Tackling Card not present Fraud

Post on 27-Jan-2015


Tackling Card Not Present fraud in the mobile business

Rome, 17.04.2012

Stefano M. de’ Rossi

GRUPPO TELECOM ITALIA

Agenda

Telecom Italia facts & figures

Non cash payment & credit card fraud

Credit card fraud: the mobile experience


Company profile

• Employees: 84,154

• Customers: 135,300,000

• Revenues (2011 €): 29,958,000,000

Telecom Italia is the leading Italian company in telecommunications and ICT, one of the most important in Latin America, and among the top 10 global telecommunications operators since 1999.

Telecom Italia Group: …more than simply a phone company

• Telephony

• Web

• Television

• ICT Services

• Office & System solutions


Non cash payment evolution

Overall non-cash payments volumes grew by 5% in 2009 to 260 billion, continuing the growth trend from 2008 of 9%, albeit at a slower pace.

Globally, cards remain the preferred non-cash payment instrument, with global transaction volumes up almost 10% and a market share of more than 40% in most markets.

In the fight against card fraud

• As the use of non-cash payment instruments grows, so does concern about the potential for fraud.

• Global card fraud has increased consistently along with card usage in recent years (World payment report 2011).

The evolution of credit card fraud (Source: Visa Europe)

1980

• Fraudster: Individuals
• Target: Consumers
• Leading fraud types: Lost/stolen, Intercepted
• Type of cards targeted: Travel & Entertainment cards
• Necessary resources: Opportunism

1990

• Fraudster: Teams
• Target: Small retailers
• Leading fraud types: Domestic counterfeiting/skimming
• Type of cards targeted: Premium credit cards
• Necessary resources: Rudimentary knowledge

2000

• Fraudster: Local crime rings
• Target: Larger retailers
• Leading fraud types: Identity theft, Phishing, Rudimentary data compromise
• Type of cards targeted: Mass market credit cards
• Necessary resources: Technical knowhow

Today

• Fraudster: International crime rings
• Target: Banks, Processors
• Leading fraud types: Cross-border data compromise, CNP fraud, ATM fraud
• Type of cards targeted: All types of credit cards, Debit cards, Prepaid cards
• Necessary resources: Audacity, Technical expertise, Insider information, Global connections

Credit Card Fraud – brief history on video

Non cash payment in Italy

While our country is still characterized by low usage of non-cash payments, credit card usage has shown a steady increase in transaction volumes in recent years (both in number and value of transactions).

[Chart: Credit card transaction 2006-2010 (volume). Source: Osservatorio Assofin - CRIF Decision Solutions - GfK Eurisko sulle carte di credito, vol.9, 2011]

Credit card and e-commerce in Italy

Credit cards have become the most used payment method for online transactions.

[Chart: online payment methods: Credit card, PayPal, Cash on delivery, Bank transfer, Other. Source: Casaleggio Associati, 2011]

Credit card fraud analysis in 2009 / 2010

As in the rest of the world, what can be seen in Italy over the last 2 years is a very close trend between the total number of credit card transactions and the number of fraudulent operations detected.

[Chart: # fraudulent operations (2009-1=100). Source: Rapporto statistico sulle frodi con le carte di credito 1/2011 - UCAMP]


Card not present fraud: our experience


2011 CFCA Global Fraud Loss Survey

In tandem with the growth in the use of credit cards, fraud has become a significant problem for GSM operators.

• Compromised PBX/Voicemail systems

• Subscription/Identity (ID) Theft

• International Revenue Share Fraud (IRSF)

• GSM-Box & Bypass Fraud

• Credit Card Fraud

Communications Fraud Control Association


Credit Card Fraud: a GSMA perspective

Credit Card Fraud

• Card Present Transactions

• Card Not Present Transactions

Credit Card Fraud: Card present transactions

Card present transactions for services or products are payments and requests made directly by the cardholder at the point of sale.

• Counterfeit card fraud

• Skimming

• Lost and stolen card fraud

• Mail non-receipt card fraud

• Identity theft on cards

Credit Card Fraud: Card Not Present (CNP) transactions

The card is not physically present as it would be in a retail store.

First, card data is stolen in the real world; criminals then use it for purchases.

There’s no face-to-face contact, no tangible card and no physical signature on the sales draft.

Card fraud losses split by type

[Charts: card fraud losses split by type, 2001 and 2011. Source: FRAUD THE FACTS 2012 – FFA UK]

Card-not-present fraud accounts for 64% of all card fraud in 2011.

Card fraud losses split by type in Italy

[Charts: card fraud losses split by type in Italy, 2009 and 2011. Source: Rapporto statistico sulle frodi con le carte di credito 1/2011 - UCAMP]

Figures are definitely different in Italy, where counterfeit accounts for the large majority of card fraud.

Most card details used in CNP Fraud are compromised cards, not stolen.

Global payment breach – short video

CNP Fraud and GSM Operators

Mobile operators offer payment options for a variety of services that are card-not-present transactions:

• Prepay recharge

• Handset purchase

• Payment of invoices

• Access to premium content

What are the losses?

• Loss of the value of the transaction (chargebacks)

• Costs of processing these transactions

• Interconnection costs & Revenue share

• Potential loss of Merchant status

Prevention & Detection measures for CNP transaction

Service Payment

• Pre-registration process

• Restriction

• Unique IMEI association

• Telephone authentication

Product Payment

• Strict delivery procedures

A layered security approach for CNP fraud prevention

CNP channels: Mail Order, Telephone Order, Internet

• Address verification service (AVS)

• Card Verification Value 2 (CVV2)

• Verified by VISA (VbV)

• PCI - DSS

Payment Card Industry – Data Security Standard

• The PCI DSS is intended to help protect Visa cardholder data— wherever it resides—ensuring that customers, merchants, and service providers maintain the highest information security standard.

• It offers a single approach to safeguarding sensitive data for all card brands.

• PCI DSS compliance is required of all entities that store, process, or transmit Visa cardholder data.

PCI-DSS main pillars

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

1. Build and Maintain a Secure Network

2. Protect Cardholder Data

3. Maintain a Vulnerability Management Program

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks

6. Maintain an Information Security Policy

Things to take away

• As the use of non-cash payment instruments grows, so does concern about the potential for fraud.

• The payments industry is pursuing various innovations to tackle fraud and better secure non-cash transactions—and thereby bolster consumer confidence.

• Attention is focused most, however, on e-commerce transactions, especially as electronic thefts increasingly hit the headlines.

• Managing risk against the threat of credit card fraud is certainly not an easy task.

• We remain committed to containing and reducing all areas of fraud and will continue to work with key partners to achieve this end.