Webinar: Guarding Against Card-Not-Present Fraud.pdf


Guarding Against Card-Not-Present Fraud

Sylvia Auyeung – Merchant Risk
Nathan Wood – CyberSource

Visa Public

Disclaimer

The information or recommendations contained herein are provided "AS IS" and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. When implementing any new strategy or practice, you should consult with your legal counsel to determine what laws and regulations may apply to your specific circumstances. The actual costs, savings and benefits of any recommendations or programs may vary based upon your specific business needs and program requirements. By their nature, recommendations are not guarantees of future performance or results and are subject to risks, uncertainties and assumptions that are difficult to predict or quantify. Assumptions were made by us in light of our experience and our perceptions of historical trends, current conditions and expected future developments and other factors that we believe are appropriate under the circumstance. Recommendations are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the assumptions or recommendations. Visa is not responsible for your use of the information contained herein (including errors, omissions, inaccuracy or nontimeliness of any kind) or any assumptions or conclusions you might draw from its use. Visa makes no warranty, express or implied, and explicitly disclaims the warranties of merchantability and fitness for a particular purpose, any warranty of non-infringement of any third party's intellectual property rights, any warranty that the information will meet the requirements of a client, or any warranty that the information is updated and will be error free.
To the extent permitted by applicable law, Visa shall not be liable to a client or any third party for any damages under any theory of law, including, without limitation, any special, consequential, incidental or punitive damages, nor any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, even if advised of the possibility of such damages.

2 l Guarding Against Card-Not-Present Fraud l August 24 2016 Visa Public

Agenda
• CNP trends
• Key mobile trends
• How prevalent is mobile commerce?
• Is mCommerce riskier than eCommerce?
• What is the right fraud strategy for mCommerce transactions?
• How do you configure your solution to minimize mCommerce fraud?
• Q&A

The amount of data is enormous and growing
Every minute:
• Email users send 204,166,667 messages
• Google receives over 2,000,000 search queries
• Facebook users share 684,478 posts
• Twitter users send over 100,000 tweets
• 644,444 phishing emails sent
Source: www.domo.com, www.phishing.org

What's driving the massive data creation?
In 2015: 4.9 billion connected devices
In 2020: 25 billion connected devices
Source: Gartner

Why are we talking about Card Not Present (CNP)?
Global ecommerce sales will double from 2015 to 2019: $1.7T to $3.5T
Challenge: Optimize authorization and fraud management practices to maximize the growth of ecommerce and digital payments
Source: eMarketer July 2015, includes online and mobile ecommerce

Mobile Fraud
Convert more mCommerce orders with less fraud

U.S. smartphone ownership at highest levels
68% of U.S. adults have a smartphone, up from 35% in 2011, and tablet computer ownership has edged up to 45% among adults
Source: "Technology Device Ownership: 2015", PewResearchCenter, October 2015 http://pewrsr.ch/1GyFf76

Mobile made its presence known over the holidays
• 1 in 5 U.S. online holiday purchases made over mobile (1)
• 44% of smartphone users said they made a purchase from their device, up from 41% a year ago (2)
Sources:
(1) "Mobile accounts for nearly 1 in 5 online holiday purchases", Internet Retailer, January 8, 2016 http://bit.ly/1Pjyggm
(2) "Survey Shows Rapid Growth in Online Shopping", Wall Street Journal, June 8, 2016 http://on.wsj.com/1PgQjod

Overall fraud loss by order channel
0.8%, 0.5%, 0.5% (2015; Webstore, Mobile commerce, Telephone)
Source: CyberSource Online Fraud Management Benchmark Report, 2016

Few merchants track mobile fraud
Source: CyberSource Online Fraud Management Benchmark Report, 2016

Is mCommerce any riskier?
Customer/preventions
No:
• Omnipresent
• Personal identification number (PIN) lock prevents access and usage
• GPS to quickly locate and deactivate
• Biometrics (Siri)
Yes:
• Easier to steal
• Customer apathy
• New threats: Rogue apps, malware, "smishing"
• Man-in-the-middle subverts SMS verification

Merchant/mitigations
No:
• New data elements to determine identity
• Mobile network security more secure than WiFi
• New validation methods (short message service (SMS))
Yes:
• Variable internet protocol (IP) addresses and "diluted" digital fingerprint
• App "fatigue" and privacy considerations
• New customer behavior/norms/history

Device preferences throughout the day
Traditional fraud strategies need to be "tuned"
[Chart: Device Shifting: Daily Trends (Global Q3 2014); series Desktop, Tablet, Phone; time axis 6 AM, Noon, 6 PM, Midnight]
Source: OOYALA Global Video Index, Q3 2014 http://bit.ly/1KxEVkb

What is a "mobile" transaction?
All devices are not created equal
[Charts: Percentage of volume by device type; Fraud "pressure" by device type (fraud chargebacks + cancels)]
Values shown: iPhone 19.2%, Windows tablet PC 5.1%, Android 16.1%, Windows 0.8%, iPad 56.4%
Source: Decision Manager, January – June 2015, Global credit card transactions for transactions where the device was identified

Global view of mobile rates

Region            Mobile volume as a % of total   Fraud "pressure" rates by revenue
North America     40.3%                           6.38%
Asia Pacific      17.7%                           3.98%
Europe            12.5%                           4.57%
South America     12.4%                           14.13%
Eastern Europe    6.8%                            4.90%

Source: Decision Manager, January – June 2015, mobile phones only, Global credit card transactions

Fraud management is a balancing act, including mobile
Accurate detection
• Reduce fraud rate
• Help minimize chargebacks
Efficiency
• Minimize operational costs
• Maximize automated decisioning
• Streamline review process
Positive customer experience
• Reduce false positives
• Increase acceptance rates
• Lower review rates

Managing mobile fraud on your platform
Diagram stages: Channels, Order data, Detection tools, Fraud strategy, Order disposition (Accept / Reject), Reporting and analytics
Channels: eCommerce, Call center, Kiosk, POS, Mobile
• Cross-channel activity
• Velocities
• Risk models
• IP geo-location
• Device fingerprint
• Third-party validations
• Business rules
• Segmenting/profiling
• Manual review
• Rule creation
• Risk score evaluation
• Integrated case management
Mobile data:
• Operating system
• Device type
• GPS location (w/app)
• Universally unique identifier (UUID) (w/app)
• Phone number (w/app)
Reporting and analytics:
• Mobile cancel rates
• Mobile fraud rates
• Custom reporting

Fraud Strategy #1 - Mobile data
Traditional mobile browser vs. "apps"

Browser
Pros
• New data elements
  ‒ Operating system (e.g., Windows, iOS)
  ‒ Device type (e.g., iPhone 4.0, Kindle)
• Advancements in HTML5
• Easier server-side updates
• Does not require download
Cons
• Variable IP geo-location (WiFi limited)
• True device fingerprint (locked iOS)
• Browser strings can be spoofed

Apps
Pros
• A more robust mobile experience
• Ideal for certain verticals (travel)
• Collect more customized data
  ‒ Download ID
  ‒ UUID
  ‒ Phone numbers
  ‒ Install ID
• Great for repeat purchases (accounts)
Cons
• Proliferation of apps
• More expensive to update and coordinate
• Update fatigue
• Privacy concerns

Strategy #2 - Identifying mobile device in your fraud management system
1 Select "mobile device" identifier
2 Create custom data

Strategy #3 - Tool usage
Merchants tracking mobile fraud

Positive lists                                               49%
Device "fingerprinting"                                      46%
Telephone number verification/reverse lookup                 40%
Order velocity monitoring                                    37%
Customer order history                                       37%
Multi-merchant purchase velocity/identity morphing models    31%
Fraud scoring model – company specific                       29%
IP geolocation information                                   26%
Postal address validation services                           23%
Two factor phone authentication                              20%
Shared negative lists – shared hotlists                      20%
Credit history check                                         20%
Paid for public records services                             11%
Social networking sites                                      9%
Biometric indicators                                         9%

Strategy
• Multi-factor approach
• Mobile-specific
• Multi-channel
Source: CyberSource 2013 Annual Fraud Report

Strategy #4 - Mobile fraud strategy
1 Isolate mobile segment using profiles. These can be established by the device fingerprint or using merchant defined data fields.
2 Analyse, create and implement specific mobile fraud rules
Diagram labels: All transactions; mCommerce profile; A… B… C…; Non-mobile profiles; Mobile fraud rules:

Strategy #5 - Mobile reporting
Profile reports
Summary comparison of profiles

Profile performance comparison report
Results: Date: March 01, 2013 – March 31, 2013 | Merchant(s)

Active profiles          Total transactions    Accepted           Rejected         Review
Call center              8,431    21.2%        8,402    99.7%     29     0.3%      0   0.0%
Electronic web public    13,459   33.8%        13,075   97.1%     384    2.9%      0   0.0%
Web Canada               1,977    5.0%         1,509    76.3%     468    23.7%     0   0.0%
Military                 18       0.0%         18       100.0%    0      0.0%      0   0.0%
Mobile site              108      0.3%         68       63.0%     40     37.0%     0   0.0%
Web affiliate            13,878   34.8%        13,824   99.6%     54     0.4%      0   0.0%

All rights reserved CyberSource® 2016

Mobile reporting
Mobile profile detail (continued)

Profile performance comparison report
Results: Date: March 01, 2013 – March 31, 2013 | Merchant(s)

Active profiles          Transactions   Accepted           Force accepted     Rejected        Review       Totals: Accepted   Totals: Rejected   MAS
Overall                  39,845         24,532   61.57%    14,338   35.98%    975   2.45%     0   0.00%    38,870             975                307
Call center              8,431          4,810    12.07%    3,592    9.01%     29    0.70%     0   0.00%    8,402              29                 4
Electronic web public    13,459         9,802    24.60%    3,273    8.21%     384   0.96%     0   0.00%    13,075             384                81
Web Canada               1,977          1,488    3.73%     21       0.05%     468   1.17%     0   0.00%    1,509              468                189
Military                 18             15       0.04%     3        0.01%     0     0.00%     0   0.00%    18                 0                  0
Mobile site              108            50       0.13%     18       0.05%     40    0.10%     0   0.00%    68                 40                 29
Web affiliate            13,878         7,329    18.39%    6,495    16.30%    54    0.14%     0   0.00%    13,824             54                 4
None                     1,974          1,038    2.61%     936      2.35%     0     0.00%     0   0.00%    1,974              0                  0

Rules listed under the expanded Mobile site profile:
• Trade AVS service is not available
• Account issued outside of billing country
• BCountry =/= BIN Country: CA

Mobile reporting
Ad hoc analysis
All rights reserved CyberSource® 2013

Strategy #5 – Fraud management tools
Device fingerprinting specialized for mobile
• Additional mobile data fields for rule building and reporting
• Support iOS and Android software development kits (SDKs)

Data for authentication
• IP address
• Browser fingerprint data
• Location ID
• Dynamic ID
• Persistent ID
• Device fingerprint − 1,000+ inputs

Data for security and fraud
• Root detection
• Crime ware detect
• Malware detect
• Location anomaly
• Device languages

Fraud management tools
Mobile risk models for greater accuracy
• Built specifically for mobile channel using historical transaction data
• Requires sufficient transaction information and "truth" data
• Will further segment into additional regions/verticals as warranted

Fraud management tools
Visual Link Analysis for Case Management
• Find common data linkages across transactions (including mobile device fingerprints)
• Drill down each linkage to transaction level detail
• Select multiple transactions with click through disposition from visual map

Summary
• Rapid mCommerce growth but also increasing mobile fraud "pressure"
• Supplement traditional fraud-prevention data points, tools, and rules for mobile
• Tune fraud strategies specifically for mCommerce
• Incorporate mobile as part of overall cross-channel monitoring
• Remain flexible and vigilant to anticipate fraud behavior

Resources
Upcoming Webinars – Training page on www.visa.com/cisp
• September 28, 2016: Effectively Managing Account Data Breaches
Visa Data Security Website – www.visa.com/cisp
• Alerts, Bulletins
• Best Practices, White Papers
• Webinar Presentations
PCI Security Standards Council Website – www.pcissc.org
• Data Security Standards – PCI DSS, PA-DSS, P2PE, and PTS
• Programs – QSA, ASV, PA-QSA, PFI, ISA, PCIP, and QIR
• Fact Sheets – ATM Security, Mobile Payments Acceptance, Tokenization, Cloud Computing, and many more…

Questions?

32 | Strategies to Effectively Mitigate Card Not Present (CNP) Fraud | 17 November 2015 Visa Public