Web Fraud Prevention, Digital Identity Market Guide 2015 2016

WEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY MARKET GUIDE 2015 / 2016
LATEST TRENDS AND INSIGHTS INTO SECURING DIGITAL IDENTITIES AND TRANSACTIONS

MRC - Building Better Commerce - Fraud & Payments Professionals

"In the ever-evolving and highly complex ecommerce industry, The Paypers’ Web Fraud Guide is a vital resource for fraud professionals. It encompasses a wealth of information on the latest security developments, fraud prevention strategies, digital challenges and upcoming web trends. This Guide is of great value because it is a compilation of past year insights and future expectations."
Danielle Nagao, CEO, MRC

"Ecommerce Europe is pleased to endorse The Paypers’ Web Fraud Prevention, Online Authentication & Digital Identity Market Guide. The analysis is a reliable reference source on the latest trends in the digital identity & web fraud ecosystem for both payment fraud professionals and readers interested in getting more in-depth information in this field."
Elaine Oldhoff, Ecommerce Europe

AUTHORS: Mirela Amariei, Tiberiu Avram, Ionela Barbuta, Simona Cristea, Oana Ifrim, Sebastian Lupu, Mihaela Mihaila, Andreea Nita, Adriana Screpnic
RELEASE: VERSION 1.0, DECEMBER 2015
COPYRIGHT © THE PAYPERS BV. ALL RIGHTS RESERVED.
Introduction

When it comes to security and fraud, we can safely state that 2015 has been a ‘time of great change’ - and 2016 will definitely follow the same trend. The online world as well as the payments landscape have been witnessing considerable transformation for a while now. The latest technology developments, regulatory changes and the entire digital revolution that has been under way for the last couple of years have made a significant impact on virtually every aspect of the financial and payments industry. However, in the middle of all these groundbreaking changes, internet fraud remains a constant reminder of the fact that with greater opportunities come greater risks. The numerous, almost never-ending data breaches and the tremendous rise of cybercrime in basically every sector have shaken consumers’ confidence regarding privacy and data protection.

Considering this ‘evil face’ of the transaction space, it has become quite clear to all market players that measures ought to be taken to block further increasing levels of payments fraud. With this in mind, retailers, fraud prevention service providers, payment service providers and policy makers have begun to feel the pressure and are currently struggling to develop advanced fraud prevention solutions and establish a legal framework in order to keep fraudsters at bay and keep sensitive data secure.

Therefore, taking into account that fraud detection & prevention, online security, risk management, digital identity and consumer authentication are instrumental in defining and securing the transactional ecosystem, special attention must continue to be paid to these aspects. As The Paypers is committed to delivering an annual analysis of the current state of affairs of the industry and to pointing out the key participants setting the scene for future developments in the fight against fraud, a new edition of the Web Fraud Prevention, Online Authentication & Digital Identity Market Guide has been compiled.

Featuring a two-part structure, the latest edition provides payment professionals with up-to-date data on the major cybersecurity highlights that have influenced the industry in 2015. Part 1 is a series of insightful perspectives on key aspects of the global digital identity transactional & web fraud detection space from industry associations and leading market players. In 2015, the transactional space has been mostly influenced by the long-awaited October deadline for the US EMV migration. With the new chip-embedded credit and debit cards as well as the new POS terminals, experts from the Smart Payment Association express their fear that fraudsters will focus their efforts on other vulnerabilities in the payments ecosystem, including ecommerce and m-commerce channels. Moreover, according to a survey conducted by Fattmerchant, despite the fact that 72% of businesses have not adopted EMV-compliant technology, the migration is still expected to lead to a considerable increase in card-not-present (CNP) fraud. The topic of EMV and its impact on US businesses is also approached by CardinalCommerce, which provides advice on how merchants can protect themselves against CNP fraud.

Part 1 also includes valuable input regarding projects and measures aimed at regulating the way data is collected, stored and processed. Hence, Time.lex provides an insight into the Safe Harbour agreement and what it means to merchants and web shops. Additionally, on the regulation front, the EPC shares an interesting perspective on the EBA Guidelines on the security of internet payments.

Key matters such as machine learning and the need for more coordinated collaboration between technology and human development have been highly debated by ACI Worldwide and Feedzai and briefly addressed by Risk Ident in an interview.

As always, cross-border ecommerce is at the forefront of the industry. Bearing in mind that an increasing number of companies decide to expand across borders, it has become more obvious that fraud is one of the most challenging barriers that needs to be overcome. Ecommerce Europe presents e-ID schemes as a solution to improve data protection and to increase convenience and consumer trust. All these major points are complemented by interesting perspectives on the Internet of Things and a new concept in managing identities – the Identity of Things (IDoT).
Additionally, in the case of fraud vs consumer authentication & verification, contributions from Consult Hyperion, the Biometrics Institute, MyBank, Natural Security Alliance and Wirecard feature unique views on the importance of authenticating online transactions. Finally, other thought leaders and some of the major industry associations which have provided their valuable input include Accertify, Signicat, the MRC, Neira Jones and Perseuss. They have all provided a resourceful analysis of the ever-changing digital identity, web fraud prevention and detection landscape.

Part 2 of the Guide is an outline of in-depth company profiles which allows readers unprecedented access to the global digital identity & web fraud market and complements the industry analysis.

The Web Fraud Prevention, Online Authentication & Digital Identity Market Guide is an insightful reference source highlighting key facts & trends in the global digital identity transactional and web fraud prevention & detection ecosystem.
Table of contents

4 INTRODUCTION

8 THOUGHT LEADERSHIP SECTION

9 TRENDS & DEVELOPMENTS IN SECURING THE TRANSACTIONAL ECOSYSTEM
10 Securing the User's Shopping Experience: Five Fraud Trends from 2015 | Markus Bergthaler, Global Director of Programs and Marketing, MRC and Mike Splichal, Program Manager, MRC US
12 Confronting Card Fraud in the Global Travel Industry 2005 - 2015 | Jan-Jaap Kramer, Chairman, Perseuss
14 Transacting with Retailers Is Now Omnichannel and So Is Fraud | Mark Beresford, Director, Edgar, Dunn & Company
16 Exclusive interview with Neira Jones | Advisory Board Member & Ambassador, Emerging Payments Association

19 BEST PRACTICES IN IDENTIFYING FRAUDSTERS & PREVENTING FRAUD LOSSES
20 Machine Learning – Keeping US One Step Ahead of Fraudsters | Jackie Barwell, Director of Fraud and Risk Product Management, ACI Worldwide
22 Addressing Delivery and Returns Fraud to Protect Profits | Catherine Tong, General Manager, Accertify
24 Exclusive interview with Roberto Valerio | CEO, Risk Ident
26 Myths About Machine Learning | Dr. Pedro Bizarro, Chief Science Officer, Feedzai
28 Work Smart – Does Your Fraud Team Suffer from Decision Fatigue | Mark Goldspink, Chief Executive Officer, ai Corporation
30 The Future is Mobile | Neil Caldwell, VP European Sales, CyberSource
32 360-Degrees Fraud Management: Securing the Customer Journey | Hugo Löwinger, Digital Identity & Fraud Management, Innopay
34 E-ID: Fraud and Risk Prevention in Cross-Border Ecommerce | Elaine Oldhoff, Ecommerce Europe

37 REGULATION, PRIVACY AND DATA PROTECTION
38 Security of Internet Payments: the EBA Two-Step Approach | Javier Santamaría, Chair, The European Payments Council
40 How EMV will Change Online Business in the US | Michael Roche, VP of Consumer Authentication, CardinalCommerce
42 Doing Business in Europe? Mandatory Data Protection Compliance in Every Single Country | Edwin Jacobs, Partner, time.lex
44 Will EMV Eliminate Card Fraud in the US? | Nicolas Raffin, President, Smart Payment Association

47 STRONGER CONSUMER AUTHENTICATION TO COMBAT ECOMMERCE FRAUD
48 Moving Beyond Passwords: Next Steps in Consumer Authentication | Carlos Häuser, Executive Vice President, Wirecard AG
50 Tokenization: From Account Security to Digital Identity | Tim Richards, Principal Consultant, Consult Hyperion
52 Exclusive interview with Isabelle Moeller | Chief Executive, Biometrics Institute
54 Bring Your Own Authentication: The Next Revolution against Web Fraud | André Delaforge, Head of Communication Advisory Committee, Natural Security Alliance

57 INSIGHTS INTO ELECTRONIC IDENTITIES IN EUROPE
58 Digital ‘Marble’ - Onboarding in the Age of Electronic Identity | Gunnar Nordseth, CEO, Signicat
60 Electronic Identity Verification: How MyBank Can Help | Fatouma Sy, Head of Product Development, MyBank and John Broxis, Managing Director, MyBank

63 DIGITAL IDENTITIES AND TECHNOLOGIES AT THE HEART OF SECURITY
64 Identity of Things (IDoT): A New Concept in Managing Identities | Emma Lindley, Managing Director, Innovate Identity
66 The Advent of IoT: Are We Facing A Trade-off Between Convenience & Security? | Ionela Barbuta, Senior Editor, The Paypers

68 COMPANY PROFILES

110 GLOSSARY
THOUGHT LEADERSHIP

TRENDS & DEVELOPMENTS IN SECURING THE TRANSACTIONAL ECOSYSTEM
MRC
Securing the User's Shopping Experience: Five Fraud Trends from 2015

As ecommerce enters its third decade, competition among companies to attract and retain customers is as intense as ever. While global Business-to-Consumer ecommerce sales (excluding travel and event tickets) are projected to hit a staggering USD 1.6 trillion in 2015, this total represents less than 7% of worldwide retail sales. It is clear that ecommerce still has tremendous growth potential. With that in mind, we have examined five ecommerce fraud trends as 2015 draws to a close.

1. Account takeover
Fraudsters can and will target any company or consumer who is vulnerable. As larger businesses invest more resources to prevent large-scale compromises and breaches, a greater number of small and medium-sized businesses are expected to be targeted. The use of mobile two-factor authentication is a growing trend to help protect customer accounts. In this case, a one-time-use code is sent to the consumer's mobile phone via SMS or a special app as an additional layer of account validation. Biometrics are also expected to play a larger role in consumer authentication as more smartphone models with fingerprint readers are sold and companies experiment with alternatives to passwords such as selfies.

2. Omnichannel / multichannel retailing
As more businesses integrate their physical retail presences with their online presences, companies need to ensure they have systems and processes in place to address potential exploits from all channels. For example, if a merchant offers in-store pickup on its website, fraud checks should still be performed, including in scenarios in which the delivery method is changed from one channel to another (delivery to in-store pickup, for example). Store personnel should also be trained on the importance of validating in-store pickup orders and need to be prepared to handle more complex circumstances such as identity theft.

3. Mobile fraud
Worldwide, mobile commerce sales will account for nearly half of total internet sales by 2018, according to Goldman Sachs. As more businesses introduce mobile apps and/or mobile-friendly websites, fraudsters will try to exploit merchants' fraud checks. Businesses must do more than just extend their fraud solutions to mobile platforms from the start. Merchants should leverage mobile-specific identifiers wherever possible, such as Mobile Equipment Identifiers (MEIDs) and International Mobile Subscriber Identities (IMSIs). As consumers increasingly use mobile phones and tablets to order goods and services online, businesses should also ensure their fraud solutions support any mobile-specific or mobile-friendly features, such as letting consumers use a mobile number in place of an e-mail address when creating an account.

4. Digital goods
For merchants offering downloadable content, such as games, apps/software, music, videos, and e-books, a big challenge to fraud prevention efforts is customers' expectation of near-instant fulfillment. Merchants need to strike a balance between debt from fraud, chargebacks, etc. and revenue. As quick reviews are essential in preventing legitimate customers from shopping elsewhere, it is imperative that companies leverage the power of data to help make decisions, whether those decisions are automated or manual. By joining a professional organisation such as the Merchant Risk Council (MRC), key fraud and payments personnel can gain valuable insights, discuss emergent threats and trends, and share best practices with other industry professionals.

5. US EMV rollout
As of October 1st, liability for card-present transactions in the US has shifted. Now, merchants can be held liable, unless they replace their point-of-sale hardware with technology compatible with the card chip standard known as EMV.
However, until merchants switch to authenticating purchases using the chips on EMV cards, instead of magnetic stripes, the change is unlikely to significantly reduce the incidence of fraud losses to counterfeit cards. Also, unlike the European rollout of EMV, the US rollout is less coordinated and PINs are not mandated. As a result, it is doubtful that there will be a drastic shift in fraud from the card-present to the card-not-present environment, at least initially. Ecommerce companies cannot become complacent, however. The MRC recommends that most companies use a layered approach with machine learning and manual reviews, with a focus on reducing friction for legitimate customers.

Conclusion
A common theme with these trends is customer experience. Fraud detection is more than just preventing illegitimate transactions from being processed; it is also about ensuring legitimate customers are not adversely impacted by automated and manual reviews. While online fraud remains a challenging space, we believe that those companies which balance prevention with customer experience will be best positioned to reap the rewards of the rapidly growing ecommerce landscape.

Markus Bergthaler, Global Director of Programs and Marketing, MRC
Mike Splichal, Program Manager, MRC US

About Markus Bergthaler: Markus Bergthaler, MRC Global Director of Programs and Marketing, oversees benchmarking, education, committees, communities, marketing and event content.

About Mike Splichal: Mike Splichal, MRC US Program Manager, coordinates content for committees, presentation archives and community forums. He also develops member training and certification programs.

About MRC: The MRC is an unbiased global community providing a platform for ecommerce fraud and payments professionals to come together and share information. As a not-for-profit entity, the MRC’s vision is to make commerce safe and profitable by offering proprietary education, training and networking as well as a forum for timely and relevant discussions.
www.merchantriskcouncil.org
Perseuss
Confronting Card Fraud in the Global Travel Industry 2005 - 2015

For the past ten years, service suppliers in the travel industry (airlines, train companies, shipping lines, online travel agents) have progressed from taking their first baby steps in online payments to a point where online transactions represent the vast majority of all ticket purchases. This period has seen significant change right across the sector. The industry has faced an extraordinary battering from card fraudsters and has had to reorganise rapidly to face this unexpected threat.

Looking back, we can now see that there were certain key developments which, collectively, led to a reversal of fortunes for the initially successful fraudsters. Businesses are now back in control of their payment operations and fraud has been reduced to manageable levels.

Collaboration between competitors
By far, the most important development has been the ability of fraud analysts to exchange information with each other in an informal manner: first, in meetings, secondly, in secure online forums. There are two main types of information, namely, structured data such as names and e-mails that need to be cross-checked against a database, and tips and best practices that can be shared informally.

Some of the meetings and online forums are for members only. Others are open to verified fraud analysts and professionals from any accredited organisation. For an individual who may be the only fraud-fighter in their organisation and with no-one else nearby to offer advice, these forums are like a life-support machine.

Collaboration between corporates
At a strategic level, the travel sector has created an industry-wide body where executives can meet and coordinate actions, both regionally and globally. There is a regular program of working groups that takes place at venues across Europe, Asia-Pacific and elsewhere in the world.

Key to the success of both personal and corporate collaboration is that people from different organisations continue to meet regularly face-to-face. Bonds of trust, once formed, can last a long time online, but occasional meetings in person reinforce and accelerate that trust.

Technology-wise collaboration
The next step in industry-wide collaboration is sharing data. When the working group is small, this can be done via e-mail messages, but once groups start to grow, automation is vital. Groups will need to establish steering committees to choose a neutral technology supplier who develops the various online forums and databases.

[Figure: Data sharing. Two flows around a SHARED DATABASE. Flow 1: a merchant sees a suspect transaction, so checks the details against the database; this shows two other instances of the same details used fraudulently; an analyst reviews the case and declines the booking. Flow 2: a merchant notices that a particular pattern is frequently used by fraudsters, focuses its own fraud detection efforts on that pattern and identifies many costly fraudulent transactions.]

The data-sharing technology itself has to be cloud-based and highly secure. It has to enable businesses to submit and share suspected fraud data legally, while always retaining ownership of the data. This way, a business can remain completely in control of its data, even after it has shared it. The database must be developed with a high degree of participation and input from working fraud analysts so the screens and layouts blend naturally into the operational workflow. This increases efficiency and improves decision-making.
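The two flows of the data-sharing figure, modelled as an added example (this is not Perseuss' own software): a shared negative database in which members cross-check suspect bookings against other members' reports, spot frequently reported patterns, and can withdraw their own data at any time to keep ownership of it. Member names, the sample records and keying on e-mail address are constructed assumptions, not details from the article.

```python
"""Added example, not Perseuss code: a minimal shared negative database
modelling the two flows in the 'Data sharing' figure. Assumptions (not from
the article): contributors are named by a string, records are keyed on the
e-mail address of the suspect booking, and a contributor may withdraw its own
records at any time, which is how 'retaining ownership of the data' is modelled.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FraudRecord:
    owner: str    # contributing member; only it may withdraw the record
    email: str    # structured identifier that other members cross-check
    name: str
    pattern: str  # label for the modus operandi seen on the booking


class SharedNegativeDatabase:
    """Central store fed by several members; each member keeps control of what it submitted."""

    def __init__(self):
        # e-mail (lower-cased) -> list of records reported under it
        self._records = defaultdict(list)

    def submit(self, record):
        key = record.email.strip().lower()
        if record not in self._records[key]:   # re-submitting the same record is harmless
            self._records[key].append(record)

    def withdraw(self, owner):
        """Drop every record `owner` contributed: the member remains in control of its data."""
        for key in list(self._records):
            kept = [r for r in self._records[key] if r.owner != owner]
            if kept:
                self._records[key] = kept
            else:
                del self._records[key]

    def check(self, requester, email):
        """Flow 1: cross-check a suspect booking; return matches reported by *other* members."""
        key = email.strip().lower()
        return [r for r in self._records.get(key, []) if r.owner != requester]

    def frequent_patterns(self, min_count):
        """Flow 2: patterns reported at least `min_count` times across all members."""
        counts = Counter(r.pattern for recs in self._records.values() for r in recs)
        return {p: n for p, n in counts.items() if n >= min_count}


def demo():
    """Constructed sample data walking through both flows of the figure."""
    db = SharedNegativeDatabase()
    # Constructed records from three hypothetical members (not real data).
    db.submit(FraudRecord("airline-a", "j.doe@example.com", "J Doe", "one-way, departs within 24h"))
    db.submit(FraudRecord("rail-b", "J.Doe@Example.com", "J. Doe", "one-way, departs within 24h"))
    db.submit(FraudRecord("airline-a", "k.roe@example.net", "K Roe", "one-way, departs within 24h"))
    db.submit(FraudRecord("ota-c", "m.poe@example.org", "M Poe", "multiple bookings, one card"))

    result = {}
    # Flow 1: ota-c sees a suspect booking for j.doe and checks the shared database.
    # Two other members have already reported the same e-mail, so the analyst declines it.
    hits = db.check("ota-c", "j.doe@example.com")
    result["matches_for_ota_c"] = len(hits)                      # 2
    result["reporting_members"] = sorted(r.owner for r in hits)  # ['airline-a', 'rail-b']
    # airline-a checking the same e-mail must not be shown its own submission.
    result["matches_for_airline_a"] = len(db.check("airline-a", "j.doe@example.com"))  # 1
    # Flow 2: which patterns are reported often enough to focus detection efforts on.
    result["frequent"] = db.frequent_patterns(min_count=3)
    # Ownership: rail-b withdraws its data, and the shared view changes immediately.
    db.withdraw("rail-b")
    result["matches_after_withdrawal"] = len(db.check("ota-c", "j.doe@example.com"))  # 1
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```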
Collaboration with partners
Merchants who provide travel services rely on a vast network of partners to oil the wheels of the industry and make everything work. Among these partners are payment service providers, software suppliers, banks, card schemes, industry associations, legal entities, national police forces, as well as international law enforcement agencies.

The travel industry had the foresight long ago to involve all of these bodies in the global war against card fraud. Since 2013, all of these organisations have been mobilised into a number of concerted drives to break up fraud gangs and arrest their members at the moment of committing crime. Hundreds of perpetrators have been charged with offences including human smuggling, drug trafficking and international prostitution. In many cases, the secondary crimes are far more serious than the card fraud which first brought them to the attention of the authorities.

All this collaboration has allowed the travel industry to present a truly joined-up front against fraud gangs. The gangs themselves are becoming increasingly sophisticated and technology-savvy. It is vital that the industry continues to make and strengthen connections with its partners to counter this ever-present threat.

Cross-industry collaboration
A very exciting prospect is for the travel industry to work with entirely different business sectors to fight fraud. Criminals do not recognise industry boundaries, so why should we?

Of course, the scale of operations will be significantly increased. There will be problems and challenges. But the lesson of the last ten years is that we must all collaborate more in order to isolate criminal gangs. If we do not, they will exploit the gaps between us and take the initiative. Then, we will find ourselves cut off, surrounded and struggling to catch up. That must not be permitted to happen.

Jan-Jaap Kramer, Chairman, Perseuss Steering Group

About Jan-Jaap Kramer: As Payments Manager for Martinair, Jan-Jaap was responsible for processing all ecommerce and call centre bookings. In 2011, he both established his own consultancy to help other businesses fight fraud and was elected Chairman of the Perseuss Steering Group.

About Perseuss: Perseuss is the global travel industry's own solution to the battle against fraud. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.
www.perseuss.com
Edgar, Dunn & Company
Transacting with Retailers Is Now Omnichannel and So Is Fraud

As retailers have enhanced their technical and business operations to better serve consumers across several channels, there has been a gap in dealing with fraudsters who are also adopting a cross-channel approach. In this respect, it is interesting to see that there are several exceptions to a standard ‘purchase’ transaction, particularly returned goods. This has been a specific area where different customer points of interaction did not properly communicate with each other. This means that fraudsters are targeting the loopholes that have appeared due to the lack of connectivity across channels.

Edgar, Dunn & Company (EDC) has found that many retailers do not treat different customer points of interaction individually. Instead, they take into account consumer behaviour and location to build a fraud strategy for each point of interaction – be it call centre, in-store customer service desk, a click-and-collect service desk, online, or at the point-of-sale. Retailers are aiming to ensure a seamless customer experience across channels and they should equally tackle fraud across all channels. They need a cross-channel view of their customer’s purchasing history, browsing history and preferred channel history - in-store, smartphone, tablet, laptop, desktop, in-store kiosk - to ensure that a customer is a good customer and is not deviating from their normal channel behaviour. Transacting with retailers is now omnichannel.

False positives
Declining a customer that is a good customer can lead to dramatic and detrimental customer behaviours. This is commonly the case where a customer could be known to be ‘good’ on a certain device but then uses a different device and is declined when engaging with the retailer simply because the fraud detection rules are not updated for the new device.

As merchants aim to serve customers across channels, fraudsters are also exploiting the lack of joined-up thinking by impersonating a service centre. They will cold call a customer, for example, claiming that their credit card or bank account has been subject to fraud during the transaction with the retailer. This can lead to customers revealing information about the transaction, and fraudsters are then able to change the arrangements for collection of the goods. The call will seem genuine and fraudsters will often quote titbits of the individual’s confidential transaction history information, such as their full name, address and account numbers, all information that the fraudster gleaned from an earlier hack of a retailer or financial institution. The ability to create a profile of a target customer is progressively easier to achieve by organised criminals operating at a distance.

Data mining
Usually, the fraudster will spoof the collection arrangements and change the location to a store more convenient for him to pick up the goods. This information is meant to make the conversation more credible, luring the customer into revealing additional information that can be used to arrange the collection of their newly purchased items. These products can be quickly sold on auction websites afterwards.

Another example would be fraudsters who send targeted phishing emails on behalf of the retailer or the bank in order to capture information about the customer. Fraud protection vendors are most concerned about evolving methods of phone fraud, especially because it is the least protected area when it comes to card-not-present (CNP) transactions and, therefore, the most vulnerable means of attack in a multi-channel environment, as found in large modern retailers.

Alternative forms of payment
A lot of retailers and fraud prevention vendors commonly collect fraud statistics for legacy products such as debit and credit cards. The more innovative retailers are issuing and accepting mobile wallets, carrier billing, prepaid payment products, loyalty and reward products, gift cards, and social and peer-to-peer payment products. Multichannel retailers are even starting to accept bank transfers such as Barclays’ Pingit.
As consumers become more familiar with Apple Pay and in-app purchases, they are expected to gradually become more adventurous in the selection of different methods of payment at different points of interaction with the retailer. If the store is closed, the Pingit app can be used by scanning a QR code on the shop window next to the goods on sale. However, the point of interaction could most likely be on an advertisement at a bus stop or at the back of a taxi, not necessarily in the store.

Fraudsters are able to program a smartphone to act as a false POS terminal, deface a QR code to redirect funds to another account, or even make a smartphone act as a false payment card. An attack that used to require insightful hardware engineering at the POS to bypass EMV technology is now just a software app. The emergence of new sales channels (and the integration between these channels) unfortunately enables fraudsters to ‘play one channel against another’, or identify potential cracks in omnichannel processes.

Fraud is an ever-evolving art and fraudsters are very creative in leveraging the retailers’ lack of fully integrated multichannel solutions. They are already preparing for a new wave of cross-channel fraudulent strategies in order to trick consumers at a wide variety of retailer interactions.

Mark Beresford, Director, Edgar, Dunn & Company

About Mark Beresford: Mark Beresford, Director at Edgar, Dunn & Company, has over 20 years’ experience in the payments sector. He heads the Retailer Payments Practice at EDC and works on strategic client engagements for major omnichannel retailers and payment service providers globally.

About Edgar, Dunn & Company: Edgar, Dunn & Company is an independent global payments consultancy founded in 1978. The company is widely regarded as a trusted adviser, providing a full range of strategy consulting services, expertise and market insight. EDC clients include payment brands, issuer and acquiring banks, processors and merchants.
www.edgardunn.com
Emerging Payments Association
Exclusive interview with Neira Jones

In the interview, Neira Jones points out that managing fraud in a hyper-connected environment will force businesses to manage risk effectively to support growth, performance and reputation.

The online landscape is changing at a faster pace and fraudsters are getting better at stealing money and identities. The industry needs a more reliable authentication system to create a safer environment. What do you see as a next step in consumer authentication?

By the end of 2015, there will be 7.2 billion people with an employment ratio of 60% representing 4.3 billion people (International Labour Organisation, World Bank). By then, 1.3 billion people (30%) will routinely work remotely (Symantec, August 2014) and by 2019, there will be 24 billion networked devices around the world, with an average of 3.2 connections per person. The pace of technological advancement, as well as increased sophistication and adaptability of criminals, have made identity theft and social engineering most successful. Indeed, in the UK, ID crime represented 48% of all fraud in 2014, with 82% of ID-related crimes committed online (CIFAS Fraudscape 2015). Worryingly, 23% of recipients open phishing e-mails and 11% click on attachments, and a phishing campaign of just 10 e-mails has a 90% success rate (Verizon DBIR 2015). In addition, machine-to-machine connections will triple to 10.5 billion by 2019 (CISCO, May 2015). All this connectivity means new opportunities for countries, businesses, people, as well as, unfortunately, fraudsters.

I like to link identity and authentication to social engineering because, if legitimate credentials fall into the hands of criminals, all bets are off. Technology alone cannot stop fraud, as evidenced many times, and most recently, when a UK company handed over an unprecedented GBP 1 million to a phone scammer that led an employee to transfer the money to bogus bank accounts, or when BitPay lost USD 1.8 million through a spear phishing attack.

I believe consumer-centric Identity & Access Management (IAM) vendors will start to provide enterprise grade solutions and enterprise IAM vendors will start moving from role-based access control (RBAC) to attribute-based access control (ABAC). Biometrics, behavioural/contextual analysis and low-latency threat monitoring/fraud prevention will all play a role in building a successful ecosystem.

So, it is not so much that we need an ‘authentication system’. We actually need several ways to manage identity and authentication that are proportional and commensurate to the potential risk associated with any interaction (be it human or machine) and with the necessary addition of appropriate operational processes to support them. The most sophisticated identity or authentication technologies can be deployed, but if appropriate governance processes are not equally matched, it will only be money down the drain.

Cybercrime has also gone mobile, do you think there is a need for multichannel fraud detection & prevention solutions to detect and manage fraud effectively, irrespective of channel?

Cybercrime has indeed gone mobile and, with the growth of the Internet of Things (IoT), equally hyper-connected. There is, however, at this stage, little evidence of serious harm. Indeed, with the rise of mobile devices and BYOD, we could have expected significant threats to organisations. But, as suggested by the Verizon DBIR 2015, there were less than 0.03% mobile devices infected with mobile malware each year, and the rise of the IoT did not exhibit a surge of attacks through that channel. Instead, criminals relied on phishing attacks, misuse of credentials and new varieties of malware that plague organisations of all sizes. Managing fraud in this hyper-connected environment will force businesses to manage risk effectively to support growth, performance and reputation. In this environment, comprehensive, real-time analytics will play a key role.
Neira Jones
In this hyper-connected environment,
comprehensive, real-time analytics will
play a key role
Advisory Board Member
& Ambassador
Emerging Payments
Association
IoT promises to be "the next big thing". Apart from the
About Neira Jones: Neira chairs the Advisory
innovation and convenience that it brings, the system
Board for mobile innovator Ensygnia & the
is not flawless. What are the main vulnerabilities we
Global Advisory Board for the Centre for
need to be aware of?
Strategic Cybercrime & Security Science and
As the IoT evolves, so should the understanding of its security
is a Founding Advisory Board Member for
requirements. The online web environment has had years to
GiveADay UK. She sits on the Advisory Board
mature, in line with the understanding of what needs to be done
of the Emerging Payments Association.
to secure it. As we all know, data breaches continue to happen
in the traditional online channel and old vulnerabilities continue
to be exploited. Exciting developments in the IoT should take
Twitter: twitter.com/neirajones
LinkedIn: www.linkedin.com/in/neirajones
advantage of what has already been learned in online and other
digital channels, and implement security by design rather than
About Emerging Payments Association:
as an afterthought. Key to this will be authentication of devices
The Emerging Payments Association (EPA) is
(and individuals) and data security as these technologies will
a community for the world’s most progressive
increasingly collect more and more personal data. From a process
payments companies. The EPA helps them to
and regulatory stance, data will be key as are the many contractual
have influence over the payments landscape
implications that will ensue due to an ever extended supply chain.
and get access to the people operating in it,
whether they are buyers, sellers or partners.
Would wearable technology transform the payments
industry? And where do we stand from a security point
www.emergingpayments.org
of view?
Wearable technology is only a subset of the IoT and, therefore, the
same issues apply, with the added emphasis on data collection,
protection and privacy as there is a direct link to individuals.
Will it "transform" the payments industry? I don’t think so. Will it
contribute to its evolution towards a payments ecosystem that is
frictionless and secure? I sincerely hope so. We are already seeing
some interesting deployments in the loyalty and engagement space
as well as in the production of new form factors (e.g. contactless
rings), which is where, I think, wearables will make the most impact
in payments.
LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONS
17
BEST PRACTICES IN IDENTIFYING FRAUDSTERS & PREVENTING FRAUD LOSSES
ACI Worldwide
Machine Learning – Keeping Us One Step Ahead of Fraudsters

Machine learning is a hot topic in fraud prevention, with both financial institutions and merchants looking to exploit advances in IT infrastructure and intelligent computing to protect their businesses from risk. But, what really is machine learning and how effective is it in detecting and preventing fraud?

Machine learning relies on algorithms which employ pattern recognition techniques to explore and learn the underlying structures in the data. By using past transaction data from fraudulent activity, alongside information from genuine customer transactions, these algorithms can be used to build predictive models which can forecast the probability of a transaction being fraudulent.

Predictive models deliver very tangible results in fraud detection. Their ability to extract meaning from complicated data means that they can be used to identify patterns and highlight trends which are too complex to be noticed either by humans or through other automated techniques. By running specific, effective algorithms and using them to make automated decisions, or generate alerts for suspicious activity, these techniques can save manual review time, reduce the number of false positives and quickly stop attempted fraud.

But this approach is by no means new. In fact, predictive models first became popular almost two decades ago, particularly with financial institutions which successfully used models to detect significant volumes of card-present fraudulent transactions and save millions.

Back then, however, fraud problems were simpler and patterns were easier to identify. Fraudsters have since become savvier and more innovative, driving demand for further change in fraud detection techniques to ensure that defensive capabilities can match fraudsters’ offensive capabilities.

Technology advances over the last decade in particular have aided the evolution of machine learning and ensured it has remained an effective fraud prevention measure. For instance, the increased availability and scale of raw computing power means that we can now process, segment and analyse data on a much larger and more complex scale. This allows fraud analysts to understand both localised and widespread occurrences of fraud. It also enables these complex processes to be accomplished faster, frequently in real-time.

Additionally, other information, such as data resulting from web behaviour analysis, can be fed into the predictive models, creating a new and valuable dimension to the model’s accuracy.

The development of new algorithms, machine learning techniques and programming expertise has also kept pace with changes in the payments and ecommerce landscape, with these latest techniques giving businesses the power to explore a much larger search area in the model optimisation space and increase detection rates.

While it is clear that machine learning has a lot to offer to financial institutions and merchants in an effort to detect and prevent fraud, the approach does have its limitations.

Because they learn from experience, predictive models cannot learn or spot monolithic events such as data breaches. For these you need to be running a rules-based model which uses negative lists and, preferably, consortium data.

Predictive models are also less adaptive at learning one-off events or transient phenomena. Our experience with customers around the world has taught us that combining predictive models with a customised rules engine delivers the optimal fraud prevention solution. The ability and flexibility of a comprehensive rules engine to deal with seasonal changes, emerging trends and one-time events complements the sophisticated pattern recognition techniques deployed by predictive models.

At ACI, we firmly believe in the future of advanced machine learning and predictive models as an integral and vital part of a winning fraud strategy. We have our own patented predictive models which have been used by customers for many years. Backed by these predictive models, ACI’s rules-based systems are constantly updated to augment performance and provide multifaceted coverage and protection. It is this holistic approach to fraud prevention that provides effective protection against the risk of fraud without compromising customer service, driving costs further upwards, or increasing the demand on scarce in-house resources.

Figure: Predictive models – part of a multi-dimensional fraud management solution

Developments and enhancements will, of course, need to continue to meet the ever-changing needs of the industry as both consumers and fraudsters adapt their behaviour. At ACI, we are now exploring the use of smaller, more focused and tactical models, trained specifically on a closely targeted set of data – for example, a specific merchant sector or geography. This will enable merchants to benefit from more sophisticated solutions which are faster to deploy and designed to address their specific trading landscapes. As fraud develops, predictive models will too, enabling us to keep one step ahead.

Jackie Barwell
Director of Fraud and Risk Product Management
ACI Worldwide

About Jackie Barwell: Jackie is the Director of Fraud and Risk Product Management at ACI Worldwide, having joined the ACI family as part of their acquisition of ReD in 2014. Jackie has more than 27 years’ experience within the financial crime arena.

About ACI Worldwide: ACI Worldwide, the Universal Payments company, powers electronic payments and banking for more than 5,600 financial institutions, retailers, billers and processors worldwide. ACI software processes USD 13 trillion each day in payments and securities transactions.
www.aciworldwide.com
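The combination the article argues for, a learned model that scores from history plus a rules layer that catches what history cannot teach, is easiest to see in code. The following is an added example, not ACI's software: it trains a small logistic-regression model on constructed transactions, then wraps it in a rules engine holding a negative list (standing in for consortium breach data) and a velocity rule. The transaction fields, the weights the model learns, the breached card tokens and the decision thresholds are all constructed for illustration.

```python
"""Hybrid scoring: a learned model plus a rules layer on top of it.

Added example, not ACI's code. A small logistic-regression model is
trained on constructed transactions and then wrapped in a rules engine
that covers what a model trained on history cannot learn: a negative
list of cards exposed in a breach (a one-off, 'monolithic' event) and a
velocity rule for a transient burst of activity. All data, weights and
thresholds are constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    card: str            # card token (already tokenised upstream)
    amount: float        # transaction amount
    hour: int            # local hour of day, 0-23
    new_device: bool     # first time this device is seen for the card
    addr_mismatch: bool  # shipping address differs from billing address


def features(t: Txn) -> list[float]:
    """Feature vector with a bias term; amount scaled to roughly 0-1."""
    return [1.0, t.amount / 1000.0, 1.0 if t.hour < 6 else 0.0,
            float(t.new_device), float(t.addr_mismatch)]


def _sigmoid(z: float) -> float:
    return 0.0 if z < -500 else 1.0 / (1.0 + math.exp(-z))


def train_logreg(rows, epochs: int = 500, lr: float = 0.5) -> list[float]:
    """Plain stochastic gradient descent on the log-loss; no library needed."""
    w = [0.0] * 5
    for _ in range(epochs):
        for t, label in rows:
            x = features(t)
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - label
            for i, xi in enumerate(x):
                w[i] -= lr * err * xi
    return w


def model_probability(t: Txn, w: list[float]) -> float:
    """Learned probability that t is fraudulent."""
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, features(t))))


# Constructed training history: genuine transactions labelled 0, fraud 1.
TRAINING = [
    (Txn("c1", 40, 14, False, False), 0), (Txn("c2", 120, 10, False, False), 0),
    (Txn("c3", 65, 19, False, False), 0), (Txn("c4", 30, 12, True, False), 0),
    (Txn("c5", 200, 9, False, False), 0),
    (Txn("c6", 950, 3, True, True), 1), (Txn("c7", 700, 2, True, True), 1),
    (Txn("c8", 1200, 4, True, False), 1), (Txn("c9", 850, 1, False, True), 1),
]
WEIGHTS = train_logreg(TRAINING)

# Rules layer. The negative list stands in for consortium breach data: the
# model has never seen these cards, so it could not have learned them.
BREACHED_CARDS = {"c42", "c77"}  # constructed
VELOCITY_LIMIT = 3               # prior transactions on the same card in the window


def rule_hits(t: Txn, recent: list[Txn]) -> list[str]:
    hits = []
    if t.card in BREACHED_CARDS:
        hits.append("NEGATIVE_LIST")
    if sum(1 for r in recent if r.card == t.card) >= VELOCITY_LIMIT:
        hits.append("VELOCITY")
    return hits


def decide(t: Txn, recent: list[Txn], w: list[float] = WEIGHTS):
    """Combine model score and rules into (decision, score, reasons)."""
    p = model_probability(t, w)
    hits = rule_hits(t, recent)
    if "NEGATIVE_LIST" in hits or p >= 0.9:
        return "DECLINE", p, hits
    if hits or p >= 0.5:
        return "REVIEW", p, hits
    return "APPROVE", p, hits


if __name__ == "__main__":
    # Looks genuine to the model, but the card is on the breach list.
    print(decide(Txn("c42", 55, 13, False, False), []))
    # Burst of small transactions on one card: the velocity rule fires.
    burst = [Txn("c5", 20, 11, False, False)] * 3
    print(decide(Txn("c5", 20, 11, False, False), burst))
```

The first call in the usage block is the point of the article: a small daytime purchase on a known device scores as genuine, and only the negative list declines it. The velocity rule shows the other gap, a transient burst that the model has no history for. In production the negative list and the model would be refreshed on different cadences, which is exactly why the two layers are kept separate.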
Accertify
Addressing Delivery and Returns Fraud to Protect Profits

A fraud team usually focuses on the actions of professional fraudsters. These are the criminal pros who attempt to steal on a large scale using automation and thousands of stolen payment cards. It makes sense to aim the artillery at big threats. Now, a different kind of smaller scale fraud scenario perpetrated by amateurs is gaining traction on the fraud battlefront. It’s called delivery and returns fraud.

The unknown challenge
How many retailers really understand all the areas of shrinkage or loss in their business and quantify these losses accurately? Delivery and returns fraud, the act of defrauding a retailer via the returns process, is an increasing issue where fraudsters are exploiting supply chain processes. We are not talking false payment data here, but something a bit harder to detect. Akin to electronic shoplifting, an individual attempts one low-value fraud action, one retailer at a time. Some incidents involve fraud via a delivery channel, while others use variants of fraudulent returns. Sometimes customers come across this type of fraud by accident as they realise weaknesses in retailer processes, but because they see it as a small scale cost to a retailer, they do not perceive it to be fraud. Whether on a small scale, or something which becomes a customer habit, ultimately the customer is ending up with either product or refunds they should not have received.

Historically, retailers have focused on chargeback losses. However, as retailers have brought this area of risk under control, either new areas of risk have become more visible, or the fraudsters have started to change their behaviour. Delivery and returns fraud may seem small scale even to the retailer, but collectively the losses can add up quickly. Many businesses do not have the visibility of how big a problem this is becoming. According to the 2014 National Retail Federation Return Fraud Survey, the industry was estimated to lose USD 10.9 billion in 2014 alone.

The many guises of delivery and returns fraud
One of the challenges of fighting this type of fraud is that there are multiple guises it can take.

• Wardrobing – Want to go to a party and wear that expensive dress or tuxedo? With this tactic, you don’t have to pay a penny to have that special outfit. Wardrobing is making a legitimate purchase with the intention of using the item and returning it for the full value.
• Delivery denial – “I never received my goods and want a refund!” But you did receive the goods. You didn’t have to sign for the parcel and so who knows whether the delivery driver did in fact leave it. Or, if you were to claim you never saw it, even though it is on your kitchen table, who’s to know?
• Bait-and-switch – That 1 year guarantee seems to be timed perfectly to when something breaks, and it is only a couple of weeks outside that timeframe. Purchasing a working item and returning a damaged or defective identical item that was already owned, however, is still not a legitimate transaction.
• Courier fraud – Orders are intercepted and never received by the consumer. It is worth remembering that it is not always the end customer who is committing the fraud. Multiple people are involved in the supply of a product from retailer to customer and understanding if it is someone involved before reaching your customer is just as important.

The common theme here is that each of these tactics can result in the retailer losing a product and the sale from it, therefore impacting profitability, but in many cases without the retailer recognising the underlying causes of this decreased profitability.

Monitoring and addressing delivery and returns fraud
Retailers have been applying various methods to address this issue, with many being very manual and non-sustainable processes. Many have struggled with being able to track regular offenders and stop them before they attempt this type of fraud again. Many have also faced the challenge that some customers only show this behaviour once or twice.

Accertify believes the key to reducing delivery and returns fraud is to target who is involved in the delivery or return of the product. Retailers can leverage our platform to analyse each consumer’s behaviour and identify out-of-pattern returns and other delivery anomalies.

Our multi-merchant database allows each participating retailer to benefit from collective knowledge about returns fraud and thereby try to limit its losses. Retailers learning from each other is invaluable; they can now use this tool to benefit from other participating customers who have already leveraged data associated with prior fraudulent deliveries and returns.

Retailers are now able to manage a much broader set of risks in one place, improving efficiency for their business, whilst bringing on new ways to help protect themselves. They can still have different teams managing these different aspects of their business, but managing all the data and fraudulent behaviour in the same place enables them to track changes in fraudster behaviour more easily and collaborate internally.

Catherine Tong
General Manager
Accertify

About Catherine Tong: Catherine Tong is General Manager for Accertify in EMEA leading a team of fraud specialists, and partnering with companies from a variety of industries on their fraud management strategies as they enter and grow in new markets. Before joining Accertify, Catherine held various senior risk roles at retailer Tesco and PwC.

About Accertify: Accertify Inc., a wholly owned subsidiary of American Express, is a leading provider of fraud prevention, chargeback management and payment gateway solutions to merchant customers spanning diverse industries worldwide. Accertify’s suite of products and services, including machine learning, help ecommerce companies grow their business by driving down the total cost of fraud and protecting their brand.
www.accertify.com
Risk Ident

Risk Ident points out that technology should not replace fraud managers. Instead, it should be used to empower them to take an educated, proactive approach by identifying and tackling fraud at the source.

In today’s ever-changing online environment, identifying fraudulent transactions has become a major hurdle. How can companies like Risk Ident help merchants detect and stop suspicious transactions?

Ecommerce is in a continuous state of evolution and is expected to be worth GBP 185.44 billion (EUR 219.44 billion) in 2016. This makes online payments more and more of an attractive option for fraudsters whose increasingly sophisticated techniques create a moving target for merchants looking to identify and tackle fraudulent transactions.

At Risk Ident we deliver the best use of quality anti-fraud data in Europe by using machine learning and behavioural analytics to help support fraud managers by intelligently processing a wide range of input sources, such as device identification. Using rules alone or monitoring single transactions is no longer as effective at detecting and stopping suspicious transactions. Establishing relationships between transactions helps merchants recognise potential fraud patterns without the need for expensive additional databases, acting fast to protect them from fraud.

Some herald the combination of machine learning and 'human detectives' as the next major revolution in fighting fraud. How do you feel about this combination of man and machine to find and fix weaknesses of the system?

We are passionate in our belief that man and machine – together – offer the strongest possible defence against fraud when used in combination. Machine-led intelligence has undoubtedly enhanced the proficiency of fraud prevention thanks to advanced algorithms which outshine the more traditional rule-based approach. It is important that companies take advantage of this technology and use it to further boost their fraud managers’ knowledge of their own fraud problems.

Machine learning should not be used to the detriment of human detectives, who are crucial for judging data choices to ensure legal compliance, and for giving individual consideration to any borderline cases that need the application of human processing.

Modern methods of data science and software engineering help provide smarter technology that works more intelligently than traditional anti-fraud processes, pooling data for analysis that helps guard against repeat fraudsters without requiring private personal information. Ultimately, technology should not replace fraud managers. Instead, it should be used to empower them to take an educated, proactive approach by identifying and tackling fraud at the source.

What are some of the main changes that you would expect to impact the fraud prevention landscape following the Safe Harbour ruling from the ECJ?

The recent ECJ decision to suspend Safe Harbour could catalyse major changes for the fraud prevention landscape, affecting the data privacy and anti-fraud processes of businesses on both sides of the Atlantic. The ruling will have especially significant ramifications for businesses which depend on sharing data with organisations in the US in order to stay secure. Companies that want to establish more local, European-based data centres for customers’ data in the EU will have to adhere to European data privacy laws, which are traditionally much stricter. However, this still does not offer a total solution to EU businesses as the US Freedom Act, Section 702 (FAA 702) remains in use by the US government, which allows them to obtain data stored in Europe by US companies.

The ruling is potentially good news for European businesses and customers however, as it has brought the focus back to customer privacy. We do not expect it to be a huge barrier to businesses. But, it will undoubtedly cause friction and uncertainty before an alternative is agreed on in 2016. The ruling, together with the recent high-profile Weltimmo and Schrems cases, has certainly brought data privacy and the ethics of data sharing into concentration for EU businesses. It is still possible to promote security while maintaining privacy by anonymising data, and it is something we very strongly believe in.

From your point of view, what is the best approach to gaining customers’ trust when it comes to data privacy and fraud protection?

Risk Ident was founded and built specifically with European privacy laws in mind and we strongly believe in smarter fraud prevention technology that helps maintain privacy without compromising security. We welcome moves by the European authorities that publicly and legislatively recognise the importance of data privacy in Europe.

There are far too many organisations out there that give customers the impression that giving up more of their privacy is in their best interests in order to stay safer online in the long run. This is definitely not the case. It is possible for personalised information to be kept separate from anonymised data, such as device identification, and to gain customers’ trust while keeping their payments safe. It is paramount that businesses are transparent with their customers and fully available to help manage any data sharing concerns.

Roberto Valerio
CEO
Risk Ident

"Too many organisations argue that it’s in the users’ best interest to give up more privacy as it will keep them safer online. This is not necessarily true…"

About Roberto Valerio: Roberto Valerio is the CEO of Risk Ident, leading the day-to-day management of the company. He is responsible for driving the development of the business to serve merchants in need of a modern, intelligent approach to online fraud prevention.

About Risk Ident: Risk Ident offers anti-fraud solutions for companies within the ecommerce and financial sectors, empowering fraud managers with intelligence and self-learning machine technology to provide stronger fraud prevention. Risk Ident are experts in device fingerprinting and behavioural analytics, while its products are specifically tailored to comply with European data privacy regulations.
www.riskident.com/en
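Two of the interview's points, linking transactions through device identification and keeping personal information separate from the identifiers used for analysis, can be combined in one small pipeline. The following is an added example and not Risk Ident's code: device fingerprints and account e-mails are replaced by keyed hashes (HMAC-SHA256 under a secret held by the merchant) before they reach the linking step, which then looks for one device behind many accounts. One caveat a practitioner should keep in mind: keyed hashing is pseudonymisation rather than anonymisation, since whoever holds the key can re-identify, so the key has to stay out of the analysis layer. The transactions, key and threshold are constructed for illustration.

```python
"""Linking transactions by pseudonymous device identity, without raw PII.

Added example, not Risk Ident's code. Device fingerprints and account
e-mails are replaced by keyed hashes (HMAC-SHA256 under a secret only the
merchant holds) before they reach the analysis layer, which then links
transactions that share a device. The pattern flagged is one device
behind many accounts. Keyed hashing is pseudonymisation, not
anonymisation: the key holder can re-identify, so the key must be kept
out of the analysis layer. Sample data are constructed.
"""
import hashlib
import hmac
from collections import defaultdict


def pseudonym(secret: bytes, kind: str, value: str) -> str:
    """Keyed, domain-separated hash.

    Normalising the value means 'Alice@Example.com' and 'alice@example.com'
    link to the same token; the kind prefix means a device id and an e-mail
    with the same text never collide; a different key yields unrelated
    tokens, so two merchants' data cannot be joined without the keys.
    """
    msg = kind.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise(secret: bytes, txns):
    """Strip PII at the boundary: the analysis layer sees tokens and amounts only."""
    return [
        {
            "txn_id": t["txn_id"],
            "device": pseudonym(secret, "device", t["device_fp"]),
            "account": pseudonym(secret, "account", t["email"]),
            "amount": t["amount"],
        }
        for t in txns
    ]


def link_by_device(records, min_accounts: int = 3):
    """Return (suspicious device tokens, ids of transactions on those devices).

    A device token used by min_accounts or more distinct account tokens is
    the relationship between transactions that single-transaction checks miss.
    """
    accounts = defaultdict(set)
    for r in records:
        accounts[r["device"]].add(r["account"])
    suspicious = {d for d, accs in accounts.items() if len(accs) >= min_accounts}
    flagged = [r["txn_id"] for r in records if r["device"] in suspicious]
    return suspicious, flagged


# Constructed raw transactions as they arrive from the shop (contain PII).
RAW_TXNS = [
    {"txn_id": "t1", "device_fp": "fp-A", "email": "alice@example.com", "amount": 40},
    {"txn_id": "t2", "device_fp": "fp-A", "email": "bob@example.com", "amount": 60},
    {"txn_id": "t3", "device_fp": "fp-A", "email": "carol@example.com", "amount": 55},
    {"txn_id": "t4", "device_fp": "fp-A", "email": "Alice@Example.com", "amount": 45},
    {"txn_id": "t5", "device_fp": "fp-A", "email": "dave@example.com", "amount": 70},
    {"txn_id": "t6", "device_fp": "fp-B", "email": "erin@example.com", "amount": 30},
    {"txn_id": "t7", "device_fp": "fp-C", "email": "frank@example.com", "amount": 90},
    {"txn_id": "t8", "device_fp": "fp-B", "email": "erin@example.com", "amount": 35},
]
MERCHANT_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; use a managed secret in practice


def run(secret: bytes = MERCHANT_KEY, txns=RAW_TXNS, min_accounts: int = 3):
    """Pseudonymise, then link; only tokens cross into link_by_device."""
    return link_by_device(pseudonymise(secret, txns), min_accounts)


if __name__ == "__main__":
    devices, txn_ids = run()
    print(f"{len(devices)} suspicious device(s); flagged transactions: {txn_ids}")
```

Device fp-A is behind four distinct accounts (t1 and t4 collapse to one after normalisation), so all five of its transactions are flagged while fp-B, reused by a single returning customer, is not. The linking function never receives an e-mail address or a raw fingerprint, which is the separation the interview describes.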
Feedzai
Myths about Machine Learning

The fintech revolution has begun and machine learning is at the forefront of this next wave of innovation. Machine learning, a branch of artificial intelligence, is now enabling computer systems to have sophisticated judgment and decision-making capabilities (remember that self-driving cars were thought impossible only a few years ago).

"Machine learning, I think, will have a larger impact over the next 20 years, than mobile had over the past 20." – Sun Microsystems co-founder and venture capitalist Vinod Khosla

As Google and Facebook continue to usher in the era of machine learning, the ripple effects can be felt in the financial services industry. Machine learning is radically changing the nature of money and financial services. Now is a great time to dispel the common myths about machine learning.

Myth 1: Machine learning is only for big companies
The declining cost of computing - due to factors such as improvements in computer processing speeds, cheaper data storage, increased communications bandwidth, and broader availability of data sources, to name a few - has levelled the playing field for companies and businesses of all sizes to be able to use machine learning technologies. The range of businesses that can now use machine learning is very wide - ranging from giants like Google and First Data, to ecommerce startup merchants like LongboardsUSA.

Figure: Computing cost-performance (Source: Deloitte, Computing Cost-performance (1992-2012))

Furthermore, with the advances in software development technology, machine learning can be integrated into your system seamlessly using APIs or plug-ins. At the same time, as the open-source community grows, more developers are creating new applications and APIs that are highly specific to your business or technology stack. Open-source machine learning services are already available in C++ and Python with more languages to follow. Lastly, the growth of cloud computing provides access to shared machine processing infrastructure. The cloud and open-source adoption, combined with APIs, are the factors that are removing technology barriers for machine learning adoption.

Myth 2: Machine learning takes away my ability to control my business
As machines do more work and make more decisions, the fear of losing control or not understanding the ‘blackbox’ machine logic is understandable. However, advances in human-to-machine interfaces have been made in recent years, such as ‘whitebox scoring’ methods, that demystify the underlying decision-making. The whitebox approach is essentially a semantic layer, turning data and decisions into descriptions that anyone can read without resorting to complicated and obscure machine logic or reason codes.

Additionally, as you implement machine learning in your business, it frees up time for your fraud and risk management team. They spend less time manually reviewing orders and payments or manually processing numerous chargebacks every week. These alone result in a huge time-saver for your team, time which is reclaimed to spend running your business.

Myth 3: I want the Uber-model that is best for all
First, there is no single best machine learning model that is universally better in all situations. Choosing the best model depends on the problem type, size, available resources, etc. However, just like teams of people working together, groups can often make better decisions than individual members. That’s because individuals each have their own biases. The same is true in the case of machine learning with the use of ‘ensemble methods’. Ensemble methods use multiple models together in order to help compensate for individual bias. Ensemble methods combine the opinion of multiple learners to achieve superior collective performance. Moreover, ensembles are inherently parallel, which means they work efficiently side by side. For fraud prevention systems, this is vital because it requires far less training time to set up the initial models.

Not only does combining multiple models make the system safer, it also keeps it more relevant. By including different models, evolution will take place at a much faster rate, with less need for human supervision.

Myth 4: Machine learning is all about the model
It cannot be denied that you need a good model or ensemble of models to make machine learning efforts effective. However, simply having effective models isn’t enough. Fraudsters are incessantly finding new loopholes and cracks in your system. The only way to stay one step ahead of them is to continually feed new data sources and strengthen the intelligence by introducing new real-world data and connections. A machine-learning model is only as good as what data it ingests.

Figure: Data Sources

The fintech revolution is well underway. As electronic commerce continues to rise, fraudsters have access to more sophisticated tools and increased channels to commit fraud. To combat fast-evolving fraud, organisations must adopt more sophisticated methods. Machine learning, when combined with human intelligence and intuition, can now have superior judgment and decision-making capabilities so organisations can eradicate fraud.

Dr. Pedro Bizarro
Chief Science Officer
Feedzai

About Dr. Pedro Bizarro: Pedro is the Chief Science Officer at Feedzai where he leads a team of data scientists who are keeping commerce safe. He is a recognized researcher in machine learning and holds a PhD from the University of Wisconsin at Madison.

About Feedzai: Feedzai was founded in 2009 by data scientists and aerospace engineers to make commerce safe for business customers through the use of artificially intelligent machine learning. Feedzai’s Fraud Prevention That Learns technology is used by large financial services companies to risk-score over USD 1 billion of commerce transactions each day. Feedzai is a US-based company and is funded by major venture capital investors including OAK HC/FT, Sapphire Ventures and Data Collective.
www.feedzai.com
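Myths 2 and 3 are easier to weigh with a concrete ensemble in hand. The following is an added example, not Feedzai's software: it bags a set of one-rule "stumps", each fitted on its own bootstrap sample and its own random pair of features, so the members are independent and are fitted concurrently; because each member is a single readable threshold, the ensemble's explanation for a score is the list of rules that fired rather than an opaque number, which is what the text calls whitebox scoring. The transaction rows, feature names, member count and seed are constructed for illustration.

```python
"""Bagged ensemble of one-rule 'stumps' with readable reasons.

Added example, not Feedzai's code. Each member is a single threshold on
one feature, fitted on its own bootstrap sample over a random pair of
features, so members are independent (and fitted concurrently) and the
ensemble's explanation is a list of plain rules that fired. Data,
feature names and parameters are constructed for illustration.
"""
import random
from concurrent.futures import ThreadPoolExecutor

FEATURES = ("amount", "hour", "new_device", "addr_mismatch")

# Constructed labelled transactions: 1 = fraud, 0 = genuine.
DATA = [
    ({"amount": 40, "hour": 14, "new_device": 0, "addr_mismatch": 0}, 0),
    ({"amount": 120, "hour": 10, "new_device": 0, "addr_mismatch": 0}, 0),
    ({"amount": 65, "hour": 19, "new_device": 1, "addr_mismatch": 0}, 0),
    ({"amount": 30, "hour": 12, "new_device": 0, "addr_mismatch": 0}, 0),
    ({"amount": 200, "hour": 9, "new_device": 0, "addr_mismatch": 1}, 0),
    ({"amount": 90, "hour": 22, "new_device": 0, "addr_mismatch": 0}, 0),
    ({"amount": 950, "hour": 3, "new_device": 1, "addr_mismatch": 1}, 1),
    ({"amount": 700, "hour": 2, "new_device": 1, "addr_mismatch": 1}, 1),
    ({"amount": 1200, "hour": 4, "new_device": 1, "addr_mismatch": 0}, 1),
    ({"amount": 850, "hour": 1, "new_device": 0, "addr_mismatch": 1}, 1),
    ({"amount": 600, "hour": 23, "new_device": 1, "addr_mismatch": 1}, 1),
    ({"amount": 1500, "hour": 5, "new_device": 1, "addr_mismatch": 1}, 1),
]


def predict_stump(stump, row) -> int:
    """direction +1: 'feature > threshold' is fraud; -1: 'feature < threshold'."""
    f, thr, direction = stump
    return int(direction * (row[f] - thr) > 0)


def fit_stump(rows, feats):
    """Exhaustively pick the feature/threshold/direction with best accuracy."""
    best, best_acc = None, -1.0
    for f in feats:
        values = sorted({r[f] for r, _ in rows})
        for thr in [(a + b) / 2 for a, b in zip(values, values[1:])]:
            for direction in (+1, -1):
                stump = (f, thr, direction)
                acc = sum(predict_stump(stump, r) == y for r, y in rows) / len(rows)
                if acc > best_acc:
                    best, best_acc = stump, acc
    # Degenerate sample (all chosen features constant): a member that abstains.
    return best if best else (feats[0], float("inf"), +1)


def describe(stump) -> str:
    f, thr, direction = stump
    return f"{f} {'>' if direction > 0 else '<'} {thr:g}"


def train_ensemble(rows, n_members: int = 15, seed: int = 7, workers: int = 4):
    """Bootstrap sample plus a random feature pair per member, fitted concurrently.

    A process pool is the real choice for CPU-bound members; a thread pool
    keeps the example dependency-free while showing that members never
    depend on one another.
    """
    rng = random.Random(seed)
    tasks = [([rng.choice(rows) for _ in rows], rng.sample(FEATURES, 2))
             for _ in range(n_members)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda t: fit_stump(*t), tasks))


def score(ensemble, row):
    """(fraud score, reasons): share of members voting fraud and the rules behind them."""
    fired = [describe(s) for s in ensemble if predict_stump(s, row)]
    return len(fired) / len(ensemble), fired


ENSEMBLE = train_ensemble(DATA)

if __name__ == "__main__":
    suspect = {"amount": 900, "hour": 2, "new_device": 1, "addr_mismatch": 1}
    print(score(ENSEMBLE, suspect))
    print(score(ENSEMBLE, {"amount": 50, "hour": 13, "new_device": 0, "addr_mismatch": 0}))
```

The reasons list is the semantic layer the text describes: an analyst sees "amount > 400" and "hour < 7" rather than a reason code, and any single member that learned an odd rule from its bootstrap sample is outvoted by the others. Restricting each member to a pair of features is what makes the members disagree in the first place; with all four features available every member would fit the same threshold on amount.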
ai Corporation
Work Smart – Does Your Fraud Team Suffer from Decision Fatigue?

Right now, consumers have never had such a broad range of options to pay for goods and services. What is more, the channels through which the consumer may purchase their goods and services have never been more diverse.

The cost of these new payment options and omni-channel engagement methods has increased the complexity and associated costs for issuing banks, acquiring banks and merchants; it is a cost they must bear in order to stay competitive through this ‘consumer self-service’ point of sales revolution.

The increase in complexity has created both opportunity and great risk for three key groups. Firstly, consumers have the opportunity to choose how and where to buy like never before. This creates the opportunity for the second group, sellers, to increase volume of sales. But with complexity comes confusion, and the third group, fraudsters, has taken full advantage.

Today’s fraudsters are highly sophisticated and very well organised. To combat this, legitimate businesses that want to stay competitive need to be both equipped to stop the fraud, and able to do this in an efficient and cost-effective manner.

A balance between man and machine
It is this need for efficiency and effectiveness in the face of ever-increasing and more complex fraudulent activity that drives ai’s product development. Our automated systems have been developed to be more effective than manual human decision-making. The efficiency improvements that come with reliable and consistent performance are beyond what any human could be expected to achieve.

It is often said of ai that we are a ‘people business’. We agree – it is people that drive any successful business and, as our clients testify, it is often our people that help drive other businesses. So, in the case of the fraud management world, what are we doing to ensure we support this principle? If we think about the motivation for a fraudster versus an employee in an increasingly burdened fraud department, you could argue that it is incredible we manage to stop fraud the way we do. So how do we tackle this imbalance?

Many young graduates join a fraud team in order to start a corporate career. Invariably they would start by managing alerts after some kind of induction programme. It is now well-evidenced in the field of behavioural economics that as familiarity regarding a role grows, other human biases start to become more pronounced; in other words, the greater experience a fraud analyst has, the greater the risk that they will subconsciously be influenced to wander from the ideal resolution. At ai we have spent a lot of time studying the psychology associated with this ‘decision fatigue’ and have developed our software to mitigate its damaging effects.

The below graph demonstrates the otherwise hidden trend in human behaviour being influenced by external factors. In this case, judges presiding over a parole board discover their decisions are being dramatically influenced by something entirely human - their appetite. Do fraud analysts suffer from this?

Let machines handle the repetitive tasks
ai’s mantra to ‘automate tedious routines to release human creativity’ aligns with the mounting scientific evidence presented in the field of behavioural economics. In fact, one of the International Institute of Analytics top ten predictions for 2015 was that analytics, machine learning and automated decision-making would come of age in 2015. With the 2015 launch of ai’s neural modelling and automated rule set engines, we believe they were right.

ai is very proud of our technical relationship with one of the world’s leading academic institutions, which is helping us provide “state of the art” machine learning solutions. Over the past 2 years we have invested over 40% of revenues into research and development.

At ai, we believe some jobs are best done by machines, leaving creative decisions to humans. Therefore, our tools have been designed to complement business teams, automating many of the

Mark Goldspink
Chief Executive Officer
ai Corporation

About Mark Goldspink: Mark has spent 25 years in general management roles. Mark joined ai Corporation (ai) in 2013 to work with Ashley Head on developing and expanding a whole series of inter-related payment businesses globally, but with main focus on ai.

About ai Corporation: ai provides fraud prevention solutions to some of the world’s largest financial institutions, merchants and PSPs. Our unique self-service solutions, including our new ‘state-of-the-art’ neural technology, protect and enrich payments experiences for more than 100 banks and 3 million multichannel merchants, monitoring over 20 billion transactions a year.
www.aicorporation.com
repetitive activities and allowing our customers to focus on the
more complex issues.
Scientifically proven
There is undeniable evidence through peer-reviewed studies that
external influences cause human decision-making to change
during the day, leading to intraday inconsistencies. Isn’t it human
nature to think about the weekend and evening events rather than
maintain complete focus through a work shift? For fraud teams,
such distraction could result in serious financial repercussions, but
is entirely foreseeable and indeed natural for humans to become
distracted like this, more so when working in an increasingly
complex payments environment.
The questions you should perhaps be asking are: could your fraud
team or fraud service provider be suffering from decision fatigue
and if so, how can you counter this?
LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONS
29
CyberSource
The Future is Mobile

When I talk to businesses about their ambitions for digital commerce growth, one of the key messages I consistently hear is that the future is mobile. Whatever the size or industry, businesses understandably want to take advantage of the continuing growth of smartphone and tablet penetration, and their use by consumers to purchase goods and services.

Whilst most businesses appreciate the need to tailor their ecommerce experience and user interface for mobile websites and apps, many are not tailoring their fraud management strategy in the same way. The latest CyberSource fraud survey reports that 45% of survey respondents cite the ‘inability to accurately measure fraud rates by sales channels (causing operational efficiencies)’ as one of the fraud challenges of greatest concern (CyberSource 2015 UK Fraud Report Series: Part 1 – The World of Mobile Fraud). Which is not surprising when the following findings are also reported:
- 43% of respondents track fraud from mobile commerce channels
- 89% of those who do track mobile orders use the same fraud tools as used to screen ecommerce orders

When businesses don’t track or adapt their fraud strategies to the mobile channel, they can become vulnerable in two ways: they risk higher rates of fraud coming via the mobile channel, or they risk blocking orders from genuine customers. The last thing needed in trying to grow the mobile channel is that customers may have a less than ideal experience.

mCommerce fraud strategy
While there are many similarities between eCommerce and mCommerce, there are a number of important differences particularly relevant for fraud management:

Consumer behaviour is different on a mobile device than on a normal PC (laptop or desktop), with purchases being made at different times of the day and different types of purchases made: thus, rules designed for traditional eCommerce purchases may flag mobile behaviour as anomalous.

The data available from mobile devices is different from non-mobile devices, and even differs by type of mobile device. For example, Apple devices provide a more diluted device fingerprint than Android due to the ‘locked down’ nature of Apple’s OS.

The detection tools used in fraud management may not change, but the importance of them may vary, depending on the information available via different devices.

All the differences in behaviour, data and tools require a set of rules specifically for the mobile channel, and a channel-specific mobile fraud strategy. The rules created at first will no doubt depend on the data that you can capture, the behavioural patterns and fraud trends that are understood to be relevant by your business, and the level of sophistication that suits your organisation’s requirements and risk profile.

[Figure: Managing mCommerce Fraud Risk – A Framework for Action]

The framework above provides a process-based approach to work through the differences between mCommerce and eCommerce for fraud management. Working through the process step by step can help you understand the implications of the mobile channel for fraud management, and equip you to decide on the best course of action for your organisation.

For those just starting out with a fraud management strategy, I recommend three simple steps to help get started:
- Start tracking mobile transactions. Measuring mobile chargebacks, rejection and review rates will enable informed decisions to be made about when and how to act.
- Create a distinct mobile profile, even if at first the rules applied are an exact copy of existing ecommerce rules.
- Start capturing the device type and operating system, even if no rules are immediately implemented based on the differences in fraud pressure between the devices.

You can’t manage what you can’t measure
The mobile space is relatively new and, as it grows and matures, fraudster strategies and exploits are likely to evolve. Consumer behaviours and purchasing patterns are likely to continue to change. So, in my opinion, it is important to monitor, measure, analyse and fine-tune mobile fraud management strategies, more so than for established channels.

Fraudsters will move between channels as they try to exploit both eCommerce and mCommerce. As important as it is to segment these channels, it is equally important to be able to integrate them for analysis and to spot activity and patterns in one channel that affect actions in another.

In my experience, businesses that actively manage mobile fraud can achieve fraud rates similar to rates achieved on other channels, and for those experiencing above average rates, it is usually a sign that a mobile-specific fraud strategy either is not in place, or needs to be fine-tuned.

The ability to understand how consumer behaviour differs on mobile devices; to capture the data that is relevant to the mobile channel and implement appropriate fraud management tools and rules; to track and analyse mCommerce chargeback, rejection and review rates and fine-tune your mobile strategy in response – all have clear implications for the experience that both customers and fraudsters have when they interact with you through your mobile channel.

Neil Caldwell
Vice President
European Sales
CyberSource

About Neil Caldwell: Neil Caldwell, VP of European Sales, is responsible for spearheading the expansion of CyberSource’s European business and overseeing the sales and account management functions within the company. An accomplished and dynamic sales leader, Neil’s background has given him outstanding expertise in financial services and eCommerce payments.

About CyberSource: CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. CyberSource operates in Europe under agreement with Visa Europe.
www.cybersource.co.uk
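The three starting steps above (track the mobile channel, give it a distinct rule profile, capture device OS), as an added example that is not CyberSource's code: a small rule-profile model over a constructed day of orders, showing how an ecommerce late-night rule copied unchanged onto the mobile channel inflates the mobile review rate, and how per-channel and per-OS review, reject and chargeback rates expose that. All order data, rules and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Order:
    channel: str      # "ecommerce" or "mobile"
    device_os: str    # captured device/OS; "web" for desktop browsers
    hour: int         # local hour of day, 0-23
    amount: float
    chargeback: bool  # constructed outcome: did the order later come back as fraud?


Rule = Callable[[Order], bool]


@dataclass
class Profile:
    """Channel-specific rule set; reject rules are checked before review rules."""
    name: str
    reject_rules: List[Rule] = field(default_factory=list)
    review_rules: List[Rule] = field(default_factory=list)

    def decide(self, o: Order) -> str:
        if any(r(o) for r in self.reject_rules):
            return "reject"
        if any(r(o) for r in self.review_rules):
            return "review"
        return "accept"


def segment_rates(orders: List[Order], profiles: Dict[str, Profile],
                  key: Callable[[Order], str]) -> Dict[str, Dict[str, float]]:
    """Review, reject and chargeback rates per segment (channel, device OS, ...).
    Chargebacks are counted on accepted orders only: a rejected order cannot charge back."""
    counts = defaultdict(lambda: {"orders": 0, "review": 0, "reject": 0, "chargeback": 0})
    for o in orders:
        decision = profiles[o.channel].decide(o)
        c = counts[key(o)]
        c["orders"] += 1
        if decision != "accept":
            c[decision] += 1
        elif o.chargeback:
            c["chargeback"] += 1
    return {seg: {m: round(c[m] / c["orders"], 3) for m in ("review", "reject", "chargeback")}
            for seg, c in counts.items()}


def hours_between(start: int, end: int) -> Rule:
    """Flag orders placed in [start, end); the window wraps past midnight when start > end."""
    def rule(o: Order) -> bool:
        if start > end:
            return o.hour >= start or o.hour < end
        return start <= o.hour < end
    return rule


def high_value(o: Order) -> bool:
    return o.amount > 500  # reject rule shared by both channels (constructed threshold)


# Constructed sample day: desktop buying clusters in office hours, mobile buying
# runs late into the evening, as the article describes.
ECOM_HOURS = [9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 23, 10, 12, 14, 16, 18, 20]
MOBILE_HOURS = [7, 8, 12, 18, 21, 22, 22, 23, 23, 0, 0, 1, 22, 23, 0, 1, 12, 19, 23, 22]
ORDERS = (
    [Order("ecommerce", "web", h, 60.0, chargeback=(i == 5)) for i, h in enumerate(ECOM_HOURS)]
    + [Order("mobile", ("ios", "android")[i % 2], h, 45.0, chargeback=(i in (4, 11)))
       for i, h in enumerate(MOBILE_HOURS)]
)

ECOM_PROFILE = Profile("ecommerce", reject_rules=[high_value], review_rules=[hours_between(22, 6)])
MOBILE_TUNED = Profile("mobile", reject_rules=[high_value], review_rules=[hours_between(1, 6)])


def rates_with_copied_rules() -> Dict[str, Dict[str, float]]:
    """Step 2 taken literally: the mobile profile is an exact copy of the ecommerce rules."""
    mobile_copy = Profile("mobile", ECOM_PROFILE.reject_rules, ECOM_PROFILE.review_rules)
    return segment_rates(ORDERS, {"ecommerce": ECOM_PROFILE, "mobile": mobile_copy},
                         key=lambda o: o.channel)


def rates_with_tuned_rules() -> Dict[str, Dict[str, float]]:
    """After measuring: late-evening buying is normal on mobile, so the window is narrowed."""
    return segment_rates(ORDERS, {"ecommerce": ECOM_PROFILE, "mobile": MOBILE_TUNED},
                         key=lambda o: o.channel)


def rates_by_device_os() -> Dict[str, Dict[str, float]]:
    """Step 3: with device OS captured, fraud pressure per device can be compared."""
    return segment_rates(ORDERS, {"ecommerce": ECOM_PROFILE, "mobile": MOBILE_TUNED},
                         key=lambda o: o.device_os)


if __name__ == "__main__":
    print("copied rules:", rates_with_copied_rules())
    print("tuned rules: ", rates_with_tuned_rules())
    print("by device OS:", rates_by_device_os())
```

With the copied profile the mobile review rate is 0.65 against 0.05 for ecommerce on the same rule; the tuned window brings it to 0.1 without changing the chargeback rate, which is the measurement the article says should drive the decision.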
Innopay
360-Degrees Fraud Management: Securing the Customer Journey

When asked in the 1930s why he robbed banks, Willie ‘Slick’ Sutton replied: “because that’s where the money is”. Sure, banking has since then largely moved online, and so have criminals. However, what was true then remains as true today: criminals target financial institutions because that’s where the money is. As a result, both the top and bottom line suffer.

Fraud: an inevitable surprise
We know that at some point we will be confronted with fraud, we just don’t know exactly when and in which form. We are in a constant balancing act between customer convenience, fraud control and cost containment.

The top line suffers as customer journeys are cut short for being overly burdensome because of security measures. Think of prospects having to come to the branch, or getting stuck in paper-heavy processes during onboarding, hampering conversion rates. The bottom line hurts because implementing and maintaining anti-fraud measures can have serious (opportunity) costs that come on top of actual fraud loss and repair cost.

Fundamentally, fraud is a business issue so let’s treat it as such
So, why is it that something with as much impact on both the organisation and its customers as fraud is often treated like an afterthought, and is still frequently offloaded to risk managers, security officers and fraud advisors outside the primary process?

Don’t get me wrong: we desperately need these experts, today more than ever! However, just as we would not rely exclusively on the finance department to be profitable, we cannot expect the risk, security or fraud department to, by themselves, keep our customers’ data and money safe, especially not from within the ‘second line’. How then do we close this gap?

It starts with an integrated, customer centric view
At Innopay we use a three-tiered approach called “360-degrees fraud management” which consists of a comprehensive set of tools enabling organisations to come to grips with the wicked problem that fraud is. Below you will find a primer.

Tier 1: Mission control
It is important to define clear roles and responsibilities that are as integrated with ‘regular’ governance as possible to avoid unnecessary cost and preserve organisational agility. Proper orchestration will allow the organisation to take action when a new M.O. (modus operandi or specific fraud pattern) emerges, before fraudsters get a chance to ramp up and/or branch out their operation. It will also help the organisation identify consolidation opportunities for fraud measures, which is important given the ongoing commoditization of available solutions.

Tier 2: Customer journey
The customer journey is at the heart of the approach, because ultimately this is what the organisation is all about: providing convenient, secure and cost-effective service to their customers. It is paramount that we strike the right balance and make sure that the most convenient options are secure. There is nothing like a burdensome security measure to make customers look for easier, and often less secure, alternatives, sometimes at the competition.

Customer authentication (during login and transaction signing) and fraud detection are the key ingredients of this defence layer. Today we see new technologies being implemented, such as mobile-centric authentication, fingerprint, behavioural and voice recognition, resulting in an easier and truly omnichannel customer experience if and when properly designed.

Tier 3: Knowledge position
Last but certainly not least is the knowledge position of the organisation, which is essential in taking well-informed decisions and action. Many organisations are exchanging fraud intelligence, both quid pro quo and commercially. This intelligence ranges from stolen credentials (e.g. usernames, passwords) retrieved from underground forums, to suspicious IP addresses, skimmed cards and sometimes even alerts from risk engines.

Not only should knowledge be shared with peers. It is also important we do not shun our customers out of fear of spooking them. As a result of high-profile fraud incidents and security breaches, customers are much more aware of potential risks. We should acknowledge their concern by providing them with actionable information. When applied the right way, knowledge can be a true multiplier of defence effectiveness.

Putting it all together: a 360-degree approach to business-driven defence-in-depth fraud management
To meet customer expectations in a secure manner, organisations make fraud management a natural part of the design, continuous development and management of their customer journeys. This takes tools and methods that business owners feel comfortable applying and is exactly where the 360-degrees approach can help.

When asked: “why is fraud management driven from within the business?” at Innopay we reply: “because that’s where the solutions are”!

Hugo Löwinger
Digital Identity & Fraud Management
Innopay

About Hugo Löwinger: Hugo Löwinger brings over a decade of experience in business-driven fraud and authentication strategy at large financial institutions. Hugo leads the digital identity practice at Innopay and previously fulfilled strategic positions at a.o. ING Bank and Capgemini Consulting.

About Innopay: Innopay is an independent consulting company, specialised in online payments, digital identity and e-business. We help our clients, including financial institutions, governments and corporates, develop the compelling strategies and digital services for consumers and companies that are key for successful competition in a rapidly digitising world.
www.innopay.com
Ecommerce Europe
E-ID: Fraud and Risk Prevention in Cross-border Ecommerce

Cross-border ecommerce
The growth rate of the European B2C ecommerce sector reached double digits in 2014. However, the full potential of the European ecommerce market has not been achieved yet. Currently, only 15% of consumers shop online from another EU country. In order to stimulate cross-border ecommerce, European stakeholders should work together in removing remaining barriers.

Ecommerce Europe believes interoperable e-identification is a precondition to unlock the potential of cross-border ecommerce. In the online payments sphere, fraud is believed to be one of the main barriers, with identity theft as one of the fastest growing crimes. e-ID solutions enable the prevention of fraud and identity theft, and stimulate the development of consumer trust and convenience. The e-ID landscape develops quickly. However, for interoperable e-identification to evolve, hurdles should be overcome.

Barriers for cross-border ecommerce
As a recent survey by Experian shows, most organisations (78%) across Europe, the Middle East and Africa consider online fraud the biggest challenge at the moment. In particular, identity theft, which is currently a major issue for 24% of businesses in EMEA, is expected to double in the next five years and become a serious concern for 48% of businesses. Ecommerce Europe believes that the main reason for this problem is the lack of safe, reusable and interoperable e-identities. This deficiency forces online service providers to each provide their own consumer registration and login solutions. Within the variety of solutions, safe and secure digital interactions between businesses and consumers are not always guaranteed.

In June 2015, Ecommerce Europe published the outcome of the survey “Barriers to Growth” in ecommerce. Consumer identification was specifically mentioned as a concrete example when it came to barriers linked to online payments. The absence of reusable e-identities proved to be a barrier for merchants who wanted to participate in cross-border ecommerce.

e-ID as a solution
Fortunately, in order to improve data protection and to increase convenience and consumer trust, many Member States are currently working on (or already working with) national e-ID schemes. Interoperable online identities verified directly by the government, or indirectly by other trusted parties, will help reduce risks of cybercrime and (payment) fraud. e-ID can guarantee the unambiguous identification of a consumer and enables effective age verification for age-dependent services (such as online gambling) or certain product markets (such as alcohol, tobacco and medication).

Especially with regard to payments, e-identification brings great opportunities to solve problems caused by complicated checkout processes. By reusing formerly verified information, delivery and payment preferences, the checkout solution can be simplified, which adds much to the seamless shopping experience of the consumer. At the same time, this so-called one-click-buy solution guarantees maximum reach and conversion at fair cost for merchants and consumers.

eIDAS Regulation: interoperability on its way
In order to fully benefit from e-ID opportunities, interoperability between e-ID schemes in different Member States should be stimulated. The recently adopted eIDAS Regulation requires Member States to recognise each other’s e-ID means if, under their national law or administrative practice, such means are required to access a public service. This applies as long as the means is issued under an electronic identification scheme that is notified to and included in the list published by the European Commission.

The effort made by the Commission in drafting the eIDAS regulation looks like a step in the right direction. The interoperability of national electronic identification schemes across borders is however still in its infancy. Ecommerce Europe believes that the eIDAS regulation lacks the obligation for Member States to notify their national schemes to the European Commission.

Ecommerce Europe calls upon national governments to notify their national schemes to the European Commission in order to enable an interoperable e-ID landscape throughout Europe. An interoperable e-ID will be a driver for innovation and, eventually, will reduce cybercrime and fraud risk. To continue the growth rate of B2C ecommerce, consumer trust should be reinforced.

Elaine Oldhoff
Policy Advisor
Thuiswinkel.org

About Elaine Oldhoff: Elaine Oldhoff works as a policy advisor for the Dutch association for online stores Thuiswinkel.org. She is a member of the e-Regulations Committee and the e-Payments Committee of Ecommerce Europe. On a daily basis she focusses on the potential of e-identification for the digital economy.

About Ecommerce Europe: Ecommerce Europe is the association representing around 25,000 companies selling products and/or services online to consumers in Europe. Ecommerce Europe offers to be a one-stop-shop for the European Institutions for all ecommerce related issues. Ecommerce Europe can be consulted on market research and data, policy questions and in-depth country knowledge.
www.ecommerce-europe.eu
REGULATION, PRIVACY AND DATA PROTECTION
The European Payments Council
Security of Internet Payments: the EBA Two-Step Approach

The European Banking Authority (EBA), as part of its mission to ensure effective, consistent and prudential regulation, as well as supervision across the European banking sector, drafted implementation guidelines on the security of internet payments in 2014. The guidelines were based on the recommendations issued in January 2013 by the European Forum on the Security of Retail Payments (SecuRe Pay) for the security of internet payments.

The EBA consulted the payment stakeholder community on those guidelines in late 2014. Due to the fact that the finalised EBA implementation guidelines would apply prior to the entry into force of the revised Payment Services Directive 2 (PSD2), the European Payments Council (EPC) suggested an alternative approach. The EBA, however, decided that the implementation guidelines would come into force on 1 August 2015 and, then, stronger requirements would emerge at a later date under the PSD2. The EPC is now looking forward to the EBA’s consultative process on the updated security requirements of internet payments, which should meet the more stringent principles of the PSD2.

The 2014 EBA consultation on implementation guidelines for internet payments and the EPC response
During the consultation process, the EBA focused specifically on implementation rather than the substance of the requirements, as the negotiations of the PSD2 could have affected them. The EBA issued these guidelines to ensure consistent regulation across the European Union (EU) and provide legal certainty for market participants.

The consultation on these guidelines asked the question: “Do you prefer for the EBA guidelines to:
a) Enter into force, as consulted, on 1 August 2015 with the substance set out in this consultation paper, which means they would apply during a transitional period until stronger requirements enter into force at a later date under PSD2 (‘option a’)
b) Anticipate these stronger PSD2 requirements and include them in the final guidelines under PSD1 that enter into force on 1 August 2015, the substance of which would then continue to apply under PSD2” (‘option b’)?

In response to the consultation, the EPC recommended a third option (called ‘option c’): a scenario whereby the EBA guidelines would be issued only after the entry into force of PSD2 and the publication of the regulatory technical standards as mandated by PSD2, following a consultation of the market and safeguarding an adequate timeframe for implementation. If the EBA were not to accept the recommended ‘option c’, the EPC had a preference for ‘option a’, i.e. the two-step approach.

The EPC also pointed out that, in the last two decades, many security solutions were implemented, only to have been rendered obsolete and replaced by safer solutions as technology evolved. Therefore, stakeholders are permanently in search of solutions that master the subtle balance between security and user convenience. Since 2010, new threats have appeared, authentication solutions have evolved and the preferred platform for internet payments has changed from PCs to mobile devices. This field of expertise is highly dynamic. The EPC, therefore, suggested that new developments (e.g. tokenization, risk-based authentication) should be taken into account when finalising the guidelines.

Finalised EBA guidelines on the security of internet payments
The finalised guidelines, published by the EBA in December 2014, set the minimum security requirements that Payment Service Providers (PSPs) in the EU were expected to implement. The EBA retained the two-step approach whereby the guidelines, which were implemented on 1 August 2015, will be replaced at a later stage by more stringent requirements necessary under the PSD2. The EBA therefore concluded that a delay in the implementation of the guidelines until the transposition of the PSD2 in 2017/2018 would not be feasible in view of the continuously high and growing levels of fraud in the domain of internet payments.

Some countries announced they were unable to comply with the EBA guidelines
The EBA guidelines are based on a ‘comply or explain’ principle: national competent authorities need to inform the EBA about whether they will be able to comply and, if not, they are asked to provide an explanation. The majority of the national competent authorities advised that they would comply or intend to comply with the EBA guidelines on the security of internet payments. However, the UK, Slovakia, Estonia and Iceland communicated that they are unable to, while Cyprus and Sweden will partially comply.

Towards more stringent EBA guidelines compliant with the PSD2
A key question covered in the PSD2, though with certain ambiguities, is the authentication of the payment service user. To this end, the EBA is tasked with developing and drafting regulatory technical standards on strong customer authentication, which should be submitted to the European Commission within 12 months of the PSD2 entering into force, i.e. by the end of 2016.

In this context, the EPC strongly advises against the possibility for third-party PSPs to use the personal security credentials of the customer to get access to its account. The EPC reiterates that personalised security credentials should not be shared with third parties and hopes that the EBA will take this concern into consideration.

The EPC, furthermore, looks forward to the EBA’s consultative process in this area and the opportunity it will provide to contribute to achieving secure and convenient internet payments, as well as technological neutrality.

Javier Santamaría
Chair
The European Payments Council

About Javier Santamaría: Javier Santamaría is the Chair of the EPC and a Senior Vice President with Banco Santander. He is a member of the Board of the Euro Banking Association, a Director of the SWIFT Board and Chair of the Iberpay Board.

About The European Payments Council: The European Payments Council is an international not-for-profit association, representing payment service providers, which aims to support and promote European payments integration and development, notably the Single Euro Payments Area (SEPA), through the development and management of pan-European payment schemes and the formulation of positions on European payment issues.
www.europeanpaymentscouncil.eu
CardinalCommerce
How EMV Will Change Online Business in the US
Everyone in the payments ecosystem is talking about EMV and the
Historically, in other regions, as EMV cards have been rolled out,
October 2015 deadline for liability shift in the US. For merchants
POS-related fraud, as would be expected, went down. CNP fraud,
who have installed the EMV card readers in their brick-and-mortar
however, skyrocketed. In the UK, online fraud jumped from GBP
locations, this means that they will not be liable for fraud at the
45 million the year before the cards were introduced to GBP 181.7
point-of-sale terminal (or point-of-sale fraud). But, for omnichannel
million five years later. Experts expect the same to happen in the
and online merchants, how will the use of EMV cards impact their
US. To combat the threat of CNP fraud, the use of 3D Secure was
ecommerce fraud level?
mandated in other regions, and merchants implemented protocols
like Verified by Visa, MasterCard Secure Code, American Express
Many banks and retailers in the US are now using the EMV system
SafeKey, and others. As a result, CNP fraud in those areas has
because of recent data breaches. Long used in Europe and other
decreased, but has recently started to rise in the US.
regions, this system uses credit cards with an embedded chip, thus
requiring new POS readers on the merchant side. The chip makes
How can online merchants protect themselves?
cards more difficult to counterfeit for in-person use. This new
To thwart the influx of online fraud, many ecommerce merchants
system, though expensive to implement for both merchants and
have dialed up their fraud tools. This helps control the increasing
banks, will make POS transactions much more secure. However,
levels of fraud, but also creates false positives, such as transactions
it also introduces the threat of fraud in card-not-present (CNP
that the fraud tool flags as potential threats and the merchant
transactions) because the chip provides no benefit when the card
declines what are actually good orders. This is almost as harmful to
is not present.
a merchant as the fraud attack itself because it results in lost sales
and potential insults to good consumers.
History of EMV
EMV is not a new technology, even though it is ‘news’ in the US.
This puts online merchants in a difficult spot. Because EMV cards
Introduced in the ‘90s, EMV has almost completely replaced the
cannot be used for in-person fraud, the fraudsters look for the path
magnetic stripe cards in Europe, and is in wide use in Asia, South
of least resistance, the CNP world. But there is a way to prevent
America, Canada and Mexico. The US, the last major holdout, is
fraud. Cardinal Consumer Authentication (CCA) protects online
converting now, with a recent liability shift deadline in October 2015.
transactions the way EMV cards prevent fraud at the cash register.
CCA’s patented technology works with the 3D Secure protocols to
One of the major benefits of EMV cards is around how the chip
authenticate transactions with the card-issuing bank during online
works. Each time the card is used in person, the chip creates a
transactions. Our more than 15 years of experience in protecting
unique transaction code that cannot be re-used. Therefore, if a card
CNP transactions benefits merchants. And, by combining CCA
number is stolen in a breach, and a counterfeit card created, the
with a fraud tool, merchants can increase their good orders by up
stolen number and transaction code would not be usable and any
to 15% vs using a fraud tool alone.
fraudulent attempts at point-of sale would be denied. This is also
a drawback because the chip is not ‘read’ for a CNP transaction,
Its rules-based approach gives merchants choice in how each
whereas a stolen EMV card number can be – and increasingly are –
transaction is authenticated, and control over the amount of
used to make fraudulent CNP transactions.
consumer friction during checkout. In some cases, where a
merchant has high ticket items (like fine jewelry or travel) or SKUs
that have a history of fraud, introducing friction into the checkout
experience in the form of a challenge can be what the merchant
intends. The authentication rules allow merchants to balance the
risk of the transaction with the consumer experience.
40
WEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY MARKET GUIDE 2015 / 2016
Michael Roche
VP of Consumer Authentication
CardinalCommerce

About Michael Roche: Michael Roche is the VP of Consumer Authentication and focuses on improving current products and shaping new product development, as well as developing and strengthening relationships with enterprise partners in order to provide them with ecommerce solutions tailored to their needs.

About CardinalCommerce: CardinalCommerce is the pioneer and global leader in enabling authenticated payment transactions in the card-not-present payments industry, and the largest authentication network in the world. Through One Connection to the proprietary Cardinal SafeCloud, we enable friction-free, technology-neutral authentication and alternative payment services (including digital wallets and mobile commerce services).
www.cardinalcommerce.com

Passive authentication happens behind the scenes, with no friction during checkout for the consumer, using things the merchant and the issuer know about the cardholder, like IP address, device identification, buying patterns, or any other data point the merchant collects.

Consumer Authentication has other benefits for online and mobile transactions. Merchants usually benefit from increased sales, a liability shift on chargebacks, less manual review and potential interchange fee savings. Merchants see a sales increase with a Consumer Authentication solution because there are fewer 'false positives', good orders that might ordinarily be declined, whether internally or externally. Merchants also enjoy a liability shift for fraudulent chargebacks on Cardinal Consumer Authentication transactions, because the issuing bank takes on the risk if an authenticated transaction turns out to be fraudulent.

To wrap up, EMV's rollout in the US is a good thing for brick-and-mortar merchants, but it will open up opportunity for fraud against CNP merchants. Online merchants in the US should be aware of the shift from fraud at POS to CNP fraud due to EMV, and protect their online business with the 3D Secure protocols (like MasterCard SecureCode, Verified by Visa and others), as well as take advantage of the liability shift on authenticated transactions and the potential savings on interchange and manual review.
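To make concrete the contrast the article draws between the chip's unique transaction code and a CNP authorisation that never sees the chip, here is an added example (written for this guide, not Cardinal's code and not the EMV specification): a simplified chip that computes a transaction-bound cryptogram over the PAN, a transaction counter, the amount and the terminal's unpredictable number, and an issuer that verifies it and rejects replays and counterfeits. The HMAC-SHA256 cryptogram, the `ChipCard` and `Issuer` classes, and all card data are assumptions made for illustration; real EMV uses a MAC under a session key derived from the issuer master key. The last scenario shows why the same breached PAN still works online: the CNP path has nothing dynamic to check.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed illustration: PANs, expiry dates and keys are made up, and the
# cryptogram is an HMAC-SHA256 tag rather than the real EMV ARQC. The protocol
# shape (what is signed, what the issuer can check) is the point.


def cryptogram_input(pan: str, atc: int, amount_cents: int, unpredictable_number: bytes) -> bytes:
    """Transaction data the card signs. Card and issuer must build it identically."""
    return b"|".join([
        pan.encode(),
        atc.to_bytes(2, "big"),
        amount_cents.to_bytes(6, "big"),
        unpredictable_number,
    ])


@dataclass
class ChipCard:
    """Simplified EMV chip: a per-card secret plus a monotonically increasing
    Application Transaction Counter (ATC). A counterfeit built from breached
    data has the PAN and expiry but never the key."""
    pan: str
    expiry: str
    key: bytes
    atc: int = 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> tuple[int, bytes]:
        self.atc += 1  # every use changes the input, hence the code
        data = cryptogram_input(self.pan, self.atc, amount_cents, unpredictable_number)
        return self.atc, hmac.new(self.key, data, hashlib.sha256).digest()[:8]


@dataclass
class Issuer:
    """Issuer host: holds each card's key, expiry and the highest ATC accepted."""
    card_keys: dict[str, bytes]
    card_expiry: dict[str, str]
    last_atc: dict[str, int] = field(default_factory=dict)

    def authorise_card_present(self, pan: str, atc: int, amount_cents: int,
                               unpredictable_number: bytes, cryptogram: bytes) -> str:
        key = self.card_keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        data = cryptogram_input(pan, atc, amount_cents, unpredictable_number)
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"        # counterfeit chip or tampered amount
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINE: replayed cryptogram"   # this counter value was already used
        self.last_atc[pan] = atc
        return "APPROVE"

    def authorise_card_not_present(self, pan: str, expiry: str, amount_cents: int) -> str:
        # No chip is read online, so there is no cryptogram: the issuer sees only
        # static data, which is exactly what a breach leaks.
        if pan not in self.card_keys or self.card_expiry.get(pan) != expiry:
            return "DECLINE: unknown card"
        return "APPROVE"


def demo() -> dict[str, str]:
    """Run the scenarios from the article and return the issuer's answer to each."""
    pan, expiry, key = "4000001234567899", "12/18", secrets.token_bytes(16)  # constructed card
    genuine = ChipCard(pan, expiry, key)
    counterfeit = ChipCard(pan, expiry, secrets.token_bytes(16))  # cloned PAN, guessed key
    issuer = Issuer(card_keys={pan: key}, card_expiry={pan: expiry})
    results: dict[str, str] = {}

    un1 = secrets.token_bytes(4)  # terminal's unpredictable number
    atc, tag = genuine.generate_cryptogram(1999, un1)
    results["genuine chip at POS"] = issuer.authorise_card_present(pan, atc, 1999, un1, tag)
    results["replay of captured cryptogram"] = issuer.authorise_card_present(pan, atc, 1999, un1, tag)

    un2 = secrets.token_bytes(4)
    atc2, tag2 = counterfeit.generate_cryptogram(1999, un2)
    results["counterfeit chip at POS"] = issuer.authorise_card_present(pan, atc2, 1999, un2, tag2)

    # The same breached PAN and expiry typed into a web checkout.
    results["stolen PAN online (CNP)"] = issuer.authorise_card_not_present(pan, expiry, 1999)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:32} -> {outcome}")
```

Run it directly to print the outcome of each scenario. The point is the data flow rather than the cipher: a cryptogram captured at one terminal is useless at the next because the ATC and unpredictable number change, while the CNP request carries only the static data a breach leaks, which is the gap the 3D Secure authentication discussed in this article is meant to close.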
time.lex
Doing Business in Europe? Mandatory Data Protection Compliance in Every Single Country

A lot has been written about two recent court cases related to Facebook. The first one is the case of the Austrian student Maximilian Schrems against the Data Protection Commissioner (European Court of Justice, case C-362/14, of 6 October 2015), finding the Safe Harbour arrangement invalid for the transfer of personal data from Europe to the US. The second case is the one brought by the Belgian privacy commission against Facebook, decided on 9 November 2015 in Brussels. But what is the impact for cross-border ecommerce business in the European Union? Here are three takeaways for every company doing business in Europe, from merchants selling goods or services online in Europe to cloud computing providers, social media platforms and many others.

1. Comply in every single country, or else …

The first clear message from both court cases is that data protection and privacy compliance must be taken seriously, especially when personal data is transferred outside the European Union. Ensuring cross-border compliance with data protection law has become a top priority for data protection authorities and courts all over Europe.

A much-debated issue in the Brussels court was the territorial application of the national data protection legislation and the international jurisdiction of the local courts. Facebook argued that, because Facebook's European headquarters are in Ireland, only the Irish data protection legislation applies and only the Irish courts have jurisdiction. The Brussels court disagreed. All international companies with several establishments in the EU must comply with national data privacy laws, and not just with the law of the company's main European establishment; this was recently confirmed by the CJEU in its Weltimmo judgement (C-230/14). The same goes for companies without any EU establishment which make use of so-called 'equipment' located on the territory of several EU member states. Such companies will be subject to the regulatory regime of multiple national data protection authorities.

2. How to transfer data from Europe to the US

In the Schrems case, the Court of Justice of the European Union found that the existence of the European Commission Decision about the so-called 'Safe Harbour' arrangement with the US did not prevent a national data protection authority from investigating individual complaints relating to the transfer of personal data to the US. The CJEU found the Safe Harbour Decision to be invalid. The so-called Article 29 Working Party, the body which brings together representatives of the European Member States' data protection authorities, the European Commission and the European Data Protection Supervisor, clarified a number of consequences that derive from the decision in the Schrems case. Meanwhile, the European Commission issued a communication on 6 November 2015 as well, with practical guidance.

What are the practical consequences for (ecommerce) merchants in Europe, cloud computing providers, social media platforms etc.?

No transfer to the US may be based solely on the invalidated regime. This means that you can only transfer data to the US using the means still allowed. Transfers are only allowed if you:
• make use of the Model Contractual Clauses issued by the European Commission, properly notified to the local data protection authority (in Belgium, the Privacy Commission);
• make use of Binding Corporate Rules drawn up as outlined in the templates drafted by the Article 29 Working Party and, again, properly notified to the local authorities;
• in some EU member states, make use of your own ad hoc contractual provisions or binding corporate rules which have been properly notified and/or approved according to local legislation;
• rely on one of the exceptions, such as a transfer based on consent, but these can only be used in exceptional circumstances and not for systematic transfers to the US.
Edwin Jacobs
Partner
time.lex

About Edwin Jacobs: Edwin Jacobs is a partner at time.lex and a lecturer at the Universities of Leuven and Antwerp.
edwin.jacobs@timelex.eu

About time.lex: time.lex is a law firm specialised in fintech, information and technology law in the broadest sense, including privacy protection, data and information management, e-business, intellectual property, online media and telecommunications.
www.timelex.eu

Note that the Article 29 Working Party has indicated that, for now, the model contractual clauses and the binding corporate rules are still accepted, but that they too may be re-evaluated in 2016 if no progress has been made on a political level to come to an acceptable and valid regime for data transfers between the US and the EU. Meanwhile, a new Safe Harbour regime between the US and the EU is expected in early 2016. Any new Safe Harbour agreement should include obligations on the necessary oversight of access by public authorities, transparency, proportionality and redress. A new Safe Harbour agreement will probably not mean that the national data protection authorities will suddenly back down.

3. Using social media plug-ins on your company website?

The owner of a website must properly inform its visitors of the kind of information it is collecting, the purposes for which it is used, the types of cookies and social media plug-ins it is using, and the duration of storage of the cookie or plug-in on the visitor's computer. But that is not all. Before activating some types of cookies and plug-ins, the visitor's prior express consent is needed. Even the mere collection of your visitors' IP addresses by using cookies or social plug-ins is already considered processing of personal data.
Smart Payment Association
Will EMV Eliminate Card Fraud in the US?

Does the end of 'swipe and sign' mean the end of card payment fraud in the US? It is a simple question. And the answer is simple too: No.

The case for EMV adoption is beyond doubt. Countries with completed EMV implementations have registered significantly lower rates of card fraud. In 2012, for example, the card fraud loss ratio across the European Union stood at 0.038%. In a pre-EMV US, the figure was over two and a half times higher, at around 0.1%.

But, as we see, even in mature EMV markets fraud does not disappear. It just moves online. Card-Not-Present (CNP) fraud is nothing new, of course. Back in 2007, France's Observatory for Payment Card Security estimated that half of all card payment fraud was committed without the card being present. Currently, this figure exceeds 70%. Therefore, the following question arises: "what to do about CNP fraud in the broader context of EMV implementation in the US and supporting programmes across the world?"

Addressing CNP fraud in SEPA

Certainly, the European SEPA region (among others) has taken steps to address the problems of CNP fraud, albeit with differing levels of success. And, while CNP authentication exists, there are few commonly adopted authentication methods that mirror the integrity of a face-to-face POS transaction.

The revised European Payment Services Directive (PSD2), approved in October 2015 by the European Parliament, is set out to change all this by providing a European regulatory framework for retail payments and introducing a range of provisions designed to tackle CNP fraud.

In particular, the PSD2 provides a legal definition of strong authentication. It is the first time this has happened and it is, therefore, of great significance. According to the definition, a secure payment process must include at least two out of the three classical authentication factors (something you have, something you know, something you are). And at least one of the authenticators must be 'dynamic', which is to say it must be unique to each payment transaction, and the authenticators must be independent from a security perspective.

Translating experience to the US

What we, at the SPA, find most striking and most encouraging about the PSD2 is its global nature. Its objectives and its principles can be considered of universal importance when seeking to combat CNP fraud. The principles laid out in the PSD2 are not constrained by geography or a specific regulatory environment and, thus, offer a hugely exciting opportunity for global standardisation.

Certainly, the outlined principles are entirely consistent with the Criteria Discussion Draft document for a better payment system released by the Federal Reserve-backed US Faster Payments Task Force.

EMVCo's announcement that, in 2016, its EMV 3DS 2.0 specification will be published alongside corresponding testing and approval processes points to a growing desire for global transparency and constitutes a major step forward.

Multi-functional benefits of EMV payment cards

While PSD2 is technology agnostic, it seems logical that today's multi-functional card technologies offer a powerful balance of assurance and convenience to satisfy both regulatory objectives and consumer demand.

EMV chip and PIN cards often support functions such as a one-time-password (OTP) generator, on-card displays, or the possibility to use the EMV card with a card reader connected to a personal computer, for example.

These functionalities allow providers to provide, and users to use, the "strong authentication" now defined in law, generating dynamic proof that both the legitimate card and the legitimate user are present during the CNP transaction.
Nicolas Raffin
President
Smart Payment Association

About Nicolas Raffin: Nicolas Raffin is President of the Smart Payment Association (SPA) and Head of Strategic Marketing, Payments at Oberthur Technologies. Nicolas started his career with the digital photo group PhotoMe as product manager. He holds a Master in Marketing and an MSc in Technology & Innovation Management.

About Smart Payment Association: The Smart Payment Association addresses the challenges of the evolving payment ecosystem, offering leadership and expert guidance to help its members and their financial institution customers realise the opportunities of smart, secure and personalised payment systems & services both now and for the future.
www.smartpaymentassociation.com

Global answers to the CNP question

So, if a new generation of EMV cards can offer a much more secure CNP environment, the US' move in this direction will potentially be significant in addressing both card-present and card-not-present fraud. And it is also an exciting opportunity to address CNP security on a global level.

With such high levels of consistency between US and EU objectives, harmonising regulatory approaches will certainly create a more secure ecommerce environment.

Indeed, by sharing experiences and best practice, and delivering that consistent global approach, we can accelerate the adoption of appropriate CNP protections by merchants and banks across the world.

And, while it is impossible to entirely eliminate card payment fraud, a global collaboration around a set of shared principles seems a logical place to begin.

For our part, having already contributed to the European Banking Authority's (EBA) public consultations on secure ecommerce, the SPA will continue to advocate a comprehensive set of security rules for CNP based on the aforementioned seven principles as PSD2 moves into its next phase of life.

Not only will we continue to work with the wider card payment industry, but also with standards bodies and regulators, to help deliver on the promise of a global approach to protecting online payments.
DON'T MISS THE OPPORTUNITY OF BEING PART OF A LARGE-SCALE PAYMENTS INDUSTRY OVERVIEW

"The Paypers offers the most valuable source of information and guidance for all parties interested in the current state of affairs of the payments industry"
Paul Alfing, Chairman e-Payments Committee, Ecommerce Europe

Once a year, The Paypers releases three large-scale industry overviews covering the latest trends, developments, disruptive innovations and challenges that define the global online/mobile payments, e-invoicing, B2B payments, ecommerce and web fraud prevention & digital identity space. Industry consultants, policy makers, service providers and merchants from all over the world share their views and expertise on different key topics within the industry. Listings and advertorial options are also part of the Guides, for the purpose of ensuring effective company exposure at a global level.

ONLINE PAYMENTS: An all-in-one reference guide on (online) payments & ecommerce industry trends, evolving business models, top players and relevant (alternative) payment methods.

B2B PAYMENTS, SCF & E-INVOICING: Industry voices from the online finance space share insights into the dynamic B2B payment, e-invoicing and supply chain finance industries to support innovative solutions & thriving businesses.

WEB FRAUD PREVENTION, ONLINE SECURITY & DIGITAL IDENTITY: In-depth source of information highlighting key facts & trends in the global digital identity, transactional and web fraud prevention & detection ecosystem.

For the latest edition, please check the Reports section
STRONGER CONSUMER AUTHENTICATION TO COMBAT ECOMMERCE FRAUD
Wirecard AG
Moving Beyond Passwords: Next Steps in Consumer Authentication

The way in which consumers verify their identity is rapidly changing, a development which is being driven forward by biometric data.

Consumers should probably not be too surprised if they soon find themselves addressed with queries like: "Dear customer, please turn on your webcam and have your ID at the ready. We will shortly conduct a brief ID check". This kind of procedure may, for example, be introduced for opening an online account in order to verify a customer's identity, thereby making the personal signature a thing of the past.

But what does this trend mean for customers, online merchants and banks who, up until now, have traditionally used passwords and signatures? Moreover, how safe are these new means of identification?

The fact is that traditional passwords are increasingly being supplemented by new means of authentication. One of the reasons is that customer identification has become one of the most important aspects of payment processing. In case of doubt, it offers more effective protection against fraud than a credit check, since a credit check will rarely detect a falsified customer identity. Modern means of authentication, in contrast, are able to do this.

Increased importance assigned to biometric data

It is for this exact reason that measures are being put in place. These measures go further than conventional password authentication. It is very likely that biometric data will become more important as a result of the strong growth in the m-commerce market. Consulting company Acuity Market Intelligence has recently stated that it expects biometric data to be integrated in approximately 65% of all m-commerce transactions by 2020. Furthermore, a global study conducted by Mobey Forum shows that 22% of banks already use some form of biometric data for the purpose of authentication, while a further 65% plan to introduce this type of service in the future.

Initial studies have shown, for example, that the use of fingerprint sensors increases user-friendliness. Thus, users can quickly use the fingerprint recognition service on their smartphone to confirm a mobile transaction. Scanners have now become relatively cheap and simple to install, meaning that they can be integrated into different payment channels, such as point-of-sale terminals or ATMs. Therefore, they increase the recognition factor within the context of financial transactions.

On account of their great potential, further biometric identification measures are currently being discussed. For example, there is heartbeat authentication, although it will admittedly take a while for identification methods such as these to become reality, let alone accepted. However, in the future, further 'multi-modal' means of biometric identification are expected, that is to say, processes which react to a combination of biometric sensors as a security feature. These range from face and iris recognition to keystroke dynamics.

New EU rules reduce online payment risk

The European Banking Authority (EBA) has stated that online merchants will require two mutually independent customer identifiers before accepting payment in the future. Directives such as the revised Payment Services Directive (PSD2) demonstrate the European Commission's commitment to making cross-border payments quicker and safer, while also reducing the risk to the end customer. Linked to this is an effective method of combating data theft and abuse, known as two-factor authentication.

This involves the user being asked for specific identifiers over a combination of two different communication channels. For example, a customer may be asked only for their card number and CVC code online. Afterwards, via a second level of security, they receive a one-time password or verification code delivered via SMS to their smartphone, which they use to confirm the transaction.

Additional biometric identifiers, or the use of (hardware) tokens, are also possible. Building a simple and brief break between channels into the payment process makes it much harder for attackers, without compromising its customer-friendly nature.
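The PSD2 definition of strong authentication in the Smart Payment Association article (two independent factors, at least one of them dynamic and unique to the transaction) and the card-number-plus-SMS-code flow described above share one server-side design. The following is an added example written for this guide, not Wirecard's or the SPA's code and not what PSD2 or the EBA prescribe in detail: a constructed `ScaServer` with a salted password hash as the knowledge factor and a one-time code computed as an HMAC over the transaction identifier, amount and payee as the possession factor, so the code is worthless for any other transaction. The class, the key handling, the 6-digit truncation, the 5-minute lifetime and the 'alice' credentials are all assumptions; how the code reaches the customer (SMS, an app, a card reader with a display) is out of scope.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed illustration. The server assumes only the enrolled device holds
# otp_key, and that the password table and the device keys are separate secrets,
# so compromising one factor does not hand over the other (the "independent"
# requirement).

TX_LIFETIME_SECONDS = 300


@dataclass
class Enrolment:
    salt: bytes
    password_hash: bytes  # knowledge factor: what the customer knows
    otp_key: bytes        # possession factor: key held only by the enrolled device


@dataclass
class PendingTransaction:
    user: str
    amount_cents: int
    payee: str
    created: float
    consumed: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ScaServer:
    def __init__(self) -> None:
        self.users: dict[str, Enrolment] = {}
        self.transactions: dict[str, PendingTransaction] = {}

    def enrol(self, user: str, password: str) -> bytes:
        """Store the knowledge factor; return the key to provision onto the device."""
        salt, otp_key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.users[user] = Enrolment(salt, _hash_password(password, salt), otp_key)
        return otp_key

    def start_transaction(self, user: str, amount_cents: int, payee: str, now: float) -> str:
        """Record what the customer is about to confirm and return its identifier."""
        tx_id = secrets.token_hex(8)
        self.transactions[tx_id] = PendingTransaction(user, amount_cents, payee, now)
        return tx_id

    @staticmethod
    def dynamic_code(otp_key: bytes, tx_id: str, amount_cents: int, payee: str) -> str:
        """Dynamic linking: the one-time code is a MAC over the transaction itself,
        so it is unique to this payment and useless for any other amount or payee."""
        msg = f"{tx_id}|{amount_cents}|{payee}".encode()
        digest = hmac.new(otp_key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def authorise(self, user: str, tx_id: str, password: str, code: str,
                  amount_cents: int, payee: str, now: float) -> str:
        enrolment = self.users.get(user)
        tx = self.transactions.get(tx_id)
        if enrolment is None or tx is None or tx.user != user:
            return "DECLINE: unknown user or transaction"
        if tx.consumed or now - tx.created > TX_LIFETIME_SECONDS:
            return "DECLINE: transaction expired or already used"
        if (amount_cents, payee) != (tx.amount_cents, tx.payee):
            return "DECLINE: transaction details changed"   # what was shown must be what runs
        if not hmac.compare_digest(_hash_password(password, enrolment.salt), enrolment.password_hash):
            return "DECLINE: knowledge factor failed"        # something you know
        expected = self.dynamic_code(enrolment.otp_key, tx_id, amount_cents, payee)
        if not hmac.compare_digest(expected, code):
            return "DECLINE: possession factor failed"       # something you have, bound to this tx
        tx.consumed = True
        return "APPROVE"


def demo() -> dict[str, str]:
    """A genuine confirmation, a replay of it, an intercepted code pointed at a
    different payee, and a stolen phone without the password."""
    server = ScaServer()
    password = "correct horse battery staple"  # constructed credentials
    device_key = server.enrol("alice", password)
    t0 = time.time()
    results: dict[str, str] = {}

    tx1 = server.start_transaction("alice", 4999, "ACME Webshop", t0)
    code1 = ScaServer.dynamic_code(device_key, tx1, 4999, "ACME Webshop")  # what the phone shows
    results["customer confirms"] = server.authorise("alice", tx1, password, code1, 4999, "ACME Webshop", t0 + 5)
    results["replay of same confirmation"] = server.authorise("alice", tx1, password, code1, 4999, "ACME Webshop", t0 + 10)

    # Attacker knows the password and intercepted code1, and wants a bigger payment elsewhere.
    tx2 = server.start_transaction("alice", 99900, "Mule Account", t0 + 20)
    results["intercepted code, other payee"] = server.authorise("alice", tx2, password, code1, 99900, "Mule Account", t0 + 25)

    # Attacker holds the phone but not the password.
    tx3 = server.start_transaction("alice", 4999, "ACME Webshop", t0 + 30)
    code3 = ScaServer.dynamic_code(device_key, tx3, 4999, "ACME Webshop")
    results["right code, wrong password"] = server.authorise("alice", tx3, "hunter2", code3, 4999, "ACME Webshop", t0 + 35)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:32} -> {outcome}")
```

The order of the checks matters: the server first pins the transaction the customer saw (amount and payee) to the one it will execute, then tests the two factors separately, so a failure of either one is a decline and a code captured for one payment cannot be re-pointed at another.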
Carlos Häuser
Executive Vice President
Wirecard AG

About Carlos Häuser: Carlos Häuser is Executive Vice President responsible for the Payment & Risk/Shared Services divisions at Wirecard AG. He is also Managing Director of Wirecard Technologies GmbH and, therefore, responsible for strategic development at the Munich-based payment processing firm.

About Wirecard AG: Wirecard AG is a global technology group that supports companies in accepting electronic payments from all sales channels. As a leading supplier, the Wirecard Group offers outsourcing and white label solutions for electronic payments. A global platform bundles international payment acceptances and methods with supplementary fraud prevention solutions. Wirecard AG is listed on the Frankfurt Securities Exchange.
www.wirecard.com

Further safety standards may increase acceptance

Obviously, there are some critics who fear that surplus data will be stored alongside the electronically captured personal, physical and behavioural data. Additional information may relate to a person's character, their health or ethnic background.

This means that all users of biometric identification methods are obliged not to pass on the respective data to any third parties. Confidential data must also be deleted immediately once it is no longer relevant for its original, stipulated use. The European Commission will therefore be required to issue directives aimed at ensuring mass suitability of new security measures.

Biometric identification methods can increase the acceptance and use of electronic payments such as mobile payments around the world. The use of fingerprint sensors improves user-friendliness. For example, a user can quickly enter information without the need to remember a PIN, password or swipe pattern. At the same time, the function increases the customer's sense of security because a mobile payment can only be made once a fingerprint reading has been approved. These are decisive factors in the acceptance of all new electronic payment methods.
Consult Hyperion
Tokenization: From Account Security to Digital Identity

Tokenization, the process of replacing a card account number (PAN) with an alias (token) which can only be used in defined domains, is a technology that has been around for years. However, in a world in which consumers can pay from multiple devices using the same bank account, tokenization is now a core technology for payment companies, rather than an esoteric sideline.

Simplifying the multi-device payment challenge

If consumers want to store their card details on a website to simplify future payments, then their PAN can be sent to a Token Service Provider (TSP) to generate and return a token. The retailer stores the token and uses it when the consumer wants to transact, by sending the tokenized payment transaction to the TSP to de-tokenize the token back to the PAN before it is passed on to the issuer for authorisation. Because the merchant stores the token and not the PAN, and because the token can only be used on that specific website, the impact of any data breach at the merchant is vastly reduced.

Added to this mix is the use of tokens for mobile EMV payment methods like Apple Pay and Android Pay. The rationale for using tokens in the mobile EMV space is twofold: firstly, a stolen token is of little use without the handset, which constitutes its domain of use; secondly, the issuer does not have to issue a new card: they can simply create a token for an existing one and use the same underlying bank account. Neatly, this allows mobile EMV issuance to be done in real time, because all that is being issued is a tokenized replica of an already issued physical card, so KYC and AML processes are already complete.

Currently, the most popular model of TSP deployment is within the payment networks; for example, Visa and MasterCard have developed their own tokenization services. For the schemes, this has the advantage of driving traffic through their networks, and it offers a straightforward solution for issuers. It is less popular with issuers who acquire their own transactions, bypassing the scheme networks. They then need to pass requests back to the schemes in order to de-tokenize, and have to pay for the privilege.

Unsurprisingly, there is a move to unbundle tokenization services so that such issuers can tokenize their own cards using either in-house or non-scheme outsourced TSPs.

Managing risk in a tokenized environment

Tokenization improves bank account security because the fewer places the real PAN is stored in, the less likely it is to be stolen. The obvious downside of this is that the additional processes of tokenizing and de-tokenizing add processing time and costs to the issuing and authorisation processes. Perhaps the less obvious downside is that tokenization moves the locus of attacks away from retailers and onto the TSPs who hold the Token Vaults linking PANs and Tokens. It is not hard to see how these organisations will become attractive targets for organised crime.

Despite this, placing the security of PANs in the hands of a relatively small number of specialist TSPs should improve the overall security of the payments ecosystem. It also reduces the security burden on retailers and mobile wallet providers, who can concentrate on their primary objective of satisfying the consumer.

Risk management is the current hole in tokenization solutions. A token is not just a PAN; it is a PAN plus a set of domain controls determining who and where it can be used. A token issued to a retailer can only be used by that retailer, a token issued to a mobile device can only be used from that device, a token issued for a specific time period can only be used during that period, and so on. More work is needed on these domain controls to refine them and make them properly usable and interoperable. Additionally, having the same card tokenized to lots of different locations makes risk-based transaction analysis difficult: someone's behaviour when using a physical card may differ from how they use a mobile NFC device or an ecommerce website. These are all recognised issues and are being worked on by standardisation groups and vendors, but it serves to remind us that tokenization is still a work in progress.
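As an added example of the domain controls described above (written for this guide, not Consult Hyperion's code and not any scheme's token specification), here is a small Token Service Provider vault in which each token carries a merchant, device and time-period restriction that de-tokenization enforces, so a token lifted from one merchant's database or one handset is refused everywhere else. The `TokenVault`, `DomainControls` and `Presentation` names, the made-up token BIN and the choice of 16-digit Luhn-valid tokens (so they fit existing PAN fields) are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed illustration of a TSP vault. TOKEN_BIN, the identifiers and the
# PAN are made up; the Luhn-valid 16-digit token format is an assumption chosen
# so tokens can travel through systems that expect a card number.

TOKEN_BIN = "999900"


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # digits at even offsets from the check digit are doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass(frozen=True)
class DomainControls:
    """Who, where and when a token may be used; None means unrestricted."""
    merchant_id: Optional[str] = None
    device_id: Optional[str] = None
    not_after: Optional[float] = None


@dataclass(frozen=True)
class Presentation:
    """Context forwarded with the tokenized transaction at de-tokenization time."""
    merchant_id: Optional[str] = None
    device_id: Optional[str] = None
    at: float = 0.0


class TokenVault:
    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, DomainControls]] = {}

    def tokenize(self, pan: str, controls: DomainControls) -> str:
        """Issue a fresh random token bound to the given domain controls."""
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._entries:
                break
        self._entries[token] = (pan, controls)
        return token

    def detokenize(self, token: str, ctx: Presentation) -> tuple[Optional[str], str]:
        """Return (pan, 'OK') only if every domain control passes, else (None, reason)."""
        entry = self._entries.get(token)
        if entry is None:
            return None, "unknown token"
        pan, controls = entry
        if controls.merchant_id is not None and controls.merchant_id != ctx.merchant_id:
            return None, "token not valid for this merchant"
        if controls.device_id is not None and controls.device_id != ctx.device_id:
            return None, "token not valid from this device"
        if controls.not_after is not None and ctx.at > controls.not_after:
            return None, "token expired"
        return pan, "OK"


def demo() -> dict[str, str]:
    """The three domain types from the text, each exercised inside and outside its domain."""
    vault = TokenVault()
    pan = "4000001234567899"  # constructed, not a real card
    now = time.time()
    shop_token = vault.tokenize(pan, DomainControls(merchant_id="shop-A"))
    phone_token = vault.tokenize(pan, DomainControls(device_id="handset-7f3a"))
    temp_token = vault.tokenize(pan, DomainControls(merchant_id="shop-A", not_after=now + 3600))
    cases = {
        "card on file, used at shop-A": (shop_token, Presentation(merchant_id="shop-A", at=now)),
        "same token stolen, used at shop-B": (shop_token, Presentation(merchant_id="shop-B", at=now)),
        "wallet token from enrolled handset": (phone_token, Presentation(merchant_id="shop-B", device_id="handset-7f3a", at=now)),
        "wallet token from another device": (phone_token, Presentation(merchant_id="shop-B", device_id="handset-0000", at=now)),
        "time-limited token after expiry": (temp_token, Presentation(merchant_id="shop-A", at=now + 7200)),
    }
    return {name: vault.detokenize(token, ctx)[1] for name, (token, ctx) in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:36} -> {outcome}")
```

Note where the trust sits: the merchant and the wallet never see the PAN, and the vault's mapping is the only place the three tokens for the same card come together. That is the concentration of risk the article describes, and it is why the vault, not the retailer, has to be the hardened component.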
Tim Richards
Principal Consultant
Consult Hyperion

About Tim Richards: Tim Richards has over 25 years' experience designing secure smart card solutions across payments, mobile, transit, identity, passport, healthcare and loyalty solutions, covering both issuance and transaction processing.

About Consult Hyperion: Consult Hyperion is an independent consultancy. We hold a key position at the forefront of innovation and the future of transactions technology, identity and payments. We are globally recognised as thought leaders and experts in the areas of mobile, identity, contactless and NFC payments, EMV and ticketing.
www.chyp.com

Tokenizing identity

Tokenization offers issuers other opportunities. At the moment, some merchants use PANs as a rudimentary form of digital identity. However, because this 'identity' is linked directly to a bank account, they risk exposing the cardholder details to attackers, as seen in the Ashley Madison attack; a token does not carry the same risk. As a token is linked to a bank account at the TSP, not at the retailer, and as most bank accounts require that the cardholder has already undergone identity checks, a token can be used as a form of digital identity. A token issued for this purpose, with the appropriate domain controls in place, could then be authorised by the issuer without compromising the security of the account. So, 'digital identity' tokens could be used for age verification or geographical location checking without revealing any underlying details of the cardholder or the account.

In summary, tokenization increases account security, with the downside of increased costs which may not be able to be passed on to merchants and cardholders. But it also opens up new business opportunities for issuers and, in a densely connected digital environment, the value of these opportunities will vastly outweigh the costs.
Biometrics Institute

Biometric authentication has become commonplace in an array of fields, payments included. In this interview, the Biometrics Institute emphasises how biometrics could be a privacy enhancing technology, if implemented responsibly.

What is the mission of the Institute?

Our mission is to promote the responsible use of biometrics in an independent and impartial international organisation. I would like to highlight a few of our achievements, starting with the development of a first Biometrics Privacy Code, which was approved by the Australian Privacy Commissioner in 2006. It has now developed into international privacy guidelines promoting best practices for biometrics.

In 2008, we developed a Biometric Vulnerability Assessment Methodology, which led us to setting up the Biometrics Institute Vulnerability Assessment Expert Group (BVAEG) in 2010. It consists of UK and German government representatives, as well as academics from the US, Europe and Japan. The BVAEG has regular exchanges to raise awareness about the need for vulnerability testing, to find a common methodology and engage with the standards community at the same time.

Biometric authentication seems to become commonplace in the payments industry. Is the biometrics-based recognition system a friend or foe when it comes to privacy?

If implemented responsibly, it is certainly a privacy enhancing technology. Biometric authentication has the potential to ease the burden of security given its simplicity and usability. All security technologies have flaws, including PINs and passwords. Under determined attack, none will guarantee absolute security. Most biometrics are not 'secret' and should be used with a secure second factor. Security relies not only on one factor but also on combining them, such as relying on a PIN and fingerprint.

There are a number of technologies, both software and hardware, which can be used to detect such spoofing attacks. When we provide a biometric or other sensitive personal data, it does come down to a question of trust and control. Governments are typically required to put very robust trust models in place to ensure end-to-end security is provided through government accredited networks, compliance processes for privacy and record keeping legislation, assurance mechanisms involving partnerships and processes around access to data, for example. When some organisations are involved, the end-to-end security and assurance just might not exist – what happens with your face, your fingerprints in that environment is potentially riskier and requires far more than just a technology solution.

Another question is control and data retention. What happens to that biometric? Who looks after it, at what point in time is it destroyed? Should it be after a person leaves school or a particular job? What processes exist for managing any compromise of identity data, for re-establishing confidence in identity, for redress?

We have seen many successful implementations where biometrics have helped transform identity management, privacy protection and identity security, like electronic passports facilitating a better and more secure travel experience. Likewise, large-scale identity management systems, such as the Indian Unique Identity (UID) scheme, facilitate the delivery of government services to the poor and marginalised. If we get the privacy and vulnerability issues addressed and create trust and control for the consumer, I think biometrics have a great future.

When it comes to wearable technologies and authentication, what are the implications of using personal biometric data as the virtual keys that unlock our very real lives?

We are seeing biometrics appear more and more in everyday life, as predicted by the Biometrics Institute survey in 2014 and again in 2015. Their use offers consumers great convenience and increased security at the same time. We are seeing a growing number of wearable devices and the use of fingerprint biometrics on mobile devices.
With a biometric on a wearable device, users are now able to query that device and authenticate themselves as the user of that device. If that device is stolen, that authentication does not work. So, it provides that extra level of security which allows those devices to be used securely, for payments purposes, for example. The person gets identified more accurately and securely than with PINs and passwords.

Do you know if there is any legislation and regulation in place to cover the privacy and security aspects of biometric technology?

The public requires assurance that biometrics managers are giving due consideration to privacy and data protection when they are considering, designing, implementing and managing biometrics-based projects. The Institute, for instance, has therefore developed several best practice documents to help guide members along the way, namely the Biometrics Institute Privacy Awareness Checklist and Biometrics Privacy Guideline.

Different countries have different legislation. Australia, for example, introduced new privacy principles in March 2014. The Science and Technology Committee of the UK government proposed an open and public debate around the use of biometrics by the Government to build trust in biometrics. The Committee released its "Science and Technology - Sixth Report: Current and future uses of biometric data and technologies".

The Biometrics Institute is also working on a proposal to create a trustmark. The trustmark is aimed at giving consumers in the private sector and users of government services access to personal records and confidence in the responsible use of an identity product or service that incorporates biometrics. This will give biometric solutions providers and operators a tool to demonstrate that due consideration has been given to privacy and trust during planning and implementation.

Isabelle Moeller, Chief Executive, Biometrics Institute

About Isabelle Moeller: Isabelle is a biometrics expert instrumental in the growing network of The Biometrics Institute. She has played a key role in the establishment of the independent and impartial international Biometrics Institute, in particular through bringing together biometrics experts from around the world.

About Biometrics Institute: The Biometrics Institute is a not-for-profit membership organisation with offices in the UK and Australia. Since 2001 it has been promoting the responsible use of biometrics and providing an un-biased forum offering information, education and training on biometrics.

www.biometricsinstitute.org
Natural Security Alliance
Bring Your Own Authentication: The Next Revolution against Web Fraud
Two major trends in the field of online payments have been confirmed in the past two years. First of all, the increase in fraud is undeniable, while users are turning to smooth systems to authenticate their online transactions.

We will quickly look at the first trend by illustrating it with a few figures for the French market. A study published by the French National Supervisory Body on Crime and Punishment (ONDRP) revealed that more than 800,000 households have been victims of banking fraud. Of those that managed to identify how they were scammed, one third had their payment details stolen while shopping online.

To resolve this, regulators have issued a number of recommendations at the European level: Revised Payment Services Directive (PSD2) and Guidelines on the Security of Internet Payments (European Banking Authority’s Guidelines).

But, in terms of technology, the power is in the users' hands. They decide whether to use and adopt a technology or not. A few years ago, there were those who refused standard office automation tools and turned to tablets (more mobile, better suited for viewing content) and smartphones (to be connected without being at a desk) instead.

The Bring Your Own Device (BYOD) system, which is a rejection of over-complex systems, has spread in the field of payments. Users massively refused One Time Password (OTP) and, in general, all systems which require fastidious data entry to make an online payment.

These examples illustrate that users always opt for simplicity. The position of smartphone manufacturers (Apple, Samsung) and of social networks (Facebook, Twitter, LinkedIn) is a good illustration of the need for simplification and standardisation. To unlock a telephone, all you need to do is put your finger on a biometric sensor. To connect to a social network account, you just have to enter a password. Easy access is now the first condition for using a service.

But, the generalisation of biometrics is not restricted to simply becoming a standard for unlocking telephones. It opens the world of the telephone to proximity payments (Apple Pay, Samsung Pay) and especially to in-app payments. Users can thus make a transaction on their mobile phone without having to enter a card number or password.

We are also witnessing the generalisation of Bring Your Own Authentication (BYOA), following on from Bring Your Own Device. These technologies and new approaches to ergonomics break with the authentication systems traditionally provided by banks. Up to now, they have provided technologies chosen by them: they will now have to rely on third-party systems, without having full visibility of performance. These new systems are opening the way for new payment players (e.g. wallet, electronic cash, SEPA) by offering a wider choice for the end user in terms of online payment.

However, many questions concerning implementation, openness and evaluation have not been sufficiently addressed. A prime example of the consequences can be seen in the recent disclosure that the Android OS contains malware capable of potentially stealing fingerprint data from devices, such as Samsung Galaxy S5’s fingerprint reader, before they reach a secure processor. The market is clearly waiting for certain key details to be fleshed out before biometrics can really take off.

There is still work to be done on evaluating the different implementations for authenticating access to value-added services.

The spread of biometric solutions also signals a change in business models, as new actors become a necessary link in the transaction and value chains.

In this rationale of IT consumerisation, we will see new devices (for example, SesameTouch developed by Trust Designer) emerge, devices which can be used to authenticate oneself and make online payments without having to use a system provided by a bank. These devices represent a third avenue as they are in line with open logics, depending on evaluation and certification schemes, for example.
André Delaforge, Head of Communication, Advisory Committee, Natural Security Alliance

A study recently published by Mobey Forum (Mobey Forum’s Biometrics Survey Results, July 2015) clearly shows strong demand for open interfaces. 83% of surveyed companies considered open interface implementation of fingerprint sensors as an opportunity, allowing banks or trusted service providers to control the authentication data.

In the BYOA rationale, there is clearly a place and demand for authenticators which make online transactions possible where the user can choose the platform of the transaction.

Broadly speaking, the term ‘authenticator’ refers to any technology that can authenticate a user before he or she reaches an interface that provides access to a service. Authenticators can come in different formats, such as a chip card and reader (e.g. for payment in a store), an OTP token or even a simple login and password on a computer. Biometrics is becoming increasingly commonplace for authenticators, but, as previously stated, there still are a couple of issues that need to be addressed. For example, interoperability must be made standard, so that service providers can accept the authenticators deployed, and consumers are not limited to where they can shop for goods and services.

These authenticators will, and should, rely on an open architecture paving the way for an "Implementing an evaluation scheme" in order to create an open ecosystem of technologies suited to different use cases.

About André Delaforge: André joined Natural Security in February 2010 to lead various aspects of marketing and business development. Prior to joining Natural Security, André was in charge of business development for biometric and RFID technologies for a large electronic manufacturer.

About Natural Security Alliance: The Natural Security Alliance is a global community of preeminent companies dedicated to accelerating the adoption and ongoing development of Natural Security Technology based solutions. It is comprised of some of the most influential companies in the world from the retail, banking, payment and IT communities.

www.naturalsecurityalliance.org
INSIGHTS INTO ELECTRONIC IDENTITIES IN EUROPE
Signicat
Digital ‘Marble’ - Onboarding in the Age of Electronic Identity
Background

A century ago, banks managed to establish trust in the public at large by building bank palaces made of marble.

Nowadays, banks need to establish trust in a virtual world. In particular, they need to prove the identity of their customers online. This is difficult enough for banks operating in a single market. For banks operating in a pan-European market, it becomes an even greater hurdle.

Luckily, a digital ‘marble’ that can be used to establish trust online exists in the form of electronic identity. In markets where electronic identity is readily available, experience shows that using electronic identity for online onboarding can lead to a dramatic increase in conversion rates.

Nordic practice

The Nordic countries – Denmark, Finland, Norway and Sweden – stand out among the regions where electronic identity has been widely deployed. In these countries, a large majority of the adult population has access to electronic identity that has been issued by the banks, the government or a telco.

Key to the success of these identities is that they can be utilised across a wide range of services in the public and private sector. This ensures a high frequency of usage, which lowers the barrier for using the e-ID. Cooperation between the parties involved is based on acknowledging that the value of a common platform is greater than the sum of its parts. This has led to the emergence of common technology and regulations ensuring the electronic ID interoperability across sectors.

The European dimension

The Nordic countries have been pioneers in the use of electronic identity for digital onboarding. However, the rest of Europe is now following suit.

Countries like Germany and Spain continue to develop their national infrastructure for electronic ID, while Estonia and Belgium have made considerable progress in deploying a national e-ID infrastructure. The new European regulation on electronic identity and trust services (eIDAS), which was approved in 2014, will also contribute to driving acceptance and interoperability of e-ID and e-signature in the European market.

However, the ongoing establishment of cross-industry schemes or federations for e-ID is equally interesting. These are established by banks, telecommunications companies and others who want to exploit the network effect of providing electronic identity across industries and businesses. Examples of such ecosystems include the recent partnership between Dutch banks to establish a federation of electronic identity, the MyBank initiative by the EBA and GSMA Mobile Connect.

What is common to these initiatives is that they connect existing electronic identity in federations. Thus, a customer of a Dutch bank can use his online banking login to establish a customer relationship with an ecommerce retailer. Initiatives like the Dutch interbank login and MyBank hold significant potential for the rapid deployment of digital onboarding. They build on existing electronic identity that already is in frequent use for internet banking, sidestepping the need for costly and time consuming deployment of new electronic identity.

Uniting the fragmented e-ID landscape

The development of e-ID in Europe has mainly been done within a national scope, with a limited degree of coordination. This has resulted in a fragmented infrastructure that presents challenges to service providers aiming to reach a broad audience.

For instance, a service provider in Norway who wants to address the largest possible audience would need to implement support not only for Norwegian BankID and the Buypass eID, but also for the MinID eID and the Commfides eID.

If service providers run a pan-Nordic operation, which is often the case, they would need to implement support for up to 12 different e-IDs. In the absence of a universal (or at least regional) e-ID scheme, the implementation effort soon becomes unmanageable. This situation will prevail also in a post-eIDAS Europe: while eIDAS
ensures a common framework for electronic identity and electronic signature, it will not guarantee technical interoperability in any way.

Identity hubs as new paradigm for solving fragmentation

A new kind of service offering has emerged to address the need for simple integration with the e-ID infrastructure. Currently, Signicat has over 150 customers hooked up to its online identity hub.

Signicat’s customers are typically banks, finance and insurance companies that want to use publicly available e-ID for strong authentication or electronic signatures. The company operates as an identity hub or identity broker. Its customers select which e-IDs they want to accept and Signicat sets up a service providing access to them. In addition to giving access to third-party e-IDs, Signicat can also play the part of an e-ID issuer for customers who want to provide their end-customers with a proprietary e-ID.

Gunnar Nordseth, CEO, Signicat

About Gunnar Nordseth: Gunnar is a veteran of the software industry and a founder of three software companies all based in Trondheim. Since 2007 he has been involved in establishing Signicat as a global leader of cloud-based services for electronic identity and electronic signature.

About Signicat: Signicat is a leading provider of identity services in Northern Europe. The company offers a unique identity-as-a-Service, giving multinational, national companies and government institutions easy access to a range of national e-ID infrastructures through a single point of integration. Customers use Signicat services for authentication, digital signature of documents/text and long term validation and archiving.

www.signicat.com
Vision for Europe
Trust and digital identity is a prerequisite for cross-border
transactions. Without them, the growth potential will be limited.
Merchants wishing to do cross-border commerce need to
know their customers, and the only realistic way to do this is
through electronic identity. The best solution is to outsource the
complexity of identification and authentication to specialists, just
as the merchants did with payments. Identity providers do not
only specialise in protecting customers from identity theft, but also
in allowing customers to re-use their existing IDs and credentials,
thus preventing the build-up of a ‘digital key chain’.
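The identity-hub pattern described in this article (the service provider chooses which e-IDs to accept; the hub exposes one integration point and hands back a normalised identity) as an added example. This is not Signicat's code or API: the provider names are the ones the article lists, but the assertion fields, adapters, assurance labels and sample data are all constructed for illustration, and cryptographic verification of each provider's signed token is assumed to have happened before an adapter runs.

```python
"""Identity hub / broker: one integration point in front of several e-IDs.

Added example, not Signicat's code. Assertion fields, adapters, assurance
labels and sample records are constructed; signature verification of the
provider token is assumed to happen upstream and is not shown.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

# eIDAS-style assurance scale, ordered low -> high (labels are an assumption).
ASSURANCE_RANK = {"low": 0, "substantial": 1, "high": 2}


@dataclass(frozen=True)
class Identity:
    provider: str       # which e-ID vouched for the user
    subject: str        # identifier as scoped by that e-ID
    display_name: str
    assurance: str      # normalised onto ASSURANCE_RANK


class HubError(Exception):
    """Assertion rejected by the hub before the service provider sees it."""


# Per-provider adapters map each e-ID's own attribute names onto the hub's
# common Identity. Field names here are constructed, not the real schemas.
def _bankid(a: Dict) -> Identity:
    return Identity("BankID", a["uniqueId"],
                    f"{a['firstName']} {a['lastName']}", "high")


def _buypass(a: Dict) -> Identity:
    return Identity("Buypass", a["subject_id"], a["common_name"], "high")


def _minid(a: Dict) -> Identity:
    return Identity("MinID", a["pid"], a["name"], "substantial")


ADAPTERS: Dict[str, Callable[[Dict], Identity]] = {
    "BankID": _bankid, "Buypass": _buypass, "MinID": _minid,
}


@dataclass(frozen=True)
class ServiceProvider:
    name: str
    accepted_eids: FrozenSet[str]   # the customer picks which e-IDs to accept
    min_assurance: str              # assurance floor the customer requires


class IdentityHub:
    def __init__(self, hub_id: str, adapters: Dict[str, Callable] = ADAPTERS):
        self.hub_id = hub_id
        self.adapters = adapters

    def authenticate(self, sp: ServiceProvider, provider: str,
                     assertion: Dict, now: int) -> Identity:
        """Turn a provider assertion into a common Identity, or refuse it."""
        # 1. the hub itself must integrate this e-ID
        if provider not in self.adapters:
            raise HubError(f"unsupported e-ID: {provider}")
        # 2. the service provider must have switched it on
        if provider not in sp.accepted_eids:
            raise HubError(f"{sp.name} does not accept {provider}")
        # 3. the assertion must be meant for this hub and still be valid
        if assertion.get("aud") != self.hub_id:
            raise HubError("assertion audience mismatch")
        if assertion.get("exp", 0) <= now:
            raise HubError("assertion expired")
        ident = self.adapters[provider](assertion)
        # 4. the normalised assurance level must meet the customer's floor
        if ASSURANCE_RANK[ident.assurance] < ASSURANCE_RANK[sp.min_assurance]:
            raise HubError(f"{provider} assurance '{ident.assurance}' is below "
                           f"'{sp.min_assurance}' required by {sp.name}")
        return ident


def demo() -> Dict[str, str]:
    """Run a few constructed logins through one hub and report each outcome."""
    hub = IdentityHub("hub.example")
    shop = ServiceProvider("NordicShop", frozenset({"BankID", "MinID"}), "substantial")
    now = 1_000
    attempts = {
        "bankid_ok": ("BankID", {"aud": "hub.example", "exp": 2_000, "uniqueId": "subj-001",
                                 "firstName": "Kari", "lastName": "Nordmann"}),
        "buypass_not_enabled": ("Buypass", {"aud": "hub.example", "exp": 2_000,
                                            "subject_id": "subj-002", "common_name": "Ola Nordmann"}),
        "minid_expired": ("MinID", {"aud": "hub.example", "exp": 900,
                                    "pid": "subj-003", "name": "Per Hansen"}),
        "commfides_unsupported": ("Commfides", {"aud": "hub.example", "exp": 2_000}),
    }
    results = {}
    for label, (provider, assertion) in attempts.items():
        try:
            ident = hub.authenticate(shop, provider, assertion, now)
            results[label] = f"ok:{ident.provider}:{ident.subject}"
        except HubError as err:
            results[label] = f"rejected:{err}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:24s} {outcome}")
```

The point of the four ordered checks is that the service provider integrates once and never has to know a provider's token format; adding a fifth e-ID means adding one adapter in the hub, not a new integration at every customer.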
MyBank
Electronic Identity Verification: How MyBank Can Help
In recent years, ecommerce has been experiencing a great degree of technological upheaval: e-wallets, NFC (near field communication), Apple/Samsung/Google ‘pay’, third-party access to the account – how you pay for things is now becoming as important as what you pay for.

Underlying these changes is trustworthy identity verification, which means customers and other actors identify themselves digitally to third-parties that require their information. This is the keystone that future online commerce will be built on.

Electronic identity verification (or e-identity for short) has been featured prominently in regulatory discussions in recent years. Electronic identity legislative frameworks (either directly or indirectly) have moved to the front of the agenda. This is due to the revised Payment Services Directive (PSD2), the recommendations developed by the European Forum on the Security of Retail Payments (SecuRe Pay), the ‘Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC’ (e-IDAS) and the 4th Anti-Money Laundering (AML) Directive.

Furthermore, businesses are daily being confronted with new challenges as society switches to digital channels. Some of the most common are:
• How to verify identity: who are businesses really dealing with?
• How to verify age?
• How to perform customer due diligence?
• How to obtain consent to sign up services?

With no standardised electronic means of verifying such functions, businesses face rising costs and are often obliged to implement workarounds that usually involve consumers physically handing over large quantities of private data, or filling out paper forms.

How does online identity verification work?

Online identity verification is an electronic means of proving that you are who you say you are and that the attributes you claim to possess (name, age, address, passport number etc.) really are yours. This is of highest importance in facilitating online transactions, particularly for reasons of security: avoiding fraud, securing against identity theft, complying with anti-terrorism concerns and so forth.

In a traditional brick-and-mortar business, identity verification is relatively straightforward: a merchant requests your ID (national ID card, passport etc.), you hand it over and, presuming everything is OK, you receive your goods (e.g. alcohol in a supermarket). But, in other settings, this can be onerously time consuming. If you want to apply for a loan, you will probably have to manually fill out sheets of paper and send them all through the mail.

Digital has its challenges. How can merchants be sure their customers are who they say they are when both sides never physically interact? Can merchants be confident that purchases carried out are not tainted by fraudulent activity?

Digital experts at Innopay [Internal MyBank research conducted in conjunction with Innopay Consulting] estimate that there are currently 225 billion authentication transactions per year across e-mail, social media, ecommerce and e-government. Ecommerce and e-government account for 5.5 billion transactions.

How will MyBank play a role in this area?

MyBank and their Payment Service Providers (PSPs) partners, with their experience of processing complex, sensitive transactions, can bring real value to the market. With MyBank, consumers and businesses can already re-use their existing online banking account credentials to safely instruct their banks to provide account-related data to third-parties and purchase items online.

The online bank account is already the central repository for sensitive data in the form of payment information - it makes sense to re-use information linked to existing processes to facilitate the expansion of new services. Account Servicing PSPs are legally obliged to investigate that you are who you say you are before letting you create an account.

MyBank is distributed to participants (PSPs) which, in turn, contract with their clients (e.g. merchants) to make use of the service. The standard MyBank four corner model, which underpins all MyBank services, is detailed below.
Fatouma Sy, Head of Product Development, MyBank
John Broxis, Managing Director, MyBank

Figure 1: MyBank Operating Model

Banks and other payment service providers (PSPs) are important players in this arena for a number of reasons:
a. Rich and accurate customer data (‘Know your Customer’ information).
b. Proven, fraud-resistant authentication mechanisms.
c. Experience of a collaborative network.
d. Reach encompassing all citizens.
e. Trustworthiness. Consumers trust their own bank.

The online bank account is primed to become a central hub for online activity. Most of us already consult our account balance on our computer or mobile app on a regular basis. Some of us also hold insurance through our bank. We already trust our bank with much of our most precious data. It is clear why consumers would be eager to extend the benefits of the online bank account to validate their age or other sensitive information.

As a pan-European solution, MyBank facilitates the:
• Unbundling of valuable authentication services from payments.
• Enabling of controlled online availability of valuable information.
• Creation and positioning of digital identity services toward the market via a harmonised and recognised user experience.
• Elimination of fragmentation.

The MyBank Identity Verification pilot involving PSPs, merchants and technical integrators began in November 2015 and will continue into early 2016. The objective of the pilot is to test the use cases, refine the business model and ensure that the technical model is best fitted to the market’s needs.

About Fatouma Sy: Fatouma Sy is Head of Product Development at MyBank. She has worked on the development of the solution since EBA Clearing decided to launch an E-services initiative in 2010.

About John Broxis: John Broxis is the Managing Director of MyBank. Prior to heading up MyBank, John was director of STEP2 at EBA Clearing.

About MyBank: MyBank is a pan-European e-authorisation solution which enables safe digital payments and identity authentication through a consumer’s own online banking portal or mobile device. With its participant banks, MyBank went live in March 2013 with SEPA Credit Transfers. Since then, MyBank has launched SEPA electronic mandate services and is now piloting ‘MyBank Identity Verification’.

www.mybank.eu
All company profiles in the Web Fraud Prevention, Online Security & Digital Identity Market Guide are available online in an enhanced company profiles database, complete with keywords, company logo and advanced search functionality: http://webfraud-eidentity.thepaypers.com/
DIGITAL IDENTITIES AND TECHNOLOGIES AT THE HEART OF SECURITY
Innovate Identity
Identity of Things (IDoT): A New Concept in Managing Identities
Gartner predicts that there will be 4.9 billion connected ‘things’ in use by 2015. This figure is expected to rise to anywhere between 25 billion or 50 billion by 2020, depending on which report you read.

The Identity of Things (IDoT) is an extension to identity management and encompasses all entity identities, whatever form the entities may take. The identities are then used to define relationships among the entities, namely between a device and an individual, a device and another device, a device and an application/service, or (as in traditional Identity Access Management) an individual and an application/service.

Why identity underpins IoT

So, what do we mean by identity? Identity is the collective aspect of the characteristics set via which a ‘thing’ is definitively recognisable or known. As the IoT network gets more sophisticated, and more data is taken, the more links are made between person and device. Moreover, as this length of time increases, the more valuable that data becomes. Identity is therefore intrinsically linked to IoT. Additionally, as the IoT network grows, so do the issues around security of data, user consent, control and privacy.

Identity is generally proved through a sophisticated and complex set of identity verification and authentication techniques. However, there are no set standards across the board on how we should deal with identity, which leaves multiple threat vectors for fraudsters to exploit.

With more connections and points of entry, IoT inherently increases exposure to cyber risk. And, within the hyper-connected domain of IoT, one small data breach can have a domino effect across several connections. This data also creates issues for the user around privacy, consent and control over their personal data. Who owns the data? Who can share it? Where is it stored? Can it be shared with third-parties without the user’s knowledge?

This skyrocketing growth, in connected devices such as those in the health sector, means that, in many cases, the user and the device are linked to each other. By having the users sharing data with the device, they gain more value from the device itself. The more data users share, the more value they get back. The Internet of Things, therefore, means an increase of data production, location data, personal preference data, health data, usage data and so on.

This data is incredibly valuable for the organisations collecting it. If a user had a health band, it means that insurance could be underwritten based on the individual’s level of fitness, allowing access to better insurance premiums. Affiliated marketing would target the users around sports they enjoy or even offer location-based special offers for local stores. This data is also valuable for the users to share amongst their peers, allowing them to benchmark their fitness against others.

But, what are the security consequences of generating and storing such data? Central repositories of data create attractive targets for hackers and, with high profile data breaches in the press, daily, this issue shows no sign of slowing down.
Emma Lindley, CEO, Innovate Identity

Some countries have centralised government systems for identity. However, these centralised systems are open to attack. In some cases, due to vulnerabilities, these centralised systems have been subject to widespread identity fraud at a national level.

Organisations creating connected devices have their own ways of dealing with security and identity. Still, they too are effectively mini-centralised systems, meaning that they are no less vulnerable to attackers, but arguably less attractive due to their size.

Conclusion

As we hand over more and more of our decision-making to our connected devices, it is imperative that we have identity-focused and secure infrastructures in place that are capable of managing the growing complexity of the emerging connected world.

An overall decentralised identity scheme, similar in size and scale to the payments scheme, is required to deal with the security, privacy, consent and control issues we have with identities. Such a scheme would allow many organisations to offer identity solutions developed to the standards set, and those developing connected devices to adopt those solutions.

IoT devices will need to be mapped to this scheme, which will need to ensure there are ways to make it easy for the end user (the ultimate data owner) to understand and embrace. IoT presents a huge opportunity. However, in order to grow, it requires an identity layer to underpin it and allow scale in a secure way.

About Emma Lindley: Emma has over a decade of experience working with technology-led identity and age verification systems. Her focus is the intersection of technology, digital life, identity and privacy, and she is passionate about solutions which enable trust and inclusion on the Internet. Emma founded Innovate Identity in 2012 to address the need to provide thought leadership, clarity and practical solutions into a changing and increasingly complex identity market place.

About Innovate Identity: Innovate Identity (InID) is an independent consultancy working with clients from fintech start-ups through to major blue chips, supporting their identity needs. From Know Your Customer and Anti Money Laundering regulatory requirements, fraud prevention, security and data privacy, through to delivery of new identity propositions such as attribute exchange, personal data stores and blockchain technologies.

www.innovateidentity.com
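The Identity of Things article above defines identities for individuals, devices and services and then uses relationships between them (device-individual, device-service, individual-service) to answer the questions it raises: who owns the data, who may share it, and whether it can flow to a third party without the owner knowing. The following is an added illustration of that model and is not Innovate Identity's code; every entity name, relationship kind, data category and sample record is constructed for the example.

```python
"""Identity of Things: entity identities, typed relationships between them,
and data sharing gated on the data owner's consent, with an audit trail.

Added example, not Innovate Identity's code. Entities, relationship kinds,
data categories and the scenario in demo() are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Entity:
    kind: str   # "individual", "device" or "service"
    id: str


@dataclass
class Consent:
    categories: Set[str]   # data categories the owner allows to flow
    expires: int           # constructed timestamp after which consent lapses


class IdentityRegistry:
    """Identities plus the relationships the article enumerates: a device is
    bound to its owning individual, paired with services, and data flows only
    under a consent the owner has granted for that device/service pair."""

    def __init__(self) -> None:
        self.entities: Dict[str, Entity] = {}
        self.owner_of: Dict[str, str] = {}                       # device -> individual
        self.paired: Set[Tuple[str, str]] = set()                # (device, service)
        self.consents: Dict[Tuple[str, str, str], Consent] = {}  # (owner, device, service)
        self.audit: List[str] = []   # every decision, so the owner can see each flow

    def register(self, entity: Entity) -> None:
        self.entities[entity.id] = entity

    def bind_owner(self, device: str, individual: str) -> None:
        self._expect(device, "device")
        self._expect(individual, "individual")
        self.owner_of[device] = individual

    def pair(self, device: str, service: str) -> None:
        self._expect(device, "device")
        self._expect(service, "service")
        self.paired.add((device, service))

    def grant(self, owner: str, device: str, service: str,
              categories: Set[str], expires: int) -> None:
        # only the bound owner may consent on behalf of a device
        if self.owner_of.get(device) != owner:
            raise PermissionError(f"{owner} does not own {device}")
        self.consents[(owner, device, service)] = Consent(set(categories), expires)

    def may_share(self, device: str, service: str, category: str, now: int) -> bool:
        """Can `category` data from `device` flow to `service` right now?"""
        owner = self.owner_of.get(device)
        if owner is None:
            return self._decide(False, device, service, category, "device has no owner")
        if (device, service) not in self.paired:
            return self._decide(False, device, service, category, "device not paired with service")
        consent = self.consents.get((owner, device, service))
        if consent is None:
            return self._decide(False, device, service, category, "no consent from owner")
        if now >= consent.expires:
            return self._decide(False, device, service, category, "consent expired")
        if category not in consent.categories:
            return self._decide(False, device, service, category, "category not consented")
        return self._decide(True, device, service, category, "consented")

    def _expect(self, entity_id: str, kind: str) -> None:
        e = self.entities.get(entity_id)
        if e is None or e.kind != kind:
            raise KeyError(f"{entity_id} is not a registered {kind}")

    def _decide(self, allowed: bool, device: str, service: str,
                category: str, reason: str) -> bool:
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{verdict} {device}->{service} {category}: {reason}")
        return allowed


def demo() -> Dict[str, bool]:
    """Constructed scenario: a health band, its owner, a fitness app and an insurer."""
    reg = IdentityRegistry()
    for e in (Entity("individual", "alice"), Entity("device", "band-42"),
              Entity("service", "fitapp"), Entity("service", "insurer")):
        reg.register(e)
    reg.bind_owner("band-42", "alice")
    reg.pair("band-42", "fitapp")
    reg.pair("band-42", "insurer")
    reg.grant("alice", "band-42", "fitapp", {"steps", "heart_rate"}, expires=2_000)
    reg.grant("alice", "band-42", "insurer", {"steps"}, expires=1_500)
    return {
        "fitapp_heart_rate": reg.may_share("band-42", "fitapp", "heart_rate", now=1_000),
        "insurer_steps": reg.may_share("band-42", "insurer", "steps", now=1_000),
        "insurer_heart_rate": reg.may_share("band-42", "insurer", "heart_rate", now=1_000),
        "insurer_steps_later": reg.may_share("band-42", "insurer", "steps", now=1_600),
    }


if __name__ == "__main__":
    print(demo())
```

The registry answers the article's questions mechanically: the owner is whoever the device is bound to, only that owner can grant or scope a flow, consent is per device, per service and per data category with an expiry, and every decision lands in an audit list, so nothing reaches a third party without a record the owner can inspect.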
The Paypers
The Advent of IoT: Are We Facing A Trade-off Between Convenience & Security?
The online world has never been more dynamic or more challenging
Furthermore, data jointly released by Cisco and logistics service
than it is nowadays. The internet and groundbreaking technology
provider DHL reveals there are actually expected to be around 50
enhancements have reshaped our lives and transformed the way
billion internet-connected devices by 2020, which would represent
we do things, both in a business environment and in our personal
a significant increase in the number of connections. And this
space. Over the past few years, technologies such as cloud, mobile
is not all. The IoT will definitely continue to grow. According to
solutions, big data and analytics, which were once the frontier of the
payments industry, have become commonplace. And most recently, the Internet of Things (IoT) has been perceived as the new game changer. But what exactly is the IoT and why has it been heralded as the next major revolution in business computing?

The Internet of Things refers to the networking of physical objects through the use of embedded sensors, actuators and other devices that can collect or transmit information about the objects. Basically, via the IoT, individual components communicate with each other and a service center, allowing for virtually endless connections to take place. Additionally, a business model can now include not only services, but also position those services in the center of the model – the so-called ‘everything-as-a-service’ trend. Intelligent products, connected in real-time to the internet and managed via intelligent networks, allow organisations to develop new business models and become digital disruptors. Until now, the IoT has been mostly linked with machine-to-machine (M2M) communication. Products built with M2M communication capabilities are often referred to as being ‘smart’. The IoT is expected to connect many of the devices we have in our homes, from smart thermostats to smart fridges. Big market players such as Google and Samsung already understand this and are active participants in this transformation. Google bought smart thermostat maker Nest Labs for USD 3.2 billion, while Samsung purchased connected home company SmartThings for USD 200 million.

According to a report from Gartner, by the end of 2015, there will be almost 5 billion ‘things’ connected to the internet. By the end of 2020, the figure is forecasted to rise to over 25 billion. In other words, there will be more than three things connected to the internet for each person on the planet.

According to estimations by the McKinsey Global Institute, the IoT will have a total economic impact of up to USD 11 trillion by 2025. The same source mentions that more than two thirds of the value will be generated in business-to-business settings and business customers and consumers will likely capture more than 90% of the value created.

The IoT – a force that is driving innovation and digital transformation in financial services

The impact of such connectivity provided by the IoT cannot be fully grasped yet. The IoT is expected to transform all industries, including banking. A Deloitte analysis suggests that as many as one quarter of sensors deployed in 2013 could be of use to financial institutions, rising to one third in 2015 and then to about 50% by 2020. In total, the growth in sensor deployments for financial services is expected to be very strong, ranging from just over 20% to 100% annually on a compounded basis, depending on the sector. Big data analytics, combined with a large number of connected devices and environments through the IoT, are set to empower data-driven management, reshape processes and deliver significant benefits. The banking and securities industry will continue to innovate around mobile and micropayment technology using POS terminals and will invest in improved physical security systems.

The IoT from a security and privacy perspective

The IoT really seems to be ‘the next big thing’. However, this ‘giant’ that presents tremendous opportunities for development, that promises convenience and amazing experiences, is not without its shortcomings. The first and most important ‘side effect’ that comes up is the issue of security and privacy. How can businesses and consumers be certain their data is protected with such an explosion of devices and sensors?
Ionela Barbuta, Senior Editor, The Paypers

Cybersecurity will definitely take on a whole new dimension and digital vulnerabilities are likely to expand in more ways than we can currently imagine. Therefore, one of the most pressing problems for businesses planning to take advantage of the IoT is protecting company and customer data. Numerous IoT-based applications depend on access to consumer data, including data collected passively from customers’ behaviour. For instance, one use of the technology could be fully automated checkout in retail settings. Customers could literally walk out the door of a store without having to wait in line or even swipe a card: data-gathering ‘beacons’ can scan tags on all the items in a shopping cart, total the bill and debit the customer’s account, perhaps even deducting money from the customer’s smartphone.

In this context, each sensor could be a potential entry point for hackers and the consequences of a data breach can be devastating. To prevent this, companies should take on the responsibility to work with technology vendors and heavily invest in data-security capabilities. They should also build protections for their own data and intellectual property when they implement IoT systems.

Notwithstanding the high risk of IoT, there is a lot of potential. With greater connectivity, there comes greater convenience and customers have a higher expectation of services and support.

About Ionela Barbuta: As Senior Editor at The Paypers, Ionela is in charge of managing projects and writing research articles on Security & Fraud. Ionela holds a Master's Degree in International Business and Intercultural Strategies.

About The Paypers: The Paypers is the leading independent source of news and analysis for professionals in the global payment community. Our products are created by payment experts and have a special focus on all major developments in payments-related industries including online/mobile payment, ecommerce, e-invoicing, online fraud prevention innovations and the most significant trends in the digital identity space.

www.thepaypers.com
COMPANY PROFILES
Company
Accertify
Accertify Inc., a wholly owned subsidiary of American Express, is a leading provider of fraud
prevention, chargeback management, and payment gateway solutions to merchant customers
spanning diverse industries worldwide. Accertify’s suite of products and services help ecommerce
companies grow their business by driving down the total cost of fraud and protecting their brand.
Website
www.accertify.com
Keywords for online profile
fraud, chargeback, payment gateway, risk, protect, loss, Accertify
Business model
Software-as-a-service (SaaS)
Target market
Online shoppers, financial institutions, payment services providers, online communities / web
merchants, gaming & gambling, other online businesses
Contact
emea@accertify.com
Geographical presence
Global
Active since
2007
Service provider type
Digital identity service provider, technology vendor, web fraud detection company, payment service
provider (PSP)
Member of industry association and/or initiatives
Merchant Risk Council, Direct Response Forum, Vendorcom, AMIPCI
Services
Unique selling points
Accertify leverages its flexible platform to enable merchants to screen for multiple fraud use cases,
including, but not limited to, payment, loyalty, claims, staff and social media reputation. Our unique
capabilities allow genuine customers to be efficiently removed from fraud processes, supporting
merchant growth.
Core services
Accertify’s core suite of services includes fraud management, chargeback management, and
payment gateway.
Pricing Model
For more details contact our sales team at emea@accertify.com.
Fraud prevention partners
Accertify is integrated with multiple third-party services, including but not limited to: LexisNexis,
Whitepages Pro, Experian, InAuth, iovation, ThreatMetrix, Perseuss, Emailage, Neustar, MaxMind,
eBureau, Mastercard, Discover.
Other services
Professional Fraud Services, Decision Sciences, Manual Review outsourcing 24/7, Support
Services, Rule Management and improvement, Best Practice consulting, Training services.
Third party connection
United Parcel Service (UPS) and FedEx to obtain proof-of-delivery signatures; eFax (inbound and
outbound fax receipt).
Technology: anti-fraud detection tools available
Address verifications services
Yes
CNP transactions
Yes
Card Verification Value (CVV)
Yes
Bin lookup
Yes
Geo-location Checks
Yes
Device Fingerprint
Yes through integrated partners
Payer Authentication
Yes
Velocity Rules – Purchase Limit Rules
Yes
White list/black list database:
Yes
KYC – Know Your Customer
Yes; complemented with integrated partners
Credit Rating
No
Follow up action
Additional authentication (out of band authentication) and transaction verification capabilities.
Other
Profiling (dynamic summarization and aggregation)
Authentication Context
Online
Yes
Mobile
Yes
ATM
No
POS
Yes
Call centre
Yes
Other
Kiosk (unattended terminal)
Reference Data connectivity
Connectivity to governmental data
No (unless provided via partner – for example Experian or Lexis Nexis)
Other databases
BIN, Oanda, global latitude/longitude, Accertify Risk ID (multi-merchant negative DB), Accertify
Index (multi-merchant positive DB), Amex Risk Information Management DB
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification
Type
PCI DSS Level 1, ISO 27001
Regulation
For more details contact our sales team at emea@accertify.com.
Other quality programs
For more details contact our sales team at emea@accertify.com.
Other remarks
For more details contact our sales team at emea@accertify.com.
Clients
Main clients / references
Marks and Spencer, British Airways, easyJet, Autotrader, Bazaarvoice, TUI
Future developments
For more details contact our sales team at emea@accertify.com.
TURN SUSCEPTIBLE INTO SECURE.
Protect your online payments while driving business growth.
aciworldwide.com/onlinefraudprevention
Company
ACI Worldwide
Specialist provider of fraud prevention and management solutions for all payment transaction
types to merchants, issuers, acquirers, processors and switches. Through our ACI ReD Shield®,
ACI ReDi™, ACI ReD Fraud Xchange™ and ACI ReD Alerts we deliver real-time, multi-tiered
fraud solutions which are managed by our expert risk analysts. Our analysts – and systems – are
informed by our unrivalled access to data and business intelligence and its ability to connect
merchants, acquirers and issuers in the fight against fraud.
Website
www.aciworldwide.com
Keywords for online profile
online fraud prevention, ecommerce, online fraud, fraud analytics, Card Not Present (CNP)
Business model
Direct and via our PSP channel.
Target market
Online ecommerce merchants, financial institutions, payment services providers, government
services, acquirers, gaming, retail, hospitality, loyalty, telecommunications, travel and entertainment
Contact
Andy McDonald (andy.mcdonald@aciworldwide.com or +44 (0)7785 627494)
Geographical presence
Global
Active since
1975
Service provider type
Digital identity service provider, technology vendor, web fraud detection company, payment service
provider (PSP), issuer, acquirer
Member of industry association and/or initiatives
Merchant Risk Council, IMRG, Direct Response Forum, Vendorcom, Cross-Border eCommerce
Community
Services
Unique selling points
Automated processes and dedicated support from expert risk analysts. Global fraud data, fraud
solutions tailored to sector and customer needs, predictive models and unlimited, flexible rules.
Holistic fraud management – real-time and post-transaction monitoring using our unrivalled
business intelligence solution. Presence across the payments chain, supporting merchant and
issuer collaboration in the fight against fraud.
Core services
Card Not Present (online, IVR, call centre and mobile) and card present fraud prevention; fraud and
risk consultancy; payment services
Pricing Model
Flexible
Fraud prevention partners
ACI partners with leading PSPs around the globe (see a full list at
http://www.aciworldwide.com/who-we-are/partners/our-partners.aspx).
Other services
Payment services: Base 24 – EPS, Postilion, ACI Proactive Risk Manager, ACI Universal Online
Banker. Please visit www.aciworldwide.com to view all services available from ACI.
Third party connection
For more information, please contact ACI.
Technology: anti-fraud detection tools available
Address verifications services
Yes
CNP transactions
Yes
Card Verification Value (CVV)
Yes
Bin lookup
Yes
Geo-location Checks
Yes
Device Fingerprint
Yes
Payer Authentication
Yes
Velocity Rules – Purchase Limit Rules
Yes, unlimited and flexible.
White list/black list database:
Yes
KYC – Know Your Customer
Yes
Credit Rating
No
Follow up action
Yes
Other
Compliance list checking, AML, additional black lists
Authentication Context
Online
Yes
Mobile
Yes
ATM
Yes
POS
Yes
Call centre
Yes
Other
For more information, please contact the sales team.
Reference Data connectivity
Connectivity to governmental data
For more information, please contact ACI.
Other databases
Commercial attribute providers, e.g. credit databases
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification
Type
PCI DSS v3.0, ISO 27001, SAS70
Regulation
EU Data Protection
Other quality programs
UK Payments Administration accreditation, Visa Account Information Security (AIS and CISP)
accreditation, Amex Data Security Operating Policy
Other remarks
For more information, please contact the sales team.
Clients
Main clients / references
Upon Request
Future developments
For more information, please contact ACI.
Company
The ai Corporation
ai provides fraud prevention solutions to some of the world’s largest financial institutions,
merchants and PSPs. Our unique self-service solutions, including our new “state of the art” neural
technology, protect and enrich payments experiences for more than 100 banks and 3 million
multichannel merchants, monitoring over 20 billion transactions a year.
Website
www.aicorporation.com
Keywords for online profile
fraud prevention, analytics, neural, risk, detection, self-service, white label
Business model
Direct and indirect licensed software sales through select partners.
SaaS – Direct hosting and/or managed service
Target market
Online merchants, multi channel merchants (traditional, mobile and online), financial institutions,
card issuers – credit, debit, prepaid, fuel card, T&E, card acquirers/ISOs/payment facilitators,
alternative payment providers (e-vouchers, e-wallets), payment services providers, government
services, online communities/web merchants, gaming & gambling, other online businesses
Contact
Nick Walker (nick.walker@aicorporation.com or +44 7901 920573)
Geographical presence
Global
Active since
1998
Service provider type
Software technology vendor, SaaS managed service provider
Member of industry association and/or initiatives
None
Services
Unique selling points
Self-service real-time rules engine and neural model builder, empowering the user to easily
build, deploy and operate their own fraud strategies quickly and efficiently without the need for
expensive, lengthy and often ineffective third-party services. The software also allows for non-fraud
analytics and rules deployment.
Core services
Omni-channel and enterprise wide fraud prevention technology and managed services.
Pricing Model
Licence fees or service fees
Fraud prevention partners
PayVector, InAuth, FISH, PanInteligence, Azuka
Other services
Business intelligence, cardholder/consumer engagement, enterprise case management
Third party connection
Data providers, card management systems, transaction switches, PSPs
Technology: anti-fraud detection tools available
Address verifications services
Partner
CNP transactions
Yes
Card Verification Value (CVV)
Yes
Bin lookup
Yes
Geo-location Checks
Partner
Device Fingerprint
Partner
Payer Authentication
Yes
Velocity Rules – Purchase Limit Rules
Yes with auto rule generator SmartRule.
White list/black list database:
Yes
KYC – Know Your Customer
Partner
Credit Rating
Partner
Follow up action
Enterprise wide case management.
Other
More information available upon request.
Authentication Context
Online
Yes
Mobile
Yes
ATM
Yes
POS
Yes
Call centre
Yes
Other
Yes
Reference Data connectivity
Connectivity to governmental data
Partner
Other databases
Partner
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification
Type
ISO 27001 in progress.
Regulation
PCI
Other quality programs
KII, SmartMinds
Other remarks
More information available upon request.
Clients
Main clients / references
Shell, Barclaycard, Nedbank, Mashreq, AFS, Global Payments, IBQ
Future developments
More data feeds, more third party interfaces, full automation of fraud detection.
ADVERTISEMENT
How EMV will Change Online Business in the U.S.
Everyone in the payments world is talking about EMV in the U.S.
But for omni-channel and online merchants, how will the use of
EMV cards impact their eCommerce fraud?
Benefits of EMV Cards
A major benefit of chip cards is how the chips work at POS. Each time the card is used
in person, the chip creates a unique code that cannot be re-used. So if a card number
is stolen in a breach, the stolen number and transaction code would not be usable and
any fraudulent attempts at point-of-sale would be denied.
Another benefit of the chip card is that the chips cannot be cloned by counterfeiters if
they steal a card number, so counterfeit cards cannot be used for in-person
transactions. This is also a drawback: because the chips are not “read” for a
card-not-present transaction, stolen chip card numbers can be – and increasingly
are – used to make fraudulent CNP transactions.
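To make the mechanism the advertisement describes concrete, the following is an added example (not from Cardinal or from the guide): a toy issuer host that recomputes a per-transaction code and enforces a transaction counter, so a code captured at the point of sale is rejected the second time, while a card-not-present authorization carrying only static card data gives the issuer nothing chip-derived to check. The key, PAN and nonce are constructed sample values, and the HMAC construction is a stand-in for illustration, not the EMV cryptogram algorithm.

```python
import hmac
import hashlib
from typing import Dict

# Simplified model of the "unique code per transaction" described in the text.
# This is an added illustration, NOT the EMV ARQC algorithm: real cards derive a
# per-transaction session key from an issuer master key and the Application
# Transaction Counter (ATC) and compute a block-cipher MAC over defined data
# elements. The structure is the same: the card and issuer share a secret the
# merchant never sees, a counter that only moves forward, and a MAC over the
# transaction details plus a terminal nonce.

CARD_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample key
SAMPLE_PAN = "4111111111111111"                                  # constructed test PAN


def build_cryptogram(card_secret: bytes, pan: str, atc: int,
                     amount_cents: int, terminal_nonce: bytes) -> bytes:
    """What the chip would compute for one transaction (model, not EMV)."""
    msg = b"|".join([
        pan.encode("ascii"),
        atc.to_bytes(2, "big"),
        amount_cents.to_bytes(6, "big"),
        terminal_nonce,
    ])
    return hmac.new(card_secret, msg, hashlib.sha256).digest()[:8]


class IssuerHost:
    """Issuer-side authorization: recompute the cryptogram and enforce the counter."""

    def __init__(self, card_secret: bytes) -> None:
        self.card_secret = card_secret
        self.last_atc: Dict[str, int] = {}  # highest ATC accepted per PAN

    def authorize_card_present(self, pan: str, atc: int, amount_cents: int,
                               terminal_nonce: bytes, cryptogram: bytes) -> str:
        expected = build_cryptogram(self.card_secret, pan, atc, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram mismatch"   # wrong key, altered amount or nonce
        if atc <= self.last_atc.get(pan, -1):
            return "DECLINE: replayed counter"      # a captured code is single-use
        self.last_atc[pan] = atc
        return "APPROVE"

    def authorize_card_not_present(self, pan: str, amount_cents: int,
                                   cvv2_matches: bool) -> str:
        # A CNP authorization carries only static data; there is no chip output to
        # recompute, which is the gap the text says 3-D Secure style authentication fills.
        if not cvv2_matches:
            return "DECLINE: CVV2 mismatch"
        return "APPROVE (no dynamic data to verify)"


def run_scenarios() -> Dict[str, str]:
    """Walk through the cases the text describes and collect the issuer's answers."""
    issuer = IssuerHost(CARD_SECRET)
    nonce = bytes.fromhex("a1b2c3d4")  # terminal's per-transaction nonce (constructed)
    genuine = build_cryptogram(CARD_SECRET, SAMPLE_PAN, 17, 4999, nonce)

    results: Dict[str, str] = {}
    results["genuine_pos"] = issuer.authorize_card_present(SAMPLE_PAN, 17, 4999, nonce, genuine)
    # Same message submitted again: the MAC verifies but the ATC has already been used.
    results["replayed_pos"] = issuer.authorize_card_present(SAMPLE_PAN, 17, 4999, nonce, genuine)
    # Captured code attached to a different amount and a fresh ATC: the MAC no longer matches.
    results["altered_pos"] = issuer.authorize_card_present(SAMPLE_PAN, 18, 99999, nonce, genuine)
    # Stolen PAN used online: nothing chip-derived is present, so this check cannot help.
    results["cnp_static_only"] = issuer.authorize_card_not_present(SAMPLE_PAN, 4999, True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} -> {outcome}")
```

The point of the last scenario is the one the advertisement makes: the issuer's chip verification is strong precisely because it has dynamic data to recompute, and a CNP authorization has none, which is why an additional authentication layer is needed there.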
How Can Online Merchants Protect Themselves?
To thwart the influx of online fraud, many eCommerce merchants have dialed
up their fraud tools. This helps control the increased fraud, but also creates
false positives – transactions that the fraud tool flags and the merchant declines
that are actually good orders. This is almost as harmful to a merchant as the
fraud because it results in lost sales and insults to good consumers.
This puts online merchants in a difficult spot. Because chip cards can’t be used
for in-person fraud, the fraudsters look for the path of least resistance, the
card-not-present world. But there is a way to prevent fraud.
Cardinal Consumer Authentication (CCA) protects online
transactions the way chip cards prevent fraud at the cash register.
By combining CCA with a fraud tool, merchants can increase
their good orders by up to 15% vs using a fraud tool alone.
CCA’s rules-based approach gives merchants choice in how each
transaction is authenticated, and control over the amount of
consumer friction during checkout. In many cases, using CCA,
authentication happens behind the scenes, with no friction during
checkout for the consumer, using things like IP address, device
identification, buying patterns, or any data point the merchant
collects.
Other benefits of Cardinal Consumer Authentication include:
• Increased sales – fewer false positives and the opportunity to sell in regions where 3-D Secure is mandated.
• Improved margins – liability shift on fraudulent chargebacks, potential interchange savings, and less manual review.
• Enhanced consumer experience – the merchant controls the amount of friction during checkout with dynamic rules that
can be applied transaction by transaction.
To learn more about how EMV can affect your CNP business, and what you can do to protect yourself, contact Cardinal.
visit: www.cardinalcommerce.com
call: (877) 352-8444
Company
CardinalCommerce Corporation
CardinalCommerce is the pioneer and global leader in enabling authenticated payment transactions
in the card-not-present payments industry, and the largest authentication network in the
world. Through One Connection to the proprietary Cardinal SafeCloud, we enable friction-free,
technology-neutral authentication and alternative payment services (including digital wallets and
mobile commerce services).
Website
www.cardinalcommerce.com
Keywords for online profile
consumer authentication, 3-D Secure, prevent online fraud, prevent fraudulent chargebacks
Business model
Sell directly to online merchants and financial institutions; sell through partners
Target market
Financial institutions, payment services providers, online communities/web merchants, gaming and
gambling
Contact
info@cardinalcommerce.com
Geographical presence
Global – we do business in Europe, Asia, Africa, Australia, North and South America
Active since
1999
Service provider type
Technology vendor
Member of industry association and/or initiatives
Member of Merchant Risk Council (MRC) and Merchant Advisory Group (MAG); North American
Board member of MRC
Services
Unique selling points
With Cardinal Consumer Authentication you can increase sales, improve margins, control consumer
friction during checkout and eliminate fraudulent chargebacks for your online business. With your
One Connection to Cardinal, you can add alternative payment brands and digital wallets quickly
and easily, to give your consumers the payment options they want.
Core services
Cardinal Consumer Authentication, leveraging the 3-D Secure protocols to give merchants choice
of which transactions to authenticate and control over checkout friction.
Pricing Model
Transaction volume based pricing, starting at USD 29.99 per month.
Fraud prevention partners
Visa (CyberSource), ACI (Retail Decisions)
Other services
Consumer authentication, alternative payment brands, digital wallets
Third party connection
Visa (CyberSource), ACI (Retail Decisions), PayPal
Technology: anti-fraud detection tools available
Address verifications services
Through a partner
CNP transactions
Yes
Card Verification Value (CVV)
Yes
Bin lookup
Through a partner
Geo-location Checks
Through a partner
Device Fingerprint
Yes
Payer Authentication
Cardinal Consumer Authentication
Velocity Rules – Purchase Limit Rules
Yes
White list/black list database:
Yes
KYC – Know Your Customer
Yes
Credit Rating
No
Follow up action
Additional authentication (out of band authentication) and transaction verification capabilities.
Other
N/A
Authentication Context
Online
Yes
Mobile
Yes
ATM
N/A
POS
N/A
Call centre
N/A
Other
N/A
Reference Data connectivity
Connectivity to governmental data
N/A
Other databases
N/A
Fraud management system type
Single-channel fraud prevention system
N/A
Multi-channel fraud prevention system
N/A
Certification
Type
N/A
Regulation
N/A
Other quality programs
N/A
Other remarks
N/A
Clients
Main clients / references
Contact Cardinal Commerce for specific information.
Future developments
Contact Cardinal Commerce for specific information.
Company
CashRun
Fraud Protection & Global Payment Solution
CashRun has vast experience in the fraud industry protecting online merchants from high risk and
costs associated with online fraud. Our 100% chargeback protection allows merchants to focus
on their core business competencies and at the same time achieve higher revenue growth through
effective fraud risk management.
Website
www.cashshield.com
Keywords for online profile
fraud solution, big data, machine learning, optimization
Business model
CashRun offers leading fraud protection technology, solely designed and developed by us.
Target market
Online communities/web merchants, financial institutions, payment services providers, government
services, gaming and gambling, other online businesses
Contact
enquiries@cashrun.com
Geographical presence
Global
Active since
2007
Service provider type
Web fraud detection company, payment service provider (PSP), technology vendor, digital identity
service provider
Member of industry association and/or initiatives
MRC Premium Sponsor
Services
Unique selling points
CashShield’s fraud management solution is based on a combination of fraud detection technology,
big data and machine learning, optimized through a risk management algorithm. Our fully
managed service helps you fight fraud hassle-free, with the added protection of an unprecedented
100% chargeback protection, for both tangible and intangible goods.
Core services
Comprehensive online fraud risk management for online merchants and PSPs.
Pricing Model
Unsecured transactions (PayPal, non-3D-Secured) – CashShield Enterprise (100% Chargeback
Guarantee) fee: a percentage of the value of transactions, depending on industry risk. Secured
transactions (3D-Secured transactions) – CashShield Core fee: fixed fee per transaction.
Fraud prevention partners
CashRun designs and develops its own fraud protection solutions.
Other services
Online payment service provider
Third party connection
N/A
Technology: anti-fraud detection tools available
Address verifications services
Yes
CNP transactions
Yes
Card Verification Value (CVV)
Yes
Bin lookup
Yes
Geo-location Checks
Yes
Device Fingerprint
Yes
Payer Authentication
Yes
Velocity Rules – Purchase Limit Rules
No – CashShield does not use hard rules and limits that hamper growth.
White list/black list database:
Yes
KYC – Know Your Customer
No
Credit Rating
No
Follow up action
Our fully managed service tailors and configures the merchant’s risk template for them, giving them
only two optimized decisions: accept or reject. We make decisions, not predictions.
Other
CashShield’s machine learning system is updated daily with new fraud trends and data, to raise
alerts on potential threats.
Authentication Context
Online
Yes
Mobile
Yes
ATM
No
POS
No
Call centre
No
Other
Yes – Mobile Apps
Reference Data connectivity
Connectivity to governmental data
No
Other databases
Yes
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification
Type
More information available upon request.
Regulation
More information available upon request.
Other quality programs
PCI Compliance
Other remarks
More information available upon request.
Clients
Main clients / references
Telecommunications, gaming publishers, prepaid products, software, digital goods, PSPs,
acquirers, marketplaces, travel, airlines, ticketing, hotels, ecommerce retailers
Future developments
Constantly enhancing our system to stay one step ahead of the latest fraud schemes and provide
online merchants with the most comprehensive verification.
We make decisions, not predictions.
CashShield is here to simplify your verification process. We configure the risk template for you, which allows us to take full responsibility for our risk decisions instead of passing this responsibility back to you, while ensuring that we boost your sales conversion rates with two straightforward decisions: accept or reject.
Get ahead of fraud with our unprecedented 100% Chargeback Protection (including digital goods) and intelligent technology that combines machine learning, big data and risk optimization. CashShield secures both 3DS and non-3DS transactions and eliminates hard limits. Boost your sales and say goodbye to false positives, unnecessary buying restrictions, and most importantly, fraud.
For more information, please visit www.cashshield.com
Accept more orders, with less fraud.
Our integrated payment, fraud and security management services can help speed up time-to-market, streamline operations and help you accept payments securely – online and through mobile devices, across the globe.
If you are a merchant selling online, we can help you:
Manage mobile fraud: Our range of tools can help you to confidently sell through the mobile channel, while managing fraud to the same levels as with traditional eCommerce channels.
Manage global fraud: Our range of solutions can help you accept orders from international markets with confidence.
Increase order acceptance: We can help you optimise your fraud management operations to protect the customer experience and accept more genuine orders.
Learn more about our fraud management solutions: www.cybersource.co.uk
Contact us: europe@cybersource.co.uk, +44 (0)118 990 7300
About CyberSource: CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Foster City, California and maintains offices throughout the world, with regional headquarters in Singapore, Tokyo, Miami/Sao Paulo and Reading, UK. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.co.uk
© 2015 CyberSource Corporation. All rights reserved.
Company
CyberSource Ltd.
CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over
400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process
online payments, streamline fraud management, and simplify payment security. The company
is headquartered in Foster City, California and maintains offices throughout the world, with
regional headquarters in Singapore, Tokyo, Miami / Sao Paulo and Reading, UK. CyberSource
operates in Europe under agreement with Visa Europe. For more information, please visit
www.cybersource.co.uk.
Website
www.cybersource.co.uk
Keywords for online profile
fraud management, risk management, payment security, ecommerce, payments, payment gateway,
rules based payer authentication
Business model
Software as a Service (SaaS)
Target market
Retail, travel, financial institutions, media and entertainment
Contact
CyberSource Ltd. Reading International Business Park, Reading, Berkshire RG2 6DH
VAT No: GB 927 433123
Geographical presence
Worldwide
Active since
1994
Service provider type
Payment Service Provider (PSP), fraud management company, web fraud detection, device
identification
Member of industry association and/or initiatives
Merchant Risk Council, IMRG, Vendorcom
Services
Unique selling points
The only global payment management platform built on secure Visa infrastructure—with
integrations to the world’s largest network of connected commerce partners and transaction
insights—CyberSource solutions power businesses to create new brand experiences, grow sales
and engagement, and keep payment operations safe.
Core services
CyberSource provides fraud management services to help manage the entire life cycle of payment
fraud, including account creation and takeover risk.
Pricing Model
Tiered SaaS-based pricing model.
Fraud prevention partners
ThreatMetrix, Cardinal Commerce, Neustar
Other services
More information available upon request.
Third party connection
Neustar, LexisNexis, Whitepages.com, Perseuss, Computer Services
Technology: anti-fraud detection tools available
Address verifications services
Yes
CNP transactions
Yes
Card Verification Value (CVV)
Yes
Bin lookup
Yes
Geo-location Checks
Yes
Device Fingerprint
Yes
Payer Authentication
Yes
Velocity Rules – Purchase Limit Rules
Yes
White list/black list database:
Yes
KYC – Know Your Customer
No
Credit Rating
No
Follow up action
Additional authentication (out of band authentication) and transaction verification capabilities.
Other
More information available upon request.
Authentication Context
Online
Yes
Mobile
Yes
ATM
No
POS
No
Call centre
Yes
Other
More information available upon request
Reference Data connectivity
Connectivity to governmental data
No
Other databases
Commercial attribute providers, e.g. credit databases
Fraud management system type
Single-channel fraud prevention system
No
Multi-channel fraud prevention system
Yes
Certification
Type
More information available upon request.
Regulation
More information available upon request.
Other quality programs
More information available upon request.
Other remarks
Contact europe@cybersource.com for more information.
Clients
Main clients / references
Turkish Airlines, China Eastern, Cinépolis, Webjet, Backcountry, ESET
Future developments
For more information contact europe@cybersource.com.
Company
Entersekt
Entersekt is an innovator in transaction authentication, securing digital banking and payments by
harnessing the power of electronic certificate technology with the convenience of mobile phones.
Financial institutions look to Entersekt to strengthen the bonds of trust they share with their
customers and to deepen those relationships through innovative new services.
Website
www.entersekt.com
Keywords for online profile
Mobile security, mobile banking, online banking, card-not-present, out-of-band authentication,
multi-factor authentication, push-based authentication, 3-D Secure
Business model
Direct and through partners
Target market
Financial institutions, card issuers, insurers, payment service providers
Contact
Entersekt sales team: sales@entersekt.com
Geographical presence
Africa, Europe, Middle East, North America
Active since
2008
Service provider type
Digital identity service provider
Member of industry associations and initiatives
FIDO Alliance, WASPA
Services
Core services
Mobile-app-based, multi-factor authentication and transaction signing of online banking, mobile
banking, and card-not-present payments.
Other services
Authentication in the consumer space (LastPass, Google Chrome), non-app-based out-of-band
authentication and SIM-swap protection through push USSD.
Unique selling points
Entersekt’s patented emCert technology generates public/private key pairs to uniquely identify
enrolled mobile devices and validate two-way communications. A self-contained cryptographic
stack and communications layer enables an end-to-end encrypted channel distinct from that
initiated by the device, so transactions originating from the phone can still be authenticated out
of band.
Pricing model
Per user subscription
Partners
Amazon Web Services, Citrix, IBM, Netcetera, Visa, MasterCard, American Express
Offering: authentication technology used
Technology used
Industry-standard X.509 digital certificates; proprietary validation techniques developed specifically
for the mobile phone; FIPS 140-2 Level 3 on-premise hardware appliance; dynamic public key
pinning; secure browser pattern; device and application context for context-based risk scoring;
advanced detection of rooting, jailbreaking, or similar mobile operating system security bypass
hacks; support for fingerprint biometrics; NI USSD for non-app-based out-of-band authentication
and SIM-swap protection.
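The profile names the building blocks (a key pair per enrolled device, an end-to-end channel distinct from the browser session, signed authentication messages) without showing how a bank-side verifier ties them together. The Go program below is an added example written for this guide; it is not Entersekt's emCert code and makes no claim about the vendor's wire format. It assumes raw P-256 ECDSA keys in place of X.509 certificates, a made-up Transaction record that carries a server nonce, and an in-memory server with a constructed user, payee and amounts. What it does show is the three checks an out-of-band transaction signer has to make: the nonce must still be outstanding (no replay), the signed fields must be the ones the bank issued (what you see is what you sign), and the signature must verify under the key enrolled for that user (the right device answered).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transaction is what the bank pushes to the phone; the app shows and signs exactly
// these fields (what you see is what you sign). The layout is assumed for this example.
type Transaction struct {
	Nonce    string // server-issued, answerable once
	Payee    string
	Amount   int64 // minor currency units
	Currency string
}

func (t Transaction) digest() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%s", t.Nonce, t.Payee, t.Amount, t.Currency)))
	return sum[:]
}

type Device struct{ priv *ecdsa.PrivateKey } // the enrolled phone; the key never leaves it

// Enrol creates the device key pair; only the public half goes to the bank (raw here, a certificate in a deployment).
func Enrol() (*Device, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to continue with
	}
	return &Device{priv}, &priv.PublicKey
}

// Approve is what the app does when the user accepts the pushed transaction.
func (d *Device) Approve(t Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, t.digest())
}

var ErrNoChallenge = errors.New("no enrolled key for user, or nonce unknown or already answered")
var ErrTampered = errors.New("signed fields differ from the issued transaction")
var ErrBadSig = errors.New("signature does not verify under the enrolled key")

// Server holds enrolled public keys and the challenges still awaiting an answer.
type Server struct {
	Keys    map[string]*ecdsa.PublicKey
	Pending map[string]Transaction // nonce -> transaction exactly as issued
}

// Issue records a fresh challenge for a payment started in the online channel.
func (s *Server) Issue(payee string, amount int64, currency string) (Transaction, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return Transaction{}, err
	}
	t := Transaction{Nonce: fmt.Sprintf("%x", b[:]), Payee: payee, Amount: amount, Currency: currency}
	s.Pending[t.Nonce] = t
	return t, nil
}

// Verify accepts a response only if the nonce is still outstanding (no replay), the signed
// fields equal what was issued (no tampering) and the signature verifies under the enrolled key.
func (s *Server) Verify(user string, signed Transaction, sig []byte) error {
	pub, known := s.Keys[user]
	issued, outstanding := s.Pending[signed.Nonce]
	switch {
	case !known || !outstanding:
		return ErrNoChallenge
	case issued != signed:
		return ErrTampered
	case !ecdsa.VerifyASN1(pub, signed.digest(), sig):
		return ErrBadSig
	}
	delete(s.Pending, signed.Nonce) // consumed: a second submission is a replay
	return nil
}

// Demo enrols one phone and returns four verification results, in order: a payee swapped after
// signing, the genuine approval, a replay of it, and an answer from a phone that was never enrolled.
func Demo() []error {
	dev, pub := Enrol()
	srv := &Server{Keys: map[string]*ecdsa.PublicKey{"alice": pub}, Pending: map[string]Transaction{}}
	tx, _ := srv.Issue("ACME Ltd", 12500, "EUR") // constructed payee and amount
	sig, _ := dev.Approve(tx)
	bad := tx
	bad.Payee = "mule account" // altered in the browser after the phone signed
	tampered := srv.Verify("alice", bad, sig)
	genuine := srv.Verify("alice", tx, sig)
	replay := srv.Verify("alice", tx, sig)
	tx2, _ := srv.Issue("ACME Ltd", 500, "EUR")
	stranger, _ := Enrol() // a phone never enrolled for alice
	sig2, _ := stranger.Approve(tx2)
	foreign := srv.Verify("alice", tx2, sig2)
	return []error{tampered, genuine, replay, foreign}
}
```

Demo() comes back as ErrTampered, nil, ErrNoChallenge and ErrBadSig. Two design points carry over to a real deployment: the digest covers every field the user is shown, so a payee or amount changed in the browser after approval fails the field comparison before the signature is even examined, and the nonce is removed only on success, so a failed attempt can be retried against the same challenge while a successful one can never be replayed.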
Authentication context
Online
Yes
Mobile
Yes
ATM
No
Branch/Point of Sale
No
Call Centre
Yes
Other:
Card-not-present payments (3-D Secure), e-mail
Issuing process (if applicable)
Assurance levels conformity
N/A
Online issuing process (incl lead
time in working days)
Yes. Identity proofing and enrolment processes are set by the implementing institution, but there is
no reason why remote device registration should take more than a few minutes. Options available
for enrolling a user include phone-based registration via one-time password, scanning a printed QR
code, and a combination of scanning a bank card and inputting the associated PIN.
Face-to-face issuing (incl lead time
in working days)
Yes. Identity proofing and enrolment processes are set by the implementing institution, but there is
no reason why in-branch device registration should take more than a few minutes.
Issuing network
Bank branches, online services
COMPANY PROFILES
Attributes offered
Persons
Level of trust (e.g. biometric data, password); signed authentication message
Companies
For more information, please contact our sales team.
Reference data connectivity
Connectivity to governmental data
N/A
Other databases
N/A
Certification
Type
Entersekt’s flagship product, Transakt, is FIDO Certified as a U2F (universal second factor)
authenticator. Transakt is also validated with the Ready for IBM Security Intelligence program and
Citrix XenApp. Entersekt’s card-not-present authentication solution is fully accredited by Visa,
MasterCard, and American Express.
Regulation
Entersekt’s solutions are engineered specifically for the heavily regulated financial sector and
adhere to all major digital banking security mandates, including the requirements set out by the
European Central Bank, the FFIEC, and the Monetary Authority of Singapore. They are compliant
with ISO 21188:2006 (Public key infrastructure for financial services) and utilize hardware
security modules certified as FIPS 140-2 Security Level 3 for encrypting and decrypting all
authentication data.
Other quality programs
The underlying technology is regularly validated by independent third parties against newly
reported attack vectors.
Other remarks
For more information, please contact our sales team.
Clients
Main clients / references
Those listed in the public domain: Capitec Bank; Equity Bank; Investec; Nedbank; Old Mutual;
Swisscard. For others, please contact our sales team.
Future developments
For more information, please contact our sales team.
Digital banking and payments are a work in progress. Their future will be built on trust.
Banks around the world look to Entersekt to strengthen the bonds of trust they share with their
customers, and to help deepen those relationships by launching innovative new digital services.
Discover how our mobile-enabled authentication product Transakt™ can help your organization
build richer, more satisfying online and mobile banking experiences, unrestricted by security
concerns.
entersekt.com
✓ Mobile SDK or app
✓ Push-based
✓ Out of band
✓ Multi-factor
✓ U2F
Transakt opens up digital banking. Security in your pocket.
Using artificially intelligent algorithms, Feedzai
keeps your payment safe and your commerce moving.
It’s modern fraud science made simple.
Feedzai is the easy, straightforward solution
for risk teams to upgrade to advanced
machine learning fraud models. With
Feedzai, today’s risk professionals in
businesses large and small can now have
the power of advanced data science to fight
fraud and false alarms.
Reduce fraud by up to
80% with Feedzai.
Schedule a demo today to
see what Feedzai can do
in real-time for your own
business data.
info@feedzai.com
US: 650-260-8924
EUR: +351-239-402-166
Company
Feedzai
Feedzai was founded in 2009 by data scientists and aerospace engineers to make commerce safe
for business customers through the use of artificially intelligent machine learning. Feedzai’s Fraud
Prevention That Learns technology is used by large financial services companies to risk-score over
USD 1 billion of commerce transactions each day.
Website
www.feedzai.com
Keywords for online profile
Machine learning platform to manage risk and prevent fraud.
Business model
Software-as-a-service (SaaS)
Target market
Online shoppers, financial institutions, payment services providers, government services, online
communities / web merchants, gaming and gambling, other online businesses
Contact
info@feedzai.com
Geographical presence
Global
Active since
2009
Service provider type
Technology vendor, web fraud detection company
Member of industry association
and or initiatives
More information available upon request.
Services
Unique selling points
Feedzai makes commerce safe for business customers and creates a better experience for their
consumers through artificially intelligent machine learning. Financial services companies use
Feedzai’s anti-fraud technology to keep commerce moving safely.
Core services
Feedzai offers a machine learning platform to manage risk and prevent fraud that can process
transactions at big data scale.
Pricing Model
For more details contact our sales team at sales@feedzai.com.
Fraud prevention partners
SAP, Emailage, Socure, Deloitte, EnCap Security, Azul Systems, Cloudera, Datastax
Other services
More information available upon request.
Third party connection
More information available upon request.
Technology: anti-fraud detection tools available
Address verifications services
Yes
CNP transactions
Yes
Card Verification Value (CVV)
No
Bin lookup
Yes
Geo-location Checks
Yes
Device Fingerprint
Yes
Payer Authentication
Yes
Velocity Rules – Purchase Limit
Rules
Yes
White list/black list database:
Yes
KYC – Know Your Customer
Yes
Credit Rating
Yes
Follow up action
Additional authentication (out of band authentication) and transaction verification capabilities.
Other
Machine learning
Authentication Context
Online
Yes
Mobile
Yes
ATM
Yes
POS
Yes
Call centre
Yes
Other
More information available upon request.
Reference Data connectivity
Connectivity to governmental data
More information available upon request.
Other databases
More information available upon request.
Fraud management system type
Single-channel fraud prevention
system
No
Multi-channel fraud prevention
system
Yes
Certification
Type
PCI DSS Level 1
Regulation
Directive 95/46/EC
Other quality programs
More information available upon request.
Other remarks
More information available upon request.
Clients
Main clients / references
First Data, top-tier banks
Future developments
Deep learning
Company
iovation Inc.
iovation protects online businesses and their end users against fraud and abuse, and identifies
trustworthy customers through a combination of advanced device identification, shared device
reputation, device-based authentication and real-time risk evaluation.
Website
www.iovation.com
Keywords for online profile
device identification, device reputation, online fraud prevention, mobile fraud, account takeover
prevention, device-based authentication, customer authentication, trust scoring
Business model
SaaS
Target market
Online businesses such as retailers, financial institutions, lenders, prepaid cards, insurers, social
networks and dating sites, logistics, gaming/MMO, gambling operators, online auction sites, and
travel and ticketing companies.
Contact
Connie Gougler, Director of Marketing, connie.gougler@iovation.com, 503-943-6748
Geographical presence
Global: iovation’s business is 51% US and 49% international
Active since
2004
Service provider type
Device identification, web fraud detection, customer authentication
Member of industry association
and or initiatives
Merchant Risk Council, Online Lenders Association
Services
Unique selling points
iovation provides real-time SaaS for authentication and fraud prevention that tells our clients if a
customer visiting their site is risky based upon specific criteria for evaluating the transaction or
activity. iovation provides a score and result (allow, review, deny) for every transaction, allowing
our clients to use an automated workflow. iovation’s global consortium contains the reputations
of nearly 3 billion devices and 25 million fraud events such as chargebacks, identity theft, account
takeovers, online scams and many more.
Core services
iovation offers fraud prevention, customer authentication services and trust scoring/services.
Pricing Model
Per transaction fee based on system usage depending on volume, type of transaction, and length
of contract.
Fraud prevention partners
Fiserv, Equifax, ID Analytics, Accertify, Kaspersky, ACI Worldwide, Verisk, Callcredit, Imperva, Zoot
Other services
Our clients have access to the Fraud Force Community, an exclusive private B2B network of
the world’s foremost security experts sharing intelligence about cybercrime prevention, device
identification, new threats and other fraud-related topics.
Third party connection
iovation delivers data in XML format, allowing output to be integrated easily with third-party systems.
Technology: anti-fraud detection tools available
Address verifications services
No: While we do not offer AVS services, we capture the IP address and its geolocation. We can flag
transactions from ‘blocked’ countries, as well as notify clients when mismatches occur between
the IP address shown by the user’s browser and the IP address we collect with our Real IP proxy
unmasking feature.
CNP transactions
Yes: iovation’s service is primarily used to detect high-risk activity at login, account creation, fund
transfer and checkout. In addition, our iovation score helps identify the most trustworthy customers
in our clients’ review queues so that they can take good business immediately, and offer higher-value
promotions to their preferred customers.
Card Verification Value (CVV)
No: This service is handled through our client’s payment processor.
Bin lookup
No: This service is handled through our client’s payment processor.
Geo-location Checks
Yes: iovation’s clients can flag transactions when activity is coming from an unauthorized country
or through a proxy, and they can use our Real IP technology to pinpoint the user’s actual location.
Device Fingerprint
Yes: iovation offers a defense-in-depth approach to device recognition, supporting native and web
integrations for mobile, tablet and desktop devices.
Payer Authentication
No: This service is handled through our client’s payment processor.
Device-based Authentication
Yes: iovation’s authentication service allows clients to use their customer’s known devices to help
verify identity. Authentication happens in real-time, behind the scenes, reducing unnecessary friction.
Velocity Rules – Purchase Limit
Rules
Yes: iovation’s velocity rules flag transactions when thresholds are exceeded. These may include
situations where too many accounts are accessed per device, or too many new accounts are
created within a timeframe. Specific rules include Accounts per Device, Accounts Created per
Device, Countries per Account, Countries per Device, Transactions per Account, and Transactions
per Device. Our service also flags transaction value thresholds, and other transactional velocities.
White list/black list database:
Yes: iovation clients can flag transactions based on custom-built lists. These can be positive or
negative lists. List types include accounts, devices, IP ranges, ISPs, locations and others, and are
easily managed across rule sets.
Device Anomalies
Yes: iovation clients can flag transactions when device settings are anomalous and indicative of
risk. While individual device characteristics may not be proof of risk, certain characteristics may be
worth monitoring, and several in combination with each other may indicate attempts by the user to
evade detection.
Fraud and Abuse Records
Yes: iovation clients can flag transactions that originate from an account or device already
associated with fraud or abuse. Previous fraud or abuse is recorded in our system as evidence. The
customer sets the types of evidence they want to consider, and decides whether to leverage only
the evidence they log, or consider the evidence of other iovation subscribers.
KYC – Know Your Customer
No
Credit Rating
No
Follow up action
iovation’s fraud prevention service provides an Allow, Review or Deny result for each transaction.
Clients then decide the best course of action to take in response to these results. iovation also
returns detailed information about the device associated with the transaction; clients can store this
data and correlate it back to identity management and other systems as needed.
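The velocity rules and the Allow / Review / Deny result described above, as an added example that is not iovation's code: a small rule engine in Go that counts, per device or per account and inside a sliding window, how many distinct accounts, countries or checkouts were seen, and returns the worst verdict together with the rules that fired. The event fields, the thresholds for the six named rules and the sample history are assumptions constructed for the example; iovation's real schema, windows and thresholds are not on the page.

```go
package main

import (
	"fmt"
	"time"
)

// Event is one observed customer action as a device-recognition service would
// report it. The fields are this example's assumption, not iovation's schema.
type Event struct {
	At      time.Time
	Account string
	Device  string // stable identifier from device fingerprinting
	Country string // from IP geolocation
	Kind    string // "login", "signup" or "checkout"
}

const Allow, Review, Deny = "Allow", "Review", "Deny"

// Rule is a velocity rule: among events that share Scope with the current event
// and fall inside Window, count distinct Key values (or events, if Key is nil).
type Rule struct {
	Name   string
	Filter func(Event) bool   // nil: every event counts
	Scope  func(Event) string // the "per": device or account
	Key    func(Event) string // what is counted; nil counts events
	Window time.Duration
	Review int // at or above this count the result is Review
	Deny   int // at or above this count the result is Deny
}

// count evaluates the rule for cur against history (any order, any age).
func (r Rule) count(history []Event, cur Event) int {
	seen := map[string]bool{}
	for _, e := range append([]Event{cur}, history...) { // cur itself counts
		age := cur.At.Sub(e.At)
		if (r.Filter != nil && !r.Filter(e)) || r.Scope(e) != r.Scope(cur) || age < 0 || age > r.Window {
			continue // filtered out, other scope, future-dated or outside the window
		}
		key := fmt.Sprint(len(seen)) // no Key: every matching event is its own entry
		if r.Key != nil {
			key = r.Key(e)
		}
		seen[key] = true
	}
	return len(seen)
}

// Evaluate runs every rule and returns the worst verdict plus the reasons an
// analyst working the review queue would want to see.
func Evaluate(history []Event, cur Event, rules []Rule) (string, []string) {
	verdict, reasons := Allow, []string(nil)
	for _, r := range rules {
		if n := r.count(history, cur); n >= r.Review {
			reasons = append(reasons, fmt.Sprintf("%s=%d", r.Name, n))
			if n >= r.Deny {
				verdict = Deny
			} else if verdict == Allow {
				verdict = Review
			}
		}
	}
	return verdict, reasons
}

func byDevice(e Event) string  { return e.Device }
func byAccount(e Event) string { return e.Account }
func byCountry(e Event) string { return e.Country }
func isSignup(e Event) bool    { return e.Kind == "signup" }
func isCheckout(e Event) bool  { return e.Kind == "checkout" }

// DefaultRules encodes the six rule types the profile names. Thresholds are
// illustrative assumptions; a deployment tunes them per client and channel.
func DefaultRules() []Rule {
	return []Rule{
		{Name: "AccountsPerDevice", Scope: byDevice, Key: byAccount, Window: 24 * time.Hour, Review: 3, Deny: 5},
		{Name: "AccountsCreatedPerDevice", Filter: isSignup, Scope: byDevice, Key: byAccount, Window: 24 * time.Hour, Review: 2, Deny: 4},
		{Name: "CountriesPerAccount", Scope: byAccount, Key: byCountry, Window: 24 * time.Hour, Review: 2, Deny: 3},
		{Name: "CountriesPerDevice", Scope: byDevice, Key: byCountry, Window: 24 * time.Hour, Review: 2, Deny: 3},
		{Name: "TransactionsPerAccount", Filter: isCheckout, Scope: byAccount, Window: time.Hour, Review: 3, Deny: 6},
		{Name: "TransactionsPerDevice", Filter: isCheckout, Scope: byDevice, Window: time.Hour, Review: 3, Deny: 6},
	}
}

// Samples returns constructed data: device D1 cycling through accounts, a sixth
// account now logging in from D1 (geolocated to DE), and a returning customer on D2.
func Samples() (history []Event, suspicious, benign Event) {
	base := time.Date(2015, 12, 1, 12, 0, 0, 0, time.UTC)
	history = []Event{
		{base.Add(-23 * time.Hour), "a1", "D1", "GB", "login"},
		{base.Add(-20 * time.Hour), "a2", "D1", "GB", "login"},
		{base.Add(-10 * time.Hour), "a3", "D1", "GB", "signup"},
		{base.Add(-5 * time.Hour), "a4", "D1", "GB", "signup"},
		{base.Add(-48 * time.Hour), "a9", "D1", "US", "login"}, // outside the 24h window
	}
	return history, Event{base, "a5", "D1", "DE", "login"}, Event{base, "a1", "D2", "GB", "login"}
}
```

With the sample data, the sixth login from D1 trips AccountsPerDevice at its Deny threshold and CountriesPerDevice and AccountsCreatedPerDevice at Review, so Evaluate returns Deny with three reasons; the returning customer on D2 gets Allow with none. The login 48 hours earlier is deliberately outside the window and is ignored. Returning the reasons alongside the verdict is what lets an analyst in the review queue act on the result rather than re-derive it.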
Authentication Context
Online
Yes
Mobile
Yes: iovation’s mobile SDK for iOS and Android identifies jailbroken or rooted devices, and captures
device location through IP address, network-based geo-location information, and GPS data. The
location services expose mismatches between the reported time zone and location, long distances
between transactions made in short periods of time, and other location-based anomalies. It also
detects transactions originating from virtual machines or emulators.
ATM
No
POS
No
Call centre
No
Reference Data connectivity
Connectivity to governmental data
No
Other databases
MaxMind – IP geolocation
Fraud management system type
Single-channel fraud prevention
system
Yes: iovation delivers comprehensive online fraud prevention for mobile, tablet and PC-based
transactions.
Multi-channel fraud prevention
system
Our services focus on online transactions and complement a multi-channel prevention system.
Certification
Type
Regulation
iovation supports FFIEC compliance by providing device identification and device-based
authentication services.
Other quality programs
iovation follows strict Quality Assurance processes for new products and services, and offers
Service Level Agreements (SLAs) which include 99.9% uptime as a part of all customer
agreements.
Other remarks
Clients
Main clients / references
NetSpend, Bazaarvoice, Intuit, CashStar, Aviva Insurance, New Era Tickets, AT&T Performing Arts
Center, SG North and hundreds more.
Future developments
For more information, please contact iovation at info@iovation.com
Company
Mitek (formerly IDChecker)
Mitek (NASDAQ: MITK) is a global leader in mobile capture and identity verification software
solutions. Mitek’s ID document verification and facial recognition allow an enterprise to verify a
user’s identity during a mobile transaction, enabling financial institutions, payments companies and
other businesses operating in highly regulated markets to transact business safely while increasing
revenue from the mobile channel. Mitek acquired IDChecker in June of 2015.
Website
www.miteksystems.com
Keywords for online profile
ID document verification, biometric authentication
Business model
Transaction model
Target market
Card issuers, acquirers, payment processors, government services, business services
Contact
sales@miteksystems.com
Geographical presence
Global
Active since
2004
Service provider type
Identity verification
Member of industry associations
and initiatives
More information available upon request.
Services
Core services
Mobile capture, ID document verification and biometric authentication.
Other services
More information available upon request.
Unique selling points
Mobile ID verification bridges the gap between usability and security with mobile capture and ID
document verification. This boosts conversion rates, lowers onboarding costs and allows you to
safely and securely approve more good customers for mobile transactions.
Pricing model
Transaction based
Partners
Experian – Contego – Crif – Vix
Offering: authentication technology used
Technology used
SaaS
Authentication context
Online
Yes
Mobile
Yes
ATM
No
Branch/Point of Sale
Yes
Call Centre
No
Other:
Document Expert Examination
Issuing process (if applicable)
Assurance levels conformity
ISO 27001
Online issuing process (incl lead
time in working days)
N/A
Face-to-face issuing (incl lead time
in working days)
N/A
Issuing network
N/A
Attributes offered
Persons
ID document Verification – including age verification
Companies
N/A
Reference data connectivity
Connectivity to governmental data
N/A
Other databases
N/A
Certification
Type
ISO 27001
Regulation
KYC
Other quality programs
N/A
Other remarks
N/A
Clients
Main clients / references
PayPal – GWK Travelex – Experian – Randstad Group
Future developments
N/A
Company
Perseuss
Perseuss is the global travel industry’s own solution to the battle against fraud. Its flagship offering
is an online shared negative database, recently updated to include email age verification and
artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals.
Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.
Website
www.perseuss.com
Keywords for online profile
fraud prevention, data sharing, collaboration, artificial intelligence, trusted platform, fraud data,
negative database, positive database
Business model
Subscription service
Target market
Airlines, online travel agents, rail companies, hotels, car rentals, gaming and gambling, other online
businesses
Contact
info@perseuss.com
Geographical presence
Global
Active since
2009
Service provider type
Technology vendor
Member of industry association
and or initiatives
IATA
Services
Unique selling points
Perseuss is a secure community platform where merchants can legally share information about
fraud cases they have encountered. Each member has access to the common database containing
details of online purchases which were involved in either suspicious transactions or in confirmed
fraud. It allows each business to verify their own sales data to identify any suspicious transactions.
Core services
Data sharing platform including analysis, reporting, scoring and e-mail age verification.
Pricing Model
Please ask company for more information.
Fraud prevention partners
Please ask company for more information.
Other services
Please ask company for more information.
Third party connection
Accertify, ACI Universal Payments, Adyen, DataCash, Ingenico Payment Services, Wirecard,
Worldpay, Ypsilon
Technology: anti-fraud detection tools available
Address verifications services
No
CNP transactions
No
Card Verification Value (CVV)
No
Bin lookup
Yes
Geo-location Checks
No
Device Fingerprint
No
Payer Authentication
No
Velocity Rules – Purchase Limit
Rules
No
White list/black list database:
Yes; watch list
KYC – Know Your Customer
No
Credit Rating
No
Follow up action
No
Other
E-mail age verification, Social Media check
Authentication Context
Online
More information available upon request.
Mobile
More information available upon request.
ATM
More information available upon request.
POS
More information available upon request.
Call centre
More information available upon request.
Other
More information available upon request.
Reference Data connectivity
Connectivity to governmental data
No
Other databases
No
Fraud management system type
Single-channel fraud prevention
system
More information available upon request.
Multi-channel fraud prevention
system
More information available upon request.
Certification
Type
More information available upon request.
Regulation
More information available upon request.
Other quality programs
More information available upon request.
Other remarks
More information available upon request.
Clients
Main clients / references
Please ask company for more information.
Future developments
Please ask company for more information.
The global travel industry’s own solution to battle against fraud
How Perseuss members use the system in everyday operations (figure): travel companies upload
fraudulent bookings data to the Perseuss database.
Company A (e.g. a travel agent) sees a suspect transaction and checks the details against the
database. This shows two other instances of the same details used fraudulently. An analyst reviews
the case, decides to decline the booking and adds the booking data to Perseuss.
Company B (e.g. an airline): a few hours later Company B has a match with one of the data elements
uploaded by Company A. This uncovers a whole series of bookings that turn out to be fraud.
Contact Us
Perseuss
Schellingweg 17D
NL-1507 DR. Zaandam
The Netherlands
+31 75 653 94 04
info@perseuss.com
ALWAYS ONE STEP AHEAD OF THE FRAUDSTERS
Reduce fraud and grow profits with smarter fraud prevention from Risk Ident
✓ BOOST CUSTOMER NUMBERS
✓ REDUCE FALSE POSITIVES
✓ ACCURATELY PINPOINT GENUINE FRAUD
✓ IDENTIFY ACCOUNT TAKEOVERS
✓ CUT AFFILIATE FRAUD
✓ PREVENT IDENTITY FRAUD
We protect millions of transactions every week,
so your customers can buy securely and with confidence.
Contact us today:
www.riskident.com | +44 (0) 203 668 3611 | contact@riskident.uk
RETAIL
TRAVEL
TELECOMS
PAYMENTS
FINANCIAL SERVICES
GAMING
Company
Risk Ident
Risk Ident offers anti-fraud solutions for companies within the ecommerce and financial sectors,
empowering fraud managers with intelligence and self-learning machine technology to provide
stronger fraud prevention. Risk Ident are experts in device fingerprinting and behavioural analytics,
while its products are specifically tailored to comply with European data privacy regulations.
Website
http://riskident.com
Keywords for online profile
online fraud prevention, account takeover prevention, device identification, worldwide device pool,
automatic fraud detection, fraud case processing, credit risk evaluation, credit scoring
Business model
Direct and through partners within the credit scoring industry.
Target market
Web merchants, financial institutions, payment services providers, online communities, gaming and
gambling, other online businesses
Contact
contact@riskident.com
Geographical presence
90% Europe, 10% international
Active since
2013
Service provider type
Technology vendor, web fraud detection company
Member of industry association
and or initiatives
Merchant Risk Council
Services
Unique selling points
Risk Ident is a leading software developer for credit risk and fraud prevention tools. We are
experts in applying trending algorithms and other machine learning components on different data
feeds to identify consumer credit and fraud risks in ecommerce. We also offer our own device
fingerprinting solution, specializing in recognition of mobile devices.
Core services
Fraud detection, credit scoring software and device fingerprinting services.
Pricing Model
Monthly fees per user (fraud and credit software) / per transaction (device fingerprinting)
Fraud prevention partners
Credit References Agencies: SCHUFA, CRIF
Other services
More information available upon request.
Third party connection
Yes
Technology: anti-fraud detection tools available
Address verifications services
Yes
CNP transactions
Yes
Card Verification Value (CVV)
Yes
Bin lookup
Yes
Geo-location Checks
Yes
Device Fingerprint
Yes
Payer Authentication
Yes
Velocity Rules – Purchase Limit
Rules
Yes
White list/black list database:
Yes
KYC – Know Your Customer
Yes
Credit Rating
Yes
Follow up action
Various
Other
More information available upon request.
Authentication Context
Online
Yes
Mobile
Yes
ATM
More information available upon request.
POS
(Yes)
Call centre
More information available upon request.
Other
More information available upon request.
Reference Data connectivity
Connectivity to governmental data
More information available upon request.
Other databases
Identity & Address Providers, Credit Scoring Providers
Fraud management system type
Single-channel fraud prevention
system
Yes
Multi-channel fraud prevention
system
Yes
Certification
Type
ISO 27001 Data Center
Regulation
More information available upon request.
Other quality programs
More information available upon request.
Other remarks
Full EU data privacy compliance
Clients
Main clients / references
Client lists for DE, CH, AT, UK, FR on request / Key investor Otto Group (#2 European online
merchant)
Future developments
Full credit and fraud risk service for online merchants and financial institutions.
Company
Signicat
Signicat is a secure identity cloud service provider with deep expertise in online electronic id
(e-ID), advanced electronic signatures and PKI solutions. Wide coverage of national and public
e-IDs in Europe accessible through one single point of integration. Signicat offers a secure and
smooth integration for more than 150 customers cross border in industries like financial services,
ecommerce and public sector. The services are available cross channel on multiple devices.
Website
www.signicat.com
Keywords for online profile
European e-IDs and eSignatures as a Service.
Business model
Cloud Services (SaaS)
Target market
Horizontal, with focus on financial services industry including card issuers and PSPs, telco and
government
Contact
Arne Vidar Haug, VP Bus Dev & Ole Christian Olssøn, VP Sales
Geographical presence
Norway, Sweden, Denmark, Finland, the Netherlands, Estonia, Lithuania, Latvia, Spain
Active since
2007
Service provider type
E-identity service provider and eSignature services.
Member of industry associations
and intiatives
Kantara Initiative, STORK 2.0, ePractice.eu, OSWALD
Services
Core services
Signicat offers customers access to a wide range of European national e-IDs and eSignature services
including timestamping, long-term archiving and re-signing as a service. The company also
provides issuing of IDs like password with SMS OTP and app-based Mobile ID in addition to single
sign-on and identity services.
Other services
Secure Web Forms, Single Sign-On based on pure SAML 1/2, ready-made integration with IBM
Tivoli, Java, .NET, SharePoint, Oracle IAM and WebCenter/UCM.
Unique selling points
Extend customer relationships, dialogue and self-service capabilities through our range of services.
Connecting to available services through one standard interface (SAML 1/2 etc.) that shortens time
to market, improves ROI and offers customers the ability to focus on their core business.
Pricing model
One-time connection fee, plus a combination of monthly subscription and transaction fees.
Partners
Close relationships with ISVs, SIs, tech companies (IBM, Oracle, Microsoft) and Biznode among
others. Plug-ins to SalesForce and SuperOffice among others.
Offering: authentication technology used
Technology used
Cloud based services on industrial standardized protocols like XML, SOAP, SAML and HTTP.
Authentication context
Online
Yes, through our own cloud service including eSignature.
Mobile
Yes, through our own cloud service including eSignature.
ATM
N/A
Branch/Point of Sale
Standardized interfaces available for integration.
Call Centre
Standardized interfaces available for integration.
Other:
Standardized interfaces available for integration for multiple services in need of authentication and
digital signatures.
Issuing process (if applicable)
Assurance levels conformity
N/A
Online issuing process (incl lead
time in working days)
Self service process, issued in a minute. Establishment of solution takes approx 2-5 days.
Face-to-face issuing (incl lead time
in working days)
Face-to-face issuing is handled by the public or national eID issuer, depending on the country.
Issuing network
Online services like e-mail and SMS in addition to postal network, bank branches, notaries.
Attributes offered
Persons
Name, address, SSN, birthplace, age, country, etc. Information available depends on selected
e-ID used.
Companies
Name, address, company registration no.(where applicable), procurists, signatory rights
Reference data connectivity
Connectivity to governmental data
Citizens public register, company register
Other databases
Commercial attribute providers, e.g. credit databases
Certification
Type
ISA 3000 revision on ISO 27001 Information Security Policy in progress.
Regulation
EU Signature Directive, ETSI in addition to the national directives for countries in Europe based on
the EU Directive.
Other quality programs
OWASP, ETSI
Other remarks
Winner of IDDY (Identity Deployment of the Year)-award 2009.
Clients
Main clients / references
Norwegian Post, SEB, If, Santander, Nykredit, Bank Norwegian and Norwegian Educational State
Fund among others.
Future developments
Continued support for new e-IDs in Europe including enhancements to Signature solutions, for
example German nPA, Dutch eHerkenning and Swiss SwissID.
Company
Socure
Socure is the leader in digital identity verification. By applying machine-learning techniques
with biometrics and intelligence from e-mail, phone, IP and online/offline and social media data,
Socure bolsters fraud prevention and KYC/OFAC compliance programs for enterprises conducting
business in over 180 countries, helping them to combat identity fraud, prevent account takeover,
and increase consumer acceptance.
Website
www.socure.com
Keywords for online profile
identity verification, biometrics, fraud risk mitigation, KYC compliance, AML, OFAC, technology
Business model
Subscription-based SaaS
Target market
Financial institutions
Contact
info@socure.com +1.866.932.9013
Geographical presence
Headquarters in New York City, used in over 180 countries worldwide
Active since
2012
Service provider type
Digital identity service provider, technology vendor, web fraud detection company
Member of industry association
and or initiatives
ETA, BAI, MRC, SafeHarbor Certified
Services
Unique selling points
Patented technology that uniquely blends trusted email, phone, online and offline data including
social media network data and facial recognition. Ability to resolve identities across broad
population using alternative data and provide fraud risk estimation assistance, easily integrates into
existing processes. Technology is adaptive machine learning, where AI compensates to learn from
false positives and improve predictive power over time, both globally and on a per-client basis.
Core services
Socure provides identity verification services, fraud risk mitigation, CIP/KYC program compliance,
financial inclusion, facial biometrics for transaction verification.
Pricing Model
Annual subscription, billed per API call.
Fraud prevention partners
Feedzai, Zoot, Sphonic
Other services
Transaction authentication, facial recognition, biometric identification
Third party connection
More information available upon request.
Technology: anti-fraud detection tools available
Address verification services
Yes
CNP transactions
Yes
Card Verification Value (CVV)
No
BIN lookup
No
Geo-location Checks
Yes
Device Fingerprint
Yes
Payer Authentication
Yes
Velocity Rules – Purchase Limit Rules
No
White list/black list database:
Yes
KYC – Know Your Customer
Yes
Credit Rating
No
Follow up action
Additional authentication (out of band authentication) and transaction verification capabilities.
Other
OFAC checks
Authentication Context
Online
Yes
Mobile
Yes
ATM
No
POS
Yes
COMPANY PROFILES
105
Call centre
No
Other
More information available upon request.
Reference Data connectivity
Connectivity to governmental data
Customizable
Other databases
Commercial attribute providers, e.g. credit databases
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification
Type
US/EU Safe Harbor, US SOC-2 (imminent)
Regulation
KYC, CIP, AML, OFAC
Other quality programs
Privacy compliance
Other remarks
More information available upon request.
Clients
Main clients / references
More information available upon request.
Future developments
More information available upon request.
Company
Wirecard AG
Wirecard AG is one of the world’s leading independent providers of outsourcing and white label
solutions for electronic payment transactions. Wirecard's global multi-channel platform bundles
international payment acceptances, methods and fraud prevention. Wirecard provides companies
with an end-to-end infrastructure for issuing products, including the requisite licenses for card and
account products.
Website
www.wirecard.com
Keywords for online profile
ecommerce, mobile payment, risk management, acquiring, issuing, credit cards, online banking,
POS payment processing
Business model
Please contact Wirecard for more information.
Target market
Online shoppers, financial institutions, payment services providers, government services, online
communities/web merchants, gaming and gambling, other online businesses
Contact
sales@wirecard.com | +49 89 4424 1400
Geographical presence
Europe, Middle East/Africa, Asia/Pacific
Active since
1999
Service provider type
Digital identity service provider, technology vendor, web fraud detection company, payment service
provider (PSP), issuer, acquirer
Member of industry association and/or initiatives
Please contact Wirecard for more information.
Services
Unique selling points
Industry-specific and customizable fraud prevention models, continuous improvement of fraud
prevention models based on direct access to fraud notifications of issuing banks, check of all
transactions per merchant on every sales channel (eCom, mobile/mPOS, MOTO, POS + BSP/ATO/
CTO for airlines) due to close technical integration with Wirecard Bank as acquirer.
Core services
Fraud prevention for card payments and alternative payment methods, credit scoring, decision
logics for credit limit calculation, transaction checks, merchant monitoring
Pricing Model
Flexible pricing models, depending on requirements and volumes.
Fraud prevention partners
Wirecard is integrated into multiple third party fraud prevention partners.
Other services
Fraud analytics for customers, international address verification
Third party connection
Providers of negative databases, credit agencies, international phone number verification
Technology: anti-fraud detection tools available
Address verification services
Yes
CNP transactions
Yes
Card Verification Value (CVV)
Yes
BIN lookup
Yes
Geo-location Checks
Yes
Device Fingerprint
Yes
Payer Authentication
Yes
Velocity Rules – Purchase Limit Rules
Yes
White list/black list database:
Yes
KYC – Know Your Customer
Yes
Credit Rating
Yes
Follow up action
Additional authentication (out of band authentication) and transaction verification capabilities.
Other
Fraud Prevention Suite with detailed Business Intelligence tools, 3D-Secure, CUP-Secure, Trust Evaluation Suite
Authentication Context
Online
Yes
Mobile
Yes
ATM
Yes
POS
Yes
Call centre
Yes
Other
Industry-specific sales channels, e.g. BSP/ATO/CTO for airlines, mPOS
Reference Data connectivity
Connectivity to governmental data
Sanction lists, e.g. EG 2580/2001, EG 881/2002, US DPL, US SDN, US entity list
Other databases
Commercial attribute providers, e.g. credit databases, PEP screening
Fraud management system type
Single-channel fraud prevention system
Yes
Multi-channel fraud prevention system
Yes
Certification
Type
e.g. PCI-DSS certified; for more information please contact Wirecard.
Regulation
KYC (KWG 24c), Anti-Money Laundering (AML)
Other quality programs
N/A
Other remarks
N/A
Clients
Main clients / references
More than 20,000 merchants from various industries.
Future developments
Not to be disclosed.
Glossary

A

Account takeover
A form of identity theft where a criminal gains complete control of a consumer’s account, such as obtaining the PIN or changing the statement mailing address.

Account Creation Fraud
Using stolen, compromised or synthetic identities, typically through a spoofed location, to create a new account to access online services or obtain lines of credit.

Account Login Fraud
Attacks targeted at taking over user accounts using previously stolen credentials available in the wild or credentials compromised by malware or Man-in-the-Middle attacks.

Address Verification System (AVS)
A system used to verify the address of a person claiming to own a credit card. The system will check the billing address of the credit card provided by the user with the address on file at the credit card company. The other security features for the credit card include the CVV2 number.

Anti-Money Laundering (AML)
Procedures, laws or regulations designed to stop the practice of making money that comes from illegal sources look like it came from legitimate sources. The sum of legal controls that require financial institutions and other regulated entities to prevent, detect, and report money laundering activities.

Application fraud
A form of identity theft where a criminal uses the user’s personal information to open new accounts and applications without his/her knowledge.

ATM fraud
Fraud related to ATM card accounts where a card is used to withdraw funds from a consumer’s account using a PIN-based transaction at an ATM.

Authentication
The methods used to verify the origin of a message or to verify the identity of a participant connected to a system and to confirm that a message has not been modified or replaced in transit.

Authorization
The function of specifying access rights to resources related to information security and computer security in general and to access control in particular.

B

Bank Identification Numbers (BIN)
The first four to six digits on a credit card, which can be used to identify the Issuing Bank that issued the card. BINs are traditionally used by online merchants as a way to detect fraud by matching the geographic area where the cardholder is located to the geographic area identified in the Bank Identification Number.

Big Data
Large data sets that may be analysed computationally to reveal patterns, trends, and associations relating to human behaviour and interactions. By developing predictive models based on both historical and real-time data, companies can identify suspected fraudulent claims in the early stages.

Biometrics
The use of a computer user's unique physical characteristics such as fingerprints, voice and retina to identify that user.

Biometric Data
A general term used to refer to any computer data that is created during a biometric process. This includes samples, models, fingerprints, similarity scores and all verification or identification data excluding the individual's name and demographics.

Biometric Verification
Any means by which a person can be either a) identified or b) verified (authenticated), by evaluating one or more distinguishing biological traits. An identification system (e.g. AFIS) consists of the original trait and a database of stored traits, and works by comparing a sample against the database for close matches.
BYOD
Bring your own device (BYOD) is an IT policy where employees are allowed or encouraged to use their personal mobile devices — and, increasingly, notebook PCs — to access enterprise data and systems.

C

Card Capture Device
A device inserted into an ATM card slot which captures the data contained on the card.

Cardholder-not-present fraud
Using stolen cards or card details and personal information, a fraudster purchases goods or services remotely - online, by telephone or by mail order.

Change of address fraud
Occurs when the fraudster obtains details of a genuine customer’s account and then contacts the business to advise that he has changed address. This is usually accompanied or followed by a request for items of value such as a chequebook, debit card or statement of account to be sent to the bogus ‘new’ address. A false change of address is used to facilitate previous address fraud and account/facility takeover fraud.

Chargeback
Chargeback occurs when a credit cardholder contacts their credit card-issuing bank to initiate a refund for a purchase made on their credit card. Chargebacks are generally the result of a cardholder changing their mind, being dissatisfied with their purchase or a case of fraud. The fraud can result from the unauthorized use of their credit card (stolen card) or the cardholder purposely seeking to dispute a legitimate purchase they made (see ‘delivery and returns fraud’).

Consumer authentication
The term used to describe tools intended to verify that the person making the transaction is actually the person authorized to do so, in both in-person and Card-Not-Present transactions.

Cookie
A small data file that is automatically stored on a user’s computer for record-keeping purposes. It contains information about the user in relation to a particular website, such as their username and preferences.

Credential
Data issued to an individual by a third party with a relevant authority or assumed competence to do so that is presented to provide evidence of a claim. A credential is a piece of information asserting to the integrity of certain stated facts.

Credit card fraud
Fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft.

Crimeware Tools
Crimeware refers to malware specifically designed to automate cybercrime. These tools help fraudsters create, customize and distribute malware to perpetrate identity theft through social engineering or technical stealth.

Criminal organisation
A group of individuals who collude together to commit fraud.

Counterfeiting
The fraudulent reproduction of original documents/instruments in a manner that enables the fraudster to pass them off as genuine/original items.

Cybercrime (cyber fraud)
The term encompasses criminal actions that target computer, internet, or network utility, damaging functionality or infiltrating systems and processes. Specifically, cybercrime can include malware, spyware, phishing, pharming, viruses and worms.
GLOSSARY
111
Cryptography
Protecting information or hiding its meaning by converting it into a secret code before sending it out over a public network.

D

Data breach
Unintentional release of secure information to an untrusted environment.

Data capture
The action or process of gathering data, especially from an automatic device, control system, or sensor.

Delivery and returns fraud
The act of defrauding a store via the return process. Delivery and return fraud (also known as ‘friendly fraud’) involves legitimate customers using valid payment cards and is akin to electronic.

Device ID
The unique serial number or ‘fingerprint’ that a particular device has embedded in it. It can be the combination of several components (e.g. CPU + graphics card) and can include a threshold (i.e. less than 100% matching) to allow for partial upgrades, such as with the iPass (proprietary) solution.

Device Spoofing
Hackers delete and change browser settings in order to change their device identity or fingerprint, or attempt to appear to come from a victim’s device. Cookieless device identification is able to detect returning visitors even when cookies are deleted or changes are made to browser settings.

Debit card fraud
Fraud related to debit card accounts where a card is used to withdraw funds from a consumer’s account.

Denial of Service Attack
An attack on a computer system or network that causes a loss of service to users. A network of computers is used to bombard and overwhelm another network of computers with the intention of causing the server to ‘crash’. A Distributed Denial of Service (DDoS) attack relies on brute force by using attacks from multiple computers. These attacks can be used to extort money from the businesses targeted.

Detection rate
The amount of fraud detected by a fraud prevention system at a given level of account reviews.

Digital Identity
A collection of identity attributes, an identity in an electronic form (e.g. electronic identity).

Dual-Factor Identification Rules
Requirement that banks implement another type of password in addition to the standard username and password combination. Many banks present a picture that the consumer chooses in addition to their password in order to recognize the bank.

E

E-ID services
Services for entity authentication and signing data.

Electronic data interchange (EDI)
An electronic communication method that provides standards for exchanging data. By adhering to the same standard, companies that use EDI can transfer data from one branch to another and even across the world.

Encryption
The process of converting data into cipher text to prevent it from being understood by an unauthorized party.

End-to-end encryption
Uninterrupted protection of the integrity and confidentiality of transmitted data by encoding it at the start and decoding it at the end of the transaction.

Endpoint authentication
A security system that verifies the identity of a remotely connected device (and its user) such as a PDA or laptop before allowing access to enterprise network resources or data.

EMV
EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point-of-sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.
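As an added illustration of the Device ID and Device Spoofing entries above (example code written for this glossary, not taken from the guide or from any vendor it names), the following shows a weighted fingerprint match that still recognises a returning device at less than 100% agreement, so a partial hardware upgrade or changed browser settings do not produce a "new" device while cookies play no part. The component names, their weights and the 80% threshold are constructed assumptions.

```python
"""Fuzzy device-fingerprint matching (added example, not from the guide).

A fingerprint is a set of named components. Each component carries a weight;
the similarity of two fingerprints is the weighted share of components on
which they agree. A returning device is recognised when that share reaches a
threshold below 100%, which is what lets a GPU swap or a user-agent change
still match the stored record. No cookie is consulted at any point.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed weights: stable hardware attributes count more than attributes
# a user can change with a settings dialog.
COMPONENT_WEIGHTS = {
    "cpu": 3.0,
    "gpu": 2.0,
    "fonts_hash": 2.0,
    "screen": 1.0,
    "timezone": 1.0,
    "user_agent": 1.0,
}

# Constructed threshold: 80% weighted agreement is "the same device".
MATCH_THRESHOLD = 0.8


@dataclass(frozen=True)
class DeviceFingerprint:
    components: dict

    def similarity(self, other: "DeviceFingerprint") -> float:
        """Weighted fraction of components on which both fingerprints agree.

        A component missing on either side counts as a mismatch, so a sparse
        fingerprint can never outscore a complete one.
        """
        total = sum(COMPONENT_WEIGHTS.values())
        agreed = sum(
            weight
            for name, weight in COMPONENT_WEIGHTS.items()
            if name in self.components
            and self.components[name] == other.components.get(name)
        )
        return agreed / total


@dataclass(frozen=True)
class MatchResult:
    device_id: str
    score: float
    is_new: bool


@dataclass
class DeviceStore:
    """Known devices keyed by a server-side id; lookup is by similarity only."""

    known: dict = field(default_factory=dict)
    next_id: int = 1

    def identify(self, observed: DeviceFingerprint,
                 threshold: float = MATCH_THRESHOLD) -> MatchResult:
        """Return the best-matching known device, or enrol a new one.

        The highest-scoring stored fingerprint wins if its score reaches the
        threshold; otherwise the observed fingerprint is stored as a new device.
        """
        best_id: Optional[str] = None
        best_score = 0.0
        for device_id, stored in self.known.items():
            score = stored.similarity(observed)
            if score > best_score:
                best_id, best_score = device_id, score
        if best_id is not None and best_score >= threshold:
            return MatchResult(best_id, best_score, False)
        new_id = f"dev-{self.next_id}"
        self.next_id += 1
        self.known[new_id] = observed
        return MatchResult(new_id, best_score, True)


if __name__ == "__main__":
    # Constructed sample: one enrolled laptop, then the same laptop with a
    # new graphics card, then a different machine.
    base = DeviceFingerprint({"cpu": "cpu-A", "gpu": "gpu-1", "fonts_hash": "f1",
                              "screen": "1920x1080", "timezone": "UTC+1",
                              "user_agent": "ua-1"})
    store = DeviceStore()
    print(store.identify(base))                                   # new dev-1
    print(store.identify(DeviceFingerprint({**base.components, "gpu": "gpu-2"})))
    print(store.identify(DeviceFingerprint({**base.components, "cpu": "cpu-Z",
                                            "gpu": "gpu-9", "fonts_hash": "f9"})))
```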
F

Face recognition
Biometric modality that uses an image of the visible physical structure of an individual face for recognition purposes.

False Positive
The amount of good or true accounts flagged by the fraud prevention system as fraudulent.

Firewall
Computer hardware or software designed to prevent unauthorised access to the system via the internet.

Fraud detection
A rule-based, image-enabled suite of products that offers a variety of fraud detection capabilities at the point of presentment used to prevent or mitigate losses associated with deposit and payment fraud.

Federated identity
A single user identity that can be used to access a group of websites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft.

Fingerprint recognition
Biometric modality that uses the physical structure of the user fingerprint for recognition. In most fingerprint recognition processes the biometric samples are compressed into minutiae points that reduce the size of data and accelerate the process.

First-party fraud
Fraud committed against a financial institution by one of its own customers.

Forgery
The process of making or adapting documents, such as checks, with the intent to deceive.

Fraud prevention
Pro-active steps taken by a company to insure itself against fraudulent activity. This is usually in the form of enacted policies, systems and controls in place to detect and monitor for fraudulent activity, and communications to employees that instill ethical behavior.

Fraud screening
A checking system that identifies potentially fraudulent transactions. Fraud screening helps reduce fraudulent credit card transactions, reducing the need for manual reviews, minimizing bad sales and improving a company’s bottom line.

Friendly fraud
When a consumer (or someone with access to a credit card) makes a purchase and then initiates a chargeback, saying they did not make the purchase and/or did not receive the goods or services.

G

Geo Location Detection
Set of diverse and ideally automated tests which help fraud protection solutions assess the risk of fraud involved in a specific order passing through a merchant’s website. These tests might include IP to Zip Code, IP to Billing Address, High IP Cross Referencing, IP Geo Location & Proxy Detection, and NPA NXX Area Code Web Service.

Geographical IP Detector (GID)
A web shop or a fraud protection solution equipped with a GID can easily locate the real physical (geographical) location of the device, by tracking the IP Address.

Ghost terminal
Skimming device where a fake ATM touch pad and reader are placed over a legitimate ATM. The reader obtains card information and PIN, but will not process the transaction since the legitimate ATM does not function.

Global Address Verification Directories
This feature enables fraud protection solutions to compare the address introduced by the visitor with the existing address, detecting any fake data. It also helps e‐merchants keep their customers easily reachable.
H

Hacker
A person who uses computers to gain unauthorized access to data, or a person who seeks and exploits weaknesses in a computer system or network.

Hash function
A function that can be used to map digital data of arbitrary size to digital data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. With Bitcoin, a cryptographic hash function takes input data of any size, and transforms it into a compact string.

Host Card Emulation (HCE)
On-device technology that permits a phone to perform card emulation on an NFC-enabled device. With HCE, critical payment credentials are stored in a secure shared repository (the issuer data center or private cloud) rather than on the phone. Limited use credentials are delivered to the phone in advance to enable contactless transactions to take place.

I

Identity
The fact of being what an entity (person or a thing) is, and the characteristics determining this. It is a collection of attributes.

Identity of Things (IDoT)
An area of endeavor that involves assigning unique identifiers (UID) with associated metadata to devices and objects (things), enabling them to connect and communicate effectively with other entities over the internet.

Identity provider
A service provider that creates, maintains and manages identity information for principals and may provide user authentication to service providers (e.g. within a federation).

Identity Spoofing
Using a stolen identity, credit card or compromised username / password combination to attempt fraud or account takeover. Typically, identity spoofing is detected based on high velocity of identity usage for a given device, detecting the same device accessing multiple unrelated user accounts or unusual identity linkages and usage.

Identity theft
Identity theft happens when fraudsters access enough information about someone’s identity (such as their name, date of birth, current or previous addresses) to commit identity fraud. Identity theft can take place whether the fraud victim is alive or deceased.

Identity Provider
Also known as Identity Assertion Provider, an authentication module which verifies a security token as an alternative to explicitly authenticating a user within a security realm.

InfoSec (information security)
The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Interchange fees
The interchange fee, also called the discount rate or swipe fee, is the sum paid by merchants to the credit card processor as a fee for accepting credit cards. The amount of the rate will vary depending on the type of transaction, but averages about 2% of the purchase amount. The interchange fee is typically higher for online purchases than for in-person purchases, because in the latter, the card is physically present and available for inspection.

Internet of Things (IoT)
The network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other internet-enabled devices and systems.

Interoperability
A situation in which payment instruments belonging to a given scheme may be used in other countries and in systems installed by other schemes. Interoperability requires technical compatibility between systems, but can only take effect where commercial agreements have been concluded between the schemes concerned.

Internet fraud
An illegal activity wherein a person in possession of internet banking details of another person impersonates them to use their funds.
IP Address Spoofing
Cybercriminals use proxies to bypass traditional IP geolocation filters, and use IP spoofing techniques to evade velocity filters and blacklists. ThreatMetrix directly detects IP spoofing via both active and passive browser and network packet fingerprinting techniques.

K

Key Stroke Logger
Hardware or software that records the keystrokes and mouse movements made on a particular computer. Hardware loggers can be placed by dishonest staff or unauthorised visitors. Software loggers can be installed in the same way, or more usually by malicious email or malware. Authorised key loggers may be used in order to facilitate an audit trail.

Know Your Customer (KYC)
The term refers to due diligence activities that financial institutions and other regulated companies must perform to ascertain relevant information from their clients for the purpose of doing business with them. Know your customer policies are becoming increasingly important globally to prevent identity theft, financial fraud, money laundering and terrorist financing.

L

Level of assurance (LoA)
A quality-indicator for digital identity. It describes four identity authentication assurance levels for e-government transactions. Each assurance level describes the agency’s degree of certainty that the user has presented an identifier (a credential in this context) that refers to his or her identity. In this context, assurance is defined as the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

M

Machine learning
An artificial intelligence (AI) discipline geared toward the technological development of human knowledge. Machine learning allows computers to handle new situations via analysis, self-training, observation and experience.

Malware
Malware, or malicious software, is software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content and other software.

Man-in-the-browser
A form of internet threat related to man-in-the-middle (MITM); it is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host web application.

Man-in-the-middle
In cryptography and computer security it is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Mail Order – Telephone Order (MOTO)
MOTO accounts are required when more than 30% of credit cards cannot be physically swiped. Merchants that have a MOTO merchant account usually process credit card payments by entering the credit card information directly into a terminal that contains a keypad, by using terminal software installed on a personal computer, or by using a “virtual” terminal that allows the merchant to use a normal web browser to process transactions on a payment service provider’s website.

Money laundering
The process of concealing the source of money obtained by illicit means. The methods by which money may be laundered are varied and can range in sophistication. Many regulatory and governmental authorities quote estimates each year for the amount of money laundered, either worldwide or within their national economy.
Multi-factor authentication
An approach to security authentication, which requires that the user of a system provide more than one form of verification in order to prove their identity and allow access to the system. Multi-factor authentication takes advantage of a combination of several factors of authentication; the three major factors include verification by something a user knows (such as a password), something the user has (such as a smart card or a security token), and something the user is (such as the use of biometrics).

O

One-time password
A password that can be used only once, usually randomly generated by special software.

Online fraud
Any kind of fraudulent and/or criminal activity which is made via online services such as e‐mail, messaging applications or websites. The most common forms of online fraud affecting e‐merchants are in the form of chargebacks, identity theft and credit card fraud.

Online fraudster
A person who commits fraud online, especially in business dealings.

OpenID
An open standard that describes how users can be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Users may create accounts with their preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication.

P

Password
A word or other collection of characters used for authentication. It serves as a security device to gain access to a resource.

PA DSS
Also known as Payment Application Data Security Standard, it is a system designed by the Payment Card Industry Security Standards Council and adopted worldwide. This system prevents third-party payment applications from storing prohibited secured data.

Payment Card Industry Data Security Standard (PCI-DSS)
A mandatory set of rules and regulations created to reduce credit card fraud. PCI Compliance currently has six objectives: to build and maintain a secure network, to protect cardholder data, to maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and to maintain an information security policy. The PCI requirements have been developed by the PCI Security Standards Council, which includes American Express, Discover, JCB International, MasterCard and Visa.

Pharming
Occurs when a divert is set up from a company’s real website, without their knowledge, to a bogus website. When customers attempt to access the real website the fraudsters gather customers’ account details and passwords which can then be used to facilitate frauds.

Phishing
A method which allows criminals to gain access to sensitive information (like usernames or passwords). It is a method of social engineering. Very often, phishing is done by electronic mail. This mail appears to come from a bank or other service provider. It usually says that because of some change in the system, the users need to re-enter their usernames/passwords to confirm them. The emails usually have a link to a page which is similar to the one of the real bank.

PIN
A numeric code that is used as confirmation to finish a transaction via payment card. The PIN number is used by entering it into a keypad which grants authorisation.

Public Key Infrastructure (PKI)
The infrastructure needed to support the use of Digital Certificates. It includes Registration Authorities, Certificate Authorities, relying parties, servers, PKCS and OCSP protocols, validation services, revocation lists. Uses include secure e-mail, file transfer, document management services, remote access, web-based transactions, services, non-repudiation, wireless networks and virtual private networks, corporate networks, encryption, and ecommerce.
Point-to-point encryption (P2PE)
A solution that encrypts card data from the entry point of a merchant's point-of-sale (POS) device to a point of secure decryption outside the merchant's environment, such as a payment processor like TSYS Acquiring Solutions. The purpose of P2PE is to address the risk of unauthorized interception associated with cardholder data-in-motion during the transmission from the POS terminal to the payment processor.

Privacy
Privacy is the ability of a person to control the availability of information about and exposure of himself or herself. It is related to being able to function in society anonymously (including pseudonymous or blind credential identification).

Proofing
Identity proofing is a common term used to describe the act of verifying a person’s identity, as in verifying the “proof of an ID”. Other terms to describe this process include identity verification and identity vetting.

R

Real-time risk management
A process which allows risk associated with payments between payment system participants to be managed immediately and continuously.

Relying party (RP)
A website or application that wants to verify the end-user's identifier. Other terms for this party include "service provider" or the now obsolete "consumer".

Retail loss prevention
A set of practices employed by retail companies to reduce and deter losses from theft and fraud, colloquially known as "shrink reduction".

Risk assessment
The process of studying the vulnerabilities, threats to, and likelihood of attacks on a computer system or network.

Risk-Based Authentication
Risk-based authentication uses multiple factors to determine whether or not a person is who they claim to be online. Typically, this technique includes the traditional username and password in addition to who the user is, from where they are logging in, and what kind of device they are using. Information such as historical data is also used, which includes attributes provided from the session as well as user behavior and transaction patterns.

S

Smart card
An access card that contains encoded information used to identify the user.

Secure element
A tamper-proof Smart Card chip capable of embedding smart card-grade applications with the required level of security and features. In the NFC architecture, the secure element will embed contactless and NFC-related applications and is connected to the NFC chip acting as the contactless front end. The secure element could be integrated in various form factors: SIM cards, embedded in the handset or SD Card.

Security
In ecommerce terms, security is ensuring that transactions are not open to fraud. In ecommerce systems, security protocols protect the consumer, the merchant and the bank from hackers and fraudsters.

Security threat and risk assessment
A method that identifies general business and security risks for the purpose of determining the adequacy of security controls with the service and mitigating those risks.

Security token (authentication token)
A small hardware device that the owner carries to authorize access to a network service. The device may be in the form of a smart card or may be embedded in a commonly used object such as a key fob.
GLOSSARY
117
Skimming
Card skimming is the illegal copying of information from the magnetic stripe of a credit or ATM card. Unlike phishing, which tricks the cardholder into disclosing data, skimming captures it directly from the card. In biometrics and ID it could be the act of obtaining data from an unknowing end user who is not willing to submit the sample at that time.

Social engineering
Manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick people into giving up their passwords or bank information, or into granting access to their computer so that malicious software can be secretly installed which will give the criminals access to passwords and bank information as well as control over the computer.

Social Security Fraud
Occurs when a fraudster uses one's Social Security Number in order to obtain other personal information. An example of this would include applying for more credit in one's name and not paying the bills.

Spear Phishing
A phishing e-mail that looks as if it came from someone the user knows. Typically the e-mail contains a file that, when opened, will infect the computer with a bot or a key logger.

Spoofs
Various scams in which fraudsters attempt to gather personal information directly from unwitting individuals. The methods could include letters, telephone calls, canvassing, websites, e-mails or street surveys.

3D Secure
3D Secure (3DS) is the program developed by Visa, and adopted by MasterCard, to combat online credit card fraud. Cardholders enter their password to verify their identity whenever they make an online purchase. E-merchants willing to offer this security service to their customers must be registered as a participating merchant in the program. Only cardholders enrolled in Verified by Visa or MasterCard SecureCode can actually be requested to verify their data when purchasing online.

T

Threat
A threat consists of an adverse action performed by a threat agent on an asset.
Examples of threats are:
• a hacker (with substantial expertise, standard equipment, and being paid to do so) remotely copying confidential files from a company network or from a card;
• a worm seriously degrading the performance of a wide-area network;
• a system administrator violating user privacy;
• someone on the internet listening in on confidential electronic communication.

Third-party fraud
Fraud committed against an individual by an unrelated or unknown third party.

Third-party
A security authority trusted by other entities with respect to security-related activities.

Token
Any hardware or software that contains credentials related to attributes. Tokens may take any form, ranging from a digital data set to smart cards or mobile phones. Tokens can be used for both data/entity authentication (authentication tokens) and authorisation purposes (authorisation tokens).

Tokenization
The process of substituting sensitive data with a non-sensitive substitute (the token) that has no exploitable value on its own and can be mapped back to the original only through the secured token vault. In the payment card industry, tokenization is one means of protecting sensitive cardholder PII in order to comply with industry standards and government regulations. The technology is meant to prevent the theft of credit card information in storage.

Trust
The firm belief in the competence of an entity to act dependably, securely, and reliably within a specified context.
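The Tokenization entry above makes a point worth seeing in code: a token is useless to a thief precisely because it is not derived from the card number in any reversible way; only the vault can map it back. The following Python is an added example, not code from the guide or from any vendor. It is a deliberately minimal in-memory vault (assumption: a production vault is an access-controlled, encrypted, usually HSM-backed store). Tokens are random, keep the PAN's length and last four digits so receipts still read "**** 1111", and, as a design choice assumed here, are forced to fail the Luhn check so that a token mistakenly sent to a payment network is rejected rather than processed.

```python
import secrets
from typing import Dict, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal in-memory token vault (assumption: stands in for an
    access-controlled, encrypted, HSM-backed store). The mapping kept here is
    the only way to get from a token back to the PAN."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("PAN must be 12 to 19 digits")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing     # the same PAN always maps to the same token
        while True:
            # Format preserving: same length, last four digits kept, the rest
            # drawn from a CSPRNG so nothing about the PAN leaks into the token.
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Design choice (assumption): the token must fail Luhn, must not
            # equal the PAN, and must not collide with an already issued token.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Return the PAN for a token, or None if the vault never issued it."""
        return self._token_to_pan.get(token)


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")   # well-known Visa test number
    print("token:", token, "luhn ok:", luhn_valid(token))
    print("detokenized:", vault.detokenize(token))
```

Because the merchant's own systems only ever store the token, a breach of those systems yields digit strings that fail Luhn and cannot be turned back into card numbers without also compromising the vault; that separation is what the compliance benefit mentioned in the entry rests on.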
Trusted framework
A certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security and privacy policies of the party who issues the credential (called the identity service provider), and vice versa.

Trusted third-party
An entity trusted by multiple other entities within a specific context and which is external to their relationship with one another.

Two-factor authentication
Two-factor authentication is a security process in which the user provides two means of identification of different kinds, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code.

U

User account
The collection of data used by a system to identify a single user, authenticate that user and control that user's access to resources.

Unique identity
A partial identity in which at least some of the attributes are identifiers. Since at least some of the attributes (or combinations thereof) are identifiers, the entity can be uniquely identified through the unique identity within a certain context. A unique identity is an identifier such as a unique number or any set of attributes that allows one to determine precisely who or what the entity is.

V

Validation
Confirming that information given is correct, often by seeking independent corroboration or assurance.

Verification
The process, or an instance, of establishing the truth or validity of something.

Virus
A program that can replicate itself by inserting (possibly modified) copies of itself into other programs, documents or file systems; this process is described as the infection of a host.

Vishing
The act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be a legitimate business and fools the victim into thinking he or she will profit.

Voice authorization
An approval response that is obtained through interactive communication between an issuer and an acquirer, their authorizing processors or stand-in processing, or through telephone, facsimile or telex communications.

Voice over IP (VoIP, or voice over Internet Protocol)
Refers to the communication protocols, technologies, methodologies and transmission techniques involved in the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the internet. Other terms commonly associated with VoIP are IP telephony, internet telephony, voice over broadband (VoBB), broadband telephony, IP communications and broadband phone.
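The Security token (authentication token) and Two-factor authentication entries above describe the possession factor without saying what the device actually computes. The standard answer is a one-time password: HOTP (RFC 4226), a truncated HMAC over a counter, and TOTP (RFC 6238), the same construction with the counter derived from the clock. The Python below is an added example, not from the guide; it implements both and the server-side check a relying party needs, and is pinned to the test vectors published in the two RFCs (secret "12345678901234567890"). The drift window of one step either side is a common choice assumed here, not a requirement of the RFCs.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), dynamic
    truncation to a 31-bit value, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the wall clock."""
    return hotp(secret, (int(unix_time) - t0) // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check. Accepts the current step and `window` steps either
    side to absorb clock drift (assumed policy), and compares every candidate
    in constant time so the timing does not reveal which step, if any, matched."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False
    current = int(unix_time) // step
    matched = False
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), submitted):
            matched = True
    return matched


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    print("HOTP, counter 0:", hotp(seed, 0))
    print("TOTP, now      :", totp(seed, int(time.time())))
```

Two caveats for anyone wiring this into a login flow: the shared secret must be generated per user from a CSPRNG and stored as carefully as a password database, and the server should remember the last counter it accepted and refuse anything at or below it, otherwise a code captured by a phisher remains usable for the rest of the drift window.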