
White Paper 12.07.11

Augmenting 3-D Secure with Comprehensive Controls for Fraud Prevention

Accertify supplements the 3-D Secure authentication tool with fully-integrated risk management for all payment brands and data types

3-D Secure for Fraud Prevention
An advisory guide by Accertify

Fraud Management and the Role of 3-D Secure
A Tool for Authentication of Online Purchasing
Deployment Considerations
Potential Risks and Drawbacks
Augmenting 3-D Secure for Fraud Prevention
Monitor All Transaction Data
Use Advanced Analytics
Automate End-to-End Fraud Controls
Recommendations

An Advisory Guide by Accertify

Who should read this guide: Enterprise merchant fraud team and chargeback managers, risk analysts, compliance officers, and financial system managers who are looking for effective ways to reduce payment card fraud.

Advice offered about:
- Using 3-D Secure for online purchasing in the EU and other global regions
- Understanding risks of relying solely on 3-D Secure for fraud prevention
- Supplementing 3-D Secure authentication with comprehensive risk management

The 3-D Secure Authentication Tool
- Extra layer of security for online payment card transactions
- Required by some card issuers
- Can help reduce risk, with some drawbacks
- Fraud prevention requires more than the 3-D Secure tool

Fraud Management and the Role of 3-D Secure

It's an endless cycle in IT security: first you discover a problem, gradually tools emerge to address aspects of the problem, and eventually vendors integrate key related technologies and automate processes to maximize security and ease manageability. Simply relying on one tool can bring a swift path to exploitation.

A good example is fraud management, which is the process of minimizing potential losses from payment card fraud and chargebacks. Payment card fraud is a big, complex problem for online merchants and card issuers. Merchants cannot solve this problem only by using a single tool, or even by passing the annual compliance audit for the PCI Data Security Standard. Effective fraud management requires using all components of a comprehensive solution.

This paper describes the 3-D Secure authentication tool and its role in executing an effective fraud management strategy. The 3-D Secure protocol was created to instill confidence in online buyers, and to reduce fraud losses by merchants and issuers.[1] 3-D Secure implements an extra step of security in the online purchasing process by requiring users to authenticate themselves by a method determined by their card issuer. 3-D Secure essentially is a way to implement two-factor authentication. 3-D Secure is an XML-based protocol now used by some card brands, and by issuers and merchants in the European Union and other global regions.

Merchants who use 3-D Secure receive the benefit of extra authentication. In certain cases, merchants also benefit from a financial liability shift to the issuer for fraudulent transactions. Due to the varying nature of 3-D Secure implementations, using the protocol may bring potential risks and drawbacks. This paper will describe those considerations in the context of comprehensive risk management.

The main idea in this paper is that while 3-D Secure can be a useful tool, it alone does not constitute a comprehensive fraud prevention strategy. For this reason, online merchants should adopt a broader strategy for fraud prevention and use a comprehensive approach to risk management.

[1] See 3-D Secure in Wikipedia, http://en.wikipedia.org/wiki/3-d_secure.

Authentication for PCI Compliance

3-D Secure provides an extra measure of cardholder authentication, which is an important element of security noted in Requirement 8 of the Payment Card Industry Data Security Standard: "Assign a unique ID to each person with computer access." Note that authentication is just one of many requirements for compliance with PCI DSS; see the standard for details.

A Tool for Authentication of Online Purchasing

Fraud prevention entails managing risk in multiple vectors with an array of security technologies and processes. Multi-factor authentication is one tool among many. The 3-D Secure protocol adds a second factor to online purchase transactions with payment cards. The goal is reducing chargebacks due to unauthorized transactions.

Deployment Considerations

Merchants can use 3-D Secure implementations from American Express, JCB International, MasterCard and Visa. Implementations may work only in specified regions, such as the EU. In many cases use of the 3-D Secure protocol is optional. Also note that merchants are not required to use or audit 3-D Secure for compliance with the Payment Card Industry Data Security Standard version 2.0. Service providers who furnish 3-D Secure hosting are required to have that capability pass their annual assessment for PCI DSS compliance.[2]

Potential Risks and Drawbacks

3-D Secure can pose potential risks and drawbacks that merchants should consider before deployment. Issues may include a reduction in transaction completions, achieving only partial shifting of liability, and implementation insecurity.

A 3-D Secure implementation can sabotage transactions by discouraging users from finishing the process. One culprit is Activation During Shopping (ADS), a process used by issuers that often requires a user to sign up for 3-D Secure if they don't have an account with the issuer. Barring alternatives, the user might not want to sign up for 3-D Secure and, by default, terminates the transaction. Moreover, the ADS pop-up window or inline frame is not subject to certificate verification, so again the user is unable to confirm the authenticity of the registration site. Another glitch can occur if a merchant's site is not enabled for mobile browsers. In this case, the mobile device browser might be unable to properly render required pop-up windows or inline frames, which also kills the transaction.[3]

[2] PCI Security Standards Council, Attestation of Compliance Self-Assessment Questionnaire D Service Provider Edition. https://www.pcisecuritystandards.org/documents/aoc_saq_d_service_providers.pdf

Liability shift is another issue that should be considered in the context of a merchant's overall fraud management posture. For example, if a 3-D Secure-enabled transaction results in a fraudulent charge, liability for the chargeback normally shifts to the issuer. Even so, that incident of fraud is not exempt from the merchant's monthly fraud threshold. Penalties for exceeding the fraud threshold are unrelated to liability shift for 3-D Secure-related chargebacks. The only way for merchants to control fraud rates is to use comprehensive risk management.

Finally, a degree of insecurity exists for every 3-D Secure implementation because users cannot confirm whether the browser pop-up window or script-based inline frame requesting a 3-D Secure password is from the card issuer.[3] These are unable to access an SSL server certificate to confirm the credentials of the 3-D Secure implementation. If a user has been lured to a fraudulent phishing site, that person's act of entering a personal 3-D Secure credential can enable a man-in-the-middle attack and compromise that person's account. The risk of insecurity for a 3-D Secure implementation is lower with a closed-loop process (such as SafeKey from American Express) where the acquirer and issuer are the same, and they control the interoperability domain or infrastructure used to process 3-D Secure transactions.

The presence of issues like these can result in the opposite of what issuers and merchants both want: secure transactions and more sales. But beyond two-factor authentication, and whether or not a merchant uses 3-D Secure, it's important that your organization also consider other security controls addressing a comprehensive range of threats for card fraud.

[3] See Steven J. Murdoch and Ross Anderson (Computer Laboratory, Univ. of Cambridge), Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication, Financial Cryptography and Data Security '10, 25-28 January 2010, Tenerife (pre-proceedings draft), http://www.cl.cam.ac.uk/~rja14/papers/fc10vbvsecurecode.pdf.

Comprehensive Fraud & Chargeback Management by Accertify
Accertify provides fully integrated and proven fraud screening and chargeback management solutions with:
- Customized Fraud Rules
- Transaction Filtering and Prioritization
- Real-time Decisioning
- Automated and Simplified Chargeback Monitoring and Processing
- Advanced & Custom Reporting

Augmenting 3-D Secure for Fraud Prevention

Card fraud can entail many vectors of risk. Consequently, a comprehensive risk management strategy should employ multiple controls to rapidly identify and eliminate points of risk.

Monitor All Transaction Data

Fraud prevention requires pervasive monitoring of transaction data. The more data you can monitor, the better for reducing the risk of fraud. Card-not-present transactions can occur via PCs and the web, from mobile devices, and through call centers. Payment methods for these transactions can include credit and debit cards, e-wallets, Bill Me Later, and PayPal. To effectively reduce risk, there should be no limits on the type, format, quantity, or source of data related to transactions. At a minimum, these should include CAV2/CID/CVC2/CVV2 security codes, cardmember name, billing address and postal code, telephone number, cardmember email address, IP address, and others. The fraud management system should also automatically tie into external data sources such as credit bureaus and analytical services.

Use Advanced Analytics

Fraud prevention requires merchants to use sophisticated screening, filtering, and prioritizing for resolution of risky events. Comprehensive risk analysis requires rules tailored for transactional events, purchase transactions, and other data flows that employ negative/positive lists, advanced analytics, and reference tables. Tools like these will keep analysts focused on the riskiest transactions and ensure that consistent procedures are applied. Results of analytics should be displayed on a single monitor to enable faster and more accurate decision making.

Automate End-to-End Fraud Controls

Fraud prevention requires automating as much of the risk assessment process and workflows as possible. Automation should support case management with rapid queuing and review to accept or reject a risky transaction. Fraud prevention also requires an end-to-end system of coverage, including payment processing and chargeback management. By addressing all of these, a merchant can implement effective risk management to prevent fraud.
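As an added example (not code from this white paper or from Accertify's Interceptas platform), a rule-driven screening step of the kind the Monitor, Analytics and Automate sections describe: negative and positive lists, security-code and address checks, an IP velocity rule from a reference window, a score that routes each order to accept, review or reject, and a prioritised review queue. All names, weights, thresholds and sample orders are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed reference tables standing in for a merchant's negative/positive lists.
NEGATIVE_IPS = {"203.0.113.7"}              # TEST-NET address, constructed
NEGATIVE_EMAIL_DOMAINS = {"mailer.example"}
POSITIVE_CUSTOMERS = {"cust-1001"}          # trusted repeat buyers
IP_VELOCITY_LIMIT = 3                       # earlier orders per IP in the window

@dataclass
class Txn:
    txn_id: str
    customer_id: str
    ip: str
    email: str
    cvv_match: bool            # CVV2/CVC2/CID result from the processor
    avs_match: bool            # billing address / postal code verification
    billing_country: str
    ip_country: str            # from an IP geolocation reference table
    three_ds_authenticated: bool

def risk_points(t, history):
    """Apply the rule set to one order and return (score, reasons); `history`
    holds earlier Txn objects in the velocity window. Weights are illustrative."""
    same_ip = sum(1 for h in history if h.ip == t.ip)
    checks = [
        (t.ip in NEGATIVE_IPS, 60, "IP on negative list"),
        (t.email.rsplit("@", 1)[-1].lower() in NEGATIVE_EMAIL_DOMAINS, 30, "email domain on negative list"),
        (not t.cvv_match, 25, "security code mismatch"),
        (not t.avs_match, 15, "address verification mismatch"),
        (t.billing_country != t.ip_country, 20, "billing country differs from IP country"),
        (same_ip >= IP_VELOCITY_LIMIT, 25, f"{same_ip} earlier orders from this IP"),
        (t.customer_id in POSITIVE_CUSTOMERS, -20, "customer on positive list"),
        # Liability shift does not exempt the order from screening or the fraud threshold.
        (t.three_ds_authenticated, -10, "3-D Secure authenticated"),
    ]
    score = sum(points for hit, points, _ in checks if hit)
    return max(score, 0), [why for hit, _, why in checks if hit]

def screen(t, history, review_at=40, reject_at=80):
    """Route one order: 'accept', 'review' (queued for an analyst) or 'reject'."""
    score, reasons = risk_points(t, history)
    decision = "reject" if score >= reject_at else "review" if score >= review_at else "accept"
    return decision, score, reasons

def review_queue(txns, history):
    """Order the analyst queue so the riskiest 'review' orders come first."""
    scored = [(t.txn_id, *screen(t, history)) for t in txns]
    queued = sorted((s for s in scored if s[1] == "review"), key=lambda s: -s[2])
    return [s[0] for s in queued]

# Constructed sample traffic: three earlier orders from one IP, then four new orders.
HISTORY = [Txn(f"h{i}", f"cust-{i}", "198.51.100.9", f"u{i}@example.org",
               True, True, "DE", "DE", False) for i in range(3)]
ORDERS = [
    Txn("t1", "cust-1001", "192.0.2.10", "buyer@example.com", True, True, "GB", "GB", True),
    Txn("t2", "cust-9", "203.0.113.7", "x@mailer.example", False, True, "US", "RO", True),
    Txn("t3", "cust-5", "198.51.100.9", "c@example.org", True, False, "DE", "DE", False),
    Txn("t4", "cust-6", "192.0.2.50", "d@example.org", False, True, "FR", "ES", False),
]
```

Order t2 is 3-D Secure authenticated yet is still rejected on the other signals, which is the paper's point that authentication alone is not a fraud strategy.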

Recommendations

Despite a measure of popularity, 3-D Secure is not a silver bullet for fraud prevention. 3-D Secure is a point solution for authenticating card-not-present transactions and no more. Accertify recommends two guidelines for merchants who are serious about preventing card fraud and increasing legitimate transactions.

- Evaluate 3-D Secure if its use is optional, to confirm whether this tool is appropriate for your business.
- Do not rely solely on 3-D Secure for fraud prevention. Adopt a strategy for comprehensive risk management and deploy a system of controls to minimize risk and reduce losses caused by card-not-present fraud.

We invite you to contact your local Accertify sales representative to learn more about comprehensive risk management and fraud prevention, or visit www.accertify.com.

About Accertify

Accertify Inc., a wholly owned subsidiary of American Express, based in Itasca, IL, is a leader in providing e-commerce companies with hosted software solutions, tools and strategies for preventing online fraud and mitigating enterprise-wide risks. Its Interceptas platform integrates every component of fraud prevention, applies state-of-the-art automation to each step in the process and offers advanced capabilities for managing fraud data. Built with a merchant's perspective, Interceptas delivers flexibility in preventing various types of criminal behavior, including fraud related to card-not-present purchases, online scams and policy abuse, merchandise returns and exchanges, and other data management challenges. Accertify is committed to providing online companies with the most cost-effective solution to fraud available.

Accertify World Headquarters, North America
1075 Hawthorn Drive, Itasca, IL 60143
Phone: 630.735.4400

Accertify UK/Europe
1st Floor Belgrave House, 76 Buckingham Palace Rd., London SW1W 9AX, UK
Phone: +44 (0) 1273 693555

Accertify Latin America
1111 Brickell Ave, Ste. 1600, Miami, FL 33131
Phone: +1 305.671.3627

Accertify Asia Pacific
12 Shelley Street, 9th Level, Sydney NSW 2234
Phone: +61 (29) 271.1194