Post on 21-May-2020
2010 Scotiabank Commercial Card Conference
Credit Card Fraud Trends
Gord Jamieson, Visa Canada
GLOBAL TRANSACTION BANKING, 2010 Scotiabank Commercial Card Conference
Agenda
• Global Fraud Trends
• Canadian Fraud Landscape
• Data Compromises
• Chip & PIN
• Responding to the Challenge
• Summary
Global Fraud Trends
Industry Risk Overview Data Security and Fraud Environment
[Figure: Global Fraud Rate. Gross fraud rate by fraud type (Lost/Stolen, Counterfeit, CNP, All Others), 2000 to 2008; vertical axis 0.00% to 0.09%.]
[Figure: Public Data Loss Statistics Tracked by Datalossdb, All Data Loss Events. Records Affected (Credit Card Users) and Incidents (Card Breach Events), 2001 to 2009; axes: Number of Records, Number of Breach Events.]
Industry Risk Overview Historic Fraud Trends - Global
To combat the threat, Visa has led the development of innovative:
• Risk solutions
• Standards and oversight
• Education and partnership
[Figure: Global Fraud to Sales Rate, 1992 to 2009, annotated with: Terminal Placement and CVV; First Fraud Detection System; EMVCo; CAMS II; Advanced Authorization; PED; PCI SSC; VbV; CVV2; First Commercial; Chip Security; AIS-CISP; PABP; CAMS; CAP; DSS; CAP II; PA-DSS; Account Data Compromises.]
Source: Visa Inc. - Reported fraud to Sales Volume. 2009 through September.
Industry Risk Overview PCI DSS Compliance Update
• Visa’s PCI DSS compliance requirements
• VisaNet processors
• Third party agents
• Large merchants
• Compliance Acceleration Program (CAP)
• Combination of payments and fines
• Achieved:
- PCI DSS compliance validation among the largest merchants has reached 96% in the U.S. and 79% worldwide
- 96% of Level 1 and 2 merchants worldwide have confirmed that they do not store prohibited data*
• Small merchant security compliance program
PCI DSS - A key pillar in Visa’s compromise prevention strategy
* Data as of 12/31/09
Industry Risk Overview Data Security and Fraud Environment
Number of compromise incidents involving cardholder information leveling off in the U.S., but growing around the world
Criminals targeting full track data, Card Verification Value 2 (CVV2) and PINs
Leading to increases in counterfeit and card-not-present (CNP) fraud
Increasing financial impact to all stakeholders in the payment system
Increased industry, regulatory and legislative focus
Consumer confidence adversely impacted
Fraud rates remain at historic lows; however, data security threats pose continuing challenges
Industry Risk Overview Industry Fraud Trends
• Major compromises dominating the fraud landscape
• Criminals move quickly / can access 1000’s of accounts simultaneously
• Cross-border fraud continues to rise disproportionate to sales
• Fraud perpetrated over the Internet across multiple accounts and issuers
As a result:
• Real-time fraud mitigation tools are becoming increasingly critical
• Growing need for new sources of risk predictive data
Canadian Fraud Landscape
Credit Card Fraud in Canada Losses (CDN $ Millions) 1999-2008 By Calendar Year
[Figure: chart of losses in CDN $ millions ($0 to $250), 1999 to 2008, by fraud type: Counterfeit, CNP, Lost & Stolen, Non Receipt, Fraud Apps, Miscellaneous.]
Source: Canadian Bankers Association - Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada)
2008 Data may not be complete.
Total fraud on Canadian Cards (2005-2009)
Figures in grey show percentage change over previous year’s total
[Figure: chart by 12-month period, Jun-05 through Jun-09.]
Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada). Data for 12-month periods ending 30 June.
Total fraud on Canadian Cards (2000 vs 2009)
Card fraud losses split by type (as percentage of total losses)
[Figure: two charts, 2000 and 2009.]
Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada). Data for 12-month periods ending 30 June.
Counterfeit fraud on Canadian Cards (2005-2009)
Figures in grey show percentage change over previous year’s total
Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada). Data for 12-month periods ending 30 June.
Card-not-present fraud on Canadian Cards (2005-2009)
Figures in grey show percentage change over previous year’s total
Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada). Data for 12-month periods ending 30 June.
Lost/stolen fraud on Canadian Cards (2005-2009)
Figures in grey show percentage change over previous year’s total
Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada). Data for 12-month periods ending 30 June.
Non-receipt fraud on Canadian Cards (2005-2009)
Figures in grey show percentage change over previous year’s total
Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada). Data for 12-month periods ending 30 June.
Fraud Applications on Canadian Cards (2005-2009)
Figures in grey show percentage change over previous year’s total
Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada). Data for 12-month periods ending 30 June.
Miscellaneous fraud on Canadian Cards (2005-2009)
Figures in grey show percentage change over previous year’s total
Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada). Data for 12-month periods ending 30 June.
Canadian Debit Card Fraud Losses in Millions 2004-2009
Source – Interac Association http://www.interac.ca/media/stats.php
Credit and debit fraud losses in Canada in 2009 exceeded $500 million.
Data Compromises
Fraud Trends Over the Decades
Why the increase in fraudulent activity?
Insufficient penalties in Canada – little or no deterrent.
Globalization of Transnational Organized Crime groups.
- Very mobile and organized
- No International boundaries
- Criminals responding to fraud mitigation tactics by developing ways to “beat the system”
- Underground market for distribution
- Operate on carder forums and IRC channels for the exchange of credit card data, data compromise tools and software
Why the increase in fraudulent activity?
Source: Nexussec
Why the increase in fraudulent activity?
Advances in applied technology
- Processing power of computers today
- Commercially available equipment
- Attacks on payment infrastructure - Internet
Why the increase in fraudulent activity?
Sophisticated and educated criminals
- Skimming
- Wiretapping
- ATM and POS Tampering
- Evolution of phishing and pharming
- Data compromise incidents
[Images: Skimming; Data compromises: Compromise of data in transit; POS Tampering; ATM Tampering.]
Source: TD Canada Trust
Data Compromise Events in the News
Source: Computerworld Jan 2009
Source: Network World March 2008
Source: InternetNews.com Dec 2008
Global System Compromises by Channel
2007: Brick and Mortar Total: 121; eCommerce Total: 101; Unknown*: 48
2008: Brick and Mortar Total: 179; eCommerce Total: 194
2009: Brick & Mortar Total: 197; eCommerce Total: 300
2010: Brick & Mortar: 14; eCommerce: 20
[Figure: monthly count of compromises, Jan-07 through Jan-10, by channel: Brick & Mortar, Unknown*, eCommerce; vertical axis 0 to 60.]
Global system compromises are 44% brick and mortar and 52% e-commerce merchants
* Unknown entity types reported by VE
Top 5 MCC for Global Compromise Incidents January 2008 through January 2010
Restaurant compromises had been the focus for the last two years, but hotels targeted globally in 2009 - 2010
[Figure: percentages by MCC (Clothing Retailers, Direct Marketing, Sporting Goods, Restaurants, Lodging/Hotels) for 2008, 2009 and 2010.]
Total Number of Compromise Incidents for Top 5 MCCs = 437
Total Number of Compromised Accounts for Top 5 MCCs = 10.6M
Compromise Trends
As PCI DSS compliance rates rise, new compromise trends emerge
Compliance Milestone → Compromise Trend
• PCI DSS compliance is adopted by acquiring participants in the U.S. → Issuers and processors increasingly targeted; non-U.S. compromises increasing rapidly
• Merchants and service providers reduce historical storage of cardholder data → Data criminals seek capture of cardholder data in transit through sniffer attacks
• PCI DSS compliance improves among large merchants → Compromises of small and medium size merchants increase
• E-commerce and payment channel websites better secured → SQL injection attacks on non-payment sites to gain access to payment environment
Divergence in Data Security Focus
[Figure: “ROW Focus” versus “US Focus”. Labels: Harder to Steal; Harder to Use; Static Data; Dynamic Data; Data Elimination; Data Protection; Authentication; VisaNet Security Solutions.]
Global Chip Card Deployment: Visa Inc – 252.7 M cards; Visa Europe – 205.1 M cards
US PCI DSS Compliance, Level 1 Merchants and Level 2 Merchants: 95%, 97%
Chip & PIN
483.2 million (1) Contact cards issued in 113 countries
North America: 12.5m contact cards
LAC: 98.5m contact cards
CEMEA: 16.9m contact cards
AP: 142.6m contact cards
VE (2): 212.8m contact cards
Visa Inc. – 270.4m Contact chip cards issued
Visa Europe – 212.8m Contact chip cards issued
1 As of SEP, 2009. As reported by member financial institutions globally and therefore may be subject to change.
2 Visa Europe is the exclusive licensee of Visa Inc. in the territory covered by the European Union
Visa Chip Cards Global acceptance status – Q3 2009
Percentage of international card-present transactions that originate from chip terminals during 3rd Quarter 2009 (Jul – Sep)
CANADA: POS 33.7%, ATM 64.5%
USA: POS 2.9%, ATM < 0.01%
LAC: POS 21.2%, ATM 0.07%
CEMEA: POS 65.2%, ATM 59.8%
AP: POS 50.4%, ATM 3.6%
Visa Europe (1): POS 69.4%, ATM 91.2%
Visa Inc.: POS 26.1%, ATM 23.8%
Visa World-Wide: POS 49.8%, ATM 58.7%
As of SEP, 2009. Source VisaNet clearing & settlement counts.
1 Visa Europe is the exclusive licensee of Visa Inc. in the territory covered by the European Union
Chip and PIN Fraud Experience in the UK – Positive Impacts
Between 2004 and 2007, domestic face-to-face fraud on UK-issued plastic cards declined by 67% from £218.8m in 2004 to £73.0m in 2007.
Lost, Stolen, and mail non-receipt fraud losses on UK-issued cards are now at their lowest levels in 10 years.
Domestic cash machine fraud on UK-issued cards decreased by 44% in 2007
Domestic levels of counterfeit fraud on UK-issued cards decreased by 32% in 2007.
Source: APACS (Administration) Ltd April 2008. Fraud the Facts 2008. www.apacs.org.uk
Chip and PIN Fraud Experience in the UK – Fraud Migration Overseas
Driven fraudsters overseas to commit fraud in countries where chip and PIN is not yet in place
Cross border fraud now accounts for over one third (39%) of total card fraud losses on UK-issued cards
It is expected that fraud will continue to shift toward countries where no plans are in place to implement Chip
Source: APACS (Administration) Ltd April 2008. Fraud the Facts 2008. www.apacs.org.uk
Chip and PIN Fraud Experience in the UK – Fraud Migration to CNP
UK-issuer fraud in the Card Not Present environment continues to increase year-on-year, rising 37% in 2007 to over £290 million
Card Not Present fraud is now the largest type of card fraud in the UK
CNP fraud should be seen in context of vast increase in online sales volume and activity.
Source: APACS (Administration) Ltd April 2008. Fraud the Facts 2008. www.apacs.org.uk
Chip Migration - Canada
Chip migration in Canada began in the fall of 2008 and will continue for the next 3 to 4 years.
Canadian Issuers are reissuing Chip cards as their current card base expires.
As of the end of February 2010 – 54% of Canadian issued cards were Chip and approx 43% of our POS terminals in Canada have been converted to Chip enabled devices*.
Visa Canada will introduce a Liability Shift as of the 1st October 2010.
Counterfeit and Lost/Stolen represent 60% of our fraud losses today**.
*Source: Visa Canada Issuers and Acquirers
Impact of Chip and PIN
Fraud migration
- Shift to other forms of fraud:
  - Card not present, fraud application, non-receipt
  - ABM Cash Fraud
- Shift to non-chip regions/countries
New methods of payment
- Rapid introduction of new payment types
New methods of attack
- Criminals making their next move in response to introduction of fraud mitigation tools
Migration of domestic skimming incidents
- Mag stripe still exists and still at risk to skimming
- Forced to exploit cards internationally
- Narrows focus of monitoring/detection
Impact of Chip & PIN
Card Not Present
Expect to see a migration of fraud to the CNP channel as Canada becomes a mature Chip region. The growth in CNP fraud can be addressed with:
- Increase and extend the usage of existing risk tools such as CVV2, AVS and VbV.
- Invest in new solutions
  - Replace static authentication data with dynamic data
  - Alerts and notifications to cardholders
  - Two factor authentication
- Issuer monitoring programs
Impact of Chip & PIN
Chip & PIN is a data devaluation strategy
- Use of iCVV (for Chip) and CVV (for mag stripe)
- Captured Chip data cannot be used to create a counterfeit Chip card because of the Issuer cryptographic keys
- Captured magnetic stripe data (from a Chip card) cannot be used at a Chip-enabled POS Terminal.
- Offline PIN at the POS ensures that PIN is not transmitted with the Chip data during authorization request.
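The data devaluation points on this slide can be pictured as issuer-side authorization checks. The sketch below is an added example, not Visa's or any issuer's code: the field names, the demo key, the decline policy and the HMAC-based stand-in for the real DES-based CVV calculation are assumptions. It relies on the convention that iCVV is derived with service code 999, so chip data and stripe data of the same card carry different check values.

```python
import hashlib
import hmac

# Assumption: demo key standing in for the issuer's card verification key.
ISSUER_KEY = b"constructed-demo-key"
ICVV_SERVICE_CODE = "999"              # iCVV uses 999 in place of the card's service code
ENTRY_CHIP, ENTRY_STRIPE = "05", "90"  # ISO 8583 POS entry modes: chip read, stripe read

# Constructed sample card; service code 201 marks a chip card.
CARD = {"pan": "4111111111111111", "expiry": "1212", "service_code": "201"}


def check_value(pan: str, expiry: str, service_code: str) -> str:
    """Toy 3-digit check value (a stand-in, NOT the real DES-based CVV algorithm).

    Adding the service code modulo 1000 guarantees that, in this sketch, the
    stripe value and the chip value of one card are never equal.
    """
    mac = hmac.new(ISSUER_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256).digest()
    return f"{(int.from_bytes(mac[:4], 'big') + int(service_code)) % 1000:03d}"


def request(entry_mode: str, cvv: str, terminal_chip_capable: bool = True) -> dict:
    """Build a constructed authorization request for the sample card."""
    return {**CARD, "entry_mode": entry_mode, "cvv": cvv,
            "terminal_chip_capable": terminal_chip_capable}


def authorize(txn: dict) -> tuple[str, str]:
    """Return (decision, reason) for one authorization request."""
    pan, expiry, svc = txn["pan"], txn["expiry"], txn["service_code"]
    cvv = check_value(pan, expiry, svc)                 # encoded on the magnetic stripe
    icvv = check_value(pan, expiry, ICVV_SERVICE_CODE)  # carried in the chip's track data
    chip_card = svc[0] in "26"                          # service codes 2xx/6xx: chip card

    if txn["entry_mode"] == ENTRY_CHIP:
        if txn["cvv"] == icvv:
            return "approve", "chip read with iCVV"
        if txn["cvv"] == cvv:
            return "decline", "stripe CVV presented in a chip transaction"
        return "decline", "check value invalid"

    if txn["entry_mode"] == ENTRY_STRIPE:
        if txn["cvv"] == icvv:
            # Data captured from the chip interface was written to a stripe.
            return "decline", "chip data re-encoded onto a magnetic stripe"
        if txn["cvv"] != cvv:
            return "decline", "check value invalid"
        if chip_card and txn["terminal_chip_capable"]:
            return "decline", "chip card swiped at a chip-enabled terminal"
        return "approve", "stripe read with CVV"

    return "decline", "entry mode not handled in this sketch"
```

Fallback transactions and the chip cryptogram itself are left out; the sketch covers only the check-value and entry-mode comparisons named on the slide.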
Responding to the Challenge
Responding to the Challenges Multi-Layered Approach
- Use of Visa Risk Tools (VbV, CVV2, AVS)
- Fraud Detection Rules: Industry & “Customer-specific” Tools & Rules
- Neural Network Risk Scoring Systems: Advanced artificially intelligent models to detect behavior and patterns
- Databases and Negative Files: Card Industry and customer-specific databases
- Pattern Detection Engines: Engines (rule sets) that detect very specific fraud patterns
- Professional Expertise: Manual Review, utilization of customer-specific intuitive knowledge
Responding to the Challenges
Reduce Risk Exposure with the Right Intelligence
• Identify probability of fraud using risk scores
• Authorize/decline in real-time with data-driven decisioning
• Dynamically adjust authorization rules
[Diagram labels: Authorization Request; VisaNet Authorization Message Stream; In-Flight Scoring Engine; Approve/Decline.]
• Visa Global Profiles
• Global Transaction & Fraud Data
• Compromised Accounts
• Risk Condition Codes
• Neural Networks
• Statistical Models
• Issuer Authorization Strategies
• Visa Risk Manager
  – Real Time Decisioning
  – Case Manager
  – CAMS
Responding to the Challenges Risk Intelligence – Risk Decisioning
Visa Advanced Authorization
• Risk Score: indicates the degree of fraud risk for a given transaction
• Compromised Account Risk Condition Code: provides descriptive information about high-risk compromise events
• Compromise Event Reference (CER) ID: provides the association between an account and its specific compromise event
Visa Risk Manager
• Real Time Decisioning: based on your pre-defined criteria, Visa declines high-risk transactions on your behalf
• Case Manager: w- work queues to manage suspicious purchase activity
• Compromised Account Management System (CAMS): notifies you when your accounts are at risk due to a compromise
[Diagram labels: Advanced Authorization; Real Time Decisioning; Fraud Reporting; Visa Risk Manager (Case Manager, Rules Manager, Real-Time Decisioning, Compromised Account Management System).]
Strategic Response: Aligned Approach
We must align global security initiatives to respond to the evolving threat, make the system more intrinsically secure, and take stakeholders “out of harm’s way”
[Diagram labels: Protection; Devaluation; Elimination; Tokenization; Encryption; Data Security Standards; EMV Chip; 3D-Secure; VisaNet Security Solutions; Core; Short Term; Long Term.]
Grow the size and our slice of the global payments pie by advancing stakeholder trust
Maintain effective security where vulnerable data must remain in the system
Deploy VisaNet Security Solutions that offer value-added benefits
Eliminate vulnerable data from the system where possible
• Eliminate need to store vulnerable data
• Promote encryption for data in transit
• Adopt tokenization to remove need for data
Migrate to dynamic authentication across all markets and channels
• EMV chip for the physical point of sale
• 3D Secure platform for e-commerce
Summary
Fraud seeks the path of least resistance and criminal organizations will react quickly to innovations or fraud prevention solutions.
Underutilization of existing tools and an inconsistent business framework for their deployment will prevent us from achieving optimal performance from our fraud tools.
As Canada migrates to Chip we expect to see a fraud migration to other fraud types and regions.
Visa as a Global organization must remain one step ahead of the criminal organizations in the technology race.
Questions
Gord Jamieson
Head of Payment System Risk
Visa Canada
gjamieso@visa.com