D A T A S E C U R I T Y, F R A U D P R E V E N T I O N A N D P C I C O M P L I A N C E. May 2015

Transcription

1 D A T A S E C U R I T Y, F R A U D P R E V E N T I O N A N D P C I C O M P L I A N C E May 2015

2 D A T A S E C U R I T Y, F R A U D P R E V E N T I O N A N D P C I C O M P L I A N C E This presentation was prepared exclusively for the benefit and internal use of the J.P. Morgan client or potential client to whom it is directly delivered and/or addressed (including subsidiaries and affiliates, the Company ) in order to assist the Company in evaluating, on a preliminary basis, the feasibility of a possible transaction or transactions or other business relationship and does not carry any right of publication or disclosure, in whole or in part, to any other party. This presentation is for discussion purposes only and is incomplete without reference to, and should be viewed solely in conjunction with, the oral briefing provided by J.P. Morgan. Neither this presentation nor any of its contents may be disclosed or used for any other purpose without the prior written consent of J.P. Morgan. To the extent that the information in this presentation is based upon any management forecasts or other information supplied to us by or on behalf of the Company, it reflects such information as well as prevailing conditions and our views as of this date, all of which are accordingly subject to change. J.P. Morgan s opinions and estimates constitute J.P. Morgan s judgment and should be regarded as indicative, preliminary and for illustrative purposes only. In preparing this presentation, we have relied upon and assumed, without independent verification, the accuracy and completeness of all information available from public sources or which was provided to us by or on behalf of the Company or which was otherwise reviewed by us. J.P. Morgan makes no representations as to the actual value which may be received in connection with neither a transaction nor the legal, tax or accounting effects of consummating a transaction. Unless expressly contemplated hereby, the information in this presentation does not take into account the effects of a possible transaction or transactions involving an actual or potential change of control, which may have significant valuation and other effects. Notwithstanding anything herein to the contrary, the Company and each of its employees, representatives or other agents may disclose to any and all persons, without limitation of any kind, the U.S. federal and state income tax treatment and the U.S. federal and state income tax structure (if applicable) of the transactions contemplated hereby and all materials of any kind (including opinions or other tax analyses) that are provided to the Company insofar as such treatment and/or structure relates to a U.S. federal or state income tax strategy provided to the Company by J.P. Morgan. J.P. Morgan's policies on data privacy can be found at IRS Circular 230 Disclosure: JPMorgan Chase & Co. and its affiliates do not provide tax advice. Accordingly, any discussion of U.S. tax matters included herein (including any attachments) is not intended or written to be used, and cannot be used, in connection with the promotion, marketing or recommendation by anyone not affiliated with JPMorgan Chase & Co. of any of the matters addressed herein or for the purpose of avoiding U.S. taxrelated penalties. Chase, J.P. Morgan and JPMorgan Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (collectively, JPMC ) and if and as used herein may include as applicable employees or officers of any or all of such entities irrespective of the marketing name used. Products and services may be provided by commercial bank affiliates, securities affiliates or other JPMC affiliates or entities. In particular, securities brokerage services other than those which can be provided by commercial bank affiliates under applicable law will be provided by registered broker/dealer affiliates such as J.P. Morgan Securities LLC, J.P. Morgan Institutional Investments Inc. or by such other affiliates as may be appropriate to provide such services under applicable law. Such securities are not deposits or other obligations of any such commercial bank, are not guaranteed by any such commercial bank and are not insured by the Federal Deposit Insurance Corporation. This presentation is delivered to you for the purpose of providing you information regarding certain of J.P. Morgan's products or services as described herein. Note that J.P. Morgan may not be able to provide all of the products or services described herein or requested by you unless J.P. Morgan confirms that such requested products or services would not cause J.P. Morgan to be considered a "Municipal Advisor" under Section 15B of the Securities and Exchange Act of 1934, as amended, and the related final rules (the "Municipal Advisor Rules"), or are otherwise excluded or exempt under the Municipal Advisor Rules. J.P. Morgan is not recommending that you take action or refrain from taking action or providing any advice and is not and will not be acting as your advisor, agent or fiduciary with respect to any such products or services. Any portion of this presentation which provides information on municipal financial products or the issuance of municipal securities is given in response to your questions or to demonstrate our general experience or capabilities and is not intended to constitute advice within the meaning of the Municipal Advisor Rules. You should consult with your own financial, legal and other advisors to the extent you deem appropriate in connection with the information provided herein. This presentation does not constitute a commitment by any JPMC entity to extend or arrange credit or to provide any other services.

3 D A T A S E C U R I T Y, F R A U D P R E V E N T I O N A N D P C I C O M P L I A N C E Agenda Page PCI Compliance and Data Security 1 Data Security Solutions 7 Fraud Prevention 13 1

4 P C I C O M P L I A N C E A N D D A T A S E C U R I T Y Threats outpacing most organizations 9X The number of cyber attacks in the U.S. has increased ninefold in the last six years In 2013, there were an estimated 58.4 million unique new strains of malware deployed breaches reported in 2013; an increase of 31% from ,860,240 Records that were breached in 4,214 data breaches between 2005 and % Percentage of companies NOT fully compliant with all 12 PCI standard requirements in Sources: 1 Redwood Capital Market Analysis Feb Aite Group, Cyberthreats: Multiplying Like Tribbles, October ITRC Breach Report Privacy Rights Clearinghouse 5 Verizon 2014 PCI Compliance Report 2

5 P C I C O M P L I A N C E A N D D A T A S E C U R I T Y PCI in brief Data security standards created and maintained by the Payment Card Industry Security Standards Council (PCI SSC) Applies to any system that stores, processes or transmits card data 12 requirements addressing operational and technical areas Specific technology guidelines for encryption and tokenization Organizations often need to combine multiple technologies to secure data and meet PCI requirements 3

6 P C I C O M P L I A N C E A N D D A T A S E C U R I T Y The prioritized approach Six milestones 1. If you don t need it, don t store it 2. Secure the perimeter 3. Secure applications 4. Monitor and control access to your systems 5. Protect stored cardholder data 6. Finalize remaining compliance efforts, and ensure all controls are in place Tools and guidance on the PCI SSC Web site 4

7 P C I C O M P L I A N C E A N D D A T A S E C U R I T Y Why NOT compliance? New compliance mandates are potentially endless Government regulation Industry standards Organization policies Achieving compliance is easier than maintaining compliance Becoming compliant is a project Maintaining compliance is a culture change Why information security A single, comprehensive set of enterprise information security polices, standards, baselines, and procedures Simplifies culture change Simplifies compliance mandate responses by Cataloging existing controls Speeding gap analysis Limiting expense and churn caused by new mandates Reduces compliance to a single core competency: Security 5

8 P C I C O M P L I A N C E A N D D A T A S E C U R I T Y Security is a business decision Steps to take Assess the risks Identify the mitigation options Determine how much risk The organization is comfortable accepting The organization is ALLOWED to accept Recognize the constraints Acquire and apply resources IT and information security can then Consolidate data and systems Segment the network Implement the controls Close the gaps 6

9 D A T A S E C U R I T Y, F R A U D P R E V E N T I O N A N D P C I C O M P L I A N C E Agenda Page PCI Compliance and Data Security 1 Data Security Solutions 7 Fraud Prevention 13 7

10 D A T A S E C U R I T Y S O L U T I O N S Security is Comprehensive A viable security solution to combat today s threats requires a comprehensive combination of security solutions Replaces customer payment data with a benign value that cannot be converted back to card or account information within a merchant s network, protecting that data from security threats. Tokenization EMV Advanced chip card technology that helps prevent skimming, counterfeit and lost/stolen fraud. Encryption PCI DSS Encryption technology that protects the primary account number of a payment card from moment of capture at retail point of sale Fraud Tools A combination of preventative, detective, responsive controls applied to a merchant s process, people, and technologies. Tools that provide greater visibility into sophisticated fraud patterns, advanced capabilities include proxy piercing and geolocation, which can pinpoint a transaction s origin in real time, and dynamic order linking 8

11 D A T A S E C U R I T Y S O L U T I O N S Encryption 101 What is Encryption? Encryption is a security measure that leverages a cipher algorithm to mathematically transform sensitive data in such a way that only authorized parties can read it Encryption does not prevent interception of data, but rather the access to the content intercepted From the initial swipe, dip, tap, or click, card data can be encrypted to protect the data throughout the payment transmission process How Does it Work? Recipient's Public Key Recipient's Private Key Source: PacketLife.net Why is Encryption Important? Ideal for Data on the Go: Encryption is particularly useful in secure transmission of sensitive information Open Model with Limited Risk Exposure: Encryption leverages a public and private key model, where a public key is widely available to encrypt messages while a private key is only available to the receiving party for decryption of the message 9

12 D A T A S E C U R I T Y S O L U T I O N S Tokenization 101 What is Tokenization? Tokenization is the process through which real account data is replaced with a proxy value known as a token These tokens can either be static (never changing) or dynamic (different for each transaction) Some tokens are format-preserving (i.e., they look like regular PANs), while others can be different lengths or alphanumeric in context Tokens were created to minimize risk for merchants who stored live payment account credentials on their servers, but have expanded to minimize risks for issuers, brands, acquirers, and consumers Think of Tokens like Casino Chips You trade cash for chips Cash is valuable in a large context and is easily used Chips are valuable only in a limited context (inside the casino) and can only be used to do certain things defined by the house (e.g. play on certain table games) Why is Tokenization Important? Renders Previously High Value Data Almost Useless: Cash is higher risk because it can be stolen and used anywhere, while a chip is lower risk because even if it s stolen, it can t be used everywhere Consolidates Risk to a Single Control Point: Tokenization is like going to the cashier and giving cash and receiving tokens and De-Tokenization is like going back to the cashier and trading chips for cash 10

13 D A T A S E C U R I T Y S O L U T I O N S Hosted Pay Page for Ecommerce A consumer-facing hosted page that captures customer payment data in a PCI compliant manner Creating a secure and seamless payment experience for your customers while keeping your organization compliant Benefits Increases the security of your customers payment data Reduces the cost and scope of PCI compliance Your Website Ecommerce Platform Enables you to maintain complete control of your branding throughout the payment cycle Hosted Pay Page Minimizes initial and ongoing IT resource impacts How it works A Hosted Pay Page can clone your payment page so you maintain complete control of the look and feel of your customers checkout experience. There are no static templates to update. Payment Page Success Page CLONE¹ Payment Page Token Payment brands for approval There is no need to use an acquirer-branded payment page. You can change your payment page elements at any time, and Hosted Pay Page will capture the changes in real time. You are in control of your brand on the payment page at all times. Your bank account 11

14 D A T A S E C U R I T Y S O L U T I O N S Page encryption What does it do for your organization? Encrypts PAN and CVV data within a customer s browser Provides you with full payment page control; no re-directs Remains invisible to the customer Delivers an effective PCI solution Offers a host-based alternative to a Hosted Pay Page 12

15 D A T A S E C U R I T Y, F R A U D P R E V E N T I O N A N D P C I C O M P L I A N C E Agenda Page PCI Compliance and Data Security 1 Data Security Solutions 7 Fraud Prevention 13 13

16 F R A U D P R E V E N T I O N EMV The Basics How EMV Chip Cards are Different Chip cards are inserted into chip-reading devices rather than being swiped If PIN is supported on the chip card, it will replace traditional signature In conjunction with PIN, chip cards provide an added layer of authentication Terminals will accept both magnetic stripe and chip cards for years to come Customer Verification Methods (CVM) Chip and Signature Chip and Offline PIN Chip and Online PIN The consumer signs to validate their identity Prevents counterfeit card fraud The chip card and the terminal validate the PIN, then authorize Prevents counterfeit, stolen and never received or issued card fraud The consumer s PIN is sent to the host for validation Prevents counterfeit, stolen and never received or issued card fraud Source: EMVCo Q statistics 14

17 F R A U D P R E V E N T I O N Key points about EMV in the US Benefits of chip technology Confidence EMV has been used globally with cards in Europe for over a decade; and in Canada over the last seven years Security and Fraud Protection dynamic authentication reduces the value of stolen cardholder data; Chip technology is more difficult to duplicate and combining its use with a PIN helps reduce fraud due to lost, stolen or counterfeit cards Reduces Chargebacks the use of PIN with the chip technology can significantly reduce the frequency of chargebacks Global Interoperability and Consistency outside of the U.S., 43.3% of all cards are EMV and 86.8% of terminals are EMV capable US migration drivers Avoid becoming a destination for criminals and global magnetic-stripe fraud activity Increase satisfaction of traveling international cardholders Maintain interoperability with the rest of the world Position the industry for the adoption of other forms of payment, notably NFC mobile contactless payments Payment brand mandates and chargeback liability shifts are forcing the adoption of this technology What is a liability shift? Liability Shift is a change in who bears the chargeback related cost of fraudulent transactions The penalty for merchants or issuers missing the October 2015 (non Petro) / October 2017 (Petro) deadline is a shift in fraud related liability. Merchants who have not implemented an EMV certified solution will risk absorbing the cost of all disputed counterfeit and potentially lost/stolen/not received fraudulent transactions they initiate. 15

18 F R A U D P R E V E N T I O N EMV in the US: Key Merchant Considerations Keys to EMV Readiness 1. The Right Integration: Direct, Middleware/Third Party (TP) Gateway, Semi-Integrated, or Stand-Alone approach 2. Merchant Readiness: Processes, Procedures, Learning / Development on handling EMV transactions 3. Consumer Readiness: Building Awareness and Understanding of EMV Make The Most of EMV Migration 1. Consider POS modernization holistically PIN Acceptance, E2E Encryption, Tokenization, Contactless, High-Speed IP Connectivity 2. Be prepared for Fraud Increases in Card Not Present (CNP) channels EMV adoption has historically shifted Card Present Fraud to CNP and cross-border Fraud Omni-channel and CNP merchants should prepare by evaluating fraud detection technology AVS/CVV alone is not enough as false positive exposure can be high. Include other fraud detection technology such as Velocity Checks, Positive and Negative Lists, Proxy Piercing/IP Geolocation, and Dynamic Risk Scoring 16

19 F R A U D P R E V E N T I O N Key takeaways PCI Basic security measures but not all that is needed Data protection Any time the card data is exposed, in transit or at rest, it is at risk Layered protection is the only answer Different from data protection Fraud management More risk in CNP space than card present Geolocation, proxy piercing, device fingerprinting 17

20 F R A U D P R E V E N T I O N Speaker contact information Matthew Leman Public Sector Market Manager Chase Paymentech O: Matt.Leman@chasepaymentech.com 18

21 F R A U D P R E V E N T I O N This presentation is delivered to you for the purpose of providing you information regarding certain of J.P. Morgan's products or services as described herein. Note that J.P. Morgan may not be able to provide all of the products or services described herein or requested by you unless J.P. Morgan confirms that such requested products or services would not cause J.P. Morgan to be considered a "Municipal Advisor" under Section 15B of the Securities and Exchange Act of 1934, as amended, and the related final rules (the "Municipal Advisor Rules"), or are otherwise excluded or exempt under the Municipal Advisor Rules. J.P. Morgan is not recommending that you take action or refrain from taking action or providing any advice and is not and will not be acting as your advisor, agent or fiduciary with respect to any such products or services. Any portion of this presentation which provides information on municipal financial products or the issuance of municipal securities is given in response to your questions or to demonstrate our general experience or capabilities and is not intended to constitute advice within the meaning of the Municipal Advisor Rules. You should consult with your own financial, legal and other advisors to the extent you deem appropriate in connection with the information provided herein. 19