Mastercard - Securing the evolving payments world


Securing the evolving payments world


Connected payments

A foreword by Ajay Bhalla, president, enterprise risk and security, Mastercard

Every day, billions of people around the world use the Internet to share ideas, buy and sell things and keep in touch with family, friends, and colleagues. It enables us all to develop and learn at a pace that once seemed impossible.

Now, through the Internet of Things (IoT) people can seamlessly connect via multiple devices, sending and receiving data - from business and sensitive communications, to personal conversations and everything in between - across the globe. There can be no doubt it has become a powerful force for both business transformation and consumers' lives. However, one consequence of increased connectivity is greater vulnerability to attack.

How can we take advantage of a truly connected world while ensuring we keep ourselves secure?

As a business, we are committed to innovating and evolving our safety and security capabilities constantly, to ensure that everyone connected to Mastercard can be confident they are protected. In an age when the payments ecosystem and digital world are converging, challenges and opportunities are emerging in equal measure. We aim to provide considered leadership, helping to enable digital payments to expand while replacing cash. We see this publication as a call to action for the industry, raising awareness among those who can make a difference. This is vital for all those who seek to remain one step ahead; helping to change the current mindset from seeing security innovations as optional, to seeing it as an absolute necessity built in from the start of every project.

Through the right global standards, best products and services, and a desire for continual innovation, we can ensure everyone, everywhere, is protected and financially included, which will ultimately define and enable the future of trusted and secure payments. ■

Securing the payments world



From biometrics to encryption of data to national and even international protocols, layers of technology keep our digital money safe

A safe new world

The threat landscape and security response

Technology may have changed the way we buy beyond recognition, but now it has to work fast to keep payments secure and stay one step ahead of cybercrime

The first online purchase was made over 20 years ago. Since then, the integration of the internet into everyone’s lives has led to the proliferation of payment technologies that can improve online transaction processing, electronic funds transfers, data interchanges and mobile technology.

These technologies have vastly changed the way consumers live and businesses run, and continue to grow in popularity. From digital wallets to social payments to virtual currencies, there are ever more options to buy goods and services, and easier methods with which to make a purchase.

With this plethora of ways to pay comes a plethora of ways to steal. Cybercrime is a huge threat to businesses and the rewards for criminals can be huge. Adrian Leppard, former commissioner of the City of London Police, recently warned that in some instances cybercrime may be more lucrative than the drugs trade. The Carbanak attacks showed how a cybercrime gang acting as a modern-day Bonnie and Clyde stole an estimated $1 billion by infecting issuers’ systems with malware.

But the payments industry is meeting these challenges head-on. Technology is changing how we keep our payments secure; where once we needed a locked safe behind steel bars in a padlocked underground vault for our physical cash, now we can employ a secure web of digital security measures. From biometrics to encryption of data to national and even global protocols, layers of technology keep our digital money secure.

Adopting new technology

Moreover, stakeholders in the payments industry — from issuers to merchants, from terminal operators to ATM manufacturers — are working together to improve and standardize security measures on a global scale. Adoption rates for EMV chip technology — which replaces the static data of magnetic stripe cards with dynamic data generated by computer chips — are increasing substantially. By the end of 2015, the number of EMV chip payment cards in global circulation increased, year-on-year, by 1.4 billion to 4.8 billion, according to EMVCo, the industry body that maintains the global EMV standard.

EMV has led to some big improvements in places where the technology has been adopted. For example, in the US, counterfeit card fraud at chip-activated merchants fell by 54 percent in April 2016 compared to the same period in the previous year. In addition, contactless technology, which uses Near Field Communication to enable a quick and seamless transfer of data from both cards and mobile phones, has also grown; in April the Smart Payment Association reported that tap-and-go functionality was present on 82 percent of its cards shipped in North Asia. It brings huge benefits to both consumers and merchants, reducing the time it takes to check out in a store, and is driving big change in the payments industry, with smartphones and wearables becoming the future wallet.

Technology has driven a big change in how we shop too. We buy through mobiles and tablets, we buy while on the bus en route to work or while watching TV in the evenings; 66 percent of Europeans used a smartphone or tablet to shop in 2016, compared with 58 percent in 2015, according to the ING International Survey on Mobile Banking 2016 report. Our new habits offer significant benefits for merchants, but pose a new challenge for the payment industry; there has been a rise in online fraud and more diverse types of fraud, with criminals seeking out and exploiting the weakest link.

But the technology to counter the threat is available. One such technology layer is biometrics; from fingerprint sensors to face recognition, it enables safe and secure authentication of a consumer, and makes it more convenient than ever for consumers making digital payments.

No more passwords

The global mobile biometrics by fingerprint recognition market is predicted to reach $12 billion by 2020, growing at a compound annual growth rate of almost 103 percent, according to Technavio’s 2016 prediction. The move away from clunky passwords, so often forgotten by the consumer or chosen to be easy to remember and hence easy to guess, is resulting in new real-time and dynamic authentication processes.

Not all threats involve cutting-edge technology; however, the theft of data can prove lucrative, whether from identity fraud or phishing scams. As cybercrime tools become easier to access and utilize, small businesses in particular are targets for this type of crime (nearly half of cyberattacks worldwide in 2015 were against small businesses with fewer than 250 workers, according to Symantec’s 2016 Internet Security Threat Report). As a result, global standards bodies like the PCI Security Standards Council are working in partnership to offer help and advice to all merchants, regardless of size.

Technology is changing the world of personal finances more rapidly than ever before, as customers demand a financial environment that is compatible with the personalized and immediate service available in other aspects of their lives. Keeping one step ahead of evolving security threats is a demanding task, but the payment industry is already meeting that challenge, with all stakeholders in the purchasing chain coming together to keep consumers safe. ■

The move away from clunky passwords is resulting in new real-time and dynamic authentication processes

A digital evolution

Changes in the payments sphere are by no means over. We may have taken a technological leap in the past decade, but we are likely to see even more changes in the next.

Part of the change will come at a national level, as immediate payment systems are implemented more widely (35 countries have implemented or scheduled hard launch dates for immediate payment systems, according to CapGemini’s Top Ten Trends in Payments in 2016 report). Such systems improve the speed of transactions, reducing risk of fraud and driving business growth. Change is likely too from the Internet of Things (IoT) — the increasing interconnectedness of everyday devices. It may be only a few short steps from a home heating system that alerts you to the need to reorder fuel, to one that will provide a payment mechanism as well. Connected devices may soon become commerce devices and it is vital they are secure from the start.

Technology has brought us blockchain, which has given rise to digital payment network Bitcoin. There are plenty of unanswered questions around virtual currencies — regulation is just one — but the technology behind it could drive previously unforeseeable changes.

Our payment habits are increasingly being analyzed and assessed, and the technology behind that will help merchants provide a more personalized service, potentially deepening and changing the relationship between supplier and customer, and helping to ensure more genuine transactions are approved.

Predicting the future is hard given the state of flux in digital evolution. In an uncertain and fragmenting landscape, an experienced and trusted voice will always be valued. ■

61% of organizations see data theft and cybercrime as their greatest threat yet... 50% said they are confident about the security they have in place
$500bn: total cost of cybercrime worldwide
80% of attacks are of a known variety – the other 20% cause the most damage
Sources: Forbes, 2016; Ponemon Institute, 2016; IBM, 2016

84% of payment professionals think security remains the biggest concern
Source: Edgar Dunn, Advanced Payments Report 2016

180% increase in distributed denial of service (DDoS) attacks 2014 to 2015
Source: tripwire, 2016

Internet of things by numbers
$2.1trn cost of breaches through digitisation of consumers and enterprise in 2019
3.3bn internet users
7bn people on the planet
10bn connected things in use in 2016
30bn connected devices by 2020
Sources: Juniper research, 2015; eMarketer, 2016; TSG, 2016


Crime waves

With payment technology becoming ever more advanced, cyberattacks are becoming ever more sophisticated, putting us all at risk

As payment methods proliferate, so too do methods of stealing your money. Given the importance of ensuring consumers trust digital payments, it’s a serious business keeping one step ahead of the cybercriminals who pose a threat to your financial security. For one, financial protection advice used to revolve around making sure no one was watching as you keyed in your pin. But the arrival of online payments has been a game changer for both consumers and thieves; now, criminals no longer have to be anywhere near you to steal your usernames or passwords, and this anonymity is to their advantage. As our lives become increasingly interconnected via the Internet of Things (IoT), the opportunities for cybercriminals to find a weak point in your defences increase. Market analyst Juniper Research in 2015 forecast that the cost of data breaches will rise to $2.1 trillion globally by 2019, four times the estimated cost in 2015.

Certainly it is a concern for consumers. According to the European Commission’s 2016 report on cybersecurity, one of the most common concerns when using online banking or shopping was the security of online payments (mentioned by 42 percent of internet users in the European Union). Yet digital payments remain one of the most secure ways to pay — the payment industry’s safety and security measures have reduced the amount lost to fraud to just over six cents for every $100 spent on major global cards, according to The Nilson Report.

Risky behavior

Sadly, there is no single silver bullet that can secure our lives against cybercrime; instead, both consumers and payment providers must take a multi-layered approach. For the consumer, it means being aware of the many ways in which connected devices can be hacked; even clicking on a YouTube link that comes up on your Facebook page, for example, could be the equivalent of leaving your door unlocked, as it infects your device with a virus or leaves you open to ransomware (where criminals lock a device and demand payment — often electronically — to unlock it). According to 2016 research from advisory firm Aite Group, more than half (54 percent) of consumers exhibit at least one risky behavior, putting them at higher risk of fraud.

One step ahead

For payment providers like Mastercard, it means providing a secure, multi-layered approach. This ranges from identifying the individual making a purchase as the owner of the card — perhaps with fingerprint or facial recognition — to the continued advancement and deployment of encryption and tokenization, which protects the payment. At a global-network level, this means monitoring trends for unusual activity across billions of transactions to detect and block large-scale cyberattacks. This capability allows Mastercard to protect their partners by using products such as Safety Net.

It also means being one step ahead of the criminals. Mastercard’s DigiSec laboratory focuses on proactively testing threats to digital payments using leading technology from alternative disciplines (like lasers used in astronomy or X-rays used in medical labs) to mimic attackers. This is in addition to working with leading cybersecurity specialists to evolve thinking around safer payments. According to Ajay Bhalla, president of enterprise risk and security at Mastercard, it is part of a commitment to “share insights, solutions and best practices to deliver the highest levels of security while better enabling the consumer to pay conveniently”. ■

At a global network level this means monitoring trends for unusual activity across billions of transactions to identify and isolate large-scale cyberattacks

75% of websites are estimated to have unpatched vulnerabilities
Source: 2016 Internet Security Threat Report, 2016


Changing habits

A rapid increase in CNP purchases has brought with it a new level of fraud that can only be fought with the introduction of new technology and standards worldwide

Fraud that occurs during remote transactions (a card-not-present, or “CNP” purchase) is among the most difficult for the security industry to track accurately. With the changing habits of consumers leading to more widespread adoption of EMV security measures, CNP fraud is expected to rise as a proportion of global fraud: from about half in 2015 to 80 percent by 2018, according to Javelin. CNP fraud in the US alone is predicted to be more than $7 billion by 2020, according to a 2016 report by Aite.

Traditionally, authentication relied upon an extra layer of security where the cardholder is asked to verify themselves through something they know, like a password or PIN. This was effective but not wholly popular with merchants as it interrupted the flow of a purchase and was thought to lead to cart abandonment, with the legitimate concern that adding layers of complication for the customer could lead to a loss of sales. In the commercial world, where margins can be slender, it’s often the case that security is where companies look for compromises.

But consumer demand for the ease and convenience of online purchasing is clear, not to mention increasing, via smartphones or in-app purchases. Customers would like to buy with one tap of the screen — and merchants also prefer this seamless method of payment.

Checkout security

One way to handle checkout friction is to shift the perceived risk of the transaction from the consumer to either the merchant or the issuer. Now it’s the issuers’ and merchants’ responsibility to decide if they need additional evidence to verify a consumer’s identity. Merchants have transaction and device history so can decide not to ask for authentication; issuers can make similar decisions and it is only when the transaction looks suspicious that actual authentication needs to occur. Whoever chooses not to authenticate takes the risk of the transaction, not the consumer.

That may work for the consumer, but has obvious downsides for merchants and issuers. The challenge for the payment industry has been to find a method that combines greater security with a simpler and more convenient consumer experience. The answer lies in evolving technology and standards, like the second generation of 3D Secure (3DS 2.0), now an industry-wide messaging protocol that enables consumers to verify their identity with either a password or a biometric.

“We are constantly striving to find the most effective and easiest way to match identity to a transaction,” says John Beric, vice president for product development and innovation at Mastercard. “Soon we will move to 3DS 2.0, which will allow the issuer, with the consumers’ permission, to collect data on the environment in which the consumer is making the transaction. They’ll be able to get a biometric through the device and information around the device itself. If all transactions emanate from the same point of origin, then the issuer will have greater confidence that it’s the genuine card owner, despite the transaction being out of pattern.”

3DS 2.0 is owned by industry standards body EMVCo, giving both consumers and merchants confidence that it is robust. Utilizing this new standard will be Mastercard Identity Check Mobile, a biometric authentication solution that’s accessible on consumers’ smartphones as either a standalone app or integrated into an issuer’s app. In consumer trials, 92 percent of participants found it more convenient and more secure than passwords.

Interoperability

One strength of the current global payment network has been interoperability, across both devices and issuers. A card from the UK can be used from Argentina to Zimbabwe, wherever you see the Mastercard acceptance logo. That’s 39 million locations worldwide, all of which are required to deliver a consistent and secure connection.

As technology makes it possible to move from a piece of plastic produced by the issuer to digital devices like mobiles and wearables produced by a host of different manufacturers, the network has to be able to handle a myriad of different systems of multiple ages. 3DS 2.0 will not only work across all card types and brands, but it will also work with both new and old technology — a key consideration when the solution is adopted in markets where the use of smartphones is less widespread. If necessary, authentication can take place via SMS rather than an app, while the technology is being constantly updated to keep pace with new systems too.

CNP is sometimes viewed as the weak link in a secure system — the simplest way for criminals to take money from stolen cards now that the EMV chip has been introduced. One solution is multi-factor authentication. By increasing the “layers” of information that can be utilized, including device characteristics, biometrics and cryptograms, genuinely suspicious activity can be more accurately detected. This process is not only more robust but the level of accuracy reduces erroneous detection, making for a more fluent user experience. Further benefits of tokenization and integration with digital wallets like Masterpass will be increasingly realized as the Internet of Things becomes more established. But the goal remains to create an interoperable world in which payments are safe, simple and secure. ■

In consumer trials, 92 percent found biometric authentication more convenient than passwords, and many believed it would reduce fraud

The security game

It’s tempting to think of a cybercriminal as some sort of evil character in his lair, plotting against honest businesses and probably stroking a cat (think Austin Powers). But if Javvad Malik, security advocate at AlienVault, is right, it’s slightly more mundane.

“Fraudsters operate like any other business. They want to follow the path of least resistance to get the maximum return on investment. Since chip-and-PIN cards have been introduced, physically using the card has become more difficult, not to mention risky. Cloning an EMV chip is beyond the capability or appetite of most fraudsters and most ATMs will look for the presence of a chip if the card has been issued with one.

“This leaves CNP or MOTO (mail order/telephone order) as the preferred channel, as it does not require use of the chip, nor does it require knowledge of the PIN.”

Interestingly, the gaming industry could also provide inspiration for methods of working effectively with consumers to ensure good security practice by enticing them into making more security-responsible choices. Through the use of 3D graphics, security can be turned into a game that makes the process of passing through security checks altogether less onerous.

Given the increasing disruption of traditional financial players by more nimble competitors, payment providers need to look at all aspects of our lives — even social media. Facebook Messenger is being used to transfer money between friends. And, of course, the use of selfies as payment authentication is a clear example of how our lives and our finances are becoming increasingly intertwined. ■

[Chart: Merchant adoption of security measures. Customer authentication method(s) supported by issuers for online and mobile transactions. Methods shown: (A) device authentication; (B) randomized PIN pad; (C) multi-factor authentication; (D) dynamic authentication (one-time password); (E) biometric solution (e.g. fingerprint, voice); (F) 3D Secure. Source: Cognizant 2016]

Security through layers
PREVENT attacks: Secure the physical account; Secure devices and infrastructure; Secure the cardholder - verify Identity
DETECT fraud: Secure the transaction - stopping fraudulent behavior; Screen & detect evolving cyber security threats
ENHANCE experience: Improve consumer experience; Increase approvals; Resolve disputes
Source: Mastercard, 2016

Value of fraudulent online transactions
2015: $10.7bn
2020: $25.6bn
+239%
By 2020... $4 in every $1,000 of online payments will be fraudulent
$16bn in online retail fraud alone
Source: Juniper Research, 2016


Fighting payment fraud

Estimated total card fraud losses
2016: $21.8bn
2020: $31.7bn+

[Chart: Issuer use of fraud prevention tools, currently using versus plan to use in future (scale 0% to 50%). Tools shown: transaction screening (software-driven); rule-based alerts; analytics (predictive, pattern matching, etc); transaction screening (manual); real-time fraud scoring; neural networks; artificial intelligence; none]

[Chart: Benefits and concerns of biometrics. Statements shown: biometrics can bring benefits such as ease of ‘card not present’ transactions and eliminate the need for a physical wallet; biometric technologies will be deployed as an additional layer of security to tokenization and EMV; biometric technologies will become mainstream in the future but implementation and adoption will take time; data privacy is a major issue with biometrics (72%); cost of implementation is a major issue with biometrics (69%)]

[Chart: Merchant fraud prevention capabilities. Survey questions: “Do you have a common set of fraud prevention capabilities across all channels today?” and “Do you have a common set of payment security capabilities across all channels today?” Answers shown as Yes, No and Unsure]

[Chart: Financial services biometrics. The gap between issuers’ interest and deployment plans for biometrics (interested in adopting biometrics versus expect to have deployed biometrics by 2018, with the difference marked as the gap on action), and consumer appetite for biometrics (consumers’ position, 93%, versus issuers’ perception)]

Sources: Nilson, 2016; Cognizant 2016; Dunn & Company, Advanced Payments Report 2016; ACI Universal payments, 2016; Mastercard & Oxford University banking research
*for payment industry executives


A question of trust

As consumers become more aware — and less tolerant — of payment fraud, more needs to be done to win their trust in digital transactions

Trust is key to the success of all payment technologies. Consumers need to believe their money, identity and privacy are safe before using digital payments. Most of us do have faith. But millennials – those aged between 18 and 35 — are less tolerant of fraud incidents than previous generations; a survey from US credit agency FICO published in June 2016 found 22 percent of US consumers will close an account after a fraud incident, while 29 percent of millennials will close all accounts with that issuer if they feel it wasn’t handled properly.

Paul Trueman, senior vice president of product advancement at Mastercard, says the way consumers interact with smartphones, together with the immediacy of social media, means they won’t stand for inaction from issuers or merchants. “Social media has taught them that everything can happen in an instant. There is no point in writing a letter of complaint to someone; Tweet them and they will respond quickly.”

Indeed, FICO found that 14 percent of US consumers had written a negative social media post about a fraud incident — a 100 percent rise year-on-year, creating a misleadingly negative impression of payment security.

“People are almost assuming these things will happen securely, with no need for them to take any action to protect themselves,” says Trueman. “Payments have never been safer, but criminals have never been smarter – and the noise never louder.”

Security breaches

The “noise” is constant. Not a week goes by without headlines declaring another security breach for an online brand; for example, Dropbox recently admitted that 68 million passwords had been dumped on the web by hackers. The fundamental challenge is to prevent a loss of consumer confidence in digital payments, otherwise its adoption could be stymied. As technologies and providers proliferate, consumers will be forced to make choices on who they trust.

Social media has enabled us to evaluate trust via a star rating and reviews, but where money or identity are at stake consumers adopt more rigour in who and what they trust. For Mastercard, trust in the ability to pay securely, wherever you are, is clearly central to its ethos.

When firms are assessing an approach they must first and foremost try to prevent attacks getting through. Companies need to accept that no matter how good their prevention techniques are, they will be hacked and so must also be able to detect breaches quickly and efficiently, before isolating and resolving them.

It is vital, as Trueman explains, to build mobile digital payment systems that work in-store or online and are trusted by consumers, merchants and issuers. “Using technology to make better, more intelligent decisions is a key part of that.” To that end, Mastercard is leading the drive to replace passwords and enable the use of biometrics, as well as reinforcing EMV adoption globally.

Consumer understanding

Global EMV standard chip technologies, such as Mastercard’s M/Chip Digital, work on smartphones, wearables and contactless payments and sit securely behind all the payment activity on a given device. Combined with tokenization and biometric authentication techniques, such as fingerprint or facial recognition, these technologies are going a long way in enabling remote and contactless payments while still helping to prevent fraudulent activity.

But the consumer also has a part to play understanding what technology can and cannot do. For instance, people need to be cautious when using free public Wi-Fi hotspots, and ensure any security apps are from a trusted source in order to prevent their smartphone being compromised.

“It’s like getting a car and deciding that, as the car has an airbag, there’s no need to wear a seatbelt,” says Trueman. “It isn’t appropriate. You need to think for yourself as well.”

And as long as consumers take reasonable precautions and inform their issuers if they spot suspicious activity, they have peace of mind that they are protected against fraud, no matter where they are, by Mastercard’s global Zero Liability promise. ■

Consumer payment behavior and sentiment
78% of online shoppers believe that they need more protection
57% have doubts that e-commerce sites will keep their personal information secure and confidential
54% do not trust giving credit card information online
46% of internet users will purchase products online by 2017
Sources: AITE; Statista; Chargebacks911, 2016


A winning team

The landscape for fraud is constantly evolving, and countries and groups need to share information in order to build a global defence

Cooperation between countries and groups within them is absolutely essential
- Johan Gerber

Johan Gerber, executive vice president for security and decision products at Mastercard, spends a lot of time on the move, meeting with customers, regulators and policy-makers. This is all part of a key element in maintaining the security of the digital payments sphere: the sharing of information.

“Without cooperation you are blind,” he says, illustrating the need for joined-up action on fraud. “The ability to coordinate gives you access to data — intelligence that you would not otherwise see.”

In sport, the best teams are those in which individuals cooperate and work seamlessly together. The same can be said of the fight against global fraud. Individual countries may have robust procedures, but without a coordinated approach, cybercriminals will find vulnerabilities in international security structures.

“Cooperation between countries and

With global cybersecurity threats becoming ever more sophisticated, potent and opaque,

time — means an open dialogue between anti-fraud stakeholders is vital. On one level, sharing information helps agencies adapt their defences and build new applications to prevent future attacks. On another, should an attack happen, fast and fluid communications can alert relevant parties around the world and prevent it from spreading.

Sharing intelligence

“Information flow is a big deal,” says Gerber.

“Something happening in Japan won’t take long to spread to China or Singapore, from Singapore to London and then to the US or Brazil.

“Sharing intelligence early in the cycle allows everyone to tweak their protection systems and be on the lookout for these new trends coming down the line. Without these channels of information-sharing, organizations and countries are vulnerable to emerging threats.”

The information exchange could be anything from informal meetings and correspondence between groups to major international conferences, events and cooperative

regional customers, regulators, law enforcement, merchants and issuers. We have a

perspective and add tangible value to those we work with. We are linking up with other organizations and other vendors. We work closely with regulators around the world to make sure there is a flow of information and we can understand how to cooperate more.”

the practical steps being taken in the fight against fraud. It is a member of EMVCo, an organization set up to facilitate the worldwide acceptance of secure payments. Global group Mastercard is also in partnership with the Merchant Risk Council and the Payment Card Industry Council, which assesses security standards across the payments sector. Yet another area of collaboration is Mastercard’s Fraud Advisory Committee, made up of financial groups in various regions, with a global group made up of international institutions. “At these forums we put everything on the table — the technology and the threats,” O’Malley says. “Then, when each member goes back to their regions they share that information with local issuers and government, helping to spread key messages.”

But coordination on a global level takes time. John Beric, vice president for product development and innovation at Mastercard, compares it to the creation of ATM cash machine networks, which were initially run by individual issuers and closed off to competitors before being opened up to other customers, first domestically and then internationally.

“It took three migrations and three major investments to get the ATM network to where the issuers wanted it to be. It shows that what might be locally right, initially, could turn out to be internationally wrong.

“When it comes to security, it is a complicated process to manage the information flow.

But the best markets are those who are believ-

structures like anti-fraud councils and focus

ers in intelligence sharing and where there are

groups. “Every year, in different regions,

semi-formal cooperative networks for the issu-

we host global risk leadership conferences,

ers to share best practice inside and beyond

where we sit around the table with our

national borders.”

groups within them is absolutely essential.

Mastercard is an active participant in the

Divided everyone is weakened,” says Gerber.

anti-fraud fight, which comprises national

“Crooks have developed an integrated eco-

governments, regulators, security agencies,

system; they have specialists and each sells

private businesses and supranational groups

conversation about fraud, the risks, the new

it is important that communications channels

a unique service. They work together to get

like the European Union.

trends, how we work together, what tech they

remain open. By sharing information and

have,"

best-practice advice, global institutions can

the best results — and they now work globally,

“In every region we have people in our fran-

says Nancy O’Malley chief payments

which is why it is considered organized crime.”

chise working with law enforcement to under-

This, coupled with the fact that the land-

stand what they see and help with any threats

Mastercard works closely with government

but can also help shape the solutions that

scape for fraud is constantly changing — with

or trends on our side,” says Gerber. “Being a

bodies like the European Commission to share

will keep payments safe against the threats

new vulnerabilities being targeted all the

global network enables us to have a unique

information and educate policy-makers on

of tomorrow. ■

system integrity officer, Mastercard.

not only stay one step ahead of criminals,

Securing the payments world

19


Playing catch-up

Markets need to come together to find a collaborative solution to fight cybercrime, but with varying levels of security and technology advancement it’s an uneven field

In a global marketplace, transactions between consumers and businesses are no longer confined by national borders. Buyers hungry for the best products and the lowest prices increasingly look to overseas suppliers for the best deals, swelling cross-border and global trade.

While the fanning out of commerce creates opportunities for business, it also throws up challenges for fraud prevention. If trade is worldwide, then security must be too. Only global standards and a global view will defeat the fraudsters whose outlook is just as international as any legitimate business.

“Consider the following scenario,” says Johan Gerber, executive vice president for security and decision products at Mastercard. “A criminal sitting at an address in Malaysia hacks into a database located in Brazil. He uses it to buy something from a merchant in London and has it shipped to Australia. This is the global nature of fraud and it presents practical problems for the agencies that seek to prevent it.”

Global cybersecurity is a chain with hundreds of links, and is only as strong as the weakest of those connections. But while some countries invest millions of pounds in security infrastructure each year, others do not.

“Crooks are looking to minimize cost and maximize profits,” says John Beric, vice president for product development and innovation at Mastercard. “Our job is to make the cost of an attack so high that the criminal can’t make a profit.”

Unfortunately, he adds, fighting cybercrime differs from country to country, usually depending on economic strength, regulatory pressures and budget priorities. “No one wants to leave themselves exposed, but some countries have more assets at their disposal to tackle these issues.

“Others are facing more pressing issues, so cybercrime is further down the priority list, which means there is an uneven ability to withstand attacks.”

Slower to adapt

It’s not always down to economic strength. The US, the world’s biggest economy, and a complex payments environment, had been slower than many other countries to adopt EMV chip technology. As a result, it is expected to suffer $4.5 billion worth of fraud this year due to cloning and counterfeit magnetic stripe cards, according to Aite Group. But this is decreasing rapidly, according to a 2016 study by the Aite Group.

Fortunately, the industry has done much to even up the unequal field. It’s been 10 years since the establishment of the Payment Card Industry Security Standards Council, a global body that develops payment security standards.

More recently, Mastercard has launched Safety Net, a global tool that harnesses the power of Mastercard’s worldwide reach to spot unusual behavior.

Down at the individual cardholder level, location-alert services are capable of helping authenticate transactions when customers travel domestically or abroad. Location technology is leveraged through your mobile phone, meaning there’s a lower chance of legitimate transactions being declined.

Better decisions

But, it doesn’t stop there. New, near-invisible technologies are becoming available, empowering issuers to make better fraud management decisions, reducing the number of legitimate transactions being declined. This is all done by utilizing the intelligence available to create new connections, while employing machine-learning technology to ensure decisions get ever more accurate over time.

These advanced services are also aimed at mitigating the vulnerabilities in existing systems and supporting national security infrastructure efforts. It’s clear, given the growing problem of global fraud, that more needs to be done. By approaching fraud collectively and working cohesively, the global community will be stronger and better for it. Only by approaching the problem of fraud collectively will countries at all stages of economic development be able to fight the global menace of cybercrime.

[Figure: Percentage of card-present transactions that are EMV. Years shown: 2014, 2015. Regions shown: Europe Zone 1; Europe Zone 2; Canada, Latin America, & The Caribbean; Africa & The Middle East; Asia.]

EMV in the US: 1.7m chip-active merchant locations on US Mastercard network; 374% increase in chip terminal adoption since October 1, 2015.

Source: EMVCo 2016


The future looks bright

After initial skepticism, consumers are saying goodbye to passwords and are embracing new identification solutions. Now the race is on to get new technologies to the mass market

In a market that needs to balance robust and […] authentication […] user experience, increasing numbers of consumers are adopting biometric data solutions to power their mobile payments.

Until a few years ago, most consumers’ only dealings with anything biometric were likely to be governmental: the chip in the passport or the fingerprint reader at the airport.

This first generation of biometrics was used for premises access and to track lawbreakers — it felt either scary or an imposition, recalls Bob Reany, executive vice president for identity solutions at Mastercard. “It wasn’t familiar and it was used for things that people would rather have avoided. What changed was accessibility, convenience and familiarity — and a lot of that was driven by the mobile phone platform. A smartphone is something you’re familiar with; it’s always within reach, and you own it.”

The turning point came three years ago, when Apple came out with its trademarked Touch ID. Using a fingerprint to unlock your phone instead of having to use a passcode sold biometrics as an everyday tech, to the benefit of the payment industry.

“People went from saying ‘I will never use biometrics; I’m never going to let anybody have my fingerprint’ to ‘I’m going to wait in line overnight to get this phone’,” says Reany.

Forgotten passwords

Consumers have responded positively to the technology — perhaps because 53 percent of shoppers forget crucial passwords more than once a week, losing more than 10 minutes when they reset their accounts, according to 2015 research from Mastercard. Added to that is the fact that the best and most secure passwords — a mix of numbers and letters, using both capitals and lower case — are awkward to use on a mobile, as it involves switching back and forth between screens.

Nine out of ten participants in a 2016 pilot study conducted by Mastercard in the Netherlands indicated that they would like to replace their password with biometric identification, and other manufacturers like Samsung are also adding biometrics into their tech. Mastercard is not just catering for those smartphones with fingerprint sensors, however.

Mastercard’s Identity Check Mobile app provides an additional and alternative form of authentication via face recognition. It leverages the fact that all smartphones have decent-quality cameras now. It also means that secure forms of mobile payments are still viable in countries where the iPhone and other premium-priced smartphones are beyond the budgets of most people.

Users want transactions to feel seamless and virtually invisible; biometrics and other technologies behind the scenes help facilitate this and bring even greater advantage when integrated with a digital wallet like Masterpass. This, in turn, benefits global adoption rates for mobile payments.

Leading-edge mobile payment technologies do not just feature biometrics. Artificial intelligence (AI) and machine learning extracts approved information from the data that payment providers have available, and learns from it to enable smarter decisions to be made over time helping to reduce fraud. Artificial intelligence then applies those outcomes to transactions. Together, they are fundamental to managing the risk of fraud and intelligent decisioning.

“When it comes to real-time decisioning, big data is meaningless unless we can bring it to bear on that split-second decision when you dip, swipe your card, or click buy on the Internet or on an app,” says Johan Gerber, executive vice president for security and decision products at Mastercard.

“The only way in which we can extract insight from such a mass of data and bring it to bear on a single decision or transaction is through machine learning. It gives us the ability to look at hundreds of different variables that track those patterns and relationships between behaviors, and that tells us if something makes sense for you as a consumer or if it looks more like a fraudulent transaction.”

Behavioral data

Mastercard is also adding complex behavioral data into the mix. Its algorithms can use thousands of data points to make decisions in nanoseconds.

All these technologies are helping to minimize instances of what consumers find most annoying — so-called “false declines” — when your card, online or mobile payment is refused for seemingly no good reason.

These can also be mitigated by the introduction of “intelligent friction”, where the consumer benefits from experiencing the security at work: for instance, when completing a very large transaction, like buying jewelry, you want it to be easy for you, but not easy for a fraudster.

Critically, to ensure payment technologies reach mass-market penetration, standards are vital. Companies looking to provide payment solutions also benefit from a partnership with an experienced vendor that covers all aspects of the payments chain. Not only is the process more secure, since it limits the potential points of vulnerability, but it allows the payment provider to leverage best security practices.

“If you create a lot of proprietary solutions it’s hard for merchants and issuers. That’s why it’s key to make something that works for everybody,” explains Reany. To this end, Mastercard has recently announced a joint biometric standard with Visa and EMVCo. The days of the password – and having to remember dozens of them – may truly be numbered, and we should all be more secure with its demise.

[Figure: Global cognitive systems budget. 20 percent of the $41.5 billion global cognitive systems budget will be accounted for by the world’s issuers by 2019. Values shown: $33.2bn; world issuers $8.3bn. Source: IDC, 2016]

67% of people believe that online security concerns will drive adoption of digital wallets. Source: Edgar, Dunn & Company, Advanced Payments Report 2016

The impact of the IoT on payments
A (84%): Security remains the biggest concern when sensitive financial data is involved, data privacy and security related issues need to be resolved
B (68%): IoT will revolutionize the payments industry as every connected device can be a vehicle for commerce
Source: Edgar, Dunn & Company, Advanced Payments Report 2016


A double-edged sword

It’s hard to find a balance between protecting and inconveniencing customers, and the latest security measures must be able to offer them a seamless transaction experience

There’s nothing more infuriating or embarrassing than having a transaction turned down when you know you’re one of the good guys. One in every six cardholders has experienced at least one decline because of suspected fraud in the past year, according to research from market analyst Javelin. Knowing that the decline could be a measure to protect you from fraud is no consolation.

Improving security measures can often prove a double-edged sword. In a bid to spot unusual or out-of-the-ordinary transactions, issuers use transaction and tracking intel to look for anomalies — all well and good while we go about our usual business, but go on holiday or buy from a different store, and your purchases may show up as unusual, leading to your payment being declined.

Balancing ease of purchase with security is not easy. But payment technology companies have a range of solutions that aim to help improve commerce, reduce fraud and enable a seamless shopping experience — solutions that can be linked together to provide layer after layer of security, much of which (like device recognition or risk profiling) is invisible to the card user.

For example, Mastercard’s Identity Check Mobile allows customers to utilize biometrics, selfies or their fingerprints, as a form of identity authentication. If, during payment, further verification is required then a simple request is sent and the customer can respond instantly. This has usually meant typing in a password — often hard to remember and difficult to do on a mobile. With Identity Check Mobile, they may blink into the device’s camera (to show they are not holding up a photo) and Mastercard’s facial recognition software will confirm that the image captured is real and will then compare this to a digitized image created at registration. Alternatively, consumers can use the phone’s fingerprint identification capability.

“The age of the password is over and biometrics will be a crucial part of a winning solution,” says Bob Reany, executive vice president for identity solutions at Mastercard. “Passwords today are ineffective, especially as we have more of them across more devices. Convenience is going to win the day.”

False declines

Reducing fraud without inconveniencing shoppers is a hard balance to strike. With stringent anti-fraud measures in place, the amount and value of digital payment crime can be reduced. In some South American markets, up to half of all credit card transactions can be declined. But this means many legitimate consumers suffer declined transactions.

Issuers that are currently achieving their standard decline and fraud rates may not realize they could be losing as much as $101 in declined transactions for every $1 they are saving in fraud. False declines aggravate shoppers, who will often stop using a merchant that has turned them down previously. The merchant loses and the consumer is inconvenienced.

So the race is on to find more effective ways of analyzing transactions to reduce false declines, while still protecting against fraud. Mastercard is utilizing machine learning to improve the way it analyzes transactions; this technology evaluates fraudulent transactions and identifies typical scenarios where the crime occurs — then applies those scenarios to other transactions to assess the risk of fraud. Artificial Intelligence (AI) machine learning is an enhancement to “rules-based” systems, where humans decide on a set of scenarios that lead to a transaction being blocked.

Johan Gerber, executive vice president for security and decision products at Mastercard, says: “There has been a belief that security and customer experience are at odds; if you tweak one, the other one has to suffer. But, moving into the digital world, we believe this is changing tremendously.”

Intelligent decisioning

The availability of new data, intelligence and the ability to identify yourself using your device means security can be increased, protecting customers without introducing more friction into their lives. Mastercard has recently launched Decision Intelligence, which uses AI and combines advanced fraud detection with intelligent decisioning capability. It does this by looking not just at the transaction at that moment but at the norms of behavior of that card over time. Every transaction is then graded against this behavior, with a higher score indicating that the transaction is in keeping with previous activities. While the data remains strictly private, the benefits for protecting cardholders are obvious, as issuers and merchants are able to make better-informed decisions.

“Most fraud technology is looking at assessing the risk associated with a transaction — we call it fraud scoring,” says Gerber. “Within Decision Intelligence, we are doing the opposite. We are looking at the odds that this transaction is actually genuine, by looking at your past and most recent behavior as well as your digital footprint. This is in essence a clear example of AI at work, refining the decisioning based on the most recent data without human intervention.” The focus at certain points in the system needs to switch from preventing and detecting the bad guys to enhancing the experience of the good guys.

The benefits at a global network level are also a balancing act. Mastercard Safety Net was created to address a growing threat from organized cross-market large-scale attacks on issuers. It constantly monitors and analyzes the entirety of an issuer’s network, looking out for recognized signs of unusual activity that could result in cybercriminals working in a sophisticated manner across many markets with the ambition to withdraw millions in a short period. Safety Net can identify attacks as they happen and will alert issuers to take protective action or step in on their behalf, isolating only the accounts under attack while enabling the rest of the issuers’ customers to continue unaffected. Gerber says the system has successfully identified five attacks in 2016 alone.

Keeping ahead of the increasingly sophisticated criminal networks is a challenge, but with focus, expertise, and strong collaboration, payments can be kept secure. The overall experience for consumers, issuers and merchants can improve, leading to easy, seamless shopping while rooting out fraud.

82% of people have stopped doing business with a company due to a bad experience. Source: Forbes 2016

What ROI would you expect if you increased investment in payments?
Enhanced customer experience: 55%
Introduce new payment services/tools: 38%
Launch value-added services (e.g. loyalty): 36%
Increased range of payment options: 34%
Reduced business costs: 40%
Improved speed of clearance & settlement: 38%
Reduced payment frictions: 34%
Accelerated authorization and processing: 29%
Reduced PCI-DSS liabilities: 29%
Gain competitive advantage: 41%
Increased number of consumer touch points: 34%
Enable monetized services: 27%
Chart legend: Customer experience; Payment streamlining; Commercial benefit
Source: Ovum, 2015 Global Payments Insight Survey, 2015


©2016 Mastercard

