (+14,6 over 2011)
• 60 % face to face (card transaction at point-of-sale terminals) / 40 % e-commerce
(Source : The Nilson Report for year 2012)
Europe:
Different figures due to the use of chip - and PIN cards but proportion of e-commerce fraud is increasing (36% face to face / 64 % e-commerce, notably internet)
(Source : Observatory on security of means of payment of French Central Bank - Observatoire de la sécurité des moyens de paiement de la Banque de France, Annual Report 2013)
• Losses occur mainly on card-not-present transactions (The Nilson Report)
• The most important source of fraud (64 % of total amounts) is due to the use of stolen or fake card-numbers for e-payments, not to stolen, lost or fake cards (Observatory on security of means of payement of French Central Bank)
Payments made over the internet are subject to higher rates of fraud than traditional payments methods
Page 3
© Bird & Bird AARPI
Fight Against Fraud versus DP Compliance :
The Great Divide ?
1) Recommandations for the
Security of Internet Payments
from the European Central
Bank :
• Collection of information
• Storing of information
• Monitoring, Profiling, Blacklists
Need to authentify the cardholder in the absence of use of chips-and PIN
Increases both the amount and nature of personal data used for monitoring / scoring transactions identify risks and cardholders : card holder's identity but also cardholder's behaviour,
geolocation through IP address, device fingerprinting to distinguish between machines … all this to identify
individual users and devices.
2) DP Requirements:
• Data minimization
• Limited retention period
• Limits to monitoring, profiling and blacklists which are considered as presenting risks for privacy
European Central Bank Recommandations
for the Security of Internet Payments
10.1 PSPs should use fraud detection and prevention systems to identify suspicious transactions before the PSP finally authorises transactions or e-mandates. Such systems should be based, for example, on parameterised rules (such as black lists of compromised or stolen card data), and monitor abnormal behaviour patterns of the customer or the customer’s access device (such as a change of Internet Protocol (IP) address 24 or IP range during the internet payment services session, sometimes identified by geolocation IP checks,25 atypical e-merchant categories for a specific customer or abnormal transaction data, etc.). Such systems should also be able to detect signs of malware infection in the session (e.g. via script versus human validation) and known fraud scenarios. The extent, complexity and adaptability of the monitoring solutions, while complying with the relevant data protection legislation, should be commensurate with the outcome of the risk assessment”.
Page 4
© Bird & Bird AARPI
“Transaction monitoring mechanisms designed to prevent, detect and block fraudulent
payment transactions should be operated before the PSP’s final authorisation; suspicious or high risk transactions should be subject to a specific screening and evaluation procedure. Equivalent security monitoring and authorisation mechanisms should also be in place for the issuance of e-mandates”.
14 recommandations (January 2013)
A Challenge for the Industry
•
Absence of concertation: Rules on fight against fraud do not
sufficiently take into account DP requirements
Page 5
Differences between jurisdictions accross
Europe : Lack of Harmonisation between EU
Member States
DIFFERENCES
:
• Prior Authorization from DPA required for Fraud detection / Risk scoring / black listing in some countries : France, Netherlands (because of processing of criminal data);
• Prior Information notice or consent required at different levels depending on jurisdiction;
• Legal retention periods vary, or no precise guidance depending on jurisdiction;
• Different legal requirements on possibility to process data on offenses, convictions, ciminal data
• Different sensitivities depending on the jurisdiction to credit bureaus, to mutualisation of data concerning fraud or debtors, to black lists resulting in different applicable rules and guidelines
CONSEQUENCES
:
Some actors may feel that they are not allowed to use tools which are efficient enought in order to fight against fraud in the context of online payments, because of DP rules and because of discripencies of DP rules and their interpretations accross EU jurisdictions
• Ex : Difficulties to apply guidelines adopted by Art. 29 WP in 2005 on "Terminated Merchant Data base (black list databases designed to reduce fraud on payments);
• France : ex. of FEVAD (Federation of e-commerce and on-line Industries) White Paper on online payments – Oct 2013
Page 6
EXAMPLE : FEVAD White – Paper or online payments (Oct. 2013)
Page 8
Questionnaire sent by FEVAD to its members (280 e-merchants) + face to face interviews
More than 1/3 of e-merchants (mostly the bigger ones) consider that DP requirements have a negative impact on their possibilities to fight against fraud on online payments
International Payment Card Industry
Security Standards: PCI-DSS
The Payment Card Industry (PCI) Data Security Standards are global data security
requirements created by 5 major payment card brands, for all entities that process, store or transmit cardholder data:
• Technical and Operational Security requirements launched in 2006 and set by the PCI Security Standard Council to protect cardholder data (American Express, Discover Financial Services, JCB, Marstercard, Visa)
• Apply to any debit, credit and pre-paid card branded with one of the 5 brands : Amex, Discover, JCB, Marstercard, Visa
• Apply to ALL businesses that process, store, or transmit payment card information : essentially any merchant accepting cards for the payment of goods or services, and any third party processing credit card information :
- Merchants : online traders, retailers, financial institutions (banks and insurance companies);
- Service providers : payment gateways, e-commerce host providers, credit reporting agencies, back-up management companies
12 rules :
Page 10
© Bird & Bird AARPI IAPP EUROPE - DATA PROTECTION CONGRESS 2014|
Goals
PCI DSS Requirements
Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect (encrypt) stored cardholder data
4. Encrypt transmission of cardholder data across open / public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access 9. Restrict physical access to premises where cardholder data are stored
Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel on all security aspects
Focus on Requirement 3 : Protect stored cardholder data
• Do not store the Card Security Code (i.e sensitive authentification data) after
authorization (even if it is encrypted) : PCI DSS standards forbid to store the 3- digit security code on the back of the card, and the 4-digit security code on the front of the Amex card
• PAN truncation: Mask PAN (Privacy Account Number) i.e. the "card number" when
displayed (on a customer receipt). The first 6 and last 4 digits are the maximum number of digits you may display (usually the last 4 digits only) the other digits being replaced by asterisks.
• If your organization stores the PAN, it must be rendered unreadable (encrypted notably)
anywhere it is stored – including on portable digital media, backup media, in logs.
CNIL's Requirements in France : Technology
Enhanced Privacy ?
• CNIL built up on PCI-DSS standards to rule on processing and storage of payment card data for online payments (Recommandation on the Processing of payment card
data in the context of remote sale of goods or provision of services – Nov.14, 2013): Prohibition of the storage of the security code of payment cards (CNIL +
PCI-DSS),
Secured storage of credit card number (encrypted or otherwise rendered unreadable) (CNIL + PCI-DSS)
Retention of the card data no longer than required to complete the
transaction, unless the cardholder has given specific, express and informed consent (some exceptions apply but only enable to keep data as off-line archives) (CNIL)
The consent requirement also applies in case the payment is recurrent or fractionated (CNIL)
Consent as a rule for card data storage, EXCEPT for fighting against
fraud
Enforcement action: example of "FNAC Direct"
Page 12
Draft European Regulation: What to expect ?
The legitimate interest of the controller can serve as a legal basis for
processing in the following cases:
• For the purpose of insuring network and information security where "strictly necessary" : Whereas n°39 : "This principle also applies to processing of personal data to restrict abusive access to and use of publicly available network or information systems, such as blacklisting of electronic identifiers" (E.P. – March 12, 2014)
• Whereas n°38 "Provided that they meet the reasonable expectations of the data subject based on his or her relationship with the controller and that the interests of the fundamental rights and freedom of the data subject are not overrinding (E.P. – March 12, 2014).
• Whereas n°38 : "Processing limited to pseudonymous data should be presumed to meet the reasonable expectations of the data subject based on his or her relationship with the controller (E.P. March 12, 2014).
May apply to tokenisation systems which allow to track transactions performed with a card without identifying the cardholder.
Page 13
But… Rules on profiling in the Draft European
Regulation do not include the balance of interests
1) Right of the Data Subject to object to profiling at any time (Art
20.1/PE)
2) Only Legal basis for profiling are : (Art. 20.2/PE)
- If profiling is necessary for entering into or for performance of a contract (provided
that suitable measures to safeguard the data subject's legitimate interests have been adduced); or
- If profiling is expressly authorized by a Union or Member State law; or
- If profiling is based on the data subject's consent.
The legitimate interest of the controller cannot be a legal basis for
profiling
Problematic for processing intended for fraud prevention which cannot be
considered as based on contractual necessity (WP 217 – Art. 29 WP Opinion
06/2014 on the notion of legitimate interests of the data controller under art. 7 of Directive 95/46/EC.)
Also Art. 21 of Draft Regulation does not allow Member States to restrict the scope
of the obligations and rights provided by Art. 20 on profiling (whereas they can do so for provisions of Articles 11 to 19)
To conclude :
- Check that your payment service provider is PCI-DSS
compliant (check your contract)
- Watch out for differences between jurisdictions
- Watch out – and hope – for Draft DP Regulation
improvements on legal basis for profiling – Contact
your professional organisations and your DPA.
Ariane Mole
[email protected]
Co-head of International Data Privacy
Practice, Bird & Bird AARPI
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 15 Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address. twobirds.com