Web Fraud Prevention, Online Authentication & Digital ... · PDF filesimona cristea oana ifrim sebastian ... online authentication & digital identity market guide 2015/2016...

MRC

BuildingBetter CommerceFraud & Payments Professionals

LATEST TRENDS AND INSIGHTS INTO SECURING DIGITAL IDENTITIES AND TRANSACTIONS

WEB FRAUD PREVENTION,

ONLINE AUTHENTICATION

& DIGITAL IDENTITY

MARKET GUIDE 2015 / 2016

In the ever evolving and highly complex ecommerce industry, The Paypers’ Web Fraud Guide is a vital resource for fraud professionals. It encompasses a wealth of information on the latest security developments, fraud prevention strategies, digital challenges and upcoming web trends. This Guide is of great value because it is a compilation of past year insights and future expectations.Danielle Nagao - CEO MRC

Ecommerce Europe is pleased to endorse The Paypers’ Web Fraud Prevention, Online Authentication & Digital Identity Market Guide. The analysis is a reliable reference source on the latest trends in the digital identity & web fraud ecosystem for both payment fraud professionals and readers interested in getting more in-depth information in this field.Elaine Oldhoff Ecommerce Europe

https://plus.google.com/+Thepayperscommunity/posts

https://twitter.com/ThePaypers

https://www.facebook.com/ThePaypers

https://www.linkedin.com/groups?home=&gid=2459067&trk=anet_ug_hm

2 3LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONSWEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY MARKET GUIDE 2015 / 2016

Title

Companyname

Platte tekst


WEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY MARKET GUIDE 2015 / 2016

LATEST TRENDS AND INSIGHTS INTO SECURING DIGITAL IDENTITIES AND TRANSACTIONS

AUTHORS

Mirela Amariei

Tiberiu Avram

Ionela Barbuta

Simona Cristea

Oana Ifrim

Sebastian Lupu

Mihaela Mihaila

Andreea Nita

Adriana Screpnic

RELEASE

VERSION 1.0

DECEMBER 2015

COPYRIGHT © THE PAYPERS BV

ALL RIGHTS RESERVED






Introduction

When it comes to security and fraud, we can safely state that

2015 has been a ‘time of great change’ - and 2016 will definitely

follow the same trend. The online world as well as the payments

landscape have been witnessing considerable transformation for a

while now. Latest technology developments, regulatory changes,

the entire digital revolution that has been undergoing for the last

couple of years, have made a significant impact on virtually every

aspect of the financial and payments industry. However, in the

middle of all these groundbreaking changes, internet fraud remains

a constant reminder of the fact that with greater opportunities,

come greater risks. The numerous, almost never-ending data

breaches and tremendous rise of cybercrime in basically every

sector have shaken consumers’ confidence regarding privacy and

data protection.

Considering this ‘evil face’ of the transaction space, it has become

quite clear for all market players that measures ought to be taken

to block further increasing levels of payments fraud. With this in

mind, retailers, fraud prevention services providers, payment

service providers and policy makers have begun to feel the

pressure and are currently struggling to develop advanced fraud

prevention solutions and establish a legal framework in order to

keep fraudsters at bay and maintain sensitive data secure.

Therefore, taking into account that fraud detection & prevention,

online security, risk management, digital identity and consumer

authentication are instrumental in defining and securing the

transactional ecosystem, special attention must continue to be

paid to these aspects. As The Paypers is committed to deliver an

annual analysis of the current state-of-affaires of the industry and

point out the key participants that are aimed at setting the scene

for future developments in the fight against fraud, a new edition of

the Web Fraud Prevention, Online Authentication & Digital Identity

Market Guide has been compiled.

Featuring a two-part structure, the latest edition provides payment

professionals with up-to-date data on the major cybersecurity

highlights that have influenced the industry in 2015. Part 1 is a

series of insightful perspectives on key aspects of the global

digital identity transactional & web fraud detection space from

industry associations and leading market players. In 2015, the

transactional space has been mostly influenced by the long-

awaited October deadline for the US EMV migration. With the

new chip embedded credit and debit cards as well as the new

POS terminals, experts from the Smart Payment Association

express their fear that fraudsters will focus their efforts on

other vulnerabilities in the payments ecosystem, including

ecommerce and m-commerce channels. Moreover, according to

a survey conducted by Fattmerchant, despite the fact that 72%

of businesses have not adopted EMV-compliant technology, the

migration is still expected to lead to a considerable increase in

card-not-present (CNP) fraud. The topic of EMV and its impact

on US businesses is also approached by CardinalCommerce,

which provides a piece of advice on how merchants can protect

themselves against CNP fraud.

Part 1 also includes valuable input regarding projects and

measures aimed at regulating the way data is collected, stored

and processed. Hence, Time.lex provides an insight into the Safe

Harbour agreement and what it means to merchants and web

shops. Additionally, on the regulation front, the EPC shares an

interesting perspective on the EBA Guidelines on the security of

internet payments.

Key matters such as machine learning and the need for a more

coordinated collaboration between technology and human

development have been highly debated by ACI Worldwide and

Feedzai and briefly addressed by Risk Ident in an interview.

As always, cross-border ecommerce is at the forefront of the

industry. Bearing in mind that an increasing number of companies

decide to expand across borders, it became more obvious that

fraud is one of the most challenging barriers that needs to be

overcome. Ecommerce Europe presents e-ID schemes as a

solution to improve data protection and to increase convenience

and consumer trust. All these major points are complemented

by interesting perspectives on the Internet of Things and a new

concept in managing identities – the Identity of Things (IDoT).


Additionally, in the case fraud vs consumer authentication &

verification, contributions from Consult Hyperion, the Biometrics

Institute, MyBank, Natural Security Alliance and Wirecard

feature unique views on the importance of authenticating online

transactions. Finally, other thought leaders and some of the major

industry associations which have provided their valuable input

include Accertify, Signicat, the MRC, Neira Jones and Perseuss.

They all have provided a resourceful analysis on the ever-changing

digital identity, web fraud prevention and detection landscape.

Part 2 of the Guide is an outline of in-depth company profiles

which allows readers unprecedented access to the global digital

identity & web fraud market and complements the industry

analysis.

The Web Fraud Prevention, Online Authentication & Digital

Identity Market Guide is an insightful reference source

highlighting key facts & trends into the global digital identity

transactional and web fraud prevention & detection ecosystem.

Table of contents

6 WEB FRAUD PREVENTION, ONLINE SECURITY & DIGITAL IDENTITY MARKET GUIDE 2014 / 2015

4 INTRODUCTION

8 THOUGHT LEADERSHIP SECTION

9 TRENDS & DEVELOPMENTS IN SECURING THE TRANSACTIONAL ECOSYSTEM

10 Securing the User's Shopping Experience: Five Fraud Trends from 2015 | Markus Bergthaler, Global Director of Programs

and Marketing, MRC and Mike Splichal, Program Manager, MRC US

12 Confronting Card Fraud in the Global Travel Industry 2005 -2015 | Jan-Jaap Kramer, Chairman, Perseuss

14 Transacting with Retailers Is Now Omnichannel and So Is Fraud | Mark Beresford Director, Edgar, Dunn & Company

16 Exclusive interview with Neira Jones | Advisory Board Member & Ambassador, Emerging Payments Association

19 BEST PRACTICES IN IDENTIFYING FRAUDSTERS & PREVENTING FRAUD LOSSES

20 Machine Learning – Keeping US One Step Ahead of Fraudsters | Jackie Barwell, Director of Fraud and Risk Product Management,

ACI Worldwide

22 AddressingDeliveryandReturnsFraudtoProtectProfits| Catherine Tong, General Manager, Accertify

24 Exclusive interview with Roberto Valerio | CEO, Risk Ident

26 Myths About Machine Learning | Dr. Pedro Bizarro, Chief Science Officer, Feedzai

28 Work Smart – Does Your Fraud Team Suffer from Decision Fatigue | Mark Goldspink, Chief Executive Officer, ai Corporation

30 The Future is Mobile | Neil Caldwell, VP European Sales, CyberSource

32 360-Degrees Fraud Management: Securing the Customer Journey | Hugo Löwinger, Digital Identity & Fraud Management, Innopay

34 E-ID: Fraud and Risk Prevention in Cross-Border Ecommerce | Elaine Oldhoff, Ecommerce Europe

37 REGULATION, PRIVACY AND DATA PROTECTION

38 Security of Internet Payments: the EBA Two-Step Approach | Javier Santamaría, Chair, The European Payments Council

40 How EMV will Change Online Business in the US | Michael Roche, VP of Consumer Authentication, CardinalCommerce

42 Doing Business in Europe? Mandatory Data Protection Compliance in Every Single Country | Edwin Jacobs, Partner, time.lex

44 Will EMV Eliminate Card Fraud in the US? | Nicolas Raffin, President, Smart Payment Association





47 STRONGER CONSUMER AUTHENTICATION TO COMBAT ECOMMERCE FRAUD

48 Moving Beyond Passwords: Next Steps in Consumer Authentication | Carlos Häuser, Executive Vice President, Wirecard AG

50 Tokenization: From Account Security to Digital Identity | Tim Richards, Principal Consultant, Consult Hyperion

52 Exclusive interview with Isabelle Moeller | Chief Executive, Biometrics Institute

54 Bring Your Own Authentication: The Next Revolution against Web Fraud | André Delaforge, Head of Communication Advisory

Committee, Natural Security Alliance

57 INSIGHTS INTO ELECTRONIC IDENTITIES IN EUROPE

58 Digital ‘Marble’ - Onboarding in the Age of Electronic Identity | Gunnar Nordseth, CEO, Signicat

60 ElectronicIdentityVerification:HowMyBankCanHelp| Fatouma Sy, Head of Product Development, MyBank and John Broxis,

Managing Director, MyBank

63 DIGITAL IDENTITIES AND TECHNOLOGIES AT THE HEART OF SECURITY

64 Identity of Things (IDoT): A New Concept in Managing Identities | Emma Lindley, Managing Director, Innovate Identity

66 The Advent of IoT: Are We Facing A Trade-off Between Convenience & Security? | Ionela Barbuta, Senior Editor, The Paypers

68 COMPANY PROFILES

110 GLOSSARY

7LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONS

THOUGHT LEADERSHIP

THOUGHT LEADERSHIP

TRENDS & DEVELOPMENTS IN SECURING THE TRANSACTIONAL ECOSYSTEM


Securing the User's Shopping Experience: Five Fraud Trends from 2015

MRC

3. Mobile fraudWorldwide, mobile commerce sales will account for nearly half

of total internet sales by 2018, according to Goldman Sachs.

As more businesses introduce mobile apps and/or mobile-friendly

websites, fraudsters will try to exploit merchants' fraud checks.

Businesses must do more than just extend their fraud solutions

to mobile platforms from the start. Merchants should leverage

mobile-specific identifiers wherever possible, such as Mobile

Equipment Identifiers (MEIDs) and International Mobile Subscriber

Identities (IMSIs). As consumers increasingly use mobile phones

and tablets to order goods and services online, businesses should

also ensure their fraud solutions support any mobile-specific or

mobile-friendly features, such as letting consumers use a mobile

number in place of an e-mail address when creating an account.

4. Digital goodsFor merchants offering downloadable content, such as games,

apps/software, music, videos, and e-books, a big challenge to

fraud prevention efforts is customers' expectation of near-instant

fulfillment. Merchants need to strike a balance between debt

from fraud, chargebacks, etc. and revenue. As quick reviews

are essential in preventing legitimate customers from shopping

elsewhere, it is imperative that companies leverage the power

of data to help make decisions, whether those decisions are

automated or manual. By joining a professional organisation such

as the Merchant Risk Council (MRC), key fraud and payments

personnel can gain valuable insights, discuss emergent threats and

trends, and share best practices with other industry professionals.

5. US EMV rolloutAs of October 1st, liability for card-present transactions in the

US has shifted. Now, merchants can be held liable, unless they

replace their point-of-sale hardware with technology compatible

with the card chip standard known as EMV.

As ecommerce enters its third decade, competition among

companies to attract and retain customers is as intense as ever.

While global Business-to-Consumer ecommerce sales (excluding

travel and event tickets) are projected to hit a staggering USD 1.6

trillion in 2015, this total represents less than 7% of worldwide

retail sales. It is clear that ecommerce still has tremendous growth

potential. With that in mind, we have examined five ecommerce

fraud trends as 2015 draws to a close.

1. Account takeoverFraudsters can and will target any company or consumer who is

vulnerable. As larger businesses invest more resources to prevent

large scale compromises and breaches, a greater number of

small and medium-sized businesses are expected to be targeted.

The use of mobile two-factor authentication is a growing trend

to help protect customer accounts. In this case, a one-time use

code is sent to the consumer's mobile phone via SMS or a special

app as an additional layer of account validation. Biometrics are

also expected to play a larger role in consumer authentication as

more smartphone models with fingerprint readers are sold and

companies experiment with alternatives to passwords such as

selfies.

2. Omnichannel / multichannel retailingAs more businesses integrate their physical retail presences with

their online presences, companies need to ensure they have

systems and processes in place to address potential exploits from

all channels. For example, if a merchant offers in-store pickup

on its website, fraud checks should still be performed, including

scenarios in which the delivery method is changed from one

channel to another (delivery to in-store pickup, for example). Store

personnel should also be trained on the importance of validating

in-store pickup orders and need to be prepared to handle more

complex circumstances such as identity theft.

http://www.cio.com/article/2866080/e-commerce/how-ecommerce-businesses-can-beat-the-competition-in-2015.html

http://www.emarketer.com/article/retail-sales-worldwide-will-top-22-trillion-this-year/1011765

http://www.emarketer.com/article/retail-sales-worldwide-will-top-22-trillion-this-year/1011765

http://www.telegraph.co.uk/technology/news/11907711/selfies-to-kill-off-passwords-within-five-years-says-mastercard.html


About Markus Bergthaler: Markus Bergthaler, MRC Global Director of Programs and Marketing, oversees benchmarking, education, committees, communities, marketing and event content.

About Mike Splichal: Mike Splichal, MRC US Program Manager, coordinates content for committees, presentation archives and community forums. He also develops member training and certification programs.

About MRC: The MRC is an unbiased global community providing a platform for ecommerce fraud and payments professionals to come together and share information. As a not-for-profit entity, the MRC’s vision is to make commerce safe and profitable by offering proprietary education, training and networking as well as a forum for timely and relevant discussions.

www.merchantriskcouncil.org

Mike SplichalProgram ManagerMRC US

Markus BergthalerGlobal Director of Programs and MarketingMRC

MRC


However, until merchants switch to authenticating purchases

using the chips on EMV cards, instead of magnetic stripes, the

change is unlikely to significantly reduce the incidence of fraud

lost to counterfeit cards. Also, unlike the European rollout of EMV,

the US rollout is less coordinated and PINs are not mandated.

As a result, it is doubtful that there will be a drastic shift in fraud

from the card-present to the card-not-present environment, at

least initially. Ecommerce companies cannot become complacent,

however. The MRC recommends most companies to use a layered

approach with machine learning and manual reviews, with a focus

on reducing friction for legitimate customers.

ConclusionA common theme with these trends is customer experience.

Fraud detection is more than just preventing illegitimate transactions

from being processed, it is also about ensuring legitimate

customers are not adversely impacted by automated and manual

reviews. While online fraud remains a challenging space, we believe

that those companies which balance prevention with customer

experience will be best positioned to reap the rewards of the rapidly

growing ecommerce landscape.

http://www.merchantriskcouncil.org

http://www.merchantriskcouncil.org


Confronting Card Fraud in the Global Travel Industry 2005 - 2015

Perseuss

long time online, but occasional meetings in person re-inforce and

accelerate that trust.

Technology-wise collaborationThe next step in industry-wide collaboration is sharing data. When

the working group is small, this can be done via e-mail messages,

but once groups start to grow, automation is vital. Groups will need

to establish steering committees to choose a neutral technology

supplier who develops the various online forums and databases.

The data-sharing technology itself has to be cloud-based and highly

secure. It has to enable businesses to submit and share suspected

fraud data legally, while always retaining ownership of the data.

This way, a business can remain completely in control of its data,

even after it has shared it. The database must be developed with a

high degree of participation and input from working fraud analysts

so the screens and layouts blend naturally into the operational

workflow. This increases efficiency and improves decision-making.

For the past ten years, service suppliers in the travel industry

(airlines, train companies, shipping lines, online travel agents) have

progressed from taking their first baby steps in online payments

to a point where online transactions represent the vast majority

of all ticket purchases. This period has seen significant change

right across the sector. The industry has faced an extraordinary

battering from card fraudsters and has had to reorganise rapidly to

face this unexpected threat.

Looking back, we can now see that there were certain key

developments which, collectively, led to a reversal of fortunes for

the initially successful fraudsters. Businesses are now back in

control of their payment operations and fraud has been reduced to

manageable levels.

Collaboration between competitorsBy far, the most important development has been the ability of

fraud analysts to exchange information between each other

in an informal manner: first, in meetings, secondly, in secure

online forums. There are two main types of information, namely,

structured data such as names and e-mails that need to be cross-

checked against a database, and tips and best practices that can

be shared informally.

Some of the meetings and online forums are for members only.

Others are open to verified fraud analysts and professionals from

any accredited organisation. For an individual who may be the

only fraud-fighter in their organisation and with no-one else nearby

to offer advice, these forums are like a life-support machine.

Collaboration between corporatesAt a strategic level, the travel sector has created an industry-wide

body where executives can meet and coordinate actions, both

regionally and globally. There is a regular program of working

groups that takes place at venues across Europe, Asia-Pacific and

elsewhere in the world.

Key to the success of both personal and corporate collaboration

is that people from different organisations continue to meet

regularly face-to-face. Bonds of trust, once formed, can last a

SHAREDDATABASE

MerchantSees suspect transaction

so checks details against

database. This shows two

other instances of same

details used fraudulently.

Analyst reviews case and

declines booking.

MerchantNotices that a particular

pattern is frequently

used by fraudsters.

Focuses own fraud

detection efforts on that

pattern and identifies

many costly fraudulent

transactions.

Data sharing


About Jan-Jaap Kramer: As Payments Manager for Martinair, Jan-Jaap was responsible for processing all ecommerce and call centre bookings. In 2011, he both established his own consultancy to help other businesses fight fraud and was elected Chairman of the Perseuss Steering Group.

About Perseuss: Perseuss is the global travel industry's own solution to the battle against fraud. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.

www.perseuss.com

Jan-Jaap KramerChairmanPerseuss Steering Group

Collaboration with partnersMerchants who provide travel services rely on a vast network of

partners to oil the wheels of the industry and make everything

work. Among these partners are payment service providers,

software suppliers, banks, card schemes, industry associations,

legal entities, national police forces, as well as international law

enforcement agencies.

The travel industry had the foresight long ago to involve all of these

bodies in the global war against card fraud. Since 2013, all of these

organisations have been mobilised into a number of concerted

drives to break up fraud gangs and arrest their members at the

moment of committing crime. Hundreds of perpetrators have been

charged with offences including human smuggling, drug trafficking

and international prostitution. In many cases, the secondary crimes

are far more serious than the card fraud, which first brought them to

the attention of the authorities.

All this collaboration has allowed the travel industry to present a

truly joined-up front against fraud gangs. The gangs themselves

are becoming increasingly sophisticated and technology-savvy.

It is vital that the industry continues to make and strengthen

connections with its partners to counter this ever-present threat.

Cross-industry collaborationA very exciting prospect is for the travel industry to work with

entirely different business sectors to fight fraud. Criminals do not

recognise industry boundaries, so why should we?

Of course, the scale of operations will be significantly increased.

There will be problems and challenges. But the lesson of the last

ten years is that we must all collaborate more in order to isolate

criminal gangs. If we do not, they will exploit the gaps between

us and take the initiative. Then, we will find ourselves cut off,

surrounded and struggling to catch up. That must not be permitted

to happen.

http://www.perseuss.com

http://www.perseuss.com


Transacting with Retailers Is Now Omnichannel and So Is Fraud

Edgar, Dunn & Company

This can lead to customers revealing information about the transaction

and fraudsters are able to change the arrangements for collection

of the goods. The call will seem genuine and fraudsters will often

quote titbits of the individual’s confidential transaction history

information, such as their full name, address, account numbers,

all information that the fraudster gleaned from an earlier hack of

a retailer or financial institution. The ability to create a profile of

a target customer is progressively easier to achieve by organised

criminals operating at a distance.

Data miningUsually, the fraudster will spoof the collection arrangements and

change the location to a store more convenient for him to pick-

up the goods. This information is meant to make the conversation

more credible, luring the customer into revealing additional

information that can be used to arrange the collection of their new

purchased items. These products can be quickly sold on auction

websites afterwards.

Another example would be fraudsters who send targeted phishing

emails on behalf of the retailer or the bank in order to capture

information about the customer. Fraud protection vendors are most

concerned about evolving methods of phone fraud, especially

because it is the least protected area when it comes to card-not-

protected (CNP) transactions and, therefore, the most vulnerable

means of attack in a multi-channel environment, as found in large

modern retailers.

Alternative forms of paymentA lot of retailers and fraud prevention vendors commonly collect

fraud statistics for legacy products such as debit and credit

cards. The more innovative retailers are issuing and accepting

mobile wallets, carrier billing, prepaid payment products, loyalty

and reward products, gift cards, social and peer-to-peer payment

products. Multichannel retailers are even starting to accept bank

transfers such as Barclay’s Pingit.

As retailers have enhanced their technical and business operations

to better serve consumers across several channels, there has

been a gap in dealing with fraudsters who are also adopting

a cross-channel approach. In this respect, it is interesting to

see that there are several exceptions to a standard ‘purchase’

transaction, particularly returned goods. It has been a specific

area where different customer points of interaction did not

properly communicate with each other. This means that fraudsters

are targeting the loopholes that have appeared due to the lack of

connectivity across channels.

Edgar, Dunn & Company (EDC) has found that many retailers do

not treat different customer points of interaction individually.

Instead, they take into account consumer behaviour and location

to build a fraud strategy for each point of interaction – be it call

centre, in-store customer service desk, a click-and-collect service

desk, online, or at the point-of-sale. Retailers are aiming to ensure

a seamless customer experience across channels and they should

equally tackle fraud across all channels. They need a cross-channel

view of their customer’s purchasing history, browsing history and

preferred channel history - in-store, smartphone, tablet, laptop,

desktop, in-store kiosk - to ensure that a customer is a good

customer and is not deviating from their normal channel behaviour.

Transacting with retailers is now omnichannel.

False positivesDeclining a customer that is a good customer can lead to dramatic

and detrimental customer behaviours. This is commonly the case

where a customer could be known to be ‘good’ on a certain

device but, then, uses a different device and he is declined when

engaging with the retailer simply because the fraud detection rules

are not updated for the new device.

As merchants aim to serve customers across channels, fraudsters

are also using the lack of joined up thinking by impersonating

a service centre. They will cold call a customer, for example,

claiming that their credit card or bank account has been subject to

fraud during the transaction with the retailer.


About Mark Beresford: Mark Beresford, Director at Edgar, Dunn & Company, has over 20 years’ experience in the payments sector. He heads the Retailer Payments Practice at EDC and works on strategic client engagements for major omnichannel retailers and payment service providers globally.

About Edgar, Dunn & Company: Edgar, Dunn & Company is an independent global payments consultancy founded in 1978. The company is widely regarded as a trusted adviser, providing a full range of strategy consulting services, expertise and market insight. EDC clients include payment brands, issuer and acquiring banks, processors and merchants.

www.edgardunn.com

Mark BeresfordDirectorEdgar, Dunn & Company

As consumers become more familiar with Apple Pay and

in-app purchases, they are expected to gradually become more

adventurous in the selection of different methods of payment

at different points of interaction with the retailer. If the store is

closed, the Pingit app can be used by scanning a QR code on

the shop window next to the goods on sale. However, the point of

interaction could most likely be on an advertisement at a bus stop

or at the back of a taxi, not necessarily in the store.

Fraudsters are able to program a smartphone to act as a false POS

terminal, deface a QR code to redirect funds to another account,

or even make a smartphone to act as a false payment card. An

attack that used to require insightful hardware engineering at

the POS to by-pass EMV technology is now just a software

app. The emergence of new sales channels (and the integration

between these channels) unfortunately enables fraudsters to

‘play one channel against another’, or identify potential cracks in

omnichannel processes.

Fraud is an ever-evolving art and fraudsters are very creative

in leveraging the retailers’ lack of fully integrated multichannel

solutions. They are already preparing for a new wave of cross-

channel fraudulent strategies in order to trick consumers at a wide

variety of retailer interactions.

http://www.edgardunn.com

http://www.edgardunn.com

16 WEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY MARKET GUIDE 2015 / 2016

The online landscape is changing at a faster pace and fraudsters are getting better at stealing money and identities. The industry needs a more reliable authentication system to create a safer environment. What do you see as a next step in consumer authentication?By the end of 2015, there will be 7.2 billion people with an employment

ratio of 60% representing 4.3 billion people (International Labour

Organisation, World Bank). By then, 1.3 billion people (30%) will

routinely work remotely (Symantec, August 2014) and by 2019,

there will be 24 billion networked devices around the world, with an

average of 3.2 connections per person. The pace of technological

advancement, as well as increased sophistication and adaptability

of criminals, have made identity theft and social engineering most

successful. Indeed, in the UK, ID crime represented 48% of all

fraud in 2014, with 82% of ID-related crimes committed online

(CIFAS Fraudscape 2015). Worryingly, 23% of recipients open

phishing e-mails and 11% click on attachments, and a phishing

campaign of just 10 e-mails has a 90% success rate (Verizon DBIR

2015). In addition, machine-to-machine connections will triple to

10.5 billion by 2019 (CISCO, May 2015). All this connectivity means

new opportunities for countries, businesses, people, as well as,

unfortunately, fraudsters.

I like to link identity and authentication to social engineering

because, if legitimate credentials fall into the hands of criminals,

all bets are off. Technology alone cannot stop fraud, as evidenced

many times, and most recently, when a UK company handed over

an unprecedented GBP 1 million to a phone scammer that led

an employee to transfer the money to bogus bank accounts, or

when BitPay lost USD 1.8 million through a spear phishing attack.

I believe consumer-centric Identity & Access Management

(IAM) vendors will start to provide enterprise grade solutions

and enterprise IAM vendors will start moving from role-based

access control (RBAC) to attribute-based access control (ABAC).

Biometrics, behavioural/contextual analysis and low-latency

threat monitoring/ fraud prevention will all play a role in building a

successful ecosystem.

So, it is not so much that we need an ‘authentication system’.

We actually need several ways to manage identity and authentication

that are proportional and commensurate to the potential risk

associated with any interaction (be it human or machine) and with

the necessary addition of appropriate operational processes to

support them. The most sophisticated identity or authentication

technologies can be deployed, but if appropriate governance

processes are not equally matched, it will only be money down

the drain.

Cybercrime has also gone mobile, do you think there is a need for multichannel fraud detection & prevention solutions to detect and manage fraud effectively, irrespective of channel?Cybercrime has indeed gone mobile and, with the growth of the

Internet of Things (IoT), equally hyper-connected. There is, however,

at this stage, little evidence of serious harm. Indeed, with the rise

of mobile devices and BYOD, we could have expected significant

threats to organisations. But, as suggested by the Verizon DBIR

2015, there were less than 0.03% mobile devices infected with

mobile malware each year, and the rise of the IoT did not exhibit

a surge of attacks through that channel. Instead, criminals relied

on phishing attacks, misuse of credentials and new varieties of

malware that plague organisations of all sizes. Managing fraud in this

hyper-connected environment will force businesses to manage risk

effectively to support growth, performance and reputation. In this

environment, comprehensive, real-time analytics will play a key role.

Emerging Payments Association

In the interview, Neira Jones points out that managing fraud in a hyper-connected environment will force businesses to manage risk effectively to support growth, performance and reputation.

http://www.telegraph.co.uk/news/uknews/crime/11878125/Business-scammed-into-handing-over-1million-to-bogus-caller.html

https://nakedsecurity.sophos.com/2015/09/18/bitpay-spearphished-and-loses-1-8-million-insurer-refuses-to-pay/

http://www.emergingpayments.org


Neira JonesAdvisory Board Member & AmbassadorEmerging Payments Association

About Neira Jones: Neira chairs the Advisory Board for mobile innovator Ensygnia & the Global Advisory Board for the Centre for Strategic Cybercrime & Security Science and is a Founding Advisory Board Member for GiveADay UK. She sits on the Advisory Board of the Emerging Payments Association.

Twitter: twitter.com/neirajonesLinkedIn: www.linkedin.com/in/neirajones

About Emerging Payments Association: The Emerging Payments Association (EPA) is a community for the world’s most progressive payments companies. The EPA helps them to have influence over the payments landscape and get access to the people operating in it, whether they are buyers, sellers or partners.

www.emergingpayments.org

In this hyper-connected environment, comprehensive, real-time analytics will play a key role

IoT promises to be "the next big thing". Apart from the innovation and convenience that it brings, the system is not flawless. What are the main vulnerabilities we need to be aware of?As the IoT evolves, so should the understanding of its security

requirements. The online web environment has had years to

mature, in line with the understanding of what needs to be done

to secure it. As we all know, data breaches continue to happen

in the traditional online channel and old vulnerabilities continue

to be exploited. Exciting developments in the IoT should take

advantage of what has already been learned in online and other

digital channels, and implement security by design rather than

as an afterthought. Key to this will be authentication of devices

(and individuals) and data security as these technologies will

increasingly collect more and more personal data. From a process

and regulatory stance, data will be key as are the many contractual

implications that will ensue due to an ever extended supply chain.

Would wearable technology transform the payments industry? And where do we stand from a security point of view?Wearable technology is only a subset of the IoT and, therefore, the

same issues apply, with the added emphasis on data collection,

protection and privacy as there is a direct link to individuals.

Will it "transform" the payments industry? I don’t think so. Will it

contribute to its evolution towards a payments ecosystem that is

frictionless and secure? I sincerely hope so. We are already seeing

some interesting deployments in the loyalty and engagement space

as well as in the production of new form factors (e.g. contactless

rings), which is where, I think, wearables will make the most impact

in payments.

https://twitter.com/neirajones

http://www.linkedin.com/in/neirajones

http://www.emergingpayments.org

Experience the excitement at MRC Vegas 2016 with over 1,500 attendees, 65 educational sessions, 450 companies and individuals from over 30 countries.

65EDUCATIONAL

SESSIONS

1,500+

ATTENDEES

450 COMPANIES

COUNTRIES

MARCH 7-10 | ARIA RESORT & CASINO

MERCHANTRISKCOUNCIL.ORG/EVENTS/MRCVEGAS

EARLY BIRD DISCOUNT$800SA

VE

WITHOUR

MRC


Register now for one of the largest and most rewarding events uniting online and

multi-channel retailers, card networks and issuers, law enforcement and solution

providers all committed to making eCommerce safe and profi table.

Experience the excitement at MRC Vegas 2016 with over 1,500 attendees, 65 educational sessions, 450 companies and individuals from over 30 countries.

EDUCATIONALSESSIONS

1,500+

ATTENDEES

450 COMPANIES

COUNTRIES

BEST PRACTICES IN IDENTIFYING FRAUDSTERS & PREVENTING FRAUD LOSSES


Machine Learning – Keeping US One Step Ahead of Fraudsters

ACI Worldwide

more complex scale. This allows fraud analysts to understand both

localised and widespread occurrences of fraud. It also enables

these complex processes to be accomplished faster, frequently in

real-time.

Additionally, other information, such as data resulting from web-

behaviour analysis, can be fed into the predictive models, creating

a new and valuable dimension to the model’s accuracy.

The development of new algorithms, machine learning techniques

and programming expertise have also all kept pace with changes

in the payments and ecommerce landscape, with these latest

techniques giving businesses the power to explore a much larger

search area in the model optimisation space and increase detection

rates.

While it is clear that machine learning has a lot to offer to financial

institutions and merchants in an effort to detect and prevent fraud,

the approach does have its limitations.

Because they learn from experience, predictive models cannot

learn or spot monolithic events such as data breaches. For these

you need to be running a rules-based model which uses negative

lists and, preferably, consortium data.

Predictive models are also less adaptive at learning one-off events

or transient phenomena. Our experience with customers around

the world has taught us that combining predictive models with

a customised rules engine delivers the optimal fraud prevention

solution. The ability and flexibility of a comprehensive rules

engine to deal with seasonal changes, emerging trends and one-

time events complements the sophisticated pattern recognition

techniques deployed by predictive models.

At ACI, we firmly believe in the future of advanced machine learning

and predictive models as an integral and vital part of a winning

fraud strategy. We have our own patented predictive models

which have been used by customers for many years. Backed by

these predictive models, ACI’s rules-based systems are constantly

updated to augment performance and provide multifaceted

Machine learning is a hot topic in fraud prevention, with both

financial institutions and merchants looking to exploit advances

in IT infrastructure and intelligent computing to protect their

businesses from risk. But, what really is machine learning and how

effective is it in detecting and preventing fraud?

Machine learning relies on algorithms which employ pattern

recognition techniques to explore and learn the underlying

structures in the data. By using past transaction data from fraudulent

activity, alongside information from genuine customer transactions,

these algorithms can be used to build predictive models which can

forecast the probability of a transaction being fraudulent.

Predictive models deliver very tangible results in fraud detection.

Their ability to extract meaning from complicated data means that

they can be used to identify patterns and highlight trends which

are too complex to be noticed either by humans or through other

automated techniques. By running specific, effective algorithms

and using them to make automated decisions, or generate alerts

for suspicious activity, these techniques can save manual review

time, reduce the number of false positives and quickly stop

attempted fraud.

But this approach is by no means new. In fact, predictive models

first became popular almost two decades ago, particularly with

financial institutions which successfully used models to detect

significant volumes of card-present fraudulent transactions and

save millions.

Back then, however, fraud problems were simpler and patterns

were easier to identify. Fraudsters have since become savvier

and more innovative, driving demand for further change in fraud

detection techniques to ensure that defensive capabilities can

match fraudsters’ offensive capabilities.

Technology advances over the last decade in particular have aided

the evolution of machine learning and ensured it has remained an

effective fraud prevention measure. For instance, the increased

availability and scale of raw computing power means that we can

now process, segment and analyse data on a much larger and


About Jackie Barwell: Jackie is the Director of Fraud and Risk Product Management at ACI Worldwide, having joined the ACI family as part of their acquisition of ReD in 2014. Jackie has more than 27 years’ experience within the financial crime arena.

About ACI Worldwide: ACI Worldwide, the Universal Payments company, powers electronic payments and banking for more than 5,600 financial institutions, retailers, billers and processors worldwide. ACI software processes USD 13 trillion each day in payments and securities transactions.

www.aciworldwide.com

Jackie BarwellDirector of Fraud and Risk Product ManagementACI Worldwide

coverage and protection. It is this holistic approach to fraud

prevention that provides effective protection against the risk

of fraud without compromising customer service, driving costs

further upwards, or increasing the demand on scarce in-house

resources.

Predictive models - part of a multi-dimensional fraud management solution

Developments and enhancements will, of course, need to continue to

meet the ever-changing needs of the industry as both consumers

and fraudsters adapt their behaviour. At ACI, we are now exploring

the use of smaller, more focused and tactical models, trained

specifically on a closely targeted set of data – for example, a

specific merchant sector or geography. This will enable merchants

to benefit from more sophisticated solutions which are faster to

deploy and designed to address their specific trading landscapes.

As fraud develops, predictive models will too, enabling us to keep

one step ahead.

http://www.aciworldwide.com

http://www.aciworldwide.com


AddressingDeliveryandReturnsFraudtoProtectProfits

Accertify

The many guises of delivery and returns fraudOne of the challenges of fighting this type of fraud is that there are

multiple guises it can take.

• Wardrobing – Want to go to a party and wear that expensive dress

or tuxedo? With this tactic, you don’t have to pay a penny to have

that special outfit. Wardrobing is making a legitimate purchase

with the intention of using the item and returning it for the full value.

• Delivery denial – “I never received my goods and want a refund!”

But you did receive the goods. You didn’t have to sign for the

parcel and so who knows whether the delivery driver did in fact

leave it. Or, if you were to claim you never saw it, even though it is

on your kitchen table, who’s to know?

• Bait-and-switch – That 1 year guarantee seems to be timed

perfectly to when something breaks, and it is only a couple of

weeks outside that timeframe. Purchasing a working item and

returning a damaged or defective identical item that was already

owned, however, is still not a legitimate transaction.

• Courier fraud – orders are intercepted and never received by

the consumer. It is worth remembering that it is not always the

end customer who is committing the fraud. Multiple people are

involved in the supply of a product from retailer to customer and

understanding if it is someone involved before reaching your

customer is just as important.

The common theme here is that each of these tactics can result in

the retailer losing a product and sale from it, therefore impacting

profitability - but in many cases without recognising the underlying

causes of this decreased profitability.

Monitoring and addressing delivery and returns fraudRetailers have been applying various methods to address

this issue, with many being very manual and non-sustainable

processes. Many have struggled with being able to track regular

offenders and stop them before they attempt this type of fraud

again. Many have also faced the challenge that some customers

only show this behaviour once or twice.

A fraud team usually focuses on the actions of professional

fraudsters. These are the criminal pros who attempt to steal on

a large scale using automation and thousands of stolen payment

cards. It makes sense to aim the artillery at big threats. Now, a

different kind of smaller scale fraud scenario perpetrated by

amateurs is gaining traction on the fraud battlefront. It’s called

delivery and returns fraud.

The unknown challenge How many retailers really understand all the areas of shrinkage

or loss in their business and quantify these losses accurately?

Delivery and returns fraud, the act of defrauding a retailer via

the returns process, is an increasing issue where fraudsters

are exploiting supply chain processes. We are not talking false

payment data here, but something a bit harder to detect. Akin to

electronic shoplifting, an individual attempts one low-value fraud

action, one retailer at a time. Some incidents involve fraud via a

delivery channel, while others use variants of fraudulent returns.

Sometimes customers come across this type of fraud by accident

as they realise weaknesses in retailer processes, but because they

see it as a small scale cost to a retailer, they do not perceive it to

be fraud. Whether on a small scale, or something which becomes

a customer habit, ultimately the customer is ending up with either

product or refunds they should not have received.

Historically, retailers have focused on chargeback losses. However,

as retailers have brought this area of risk under control, either new

areas of risk have become more visible, or the fraudsters have

started to change their behavior. Delivery and returns fraud may

seem small scale even to the retailer, but collectively the losses

can add up quickly. Many businesses do not have the visibility

of how big a problem this is becoming. According to the 2014

National Retail Federation Return Fraud Survey, the industry

was estimated to lose USD 10.9 billion in 2014 alone.

https://nrf.com/media/press-releases/retailers-estimate-holiday-return-fraud-will-cost-them-38-billion-according-nrf

https://nrf.com/media/press-releases/retailers-estimate-holiday-return-fraud-will-cost-them-38-billion-according-nrf


About Catherine Tong: Catherine Tong is General Manager for Accertify in EMEA leading a team of fraud specialists, and partnering with companies from a variety of industries on their fraud management strategies as they enter and grow in new markets. Before joining Accertify, Catherine held various senior risk roles at retailer, Tesco and PwC.

About Accertify: Accertify Inc., a wholly owned subsidiary of American Express, is a leading provider of fraud prevention, chargeback management and payment gateway solutions to merchant customers spanning diverse industries worldwide. Accertify’s suite of products and services, including machine learning, help ecommerce companies grow their business by driving down the total cost of fraud and protecting their brand.

www.accertify.com

Catherine TongGeneral ManagerAccertify

Accertify believes the key to reducing delivery and returns fraud

is to target who is involved in the delivery or return of the product.

Retailers can leverage our platform to analyse each consumer’s

behaviour and identify out-of-pattern returns and other delivery

anomalies.

Our multi-merchant database allows each participating retailer to

benefit from collective knowledge about returns fraud and thereby

try to limit its losses. Retailers learning from each other is invaluable,

they can now use this tool to benefit from other participating

customers who have already leveraged data associated with prior

fraudulent deliveries and returns.

Retailers are now able to manage a much broader set of risks in

one place, improving efficiency for their business, whilst bringing on

new ways to help protect themselves. They can still have different

teams managing these different aspects of their business, but

managing all the data and fraudulent behaviour in the same place

enables them to be able to track changes in fraudster behaviour

more easily and collaborate internally.

http://www.accertify.com

http://www.accertify.com


In today’s ever-changing online environment, identifying fraudulent transactions has become a major hurdle. How can companies like Risk Ident help merchants detect and stop suspicious transactions? Ecommerce is in a continuous state of evolution and is expected to

be worth GBP 185.44 billion (EUR 219.44 billion) in 2016. This makes

online payments more and more of an attractive option for fraudsters

whose increasingly sophisticated techniques create a moving target

for merchants looking to identify and tackle fraudulent transactions.

At Risk Ident we deliver the best use of quality anti-fraud data in

Europe by using machine learning and behavioural analytics to

help support fraud managers by intelligently processing a wide

range of input sources, such as device identification. Using rules

alone or monitoring single transactions is no longer as effective

at detecting and stopping suspicious transactions. Establishing

relationships between transactions helps merchants recognise

potential fraud patterns without the need for expensive additional

databases, acting fast to protect them from fraud.

Some herald the combination of machine learning and 'human detectives' as the next major revolution in fighting fraud. How do you feel about this combination of man and machine to find and fix weaknesses of the system?We are passionate in our belief that man and machine – together

– offer the strongest possible defence against fraud when used in

combination. Machine-led intelligence has undoubtedly enhanced

the proficiency of fraud prevention thanks to advanced algorithms

which outshine the more traditional rule-based approach. It is

important that companies take advantage of this technology and

use it to further boost their fraud managers’ knowledge of their

own fraud problems.

Machine learning should not be used to the detriment of human

detectives, who are crucial for judging data choices to ensure

legal compliance, and for giving individual consideration to any

borderline cases that need the application of human processing.

Modern methods of data science and software engineering help

provide smarter technology that works more intelligently than

traditional anti-fraud processes, pooling data for analysis that

helps guard against repeat fraudsters without requiring private

personal information. Ultimately, technology should not replace

fraud managers. Instead, it should be used to empower them to

take an educated, proactive approach by identifying and tackling

fraud at the source.

What are some of the main changes that you would expect to impact the fraud prevention landscape following the Safe Harbour ruling from the ECJ?The recent ECJ decision to suspend Safe Harbour could catalyse

major changes for the fraud prevention landscape, affecting the

data privacy and anti-fraud processes of businesses on both

sides of the Atlantic. The ruling will have especially significant

ramifications for businesses which depend on sharing data with

organisations in the US in order to stay secure. Companies that

want to establish more local, European-based data centres for

customers’ data in the EU will have to adhere to European data

privacy laws, which are traditionally much stricter. However, this

still does not offer a total solution to EU businesses as the US

Freedom Act, Section 702 (FAA 702) remains in use by the US

government, which allows them to obtain data stored in Europe by

US companies.

The ruling is potentially good news for European businesses and

customers however, as it has brought the focus back to customer

privacy. We do not expect it to be a huge barrier to businesses.

Risk Ident

Risk Ident points out that technology should not replace fraud managers. Instead, it should be used to empower them to take an educated, proactive approach by identifying and tackling fraud at the source.

http://www.riskident.com/en


About Roberto Valerio: Roberto Valerio is the CEO of Risk Ident, leading the day-to-day management of the company. He is responsible for driving the development of the business to serve merchants in need of a modern, intelligent approach to online fraud prevention.

About Risk Ident: Risk Ident offers anti-fraud solutions for companies within the ecommerce and financial sectors, empowering fraud managers with intelligence and self-learning machine technology to provide stronger fraud prevention. Risk Ident are experts in device fingerprinting and behavioural analytics, while its products are specifically tailored to comply with European data privacy regulations.

www.riskident.com/en

Roberto ValerioCEORisk Ident

Too many organisations argue that it’s in the users’ best interest to give up more privacy as it will keep them safer online. This is not necessarily true…

But, it will undoubtedly cause friction and uncertainty before an

alternative is agreed on in 2016. The ruling, together with the recent

high-profile Weltimmo and Schrems cases, has certainly brought

data privacy and the ethics of data sharing into concentration for EU

businesses. It is still possible to promote security while maintaining

privacy by anonymising data, and it is something we very strongly

believe in.

From your point of view, what is the best approach to gaining customers’ trust when it comes to data privacy and fraud protection?Risk Ident was founded and built specifically with European privacy

laws in mind and we strongly believe in smarter fraud prevention

technology that helps maintain privacy without compromising

security. We welcome moves by the European authorities that

publically and legislatively recognise the importance of data privacy

in Europe.

There are far too many organisations out there that give customers

the impression that giving up more of their privacy is in their

best interests in order to stay safer online in the long run. This is

definitely not the case. It is possible for personalised information

to be kept separate from anonymised data, such as device

identification, and to gain customers’ trust while keeping their

payments safe. It is paramount that businesses are transparent

with their customers and fully available to help manage any data

sharing concerns.

http://www.riskident.com/en

http://Zanders


Myths about Machine Learning

Feedzai

community grows, more developers are creating new applications

and APIs that are highly specific to your business or technology

stack. Open-source machine learning services are already available

in C++ and Python with more languages to follow. Lastly, the growth

of cloud computing provides access to shared machine processing

infrastructure. The cloud, open-source adoption, combined with

APIs, are the factors that are removing technology barriers for

machine learning adoption.

Myth 2: Machine learning takes away my ability to control my businessAs machines do more work and make more decisions, the fear of

losing control or not understanding the ‘blackbox’ machine logic

is understandable. However, advances in human-to-machine

interfaces have been made in recent years, such as ‘whitebox

scoring’ methods, that demystify the underlying decision-making.

Whitebox approach is essentially a semantic layer, turning data and

decisions into descriptions that anyone can read without resorting to

complicated and obscure machine logic or reason codes.

Additionally, as you implement machine learning in your business,

it frees up time for your fraud and risk management team. They spend

less time manually reviewing orders and payments or manually

processing numerous chargebacks every week. These alone result

in huge time-saver for your team, time which is reclaimed to spend

running your business.

Myth 3: I want the Uber-model that is best for allFirst, there is no single best machine learning model that is

universally better in all situations. Choosing the best model

depends on the problem type, size, available resources, etc.

However, just like teams of people working together, groups

can often make better decisions than individual members.

That’s because individuals each have their own biases.

The same is true in the case of machine learning with the use

of ‘ensemble methods’. Ensemble methods is using multiple

models together in order to help compensate for individual bias.

Ensemble methods combine the opinion of multiple learners to

achieve superior collective performance. Moreover, ensembles are

The fintech revolution has begun and machine learning is at the

forefront of this next wave of innovation. Machine learning, a branch

of artificial intelligence, is now enabling computer systems to have

sophisticated judgment and decision-making capabilities (remember

that self-driving cars were thought impossible only a few years ago).

Machine learning, I think, will have a larger impact over the next 20 years, than mobile had over the past 20.

-Sun Microsystems co-founder and venture capitalist Vinod

Khosla-

As Google and Facebook continue to usher in the era of machine

learning, the ripple effects can be felt in the financial services

industry. Machine learning is radically changing the nature of

money and financial services. Now is a great time to dispel the

common myths about machine learning.

Myth 1: Machine learning is only for big companiesThe declining cost of computing - due to factors such as improvements

in computer processing speeds, cheaper data storage, increased

communications bandwidth, and broader availability of data

sources, to name a few - have leveled the playing field for companies

and businesses of all sizes to be able to use machine learning

technologies. The range of businesses that can now use machine

learning is very wide - ranging from giants like Google and First

Data, to ecommerce startup merchants like LongboardsUSA.

Source: Deloitte, Computing Cost-performance (1992-2012)

Furthermore, with the advances in software development technology,

machine learning can be integrated into your system seamlessly

using APIs or plug-ins. At the same time, as the open-sourced

https://www2.deloitte.com/content/dam/Deloitte/es/Documents/sector-publico/Deloitte_ES_Sector-Publico_From-exponential-technologies-to-exponential-innovation.pdf


About Dr. Pedro Bizarro: Pedro is the Chief Science Officer at Feedzai where he leads a team of data scientists who are keeping commerce safe. He is a recognized researcher in machine learning and holds a PhD from the University of Wisconsin at Madison.

About Feedzai: Feedzai was founded in 2009 by data scientists and aerospace engineers to make commerce safe for business customers through the use of artificially intelligent machine learning. Feedzai’s Fraud Prevention That Learns technology is used by large financial services companies to risk-score over USD 1 billion of commerce transactions each day. Feedzai is a US-based company and is funded by major venture capital investors including OAK HC/FT, Sapphire Ventures and Data Collective.

www.feedzai.com

Dr. Pedro BizarroChief Science OfficerFeedzai

inherently parallel, which means they work efficiently side by side.

For fraud prevention systems, this is vital because it requires far

less training time to set up the initial models.

Not only does combining multiple models make the system safer, it

also keeps it more relevant. By including different models, evolution

will take place at a much faster rate, with less need for human

supervision.

Myth 4: Machine learning is all about the modelIt cannot be denied that you need a good model or ensemble of

models to make machine learning efforts effective. However, simply

having effective models isn’t enough. Fraudsters are incessantly

finding new loopholes and cracks in your system. The only way to

stay one step ahead of them is to continually feed new data sources

and strengthen the intelligence by introducing new real-world data

and connections. A machine-learning model is only as good as

what data it ingests.

Data Sources

The fintech revolution is well underway. As electronic commerce

continues to rise, fraudsters have access to more sophisticated

tools and increased channels to commit fraud. To combat fast-

evolving fraud, organisations must adopt more sophisticated

methods. Machine learning, when combined with human intelligence

and intuition, can now have superior judgment and decision-making

capabilities so organisations can eradicate fraud.

http://www.feedzai.com

http://www.feedzai.com


Work Smart – Does Your Fraud Team Suffer from Decision Fatigue?

ai Corporation

Many young graduates join a fraud team in order to start a corporate

career. Invariably they would start by managing alerts after some

kind of induction programme. It is now well-evidenced in the field

of behavioural economics that as familiarity regarding a role grows,

other human biases start to become more pronounced; in other

words, the greater experience a fraud analyst has, the greater the

risk that they will subconsciously be influenced to wander from

the ideal resolution. At ai we have spent a lot of time studying

the psychology associated with this ‘decision fatigue’ and have

developed our software to mitigate its damaging effects.

The below graph demonstrates the otherwise hidden trend in

human behaviour being influenced by external factors. In this case,

judges presiding over a parole board discover their decisions are

being dramatically influenced by something entirely human - their

appetite. Do fraud analysts suffer from this?

Let machines handle the repetitive tasksai’s mantra to ‘automate tedious routines to release human

creativity’ aligns with the mounting scientific evidence presented in

the field of behavioural economics. In fact, one of the International

Institute of Analytics top ten predictions for 2015 was that analytics,

machine learning and automated decision-making would come of

age in 2015.

Right now, consumers have never had such a broad range of

options to pay for goods and services. What is more, the channels

through which the consumer may purchase their goods and

services have never been more diverse.

The cost of these new payment options and omni-channel

engagement methods has increased the complexity and associated

costs for issuing banks, acquiring banks and merchants; it is a cost

they must bear in order to stay competitive through this ‘consumer

self-service’ point of sales revolution.

The increase in complexity has created both opportunity and great

risk for three key groups. Firstly, consumers have the opportunity

to choose how and where to buy like never before. This creates

the opportunity for the second group, sellers, to increase volume

of sales. But with complexity comes confusion, and the third

group, fraudsters, has taken full advantage.

Today’s fraudsters are highly sophisticated and very well

organised. To combat this, legitimate businesses that want to stay

competitive need to be both equipped to stop the fraud, and able

to do this in an efficient and cost-effective manner.

A balance between man and machineIt is this need for efficiency and effectiveness in the face of ever-

increasing and more complex fraudulent activity that drives

ai’s product development. Our automated systems have been

developed to be more effective than manual human decision-

making. The efficiency improvements that come with reliable and

consistent performance are beyond what any human could be

expected to achieve.

It is often said of ai that we are a ‘people business’. We agree – it

is people that drive any successful business and, as our clients

testify, it is often our people that help drive other businesses. So,

in the case of the fraud management world, what are we doing to

ensure we support this principle? If we think about the motivation

for a fraudster versus an employee in an increasingly burdened

fraud department, you could argue that it is incredible we manage

to stop fraud the way we do. So how do we tackle this imbalance?


About Mark Goldspink : Mark has spent 25 years in general management roles. Mark joined ai Corporation (ai) in 2013 to work with Ashley Head on developing and expanding a whole series of inter-related payment businesses globally, but with main focus on ai.

About ai Corporation: ai provides fraud prevention solutions to some of the world’s largest financial institutions, merchants and PSPs. Our unique self-service solutions, including our new ‘state-of-the-art neural technology, protect and enrich payments experiences for more than 100 banks, 3 million multichannel merchants monitoring over 20 billion transactions a year.

www.aicorporation.com

Mark Goldspink Chief Executive Officerai Corporation

With the 2015 launch of ai’s neural modelling and automated rule

set engines, we believe they were right.

ai is very proud of our technical relationship with one of the world’s

leading academic institution who is helping us provide “state of

the art” machine learning solutions. Over the past 2 years we have

invested over 40% of revenues into research and development.

At ai, we believe some jobs are best done by machines, leaving

creative decisions to humans. Therefore, our tools have been

designed to complement business teams, automating many of the

repetitive activities and allowing our customers to focus on the

more complex issues.

Scientifically provenThere is undeniable evidence through peer-reviewed studies that

external influences cause human decision-making to change

during the day, leading to intraday inconsistencies. Isn’t it human

nature to think about the weekend and evening events rather than

maintain complete focus through a work shift? For fraud teams,

such distraction could result in serious financial repercussions, but

is entirely foreseeable and indeed natural for humans to become

distracted like this, more so when working in an increasingly

complex payments environment.

The questions you should perhaps be asking are: could your fraud

team or fraud service provider be suffering from decision fatigue

and if so, how can you counter this?

http://www.aicorporation.com

http://www.aicorporation.com


The Future is Mobile

CyberSource

The data available from mobile devices is different from non-

mobile devices, and even differs via type of mobile device.

For example, Apple devices provide a more diluted device

fingerprint than Android due to the ‘locked down’ nature of

Apples OS.

The detection tools used in fraud management may not change,

but the importance of them may vary, depending on the information

available via different devices.

All the differences in behaviour, data and tools require a set of rules

specifically for the mobile channel, and a channel specific mobile

fraud strategy. The rules created at first will no doubt depend on

the data that you can capture, the behavioural patterns and fraud

trends that are understood to be relevant by your business, and the

level of sophistication that suits your organisation’s requirements

and risk profile.

Managing mCommerce Fraud Risk – A Framework for Action

The framework above provides a process-based approach to work through the differences between mCommerce and eCommerce for fraud management. Working through the process step by step can help you understand the implications of the mobile channel for fraud management, and equip you to decide on the best course of action for your organisation.

When I talk to businesses about their ambitions for digital

commerce growth, one of the key messages I consistently hear is

that the future is mobile. Whatever the size or industry, businesses

understandably want to take advantage of the continuing growth of

smartphone and tablet penetration, and their use by consumers to

purchase goods and services.

Whilst most businesses appreciate the need to tailor their ecommerce

experience and user interface for mobile websites and apps, many

are not tailoring their fraud management strategy in the same way.

The latest CyberSource fraud survey reports that 45% of survey

respondents cite the ‘inability to accurately measure fraud rates

by sales channels (causing operational efficiencies)’ as one of the

fraud challenges of greatest concern (CyberSource 2015 UK Fraud

Report Series: Part 1 – The World of Mobile Fraud). Which is not

surprising when the following findings are also reported:

- 43% of respondents track fraud from mobile commerce channels

- 89% of those who do track mobile orders, use the same fraud

tools as used to screen ecommerce orders

When businesses don’t track or adapt their fraud strategies to the

mobile channel, they can become vulnerable in two ways risking

higher rates of fraud coming via the mobile channel, or they risk

blocking orders from genuine customers. The last thing needed in

trying to grow the mobile channel is that customers may have a less

than ideal experience.

mCommerce fraud strategyWhile there are many similarities between eCommerce and

mCommerce, there is a number of important differences particularly

relevant for fraud management:

Consumer behaviour is different on a mobile device than on a

normal PC (laptop or desktop) with purchases being made at

different times of the day and the type of purchases made: thus,

rules designed for traditional eCommerce purchases may flag

mobile behaviour as anomalous.


About Neil Caldwell: Neil Caldwell, VP of European Sales, is responsible for spearheading the expansion of CyberSource’s European business and overseeing the sales and account management functions within the company. An accomplished and dynamic sales leader, Neil’s background has given him outstanding expertise in financial services and eCommerce payments.

About CyberSource: CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. CyberSource operates in Europe under agreement with Visa Europe.

www.cybersource.co.uk

Neil CaldwellVice President European SalesCyberSource

For those just starting out with a fraud management strategy,

I recommend three simple steps to help get started:

- Start tracking mobile transactions. Measuring mobile chargebacks,

rejection and review rates will enable informed decisions to be

made about when and how to act.

- Create a distinct mobile profile, even if at first the rules applied

are an exact copy of existing ecommerce rules.

- Start capturing the device type and operating system, even if no

rules are immediately implemented based on the differences in

fraud pressure between the devices.

You can’t manage what you can’t measureThe mobile space is relatively new and, as it grows and matures,

fraudster strategies and exploits are likely to evolve. Consumer

behaviours and purchasing patterns are likely to continue to change.

So, in my opinion, it is important to monitor, measure, analyse and

fine-tune fraud management strategies, more than established

channels.

Fraudsters will move between channels as they try to exploit both

eCommerce and mCommerce. As important as it is to segment

these channels, it is equally as important to be able to integrate

them for analysis and to spot activity and patterns in one channel

that affect actions in another.

In my experience, businesses that actively manage mobile fraud can

achieve fraud rates similar to rates achieved on other channels, and

for those experiencing above average rates, it is usually a sign that a

mobile-specific fraud strategy either is not in place, or needs to be

fine-tuned.

The ability to understand how consumer behaviour differs on mobile

devices; to capture the data that is relevant to the mobile channel

and implement appropriate fraud management tools and rules; to

track and analyse mcommerce chargeback, rejection and review

rates and fine tune your mobile strategy in response – all have clear

implications for the experience that both customers and fraudsters

have when they interact with you through your mobile channel.

http://www.cybersource.co.uk

http://www.cybersource.co.uk


360-Degrees Fraud Management: Securing the Customer Journey

Innopay

Don’t get me wrong: we desperately need these experts, today

more than ever! However, just as we would do not rely exclusively

on the finance department to be profitable, we cannot expect the

risk-, security, or fraud department to, by themselves, keep our

customers’ data and money safe, especially not from within the

‘second line’. How then do we close this gap?

It starts with an integrated, customer centric viewAt Innopay we use a three-tiered approach called “360-degrees

fraud management” which consists of a comprehensive set of

tools enabling organisations to come to grips with the wicked-

problem that fraud is. Below you will find a primer.

Tier 1: Mission controlIt is important to define clear roles and responsibilities that are

as integrated with ‘regular’ governance as possible to avoid

unnecessary cost and preserve organisational agility.

Proper orchestration will allow the organisation to take action when

a new M.O. (modus operandi or specific fraud pattern) emerges,

before fraudsters get a chance to ramp-up and/or branch-out their

operation. It will also help the organisation identify consolidation

opportunities for fraud measures, which is important given the

ongoing commoditization of available solutions.

Tier 2: Customer journeyThe customer journey is at the heart of the approach, because

ultimately this is what the organisation is all about: providing

convenient, secure and cost effective service to their customers.

It is paramount that we strike the right balance and make sure that

the most convenient options are secure. There is nothing like a

burdensome security measure to make customers look for easier,

and often less secure alternatives, sometimes at the competition.

Customer authentication (during login and transaction signing) and

fraud detection are the key ingredients of this defence layer. Today

we see new technologies being implemented such as mobile centric

authentication, fingerprint-, behavioural- and voice recognition

resulting in an easier and truly omnichannel customer experience if

and when properly designed.

When asked in the 1930s why he robbed banks Willie ‘Slick’ Sutton

replied: “because that’s where the money is”. Sure, banking has

since then largely moved online, and so have criminals. However,

what was true then remains as true today: criminals target financial

institutions because that’s where the money is. As a result, both the

top- and bottom line suffer.

Fraud: an inevitable surpriseWe know that at some point we will be confronted with fraud,

we just don’t know exactly when and in which form. We are in a

constant balancing act between customer convenience, fraud

control and cost containment.

The top line suffers as customer journeys are cut short for being

overly burdensome because of security measures. Think of

prospects having to come to the branch, or getting stuck in paper

heavy processes during onboarding, hampering conversion rates.

The bottom line hurts because implementing and maintaining anti-

fraud measures can have serious (opportunity) costs that come on

top of actual fraud loss- and repair cost.

Fundamentally, fraud is a business issue so let’s treat it as as such So, why is it that something with as much impact on both the

organisation and its customers as fraud is often treated like an

afterthought, and is still frequently offloaded to risk managers,

security officers and fraud advisors outside the primary process?


About Hugo Löwinger: Hugo Löwinger brings over a decade of experience in business driven fraud and authentication strategy at large financial institutions. Hugo leads the digital identity practice at Innopay and previously fulfilled strategic positions at a.o. ING Bank and Capgemini Consulting.

About Innopay: Innopay is an independent consulting company, specialised in online payments, digital identity and e-business. We help our clients, including financial institutions, governments and corporates, develop the compelling strategies and digital services for consumers and companies that are key for successful competition in a rapidly digitising world.

www.innopay.com

Hugo LöwingerDigital Identity & Fraud ManagementInnopay

Tier 3: Knowledge position Last but certainly not least is the knowledge position of the organisation

which is essential in taking well informed decisions and action.

Many organisations are exchanging fraud intelligence, both quid-

pro-quo and commercially. This intelligence ranges from stolen

credentials (e.g. usernames, passwords) retrieved from underground

forums, to suspicious IP addresses, skimmed cards and sometimes

even alerts from risk engines.

Not only should knowledge be shared with peers. It is also important

we do not shun our customers out of fear of spooking them. As a

result of high profile fraud incidents and security breaches, customers

are much more aware of potential risks. We should acknowledge

their concern by providing them with actionable information.

When applied the right way, knowledge can be a true multiplier of

defence effectiveness.

Putting it all together: a 360-degree approach to business driven defence-in-depth fraud managementTo meet customer expectations in a secure manner, organisations

make fraud management a natural part of the design, continuous

development and management of their customer journeys. This takes

tools and methods that business owners feel comfortable applying

and is exactly where the 360-degrees approach can help.

When asked: “why is fraud managed driven from within the business”

at Innopay we reply: “because that’s where the solutions are”!

http://www.innopay.com

http://www.innopay.com


E-ID: Fraud and Risk Prevention in Cross-border Ecommerce

Ecommerce Europe

e-ID as a solutionFortunately, in order to improve data protection and to increase

convenience and consumer trust, many Member States are

currently working on (or already working with) national e-ID

schemes. Interoperable online identities verified directly by the

government, or indirectly by other trusted parties, will help reduce

risks of cybercrime and (payment) fraud. e-ID can guarantee the

unambiguous identification of a consumer and enables effective

age verification for age-dependent services (such as online

gambling) or certain product markets (such as alcohol, tobacco

and medication).

Especially with regard to payments, e-identification brings great

opportunities to solve problems caused by complicated check-

out processes. By reusing formerly verified information, delivery

and payment preferences, the checkout solution can be simplified,

which adds much to the seamless shopping experience of the

consumer. At the same time, this so-called one-click-buy solution

guarantees maximum reach and conversion at fair cost for

merchants and consumers.

Cross-border ecommerceThe growth rate of the European B2C ecommerce sector reached

double digits in 2014. However, the full potential of the European

ecommerce market has not been achieved yet. Currently, only

15% of consumers shop online from another EU country. In order

to stimulate cross-border ecommerce, European stakeholders

should work together in removing remaining barriers.

Ecommerce Europe believes interoperable e-identification is a

precondition to unlock the potential of cross-border ecommerce.

In the online payments sphere, fraud is believed to be one of the

main barriers, with identity theft as one of the fastest growing

crimes. e-ID solutions enable the prevention of fraud and identity

theft, and stimulate the development of consumer trust and

convenience. The e-ID landscape develops quickly. However,

for interoperable e-identification to evolve, hurdles should be

overcome.

Barriers for cross border ecommerceAs a recent survey by Experian shows, most of organisations

(78%) across Europe, the Middle East and Africa consider online

fraud the biggest challenge at the moment. In particular, identity

theft, which is currently a major issue for 24% of businesses in

EMEA, is expected to double in the next five years and become

a serious concern for 48% of businesses. Ecommerce Europe

believes that the main reason for this problem is the lack of safe,

reusable and interoperable e-identities. This deficiency forces

online services providers to each provide their own consumer

registration and login solutions. Within the variety of solutions,

safe and secure digital interactions between businesses and

consumers are not always guaranteed.

In June 2015, Ecommerce Europe published the outcome of

the survey “Barriers to Growth” in ecommerce. Consumer

identification was specifically mentioned as a concrete example

when it came to barriers linked to online payments. The absence

of reusable e-identities proved to be a barrier for merchants who

wanted to participate in cross-border ecommerce.

http://www.thepaypers.com/digital-identity-security-online-fraud/78-percent-of-businesses-across-emea-consider-online-fraud-as-the-biggest-challenge/760696-26

http://www.ecommerce-europe.eu/public-affairs/survey-barriers-to-growth


About Elaine Oldhoff: Elaine Oldhoff works as a policy advisor for the Dutch association for online stores Thuiswinkel.org. She is a member of the e-Regulations Committee and the e-Payments Committee of Ecommerce Europe. On a daily basis she focusses on the potential of e-identification for the digital economy.

About Ecommerce Europe: Ecommerce Europe is the association representing around 25,000 companies selling products and/or services online to consumers in Europe. Ecommerce Europe offers to be a one-stop-shop for the European Institutions for all ecommerce related issues. Ecommerce Europe can be consulted on market research and data, policy questions and in-depth country knowledge.

www.ecommerce-europe.eu

Elaine OldhoffPolicy AdvisorThuiswinkel.org

eIDAS Regulation: interoperability on its wayIn order to fully benefit from e-ID opportunities, interoperability

between e-ID schemes in different Member States should be

stimulated. The recently adopted eIDAS Regulation requires

Member States to recognise each other’s e-ID means; if under its

national law or administrative practice, it is required to access a

public service. This applies as long as the means is issued under

an electronic identification scheme that is notified to and included

in the list published by the European Commission.

The effort done by the Commission in drafting the eIDAS regulation

looks like a step in the right direction. The interoperability of national

electronic identification schemes across borders is however still in

its infancy. Ecommerce Europe believes that the eIDAS regulation

lacks the obligation for Member States to notify their national

schemes to the European Commission.

Ecommerce Europe calls upon national governments to notify

their national schemes to the European Commission in order

to enable an interoperable e-ID landscape throughout Europe.

An interoperable e-ID will be a driver for innovation and, eventually,

will reduce cybercrime and fraud risk. To continue the growth rate

of B2C ecommerce, consumer trust should be reinforced.

http://www.ecommerce-europe.eu

http://www.ecommerce-europe.eu

The Global Event for Payment/Identification/Mobility

y

www.cartes.com

Nov. 2015 17 19 HALLS 3 & 4

P a r i s N o r dV i l l ep in te France

BECOMES

Register now on www.cartes.com

tco

mm

ete

rre

.co

m

ANNONCE PRESSE-changement de nom-210x297 5mmFP exe.indd 1 07/07/15 11:23

http://www.cartes.com/

REGULATION, PRIVACY AND DATA PROTECTION


Security of Internet Payments: the EBA Two-Step Approach

The European Payments Council

In response to the consultation, the EPC recommended a third

option (called ‘option c’): a scenario whereby the EBA guidelines

would be issued only after the entry into force of PSD2 and the

publication of the regulatory technical standards as mandated by

PSD2, following a consultation of the market and safeguarding an

adequate timeframe for implementation.

If the EBA were to not accept the recommended ‘option c’, the EPC

had a preference for ‘option a’, i.e. the two-step approach.

The EPC also pointed out that, in the last two decades, many

security solutions were implemented, only to have been rendered

obsolete and be replaced by safer solutions as technology

evolved. Therefore, stakeholders are permanently in search of

solutions that master the subtle balance between security and

user convenience. Since 2010, new threats have appeared,

authentication solutions have evolved and the preferred platform

for internet payments has changed from PCs to mobile devices.

This field of expertise is highly dynamic. The EPC, therefore,

suggested that new developments (e.g. tokenization, risk-based

authentication) should be taken into account when finalising the

guidelines.

Finalised EBA guidelines on the security of internet paymentsThe finalised guidelines, published by the EBA in December 2014,

set the minimum security requirements that Payment Service

Providers (PSPs) in the EU were expected to implement. The EBA

retained the two-step approach whereby the guidelines, which

were implemented on 1 August 2015, will be replaced at a later

stage by more stringent requirements necessary under the PSD2.

The EBA therefore concluded that a delay in the implementation

of the guidelines until the transposition of the PSD2 in 2017/2018

would not be feasible in view of the continuously high and growing

levels of fraud in the domain of internet payments.

The European Banking Authority (EBA), as part of its mission to

ensure effective, consistent and prudential regulation, as well

as supervision across the European banking sector, drafted

implementation guidelines on the security of internet payments in

2014. The guidelines were based on the recommendations issued

in January 2013 by the European Forum on the Security of Retail

Payments (SecuRe Pay) for the security of internet payments.

The EBA consulted the payment stakeholder community on those

guidelines in late 2014. Due to the fact that the finalised EBA

implementation guidelines would apply prior to the entry into force

of the revised Payment Services Directive 2 (PSD2), the European

Payments Council (EPC) suggested an alternative approach.

The EBA, however, decided that the implementation guidelines

would come into force on 1 August 2015 and, then, stronger

requirements would emerge at a later date under the PSD2.

The EPC is now looking forward to the EBA’s consultative process

on the updated security requirements of internet payments, which

should meet the more stringent principles of the PSD2.

The 2014 EBA consultation on implementation guidelines for internet payments and the EPC responseDuring the consultation process, the EBA focused specifically on

implementation rather than the substance of the requirements as

the negotiations of the PSD2 could have affected them. The EBA

issued these guidelines to ensure consistent regulation across

the European Union (EU) and provide legal certainty for market

participants.

The consultation on these guidelines asked the question: “Do you

prefer for the EBA guidelines to:

a) Enter into force, as consulted on 1 August 2015 with the

substance set out in this consultation paper, which means

they would apply during a transitional period until stronger

requirements enter into force at a later date under PSD2

(‘option a’)

b) Anticipate these stronger PSD2 requirements and include

them in the final guidelines under PSD1 that enter into force on

1 August 2015, the substance of which would then continue to

apply under PSD2” (‘option b’)?


About Javier Santamaría: Javier Santamaría is the Chair of the EPC and a Senior Vice President with Banco Santander. He is a member of the Board of the Euro Banking Association, a Director of the SWIFT Board and Chair of the Iberpay Board.

About The European Payments Council: The European Payments Council is an international not-for-profit association, representing payment service providers, which aims to support and promote European payments integration and development, notably the Single Euro Payments Area (SEPA), through the development and management of pan-European payment schemes and the formulation of positions on European payment issues.

www.europeanpaymentscouncil.eu

Javier SantamaríaChairThe European Payments Council

Some countries announced they were unable to comply with the EBA guidelinesThe EBA guidelines are based on a 'comply or explain' principle:

national competent authorities need to inform the EBA about

whether they will be able to comply and, if not, they are asked

to provide an explanation. The majority of the national competent

authorities advised that they would comply or intend to comply

with the EBA guidelines on the security of internet payments.

However, the UK, Slovakia, Estonia and Iceland communicated

that they are unable to, while Cyprus and Sweden will partially

comply.

Towards more stringent EBA guidelines compliant with the PSD2A key question covered in the PSD2, though with certain ambiguities,

is the authentication of the payment service user. To this end, the

EBA is tasked with developing and drafting regulatory technical

standards on strong customer authentication, which should be

submitted to the European Commission within 12 months of the

PSD2 entering into force, i.e. by the end of 2016.

In this context, the EPC strongly advises against the possibility

for third-party PSPs to use the personal security credentials of

the customer to get access to its account. The EPC reiterates

that personalised security credentials should not be shared with

third parties and hopes that the EBA will take this concern into

consideration.

The EPC, furthermore, looks forward to the EBA’s consultative

process in this area and the opportunity it will provide to contribute

to achieving secure and convenient internet payments, as well as

technological neutrality.

http://www.europeanpaymentscouncil.eu

http://www.europeanpaymentscouncil.eu

https://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-12+Compliance+Table-GL+security+of+internet+payments.pdf/34be3c3e-5521-4036-9805-3ee97162c4db


How EMV Will Change Online Business in the US

CardinalCommerce

Historically, in other regions, as EMV cards have been rolled out,

POS-related fraud, as would be expected, went down. CNP fraud,

however, skyrocketed. In the UK, online fraud jumped from GBP

45 million the year before the cards were introduced to GBP 181.7

million five years later. Experts expect the same to happen in the

US. To combat the threat of CNP fraud, the use of 3D Secure was

mandated in other regions, and merchants implemented protocols

like Verified by Visa, MasterCard Secure Code, American Express

SafeKey, and others. As a result, CNP fraud in those areas has

decreased, but has recently started to rise in the US.

How can online merchants protect themselves?To thwart the influx of online fraud, many ecommerce merchants

have dialed up their fraud tools. This helps control the increasing

levels of fraud, but also creates false positives, such as transactions

that the fraud tool flags as potential threats and the merchant

declines what are actually good orders. This is almost as harmful to

a merchant as the fraud attack itself because it results in lost sales

and potential insults to good consumers.

This puts online merchants in a difficult spot. Because EMV cards

cannot be used for in-person fraud, the fraudsters look for the path

of least resistance, the CNP world. But there is a way to prevent

fraud. Cardinal Consumer Authentication (CCA) protects online

transactions the way EMV cards prevent fraud at the cash register.

CCA’s patented technology works with the 3D Secure protocols to

authenticate transactions with the card-issuing bank during online

transactions. Our more than 15 years of experience in protecting

CNP transactions benefits merchants. And, by combining CCA

with a fraud tool, merchants can increase their good orders by up

to 15% vs using a fraud tool alone.

Its rules-based approach gives merchants choice in how each

transaction is authenticated, and control over the amount of

consumer friction during checkout. In some cases, where a

merchant has high ticket items (like fine jewelry or travel) or SKUs

that have a history of fraud, introducing friction into the checkout

experience in the form of a challenge can be what the merchant

intends. The authentication rules allow merchants to balance the

risk of the transaction with the consumer experience.

Everyone in the payments ecosystem is talking about EMV and the

October 2015 deadline for liability shift in the US. For merchants

who have installed the EMV card readers in their brick-and-mortar

locations, this means that they will not be liable for fraud at the

point-of-sale terminal (or point-of-sale fraud). But, for omnichannel

and online merchants, how will the use of EMV cards impact their

ecommerce fraud level?

Many banks and retailers in the US are now using the EMV system

because of recent data breaches. Long used in Europe and other

regions, this system uses credit cards with an embedded chip, thus

requiring new POS readers on the merchant side. The chip makes

cards more difficult to counterfeit for in-person use. This new

system, though expensive to implement for both merchants and

banks, will make POS transactions much more secure. However,

it also introduces the threat of fraud in card-not-present (CNP

transactions) because the chip provides no benefit when the card

is not present.

History of EMVEMV is not a new technology, even though it is ‘news’ in the US.

Introduced in the ‘90s, EMV has almost completely replaced the

magnetic stripe cards in Europe, and is in wide use in Asia, South

America, Canada and Mexico. The US, the last major holdout, is

converting now, with a recent liability shift deadline in October 2015.

One of the major benefits of EMV cards is around how the chip

works. Each time the card is used in person, the chip creates a

unique transaction code that cannot be re-used. Therefore, if a card

number is stolen in a breach, and a counterfeit card created, the

stolen number and transaction code would not be usable and any

fraudulent attempts at point-of sale would be denied. This is also

a drawback because the chip is not ‘read’ for a CNP transaction,

whereas a stolen EMV card number can be – and increasingly are –

used to make fraudulent CNP transactions.


About Michael Roche: Michael Roche is the VP of Consumer Authentication and focuses on improving current products and shaping new product development, as well as developing and strengthening relationships with enterprise partners in order to provide them with ecommerce solutions tailored to their needs.

About CardinalCommerce: CardinalCommerce is the pioneer and global leader in enabling authenticated payment transactions in the card-not-present payments industry, and the largest authentication network in the world. Through One Connection to the proprietary Cardinal SafeCloud, we enable friction-free, technology-neutral authentication and alternative payment services (including digital wallets and mobile commerce services).

www.cardinalcommerce.com

Michael RocheVP of Consumer AuthenticationCardinalCommerce

Passive authentication happens behind the scenes, with no friction

during checkout for the consumer, using things the merchant

and the issuer know about the cardholder - like IP address,

device identification, buying patterns, or any other data point the

merchant collects.

Consumer Authentication has other benefits for online and mobile

transactions. Merchants usually benefit from increased sales,

liability shift on chargebacks, less manual review and potential

interchange fee savings. Merchants see a sales increase with

a Consumer Authentication solution because there are fewer

‘false positives’ that might ordinarily be declined, internally and

externally. Merchants also enjoy a liability shift with fraudulent

chargebacks on Cardinal Consumer Authentication transactions

because the issuing banks take on the risk if any transactions

result in fraud.

To wrap up, EMV’s rollout in the US is a good thing for brick-

and-mortar merchants, but will open up opportunity for fraud for

CNP merchants. Online merchants in the US should be aware of

the shift from fraud at POS to CNP fraud due to EMV, and protect

their online business with the 3D Secure protocols (like MasterCard

SecureCode, Verified by Visa and others), as well as take advantage

of the liability shift on authenticated transactions and potential

savings on interchange and manual review.

http://www.cardinalcommerce.com

http://www.cardinalcommerce.com


Doing Business in Europe? Mandatory Data Protection Compliance in Every Single Country

time.lex

2. How to transfer data from Europe to the USIn the Schrems case, the Court of Justice of the European Union

found that the existence of the European Commission Decision

about the so-called 'Safe Harbour' arrangement with the US did

not prevent a national data protection authority from investigating

individual complaints relating to the transfer of personal data to

the US. The CJEU found the Safe Harbour Decision to be invalid.

The so-called Article 29 Working Party, the body of representatives

which includes representatives from the European Member States'

data protection authorities, as well as representatives from

the European Commission and the European Data Protection

Supervisor, clarified a number of consequences that derived

from the decision in the Schrems case. Meanwhile, the European

Commission issued a communication on 6 November 2015 as

well, with a practical guidance.

What are the practical consequences for (ecommerce) merchants in

Europe, cloud computing providers, or social media platforms etc.?

No transfer to the US may be based solely on the invalidated

regime. This means that you can only transfer data to the US using

the means still allowed. Transfers are only allowed if you:

• Make use of the Model Contractual Clauses issued by the European

Commission and properly notified to the local data protection

authority (in Belgium there is the Privacy commission);

• Make use of Binding Corporate Rules issued as outlined in the

templates drafted by the Article 29 Working Party and again

properly notified to the local authorities;

• There are also exceptions - such as transfer based on consent -

but this can only be used in exceptional circumstances and not

for systematic transfers to the US.

• In some EU member states you can make use of your own ad

hoc contractual provisions or binding corporate rules which

have been properly notified and/or approved according to local

legislation;

A lot has been written about two recent court cases related

to Facebook. The first one is the case of the Austrian student

Maximilian Schrems against the Data Protection Commissioner

(European Court of Justice, case C-362/14, of 6 October 2015),

finding the Safe Harbour arrangement invalid for the transfer of

personal data from Europe to the US. The second case is the

one by the Belgian privacy commission against Facebook of

9 November 2015 in Brussels. But what is the impact for cross-

border ecommerce business in the European Union? Here are

three takeaways for every company doing business in Europe,

from merchants selling goods or services online in Europe to cloud

computing providers, social media platforms and many others.

1. Comply in every single country, or else …The first clear message from both court cases is that data

protection and privacy compliance must be taken seriously,

especially when personal data is transferred outside the European

Union. Ensuring cross-border compliance with data protection

law has become a top priority for data protection authorities and

courts all over Europe.

A much-debated issue in the Brussels court was the territorial

application of the national data protection legislation and the

international jurisdiction of the local courts. Facebook argued

that, because Facebook’s European headquarters are in Ireland,

only the Irish data protection legislation apply and that only the

Irish courts have jurisdiction. The Brussels court disagreed.

All international companies with several establishments in the EU

must comply with national data privacy laws, and not just with

the law of the company’s main European establishment, which

was recently confirmed by the CJEU in its Weltimmo judgement

(C-230/14). The same goes for companies without any EU

establishments, but which make use of so-called 'equipment'

located on the territory of several EU member states. Such

companies will be subject to the regulatory regime of multiple

national data protection authorities.


About Edwin Jacobs: Edwin Jacobs is a partner at time.lex and a lecturer at the University of Leuven and Antwerp.

[email protected]

About time.lex: time.lex is a law firm specialised in fintech, information and technology law in the broadest sense, including privacy protection, data and information management, e-business, intel lectual property, onl ine media and telecommunications.

www.timelex.eu

Edwin JacobsPartnertime.lex

Note that the Article 29 Working Party has indicated that, for now,

the model contractual clauses or the binding corporate rules

are still accepted but that they too may be re-evaluated in 2016

if no progress has been made on a political level to come to an

acceptable and valid regime for data transfers between the US

and the EU. Meanwhile, a new Safe Harbour regime between the

US and the EU is expected early 2016. Any new Safe Harbour

agreement should include obligations on the necessary oversight

of access by public authorities, transparency, proportionality and

redress. A new Safe Harbour agreement will probably not mean

that the national data protection authorities will suddenly back

down.

3. Using social media plug-ins on your company website?

The owner of a website must properly inform its website visitors of

the kind of information he is collecting, the purposes for which it

is used, the types of cookies, the social media plug-ins he is using

and the duration of storage of the cookie or plug-in on the surfer’s

computer. But that is not all. Before activating some types of

cookies and plug-ins, the surfer’s prior express consent is needed.

Even the mere collection of your visitors’ IP address by using

cookies or social plugins is already considered as processing of

personal data.

mailto:edwin.jacobs%40timelex.eu?subject=

http://www.timelex.eu

http://www.timelex.eu


Will EMV Eliminate Card Fraud in the US?

Smart Payment Association

And at least one of the authenticators must be ‘dynamic’; which

is to say it must be unique by payment transaction, and the

authenticators must be independent from a security perspective.

Translating experience to the USWhat we, at the SPA, find most striking and most encouraging

about the PSD2 is its global nature. Its objectives and its principles

can be considered of universal importance when seeking to

combat CNP fraud. The principles laid out in the PSD2 are not

constrained by geography or specific regulatory environment and,

thus, offer a hugely exciting opportunity for global standardisation.

Certainly, the outlined principles are entirely consistent with the

Criteria Discussion Draft document for a better payment system

released by the Federal Reserve-backed US Faster Payments

Task Force.

The EMVCo’s announcement that, in 2016, its EMV 3DS 2.0

specification will be published alongside corresponding testing

and approval processes, points to a growing desire for global

transparency and constitutes a major step forward.

Multi-functional benefits of EMV payment cardsWhile PSD2 is technology agnostic, it seems logical that today’s

multi-functional card technologies offer a powerful balance of

assurance and convenience to satisfy both regulatory objective

and consumer demand.

EMV chip and pin cards often support functions such as one-

time-password (OTP) generator, on-card displays or the possibility

to use the EMV card with a card reader connected to a personal

computer, for example.

These functionalities allow providers to provide, and users to

use, the “strong authentication”, now defined in law - generating

dynamic proof that both the legitimate card and the legitimate user

are present during the CNP transaction.

Does the end of ‘swipe and sign’ means the end of card payment

fraud in the US? It is a simple question. And the answer is simple

too: No.

The case for EMV adoption is beyond doubt. Countries with

completed EMV implementations have registered significantly

lower rates for card fraud. In 2012, for example, the card fraud

loss ratio across the European Union stood at 0.038%. In a pre-

EMV US, the figure was over two and a half times higher, reaching

more than 1%.

But, as we see, even in mature EMV markets fraud does not

disappear. It just moves online. Card-Not-Present (CNP) fraud is

nothing new, of course. Back in 2007, France’s Observatory for

Payment Card Security estimated that half of all card payment

fraud was committed without the card being present. Currently,

this figure exceeds some 70%. Therefore, the following question

arises: “what to do about CNP fraud in the broader context of EMV

implementation in the US and supporting programmes across the

world?”

Addressing CNP fraud in SEPACertainly, the European SEPA region (among others) has taken

steps to address the problems of CNP fraud - albeit with differing

levels of success. And, while CNP authentication exists, there are

few commonly adopted authentication methods that mirror the

integrity of a face-to-face POS transaction.

The European Payment Service Directive (PSD2), approved in

October 2015 by the European Parliament, is set out to change

all this by providing a European Regulatory framework for retail

payments and introducing a range of provisions designed to

tackle CNP fraud.

In particular, the PSD2 provides a legal definition for strong

authentication. It is the first time this has happened and is, therefore,

of great significance. According to the definition, a secure payment

process must include at least two out of the three classical

authentication mechanisms (something you have, something you

know, something you are).


About Nicolas Raffin: Nicolas Raffin is President of the Smart payment Association (SPA) and Head of Strategic Marketing, Payments at Oberthur Technologies. Nicolas started his career with numeric photo group PhotoMe as product manager. He holds a Master in Marketing and a MSc in Technology & Innovation Management.

About Smart Payment Association: The Smart Payment Association addresses the challenges of the evolving payment ecosystem, offering leadership and expert guidance to help its members and their financial institution customers realize the opportunities of smart, secure and personalised payment systems & services both now and for the future.

www.smartpaymentassociation.com

NicolasRaffinPresidentSmart Payment Association

Global answers to the CNP questionSo, if a new generation of EMV cards can offer a much more secure

CNP environment, the US’ move in this direction will potentially be

significant in addressing both card-present and card not present

fraud. And it’s also an exciting opportunity to address CNP security

on a global level.

With such high levels of consistency between US and EU objectives,

harmonising regulatory approaches will certainly create a more

secure ecommerce environment.

Indeed, by sharing experiences and best practice, and delivering

that consistent global approach, we can accelerate the adoption

of appropriate CNP protections by merchants and banks across

the world.

And, while it’s impossible to entirely eliminate card payment fraud, a

global collaboration around a set of shared principles seems a logical

place to begin.

For our part, having already contributed to the European Banking

Authority’s (EBA) public consultations on secure ecommerce, the

SPA will continue to advocate a comprehensive set of security

rules for CNP based on the aforementioned seven principles as

PSD2 moves into its next phase of life.

Not only will we continue to work with the wider card payment

industry, but also with standards bodies and regulators to help

deliver on the promise of a global approach to protecting online

payments.

http://www.smartpaymentassociation.com

http://www.smartpaymentassociation.com

DON'T MISS THE OPPORTUNITY OF BEING PART OF LARGE-SCALE PAYMENTS INDUSTRY OVERVIEW

The Paypers offers the most valuable source of information and guidance for all parties interested in the current state of affairs of the payments industry

Paul Alfing, Chairman e-Payments Committee, Ecommerce Europe

Once a year, The Paypers releases three large-scale industry overviews covering the latest trends, developments, disruptive innovations and challenges that define the global online/mobile payments, e-invoicing, B2B payments, ecommerce and web fraud prevention & digital identity space. Industry consultants, policy makers, service providers, merchants from all over the world share their views and expertise on different key topics within the industry. Listings and advertorial options are also part of the Guides for the purpose of ensuring effective company exposure at a global level.

For the latest edition, please check the Reports section

ONLINE PAYMENTS:An all-in-one reference guide on (online) payments & ecommerce industry trends, evolving business models, top players and relevant (alternative) payment methods.

B2B PAYMENTS, SCF & E-INVOICING:Industry voices from the online finance space share insights into the dynamic B2B payment, e-invoicing, supply chain finance industries to support innovative solutions & thriving businesses.

WEB FRAUD PREVENTION, ONLINE SECURITY & DIGITAL IDENTITY:In-depth source of information highlighting key facts & trends into the global digital identity transactional and web fraud prevention & detection ecosystem.

http://www.thepaypers.com/reports





mailto:editor%40thepaypers.com?subject=

STRONGER CONSUMER AUTHENTICATION TO COMBAT ECOMMERCE FRAUD


Moving Beyond Passwords: Next Steps in Consumer Authentication

Wirecard AG

and simple to install, meaning that they can be integrated into

different payment channels, such as point-of-sale terminals or

ATMs. Therefore, they increase the recognition factor within the

context of financial transactions.

On account of their great potential, further biometric identification

measures are currently being discussed. For example, there is

heartbeat authentication, although it will admittedly take a while for

identification methods such as these to become reality, let alone

accepted. However, in the future, further ‘multi-modal’ means of

biometric identification are expected – that is to say, processes

which react to a combination of biometric sensors as a security

feature. These range from face and iris recognition to keystroke

dynamics.

New EU rules reduce online payment risk The European Banking Authority (EBA) has stated that online

merchants will require two mutually independent customer

identifiers before accepting payment in the future. Directives such

as the Secure Pay Directive (PSD II) demonstrate the European

Commission’s commitment to making cross-border payments

quicker and safer, while also reducing the risk to the end customer.

Linked to this is an effective method of combating data theft and

abuse. This is known as two-factor authentication.

This involves the user being asked for specific identifiers and the

combination of two different communication channels. For example,

a customer may be asked only for their card number and CVC code

online. Afterwards, via a second level of security, they receive a

one-time password or verification code delivered via SMS to their

smartphone, which they use to confirm the transaction.

Additional biometric identifiers, or the use of (hardware) tokens,

are also possible. Ensuring a simple and brief form of media

disruption is involved in the payment process that makes it much

harder for hackers to attack, without compromising its customer-

friendly nature.

The way in which consumers verify their identity is rapidly changing,

a development which is being driven forward by biometric data.

Consumers should probably not be too surprised if they soon

find themselves being addressed queries like: “Dear customer,

please turn on your webcam and have your ID at the ready. We will

shortly conduct a brief ID check”. This kind of procedure may, for

example, be introduced for opening an online account in order to

verify a customer’s identity, thereby making the personal signature

a thing of the past.

But what does this trend mean for customers, online merchants

and banks who, up until now, have traditionally used passwords

and signatures? Moreover, how safe are these new means of

identification?

The fact is that traditional passwords are increasingly being

supplemented by new means of authentication. One of the reasons

is that customer identification has become one of the most

important aspects of payment processing. In case of doubt, it offers

more effective protection against fraud than a credit check, as it will

rarely detect falsified customer identity. In contrast, modern means

of authentication are able to do this.

Increased importance assigned to biometric dataIt is for this exact reason that measures are being put in place.

The measures go further than conventional password authentication.

It is very likely that biometric data will become more important as a

result of the strong growth in the m-commerce market. Consulting

company Acuity Market Intelligence has recently stated that they

expect biometric data to be integrated in approximately 65% of all

m commerce transactions by 2020. Furthermore, a global study

conducted by Mobey Forum shows that 22% of banks already use

some form of biometric data for the purpose of authentication, while

a further 65% plan to introduce this type of service in the future.

Initial studies have shown, for example, that the use of fingerprint

sensors increases user friendliness. Thus, users can quickly use

the fingerprint recognition service on their smartphone to confirm

a mobile transaction. Scanners have now become relatively cheap


About Carlos Häuser: Carlos Häuser is Executive Vice President responsible for the Payment & Risk/Shared Services divisions at Wirecard AG. He is also Managing Director of Wirecard Technologies GmbH and, therefore, responsible for strategic development at the Munich-based payment processing firm.

About Wirecard AG: Wirecard AG is a global technology group that supports companies in accepting electronic payments from all sales channels. As a leading supplier, the Wirecard Group offers outsourcing and white label solutions for electronic payments. A global platform bundles international payment acceptances and methods with supplementary fraud prevention solutions. Wirecard AG is listed on the Frankfurt Securities Exchange.

www.wirecard.com

Carlos HäuserExecutive Vice PresidentWirecard AG

Further safety standards may increase acceptanceObviously, there are some critics who fear that surplus data will

be stored alongside the electronically captured personal, physical

and behavioural data. Additional information may relate to a

person’s character, their health or ethnic background.

This means that all users of biometric identification methods are

obliged not to pass on the respective data to any third-parties.

Confidential data must also be deleted immediately after it is

no longer relevant for its original, stipulated use. The European

Commission will therefore be required to issue directives aimed at

ensuring mass suitability of new security measures.

Biometric identification methods can increase the acceptance and

use of electronic payments such as mobile payments around the

world. The use of fingerprint sensors improves user-friendliness.

For example, a user can quickly enter information without the

need to remember a PIN, password or a swipe pattern. At the

same time, the function increases the customer’s sense of security

because a mobile payment can only be made once a fingerprint

reading has been approved. These are decisive factors in the

acceptance of all new electronic payment methods.

http://www.wirecard.com

http://www.wirecard.com


Tokenization: From Account Security to Digital Identity

Consult Hyperion

Then, they need to pass requests back to the schemes in order to

de-tokenize and have to pay for the privilege. Unsurprisingly, there

is a move to unbundle tokenization services so that such issuers

can tokenize their own cards using either in-house or non-scheme

outsourced TSPs.

Managing risk in a tokenized environmentTokenization improves bank account security because the fewer

places the real PAN is stored in, the less likely it is to be stolen.

The obvious downside of this is that the additional processes of

tokenizing and de-tokenizing add processing time and costs to

the issuing and authorisation processes. Perhaps the less obvious

downside is that tokenization moves the locus of attacks away

from retailers and onto the TSPs who hold the Token Vaults linking

PANs and Tokens. It is not hard to see how these organisations

will become attractive targets for organised crime.

Despite this, placing the security of PANs in the hands of a relatively

small number of specialist TSPs should improve the overall security

of the payments ecosystem. It also reduces the security burden on

retailers and mobile wallet providers who can concentrate on their

primary objective of satisfying the consumer.

Risk management is the current hole in tokenization solutions.

A token is not just a PAN, it is a PAN plus a set of domain controls

determining who and where it can be used. A token issued to a

retailer can only be used by that retailer, a token issued to a mobile

device can only be used from that device, a token issued for a

specific time period can only be used during that period, and so on.

More work is needed on these domain controls to refine and make

them properly usable and interoperable. Additionally, having the

same card tokenized to lots of different locations makes risk-

based transaction analysis difficult – someone’s behaviour when

using a physical card may be different to how they use a mobile

NFC device or an ecommerce website. These are all recognised

issues and are being worked on by standardisation groups and

vendors, but it serves to remind us that tokenization is still a work

in progress.

Tokenization, the process of replacing a card account number (PAN)

with an alias (token) which can only be used in defined domains, is

a technology that has been around for years. However, in a world

in which consumers can pay from multiple devices using the same

bank account, tokenization is now a core technology for payment

companies, rather than an esoteric sideline.

Simplifying the multi-device payment challengeIf consumers want to store their card details on a website to

simplify future payments, then their PAN can be sent to a Token

Service Provider (TSP) to generate and return a token. The retailer

stores the token and uses it when the consumer wants to transact

by sending the tokenized payment transaction to the TSP to

de-tokenize the token back to the PAN before it is passed onto the

issuer for authorisation. Because the merchant stores the token

and not the PAN and because the token can only be used on that

specific website, the impact of any data breach at the merchant is

vastly reduced.

Added to this mix is the use of tokens for mobile EMV payment

methods like Apple Pay and Android Pay. The rationale for using

tokens in the mobile EMV space is twofold: firstly, a stolen token

is of little use without the handset, which constitutes its domain of

use and, secondly, the issuer does not have to issue a new card

– they can simply create a token for an existing one and use the

same underlying bank account. Neatly, this allows mobile EMV

issuance to be done in real-time, because all that is being issued

is a tokenized replica of an already issued physical card – so KYC

and AML processes are already complete.

Currently, the most popular model of TSP deployment is within

the payment networks – for example, Visa and MasterCard have

developed their own tokenization services. For the schemes, this

has the advantage of driving traffic through their networks and it

offers a straightforward solution for issuers. It is less popular with

issuers who acquire their own transactions, bypassing the scheme

networks.


About Tim Richards: Tim Richards has over 25 years’ experience designing secure smart card solutions across payments, mobile, transit, identity, passport, healthcare and loyalty solutions covering both issuance and transaction processing.

About Consult Hyperion: Consult Hyperion is an independent consultancy. We hold a key position at the forefront of innovation and the future of transactions technology, identity and payments. We are globally recognised as thought leaders and experts in the areas of mobile, identity, contactless and NFC payments, EMV and ticketing.

www.chyp.com

Tim RichardsPrincipal ConsultantConsult Hyperion

Tokenizing identityTokenization offers issuers other opportunities. At the moment,

some merchants use PANs as a rudimentary form of digital

identity. However, because this ‘identity’ is linked directly to a bank

account, they risk exposing the cardholder details to attackers,

as seen in the Ashley Madison attack: a token does not carry the

same risk. As a token is linked to a bank account at the TSP, not

the retailer, and as most bank accounts require that the cardholder

has already undergone identity checks, a token can be used as a

form of digital identity. A token issued for this purpose, with the

appropriate domain controls in place, could then be authorised

by the issuer without compromising the security of the account.

So, ‘digital identity’ tokens could be used for age verification or

geographical location checking without revealing any underlying

details of the cardholder or the account.

In summary, tokenization increases account security with the

downside of increased costs which may not be able to be passed

onto merchants and cardholders. But, it also opens up new

business opportunities for issuers and, in a densely connected

digital environment, the value of these opportunities will vastly

outweigh the costs.

www.chyp.com

http://www.chyp.com


What is the mission of the Institute?Our mission is to promote the responsible use of biometrics in an

independent and impartial international organisation. I would like to

highlight a few of our achievements starting with the development

of a first Biometrics Privacy Code, which was approved by the

Australian Privacy Commissioner in 2006. It has now developed

into international privacy guidelines promoting best practices for

biometrics.

In 2008, we developed a Biometric Vulnerability Assessment

Methodology, which led us to setting up the Biometrics Institute

Vulnerability Assessment Expert Group (BVAEG) in 2010. It consists of

UK and German government representatives, as well as academics

from the US, Europe and Japan. The BVAEG has regular exchanges

to raise awareness about the need for vulnerability testing, to find a

common methodology and engage with the standards community

at the same time.

Biometr ic authent icat ion seems to become commonplace in the payments industry. Is the biometrics-based recognition system a friend or foe when it comes to privacy?If implemented responsibly, it is certainly a privacy enhancing

technology. Biometric authentication has the potential to ease

the burden of security given its simplicity and usability. All security

technologies have flaws, including PINs and passwords.

Under determined attack, none will guarantee absolute security.

Most biometrics are not ‘secret’ and should be used with a secure

second factor. Security relies not only on one factor but also on

combining them, such as relying on a PIN and fingerprint.

There are a number of technologies, both software and hardware,

which can be used to detect such spoofing attacks. When we

provide a biometric or other sensitive personal data, it does come

down to a question of trust and control. Governments are typically

required to put very robust trust models in place to ensure end-to-

end security is provided through government accredited networks,

compliance processes for privacy and record keeping legislation,

assurance mechanisms involving partnerships and processes

around access to data, for example. When some organisations

are involved, the end-to-end security and assurance just might

not exist – what happens with your face, your fingerprints in that

environment is potentially riskier and requires far more than just a

technology solution.

Another question is control and data retention. What happens to that

biometric? Who looks after it, at what point in time is it destroyed?

Should it be after a person leaves school or a particular job?

What processes exist for managing any compromise of identity data,

for re-establishing confidence in identity, for redress?

We have seen many successful implementations where biometrics

have helped transform identity management, privacy protection

and identity security like electronic passports facilitating a better

and more secure travel experience. Likewise, large-scale identity

management systems, such as the Indian Unique Identity (UID)

scheme, facilitate the delivery of government’s services to the poor

and marginalised. If we get the privacy and vulnerability issues

addressed and create trust and control for the consumer, I think

biometrics have a great future.

When it comes to wearable technologies and authentication, what are the implications of using personal biometric data as the virtual keys that unlock our very real lives? We are seeing biometrics appear more and more in everyday

life, as predicted by the Biometrics Institute survey in 2014 and

again 2015. Their use offers consumers great convenience and

increased security at the same time. We are seeing a growing

number of wearable devices and the use of fingerprint biometrics

on mobile devices.

Biometrics Institute

Biometric authentication has become commonplace in an array of fields, payments included. In this interview, the Biometrics Institute emphasizes on how biometrics could be a privacy enhancing technology, if implemented responsibly.

http://www.biometricsinstitute.org


About Isabelle Moeller: Isabelle is a biometrics expert instrumental in the growing network of The Biometrics Institute. She has played a key role in the establishment of independent and impartial international Biometrics Institute in particular through bringing together biometrics experts from around the world.

About Biometrics Institute: The Biometrics Institute is a not-for-profit membership organisation with offices in the UK and Australia. Since 2001 it has been promoting the responsible use of biometrics and providing an un-biased forum offering information, education and training on biometrics.

www.biometricsinstitute.org

Isabelle MoellerChief ExecutiveBiometrics Institute

Biometric authentication has the potential to ease the burden of security given its simplicity and usability

With a biometric on a wearable device, users are now able to

query that device and authenticate themselves as the user of

that device. If that device is stolen, that authentication does not

work. So, it provides that extra level of security which allows those

devices to be used securely, for payments purposes, for example.

The person gets identified more accurately and securely than with

PINs and passwords.

Do you know if there is any legislation and regulation in place to cover the privacy and security aspects of biometric technology?The public requires assurance that biometrics managers are giving

due consideration to privacy and data protection when they are

considering, designing, implementing and managing biometrics-

based projects. The Institute, for instance, has therefore developed

several best practice documents to help guide members along the

way, namely the Biometrics Institute Privacy Awareness Checklist

and Biometrics Privacy Guideline.

Different countries have different legislation. Australia, for example,

introduced new privacy principles in March 2014. Science and

Technology Committee of the UK government proposed

an open and public debate around the use of biometrics by the

Government to build trust in biometrics. The Committee released

its "Science and Technology - Sixth Report: Current and

future uses of biometric data and technologies".

The Biometrics Institute is also working on a proposal to create

a trustmark. The trustmark is aimed at giving consumers in the

private sector and users of government services access to personal

records and confidence in the responsible use of an identity product

or service that incorporates biometrics. This will give biometric

solutions providers and operators a tool to demonstrate that due

consideration has been given to privacy and trust during planning

and implementation.

http://www.biometricsinstitute.org

http://www.parliament.uk/business/committees/committees-a-z/commons-select/science-and-technology-committee/role/

http://www.parliament.uk/business/committees/committees-a-z/commons-select/science-and-technology-committee/role/

http://www.publications.parliament.uk/pa/cm201415/cmselect/cmsctech/734/73402.htm

http://www.publications.parliament.uk/pa/cm201415/cmselect/cmsctech/734/73402.htm


Bring Your Own Authentication: The Next Revolution against Web Fraud

Natural Security Alliance

But, the generalisation of biometrics is not restricted to simply

becoming a standard for unlocking telephones. It opens the world

of the telephone to proximity payments (Apple Pay, Samsung

Pay) and especially to in-app payments. Users can thus make a

transaction on their mobile phone without having to enter a card

number or password.

We are also witnessing the generalisation of Bring Your Own

Authentication (BYOA), following on from Bring Your Own Device.

These technologies and new approaches to ergonomics break

with the authentication systems traditionally provided by banks.

Up to now, they have provided technologies chosen by them: they

will now have to rely on third-party systems, without having full

visibility of performance. These new systems are opening the way

for new payment players (e.g. wallet, electronic cash, SEPA) by

offering a wider choice for the end user in terms of online payment.

However, many questions concerning implementation, openness

and evaluation have not been sufficiently addressed. A prime

example of the consequences can be seen in the recent disclosure

that the Android OS contains malware capable of potentially

stealing fingerprint data from devices, such as Samsung Galaxy

S5’s fingerprint reader, before they reach a secure processor. The

market is clearly waiting for certain key details to be fleshed out

before biometrics can really take off.

There is still work to be done on evaluating the different implemen-

tations for authenticating access to value-added services.

The spread of biometric solutions also signals a change in business

models, as new actors become a necessary link in the transaction

and value chains.

In this rationale of IT consumerisation, we will see new devices

(for example, SesameTouch developed by Trust Designer) emerge,

devices which can be used to authenticate oneself and make

online payments without having to use a system provided by a

bank. These devices represent a third avenue as they are in line

with open logics, depending on evaluation and certification

schemes, for example.

Two major trends in the field of online payments have been confirmed

in the past two years. First of all, the increase in fraud is undeniable,

while users are turning to smooth systems to authenticate their online

transactions.

We will quickly look at the first trend by illustrating it with a few

figures for the French market. A study published by the French

National Supervisory Body on Crime and Punishment (ONDRP)

revealed that more than 800,000 households have been victims

of banking fraud. Of those that managed to identify how they

were scammed, one third had their payment details stolen while

shopping online.

To resolve this, regulators have issued a number of recommendations

at the European level: Revised Payment Services Directive (PSD2)

and Guidelines on the Security of Internet Payments (European

Banking Authority’s Guidelines).

But, in terms of technology, the power is in the users' hands. They decide

whether to use and adopt a technology or not. A few years ago,

there were those who refused standard office automation tools and

turned to tablets (more mobile, better suited for viewing content) and

smartphones (to be connected without being at a desk) instead.

The Bring Your Own Device (BYOD) system, which is a rejection

of over-complex systems, has spread in the field of payments.

Users massively refused One Time Password (OTP) and, in

general, all systems which require fastidious data entry to make

an online payment.

These examples illustrate that users always opt for simplicity.

The position of smartphone manufacturers (Apple, Samsung)

and of social networks (Facebook, Twitter, LinkedIn) is a good

illustration of the need for simplification and standardisation.

To unlock a telephone, all you need to do is put your finger on a

biometric sensor. To connect to a social network account, you just

have to enter a password. Easy access is now the first condition

for using a service.

http://www.networkworld.com/article/2458760/security0/byoa-bring-your-own-authentication.html

http://www.networkworld.com/article/2458760/security0/byoa-bring-your-own-authentication.html


About André Delaforge: André joined Natural Security in February 2010 to lead various aspects of marketing and business development. Prior to joining Natural Security, André was in charge of business development for biometric and RFID technologies for a large electronic manufacturer.

About Natural Security Alliance: The Natural Security Alliance is a global community of preeminent companies dedicated to accelerating the adoption and ongoing development of Natural Security Technology based solutions. It is comprised of some of the most influential companies in world from the retail, banking, payment and IT communities.

www.naturalsecurityalliance.org

André DelaforgeHead of Communication Advisory CommitteeNatural Security Alliance

A study recently published by Mobey Forum (Mobey Forum’s

Biometrics Survey Results, July 2015) clearly shows strong

demand for open interfaces. 83% of surveyed companies

considered open interface implementation of fingerprint sensors

as an opportunity, allowing banks or trusted service providers to

control the authentication data.

In the BYOA rationale, there is clearly a place and demand for

authenticators which make online transactions possible where the

user can choose the platform of the transaction.

Broadly speaking, the term ‘authenticator’ refers to any technology

that can authenticate a user before he or she reaches an interface

that provides access to a service. Authenticators can come in

different formats, such as a chip card and reader (e.g. for payment

in a store), an OTP token or even a simple login and password

on a computer. Biometrics is becoming increasingly commonplace

for authenticators, but, as previously stated, there still are a couple

of issues that need to be addressed. For example, interoperability

must be made standard, so that service providers can accept the

authenticators deployed, and consumers are not limited to where

they can shop for goods and services.

These authenticators will, and should, rely on an open architecture

paving the way for an "Implementing an evaluation scheme"

in order to create an open ecosystem of technologies suited to

different use cases.

http://www.naturalsecurityalliance.org

http://www.naturalsecurityalliance.org

Don’t miss...

The international gathering of leading payment’s professionals to pool their insights about what is driving success in digital payments.

Themes

Retail, Mobile and Banking

AN ANNUAL CONFERENCE BY THE EPA 27-28 June 2016, Liverpool Exhibition Centre, Liverpool

Register your interest [email protected] code Paypers10 to save 10% off our current registration rate.

Join the conversation

@EPAssoc #EPADigital

Interested in Sponsorship opportunities?

[email protected]

+44 20 7378 9890

PAY360DIGITAL

PAYMENTS

Lead sponsor

In partnership with

SPONSORSHIP AND EXHIBITION OPPORTUNITIES

AVAILABLE

INSIGHTS INTO ELECTRONIC IDENTITIES IN EUROPE


Digital ‘Marble’ - Onboarding in the Age of Electronic Identity

Signicat

infrastructure. The new European regulation on electronic identity

and trust services (eIDAS), which was approved in 2014, will also

contribute to driving acceptance and interoperability of e-ID and

e-signature in the European market.

However, the ongoing establishment of cross-industry schemes or

federations for e-ID is equally interesting. These are established

by banks, telecommunications companies and others who want

to exploit the network effect of providing electronic identity

across industries and businesses. Examples of such ecosystems

include the recent partnership between Dutch banks to establish a

federation of electronic identity, the MyBank initiative by the EBA

and GSMA Mobile Connect.

What is common to these initiatives is that they connect existing

electronic identity in federations. Thus, a customer of a Dutch

bank can use his online banking login to establish a customer

relationship with an ecommerce retailer. Initiatives like the Dutch

interbank login and MyBank hold significant potential for the rapid

deployment of digital onboarding. They build on existing electronic

identity that already is in frequent use for internet banking,

sidestepping the need for costly and time consuming deployment

of new electronic identity.

Uniting the fragmented e-ID landscapeThe development of e-ID in Europe has mainly been done within

a national scope, with limited degree of coordination. This has

resulted in a fragmented infrastructure that presents challenges to

service providers aiming to reach a broad audience.

For instance, a service provider in Norway who wants to address

the largest possible audience would need to implement support not

only for Norwegian BankID and the Buypass eID, but also for the

MinID eID and the Commfides eID.

If service providers run a pan-Nordic operation, which is often the

case, they would need to implement support for up to 12 different

e-IDs. In the absence of a universal (or at least regional) e-ID

scheme, the implementation effort soon becomes unmanageable.

This situation will prevail also in a post-eIDAS Europe: while eIDAS

BackgroundA century ago, banks managed to establish trust in the public at

large by building bank palaces made of marble.

Nowadays, banks need to establish trust in a virtual world.

In particular, they need to prove the identity of their customers

online. This is difficult enough for banks operating in a single

market. For banks operating in a pan-European market, it becomes

an even major hurdle.

Luckily, a digital ‘marble’ that can be used to establish trust online

exists in the form of electronic identity. In markets where electronic

identity is readily available, experience shows that using electronic

identity for online onboarding can lead to a dramatic increase in

conversion rates.

Nordic practiceThe Nordic countries – Denmark, Finland, Norway and Sweden,

stand out among the regions where electronic identity has been

widely deployed. In these countries, a large majority of the adult

population has access to electronic identity that has been issued by

the banks, the government or a telco.

Key to the success of these identities is that they can be utilised

across a wide range of services in the public and private sector.

This ensures a high frequency of usage, which lowers the barrier

for using the e-ID. Cooperation between the parties involved is

based on acknowledging that the value of a common platform is

greater than the sum of its parts. This has led to the emergence

of common technology and regulations ensuring the electronic ID

interoperability across sectors.

The European dimensionThe Nordic countries have been pioneers in the use of electronic

identity for digital onboarding. However, the rest of Europe is now

following suit.

Countries like Germany and Spain continue to develop their

national infrastructure for electronic ID, while Estonia and Belgium

have made considerable progress in deploying a national e-ID


About Gunnar Nordseth: Gunnar is a veteran of the software industry and a founder of three software companies all based in Trondheim. Since 2007 he has been involved in establishing Signicat as a global leader of cloud-based services for electronic identity and electronic signature.

About Signicat: Signicat is a leading provider of identity services in Northern Europe. The company offers a unique identity-as-a-Service, giving multinational, national companies and government institutions easy access to a range of national e-ID infrastructures through a single point of integration. Customers use Signicat services for authentication, digital signature of documents/text and long term validation and archiving.

www.signicat.com

Gunnar NordsethCEOSignicat

ensures a common framework for electronic identity and electronic

signature, it will not guarantee technical interoperability in any way.

Identity hubs as new paradigm for solving fragmentationA new kind of service offering has emerged to address the need for

simple integration with the e-ID infrastructure. Currently, Signicat

has over 150 customers hooked up to its online identity hub.

Signicat’s customers are typically banks, finance and insurance

companies that want to use publicly available e-ID for strong

authentication or electronic signatures. The company operates

as an identity hub or identity broker. Its customers select which

e-IDs they want to accept and Signicat sets up a service providing

access to them. In addition to giving access to third-party e-IDs,

Signicat can also play the part of an e-ID issuer for customers who

want to provide their end-customers with a proprietary e-ID.

Vision for EuropeTrust and digital identity is a prerequisite for cross-border

transactions. Without them, the growth potential will be limited.

Merchants wishing to do cross-border commerce need to

know their customers, and the only realistic way to do this is

through electronic identity. The best solution is to outsource the

complexity of identification and authentication to specialists, just

as the merchants did with payments. Identity providers do not

only specialise in protecting customers from identity theft, but also

in allowing customers to re-use their existing IDs and credentials,

thus preventing the build-up of a ‘digital key chain’.

http://www.signicat.com

http://www.signicat.com


ElectronicIdentityVerification:HowMyBankCanHelp

MyBank

transactions, particularly for reasons of security: avoiding fraud,

securing against identity theft, complying with anti-terrorism

concerns and so forth.

In a traditional brick-and-mortar business, identity verification is

relatively straightforward: a merchant requests your ID (national ID

card, passport etc.), you hand it over and, presuming everything is

OK, you receive your goods (e.g. alcohol in a supermarket). But,

in other settings, this can be onerously time consuming. If you

want to apply for a loan, you will probably have to manually fill out

sheets of paper and send them all through the mail.

Digital has its challenges. How can merchants be sure their

customers are who they say they are when both sides never

physically interact? Can merchants be confident that purchases

carried out are not tainted by fraudulent activity?

Digital experts at Innopay [Internal MyBank research conducted

in conjunction with Innopay Consulting] estimate that there are

currently 225 billion authentication transactions per year across

e-mail, social media, ecommerce and e-government. Ecommerce

and e-government account for 5.5 billion transactions.

How will MyBank play a role in this area?MyBank and their Payment Service Providers (PSPs) partners with

their experience of processing complex, sensitive transactions,

can bring real value to the market. With MyBank, consumers

and businesses can already re-use their existing online banking

account credentials to safely instruct their banks to provide

account-related data to third-parties and purchase items online.

The online bank account is already the central repository for

sensitive data in the form of payment information - it makes sense

to re-use information linked to existing processes to facilitate the

expansion of new services. Account Servicing PSPs are legally

obliged to investigate that you are who you say you are before

letting you create an account.

MyBank is distributed to participants (PSPs) which, in turn,

contract with their clients (e.g. merchants) to make use of the

service. The standard MyBank four corner model, which underpins

all MyBank services, is detailed below.

In recent years, ecommerce has been experiencing a great degree of

technological upheaval: e-wallets, NFC (near field communication),

Apple/Samsung/Google ‘’pay’’, third-party access to the account –

how you pay for things is now becoming as important as what you

pay for.

Underlying these changes is trustworthy identity verification,

which means customers and other actors identify themselves

digitally to third-parties that require their information. This is the

keystone that future online commerce will be built on.

Electronic identity verification (or e-identity for short) has been

featured prominently in regulatory discussions in recent years.

Electronic identity legislative frameworks (either directly or indirectly)

have moved to the front of the agenda” at the beginning of the

phrase. This is due to the revised Payment Services Directive (PSD2),

the recommendations developed by the European Forum on the

Security of Retail Payments (SecuRe Pay), the ‘Regulation (EU) No

910/2014 on electronic identification and trust services for electronic

transactions in the internal market and repealing Directive 1999/93/

EC’ (e-IDAS) and the 4th Anti-Money Laundering (AML) Directive’.

Furthermore, businesses are daily being confronted with new

challenges as society switches to digital channels. Some of the

most common are:

• How to verify identity: who are businesses really dealing with?

• How to verify age?

• How to perform customer due diligence?

• How to obtain consent to sign up services?

With no standardised electronic means of verifying such functions,

businesses face rising costs and are often obliged to implement

workarounds that usually involve consumers physically handing

over large quantities of private data, or filling out paper forms.

How does online identity verification work?Online identity verification is an electronic means of proving that

you are who you say you are and that the attributes you claim

to possess (name, age, address, passport number etc.) really

are yours. This is of highest importance in facilitating online

http://www.thepaypers.com/digital-identity-security-online-fraud/ecommerce-fraud-attempts-register-30-increase-in-2015/762152-26?utm_campaign=20151123-automatic-newsletter&utm_medium=email&utm_source=newsletter&utm_

http://www.thepaypers.com/cryptocurrencies-bitcoin-virtual-currencies/eu-clamps-down-on-virtual-currencies-and-anonymous-payments/762178-39


About Fatouma Sy: Fatouma Sy is Head of Product Development at MyBank. She has worked on the development of the solution since EBA Clearing decided to launch an E-services initiative in 2010.

About John Broxis: John Broxis is the Managing Director of MyBank. Prior to heading up MyBank, John was director of STEP2 at EBA Clearing.

About MyBank: MyBank is a pan-European e-authorisation solution which enables safe digital payments and identity authentication through a consumer’s own online banking portal or mobile device. With its participant banks, MyBank went live in March 2013 with SEPA Credit Transfers. Since then, MyBank has launched SEPA electronic mandate services and is now piloting ‘’MyBank Identity Verification’’.

www.mybank.eu

John BroxisManaging DirectorMyBank

Fatouma SyHead of Product DevelopmentMyBank

Figure 1: MyBank Operating Model

Banks and other payment service providers (PSPs) are important

players in this arena for a number of reasons:

a. Rich and accurate customer data (''Know your Customer‟

information).

b. Proven, fraud-resistant authentication mechanisms.

c. Experience of a collaborative network.

d. Reach encompassing all citizens.

e. Trustworthiness. Consumers trust their own bank.

The online bank account is primed to become a central hub for

online activity. Most of us already consult our account balance on

our computer or mobile app on a regular basis. Some of us also

hold insurance through our bank. We already trust our bank with

much of our most precious data. It is clear why consumers would

be eager to extend the benefits of the online bank account to

validate their age or other sensitive information.

As a pan-European solution, MyBank facilitates the:

• Unbundling of valuable authentication services from payments.

• Enabling of controlled online availability of valuable information.

• Creation and positioning of digital identity services toward the

market via a harmonised and recognised user experience.

• Elimination of fragmentation.

The MyBank Identity Verification pilot involving PSPs, merchants

and technical integrators began in November 2015 and will

continue into early 2016. The objective of the pilot is to test the

use cases, refine the business model and ensure that the technical

model is best fitted to the market’s needs.

http://www.mybank.eu

http://www.mybank.eu

VISIT OUR ENHANCED ONLINE COMPANY PROFILES DATABASE

ALL COMPANY PROFILES IN THE WEB FRAUD PREVENTION,ONLINE SECURITY & DIGITAL IDENTITY MARKET GUIDE AREAVAILABLE ONLINE IN AN ENHANCED COMPANY PROFILESDATABASE, COMPLETE WITH KEYWORDS, COMPANY LOGO

AND ADVANCED SEARCH FUNCTIONALITY

http://webfraud-eidentity.thepaypers.com/

DIGITAL IDENTITIES AND TECHNOLOGIES AT THE HEART OF SECURITY


Identity of Things (IDoT): A New Concept in Managing Identities

Innovate Identity

With more connections and points of entry, IoT inherently increases

exposure to cyber risk. And, within the hyper-connected domain

of IoT, one small data breach can have a domino effect across

several connections. This data also creates issues for the user

around privacy, consent and control over their personal data.

Who owns the data? Who can share it? Where is it stored? Can it

be shared with third-parties without the user’s knowledge?

Why identity underpins IoT So, what do we mean by identity? Identity is the collective aspect of

the characteristics set via which a ‘thing’ is definitively recognisable

or known. As the IoT network gets more sophisticated, and more

data is taken, the more links are made between person and device.

Moreover, as this length of time increases, the more valuable

that data becomes. Identity is therefore intrinsically linked to IoT.

Additionally, as the IoT network grows, so do the issues around

security of data, user consent, control and privacy.

Identity is generally proved through a sophisticated and complex

set of identity verification and authentication techniques. However,

there are no set standards across the board on how we should deal

with identity, which leaves multiple threat vectors for fraudsters to

exploit.

Gartner predicts that there will be 4.9 billion connected ‘things’ in

use by 2015. This figure is expected to rise to anywhere between

25 billion or 50 billion by 2020, depending on which report you

read.

The Identity of Things (IDoT) is an extension to identity management

and encompasses all entity identities, whatever form the entities

may take. The identities are then used to define relationships

among the entities, namely between a device and an individual, a

device and another device, a device and an application/service, or

(as in traditional Identity Access Management) an individual and an

application/service.

This skyrocketing growth, in connected devices such as those

in the health sector, means that, in many cases, the user and

the device are linked to each other. By having the users sharing

data with the device, they gain more value from the device itself.

The more data users share, the more value they get back.

The Internet of Things, therefore, means an increase of data

production, location data, personal preference data, health data,

usage data and so on.

This data is incredibly valuable for the organisations collecting

it. If a user had a health band, it means that insurance could be

underwritten based on the individual’s level of fitness, allowing

access to better insurance premiums. Affiliated marketing would

target the users around sports they enjoy or even offer location-

based special offers for local stores. This data is also valuable for

the users to share amongst their peers, allowing them to bench

mark their fitness against others.

But, what are the security consequences of generating and storing

such data? Central repositories of data create attractive targets for

hackers and, with high profile data breaches in the press, daily,

this issue shows no sign of slowing down.

http://www.thefreedictionary.com/identity

http://www.gartner.com/newsroom/id/2905717

http://www.cisco.com./web/about/ac123/ac147/archived_issues/ipj_15-3/153_internet.html

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


About Emma Lindley: Emma has over a decade of experience working with technology led identity and age verification systems. Her focus is the intersection of technology, digital life, identity and privacy, and she is passionate about solutions which enable trust and inclusion on the Internet. Emma founded Innovate Identity in 2012 to address the need to provide thought leadership, clarity and practical solutions into a changing and increasing complex identity market place.

About Innovate Identity: Innovate Identity (InID) is an independent consultancy working with clients from fintech start ups through to major blue chip supporting their identity needs. From Know Your Customer and Anti Money Laundering regulatory requirements, fraud prevention, security and data privacy, through to delivery of new identity propositions such as attribute exchange, personal data stores and blockchain technologies.

www.innovateidentity.com

Emma LindleyCEOInnovate Identity

Some countries have centralised government systems for identity.

However, these centralised systems are open to attack. In some

cases, due to vulnerabilities, these centralised systems have be

subject to widespread identity fraud at a national level.

Organisations creating connected devices have their own ways

of dealing with security and identity. Still, they too are effectively

mini-centralised systems, meaning that they are no less vulnerable

to attackers, but arguably less attractive due to their size.

ConclusionAs we hand over more and more of our decision-making to our

connected devices, it is imperative that we have identity-focused

and secure infrastructures in place that are capable of managing

the growing complexity of the emerging connected world.

An overall decentralised identity scheme, similar in size and scale

to the payments scheme, is required to deal with the security,

privacy, consent and control issues we have with identities. Such a

scheme would allow many organisations to offer identity solutions

developed to the standards set, and those developing connected

devices to adopt those solutions.

IoT devices will need to be mapped to this scheme, which will

need to ensure there are ways to make it easy for the end user (the

ultimate data owner) to understand and embrace. IoT presents a

huge opportunity. However, in order to grow, it requires an identity

layer to underpin it and allow scale in a secure way.

http://www.innovateidentity.com

http://www.innovateidentity.com

http://www.theregister.co.uk/2014/10/14/south_korea_national_identity_system_hacked/


The Advent of IoT: Are We Facing A Trade-off Between Convenience & Security?

The Paypers

Furthermore, data jointly released by Cisco and logistics service

provider DHL reveals there are actually expected to be around 50

billion internet-connected devices by 2020, which would represent

a significant increase in the number of connections. And this

is not all. The IoT will definitely continue to grow. According to

estimations by the McKinsey Global Institute, the IoT will have a

total economic impact of up to USD 11 trillion by 2025. The same

source mentions that more than two thirds of the value will

be generated in business-to-business settings and business

customers and consumers will likely capture more than 90% of

the value created.

The IoT – a force that is driving innovation and digital transformation in financial servicesThe impact of such connectivity provided by the IoT cannot be

fully grasped yet. The IoT is expected to transform all industries,

including banking. A Deloitte analysis suggests that as many

as one quarter of sensors deployed in 2013 could be of use to

financial institutions, rising to one third in 2015 and then to about

50% by 2020. In total, the growth in sensor deployments for

financial services is expected to be very strong, ranging from just

over 20% to 100% annually on a compounded basis, depending

on the sector. Big data analytics, combined with a large number

of connected devices and environments through the IoT, are set

to empower data-driven management, reshape processes and

deliver significant benefits. The banking and securities industry will

continue to innovate around mobile and micropayment technology

using POS terminals and will invest in improved physical security

systems.

The IoT from a security and privacy perspectiveThe IoT really seems to be ‘the next big thing’. However, this ‘giant’

that presents tremendous opportunities for development, that

promises convenience and amazing experiences, is not without its

shortcomings. The first and most important ‘side effect’ that comes

up is the issue of security and privacy. How can businesses and

consumers be certain their data is protected with such an explosion

of devices and sensors?

The online world has never been more dynamic or more challenging

than it is nowadays. The internet and groundbreaking technology

enhancements have reshaped our lives and transformed the way

we do things, both in a business environment and in our personal

space. Over the past few years, technologies such as cloud, mobile

solutions, big data and analytics, which were once the frontier of the

payments industry, have become commonplace. And most recently,

the Internet of Things (IoT) has been perceived as the new game

changer. But what exactly is the IoT and why has it been heralded

as the next major revolution in business computing?

The Internet of Things refers to the networking of physical objects

through the use of embedded sensors, actuators and other devices

that can collect or transmit information about the objects. Basically,

via the IoT, individual components communicate with each other

and a service center, allowing for virtually endless connections to

take place. Additionally, a business model can now include not only

services, but also position those services in the center of the model

– the so-called ‘everything-as-a-service’ trend. Intelligent products,

connected in real-time to the internet and managed via intelligent

network, allow organisations to develop new business models and

become digital disruptors. Until now, the IoT has been mostly linked

with machine-to-machine (M2M) communication. Products built

with M2M communication capabilities are often referred to as being

‘smart’. The IoT is expected to connect many of the devices we

have in our homes, from smart thermostats to smart fridges. Big

market players such as Google and Samsung already understand

this and are active participants in this transformation. Google

bought smart thermostat maker, Nest Labs, for USD 3.2 billion,

while Samsung purchased connected home company SmartThings

for USD 200 million.

According to a report from Gartner, by the end of 2015, there will

be almost 5 billion ‘things’ connected to the internet. By the end of

2020, the figure is forecasted to rise to over 25 billion. In other words,

there will be more than three things connected to the internet for

each person on the planet.

http://dupress.com/articles/internet-of-things-iot-in-financial-services-industry/?icid=hp:ft:01

http://www.gartner.com/newsroom/id/2905717


About Ionela Barbuta: As Senior Editor at The Paypers, Ionela is in charge of managing projects and writing research articles on Security & Fraud. Ionela holds a Master's Degree in International Business and Intercultural Strategies.

About The Paypers: The Paypers is the leading independent source of news and analysis for professionals in the global payment community. Our products are created by payment experts and have a special focus on all major developments in payments - related industries including online/mobile payment, ecommerce, e-invoicing, online fraud prevention innovations and the most significant trends in the digital identity space.

www.thepaypers.com

Ionela BarbutaSenior EditorThe Paypers

Cybersecurity will definitely take on a whole new dimension and

digital vulnerabilities are likely to expand in more ways than we can

currently imagine. Therefore, one of the most pressing problems

for businesses planning to take advantage of the IoT is protecting

company and customer data. Numerous IoT-based applications

depend on access to consumer data, including data collected

passively from customers’ behaviour. For instance, one use of the

technology could be fully automated checkout in retail settings.

Customers could literally walk out the door of a store without having

to wait in line or even swipe a card: data-gathering ‘beacons’ can

scan tags on all the items in a shopping cart, total the bill and debit

the customer’s account, perhaps even deducting money from the

customer’s smartphone.

In this context, each sensor could be a potential entry point for

hackers and the consequences of a data breach can be devastating.

To prevent this, companies should take on the responsibility to

work with technology vendors and heavily invest in data-security

capabilities. They should also build protections for their own

data and intellectual property when they implement IoT systems.

Notwithstanding the high risk of IoT, there is a lot of potential.

With greater connectivity, there comes greater convenience and

customers have a higher expectation of services and support.

http://www.thepaypers.com

http://www.thepaypers.com

Title

Companyname

Platte tekst

COMPANY PROFILES

69COMPANY PROFILES

Company AccertifyAccertify Inc., a wholly owned subsidiary of American Express, is a leading provider of fraud prevention, chargeback management, and payment gateway solutions to merchant customers spanning diverse industries worldwide. Accertify’s suite of products and services help ecommerce companies grow their business by driving down the total cost of fraud and protecting their brand.

Website www.accertify.com

Keywords for online profile fraud, chargeback, payment gateway, risk, protect, loss, Accertify

Business model Software-as-a-service (SaaS)

Target market Online shoppers, financial institutions, payment services providers, online communities / web merchants, gaming & gambling, other online businesses

Contact [email protected]

Geographical presence Global

Active since 2007

Service provider type Digital identity service provider, technology vendor, web fraud detection company, payment service provider (PSP)

Member of industry association and or initiatives

Merchant Risk Council, Direct Response Forum, Vendorcom, AMIPCI

Services

Unique selling points Accertify leverages its flexible platform to enable merchants to screen for multiple fraud use cases, including, but not limited to payment, loyalty, claims, staff and social media reputation. Our unique capabilities allow genuine customers to be efficiently removed from fraud processes, supporting merchant growth.

Core services Accertify’s core suite of services includes fraud management, chargeback management, and payment gateway.

Pricing Model For more details contact our sales team at [email protected].

Fraud prevention partners Accertify is integrated to multiple third party services which includes, but not limited to: Lexis Nexis, Whitepagespro, Experian, InAuth, iovation, Threat Metrix, Perseuss, emailage, Neustar, Maxmind, ebureau, Mastercard, Discover.

Other services Professional Fraud Services, Decision Sciences, Manual Review outsourcing 24/7, Support Services, Rule Management and improvement, Best Practice consulting,Training services.

Third party connection United Parcel Services (UPS) and FedEx to obtain proof of delivery signatures; eFax (inbound and outbound fax receipt).

Technology: anti-fraud detection tools available

Address verifications services Yes

CNP transactions Yes

Card Verification Value (CVV) Yes

Bin lookup Yes

Geo-location Checks Yes

Device Fingerprint Yes through integrated partners

Payer Authentication Yes

Velocity Rules – Purchase Limit Rules

Yes

White list/black list database: Yes

KYC – Know Your Customer Yes; complemented with integrated partners

Credit Rating No

Follow up action Additional authentication (out of band authentication) and transaction verification capabilities.

Other Profiling (dynamic summarization and aggregation)

www.accertify.com

mailto:emea%40accertify.com?subject=


70 WEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY GUIDE 2015 / 2016

Authentication Context

Online Yes

Mobile Yes

ATM No

POS Yes

Call centre Yes

other Kiosk (unattended terminal)

Reference Data connectivity

Connectivity to governmental data No (unless provided via partner – for example Experian or Lexis Nexis)

Other databases BIN, Oanda, Global latitude/longitude, Accertify Risk ID (multi-merchant negative dB), Accertify Index (multi-merchant positive dB), Amex Risk Information Management dB

Fraud management system type

Single-channel fraud prevention system

Yes

Multi-channel fraud prevention system

Yes

Certification

Type PCIDSS Level 1, ISO 27001

Regulation For more details contact our sales team at [email protected].

Other quality programms For more details contact our sales team at [email protected].

Other remarks For more details contact our sales team at [email protected].

Clients

Main clients / references Marks and Spencer, British Airways, easyJet, Autotrader, Bazaarvoice, TUI

Future developments For more details contact our sales team at [email protected].





www.accertify.com


TURN SUSCEPTIBLE INTO SECURE.Protect your online payments while driving business growth.

aciworldwide.com/onlinefraudprevention

http://www.aciworldwide.com/onlinefraudprevention

73COMPANY PROFILES

Company ACI WorldwideSpecialist provider of fraud prevention and management solutions for all payment transaction types to merchants, issuers, acquirers, processors and switches. Through our ACI ReD Shield®, ACI ReDi™, ACI ReD Fraud Xchange™ and ACI ReD Alerts we deliver real-time, multi-tiered fraud solutions which are managed by our expert risk analysts. Our analysts – and systems – are informed by our unrivalled access to data and business intelligence and its ability to connect merchants, acquirers and issuers in the fight against fraud.

Website www.aciworldwide.com

Keywords for online profile online fraud prevention, ecommerce, online fraud, fraud analytics, Card Not Present (CNP)

Business model Direct and via our PSP channel.

Target market Online ecommerce merchants, financial institutions, payment services providers, government services, acquirers, gaming, retail, hospitality, loyalty, telecommunications, travel and entertainment

Contact Andy McDonald ([email protected] or +44 (0)7785 627494)


Active since 1975

Service provider type Digital identity service provider, technology vendor, web fraud detection company, payment service provider (PSP), issuer, acquirer


Merchant Risk Council, IMRG, Direct Response Forum, Vendorcom, Cross-Border eCommerce Community

Services

Unique selling points Automated processes and dedicated support from expert risk analysts. Global fraud data, fraud solutions tailored to sector and customer needs, predictive models and unlimited, flexible rules. Holistic fraud management – real-time and post-transaction monitoring using our unrivalled business intelligence solution. Presence across the payments chain, supporting merchant and issuer collaboration in the fight against fraud.

Core services Card Not Present (online, IVR, call centre and mobile) and card present fraud prevention; fraud and risk consultancy; payment services

Pricing Model Flexible

Fraud prevention partners ACI partners with leading PSPs around the globe (see a full list at http://www.aciworldwide.com/who-we-are/partners/our-partners.aspx).

Other services Payment services: Base 24 – EPS, Postilion, ACI Proactive Risk Manager, ACI Universal Online Banker. Please visit www.aciworldwide.com to view all services available from ACI

Third party connection For more information, please contact ACI.





Bin lookup Yes


Device Fingerprint Yes



Yes, unlimited and flexible.


KYC – Know Your Customer Yes

Credit Rating No

Follow up action Yes

Other Compliance list checking, AML, additional black lists

www.aciworldwide.com

mailto:andy.mcdonald%40aciworldwide.com?subject=

http://www.aciworldwide.com/who-we-are/partners/our-partners.aspx

http://www.aciworldwide.com/who-we-are/partners/our-partners.aspx



Online Yes

Mobile Yes

ATM Yes

POS Yes

Call centre Yes

Other For more information, please contact the sales team.


Connectivity to governmental data For more information, please contact ACI.

Other databases Commercial attribute providers, e.g. credit databases



Yes


Yes

Certification

Type PCI DSS v3.0, ISO 27001, SAS70

Regulation EU Data Protection

Other quality programms UK Payments Administration accreditation, Visa Account Information Security (AIS and CISP) accreditation, Amex Data Security Operating Policy

Other remarks For more information, please contact the sales team.

Clients

Main clients / references Upon Request

Future developments For more information, please contact ACI.

75COMPANY PROFILES

Company The ai Corporationai provides fraud prevention solutions to some of the world’s largest financial institutions, merchants and PSPs. Our unique self-service solutions, including our new “state of the art” neural technology, protect and enrich payments experiences for more than 100 banks, 3 million multi-channel merchants monitoring over 20 billion transaction a year.

Website www.aicorporation.com

Keywords for online profile fraud prevention, analytics, neural, risk, detection, self-service, white label

Business model Direct and indirect licenced software sales through select partners. SaaS – Direct hosting and/or managed service

Target market Online merchants, multi channel merchants (traditional, mobile and online), financial institutions, card issuers – credit, debit, prepaid, fuel card, T&E, card acquirers/ISO’s/payment facilitators, alternative payment providers (e-vouchers, e-wallets), payment services providers, government services, online communities/web merchants, gaming & gambling, other online businesses

Contact Nick Walker ([email protected] or +44 7901 920573)


Active since 1998

Service provider type Software technology vendor, SaaS managed service provider


None

Services

Unique selling points Self-service real-time rules engine and neural model builder, empowering the user to easily build, deploy and operate their own fraud strategies quickly and efficiently without the need for expensive, lengthy and often ineffective third party services. The software also allows for non fraud analytics and rules deployment.

Core services Omni-channel and enterprise wide fraud prevention technology and managed services.

Pricing Model Licence fees or service fees

Fraud prevention partners PayVector, InAuth, FISH, PanInteligence, Azuka

Other services Business intelligence, cardholder/consumer engagement, enterprise case management

Third party connection Data providers, card management systems, transaction switches, PSPs


Address verifications services Partner



Bin lookup Yes

Geo-location Checks Partner

Device Fingerprint Partner



Yes with auto rule generator SmartRule.


KYC – Know Your Customer Partner

Credit Rating Partner

Follow up action Enterprise wide case management.

Other More information available upon request.

www.aicorporation.com

mailto:nick.walker%40aicorporation.com?subject=



Online Yes

Mobile Yes

ATM Yes

POS Yes

Call centre Yes

Other Yes


Connectivity to governmental data Partner

Other databases Partner



Yes


Yes

Certification

Type ISO 27001 in progress.

Regulation PCI

Other quality programs KII, SmartMinds

Other remarks More information available upon request.

Clients

Main clients / references Shell, Barclaycard, Nedbank, Mashreq, AFS, Global Payments, IBQ

Future developments More data feeds, more third party interfaces, full automation of fraud detection.

mailto:info%40aicorporation.com?subject=

How EMV will Change Online Business in the U.S.Everyone in the payments world is talking about EMV in the U.S. But for omni-channel and online merchants, how will the use of EMV cards impact their eCommerce fraud?

Benefits of EMV CardsA major benefit of chip cards is how the chips work at POS. Each time the card is usedin person, the chip creates a unique code that cannot be re-used. So if a card number is stolen in a breach, the stolen number and transaction code would not be usable and any fraudulent attempts at point-of sale would be denied.

Another benefit of the chip card is that the chips cannot be cloned by counterfeiters if they steal a card number, so counterfeit cards cannot be used for in-person transactions. This is also a drawback: because the chips are not “read” for a card-not-present transaction, stolen chip card numbers can be – and increasingly are – used to make fraudulent CNP transactions.

visit: www.cardinalcommerce.com call: (877) 352-8444

Other benefits of Cardinal Consumer Authentication include: • Increased sales – fewer false positives and the opportunity to sell in regions where 3-D Secure is mandated.

• Improved margins – liability shift on fraudulent chargebacks, potential interchange savings, and less manual review.

• Enhanced consumer experience – the merchant controls the amount of friction during checkout with dynamic rules that can be applied transaction by transaction.

To learn more about how EMV can affect your CNP business, and what you can do to protect yourself, contact Cardinal.

ADVERTISEMENT

How Can Online Merchants Protect Themselves?To thwart the influx of online fraud, many eCommerce merchants have dialed up their fraud tools. This helps control the increased fraud, but also creates false positives – transactions that the fraud tool flags and the merchant declines that are actually good orders. This is almost as harmful to a merchant as the fraud because it results in lost sales and insults to good consumers.

This puts online merchants in a difficult spot. Because chip cards can’t be used for in-person fraud, the fraudsters look for the path of least resistance, the card-not-present world. But there is a way to prevent fraud.

Cardinal Consumer Authentication (CCA) protects online transactions the way chip cards prevent fraud at the cash register. And combining CCA with a fraud tool, merchants can increase their good orders by up to 15% vs using a fraud tool alone.

CCA’s rules-based approach gives merchants choice in how each transaction is authenticated, and control over the amount of consumer friction during checkout. In many cases, using CCA, authentication happens behind the scenes, with no friction during checkout for the consumer, using things like IP address, device identification, buying patterns, or any data point the merchant collects.


79COMPANY PROFILES

Company CardinalCommerce CorporationCardinalCommerce is the pioneer and global leader in enabling authenticated payment transactions in the card-not-present payments industry, and the largest authentication network in the world. Through One Connection to the proprietary Cardinal SafeCloud, we enable friction-free, technology-neutral authentication and alternative payment services (including digital wallets and mobile commerce services).

Website www.cardinalcommerce.com

Keywords for online profile consumer authentication, 3-D Secure, prevent online fraud, prevent fraudulent chargebacks

Business model Sell directly to online merchants and financial institutions; sell through partners

Target market Financial institutions, payment services providers, online communities/web merchants, gaming and gambling


Geographical presence Global – we do business in Europe, Asia, Africa, Australia, North and South America

Active since 1999

Service provider type Technology vendor


Member of Merchant Risk Council (MRC) and Merchant Advisory Group (MAG); North American Board member of MRC

Services

Unique selling points With Cardinal Consumer Authentication you can increase sales, improve margins, control consumer friction during checkout and eliminate fraudulent chargebacks for your online business. With your One Connection to Cardinal, you can add alternative payment brands and digital wallets quickly and easily, to give your consumers the payment options they want.

Core services Cardinal Consumer Authentication, leveraging the 3-D Secure protocols to give merchants choice of which transactions to authenticate and control over checkout friction.

Pricing Model Transaction volume based pricing, starting at USD 29.99 US per month.

Fraud prevention partners Visa(CyberSource), ACI (Retail Decisions)

Other services Consumer authentication, alternative payment brands, digital wallets

Third party connection Visa (CyberSource), ACI (Retail Decisions), PayPal


Address verifications services Through a partner



Bin lookup Through a partner

Geo-location Checks Through a partner


Payer Authentication Cardinal Consumer Authentication


Yes



Credit Rating No


Other N/A


Online Yes

Mobile Yes

ATM N/A

POS N/A

How EMV will Change Online Business in the U.S.Everyone in the payments world is talking about EMV in the U.S. But for omni-channel and online merchants, how will the use of EMV cards impact their eCommerce fraud?

Benefits of EMV CardsA major benefit of chip cards is how the chips work at POS. Each time the card is usedin person, the chip creates a unique code that cannot be re-used. So if a card number is stolen in a breach, the stolen number and transaction code would not be usable and any fraudulent attempts at point-of sale would be denied.

Another benefit of the chip card is that the chips cannot be cloned by counterfeiters if they steal a card number, so counterfeit cards cannot be used for in-person transactions. This is also a drawback: because the chips are not “read” for a card-not-present transaction, stolen chip card numbers can be – and increasingly are – used to make fraudulent CNP transactions.

visit: www.cardinalcommerce.com call: (877) 352-8444

Other benefits of Cardinal Consumer Authentication include: • Increased sales – fewer false positives and the opportunity to sell in regions where 3-D Secure is mandated.

• Improved margins – liability shift on fraudulent chargebacks, potential interchange savings, and less manual review.

• Enhanced consumer experience – the merchant controls the amount of friction during checkout with dynamic rules that can be applied transaction by transaction.

To learn more about how EMV can affect your CNP business, and what you can do to protect yourself, contact Cardinal.

ADVERTISEMENT

How Can Online Merchants Protect Themselves?To thwart the influx of online fraud, many eCommerce merchants have dialed up their fraud tools. This helps control the increased fraud, but also creates false positives – transactions that the fraud tool flags and the merchant declines that are actually good orders. This is almost as harmful to a merchant as the fraud because it results in lost sales and insults to good consumers.

This puts online merchants in a difficult spot. Because chip cards can’t be used for in-person fraud, the fraudsters look for the path of least resistance, the card-not-present world. But there is a way to prevent fraud.

Cardinal Consumer Authentication (CCA) protects online transactions the way chip cards prevent fraud at the cash register. And combining CCA with a fraud tool, merchants can increase their good orders by up to 15% vs using a fraud tool alone.

CCA’s rules-based approach gives merchants choice in how each transaction is authenticated, and control over the amount of consumer friction during checkout. In many cases, using CCA, authentication happens behind the scenes, with no friction during checkout for the consumer, using things like IP address, device identification, buying patterns, or any data point the merchant collects.


mailto:info%40cardinalcommerce.com?subject=


Call centre N/A

Other N/A


Connectivity to governmental data N/A

Other databases N/A



N/A


N/A

Certification

Type N/A

Regulation N/A

Other quality programms N/A

Other remarks N/A

Clients

Main clients / references Contact Cardinal Commerce for specific information.

Future developments Contact Cardinal Commerce for specific information.

81COMPANY PROFILES

Company CashRun

RUNCASHFraud Protection & Global Payment Solution

CashRun has vast experience in the fraud industry protecting online merchants from high risk and costs associated with online fraud. Our 100% chargeback protection allows merchants to focus on their core business competencies and at the same time achieve higher revenue growth through effective fraud risk management.

Website www.cashshield.com

Keywords for online profile fraud solution, big data, machine learning, optimization

Business model CashRun offers leading fraud protection technology, solely designed and developed by us.

Target market Online communities/web merchants, financial institutions, payment services providers, government services, gaming and gambling, other online businesses



Active since 2007

Service provider type Web fraud detection company, payment service provider (PSP), technology vendor, digital identity service provider


MRC Premium Sponsor

Services

Unique selling points CashShield’s fraud management solution is based on a combination of fraud detection technology, big data, machine learning that are optimized through a risk management algorithm. Our fully managed service helps you fight fraud hassle-free, with an added protection of an unprecedented 100% chargeback protection, for both tangible and intangible goods.

Core services Comprehensive online fraud risk management for online merchants and PSPs.

Pricing Model Unsecured Transactions (Paypal, Non 3D-Secured ) – CashShield Enterprise (100% Chargeback Guarantee) fee – a percentage of the value of transactions depending on industry risk. Secured Transactions (3D-Secured transactions) – CashShield Core fee – fixed fee per transaction.

Fraud prevention partners CashRun designs and develops its own fraud protection solutions.

Other services Online payment service provider

Third party connection N/A





Bin lookup Yes





No – CashShield does not use hard rules and limits that hampers growth.


KYC – Know Your Customer No

Credit Rating No

Follow up action Our fully managed service tailors and configures the merchant’s risk template for them, giving them only two optimized decisions: accept or reject. We make decisions, not predictions.

Other CashShield’s machine learning system is updated daily with new fraud trends and data, to raise alerts on potential threats.

www.cashshield.com

mailto:enquiries%40cashrun.com?subject=



Online Yes

Mobile Yes

ATM No

POS No

Call centre No

Other Yes – Mobile Apps


Connectivity to governmental data No

Other databases Yes



Yes


Yes

Certification

Type More information available upon request.

Regulation More information available upon request.

Other quality programms PCI Compliance


Clients

Main clients / references Telecommunications, gaming publishers, prepaid products, software, digital goods, PSPs, acquirers, marketplaces, travels, airlines, ticketing, hotels, ecommerce retailers

Future developments Constantly enhancing our system to stay one step ahead of the latest fraud schemes and provide online merchants with the most comprehensive verification.

We make decisions,not predictions.

ACCEPT REJECT

CashShield is here to simplify your verification process. We configure the risk template for you, which allows us to take full responsibility of our risk decisions instead of passing this responsibility back to you, while ensuring that we boost your sales conversion rates with two straight forward decisions: accept or reject.

Get ahead of fraud with our unprecedented 100% Chargeback Protection (including digital goods) and intelligent technology that combines machine learning, big data and risk optimization. CashShield secures both 3DS and non-3DS transactions and eliminates hard limits. Boost your sales and say goodbye to false positives, unnecessary buying restrictions, and most importantly, fraud.

For more information, please visit www.cashshield.com

Accept more orders, with less frAud.Our integrated payment, fraud and security management services can help speed up time-to-market, streamline operations and help you accept payments securely – online and through mobile devices, across the globe.

Contact us: [email protected] +44 (0)118 990 7300 cybersource.co.uk

if you Are A merchAnt selling online, we cAn help you:

mAnAge moBile frAud

Our range of tools can help you to confidently sell through the mobile channel, while managing fraud to the same levels as with traditional eCommerce channels.

We can help you optimise your fraud management operations to protect the customer experience and accept more genuine orders.

increAse order AcceptAnce

Our range of solutions can help you accept orders from international markets with confidence.

mAnAge gloBAl frAud

About cybersource: CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorise.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Foster City, California and maintains offices throughout the world, with regional headquarters in Singapore, Tokyo, Miami/Sao Paulo and Reading, UK. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.co.uk

© 2015 CyberSource Corporation. All rights reserved.

Learn more about our fraud management solutions www.cybersource.co.uk

cybersource.co.uk

mailto:europe%40cybersource.co.uk?subject=

85COMPANY PROFILES

Company Name CyberSource Ltd.CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Foster City, California and maintains offices throughout the world, with regional headquarters in Singapore, Tokyo, Miami / Sao Paulo and Reading, UK. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.co.uk.

Website www.cybersource.co.uk

Keywords for online profile fraud management, risk management, payment security, ecommerce, payments, payment gateway, rules based payer authentication

Business model Software as a Service (SaaS)

Target market Retail, travel, financial institutions, media and entertainment

Contact CyberSource Ltd. Reading International Business Park, Reading, Berkshire RG2 6DH VAT No: GB 927 433123

Geographical presence Worldwide

Active since 1994

Service provider type Payment Service Provider (PSP), fraud management company, web fraud detection, device identification


Merchant Risk Council, IMRG, Vendorcom

Services

Unique selling points The only global payment management platform built on secure Visa infrastructure—with integrations to the world’s largest network of connected commerce partners and transaction insights—CyberSource solutions power businesses to create new brand experiences, grow sales and engagement, and keep payment operations safe.

Core services CyberSource provides fraud management services to help manage the entire life cycle of payment fraud, including account creation and takeover risk.

Pricing Model Tiered SaaS-based pricing model.

Fraud prevention partners ThreatMetrix, Cardinal Commerce, Neustar

Other services More information available upon request.

Third party connection Neustar, LexisNexis, Whitepages.com, Perseuss, Computer Services





Bin lookup Yes





Yes



Credit Rating No



Accept more orders, with less frAud.Our integrated payment, fraud and security management services can help speed up time-to-market, streamline operations and help you accept payments securely – online and through mobile devices, across the globe.

Contact us: [email protected] +44 (0)118 990 7300 cybersource.co.uk

if you Are A merchAnt selling online, we cAn help you:

mAnAge moBile frAud

Our range of tools can help you to confidently sell through the mobile channel, while managing fraud to the same levels as with traditional eCommerce channels.

We can help you optimise your fraud management operations to protect the customer experience and accept more genuine orders.

increAse order AcceptAnce

Our range of solutions can help you accept orders from international markets with confidence.

mAnAge gloBAl frAud

About cybersource: CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorise.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Foster City, California and maintains offices throughout the world, with regional headquarters in Singapore, Tokyo, Miami/Sao Paulo and Reading, UK. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.co.uk

© 2015 CyberSource Corporation. All rights reserved.

Learn more about our fraud management solutions www.cybersource.co.uk





Online Yes

Mobile Yes

ATM No

POS No

Call centre Yes

other More information available upon request






No


Yes

Certification



Other quality programms More information available upon request.

Other remarks Contact [email protected] for more information.

Clients

Main clients / references Turkish Airlines, China Eastern, Cinépolis, Webjet, Backcountry, ESET

Future developments For more information contact [email protected].

mailto:europe%40cybersource.com?subject=

mailto:europe%40cybersource.com?subject=

87COMPANY PROFILES

Company EntersektPlease use the version without the ® mark in very large or very small applicationsEntersekt is an innovator in transaction authentication, securing digital banking and payments by

harnessing the power of electronic certificate technology with the convenience of mobile phones. Financial institutions look to Entersekt to strengthen the bonds of trust they share with their customers and to deepen those relationships through innovative new services.

Website www.entersekt.com

Keywords for online profile Mobile security, mobile banking, online banking, card-not-present, out-of-band authentication, multi-factor authentication, push-based authentication, 3-D Secure

Business model Direct and through partners

Target market Financial institutions, card issuers, insurers, payment service providers

Contact Entersekt sales team: [email protected]

Geographical presence Africa, Europe, Middle East, North America

Active since 2008

Service provider type Digital identity service provider

Member of industry associations and intiatives

FIDO Alliance, WASPA

Services

Core services Mobile-app–based, multi-factor authentication and transaction signing of online banking, mobile banking, and card-not-present payments.

Other services Authentication in the consumer space (LastPass, Google Chrome), non-app-based out-of-band authentication and SIM-swap protection through push USSD.

Unique selling points Entersekt’s patented emCert technology generates public/private key pairs to uniquely identify enrolled mobile devices and validate two-way communications. A self-contained cryptographic stack and communications layer enables an end-to-end encrypted channel distinct from that initiated by the device, so transactions originating from the phone can still be authenticated out of band.

Pricing model Per user subscription

Partners Amazon Web Services, Citrix, IBM, Netcetera, Visa, MasterCard, American Express

Offering: authentication technology used

Technology used Industry-standard X.509 digital certificates; proprietary validation techniques developed specifically for the mobile phone; FIPS 140-2 Level 3 on-premise hardware appliance; dynamic public key pinning; secure browser pattern; device and application context for context-based risk scoring; advanced detection of rooting, jailbreaking, or similar mobile operating system security bypass hacks; support for fingerprint biometrics; NI USSD for non-app-based out-of-band authentication and SIM-swap protection.

Authentication context

Online Yes

Mobile Yes

ATM No

Branch/Point of Sale No

Call Centre Yes

Other: Card-not-present payments (3-D Secure), e-mail

Issuing process (if applicable)

Assurance levels conformity N/A

Online issuing process (incl lead time in working days)

Yes. Identity proofing and enrolment processes are set by the implementing institution, but there is no reason why remote device registration should take more than a few minutes. Options available for enroling a user include phone-based registration via one-time password, scanning a printed QR code, and a combination of scanning a bank card and inputting the associated PIN.

Face-to-face issuing (incl lead time in working days)

Yes. Identity proofing and enrolment processes are set by the implementing institution, but there is no reason why in-branch device registration should take more than a few minutes.

Issuing network Bank branches, online services

www.entersekt.com

mailto:sales%40entersekt.com?subject=


Attributes offered

Persons Level of trust (e.g. biometric data, password); signed authentication message

Companies For more information, please contact our sales team.

Reference data connectivity


Other databases N/A

Certification

Type Entersekt’s flagship product, Transakt, is FIDO Certified as a U2F (universal second factor) authenticator. Transakt is also validated with the Ready for IBM Security Intelligence program and Citrix XenApp. Entersekt’s card-not-present authentication solution is fully accredited by Visa, MasterCard, and American Express.

Regulation Entersekt’s solutions are engineered specifically for the heavily regulated financial sector and adhere to all major digital banking security mandates, including the requirements set out by the European Central Bank, the FFIEC, and the Monetary Authority of Singapore. They are compliant with ISO 21188:2006 (Public key infrastructure for financial services) and utilize hardware security modules certified as FIPS 140-2 Security Level 3 for encrypting and decrypting all authentication data.

Other quality programs The underlying technology is regularly validated by independent third parties to ensure it is invulnerable to new attack vectors.

Other remarks For more information, please contact our sales team.

Clients

Main clients / references Those listed in the public domain: Capitec Bank; Equity Bank; Investec; Nedbank; Old Mutual; Swisscard. For others, please contact our sales team.

Future developments For more information, please contact our sales team.

Digital banking and payments are a work in progress. Their future will be built on trust.Banks around the world look to Entersekt to strengthen the bonds of trust they share with their customers, and to help deepen those relationships by launching innovative new digital services.

Discover how our mobile-enabled authentication product Transakt™ can help your organization build richer, more satisfying online and mobile banking experiences, unrestricted by security concerns.

Transakt opens up digital banking.

entersekt.com

U2F

Security in your pocket

aMobile SDK or app

aPush-based

aOut of band

aMulti-factor

https://www.entersekt.com/

It’s modern fraud science made simple. Feedzai is the easy, straightforward solution for risk teams to upgrade to advanced machine learning fraud models. With Feedzai, today’s risk professionals in businesses large and small can now have the power of advanced data science to fight fraud and false alarms.

[email protected]: 650-260-8924EUR: +351-239-402-166

Using artificially intelligent algorithms, Feedzai keeps your payment safe and your commerce moving.

Reduce fraud by up to 80% with Feedzai. Schedule a demo today to see what Feedzai can do in real-time for your own business data.

mailto:info%40feedzai.com?subject=

91COMPANY PROFILES

It’s modern fraud science made simple. Feedzai is the easy, straightforward solution for risk teams to upgrade to advanced machine learning fraud models. With Feedzai, today’s risk professionals in businesses large and small can now have the power of advanced data science to fight fraud and false alarms.

[email protected]: 650-260-8924EUR: +351-239-402-166

Using artificially intelligent algorithms, Feedzai keeps your payment safe and your commerce moving.

Reduce fraud by up to 80% with Feedzai. Schedule a demo today to see what Feedzai can do in real-time for your own business data.

Company FeedzaiFeedzai was founded in 2009 by data scientists and aerospace engineers to make commerce safe for business customers through the use of artificially intelligent machine learning. Feedzai’s Fraud Prevention That Learns technology is used by large financial services companies to risk-score over USD 1 billion of commerce transactions each day.

Website www.feedzai.com

Keywords for online profile Machine learning platform to manage risk and prevent fraud.

Business model Software-as-a-service (SaaS)

Target market Online shoppers,financial institutions,payment services providers, government services, online communities / web merchants, gaming and gambling, other online businesses



Active since 2009

Service provider type Technology vendor, web fraud detection company


More information available upon request.

Services

Unique selling points Feedzai makes commerce safe for business customers and creates a better experience for their consumers through artificially intelligent machine learning. Financial services companies use Feedzai’s anti-fraud technology to keep commerce moving safely.

Core services Feedzai offers a machine learning platform to manage risk and prevent fraud that can process transactions at big data scale.

Pricing Model For more details contact our sales team at [email protected].

Fraud prevention partners SAP, Emailage, Socure, Deloitte, EnCap Security, Azul Systems, Cloudera, Datastax


Third party connection More information available upon request.




Card Verification Value (CVV) No

Bin lookup Yes





Yes



Credit Rating Yes


Other Machine learning


Online Yes

Mobile Yes

ATM Yes

POS Yes

Call centre Yes


www.feedzai.com

mailto:info%40feedzai.com?subject=

mailto:sales%40feedzai.com?subject=



Connectivity to governmental data More information available upon request.

Other databases More information available upon request.



No


Yes

Certification

Type PCIDSS Level 1

Regulation Directive 95/46/EC



Clients

Main clients / references First Data, top-tier banks

Future developments Deep learning

93COMPANY PROFILES

Company iovation Inc.iovation protects online businesses and their end users against fraud and abuse, and identifies trustworthy customers through a combination of advanced device identification, shared device reputation, device-based authentication and real-time risk evaluation.

Website www.iovation.com

Keywords for online profile device identification, device reputation, online fraud prevention, mobile fraud, account takeover prevention, device-based authentication, customer authentication, trust scoring

Business model SaaS

Target market Online businesses such as retailers, financial institutions, lenders, prepaid cards, insurers, social networks and dating sites, logistics, gaming/MMO, gambling operators, online auction sites, and travel and ticketing companies.

Contact Connie Gougler, Director of Marketing, [email protected], 503-943-6748

Geographical presence Global: iovation’s business is 51% US and 49% international

Active since 2004

Service provider type Device Identification Web Fraud Detection, Customer Authentication


Merchant Risk Council, Online Lenders Association

Services

Unique selling points iovation provides real-time SaaS for authentication and fraud prevention that tells our clients if a customer visiting their site is risky based upon specific criteria for evaluating the transaction or activity. iovation provides a score and result (allow, review, deny) for every transaction, allowing our clients to use an automated workflow. iovation’s global consortium contains the reputations of nearly 3 billion devices and 25 million fraud events such as chargebacks, identity theft, account takeovers, online scams and many more.

Core services iovation offers fraud prevention, customer authentication services and trust scoring/services.

Pricing Model Per transaction fee based on system usage depending on volume, type of transaction, and length of contract.

Fraud prevention partners Fiserv, Equifax, ID Analytics, Accertify, Kaspersky, ACI Worldwide, Verisk, Callcredit, Imperva, Zoot

Other services Our clients have access to the Fraud Force Community, an exclusive private B2B network of the world’s foremost security experts sharing intelligence about cybercrime prevention, device identification, new threats and other fraud-related topics.

Third party connection iovation delivers data in XML format, allowing output to be integrated easily with third-party systems.


Address verifications services No: While we do not offer AVS services, we capture the IP address and its geolocation. We can flag transactions from ‘blocked’ countries, as well as notify clients when mismatches occur between the IP address shown by the user’s browser and the IP address we collect with our Real IP proxy unmasking feature.

CNP transactions Yes: iovation’s service is primarily used to detect high risk activity at login, account creation, fund transfer and checkout. In addition, our iovation score helps identity the most trustworthy customers in our clients’ review queues so that they can take good business immediately, and offer higher-value promotions to their preferred customers.

Card Verification Value (CVV) No: This service is handled through our client’s payment processor.

Bin lookup No: This service is handled through our client’s payment processor.

Geo-location Checks Yes: iovation’s clients can flag transactions when activity is coming from an unauthorized country or through a proxy, and they can use our Real IP technology to pinpoint the user’s actual location.

Device Fingerprint Yes: iovation offers a defense-in-depth approach to device recognition, supporting native and web integrations for mobile, tablet and desktop devices.

Payer Authentication No: This service is handled through our client’s payment processor.

Device-based Authentication Yes: iovation’s authentication service allows clients to use their customer’s known devices to help verify identity. Authentication happens in real-time, behind the scenes, reducing unnecessary friction.

www.iovation.com

mailto:connie.gougler%40iovation.com?subject=



Yes: iovation’s velocity rules flag transactions when thresholds are exceeded. These may include situations where too many accounts are accessed per device, or too many new accounts are created within a timeframe. Specific rules include Accounts per Device, Accounts Created per Device, Countries per Account, Countries per Device, Transactions per Account, and Transactions per Device. Our service also flags transaction value thresholds, and other transactional velocities.

White list/black list database: Yes: iovation clients can flag transactions based on custom-built lists. These can be positive or negative lists. List types include accounts, devices, IP ranges, ISPs, locations and others, and are easily managed across rule sets.

Device Anomalies Yes: iovation clients can flag transactions when device settings are anomalous and indicative of risk. While individual device characteristics may not be proof of risk, certain characteristics may be worth monitoring, and several in combination with each other may indicate attempts by the user to evade detection.

Fraud and Abuse Records Yes: iovation clients can flag transactions that originate from an account or device already associated with fraud or abuse. Previous fraud or abuse is recorded in our system as evidence. The customer sets the types of evidence they want to consider, and decides whether to leverage only the evidence they log, or consider the evidence of other iovation subscribers.


Credit Rating No

Follow up action iovation’s fraud prevention service provides an Allow, Review or Deny result for each transaction. Clients then decide the best course of action to take in response to these results. iovation also returns detailed information about the device associated with the transaction; clients can store this data and correlate it back to identity management and other systems as needed.


Online Yes

Mobile Yes: iovation’s mobile SDK for iOS and Android identifies jailbroken or rooted devices, and captures device location through IP address, network-based geo-location information, and GPS data. The location services expose mismatches between the reported time zone and location, long distances between transactions made in short periods of time, and other location-based anomalies. It also detects transactions originating from virtual machines or emulators.

ATM No

POS No

Call centre No



Other databases MaxMind – IP geolcation



Yes: iovation delivers comprehensive online fraud prevention for mobile, tablet and PC-based transactions.


Our services focus on online transactions and complement a multi-channel prevention system.

Certification

Type

Regulation iovation supports FFIEC compliance by providing device identification and device-based authentication services.

Other quality programms iovation follows strict Quality Assurance processes for new products and services, and offers Service Level Agreements (SLAs) which include 99.9% uptime as a part of all customer agreements.

Other remarks

Clients

Main clients / references NetSpend, Bazaarvoice, Intuit, CashStar, Aviva Insurance, New Era Tickets, AT&T Performing Arts Center, SG North and hundreds more.

Future developments For more information, please contact iovation at [email protected]

mailto:connie.gougler%40iovation.com?subject=

95COMPANY PROFILES

Company Mitek (formerly IDChecker)Mitek (NASDAQ: MITK) is a global leader in mobile capture and identity verification software solutions. Mitek’s ID document verification and facial recognition allow an enterprise to verify a user’s identity during a mobile transaction, enabling financial institutions, payments companies and other businesses operating in highly regulated markets to transact business safely while increasing revenue from the mobile channel. Mitek acquired IDChecker in June of 2015.

Website www.miteksystems.com

Keywords for online profile ID document verification, biometric authentication

Business model Transaction model

Target market Card issuers, acquirers, payment processors, government services, business services



Active since 2004

Service provider type Identity verification



Services

Core services Mobile capture, ID document verification and biometric authentication.


Unique selling points Mobile ID verification bridges the gap between usability and security with mobile capture and ID docment verification. This boosts conversion rates, lowers onboarding costs and allows you to safely and securely approve more good customers for mobile transactions.

Pricing model Transaction based

Partners Experian – Contego – Crif – Vix


Technology used Saas


Online Yes

Mobile Yes

ATM No

Branch/Point of Sale Yes

Call Centre No

Other: Document Expert Examination

Issuing proces (if applicable)

Assurance levels conformity ISO 27001


N/A


N/A

Issuing network N/A

Attributes offered

Persons ID document Verification – including age verification

Companies N/A



Other databases N/A

www.miteksystems.com

mailto:sales%40miteksystems.com?subject=


Certification

Type ISO 27001

Regulation KYC

Other quality programs N/A

Other remarks N/A

Clients

Main clients / references Paypal – GWK Travelex – Experian – Randstad Group

Future developments N/A

97COMPANY PROFILES

Company PerseussPerseuss is the global travel industry’s own solution to the battle against fraud. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.

Website www.perseuss.com

Keywords for online profile fraud prevention, data sharing, collaboration, artificial intelligence, trusted platform, fraud data, negative database, positive database

Business model Subscription service

Target market Airlines, online travel agents, rail companies, hotels, car rentals, gaming and gambling, other online businesses



Active since 2009

Service provider type Technology vendor


IATA

Services

Unique selling points Perseuss is a secure community platform where merchants can legally share information about fraud cases they have encountered. Each member has access to the common database containing details of online purchases which were involved in either suspicious transactions or in confirmed fraud. It allows each business to verify their own sales data to identify any suspicious transactions.

Core services Data sharing platform including analysis, reporting, scoring and e-mail age verification.

Pricing Model Please ask company for more information.

Fraud prevention partners Please ask company for more information.

Other services Please ask company for more information.

Third party connection Accertify, ACI Universal Payments, Adyen, DataCash, Ingenico Payment Services, Wirecard, Worldpay, Ypsilon


Address verifications services No

CNP transactions No


Bin lookup Yes

Geo-location Checks No

Device Fingerprint No

Payer Authentication No


No

White list/black list database: Yes; watch list


Credit Rating No

Follow up action No

Other E-mail age verification, Social Media check


Online More information available upon request.

Mobile More information available upon request.

ATM More information available upon request.

POS More information available upon request.

www.perseuss.com

mailto:info%40perseuss.com?subject=


Call centre More information available upon request.




Other databases No






Certification





Clients

Main clients / references Please ask company for more information.

Future developments Please ask company for more information.

The global travel industry’s own solution to battle against fraud

Contact Us

PerseussSchellingweg 17DNL-1507 DR. ZaandamThe Netherlands

+31 75 653 94 04

[email protected]

Travel companies upload fraudulent bookings data

PERSEUSSDATABASECompany A

(e.g. Travel Agent)Sees suspect transaction so checks

details against database. This shows two other instances of same details used fraudulently. Analyst reviews

case, decides to decline booking and adds the booking data to Perseuss.

How Perseuss members use the system in everyday operations

Company B(e.g. Airline)

A few hours later Company B has a match with one of the data

elements uploaded by Company A. This uncovers a whole series of

bookings that turn out to be fraud.

mailto:info%40perseuss.com?subject=

ALWAYS ONE STEP AHEAD OF THE FRAUDSTERSReduce fraud and grow profits with smarter fraud prevention from Risk Ident

We protect millions of transactions every week, so your customers can buy securely and with confidence.

Contact us today: www.riskident.com | +44 (0) 203 668 3611 | [email protected]

RETAIL TRAVEL TELECOMS PAYMENTS FINANCIAL SERVICES GAMING

✓ BOOST CUSTOMER NUMBERS

✓ REDUCE FALSE POSITIVES

✓ ACCURATELY PINPOINT GENUINE FRAUD

✓ IDENTIFY ACCOUNT TAKEOVERS

✓ CUT AFFILIATE FRAUD

✓ PREVENT IDENTITY FRAUD

J711-SkyParlour-Risk-Ident-A4-Paypers-Advert-AW.indd 1 25/11/2015 12:59

http://riskident.com

101COMPANY PROFILES

ALWAYS ONE STEP AHEAD OF THE FRAUDSTERSReduce fraud and grow profits with smarter fraud prevention from Risk Ident

We protect millions of transactions every week, so your customers can buy securely and with confidence.

Contact us today: www.riskident.com | +44 (0) 203 668 3611 | [email protected]

RETAIL TRAVEL TELECOMS PAYMENTS FINANCIAL SERVICES GAMING

✓ BOOST CUSTOMER NUMBERS

✓ REDUCE FALSE POSITIVES

✓ ACCURATELY PINPOINT GENUINE FRAUD

✓ IDENTIFY ACCOUNT TAKEOVERS

✓ CUT AFFILIATE FRAUD

✓ PREVENT IDENTITY FRAUD

J711-SkyParlour-Risk-Ident-A4-Paypers-Advert-AW.indd 1 25/11/2015 12:59

Company Risk IdentRisk Ident offers anti-fraud solutions for companies within the ecommerce and financial sectors, empowering fraud managers with intelligence and self-learning machine technology to provide stronger fraud prevention. Risk Ident are experts in device fingerprinting and behavioural analytics, while its products are specifically tailored to comply with European data privacy regulations.

Website http://riskident.com

Keywords for online profile online fraud prevention, account takeover prevention, device indentification, worlwide device pool, automatic fraud detection, fraud case processing, credit risk evaluation, credit scoring

Business model Direct and through partners within the credit scoring industry.

Target market Web merchants, financial institutions, payment services providers, online communities, gaming and gambling, other online businesses


Geographical presence 90% Europe, 10% international

Active since 2013

Service provider type Technology vendor, web fraud detection company


Merchant Risk Council

Services

Unique selling points Risk Ident is a leading software developer for credit risk and fraud prevention tools. We are experts in applying trending algorythms and other machine learing components on different data feeds to indentify consumer credit and fraud risks in ecommerce. We also offer our own device fingerprinting solution, specializing in recognition of mobile devices.

Core services Fraud detection, credit scoring software and device fingerprinting services.

Pricing Model Monthly fees per user (fraud and credit software) / per transaction (device fingerprinting)

Fraud prevention partners Credit References Agencies: SCHUFA, CRIF


Third party connection Yes





Bin lookup Yes





Yes



Credit Rating Yes

Follow up action Various



Online Yes

Mobile Yes

ATM More information available upon request.

POS (Yes)

http://riskident.com

mailto:contact%40riskident.com?subject=


Call centre More information available upon request.



Connectivity to governmental data More information available upon request.

Other databases Identity & Address Providers, Credit Scoring Providers



Yes


Yes

Certification

Type ISO 27001 Data Center



Other remarks Fully EU data privacy compliance

Clients

Main clients / references Client lists for DE, CH, AT, UK, FR on request / Key investor Otto Group (#2 European online merchant)

Future developments Full credit and fraud risk service for online merchants and financial institutions.

103COMPANY PROFILES

Company SignicatSignicat is a secure identity cloud service provider with deep expertise in online electronic id (e-ID), advanced electronic signatures and PKI solutions. Wide coverage of national and public e-IDs in Europe accessible through one single point of integration. Signicat offers a secure and smooth integration for more than 150 customers cross border in industries like financial services, ecommerce and public sector. The services are available cross channel on multiple devices.

Website www.signicat.com

Keywords for online profile European e-IDs and eSignatures as a Service.

Business model Cloud Services (SaaS)

Target market Horizontal, with focus on financial services industry including card issuers and PSPs, telco and government

Contact Arne Vidar Haug, VP Bus Dev & Ole Christian Olssøn, VP Sales

Geographical presence Norway, Sweden, Denmark, Finland, the Netherlands, Estonia, Lithuania, Latvia, Spain

Active since 2007

Service provider type E-identity service provider and eSignature services.


Kantara Initiative, STORK 2.0, ePractice.eu, OSWALD,

Services

Core services Signicat offers customers access to wide range of European national e-IDs and eSignature services including timestamping, long term archiving and re-signing as a service. The company also provides issuing of IDs like password with SMS-otp and app-based Mobile ID in addition to single sign-on and identity services.

Other services Secure Web Forms, Single Sign-On based on pure SAML 1/2, ready made integration with IBM Tivoli, JAVA, .NET, SharePoint Oracle IAM and WebCenter/UCM.

Unique selling points Extend customer relationships, dialogue and self-service capabilities through our range of services. Connecting to available services through one standard interface (saml 1/2 etc.) that shortens time to market, improves ROI and offers customers the ability to focus on their core business.

Pricing model One time connection fee, pluss combination of monthly subscription and transaction fees.

Partners Close relationships with ISVs, Sis, tech companies (IBM, Oracle, Microsoft) and Biznode among others. Plug-ins to SalesForce and SuperOffice among others.


Technology used Cloud based services on industrial standardized protocols like XML, SOAP, SAML and HTTP.


Online Yes, through our own cloud service including eSignature.

Mobile Yes, through our own cloud service including eSignature.

ATM N/A

Branch/Point of Sale Standardized interfaces available for integration.

Call Centre Standardized interfaces available for integration.

Other: Standardized interfaces available for integration for multiple services in need of authentication and digital signatures.

Issuing proces (if applicable)

Assurance levels conformity N/A


Self service process, issued in a minute. Establishment of solution takes approx 2-5 days.


Issuer process face-to-face is handled by public or national eID issuer dependant on country.

Issuing network Online services like e-mail and SMS in addition to postal network, bank branches, notaries.

www.signicat.com


Attributes offered

Persons Name, address, SSN, birthplace, age, country, etc. Information available depends on selected e-ID used.

Companies Name, address, company registration no.(where applicable), procurists, signatory rights


Connectivity to governmental data Citizens public register, company register


Certification

Type ISA 3000 revision on ISO 27001 Information Security Policy in progress.

Regulation EU Signature Directive, ETSI in addition to the national directives for countries in Europe based on the EU Directive.

Other quality programs OWASP, ETSI

Other remarks Winner of IDDY (Identity Deployment of the Year)-award 2009.

Clients

Main clients / references Norwegian Post, SEB, If, Santander, Nykredit, Bank Norwegian and Norwegian Educational State Fund among others.

Future developments Continued support for new e-IDs in Europe including enhancements to Signature solutions, for example German nPA, Dutch eHerkenning and Swiss SwissID.

105COMPANY PROFILES

Company SocureSocure is the leader in digital identity verification. By applying machine-learning techniques with biometrics and intelligence from e-mail, phone, IP and online/offline and social media data, Socure bolsters fraud prevention and KYC/OFAC compliance programs for enterprises conducting business in over 180 countries, helping them to combat identity fraud, prevent account takeover, and increase consumer acceptance.

Website www.socure.com

Keywords for online profile identity verification, biometrics, fraud risk mitigation, KYC compliance, AML, OFAC, technology

Business model Subscription-based SaaS

Target market Financial institutions

Contact [email protected] +1.866.932.9013

Geographical presence Headquarters in New York City, used in over 180 countries worldwide

Active since 2012

Service provider type Digital identity service provider, technology vendor, web fraud detection company


ETA, BAI, MRC, SafeHarbor Certified

Services

Unique selling points Patented technology that uniquely blends trusted email, phone, online and offline data including social media network data and facial recognition. Ability to resolve identities across broad population using alternative data and provide fraud risk estimation assistance, easily integrates into existing processes. Technology is adaptive machine learning, where AI compensates to learn from false positives and improve predictive power over time, both globally and on a per-client basis.

Core services Socure provides identity verification services, fraud risk mitigation, CIP/KYC program compliance, financial inclusion, facial biometrics for transation verification.

Pricing Model Annual subscription, billed per API call.

Fraud prevention partners Feedzai, Zoot, Sphonic

Other services Transaction authentication, facial recognition, biometric identification

Third party connection More information available upon request.





Bin lookup No





No



Credit Rating No


Other OFAC checks


Online Yes

Mobile Yes

ATM No

POS Yes

www.socure.com

mailto:info%40socure.com?subject=


Call centre No

other More information available upon request.


Connectivity to governmental data Customizable




Yes


Yes

Certification

Type US/EU Safe Harbor, US SOC-2 (imminent)

Regulation KYC, CIP, AML, OFAC

Other quality programms Privacy compliance


Clients

Main clients / references More information available upon request.

Future developments More information available upon request.

107COMPANY PROFILES

Company Wirecard AGWirecard AG is one of the world’s leading independent providers of outsourcing and white label solutions for electronic payment transactions. Wirecard`s global multi-channel platform bundles international payment acceptances, methods and fraud prevention. Wirecard provides companies with an end-to-end infrastructure for issuing products, including the requisite licenses for card and account products.

Website www.wirecard.com

Keywords for online profile ecommerce, mobile payment, risk management, acquiring, issuing, credit cards, online banking, POS payment processing

Business model Please contact Wirecard for more information.

Target market Online shoppers, financial institutions, payment services providers, government services, online communities/web merchants, gaming and gambling, other online businesses

Contact [email protected] I +49 89 4424 1400

Geographical presence Europe, Middle East/Africa, Asia/Pacific

Active since 1999

Service provider type Digital identity service provider, technology vendor, web fraud detection company, payment service provider (PSP), issuer, acquirer


Please contact Wirecard for more information.

Services

Unique selling points Industry-specific and customizable fraud prevention models, continuous improvement of fraud prevention models based on direct access to fraud notifications of issuing banks, check of all transactions per merchant on every sales channel (eCom, mobile/mPOS, MOTO, POS + BSP/ATO/CTO for airlines) due to close technical integration with Wirecard Bank as acquirer.

Core services Fraud prevention for card payments and alternative payment methods, credit scoring, decision logics for credit limit calculation, transaction checks, merchant monitoring

Pricing Model Flexible pricing models, depending on requirements and volumes.

Fraud prevention partners Wirecard is integrated into multiple third party fraud prevention partners.

Other services Fraud analytics for customers, international address verification

Third party connection Providers of negative databases, credit agencies, international phone number verification





Bin lookup Yes





Yes



Credit Rating Yes


Other Fraud Prevention Suite with detailled Business Intelligence tools, 3D-Secure, CUP-Secure, Trust Evaluation Suite

www.wirecard.com

mailto:sales%40wirecard.com?subject=



Online Yes

Mobile Yes

ATM Yes

POS Yes

Call centre Yes

Other Industry-specific sales channels, e.g. BSP/ATO/CTO for airlines, mPOS


Connectivity to governmental data Sanction lists, e.g. EG 2580/2001, EG 881/2002, US DPL, US SDN, US entity list

Other databases Commercial attribute providers, e.g. credit databases, PEP screening



Yes


Yes

Certification

Type e.g. PCI-DSS certified; for more information please contact Wirecard.

Regulation KYC (KWG 24c), Anti Money Loundering (AML)

Other quality programms N/A

Other remarks N/A

Clients

Main clients / references More than 20,000 merchants from various industries.

Future developments Not to be disclosed.

FINANCIAL TECHNOLOGY FOR MORE THAN 20,000

CUSTOMERS.

Wirecard is the leading specialist for payment

processing and issuing.

wirecard.com

https://www.wirecard.com/


Glossary

A Account takeover A form of identity theft where a criminal gains complete control of

a consumer’s account, such as obtaining the PIN or changing the

statement mailing address.

Account Creation FraudUsing stolen, compromised or synthetic identities, typically through

a spoofed location, to create a new account to access online

services or obtain lines of credit.

Account Login FraudAttacks targeted at taking over user accounts using previously

stolen credentials available in the wild or credentials compromised

by malware or Man-in-the-Middle attacks.

Address Verification System (AVS) A system used to verify the address of a person claiming to own a

credit card. The system will check the billing address of the credit

card provided by the user with the address on file at the credit

card company. The other security features for the credit card

include the CVV2 number.

Anti-Money Laundering (AML)Procedures, laws or regulations designed to stop the practice of

making money that comes from illegal sources look like it came

from legitimate sources. The sum of legal controls that require

financial institutions and other regulated entities to prevent, detect,

and report money laundering activities

Application fraud A form of identity theft where a criminal uses the user’s personal

information to open new accounts and applications without his/her

knowledge.

ATM fraudFraud related to ATM card accounts where a card is used to

withdraw funds from a consumer’s account using a PIN-based

transaction at an ATM.

AuthenticationThe methods used to verify the origin of a message or to verify the

identity of a participant connected to a system and to confirm that

a message has not been modified or replaced in transit.

AuthorizationIs the function of specifying access rights to resources related

to information security and computer security in general and to

access control in particular.

BBank Identification Numbers (BIN) The first four to six digits on a credit card, which can be used to

identify the Issuing Bank that issued the card. BINs are traditionally

used by online merchants as a way to detect fraud by matching the

geographic area where the cardholder is located to the geographic

area identified in the Bank Identification Number.

Big DataLarge data sets that may be analysed computationally to reveal

patterns, trends, and associations relating to human behaviour

and interactions. By developing predictive models based on both

historical and real-time data, companies can identify suspected

fraudulent claims in the early stages.

Biometrics The use of a computer user's unique physical characteristics such

as fingerprints, voice and retina to identify that user.

Biometric DataA general term used to refer to any computer data that is created

during a biometric process. This includes samples, models,

fingerprints, similarity scores and all verification or identification

data excluding the individual's name and demographics.

Biometric Verification Any means by which a person can be either a) Identified or b) Verified

(authenticated), by evaluating one or more distinguishing biological

traits. An identification system (eg AFIS) consists of the original trait

and a database of stored traits, by comparing of a sample for close

matches.

111GLOSSARY

BYODBring your own device (BYOD) is an IT policy where employees

are allowed or encouraged to use their personal mobile devices

— and, increasingly, notebook PCs — to access enterprise data

and systems.

CCard Capture DeviceA device inserted into an ATM card slot which captures the data

contained on the card.

Cardholder-not-present fraudUsing stolen cards or card details and personal information, a

fraudster purchases good or services remotely - online, by telephone

or by mail order.

Change of address fraudOccurs when the fraudster obtains details of a genuine customer’s

account and then contacts the business to advise that he has

changed address. This is usually accompanied or followed by

a request for items of value such as a chequebook, debit card

or statement of account to be sent to the bogus ‘new’ address.

A false change of address is used to facilitate previous address

fraud and account/facility takeover fraud.

ChargebackChargeback occurs when a credit cardholder contacts their credit

card-issuing bank to initiate a refund for a purchase made on their

credit card. Chargebacks are generally the result of a cardholder

changing their mind, being dissatisfied with their purchase or a

case of fraud. The fraud can result from the unauthorized use of

their credit card (stolen card) or the cardholder purposely seeking

to dispute a legitimate purchase they made (see ‘delivery and

returns fraud’).

Consumer authenticationThe term used to describe tools intended to verify that the person

making the transaction is actually the person authorized to do so,

in both in-person and Card-Not-Present transactions.

CookieA small data file that is automatically stored on a user’s computer

for record-keeping purposes. It contains information about the

user in relation to a particular website, such as their username and

preferences.

CredentialData issued to an individual by a third party with a relevant authority

or assumed competence to do so that is presented to provide

evidence of a claim. A credential is a piece of information asserting

to the integrity of certain stated facts.

Credit card fraud Fraud committed using a credit card or any similar payment mechanism

as a fraudulent source of funds in a transaction. The purpose may be

to obtain goods without paying, or to obtain unauthorized funds

from an account. Credit card fraud is also an adjunct to identity

theft.

Crimeware ToolsCrimeware refers to malware specifically designed to automate

cybercrime. These tools help fraudsters create, customize and

distribute malware to perpetrate identity theft through social

engineering or technical stealth.

Criminal organisationA group of individuals who collude together to commit fraud.

CounterfeitingThe fraudulent reproduction of original documents/instruments in

a manner that enables the fraudster to pass them off as genuine/

original items.

Cybercrime (cyber fraud)The term encompasses criminal actions that target computer, internet,

or network utility, damaging functionality or infiltrating systems and

processes. Specifically, cybercrime can include malware, spyware,

phishing, pharming, viruses and worms.


Cryptography Protecting information or hiding its meaning by converting it into a

secret code before sending it out over a public network.

DData breachUnintentional release of secure information to an untrusted environment.

Data captureThe action or process of gathering data, especially from an automatic

device, control system, or sensor.

Delivery and returns fraudIs the act of defrauding a store via the return process. Delivery and

return fraud (also known as ‘friendly fraud’) involves legitimate

customers using valid payment cards and is akin to electronic.

Device ID The unique serial number or ‘fingerprint’ that a particular device has

embedded in it. It can be the combination of several components

(e.g. CPU + graphics card) and can include a threshold (i.e. less

than 100% matching) to allow for partial upgrades, such as with

the iPass (proprietary) solution.

Device SpoofingHackers delete and change browser settings in order to change

their device identity or fingerprint, or attempt to appear to come

from a victim’s device. Cookieless device identification is able

to detect returning visitors even when cookies are deleted or

changes are made to browser settings.

Debit card fraudFraud related to debit card accounts where a card is used to withdraw

funds from a consumer’s account.

Denial of Service AttackAn attack on a computer system or network that causes a loss

of service to users. A network of computers is used to bombard

and overwhelm another network of computers with the intention

of causing the server to ‘crash’. A Distributed Denial of Service

(DDoS) attack relies on brute force by using attacks from multiple

computers. These attacks can be used to extort money from the

businesses targeted.

Detection rateThe amount of fraud detected by a fraud prevention system at a

given level of account reviews.

Digital IdentityA collection of identity attributes, an identity in an electronic form

(e.g. electronic identity).

Dual-Factor Identification Rules Requirement that banks implement another type of password in

addition to the standard username and password combination. Many

banks present a picture that the consumer chooses in addition to

their password in order to recognize the bank.

EE-ID servicesServices for entity authentication and signing data.

Electronic data interchange (EDI) Is an electronic communication method that provides standards for

exchanging data. By adhering to the same standard, companies

that use EDI can transfer data from one branch to another and even

across the world.

EncryptionThe process of converting data into cipher text to prevent it from

being understood by an unauthorized party.

End-to-end encryptionUninterrupted protection of the integrity and confidentiality of

transmitted data by encoding it at the start and decoding it at the

end of the transaction.

Endpoint authenticationA security system that verifies the identity of a remotely connected

device (and its user) such as a PDA or laptop before allowing

access to enterprise network resources or data.

EMV EMV stands for Europay, MasterCard and Visa, a global standard for

inter-operation of integrated circuit cards (IC cards or "chip cards") and

IC card capable point-of-sale (POS) terminals and automated teller

machines (ATMs), for authenticating credit and debit card transactions.

113GLOSSARY

FFace recognitionBiometric modality that uses an image of the visible physical

structure of an individual face for recognition purposes.

False PositiveThe amount of good or true accounts flagged by the fraud prevention

system as fraudulent.

FirewallComputer hardware or software designed to prevent unauthorised

access to the system via the internet.

Fraud detectionA rule-based, image-enabled suite of products that offers a variety

of fraud detection capabilities at the point of presentment used to

prevent or mitigate losses associated with deposit and payment

fraud.

Federated identity A single user identity that can be used to access a group of websites

bound by the ties of federation. Without federated identity, users are

forced to manage different credentials for every site they use. This

collection of IDs and passwords becomes difficult to manage and

control over time, offering inroads for identity theft.

Fingerprint recognitionBiometric modality that uses the physical structure of the user

fingerprint for recognition. In most of fingerprint recognition

processes the biometric samples are compressed in minutiae points

that reduce the size of data and accelerate the process.

First-party fraudFraud committed against a financial institution by one of its own

customers.

ForgeryThe process of making or adapting documents, such as checks,

with the intent to deceive.

Fraud preventionPro-active steps taken by a company to insure itself against fraudulent

activity. This is usually in the form of enacted policies, systems and

controls in place to detect and monitor for fraudulent activity, and

communications to employees that instill ethical behavior.

Fraud screeningA checking system that identifies potentially fraudulent transactions.

Fraud screening helps reduce fraudulent credit card transactions,

reducing the need for manual reviews, minimizing bad sales and

improving a company’s bottom line.

Friendly fraudWhen a consumer (or someone with access to a credit card) makes

a purchase and then initiates a chargeback, saying they did not

make the purchase and/or did not receive the goods or services.

GGeo Location DetectionSet of diverse and ideally automated tests which help fraud protection

solutions assess the risk of fraud involved in a specific order passing

through a merchant’s website. These tests might include IP to Zip

Code, IP to Billing Address, High IP Cross Referencing, IP Geo

Location & Proxy Detection, and NPA NXX Area Code Web Service.

Geographical IP Detector (GID) A web shop or a fraud protection solution equipped with a GID

can easily locate the real physical (geographical) location of the

device, by tracking the IP Address.

Ghost terminalSkimming device where a fake ATM touch pad and reader are

placed over a legitimate ATM. Reader obtains card information and

PIN, but will not process the transaction since the legitimate ATM

does not function.

Global Address Verification DirectoriesThis feature enables fraud protection solutions compare the address

introduced by the visitor with the existing address, detecting any

fake data. It also helps e‐merchants keep their customers easily

reachable.


HHackerA person who uses computers to gain unauthorized access to data,

or a person who seeks and exploits weaknesses in a computer

system or network.

Hash functionA function that can be used to map digital data of arbitrary size to

digital data of fixed size. The values returned by a hash function

are called hash values, hash codes, hash sums, or simply hashes.

With Bitcoin, a cryptographic hash function takes input data of

any size, and transforms it into a compact string.

Host Card Emulation (HCE)On-device technology that permits a phone to perform card

emulation on an NFC-enabled device. With HCE, critical payment

credentials are stored in a secure shared repository (the issuer

data center or private cloud) rather than on the phone. Limited

use credentials are delivered to the phone in advance to enable

contactless transactions to take place.

IIdentityThe fact of being what an entity (person or a thing) is, and the

characteristics determining this. It is a collection of attributes.

Identity of Things (IDoT) An area of endeavor that involves assigning unique identifiers

(UID) with associated metadata to devices and objects (things),

enabling them to connect and communicate effectively with other

entities over the internet.

Identity providerA service provider that creates, maintains and manages identity

information for principals and may provide user authentication to

service providers (e.g within a federation).

Identity SpoofingUsing a stolen identity, credit card or compromised username /

password combination to attempt fraud or account takeover. Typically,

identity spoofing is detected based on high velocity of identity usage

for a given device, detecting the same device accessing multiple

unrelated user accounts or unusual identity linkages and usage.

Identity theftIdentity theft happens when fraudsters access enough information

about someone’s identity (such as their name, date of birth,

current or previous addresses) to commit identity fraud. Identity

theft can take place whether the fraud victim is alive or deceased.

Identity Provider Also known as Identity Assertion Provider is an authentication

module which verifies a security token as an alternative to

explicitly authenticating a user within a security realm.

InfoSec (information security)The practice of defending information from unauthorized access,

use, disclosure, disruption, modification, perusal, inspection,

recording or destruction.

Interchange feesThe interchange fee, also called the discount rate or swipe fee,

is the sum paid by merchants to the credit card processor as a

fee for accepting credit cards. The amount of the rate will vary

depending on the type of transaction, but averages about 2% of

the purchase amount. The interchange fee is typically higher for

online purchases than for in-person purchases, because in the

latter, the card is physically present and available for inspection.

Internet of Things (IoT) The network of physical objects that feature an IP address for

internet connectivity, and the communication that occurs between

these objects and other internet-enabled devices and systems.

InteroperabilityA situation in which payment instruments belonging to a given

scheme may be used in other countries and in systems installed

by other schemes. Interoperability requires technical compatibility

between systems, but can only take effect where commercial

agreements have been concluded between the schemes concerned.

Internet fraudAn illegal activity wherein a person in possession of internet banking

details of another person, impersonates them to use their funds.

115GLOSSARY

IP Address SpoofingCybercriminals use proxies to bypass traditional IP geolocation

filters, and use IP spoofing techniques to evade velocity filters

and blacklists. ThreatMetrix directly detects IP spoofing via both

active and passive browser and network packet fingerprinting

techniques.

KKey Stroke LoggerHardware or software that records the keystrokes and mouse

movements made on a particular computer. Hardware loggers can

be placed by dishonest staff or unauthorised visitors. Software

loggers can be installed in the same way, or more usually by

malicious email or malware. Authorised key loggers may be used

in order to facilitate an audit trail.

Know Your Customer (KYC) The term refers to due diligence activities that financial institutions

and other regulated companies must perform to ascertain relevant

information from their clients for the purpose of doing business

with them. Know your customer policies are becoming increasingly

important globally to prevent identity theft, financial fraud, money

laundering and terrorist financing.

LLevel of assurance (LoA) A quality-indicator for digital identity. It describes four identity

authentication assurance levels for e-government transactions.

Each assurance level describes the agency’s degree of certainty

that the user has presented an identifier (a credential in this context)

that refers to his or her identity. In this context, assurance is defined

as the degree of confidence in the vetting process used to establish

the identity of the individual to whom the credential was issued, and

the degree of confidence that the individual who uses the credential

is the individual to whom the credential was issued.

MMachine learningAn artificial intelligence (AI) discipline geared toward the

technological development of human knowledge. Machine learning

allows computers to handle new situations via analysis, self-

training, observation and experience.

MalwareOr malicious software, is software used or created to disrupt

computer operation, gather sensitive information, or gain access

to private computer systems. It can appear in the form of code,

scripts, active content and other software.

Man-in-the-browser A form of internet threat related to man-in-the-middle (MITM),

is a proxy Trojan horse that infects a web browser by taking

the advantage of vulnerabilities in browser security to modify

web pages, modify transaction content or insert additional

transactions, all in a completely covert fashion invisible to both the

user and host web application.

Man-in-the-middle In cryptography and computer security it is a form of active

eavesdropping in which the attacker makes independent

connections with the victims and relays messages between them,

making them believe that they are talking directly to each other

over a private connection, when in fact the entire conversation is

controlled by the attacker.

Mail Order – Telephone Order (MOTO)MOTO accounts are required when more than 30% of credit

cards cannot be physically swiped. Merchants that have a

MOTO merchant account usually process credit card payments

by entering the credit card information directly into a terminal

that contains a keypad, by using terminal software installed on a

personal computer, or by using a “virtual” terminal that allows the

merchant to use a normal web browser to process transactions on

a payment service provider’s website.

Money laundering The process of concealing the source of money obtained by

illicit means. The methods by which money may be laundered

are varied and can range in sophistication. Many regulatory

and governmental authorities quote estimates each year for the

amount of money laundered, either worldwide or within their

national economy.


Multi-factor authentication An approach to security authentication, which requires that the user

of a system provide more than one form of verification in order to

prove their identity and allow access to the system. Multi-factor

authentication takes advantage of a combination of several factors of

authentication, three major factors include verification by something

a user knows (such as a password), something the user has (such as

a smart card or a security token), and something the user is (such as

the use of biometrics).

OOne-time passwordA password that can be used only once, usually randomly generated

by special software.

Online fraudAny kind of fraudulent and/or criminal activity which is made via

online services such as e‐mail, messaging applications or websites.

The most common forms of online fraud affecting e‐merchants are

in the form of chargebacks, identity theft and credit card fraud.

Online fraudsterA person who commits fraud online, especially in business dealings.

OpenID An open standard that describes how users can be authenticated

in a decentralized manner, eliminating the need for services

to provide their own ad hoc systems and allowing users to

consolidate their digital identities. Users may create accounts

with their preferred OpenID identity providers, and then use those

accounts as the basis for signing on to any website which accepts

OpenID authentication.

PPasswordA word or other collection of characters used for authentication.

It serves as a security device to gain access to a resource.

PA DSSAlso known as Payment Application Data Security Standard, it is a

system designed by the Payment Card Industry Security Standards

Council and adopted worldwide. This system prevents payment

application from third parties from storing prohibited secured data.

Payment Card Industry Data Security Standard (PCI-DSS)A mandatory set of rules and regulations created to reduce credit

card fraud. PCI Compliance currently has six objectives: to build

and maintain a secure network, to protect cardholder data, to

maintain a vulnerability management program, implement strong

access control measures, regularly monitor and test networks, and

to maintain an information security policy. The PCI requirements

have been developed by the PCI Security Standards Council,

which includes American Express, Discover, JCB International,

MasterCard and Visa.

PharmingOccurs when a divert is set-up from a company’s real website,

without their knowledge, to a bogus website. When customers

attempt to access the real website the fraudsters gather customers’

account details and passwords which can then be used to facilitate

frauds.

Phishing A method which allows criminals to gain access to sensitive

information (like usernames or passwords). It is a method of social

engineering. Very often, phishing is done by electronic mail. This

mail appears to come from a bank or other service provider. It

usually says that because of some change in the system, the users

need to re-enter their usernames/passwords to confirm them. The

emails usually have a link to a page which is similar to the one of

the real bank.

PINA numeric code that is used as confirmation to finish a transaction

via payment card. The PIN number is used by entering it into a

keypad which grants authorisation.

Public Key Infrastructure (PKI)The infrastructure needed to support the use of Digital Certificates.

It includes Registration Authorities, Certificate Authorities, relying

parties, servers, PKCS and OCSP protocols, validation services,

revocation lists. Uses include secure e-mail, file transfer, document

management services, remote access, web-based transactions,

services, non-repudiation, wireless networks and virtual private

networks, corporate networks, encryption, and ecommerce.

117GLOSSARY

Point-to-point encryption (P2PE)A solution that encrypts card data from the entry point of a merchant's

point-of-sale (POS) device to a point of secure decryption outside

the merchant's environment, such as a payment processor like TSYS

Acquiring Solutions. The purpose of P2PE is to address the risk of

unauthorized interception associated with cardholder data-in-motion

during the transmission from the POS terminal to the payment

processor.

PrivacyPrivacy is the ability of a person to control the availability of information

about and exposure of himself or herself. It is related to being able to

function in society anonymously (including pseudonymous or blind

credential identification).

ProofingIdentity proofing is a common term used to describe the act of

verifying a person’s identity, as in verifying the “proof of an ID”.

Other terms to describe this process include identity verification and

identity vetting.

RReal-time risk managementA process which allows risk associated with payments between

payment system participants to be managed immediately and

continuously.

Relying party (RP) A website or application that wants to verify the end-user's identifier.

Other terms for this party include "service provider" or the now

obsolete "consumer".

Retail loss prevention A set of practices employed by retail companies to reduce and deter

losses from theft and fraud, colloquially known as "shrink reduction".

Risk assessment The process of studying the vulnerabilities, threats to, and likelihood

of attacks on a computer system or network.

Risk-Based AuthenticationRisk-based authentication uses multiple factors to determine

whether or not a person is who they claim to be online. Typically, this t

echnique includes the traditional username and password in

addition to who the user is, from where they are logging in, and

what kind of device they are using. Information such as historical

data is also used, which includes attributes provided from the

session as well as user behavior and transaction patterns.

SSmart card An access card that contains encoded information used to identify

the user.

Secure elementA tamper-proof Smart Card chip capable to embed smart card-

grade applications with the required level of security and features.

In the NFC architecture, the secure element will embed contactless

and NFC-related applications and is connected to the NFC chip

acting as the contactless front end. The secure element could be

integrated in various form factors: SIM cards, embedded in the

handset or SD Card.

SecurityIn ecommerce terms, security is ensuring that transactions are not

open to fraud. In ecommerce systems, security protocols protect

the consumer, the merchant and the bank from hackers and

fraudsters.

Security threat and risk assessmentA method that identifies general business and security risks for the

purpose of determining the adequacy of security controls with the

service and mitigating those risks.

Security token (authentication token)Is a small hardware device that the owner carries to authorize access

to a network service. The device may be in the form of a smart card

or may be embedded in a commonly used object such as a key fob.


Skimming Card skimming is the illegal copying of information from the magnetic

strip of a credit or ATM card. It is a more direct version of a phishing

scam. In biometrics and ID it could be the act of obtaining data from

an unknowing end user who is not willing to submit the sample at

that time.

Social engineeringManipulating people so they give up confidential information.

The types of information these criminals are seeking can vary, but

when individuals are targeted the criminals are usually trying to

trick people into giving their passwords or bank information, or

access their computer to secretly install malicious software that

will give them access to passwords and bank information as well

as giving them control over their computer.

Social Security FraudOccurs when a fraudster uses one’s Social Security Number in order

to get other personal information. An example of this would include

applying for more credit in one’s name and not paying the bills.

Spear PhishingA phishing e-mail that looks as if it came from someone the user

knows. Typically the e-mail contains a file that, when opened, will

infect the computer with a bot or a key logger.

SpoofsVarious scams in which fraudsters attempt to gather personal

information directly from unwitting individuals. The methods could

include letters, telephone calls, canvassing, websites, e-mails or

street surveys.

3D‐Secure3D Secure (3DS) is the program jointly developed by Visa and

MasterCard to combat online credit card fraud. Cardholders

introduce their password to verify their identity whenever they

make an online purchase. E-merchants willing to offer this security

service to its customers must be registered as a participating

merchant in the program. Only cardholders registered at Verify

by Visa or MasterCard SecureCode can actually be requested to

verify their data when purchasing online.

TThreatA threat consists of an adverse action performed by a threat agent

on an asset.

Examples of threats are:

• a hacker (with substantial expertise, standard equipment, and

being paid to do so) remotely copying confidential files from a

company network or from card;

• a worm seriously degrading the performance of a wide-area

network;

• a system administrator violating user privacy;

• someone on the internet listening in on confidential electronic

communication.

Third-party fraudFraud committed against an individual by an unrelated or unknown

third-party.

Third-partyA security authority trusted by other entities with respect to security

related activities.

TokenAny hardware or software that contains credentials related to

attributes. Tokens may take any form, ranging from a digital data

set to smart cards or mobile phones. Tokens can be used for both

data/entity authentication (authentication tokens) and authorisation

purposes (authorisation tokens).

Tokenization The process of substituting a sensitive data with an easily reversible

benign substitute. In the payment card industry, tokenization is one

means of protecting sensitive cardholder PII in order to comply with

industry standards and government regulations. The technology is

meant to prevent the theft of the credit card information in storage.

TrustThe firm belief in the competence of an entity to act dependably,

securely, and reliably within a specified context.

119GLOSSARY

Trusted framework A certification program that enables a party who accepts a digital

identity credential (called the relying party) to trust the identity,

security and privacy policies of the party who issues the credential

(called the identity service provider) and vice versa.

Trusted third-partyAn entity trusted by multiple other entities within a specific context

and which is alien to their internal relationship.

Two-factor authenticationTwo-factor authentication is a security process in which the user

provides two means of identification, one of which is typically a

physical token, such as a card, and the other of which is typically

something memorized, such as a security code.

UUser accountThe collection of data used by a system to identify a single user,

authenticate a user and control that user's access to resources.

Unique identityA partial identity in which at least a part of the attributes are

identifiers. Since at least some of the attributes (or combinations

thereof) are identifiers, the entity can be uniquely identified through

the unique identity within a certain context. A unique identity is an

identifier such as a unique number or any set of attributes that

allows one to determine precisely who or what the entity is.

VValidationConfirming that information given is correct, often by seeking

independent corroboration or assurance.

VerificationThe process or an instance of establishing the truth or validity of

something.

VirusA program that can replicate itself by inserting (possibly modified)

copies of itself into other programs, documents or file systems;

this process is described as the infection of a host.

VishingThe act of using the telephone in an attempt to scam the user into

surrendering private information that will be used for identity theft.

The scammer usually pretends to be a legitimate business, and

fools the victim into thinking he or she will profit.

Voice authorizationAn approval response that is obtained through interactive

communication between an issuer and an acquirer, their authorizing

processors or stand-in processing or through telephone, facsimile

or telex communications.

Voice over IP (VoIP, or voice over Internet Protocol) Refers to the communication protocols, technologies, methodologies

and transmission techniques involved in the delivery of voice

communications and multimedia sessions over Internet Protocol (IP)

networks, such as the internet. Other terms commonly associated

with VoIP are IP telephony, internet telephony, voice over broadband

(VoBB), broadband telephony, IP communications and broadband

phone.