Credit Card Fraud Trends

2010 Scotiabank Commercial Card Conference

Credit Card Fraud Trends

Gord JamiesonVisa Canada

G L O B A L T R A N S A C T I O N B A N K I N G2010 Scotiabank Commercial Card Conference

Agenda

• Global Fraud Trends • Canadian Fraud Landscape• Data Compromises• Chip & PIN• Responding to the Challenge• Summary


Global Fraud Trends


Industry Risk Overview Data Security and Fraud Environment

Public Data Loss Statistics Tracked by Datalossdb

All Data Loss Events

Lost/StolenCounterfeit

All OthersCNP

Gross Fraud Rate

‘00 ‘01 ‘02 ‘03 ‘04 ‘05 ‘06 ‘07 ‘08

0.09%

0.08%

0.07%

0.06%

0.05%

0.04%

0.03%

0.02%

0.01%

0.00%

Global Fraud Rate

4

RecordsAffected Credit Card Users

Incidents Card Breach Events

Number of Records

Number of Breach Events

0

100

200

300

400

500

600

700

800

0

50,000,000

100,000,000

150,000,000

200,000,000

250,000,000

2001 2002 2003 2004 2005 2006 2007 2008 2009


1992

1993

1994

1995

1996

1997

1998

1999

2000

2001

2002

2003

2004

2005

2006

2007

2008

2009

To combat the threat, Visa has led the development of innovative:

• Risk solutions• Standards and oversight• Education and partnership

Terminal Placement and CVV

First Fraud Detection System

EMV Co

CAMS II

Advanced Authorization

PEDPCI SSCVbV

CVV2

First Commercial

Chip Security

AIS-CISP

PABP

CAMS

CAP

DSS

CAP II

PADSS

Industry Risk Overview Historic Fraud Trends - Global

5

Glo

bal F

raud

to S

ales

Rat

e

Source: Visa Inc. - Reported fraud to Sales Volume2009 through September

Account Data Compromises

*

G L O B A L T R A N S A C T I O N B A N K I N G2010 Scotiabank Commercial Card Conference6

Industry Risk Overview PCI DSS Compliance Update

• Visa’s PCI DSS compliance requirements

• VisaNet processors

• Third party agents

• Large merchants

• Compliance Acceleration Program (CAP)

• Combination of payments and fines

• Achieved:

- PCI DSS compliance validation among the largest merchants has reached 96% in the U.S. and 79% worldwide

- 96% of Level 1 and 2 merchants worldwide have confirmed that they do not store prohibited data*

• Small merchant security compliance program

PCI DSS - A key pillar in Visa’s compromise prevention strategy

* Data as of 12/31/09


Industry Risk Overview Data Security and Fraud Environment

Number of compromise incidents involving cardholder information leveling off in the U.S., but growing around the world

Criminals targeting full track data, Card Verification Value 2 (CVV2) and PINs

Leading to increases in counterfeit and card-not-present (CNP) fraud

Increasing financial impact to all stakeholders in the payment system

Increased industry, regulatory and legislative focus

Consumer confidence adversely impacted

7

Fraud rates remain at historic lows, however data security threats pose continuing challenges

CNPCounterfeit

Lost/Stolen

All Others


•Major compromises dominating the fraud landscape

•Criminals move quickly / can access 1000’s of accounts simultaneously

•Cross-border fraud continues to rise disproportionate to sales

•Fraud perpetrated over the Internet across multiple accounts and issuers

As a result:•Real-time fraud mitigation tools are becoming increasingly critical•Growing need for new sources of risk predictive data

Industry Risk Overview Industry Fraud Trends


Canadian Fraud Landscape


Credit Card Fraud in Canada Losses (CDN $ Millions) 1999-2008 By Calendar Year

$0

$50

$100

$150

$200

$250

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008

$CD

N M

illio

ns

Counterfeit CNP Lost & Stolen Non Receipt Fraud Apps Miscellaneous

Source:

Canadian Bankers Association - Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express Canada)

2008 Data may not be complete.


Total fraud on Canadian Cards (2005-2009) Figures in grey show percentage change over previous year’s total

Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard

Canada; American Express Canada). Data for 12‐month periods ending 30 June.

Jun-05 Jun-09Jun-08Jun-07Jun-06


Total fraud on Canadian Cards (2000 vs 2009) Card fraud losses split by type (as percentage of total losses)



2000 2009


Counterfeit fraud on Canadian Cards (2005-2009) Figures in grey show percentage change over previous year’s total




Card-not-present fraud on Canadian Cards (2005-2009) Figures in grey show percentage change over previous year’s total




Lost/stolen fraud on Canadian Cards (2005-2009) Figures in grey show percentage change over previous year’s total




Non-receipt fraud on Canadian Cards (2005-2009) Figures in grey show percentage change over previous year’s total




Fraud Applications on Canadian Cards (2005-2009) Figures in grey show percentage change over previous year’s total

Canadian Bankers Association (2009). Payment Card Partners Working Group (VISA Canada; MasterCard Canada; American Express

Canada). Data for 12‐month periods ending 30 June.


Miscellaneous fraud on Canadian Cards (2005-2009) Figures in grey show percentage change over previous year’s total




Canadian Debit Card Fraud Losses in Millions 2004-2009

Source – Interac Association http://www.interac.ca/media/stats.php

Credit and debit fraud losses in Canada in 2009 exceeded $500 million dollars.


Data Compromises


Fraud Trends Over the Decades


Why the increase in fraudulent activity?

Insufficient penalties in Canada – little or no deterrent.

Globalization of Transnational Organized Crime groups.

- Very mobile and organized- No International boundaries- Criminals responding to fraud mitigation

tactics by developing ways to “beat the system”

- Underground market for distribution - Operate on carder forums and IRC channels

for the exchange of credit card data, data compromise tools and software



Source: Nexussec



Advances in applied technology- Processing power of computers today- Commercially available equipment- Attacks on payment infrastructure -

Internet

http://www.smarter.com/stats/scripts/redir.php?bt=0&ch=2&oi=310206386&mc=10&dp=1&bp=1&pr=0&rr=0&ca=99&sb=

http://www.devside.net/blog/wp-content/uploads/2007/09/walmart_linux_laptop_425px.jpg

http://images.google.ca/imgres?imgurl=http://www.migrantcard.co.za/images/products/E-300%2520CardEmbosser(Manual).jpg&imgrefurl=http://www.migrantcard.co.za/prod.asp%3Fcat%3D7&usg=__iYIGfvS_zoltLMDag7d8vB0K5-A=&h=600&w=600&sz=64&hl=en&start=1&um=1&tbnid=5ZpZ_U1yOvvK7M:&tbnh=135&tbnw=135&prev=/images%3Fq%3Dcard%2Bembosser%26hl%3Den%26sa%3DG%26um%3D1



Sophisticated and educated criminals- Skimming- Wiretapping- ATM and POS Tampering- Evolution of phishing and pharming- Data compromise incidents

Skimming Data compromises: Compromise of data in

transit

POS Tampering

Source: TD Canada Trust

ATM Tampering

http://consumerist.com/assets/resources/2007/11/skimmerdevice.jpg


Data Compromise Events in the News

Source: Computerworld Jan 2009

Source: Network World March 2008

Source: IntenetNews.com Dec 2008


Global System Compromises by Channel

2007Brick and Mortar Total: 121 eCommerce Total: 101Unknown*: 48

2008Brick and Mortar Total: 179eCommerce Total: 194

14 12 117 6 3

158 11 12 11

7

21 17 1410

18 19 19 1813

815

23 20

8

26

11

2116

22

715 15 13 14

1 2 32

4

39

11 94

8

55

9

106

1311

13

7

10 21

15

14

3026

17

9 20

20

1818

24

18

18

2731

37

20

47

24

1820

11

51065

0

10

20

30

40

50

60

Jan-07

Mar-07

May-07

Jul-0

7Sep

-07Nov

-07Ja

n-08

Mar-08

May-08

Jul-0

8Sep

-08Nov

-08Ja

n-09

Mar-09

May-09

Jul-0

9Sep

-09Nov

-09Ja

n-10

Brick & Mortar Unknown* eCommerce

2009Brick & Mortar Total: 197eCommerce Total: 300

Global system compromises are 44% brick and mortar and 52% e- commerce merchants

*Unknown entity types reported by VE

2010Brick & Mortar : 14

eCommerce : 20


5%

24%

5%

20%

9%

5%6%3%

6%

14% 15%

21%

3% 3%0%

Clothing Retailers Direct Marketing Sporting Goods Restaurants Lodging/ Hotels

2008 2009 2010

Restaurant compromises had been the focus for the last two years, but hotels targeted globally in 2009 - 2010

Top 5 MCC for Global Compromise Incidents January 2008 through January 2010

Total Number of Compromise Incidents for Top 5 MCCs = 437Total Number of Compromised Accounts for Top 5 MCCs = 10.6M


As PCI DSS compliance rates rise, new compromise trends emerge

Compromise Trends

Compliance Milestone Compromise Trend

• PCI DSS compliance is adopted by acquiring participants in the U.S.

• Merchants and service providers reduce historical storage of cardholder data

• PCI DSS compliance improves among large merchants

• E-commerce and payment channel websites better secured

• Issuers and processors increasingly targeted; non-U.S. compromises increasing rapidly

• Data criminals seek capture of cardholder data in transit through sniffer attacks

• Compromises of small and medium size merchants increase

• SQL injection attacks on non- payment sites to gain access to payment environment


Divergence in Data Security Focus

ROW FocusUS Focus

Harder to Steal

VisaNet Security Solutions

Data Elimination

Data Protection

Authentication

Stat

ic D

ata

Harder to Use

Data Elimination

Data Protection

Authentication

Dyn

amic

Dat

a

VisaNet Security Solutions

. .............

.

.. ... ... .....

.

Global Chip Card Deployment

Visa Inc – 252.7 M cards Visa Europe – 205.1 M cards

Level 1 Merchants

Level 2 Merchants

US PCI DSS Compliance

95%97%


Chip & PIN


. .........

....

.

..

.. .

.. .

.

....

.

483.2 million1 Contact cards issued in 113 countries

LAC 98.5m contact cards

CEMEA 16.9m contact cards

AP 142.6m contact cards

VE2

212.8m contact cards

1 As of SEP, 2009. As reported by member financial institutions globally and therefore may be subject to change.2 Visa Europe is the exclusive licensee of Visa Inc. in the territory covered by the European Union

Visa Inc. – 270.4m Contact chip cards issued

Visa Europe – 212.8m Contact chip cards issued

North America12.5m contact cards


. .........

....

.

..

.. .

.. .

.

....

.

Percentage of international card-present transactions that originate from chip terminals during 3rd Quarter 2009 (Jul – Sep)

LAC POS 21.2%

ATM 0.07%

CEMEA POS 65.2%

ATM 59.8%

AP POS 50.4%

ATM 3.6%

Visa Europe 1

POS 69.4%

ATM 91.2 %

As of SEP, 2009. Source VisaNet clearing & settlement counts.1 Visa Europe is the exclusive licensee of Visa Inc. in the territory covered by the European Union

Visa Inc. – POS 26.1% ATM 23.8%

Visa World-Wide – POS 49.8% ATM 58.7%

Visa Chip Cards Global acceptance status – Q3 2009

CANADAPOS 33.7%

ATM 64.5%

USAPOS 2.9%

ATM < 0.01%


Chip and PIN Fraud Experience in the UK – Positive Impacts

Between 2004 and 2007, domestic face-to-face fraud on UK-issued plastic cards declined by 67% from £218.8m in 2004 to £73.0m in 2007.

Lost, Stolen, and mail non-receipt fraud losses on UK-issued cards are now at their lowest levels in 10 years.

Domestic cash machine fraud on UK-issued cards decreased by 44% in 2007

Domestic levels of counterfeit fraud on UK-issued cards decreased by 32% in 2007.

Source: APACS (Administration) Ltd April 2008. Fraud the Facts 2008. www.apacs.org.uk


Chip and PIN Fraud Experience in the UK – Fraud Migration Overseas

Driven fraudsters overseas to commit fraud in countries where chip and PIN is not yet in place

Cross border fraud now accounts for over one third (39%) of total card fraud losses on UK-issued cards

It is expected that fraud will continue to shift toward countries where no plans are in place to implement Chip



Chip and PIN Fraud Experience in the UK – Fraud Migration to CNP

UK-issuer fraud in the Card Not Present environment continues to increase year-on-year, rising 37% in 2007 to over £290 million

Card Not Present fraud is now the largest type of card fraud in the UK

CNP fraud should be seen in context of vast increase in online sales volume and activity.



Chip Migration - Canada

Chip migration in Canada began in the fall of 2008 and will continue for the next 3 to 4 years.

Canadian Issuers are reissuing Chip cards as their current card base expire.

As of the end of February 2010 – 54% of Canadian issued cards were Chip and approx 43% of our POS terminals in Canada have been converted to Chip enabled devices*.

Visa Canada will introduce a Liability Shift as of the 1st October 2010.

Counterfeit and Lost/Stolen represent 60% of our fraud losses today**. *Source: Visa Canada Issuers and Acquirers


Impact of Chip and PIN

Fraud migrationShift to other forms of fraud:

Card not present, fraud application, non-receiptABM Cash Fraud

Shift to non-chip regions/countriesNew methods of payment

Rapid introduction of new payment typesNew methods of attack

Criminals making their next move in response to introduction of fraud mitigation tools

Migration of domestic skimming incidentsMag stripe still exists and still at risk to skimmingForced to exploit cards internationallyNarrows focus of monitoring/detection


Impact of Chip & PIN

Card Not PresentExpect to see a migration of fraud to the CNP channel as Canada becomes a mature Chip region. The growth in CNP fraud can be addressed with:

Increase and extend the usage of existing risk tools such as CVV2, AVS and VbV.Invest in new solutions

- Replace static authentication data with dynamic data

- Alerts and notifications to cardholders- Two factor authentication

Issuer monitoring programs


Impact of Chip & PIN

Chip & PIN is a data devaluation strategyUse of iCVV (for Chip) and CVV (for mag stripe) Captured Chip data cannot be used to create a counterfeit Chip card because of the Issuer cryptographic keysCaptured magnetic stripe data (from a Chip card) cannot be used as a enabled Chip POS Terminal . Offline PIN at the POS ensures that PIN is not transmitted with the Chip data during authorization request.


Responding to the Challenge


Use of Visa Risk Tools

(VbV, CVV2, AVS) Fraud

Detection Rules

Industry & “Customer-specific”

Tools & Rules

Neural Network

Risk Scoring Systems

Databases and

Negative Files

Pattern Detection Engines

Advanced artificially

intelligent models to detect

behavior and patterns

Card Industry and customer-specific

databases

Engines (rule sets) that

detect very specific fraud

patterns

Manual Review, utilization of customer-

specific intuitive knowledge

Professional Expertise

Responding to the ChallengesMulti-Layered Approach


Responding to the Challenges

Reduce Risk Exposure with the Right Intelligence

• Identify probability of fraud using risk scores

• Authorize/decline in real-time with data-driven decisioning

• Dynamically adjust authorization rules

Authorization Request

Approve/ Decline

VisaNet Authorization

Message Stream

In-Flight Scoring Engine

• Visa Global Profiles• Global Transaction & Fraud Data• Compromised Accounts• Risk Condition Codes• Neural Networks• Statistical Models

• Issuer Authorization Strategies

• Visa Risk Manager– Real Time Decisioning– Case Manager– CAMS

Authorization Request


Visa Advanced Authorization• Risk Score: indicates the degree of fraud

risk for a given transaction• Compromised Account Risk Condition

Code: provides descriptive information about high-risk compromise events

• Compromise Event Reference (CER) ID: provides the association between an account and its specific compromise event

Visa Risk Manager• Real Time Decisioning: based on your pre-

defined criteria, Visa declines high-risk transactions on your behalf

• Case Manager: w- work queues to manage suspicious purchase activity

• Compromised Account Management System (CAMS): notifies you when your accounts are at risk due to a compromise

Real Time Decisioning

Advanced Authorization

Responding to the Challenges Risk Intelligence – Risk Decisioning

Fraud Reporting

Visa Risk Manager• Case Manager• Rules Manager• Real-Time Decisioning• Compromised Account

Management System


Strategic Response: Aligned Approach

We must align global security initiatives to respond to the evolving threat, make the system more intrinsically secure, and take stakeholders “out of harm’s way”

DevaluationProtection El

imin

atio

nTo

keni

zatio

n

Encr

yptio

n

Data Security StandardsEMV Chip3D-Secure

VisaNet Security

Solutions

Grow the size and our slice of the global payments pie by

advancing stakeholder trust

Cor

e

Maintain effective security where vulnerable data must remain in the systemDeploy VisaNet Security Solutions that offer value-added benefits

Eliminate vulnerable data from the system where possible

• Eliminate need to store vulnerable data • Promote encryption for data in transit• Adopt tokenization to remove need for

dataSho

rt Te

rmLo

ng T

erm

Migrate to dynamic authentication across all markets and channels

• EMV chip for the physical point of sale• 3D Secure platform for e-commerce


Fraud seeks the path of least resistance and criminal organizations will react quickly to innovations or fraud prevention solutions.

Under utilization of existing tools and inconsistent business framework for their deployment will prevent us from achieving optimal performance from our fraud tools.

As Canada migrates to Chip we expect to see a fraud migration to other fraud types and regions.

Visa as a Global organization must remain one step ahead of the criminal organizations in the technology race.

Summary


Questions

Gord JamiesonHead of Payment System Risk

Visa [email protected]

Credit Card Fraud Trends

Documents

Transcript of Credit Card Fraud Trends