DATA SECURITY, FRAUD PREVENTION AND PCI COMPLIANCE (May 2015)


This presentation was prepared exclusively for the benefit and internal use of the J.P. Morgan client or potential client to whom it is directly delivered and/or addressed (including subsidiaries and affiliates, the "Company") in order to assist the Company in evaluating, on a preliminary basis, the feasibility of a possible transaction or transactions or other business relationship and does not carry any right of publication or disclosure, in whole or in part, to any other party. This presentation is for discussion purposes only and is incomplete without reference to, and should be viewed solely in conjunction with, the oral briefing provided by J.P. Morgan. Neither this presentation nor any of its contents may be disclosed or used for any other purpose without the prior written consent of J.P. Morgan. To the extent that the information in this presentation is based upon any management forecasts or other information supplied to us by or on behalf of the Company, it reflects such information as well as prevailing conditions and our views as of this date, all of which are accordingly subject to change. J.P. Morgan's opinions and estimates constitute J.P. Morgan's judgment and should be regarded as indicative, preliminary and for illustrative purposes only. In preparing this presentation, we have relied upon and assumed, without independent verification, the accuracy and completeness of all information available from public sources or which was provided to us by or on behalf of the Company or which was otherwise reviewed by us. J.P. Morgan makes no representations as to the actual value which may be received in connection with a transaction nor the legal, tax or accounting effects of consummating a transaction.
Unless expressly contemplated hereby, the information in this presentation does not take into account the effects of a possible transaction or transactions involving an actual or potential change of control, which may have significant valuation and other effects. Notwithstanding anything herein to the contrary, the Company and each of its employees, representatives or other agents may disclose to any and all persons, without limitation of any kind, the U.S. federal and state income tax treatment and the U.S. federal and state income tax structure (if applicable) of the transactions contemplated hereby and all materials of any kind (including opinions or other tax analyses) that are provided to the Company insofar as such treatment and/or structure relates to a U.S. federal or state income tax strategy provided to the Company by J.P. Morgan. J.P. Morgan's policies on data privacy can be found at http://www.jpmorgan.com/pages/privacy. IRS Circular 230 Disclosure: JPMorgan Chase & Co. and its affiliates do not provide tax advice. Accordingly, any discussion of U.S. tax matters included herein (including any attachments) is not intended or written to be used, and cannot be used, in connection with the promotion, marketing or recommendation by anyone not affiliated with JPMorgan Chase & Co. of any of the matters addressed herein or for the purpose of avoiding U.S. tax-related penalties. Chase, J.P. Morgan and JPMorgan Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (collectively, "JPMC") and if and as used herein may include as applicable employees or officers of any or all of such entities irrespective of the marketing name used. Products and services may be provided by commercial bank affiliates, securities affiliates or other JPMC affiliates or entities.
In particular, securities brokerage services other than those which can be provided by commercial bank affiliates under applicable law will be provided by registered broker/dealer affiliates such as J.P. Morgan Securities LLC, J.P. Morgan Institutional Investments Inc. or by such other affiliates as may be appropriate to provide such services under applicable law. Such securities are not deposits or other obligations of any such commercial bank, are not guaranteed by any such commercial bank and are not insured by the Federal Deposit Insurance Corporation. This presentation is delivered to you for the purpose of providing you information regarding certain of J.P. Morgan's products or services as described herein. Note that J.P. Morgan may not be able to provide all of the products or services described herein or requested by you unless J.P. Morgan confirms that such requested products or services would not cause J.P. Morgan to be considered a "Municipal Advisor" under Section 15B of the Securities and Exchange Act of 1934, as amended, and the related final rules (the "Municipal Advisor Rules"), or are otherwise excluded or exempt under the Municipal Advisor Rules. J.P. Morgan is not recommending that you take action or refrain from taking action or providing any advice and is not and will not be acting as your advisor, agent or fiduciary with respect to any such products or services. Any portion of this presentation which provides information on municipal financial products or the issuance of municipal securities is given in response to your questions or to demonstrate our general experience or capabilities and is not intended to constitute advice within the meaning of the Municipal Advisor Rules. You should consult with your own financial, legal and other advisors to the extent you deem appropriate in connection with the information provided herein. 
This presentation does not constitute a commitment by any JPMC entity to extend or arrange credit or to provide any other services.

Agenda
1. PCI Compliance and Data Security
2. Data Security Solutions
3. Fraud Prevention

PCI COMPLIANCE AND DATA SECURITY
Threats outpacing most organizations
- 9X: the number of cyber attacks in the U.S. has increased ninefold in the last six years [1]
- 58.4 million: in 2013, an estimated 58.4 million unique new strains of malware were deployed [2]
- 619: breaches reported in 2013, an increase of 31% from 2012 [3]
- 863,860,240: records breached in 4,214 data breaches between 2005 and 2013 [4]
- 89%: percentage of companies NOT fully compliant with all 12 PCI DSS requirements in 2013 [5]
Sources: [1] Redwood Capital Market Analysis, February 2014; [2] Aite Group, "Cyberthreats: Multiplying Like Tribbles", October 2013; [3] ITRC Breach Report 2013; [4] Privacy Rights Clearinghouse; [5] Verizon 2014 PCI Compliance Report

PCI COMPLIANCE AND DATA SECURITY
PCI in brief
- Data security standards created and maintained by the Payment Card Industry Security Standards Council (PCI SSC)
- Applies to any system that stores, processes or transmits cardholder data, and to systems connected to those systems
- 12 requirements addressing operational and technical areas
- Specific technology guidelines for encryption and tokenization
- Organizations often need to combine multiple technologies to secure data and meet PCI requirements

PCI COMPLIANCE AND DATA SECURITY
The prioritized approach: six milestones
1. If you don't need it, don't store it
2. Secure the perimeter
3. Secure applications
4. Monitor and control access to your systems
5. Protect stored cardholder data
6. Finalize remaining compliance efforts, and ensure all controls are in place
Tools and guidance are available on the PCI SSC Web site
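Milestone 1 ("if you don't need it, don't store it") and milestone 5 ("protect stored cardholder data") both start with finding out where card numbers actually sit. The following is an added example, not code from the original deck or from Chase Paymentech: a cardholder-data discovery pass over a constructed sample of log text, using a candidate-digit-run pattern plus the Luhn check to separate real PANs from order numbers and timestamps, and reporting only the truncated form (first six, last four) that PCI DSS allows to be displayed. The sample log and the well-known test card numbers in it are constructed for this example; a real scan walks databases, log directories and backups rather than a string.

```python
"""Added example (not from the original deck): find card numbers that should
never have been stored, and report them only in truncated form."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return [(line_no, masked_pan)] for every Luhn-valid candidate in text.

    Only the masked form is returned: a discovery tool that logged what it
    found in the clear would itself be storing cardholder data.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


# Constructed sample: an order number and a request id that merely look like
# card data, and three industry test PANs (Visa, Mastercard, Amex format).
SAMPLE_LOG = """\
2015-05-01 12:00:01 INFO  order=ORD-1234567890123456 status=created
2015-05-01 12:00:02 DEBUG auth request pan=4111111111111111 exp=1217 amt=19.99
2015-05-01 12:00:03 DEBUG auth request pan=5555 5555 5555 4444 exp=0118 amt=250.00
2015-05-01 12:00:04 INFO  req_id=20150501120004 result=approved
2015-05-01 12:00:05 DEBUG fallback auth 3782-822463-10005 result=approved
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: stored PAN {masked}")
```

The order number on line 1 and the request id on line 4 are 16 and 14 digits long and are skipped only because they fail the Luhn check; without it a scan of a busy log produces far more false positives than findings.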

PCI COMPLIANCE AND DATA SECURITY
Why not compliance alone?
- New compliance mandates are potentially endless: government regulation, industry standards, organization policies
- Achieving compliance is easier than maintaining compliance: becoming compliant is a project; maintaining compliance is a culture change
Why information security?
A single, comprehensive set of enterprise information security policies, standards, baselines and procedures:
- Simplifies the culture change
- Simplifies responses to compliance mandates by cataloging existing controls, speeding gap analysis, and limiting the expense and churn caused by new mandates
- Reduces compliance to a single core competency: security

PCI COMPLIANCE AND DATA SECURITY
Security is a business decision
Steps to take:
1. Assess the risks
2. Identify the mitigation options
3. Determine how much risk the organization is comfortable accepting, and how much it is ALLOWED to accept
4. Recognize the constraints
5. Acquire and apply resources
IT and information security can then:
- Consolidate data and systems
- Segment the network
- Implement the controls
- Close the gaps


DATA SECURITY SOLUTIONS
Security is comprehensive
A viable security solution to combat today's threats requires a comprehensive combination of security solutions:
- Tokenization: replaces customer payment data with a benign value that cannot be converted back to card or account information within a merchant's network, protecting that data from security threats.
- EMV: advanced chip card technology that helps prevent skimming, counterfeit and lost/stolen fraud.
- Encryption: technology that protects the primary account number of a payment card from the moment of capture at the retail point of sale.
- PCI DSS: a combination of preventive, detective and responsive controls applied to a merchant's processes, people and technologies.
- Fraud tools: tools that provide greater visibility into sophisticated fraud patterns; advanced capabilities include proxy piercing and geolocation, which can pinpoint a transaction's origin in real time, and dynamic order linking.

DATA SECURITY SOLUTIONS
Encryption 101
What is encryption?
- A security measure that uses a cipher algorithm to mathematically transform sensitive data so that only authorized parties can read it
- Encryption does not prevent interception of data; it denies the interceptor access to the intercepted content
- From the initial swipe, dip, tap or click, card data can be encrypted to protect it throughout the payment transmission process
How does it work?
[Diagram: the sender encrypts with the recipient's public key; the recipient decrypts with the recipient's private key. Source: PacketLife.net]
Why is encryption important?
- Ideal for data on the go: encryption is particularly useful for secure transmission of sensitive information
- Open model with limited risk exposure: in the public/private key model, the public key is widely available to encrypt messages, while the private key is held only by the receiving party, which alone can decrypt them. Many point-of-sale encryption deployments use symmetric keys injected into the terminal instead, but the property that matters is the same: the merchant's systems never hold the key that decrypts.
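The following is an added example, not code from the original deck or from Chase Paymentech, of the public/private key model above applied to card data at the moment of capture: the terminal holds only the processor's public key, so the POS software, store network and everything in between carry ciphertext they cannot open, and only the processor's private key reverses it. RSA is built from the Python standard library so the example runs offline. The key sizes, the random-prefix padding and the track data are illustrative assumptions; production point-to-point encryption uses a vetted library (RSA-OAEP or an ECDH-based scheme, or symmetric DUKPT keys injected into the terminal) with the decrypting key kept in an HSM.

```python
"""Added example (not from the original deck): public-key encryption of card
data at capture, decryptable only by the processor."""
import secrets

PAD_BYTES = 16   # random prefix: equal PANs must never give equal ciphertexts


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; adequate for generating demonstration keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)); the public key goes to every terminal,
    the private key only to the processor."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt_at_capture(public_key, card_data: bytes) -> int:
    """Runs inside the terminal as soon as the card is read."""
    n, e = public_key
    # 0x01 marker, random prefix, then the data. Without the random prefix an
    # attacker holding the public key could encrypt guessed PANs and compare;
    # the marker lets the receiver find the start after leading zeros are lost.
    padded = b"\x01" + secrets.token_bytes(PAD_BYTES) + card_data
    m = int.from_bytes(padded, "big")
    if m >= n:
        raise ValueError("data too long for this key size")
    return pow(m, e, n)


def decrypt_at_processor(private_key, ciphertext: int) -> bytes:
    """Only the holder of the private key can recover the card data."""
    n, d = private_key
    key_len = (n.bit_length() + 7) // 8
    padded = pow(ciphertext, d, n).to_bytes(key_len, "big")
    start = padded.index(b"\x01")       # first non-zero byte is the marker
    return padded[start + 1 + PAD_BYTES:]


if __name__ == "__main__":
    public, private = generate_keypair()
    track2 = b"4111111111111111=1217101"       # constructed track data, test number
    wire = encrypt_at_capture(public, track2)   # this integer is all the merchant sees
    print("on the merchant network:", hex(wire)[:40], "...")
    print("at the processor:", decrypt_at_processor(private, wire))
```

Two captures of the same card produce different ciphertexts because of the random prefix; that is the property a practitioner should check for in any scheme that encrypts low-entropy data such as PANs, since a deterministic encryption of a guessable value can be confirmed by anyone holding the public key.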

DATA SECURITY SOLUTIONS
Tokenization 101
What is tokenization?
- Tokenization is the process through which real account data is replaced with a proxy value known as a token
- Tokens can be static (never changing) or dynamic (different for each transaction)
- Some tokens are format-preserving (they look like regular PANs); others can be of different lengths or alphanumeric
- Tokens were created to minimize risk for merchants who stored live payment account credentials on their servers, but have expanded to minimize risk for issuers, brands, acquirers and consumers
Think of tokens like casino chips
- You trade cash for chips
- Cash is valuable in a large context and is easily used
- Chips are valuable only in a limited context (inside the casino) and can only be used to do certain things defined by the house (e.g. play on certain table games)
Why is tokenization important?
- Renders previously high-value data almost useless: cash is higher risk because it can be stolen and used anywhere, while a chip is lower risk because even if it is stolen, it cannot be used everywhere
- Consolidates risk to a single control point: tokenization is like going to the cashier and exchanging cash for chips, and de-tokenization is like going back to the cashier and trading chips for cash
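The following is an added example, not code from the original deck or from Chase Paymentech, of a minimal token vault illustrating the casino-chip model above. The merchant's systems keep only tokens; the vault is the cashier's cage, the one place where a token can be exchanged back for a PAN, and only by callers it authorises. Static tokens let the merchant recognise a returning card; dynamic tokens are minted per transaction. Tokens here are format-preserving (same length, same last four digits, random elsewhere) and are deliberately made to fail the Luhn check so a token can never be mistaken for a live PAN. The in-memory dictionaries, the HMAC index key and the caller names are assumptions made for the example; a real vault runs in a separately secured, PCI-scoped environment with an HSM, access control and audit logging.

```python
"""Added example (not from the original deck): a minimal token vault with
static and dynamic format-preserving tokens."""
import hashlib
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check (every second digit from the right is doubled)."""
    total = sum(int(c) if i % 2 == 0 else (2 * int(c) - 9 if int(c) > 4 else 2 * int(c))
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0


class TokenVault:
    AUTHORISED_DETOKENIZERS = {"settlement-service"}   # constructed allow-list

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keys an HMAC index so equal PANs share one static token
        self._token_to_pan = {}       # the only place the PAN exists
        self._static_index = {}       # HMAC(PAN) -> static token

    def _mint(self, pan: str) -> str:
        """Random digits in front of the card's last four, retried until the
        token fails Luhn and is unused, so it cannot pass as a real PAN."""
        while True:
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if not luhn_ok(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str, dynamic: bool = False) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        if dynamic:                                   # fresh token every call
            token = self._mint(pan)
            self._token_to_pan[token] = pan
            return token
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx not in self._static_index:             # first sight of this card
            token = self._mint(pan)
            self._token_to_pan[token] = pan
            self._static_index[idx] = token
        return self._static_index[idx]

    def detokenize(self, token: str, caller: str) -> str:
        """The single control point: refuse unknown callers, then unknown tokens."""
        if caller not in self.AUTHORISED_DETOKENIZERS:
            raise PermissionError(f"{caller} may not detokenize")
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"                          # industry test number
    static = vault.tokenize(pan)
    per_txn = vault.tokenize(pan, dynamic=True)
    print("what the merchant stores:", static, per_txn)   # neither passes Luhn
    print("what the vault returns:", vault.detokenize(static, "settlement-service"))
```

A stolen copy of the merchant's database yields only the tokens; turning them back into PANs requires a call the vault will accept, which is why the vault, not the merchant's order system, is where the access control and logging effort goes.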

DATA SECURITY SOLUTIONS
Hosted Pay Page for ecommerce
A consumer-facing hosted page that captures customer payment data in a PCI compliant manner, creating a secure and seamless payment experience for your customers while keeping your organization compliant.
Benefits
- Increases the security of your customers' payment data
- Reduces the cost and scope of PCI compliance
- Enables you to maintain complete control of your branding throughout the payment cycle
- Minimizes initial and ongoing IT resource impacts
How it works
A Hosted Pay Page can clone your payment page so you maintain complete control of the look and feel of your customers' checkout experience. There are no static templates to update. There is no need to use an acquirer-branded payment page. You can change your payment page elements at any time, and Hosted Pay Page will capture the changes in real time. You are in control of your brand on the payment page at all times. The scope reduction depends on the card data never touching your own servers; the page that hands the customer off to the hosted page must still be protected from tampering, since an attacker who can alter it can redirect the card data elsewhere.
[Diagram: your website / ecommerce platform -> Hosted Pay Page (cloned¹ payment page and success page) -> token returned to your site; card data is sent to the payment brands for approval and settled to your bank account]

DATA SECURITY SOLUTIONS
Page encryption
What does it do for your organization?
- Encrypts PAN and CVV data within the customer's browser, before it leaves the page
- Provides you with full payment page control; no redirects
- Remains invisible to the customer
- Delivers an effective PCI solution
- Offers a host-based alternative to a Hosted Pay Page


FRAUD PREVENTION
EMV: the basics
How EMV chip cards are different
- Chip cards are inserted into chip-reading devices rather than being swiped
- If PIN is supported on the chip card, it replaces the traditional signature
- In conjunction with PIN, chip cards provide an added layer of authentication
- Terminals will accept both magnetic stripe and chip cards for years to come
Cardholder Verification Methods (CVM)
- Chip and Signature: the consumer signs to validate their identity. Prevents counterfeit card fraud.
- Chip and Offline PIN: the terminal passes the PIN to the chip, which verifies it, and the transaction is then authorized. Prevents counterfeit, stolen, and never-received or never-issued card fraud.
- Chip and Online PIN: the consumer's PIN is sent to the host for validation. Prevents counterfeit, stolen, and never-received or never-issued card fraud.
Source: EMVCo Q4 2013 statistics

FRAUD PREVENTION
Key points about EMV in the US
Benefits of chip technology
- Confidence: EMV has been used with cards in Europe for over a decade, and in Canada for the last seven years
- Security and fraud protection: dynamic authentication reduces the value of stolen cardholder data; chip technology is more difficult to duplicate, and combining it with a PIN helps reduce fraud due to lost, stolen or counterfeit cards
- Reduces chargebacks: the use of PIN with chip technology can significantly reduce the frequency of chargebacks
- Global interoperability and consistency: outside of the U.S., 43.3% of all cards are EMV and 86.8% of terminals are EMV capable
US migration drivers
- Avoid becoming a destination for criminals and global magnetic-stripe fraud activity
- Increase satisfaction of traveling international cardholders
- Maintain interoperability with the rest of the world
- Position the industry for the adoption of other forms of payment, notably NFC mobile contactless payments
- Payment brand mandates and chargeback liability shifts are forcing the adoption of this technology
What is a liability shift?
A liability shift is a change in who bears the chargeback-related cost of fraudulent transactions. The penalty for merchants or issuers missing the October 2015 (non-petroleum) / October 2017 (petroleum) deadline is a shift in fraud-related liability: merchants who have not implemented an EMV-certified solution risk absorbing the cost of all disputed counterfeit, and potentially lost/stolen/not-received, fraudulent transactions they accept.
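The following is an added example, not code from the original deck or from Chase Paymentech, showing what "dynamic authentication reduces the value of stolen cardholder data" means in practice. A magnetic stripe carries static data, so whatever a skimmer copies is exactly what the next terminal will send. A chip card instead computes an application cryptogram over the transaction amount, its own application transaction counter (ATC) and an unpredictable number chosen by the terminal, using a key that never leaves the chip; the issuer holds the same key, recomputes the cryptogram and rejects stale counters. HMAC-SHA256 is used here as a stand-in for the card's EMV MAC (the real scheme derives per-card and per-session keys from an issuer master key), and the card numbers, keys and message layout are constructed for the example.

```python
"""Added example (not from the original deck): why captured chip-transaction
data does not replay the way captured magnetic-stripe data does."""
import hashlib
import hmac
import secrets


class MagStripeCard:
    """Static track data: the card has nothing to compute."""
    def __init__(self, pan, expiry, cvv1):
        self.track = f"{pan}={expiry}{cvv1}"

    def present(self, unpredictable_number, amount):
        return {"track": self.track}


class ChipCard:
    def __init__(self, pan, card_key: bytes):
        self.pan = pan
        self._key = card_key     # stays on the chip; only the issuer has a copy
        self.atc = 0

    def present(self, unpredictable_number, amount):
        self.atc += 1            # the card, not the terminal, advances the counter
        data = f"{self.pan}|{amount}|{self.atc}|{unpredictable_number}".encode()
        arqc = hmac.new(self._key, data, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "amount": amount, "atc": self.atc,
                "un": unpredictable_number, "arqc": arqc}


class Issuer:
    def __init__(self):
        self.chip_keys = {}       # pan -> key shared with the chip
        self.last_atc = {}        # pan -> highest ATC accepted so far
        self.stripe_tracks = set()

    def enrol_stripe(self, card):
        self.stripe_tracks.add(card.track)

    def enrol_chip(self, pan, key):
        self.chip_keys[pan] = key

    def authorise_stripe(self, msg):
        return msg["track"] in self.stripe_tracks      # any copy of the data will do

    def authorise_chip(self, msg, terminal_un):
        key = self.chip_keys.get(msg["pan"])
        if key is None or msg["un"] != terminal_un:    # cryptogram must be for this nonce
            return False
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):   # counter must advance
            return False
        data = f"{msg['pan']}|{msg['amount']}|{msg['atc']}|{msg['un']}".encode()
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False
        self.last_atc[msg["pan"]] = msg["atc"]
        return True


class Terminal:
    def __init__(self, issuer):
        self.issuer = issuer

    def _authorise(self, msg, un):
        if "track" in msg:
            return self.issuer.authorise_stripe(msg)
        return self.issuer.authorise_chip(msg, un)

    def transact(self, card, amount):
        un = secrets.token_hex(4)                # the unpredictable number
        msg = card.present(un, amount)
        return self._authorise(msg, un), msg     # msg is what a skimmer could capture

    def replay(self, captured_msg):
        """A criminal re-submits data captured from an earlier transaction."""
        return self._authorise(captured_msg, secrets.token_hex(4))


def demo():
    """Return the outcome of first use and of replay for each card type."""
    issuer = Issuer()
    stripe = MagStripeCard("4111111111111111", "1217", "123")   # test number
    chip_key = secrets.token_bytes(16)
    chip = ChipCard("5555555555554444", chip_key)               # test number
    issuer.enrol_stripe(stripe)
    issuer.enrol_chip(chip.pan, chip_key)
    terminal = Terminal(issuer)
    stripe_ok, skimmed = terminal.transact(stripe, "19.99")
    chip_ok, captured = terminal.transact(chip, "19.99")
    return {
        "stripe_first_use": stripe_ok,
        "stripe_replay": terminal.replay(skimmed),     # static data replays
        "chip_first_use": chip_ok,
        "chip_replay": terminal.replay(captured),      # nonce and ATC are stale
        "chip_next_genuine": terminal.transact(chip, "5.00")[0],
    }


if __name__ == "__main__":
    for outcome, ok in demo().items():
        print(f"{outcome}: {ok}")
```

The captured chip message still contains the PAN, which is why the deck pairs EMV with encryption and tokenization: the cryptogram stops the data being replayed at a chip terminal, but a PAN lifted from a chip transaction is as usable in a card-not-present purchase as one lifted from a stripe.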

FRAUD PREVENTION
EMV in the US: key merchant considerations
Keys to EMV readiness
1. The right integration: direct, middleware/third-party (TP) gateway, semi-integrated, or stand-alone approach
2. Merchant readiness: processes, procedures, and learning/development on handling EMV transactions
3. Consumer readiness: building awareness and understanding of EMV
Make the most of EMV migration
1. Consider POS modernization holistically: PIN acceptance, end-to-end encryption, tokenization, contactless, high-speed IP connectivity
2. Be prepared for fraud increases in card-not-present (CNP) channels. EMV adoption has historically shifted card-present fraud to CNP and cross-border fraud. Omni-channel and CNP merchants should prepare by evaluating fraud detection technology: AVS/CVV alone is not enough, as false-positive exposure can be high; include other fraud detection technology such as velocity checks, positive and negative lists, proxy piercing/IP geolocation, and dynamic risk scoring.
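The following is an added example, not code from the original deck or from Chase Paymentech, of a layered card-not-present screen combining the signals listed above. AVS/CVV results, velocity per card, positive and negative lists, IP geolocation and proxy detection each add or remove points, and the decision (approve, review, decline) comes from the total, so no single weak signal decides an order and a genuine customer with one AVS mismatch is not declined outright. The geolocation table, proxy ranges, list entries, weights and sample orders are all constructed for this example; a real deployment feeds them from a geolocation/proxy-intelligence provider and the merchant's own dispute history, and tunes the weights against its order mix.

```python
"""Added example (not from the original deck): a scored, layered CNP fraud
screen over constructed sample orders."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-ins for a geolocation feed and a known-proxy range list
# (documentation address ranges, so nothing here is a real customer).
IP_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}
KNOWN_PROXY_RANGES = [ipaddress.ip_network("198.51.100.128/25")]
NEGATIVE_LIST_EMAILS = {"chargeback.repeat@example.net"}   # prior confirmed fraud
POSITIVE_LIST_EMAILS = {"loyal.customer@example.com"}      # long clean history


@dataclass(frozen=True)
class Order:
    order_id: str
    ts: datetime
    email: str
    card_ref: str          # token or hash of the card; never the PAN itself
    amount: float
    ip: str
    billing_country: str
    avs_match: bool
    cvv_match: bool


class FraudScreen:
    VELOCITY_WINDOW = timedelta(hours=1)
    MAX_ORDERS_PER_CARD = 3    # more than this per window looks like card testing
    REVIEW_AT = 40
    DECLINE_AT = 70

    def __init__(self):
        self._seen = defaultdict(list)   # card_ref -> timestamps of earlier orders

    @staticmethod
    def _ip_country(ip):
        addr = ipaddress.ip_address(ip)
        return next((cc for net, cc in IP_COUNTRY.items() if addr in net), None)

    @staticmethod
    def _is_proxy(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in KNOWN_PROXY_RANGES)

    def score(self, order):
        """Return (points, reasons); every rule contributes, none decides alone."""
        recent = [t for t in self._seen[order.card_ref]
                  if order.ts - t <= self.VELOCITY_WINDOW]
        ip_cc = self._ip_country(order.ip)
        checks = [
            (order.email in NEGATIVE_LIST_EMAILS, 100, "negative list"),
            (not order.avs_match, 15, "AVS mismatch"),
            (not order.cvv_match, 25, "CVV mismatch"),
            (len(recent) + 1 > self.MAX_ORDERS_PER_CARD, 45,
             f"velocity: {len(recent) + 1} orders on card in window"),
            (self._is_proxy(order.ip), 20, "anonymising proxy"),
            (ip_cc is not None and ip_cc != order.billing_country, 20,
             f"IP country {ip_cc} differs from billing {order.billing_country}"),
            (order.amount > 500, 10, "high amount"),
            (order.email in POSITIVE_LIST_EMAILS, -20, "positive list"),  # never a bypass
        ]
        points = sum(weight for fired, weight, _ in checks if fired)
        reasons = [why for fired, _, why in checks if fired]
        return max(points, 0), reasons

    def decide(self, order):
        points, reasons = self.score(order)
        self._seen[order.card_ref].append(order.ts)   # counted even when declined
        if points >= self.DECLINE_AT:
            return "decline", points, reasons
        if points >= self.REVIEW_AT:
            return "review", points, reasons
        return "approve", points, reasons


def run_sample():
    """Screen a constructed batch and return {order_id: decision}."""
    t0 = datetime(2015, 5, 1, 12, 0)
    orders = [
        Order("A1", t0, "loyal.customer@example.com", "tok-111", 80.0,
              "203.0.113.10", "US", True, True),
        Order("B1", t0, "new.buyer@example.org", "tok-222", 640.0,
              "198.51.100.200", "US", True, False),
        Order("N1", t0, "chargeback.repeat@example.net", "tok-444", 20.0,
              "203.0.113.5", "US", True, True),
    ] + [
        Order(f"C{i}", t0 + timedelta(minutes=5 * i), "gift.shopper@example.org",
              "tok-333", 45.0, "203.0.113.77", "US", True, True)
        for i in range(1, 5)
    ]
    screen = FraudScreen()
    return {o.order_id: screen.decide(o)[0] for o in orders}


if __name__ == "__main__":
    for order_id, decision in run_sample().items():
        print(order_id, decision)
```

Order B1 is declined on the combination of a CVV mismatch, a proxy address in a country other than the billing country and a high amount, none of which would have justified a decline alone; the fourth order on card tok-333 within an hour goes to review on velocity even though every other signal is clean.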

FRAUD PREVENTION
Key takeaways
- PCI: basic security measures, but not all that is needed
- Data protection: any time card data is exposed, in transit or at rest, it is at risk; layered protection is the only answer
- Fraud management: different from data protection; more risk in the CNP space than card present; use geolocation, proxy piercing and device fingerprinting

Speaker contact information
Matthew Leman, Public Sector Market Manager, Chase Paymentech
O: 630.689.1632
Matt.Leman@chasepaymentech.com
