MRC
Building Better Commerce | Fraud & Payments Professionals
LATEST TRENDS AND INSIGHTS INTO SECURING DIGITAL IDENTITIES AND TRANSACTIONS
WEB FRAUD PREVENTION,
ONLINE AUTHENTICATION
& DIGITAL IDENTITY
MARKET GUIDE 2015 / 2016
In the ever evolving and highly complex
ecommerce industry, The Paypers’ Web
Fraud Guide is a vital resource for fraud
professionals. It encompasses a wealth
of information on the latest security
developments, fraud prevention strategies,
digital challenges and upcoming web
trends. This Guide is of great value
because it is a compilation of past year
insights and future expectations.
Danielle Nagao - CEO MRC
Ecommerce Europe is pleased to endorse
The Paypers’ Web Fraud Prevention,
Online Authentication & Digital Identity
Market Guide. The analysis is a reliable
reference source on the latest trends in
the digital identity & web fraud ecosystem
for both payment fraud professionals and
readers interested in getting more in-depth
information in this field.
Elaine Oldhoff - Ecommerce Europe
2 3LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONSWEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY MARKET GUIDE 2015 / 2016
AUTHORS
Mirela Amariei, Tiberiu Avram, Ionela Barbuta, Simona Cristea, Oana Ifrim, Sebastian Lupu, Mihaela Mihaila, Andreea Nita, Adriana Screpnic
RELEASE
VERSION 1.0
DECEMBER 2015
COPYRIGHT © THE PAYPERS BV
ALL RIGHTS RESERVED
Introduction
When it comes to security and fraud, we can safely state that
2015 has been a ‘time of great change’, and 2016 will certainly
follow the same trend. The online world and the payments
landscape have been undergoing considerable transformation for a
while now. The latest technology developments, regulatory changes
and the broader digital revolution of the last couple of years
have had a significant impact on virtually every aspect of the
financial and payments industry. However, in the middle of all
these groundbreaking changes, internet fraud remains a constant
reminder that with greater opportunities come greater risks. The
numerous, almost never-ending data breaches and the tremendous
rise of cybercrime in basically every sector have shaken consumers’
confidence regarding privacy and data protection.
Considering this ‘evil face’ of the transaction space, it has become
quite clear to all market players that measures ought to be taken
to stop the rising levels of payments fraud. With this in mind,
retailers, fraud prevention service providers, payment service
providers and policy makers have begun to feel the pressure and
are currently working to develop advanced fraud prevention
solutions and to establish a legal framework in order to keep
fraudsters at bay and keep sensitive data secure.
Therefore, given that fraud detection and prevention, online
security, risk management, digital identity and consumer
authentication are instrumental in defining and securing the
transactional ecosystem, special attention must continue to be
paid to these aspects. As The Paypers is committed to delivering an
annual analysis of the current state of affairs of the industry and
to pointing out the key participants that are setting the scene
for future developments in the fight against fraud, a new edition of
the Web Fraud Prevention, Online Authentication & Digital Identity
Market Guide has been compiled.
Featuring a two-part structure, the latest edition provides payment
professionals with up-to-date data on the major cybersecurity
highlights that have influenced the industry in 2015. Part 1 is a
series of insightful perspectives on key aspects of the global
digital identity, transactional and web fraud detection space from
industry associations and leading market players. In 2015, the
transactional space has been influenced most of all by the long-
awaited October deadline for the US EMV migration. With the
new chip-embedded credit and debit cards and the new POS
terminals, experts from the Smart Payment Association express
their fear that fraudsters will focus their efforts on other
vulnerabilities in the payments ecosystem, including ecommerce
and m-commerce channels. Moreover, according to a survey
conducted by Fattmerchant, even though 72% of businesses have
not yet adopted EMV-compliant technology, the migration is still
expected to lead to a considerable increase in card-not-present
(CNP) fraud. The topic of EMV and its impact on US businesses is
also approached by CardinalCommerce, which offers advice on how
merchants can protect themselves against CNP fraud.
Part 1 also includes valuable input regarding projects and
measures aimed at regulating the way data is collected, stored
and processed. Hence, time.lex provides an insight into the Safe
Harbour agreement and what it means to merchants and web
shops. Additionally, on the regulation front, the EPC shares an
interesting perspective on the EBA Guidelines on the security of
internet payments.
Key matters such as machine learning and the need for a more
coordinated collaboration between technology and human
development have been highly debated by ACI Worldwide and
Feedzai and briefly addressed by Risk Ident in an interview.
As always, cross-border ecommerce is at the forefront of the
industry. Bearing in mind that an increasing number of companies
decide to expand across borders, it has become more obvious that
fraud is one of the most challenging barriers that needs to be
overcome. Ecommerce Europe presents e-ID schemes as a
solution to improve data protection and to increase convenience
and consumer trust. All these major points are complemented
by interesting perspectives on the Internet of Things and a new
concept in managing identities, the Identity of Things (IDoT).
Additionally, on the subject of fraud versus consumer authentication
and verification, contributions from Consult Hyperion, the Biometrics
Institute, MyBank, Natural Security Alliance and Wirecard
feature unique views on the importance of authenticating online
transactions. Finally, other thought leaders and some of the major
industry associations which have provided their valuable input
include Accertify, Signicat, the MRC, Neira Jones and Perseuss.
They have all provided a rich analysis of the ever-changing
digital identity, web fraud prevention and detection landscape.
Part 2 of the Guide is an outline of in-depth company profiles
which allows readers unprecedented access to the global digital
identity & web fraud market and complements the industry
analysis.
The Web Fraud Prevention, Online Authentication & Digital
Identity Market Guide is an insightful reference source
highlighting key facts & trends into the global digital identity
transactional and web fraud prevention & detection ecosystem.
Table of contents
4 INTRODUCTION
8 THOUGHT LEADERSHIP SECTION
9 TRENDS & DEVELOPMENTS IN SECURING THE TRANSACTIONAL ECOSYSTEM
10 Securing the User's Shopping Experience: Five Fraud Trends from 2015 | Markus Bergthaler, Global Director of Programs
and Marketing, MRC and Mike Splichal, Program Manager, MRC US
12 Confronting Card Fraud in the Global Travel Industry 2005 -2015 | Jan-Jaap Kramer, Chairman, Perseuss
14 Transacting with Retailers Is Now Omnichannel and So Is Fraud | Mark Beresford Director, Edgar, Dunn & Company
16 Exclusive interview with Neira Jones | Advisory Board Member & Ambassador, Emerging Payments Association
19 BEST PRACTICES IN IDENTIFYING FRAUDSTERS & PREVENTING FRAUD LOSSES
20 Machine Learning – Keeping US One Step Ahead of Fraudsters | Jackie Barwell, Director of Fraud and Risk Product Management,
ACI Worldwide
22 Addressing Delivery and Returns Fraud to Protect Profits | Catherine Tong, General Manager, Accertify
24 Exclusive interview with Roberto Valerio | CEO, Risk Ident
26 Myths About Machine Learning | Dr. Pedro Bizarro, Chief Science Officer, Feedzai
28 Work Smart – Does Your Fraud Team Suffer from Decision Fatigue | Mark Goldspink, Chief Executive Officer, ai Corporation
30 The Future is Mobile | Neil Caldwell, VP European Sales, CyberSource
32 360-Degrees Fraud Management: Securing the Customer Journey | Hugo Löwinger, Digital Identity & Fraud Management, Innopay
34 E-ID: Fraud and Risk Prevention in Cross-Border Ecommerce | Elaine Oldhoff, Ecommerce Europe
37 REGULATION, PRIVACY AND DATA PROTECTION
38 Security of Internet Payments: the EBA Two-Step Approach | Javier Santamaría, Chair, The European Payments Council
40 How EMV will Change Online Business in the US | Michael Roche, VP of Consumer Authentication, CardinalCommerce
42 Doing Business in Europe? Mandatory Data Protection Compliance in Every Single Country | Edwin Jacobs, Partner, time.lex
44 Will EMV Eliminate Card Fraud in the US? | Nicolas Raffin, President, Smart Payment Association
47 STRONGER CONSUMER AUTHENTICATION TO COMBAT ECOMMERCE FRAUD
48 Moving Beyond Passwords: Next Steps in Consumer Authentication | Carlos Häuser, Executive Vice President, Wirecard AG
50 Tokenization: From Account Security to Digital Identity | Tim Richards, Principal Consultant, Consult Hyperion
52 Exclusive interview with Isabelle Moeller | Chief Executive, Biometrics Institute
54 Bring Your Own Authentication: The Next Revolution against Web Fraud | André Delaforge, Head of Communication Advisory
Committee, Natural Security Alliance
57 INSIGHTS INTO ELECTRONIC IDENTITIES IN EUROPE
58 Digital ‘Marble’ - Onboarding in the Age of Electronic Identity | Gunnar Nordseth, CEO, Signicat
60 Electronic Identity Verification: How MyBank Can Help | Fatouma Sy, Head of Product Development, MyBank and John Broxis,
Managing Director, MyBank
63 DIGITAL IDENTITIES AND TECHNOLOGIES AT THE HEART OF SECURITY
64 Identity of Things (IDoT): A New Concept in Managing Identities | Emma Lindley, Managing Director, Innovate Identity
66 The Advent of IoT: Are We Facing A Trade-off Between Convenience & Security? | Ionela Barbuta, Senior Editor, The Paypers
68 COMPANY PROFILES
110 GLOSSARY
THOUGHT LEADERSHIP
TRENDS & DEVELOPMENTS IN SECURING THE TRANSACTIONAL ECOSYSTEM
Securing the User's Shopping Experience: Five Fraud Trends from 2015
MRC
As ecommerce enters its third decade, competition among
companies to attract and retain customers is as intense as ever.
While global Business-to-Consumer ecommerce sales (excluding
travel and event tickets) are projected to hit a staggering USD 1.6
trillion in 2015, this total represents less than 7% of worldwide
retail sales. It is clear that ecommerce still has tremendous growth
potential. With that in mind, we have examined five ecommerce
fraud trends as 2015 draws to a close.

1. Account takeover
Fraudsters can and will target any company or consumer who is
vulnerable. As larger businesses invest more resources to prevent
large-scale compromises and breaches, a greater number of
small and medium-sized businesses are expected to be targeted.
The use of mobile two-factor authentication is a growing trend
to help protect customer accounts: a one-time code is sent to
the consumer's mobile phone via SMS or a dedicated app as an
additional layer of account validation. Biometrics are also expected
to play a larger role in consumer authentication as more smartphone
models with fingerprint readers are sold and companies experiment
with alternatives to passwords such as selfies.

2. Omnichannel / multichannel retailing
As more businesses integrate their physical retail presence with
their online presence, companies need to ensure they have
systems and processes in place to address potential exploits from
all channels. For example, if a merchant offers in-store pickup
on its website, fraud checks should still be performed, including
in scenarios where the delivery method is changed from one
channel to another (home delivery changed to in-store pickup, for
example). Store personnel should also be trained on the importance
of validating in-store pickup orders and need to be prepared to
handle more complex circumstances such as identity theft.

3. Mobile fraud
Worldwide, mobile commerce sales will account for nearly half
of total internet sales by 2018, according to Goldman Sachs.
As more businesses introduce mobile apps and/or mobile-friendly
websites, fraudsters will try to exploit gaps in merchants' fraud
checks. Businesses must do more than simply extend their existing
fraud solutions to mobile platforms, and they must cover mobile
from the start. Merchants should leverage mobile-specific identifiers
wherever possible, such as Mobile Equipment Identifiers (MEIDs)
and International Mobile Subscriber Identities (IMSIs). Note that
such identifiers are only available to a native app holding the
relevant operating-system permission, not to a mobile browser
session, so mobile web traffic still needs conventional device and
behavioural signals. As consumers increasingly use mobile phones
and tablets to order goods and services online, businesses should
also ensure their fraud solutions support any mobile-specific or
mobile-friendly features, such as letting consumers use a mobile
number in place of an e-mail address when creating an account.

4. Digital goods
For merchants offering downloadable content, such as games,
apps/software, music, videos and e-books, a big challenge to
fraud prevention efforts is customers' expectation of near-instant
fulfilment. Merchants need to strike a balance between losses from
fraud and chargebacks on the one hand and revenue on the other.
As quick reviews are essential in preventing legitimate customers
from shopping elsewhere, it is imperative that companies leverage
the power of data to help make decisions, whether those decisions
are automated or manual. By joining a professional organisation such
as the Merchant Risk Council (MRC), key fraud and payments
personnel can gain valuable insights, discuss emergent threats and
trends, and share best practices with other industry professionals.

5. US EMV rollout
As of October 1st, 2015, liability for fraud on card-present
transactions in the US has shifted. Now, merchants can be held
liable unless they replace their point-of-sale hardware with
technology compatible with the card chip standard known as EMV.
However, until merchants switch to authenticating purchases
using the chips on EMV cards instead of magnetic stripes, the
change is unlikely to significantly reduce losses to counterfeit
cards. Also, unlike the European rollout of EMV, the US rollout
is less coordinated and PINs are not mandated. As a result, it is
doubtful that there will be a drastic shift in fraud from the
card-present to the card-not-present environment, at least initially.
Ecommerce companies cannot become complacent, however. The
MRC recommends that most companies use a layered approach
combining machine learning and manual reviews, with a focus on
reducing friction for legitimate customers.

Conclusion
A common theme running through these trends is customer experience.
Fraud detection is more than just preventing illegitimate transactions
from being processed; it is also about ensuring legitimate
customers are not adversely impacted by automated and manual
reviews. While online fraud remains a challenging space, we believe
that those companies which balance prevention with customer
experience will be best positioned to reap the rewards of the rapidly
growing ecommerce landscape.

About Markus Bergthaler: Markus Bergthaler, MRC Global Director of Programs and Marketing, oversees benchmarking, education, committees, communities, marketing and event content.
About Mike Splichal: Mike Splichal, MRC US Program Manager, coordinates content for committees, presentation archives and community forums. He also develops member training and certification programs.
About MRC: The MRC is an unbiased global community providing a platform for ecommerce fraud and payments professionals to come together and share information. As a not-for-profit entity, the MRC’s vision is to make commerce safe and profitable by offering proprietary education, training and networking as well as a forum for timely and relevant discussions.
www.merchantriskcouncil.org
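The one-time code mechanism described under account takeover above, as an added example (this is not code from the MRC or from this Guide): a server-side service that issues a six-digit code for delivery via SMS or an app and verifies it with the properties a practitioner would insist on. The code is stored only as a keyed hash bound to the account, it expires, it is single-use, the number of guesses is capped and the comparison is constant-time. The server key, the five-minute lifetime, the attempt limit and the existence of a separate SMS/push gateway are assumptions; delivery of the code is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption: in production this key comes from a secret store, not from source code.
SERVER_KEY = b"replace-with-a-key-from-your-secret-store"

CODE_TTL_SECONDS = 300   # assumed lifetime: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed cap: after this many wrong guesses the code is burned


@dataclass
class PendingCode:
    digest: bytes      # HMAC of "<account>:<code>"; the clear-text code is never stored
    issued_at: float
    attempts: int = 0
    used: bool = False


class OneTimeCodeService:
    """Issues and verifies single-use numeric codes delivered out of band (SMS or app push).

    Only a keyed hash of each code is kept, so a leaked table does not reveal live codes.
    The clock and random source are injectable so that expiry and brute-force handling can be tested.
    """

    def __init__(self, clock=time.time, rng=secrets.randbelow):
        self._clock = clock
        self._rng = rng
        self._pending = {}   # account_id -> PendingCode (one live code per account)

    @staticmethod
    def _digest(account_id: str, code: str) -> bytes:
        # Binding the digest to the account stops a code issued to one user being replayed for another.
        return hmac.new(SERVER_KEY, f"{account_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, account_id: str) -> str:
        """Create a fresh code for the account, replacing any earlier one, and return it for delivery."""
        code = f"{self._rng(10**6):06d}"   # uniform six-digit code, leading zeros preserved
        self._pending[account_id] = PendingCode(self._digest(account_id, code), self._clock())
        return code   # hand to the SMS/push gateway; do not log it

    def verify(self, account_id: str, submitted: str):
        """Return (ok, reason). A code is accepted at most once, within its lifetime, within the guess cap."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False, "no_code_pending"
        if entry.used:
            return False, "already_used"
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[account_id]
            return False, "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            # Burn the code so that the correct value can no longer be found by enumeration.
            del self._pending[account_id]
            return False, "too_many_attempts"
        entry.attempts += 1
        if not hmac.compare_digest(entry.digest, self._digest(account_id, submitted)):
            return False, "mismatch"
        entry.used = True
        return True, "ok"
```

The `reason` string is for the merchant's own logs and metrics; the customer-facing message should be the same for every failure so that an attacker cannot tell "expired" from "mismatch". A per-account rate limit on `issue` is also needed so that the SMS channel itself cannot be used to flood a victim or to run up the merchant's messaging bill.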
Confronting Card Fraud in the Global Travel Industry 2005 - 2015
Perseuss
For the past ten years, service suppliers in the travel industry
(airlines, train companies, shipping lines, online travel agents) have
progressed from taking their first baby steps in online payments
to a point where online transactions represent the vast majority
of all ticket purchases. This period has seen significant change
right across the sector. The industry has faced an extraordinary
battering from card fraudsters and has had to reorganise rapidly to
face this unexpected threat.
Looking back, we can now see that there were certain key
developments which, collectively, led to a reversal of fortunes for
the initially successful fraudsters. Businesses are now back in
control of their payment operations and fraud has been reduced to
manageable levels.

Collaboration between competitors
By far the most important development has been the ability of
fraud analysts to exchange information with each other informally:
first in meetings, then in secure online forums. There are two main
types of information: structured data such as names and e-mail
addresses that need to be cross-checked against a database, and
tips and best practices that can be shared informally.
Some of the meetings and online forums are for members only.
Others are open to verified fraud analysts and professionals from
any accredited organisation. For an individual who may be the
only fraud-fighter in their organisation, with no-one else nearby
to offer advice, these forums are like a life-support machine.

Collaboration between corporates
At a strategic level, the travel sector has created an industry-wide
body where executives can meet and coordinate actions, both
regionally and globally. There is a regular programme of working
groups that take place at venues across Europe, Asia-Pacific and
elsewhere in the world.
Key to the success of both personal and corporate collaboration
is that people from different organisations continue to meet
regularly face-to-face. Bonds of trust, once formed, can last a
long time online, but occasional meetings in person reinforce and
accelerate that trust.

Technology-wise collaboration
The next step in industry-wide collaboration is sharing data. When
the working group is small, this can be done via e-mail messages,
but once groups start to grow, automation is vital. Groups will need
to establish steering committees to choose a neutral technology
supplier who develops the various online forums and databases.
The data-sharing technology itself has to be cloud-based and highly
secure. It has to enable businesses to submit and share suspected
fraud data legally, while always retaining ownership of the data.
This way, a business can remain completely in control of its data,
even after it has shared it. The database must be developed with a
high degree of participation and input from working fraud analysts
so the screens and layouts blend naturally into the operational
workflow. This increases efficiency and improves decision-making.

[Figure: Data sharing through a shared database. One merchant sees a suspect transaction and checks its details against the shared database, which shows two other instances of the same details used fraudulently; an analyst reviews the case and declines the booking. Another merchant notices that a particular pattern is frequently used by fraudsters, focuses its own fraud detection efforts on that pattern and identifies many costly fraudulent transactions.]

Collaboration with partners
Merchants who provide travel services rely on a vast network of
partners to oil the wheels of the industry and make everything
work. Among these partners are payment service providers,
software suppliers, banks, card schemes, industry associations,
legal entities, national police forces, as well as international law
enforcement agencies.
The travel industry had the foresight long ago to involve all of these
bodies in the global war against card fraud. Since 2013, all of these
organisations have been mobilised into a number of concerted
drives to break up fraud gangs and arrest their members at the
moment of committing crime. Hundreds of perpetrators have been
charged with offences including human smuggling, drug trafficking
and international prostitution. In many cases, the secondary crimes
are far more serious than the card fraud which first brought them to
the attention of the authorities.
All this collaboration has allowed the travel industry to present a
truly joined-up front against fraud gangs. The gangs themselves
are becoming increasingly sophisticated and technology-savvy.
It is vital that the industry continues to make and strengthen
connections with its partners to counter this ever-present threat.

Cross-industry collaboration
A very exciting prospect is for the travel industry to work with
entirely different business sectors to fight fraud. Criminals do not
recognise industry boundaries, so why should we?
Of course, the scale of operations will be significantly increased.
There will be problems and challenges. But the lesson of the last
ten years is that we must all collaborate more in order to isolate
criminal gangs. If we do not, they will exploit the gaps between
us and take the initiative. Then, we will find ourselves cut off,
surrounded and struggling to catch up. That must not be permitted
to happen.

About Jan-Jaap Kramer: As Payments Manager for Martinair, Jan-Jaap was responsible for processing all ecommerce and call centre bookings. In 2011, he both established his own consultancy to help other businesses fight fraud and was elected Chairman of the Perseuss Steering Group.
About Perseuss: Perseuss is the global travel industry's own solution to the battle against fraud. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.
www.perseuss.com
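The shared negative database described under technology-wise collaboration, as an added example (this is not Perseuss' code): members contribute normalised, keyed-hashed identifiers rather than raw names and e-mail addresses, a lookup returns how many other members have reported the same identifier (the "two other instances of the same details" in the diagram), and a member can withdraw everything it contributed, which is the "retaining ownership of the data" property the article asks for. The consortium pepper, the normalisation rules, the member names and the sample reports are all constructed assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a secret shared among consortium members out of band and rotated periodically.
# Without it, anyone holding the table could confirm a guessed e-mail address by hashing it.
CONSORTIUM_PEPPER = b"consortium-pepper-rotated-yearly"


def normalise_email(addr: str) -> str:
    """Canonicalise so trivially varied addresses collide: case, whitespace, Gmail dots and +tags."""
    addr = addr.strip().lower()
    local, _, domain = addr.partition("@")
    if domain in {"gmail.com", "googlemail.com"}:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalise_name(name: str) -> str:
    """Letters only, lower case: 'John  Doe' and 'john-doe' map to the same key."""
    return re.sub(r"[^a-z]", "", name.lower())


def _normalise(kind: str, value: str) -> str:
    return normalise_email(value) if kind == "email" else normalise_name(value)


def token(kind: str, normalised: str) -> str:
    """Keyed hash that is shared with the consortium; the raw identifier never leaves the member."""
    return hmac.new(CONSORTIUM_PEPPER, f"{kind}:{normalised}".encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Report:
    member: str
    reason: str


class SharedNegativeDatabase:
    def __init__(self):
        self._by_token = defaultdict(list)   # token -> [Report, ...]

    def submit(self, member: str, kind: str, value: str, reason: str) -> None:
        """A member reports an identifier ('email' or 'name') seen on a fraudulent booking."""
        self._by_token[token(kind, _normalise(kind, value))].append(Report(member, reason))

    def check(self, member: str, kind: str, value: str) -> dict:
        """How many *other* members have reported this identifier, and why."""
        tok = token(kind, _normalise(kind, value))
        hits = [r for r in self._by_token.get(tok, []) if r.member != member]
        return {"hits": len(hits), "reasons": sorted({r.reason for r in hits})}

    def withdraw(self, member: str) -> int:
        """The member keeps ownership of its data: it can pull back every report it contributed."""
        removed = 0
        for tok, reports in list(self._by_token.items()):
            kept = [r for r in reports if r.member != member]
            removed += len(reports) - len(kept)
            if kept:
                self._by_token[tok] = kept
            else:
                del self._by_token[tok]
        return removed
```

Excluding the querying member's own reports from the hit count matters: a merchant that has already blocked a booker learns nothing new from its own entry, and a threshold such as "two or more other members" is what turns a single chargeback into consortium-level evidence. The hashing keeps the consortium's copy from being a directory of travellers, but it does not remove the legal basis question for sharing at all, which is why the article insists on the data being shared "legally".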
Transacting with Retailers Is Now Omnichannel and So Is Fraud
Edgar, Dunn & Company
As retailers have enhanced their technical and business operations
to better serve consumers across several channels, a gap has
opened in dealing with fraudsters who are also adopting a
cross-channel approach. In this respect, it is interesting to
see that there are several exceptions to a standard ‘purchase’
transaction, particularly returned goods. This has been a specific
area where different customer points of interaction did not
properly communicate with each other, which means that fraudsters
are targeting the loopholes that have appeared due to the lack of
connectivity across channels.
Edgar, Dunn & Company (EDC) has found that many retailers do
not treat the different customer points of interaction in isolation.
Instead, they take into account consumer behaviour and location
to build a fraud strategy for each point of interaction, be it call
centre, in-store customer service desk, a click-and-collect service
desk, online, or at the point-of-sale. Retailers are aiming to ensure
a seamless customer experience across channels, and they should
equally tackle fraud across all channels. They need a cross-channel
view of their customer’s purchasing history, browsing history and
preferred channel history (in-store, smartphone, tablet, laptop,
desktop, in-store kiosk) to ensure that a customer is a good
customer and is not deviating from their normal channel behaviour.
Transacting with retailers is now omnichannel.

False positives
Declining a customer who is a good customer can lead to dramatic
and detrimental customer behaviours. This is commonly the case
where a customer is known to be ‘good’ on a certain device but
then uses a different device and is declined when engaging with
the retailer, simply because the fraud detection rules have not been
updated for the new device.
As merchants aim to serve customers across channels, fraudsters
are also exploiting the lack of joined-up thinking by impersonating
a service centre. They will cold-call a customer, for example,
claiming that their credit card or bank account has been subject to
fraud during the transaction with the retailer. This can lead to
customers revealing information about the transaction, and the
fraudsters are then able to change the arrangements for collection
of the goods. The call will seem genuine, and fraudsters will often
quote titbits of the individual’s confidential transaction history,
such as their full name, address and account numbers, all of it
information that the fraudster gleaned from an earlier hack of
a retailer or financial institution. The ability to create a profile of
a target customer is progressively easier to achieve for organised
criminals operating at a distance.

Data mining
Usually, the fraudster will spoof the collection arrangements and
change the location to a store more convenient for him to pick
up the goods. The information quoted on the call is meant to make
the conversation more credible, luring the customer into revealing
additional information that can be used to arrange the collection of
their newly purchased items. These products can be quickly sold on
auction websites afterwards.
Another example would be fraudsters who send targeted phishing
e-mails on behalf of the retailer or the bank in order to capture
information about the customer. Fraud protection vendors are most
concerned about evolving methods of phone fraud, especially
because it is the least protected area when it comes to card-not-
present (CNP) transactions and, therefore, the most vulnerable
means of attack in a multi-channel environment, as found in large
modern retailers.

Alternative forms of payment
A lot of retailers and fraud prevention vendors commonly collect
fraud statistics for legacy products such as debit and credit
cards. The more innovative retailers are issuing and accepting
mobile wallets, carrier billing, prepaid payment products, loyalty
and reward products, gift cards, and social and peer-to-peer payment
products. Multichannel retailers are even starting to accept bank
transfers such as Barclays’ Pingit.
As consumers become more familiar with Apple Pay and
in-app purchases, they are expected to gradually become more
adventurous in the selection of different methods of payment
at different points of interaction with the retailer. If the store is
closed, the Pingit app can be used by scanning a QR code on
the shop window next to the goods on sale. However, the point of
interaction could just as well be an advertisement at a bus stop
or on the back of a taxi, not necessarily in the store.
Fraudsters are able to program a smartphone to act as a false POS
terminal, deface a QR code to redirect funds to another account,
or even make a smartphone act as a false payment card. An
attack that used to require specialist hardware engineering at
the POS to bypass EMV technology is now just a software
app. The emergence of new sales channels (and the integration
between these channels) unfortunately enables fraudsters to
‘play one channel against another’, or to identify potential cracks in
omnichannel processes.
Fraud is an ever-evolving art and fraudsters are very creative
in leveraging the retailers’ lack of fully integrated multichannel
solutions. They are already preparing for a new wave of cross-
channel fraudulent strategies in order to trick consumers at a wide
variety of retailer interactions.

About Mark Beresford: Mark Beresford, Director at Edgar, Dunn & Company, has over 20 years’ experience in the payments sector. He heads the Retailer Payments Practice at EDC and works on strategic client engagements for major omnichannel retailers and payment service providers globally.
About Edgar, Dunn & Company: Edgar, Dunn & Company is an independent global payments consultancy founded in 1978. The company is widely regarded as a trusted adviser, providing a full range of strategy consulting services, expertise and market insight. EDC clients include payment brands, issuer and acquiring banks, processors and merchants.
www.edgardunn.com
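A cross-channel decision function, added here as an example (this is not EDC's or any retailer's code), covering the two situations the article describes: a known-good customer who appears on a new device is challenged rather than declined, and a post-order change to the collection arrangements, especially one arriving through a channel or device the customer has not used before, is held for out-of-band confirmation or analyst review instead of being applied silently. It also covers the MRC's point above that a delivery-to-pickup change must be re-checked like a new order. The thresholds, the field names, the channel labels and the sample customer are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed policy constants; a real deployment tunes these per merchant and per channel.
TRUSTED_ORDER_COUNT = 5      # successful orders before a customer counts as known-good
STEP_UP_CEILING = 500.0      # above this amount even a known-good customer on a new device goes to review


class Action(Enum):
    APPROVE = "approve"
    STEP_UP = "step_up"      # confirm with the customer out of band (one-time code, call-back), don't decline
    REVIEW = "review"        # hold for an analyst


@dataclass
class CustomerProfile:
    customer_id: str
    known_devices: set       # device identifiers seen on previous good orders
    channels_used: set       # e.g. {"web", "app", "store", "call_centre"}
    successful_orders: int
    chargebacks: int


@dataclass
class OrderEvent:
    customer_id: str
    device_id: str           # browser/app device id, or the agent desk for a call-centre change
    channel: str
    amount: float
    fulfilment: str          # "ship" or "pickup"
    pickup_store: Optional[str] = None
    # Set only when the event modifies an existing order, e.g. a collection change phoned in later.
    original_fulfilment: Optional[str] = None
    original_pickup_store: Optional[str] = None


def decide(profile: CustomerProfile, event: OrderEvent):
    """Return (Action, reasons) for a new order or a post-order change, using cross-channel history."""
    reasons = []
    trusted = profile.successful_orders >= TRUSTED_ORDER_COUNT and profile.chargebacks == 0
    new_device = event.device_id not in profile.known_devices
    new_channel = event.channel not in profile.channels_used
    changed = (
        (event.original_fulfilment is not None and event.original_fulfilment != event.fulfilment)
        or (event.original_pickup_store is not None and event.pickup_store != event.original_pickup_store)
    )

    if profile.chargebacks > 0:
        reasons.append("prior_chargeback")
    if new_device:
        reasons.append("new_device")
    if new_channel:
        reasons.append("new_channel")
    if changed:
        reasons.append("fulfilment_changed_after_order")

    if profile.chargebacks > 0:
        return Action.REVIEW, reasons
    if changed:
        # A collection change is exactly the loophole the cold-call scenario exploits: always confirm
        # it with the customer out of band, and send it to an analyst when it also arrives from a
        # device or channel this customer has never used.
        return (Action.REVIEW if (new_device or new_channel) else Action.STEP_UP), reasons
    if new_device or new_channel:
        # The false-positive case: a known-good customer on a new device is challenged, not declined.
        if trusted and event.amount <= STEP_UP_CEILING:
            return Action.STEP_UP, reasons
        return Action.REVIEW, reasons
    return Action.APPROVE, reasons
```

The shape that matters is that the same function sees web orders, app orders and call-centre modifications, keyed by the customer rather than by the channel, so that the agent desk which changes a pickup store is scored against the customer's history and not against a call-centre rule set that knows nothing about the original order. Whatever step-up is used for `STEP_UP` must go to a contact detail on file from before the order, never to a number supplied on the suspicious call.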
Exclusive interview with Neira Jones | Advisory Board Member & Ambassador, Emerging Payments Association
The online landscape is changing at a faster pace and fraudsters are getting better at stealing money and identities. The industry needs a more reliable authentication system to create a safer environment. What do you see as a next step in consumer authentication?
By the end of 2015, there will be 7.2 billion people with an employment
ratio of 60% representing 4.3 billion people (International Labour
Organisation, World Bank). By then, 1.3 billion people (30%) will
routinely work remotely (Symantec, August 2014) and by 2019,
there will be 24 billion networked devices around the world, with an
average of 3.2 connections per person. The pace of technological
advancement, as well as increased sophistication and adaptability
of criminals, have made identity theft and social engineering most
successful. Indeed, in the UK, ID crime represented 48% of all
fraud in 2014, with 82% of ID-related crimes committed online
(CIFAS Fraudscape 2015). Worryingly, 23% of recipients open
phishing e-mails and 11% click on attachments, and a phishing
campaign of just 10 e-mails has a 90% success rate (Verizon DBIR
2015). In addition, machine-to-machine connections will triple to
10.5 billion by 2019 (CISCO, May 2015). All this connectivity means
new opportunities for countries, businesses, people, as well as,
unfortunately, fraudsters.
I like to link identity and authentication to social engineering
because, if legitimate credentials fall into the hands of criminals,
all bets are off. Technology alone cannot stop fraud, as evidenced
many times, and most recently, when a UK company handed over
an unprecedented GBP 1 million to a phone scammer that led
an employee to transfer the money to bogus bank accounts, or
when BitPay lost USD 1.8 million through a spear phishing attack.
I believe consumer-centric Identity & Access Management
(IAM) vendors will start to provide enterprise grade solutions
and enterprise IAM vendors will start moving from role-based
access control (RBAC) to attribute-based access control (ABAC).
Biometrics, behavioural/contextual analysis and low-latency
threat monitoring/ fraud prevention will all play a role in building a
successful ecosystem.
So, it is not so much that we need an ‘authentication system’.
We actually need several ways to manage identity and authentication
that are proportional and commensurate to the potential risk
associated with any interaction (be it human or machine) and with
the necessary addition of appropriate operational processes to
support them. The most sophisticated identity or authentication
technologies can be deployed, but if appropriate governance
processes are not equally matched, it will only be money down
the drain.
Cybercrime has also gone mobile, do you think there is a need for multichannel fraud detection & prevention solutions to detect and manage fraud effectively, irrespective of channel?Cybercrime has indeed gone mobile and, with the growth of the
Internet of Things (IoT), equally hyper-connected. There is, however,
at this stage, little evidence of serious harm. Indeed, with the rise
of mobile devices and BYOD, we could have expected significant
threats to organisations. But, as suggested by the Verizon DBIR
2015, there were less than 0.03% mobile devices infected with
mobile malware each year, and the rise of the IoT did not exhibit
a surge of attacks through that channel. Instead, criminals relied
on phishing attacks, misuse of credentials and new varieties of
malware that plague organisations of all sizes. Managing fraud in this
hyper-connected environment will force businesses to manage risk
effectively to support growth, performance and reputation. In this
environment, comprehensive, real-time analytics will play a key role.
In the interview, Neira Jones points out that managing fraud in a hyper-connected environment will force businesses to manage risk effectively to support growth, performance and reputation.

Neira Jones, Advisory Board Member & Ambassador, Emerging Payments Association

About Neira Jones: Neira chairs the Advisory Board for mobile innovator Ensygnia & the Global Advisory Board for the Centre for Strategic Cybercrime & Security Science and is a Founding Advisory Board Member for GiveADay UK. She sits on the Advisory Board of the Emerging Payments Association.
Twitter: twitter.com/neirajones
LinkedIn: www.linkedin.com/in/neirajones

About Emerging Payments Association: The Emerging Payments Association (EPA) is a community for the world’s most progressive payments companies. The EPA helps them to have influence over the payments landscape and get access to the people operating in it, whether they are buyers, sellers or partners.
www.emergingpayments.org
IoT promises to be "the next big thing". Apart from the innovation and convenience that it brings, the system is not flawless. What are the main vulnerabilities we need to be aware of?

As the IoT evolves, so should the understanding of its security requirements. The online web environment has had years to mature, in line with the understanding of what needs to be done to secure it. As we all know, data breaches continue to happen in the traditional online channel and old vulnerabilities continue to be exploited. Exciting developments in the IoT should take advantage of what has already been learned in online and other digital channels, and implement security by design rather than as an afterthought. Key to this will be authentication of devices (and individuals) and data security, as these technologies will increasingly collect more and more personal data. From a process and regulatory stance, data will be key, as are the many contractual implications that will ensue due to an ever extended supply chain.

Would wearable technology transform the payments industry? And where do we stand from a security point of view?

Wearable technology is only a subset of the IoT and, therefore, the same issues apply, with the added emphasis on data collection, protection and privacy as there is a direct link to individuals. Will it "transform" the payments industry? I don’t think so. Will it contribute to its evolution towards a payments ecosystem that is frictionless and secure? I sincerely hope so. We are already seeing some interesting deployments in the loyalty and engagement space as well as in the production of new form factors (e.g. contactless rings), which is where, I think, wearables will make the most impact in payments.
MRC Vegas 2016, March 7-10, Aria Resort & Casino. Experience the excitement at MRC Vegas 2016 with over 1,500 attendees, 65 educational sessions, 450 companies and individuals from over 30 countries. Register now for one of the largest and most rewarding events uniting online and multi-channel retailers, card networks and issuers, law enforcement and solution providers all committed to making eCommerce safe and profitable. Save $800 with the early bird discount.
merchantriskcouncil.org/events/mrcvegas
BEST PRACTICES IN IDENTIFYING FRAUDSTERS & PREVENTING FRAUD LOSSES
Machine Learning – Keeping Us One Step Ahead of Fraudsters
ACI Worldwide

Machine learning is a hot topic in fraud prevention, with both financial institutions and merchants looking to exploit advances in IT infrastructure and intelligent computing to protect their businesses from risk. But what really is machine learning, and how effective is it in detecting and preventing fraud?

Machine learning relies on algorithms which employ pattern recognition techniques to explore and learn the underlying structures in the data. By using past transaction data from fraudulent activity, alongside information from genuine customer transactions, these algorithms can be used to build predictive models which forecast the probability of a transaction being fraudulent.

Predictive models deliver very tangible results in fraud detection. Their ability to extract meaning from complicated data means that they can be used to identify patterns and highlight trends which are too complex to be noticed either by humans or through other automated techniques. By running specific, effective algorithms and using them to make automated decisions, or to generate alerts for suspicious activity, these techniques can save manual review time, reduce the number of false positives and quickly stop attempted fraud.

But this approach is by no means new. In fact, predictive models first became popular almost two decades ago, particularly with financial institutions, which successfully used models to detect significant volumes of card-present fraudulent transactions and save millions.

Back then, however, fraud problems were simpler and patterns were easier to identify. Fraudsters have since become savvier and more innovative, driving demand for further change in fraud detection techniques to ensure that defensive capabilities can match fraudsters’ offensive capabilities.

Technology advances over the last decade in particular have aided the evolution of machine learning and ensured it has remained an effective fraud prevention measure. For instance, the increased availability and scale of raw computing power means that we can now process, segment and analyse data on a much larger and more complex scale. This allows fraud analysts to understand both localised and widespread occurrences of fraud. It also enables these complex processes to be accomplished faster, frequently in real time.

Additionally, other information, such as data resulting from web-behaviour analysis, can be fed into the predictive models, adding a new and valuable dimension to the model’s accuracy.

The development of new algorithms, machine learning techniques and programming expertise has also kept pace with changes in the payments and ecommerce landscape, with these latest techniques giving businesses the power to explore a much larger search area in the model optimisation space and increase detection rates.

While it is clear that machine learning has a lot to offer financial institutions and merchants in their efforts to detect and prevent fraud, the approach does have its limitations.

Because they learn from experience, predictive models cannot learn or spot monolithic events such as data breaches. For these you need to be running a rules-based model which uses negative lists and, preferably, consortium data.

Predictive models are also less adept at learning one-off events or transient phenomena. Our experience with customers around the world has taught us that combining predictive models with a customised rules engine delivers the optimal fraud prevention solution. The ability and flexibility of a comprehensive rules engine to deal with seasonal changes, emerging trends and one-time events complements the sophisticated pattern recognition techniques deployed by predictive models.

At ACI, we firmly believe in the future of advanced machine learning and predictive models as an integral and vital part of a winning fraud strategy. We have our own patented predictive models which have been used by customers for many years. Backed by these predictive models, ACI’s rules-based systems are constantly updated to augment performance and provide multifaceted coverage and protection. It is this holistic approach to fraud prevention that provides effective protection against the risk of fraud without compromising customer service, driving costs further upwards, or increasing the demand on scarce in-house resources.

Figure: Predictive models - part of a multi-dimensional fraud management solution

Developments and enhancements will, of course, need to continue to meet the ever-changing needs of the industry as both consumers and fraudsters adapt their behaviour. At ACI, we are now exploring the use of smaller, more focused and tactical models, trained specifically on a closely targeted set of data – for example, a specific merchant sector or geography. This will enable merchants to benefit from more sophisticated solutions which are faster to deploy and designed to address their specific trading landscapes. As fraud develops, predictive models will too, enabling us to keep one step ahead.

Jackie Barwell, Director of Fraud and Risk Product Management, ACI Worldwide

About Jackie Barwell: Jackie is the Director of Fraud and Risk Product Management at ACI Worldwide, having joined the ACI family as part of their acquisition of ReD in 2014. Jackie has more than 27 years’ experience within the financial crime arena.

About ACI Worldwide: ACI Worldwide, the Universal Payments company, powers electronic payments and banking for more than 5,600 financial institutions, retailers, billers and processors worldwide. ACI software processes USD 13 trillion each day in payments and securities transactions.
www.aciworldwide.com
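The ACI article above argues for pairing a predictive model with a rules engine that carries negative lists, consortium data and one-off or transient events. The following is an added example, not ACI's code or its patented models: a small categorical naive Bayes model stands in for the predictive model, and a rules engine supplies the two things the model cannot learn from experience, a breached-BIN negative list (a monolithic event) and an IP velocity limit (a transient burst). The transaction history, the negative-list entry, the IP addresses, the thresholds and the window are all constructed.

```python
"""Hybrid fraud decisioning: a predictive model plus a rules engine.

Added example, not ACI's code. The transaction history, the negative list,
the velocity limit and the score thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Constructed history of categorical features with a fraud label. A model
# trained on it learns steady patterns (card country vs IP country), but it
# cannot know about a breach reported yesterday or a burst that began minutes ago.
HISTORY = [
    # (bin_country, ip_country, amount_band, hour_band, is_fraud)
    ("GB", "GB", "low", "day", 0),    ("GB", "GB", "mid", "day", 0),
    ("GB", "GB", "low", "night", 0),  ("DE", "DE", "mid", "day", 0),
    ("DE", "DE", "low", "day", 0),    ("US", "US", "high", "day", 0),
    ("FR", "FR", "mid", "night", 0),  ("GB", "GB", "high", "day", 0),
    ("GB", "RO", "high", "night", 1), ("US", "NG", "high", "night", 1),
    ("DE", "RO", "mid", "night", 1),  ("FR", "NG", "high", "day", 1),
]


class NaiveBayes:
    """Categorical naive Bayes with Laplace smoothing, standing in for a
    production predictive model."""

    def __init__(self, rows):
        self.n = len(rows)
        self.prior = Counter()
        self.counts = defaultdict(Counter)  # (feature index, label) -> value counts
        self.values = defaultdict(set)      # feature index -> values seen
        for *feats, label in rows:
            self.prior[label] += 1
            for i, v in enumerate(feats):
                self.counts[(i, label)][v] += 1
                self.values[i].add(v)

    def p_fraud(self, feats):
        joint = {}
        for label in (0, 1):
            p = self.prior[label] / self.n
            for i, v in enumerate(feats):
                k = len(self.values[i]) + 1  # one extra slot for unseen values
                p *= (self.counts[(i, label)][v] + 1) / (self.prior[label] + k)
            joint[label] = p
        return joint[1] / (joint[0] + joint[1])


class RulesEngine:
    """Covers what a model cannot learn from experience: a monolithic event
    (breached BINs on a consortium negative list) and a transient burst
    (too many attempts from one IP inside a short window)."""

    def __init__(self, compromised_bins, max_per_ip=3, window_s=60):
        self.compromised_bins = set(compromised_bins)
        self.max_per_ip, self.window_s = max_per_ip, window_s
        self.recent = defaultdict(deque)  # ip -> timestamps inside the window

    def ip_velocity(self, ip, ts):
        q = self.recent[ip]
        while q and ts - q[0] > self.window_s:
            q.popleft()
        q.append(ts)
        return len(q)

    def evaluate(self, txn):
        hits = []
        if txn["bin"] in self.compromised_bins:
            hits.append(("decline", "card BIN on consortium negative list"))
        if self.ip_velocity(txn["ip"], txn["ts"]) > self.max_per_ip:
            hits.append(("review", f"over {self.max_per_ip} attempts from one IP in {self.window_s}s"))
        return hits


@dataclass
class Decision:
    action: str          # "approve" < "review" < "decline"
    model_score: float
    reasons: list


RANK = {"approve": 0, "review": 1, "decline": 2}


def decide(model, rules, txn, review_at=0.5, decline_at=0.9):
    """Rules and model each propose an action; the strictest one wins."""
    feats = (txn["bin_country"], txn["ip_country"], txn["amount_band"], txn["hour_band"])
    score = model.p_fraud(feats)
    outcomes = rules.evaluate(txn)
    if score >= decline_at:
        outcomes.append(("decline", f"model score {score:.2f}"))
    elif score >= review_at:
        outcomes.append(("review", f"model score {score:.2f}"))
    action = max((a for a, _ in outcomes), key=RANK.get, default="approve")
    return Decision(action, round(score, 3), [why for _, why in outcomes])


def run_demo():
    model = NaiveBayes(HISTORY)
    rules = RulesEngine(compromised_bins={"412345"})  # constructed list entry
    base = dict(bin="498765", bin_country="GB", ip_country="GB", amount_band="low",
                hour_band="day", ip="203.0.113.10")
    stream = [
        dict(base, ts=100),                                   # routine purchase
        dict(base, ts=101, bin="412345"),                     # looks routine, BIN was breached
        dict(base, ts=102, ip="198.51.100.7", ip_country="RO",
             amount_band="high", hour_band="night"),          # pattern the model learned
        dict(base, ts=103, ip="198.51.100.9"),                # start of a burst ...
        dict(base, ts=104, ip="198.51.100.9"),
        dict(base, ts=105, ip="198.51.100.9"),
        dict(base, ts=106, ip="198.51.100.9"),                # ... fourth attempt in 60s
    ]
    return [decide(model, rules, t) for t in stream]


if __name__ == "__main__":
    for d in run_demo():
        print(d.action, d.model_score, d.reasons)
```

Rules run alongside the model and the strictest proposed action wins, so the breached BIN is declined even though the model scores that purchase as routine, while the model alone catches the country-mismatch pattern that no rule spelled out and the velocity rule catches a burst the model has never seen. In production the negative list is fed from the consortium and the velocity state lives in a shared store rather than process memory.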
Addressing Delivery and Returns Fraud to Protect Profits
Accertify

A fraud team usually focuses on the actions of professional fraudsters. These are the criminal pros who attempt to steal on a large scale using automation and thousands of stolen payment cards. It makes sense to aim the artillery at big threats. Now, a different kind of smaller-scale fraud scenario, perpetrated by amateurs, is gaining traction on the fraud battlefront. It’s called delivery and returns fraud.

The unknown challenge

How many retailers really understand all the areas of shrinkage or loss in their business and quantify these losses accurately? Delivery and returns fraud, the act of defrauding a retailer via the returns process, is an increasing issue where fraudsters are exploiting supply chain processes. We are not talking false payment data here, but something a bit harder to detect. Akin to electronic shoplifting, an individual attempts one low-value fraud action, one retailer at a time. Some incidents involve fraud via a delivery channel, while others use variants of fraudulent returns.

Sometimes customers come across this type of fraud by accident as they realise weaknesses in retailer processes, but because they see it as a small-scale cost to a retailer, they do not perceive it to be fraud. Whether on a small scale, or something which becomes a customer habit, ultimately the customer ends up with either product or refunds they should not have received.

Historically, retailers have focused on chargeback losses. However, as retailers have brought this area of risk under control, either new areas of risk have become more visible, or the fraudsters have started to change their behaviour. Delivery and returns fraud may seem small scale even to the retailer, but collectively the losses can add up quickly. Many businesses do not have visibility of how big a problem this is becoming. According to the 2014 National Retail Federation Return Fraud Survey, the industry was estimated to lose USD 10.9 billion in 2014 alone.

The many guises of delivery and returns fraud

One of the challenges of fighting this type of fraud is that there are multiple guises it can take.

• Wardrobing – Want to go to a party and wear that expensive dress or tuxedo? With this tactic, you don’t have to pay a penny to have that special outfit. Wardrobing is making a legitimate purchase with the intention of using the item and returning it for the full value.
• Delivery denial – “I never received my goods and want a refund!” But you did receive the goods. You didn’t have to sign for the parcel, and so who knows whether the delivery driver did in fact leave it. Or, if you were to claim you never saw it, even though it is on your kitchen table, who’s to know?
• Bait-and-switch – That one-year guarantee seems to be timed perfectly to when something breaks, and it is only a couple of weeks outside that timeframe. Purchasing a working item and returning a damaged or defective identical item that was already owned, however, is still not a legitimate transaction.
• Courier fraud – Orders are intercepted and never received by the consumer. It is worth remembering that it is not always the end customer who is committing the fraud. Multiple people are involved in the supply of a product from retailer to customer, and understanding whether it is someone involved before the product reaches your customer is just as important.

The common theme here is that each of these tactics can result in the retailer losing a product and the sale from it, therefore impacting profitability - but in many cases without recognising the underlying causes of this decreased profitability.

Monitoring and addressing delivery and returns fraud

Retailers have been applying various methods to address this issue, with many being very manual and non-sustainable processes. Many have struggled with being able to track regular offenders and stop them before they attempt this type of fraud again. Many have also faced the challenge that some customers only show this behaviour once or twice.

Accertify believes the key to reducing delivery and returns fraud is to target who is involved in the delivery or return of the product. Retailers can leverage our platform to analyse each consumer’s behaviour and identify out-of-pattern returns and other delivery anomalies.

Our multi-merchant database allows each participating retailer to benefit from collective knowledge about returns fraud and thereby limit its losses. Retailers learning from each other is invaluable: they can now use this tool to benefit from other participating customers who have already leveraged data associated with prior fraudulent deliveries and returns.

Retailers are now able to manage a much broader set of risks in one place, improving efficiency for their business, whilst bringing on new ways to help protect themselves. They can still have different teams managing these different aspects of their business, but managing all the data and fraudulent behaviour in the same place enables them to track changes in fraudster behaviour more easily and collaborate internally.

Catherine Tong, General Manager, Accertify

About Catherine Tong: Catherine Tong is General Manager for Accertify in EMEA, leading a team of fraud specialists and partnering with companies from a variety of industries on their fraud management strategies as they enter and grow in new markets. Before joining Accertify, Catherine held various senior risk roles at the retailer Tesco and at PwC.

About Accertify: Accertify Inc., a wholly owned subsidiary of American Express, is a leading provider of fraud prevention, chargeback management and payment gateway solutions to merchant customers spanning diverse industries worldwide. Accertify’s suite of products and services, including machine learning, help ecommerce companies grow their business by driving down the total cost of fraud and protecting their brand.
www.accertify.com
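An added example, not Accertify's platform, of the analysis the article describes: profiling each consumer's returns and delivery-denial claims over a shared multi-merchant event log, linking customers with a normalised e-mail key, and flagging out-of-pattern return rates and repeated "never arrived" claims. The merchants, customers, events and thresholds are constructed, as is the assumption that the e-mail provider ignores dots in the local part.

```python
"""Out-of-pattern returns and repeated delivery-denial claims across merchants.

Added example, not Accertify's platform. Merchants, customers, events and
thresholds are constructed; the linkage key is an assumption a real
deployment would extend (delivery address, device, payment instrument).
"""
from collections import defaultdict


def normalise_email(email):
    """Linkage key. Lower-cases, strips a '+tag' and drops dots in the local
    part so 'c.arl+coats@example.com' and 'carl@example.com' link. Assumption:
    the mailbox provider ignores dots (true for Gmail, not for every provider)."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def constructed_events():
    """(merchant, email, kind) rows; kind is 'order', 'return' or 'claim'
    (a claim is the customer stating that the parcel never arrived)."""
    ev = []

    def add(merchant, email, kind, n):
        ev.extend((merchant, email, kind) for _ in range(n))

    add("ShoesCo", "Ann@Example.com", "order", 10); add("ShoesCo", "ann@example.com", "return", 1)
    add("BagsCo", "eve@example.com", "order", 8);   add("BagsCo", "eve@example.com", "return", 1)
    add("CoatCo", "fay@example.com", "order", 6)
    add("ShoesCo", "dee@example.com", "order", 2);  add("ShoesCo", "dee@example.com", "return", 1)
    # bob: wardrobing pattern spread thinly over three merchants
    for m, r in (("ShoesCo", 2), ("BagsCo", 2), ("CoatCo", 1)):
        add(m, "bob@example.com", "order", 2); add(m, "bob@example.com", "return", r)
    # carl: one "never arrived" claim per merchant, under varying e-mail spellings
    for m, e in (("ShoesCo", "carl@example.com"), ("BagsCo", "c.arl@example.com"),
                 ("CoatCo", "carl+coats@example.com")):
        add(m, e, "order", 1); add(m, e, "claim", 1)
    return ev


def profile(events, key=normalise_email):
    """Per-customer counts, with the set of merchants each was seen at."""
    stats = defaultdict(lambda: {"orders": 0, "returns": 0, "claims": 0, "merchants": set()})
    for merchant, email, kind in events:
        s = stats[key(email)]
        s["merchants"].add(merchant)
        s[kind + "s"] += 1
    return stats


def flag_anomalies(stats, min_orders=4, rate_multiplier=3.0, rate_floor=0.5, max_claims=1):
    """Flag customers whose return rate is out of pattern against the
    population baseline, or who make repeated delivery-denial claims."""
    total_orders = sum(s["orders"] for s in stats.values())
    total_returns = sum(s["returns"] for s in stats.values())
    baseline = total_returns / total_orders if total_orders else 0.0
    threshold = max(rate_multiplier * baseline, rate_floor)  # floor guards a near-zero baseline
    flags = {}
    for cust, s in stats.items():
        reasons = []
        rate = s["returns"] / s["orders"] if s["orders"] else 0.0
        if s["orders"] >= min_orders and rate >= threshold:
            reasons.append(f"return rate {rate:.2f} vs baseline {baseline:.2f}")
        if s["claims"] > max_claims:
            reasons.append(f"{s['claims']} delivery-denial claims across {len(s['merchants'])} merchants")
        if reasons:
            flags[cust] = reasons
    return flags


def consortium_flags():
    """What the shared, multi-merchant view flags."""
    return flag_anomalies(profile(constructed_events()))


def single_merchant_flags(merchant):
    """What one merchant sees with only its own events."""
    return flag_anomalies(profile([e for e in constructed_events() if e[0] == merchant]))


if __name__ == "__main__":
    print("consortium:", consortium_flags())
    print("ShoesCo only:", single_merchant_flags("ShoesCo"))
```

The last two functions make the case for the shared database: each merchant alone sees a single claim and too few orders to judge the serial returner, so it flags nothing, whereas the pooled profile flags both. A real deployment would window the counts (returns in the last 90 days rather than all time), weight by order value, and key the profile on more than e-mail.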
In today’s ever-changing online environment, identifying fraudulent transactions has become a major hurdle. How can companies like Risk Ident help merchants detect and stop suspicious transactions?

Ecommerce is in a continuous state of evolution and is expected to be worth GBP 185.44 billion (EUR 219.44 billion) in 2016. This makes online payments more and more of an attractive option for fraudsters, whose increasingly sophisticated techniques create a moving target for merchants looking to identify and tackle fraudulent transactions.

At Risk Ident we deliver the best use of quality anti-fraud data in Europe by using machine learning and behavioural analytics to help support fraud managers by intelligently processing a wide range of input sources, such as device identification. Using rules alone or monitoring single transactions is no longer as effective at detecting and stopping suspicious transactions. Establishing relationships between transactions helps merchants recognise potential fraud patterns without the need for expensive additional databases, acting fast to protect them from fraud.
Some herald the combination of machine learning and 'human detectives' as the next major revolution in fighting fraud. How do you feel about this combination of man and machine to find and fix weaknesses of the system?

We are passionate in our belief that man and machine – together – offer the strongest possible defence against fraud when used in combination. Machine-led intelligence has undoubtedly enhanced the proficiency of fraud prevention thanks to advanced algorithms which outshine the more traditional rule-based approach. It is important that companies take advantage of this technology and use it to further boost their fraud managers’ knowledge of their own fraud problems.

Machine learning should not be used to the detriment of human detectives, who are crucial for judging data choices to ensure legal compliance, and for giving individual consideration to any borderline cases that need the application of human processing. Modern methods of data science and software engineering help provide smarter technology that works more intelligently than traditional anti-fraud processes, pooling data for analysis that helps guard against repeat fraudsters without requiring private personal information. Ultimately, technology should not replace fraud managers. Instead, it should be used to empower them to take an educated, proactive approach by identifying and tackling fraud at the source.
What are some of the main changes that you would expect to impact the fraud prevention landscape following the Safe Harbour ruling from the ECJ?

The recent ECJ decision to suspend Safe Harbour could catalyse major changes for the fraud prevention landscape, affecting the data privacy and anti-fraud processes of businesses on both sides of the Atlantic. The ruling will have especially significant ramifications for businesses which depend on sharing data with organisations in the US in order to stay secure. Companies that want to establish more local, European-based data centres for customers’ data in the EU will have to adhere to European data privacy laws, which are traditionally much stricter. However, this still does not offer a total solution to EU businesses as the US Freedom Act, Section 702 (FAA 702) remains in use by the US government, which allows them to obtain data stored in Europe by US companies.
The ruling is potentially good news for European businesses and customers, however, as it has brought the focus back to customer privacy. We do not expect it to be a huge barrier to businesses. But it will undoubtedly cause friction and uncertainty before an alternative is agreed on in 2016. The ruling, together with the recent high-profile Weltimmo and Schrems cases, has certainly brought data privacy and the ethics of data sharing into focus for EU businesses. It is still possible to promote security while maintaining privacy by anonymising data, and it is something we very strongly believe in.

From your point of view, what is the best approach to gaining customers’ trust when it comes to data privacy and fraud protection?

Risk Ident was founded and built specifically with European privacy laws in mind and we strongly believe in smarter fraud prevention technology that helps maintain privacy without compromising security. We welcome moves by the European authorities that publicly and legislatively recognise the importance of data privacy in Europe.

There are far too many organisations out there that give customers the impression that giving up more of their privacy is in their best interests in order to stay safer online in the long run. This is definitely not the case. It is possible for personalised information to be kept separate from anonymised data, such as device identification, and to gain customers’ trust while keeping their payments safe. It is paramount that businesses are transparent with their customers and fully available to help manage any data sharing concerns.

Risk Ident points out that technology should not replace fraud managers. Instead, it should be used to empower them to take an educated, proactive approach by identifying and tackling fraud at the source.

Roberto Valerio, CEO, Risk Ident

About Roberto Valerio: Roberto Valerio is the CEO of Risk Ident, leading the day-to-day management of the company. He is responsible for driving the development of the business to serve merchants in need of a modern, intelligent approach to online fraud prevention.

About Risk Ident: Risk Ident offers anti-fraud solutions for companies within the ecommerce and financial sectors, empowering fraud managers with intelligence and self-learning machine technology to provide stronger fraud prevention. Risk Ident are experts in device fingerprinting and behavioural analytics, while its products are specifically tailored to comply with European data privacy regulations.
www.riskident.com/en
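As an added example (not Risk Ident's product), one way to build the separation Roberto Valerio describes: a device is identified by a keyed hash of its attributes, the fraud history is keyed only by that token, and the mapping from token to customer sits in a separate store consulted only on escalation. The device attributes, the key and the events are constructed. A keyed hash yields a pseudonym that only the key holder can recompute; whether that meets a given legal definition of anonymised data is a question for counsel, not for this code.

```python
"""Keeping device identification apart from personal data.

Added example, not Risk Ident's product. The fraud history is keyed by a
pseudonymous device token; the mapping from token to customer lives in a
separate store. Device attributes, the key and the events are constructed.
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Assumption: in production the key sits in an HSM or secrets manager and is
# never readable by the fraud store. Constructed value so the example runs offline.
TOKEN_KEY = b"constructed-demo-key-do-not-reuse"


def canonical_fingerprint(attrs):
    """Stable bytes for a device: sorted keys, no whitespace, so the same
    attributes give the same fingerprint whatever order they arrived in."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def device_token(attrs, key=TOKEN_KEY):
    """HMAC-SHA256 of the fingerprint. Without the key, a holder of the fraud
    store cannot recompute tokens from guessed attribute sets, and two
    deployments with different keys produce unlinkable tokens."""
    return hmac.new(key, canonical_fingerprint(attrs), hashlib.sha256).hexdigest()


class FraudStore:
    """Holds tokens and outcomes only: no e-mail, name or address."""

    def __init__(self):
        self.history = defaultdict(list)  # token -> [outcome, ...]

    def record(self, token, outcome):
        self.history[token].append(outcome)

    def prior_fraud(self, token):
        return sum(1 for o in self.history[token] if o == "fraud")

    def contains_email_like(self):
        return any("@" in o for outcomes in self.history.values() for o in outcomes)


class IdentityStore:
    """Separate, access-controlled store: token -> customer records. Only this
    side can link a token back to a person, and only when a case is escalated."""

    def __init__(self):
        self.by_token = defaultdict(list)

    def link(self, token, customer):
        self.by_token[token].append(customer)

    def resolve(self, token):
        return list(self.by_token.get(token, []))


def demo():
    fraud, ident = FraudStore(), IdentityStore()
    # Constructed sessions: the same device, attributes in a different order,
    # presented under two different e-mail addresses.
    s1 = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "tz": "Europe/Berlin",
          "lang": "de-DE", "screen": "1920x1080"}
    s2 = {"screen": "1920x1080", "lang": "de-DE", "tz": "Europe/Berlin",
          "ua": "Mozilla/5.0 (X11; Linux x86_64)"}
    t1, t2 = device_token(s1), device_token(s2)
    ident.link(t1, {"email": "first@example.com"})
    fraud.record(t1, "fraud")                         # chargeback confirmed later
    ident.link(t2, {"email": "second@example.com"})   # new identity, same device
    return {
        "same_device": t1 == t2,
        "prior_fraud_on_device": fraud.prior_fraud(t2),
        "fraud_store_has_pii": fraud.contains_email_like(),
        "identities_on_device": len(ident.resolve(t2)),
        "other_key_differs": device_token(s1, b"another-key") != t1,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The fraud side can still recognise a repeat device across two customer identities, which is what catches the repeat fraudster, while holding nothing that names a person; the identity store is the only place the token can be resolved, and it can sit in-region under its own access controls and retention rules.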
Myths about Machine Learning
Feedzai

The fintech revolution has begun and machine learning is at the forefront of this next wave of innovation. Machine learning, a branch of artificial intelligence, is now enabling computer systems to have sophisticated judgment and decision-making capabilities (remember that self-driving cars were thought impossible only a few years ago).

"Machine learning, I think, will have a larger impact over the next 20 years than mobile had over the past 20." – Vinod Khosla, Sun Microsystems co-founder and venture capitalist

As Google and Facebook continue to usher in the era of machine learning, the ripple effects can be felt in the financial services industry. Machine learning is radically changing the nature of money and financial services. Now is a great time to dispel the common myths about machine learning.

Myth 1: Machine learning is only for big companies

The declining cost of computing - due to factors such as improvements in computer processing speeds, cheaper data storage, increased communications bandwidth, and broader availability of data sources, to name a few - has leveled the playing field for companies and businesses of all sizes to be able to use machine learning technologies. The range of businesses that can now use machine learning is very wide, ranging from giants like Google and First Data to ecommerce startup merchants like LongboardsUSA.

Figure: Computing cost-performance (1992-2012). Source: Deloitte.

Furthermore, with the advances in software development technology, machine learning can be integrated into your system seamlessly using APIs or plug-ins. At the same time, as the open-source community grows, more developers are creating new applications and APIs that are highly specific to your business or technology stack. Open-source machine learning services are already available in C++ and Python, with more languages to follow. Lastly, the growth of cloud computing provides access to shared machine processing infrastructure. The cloud and open-source adoption, combined with APIs, are the factors that are removing technology barriers to machine learning adoption.

Myth 2: Machine learning takes away my ability to control my business

As machines do more work and make more decisions, the fear of losing control or not understanding the 'black box' machine logic is understandable. However, advances in human-to-machine interfaces have been made in recent years, such as 'whitebox scoring' methods, that demystify the underlying decision-making. The whitebox approach is essentially a semantic layer, turning data and decisions into descriptions that anyone can read without resorting to complicated and obscure machine logic or reason codes.

Additionally, as you implement machine learning in your business, it frees up time for your fraud and risk management team. They spend less time manually reviewing orders and payments or manually processing numerous chargebacks every week. This alone is a huge time-saver for your team, time which is reclaimed to spend running your business.

Myth 3: I want the Uber-model that is best for all

First, there is no single machine learning model that is universally better in all situations. Choosing the best model depends on the problem type, size, available resources, etc. However, just like teams of people working together, groups can often make better decisions than individual members. That is because individuals each have their own biases. The same is true in machine learning with the use of 'ensemble methods': using multiple models together in order to help compensate for individual bias. Ensemble methods combine the opinion of multiple learners to achieve superior collective performance. Moreover, ensembles are inherently parallel, which means they work efficiently side by side. For fraud prevention systems, this is vital because it requires far less training time to set up the initial models.

Not only does combining multiple models make the system safer, it also keeps it more relevant. By including different models, evolution will take place at a much faster rate, with less need for human supervision.

Myth 4: Machine learning is all about the model

It cannot be denied that you need a good model or ensemble of models to make machine learning efforts effective. However, simply having effective models isn't enough. Fraudsters are incessantly finding new loopholes and cracks in your system. The only way to stay one step ahead of them is to continually feed in new data sources and strengthen the intelligence by introducing new real-world data and connections. A machine-learning model is only as good as the data it ingests.

Figure: Data sources

The fintech revolution is well underway. As electronic commerce continues to rise, fraudsters have access to more sophisticated tools and increased channels to commit fraud. To combat fast-evolving fraud, organisations must adopt more sophisticated methods. Machine learning, when combined with human intelligence and intuition, can now have superior judgment and decision-making capabilities so organisations can eradicate fraud.

Dr. Pedro Bizarro, Chief Science Officer, Feedzai

About Dr. Pedro Bizarro: Pedro is the Chief Science Officer at Feedzai where he leads a team of data scientists who are keeping commerce safe. He is a recognized researcher in machine learning and holds a PhD from the University of Wisconsin at Madison.

About Feedzai: Feedzai was founded in 2009 by data scientists and aerospace engineers to make commerce safe for business customers through the use of artificially intelligent machine learning. Feedzai’s Fraud Prevention That Learns technology is used by large financial services companies to risk-score over USD 1 billion of commerce transactions each day. Feedzai is a US-based company and is funded by major venture capital investors including OAK HC/FT, Sapphire Ventures and Data Collective.
www.feedzai.com
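Added example, not Feedzai's code, covering Myths 2 and 3 above: a bagged ensemble of logistic regressions whose members are trained independently on bootstrap resamples (so they could run side by side), and a whitebox layer that turns the ensemble's averaged weights into readable reasons for a given transaction. The features, their descriptions and the training rows are constructed; a hand-written gradient-descent learner is used so the file runs without libraries.

```python
"""Ensemble scoring with a whitebox explanation layer.

Added example, not Feedzai's code. The feature names, descriptions and
training rows are constructed. The learner is a plain logistic regression
trained by batch gradient descent so the file has no dependencies.
"""
import math
import random

# Constructed, already-normalised features; the description is what the
# whitebox layer shows an analyst instead of a reason code.
FEATURES = [
    ("amount_z", "amount far above this customer's usual spend"),
    ("country_mismatch", "card country differs from IP country"),
    ("new_device", "first purchase from this device"),
    ("night", "purchase made during night hours"),
]
ROWS = [
    # amount_z, country_mismatch, new_device, night, is_fraud
    (-0.5, 0, 0, 0, 0), (-0.2, 0, 0, 1, 0), (0.1, 0, 1, 0, 0), (-1.0, 0, 0, 0, 0),
    (0.3, 0, 0, 0, 0),  (-0.3, 0, 1, 1, 0), (0.0, 1, 0, 0, 0), (0.2, 0, 0, 1, 0),
    (1.8, 1, 1, 1, 1),  (2.2, 1, 1, 0, 1),  (1.5, 1, 0, 1, 1), (2.5, 0, 1, 1, 1),
    (1.2, 1, 1, 1, 1),  (2.0, 1, 1, 1, 1),  (1.0, 1, 1, 0, 1), (1.7, 0, 1, 1, 1),
]


def sigmoid(z):
    z = max(-30.0, min(30.0, z))  # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(rows, epochs=400, lr=0.3):
    """Batch gradient descent for logistic regression; returns (weights, bias)."""
    n_feat = len(rows[0]) - 1
    w, b = [0.0] * n_feat, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n_feat, 0.0
        for *x, y in rows:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i, xi in enumerate(x):
                gw[i] += err * xi
            gb += err
        w = [wi - lr * gi / len(rows) for wi, gi in zip(w, gw)]
        b -= lr * gb / len(rows)
    return w, b


class Ensemble:
    """Bagging: each member trains on its own bootstrap resample, so members
    carry different biases and are independent of one another (they could be
    trained in parallel). The ensemble score is the mean of member scores."""

    def __init__(self, rows, n_members=5, seed=7):
        rng = random.Random(seed)
        self.members = [train_logistic(rng.choices(rows, k=len(rows)))
                        for _ in range(n_members)]

    def member_scores(self, x):
        return [sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
                for w, b in self.members]

    def score(self, x):
        s = self.member_scores(x)
        return sum(s) / len(s)

    def explain(self, x):
        """Whitebox layer: average each feature's contribution (weight x value)
        across members and render the positive ones as plain-language reasons,
        strongest first."""
        contrib = [0.0] * len(x)
        for w, _ in self.members:
            for i, (wi, xi) in enumerate(zip(w, x)):
                contrib[i] += wi * xi / len(self.members)
        reasons = [(FEATURES[i][1], round(c, 3)) for i, c in enumerate(contrib) if c > 0]
        return sorted(reasons, key=lambda r: r[1], reverse=True)


def demo():
    ens = Ensemble(ROWS)
    suspicious = (2.0, 1, 1, 1)   # constructed: large amount, mismatch, new device, night
    routine = (-0.4, 0, 0, 0)     # constructed: small amount, nothing unusual
    return {
        "suspicious": round(ens.score(suspicious), 3),
        "routine": round(ens.score(routine), 3),
        "member_spread": round(max(ens.member_scores(suspicious)) - min(ens.member_scores(suspicious)), 3),
        "why_suspicious": ens.explain(suspicious),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `explain` output is the semantic layer the article means: an analyst reads "card country differs from IP country" rather than a reason code, and the ordering tells them which signal dominated. Because contributions are averaged over the members, the explanation describes the ensemble's decision, not one member's quirk.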
Work Smart – Does Your Fraud Team Suffer from Decision Fatigue?
ai Corporation
Many young graduates join a fraud team in order to start a corporate
career. Invariably they would start by managing alerts after some
kind of induction programme. It is now well-evidenced in the field
of behavioural economics that as familiarity regarding a role grows,
other human biases start to become more pronounced; in other
words, the greater experience a fraud analyst has, the greater the
risk that they will subconsciously be influenced to wander from
the ideal resolution. At ai we have spent a lot of time studying
the psychology associated with this ‘decision fatigue’ and have
developed our software to mitigate its damaging effects.
The below graph demonstrates the otherwise hidden trend in
human behaviour being influenced by external factors. In this case,
judges presiding over a parole board discover their decisions are
being dramatically influenced by something entirely human - their
appetite. Do fraud analysts suffer from this?
Let machines handle the repetitive tasksai’s mantra to ‘automate tedious routines to release human
creativity’ aligns with the mounting scientific evidence presented in
the field of behavioural economics. In fact, one of the International
Institute of Analytics top ten predictions for 2015 was that analytics,
machine learning and automated decision-making would come of
age in 2015.
Right now, consumers have never had such a broad range of
options to pay for goods and services. What is more, the channels
through which the consumer may purchase their goods and
services have never been more diverse.
The cost of these new payment options and omni-channel
engagement methods has increased the complexity and associated
costs for issuing banks, acquiring banks and merchants; it is a cost
they must bear in order to stay competitive through this ‘consumer
self-service’ point of sales revolution.
The increase in complexity has created both opportunity and great
risk for three key groups. Firstly, consumers have the opportunity
to choose how and where to buy like never before. This creates
the opportunity for the second group, sellers, to increase volume
of sales. But with complexity comes confusion, and the third
group, fraudsters, has taken full advantage.
Today’s fraudsters are highly sophisticated and very well
organised. To combat this, legitimate businesses that want to stay
competitive need to be both equipped to stop the fraud, and able
to do this in an efficient and cost-effective manner.
A balance between man and machine
It is this need for efficiency and effectiveness in the face of ever-
increasing and more complex fraudulent activity that drives
ai’s product development. Our automated systems have been
developed to be more effective than manual human decision-
making. The efficiency improvements that come with reliable and
consistent performance are beyond what any human could be
expected to achieve.
It is often said of ai that we are a ‘people business’. We agree – it
is people that drive any successful business and, as our clients
testify, it is often our people that help drive other businesses. So,
in the case of the fraud management world, what are we doing to
ensure we support this principle? If we think about the motivation
for a fraudster versus an employee in an increasingly burdened
fraud department, you could argue that it is incredible we manage
to stop fraud the way we do. So how do we tackle this imbalance?
About Mark Goldspink : Mark has spent 25 years in general management roles. Mark joined ai Corporation (ai) in 2013 to work with Ashley Head on developing and expanding a whole series of inter-related payment businesses globally, but with main focus on ai.
About ai Corporation: ai provides fraud prevention solutions to some of the world’s largest financial institutions, merchants and PSPs. Our unique self-service solutions, including our new state-of-the-art neural technology, protect and enrich payments experiences for more than 100 banks and 3 million multichannel merchants, monitoring over 20 billion transactions a year.
www.aicorporation.com
Mark Goldspink
Chief Executive Officer
ai Corporation
With the 2015 launch of ai’s neural modelling and automated rule
set engines, we believe they were right.
ai is very proud of our technical relationship with one of the world’s
leading academic institutions, which is helping us provide “state of
the art” machine learning solutions. Over the past 2 years we have
invested over 40% of revenues into research and development.
At ai, we believe some jobs are best done by machines, leaving
creative decisions to humans. Therefore, our tools have been
designed to complement business teams, automating many of the
repetitive activities and allowing our customers to focus on the
more complex issues.
Scientifically proven
There is undeniable evidence through peer-reviewed studies that
external influences cause human decision-making to change
during the day, leading to intraday inconsistencies. Isn’t it human
nature to think about the weekend and evening events rather than
maintain complete focus through a work shift? For fraud teams,
such distraction could result in serious financial repercussions, but
it is entirely foreseeable and indeed natural for humans to become
distracted like this, more so when working in an increasingly
complex payments environment.
The questions you should perhaps be asking are: could your fraud
team or fraud service provider be suffering from decision fatigue
and if so, how can you counter this?
The Future is Mobile
CyberSource
The data available from mobile devices is different from non-
mobile devices, and even differs via type of mobile device.
For example, Apple devices provide a more diluted device
fingerprint than Android due to the ‘locked down’ nature of
Apple’s OS.
The detection tools used in fraud management may not change,
but the importance of them may vary, depending on the information
available via different devices.
All the differences in behaviour, data and tools require a set of rules
specifically for the mobile channel, and a channel specific mobile
fraud strategy. The rules created at first will no doubt depend on
the data that you can capture, the behavioural patterns and fraud
trends that are understood to be relevant by your business, and the
level of sophistication that suits your organisation’s requirements
and risk profile.
Managing mCommerce Fraud Risk – A Framework for Action
The framework above provides a process-based approach to work through the differences between mCommerce and eCommerce for fraud management. Working through the process step by step can help you understand the implications of the mobile channel for fraud management, and equip you to decide on the best course of action for your organisation.
When I talk to businesses about their ambitions for digital
commerce growth, one of the key messages I consistently hear is
that the future is mobile. Whatever the size or industry, businesses
understandably want to take advantage of the continuing growth of
smartphone and tablet penetration, and their use by consumers to
purchase goods and services.
Whilst most businesses appreciate the need to tailor their ecommerce
experience and user interface for mobile websites and apps, many
are not tailoring their fraud management strategy in the same way.
The latest CyberSource fraud survey reports that 45% of survey
respondents cite the ‘inability to accurately measure fraud rates
by sales channels (causing operational efficiencies)’ as one of the
fraud challenges of greatest concern (CyberSource 2015 UK Fraud
Report Series: Part 1 – The World of Mobile Fraud). This is not
surprising when the following findings are also reported:
- 43% of respondents track fraud from mobile commerce channels
- 89% of those who do track mobile orders use the same fraud
tools as used to screen ecommerce orders
When businesses don’t track or adapt their fraud strategies to the
mobile channel, they become vulnerable in two ways: they risk
higher rates of fraud coming via the mobile channel, or they risk
blocking orders from genuine customers. The last thing needed in
trying to grow the mobile channel is that customers may have a less
than ideal experience.
mCommerce fraud strategy
While there are many similarities between eCommerce and
mCommerce, there are a number of important differences particularly
relevant for fraud management:
Consumer behaviour on a mobile device differs from that on a
normal PC (laptop or desktop): purchases are made at different
times of the day and the types of purchase differ. Thus,
rules designed for traditional eCommerce purchases may flag
mobile behaviour as anomalous.
About Neil Caldwell: Neil Caldwell, VP of European Sales, is responsible for spearheading the expansion of CyberSource’s European business and overseeing the sales and account management functions within the company. An accomplished and dynamic sales leader, Neil’s background has given him outstanding expertise in financial services and eCommerce payments.
About CyberSource: CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. CyberSource operates in Europe under agreement with Visa Europe.
www.cybersource.co.uk
Neil Caldwell
Vice President
European Sales
CyberSource
For those just starting out with a fraud management strategy,
I recommend three simple steps to help get started:
- Start tracking mobile transactions. Measuring mobile chargebacks,
rejection and review rates will enable informed decisions to be
made about when and how to act.
- Create a distinct mobile profile, even if at first the rules applied
are an exact copy of existing ecommerce rules.
- Start capturing the device type and operating system, even if no
rules are immediately implemented based on the differences in
fraud pressure between the devices.
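The three steps above, worked through as an added example (not CyberSource’s code): constructed sample orders, per-channel chargeback, rejection and review rates, a mobile rule profile that starts as an exact copy of the ecommerce rules and is then tuned for the channel, and a device type/OS breakdown. The rule names, thresholds, order data and the tuned night window are assumptions made for illustration only.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Order:
    order_id: str
    channel: str      # "ecommerce" or "mobile"
    device_type: str  # "desktop", "laptop", "phone", "tablet"
    os: str           # "Windows", "macOS", "iOS", "Android"
    amount: float     # order value in the merchant's currency
    hour: int         # local hour of day (0-23) the order was placed
    outcome: str      # historical result: approved / rejected / review / chargeback


# Constructed sample orders for this example (not real merchant data).
SAMPLE_ORDERS: List[Order] = [
    Order("E1", "ecommerce", "desktop", "Windows", 120.0, 14, "approved"),
    Order("E2", "ecommerce", "desktop", "macOS", 650.0, 10, "review"),
    Order("E3", "ecommerce", "desktop", "Windows", 80.0, 3, "rejected"),
    Order("E4", "ecommerce", "laptop", "Windows", 40.0, 12, "chargeback"),
    Order("M1", "mobile", "phone", "iOS", 45.0, 23, "approved"),
    Order("M2", "mobile", "phone", "Android", 30.0, 0, "approved"),
    Order("M3", "mobile", "tablet", "iOS", 700.0, 21, "review"),
    Order("M4", "mobile", "phone", "Android", 25.0, 4, "chargeback"),
    Order("M5", "mobile", "phone", "iOS", 60.0, 22, "approved"),
]


def channel_rates(orders: Iterable[Order]) -> Dict[str, Dict[str, float]]:
    """Step 1: chargeback, rejection and review rates measured per channel."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for o in orders:
        counts[o.channel]["total"] += 1
        counts[o.channel][o.outcome] += 1
    return {
        ch: {
            "chargeback_rate": c["chargeback"] / c["total"],
            "rejection_rate": c["rejected"] / c["total"],
            "review_rate": c["review"] / c["total"],
        }
        for ch, c in counts.items()
    }


def device_rates(orders: Iterable[Order]) -> Dict[Tuple[str, str, str], float]:
    """Step 3: chargeback rate per (channel, device type, OS), so differences
    in fraud pressure between devices are visible before any device rule exists."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    chargebacks: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for o in orders:
        key = (o.channel, o.device_type, o.os)
        totals[key] += 1
        if o.outcome == "chargeback":
            chargebacks[key] += 1
    return {k: chargebacks[k] / totals[k] for k in totals}


# Step 2: one rule profile per channel (hypothetical rule names and thresholds).
# The mobile profile starts as an exact copy of the ecommerce rules.
ECOMMERCE_PROFILE = {"max_amount": 500.0, "night_hours": (0, 1, 2, 3, 4)}
COPIED_PROFILES = {"ecommerce": ECOMMERCE_PROFILE, "mobile": dict(ECOMMERCE_PROFILE)}

# Tuned mobile profile: late-evening purchases are normal mobile behaviour in
# the sample, so the night window is narrowed for that channel only.
TUNED_PROFILES = {
    "ecommerce": ECOMMERCE_PROFILE,
    "mobile": {"max_amount": 500.0, "night_hours": (3, 4)},
}


def screen(order: Order, profiles: Dict[str, Dict]) -> str:
    """Apply the rule profile that belongs to the order's channel."""
    rules = profiles[order.channel]
    if order.amount > rules["max_amount"]:
        return "review"
    if order.hour in rules["night_hours"]:
        return "review"
    return "approve"


def simulated_review_rate(orders: Iterable[Order], profiles, channel: str) -> float:
    """Share of a channel's orders that a profile set would send to manual review."""
    chan = [o for o in orders if o.channel == channel]
    flagged = sum(1 for o in chan if screen(o, profiles) == "review")
    return flagged / len(chan) if chan else 0.0


if __name__ == "__main__":
    for ch, r in channel_rates(SAMPLE_ORDERS).items():
        print(ch, r)
    for key, rate in device_rates(SAMPLE_ORDERS).items():
        print(key, f"chargeback rate {rate:.2f}")
    print("mobile review rate, copied rules:",
          simulated_review_rate(SAMPLE_ORDERS, COPIED_PROFILES, "mobile"))
    print("mobile review rate, tuned rules:",
          simulated_review_rate(SAMPLE_ORDERS, TUNED_PROFILES, "mobile"))
```

With the copied ecommerce rules, three of the five sample mobile orders would go to review; the tuned mobile profile sends two, while the ecommerce channel is unaffected.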
You can’t manage what you can’t measure
The mobile space is relatively new and, as it grows and matures,
fraudster strategies and exploits are likely to evolve. Consumer
behaviours and purchasing patterns are likely to continue to change.
So, in my opinion, it is important to monitor, measure, analyse and
fine-tune fraud management strategies for the mobile channel even
more closely than for established channels.
Fraudsters will move between channels as they try to exploit both
eCommerce and mCommerce. As important as it is to segment
these channels, it is equally as important to be able to integrate
them for analysis and to spot activity and patterns in one channel
that affect actions in another.
In my experience, businesses that actively manage mobile fraud can
achieve fraud rates similar to rates achieved on other channels, and
for those experiencing above average rates, it is usually a sign that a
mobile-specific fraud strategy either is not in place, or needs to be
fine-tuned.
The ability to understand how consumer behaviour differs on mobile
devices; to capture the data that is relevant to the mobile channel
and implement appropriate fraud management tools and rules; to
track and analyse mcommerce chargeback, rejection and review
rates and fine tune your mobile strategy in response – all have clear
implications for the experience that both customers and fraudsters
have when they interact with you through your mobile channel.
360-Degrees Fraud Management: Securing the Customer Journey
Innopay
Don’t get me wrong: we desperately need these experts, today
more than ever! However, just as we would not rely exclusively
on the finance department to be profitable, we cannot expect the
risk, security or fraud department to, by themselves, keep our
customers’ data and money safe, especially not from within the
‘second line’. How then do we close this gap?
It starts with an integrated, customer centric view
At Innopay we use a three-tiered approach called “360-degrees
fraud management” which consists of a comprehensive set of
tools enabling organisations to come to grips with the wicked
problem that fraud is. Below you will find a primer.
Tier 1: Mission control
It is important to define clear roles and responsibilities that are
as integrated with ‘regular’ governance as possible to avoid
unnecessary cost and preserve organisational agility.
Proper orchestration will allow the organisation to take action when
a new M.O. (modus operandi or specific fraud pattern) emerges,
before fraudsters get a chance to ramp-up and/or branch-out their
operation. It will also help the organisation identify consolidation
opportunities for fraud measures, which is important given the
ongoing commoditization of available solutions.
Tier 2: Customer journey
The customer journey is at the heart of the approach, because
ultimately this is what the organisation is all about: providing
convenient, secure and cost effective service to their customers.
It is paramount that we strike the right balance and make sure that
the most convenient options are secure. There is nothing like a
burdensome security measure to make customers look for easier,
and often less secure alternatives, sometimes at the competition.
Customer authentication (during login and transaction signing) and
fraud detection are the key ingredients of this defence layer. Today
we see new technologies being implemented such as mobile centric
authentication, fingerprint-, behavioural- and voice recognition
resulting in an easier and truly omnichannel customer experience if
and when properly designed.
When asked in the 1930s why he robbed banks, Willie ‘Slick’ Sutton
replied: “because that’s where the money is”. Sure, banking has
since then largely moved online, and so have criminals. However,
what was true then remains as true today: criminals target financial
institutions because that’s where the money is. As a result, both the
top- and bottom line suffer.
Fraud: an inevitable surprise
We know that at some point we will be confronted with fraud,
we just don’t know exactly when and in which form. We are in a
constant balancing act between customer convenience, fraud
control and cost containment.
The top line suffers as customer journeys are cut short for being
overly burdensome because of security measures. Think of
prospects having to come to the branch, or getting stuck in paper
heavy processes during onboarding, hampering conversion rates.
The bottom line hurts because implementing and maintaining anti-
fraud measures can have serious (opportunity) costs that come on
top of actual fraud loss- and repair cost.
Fundamentally, fraud is a business issue, so let’s treat it as such
So, why is it that something with as much impact on both the
organisation and its customers as fraud is often treated like an
afterthought, and is still frequently offloaded to risk managers,
security officers and fraud advisors outside the primary process?
About Hugo Löwinger: Hugo Löwinger brings over a decade of experience in business driven fraud and authentication strategy at large financial institutions. Hugo leads the digital identity practice at Innopay and previously fulfilled strategic positions at a.o. ING Bank and Capgemini Consulting.
About Innopay: Innopay is an independent consulting company, specialised in online payments, digital identity and e-business. We help our clients, including financial institutions, governments and corporates, develop the compelling strategies and digital services for consumers and companies that are key for successful competition in a rapidly digitising world.
www.innopay.com
Hugo Löwinger
Digital Identity & Fraud
Management
Innopay
Tier 3: Knowledge position
Last but certainly not least is the knowledge position of the organisation,
which is essential in taking well informed decisions and action.
Many organisations are exchanging fraud intelligence, both quid-
pro-quo and commercially. This intelligence ranges from stolen
credentials (e.g. usernames, passwords) retrieved from underground
forums, to suspicious IP addresses, skimmed cards and sometimes
even alerts from risk engines.
Not only should knowledge be shared with peers. It is also important
that we do not shun our customers out of fear of spooking them. As a
result of high profile fraud incidents and security breaches, customers
are much more aware of potential risks. We should acknowledge
their concern by providing them with actionable information.
When applied the right way, knowledge can be a true multiplier of
defence effectiveness.
Putting it all together: a 360-degree approach to business driven defence-in-depth fraud management
To meet customer expectations in a secure manner, organisations
make fraud management a natural part of the design, continuous
development and management of their customer journeys. This takes
tools and methods that business owners feel comfortable applying
and is exactly where the 360-degrees approach can help.
When asked “why is fraud management driven from within the business?”,
at Innopay we reply: “because that’s where the solutions are”!
E-ID: Fraud and Risk Prevention in Cross-border Ecommerce
Ecommerce Europe
e-ID as a solution
Fortunately, in order to improve data protection and to increase
convenience and consumer trust, many Member States are
currently working on (or already working with) national e-ID
schemes. Interoperable online identities verified directly by the
government, or indirectly by other trusted parties, will help reduce
risks of cybercrime and (payment) fraud. e-ID can guarantee the
unambiguous identification of a consumer and enables effective
age verification for age-dependent services (such as online
gambling) or certain product markets (such as alcohol, tobacco
and medication).
Especially with regard to payments, e-identification brings great
opportunities to solve problems caused by complicated check-
out processes. By reusing formerly verified information, delivery
and payment preferences, the checkout solution can be simplified,
which adds much to the seamless shopping experience of the
consumer. At the same time, this so-called one-click-buy solution
guarantees maximum reach and conversion at fair cost for
merchants and consumers.
Cross-border ecommerce
The growth rate of the European B2C ecommerce sector reached
double digits in 2014. However, the full potential of the European
ecommerce market has not been achieved yet. Currently, only
15% of consumers shop online from another EU country. In order
to stimulate cross-border ecommerce, European stakeholders
should work together in removing remaining barriers.
Ecommerce Europe believes interoperable e-identification is a
precondition to unlock the potential of cross-border ecommerce.
In the online payments sphere, fraud is believed to be one of the
main barriers, with identity theft as one of the fastest growing
crimes. e-ID solutions enable the prevention of fraud and identity
theft, and stimulate the development of consumer trust and
convenience. The e-ID landscape develops quickly. However,
for interoperable e-identification to evolve, hurdles should be
overcome.
Barriers for cross border ecommerce
As a recent survey by Experian shows, most organisations
(78%) across Europe, the Middle East and Africa consider online
fraud the biggest challenge at the moment. In particular, identity
theft, which is currently a major issue for 24% of businesses in
EMEA, is expected to double in the next five years and become
a serious concern for 48% of businesses. Ecommerce Europe
believes that the main reason for this problem is the lack of safe,
reusable and interoperable e-identities. This deficiency forces
online services providers to each provide their own consumer
registration and login solutions. Within the variety of solutions,
safe and secure digital interactions between businesses and
consumers are not always guaranteed.
In June 2015, Ecommerce Europe published the outcome of
the survey “Barriers to Growth” in ecommerce. Consumer
identification was specifically mentioned as a concrete example
when it came to barriers linked to online payments. The absence
of reusable e-identities proved to be a barrier for merchants who
wanted to participate in cross-border ecommerce.
About Elaine Oldhoff: Elaine Oldhoff works as a policy advisor for the Dutch association for online stores Thuiswinkel.org. She is a member of the e-Regulations Committee and the e-Payments Committee of Ecommerce Europe. On a daily basis she focusses on the potential of e-identification for the digital economy.
About Ecommerce Europe: Ecommerce Europe is the association representing around 25,000 companies selling products and/or services online to consumers in Europe. Ecommerce Europe offers to be a one-stop-shop for the European Institutions for all ecommerce related issues. Ecommerce Europe can be consulted on market research and data, policy questions and in-depth country knowledge.
www.ecommerce-europe.eu
Elaine Oldhoff
Policy Advisor
Thuiswinkel.org
eIDAS Regulation: interoperability on its way
In order to fully benefit from e-ID opportunities, interoperability
between e-ID schemes in different Member States should be
stimulated. The recently adopted eIDAS Regulation requires
Member States to recognise each other’s e-ID means where, under
national law or administrative practice, such means are required to
access a public service. This applies as long as the means is issued
under an electronic identification scheme that is notified to and
included in the list published by the European Commission.
The effort made by the Commission in drafting the eIDAS regulation
looks like a step in the right direction. The interoperability of national
electronic identification schemes across borders is however still in
its infancy. Ecommerce Europe believes that the eIDAS regulation
lacks the obligation for Member States to notify their national
schemes to the European Commission.
Ecommerce Europe calls upon national governments to notify
their national schemes to the European Commission in order
to enable an interoperable e-ID landscape throughout Europe.
An interoperable e-ID will be a driver for innovation and, eventually,
will reduce cybercrime and fraud risk. To continue the growth rate
of B2C ecommerce, consumer trust should be reinforced.
REGULATION, PRIVACY AND DATA PROTECTION
Security of Internet Payments: the EBA Two-Step Approach
The European Payments Council
In response to the consultation, the EPC recommended a third
option (called ‘option c’): a scenario whereby the EBA guidelines
would be issued only after the entry into force of PSD2 and the
publication of the regulatory technical standards as mandated by
PSD2, following a consultation of the market and safeguarding an
adequate timeframe for implementation.
If the EBA were not to accept the recommended ‘option c’, the EPC
had a preference for ‘option a’, i.e. the two-step approach.
The EPC also pointed out that, in the last two decades, many
security solutions were implemented, only to have been rendered
obsolete and be replaced by safer solutions as technology
evolved. Therefore, stakeholders are permanently in search of
solutions that master the subtle balance between security and
user convenience. Since 2010, new threats have appeared,
authentication solutions have evolved and the preferred platform
for internet payments has changed from PCs to mobile devices.
This field of expertise is highly dynamic. The EPC, therefore,
suggested that new developments (e.g. tokenization, risk-based
authentication) should be taken into account when finalising the
guidelines.
Finalised EBA guidelines on the security of internet payments
The finalised guidelines, published by the EBA in December 2014,
set the minimum security requirements that Payment Service
Providers (PSPs) in the EU were expected to implement. The EBA
retained the two-step approach whereby the guidelines, which
were implemented on 1 August 2015, will be replaced at a later
stage by more stringent requirements necessary under the PSD2.
The EBA therefore concluded that a delay in the implementation
of the guidelines until the transposition of the PSD2 in 2017/2018
would not be feasible in view of the continuously high and growing
levels of fraud in the domain of internet payments.
The European Banking Authority (EBA), as part of its mission to
ensure effective, consistent and prudential regulation, as well
as supervision across the European banking sector, drafted
implementation guidelines on the security of internet payments in
2014. The guidelines were based on the recommendations issued
in January 2013 by the European Forum on the Security of Retail
Payments (SecuRe Pay) for the security of internet payments.
The EBA consulted the payment stakeholder community on those
guidelines in late 2014. Due to the fact that the finalised EBA
implementation guidelines would apply prior to the entry into force
of the revised Payment Services Directive 2 (PSD2), the European
Payments Council (EPC) suggested an alternative approach.
The EBA, however, decided that the implementation guidelines
would come into force on 1 August 2015 and, then, stronger
requirements would emerge at a later date under the PSD2.
The EPC is now looking forward to the EBA’s consultative process
on the updated security requirements of internet payments, which
should meet the more stringent principles of the PSD2.
The 2014 EBA consultation on implementation guidelines for internet payments and the EPC response
During the consultation process, the EBA focused specifically on
implementation rather than the substance of the requirements as
the negotiations of the PSD2 could have affected them. The EBA
issued these guidelines to ensure consistent regulation across
the European Union (EU) and provide legal certainty for market
participants.
The consultation on these guidelines asked the question: “Do you
prefer for the EBA guidelines to:
a) Enter into force, as consulted on 1 August 2015 with the
substance set out in this consultation paper, which means
they would apply during a transitional period until stronger
requirements enter into force at a later date under PSD2
(‘option a’)
b) Anticipate these stronger PSD2 requirements and include
them in the final guidelines under PSD1 that enter into force on
1 August 2015, the substance of which would then continue to
apply under PSD2” (‘option b’)?
About Javier Santamaría: Javier Santamaría is the Chair of the EPC and a Senior Vice President with Banco Santander. He is a member of the Board of the Euro Banking Association, a Director of the SWIFT Board and Chair of the Iberpay Board.
About The European Payments Council: The European Payments Council is an international not-for-profit association, representing payment service providers, which aims to support and promote European payments integration and development, notably the Single Euro Payments Area (SEPA), through the development and management of pan-European payment schemes and the formulation of positions on European payment issues.
www.europeanpaymentscouncil.eu
Javier Santamaría
Chair
The European Payments Council
Some countries announced they were unable to comply with the EBA guidelines
The EBA guidelines are based on a 'comply or explain' principle:
national competent authorities need to inform the EBA about
whether they will be able to comply and, if not, they are asked
to provide an explanation. The majority of the national competent
authorities advised that they would comply or intend to comply
with the EBA guidelines on the security of internet payments.
However, the UK, Slovakia, Estonia and Iceland communicated
that they are unable to, while Cyprus and Sweden will partially
comply.
Towards more stringent EBA guidelines compliant with the PSD2
A key question covered in the PSD2, though with certain ambiguities,
is the authentication of the payment service user. To this end, the
EBA is tasked with developing and drafting regulatory technical
standards on strong customer authentication, which should be
submitted to the European Commission within 12 months of the
PSD2 entering into force, i.e. by the end of 2016.
In this context, the EPC strongly advises against the possibility
for third-party PSPs to use the personal security credentials of
the customer to get access to its account. The EPC reiterates
that personalised security credentials should not be shared with
third parties and hopes that the EBA will take this concern into
consideration.
The EPC, furthermore, looks forward to the EBA’s consultative
process in this area and the opportunity it will provide to contribute
to achieving secure and convenient internet payments, as well as
technological neutrality.
How EMV Will Change Online Business in the US
CardinalCommerce
Historically, in other regions, as EMV cards have been rolled out,
POS-related fraud, as would be expected, went down. CNP fraud,
however, skyrocketed. In the UK, online fraud jumped from GBP
45 million the year before the cards were introduced to GBP 181.7
million five years later. Experts expect the same to happen in the
US. To combat the threat of CNP fraud, the use of 3D Secure was
mandated in other regions, and merchants implemented protocols
like Verified by Visa, MasterCard Secure Code, American Express
SafeKey, and others. As a result, CNP fraud in those areas has
decreased, but has recently started to rise in the US.
How can online merchants protect themselves?
To thwart the influx of online fraud, many ecommerce merchants
have dialed up their fraud tools. This helps control the increasing
levels of fraud, but also creates false positives: transactions that
the fraud tool flags as potential threats, leading the merchant to
decline what are actually good orders. This is almost as harmful to
a merchant as the fraud attack itself because it results in lost sales
and potential insults to good consumers.
This puts online merchants in a difficult spot. Because EMV cards
cannot be used for in-person fraud, the fraudsters look for the path
of least resistance, the CNP world. But there is a way to prevent
fraud. Cardinal Consumer Authentication (CCA) protects online
transactions the way EMV cards prevent fraud at the cash register.
CCA’s patented technology works with the 3D Secure protocols to
authenticate transactions with the card-issuing bank during online
transactions. Our more than 15 years of experience in protecting
CNP transactions benefits merchants. And, by combining CCA
with a fraud tool, merchants can increase their good orders by up
to 15% vs using a fraud tool alone.
Its rules-based approach gives merchants choice in how each
transaction is authenticated, and control over the amount of
consumer friction during checkout. In some cases, where a
merchant has high ticket items (like fine jewelry or travel) or SKUs
that have a history of fraud, introducing friction into the checkout
experience in the form of a challenge can be what the merchant
intends. The authentication rules allow merchants to balance the
risk of the transaction with the consumer experience.
Everyone in the payments ecosystem is talking about EMV and the
October 2015 deadline for liability shift in the US. For merchants
who have installed the EMV card readers in their brick-and-mortar
locations, this means that they will not be liable for fraud at the
point-of-sale terminal (or point-of-sale fraud). But, for omnichannel
and online merchants, how will the use of EMV cards impact their
ecommerce fraud level?
Many banks and retailers in the US are now using the EMV system
because of recent data breaches. Long used in Europe and other
regions, this system uses credit cards with an embedded chip, thus
requiring new POS readers on the merchant side. The chip makes
cards more difficult to counterfeit for in-person use. This new
system, though expensive to implement for both merchants and
banks, will make POS transactions much more secure. However,
it also introduces the threat of fraud in card-not-present (CNP)
transactions, because the chip provides no benefit when the card
is not present.
History of EMV
EMV is not a new technology, even though it is ‘news’ in the US.
Introduced in the ‘90s, EMV has almost completely replaced the
magnetic stripe cards in Europe, and is in wide use in Asia, South
America, Canada and Mexico. The US, the last major holdout, is
converting now, with a recent liability shift deadline in October 2015.
One of the major benefits of EMV cards lies in how the chip
works. Each time the card is used in person, the chip creates a
unique transaction code that cannot be re-used. Therefore, if a card
number is stolen in a breach and a counterfeit card is created, the
stolen number and transaction code are not usable, and any
fraudulent attempt at the point of sale would be denied. This is also
a drawback, because the chip is not ‘read’ for a CNP transaction,
whereas a stolen EMV card number can be, and increasingly is,
used to make fraudulent CNP transactions.
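To make the chip’s behaviour concrete, here is an added, simplified model of the per-transaction code and of the issuer’s check. It is example code written for this guide, not Cardinal’s or any card scheme’s implementation: real EMV cryptograms use scheme-specific key derivation and block-cipher MACs, whereas HMAC-SHA256, the `ChipCard`/`Issuer` names, the test PAN and the fixed key below are assumptions made for the illustration. It shows the property the text relies on: a counterfeit card built from a breached PAN has no key and cannot produce a valid code, a captured code cannot be replayed because its counter has already been seen, and a tampered amount invalidates the code. None of this check exists in a CNP transaction, because no chip takes part.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed, simplified model of the per-transaction code an EMV chip
# produces and the issuer verifies. HMAC-SHA256 stands in for the
# scheme-defined MAC; the structure (card key + counter + transaction data)
# is what gives the code its one-time, non-forgeable character.


@dataclass
class ChipCard:
    """The card side: a secret key that never leaves the chip, plus a counter."""

    pan: str
    card_key: bytes
    atc: int = 0  # Application Transaction Counter, incremented on every use

    def transaction_code(self, amount_cents: int, terminal_nonce: bytes) -> tuple[int, str]:
        self.atc += 1
        data = f"{self.pan}|{amount_cents}|{self.atc}|".encode() + terminal_nonce
        mac = hmac.new(self.card_key, data, hashlib.sha256).hexdigest()[:16]
        return self.atc, mac


@dataclass
class Issuer:
    """The issuer side: knows each card's key and the last counter it accepted."""

    keys: dict[str, bytes]
    last_atc: dict[str, int] = field(default_factory=dict)

    def verify(self, pan: str, amount_cents: int, atc: int,
               terminal_nonce: bytes, mac: str) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "decline: unknown card"
        data = f"{pan}|{amount_cents}|{atc}|".encode() + terminal_nonce
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()[:16]
        # A counterfeit card (wrong key) or a tampered amount yields a different MAC.
        if not hmac.compare_digest(expected, mac):
            return "decline: bad cryptogram"
        # A captured code resubmitted later carries a counter already accepted.
        if atc <= self.last_atc.get(pan, 0):
            return "decline: replayed cryptogram"
        self.last_atc[pan] = atc
        return "approve"


def demo() -> list[str]:
    """Walk through the cases the text describes; returns the issuer decisions."""
    pan = "4111111111111111"  # constructed test PAN
    key = bytes(range(16))    # constructed card key; real keys are random per card
    genuine = ChipCard(pan, key)
    issuer = Issuer({pan: key})
    nonce = os.urandom(4)     # unpredictable number supplied by the terminal

    atc, mac = genuine.transaction_code(1999, nonce)
    results = [issuer.verify(pan, 1999, atc, nonce, mac)]          # approve
    results.append(issuer.verify(pan, 1999, atc, nonce, mac))       # replayed
    results.append(issuer.verify(pan, 9999, atc + 1, nonce, mac))   # amount tampered

    # Counterfeit card built from a breached PAN: no access to the chip's key.
    counterfeit = ChipCard(pan, os.urandom(16))
    c_atc, c_mac = counterfeit.transaction_code(1999, nonce)
    results.append(issuer.verify(pan, 1999, c_atc, nonce, c_mac))   # bad cryptogram
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Running the file prints the four issuer decisions in order: approve, replayed cryptogram, bad cryptogram (tampered amount), bad cryptogram (counterfeit card).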
About Michael Roche: Michael Roche is the VP of Consumer Authentication and focuses on improving current products and shaping new product development, as well as developing and strengthening relationships with enterprise partners in order to provide them with ecommerce solutions tailored to their needs.
About CardinalCommerce: CardinalCommerce is the pioneer and global leader in enabling authenticated payment transactions in the card-not-present payments industry, and the largest authentication network in the world. Through One Connection to the proprietary Cardinal SafeCloud, we enable friction-free, technology-neutral authentication and alternative payment services (including digital wallets and mobile commerce services).
www.cardinalcommerce.com
Michael Roche, VP of Consumer Authentication, CardinalCommerce
Passive authentication happens behind the scenes, with no friction
during checkout for the consumer, using things the merchant
and the issuer know about the cardholder - like IP address,
device identification, buying patterns, or any other data point the
merchant collects.
Consumer Authentication has other benefits for online and mobile
transactions. Merchants usually benefit from increased sales,
liability shift on chargebacks, less manual review and potential
interchange fee savings. Merchants see a sales increase with
a Consumer Authentication solution because there are fewer
‘false positives’ that might ordinarily be declined, internally and
externally. Merchants also enjoy a liability shift with fraudulent
chargebacks on Cardinal Consumer Authentication transactions
because the issuing banks take on the risk if any transactions
result in fraud.
To wrap up, EMV’s rollout in the US is a good thing for brick-
and-mortar merchants, but will open up opportunity for fraud for
CNP merchants. Online merchants in the US should be aware of
the shift from fraud at POS to CNP fraud due to EMV, and protect
their online business with the 3D Secure protocols (like MasterCard
SecureCode, Verified by Visa and others), as well as take advantage
of the liability shift on authenticated transactions and potential
savings on interchange and manual review.
Doing Business in Europe? Mandatory Data Protection Compliance in Every Single Country
time.lex
2. How to transfer data from Europe to the US
In the Schrems case, the Court of Justice of the European Union
found that the existence of the European Commission Decision
about the so-called 'Safe Harbour' arrangement with the US did
not prevent a national data protection authority from investigating
individual complaints relating to the transfer of personal data to
the US. The CJEU found the Safe Harbour Decision to be invalid.
The so-called Article 29 Working Party, the body of representatives
which includes representatives from the European Member States'
data protection authorities, as well as representatives from
the European Commission and the European Data Protection
Supervisor, clarified a number of consequences that derived
from the decision in the Schrems case. Meanwhile, the European
Commission issued a communication on 6 November 2015 as
well, with a practical guidance.
What are the practical consequences for (ecommerce) merchants in
Europe, cloud computing providers, or social media platforms etc.?
No transfer to the US may be based solely on the invalidated
regime. This means that you can only transfer data to the US using
the means still allowed. Transfers are only allowed if you:
• Make use of the Model Contractual Clauses issued by the European
Commission, properly notified to the local data protection
authority (in Belgium, the Privacy Commission);
• Make use of Binding Corporate Rules drawn up as outlined in the
templates drafted by the Article 29 Working Party and, again,
properly notified to the local authorities;
• Rely on one of the exceptions, such as transfer based on consent;
this can only be used in exceptional circumstances and not
for systematic transfers to the US;
• In some EU member states, make use of your own ad
hoc contractual provisions or binding corporate rules which
have been properly notified and/or approved according to local
legislation.
A lot has been written about two recent court cases related
to Facebook. The first one is the case of the Austrian student
Maximilian Schrems against the Data Protection Commissioner
(European Court of Justice, case C-362/14, of 6 October 2015),
finding the Safe Harbour arrangement invalid for the transfer of
personal data from Europe to the US. The second case is the
one by the Belgian privacy commission against Facebook of
9 November 2015 in Brussels. But what is the impact for cross-
border ecommerce business in the European Union? Here are
three takeaways for every company doing business in Europe,
from merchants selling goods or services online in Europe to cloud
computing providers, social media platforms and many others.
1. Comply in every single country, or else …
The first clear message from both court cases is that data
protection and privacy compliance must be taken seriously,
especially when personal data is transferred outside the European
Union. Ensuring cross-border compliance with data protection
law has become a top priority for data protection authorities and
courts all over Europe.
A much-debated issue in the Brussels court was the territorial
application of national data protection legislation and the
international jurisdiction of the local courts. Facebook argued
that, because its European headquarters are in Ireland,
only Irish data protection legislation applies and only the
Irish courts have jurisdiction. The Brussels court disagreed.
All international companies with several establishments in the EU
must comply with national data privacy laws, and not just with
the law of the company’s main European establishment, which
was recently confirmed by the CJEU in its Weltimmo judgement
(C-230/14). The same goes for companies without any EU
establishments, but which make use of so-called 'equipment'
located on the territory of several EU member states. Such
companies will be subject to the regulatory regime of multiple
national data protection authorities.
About Edwin Jacobs: Edwin Jacobs is a partner at time.lex and a lecturer at the University of Leuven and Antwerp.
About time.lex: time.lex is a law firm specialised in fintech, information and technology law in the broadest sense, including privacy protection, data and information management, e-business, intellectual property, online media and telecommunications.
www.timelex.eu
Edwin Jacobs, Partner, time.lex
Note that the Article 29 Working Party has indicated that, for now,
the model contractual clauses or the binding corporate rules
are still accepted but that they too may be re-evaluated in 2016
if no progress has been made on a political level to come to an
acceptable and valid regime for data transfers between the US
and the EU. Meanwhile, a new Safe Harbour regime between the
US and the EU is expected in early 2016. Any new Safe Harbour
agreement should include obligations on the necessary oversight
of access by public authorities, transparency, proportionality and
redress. A new Safe Harbour agreement will probably not mean
that the national data protection authorities will suddenly back
down.
3. Using social media plug-ins on your company website?
The owner of a website must properly inform its website visitors of
the kind of information he is collecting, the purposes for which it
is used, the types of cookies, the social media plug-ins he is using
and the duration of storage of the cookie or plug-in on the surfer’s
computer. But that is not all. Before activating some types of
cookies and plug-ins, the surfer’s prior express consent is needed.
Even the mere collection of your visitors’ IP address by using
cookies or social plugins is already considered as processing of
personal data.
Will EMV Eliminate Card Fraud in the US?
Smart Payment Association
And at least one of the authenticators must be ‘dynamic’, which
is to say unique to each payment transaction; the authenticators
must also be independent of each other from a security perspective.
Translating experience to the US
What we, at the SPA, find most striking and most encouraging
about the PSD2 is its global nature. Its objectives and its principles
can be considered of universal importance when seeking to
combat CNP fraud. The principles laid out in the PSD2 are not
constrained by geography or specific regulatory environment and,
thus, offer a hugely exciting opportunity for global standardisation.
Certainly, the outlined principles are entirely consistent with the
Criteria Discussion Draft document for a better payment system
released by the Federal Reserve-backed US Faster Payments
Task Force.
The EMVCo’s announcement that, in 2016, its EMV 3DS 2.0
specification will be published alongside corresponding testing
and approval processes, points to a growing desire for global
transparency and constitutes a major step forward.
Multi-functional benefits of EMV payment cards
While PSD2 is technology agnostic, it seems logical that today’s
multi-functional card technologies offer a powerful balance of
assurance and convenience to satisfy both regulatory objective
and consumer demand.
EMV chip-and-PIN cards often support functions such as a one-
time-password (OTP) generator, an on-card display, or the possibility
of using the EMV card with a card reader connected to a personal
computer, for example.
These functionalities allow providers to offer, and users to
use, the “strong authentication” now defined in law: generating
dynamic proof that both the legitimate card and the legitimate user
are present during the CNP transaction.
Does the end of ‘swipe and sign’ mean the end of card payment
fraud in the US? It is a simple question. And the answer is simple
too: No.
The case for EMV adoption is beyond doubt. Countries with
completed EMV implementations have registered significantly
lower rates for card fraud. In 2012, for example, the card fraud
loss ratio across the European Union stood at 0.038%. In a pre-
EMV US, the figure was over two and a half times higher, reaching
more than 1%.
But, as we see, even in mature EMV markets fraud does not
disappear. It just moves online. Card-Not-Present (CNP) fraud is
nothing new, of course. Back in 2007, France’s Observatory for
Payment Card Security estimated that half of all card payment
fraud was committed without the card being present. Currently,
this figure exceeds some 70%. Therefore, the following question
arises: “what to do about CNP fraud in the broader context of EMV
implementation in the US and supporting programmes across the
world?”
Addressing CNP fraud in SEPA
Certainly, the European SEPA region (among others) has taken
steps to address the problems of CNP fraud - albeit with differing
levels of success. And, while CNP authentication exists, there are
few commonly adopted authentication methods that mirror the
integrity of a face-to-face POS transaction.
The European Payment Service Directive (PSD2), approved in
October 2015 by the European Parliament, is set to change
all this by providing a European regulatory framework for retail
payments and introducing a range of provisions designed to
tackle CNP fraud.
In particular, the PSD2 provides a legal definition for strong
authentication. It is the first time this has happened and is, therefore,
of great significance. According to the definition, a secure payment
process must include at least two out of the three classical
authentication mechanisms (something you have, something you
know, something you are).
About Nicolas Raffin: Nicolas Raffin is President of the Smart Payment Association (SPA) and Head of Strategic Marketing, Payments at Oberthur Technologies. Nicolas started his career with numeric photo group PhotoMe as product manager. He holds a Master in Marketing and an MSc in Technology & Innovation Management.
About Smart Payment Association: The Smart Payment Association addresses the challenges of the evolving payment ecosystem, offering leadership and expert guidance to help its members and their financial institution customers realize the opportunities of smart, secure and personalised payment systems & services both now and for the future.
www.smartpaymentassociation.com
Nicolas Raffin, President, Smart Payment Association
Global answers to the CNP question
So, if a new generation of EMV cards can offer a much more secure
CNP environment, the US’ move in this direction will potentially be
significant in addressing both card-present and card-not-present
fraud. And it’s also an exciting opportunity to address CNP security
on a global level.
With such high levels of consistency between US and EU objectives,
harmonising regulatory approaches will certainly create a more
secure ecommerce environment.
Indeed, by sharing experiences and best practice, and delivering
that consistent global approach, we can accelerate the adoption
of appropriate CNP protections by merchants and banks across
the world.
And, while it’s impossible to entirely eliminate card payment fraud, a
global collaboration around a set of shared principles seems a logical
place to begin.
For our part, having already contributed to the European Banking
Authority’s (EBA) public consultations on secure ecommerce, the
SPA will continue to advocate a comprehensive set of security
rules for CNP based on the aforementioned seven principles as
PSD2 moves into its next phase of life.
Not only will we continue to work with the wider card payment
industry, but also with standards bodies and regulators to help
deliver on the promise of a global approach to protecting online
payments.
DON'T MISS THE OPPORTUNITY OF BEING PART OF A LARGE-SCALE PAYMENTS INDUSTRY OVERVIEW
“The Paypers offers the most valuable source of information and guidance for all parties interested in the current state of affairs of the payments industry.”
Paul Alfing, Chairman e-Payments Committee, Ecommerce Europe
Once a year, The Paypers releases three large-scale industry overviews covering the latest trends, developments, disruptive innovations and challenges that define the global online/mobile payments, e-invoicing, B2B payments, ecommerce and web fraud prevention & digital identity space. Industry consultants, policy makers, service providers, merchants from all over the world share their views and expertise on different key topics within the industry. Listings and advertorial options are also part of the Guides for the purpose of ensuring effective company exposure at a global level.
For the latest edition, please check the Reports section.
ONLINE PAYMENTS: An all-in-one reference guide on (online) payments & ecommerce industry trends, evolving business models, top players and relevant (alternative) payment methods.
B2B PAYMENTS, SCF & E-INVOICING: Industry voices from the online finance space share insights into the dynamic B2B payment, e-invoicing and supply chain finance industries to support innovative solutions & thriving businesses.
WEB FRAUD PREVENTION, ONLINE SECURITY & DIGITAL IDENTITY: In-depth source of information highlighting key facts & trends in the global digital identity, transactional and web fraud prevention & detection ecosystem.
STRONGER CONSUMER AUTHENTICATION TO COMBAT ECOMMERCE FRAUD
Moving Beyond Passwords: Next Steps in Consumer Authentication
Wirecard AG
and simple to install, meaning that they can be integrated into
different payment channels, such as point-of-sale terminals or
ATMs. Therefore, they increase the recognition factor within the
context of financial transactions.
On account of their great potential, further biometric identification
measures are currently being discussed. For example, there is
heartbeat authentication, although it will admittedly take a while for
identification methods such as these to become reality, let alone
accepted. However, in the future, further ‘multi-modal’ means of
biometric identification are expected – that is to say, processes
which react to a combination of biometric sensors as a security
feature. These range from face and iris recognition to keystroke
dynamics.
New EU rules reduce online payment risk
The European Banking Authority (EBA) has stated that online
merchants will require two mutually independent customer
identifiers before accepting payment in the future. Directives such
as the Secure Pay Directive (PSD II) demonstrate the European
Commission’s commitment to making cross-border payments
quicker and safer, while also reducing the risk to the end customer.
Linked to this is an effective method of combating data theft and
abuse, known as two-factor authentication.
This involves asking the user for specific identifiers over a
combination of two different communication channels. For example,
a customer may be asked online only for their card number and CVC
code. Afterwards, as a second level of security, they receive a
one-time password or verification code via SMS on their
smartphone, which they use to confirm the transaction.
Additional biometric identifiers, or the use of (hardware) tokens,
are also possible. Building a simple and brief switch of medium
(‘media disruption’) into the payment process makes it much
harder for hackers to attack, without compromising its customer-
friendly nature.
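The two-channel exchange just described, together with the ‘dynamic’, per-transaction authenticator that PSD2 requires (see the Smart Payment Association piece earlier in this guide), as an added example written for this guide. It is not Wirecard’s code: the class and function names, the 120-second validity window, the three-attempt limit, and the constructed phone number and transaction ids are all assumptions. The SMS gateway is replaced by a callback so the exchange runs offline; the server keeps only a keyed digest of the code, bound to the transaction it was issued for, so a code is single-use, short-lived, and cannot confirm a different payment.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable

# Constructed illustration of a second-channel (SMS) one-time code for this
# page. Limits and names are assumptions, not any provider's policy.

CODE_TTL_SECONDS = 120   # a code is only good for a short window
MAX_ATTEMPTS = 3         # six digits are guessable without an attempt limit


@dataclass
class PendingCode:
    code_digest: str   # only a keyed digest is stored, never the code itself
    expires_at: float
    attempts: int = 0


class SecondChannelVerifier:
    """Issues a one-time code for a specific transaction and confirms it."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._send_sms = send_sms
        self._clock = clock
        self._server_key = secrets.token_bytes(32)
        self._pending: dict[str, PendingCode] = {}

    def _digest(self, txn_id: str, code: str) -> str:
        # Binding the transaction id into the digest means a code issued for one
        # payment cannot confirm another, even inside its validity window.
        return hmac.new(self._server_key, f"{txn_id}:{code}".encode(),
                        hashlib.sha256).hexdigest()

    def issue(self, txn_id: str, phone: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[txn_id] = PendingCode(self._digest(txn_id, code),
                                            self._clock() + CODE_TTL_SECONDS)
        # The second channel: the code goes out of band, not back to the browser.
        self._send_sms(phone, f"Code {code} for payment {txn_id}")

    def confirm(self, txn_id: str, presented: str) -> str:
        pending = self._pending.get(txn_id)
        if pending is None:
            return "rejected: no pending code (unknown, already used or cancelled)"
        if self._clock() > pending.expires_at:
            del self._pending[txn_id]
            return "rejected: code expired"
        if not hmac.compare_digest(pending.code_digest, self._digest(txn_id, presented)):
            pending.attempts += 1
            if pending.attempts >= MAX_ATTEMPTS:
                del self._pending[txn_id]
                return "rejected: too many attempts"
            return "rejected: code mismatch"
        del self._pending[txn_id]  # single use: a captured code cannot be replayed
        return "approved"


def demo() -> list[str]:
    """Runs the exchange with a stub SMS gateway and a controllable clock."""
    outbox: list[tuple[str, str]] = []
    now = [1_000_000.0]
    v = SecondChannelVerifier(send_sms=lambda phone, msg: outbox.append((phone, msg)),
                              clock=lambda: now[0])

    v.issue("txn-1", "+00 000 000")        # constructed phone number
    code = outbox[-1][1].split()[1]       # what the customer reads off the phone
    wrong = "000000" if code != "000000" else "111111"
    results = [
        v.confirm("txn-1", wrong),        # typo or guess
        v.confirm("txn-2", code),         # right code, wrong transaction
        v.confirm("txn-1", code),         # approved
        v.confirm("txn-1", code),         # replay of a used code
    ]
    v.issue("txn-3", "+00 000 000")
    now[0] += CODE_TTL_SECONDS + 1
    results.append(v.confirm("txn-3", outbox[-1][1].split()[1]))  # expired
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The injected `clock` is what makes the expiry case testable without waiting; in production the default `time.time` is used and the SMS callback would be the real gateway client.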
The way in which consumers verify their identity is rapidly changing,
a development which is being driven forward by biometric data.
Consumers should probably not be too surprised if they soon
find themselves being addressed queries like: “Dear customer,
please turn on your webcam and have your ID at the ready. We will
shortly conduct a brief ID check”. This kind of procedure may, for
example, be introduced for opening an online account in order to
verify a customer’s identity, thereby making the personal signature
a thing of the past.
But what does this trend mean for customers, online merchants
and banks who, up until now, have traditionally used passwords
and signatures? Moreover, how safe are these new means of
identification?
The fact is that traditional passwords are increasingly being
supplemented by new means of authentication. One of the reasons
is that customer identification has become one of the most
important aspects of payment processing. In case of doubt, it offers
more effective protection against fraud than a credit check, which will
rarely detect a falsified customer identity. Modern means of
authentication, in contrast, are able to do this.
Increased importance assigned to biometric data
It is for this exact reason that measures are being put in place.
The measures go further than conventional password authentication.
It is very likely that biometric data will become more important as a
result of the strong growth in the m-commerce market. Consulting
company Acuity Market Intelligence has recently stated that they
expect biometric data to be integrated in approximately 65% of all
m-commerce transactions by 2020. Furthermore, a global study
conducted by Mobey Forum shows that 22% of banks already use
some form of biometric data for the purpose of authentication, while
a further 65% plan to introduce this type of service in the future.
Initial studies have shown, for example, that the use of fingerprint
sensors increases user friendliness. Thus, users can quickly use
the fingerprint recognition service on their smartphone to confirm
a mobile transaction. Scanners have now become relatively cheap
About Carlos Häuser: Carlos Häuser is Executive Vice President responsible for the Payment & Risk/Shared Services divisions at Wirecard AG. He is also Managing Director of Wirecard Technologies GmbH and, therefore, responsible for strategic development at the Munich-based payment processing firm.
About Wirecard AG: Wirecard AG is a global technology group that supports companies in accepting electronic payments from all sales channels. As a leading supplier, the Wirecard Group offers outsourcing and white label solutions for electronic payments. A global platform bundles international payment acceptances and methods with supplementary fraud prevention solutions. Wirecard AG is listed on the Frankfurt Securities Exchange.
www.wirecard.com
Carlos Häuser, Executive Vice President, Wirecard AG
Further safety standards may increase acceptance
Obviously, there are some critics who fear that surplus data will
be stored alongside the electronically captured personal, physical
and behavioural data. Additional information may relate to a
person’s character, their health or ethnic background.
This means that all users of biometric identification methods are
obliged not to pass on the respective data to any third-parties.
Confidential data must also be deleted immediately after it is
no longer relevant for its original, stipulated use. The European
Commission will therefore be required to issue directives aimed at
ensuring mass suitability of new security measures.
Biometric identification methods can increase the acceptance and
use of electronic payments such as mobile payments around the
world. The use of fingerprint sensors improves user-friendliness.
For example, a user can quickly enter information without the
need to remember a PIN, password or a swipe pattern. At the
same time, the function increases the customer’s sense of security
because a mobile payment can only be made once a fingerprint
reading has been approved. These are decisive factors in the
acceptance of all new electronic payment methods.
Tokenization: From Account Security to Digital Identity
Consult Hyperion
Then, they need to pass requests back to the schemes in order to
de-tokenize and have to pay for the privilege. Unsurprisingly, there
is a move to unbundle tokenization services so that such issuers
can tokenize their own cards using either in-house or non-scheme
outsourced TSPs.
Managing risk in a tokenized environment
Tokenization improves bank account security because the fewer
places the real PAN is stored in, the less likely it is to be stolen.
The obvious downside of this is that the additional processes of
tokenizing and de-tokenizing add processing time and costs to
the issuing and authorisation processes. Perhaps the less obvious
downside is that tokenization moves the locus of attacks away
from retailers and onto the TSPs who hold the Token Vaults linking
PANs and Tokens. It is not hard to see how these organisations
will become attractive targets for organised crime.
Despite this, placing the security of PANs in the hands of a relatively
small number of specialist TSPs should improve the overall security
of the payments ecosystem. It also reduces the security burden on
retailers and mobile wallet providers who can concentrate on their
primary objective of satisfying the consumer.
Risk management is the current hole in tokenization solutions.
A token is not just a PAN, it is a PAN plus a set of domain controls
determining who and where it can be used. A token issued to a
retailer can only be used by that retailer, a token issued to a mobile
device can only be used from that device, a token issued for a
specific time period can only be used during that period, and so on.
More work is needed on these domain controls to refine and make
them properly usable and interoperable. Additionally, having the
same card tokenized to lots of different locations makes risk-
based transaction analysis difficult – someone’s behaviour when
using a physical card may be different to how they use a mobile
NFC device or an ecommerce website. These are all recognised
issues and are being worked on by standardisation groups and
vendors, but it serves to remind us that tokenization is still a work
in progress.
Tokenization, the process of replacing a card account number (PAN)
with an alias (token) which can only be used in defined domains, is
a technology that has been around for years. However, in a world
in which consumers can pay from multiple devices using the same
bank account, tokenization is now a core technology for payment
companies, rather than an esoteric sideline.
Simplifying the multi-device payment challenge
If consumers want to store their card details on a website to
simplify future payments, then their PAN can be sent to a Token
Service Provider (TSP) to generate and return a token. The retailer
stores the token and uses it when the consumer wants to transact
by sending the tokenized payment transaction to the TSP to
de-tokenize the token back to the PAN before it is passed onto the
issuer for authorisation. Because the merchant stores the token
and not the PAN and because the token can only be used on that
specific website, the impact of any data breach at the merchant is
vastly reduced.
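The tokenize/de-tokenize flow just described, and the domain controls from the ‘Managing risk’ section (a token bound to one retailer, to one device, or to a validity window), as an added example written for this guide. It is not Consult Hyperion’s code nor any real TSP’s: the `TokenServiceProvider` and `DomainControls` names, the 16-digit token format and the test PAN are assumptions. It goes slightly beyond the text in also making the token look like a card number (same length, Luhn-valid) so that it can travel through existing payment messages, while revealing nothing about the PAN; only the vault links the two, which is exactly why the vault becomes the attractive target the text warns about.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed illustration of a Token Service Provider (TSP) vault with domain
# controls, written for this page; not the code of any real TSP or scheme.


@dataclass(frozen=True)
class DomainControls:
    """Where and when a token may be used. None means 'not restricted'."""

    merchant_id: str | None = None      # usable only at this merchant
    device_id: str | None = None        # usable only from this handset
    not_after: datetime | None = None   # usable only until this instant


@dataclass(frozen=True)
class VaultEntry:
    pan: str
    controls: DomainControls


def luhn_check_digit(payload: str) -> str:
    """Digit that makes payload + digit pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right, once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenServiceProvider:
    def __init__(self) -> None:
        self._vault: dict[str, VaultEntry] = {}

    def tokenize(self, pan: str, controls: DomainControls) -> str:
        # The token is random and unrelated to the PAN; it is shaped like a card
        # number (16 digits, Luhn-valid) so existing systems can carry it.
        while True:
            body = "9" + "".join(secrets.choice("0123456789") for _ in range(14))
            token = body + luhn_check_digit(body)
            if token not in self._vault:
                break
        self._vault[token] = VaultEntry(pan, controls)
        return token

    def detokenize(self, token: str, *, merchant_id: str | None = None,
                   device_id: str | None = None,
                   at: datetime | None = None) -> tuple[bool, str]:
        """(True, PAN) if the presented context satisfies the token's domain,
        otherwise (False, reason). The PAN is never returned on a failed check."""
        entry = self._vault.get(token)
        if entry is None:
            return False, "unknown token"
        c = entry.controls
        if c.merchant_id is not None and merchant_id != c.merchant_id:
            return False, "merchant domain mismatch"
        if c.device_id is not None and device_id != c.device_id:
            return False, "device domain mismatch"
        if c.not_after is not None and (at is None or at > c.not_after):
            return False, "token expired"   # missing time fails closed
        return True, entry.pan


def demo() -> list[str]:
    """Exercise the domain controls the text describes; returns each outcome."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"   # constructed test PAN
    now = datetime(2015, 12, 1, tzinfo=timezone.utc)

    web_token = tsp.tokenize(pan, DomainControls(merchant_id="shop-A"))
    phone_token = tsp.tokenize(pan, DomainControls(device_id="handset-42"))
    short_token = tsp.tokenize(pan, DomainControls(merchant_id="shop-A",
                                                   not_after=now + timedelta(minutes=10)))
    checks = [
        tsp.detokenize(web_token, merchant_id="shop-A"),      # legitimate use
        tsp.detokenize(web_token, merchant_id="shop-B"),      # breached at shop-A, useless elsewhere
        tsp.detokenize(phone_token, device_id="handset-42"),  # legitimate use
        tsp.detokenize(phone_token, device_id="handset-99"),  # copied token without the handset
        tsp.detokenize(short_token, merchant_id="shop-A",
                       at=now + timedelta(minutes=30)),       # outside the validity window
        tsp.detokenize(pan, merchant_id="shop-A"),            # a raw PAN is not a token
    ]
    return ["PAN released" if ok and value == pan else value for ok, value in checks]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The frozen `DomainControls` record is deliberately immutable: a token’s domain is fixed at issuance, and widening it later would require issuing a new token, which keeps the vault’s audit trail simple.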
Added to this mix is the use of tokens for mobile EMV payment
methods like Apple Pay and Android Pay. The rationale for using
tokens in the mobile EMV space is twofold: firstly, a stolen token
is of little use without the handset, which constitutes its domain of
use and, secondly, the issuer does not have to issue a new card
– they can simply create a token for an existing one and use the
same underlying bank account. Neatly, this allows mobile EMV
issuance to be done in real-time, because all that is being issued
is a tokenized replica of an already issued physical card – so KYC
and AML processes are already complete.
Currently, the most popular model of TSP deployment is within
the payment networks – for example, Visa and MasterCard have
developed their own tokenization services. For the schemes, this
has the advantage of driving traffic through their networks and it
offers a straightforward solution for issuers. It is less popular with
issuers who acquire their own transactions, bypassing the scheme
networks.
About Tim Richards: Tim Richards has over 25 years’ experience designing secure smart card solutions across payments, mobile, transit, identity, passport, healthcare and loyalty solutions covering both issuance and transaction processing.
About Consult Hyperion: Consult Hyperion is an independent consultancy. We hold a key position at the forefront of innovation and the future of transactions technology, identity and payments. We are globally recognised as thought leaders and experts in the areas of mobile, identity, contactless and NFC payments, EMV and ticketing.
www.chyp.com
Tim Richards, Principal Consultant, Consult Hyperion
Tokenizing identity
Tokenization offers issuers other opportunities. At the moment,
some merchants use PANs as a rudimentary form of digital
identity. However, because this ‘identity’ is linked directly to a bank
account, they risk exposing the cardholder details to attackers,
as seen in the Ashley Madison attack: a token does not carry the
same risk. As a token is linked to a bank account at the TSP, not
the retailer, and as most bank accounts require that the cardholder
has already undergone identity checks, a token can be used as a
form of digital identity. A token issued for this purpose, with the
appropriate domain controls in place, could then be authorised
by the issuer without compromising the security of the account.
So, ‘digital identity’ tokens could be used for age verification or
geographical location checking without revealing any underlying
details of the cardholder or the account.
In summary, tokenization increases account security with the
downside of increased costs which may not be able to be passed
onto merchants and cardholders. But, it also opens up new
business opportunities for issuers and, in a densely connected
digital environment, the value of these opportunities will vastly
outweigh the costs.
What is the mission of the Institute?
Our mission is to promote the responsible use of biometrics in an
independent and impartial international organisation. I would like to
highlight a few of our achievements starting with the development
of a first Biometrics Privacy Code, which was approved by the
Australian Privacy Commissioner in 2006. It has now developed
into international privacy guidelines promoting best practices for
biometrics.
In 2008, we developed a Biometric Vulnerability Assessment
Methodology, which led us to setting up the Biometrics Institute
Vulnerability Assessment Expert Group (BVAEG) in 2010. It consists of
UK and German government representatives, as well as academics
from the US, Europe and Japan. The BVAEG has regular exchanges
to raise awareness about the need for vulnerability testing, to find a
common methodology and engage with the standards community
at the same time.
Biometric authentication seems to become commonplace in the payments industry. Is the biometrics-based recognition system a friend or foe when it comes to privacy?
If implemented responsibly, it is certainly a privacy enhancing
technology. Biometric authentication has the potential to ease
the burden of security given its simplicity and usability. All security
technologies have flaws, including PINs and passwords.
Under determined attack, none will guarantee absolute security.
Most biometrics are not ‘secret’ and should be used with a secure
second factor. Security relies not only on one factor but also on
combining them, such as relying on a PIN and fingerprint.
There are a number of technologies, both software and hardware,
which can be used to detect such spoofing attacks. When we
provide a biometric or other sensitive personal data, it does come
down to a question of trust and control. Governments are typically
required to put very robust trust models in place to ensure end-to-
end security is provided through government accredited networks,
compliance processes for privacy and record keeping legislation,
assurance mechanisms involving partnerships and processes
around access to data, for example. When some organisations
are involved, the end-to-end security and assurance just might
not exist – what happens with your face, your fingerprints in that
environment is potentially riskier and requires far more than just a
technology solution.
Another question is control and data retention. What happens to that
biometric? Who looks after it, at what point in time is it destroyed?
Should it be after a person leaves school or a particular job?
What processes exist for managing any compromise of identity data,
for re-establishing confidence in identity, for redress?
We have seen many successful implementations where biometrics
have helped transform identity management, privacy protection
and identity security like electronic passports facilitating a better
and more secure travel experience. Likewise, large-scale identity
management systems, such as the Indian Unique Identity (UID)
scheme, facilitate the delivery of government’s services to the poor
and marginalised. If we get the privacy and vulnerability issues
addressed and create trust and control for the consumer, I think
biometrics have a great future.
When it comes to wearable technologies and authentication, what are the implications of using personal biometric data as the virtual keys that unlock our very real lives?
We are seeing biometrics appear more and more in everyday
life, as predicted by the Biometrics Institute survey in 2014 and
again 2015. Their use offers consumers great convenience and
increased security at the same time. We are seeing a growing
number of wearable devices and the use of fingerprint biometrics
on mobile devices.
Biometrics Institute
Biometric authentication has become commonplace in an array of fields, payments included. In this interview, the Biometrics Institute emphasizes on how biometrics could be a privacy enhancing technology, if implemented responsibly.
About Isabelle Moeller: Isabelle is a biometrics expert instrumental in the growing network of The Biometrics Institute. She has played a key role in the establishment of independent and impartial international Biometrics Institute in particular through bringing together biometrics experts from around the world.
About Biometrics Institute: The Biometrics Institute is a not-for-profit membership organisation with offices in the UK and Australia. Since 2001 it has been promoting the responsible use of biometrics and providing an un-biased forum offering information, education and training on biometrics.
www.biometricsinstitute.org
Isabelle Moeller
Chief Executive
Biometrics Institute
With a biometric on a wearable device, users are now able to
query that device and authenticate themselves as the user of
that device. If that device is stolen, that authentication does not
work. So, it provides that extra level of security which allows those
devices to be used securely, for payments purposes, for example.
The person gets identified more accurately and securely than with
PINs and passwords.
Do you know if there is any legislation and regulation in place to cover the privacy and security aspects of biometric technology?
The public requires assurance that biometrics managers are giving
due consideration to privacy and data protection when they are
considering, designing, implementing and managing biometrics-
based projects. The Institute, for instance, has therefore developed
several best practice documents to help guide members along the
way, namely the Biometrics Institute Privacy Awareness Checklist
and Biometrics Privacy Guideline.
Different countries have different legislation. Australia, for example,
introduced new privacy principles in March 2014. The Science and
Technology Committee of the UK government proposed
an open and public debate around the use of biometrics by the
Government to build trust in biometrics. The Committee released
its "Science and Technology - Sixth Report: Current and
future uses of biometric data and technologies".
The Biometrics Institute is also working on a proposal to create
a trustmark. The trustmark is aimed at giving consumers in the
private sector and users of government services access to personal
records and confidence in the responsible use of an identity product
or service that incorporates biometrics. This will give biometric
solutions providers and operators a tool to demonstrate that due
consideration has been given to privacy and trust during planning
and implementation.
Bring Your Own Authentication: The Next Revolution against Web Fraud
Natural Security Alliance
Two major trends in the field of online payments have been confirmed
in the past two years. First of all, the increase in fraud is undeniable,
while users are turning to smooth systems to authenticate their online
transactions.
We will quickly look at the first trend by illustrating it with a few
figures for the French market. A study published by the French
National Supervisory Body on Crime and Punishment (ONDRP)
revealed that more than 800,000 households have been victims
of banking fraud. Of those that managed to identify how they
were scammed, one third had their payment details stolen while
shopping online.
To resolve this, regulators have issued a number of recommendations
at the European level: Revised Payment Services Directive (PSD2)
and Guidelines on the Security of Internet Payments (European
Banking Authority’s Guidelines).
But, in terms of technology, the power is in the users' hands. They decide
whether to use and adopt a technology or not. A few years ago,
there were those who refused standard office automation tools and
turned to tablets (more mobile, better suited for viewing content) and
smartphones (to be connected without being at a desk) instead.
The Bring Your Own Device (BYOD) system, which is a rejection
of over-complex systems, has spread in the field of payments.
Users massively refused One Time Password (OTP) and, in
general, all systems which require fastidious data entry to make
an online payment.
These examples illustrate that users always opt for simplicity.
The position of smartphone manufacturers (Apple, Samsung)
and of social networks (Facebook, Twitter, LinkedIn) is a good
illustration of the need for simplification and standardisation.
To unlock a telephone, all you need to do is put your finger on a
biometric sensor. To connect to a social network account, you just
have to enter a password. Easy access is now the first condition
for using a service.
But, the generalisation of biometrics is not restricted to simply
becoming a standard for unlocking telephones. It opens the world
of the telephone to proximity payments (Apple Pay, Samsung
Pay) and especially to in-app payments. Users can thus make a
transaction on their mobile phone without having to enter a card
number or password.
We are also witnessing the generalisation of Bring Your Own
Authentication (BYOA), following on from Bring Your Own Device.
These technologies and new approaches to ergonomics break
with the authentication systems traditionally provided by banks.
Up to now, they have provided technologies chosen by them: they
will now have to rely on third-party systems, without having full
visibility of performance. These new systems are opening the way
for new payment players (e.g. wallet, electronic cash, SEPA) by
offering a wider choice for the end user in terms of online payment.
However, many questions concerning implementation, openness
and evaluation have not been sufficiently addressed. A prime
example of the consequences can be seen in the recent disclosure
that the Android OS contains malware capable of potentially
stealing fingerprint data from devices, such as Samsung Galaxy
S5’s fingerprint reader, before they reach a secure processor. The
market is clearly waiting for certain key details to be fleshed out
before biometrics can really take off.
There is still work to be done on evaluating the different
implementations for authenticating access to value-added services.
The spread of biometric solutions also signals a change in business
models, as new actors become a necessary link in the transaction
and value chains.
In this rationale of IT consumerisation, we will see new devices
(for example, SesameTouch developed by Trust Designer) emerge,
devices which can be used to authenticate oneself and make
online payments without having to use a system provided by a
bank. These devices represent a third avenue as they are in line
with open logics, depending on evaluation and certification
schemes, for example.
About André Delaforge: André joined Natural Security in February 2010 to lead various aspects of marketing and business development. Prior to joining Natural Security, André was in charge of business development for biometric and RFID technologies for a large electronic manufacturer.
About Natural Security Alliance: The Natural Security Alliance is a global community of preeminent companies dedicated to accelerating the adoption and ongoing development of Natural Security Technology-based solutions. It is comprised of some of the most influential companies in the world from the retail, banking, payment and IT communities.
www.naturalsecurityalliance.org
André Delaforge
Head of Communication Advisory Committee
Natural Security Alliance
A study recently published by Mobey Forum (Mobey Forum’s
Biometrics Survey Results, July 2015) clearly shows strong
demand for open interfaces. 83% of surveyed companies
considered open interface implementation of fingerprint sensors
as an opportunity, allowing banks or trusted service providers to
control the authentication data.
In the BYOA rationale, there is clearly a place and demand for
authenticators which make online transactions possible where the
user can choose the platform of the transaction.
Broadly speaking, the term ‘authenticator’ refers to any technology
that can authenticate a user before he or she reaches an interface
that provides access to a service. Authenticators can come in
different formats, such as a chip card and reader (e.g. for payment
in a store), an OTP token or even a simple login and password
on a computer. Biometrics is becoming increasingly commonplace
for authenticators, but, as previously stated, there still are a couple
of issues that need to be addressed. For example, interoperability
must be made standard, so that service providers can accept the
authenticators deployed, and consumers are not limited to where
they can shop for goods and services.
These authenticators will, and should, rely on an open architecture,
paving the way for implementing an evaluation scheme in order to
create an open ecosystem of technologies suited to different use
cases.
INSIGHTS INTO ELECTRONIC IDENTITIES IN EUROPE
Digital ‘Marble’ - Onboarding in the Age of Electronic Identity
Signicat
Background
A century ago, banks managed to establish trust in the public at
large by building bank palaces made of marble.
Nowadays, banks need to establish trust in a virtual world.
In particular, they need to prove the identity of their customers
online. This is difficult enough for banks operating in a single
market. For banks operating in a pan-European market, it becomes
an even bigger hurdle.
Luckily, a digital ‘marble’ that can be used to establish trust online
exists in the form of electronic identity. In markets where electronic
identity is readily available, experience shows that using electronic
identity for online onboarding can lead to a dramatic increase in
conversion rates.
Nordic practice
The Nordic countries – Denmark, Finland, Norway and Sweden –
stand out among the regions where electronic identity has been
widely deployed. In these countries, a large majority of the adult
population has access to electronic identity that has been issued by
the banks, the government or a telco.
Key to the success of these identities is that they can be utilised
across a wide range of services in the public and private sector.
This ensures a high frequency of usage, which lowers the barrier
for using the e-ID. Cooperation between the parties involved is
based on acknowledging that the value of a common platform is
greater than the sum of its parts. This has led to the emergence
of common technology and regulations ensuring the electronic ID
interoperability across sectors.
The European dimension
The Nordic countries have been pioneers in the use of electronic
identity for digital onboarding. However, the rest of Europe is now
following suit.
Countries like Germany and Spain continue to develop their
national infrastructure for electronic ID, while Estonia and Belgium
have made considerable progress in deploying a national e-ID
infrastructure. The new European regulation on electronic identity
and trust services (eIDAS), which was approved in 2014, will also
contribute to driving acceptance and interoperability of e-ID and
e-signature in the European market.
However, the ongoing establishment of cross-industry schemes or
federations for e-ID is equally interesting. These are established
by banks, telecommunications companies and others who want
to exploit the network effect of providing electronic identity
across industries and businesses. Examples of such ecosystems
include the recent partnership between Dutch banks to establish a
federation of electronic identity, the MyBank initiative by the EBA
and GSMA Mobile Connect.
What is common to these initiatives is that they connect existing
electronic identity in federations. Thus, a customer of a Dutch
bank can use his online banking login to establish a customer
relationship with an ecommerce retailer. Initiatives like the Dutch
interbank login and MyBank hold significant potential for the rapid
deployment of digital onboarding. They build on existing electronic
identity that already is in frequent use for internet banking,
sidestepping the need for costly and time consuming deployment
of new electronic identity.
Uniting the fragmented e-ID landscape
The development of e-ID in Europe has mainly been done within
a national scope, with a limited degree of coordination. This has
resulted in a fragmented infrastructure that presents challenges to
service providers aiming to reach a broad audience.
For instance, a service provider in Norway who wants to address
the largest possible audience would need to implement support not
only for Norwegian BankID and the Buypass eID, but also for the
MinID eID and the Commfides eID.
If service providers run a pan-Nordic operation, which is often the
case, they would need to implement support for up to 12 different
e-IDs. In the absence of a universal (or at least regional) e-ID
scheme, the implementation effort soon becomes unmanageable.
This situation will prevail also in a post-eIDAS Europe: while eIDAS
ensures a common framework for electronic identity and electronic
signature, it will not guarantee technical interoperability in any way.
About Gunnar Nordseth: Gunnar is a veteran of the software industry and a founder of three software companies all based in Trondheim. Since 2007 he has been involved in establishing Signicat as a global leader of cloud-based services for electronic identity and electronic signature.
About Signicat: Signicat is a leading provider of identity services in Northern Europe. The company offers a unique Identity-as-a-Service, giving multinational and national companies and government institutions easy access to a range of national e-ID infrastructures through a single point of integration. Customers use Signicat services for authentication, digital signature of documents/text and long term validation and archiving.
www.signicat.com
Gunnar Nordseth
CEO
Signicat
Identity hubs as new paradigm for solving fragmentationA new kind of service offering has emerged to address the need for
simple integration with the e-ID infrastructure. Currently, Signicat
has over 150 customers hooked up to its online identity hub.
Signicat’s customers are typically banks, finance and insurance
companies that want to use publicly available e-ID for strong
authentication or electronic signatures. The company operates
as an identity hub or identity broker. Its customers select which
e-IDs they want to accept and Signicat sets up a service providing
access to them. In addition to giving access to third-party e-IDs,
Signicat can also play the part of an e-ID issuer for customers who
want to provide their end-customers with a proprietary e-ID.
Vision for EuropeTrust and digital identity is a prerequisite for cross-border
transactions. Without them, the growth potential will be limited.
Merchants wishing to do cross-border commerce need to
know their customers, and the only realistic way to do this is
through electronic identity. The best solution is to outsource the
complexity of identification and authentication to specialists, just
as the merchants did with payments. Identity providers do not
only specialise in protecting customers from identity theft, but also
in allowing customers to re-use their existing IDs and credentials,
thus preventing the build-up of a ‘digital key chain’.
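The identity-hub pattern described in this article, as an added example written for the guide; it is not Signicat's code and models no real e-ID protocol. Each issuer hands back an assertion in its own attribute names, signed with its own key; the hub checks signature, audience and expiry, maps the attributes onto one common record, and enforces the policy the service provider chose: which issuers it accepts and the minimum assurance level. A bank login re-used as an e-ID (as in the Dutch interbank login and MyBank initiatives mentioned above) is simply one more issuer behind the same interface. The issuer names, keys, attribute names and assertions are constructed, and HMAC stands in for the certificate-based signatures real e-IDs use.

```python
"""Identity hub: one integration point in front of several e-IDs.

Added illustration, not Signicat's code. Issuer names, keys and assertions are
constructed; HMAC stands in for issuer certificates and signatures.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed issuer keys; a real hub would hold each issuer's certificate instead.
ISSUER_KEYS = {
    "bankid-no": b"constructed-key-bankid",
    "buypass": b"constructed-key-buypass",
    "bank-login-nl": b"constructed-key-bank-login",
}

ASSURANCE_RANK = {"low": 0, "substantial": 1, "high": 2}


@dataclass(frozen=True)
class Identity:
    """Common record every adapter produces, whatever the issuer's own format."""
    issuer: str
    subject: str
    full_name: str
    birth_date: str
    assurance: str


# One adapter per issuer: maps that issuer's attribute names onto the common record.
ADAPTERS = {
    "bankid-no": lambda p: Identity("bankid-no", p["uid"], p["name"], p["dob"], "high"),
    "buypass": lambda p: Identity("buypass", p["serial"], f'{p["given"]} {p["family"]}', p["birth"], "high"),
    "bank-login-nl": lambda p: Identity("bank-login-nl", p["account_id"], p["holder"], p["born"], "substantial"),
}


class RejectedAssertion(Exception):
    """The hub refuses to pass the assertion on to the service provider."""


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer: str, attributes: dict, audience: str, expires_at: int) -> dict:
    """Stand-in for an e-ID issuer producing a signed assertion (constructed)."""
    payload = {"iss": issuer, "aud": audience, "exp": expires_at, **attributes}
    sig = hmac.new(ISSUER_KEYS[issuer], _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class IdentityHub:
    def __init__(self, issuer_keys=ISSUER_KEYS, adapters=ADAPTERS):
        self._keys = issuer_keys
        self._adapters = adapters

    def verify(self, assertion, accepted_issuers, audience, min_assurance="substantial", now=None) -> Identity:
        payload, sig = assertion["payload"], assertion["sig"]
        issuer = payload.get("iss")
        # Service-provider policy first: it selected which e-IDs it accepts.
        if issuer not in accepted_issuers:
            raise RejectedAssertion(f"issuer {issuer!r} not accepted by this service provider")
        key = self._keys.get(issuer)
        if key is None:
            raise RejectedAssertion(f"no trust anchor for issuer {issuer!r}")
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise RejectedAssertion("signature does not verify")
        if payload.get("aud") != audience:
            raise RejectedAssertion("assertion was issued for a different service")
        current = now if now is not None else time.time()
        if payload.get("exp", 0) <= current:
            raise RejectedAssertion("assertion expired")
        identity = self._adapters[issuer](payload)
        if ASSURANCE_RANK[identity.assurance] < ASSURANCE_RANK[min_assurance]:
            raise RejectedAssertion(f"assurance {identity.assurance!r} below required {min_assurance!r}")
        return identity


if __name__ == "__main__":
    hub = IdentityHub()
    sample = issue_assertion("buypass", {"serial": "bp-9", "given": "Ola", "family": "Hansen",
                                         "birth": "1979-11-30"}, "shop.example", 2_000_000_000)
    print(hub.verify(sample, {"bankid-no", "buypass"}, "shop.example"))
```

Adding a new national e-ID means adding one key and one adapter at the hub; the service provider's integration and its acceptance policy do not change, which is the point of the hub.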
Electronic Identity Verification: How MyBank Can Help
MyBank
In recent years, ecommerce has been experiencing a great degree of
technological upheaval: e-wallets, NFC (near field communication),
Apple/Samsung/Google ‘pay’, third-party access to the account –
how you pay for things is now becoming as important as what you
pay for.
Underlying these changes is trustworthy identity verification,
which means customers and other actors identify themselves
digitally to third-parties that require their information. This is the
keystone that future online commerce will be built on.
Electronic identity verification (or e-identity for short) has been
featured prominently in regulatory discussions in recent years.
Electronic identity legislative frameworks (either directly or indirectly)
have moved to the front of the agenda. This is due to the revised
Payment Services Directive (PSD2), the recommendations developed
by the European Forum on the Security of Retail Payments (SecuRe
Pay), the ‘Regulation (EU) No 910/2014 on electronic identification
and trust services for electronic transactions in the internal market
and repealing Directive 1999/93/EC’ (eIDAS) and the 4th Anti-Money
Laundering (AML) Directive.
Furthermore, businesses are daily being confronted with new
challenges as society switches to digital channels. Some of the
most common are:
• How to verify identity: who are businesses really dealing with?
• How to verify age?
• How to perform customer due diligence?
• How to obtain consent to sign up for services?
With no standardised electronic means of verifying such functions,
businesses face rising costs and are often obliged to implement
workarounds that usually involve consumers physically handing
over large quantities of private data, or filling out paper forms.
How does online identity verification work?
Online identity verification is an electronic means of proving that
you are who you say you are and that the attributes you claim
to possess (name, age, address, passport number etc.) really
are yours. This is of highest importance in facilitating online
transactions, particularly for reasons of security: avoiding fraud,
securing against identity theft, complying with anti-terrorism
concerns and so forth.
In a traditional brick-and-mortar business, identity verification is
relatively straightforward: a merchant requests your ID (national ID
card, passport etc.), you hand it over and, presuming everything is
OK, you receive your goods (e.g. alcohol in a supermarket). But,
in other settings, this can be onerously time consuming. If you
want to apply for a loan, you will probably have to manually fill out
sheets of paper and send them all through the mail.
Digital has its challenges. How can merchants be sure their
customers are who they say they are when both sides never
physically interact? Can merchants be confident that purchases
carried out are not tainted by fraudulent activity?
Digital experts at Innopay [Internal MyBank research conducted
in conjunction with Innopay Consulting] estimate that there are
currently 225 billion authentication transactions per year across
e-mail, social media, ecommerce and e-government. Ecommerce
and e-government account for 5.5 billion transactions.
How will MyBank play a role in this area?
MyBank and its Payment Service Provider (PSP) partners, with
their experience of processing complex, sensitive transactions,
can bring real value to the market. With MyBank, consumers
and businesses can already re-use their existing online banking
account credentials to safely instruct their banks to provide
account-related data to third-parties and purchase items online.
The online bank account is already the central repository for
sensitive data in the form of payment information - it makes sense
to re-use information linked to existing processes to facilitate the
expansion of new services. Account Servicing PSPs are legally
obliged to verify that you are who you say you are before
letting you create an account.
MyBank is distributed to participants (PSPs) which, in turn,
contract with their clients (e.g. merchants) to make use of the
service. The standard MyBank four corner model, which underpins
all MyBank services, is detailed below.
About Fatouma Sy: Fatouma Sy is Head of Product Development at MyBank. She has worked on the development of the solution since EBA Clearing decided to launch an E-services initiative in 2010.
About John Broxis: John Broxis is the Managing Director of MyBank. Prior to heading up MyBank, John was director of STEP2 at EBA Clearing.
About MyBank: MyBank is a pan-European e-authorisation solution which enables safe digital payments and identity authentication through a consumer’s own online banking portal or mobile device. With its participant banks, MyBank went live in March 2013 with SEPA Credit Transfers. Since then, MyBank has launched SEPA electronic mandate services and is now piloting ‘MyBank Identity Verification’.
www.mybank.eu
John Broxis
Managing Director
MyBank
Fatouma Sy
Head of Product Development
MyBank
Figure 1: MyBank Operating Model
Banks and other payment service providers (PSPs) are important
players in this arena for a number of reasons:
a. Rich and accurate customer data (‘Know Your Customer’
information).
b. Proven, fraud-resistant authentication mechanisms.
c. Experience of a collaborative network.
d. Reach encompassing all citizens.
e. Trustworthiness. Consumers trust their own bank.
The online bank account is primed to become a central hub for
online activity. Most of us already consult our account balance on
our computer or mobile app on a regular basis. Some of us also
hold insurance through our bank. We already trust our bank with
much of our most precious data. It is clear why consumers would
be eager to extend the benefits of the online bank account to
validate their age or other sensitive information.
As a pan-European solution, MyBank facilitates the:
• Unbundling of valuable authentication services from payments.
• Enabling of controlled online availability of valuable information.
• Creation and positioning of digital identity services toward the
market via a harmonised and recognised user experience.
• Elimination of fragmentation.
The MyBank Identity Verification pilot involving PSPs, merchants
and technical integrators began in November 2015 and will
continue into early 2016. The objective of the pilot is to test the
use cases, refine the business model and ensure that the technical
model is best fitted to the market’s needs.
DIGITAL IDENTITIES AND TECHNOLOGIES AT THE HEART OF SECURITY
Identity of Things (IDoT): A New Concept in Managing Identities
Innovate Identity
Gartner predicts that there will be 4.9 billion connected ‘things’ in
use by 2015. This figure is expected to rise to anywhere between
25 billion and 50 billion by 2020, depending on which report you
read.
The Identity of Things (IDoT) is an extension to identity management
and encompasses all entity identities, whatever form the entities
may take. The identities are then used to define relationships
among the entities, namely between a device and an individual, a
device and another device, a device and an application/service, or
(as in traditional Identity Access Management) an individual and an
application/service.
This skyrocketing growth in connected devices, such as those
in the health sector, means that, in many cases, the user and
the device are linked to each other. By having the users sharing
data with the device, they gain more value from the device itself.
The more data users share, the more value they get back.
The Internet of Things, therefore, means an increase of data
production: location data, personal preference data, health data,
usage data and so on.
This data is incredibly valuable for the organisations collecting
it. If a user had a health band, it means that insurance could be
underwritten based on the individual’s level of fitness, allowing
access to better insurance premiums. Affiliated marketing would
target the users around sports they enjoy or even offer location-
based special offers for local stores. This data is also valuable for
the users to share amongst their peers, allowing them to benchmark
their fitness against others.
But, what are the security consequences of generating and storing
such data? Central repositories of data create attractive targets for
hackers and, with high profile data breaches in the press daily,
this issue shows no sign of slowing down.
With more connections and points of entry, IoT inherently increases
exposure to cyber risk. And, within the hyper-connected domain
of IoT, one small data breach can have a domino effect across
several connections. This data also creates issues for the user
around privacy, consent and control over their personal data.
Who owns the data? Who can share it? Where is it stored? Can it
be shared with third-parties without the user’s knowledge?
Why identity underpins IoT
So, what do we mean by identity? Identity is the collective aspect of
the set of characteristics by which a ‘thing’ is definitively recognisable
or known. As the IoT network gets more sophisticated and more
data is collected, more links are made between person and device,
and the longer this continues, the more valuable that data becomes.
Identity is therefore intrinsically linked to IoT.
Additionally, as the IoT network grows, so do the issues around
security of data, user consent, control and privacy.
Identity is generally proved through a sophisticated and complex
set of identity verification and authentication techniques. However,
there are no set standards across the board on how we should deal
with identity, which leaves multiple threat vectors for fraudsters to
exploit.
About Emma Lindley: Emma has over a decade of experience working with technology-led identity and age verification systems. Her focus is the intersection of technology, digital life, identity and privacy, and she is passionate about solutions which enable trust and inclusion on the Internet. Emma founded Innovate Identity in 2012 to address the need to provide thought leadership, clarity and practical solutions in a changing and increasingly complex identity market place.
About Innovate Identity: Innovate Identity (InID) is an independent consultancy working with clients from fintech start-ups through to major blue chips, supporting their identity needs: from Know Your Customer and Anti Money Laundering regulatory requirements, fraud prevention, security and data privacy, through to delivery of new identity propositions such as attribute exchange, personal data stores and blockchain technologies.
www.innovateidentity.com
Emma Lindley
CEO
Innovate Identity
Some countries have centralised government systems for identity.
However, these centralised systems are open to attack. In some
cases, due to vulnerabilities, these centralised systems have been
subject to widespread identity fraud at a national level.
Organisations creating connected devices have their own ways
of dealing with security and identity. Still, they too are effectively
mini-centralised systems, meaning that they are no less vulnerable
to attackers, but arguably less attractive due to their size.
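The relationship model this article describes (device to individual, device to device, device to application or service) and the consent and control questions it raises, as an added example written for the guide; it is not Innovate Identity's code. Every person, device and service is a registered identity; relationships record who owns a device, which devices are paired, and which data categories a person has consented to share with which service. A device may release a data category to a service only through its owner's consent, and to another device only when both belong to the same person and are paired, and every decision is logged so the data owner can see what was released. The `IdentityRegistry` API, the entity names and the data categories are constructed for the illustration.

```python
"""Identity of Things: a registry of entity identities and the relationships between them.

Added illustration, not Innovate Identity's code. All entity names, relationship
verbs and data categories are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    id: str
    kind: str   # "person", "device" or "service"


@dataclass(frozen=True)
class Relationship:
    subject: str
    verb: str                         # "owns", "pairs" or "consents"
    obj: str
    scope: frozenset = frozenset()    # data categories, used by "consents"


class IdentityRegistry:
    """Hypothetical registry: entities, typed relationships and a data-flow decision."""

    # Which entity kinds each relationship may link (subject kind, object kind).
    LINKS = {"owns": ("person", "device"), "pairs": ("device", "device"), "consents": ("person", "service")}

    def __init__(self):
        self.entities = {}
        self.relationships = []
        self.audit = []   # (device, target, category, allowed, reason) for the data owner to inspect

    def register(self, entity: Entity) -> None:
        self.entities[entity.id] = entity

    def relate(self, subject: str, verb: str, obj: str, scope=()) -> None:
        if verb not in self.LINKS:
            raise ValueError(f"unknown relationship {verb!r}")
        kinds = (self.entities[subject].kind, self.entities[obj].kind)
        if kinds != self.LINKS[verb]:
            raise ValueError(f"{verb!r} must link {self.LINKS[verb]}, got {kinds}")
        self.relationships.append(Relationship(subject, verb, obj, frozenset(scope)))

    def revoke_consent(self, person: str, service: str) -> None:
        """The data owner withdraws consent; later decisions must reflect it immediately."""
        self.relationships = [r for r in self.relationships
                              if not (r.verb == "consents" and r.subject == person and r.obj == service)]

    def owner_of(self, device: str):
        return next((r.subject for r in self.relationships if r.verb == "owns" and r.obj == device), None)

    def consent_scope(self, person: str, service: str) -> frozenset:
        scope = frozenset()
        for r in self.relationships:
            if r.verb == "consents" and r.subject == person and r.obj == service:
                scope |= r.scope
        return scope

    def _paired(self, a: str, b: str) -> bool:
        return any(r.verb == "pairs" and {r.subject, r.obj} == {a, b} for r in self.relationships)

    def may_send(self, device: str, target: str, category: str):
        """Decide whether `device` may release `category` data to `target`; returns (allowed, reason)."""
        allowed, reason = self._decide(device, target, category)
        self.audit.append((device, target, category, allowed, reason))
        return allowed, reason

    def _decide(self, device, target, category):
        if self.entities.get(device, Entity("", "")).kind != "device":
            return False, "sender is not a registered device"
        owner = self.owner_of(device)
        if owner is None:
            return False, "device is not bound to any person"
        target_kind = self.entities.get(target, Entity("", "")).kind
        if target_kind == "service":
            if category in self.consent_scope(owner, target):
                return True, f"{owner} consented to share {category} with {target}"
            return False, f"{owner} has not consented to share {category} with {target}"
        if target_kind == "device":
            if self.owner_of(target) == owner and self._paired(device, target):
                return True, f"both devices belong to {owner} and are paired"
            return False, "target device is not a paired device of the same owner"
        return False, "target is not a registered device or service"


if __name__ == "__main__":
    reg = IdentityRegistry()
    for e in (Entity("alice", "person"), Entity("band-1", "device"), Entity("insurer", "service")):
        reg.register(e)
    reg.relate("alice", "owns", "band-1")
    reg.relate("alice", "consents", "insurer", scope={"fitness"})
    print(reg.may_send("band-1", "insurer", "fitness"), reg.may_send("band-1", "insurer", "location"))
```

The decision is always derived from the person's relationships rather than stored on the device or the service, so revoking consent or unbinding a stolen device changes what may flow without touching either endpoint.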
Conclusion
As we hand over more and more of our decision-making to our
connected devices, it is imperative that we have identity-focused
and secure infrastructures in place that are capable of managing
the growing complexity of the emerging connected world.
An overall decentralised identity scheme, similar in size and scale
to the payments scheme, is required to deal with the security,
privacy, consent and control issues we have with identities. Such a
scheme would allow many organisations to offer identity solutions
developed to the standards set, and those developing connected
devices to adopt those solutions.
IoT devices will need to be mapped to this scheme, which will
need to ensure there are ways to make it easy for the end user (the
ultimate data owner) to understand and embrace. IoT presents a
huge opportunity. However, in order to grow, it requires an identity
layer to underpin it and allow scale in a secure way.
The Advent of IoT: Are We Facing A Trade-off Between Convenience & Security?
The Paypers
The online world has never been more dynamic or more challenging
than it is nowadays. The internet and groundbreaking technology
enhancements have reshaped our lives and transformed the way
we do things, both in a business environment and in our personal
space. Over the past few years, technologies such as cloud, mobile
solutions, big data and analytics, which were once the frontier of the
payments industry, have become commonplace. And most recently,
the Internet of Things (IoT) has been perceived as the new game
changer. But what exactly is the IoT and why has it been heralded
as the next major revolution in business computing?
The Internet of Things refers to the networking of physical objects
through the use of embedded sensors, actuators and other devices
that can collect or transmit information about the objects. Basically,
via the IoT, individual components communicate with each other
and a service center, allowing for virtually endless connections to
take place. Additionally, a business model can now include not only
services, but also position those services in the center of the model
– the so-called ‘everything-as-a-service’ trend. Intelligent products,
connected in real-time to the internet and managed via intelligent
network, allow organisations to develop new business models and
become digital disruptors. Until now, the IoT has been mostly linked
with machine-to-machine (M2M) communication. Products built
with M2M communication capabilities are often referred to as being
‘smart’. The IoT is expected to connect many of the devices we
have in our homes, from smart thermostats to smart fridges. Big
market players such as Google and Samsung already understand
this and are active participants in this transformation. Google
bought smart thermostat maker, Nest Labs, for USD 3.2 billion,
while Samsung purchased connected home company SmartThings
for USD 200 million.
According to a report from Gartner, by the end of 2015, there will
be almost 5 billion ‘things’ connected to the internet. By the end of
2020, the figure is forecasted to rise to over 25 billion. In other words,
there will be more than three things connected to the internet for
each person on the planet.
Furthermore, data jointly released by Cisco and logistics service
provider DHL reveals there are actually expected to be around 50
billion internet-connected devices by 2020, which would represent
a significant increase in the number of connections. And this
is not all. The IoT will definitely continue to grow. According to
estimations by the McKinsey Global Institute, the IoT will have a
total economic impact of up to USD 11 trillion by 2025. The same
source mentions that more than two thirds of the value will
be generated in business-to-business settings and business
customers and consumers will likely capture more than 90% of
the value created.
The IoT – a force that is driving innovation and digital transformation in financial services
The impact of such connectivity provided by the IoT cannot be
fully grasped yet. The IoT is expected to transform all industries,
including banking. A Deloitte analysis suggests that as many
as one quarter of sensors deployed in 2013 could be of use to
financial institutions, rising to one third in 2015 and then to about
50% by 2020. In total, the growth in sensor deployments for
financial services is expected to be very strong, ranging from just
over 20% to 100% annually on a compounded basis, depending
on the sector. Big data analytics, combined with a large number
of connected devices and environments through the IoT, are set
to empower data-driven management, reshape processes and
deliver significant benefits. The banking and securities industry will
continue to innovate around mobile and micropayment technology
using POS terminals and will invest in improved physical security
systems.
The IoT from a security and privacy perspective
The IoT really seems to be ‘the next big thing’. However, this ‘giant’
that presents tremendous opportunities for development, that
promises convenience and amazing experiences, is not without its
shortcomings. The first and most important ‘side effect’ that comes
up is the issue of security and privacy. How can businesses and
consumers be certain their data is protected with such an explosion
of devices and sensors?
About Ionela Barbuta: As Senior Editor at The Paypers, Ionela is in charge of managing projects and writing research articles on Security & Fraud. Ionela holds a Master's Degree in International Business and Intercultural Strategies.
About The Paypers: The Paypers is the leading independent source of news and analysis for professionals in the global payment community. Our products are created by payment experts and have a special focus on all major developments in payments - related industries including online/mobile payment, ecommerce, e-invoicing, online fraud prevention innovations and the most significant trends in the digital identity space.
www.thepaypers.com
Ionela Barbuta, Senior Editor
The Paypers
Cybersecurity will definitely take on a whole new dimension and
digital vulnerabilities are likely to expand in more ways than we can
currently imagine. Therefore, one of the most pressing problems
for businesses planning to take advantage of the IoT is protecting
company and customer data. Numerous IoT-based applications
depend on access to consumer data, including data collected
passively from customers’ behaviour. For instance, one use of the
technology could be fully automated checkout in retail settings.
Customers could literally walk out the door of a store without having
to wait in line or even swipe a card: data-gathering ‘beacons’ can
scan tags on all the items in a shopping cart, total the bill and debit
the customer’s account, perhaps even deducting money from the
customer’s smartphone.
In this context, each sensor could be a potential entry point for
hackers and the consequences of a data breach can be devastating.
To prevent this, companies should take on the responsibility to
work with technology vendors and heavily invest in data-security
capabilities. They should also build protections for their own
data and intellectual property when they implement IoT systems.
Notwithstanding the high risk of IoT, there is a lot of potential.
With greater connectivity, there comes greater convenience and
customers have a higher expectation of services and support.
COMPANY PROFILES
Company Accertify
Accertify Inc., a wholly owned subsidiary of American Express, is a leading provider of fraud prevention, chargeback management, and payment gateway solutions to merchant customers spanning diverse industries worldwide. Accertify’s suite of products and services help ecommerce companies grow their business by driving down the total cost of fraud and protecting their brand.
Website www.accertify.com
Keywords for online profile fraud, chargeback, payment gateway, risk, protect, loss, Accertify
Business model Software-as-a-service (SaaS)
Target market Online shoppers, financial institutions, payment services providers, online communities / web merchants, gaming & gambling, other online businesses
Contact [email protected]
Geographical presence Global
Active since 2007
Service provider type Digital identity service provider, technology vendor, web fraud detection company, payment service provider (PSP)
Member of industry association and or initiatives
Merchant Risk Council, Direct Response Forum, Vendorcom, AMIPCI
Services
Unique selling points Accertify leverages its flexible platform to enable merchants to screen for multiple fraud use cases, including, but not limited to payment, loyalty, claims, staff and social media reputation. Our unique capabilities allow genuine customers to be efficiently removed from fraud processes, supporting merchant growth.
Core services Accertify’s core suite of services includes fraud management, chargeback management, and payment gateway.
Pricing Model For more details contact our sales team at [email protected].
Fraud prevention partners Accertify is integrated to multiple third party services which includes, but not limited to: Lexis Nexis, Whitepagespro, Experian, InAuth, iovation, Threat Metrix, Perseuss, emailage, Neustar, Maxmind, ebureau, Mastercard, Discover.
Other services Professional Fraud Services, Decision Sciences, Manual Review outsourcing 24/7, Support Services, Rule Management and improvement, Best Practice consulting,Training services.
Third party connection United Parcel Services (UPS) and FedEx to obtain proof of delivery signatures; eFax (inbound and outbound fax receipt).
Technology: anti-fraud detection tools available
Address verifications services Yes
CNP transactions Yes
Card Verification Value (CVV) Yes
Bin lookup Yes
Geo-location Checks Yes
Device Fingerprint Yes through integrated partners
Payer Authentication Yes
Velocity Rules – Purchase Limit Rules
Yes
White list/black list database: Yes
KYC – Know Your Customer Yes; complemented with integrated partners
Credit Rating No
Follow up action Additional authentication (out of band authentication) and transaction verification capabilities.
Other Profiling (dynamic summarization and aggregation)
Authentication Context
Online Yes
Mobile Yes
ATM No
POS Yes
Call centre Yes
Other Kiosk (unattended terminal)
Reference Data connectivity
Connectivity to governmental data No (unless provided via partner – for example Experian or Lexis Nexis)
Other databases BIN, Oanda, Global latitude/longitude, Accertify Risk ID (multi-merchant negative dB), Accertify Index (multi-merchant positive dB), Amex Risk Information Management dB
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification Type PCI DSS Level 1, ISO 27001
Regulation For more details contact our sales team at [email protected].
Other quality programs For more details contact our sales team at [email protected].
Other remarks For more details contact our sales team at [email protected].
Clients
Main clients / references Marks and Spencer, British Airways, easyJet, Autotrader, Bazaarvoice, TUI
Future developments For more details contact our sales team at [email protected].
TURN SUSCEPTIBLE INTO SECURE.
Protect your online payments while driving business growth.
aciworldwide.com/onlinefraudprevention
Company ACI Worldwide
Specialist provider of fraud prevention and management solutions for all payment transaction types to merchants, issuers, acquirers, processors and switches. Through our ACI ReD Shield®, ACI ReDi™, ACI ReD Fraud Xchange™ and ACI ReD Alerts we deliver real-time, multi-tiered fraud solutions which are managed by our expert risk analysts. Our analysts – and systems – are informed by our unrivalled access to data and business intelligence and its ability to connect merchants, acquirers and issuers in the fight against fraud.
Website www.aciworldwide.com
Keywords for online profile online fraud prevention, ecommerce, online fraud, fraud analytics, Card Not Present (CNP)
Business model Direct and via our PSP channel.
Target market Online ecommerce merchants, financial institutions, payment services providers, government services, acquirers, gaming, retail, hospitality, loyalty, telecommunications, travel and entertainment
Contact Andy McDonald ([email protected] or +44 (0)7785 627494)
Geographical presence Global
Active since 1975
Service provider type Digital identity service provider, technology vendor, web fraud detection company, payment service provider (PSP), issuer, acquirer
Member of industry association and or initiatives
Merchant Risk Council, IMRG, Direct Response Forum, Vendorcom, Cross-Border eCommerce Community
Services
Unique selling points Automated processes and dedicated support from expert risk analysts. Global fraud data, fraud solutions tailored to sector and customer needs, predictive models and unlimited, flexible rules. Holistic fraud management – real-time and post-transaction monitoring using our unrivalled business intelligence solution. Presence across the payments chain, supporting merchant and issuer collaboration in the fight against fraud.
Core services Card Not Present (online, IVR, call centre and mobile) and card present fraud prevention; fraud and risk consultancy; payment services
Pricing Model Flexible
Fraud prevention partners ACI partners with leading PSPs around the globe (see a full list at http://www.aciworldwide.com/who-we-are/partners/our-partners.aspx).
Other services Payment services: Base 24 – EPS, Postilion, ACI Proactive Risk Manager, ACI Universal Online Banker. Please visit www.aciworldwide.com to view all services available from ACI
Third party connection For more information, please contact ACI.
Technology: anti-fraud detection tools available
Address verifications services Yes
CNP transactions Yes
Card Verification Value (CVV) Yes
Bin lookup Yes
Geo-location Checks Yes
Device Fingerprint Yes
Payer Authentication Yes
Velocity Rules – Purchase Limit Rules
Yes, unlimited and flexible.
White list/black list database: Yes
KYC – Know Your Customer Yes
Credit Rating No
Follow up action Yes
Other Compliance list checking, AML, additional black lists
Authentication Context
Online Yes
Mobile Yes
ATM Yes
POS Yes
Call centre Yes
Other For more information, please contact the sales team.
Reference Data connectivity
Connectivity to governmental data For more information, please contact ACI.
Other databases Commercial attribute providers, e.g. credit databases
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification Type PCI DSS v3.0, ISO 27001, SAS70
Regulation EU Data Protection
Other quality programs UK Payments Administration accreditation, Visa Account Information Security (AIS and CISP) accreditation, Amex Data Security Operating Policy
Other remarks For more information, please contact the sales team.
Clients
Main clients / references Upon Request
Future developments For more information, please contact ACI.
Company The ai Corporation
ai provides fraud prevention solutions to some of the world’s largest financial institutions, merchants and PSPs. Our unique self-service solutions, including our new “state of the art” neural technology, protect and enrich payments experiences for more than 100 banks and 3 million multi-channel merchants, monitoring over 20 billion transactions a year.
Website www.aicorporation.com
Keywords for online profile fraud prevention, analytics, neural, risk, detection, self-service, white label
Business model Direct and indirect licenced software sales through select partners. SaaS – Direct hosting and/or managed service
Target market Online merchants, multi channel merchants (traditional, mobile and online), financial institutions, card issuers – credit, debit, prepaid, fuel card, T E, card acquirers/ISO’s/payment facilitators, alternative payment providers (e-vouchers, e-wallets), payment services providers, government services, online communities/web merchants, gaming gambling, other online businesses
Contact Nick Walker ([email protected] or +44 7901 920573)
Geographical presence Global
Active since 1998
Service provider type Software technology vendor, SaaS managed service provider
Member of industry association and or initiatives
None
Services
Unique selling points Self-service real-time rules engine and neural model builder, empowering the user to easily build, deploy and operate their own fraud strategies quickly and efficiently without the need for expensive, lengthy and often ineffective third party services. The software also allows for non fraud analytics and rules deployment.
Core services Omni-channel and enterprise wide fraud prevention technology and managed services.
Pricing Model Licence fees or service fees
Fraud prevention partners PayVector, InAuth, FISH, PanInteligence, Azuka
Other services Business intelligence, cardholder/consumer engagement, enterprise case management
Third party connection Data providers, card management systems, transaction switches, PSPs
Technology: anti-fraud detection tools available
Address verifications services Partner
CNP transactions Yes
Card Verification Value (CVV) Yes
Bin lookup Yes
Geo-location Checks Partner
Device Fingerprint Partner
Payer Authentication Yes
Velocity Rules – Purchase Limit Rules
Yes with auto rule generator SmartRule.
White list/black list database: Yes
KYC – Know Your Customer Partner
Credit Rating Partner
Follow up action Enterprise wide case management.
Other More information available upon request.
Authentication Context
Online Yes
Mobile Yes
ATM Yes
POS Yes
Call centre Yes
Other Yes
Reference Data connectivity
Connectivity to governmental data Partner
Other databases Partner
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification Type ISO 27001 in progress.
Regulation PCI
Other quality programs KII, SmartMinds
Other remarks More information available upon request.
Clients
Main clients / references Shell, Barclaycard, Nedbank, Mashreq, AFS, Global Payments, IBQ
Future developments More data feeds, more third party interfaces, full automation of fraud detection.
How EMV will Change Online Business in the U.S.
Everyone in the payments world is talking about EMV in the U.S. But for omni-channel and online merchants, how will the use of EMV cards impact their eCommerce fraud?
Benefits of EMV Cards
A major benefit of chip cards is how the chips work at POS. Each time the card is used
in person, the chip creates a unique code that cannot be re-used. So if a card number
is stolen in a breach, the stolen number and transaction code would not be usable and
any fraudulent attempts at point-of sale would be denied.
Another benefit of the chip card is that the chips cannot be cloned by counterfeiters if
they steal a card number, so counterfeit cards cannot be used for in-person
transactions. This is also a drawback: because the chips are not “read” for a
card-not-present transaction, stolen chip card numbers can be – and increasingly
are – used to make fraudulent CNP transactions.
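The replay property described above can be shown in a few lines. The following Python model is an added illustration and is not code from Cardinal or any card scheme: the chip holds a per-card secret and a transaction counter, each in-person use produces a fresh MAC over the counter and the transaction data, and the issuer rejects any counter value it has already accepted. The HMAC construction, key handling, PAN and merchant ids are all constructed for the example; real EMV uses a different cryptogram (ARQC) format and key hierarchy.

```python
import hashlib
import hmac
import os


def _mac(key: bytes, pan: str, atc: int, amount_cents: int, merchant_id: str) -> str:
    # Toy cryptogram: HMAC-SHA256 over the fields the issuer must bind together.
    msg = f"{pan}|{atc}|{amount_cents}|{merchant_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Toy model of a chip card: a per-card secret and a transaction
    counter (ATC). Constructed for illustration; this is not EMV's real
    cryptogram (ARQC) format or key hierarchy."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter, increments per use

    def authorise(self, amount_cents: int, merchant_id: str) -> dict:
        # Every in-person use produces a fresh counter value and a new
        # cryptogram, so the code is never the same twice, even for
        # identical purchases.
        self.atc += 1
        return {
            "pan": self.pan,
            "atc": self.atc,
            "amount_cents": amount_cents,
            "merchant_id": merchant_id,
            "cryptogram": _mac(self._key, self.pan, self.atc, amount_cents, merchant_id),
        }


class Issuer:
    """Issuer-side verification: recompute the cryptogram and reject any
    counter value that is not strictly higher than the last one seen."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def enrol(self, pan: str) -> ChipCard:
        key = os.urandom(32)  # per-card key shared only with the chip
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def verify(self, msg: dict) -> str:
        key = self._keys.get(msg["pan"])
        if key is None:
            return "DECLINE:unknown_card"
        expected = _mac(key, msg["pan"], msg["atc"], msg["amount_cents"], msg["merchant_id"])
        # Constant-time compare; a tampered amount or merchant changes the MAC.
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINE:bad_cryptogram"
        # A captured authorisation carries an ATC the issuer has already
        # accepted, so presenting it again is detected as a replay.
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return "DECLINE:replay"
        self._last_atc[msg["pan"]] = msg["atc"]
        return "APPROVE"


def demo() -> tuple:
    """Walk through approve, replay and tamper outcomes with a constructed card."""
    issuer = Issuer()
    card = issuer.enrol("4111111111111111")  # constructed test PAN
    first = card.authorise(1999, "MERCHANT-A")
    approved = issuer.verify(first)   # "APPROVE"
    replayed = issuer.verify(first)   # "DECLINE:replay"
    second = card.authorise(500, "MERCHANT-A")
    second["amount_cents"] = 50_000   # altered in transit
    tampered = issuer.verify(second)  # "DECLINE:bad_cryptogram"
    return approved, replayed, tampered


if __name__ == "__main__":
    print(demo())
```

The model also makes the drawback in the text visible: a card-not-present authorisation carries only the PAN and no cryptogram, so nothing in `Issuer.verify` can distinguish the legitimate cardholder from someone holding a stolen number, which is why the online channel needs its own authentication step.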
visit: www.cardinalcommerce.com call: (877) 352-8444
Other benefits of Cardinal Consumer Authentication include:
• Increased sales – fewer false positives and the opportunity to sell in regions where 3-D Secure is mandated.
• Improved margins – liability shift on fraudulent chargebacks, potential interchange savings, and less manual review.
• Enhanced consumer experience – the merchant controls the amount of friction during checkout with dynamic rules that
can be applied transaction by transaction.
To learn more about how EMV can affect your CNP business, and what you can do to protect yourself, contact Cardinal.
ADVERTISEMENT
How Can Online Merchants Protect Themselves?
To thwart the influx of online fraud, many eCommerce merchants have dialed
up their fraud tools. This helps control the increased fraud, but also creates
false positives – transactions that the fraud tool flags and the merchant declines
that are actually good orders. This is almost as harmful to a merchant as the
fraud because it results in lost sales and insults to good consumers.
This puts online merchants in a difficult spot. Because chip cards can’t be used
for in-person fraud, the fraudsters look for the path of least resistance, the
card-not-present world. But there is a way to prevent fraud.
Cardinal Consumer Authentication (CCA) protects online
transactions the way chip cards prevent fraud at the cash register.
And combining CCA with a fraud tool, merchants can increase
their good orders by up to 15% vs using a fraud tool alone.
CCA’s rules-based approach gives merchants choice in how each
transaction is authenticated, and control over the amount of
consumer friction during checkout. In many cases, using CCA,
authentication happens behind the scenes, with no friction during
checkout for the consumer, using things like IP address, device
identification, buying patterns, or any data point the merchant
collects.
Company CardinalCommerce Corporation
CardinalCommerce is the pioneer and global leader in enabling authenticated payment transactions in the card-not-present payments industry, and the largest authentication network in the world. Through One Connection to the proprietary Cardinal SafeCloud, we enable friction-free, technology-neutral authentication and alternative payment services (including digital wallets and mobile commerce services).
Website www.cardinalcommerce.com
Keywords for online profile consumer authentication, 3-D Secure, prevent online fraud, prevent fraudulent chargebacks
Business model Sell directly to online merchants and financial institutions; sell through partners
Target market Financial institutions, payment services providers, online communities/web merchants, gaming and gambling
Contact [email protected]
Geographical presence Global – we do business in Europe, Asia, Africa, Australia, North and South America
Active since 1999
Service provider type Technology vendor
Member of industry association and or initiatives
Member of Merchant Risk Council (MRC) and Merchant Advisory Group (MAG); North American Board member of MRC
Services
Unique selling points With Cardinal Consumer Authentication you can increase sales, improve margins, control consumer friction during checkout and eliminate fraudulent chargebacks for your online business. With your One Connection to Cardinal, you can add alternative payment brands and digital wallets quickly and easily, to give your consumers the payment options they want.
Core services Cardinal Consumer Authentication, leveraging the 3-D Secure protocols to give merchants choice of which transactions to authenticate and control over checkout friction.
Pricing Model Transaction volume based pricing, starting at USD 29.99 US per month.
Fraud prevention partners Visa(CyberSource), ACI (Retail Decisions)
Other services Consumer authentication, alternative payment brands, digital wallets
Third party connection Visa (CyberSource), ACI (Retail Decisions), PayPal
Technology: anti-fraud detection tools available
Address verifications services Through a partner
CNP transactions Yes
Card Verification Value (CVV) Yes
Bin lookup Through a partner
Geo-location Checks Through a partner
Device Fingerprint Yes
Payer Authentication Cardinal Consumer Authentication
Velocity Rules – Purchase Limit Rules
Yes
White list/black list database: Yes
KYC – Know Your Customer Yes
Credit Rating No
Follow up action Additional authentication (out of band authentication) and transaction verification capabilities.
Other N/A
Authentication Context
Online Yes
Mobile Yes
ATM N/A
POS N/A
Call centre N/A
Other N/A
Reference Data connectivity
Connectivity to governmental data N/A
Other databases N/A
Fraud management system type
Single-channel fraud prevention system
N/A
Multi-channel fraud prevention system
N/A
Certification Type N/A
Regulation N/A
Other quality programs N/A
Other remarks N/A
Clients
Main clients / references Contact Cardinal Commerce for specific information.
Future developments Contact Cardinal Commerce for specific information.
Company CashRun
Fraud Protection & Global Payment Solution
CashRun has vast experience in the fraud industry protecting online merchants from high risk and costs associated with online fraud. Our 100% chargeback protection allows merchants to focus on their core business competencies and at the same time achieve higher revenue growth through effective fraud risk management.
Website www.cashshield.com
Keywords for online profile fraud solution, big data, machine learning, optimization
Business model CashRun offers leading fraud protection technology, solely designed and developed by us.
Target market Online communities/web merchants, financial institutions, payment services providers, government services, gaming and gambling, other online businesses
Contact [email protected]
Geographical presence Global
Active since 2007
Service provider type Web fraud detection company, payment service provider (PSP), technology vendor, digital identity service provider
Member of industry association and or initiatives
MRC Premium Sponsor
Services
Unique selling points CashShield’s fraud management solution is based on a combination of fraud detection technology, big data, machine learning that are optimized through a risk management algorithm. Our fully managed service helps you fight fraud hassle-free, with an added protection of an unprecedented 100% chargeback protection, for both tangible and intangible goods.
Core services Comprehensive online fraud risk management for online merchants and PSPs.
Pricing Model Unsecured Transactions (Paypal, Non 3D-Secured ) – CashShield Enterprise (100% Chargeback Guarantee) fee – a percentage of the value of transactions depending on industry risk. Secured Transactions (3D-Secured transactions) – CashShield Core fee – fixed fee per transaction.
Fraud prevention partners CashRun designs and develops its own fraud protection solutions.
Other services Online payment service provider
Third party connection N/A
Technology: anti-fraud detection tools available
Address verifications services Yes
CNP transactions Yes
Card Verification Value (CVV) Yes
Bin lookup Yes
Geo-location Checks Yes
Device Fingerprint Yes
Payer Authentication Yes
Velocity Rules – Purchase Limit Rules
No – CashShield does not use hard rules and limits that hamper growth.
White list/black list database: Yes
KYC – Know Your Customer No
Credit Rating No
Follow up action Our fully managed service tailors and configures the merchant’s risk template for them, giving them only two optimized decisions: accept or reject. We make decisions, not predictions.
Other CashShield’s machine learning system is updated daily with new fraud trends and data, to raise alerts on potential threats.
Authentication Context
Online Yes
Mobile Yes
ATM No
POS No
Call centre No
Other Yes – Mobile Apps
Reference Data connectivity
Connectivity to governmental data No
Other databases Yes
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification Type More information available upon request.
Regulation More information available upon request.
Other quality programs PCI Compliance
Other remarks More information available upon request.
Clients
Main clients / references Telecommunications, gaming publishers, prepaid products, software, digital goods, PSPs, acquirers, marketplaces, travels, airlines, ticketing, hotels, ecommerce retailers
Future developments Constantly enhancing our system to stay one step ahead of the latest fraud schemes and provide online merchants with the most comprehensive verification.
We make decisions, not predictions.
CashShield is here to simplify your verification process. We configure the risk template for you, which allows us to take full responsibility of our risk decisions instead of passing this responsibility back to you, while ensuring that we boost your sales conversion rates with two straight forward decisions: accept or reject.
Get ahead of fraud with our unprecedented 100
For more information, please visit www.cashshield.com
ACCEPT MORE ORDERS, WITH LESS FRAUD.
Our integrated payment, fraud and security management services can help speed up time-to-market, streamline operations and help you accept payments securely – online and through mobile devices, across the globe.
Contact us: [email protected] +44 (0)118 990 7300 cybersource.co.uk
IF YOU ARE A MERCHANT SELLING ONLINE, WE CAN HELP YOU:
MANAGE MOBILE FRAUD
Our range of tools can help you to confidently sell through the mobile channel, while managing fraud to the same levels as with traditional eCommerce channels.
INCREASE ORDER ACCEPTANCE
We can help you optimise your fraud management operations to protect the customer experience and accept more genuine orders.
MANAGE GLOBAL FRAUD
Our range of solutions can help you accept orders from international markets with confidence.
About CyberSource: CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorise.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Foster City, California and maintains offices throughout the world, with regional headquarters in Singapore, Tokyo, Miami/Sao Paulo and Reading, UK. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.co.uk
© 2015 CyberSource Corporation. All rights reserved.
Learn more about our fraud management solutions www.cybersource.co.uk
Company Name CyberSource Ltd.
CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Foster City, California and maintains offices throughout the world, with regional headquarters in Singapore, Tokyo, Miami / Sao Paulo and Reading, UK. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.co.uk.
Website www.cybersource.co.uk
Keywords for online profile fraud management, risk management, payment security, ecommerce, payments, payment gateway, rules based payer authentication
Business model Software as a Service (SaaS)
Target market Retail, travel, financial institutions, media and entertainment
Contact CyberSource Ltd. Reading International Business Park, Reading, Berkshire RG2 6DH; VAT No: GB 927 433123
Geographical presence Worldwide
Active since 1994
Service provider type Payment Service Provider (PSP), fraud management company, web fraud detection, device identification
Member of industry association and or initiatives
Merchant Risk Council, IMRG, Vendorcom
Services
Unique selling points The only global payment management platform built on secure Visa infrastructure—with integrations to the world’s largest network of connected commerce partners and transaction insights—CyberSource solutions power businesses to create new brand experiences, grow sales and engagement, and keep payment operations safe.
Core services CyberSource provides fraud management services to help manage the entire life cycle of payment fraud, including account creation and takeover risk.
Pricing Model Tiered SaaS-based pricing model.
Fraud prevention partners ThreatMetrix, Cardinal Commerce, Neustar
Other services More information available upon request.
Third party connection Neustar, LexisNexis, Whitepages.com, Perseuss, Computer Services
Technology: anti-fraud detection tools available
Address verifications services Yes
CNP transactions Yes
Card Verification Value (CVV) Yes
Bin lookup Yes
Geo-location Checks Yes
Device Fingerprint Yes
Payer Authentication Yes
Velocity Rules – Purchase Limit Rules Yes
White list/black list database: Yes
KYC – Know Your Customer No
Credit Rating No
Follow up action Additional authentication (out of band authentication) and transaction verification capabilities.
Other More information available upon request.
Authentication Context
Online Yes
Mobile Yes
ATM No
POS No
Call centre Yes
other More information available upon request
Reference Data connectivity
Connectivity to governmental data No
Other databases Commercial attribute providers, e.g. credit databases
Fraud management system type
Single-channel fraud prevention system No
Multi-channel fraud prevention system Yes
Certification Type More information available upon request.
Regulation More information available upon request.
Other quality programs More information available upon request.
Other remarks Contact [email protected] for more information.
Clients
Main clients / references Turkish Airlines, China Eastern, Cinépolis, Webjet, Backcountry, ESET
Future developments For more information contact [email protected].
Company Entersekt
Entersekt is an innovator in transaction authentication, securing digital banking and payments by harnessing the power of electronic certificate technology with the convenience of mobile phones. Financial institutions look to Entersekt to strengthen the bonds of trust they share with their customers and to deepen those relationships through innovative new services.
Website www.entersekt.com
Keywords for online profile Mobile security, mobile banking, online banking, card-not-present, out-of-band authentication, multi-factor authentication, push-based authentication, 3-D Secure
Business model Direct and through partners
Target market Financial institutions, card issuers, insurers, payment service providers
Contact Entersekt sales team: [email protected]
Geographical presence Africa, Europe, Middle East, North America
Active since 2008
Service provider type Digital identity service provider
Member of industry associations and initiatives
FIDO Alliance, WASPA
Services
Core services Mobile-app–based, multi-factor authentication and transaction signing of online banking, mobile banking, and card-not-present payments.
Other services Authentication in the consumer space (LastPass, Google Chrome), non-app-based out-of-band authentication and SIM-swap protection through push USSD.
Unique selling points Entersekt’s patented emCert technology generates public/private key pairs to uniquely identify enrolled mobile devices and validate two-way communications. A self-contained cryptographic stack and communications layer enables an end-to-end encrypted channel distinct from that initiated by the device, so transactions originating from the phone can still be authenticated out of band.
Pricing model Per user subscription
Partners Amazon Web Services, Citrix, IBM, Netcetera, Visa, MasterCard, American Express
Offering: authentication technology used
Technology used Industry-standard X.509 digital certificates; proprietary validation techniques developed specifically for the mobile phone; FIPS 140-2 Level 3 on-premise hardware appliance; dynamic public key pinning; secure browser pattern; device and application context for context-based risk scoring; advanced detection of rooting, jailbreaking, or similar mobile operating system security bypass hacks; support for fingerprint biometrics; NI USSD for non-app-based out-of-band authentication and SIM-swap protection.
Authentication context
Online Yes
Mobile Yes
ATM No
Branch/Point of Sale No
Call Centre Yes
Other: Card-not-present payments (3-D Secure), e-mail
Issuing process (if applicable)
Assurance levels conformity N/A
Online issuing process (incl lead time in working days) Yes. Identity proofing and enrolment processes are set by the implementing institution, but there is no reason why remote device registration should take more than a few minutes. Options available for enrolling a user include phone-based registration via one-time password, scanning a printed QR code, and a combination of scanning a bank card and inputting the associated PIN.
Face-to-face issuing (incl lead time in working days) Yes. Identity proofing and enrolment processes are set by the implementing institution, but there is no reason why in-branch device registration should take more than a few minutes.
Issuing network Bank branches, online services
Attributes offered
Persons Level of trust (e.g. biometric data, password); signed authentication message
Companies For more information, please contact our sales team.
Reference data connectivity
Connectivity to governmental data N/A
Other databases N/A
Certification Type Entersekt’s flagship product, Transakt, is FIDO Certified as a U2F (universal second factor) authenticator. Transakt is also validated with the Ready for IBM Security Intelligence program and Citrix XenApp. Entersekt’s card-not-present authentication solution is fully accredited by Visa, MasterCard, and American Express.
Regulation Entersekt’s solutions are engineered specifically for the heavily regulated financial sector and adhere to all major digital banking security mandates, including the requirements set out by the European Central Bank, the FFIEC, and the Monetary Authority of Singapore. They are compliant with ISO 21188:2006 (Public key infrastructure for financial services) and utilize hardware security modules certified as FIPS 140-2 Security Level 3 for encrypting and decrypting all authentication data.
Other quality programs The underlying technology is regularly validated by independent third parties to ensure it is invulnerable to new attack vectors.
Other remarks For more information, please contact our sales team.
Clients
Main clients / references Those listed in the public domain: Capitec Bank; Equity Bank; Investec; Nedbank; Old Mutual; Swisscard. For others, please contact our sales team.
Future developments For more information, please contact our sales team.
Digital banking and payments are a work in progress. Their future will be built on trust.
Banks around the world look to Entersekt to strengthen the bonds of trust they share with their customers, and to help deepen those relationships by launching innovative new digital services.
Discover how our mobile-enabled authentication product Transakt™ can help your organization build richer, more satisfying online and mobile banking experiences, unrestricted by security concerns.
Transakt opens up digital banking.
entersekt.com
U2F
Security in your pocket
✓ Mobile SDK or app
✓ Push-based
✓ Out of band
✓ Multi-factor
It’s modern fraud science made simple. Feedzai is the easy, straightforward solution for risk teams to upgrade to advanced machine learning fraud models. With Feedzai, today’s risk professionals in businesses large and small can now have the power of advanced data science to fight fraud and false alarms.
[email protected] | 650-260-8924 | EUR: +351-239-402-166
Using artificially intelligent algorithms, Feedzai keeps your payment safe and your commerce moving.
Reduce fraud by up to 80% with Feedzai. Schedule a demo today to see what Feedzai can do in real-time for your own business data.
Company Feedzai
Feedzai was founded in 2009 by data scientists and aerospace engineers to make commerce safe for business customers through the use of artificially intelligent machine learning. Feedzai’s Fraud Prevention That Learns technology is used by large financial services companies to risk-score over USD 1 billion of commerce transactions each day.
Website www.feedzai.com
Keywords for online profile Machine learning platform to manage risk and prevent fraud.
Business model Software-as-a-service (SaaS)
Target market Online shoppers, financial institutions, payment services providers, government services, online communities / web merchants, gaming and gambling, other online businesses
Contact info feedzai.com
Geographical presence Global
Active since 2009
Service provider type Technology vendor, web fraud detection company
Member of industry association and or initiatives
More information available upon request.
Services
Unique selling points Feedzai makes commerce safe for business customers and creates a better experience for their consumers through artificially intelligent machine learning. Financial services companies use Feedzai’s anti-fraud technology to keep commerce moving safely.
Core services Feedzai offers a machine learning platform to manage risk and prevent fraud that can process transactions at big data scale.
Pricing Model For more details contact our sales team at sales@feedzai.com.
Fraud prevention partners SAP, Emailage, Socure, Deloitte, EnCap Security, Azul Systems, Cloudera, Datastax
Other services More information available upon request.
Third party connection More information available upon request.
Technology: anti-fraud detection tools available
Address verifications services Yes
CNP transactions Yes
Card Verification Value (CVV) No
Bin lookup Yes
Geo-location Checks Yes
Device Fingerprint Yes
Payer Authentication Yes
Velocity Rules – Purchase Limit Rules Yes
White list/black list database: Yes
KYC – Know Your Customer Yes
Credit Rating Yes
Follow up action Additional authentication (out of band authentication) and transaction verification capabilities.
Other Machine learning
Authentication Context
Online Yes
Mobile Yes
ATM Yes
POS Yes
Call centre Yes
Other More information available upon request.
Reference Data connectivity
Connectivity to governmental data More information available upon request.
Other databases More information available upon request.
Fraud management system type
Single-channel fraud prevention system No
Multi-channel fraud prevention system Yes
Certification Type PCI DSS Level 1
Regulation Directive 95/46/EC
Other quality programs More information available upon request.
Other remarks More information available upon request.
Clients
Main clients / references First Data, top-tier banks
Future developments Deep learning
Company iovation Inc.
iovation protects online businesses and their end users against fraud and abuse, and identifies trustworthy customers through a combination of advanced device identification, shared device reputation, device-based authentication and real-time risk evaluation.
Website www.iovation.com
Keywords for online profile device identification, device reputation, online fraud prevention, mobile fraud, account takeover prevention, device-based authentication, customer authentication, trust scoring
Business model SaaS
Target market Online businesses such as retailers, financial institutions, lenders, prepaid cards, insurers, social networks and dating sites, logistics, gaming/MMO, gambling operators, online auction sites, and travel and ticketing companies.
Contact Connie Gougler, Director of Marketing, [email protected], 503-943-6748
Geographical presence Global: iovation’s business is 51% US and 49% international
Active since 2004
Service provider type Device Identification, Web Fraud Detection, Customer Authentication
Member of industry association and or initiatives
Merchant Risk Council, Online Lenders Association
Services
Unique selling points iovation provides real-time SaaS for authentication and fraud prevention that tells our clients if a customer visiting their site is risky based upon specific criteria for evaluating the transaction or activity. iovation provides a score and result (allow, review, deny) for every transaction, allowing our clients to use an automated workflow. iovation’s global consortium contains the reputations of nearly 3 billion devices and 25 million fraud events such as chargebacks, identity theft, account takeovers, online scams and many more.
Core services iovation offers fraud prevention, customer authentication services and trust scoring/services.
Pricing Model Per transaction fee based on system usage depending on volume, type of transaction, and length of contract.
Fraud prevention partners Fiserv, Equifax, ID Analytics, Accertify, Kaspersky, ACI Worldwide, Verisk, Callcredit, Imperva, Zoot
Other services Our clients have access to the Fraud Force Community, an exclusive private B2B network of the world’s foremost security experts sharing intelligence about cybercrime prevention, device identification, new threats and other fraud-related topics.
Third party connection iovation delivers data in XML format, allowing output to be integrated easily with third-party systems.
Technology: anti-fraud detection tools available
Address verifications services No: While we do not offer AVS services, we capture the IP address and its geolocation. We can flag transactions from ‘blocked’ countries, as well as notify clients when mismatches occur between the IP address shown by the user’s browser and the IP address we collect with our Real IP proxy unmasking feature.
CNP transactions Yes: iovation’s service is primarily used to detect high risk activity at login, account creation, fund transfer and checkout. In addition, our iovation score helps identify the most trustworthy customers in our clients’ review queues so that they can take good business immediately, and offer higher-value promotions to their preferred customers.
Card Verification Value (CVV) No: This service is handled through our client’s payment processor.
Bin lookup No: This service is handled through our client’s payment processor.
Geo-location Checks Yes: iovation’s clients can flag transactions when activity is coming from an unauthorized country or through a proxy, and they can use our Real IP technology to pinpoint the user’s actual location.
Device Fingerprint Yes: iovation offers a defense-in-depth approach to device recognition, supporting native and web integrations for mobile, tablet and desktop devices.
Payer Authentication No: This service is handled through our client’s payment processor.
Device-based Authentication Yes: iovation’s authentication service allows clients to use their customer’s known devices to help verify identity. Authentication happens in real-time, behind the scenes, reducing unnecessary friction.
Velocity Rules – Purchase Limit Rules Yes: iovation’s velocity rules flag transactions when thresholds are exceeded. These may include situations where too many accounts are accessed per device, or too many new accounts are created within a timeframe. Specific rules include Accounts per Device, Accounts Created per Device, Countries per Account, Countries per Device, Transactions per Account, and Transactions per Device. Our service also flags transaction value thresholds, and other transactional velocities.
White list/black list database: Yes: iovation clients can flag transactions based on custom-built lists. These can be positive or negative lists. List types include accounts, devices, IP ranges, ISPs, locations and others, and are easily managed across rule sets.
Device Anomalies Yes: iovation clients can flag transactions when device settings are anomalous and indicative of risk. While individual device characteristics may not be proof of risk, certain characteristics may be worth monitoring, and several in combination with each other may indicate attempts by the user to evade detection.
Fraud and Abuse Records Yes: iovation clients can flag transactions that originate from an account or device already associated with fraud or abuse. Previous fraud or abuse is recorded in our system as evidence. The customer sets the types of evidence they want to consider, and decides whether to leverage only the evidence they log, or consider the evidence of other iovation subscribers.
KYC – Know Your Customer No
Credit Rating No
Follow up action iovation’s fraud prevention service provides an Allow, Review or Deny result for each transaction. Clients then decide the best course of action to take in response to these results. iovation also returns detailed information about the device associated with the transaction; clients can store this data and correlate it back to identity management and other systems as needed.
Authentication Context
Online Yes
Mobile Yes: iovation’s mobile SDK for iOS and Android identifies jailbroken or rooted devices, and captures device location through IP address, network-based geo-location information, and GPS data. The location services expose mismatches between the reported time zone and location, long distances between transactions made in short periods of time, and other location-based anomalies. It also detects transactions originating from virtual machines or emulators.
ATM No
POS No
Call centre No
Reference Data connectivity
Connectivity to governmental data No
Other databases MaxMind – IP geolocation
Fraud management system type
Single-channel fraud prevention system Yes: iovation delivers comprehensive online fraud prevention for mobile, tablet and PC-based transactions.
Multi-channel fraud prevention system Our services focus on online transactions and complement a multi-channel prevention system.
Certification Type
Regulation iovation supports FFIEC compliance by providing device identification and device-based authentication services.
Other quality programs iovation follows strict Quality Assurance processes for new products and services, and offers Service Level Agreements (SLAs) which include 99.9% uptime as a part of all customer agreements.
Other remarks
Clients
Main clients / references NetSpend, Bazaarvoice, Intuit, CashStar, Aviva Insurance, New Era Tickets, AT&T Performing Arts Center, SG North and hundreds more.
Future developments For more information, please contact iovation at [email protected]
Company Mitek (formerly IDChecker)
Mitek (NASDAQ: MITK) is a global leader in mobile capture and identity verification software solutions. Mitek’s ID document verification and facial recognition allow an enterprise to verify a user’s identity during a mobile transaction, enabling financial institutions, payments companies and other businesses operating in highly regulated markets to transact business safely while increasing revenue from the mobile channel. Mitek acquired IDChecker in June of 2015.
Website www.miteksystems.com
Keywords for online profile ID document verification, biometric authentication
Business model Transaction model
Target market Card issuers, acquirers, payment processors, government services, business services
Contact [email protected]
Geographical presence Global
Active since 2004
Service provider type Identity verification
Member of industry associations and initiatives
More information available upon request.
Services
Core services Mobile capture, ID document verification and biometric authentication.
Other services More information available upon request.
Unique selling points Mobile ID verification bridges the gap between usability and security with mobile capture and ID document verification. This boosts conversion rates, lowers onboarding costs and allows you to safely and securely approve more good customers for mobile transactions.
Pricing model Transaction based
Partners Experian – Contego – Crif – Vix
Offering: authentication technology used
Technology used SaaS
Authentication context
Online Yes
Mobile Yes
ATM No
Branch/Point of Sale Yes
Call Centre No
Other: Document Expert Examination
Issuing process (if applicable)
Assurance levels conformity ISO 27001
Online issuing process (incl lead time in working days)
N/A
Face-to-face issuing (incl lead time in working days)
N/A
Issuing network N/A
Attributes offered
Persons ID document verification – including age verification
Companies N/A
Reference data connectivity
Connectivity to governmental data N/A
Other databases N/A
Certification Type ISO 27001
Regulation KYC
Other quality programs N/A
Other remarks N/A
Clients
Main clients / references Paypal – GWK Travelex – Experian – Randstad Group
Future developments N/A
Company Perseuss
Perseuss is the global travel industry’s own solution to the battle against fraud. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.
Website www.perseuss.com
Keywords for online profile fraud prevention, data sharing, collaboration, artificial intelligence, trusted platform, fraud data, negative database, positive database
Business model Subscription service
Target market Airlines, online travel agents, rail companies, hotels, car rentals, gaming and gambling, other online businesses
Contact [email protected]
Geographical presence Global
Active since 2009
Service provider type Technology vendor
Member of industry association and or initiatives
IATA
Services
Unique selling points Perseuss is a secure community platform where merchants can legally share information about fraud cases they have encountered. Each member has access to the common database containing details of online purchases which were involved in either suspicious transactions or in confirmed fraud. It allows each business to verify their own sales data to identify any suspicious transactions.
Core services Data sharing platform including analysis, reporting, scoring and e-mail age verification.
Pricing Model Please ask company for more information.
Fraud prevention partners Please ask company for more information.
Other services Please ask company for more information.
Third party connection Accertify, ACI Universal Payments, Adyen, DataCash, Ingenico Payment Services, Wirecard, Worldpay, Ypsilon
Technology: anti-fraud detection tools available
Address verifications services No
CNP transactions No
Card Verification Value (CVV) No
Bin lookup Yes
Geo-location Checks No
Device Fingerprint No
Payer Authentication No
Velocity Rules – Purchase Limit Rules No
White list/black list database: Yes; watch list
KYC – Know Your Customer No
Credit Rating No
Follow up action No
Other E-mail age verification, Social Media check
Authentication Context
Online More information available upon request.
Mobile More information available upon request.
ATM More information available upon request.
POS More information available upon request.
Call centre More information available upon request.
Other More information available upon request.
Reference Data connectivity
Connectivity to governmental data No
Other databases No
Fraud management system type
Single-channel fraud prevention system More information available upon request.
Multi-channel fraud prevention system More information available upon request.
Certification Type More information available upon request.
Regulation More information available upon request.
Other quality programs More information available upon request.
Other remarks More information available upon request.
Clients
Main clients / references Please ask company for more information.
Future developments Please ask company for more information.
The global travel industry’s own solution to the battle against fraud
Contact Us
Perseuss, Schellingweg 17D, NL-1507 DR Zaandam, The Netherlands
+31 75 653 94 04
How Perseuss members use the system in everyday operations
Travel companies upload fraudulent bookings data to the Perseuss database.
Company A (e.g. Travel Agent) sees a suspect transaction, so checks the details against the database. This shows two other instances of the same details used fraudulently. The analyst reviews the case, decides to decline the booking and adds the booking data to Perseuss.
Company B (e.g. Airline): a few hours later Company B has a match with one of the data elements uploaded by Company A. This uncovers a whole series of bookings that turn out to be fraud.
ALWAYS ONE STEP AHEAD OF THE FRAUDSTERS
Reduce fraud and grow profits with smarter fraud prevention from Risk Ident
We protect millions of transactions every week, so your customers can buy securely and with confidence.
Contact us today: www.riskident.com | +44 (0) 203 668 3611 | [email protected]
RETAIL TRAVEL TELECOMS PAYMENTS FINANCIAL SERVICES GAMING
✓ BOOST CUSTOMER NUMBERS
✓ REDUCE FALSE POSITIVES
✓ ACCURATELY PINPOINT GENUINE FRAUD
✓ IDENTIFY ACCOUNT TAKEOVERS
✓ CUT AFFILIATE FRAUD
✓ PREVENT IDENTITY FRAUD
Company Risk Ident
Risk Ident offers anti-fraud solutions for companies within the ecommerce and financial sectors, empowering fraud managers with intelligence and self-learning machine technology to provide stronger fraud prevention. Risk Ident are experts in device fingerprinting and behavioural analytics, while its products are specifically tailored to comply with European data privacy regulations.
Website http://riskident.com
Keywords for online profile online fraud prevention, account takeover prevention, device identification, worldwide device pool, automatic fraud detection, fraud case processing, credit risk evaluation, credit scoring
Business model Direct and through partners within the credit scoring industry.
Target market Web merchants, financial institutions, payment services providers, online communities, gaming and gambling, other online businesses
Contact [email protected]
Geographical presence 90% Europe, 10% international
Active since 2013
Service provider type Technology vendor, web fraud detection company
Member of industry association and or initiatives
Merchant Risk Council
Services
Unique selling points Risk Ident is a leading software developer for credit risk and fraud prevention tools. We are experts in applying trending algorithms and other machine learning components on different data feeds to identify consumer credit and fraud risks in ecommerce. We also offer our own device fingerprinting solution, specializing in recognition of mobile devices.
Core services Fraud detection, credit scoring software and device fingerprinting services.
Pricing Model Monthly fees per user (fraud and credit software) / per transaction (device fingerprinting)
Fraud prevention partners Credit Reference Agencies: SCHUFA, CRIF
Other services More information available upon request.
Third party connection Yes
Technology: anti-fraud detection tools available
Address verifications services Yes
CNP transactions Yes
Card Verification Value (CVV) Yes
Bin lookup Yes
Geo-location Checks Yes
Device Fingerprint Yes
Payer Authentication Yes
Velocity Rules – Purchase Limit Rules Yes
White list/black list database: Yes
KYC – Know Your Customer Yes
Credit Rating Yes
Follow up action Various
Other More information available upon request.
Authentication Context
Online Yes
Mobile Yes
ATM More information available upon request.
POS (Yes)
Call centre More information available upon request.
Other More information available upon request.
Reference Data connectivity
Connectivity to governmental data More information available upon request.
Other databases Identity & Address Providers, Credit Scoring Providers
Fraud management system type
Single-channel fraud prevention system Yes
Multi-channel fraud prevention system Yes
Certification Type ISO 27001 Data Center
Regulation More information available upon request.
Other quality programs More information available upon request.
Other remarks Fully EU data privacy compliant
Clients
Main clients / references Client lists for DE, CH, AT, UK, FR on request / Key investor Otto Group (#2 European online merchant)
Future developments Full credit and fraud risk service for online merchants and financial institutions.
Company Signicat
Signicat is a secure identity cloud service provider with deep expertise in online electronic ID (e-ID), advanced electronic signatures and PKI solutions. It offers wide coverage of national and public e-IDs in Europe, accessible through one single point of integration. Signicat offers a secure and smooth integration for more than 150 customers cross border in industries like financial services, ecommerce and public sector. The services are available cross channel on multiple devices.
Website www.signicat.com
Keywords for online profile European e-IDs and eSignatures as a Service.
Business model Cloud Services (SaaS)
Target market Horizontal, with focus on financial services industry including card issuers and PSPs, telco and government
Contact Arne Vidar Haug, VP Bus Dev & Ole Christian Olssøn, VP Sales
Geographical presence Norway, Sweden, Denmark, Finland, the Netherlands, Estonia, Lithuania, Latvia, Spain
Active since 2007
Service provider type E-identity service provider and eSignature services.
Member of industry associations and initiatives
Kantara Initiative, STORK 2.0, ePractice.eu, OSWALD
Services
Core services Signicat offers customers access to a wide range of European national e-IDs and eSignature services including timestamping, long term archiving and re-signing as a service. The company also provides issuing of IDs like password with SMS OTP and app-based Mobile ID in addition to single sign-on and identity services.
Other services Secure Web Forms, Single Sign-On based on pure SAML 1/2, ready made integration with IBM Tivoli, JAVA, .NET, SharePoint, Oracle IAM and WebCenter/UCM.
Unique selling points Extend customer relationships, dialogue and self-service capabilities through our range of services. Connecting to available services through one standard interface (saml 1/2 etc.) that shortens time to market, improves ROI and offers customers the ability to focus on their core business.
Pricing model One time connection fee, plus combination of monthly subscription and transaction fees.
Partners Close relationships with ISVs, SIs, tech companies (IBM, Oracle, Microsoft) and Biznode among others. Plug-ins to SalesForce and SuperOffice among others.
Offering: authentication technology used
Technology used Cloud based services on industrial standardized protocols like XML, SOAP, SAML and HTTP.
Authentication context
Online Yes, through our own cloud service including eSignature.
Mobile Yes, through our own cloud service including eSignature.
ATM N/A
Branch/Point of Sale Standardized interfaces available for integration.
Call Centre Standardized interfaces available for integration.
Other: Standardized interfaces available for integration for multiple services in need of authentication and digital signatures.
Issuing process (if applicable)
Assurance levels conformity N/A
Online issuing process (incl lead time in working days)
Self service process, issued in a minute. Establishment of solution takes approx 2-5 days.
Face-to-face issuing (incl lead time in working days)
Issuer process face-to-face is handled by public or national eID issuer dependant on country.
Issuing network Online services like e-mail and SMS in addition to postal network, bank branches, notaries.
Attributes offered
Persons Name, address, SSN, birthplace, age, country, etc. Information available depends on selected e-ID used.
Companies Name, address, company registration no.(where applicable), procurists, signatory rights
Reference data connectivity
Connectivity to governmental data Citizens' public register, company register
Other databases Commercial attribute providers, e.g. credit databases
Certification type ISA 3000 revision on ISO 27001 Information Security Policy in progress.
Regulation EU Signature Directive, ETSI, in addition to the national directives for European countries based on the EU Directive.
Other quality programs OWASP, ETSI
Other remarks Winner of the IDDY (Identity Deployment of the Year) award 2009.
Clients
Main clients / references Norwegian Post, SEB, If, Santander, Nykredit, Bank Norwegian and Norwegian Educational State Fund among others.
Future developments Continued support for new e-IDs in Europe including enhancements to Signature solutions, for example German nPA, Dutch eHerkenning and Swiss SwissID.
Company Socure
Socure is the leader in digital identity verification. By applying machine-learning techniques to biometrics and intelligence from email, phone, IP, online/offline and social media data, Socure bolsters fraud prevention and KYC/OFAC compliance programmes for enterprises conducting business in over 180 countries, helping them combat identity fraud, prevent account takeover and increase consumer acceptance.
Website www.socure.com
Keywords for online profile identity verification, biometrics, fraud risk mitigation, KYC compliance, AML, OFAC, technology
Business model Subscription-based SaaS
Target market Financial institutions
Contact [email protected] +1.866.932.9013
Geographical presence Headquarters in New York City, used in over 180 countries worldwide
Active since 2012
Service provider type Digital identity service provider, technology vendor, web fraud detection company
Member of industry associations and/or initiatives ETA, BAI, MRC, Safe Harbor certified
Services
Unique selling points Patented technology that blends trusted email, phone, online and offline data, including social media network data and facial recognition. Ability to resolve identities across a broad population using alternative data and to provide fraud risk estimation; easily integrates into existing processes. The technology is adaptive machine learning, in which the model learns from false positives to improve its predictive power over time, both globally and on a per-client basis.
Core services Socure provides identity verification services, fraud risk mitigation, CIP/KYC programme compliance, financial inclusion and facial biometrics for transaction verification.
Pricing model Annual subscription, billed per API call.
Fraud prevention partners Feedzai, oot, Sphonic
Other services Transaction authentication, facial recognition, biometric identification
Third party connection More information available upon request.
Technology: anti-fraud detection tools available
Address verifications services Yes
CNP transactions Yes
Card Verification Value (CVV) No
Bin lookup No
Geo-location Checks Yes
Device Fingerprint Yes
Payer Authentication Yes
Velocity Rules – Purchase Limit Rules No
White list/black list database: Yes
KYC – Know Your Customer Yes
Credit Rating No
Follow up action Additional authentication (out-of-band authentication) and transaction verification capabilities.
Other OFAC checks
Authentication Context
Online Yes
Mobile Yes
ATM No
POS Yes
Call centre No
other More information available upon request.
Reference Data connectivity
Connectivity to governmental data Customisable
Other databases Commercial attribute providers, e.g. credit databases
Fraud management system type
Single-channel fraud prevention system Yes
Multi-channel fraud prevention system Yes
Certification type US/EU Safe Harbor, US SOC 2 (imminent)
Regulation KYC, CIP, AML, OFAC
Other quality programs Privacy compliance
Other remarks More information available upon request.
Clients
Main clients / references More information available upon request.
Future developments More information available upon request.
Company Wirecard AG
Wirecard AG is one of the world's leading independent providers of outsourcing and white-label solutions for electronic payment transactions. Wirecard's global multi-channel platform bundles international payment acceptance, payment methods and fraud prevention. Wirecard provides companies with an end-to-end infrastructure for issuing products, including the requisite licences for card and account products.
Website www.wirecard.com
Keywords for online profile ecommerce, mobile payment, risk management, acquiring, issuing, credit cards, online banking, POS payment processing
Business model Please contact Wirecard for more information.
Target market Online shoppers, financial institutions, payment services providers, government services, online communities/web merchants, gaming and gambling, other online businesses
Contact [email protected] | +49 89 4424 1400
Geographical presence Europe, Middle East/Africa, Asia/Pacific
Active since 1999
Service provider type Digital identity service provider, technology vendor, web fraud detection company, payment service provider (PSP), issuer, acquirer
Member of industry associations and/or initiatives Please contact Wirecard for more information.
Services
Unique selling points Industry-specific and customisable fraud prevention models; continuous improvement of the models based on direct access to fraud notifications from issuing banks; checking of all of a merchant's transactions on every sales channel (eCom, mobile/mPOS, MOTO, POS, BSP/ATO/CTO for airlines) thanks to close technical integration with Wirecard Bank as acquirer.
Core services Fraud prevention for card payments and alternative payment methods, credit scoring, decision logic for credit limit calculation, transaction checks, merchant monitoring
Pricing model Flexible pricing models, depending on requirements and volumes.
Fraud prevention partners Wirecard is integrated with multiple third-party fraud prevention partners.
Other services Fraud analytics for customers, international address verification
Third party connection Providers of negative databases, credit agencies, international phone number verification
Technology: anti-fraud detection tools available
Address verifications services Yes
CNP transactions Yes
Card Verification Value (CVV) Yes
Bin lookup Yes
Geo-location Checks Yes
Device Fingerprint Yes
Payer Authentication Yes
Velocity Rules – Purchase Limit Rules Yes
White list/black list database: Yes
KYC – Know Your Customer Yes
Credit Rating Yes
Follow up action Additional authentication (out-of-band authentication) and transaction verification capabilities.
Other Fraud Prevention Suite with detailed Business Intelligence tools, 3-D Secure, CUP-Secure, Trust Evaluation Suite
Authentication Context
Online Yes
Mobile Yes
ATM Yes
POS Yes
Call centre Yes
Other Industry-specific sales channels, e.g. BSP/ATO/CTO for airlines, mPOS
Reference Data connectivity
Connectivity to governmental data Sanction lists, e.g. EG 2580/2001, EG 881/2002, US DPL (Denied Persons List), US SDN list, US Entity List
Other databases Commercial attribute providers, e.g. credit databases, PEP screening
Fraud management system type
Single-channel fraud prevention system Yes
Multi-channel fraud prevention system Yes
Certification type e.g. PCI DSS certified; for more information please contact Wirecard.
Regulation KYC (KWG § 24c), anti-money laundering (AML)
Other quality programs N/A
Other remarks N/A
Clients
Main clients / references More than 20,000 merchants from various industries.
Future developments Not to be disclosed.
110 WEB FRAUD PREVENTION, ONLINE SECURITY & DIGITAL IDENTITY MARKET GUIDE 2014 / 2015
Glossary
A
Account takeover: A form of identity theft where a criminal gains complete control of a consumer's account, for example by obtaining the PIN or changing the statement mailing address.
Account creation fraud: Using stolen, compromised or synthetic identities, typically through a spoofed location, to create a new account to access online services or obtain lines of credit.
Account login fraud: Attacks aimed at taking over user accounts using previously stolen credentials available in the wild, or credentials compromised by malware or man-in-the-middle attacks.
Address Verification System (AVS): A system used to verify the address of a person claiming to own a payment card. The billing address supplied by the user is compared with the address on file at the card issuer; in practice only the numeric portion of the street address and the postal code are compared, and the result is returned to the merchant as a response code (full match, partial match, no match, or unavailable). AVS complements, but does not replace, the other card security features such as the CVV2 number.
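The numeric-only comparison that AVS performs, and how a merchant turns the response code into a decision, as an added worked example (this is not code from the guide or from any issuer or vendor; the response-code letters, the sample addresses on file and the merchant policy thresholds are assumptions):

```python
"""AVS-style address check: an added illustration, not any issuer's or vendor's code.

Real AVS compares only the numeric part of the street address and the postal
code against the issuer's file and returns a one-letter response code. The
codes Y/A/Z/N/U used here follow the common card-scheme convention, but the
exact letters and the merchant policy below are assumptions for this example.
"""
import re

# Constructed sample 'address on file' records, keyed by a card reference
# (a tokenised PAN in a real system; never the PAN itself).
CARDS_ON_FILE = {
    "card-0001": {"street": "221B Baker Street", "postal": "NW1 6XE"},
    "card-0002": {"street": "1600 Pennsylvania Ave NW", "postal": "20500"},
}


def _digits(text: str) -> str:
    """Keep only the digits: AVS matches the numeric street part, not the words."""
    return re.sub(r"\D", "", text)


def _postal_key(text: str) -> str:
    """Normalise a postal code so 'nw1 6xe' and 'NW1-6XE' compare equal."""
    return re.sub(r"[\s-]", "", text).upper()


def avs_check(card_ref: str, street: str, postal: str) -> str:
    """Return the AVS response code for the address the shopper typed."""
    on_file = CARDS_ON_FILE.get(card_ref)
    if on_file is None:
        return "U"  # address unavailable for this card
    entered_num = _digits(street)
    street_match = entered_num != "" and entered_num == _digits(on_file["street"])
    postal_match = _postal_key(postal) == _postal_key(on_file["postal"])
    if street_match and postal_match:
        return "Y"  # full match
    if street_match:
        return "A"  # street number matches, postal code does not
    if postal_match:
        return "Z"  # postal code matches, street number does not
    return "N"  # no match


def avs_decision(code: str, amount: float, partial_limit: float = 250.0) -> str:
    """Merchant-side policy (an assumption): AVS is a signal, not a verdict.

    A partial match on a small order is usually a typo, so accept it; a
    partial match on a large order goes to manual review; a clear 'N' is
    declined; 'U' (no data, common for issuers outside the US/UK) is reviewed
    rather than declined so legitimate foreign cards are not lost.
    """
    if code == "Y":
        return "accept"
    if code in ("A", "Z"):
        return "accept" if amount <= partial_limit else "review"
    if code == "N":
        return "decline"
    return "review"


if __name__ == "__main__":
    for card, street, postal, amount in [
        ("card-0001", "221b baker st", "nw1 6xe", 120.0),
        ("card-0002", "1600 Pennsylvania Avenue", "20501", 900.0),
        ("card-0001", "10 Downing Street", "SW1A 2AA", 40.0),
    ]:
        code = avs_check(card, street, postal)
        print(card, code, avs_decision(code, amount))
```

Because only digits are compared, "221B Baker St" and "221 Baker Street" both match; that is why AVS alone cannot distinguish a fraudster who knows the victim's house number and postcode from the genuine cardholder, and why it is combined with CVV2 and the device and geolocation checks listed in the profiles above.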
Anti-Money Laundering (AML): Procedures, laws or regulations designed to stop money from illegal sources being made to look as if it came from legitimate sources; the sum of legal controls that require financial institutions and other regulated entities to prevent, detect and report money laundering activities.
Application fraud: A form of identity theft where a criminal uses a victim's personal information to open new accounts or submit applications without his or her knowledge.
ATM fraud: Fraud related to ATM card accounts, where a card is used to withdraw funds from a consumer's account using a PIN-based transaction at an ATM.
Authentication: The methods used to verify the origin of a message or the identity of a participant connected to a system, and to confirm that a message has not been modified or replaced in transit.
Authorization: The function of specifying access rights to resources; a concept of information security and computer security in general and of access control in particular.
B
Bank Identification Number (BIN): The first six digits of a card number, which identify the bank that issued the card (the BIN is being extended to eight digits under a 2015 revision of ISO/IEC 7812). Online merchants traditionally use BINs to detect fraud by comparing the geographic area where the cardholder appears to be (from the IP address or billing address) with the issuer's country identified by the BIN.
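The BIN-to-geography comparison described above, as an added worked example (not from the guide or any vendor; the BIN table, the IP ranges and the card numbers are constructed sample data, and the risk weights are an assumption):

```python
"""BIN-to-country check against the shopper's IP geolocation and billing
country: an added illustration, not vendor code.

The BIN table, the IP ranges (documentation-only prefixes from RFC 5737) and
the card numbers are constructed sample data; a real system queries a
licensed BIN database and a geolocation provider, and the weights are an
assumption.
"""
import ipaddress

# Constructed BIN table: first six digits -> (issuer name, ISO country code)
BIN_TABLE = {
    "453201": ("Example Bank UK", "GB"),
    "510123": ("Sample Bank DE", "DE"),
    "371234": ("Test Card Co", "US"),
}

# Constructed IP-to-country map using RFC 5737 documentation ranges
IP_RANGES = [
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]


def bin_of(pan: str) -> str:
    """Extract the six-digit BIN from a card number (spaces allowed)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 6:
        raise ValueError("card number too short to contain a BIN")
    return digits[:6]


def lookup_bin(pan: str):
    """Return (issuer, country) or None when the BIN is not in the table."""
    return BIN_TABLE.get(bin_of(pan))


def country_of_ip(ip: str):
    """Return the country of the shopper's IP, or None if outside known ranges."""
    addr = ipaddress.ip_address(ip)
    for network, country in IP_RANGES:
        if addr in network:
            return country
    return None


def bin_geo_check(pan: str, ip: str, billing_country: str):
    """Score the order 0-100 by comparing issuer country with IP and billing country.

    Returns (score, reasons). Mismatches add to the score rather than
    rejecting outright: travellers and expatriates legitimately pay with a
    card issued elsewhere, so this is one input to a risk decision.
    """
    score, reasons = 0, []
    info = lookup_bin(pan)
    if info is None:
        return 30, ["BIN not in table: issuer country unknown"]
    _, issuer_country = info
    ip_country = country_of_ip(ip)
    if ip_country is None:
        score += 20
        reasons.append("IP country unknown (possible proxy/VPN)")
    elif ip_country != issuer_country:
        score += 40
        reasons.append(f"IP country {ip_country} != issuer country {issuer_country}")
    if billing_country != issuer_country:
        score += 25
        reasons.append(f"billing country {billing_country} != issuer country {issuer_country}")
    return score, reasons


if __name__ == "__main__":
    print(bin_geo_check("4532 0112 3456 7890", "198.51.100.7", "GB"))  # clean order
    print(bin_geo_check("5101 2398 7654 3210", "192.0.2.44", "US"))    # German card used from the US
```

Two caveats a practitioner should keep in mind: the BIN tells you where the card was issued, not where the cardholder is, and an IP address behind a proxy or VPN tells you nothing reliable at all (hence the separate score for "IP country unknown"); the check is therefore only ever one signal among the velocity, device and AVS checks.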
Big data: Large data sets that may be analysed computationally to reveal patterns, trends and associations relating to human behaviour and interactions. By developing predictive models from both historical and real-time data, companies can identify suspected fraudulent claims at an early stage.
Biometrics: The use of a computer user's unique physical characteristics, such as fingerprints, voice or retina, to identify that user.
Biometric data: A general term for any computer data created during a biometric process, including samples, models, fingerprints, similarity scores and all verification or identification data, excluding the individual's name and demographics.
Biometric verification: Any means by which a person can be either (a) identified or (b) verified (authenticated) by evaluating one or more distinguishing biological traits. An identification system (e.g. AFIS) compares a sample against a database of stored traits and returns the close matches (a one-to-many search); a verification system compares the sample against the single stored trait of the claimed identity (one-to-one).
BYOD: Bring your own device (BYOD) is an IT policy under which employees are allowed or encouraged to use their personal mobile devices, and increasingly notebook PCs, to access enterprise data and systems.
C
Card capture device: A device inserted into an ATM card slot which captures the data contained on the card.
Cardholder-not-present fraud: Using stolen cards or card details and personal information, a fraudster purchases goods or services remotely: online, by telephone or by mail order.
Change of address fraud: Occurs when the fraudster obtains details of a genuine customer's account and then contacts the business to advise that he has changed address. This is usually accompanied or followed by a request for items of value, such as a chequebook, debit card or statement of account, to be sent to the bogus 'new' address. A false change of address is used to facilitate previous-address fraud and account/facility takeover fraud.
Chargeback: A chargeback occurs when a cardholder contacts their card-issuing bank to reverse a purchase made on their card. Chargebacks are generally the result of a cardholder changing their mind, being dissatisfied with their purchase, or a case of fraud. The fraud can result from unauthorised use of the card (stolen card or card details) or from the cardholder purposely disputing a legitimate purchase they made (see 'delivery and returns fraud' and 'friendly fraud').
Consumer authentication: Tools intended to verify that the person making a transaction is actually the person authorised to do so, in both in-person and card-not-present transactions.
Cookie: A small data file that is automatically stored on a user's computer for record-keeping purposes. It contains information about the user in relation to a particular website, such as a session identifier, username or preferences.
Credential: Data issued to an individual by a third party with the relevant authority or assumed competence to do so, presented to provide evidence of a claim. A credential is a piece of information attesting to the integrity of certain stated facts.
Credit card fraud: Fraud committed using a credit card, or any similar payment mechanism, as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorised funds from an account. Credit card fraud is also an adjunct to identity theft.
Crimeware tools: Crimeware is malware specifically designed to automate cybercrime. These tools help fraudsters create, customise and distribute malware to perpetrate identity theft through social engineering or technical stealth.
Criminal organisation: A group of individuals who collude to commit fraud.
Counterfeiting: The fraudulent reproduction of original documents or instruments in a manner that enables the fraudster to pass them off as genuine items.
Cybercrime (cyber fraud): Criminal actions that target computers, the internet or network utility, damaging functionality or infiltrating systems and processes. Cybercrime includes malware, spyware, phishing, pharming, viruses and worms.
Cryptography: Protecting information, or hiding its meaning, by transforming it under a secret key before it is sent over a public network. Modern cryptography also provides integrity and authenticity (hash functions, message authentication codes, digital signatures), not only confidentiality.
D
Data breach: Unintentional release of secure information to an untrusted environment.
Data capture: The action or process of gathering data, especially from an automatic device, control system or sensor.
Delivery and returns fraud: The act of defrauding a store via the return process. Delivery and returns fraud (also known as 'friendly fraud') involves legitimate customers using valid payment cards and is akin to electronic.
Device ID: The unique serial number or 'fingerprint' that identifies a particular device. It can be the combination of several components (e.g. CPU + graphics card, or browser attributes such as user agent, screen size, installed fonts and time zone) and can include a matching threshold (i.e. less than 100% agreement) to allow for partial upgrades, such as in the iPass (proprietary) solution.
Device spoofing: Attackers delete and change browser settings in order to change their device identity or fingerprint, or attempt to appear to come from a victim's device. Cookieless device identification is able to detect returning visitors even when cookies are deleted or changes are made to browser settings.
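The threshold matching that the two entries above describe (a partial upgrade still matches, a wholesale change of the spoofable attributes does not), as an added worked example; this is not any vendor's algorithm, and the attribute set, the weights, the 0.8 threshold and the sample fingerprints are all constructed assumptions:

```python
"""Threshold-based device fingerprint matching: an added illustration, not
any vendor's algorithm. The attribute set, weights and 0.8 threshold are
assumptions; the sample fingerprints are constructed.

A returning device still matches after a partial change (browser upgrade),
while a fingerprint whose browser-level attributes were copied from a victim
but whose hardware-derived attributes differ falls below the threshold and
is treated as a new, unrelated device.
"""

# Weighted attributes: hard-to-change, high-entropy ones count more.
WEIGHTS = {
    "user_agent": 1.0,
    "screen": 1.5,
    "timezone": 1.0,
    "language": 1.0,
    "plugins": 1.0,
    "cpu_cores": 1.0,
    "fonts_hash": 2.0,
    "canvas_hash": 2.5,
}
TOTAL_WEIGHT = sum(WEIGHTS.values())  # 11.0


def similarity(known: dict, observed: dict) -> float:
    """Weighted fraction of attributes that agree; a missing attribute never matches."""
    matched = 0.0
    for attr, weight in WEIGHTS.items():
        a, b = known.get(attr), observed.get(attr)
        if a is not None and a == b:
            matched += weight
    return matched / TOTAL_WEIGHT


def match_device(known_devices: dict, observed: dict, threshold: float = 0.8):
    """Return (device_id, score) for the best match at or above threshold,
    else (None, best_score) so the caller can register a new device."""
    best_id, best_score = None, 0.0
    for device_id, known in known_devices.items():
        score = similarity(known, observed)
        if score > best_score:
            best_id, best_score = device_id, score
    if best_score >= threshold:
        return best_id, best_score
    return None, best_score


# Constructed fingerprint of a previously seen device
KNOWN = {
    "dev-42": {
        "user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/42.0",
        "screen": "1920x1080x24",
        "timezone": "Europe/Oslo",
        "language": "nb-NO",
        "plugins": "Shockwave Flash 19",
        "cpu_cores": 4,
        "fonts_hash": "f1a2b3",
        "canvas_hash": "c9d8e7",
    }
}


def after_upgrade() -> dict:
    """Same device after a browser upgrade: only the user agent changed."""
    fp = dict(KNOWN["dev-42"])
    fp["user_agent"] = "Mozilla/5.0 (Windows NT 6.1) Firefox/43.0"
    return fp


def spoofed() -> dict:
    """Attacker copied the victim's user agent, time zone, language and plugin
    list, but screen, CPU count, fonts and canvas rendering betray a different machine."""
    return {
        "user_agent": KNOWN["dev-42"]["user_agent"],
        "timezone": "Europe/Oslo",
        "language": "nb-NO",
        "plugins": "Shockwave Flash 19",
        "screen": "1366x768x24",
        "cpu_cores": 8,
        "fonts_hash": "000000",
        "canvas_hash": "111111",
    }


if __name__ == "__main__":
    print(match_device(KNOWN, after_upgrade()))  # matches dev-42 at ~0.91
    print(match_device(KNOWN, spoofed()))        # no match, ~0.36
```

The weighting is the design decision that matters: attributes a user can change from a settings menu are cheap to spoof, so they carry less weight than attributes derived from hardware or rendering, and no cookie is involved at all, which is what makes the identification survive cookie deletion.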
Debit card fraud: Fraud related to debit card accounts, where a card is used to withdraw funds from a consumer's account.
Denial of service attack: An attack on a computer system or network that causes a loss of service to users: a network of computers is used to bombard and overwhelm another network of computers with the intention of causing the server to 'crash'. A distributed denial of service (DDoS) attack relies on brute force, using attacks from many computers at once. These attacks can be used to extort money from the businesses targeted.
Detection rate: The amount of fraud detected by a fraud prevention system at a given level of account reviews.
Digital identity: A collection of identity attributes; an identity in electronic form (e.g. an electronic identity).
Dual-factor identification rules: Requirement that banks implement another form of authentication in addition to the standard username and password combination. Many banks present a picture that the consumer chose at enrolment in addition to their password; note that such a site image lets the customer recognise the bank (an anti-phishing cue) but is not itself a second authentication factor.
E
E-ID services: Services for entity authentication and signing data.
Electronic data interchange (EDI): An electronic communication method that provides standards for exchanging data. By adhering to the same standard, companies that use EDI can transfer data from one branch to another and even across the world.
Encryption: The process of converting data into ciphertext to prevent it from being understood by an unauthorised party.
End-to-end encryption: Uninterrupted protection of the integrity and confidentiality of transmitted data by encrypting it at the start and decrypting it only at the end of the transaction, so that no intermediary can read it.
Endpoint authentication: A security system that verifies the identity of a remotely connected device (and its user), such as a PDA or laptop, before allowing access to enterprise network resources or data.
EMV: EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or 'chip cards') and IC card-capable point-of-sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.
F
Face recognition: Biometric modality that uses an image of the visible physical structure of an individual's face for recognition purposes.
False positive: The amount of good (legitimate) accounts or transactions flagged by the fraud prevention system as fraudulent.
Firewall: Computer hardware or software designed to prevent unauthorised access to the system via the internet.
Fraud detection: A rule-based, image-enabled suite of products that offers a variety of fraud detection capabilities at the point of presentment, used to prevent or mitigate losses associated with deposit and payment fraud.
Federated identity: A single user identity that can be used to access a group of websites bound by the ties of a federation. Without federated identity, users are forced to manage different credentials for every site they use; this collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft.
Fingerprint recognition: Biometric modality that uses the physical structure of the user's fingerprint for recognition. In most fingerprint recognition processes the biometric samples are reduced to minutiae points, which reduces the size of the data and accelerates matching.
First-party fraud: Fraud committed against a financial institution by one of its own customers.
Forgery: The process of making or adapting documents, such as cheques, with the intent to deceive.
Fraud prevention: Proactive steps taken by a company to insure itself against fraudulent activity, usually in the form of enacted policies, systems and controls in place to detect and monitor for fraudulent activity, and communications to employees that instil ethical behaviour.
Fraud screening: A checking system that identifies potentially fraudulent transactions. Fraud screening helps reduce fraudulent credit card transactions, reducing the need for manual reviews, minimising bad sales and improving a company's bottom line.
Friendly fraud: When a consumer (or someone with access to a credit card) makes a purchase and then initiates a chargeback, saying they did not make the purchase and/or did not receive the goods or services.
G
Geolocation detection: A set of diverse and ideally automated tests which help fraud protection solutions assess the risk of fraud in a specific order passing through a merchant's website. These tests might include IP to ZIP code, IP to billing address, high-risk IP cross-referencing, IP geolocation and proxy detection, and NPA-NXX area code lookup.
Geographical IP detector (GID): A web shop or fraud protection solution equipped with a GID can estimate the physical (geographical) location of the device from its IP address. The estimate is only as good as the IP-to-location database and is defeated by proxies and VPNs, so it is normally combined with proxy detection.
Ghost terminal: Skimming device where a fake ATM touch pad and reader are placed over a legitimate ATM. The reader obtains card information and PIN, but will not process the transaction since the legitimate ATM does not function.
Global address verification directories: This feature enables fraud protection solutions to compare the address entered by the visitor with the existing address, detecting fake data. It also helps e-merchants keep their customers easily reachable.
H
Hacker: A person who uses computers to gain unauthorised access to data, or a person who seeks and exploits weaknesses in a computer system or network.
Hash function: A function that maps digital data of arbitrary size to digital data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums or simply hashes. A cryptographic hash function (such as the SHA-256 used by Bitcoin) takes input data of any size and transforms it into a compact fixed-length string in such a way that it is infeasible to recover the input from the hash or to find two inputs with the same hash.
Host Card Emulation (HCE): On-device technology that permits a phone to perform card emulation on an NFC-enabled device without a hardware secure element. With HCE, the long-term payment credentials are stored in a secure shared repository (the issuer data centre or private cloud) rather than on the phone; limited-use credentials are delivered to the phone in advance to enable contactless transactions to take place.
I
Identity: The fact of being what an entity (a person or a thing) is, and the characteristics determining this; a collection of attributes.
Identity of Things (IDoT): An area of endeavour that involves assigning unique identifiers (UIDs) with associated metadata to devices and objects (things), enabling them to connect and communicate effectively with other entities over the internet.
Identity provider: A service provider that creates, maintains and manages identity information for principals and may provide user authentication to service providers (e.g. within a federation).
Identity spoofing: Using a stolen identity, credit card or compromised username/password combination to attempt fraud or account takeover. Typically, identity spoofing is detected from a high velocity of identity usage for a given device, the same device accessing multiple unrelated user accounts, or unusual identity linkages and usage.
Identity theft: Identity theft happens when fraudsters obtain enough information about someone's identity (such as their name, date of birth, current or previous addresses) to commit identity fraud. Identity theft can take place whether the victim is alive or deceased.
Identity provider (identity assertion provider): An authentication module which verifies a security token as an alternative to explicitly authenticating a user within a security realm.
InfoSec (information security): The practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Interchange fees: The interchange fee is the sum paid by the merchant's acquirer to the card issuer for each card transaction; it is passed on to the merchant as the largest component of the merchant discount rate (loosely called the 'swipe fee'). The rate varies with the type of transaction, averaging about 2% of the purchase amount, and is typically higher for card-not-present purchases than for in-person purchases, because in the latter the card is physically present and available for inspection.
Internet of Things (IoT): The network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other internet-enabled devices and systems.
Interoperability: A situation in which payment instruments belonging to a given scheme may be used in other countries and in systems installed by other schemes. Interoperability requires technical compatibility between systems, but can only take effect where commercial agreements have been concluded between the schemes concerned.
Internet fraud: An illegal activity wherein a person in possession of another person's internet banking details impersonates them in order to use their funds.
IP address spoofing: Cybercriminals use proxies to bypass traditional IP geolocation filters, and use IP spoofing techniques to evade velocity filters and blacklists. Vendors such as ThreatMetrix detect IP spoofing via both active and passive browser and network packet fingerprinting techniques, for example by comparing the characteristics of the TCP stack with the operating system the browser claims, or the browser's time zone with the location of the IP address.
K
Keystroke logger: Hardware or software that records the keystrokes and mouse movements made on a particular computer. Hardware loggers can be placed by dishonest staff or unauthorised visitors. Software loggers can be installed in the same way or, more usually, by malicious email or malware. Authorised key loggers may be used to maintain an audit trail.
Know Your Customer (KYC): Due diligence activities that financial institutions and other regulated companies must perform to ascertain relevant information about their clients for the purpose of doing business with them. KYC policies are becoming increasingly important globally to prevent identity theft, financial fraud, money laundering and terrorist financing.
L
Level of assurance (LoA): A quality indicator for digital identity. It describes four identity authentication assurance levels for e-government transactions. Each assurance level describes the agency's degree of certainty that the user has presented an identifier (a credential in this context) that refers to his or her identity. In this context, assurance is defined as the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and the degree of confidence that the individual who uses the credential is the individual to whom it was issued.
M
Machine learning: An artificial intelligence (AI) discipline in which computers build predictive models from data rather than being explicitly programmed for each case. Machine learning allows computers to handle new situations via analysis, self-training, observation and experience.
Malware: Malicious software, used or created to disrupt computer operation, gather sensitive information or gain access to private computer systems. It can appear in the form of code, scripts, active content and other software.
Man-in-the-browser: A form of internet threat related to man-in-the-middle (MITM): a proxy Trojan horse that infects a web browser by exploiting vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host web application. Because the manipulation happens inside the browser, after TLS has been decrypted, transport encryption alone does not protect against it.
Man-in-the-middle: In cryptography and computer security, a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Mail order / telephone order (MOTO): MOTO merchant accounts are required when more than 30% of card transactions cannot be physically swiped. Merchants with a MOTO merchant account usually process card payments by entering the card information directly into a terminal with a keypad, by using terminal software installed on a personal computer, or by using a 'virtual' terminal that allows the merchant to use a normal web browser to process transactions on a payment service provider's website.
Money laundering: The process of concealing the source of money obtained by illicit means. The methods by which money may be laundered are varied and range in sophistication. Many regulatory and governmental authorities publish estimates each year of the amount of money laundered, either worldwide or within their national economy.
Multi-factor authentication: An approach to authentication which requires the user of a system to provide more than one form of verification in order to prove their identity and gain access to the system. Multi-factor authentication combines several independent factors; the three major factors are something the user knows (such as a password), something the user has (such as a smart card or a security token) and something the user is (biometrics). Two instances of the same factor, such as two passwords, do not count as multi-factor.
O
One-time password: A password that can be used only once, usually generated by special software or a hardware token. It may be randomly generated and delivered out of band (e.g. by SMS) or, more commonly for authenticator apps and tokens, computed as a keyed function of a counter or of the current time (HOTP/TOTP), so that the server can verify it without storing a list of passwords.
Online fraud: Any kind of fraudulent and/or criminal activity carried out via online services such as email, messaging applications or websites. The most common forms of online fraud affecting e-merchants are chargebacks, identity theft and credit card fraud.
Online fraudster: A person who commits fraud online, especially in business dealings.
OpenID: An open standard that describes how users can be authenticated in a decentralised manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Users may create accounts with their preferred OpenID identity providers and then use those accounts as the basis for signing on to any website which accepts OpenID authentication.
P
Password: A word or other collection of characters used for authentication. It serves as a security device to gain access to a resource.
PA-DSS: The Payment Application Data Security Standard, defined by the Payment Card Industry Security Standards Council and adopted worldwide. It requires third-party payment applications not to store prohibited cardholder data (such as full magnetic-stripe data, CVV2 or PIN blocks) after authorisation.
Payment Card Industry Data Security Standard (PCI DSS): A mandatory set of rules created to reduce card fraud. PCI DSS currently has six objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability management programme, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. The requirements have been developed by the PCI Security Standards Council, which includes American Express, Discover, JCB International, MasterCard and Visa.
Pharming: Occurs when traffic is diverted from a company's real website, without its knowledge (for example by poisoning DNS or a victim's hosts file), to a bogus website. When customers attempt to access the real website, the fraudsters gather the customers' account details and passwords, which can then be used to facilitate fraud.
Phishing: A social-engineering method which allows criminals to obtain sensitive information (such as usernames or passwords). Very often phishing is done by email: the mail appears to come from a bank or other service provider and usually says that, because of some change in the system, users need to re-enter their usernames and passwords to confirm them. The emails usually contain a link to a page which mimics that of the real bank.
PIN: A numeric code used as confirmation to complete a transaction with a payment card. The PIN is entered into a keypad, which grants authorisation.
Public Key Infrastructure (PKI): The infrastructure needed to support the use of digital certificates. It includes registration authorities, certificate authorities, relying parties, servers, the PKCS and OCSP protocols, validation services and revocation lists. Uses include secure email, file transfer, document management services, remote access, web-based transactions and services, non-repudiation, wireless networks and virtual private networks, corporate networks, encryption and ecommerce.
117GLOSSARY
Point-to-point encryption (P2PE)A solution that encrypts card data from the entry point of a merchant's
point-of-sale (POS) device to a point of secure decryption outside
the merchant's environment, such as a payment processor like TSYS
Acquiring Solutions. The purpose of P2PE is to address the risk of
unauthorized interception associated with cardholder data-in-motion
during the transmission from the POS terminal to the payment
processor.
PrivacyPrivacy is the ability of a person to control the availability of information
about and exposure of himself or herself. It is related to being able to
function in society anonymously (including pseudonymous or blind
credential identification).
ProofingIdentity proofing is a common term used to describe the act of
verifying a person’s identity, as in verifying the “proof of an ID”.
Other terms to describe this process include identity verification and
identity vetting.
R

Real-time risk management
A process which allows the risk associated with payments between payment system participants to be managed immediately and continuously.

Relying party (RP)
A website or application that wants to verify the end-user’s identifier. Other terms for this party include “service provider” or the now obsolete “consumer”.

Retail loss prevention
A set of practices employed by retail companies to reduce and deter losses from theft and fraud, colloquially known as “shrink reduction”.

Risk assessment
The process of studying the vulnerabilities of, threats to, and likelihood of attacks on a computer system or network.

Risk-based authentication
Risk-based authentication uses multiple factors to determine whether or not a person is who they claim to be online. Typically, this technique combines the traditional username and password with who the user is, where they are logging in from, and what kind of device they are using. Historical data is also used, including attributes provided by the session as well as user behaviour and transaction patterns.
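The following is an added example, not part of the guide, of how the signals named in the risk-based authentication entry (password, device, location, recent failures and session context) can be combined into a score that decides between allowing the login, asking for a second factor, or denying it. The weights, thresholds, user names and device identifiers are constructed for illustration; a real deployment would derive them from its own login history.

```python
"""Risk-based authentication scoring (added example, constructed data).

Combines the password check with device, location, failure-velocity and
time-of-day signals and returns one of: allow, step_up, deny.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Set, Tuple

# Hypothetical weights and thresholds; tune from real login data.
W_UNKNOWN_DEVICE = 40
W_UNUSUAL_COUNTRY = 35
W_FAILURE_BURST = 30
W_ODD_HOUR = 10
STEP_UP_AT = 30   # score at or above this asks for a second factor
DENY_AT = 70      # score at or above this refuses the login
BURST_WINDOW = timedelta(minutes=15)
BURST_COUNT = 3


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    at: datetime          # timezone-aware
    password_ok: bool     # result of the credential check


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    failed_logins: List[datetime] = field(default_factory=list)


def risk_score(attempt: LoginAttempt, history: UserHistory) -> Tuple[int, List[str]]:
    """Score the context of an attempt whose password already checked out."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown_device")
    if attempt.country not in history.usual_countries:
        score += W_UNUSUAL_COUNTRY
        reasons.append("unusual_country")
    recent = [t for t in history.failed_logins if timedelta(0) <= attempt.at - t <= BURST_WINDOW]
    if len(recent) >= BURST_COUNT:
        score += W_FAILURE_BURST
        reasons.append("failure_burst")
    if attempt.at.astimezone(timezone.utc).hour < 5:
        score += W_ODD_HOUR
        reasons.append("odd_hour")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory) -> Tuple[str, List[str]]:
    """A wrong password is always denied; otherwise the context score decides."""
    if not attempt.password_ok:
        return "deny", ["bad_password"]
    score, reasons = risk_score(attempt, history)
    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step_up", reasons
    return "allow", reasons


def demo() -> Tuple[Tuple[str, List[str]], ...]:
    """Three constructed attempts for one user with one known device and country."""
    now = datetime(2015, 12, 1, 14, 0, tzinfo=timezone.utc)
    hist = UserHistory(known_devices={"dev-A"}, usual_countries={"NL"})
    usual = LoginAttempt("alice", "dev-A", "NL", now, True)
    new_device = LoginAttempt("alice", "dev-B", "NL", now, True)
    new_device_abroad = LoginAttempt("alice", "dev-B", "BR", now, True)
    return decide(usual, hist), decide(new_device, hist), decide(new_device_abroad, hist)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Keeping `decide` free of side effects makes the policy easy to unit-test; recording failures and enrolling a new device after a successful step-up belong in the surrounding login flow, not in the scorer.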
S

Smart card
An access card that contains encoded information used to identify the user.

Secure element
A tamper-proof smart card chip capable of embedding smart card-grade applications with the required level of security and features. In the NFC architecture, the secure element embeds contactless and NFC-related applications and is connected to the NFC chip, which acts as the contactless front end. The secure element can be integrated in various form factors: a SIM card, embedded in the handset, or an SD card.

Security
In ecommerce terms, security is ensuring that transactions are not open to fraud. In ecommerce systems, security protocols protect the consumer, the merchant and the bank from hackers and fraudsters.

Security threat and risk assessment
A method that identifies general business and security risks for the purpose of determining the adequacy of the security controls within the service and mitigating those risks.

Security token (authentication token)
A small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key fob.

Skimming
Card skimming is the illegal copying of information from the magnetic strip of a credit or ATM card. It is a more direct version of a phishing scam. In biometrics and ID it can mean the act of obtaining data from an unknowing end user who is not willing to submit the sample at that time.

Social engineering
Manipulating people so they give up confidential information. The types of information these criminals seek can vary, but when individuals are targeted the criminals are usually trying to trick people into giving up their passwords or bank information, or into granting access to their computer so that malicious software can be secretly installed, which gives the criminals access to passwords and bank information as well as control over the computer.

Social Security fraud
Occurs when a fraudster uses someone’s Social Security Number in order to obtain other personal information. An example would be applying for more credit in that person’s name and not paying the bills.

Spear phishing
A phishing email that looks as if it came from someone the user knows. Typically the email contains a file that, when opened, infects the computer with a bot or a key logger.

Spoofs
Various scams in which fraudsters attempt to gather personal information directly from unwitting individuals. The methods can include letters, telephone calls, canvassing, websites, emails or street surveys.

3D Secure
3D Secure (3DS) is the program jointly developed by Visa and MasterCard to combat online credit card fraud. Cardholders enter their password to verify their identity whenever they make an online purchase. E-merchants willing to offer this security service to their customers must be registered as participating merchants in the program. Only cardholders enrolled in Verified by Visa or MasterCard SecureCode can actually be asked to verify their data when purchasing online.
T

Threat
A threat consists of an adverse action performed by a threat agent on an asset. Examples of threats are:
• a hacker (with substantial expertise, standard equipment, and being paid to do so) remotely copying confidential files from a company network or from a card;
• a worm seriously degrading the performance of a wide-area network;
• a system administrator violating user privacy;
• someone on the internet listening in on confidential electronic communication.

Third-party fraud
Fraud committed against an individual by an unrelated or unknown third party.

Third party
A security authority trusted by other entities with respect to security-related activities.

Token
Any hardware or software that contains credentials related to attributes. Tokens may take any form, ranging from a digital data set to smart cards or mobile phones. Tokens can be used for both data/entity authentication (authentication tokens) and authorisation purposes (authorisation tokens).

Tokenization
The process of substituting sensitive data with an easily reversible benign substitute. In the payment card industry, tokenization is one means of protecting sensitive cardholder PII in order to comply with industry standards and government regulations. The technology is meant to prevent the theft of credit card information in storage.
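As an added illustration of the tokenization entry (this is example code, not something from the guide or from any vendor), the block below implements a vault-based card tokenizer: the merchant system keeps only a token, and the card number can be recovered solely through the vault, which is the component that stays inside PCI scope. The test card number, the in-memory vault and the keyed-hash index are constructed for the example; a production vault would be a separate, access-controlled service.

```python
"""Vault-based payment card tokenization (added example, constructed data)."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def luhn_valid(number: str) -> bool:
    """Luhn check used to validate a PAN before it is accepted for tokenization."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_pan(pan: str) -> None:
    """Reject anything that is not a well-formed card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")


def make_token(pan: str) -> str:
    """Random digits of the same length, keeping the last four for receipts.
    Candidates that pass the Luhn check are rejected so a token can never be
    mistaken for, or accidentally charged as, a real card number."""
    while True:
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        if not luhn_valid(token):
            return token


class TokenVault:
    """Holds token -> PAN mappings. Only this component can detokenize;
    merchant systems store and pass around tokens only."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_index: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash lets the vault find an existing token for a card
        # without keeping a cleartext PAN lookup table.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        validate_pan(pan)
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]   # same card always gets the same token
        token = make_token(pan)
        while token in self._pan_by_token:     # astronomically unlikely collision
            token = make_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse the substitution; only callers with vault access can do this."""
        return self._pan_by_token[token]       # KeyError for unknown tokens


def demo() -> Tuple[str, str, str, str]:
    """Tokenize a constructed test PAN, tokenize it again, then detokenize."""
    vault = TokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"                   # constructed test number
    tok = vault.tokenize(pan)
    return pan, tok, vault.tokenize(pan), vault.detokenize(tok)


if __name__ == "__main__":
    pan, tok, again, back = demo()
    print(f"PAN ending {pan[-4:]} -> token {tok}; stable={tok == again}; round-trip={back == pan}")
```

The token is random rather than derived from the card number, so holding a database of tokens gives an attacker nothing without the vault; the keyed index exists only so that repeat purchases with the same card map to the same token for the merchant's own analytics.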
Trust
The firm belief in the competence of an entity to act dependably, securely, and reliably within a specified context.
Trusted framework
A certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security and privacy policies of the party who issues the credential (called the identity service provider), and vice versa.

Trusted third party
An entity trusted by multiple other entities within a specific context and which is alien to their internal relationship.

Two-factor authentication
Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code.

U

User account
The collection of data used by a system to identify a single user, authenticate that user and control that user’s access to resources.

Unique identity
A partial identity in which at least some of the attributes are identifiers. Since at least some of the attributes (or combinations thereof) are identifiers, the entity can be uniquely identified through the unique identity within a certain context. A unique identity is an identifier such as a unique number, or any set of attributes that allows one to determine precisely who or what the entity is.

V

Validation
Confirming that information given is correct, often by seeking independent corroboration or assurance.

Verification
The process or an instance of establishing the truth or validity of something.

Virus
A program that can replicate itself by inserting (possibly modified) copies of itself into other programs, documents or file systems; this process is described as the infection of a host.

Vishing
The act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be a legitimate business and fools the victim into thinking he or she will profit.

Voice authorization
An approval response that is obtained through interactive communication between an issuer and an acquirer, their authorizing processors or stand-in processing, or through telephone, facsimile or telex communications.

Voice over IP (VoIP, or voice over Internet Protocol)
Refers to the communication protocols, technologies, methodologies and transmission techniques involved in the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the internet. Other terms commonly associated with VoIP are IP telephony, internet telephony, voice over broadband (VoBB), broadband telephony, IP communications and broadband phone.