© 2013 MasterCard. Proprietary and Confidential May 18, 2022 AITEC Banking and Mobile Money COMESA 2013 1 Nairobi, 12 September 2013 James Wainaina, Vice President and Area Business Head, MasterCard East Africa
Mar 31, 2015
Agenda
• The MasterCard Story
• Card Security in East Africa
• Advancing Security, Advancing Commerce
• Role of Partnerships
The MasterCard Story
MasterCard Today
• 210 countries and territories
• 35.9 million acceptance locations
• 7,542 employees
• 34.2 billion transactions
• US $3.6 trillion* gross dollar volume
*This represents MasterCard-branded GDV, does not include Maestro or Cirrus. All figures as of Dec. 31, 2012
Four-Party Payment System
[Diagram: the four parties are the cardholder, merchant, acquirer and issuer]
Our Role
• Consumers want better ways to pay. We invent them.
• Checkout lines are too slow. We help them move faster.
• Commuters are busy. We speed them on their way.
• Procurement is complicated. We make it simple.
• People have no bank accounts. We find ways to serve them.
Card Security in East Africa
Banks reported US $17.52 million lost between April 2012 and April 2013
Loss of revenue
Identity theft, electronic funds transfer, bad cheques, credit card fraud, loan fraud and online fraud are some methods used to orchestrate fraud
Infrastructure
Eliminating online and digital insecurities is key as more and more consumers become accepting of online payment channels
Cyber security
Securing electronic payments
77% of Kenyans willing to buy goods online
Kenyan National Payments Systems arm of CBK works to modernize and increase efficiencies of the nation’s electronic payments
MasterCard Intelligence: MasterCard Online Shopping Survey 2012
Advancing Security, Advancing Commerce
Fraud management for more secure payments
1. Industry Level Initiatives
• Developing industry standards with stakeholders
• Partnering with government agencies
• Enabling Strong Authentication: EMV (chip & PIN), 3D Secure (MasterCard SecureCode)
• Mandated Data Security: PCI-DSS
2. Customer Level Fraud Management Initiatives
• MasterCard’s SAFE (Issuing Bank confirmed reporting fraud to MasterCard)
• ADC: Account Data Compromise event management (between issuer and acquirer)
• Fraud management reviews and fraud consulting services
• Cardholder & Merchant Fraud Prevention Education (Academy, website, conferences)
• Excessive Chargeback Program (ECP)
3. MasterCard Fraud Management Solutions, Products and Services
• Expert Monitoring Solutions
• Global Merchant Audit Program (GMAP)
• BIN Blocking Services
• SIS: MasterCard stand-in facility
• FRM (ATM covering prepaid and debit)
EMV / MasterCard Certification
• EMV Compliance testing has two levels:
– EMV Level 1, which covers physical, electrical and transport level interfaces (i.e. the hardware), and
– EMV Level 2, which covers payment application selection and credit financial transaction processing (i.e. the software)
If the MPOS features a Chip Reader then both EMV certifications must be in place
• MasterCard Terminal Integration Process (TIP)
– Checks that a Chip terminal meets MasterCard brand requirements
TIP must happen before a terminal can be deployed
• MasterCard Terminal Quality Management (TQM)
– While EMV L1 tests one or two readers, TQM checks that the 200th, 200Kth and 2 millionth devices that are produced are the same as the first!
If the MPOS features Chip then it must have a TQM certificate
Note: Acquirer compliance requirements remain the same as in the case of a regular EDC terminal
PCI Certification
• PCI Data Security Standard (PCI DSS)
– The standard was created to increase controls around cardholder data to reduce card fraud arising from its exposure
If card data is being handled, stored or routed, then PCI DSS certifications must be in place
• PCI PIN Transaction Security Standard (PTS)
– Was specifically designed to protect consumer PIN data from theft. It is also intended to enforce hardware security of devices that accept consumer PINs and house secret encryption keys of the acquirer
If the MPOS solution can accept consumer PINs, then PCI PTS certifications must be in place
• PCI Point to Point Encryption Standard (P2PE)
– Secure encryption of payment card data at the point-of-interaction (POI)
Not currently a requirement of MasterCard Rules, however it is an MPOS Best Practice
• PCI Payment Application Security Standard (PA-DSS)
– Secure payment applications, when implemented into a PCI DSS-compliant environment, will help to minimize the potential for security breaches leading to compromises
BP = MasterCard Best Practice
https://www.pcisecuritystandards.org
MasterCard mPOS Program – Some Best Practices
Service Providers
Securing MPOS Payment Applications
• PCI SSC is not certifying MPOS payment applications that reside on multi-purpose, consumer mobile devices (referred to by PCI SSC as a Mobile Payment Acceptance Application Category 3).
• MCW recommends: secure coding / secure software updates / process for handling lost & stolen devices / remote disablement
Securing Transaction Data Captured by an MPOS Card Reader Accessory
• P2PE / enciphered data is transmitted via the mobile device to the MPOS solution provider server / cryptographic authentication for device authentication
Securing Personal Account Numbers (PAN)
• PAN should not be retained on the mobile device / For key-entered transactions: encryption of PAN for transmission
EMV Chip Transactions
• EMV level 2 kernel can be on device or on server or split between both
• Service providers to ensure there is no latency
• Online only transactions allowed
Control in retail payments
• Giving cardholders greater control over how and where their card is used
• Multi-level transaction blocking
• Geographical limit of the acceptance of cards based on pre-defined regions
• Enhanced controls: apply different authorization limits based on multiple criteria such as Amount, Merchant Category, Transaction Type etc.
• Cardholders create personalized spending profiles for their accounts, setting up alerts and spending limits according to budget goals and account security concerns
Solutions for both individuals & corporates
Role of Partnerships
Partnerships to fortify the electronic payments ecosystem
Government Action
• Enhance efficiency and effectiveness of payment systems
• Provider of payment systems (KEPSS)
Industry Initiatives
• Industry-wide shift for adoption of secure ATM and card transactions
• Joint education drives at customer, issuer and merchant levels
Private Investment
• Investment in systems upgrade for issuance of EMV chip and PIN cards as banks adopt new systems
Between 2008-2012, greater usage of electronic payments contributed to 0.8% increase in GDP in emerging markets and 0.3% increase in GDP in developed markets.
- Moody’s Analytics, February 2013