Professional Documents
Culture Documents
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
Secure Payments: How Card Issuers and Merchants Can Stay Ahead of Fraudsters
Executive Summary
Amid the continuing cat-and-mouse game of fraudsters probing
payment infrastructures for vulnerabilities, as well as the passage
of the EMV1 chip card migration deadline, the payments industry
continues its struggle to plug security gaps. Criminals have upped
their game and are attacking organizations on multiple fronts, and
finding new ways to exploit loopholes in new technologies, even
as organizations embrace them. This has increased organizations
risk exposure, undermined consumer confidence in merchants and
issuers, and threatened the integrity of the global payments industry.
To better understand the current state of payment security, we
recently surveyed 509 U.S. consumers, 50 issuers and 52 merchants
and acquirers. The survey findings were quite revealing:
KEEP CHALLENGING
January 2016
$VVHVVLQJ3D\PHQW6HFXULW\$&XVWRPHU,VVXHUDQG0HUFKDQW9LHZ
(PHUJLQJWRROV
WHFKQLTXHVWR
SUHYHQWIUDXG
0HUFKDQW,VVXHU)UDXG
&RQFHUQV
7RNHQL]DWLRQ
6WDWXV
(09
5HDGLQHVV
&DUG1RW
3UHVHQW
0LWLJDWLRQ
6WUDWHJLHV
33
(QFU\SWLRQ
3XVKLQJWKHEDUIRUZDUGWRHQKDQFH
SD\PHQWVHFXULW\DQG
IUDXGGHWHFWLRQSUHGLFWLRQFDSDELOLWLHV
&RQVXPHU)UDXG
&RQFHUQV
y /DFNRIXQGHUVWDQGLQJ
RIKRZIUDXGKDSSHQV
y $EVHQFHRIWHFKQLTXHV
WRGLVWLJXLVK
HFRPPHUFH
PFRPPHUFHIUDXG
y /DFNRIDSSURSULDWH
VROXWLRQVWRWDFNOH
HPHUJLQJIUDXGDQG
GDWDEUHDFKHV
0HUFKDQWV ,VVXHUV
&RQVXPHUV
a
!
1RW9HU\
&RQILGHQW
,QWKHDELOLW\RI
WKHLUFXUUHQW
VROXWLRQVWR
SUHYHQWIUDXG
7UXVW,VVXHUV
7UXVW5HWDLOHUV
y ,QFUHDVHLQIUDXGDQG
GDWDEUHDFKLQFLGHQWV
DWUHWDLOHUV
y ,QDGHTXDWH
SRVWLQFLGHQW
PDQDJHPHQWSURFHVVHV
DWPHUFKDQWVLVVXHUV
y ,QDGHTXDWH
FRPPXQLFDWLRQIURP
LVVXHUVRQIUDXGFRQWURO
VROXWLRQVLQPRELOH
RQOLQHFKDQQHOV
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
0RELOH3D\PHQW7HFKQRORJLHV&XUUHQWO\6XSSRUWHGE\0HUFKDQWV
$SSOH3D\
$QGURLG3D\
3D\3DO
6TXDUH
6DPVXQJ3D\
6XSSRUWHGLQVRPHRUDOOVWRUHV
&XUUHQWO\SODQQLQJ
1RSODQV
5HVSRQVH%DVH
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
,VVXHUVj0RELOH3D\PHQW3ODQV
$OUHDG\VXSSRUWDPRELOHSD\PHQWRSWLRQ
3ODQWRODXQFKRXURZQPRELOHSD\PHQWVROXWLRQ
1RSODQVIRUPRELOHSD\PHQWVROXWLRQLQWKHQHDUIXWXUH
5HVSRQVH%DVH
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
KEEP CHALLENGING
January 2016
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
The impact of fraud and data breaches goes beyond hefty chargebacks, penalties, stolen customer data and goods, and other financial and operational costs.
It causes irreparable damage to an organizations reputation. Our study puts this
in sharp relief.
Merchants affected by fraud or a data breach often struggle to regain customer
trust. Consumers are particularly reluctant to return to merchants when their
own data has been stolen (see Figure 4). In the case of banks, most customers
are likely to switch to the competition if their online account is compromised
(see Figure 5).
&XVWRPHU5HDFWLRQWR5HWDLOHUV
IURPZKLFKWKHLU'DWD+DV%HHQ6WROHQ
&XVWRPHU5HDFWLRQWR5HWDLOHUV
$IIHFWHGE\)UDXG
:LOOQHYHUWUDQVDFW
:LOOWUDQVDFWEXWSD\RQO\LQFDVK
:LOOWUDQVDFWRQO\LIWKHUHWDLOHULPSURYHVVHFXULW\
:LOOWUDQVDFWRQO\ZKHQWKHUHLVQRDOWHUQDWLYH
'RQRWNQRZ
1RWH3HUFHQWDJHVGRQRWDGGXSWRGXHWRURXQGLQJ
5HVSRQVH%DVH
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
30%
58%
6%
6%
Highly likely
Likely
No
Do not know
KEEP CHALLENGING
January 2016
Thieves have increased cross-border fraud in the U.S., which involves using stolen
card data to conduct fraudulent transactions in another country, either through
counterfeit cards or online purchases. As more U.S. merchants embrace EMV technology, which offers protection against counterfeit cards, CNP transactions are
expected to become a bigger target for fraud.
Moreover, as merchants support new payment approaches across physical and digital channels, they are exposed to greater fraud risk. For instance, mobile payments
accounted for just 14% of overall m-commerce transactions in 2014, but contributed to 21% of total fraudulent transactions.13 Further, chargeback rates for CNP
transactions are higher than card-present transactions, which increases fraud costs
for e-commerce and m-commerce players.
Our study reveals that about 78% of issuers and 66% of merchants believe CNP
fraud will grow regardless of EMV adoption as virtual transactions increase and
criminals hunt for new opportunities. Further, the growth in cross-border e-commerce and new forms of payments are likely to increase CNP fraud.
Merchants
Many merchants are implementing technologies such as EMV, tokenization and
encryption to combat card-present fraud but are unprepared to deal with rapidly
evolving CNP fraud.
EMV: The U.S. is the last major country to adopt EMV chip technology in its
payment cards. EMV cards contain embedded chips that generate a one-time
code required to approve a transaction when used at an EMV-enabled PoS
terminal. This validates the integrity of the card and prevents fraud through
counterfeit cards. Also, as of Oct. 1, 2015, merchants and issuers that have
migrated to EMV are exempted from financial liability for any card-present fraud.
Adoption: Nearly 80% of acquirers are working with their merchants on EMV
migration and are focused on high-risk segments, such as retail, gambling
and hospitality. Educating merchants about the ramifications of liability shift
and changes to chargeback processing is still a work in progress for many
acquirers.
Encryption: Point-to-point encryption involves scrambling payment data as
soon as it enters the PoS terminal to minimize exposure to sensitive data. The
data is then sent via a secured network for processing, where it is decrypted by
the payment processor securely without intermediaries. This protects data from
hackers or other outsiders as it moves between various entities in the payments
network.
Adoption: Nearly half of the merchants we surveyed have fully implemented
encryption (see Figure 6, next page).
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
0HUFKDQWVj$GRSWLRQRI(QFU\SWLRQ
)XOO\,PSOHPHQWHG
,QSURJUHVV
3ODQQLQJWRLPSOHPHQW
1RSODQV
'RQ
WNQRZ
5HVSRQVH%DVH
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
19%
In progress
Planning to implement
19%
No plans
KEEP CHALLENGING
January 2016
17%
17%
Fully implemented
Dont know
0HUFKDQWVj7RNHQL]DWLRQ'HSOR\PHQW0RGHO
2QSUHPLVHVROXWLRQ
6RXUFHGWRDWRNHQL]DWLRQ
VHUYLFHSURYLGHU
+\EULGVROXWLRQFRPELQDWLRQRI
RQSUHPLVHDQGVRXUFLQJ
1RWH3HUFHQWDJHVGRQRWDGGXSWRGXHWRURXQGLQJ
5HVSRQVH%DVHLQFOXGHVRQO\WKRVHUHVSRQGHQWVWKDWKDYHDOUHDG\LPSOHPHQWHGRUDUHLQWKH
SURFHVVRILPSOHPHQWLQJWRNHQL]DWLRQ
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
Issuers
Issuers are working to address card-present fraud by replacing magnetic-stripe
cards with new EMV chip cards. They are also providing customers with mobile
tools that enable better control over their card/account security.
EMV: The annual cost of counterfeit card fraud in 2015 was $3.6 billion.14
In the case of card-present fraud, issuers bear a larger share of fraud
losses than merchants, which reinforces the need to quickly replace
magnetic-stripe cards with EMV chip cards.
However, issuers are replacing magnetic-stripe cards at a glacial pace due
to high costs and a large customer base. Approximately 70% of issuers have
replaced less than 25% of magnetic-stripe credit and debit cards with EMV
cards, according to our research (see Figure 10, page 11). Only 42% of issuers
indicated they will replace magnetic-stripe cards completely by year-end-2015,
while another 38% said they plan to do so by year-end-2016.
Many issuers are using more than one criterion for replacing magnetic-stripe
cards with EMV chip cards. Only 42% said they are proactively replacing existing
cards before they expire (see Figure 11, page 11).
Tokenization: Issuers have historically been wary of tokenization, as they
believed the approach ceded too much control to card networks that also act
as TSPs. They were also concerned about strong consumer brands (e.g., Apple,
Google, etc.) coming between them and their customers in the emerging
m-wallet space. However, the benefits of tokenization in reducing issuer and
customer risk, as well as securing actual card data, appear to have mitigated
issuer concerns.
Our research finds that 64% of issuers are currently using tokenization. Visa/
MC/Amex tokenization approach is the preferred solution, followed by product
solutions implemented in-house (see Figure 12, page 12).
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
7RROV(PSOR\HGE\0HUFKDQWVWR3UHYHQW(&RPPHUFHDQG0&RPPHUFH)UDXG
(FRPPHUFH
0FRPPHUFH
$GGUHVVYHULILFDWLRQVHUYLFH$96
&DUGYHULILFDWLRQYDOXH&99RU&9&
,GHQWLW\DXWKHQWLFDWLRQ
9HULILHGE\9LVD
7HOHSKRQHQXPEHULGHQWLILFDWLRQ
0DVWHU&DUG6HFXUH&RGH
7KLUGSDUW\IUDXGVXLWH
,3JHRORFDWLRQ
0DQXDOUHYLHZ
0HUFKDQWPRQLWRULQJ
,QWHUQDOUXOHV
9HORFLW\FKHFNLQJ
)UDXGVFRULQJ
0RGHOLQJ DQDO\WLFV
0RELOHJHRORFDWLRQ
7H[WPHVVDJLQJ
%LRPHWULFV
'6HFXUH
1RWH3HUFHQWDJHVGRQRWDGGXSWREHFDXVHPXOWLSOHUHVSRQVHVZHUHDOORZHG
5HVSRQVH%DVHHFRPPHUFHPHUFKDQWVDQGPFRPPHUFHPHUFKDQWV
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
10
KEEP CHALLENGING
January 2016
Issuers are already using various customer authentication methods to prevent CNP
fraud, with device authentication being the most used (see Figure 14, next page).
Adoption of solutions that offer better protection of CNP fraud, such as 3-D Secure
and biometrics, is still very low.
Empowering Customers
In addition to investing in security improvements, 46% of the issuers we surveyed
are trying to empower customers with more control over their cards/accounts.
Techniques include mobile tools and apps that allow customers to switch cards
on and off remotely, and providing mobile alerts to customers when they detect
suspicious activity (see Figure 15, page 13).
Among issuers offering such controls, 43% said a majority of their customers
use them, and 48% report only partial adoption. Such tools can lead to improved
loyalty, as noted by 75% of customer respondents, in addition to reducing the
financial and security burden on banks.
0DJQHWLF6WULSH&DUGV5HSODFHGE\,VVXHUV
5HSODFHGOHVVWKDQ
RIFDUGV
3HUFHQWDJHRI,VVXHUV
3HUFHQWDJHRI,VVXHUV
5HSODFHGEHWZHHQ
qRIFDUGV
5HSODFHGEHWZHHQ
qRIFDUGV
5HSODFHGPRUHWKDQ
RIFDUGV
5HVSRQVH%DVH
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
$SSURDFKWR5HSODFLQJ0DJQHWLF6WULSH&DUGVZLWK(09&KLS&DUGV
^
Z
Z
Z
Z
K
1RWH3HUFHQWDJHVGRQRWDGGXSWREHFDXVHPXOWLSOHUHVSRQVHVZHUHDOORZHG
5HVSRQVH%DVH
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
11
,VVXHUVj3UHIHUUHG7RNHQL]DWLRQ6ROXWLRQ
sD
W
/
5HVSRQVH%DVHLQFOXGHVRQO\WKRVHLVVXHUVWKDWKDYHLPSOHPHQWHGWRNHQL]DWLRQ
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
,VVXHU8VHRI)UDXG3UHYHQWLRQ7RROV
&XUUHQWO\
XVLQJ
3ODQWRXVH
LQIXWXUH
7UDQVDFWLRQVFUHHQLQJVRIWZDUHGULYHQ
5XOHEDVHGDOHUWV
$QDO\WLFVSUHGLFWLYHSDWWHUQPDWFKLQJHWF
7UDQVDFWLRQVFUHHQLQJPDQXDO
5HDOWLPHIUDXGVFRULQJ
1HXUDOQHWZRUNV
$UWLILFLDOLQWHOOLJHQFH
1RQH
2WKHU
1RWH3HUFHQWDJHVGRQRWDGGXSWREHFDXVHPXOWLSOHUHVSRQVHVZHUHDOORZHG
5HVSRQVH%DVH
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
&XVWRPHU$XWKHQWLFDWLRQ0HWKRGV6XSSRUWHGE\,VVXHUVIRU
2QOLQHDQG0RELOH7UDQVDFWLRQV
'HYLFHDXWKHQWLFDWLRQ
5DQGRPL]HG3,1SDG
0XOWLIDFWRUDXWKHQWLFDWLRQ
'\QDPLFDXWKHQWLFDWLRQRQHWLPHSDVVZRUG
%LRPHWULFVROXWLRQHJILQJHUSULQWYRLFH
'6HFXUH
1RWH3HUFHQWDJHVGRQRWDGGXSWREHFDXVHPXOWLSOHUHVSRQVHVZHUHDOORZHG
5HVSRQVH%DVH
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
12
KEEP CHALLENGING
January 2016
&RQWUROV2IIHUHGWR&XVWRPHUVE\,VVXHUV
6ZLWFKLQJFDUGVRQDQGRIIXVLQJPRELOHSKRQHDSSV
$RQHWLPHYHULILFDWLRQSDVVZRUGVHQWWRPRELOHWRYDOLGDWHDFDUGWUDQVDFWLRQ
8VLQJPRELOHDSSVWRVWRSXQDXWKRUL]HGORJLQDQGWUDQVDFWLRQV
6HQGLQJDWH[WPHVVDJHWRPRELOHLQFDVHRIDEQRUPDODFWLYLW\
6HQGLQJDWH[WPHVVDJHHYHU\WLPHFDUGLVXVHG
1RWH3HUFHQWDJHVGRQRWDGGXSWREHFDXVHPXOWLSOHUHVSRQVHVZHUHDOORZHG
5HVSRQVH%DVHLQFOXGHVRQO\WKRVHLVVXHUVWKDWSURYLGHFRQWUROVWRFXVWRPHUV
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
Consumers affected by fraud indicated that issuers were more quick to respond
than merchants (see Figure 20, page 15); in fact, nearly one-third said merchants
did not respond at all. In addition to communicating with customers, issuers are also
taking swift remedial measures, our survey finds. Following the recent Apple Pay
fraud, 34% of issuers developed more stringent Apple Pay sign-up processes for
customers adding cards; 46% said they are now working with mobile payment
companies to improve security.
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
13
However, merchants that have not yet implemented any of the above technologies
must review all the channels and links that carry card data and secure them using
a holistic approach.
37%
58%
6%
Very confident
Somewhat confident
,VVXHU&RQILGHQFHLQ&XUUHQW3URFHVVHVDQG6ROXWLRQV8VHGWR3UHYHQW)UDXG
&DUG)UDXG
9HU\FRQILGHQW
5HVSRQVH%DVH
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
&13)UDXG
6RPHZKDWFRQILGHQW
1RWYHU\FRQILGHQW
'RQRWNQRZ
54%
30%
6%
Both equally
Retailers/merchants
Banks
14
KEEP CHALLENGING
January 2016
10%
Do not know
&XVWRPHU&RQILGHQFHLQ0HUFKDQWVj$ELOLW\WR3URWHFW&DUGDQG3HUVRQDO'DWD
$FURVV6DOHV&KDQQHOV
0RELOH
:HEVLWH
3K\VLFDOVWRUH
+LJK
5HVSRQVH%DVH
0HGLXP
/RZ
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
%DQNVjDQG0HUFKDQWVj5HVSRQVHWR&XVWRPHUV$IIHFWHGE\)UDXG
&DUG,VVXHUEDQN
9HU\TXLFNUHVSRQVH
0HUFKDQW
5HVSRQGHGVORZO\
5HVSRQGHGDIWHUEHLQJFRQWDFWHG
'LGQ
WERWKHUWRUHVSRQG
5HVSRQVH%DVHLQFOXGHVRQO\WKRVHUHVSRQGHQWVDIIHFWHGE\IUDXG
6RXUFH&RJQL]DQW5HVHDUFK&HQWHU
)LJXUH
$WD*ODQFH7KH6HFXUH3D\PHQWV9DOXH&KDLQ
0DJ
6WULSH
&KLS
&DUGV
3UH7UDQVDFWLRQ
7UDQVDFWLRQ
,Q6WRUH
5HWDLOHU
326
$FTXLUHU
1HWZRUN
*DWHZD\
,VVXHU
&DUG'HWDLOV
DW5HVW
3RVW$XWKRUL]DWLRQ
5HWDLOHU
:HEVLWH
$FTXLUHU
1HWZRUN
*DWHZD\
,VVXHU
&DUG'HWDLOV
RQ)LOH
5HWDLOHU
$SS
$FTXLUHU
1HWZRUN
*DWHZD\
,VVXHU
(09(QFU\SWLRQ
7RNHQL]DWLRQ
(&RPPHUFH
(QFU\SWLRQ
7ZRIDFWRUDXWKHQWLFDWLRQ
2WKHU&13WHFKQLTXHV
0&RPPHUFH
(QFU\SWLRQSOXV
WRNHQL]DWLRQ
$SS
6RXUFH&RJQL]DQW
)LJXUH
$XWKRUL]DWLRQ
763
2SWLRQ
763
2SWLRQ
7KLUG3DUW\
3URGXFW
763
2SWLRQ
&DUG'HWDLOV
DW5HVW
763
2SWLRQ
763
(QFU\SWHGFRQWHQW
)LUHZDOOSURWHFWLRQ
7RNHQL]HGFRQWHQW
$QWLPDOZDUH
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
15
Assessing Vulnerabilities
Transaction Phase
Card data held by merchants for batch settlement at the end of the day and
stored in back-end databases for purposes such as chargebacks, marketing,
customer loyalty programs, etc. Such systems are often targeted by thieves
to gain access to large amounts of aggregated cardholder data.
16
KEEP CHALLENGING
January 2016
should take the plunge by complying with the technical and operational requirements of PCI DSS.16 Although it does not guarantee complete protection as
seen in recent data breaches at merchants that adhered to PCI DSS guidelines
PCI DSS ensures a basic level of security and can form the foundation of a
layered approach.
The next level of defense and the core component of this approach is EMV
adoption. When combined with PCI DSS, EMV can enhance the security of
payments data that reaches merchants systems. However, data
is exposed once it enters the merchants network. Encrypting
data at the PoS using point-to-point encryption can secure
data against hackers while it travels between the merchant and
processor (data in transit). Topping these layers with a tokenization solution with token vault management provided by a
sourcing partner rather than handled in-house reduces the
burden of managing sensitive data, vastly mitigating the fallout
from data breaches (data at rest).
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
17
Merchants with an in-house token vault should use strong authentication to limit physical and virtual access to the vault. To mitigate
the threat of data theft after de-tokenization, merchants should
configure firewalls to restrict IP traffic and limit the number of
applications that make de-tokenization requests to the token vault.
Involve Customers
In addition to bolstering security, training employees and building an incident response team, merchants and issuers should also
incorporate customers into their overall risk management efforts.
We recommend that customers risky behaviors be continually
studied and dealt with by employing a combination of the three Es:
Educate: Customers must be continuously educated on various
forms of fraud, precautions that can protect mobile devices
from rogue apps, malware, etc., and steps to take if they
suspect fraud.
Empower: Empowering customers with tools that give them
greater control over their accounts and improve security can
go a long way toward improving confidence and driving traffic
across channels. Issuers can provide mobile apps that allow
customers to limit card spending in certain geographies, cap
transaction limits, abort transactions, block and unblock cards,
etc., which can mitigate fraud significantly.
18
KEEP CHALLENGING
January 2016
Research Methodology
The survey was conducted online in the U.S. in July 2015, and included 509
customers, 50 issuers and 52 merchants and acquirers.
&RQVXPHUV
*HQGHU3URILOHRI5HVSRQGHQWV
$JH*URXSRI5HVSRQGHQWV
0DOH
)HPDOH
q
q
q
q
q
$ERYH
(PSOR\PHQW6WDWXVRI5HVSRQGHQWV
)XOOWLPHHPSOR\HH
3DUWWLPHHPSOR\HH
6HOIHPSOR\HG
+RPHPDNHU
5HWLUHG
6WXGHQW
8QHPSOR\HG
$QQXDO+RXVHKROG,QFRPHRI5HVSRQGHQWV
/HVVWKDQ
WR
WR
WR
WR
,VVXHUV
5HVSRQGHQWVj/HYHOLQ2UJDQL]DWLRQ
9LFHSUHVLGHQW
$QDO\VW
LQYHVWLJDWRU
&VXLWH&(2&)2
&72DQG&22
'LUHFWRU
6HQLRUPDQDJHU
)UDXGVSHFLDOLVW
2WKHU
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
19
5HVSRQGHQW5ROHV
'HDOZLWKLQWHUQDOFRQWUROVDQGVROXWLRQVWR
SUHYHQWSD\PHQWIUDXG
0RQLWRUDQDO\]HWUDFNUHSRUW
SD\PHQWIUDXG
'HDOZLWKLQYHVWLJDWLQJIUDXG
5HVSRQGHQWVj2UJDQL]DWLRQDO'HSDUWPHQW
,7
)UDXGDQGULVNPDQDJHPHQW
&RPSOLDQFHDQGVHFXULW\
2SHUDWLRQV
2WKHU
$QQXDO5HYHQXHRI5HVSRQGHQW2UJDQL]DWLRQV
ELOOLRQqELOOLRQ
ELOOLRQqELOOLRQ
ELOOLRQqELOOLRQ
ELOOLRQDQGDERYH
0HUFKDQWVDQG$FTXLUHUV
5HVSRQGHQW7\SH
0HUFKDQWRQO\
%RWKPHUFKDQWDQGDFTXLUHU
$FTXLUHURQO\
20
KEEP CHALLENGING
January 2016
5HVSRQGHQWVj6XE6HFWRU
2QOLQH
UHWDLOHU
'HSDUWPHQW
VWRUH
$SSDUHO
6XSHU
PDUNHW
6SRUWLQJ
JRRGV
+RPH
JRRGV
+HDOWK
DQGEHDXW\
'UXJ
VWRUH
+REE\ 6PDOOIRUPDW
0DVV
DQGFUDIW YDOXHVWRUHV PHUFKDQW
5HYHQXHRI5HVSRQGHQW2UJDQL]DWLRQV
/HVVWKDQELOOLRQ
ELOOLRQqELOOLRQ
ELOOLRQqELOOLRQ
ELOOLRQDQGDERYH
5HVSRQGHQWVj/HYHOLQ2UJDQL]DWLRQ
&VXLWH&(2&)2
&72DQG&22
9LFH
SUHVLGHQW
'LUHFWRU
6HQLRU
PDQDJHU
0DQDJHU
'LYLVLRQ
KHDG
3UDFWLWLRQHU
2WKHU
5HVSRQGHQWVj'HSDUWPHQW0L[
)UDXGDQGULVN
PDQDJHPHQW
&RPSOLDQFHDQG
VHFXULW\
2SHUDWLRQV
,7
6DOHVDQG
PDUNHWLQJ
2WKHU
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
21
(&RPPHUFHDQG0&RPPHUFH([SHULHQFHRI5HVSRQGHQW2UJDQ]DWLRQV
0FRPPHUFH
(FRPPHUFH
/HVVWKDQ\HDU
%HWZHHQDQG\HDUV
%HWZHHQDQG\HDUV
0RUHWKDQ\HDUV
1RWH2XWRIUHVSRQGHQWVDUHLQYROYHGZLWKHFRPPHUFHDQGDUHLQYROYHGZLWKERWKHFRPPHUFHDQGPFRPPHUFH
Note: All company names, trade names, copyrights and products referenced in this white paper are the property of their
respective owners. No company referenced in this white paper sponsored this white paper or the contents thereof.
References
Beyond the Point of Sale: Six Steps to Stronger Retail Security, SANS Institute,
Nov. 5, 2015,
https://www.sans.org/reading-room/whitepapers/analyst/point-sale-stepsstronger-retail-security-36102.
Tokenization in Financial Services, Financial Services Roundtable, Mar. 2015,
http://fsroundtable.org/cto-corner-tokenization-financial-services/.
Multi-Layered Security Strengthens Payment Structures: How to Prepare a
Comprehensive Strategy, Verifone, 2014,
http://www.verifone.com/media/4041137/verifone-comprehensive-multilayeredsecurity-white-paper.pdf.
Tokenization Is the Way to Prevent E-commerce Security Breaches, NetworkWorld, Aug. 25, 2014,
http://www.networkworld.com/article/2597398/tech-primers/tokenization-isthe-way-to-prevent-e-commerce-security-breaches.html.
What Data Thieves Dont Want You to Know: The Facts about Encryption and
Tokenization, First Data, 2012, https://www.firstdata.com/downloads/thoughtleadership/TokenizationEncryptionWP.pdf.
How to Enable Multifactor Security on Amazon, Krebsonsecurity.com,
Nov. 15, 2015,
http://krebsonsecurity.com/2015/11/how-to-enable-multifactor-security-onamazon/#more-33033.
The Double-Edged Sword of Tokenization Helps Issuers But Also Poses a Subtle
Threat, Digital Transactions, Oct. 12, 2015,
http://digitaltransactions.net/news/story/The-Double-Edged-Sword-of-Tokenization-Helps-Issuers-But-Also-Poses-a-Subtle-Threat.
Tokenization: Benefits and Challenges for Securing Transaction Data, Security
Week, Nov. 4, 2014,
http://www.securityweek.com/tokenization-benefits-and-challenges-securingtransaction-data.
22
KEEP CHALLENGING
January 2016
Biohackers: Meet London's Living Synths Who Are Implanting Microchips into
Their Own Bodies, Evening Standard, Oct. 29, 2015,
http://www.standard.co.uk/lifestyle/esmagazine/biohackers-meet-londons-livingsynths-who-are-implanting-microchips-into-their-own-bodies-a3101646.html.
Footnotes
EMV stands for the first initials of Europay, MasterCard and Visa, the three
companies that created the standard.
Why Wall Street Is Pouring Money into Companies that Want to Eat its Lunch,
Business Insider, Mar. 21, 2015,
http://www.businessinsider.in/Why-Wall-Street-is-pouring-money-into-companies-that-want-to-eat-its-lunch/articleshow/46640241.cms.
3
MasterCard Launches New Program that Can Turn any Consumer Gadget,
Accessory or Wearable into a Payment Device, MasterCard, Oct. 26, 2015,
http://newsroom.mastercard.com/press-releases/mastercard-launches-new-program-that-can-turn-any-consumer-gadget-accessory-or-wearable-into-a-payment-device/.
5
Global Card Fraud Losses Reach $16.31 Billion Will Exceed $35 Billion in 2020,
according to The Nilson Report, BusinessWire.com, Aug. 4, 2015,
http://www.businesswire.com/news/home/20150804007054/en/Global-CardFraud-Losses-Reach-16.31-Billion.
7
The True Cost of Data Breaches in the Payments Industry, Smart Card Alliance,
Mar. 2015,
http://www.emv-connection.com/downloads/2015/03/The-Cost-of-DataBreaches.pdf.
9
Data Breach at Home Depot Leads to Fraud, Fortune, Sept. 23, 2014,
http://fortune.com/2014/09/23/data-breach-at-home-depot-leads-to-fraud/.
11
SECURE PAYMENTS: HOW CARD ISSUERS AND MERCHANTS CAN STAY AHEAD OF FRAUDSTERS
23
EMV Transition Will Still Leave Security Gaps, Dell, Sept. 2015,
https://powermore.dell.com/technology/emv-transition-will-still-leave-securitygaps/.
14
The Payment Card Industry Data Security Standard (PCI DSS) is a global
standard for organizations accepting cards to protect customers payment card
data throughout the transaction.
16
24
KEEP CHALLENGING
January 2016
World Headquarters
500 Frank W. Burr Blvd.
Teaneck, NJ 07666 USA
Phone: +1 201 801 0233
Fax: +1 201 801 0243
Toll Free: +1 888 937 3277
inquiry@cognizant.com
European Headquarters
1 Kingdom Street
Paddington Central
London W2 6BD
Phone: +44 (0) 207 297 7600
Fax: +44 (0) 207 121 0102
infouk@cognizant.com
Copyright 2016, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to
change without notice. All other trademarks mentioned herein are the property of their respective owners.
Codex: 1565