Shock to the System:

Transcription

1 Shock to the System: The New Normal for ecommerce After Data Breaches September 22, 2015 Bill Cohn Director of Product Management, ecommerce Vantiv

2 What We ll Cover Impact of Data Breaches The New Normal Three-Pronged Approach Tokenization Fraud Detection Account Updating 1

3 2

4 (Image credit:

5 (image credit:

6 (image credit: Marleypeterbenjamindawkins.blogspot.com)

7 Result: A Loss of Trust (Image credit: Mathewwilkinson.co.uk/wp-content/uploads/2012/12/photo6.jpg)

8 The Whole Ecosystem is Impacted (image credit: Bhargavikorlipara.edublogs.org)

9 Data Breaches: The Numbers Tell the Story 783 Data breaches in 2014, a record-high number >50% Percentage of data breaches that go unreported² 78% Percentage of data breaches that take weeks, months or even years to be discovered³ $201 Cost/loss per compromised record⁴ $5.9 M The total average cost paid by breached organizations 5 1. Identity Theft Resource Center; Data Breach Investigative Report ; Verizon ; p Cost of Data Breach Study ; Ponemon Institute LLC; 5. Ibid.

10 Is Your Organization at Risk? There are two types of companies: those who have been hacked and know it, and those who have been hacked and don t know it 1 Richard A. Clarke, cybersecurity czar in the Clinton and Bush administrations (image credit: En.wikipedia.org) 1. Presentation at MRC ecommerce Payments and Risk Conference, Las Vegas, March 2013

11 Image credit:

12 Tokenization Account Updating 3-Pronged Approach Fraud Detection

13 Tokenization

14 A Utility s Challenges Protect customers data Mitigate risk of loss Minimize PCI compliance scope (and costs) Implementing in-house security program And Opportunities Shift card security workload to 3 rd party (e.g. processor) image 13 credits: ww.cyberbrethren.com

15 What is a Token? A benign, untranslatable numerical reference sequence that is useless and worthless outside of the transaction between you and your token service provider (e.g. your processor) Used in place of card numbers (or echeck account numbers) by all of your systems (image credit: graphicsfuel.com)

16 PCI Auditors View of Your Systems Tokenization provides security for data in-transit, at-rest and in-use VT / Call Center Order Entry Chargeback Processing DB Finance Accounting DB Gateway/Processor Online Mktg Analytics CRM Utility Systems Back Office DB Tokenization Service Provider image credits: soapboxsolutions.com Onlinestoreaustrailia.blogpost.com E-orchids.com Mbsbooks.com dreamstime.com 15

17 PCI Compliance Costs Costs: Depends upon PCI Level Level 1 and 2: Initial compliance: $150K - $2.5M Annual compliance validation: $40K - $250K 1 In house labor cost constitutes 21% of PCI costs 1 Mitigation of identified vulnerabilities Also, opportunity cost By reducing the cardholder data environment (CDE) smaller organizations may be able to do a self-assessment (SAQ-A) Self-Assessment Questionnaire A and Attestation of Compliance [1] Gartner Research, PCI Compliance 16 Remains Challenging and Expensive, May 2008, (Image credit:

18 Protection of Retained Data The account number is transmitted to the utility s web server. The transaction is sent to Processor. The transaction is submitted to the card network for approval. The token is returned to the utility s system in the transaction response. Utilities are exposed to PANs on card acceptance, but not after token registration 17

19 Reduce Risk and PCI Scope Further By Tokenizing at Initial Capture Ideally, card data should never enter your systems Reduced exposure limits your risk of breach and lowers your annual PCI compliance costs 18

20 End-to-End Protection The account number is transmitted directly to the application server in exchange a RegID.(lpwvalue token) Card data is scrubbed before the form is submitted to the utility s database. The transaction is sent to Processor using the RegID. Processor submits the transaction to the card network for approval. The token is returned to the utility s system in the transaction response. Protect upon initial capture Protect retained data 19

21 PCI DSS Implications New compliance guidelines effective Jan 1 Expands CDE to include any function that is not fully-outsourced As a result, tokenization at initial capture implementations using javascript require longer attestation questionnaire 20 20

22 Risk Reduced Thieves can t steal what isn t there, and organizations don t need to protect what they no longer store 1 1. TOKENIZATION: WHAT S NEXT AFTER PCI? 21

23 Fraud Detection

24 Data Theft & Fraud: Supply and Demand Supply Black Market Demand 23

25 The Costs of Fraud LOSS OF GOODS TO FRAUDSTER Manual Review - Staff Time Fraud Detection Fees CHARGEBACKS Chargeback fees Chargeback processing costs Network monitoring, program fines and fees The Payment Stream REFUNDS TO LEGITIMATE CARDHOLDER Chargeback prevention service fees REPRESENTMENTS Representment fees Representment processing internal costs REPUTATIONAL DAMAGE 24

26 Fraud is the Primary Source of Chargebacks 68% of all chargebacks are related to fraudulent charges. * * Vantiv analysis of approximately one year of fraud alerts for all merchants in its ecommerce base. 25

27 Challenge: EMV Will Increase CNP Fraud Card-Present 58% United Kingdom Adopted EMV in ~ % Card Not Present Adopted EMV 364% in ~1992 Card Present France 35% Card Not Present Canada Australia Adopted EMV in 37% ~2010 Card Present Adopted EMV in 69% ~2013 Card Present 30% Card Not Present 15% Card Not Present Adoption of chip-and-pin technology across the globe has demonstrated reduced fraud at the terminal with increased fraud online. Source: 26

28 So What Works? Device Fingerprinting IP Geolocation Proxy Piercing Network Effect Fraud Score Diverse, Growing & Adaptable Set of Tools & Techniques Fraud Filters AVS CVV No Match Velocity Prior Fraud Alert Prior CB Prepaid International 27

29 A Multi-Dimensional Approach Employs tools and techniques that together target fraud across three dimensions. E.g.: Device Type & OS True Location E.g.: Address Customer ID Ship-To Address 28

30 Account Updating

31 Cardholders Dilemma Post Data Theft This a colossal waste of time and we did nothing wrong. Do you know what a pain it is to try to contact the FastLane program or Boston Sports Club to update a credit card? Life would be a lot easier if every merchant and government agency subscribed to (an account updater) service. -- Frustrated consumer after receiving new credit card following the Home Depot breach 30 (image credit:

32 Consumer Nightmares The simple mistake of not updating his credit card information turned $157 in unpaid tolls into $11,000 He didn't realize he commuted for three months last year with an expired credit card on his E-ZPass account. 31

33 Account Updating Post Data Theft Normal Response Rates to Account Update Requests New Account # New Exp Date Account Closed Contact Cardholder 1.2% 2.0% 1.3% 1.3% Issuer response after 40 M cards stolen in Target breach Issuer response after 56 M cards stolen in Home Depot breach EMV task force expects 575 M cards will be reissued by Oct ? % of account update requests -- to Visa/MasterCard/Discover -- that received an account number changed response 32 (Source: Vantiv. transactional data) 1) Now/Washington/EMV-task-force-update-- 575M-chip-cards-issued-by-2015/

34 Challenge: Cycle of Card Issuance Without an efficient account updating solution, you will experience significant churn Major Breach EMV Issuance Increased CNP Fraud What s Next? Account Updates Account Updates Account Updates If you have churn of more than 2% per month you re filling a leaky bucket. -- David Skok, Principal, Matrix Partners (VC) 33

35 Anatomy of Payment Breakage Customer Lifetime Value AUTH DECLINE Card account expiration Card number replacement Insufficient funds or credit limit Temporary network problems $ $ $ $ $ $ $ $ $ $ $ $ $ $ Time 34

36 On the Positive Side Lifetime Extension Average 3% Lift on Recurring Revenue $135 Additional Revenue per Updated Card (Source: Vantiv aggregate customer data) 35

37 And Satisfied Customers Account updating has resulted in improved customer satisfaction as our customers love having no interruptions in their service. -- CFO, Nutritional Supplements Merchant 36

38 The New Normal Tokenization Account Updating Protect your customers data And reduce your exposure as well as PCI compliance costs 3-Pronged Approach Provide convenience and service continuity And boost your revenue by extending customer lifetime value Fraud Detection Defend your customers wallet And protect yourself from losses, e.g. chargebacks 37

39 (image credit: seanheritage.com)

40 For more info contact: Bill Cohn Director, ecommerce Product Management Vantiv (image credit: adaptivedealer.wordpress.com)