Mike Cornish
Kathleen Delpha
Mary Erslon
November 2004
Agenda
- MasterCard Organization
- Credit Card 101
- Credit Card Fraud
- Case Studies
  - Card Not Present Fraud
  - Identity Theft Fraud
- Best Practices for Credit Card Security
MasterCard Organization
MasterCard’s IT & Security Organizations¹
(Organization chart; only the box titles are recoverable.)
Top: CIO & SEVP, Global Technology & Operations (the CIO reports to the President & CEO).
Direct reports: SVP Technology Business Management; SVP GTO Human Resources; SVP Computer & Network Services; SVP Security & Risk Management; SVP GTO Administration; SVP Member Services; SVP Systems Development; SVP Debit Services; VP Technology Communications.
Further boxes, read by column: IT Investment Management, Business Requirements Analysis, Technology Project Management Office, Offshore Partnership Management & Sales; Data Center Operations, Network Operations, Technology Infrastructure; Security & Risk Operations; GTO Plans & Budgets; Global Member Support, 1-800-MasterCard Call Center, Sales Field Operations Organization; Business Systems Development; Debit Systems, Global Debit Operations.
Metrics
(Slide content not recoverable.)
Open System: Interchange Model*
(Diagram; only the labels are recoverable.) Participants: Cardholder, Merchant, Acquiring Bank, Issuing Bank, Acquiring Processor, Issuing Processor. Labelled links include Account Relationship and Statementing (cardholder and issuing bank), Merchant Relationship (merchant and acquiring bank), the relationship between the acquiring and issuing banks, and Transaction Processing Relationship (each bank and its processor).
Callout: Biggest threats come from outside the payment system!
* Structure for Visa is similar.
Open System: Interchange Transaction Flow*
(Diagram; only the step labels are recoverable.) Steps: Merchant Deposit, Merchant Payment, First Presentment Notice, Settlement, Statement, Payment.
* Flow is similar for Visa.
Closed System*
(Diagram; only the labels are recoverable.) Participants: Cardholder, Merchant, Acquiring Processor. Labelled links: Account Relationship, Merchant Relationship, Transaction Relationship.
Callout: Biggest threats come from outside the payment system!
* Structure for Discover is similar.
Closed System: Typical Transaction Flow*
(Diagram; only the step labels are recoverable.) Steps: Merchant Deposit, Merchant Payment, Statement, Payment.
* Flow is similar for Discover.
MasterCard’s Space
- MasterCard International is a global payments company²
- Membership corporation of 25,000 financial institutions that issue MasterCard, Maestro, and Cirrus branded cards
- Licensor and franchisor for the MasterCard, Maestro, and Cirrus payment brands
Credit Card Fraud: MasterCard’s Strategies
Headlines
(Slide of news-headline clippings dated Nov 20, 2001; Jan 23, 2003; Feb 19, 2003; Feb 27, 2003; March 17, 2003; Sep 12, 2003; Oct 24, 2003; and Aug 5, 2004. The headline text itself is not recoverable.)
Types of Fraud⁹
- Identity Theft*
  - Application Fraud
  - Account Takeover
- Never Received after Issue
- Merchant Fraud
  - Collusion
  - Triangulation
(Chart: Incidence of Fraud by Method. Recoverable categories: Lost/Stolen, Counterfeit, ID Theft, Never Received, Skimming, Other; the values are not recoverable.)
* Increasing and gaining a lot of attention in recent years, especially in the online space
Industry Fraud Estimates*
(Table of estimates drawn from refs. 10, 11, 12 and 13; the figures are not recoverable.)
* There is no true consolidated source for credit card fraud statistics in the industry
MasterCard’s Security & Risk Mission¹⁴
Mission: “Protect brand integrity and manage fraud risk through best in class core and value added services with integrated end to end solutions to help position MasterCard as the Global Payments Leader”
Applications & Services⁵
(Matrix of Security & Risk Management applications and services, one row per Application or Service, against the fraud types ID Theft, Counterfeit, Never Received, Merchant Fraud and Card Not Present; each cell carries a letter P, D, A or M, and the legend is not recoverable. Application names still readable include Address Verification System, Issuers Clearinghouse, RiskFinder, SecureCode, Site Data Protection and System to Avoid Fraud Effectively; the remaining labels are not recoverable.)
Case Study: Card Not Present Fraud
“Card Not Present” Defined
Definition⁹:
- Neither the card nor the cardholder is present at the point-of-sale
- Merchants are unable to check the physical security features of the card to determine if it is genuine
- Ecommerce; online or telephone transactions
- No way to dispute a cardholder claim that a purchase wasn’t made
Ecommerce Market¹⁵
(Slide content not recoverable.)
Statistics
- MasterCard CNP incidents account for between 80 and 84% of credit card fraud¹⁶
- Online fraud rates up to 30x higher than in the physical world¹⁷
- 2003: $1.6B or ~2% of all online sales lost to credit card fraud¹⁷
- The 2004 credit card fraud rate has decreased by 0.5% since 2000, but the amount lost has increased by 60%¹⁹
- Projected losses to internet merchants in 2005 expected to be $5 - $15 billion⁹
Statistics (continued)
(Slide content not recoverable.)
Examples of Card Not Present Credit Card Fraud
Low-Tech:
- Dumpster Diving
- Card Loss/Theft
High Tech:
- Phishing or site cloning
- Account number generators
- Online “auctions” or false merchant sites
Card Not Present
May be caused by:
- Less-than-diligent cardholder (dumpster diving, theft)
- Cardholder response to plausible ploy (phishing)
May be out of cardholder’s control (numbers generator, hacking)
Combating CNP Fraud: Legislative Examples
Combating CNP Fraud: Consumer
Combating CNP Fraud: Merchant
(Content of these three slides is not recoverable.)
Case Study: SecureCode™
Licensed MasterCard cardholder authentication solution¹⁵ that enables cardholders to authenticate themselves to their issuer through the use of a unique personal code (PIN).
The Visa counterpart is “Verified by Visa” or “VbyV.”
SecureCode¹⁵
- Cardholders enter their secure code in a separate browser window before an online transaction can be authorized
- Requires a merchant “plug-in,” or software module, to be deployed on the merchant’s website
- Requires the merchant to use a data transport mechanism and processing support
SecureCode¹⁵
- The participating merchant gets explicit evidence of an authorized purchase (authentication data)
- Fully guaranteed online payments – protection from chargebacks
- MasterCard mandated that issuers implement support for MasterCard SecureCode by November 1, 2004
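As an added illustration (not code from the deck, from MasterCard, or from the SecureCode specification), a simplified Python model of the flow the two SecureCode slides describe: the merchant plug-in forwards only transaction details, the issuer alone checks the cardholder's secure code, and the merchant receives authentication data bound to that one transaction. The signing key, card number and secure code are constructed demo values, and the HMAC token stands in for the real scheme's authentication data, whose format the slides do not describe.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo values, not a real key or card: the issuer's signing key and
# one enrolled cardholder (test PAN -> the secure code chosen at enrollment).
ISSUER_KEY = b"demo-issuer-signing-key"
ENROLLED_CODES = {"5555555555554444": "4921"}


@dataclass(frozen=True)
class AuthRequest:
    """What the merchant plug-in sends to the issuer: transaction details only.
    The secure code itself is typed by the cardholder in the issuer's window."""
    pan: str
    merchant_id: str
    amount_cents: int
    txn_id: str

    def canonical(self) -> bytes:
        return f"{self.pan}|{self.merchant_id}|{self.amount_cents}|{self.txn_id}".encode()


def issuer_authenticate(req: AuthRequest, presented_code: str) -> Optional[str]:
    """Issuer side: constant-time compare of the presented code against the enrolled
    one; on success return authentication data (an HMAC over the transaction here)."""
    enrolled = ENROLLED_CODES.get(req.pan)
    if enrolled is None or not hmac.compare_digest(enrolled, presented_code):
        return None  # not authenticated: the merchant gets no evidence at all
    return hmac.new(ISSUER_KEY, req.canonical(), hashlib.sha256).hexdigest()


def issuer_verify_evidence(req: AuthRequest, evidence: str) -> bool:
    """At authorization: the evidence must match this exact transaction, so a token
    captured from one purchase is useless for another merchant, amount or txn id."""
    expected = hmac.new(ISSUER_KEY, req.canonical(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, evidence)


def merchant_checkout(req: AuthRequest, typed_code: str) -> Tuple[str, Optional[str]]:
    """Merchant plug-in: obtain evidence first, submit the authorization only with it."""
    evidence = issuer_authenticate(req, typed_code)
    if evidence is None:
        return "declined: cardholder not authenticated", None
    if not issuer_verify_evidence(req, evidence):
        return "declined: authentication data does not match transaction", None
    return "authorized with authentication data", evidence


if __name__ == "__main__":
    purchase = AuthRequest("5555555555554444", "MERCHANT-42", 4999, "TXN-0001")
    print(merchant_checkout(purchase, "4921"))  # authorized, with a hex token
    print(merchant_checkout(purchase, "0000"))  # declined, no evidence issued
```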
SecureCode and eTronics²²
- A Top Ten Internet consumer electronics retailer
- >200,000 customers and 300,000 orders annually
- Over $65 million in yearly sales
- In 2002, eTronics had credit card chargeback costs of over 1 million/year
- Implemented SecureCode in 2003
- “Too soon to tell” impact since SecureCode is not yet implemented globally, but eTronics is “optimistic and enthusiastic” about its success
“Phishing Attack” – Mike’s Experience
(Side-by-side screenshots: Phishing Attack Website vs. Authentic MyCiti Website; images not recoverable.)
Case Study: RiskFinder™
- A “neural network” system
- Fair Isaac’s proprietary profiling technology for fraud prevention – RiskFinder²³ is a MasterCard-specific application
- Enables transactions to be “scored” based on highly detailed cardholder patterns/behavior, existing patterns of fraud, and merchant trend data²³
Case Study: RiskFinder™
(Video: www.fightidentitytheft.com/video/babe_magnet.mpeg, viewed October 30, 2004)
RiskFinder and Kathleen’s Story
(Slide content not recoverable.)
Case Study: Identity Theft
Identity Theft: The neoteric crime of the IT era²⁴
Citibank Identity Theft
(Video: www.fightidentitytheft.com/video/flaps_mpls_te_mpg.mpeg, viewed October 30, 2004)
Identity Theft: The neoteric crime of the IT era
(Five further slides under this title, citing refs. 26 and 29; their content is not recoverable.)
Identity Theft: Causes
- Phishing
- “Stealing corporations’ identities as a means to impersonating individuals”³⁰
- A greater number of pieces of personal information = a greater chance of Identity Theft
Identity Theft: High Tech Causes
Identity Theft: Low Tech Causes
(Content of these slides is not recoverable.)
Identity Theft: Actions to Combat
Legislative:
- Identity Theft and Assumption Deterrence Act of 1998²⁴
- Privacy Act of 2001³⁵
- Consumer Privacy Protection Act, May 2002²⁹
- Identity Theft Prevention Act, Jan 2003²⁹
- SSN Misuse Prevention Act, Jan 2003²⁹
- Fair and Accurate Credit Transactions Act of 2003³⁶
- Anti-Phishing Act of 2004²⁰
Identity Theft: Actions to Combat
Identity Authentication Technologies
- Biometrics
  - Face recognition
  - Retina scans
  - Fingerprint authentication
Identity Theft: Actions to Combat
Smart Cards
- Contain an embedded CPU (electronic chip).
- 32-kilobyte mini-processors are capable of generating 72 quadrillion encryption keys.
- Can be programmed to perform tasks & store information.
- Practically impossible to fraudulently decode.⁹
Identity Theft: Actions to Combat
- Designate a Privacy Officer – could be the Information Manager
Issuers Clearinghouse
NameProtect®
Identity Theft
(Content of these slides is not recoverable.)
Best Practices
Best Practices: All Industries⁴⁰ ⁴¹
Best Practices: IT Functions⁴³
Best Practices: Consumers⁴⁴
(Content of these slides is not recoverable.)
Best Practices: Merchants⁴⁶
Card Present:
- Check that the embossing extends into the hologram
- Check the hologram and indent printing
- Compare the signature on the card and sales draft
- Check that the magnetic strip appears authentic
- Call for a “Code 10” authorization if something doesn’t feel right
Best Practices: Merchants²¹
(Three slides; content not recoverable.)
Best Practices: Acquirers & Merchant Processors
Best Practices: Issuers & Card Processors
(Content of these slides is not recoverable.)
Best Practices: Payment Companies
- Create, refresh & enforce standards
- Monitor to detect shifts in types and volumes of fraudulent activity
- Conduct research to innovate new fraud detection and prevention mechanisms
Questions & Answers

References
1. Fisher, Bill. Pers. Comm. VP Processing Strategy, MasterCard International. Interviewed by telephone by Mike Cornish, October 26, 2004.
2. “MasterCard Corporate Fact Sheet,” www.mastercardinternational.com/docs/corporate_fact_sheet_0804.pdf, viewed October 18, 2004.
3. “Global Technology and Operations,” Fact Sheet. www.mastercardinternational.com/newsroom/gto.html, viewed October 18, 2004.
4. “Total Cost of Ownership Analysis.” Internal document: PowerPoint presentation. Technology & Architecture Services, MasterCard International, February 26, 2003, page 4.
5. “Application Portfolio: Security & Risk Applications.” Internal document: Word document. MasterCard International, March 27, 2003.
6. “2003 GTO & Division Level Financial Data.” Internal document: Excel sheet. GTO Division, MasterCard International, January 3, 2003.
7. MasterCard International SEC Form 10K – March 4, 2004, www.sec.gov/Archives/edgar/data/1141391/000095012304002820/y94488e10vk.htm, pages 6, 22-24, viewed October 19, 2004.
8. MasterCard International SEC Form 8K – February 3, 2004, www.sec.gov/Archives/edgar/data/1141391/000095012304001154/y93767e8vk.txt, page 3, viewed October 18, 2004.
9. Bhatla, TP, Prabhu, V, and Dua, A. “Understanding Credit Card Frauds.” Card Business Review #2003-01, June 2003, pp. 1-15.
10. “Taking a Bite out of Credit Card Fraud,” Celent Communications, www.celent.com/PressReleases/20030121/CreditCardFraud.htm, viewed October 28, 2004.
11. “Identity Theft: Protecting the Customer – Protecting the Institution,” Celent Communications, www.celent.com/PressReleases/20020731(2)/IDTheft.htm, viewed October 28, 2004.
12. “Online Payment Fraud: The Grinch who stole Christmas?” Celent Communications, www.celent.com/PressReleases/20001218/OnlineFraud.htm, viewed October 28, 2004.
13. Valentine, Lisa. “The Fraudsters’ Playground.” American Bankers Association. ABA Banking Journal, 95(8), Aug. 2003, p. 39.
14. “Security & Risk Mission & Overview.” Document, MasterCard International, February 24, 2003.
15. “MasterCard SecureCode for Online Merchants.” Online security document for merchants. http://www.mastercardmerchant.com/docs/securecode/Merchant_Brochure.pdf, viewed October 20, 2004.
16. Bennett, RA. “I didn’t do it.” USBanker 111(12), December 2001, p. 48.
17. “Online fraudsters take $1.6B out of 2003 eCommerce.” CyberSource, www.retailindustry.about.com/cs/lp_internet/a/bl_cs111803.htm, viewed October 20, 2004.
18. US Credit Card Fraud Statistics 2000-2007. Celent Communications, www.epaynews.com/statistics/fraud.html, viewed October 18, 2004.
19. Merchant Risk Council Press Release, www.merchantriskcouncil.org/press.php?p_press_id+13, February 3, 2003, viewed October 21, 2004.
20. “New Leahy Bill Targets INTERNET “PHISHING” That Steals $2 b./yr. from Consumers.” July 2004. www.leahy.senate.gov/press/200404/070904c.html.
21. Micci-Barreca, D. “Unawed by Fraud.” Security Management 47(9), p. 75.
22. “MasterCard SecureCode Case Study: eTronics.” 2003. http://www.mastercardmerchant.com/docs/SC_Case_Study-eTronics.pdf, viewed October 21, 2004.
23. MasterCard RiskFinder. “Solutions.” http://www.fairisaac.com/cgi-bin/MsmGo.exe?grab_id=13&page_id=655872&query=RiskFinder&hiword=RiskFinder+, viewed October 21, 2004.
24. Saunders, Kurt M., and Zucker, Bruce, “Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption of Deterrence Act,” International Review of Law, Computers & Technology, August 1999, 183–192.
25. Groves, Shanna, “Protecting Your Identity,” Information Management Journal, May/June 2002, 27-31.
26. Myron, David, “Stolen Names, Big Numbers,” American Demographics, September 2004, 36-38.
27. Bielski, Lauren, “Identity Theft,” ABA Banking Journal, January 2001, 27-30.
28. Diller-Haas, Amy, “Identity Theft: It Can Happen to You,” The CPA Journal, April 2004, 42-44.
29. Riordan, Diane A., and Riordan, Michael P., “Who Has Your Numbers?” Strategic Finance, April 2003, 22-26.
30. O’Sullivan, Orla, “Gone ‘Phishing’,” ABA Banking Journal, November 2003, 7-8.
31. Bauerle, James F., “Pattern Recognition Software and Dramas of Deception: New Challenges in Electronic Financial Services,” The RMA Journal, October 2004, 2-5.
32. Bielski, Lauren, “Striving to Create a Safe Haven Online,” ABA Banking Journal, May 2003, 53-59.
33. Krebs, Brian, “28 Identity Theft Suspects Arrested in Transatlantic Sting,” The Washington Post, October 29, 2004.
34. Bauerle, James F., “Golden Eye Redux,” The Banking Law Journal, March 2003, 1-15.
35. Heller, Jason, “New Senate Privacy Bill Addresses Personally Identifiable Information,” Intellectual Property & Technology Law Journal, September 2001, 31-32.
36. http://frwebgate.access.gpo.gov/cgi-bin/useftp.cgi?IPaddress=162.140.64.21&filename=h2622eas.pdf&directory=/diskb/wais/data/108_cong_bills, viewed October 25, 2004.
37. Phillips, John T., “Privacy vs. Cybersecurity,” Information Management Journal, May/June 2002, 46-50.
38. https://www.merchantconnect.com/CWRWeb/glossary.do?glossaryLetter=i, viewed October 30, 2004.
39. http://www.nameprotect.com/html/services/id_theft/credit_card.html, viewed October 30, 2004.
40. “How can I protect my customers from identity theft?” Colorado Attorney General: ID Theft Prevention & Information, www.ago.state.co.us/idtheft/clients.htm, viewed November 3, 2003.
41. “Network Security Policy: Best Practices White Paper,” Cisco Systems, www.cisco.com/warp/public/126/secpol.html, page 2, viewed November 2, 2004.
42. CERT® Security Improvement Modules, CERT® Coordination Center, www.cert.org/security-improvement, viewed November 2, 2004.
43. “Webserver Security Best Practices,” PC Magazine, www.pcmag.com/article2/0,4149,11525,00.asp, viewed November 2, 2004.
44. “Tips for Preventing Credit Card Fraud,” MasterCard International, www.mastercardinternational.com/newsroom/security_risk.html, viewed October 22, 2004.
45. “Best Practices for Preventing Online Identity Theft,” Public Safety and Emergency Preparedness Canada, www.ocipep-bpiepc.gc.ca/opsprods/info_notes/IN04-002_e.asp, viewed November 2, 2004.
46. “Preventing Fraud: Fighting Fraud is a Shared Responsibility,” MasterCard International, www.mastercardmerchant.com/preventing_fraud, viewed October 28, 2004.