Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters [Part 2]

Cognizant SECURE PAYMENTS PAΥΜENTS A**** PART 2 How Card Issuers and Merchants Can Stay Ahead of Fraudsters Fraudsters continue to up their game, probing payment infrastructures for vulnerabilities and attacking organizations on multiple fronts. To better understand the current state of payment security and the efforts undertaken by organizations, we recently surveyed 509 U.S. consumers, 50 issuers and 52 merchants and acquirers. The insights from the survey are presented in this infographic, which is the second in a two-part series. Merchants' and Issuers' Low Confidence in Current Security Measures: A Reason to Worry Merchant Confidence in Current Processes and Solutions Used to Prevent Fraud and Data Breaches 37% 58% 6% Somewhat Not very Very confident confident confident Note: Percentages do not add to 100 due to rounding. Response Base: 52 Source: Cognizant Research Center • Issuers are more confident of card-present than card-not-present (CNP) fraud prevention solutions, but overall confidence remains low. Issuer Confidence in Current Processes and Solutions Used to Prevent Fraud Card Fraud CNP Fraud 42% 20% Very confident 50% 60% Somewhat confident 6% 14% Not very confident 2% 6% Do not know Response Base: 50 Source: Cognizant Research Center • About 60% of issuers do not know whether their organization takes an integrated or siloed approach to fraud prevention. Consumer View of Fraud Varies by Channel • Less than 30% of consumers expressed confidence in merchants. • More than 60% of consumers expressed high to very high confidence in their card issuers. Consumer Opinion on Who Is More Accountable for Fraud 54% 30% 6% 10% Issuers and Merchants Retailers/Merchants Banks Do not know Response Base: 509 Source: Cognizant Research Center • More consumers are concerned about security when shopping on their mobile device than online and in physical stores. Consumer Confidence in Merchants' Ability to Protect Card and Personal Data Across Sales Channels Mobile 26% 40% 34% Website 43% 43% 14% Physical Store 50% 37% 13% Response Base: 509 High Medium Low Source: Cognizant Research Center • Issuers are quicker than merchants to respond to consumers affected by fraud. Banks' and Merchants' Response to Consumers Affected by Fraud 81% 22% Card Issuer (bank) Merchant 00 8% 29% BANK 9% 21% 2% 28% Very quick response Responded slowly - Responded after being contacted Didn't bother to respond Response Base: 199 (includes only those respondents affected by fraud) Source: Cognizant Research Center Understanding Key Areas of Vulnerability in the Transaction Lifecycle Transaction Phase Points of Vulnerability • Pos device: The physical device that captures payment card credentials in a physical store. • CNP channels: Virtual PoS, such as e-commerce websites, m-commerce apps, etc., that capture card credentials. Pre-authorization: Request initiated for transaction authorization. • Mobile devices: Smartphones, tablets and other smart devices used to execute transactions and run apps that store and manage token credentials. Transmission of data that is encrypted using symmetric encryption (which uses the same key to encrypt and decrypt data), as intruders who steal encryption keys can crack the encrypted data. Authorization Processing: Captured payment Transmission of card data sent by merchants in clear form to a TSP for tokenization, as hackers can attempt to steal the clearly readable data. credentials transmitted from the PoS terminal to the issuer host for authorization. De-tokenization of payment tokens while they are sent to the issuer host for authorization, as it reveals a clear PAN, making it susceptible to theft. Card data held by merchants for batch settlement at the end of the day and stored in back-end databases for purposes Post-authorization and Back-office Processing: such as chargebacks, marketing, customer loyalty programs, etc. Such systems are often targeted by thieves to gain access to large amounts of aggregated cardholder data. Cardholder data stored in merchant systems. Source: Cognizant Research Center A Holistic Approach to Addressing Payment Fraud Merchants should adopt a layered security approach to prevent fraud. Securing card-present transactions • PCI DSS to ensure a basic level of security and form the foundation of a layered approach. • EMV to secure payments data that reaches merchants' PoS systems. • Encryption (using point-to-point encryption at PoS) to secure data while it travels between the merchant and processor (data in transit). 10010000 011 00 101 0100 111 110 100001 • Tokenization (with token vault management provided by a sourcing partner) to reduce the burden of managing sensitive data, vastly mitigating the fallout from data breaches (data at rest). Securing CNP transactions • Multi-factor authentication to verify the authenticity of customers using at least two inputs, such as card number, PIN and biometric factors. Password: *** • Device authentication to identify devices that customers normally use for shopping before sending the transaction for authorization. • 3-D Secure, which requires cardholders to enter a static password (stored with the issuer) or a one-time password (generated by the issuer) sent to their mobile phones before paying for purchases. xx x Issuers should centralize fraud risk efforts. Use advanced analytics to detect anomalies early in purchasing behavior and to gain insights from various data sources, such as organizational data, social media, etc. Integrate disparate risk management efforts in a centralized unit to better apply the intelligence gained from one channel or product to other risk areas. Consolidate large amounts of consumer Use the insights to provide alerts to and transactional data residing within silos and identify consumers uniquely consumers, such as across channels and interactions to provide a unified view. location-based fraud warnings, and reduce false positives. Merchants and issuers should involve customers in their fraud prevention efforts. Educate Empower Engage consumers with tools that give them greater control over their accounts and consumerS consumers continuously on various forms of through regular communication, improve security. For example, apps that limit card spending in certain geographies, cap transaction limits, abort using relevant channels in fraud, as well as precautions for protecting mobile devices from rogue post-incident management to increase apps, malware, etc., and steps to take if they suspect fraud. transactions, block and unblock cards, etc. confidence and ensure loyalty. Survey Methodology The survey was conducted online in the U.S. in July 2015. The respondent details are as follows: Consumers A total of 509 U.S. consumers across various age groups, employment status and annual household income levels were surveyed. Issuers A total of 50 senior executives from U.S.-based card issuers/banks ranging from fraud specialist to vice-president were contacted. Merchants and Acquirers A total of 52 senior executives from U.S.-based merchant and acquirer organizations were surveyed as part of the study. While 65% were retail organizations, 2% were acquirers, and 33% were both retailers and acquirers. For a full report on the study, please read our whitepaper "Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters." http://cogniz.at/securepayments © Copyright 2016, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. Code HaloTM is a trademark of Cognizant Technology Solutions. All other trademarks mentioned herein are the property of their respective owners. KEEP CHALLENGING™ Codex 1940 CII