Securing the evolving payments world
Connected payments
A foreword by Ajay Bhalla, president, enterprise risk and security, Mastercard
Every day, billions of people around the world use the Internet to share ideas, buy and sell things and keep in touch with family, friends, and colleagues. It enables us all to develop and learn at a pace that once seemed impossible.
Now, through the Internet of Things (IoT) people can seamlessly connect via multiple devices, sending and receiving data - from business and sensitive communications, to personal conversations and everything in between - across the globe. There can be no doubt it has become a powerful force for both business transformation and consumers' lives. However, one consequence of increased connectivity is greater vulnerability to attack.
How can we take advantage of a truly connected world while ensuring we keep ourselves secure?
As a business, we are committed to innovating and evolving our safety and security capabilities constantly, to ensure that everyone connected to Mastercard can be confident they are protected. In an age when the payments ecosystem and digital world are converging, challenges and opportunities are emerging in equal measure. We aim to provide considered leadership, helping to enable digital payments to expand while replacing cash. We see this publication as a call to action for the industry, raising awareness among those who can make a difference. This is vital for all those who seek to remain one step ahead; helping to change the current mindset from seeing security innovations as optional, to seeing it as an absolute necessity built in from the start of every project.
Through the right global standards, best products and services, and a desire for continual innovation, we can ensure everyone, everywhere, is protected and financially included, which will ultimately define and enable the future of trusted and secure payments. ■
Securing the payments world
A safe new world
The threat landscape and security response
Technology may have changed the way we buy beyond recognition, but now it has to work fast to keep payments secure and stay one step ahead of cybercrime
The first online purchase was made over 20 years ago. Since then, the integration of the internet into everyone’s lives has led to the proliferation of payment technologies that can improve online transaction processing, electronic funds transfers, data interchanges and mobile technology.
These technologies have vastly changed the way consumers live and businesses run, and continue to grow in popularity. From digital wallets to social payments to virtual currencies, there are ever more options to buy goods and services, and easier methods with which to make a purchase.
With this plethora of ways to pay comes a plethora of ways to steal. Cybercrime is a huge threat to businesses and the rewards for criminals can be huge. Adrian Leppard, former commissioner of the City of London Police, recently warned that in some instances cybercrime may be more lucrative than the drugs trade. The Carbanak attacks showed how a cybercrime gang acting as a modern-day Bonnie and Clyde stole an estimated $1 billion by infecting issuers’ systems with malware.
But the payments industry is meeting these challenges head-on. Technology is changing how we keep our payments secure; where once we needed a locked safe behind steel bars in a padlocked underground vault for our physical cash, now we can employ a secure web of digital security measures. From biometrics to encryption of data to national and even global protocols, layers of technology keep our digital money secure.
Adopting new technology
Moreover, stakeholders in the payments industry — from issuers to merchants, from terminal operators to ATM manufacturers — are working together to improve and standardize security measures on a global scale. Adoption rates for EMV chip technology — which replaces the static data of magnetic stripe cards with dynamic data generated by computer chips — are increasing substantially. By the end of 2015, the number of EMV chip payment cards in global circulation increased, year-on-year, by 1.4 billion to 4.8 billion, according to EMVCo, the industry body that maintains the global EMV standard.
EMV has led to some big improvements in places where the technology has been adopted. For example, in the US, counterfeit card fraud at chip-activated merchants fell by 54 percent in April 2016 compared to the same period in the previous year. In addition, contactless technology, which uses Near Field Communication to enable a quick and seamless transfer of data from both cards and mobile phones, has also grown; in April the Smart Payment Association reported that tap-and-go functionality was present on 82 percent of its cards shipped in North Asia. It brings huge benefits to both consumers and merchants, reducing the time it takes to check out in a store, and is driving big change in the payments industry, with smartphones and wearables becoming the future wallet.
Technology has driven a big change in how we shop too. We buy through mobiles and tablets, we buy while on the bus en route to work or while watching TV in the evenings; 66 percent of Europeans used a smartphone or tablet to shop in 2016, compared with 58 percent in 2015, according to the ING International Survey on Mobile Banking 2016 report. Our new habits offer significant benefits for merchants, but pose a new challenge for the payment industry; there has been a rise in online fraud and more diverse types of fraud, with criminals seeking out and exploiting the weakest link.
But the technology to counter the threat is available. One such technology layer is biometrics; from fingerprint sensors to face recognition, it enables safe and secure authentication of a consumer, and makes it more convenient than ever for consumers making digital payments.
No more passwords
The global mobile biometrics by fingerprint recognition market is predicted to reach $12 billion by 2020, growing at a compound annual growth rate of almost 103 percent, according to Technavio’s 2016 prediction. The move away from clunky passwords, so often forgotten by the consumer or chosen to be easy to remember and hence easy to guess, is resulting in new real-time and dynamic authentication processes.
Not all threats involve cutting-edge technology; however, the theft of data can prove lucrative, whether from identity fraud or phishing scams. As cybercrime tools become easier to access and utilize, small businesses in particular are targets for this type of crime (nearly half of cyberattacks worldwide in 2015 were against small businesses with fewer than 250 workers, according to Symantec’s 2016 Internet Security Threat Report). As a result, global standards bodies like the PCI Security Standards Council are working in partnership to offer help and advice to all merchants, regardless of size.
Technology is changing the world of personal finances more rapidly than ever before, as customers demand a financial environment that is compatible with the personalized and immediate service available in other aspects of their lives. Keeping one step ahead of evolving security threats is a demanding task, but the payment industry is already meeting that challenge, with all stakeholders in the purchasing chain coming together to keep consumers safe. ■
61% of organizations see data theft and cybercrime as their greatest threat yet... 50% said they are confident about the security they have in place (Source: Ponemon Institute, 2016)
$500bn: total cost of cybercrime worldwide (Source: Forbes, 2016)
80% of attacks are of a known variety – the other 20% cause the most damage (Source: IBM, 2016)
84% of payment professionals think security remains the biggest concern (Source: Edgar Dunn, Advanced Payments Report 2016)
180% increase in distributed denial of service (DDoS) attacks, 2014 to 2015 (Source: Tripwire, 2016)
A digital evolution
Changes in the payments sphere are by no means over. We may have taken a technological leap in the past decade, but we are likely to see even more changes in the next.
Part of the change will come at a national level, as immediate payment systems are implemented more widely (35 countries have implemented or scheduled hard launch dates for immediate payment systems, according to CapGemini’s Top Ten Trends in Payments in 2016 report). Such systems improve the speed of transactions, reducing risk of fraud and driving business growth. Change is likely too from the Internet of Things (IoT) — the increasing interconnectedness of everyday devices. It may be only a few short steps from a home heating system that alerts you to the need to reorder fuel, to one that will provide a payment mechanism as well. Connected devices may soon become commerce devices and it is vital they are secure from the start.
Technology has brought us blockchain, which has given rise to digital payment network Bitcoin. There are plenty of unanswered questions around virtual currencies — regulation is just one — but the technology behind it could drive previously unforeseeable changes.
Our payment habits are increasingly being analyzed and assessed, and the technology behind that will help merchants provide a more personalized service, potentially deepening and changing the relationship between supplier and customer, and helping to ensure more genuine transactions are approved.
Predicting the future is hard given the state of flux in digital evolution. In an uncertain and fragmenting landscape, an experienced and trusted voice will always be valued. ■
Internet of things by numbers
7bn people on the planet
3.3bn internet users
10bn connected things in use in 2016
30bn connected devices by 2020
$2.1trn cost of breaches through digitisation of consumers and enterprise in 2019
Sources: Juniper Research, 2015; eMarketer, 2016; TSG, 2016
Crime waves
With payment technology becoming ever more advanced, cyberattacks are becoming ever more sophisticated, putting us all at risk
As payment methods proliferate, so too do methods of stealing your money. Given the importance of ensuring consumers trust digital payments, it’s a serious business keeping one step ahead of the cybercriminals who pose a threat to your financial security. For one, financial protection advice used to revolve around making sure no one was watching as you keyed in your pin. But the arrival of online payments has been a game changer for both consumers and thieves; now, criminals no longer have to be anywhere near you to steal your usernames or passwords, and this anonymity is to their advantage. As our lives become increasingly interconnected via the Internet of Things (IoT), the opportunities for cybercriminals to find a weak point in your defences increase. Market analyst Juniper Research in 2015 forecast that the cost of data breaches will rise to $2.1 trillion globally by 2019, four times the estimated cost in 2015.
Certainly it is a concern for consumers. According to the European Commission’s 2016 report on cybersecurity, one of the most common concerns when using online banking or shopping was the security of online payments (mentioned by 42 percent of internet users in the European Union). Yet digital payments remain one of the most secure ways to pay — the payment industry’s safety and security measures have reduced the amount lost to fraud to just over six cents for every $100 spent on major global cards, according to The Nilson Report.
Risky behavior
Sadly, there is no single silver bullet that can secure our lives against cybercrime; instead, both consumers and payment providers must take a multi-layered approach. For the consumer, it means being aware of the many ways in which connected devices can be hacked; even clicking on a YouTube link that comes up on your Facebook page, for example, could be the equivalent of leaving your door unlocked, as it infects your device with a virus or leaves you open to ransomware (where criminals lock a device and demand payment — often electronically — to unlock it). According to 2016 research from advisory firm Aite Group, more than half (54 percent) of consumers exhibit at least one risky behavior, putting them at higher risk of fraud.
One step ahead
For payment providers like Mastercard, it means providing a secure, multi-layered approach. This ranges from identifying the individual making a purchase as the owner of the card — perhaps with fingerprint or facial recognition — to the continued advancement and deployment of encryption and tokenization, which protects the payment. At a global-network level, this means monitoring trends for unusual activity across billions of transactions to detect and block large-scale cyberattacks. This capability allows Mastercard to protect their partners by using products such as Safety Net.
It also means being one step ahead of the criminals. Mastercard’s DigiSec laboratory focuses on proactively testing threats to digital payments using leading technology from alternative disciplines (like lasers used in astronomy or X-rays used in medical labs) to mimic attackers. This is in addition to working with leading cybersecurity specialists to evolve thinking around safer payments. According to Ajay Bhalla, president of enterprise risk and security at Mastercard, it is part of a commitment to “share insights, solutions and best practices to deliver the highest levels of security while better enabling the consumer to pay conveniently”. ■
75% of websites are estimated to have unpatched vulnerabilities (Source: 2016 Internet Security Threat Report, 2016)
Changing habits
A rapid increase in CNP purchases has brought with it a new level of fraud that can only be fought with the introduction of new technology and standards worldwide
Fraud that occurs during remote transactions (a card-not-present, or “CNP” purchase) is among the most difficult for the security industry to track accurately. With the changing habits of consumers leading to more widespread adoption of EMV security measures, CNP fraud is expected to rise as a proportion of global fraud: from about half in 2015 to 80 percent by 2018, according to Javelin. CNP fraud in the US alone is predicted to be more than $7 billion by 2020, according to a 2016 report by Aite.
Traditionally, authentication relied upon an extra layer of security where the cardholder is asked to verify themselves through something they know, like a password or PIN. This was effective but not wholly popular with merchants as it interrupted the flow of a purchase and was thought to lead to cart abandonment, with the legitimate concern that adding layers of complication for the customer could lead to a loss of sales. In the commercial world, where margins can be slender, it’s often the case that security is where companies look for compromises.
But consumer demand for the ease and convenience of online purchasing is clear, not to mention increasing, via smartphones or in-app purchases. Customers would like to buy with one tap of the screen — and merchants also prefer this seamless method of payment.
Checkout security
One way to handle checkout friction is to shift the perceived risk of the transaction from the consumer to either the merchant or the issuer. Now it’s the issuers’ and merchants’ responsibility to decide if they need additional evidence to verify a consumer’s identity. Merchants have transaction and device history so can decide not to ask for authentication; issuers can make similar decisions and it is only when the transaction looks suspicious that actual authentication needs to occur. Whoever chooses not to authenticate takes the risk of the transaction, not the consumer.
That may work for the consumer, but has obvious downsides for merchants and issuers. The challenge for the payment industry has been to find a method that combines greater security with a simpler and more convenient consumer experience. The answer lies in evolving technology and standards, like the second generation of 3D Secure (3DS 2.0), now an industry-wide messaging protocol that enables consumers to verify their identity with either a password or a biometric.
“We are constantly striving to find the most effective and easiest way to match identity to a transaction,” says John Beric, vice president for product development and innovation at Mastercard. “Soon we will move to 3DS 2.0, which will allow the issuer, with the consumers’ permission, to collect data on the environment in which the consumer is making the transaction. They’ll be able to get a biometric through the device and information around the device itself. If all transactions emanate from the same point of origin, then the issuer will have greater confidence that it’s the genuine card owner, despite the transaction being out of pattern.”
3DS 2.0 is owned by industry standards body EMVCo, giving both consumers and merchants confidence that it is robust. Utilizing this new standard will be Mastercard Identity Check Mobile, a biometric authentication solution that’s accessible on consumers’ smartphones as either a standalone app or integrated into an issuer’s app. In consumer trials, 92 percent of participants found it more convenient and more secure than passwords.
Interoperability
One strength of the current global payment network has been interoperability, across both devices and issuers. A card from the UK can be used from Argentina to Zimbabwe, wherever you see the Mastercard acceptance logo. That’s 39 million locations worldwide, all of which are required to deliver a consistent and secure connection.
As technology makes it possible to move from a piece of plastic produced by the issuer to digital devices like mobiles and wearables produced by a host of different manufacturers, the network has to be able to handle a myriad of different systems of multiple ages. 3DS 2.0 will not only work across all card types and brands, but it will also work with both new and old technology — a key consideration when the solution is adopted in markets where the use of smartphones is less widespread. If necessary, authentication can take place via SMS rather than an app, while the technology is being constantly updated to keep pace with new systems too.
CNP is sometimes viewed as the weak link in a secure system — the simplest way for criminals to take money from stolen cards now that the EMV chip has been introduced. One solution is multi-factor authentication. By increasing the “layers” of information that can be utilized, including device characteristics, biometrics and cryptograms, genuinely suspicious activity can be more accurately detected. This process is not only more robust but the level of accuracy reduces erroneous detection, making for a more fluent user experience. Further benefits of tokenization and integration with digital wallets like Masterpass will be increasingly realized as the Internet of Things becomes more established. But the goal remains to create an interoperable world in which payments are safe, simple and secure. ■
In consumer trials, 92 percent found biometric authentication more convenient than passwords, and many believed it would reduce fraud
The security game
It’s tempting to think of a cybercriminal as some sort of evil character in his lair, plotting against honest businesses and probably stroking a cat (think Austin Powers). But if Javvad Malik, security advocate at AlienVault, is right, it’s slightly more mundane.
“Fraudsters operate like any other business. They want to follow the path of least resistance to get the maximum return on investment. Since chip-and-PIN cards have been introduced, physically using the card has become more difficult, not to mention risky. Cloning an EMV chip is beyond the capability or appetite of most fraudsters and most ATMs will look for the presence of a chip if the card has been issued with one.
“This leaves CNP or MOTO (mail order/telephone order) as the preferred channel, as it does not require use of the chip, nor does it require knowledge of the PIN.”
Interestingly, the gaming industry could also provide inspiration for methods of working effectively with consumers to ensure good security practice by enticing them into making more security-responsible choices. Through the use of 3D graphics, security can be turned into a game that makes the process of passing through security checks altogether less onerous.
Given the increasing disruption of traditional financial players by more nimble competitors, payment providers need to look at all aspects of our lives — even social media. Facebook Messenger is being used to transfer money between friends. And, of course, the use of selfies as payment authentication is a clear example of how our lives and our finances are becoming increasingly intertwined. ■
Security through layers
PREVENT attacks: Secure the physical account; Secure devices and infrastructure; Secure the cardholder - verify identity
DETECT fraud: Secure the transaction - stopping fraudulent behavior; Screen & detect evolving cyber security threats
ENHANCE experience: Improve consumer experience; Increase approvals; Resolve disputes
Source: Mastercard, 2016
[Chart: Merchant adoption of security measures. Customer authentication method(s) supported by issuers for online and mobile transactions. Categories: A Device authentication; B Randomized PIN pad; C Multi-factor authentication; D Dynamic authentication (one-time password); E Biometric solution (e.g. fingerprint, voice); F 3D Secure. Values printed: 48%, 34%, 34%, 24%, 14%, 6%. Source: Cognizant 2016]
Value of fraudulent online transactions
2015: $10.7bn
2020: $25.6bn (+239%)
By 2020, $4 in every $1,000 of online payments will be fraudulent (Source: Juniper Research, 2016)
$16bn in online retail fraud alone (Source: Juniper Research, 2016)
Fighting payment fraud
[Chart: Estimated total card fraud losses. Years shown: 2016, 2020. Values printed: $21.8bn, $31.7bn+.]
[Chart: Issuer use of fraud prevention tools (currently using; plan to use in future). Tools listed: Transaction screening (software-driven); Rule-based alerts; Analytics (predictive, pattern matching, etc); Transaction screening (manual); Real-time fraud scoring; Neural networks; Artificial intelligence; None. Axis: 0% to 50%.]
[Chart: Benefits and concerns of biometrics. Statements: Biometrics can bring benefits such as ease of ‘card not present’ transactions and eliminate the need for a physical wallet; Biometric technologies will be deployed as an additional layer of security to tokenization and EMV; Biometric technologies will become mainstream in the future but implementation and adoption will take time; (4) Data privacy is a major issue with biometrics; (5) Cost of implementation is a major issue with biometrics. Percentages printed for statements 2 to 5: 79%, 78%, 72%, 69%.]
[Chart: Merchant fraud prevention capabilities. Questions: Do you have a common set of fraud prevention capabilities across all channels today? Do you have a common set of payment security capabilities across all channels today? Answer categories: Yes, No, Unsure.]
[Chart: Financial services biometrics. Panels: The gap between issuers’ interest and deployment plans for biometrics (interested in adopting biometrics; expect to have deployed biometrics by 2018; gap on action); Consumer appetite for biometrics (consumers’ position; issuers’ perception).]
Sources printed with these charts: Nilson, 2016; Cognizant 2016; Dunn & Company, Advanced Payments Report 2016 (*for payment industry executives); ACI Universal payments, 2016; Mastercard & Oxford University banking research
A question of trust
As consumers become more aware — and less tolerant — of payment fraud, more needs to be done to win their trust in digital transactions
Trust is key to the success of all payment technologies. Consumers need to believe their money, identity and privacy are safe before using digital payments. Most of us do have faith. But millennials – those aged between 18 and 35 — are less tolerant of fraud incidents than previous generations; a survey from US credit agency FICO published in June 2016 found 22 percent of US consumers will close an account after a fraud incident, while 29 percent of millennials will close all accounts with that issuer if they feel it wasn’t handled properly.
Paul Trueman, senior vice president of product advancement at Mastercard, says the way consumers interact with smartphones, together with the immediacy of social media, means they won’t stand for inaction from issuers or merchants. “Social media has taught them that everything can happen in an instant. There is no point in writing a letter of complaint to someone; Tweet them and they will respond quickly.”
Indeed, FICO found that 14 percent of US consumers had written a negative social media post about a fraud incident — a 100 percent rise year-on-year, creating a misleadingly negative impression of payment security.
“People are almost assuming these things will happen securely, with no need for them to take any action to protect themselves,” says Trueman. “Payments have never been safer, but criminals have never been smarter – and the noise never louder.”
Security breaches
The “noise” is constant. Not a week goes by without headlines declaring another security breach for an online brand; for example, Dropbox recently admitted that 68 million passwords had been dumped on the web by hackers. The fundamental challenge is to prevent a loss of consumer confidence in digital payments, otherwise its adoption could be stymied. As technologies and providers proliferate, consumers will be forced to make choices on who they trust.
Social media has enabled us to evaluate trust via a star rating and reviews, but where money or identity are at stake consumers adopt more rigour in who and what they trust. For Mastercard, trust in the ability to pay securely, wherever you are, is clearly central to its ethos.
When firms are assessing an approach they must first and foremost try to prevent attacks getting through. Companies need to accept that no matter how good their prevention techniques are, they will be hacked and so must also be able to detect breaches quickly and efficiently, before isolating and resolving them.
It is vital, as Trueman explains, to build mobile digital payment systems that work in-store or online and are trusted by consumers, merchants and issuers. “Using technology to make better, more intelligent decisions is a key part of that.” To that end, Mastercard is leading the drive to replace passwords and enable the use of biometrics, as well as reinforcing EMV adoption globally.
Consumer understanding
Global EMV standard chip technologies, such as Mastercard’s M/Chip Digital, work on smartphones, wearables and contactless payments and sit securely behind all the payment activity on a given device. Combined with tokenization and biometric authentication techniques, such as fingerprint or facial recognition, these technologies are going a long way in enabling remote and contactless payments while still helping to prevent fraudulent activity.
But the consumer also has a part to play understanding what technology can and cannot do. For instance, people need to be cautious when using free public Wi-Fi hotspots, and ensure any security apps are from a trusted source in order to prevent their smartphone being compromised.
“It’s like getting a car and deciding that, as the car has an airbag, there’s no need to wear a seatbelt,” says Trueman. “It isn’t appropriate. You need to think for yourself as well.”
And as long as consumers take reasonable precautions and inform their issuers if they spot suspicious activity, they have peace of mind that they are protected against fraud, no matter where they are, by Mastercard’s global Zero Liability promise. ■
Consumer payment behavior and sentiment
78% of online shoppers believe that they need more protection
57% have doubts that e-commerce sites will keep their personal information secure and confidential
54% do not trust giving credit card information online
46% of internet users will purchase products online by 2017
Sources: AITE; Statista; Chargebacks911, 2016
A winning team
The landscape for fraud is constantly evolving, and countries and groups need to share information in order to build a global defence
Johan Gerber, executive vice president for security and decision products at Mastercard, spends a lot of time on the move, meeting with customers, regulators and policy-makers. This is all part of a key element in maintaining the security of the digital payments sphere: the sharing of information.
“Without cooperation you are blind,” he says, illustrating the need for joined-up action on fraud. “The ability to coordinate gives you access to data — intelligence that you would not otherwise see.”
In sport, the best teams are those in which individuals cooperate and work seamlessly together. The same can be said of the fight against global fraud. Individual countries may have robust procedures, but without a coordinated approach, cybercriminals will find vulnerabilities in international security structures.
“Cooperation between countries and groups within them is absolutely essential. Divided everyone is weakened,” says Gerber. “Crooks have developed an integrated ecosystem; they have specialists and each sells
time — means an open dialogue between anti-fraud stakeholders is vital. On one level, sharing information helps agencies adapt their defences and build new applications to prevent future attacks. On another, should an attack happen, fast and fluid communications can alert relevant parties around the world and prevent it from spreading.
Sharing intelligence
“Information flow is a big deal,” says Gerber. “Something happening in Japan won’t take long to spread to China or Singapore, from Singapore to London and then to the US or Brazil.
“Sharing intelligence early in the cycle allows everyone to tweak their protection systems and be on the lookout for these new trends coming down the line. Without these channels of information-sharing, organizations and countries are vulnerable to emerging threats.”
The information exchange could be anything from informal meetings and correspondence between groups to major international conferences, events and cooperative structures like anti-fraud councils and focus groups. “Every year, in different regions, we host global risk leadership conferences, where we sit around the table with our regional customers, regulators, law enforcement, merchants and issuers. We have a perspective and add tangible value to those we work with. We are linking up with other organizations and other vendors. We work closely with regulators around the world to make sure there is a flow of information and we can understand how to cooperate more.”
With global cybersecurity threats becoming ever more sophisticated, potent and opaque, Mastercard is an active participant in the anti-fraud fight, which comprises national governments, regulators, security agencies, private businesses and supranational groups
the practical steps being taken in the fight against fraud. It is a member of EMVCo, an organization set up to facilitate the worldwide acceptance of secure payments. Global group Mastercard is also in partnership with the Merchant Risk Council and the Payment Card Industry Council, which assesses security standards across the payments sector. Yet another area of collaboration is Mastercard’s Fraud Advisory Committee, made up of financial groups in various regions, with a global group made up of international institutions. “At these forums we put everything on the table — the technology and the threats,” O’Malley says. “Then, when each member goes back to their regions they share that information with local issuers and government, helping to spread key messages.”
But coordination on a global level takes time. John Beric, vice president for product development and innovation at Mastercard compares it to the creation of ATM cash machine networks, which were initially run by individual issuers and closed off to competitors before being opened up to other customers, first domestically and then internationally.
“It took three migrations and three major investments to get the ATM network to where the issuers wanted it to be. It shows that what might be locally right, initially, could turn out to be internationally wrong.
“When it comes to security, it is a complicated process to manage the information flow. But the best markets are those who are believers in intelligence sharing and where there are semi-formal cooperative networks for the issuers to share best practice inside and beyond national borders.”
conversation about fraud, the risks, the new
it is important that communications channels
a unique service. They work together to get
like the European Union.
trends, how we work together, what tech they
remain open. By sharing information and
have,"
best-practice advice, global institutions can
the best results — and they now work globally,
“In every region we have people in our fran-
says Nancy O’Malley chief payments
which is why it is considered organized crime.”
chise working with law enforcement to under-
This, coupled with the fact that the land-
stand what they see and help with any threats
Mastercard works closely with government
but can also help shape the solutions that
scape for fraud is constantly changing — with
or trends on our side,” says Gerber. “Being a
bodies like the European Commission to share
will keep payments safe against the threats
new vulnerabilities being targeted all the
global network enables us to have a unique
information and educate policy-makers on
of tomorrow. ■
system integrity officer, Mastercard.
not only stay one step ahead of criminals,
Securing the payments world
Playing catch-up

Markets need to come together to find a collaborative solution to fight cybercrime, but with varying levels of security and technology advancement it’s an uneven field

In a global marketplace, transactions between consumers and businesses are no longer confined by national borders. Buyers hungry for the best products and the lowest prices increasingly look to overseas suppliers for the best deals, swelling cross-border and global trade.

While the fanning out of commerce creates opportunities for business, it also throws up challenges for fraud prevention.

If trade is worldwide, then security must be too. Only global standards and a global view will defeat the fraudsters whose outlook is just as international as any legitimate business.

“Consider the following scenario,” says Johan Gerber, executive vice president for security and decision products at Mastercard. “A criminal sitting at an address in Malaysia hacks into a database located in Brazil. He uses it to buy something from a merchant in London and has it shipped to Australia. This is the global nature of fraud and it presents practical problems for the agencies that seek to prevent it.”

Global cybersecurity is a chain with hundreds of links, and is only as strong as the weakest of those connections. But while some countries invest millions of pounds in security infrastructure each year, others do not.

“Crooks are looking to minimize cost and maximize profits,” says John Beric, vice president for product development and innovation at Mastercard. “Our job is to make the cost of an attack so high that the criminal can’t make a profit.”

Unfortunately, he adds, fighting cybercrime differs from country to country, usually depending on economic strength, regulatory pressures and budget priorities. “No one wants to leave themselves exposed, but some countries have more assets at their disposal to tackle these issues.

“Others are facing more pressing issues, so cybercrime is further down the priority list, which means there is an uneven ability to withstand attacks.”

Slower to adapt

It’s not always down to economic strength. The US, the world’s biggest economy, and a complex payments environment, had been slower than many other countries to adopt EMV chip technology. As a result, it is expected to suffer $4.5 billion worth of fraud this year due to cloning and counterfeit magnetic stripe cards, according to Aite Group. But this is decreasing rapidly, according to a 2016 study by the Aite Group.

Fortunately, the industry has done much to even up the unequal field. It’s been 10 years since the establishment of the Payment Card Industry Security Standards Council, a global body that develops payment security standards.

More recently, Mastercard has launched Safety Net, a global tool that harnesses the power of Mastercard’s worldwide reach to spot unusual behavior.

Down at the individual cardholder level, location-alert services are capable of helping authenticate transactions when customers travel domestically or abroad. Location technology is leveraged through your mobile phone, meaning there’s a lower chance of legitimate transactions being declined.

Better decisions

But, it doesn’t stop there. New, near-invisible technologies are becoming available, empowering issuers to make better fraud management decisions, reducing the number of legitimate transactions being declined. This is all done by utilizing the intelligence available to create new connections, while employing machine-learning technology to ensure decisions get ever more accurate over time.

These advanced services are also aimed at mitigating the vulnerabilities in existing systems and supporting national security infrastructure efforts. It’s clear, given the growing problem of global fraud, that more needs to be done. By approaching fraud collectively and working cohesively, the global community will be stronger and better for it. Only by approaching the problem of fraud collectively will countries at all stages of economic development be able to fight the global menace of cybercrime. ■

[Figure: Percentage of card-present transactions that are EMV, 2014 and 2015, by region: Europe Zone 1; Europe Zone 2; Canada, Latin America & The Caribbean; Africa & The Middle East; Asia]
[Figure: EMV in the US. 1.7m chip-active merchant locations on US Mastercard network; 374% increase in chip terminal adoption since October 1, 2015]
Source: EMVCo 2016
The future looks bright

After initial skepticism, consumers are saying goodbye to passwords and are embracing new identification solutions. Now the race is on to get new technologies to the mass market

In a market that needs to balance robust authentication and user experience, increasing numbers of consumers are adopting biometric data solutions to power their mobile payments.

Until a few years ago, most consumers’ only dealings with anything biometric were likely to be governmental: the chip in the passport or the fingerprint reader at the airport.

This first generation of biometrics was used for premises access and to track lawbreakers — it felt either scary or an imposition, recalls Bob Reany, executive vice president for identity solutions at Mastercard. “It wasn’t familiar and it was used for things that people would rather have avoided. What changed was accessibility, convenience and familiarity — and a lot of that was driven by the mobile phone platform. A smartphone is something you’re familiar with; it’s always within reach, and you own it.”

The turning point came three years ago, when Apple came out with its trademarked Touch ID. Using a fingerprint to unlock your phone instead of having to use a passcode sold biometrics as an everyday tech, to the benefit of the payment industry.

“People went from saying ‘I will never use biometrics; I’m never going to let anybody have my fingerprint’ to ‘I’m going to wait in line overnight to get this phone’,” says Reany.

Forgotten passwords

Consumers have responded positively to the technology — perhaps because 53 percent of shoppers forget crucial passwords more than once a week, losing more than 10 minutes when they reset their accounts, according to 2015 research from Mastercard. Added to that is the fact that the best and most secure passwords — a mix of numbers and letters, using both capitals and lower case — are awkward to use on a mobile, as it involves switching back and forth between screens.

Nine out of ten participants in a 2016 pilot study conducted by Mastercard in the Netherlands indicated that they would like to replace their password with biometric identification, and other manufacturers like Samsung are also adding biometrics into their tech. Mastercard is not just catering for those smartphones with fingerprint sensors, however.

Mastercard’s Identity Check Mobile app provides an additional and alternative form of authentication via face recognition. It leverages the fact that all smartphones have decent-quality cameras now. It also means that secure forms of mobile payments are still viable in countries where the iPhone and other premium-priced smartphones are beyond the budgets of most people. Users want transactions to feel seamless and virtually invisible; biometrics and other technologies behind the scenes help facilitate this and bring even greater advantage when integrated with a digital wallet like Masterpass. This, in turn, benefits global adoption rates for mobile payments.

Leading-edge mobile payment technologies do not just feature biometrics. Artificial intelligence (AI) and machine learning extracts approved information from the data that payment providers have available, and learns from it to enable smarter decisions to be made over time, helping to reduce fraud. Artificial intelligence then applies those outcomes to transactions. Together, they are fundamental to managing the risk of fraud and intelligent decisioning.

“When it comes to real-time decisioning, big data is meaningless unless we can bring it to bear on that split-second decision when you dip, swipe your card, or click buy on the Internet or on an app,” says Johan Gerber, executive vice president for security and decision products at Mastercard.

“The only way in which we can extract insight from such a mass of data and bring it to bear on a single decision or transaction is through machine learning. It gives us the ability to look at hundreds of different variables that track those patterns and relationships between behaviors, and that tells us if something makes sense for you as a consumer or if it looks more like a fraudulent transaction.”

Behavioral data

Mastercard is also adding complex behavioral data into the mix. Its algorithms can use thousands of data points to make decisions in nanoseconds.

All these technologies are helping to minimize instances of what consumers find most annoying — so-called “false declines” — when your card, online or mobile payment is refused for seemingly no good reason.

These can also be mitigated by the introduction of “intelligent friction”, where the consumer benefits from experiencing the security at work: for instance, when completing a very large transaction, like buying jewelry, you want it to be easy for you, but not easy for a fraudster.

Critically, to ensure payment technologies reach mass-market penetration, standards are vital. Companies looking to provide payment solutions also benefit from a partnership with an experienced vendor that covers all aspects of the payments chain. Not only is the process more secure, since it limits the potential points of vulnerability, but it allows the payment provider to leverage best security practices.

“If you create a lot of proprietary solutions it’s hard for merchants and issuers. That’s why it’s key to make something that works for everybody,” explains Reany. To this end, Mastercard has recently announced a joint biometric standard with Visa and EMVCo. The days of the password – and having to remember dozens of them – may truly be numbered, and we should all be more secure with its demise. ■

People went from saying ‘I will never use biometrics’ to ‘I’m going to wait in line overnight to get this phone’
- Bob Reany

[Figure: Global cognitive systems budget ($33.2bn; World issuers $8.3bn)]
20 percent of the $41.5 billion global cognitive systems budget will be accounted for by the world’s issuers by 2019
Source: IDC, 2016

67% of people believe that online security concerns will drive adoption of digital wallets
Source: Edgar, Dunn & Company, Advanced Payments Report 2016

The impact of the IoT on payments (A: 84%; B: 68%)
A: Security remains the biggest concern when sensitive financial data is involved, data privacy and security related issues need to be resolved
B: IoT will revolutionize the payments industry as every connected device can be a vehicle for commerce
Source: Edgar, Dunn & Company, Advanced Payments Report 2016
A double-edged sword

It’s hard to find a balance between protecting and inconveniencing customers, and the latest security measures must be able to offer them a seamless transaction experience

There’s nothing more infuriating or embarrassing than having a transaction turned down when you know you’re one of the good guys. One in every six cardholders has experienced at least one decline because of suspected fraud in the past year, according to research from market analyst Javelin. Knowing that the decline could be a measure to protect you from fraud is no consolation.

Improving security measures can often prove a double-edged sword. In a bid to spot unusual or out-of-the-ordinary transactions, issuers use transaction and tracking intel to look for anomalies — all well and good while we go about our usual business, but go on holiday or buy from a different store, and your purchases may show up as unusual, leading to your payment being declined.

Balancing ease of purchase with security is not easy. But payment technology companies have a range of solutions that aim to help improve commerce, reduce fraud and enable a seamless shopping experience — solutions that can be linked together to provide layer after layer of security, much of which (like device recognition or risk profiling) is invisible to the card user.

For example, Mastercard’s Identity Check Mobile allows customers to utilize biometrics, selfies or their fingerprints, as a form of identity authentication. If, during payment, further verification is required then a simple request is sent and the customer can respond instantly. This has usually meant typing in a password — often hard to remember and difficult to do on a mobile. With Identity Check Mobile, they may blink into the device’s camera (to show they are not holding up a photo) and Mastercard’s facial recognition software will confirm that the image captured is real and will then compare this to a digitized image created at registration. Alternatively, consumers can use the phone’s fingerprint identification capability.

“The age of the password is over and biometrics will be a crucial part of a winning solution,” says Bob Reany, executive vice president for identity solutions at Mastercard. “Passwords today are ineffective, especially as we have more of them across more devices. Convenience is going to win the day.”

False declines

Reducing fraud without inconveniencing shoppers is a hard balance to strike. With stringent anti-fraud measures in place, the amount and value of digital payment crime can be reduced. In some South American markets, up to half of all credit card transactions can be declined. But this means many legitimate consumers suffer declined transactions.

Issuers that are currently achieving their standard decline and fraud rates may not realize they could be losing as much as $101 in declined transactions for every $1 they are saving in fraud. False declines aggravate shoppers, who will often stop using a merchant that has turned them down previously. The merchant loses and the consumer is inconvenienced.

So the race is on to find more effective ways of analyzing transactions to reduce false declines, while still protecting against fraud. Mastercard is utilizing machine learning to improve the way it analyzes transactions; this technology evaluates fraudulent transactions and identifies typical scenarios where the crime occurs — then applies those scenarios to other transactions to assess the risk of fraud. Artificial Intelligence (AI) machine learning is an enhancement to “rules-based” systems, where humans decide on a set of scenarios that lead to a transaction being blocked.

Johan Gerber, executive vice president for security and decision products at Mastercard, says: “There has been a belief that security and customer experience are at odds; if you tweak one, the other one has to suffer. But, moving into the digital world, we believe this is changing tremendously.”

Intelligent decisioning

The availability of new data, intelligence and the ability to identify yourself using your device means security can be increased, protecting customers without introducing more friction into their lives. Mastercard has recently launched Decision Intelligence, which uses AI and combines advanced fraud detection with intelligent decisioning capability. It does this by looking not just at the transaction at that moment but at the norms of behavior of that card over time. Every transaction is then graded against this behavior, with a higher score indicating that the transaction is in keeping with previous activities. While the data remains strictly private, the benefits for protecting cardholders are obvious, as issuers and merchants are able to make better-informed decisions.

“Most fraud technology is looking at assessing the risk associated with a transaction — we call it fraud scoring,” says Gerber. “Within Decision Intelligence, we are doing the opposite. We are looking at the odds that this transaction is actually genuine, by looking at your past and most recent behavior as well as your digital footprint. This is in essence a clear example of AI at work, refining the decisioning based on the most recent data without human intervention.” The focus at certain points in the system needs to switch from preventing and detecting the bad guys to enhancing the experience of the good guys.

The benefits at a global network level are also a balancing act. Mastercard Safety Net was created to address a growing threat from organized cross-market large-scale attacks on issuers. It constantly monitors and analyzes the entirety of an issuer’s network, looking out for recognized signs of unusual activity that could result in cybercriminals working in a sophisticated manner across many markets with the ambition to withdraw millions in a short period. Safety Net can identify attacks as they happen and will alert issuers to take protective action or step in on their behalf, isolating only the accounts under attack while enabling the rest of the issuers’ customers to continue unaffected. Gerber says the system has successfully identified five attacks in 2016 alone.

Keeping ahead of the increasingly sophisticated criminal networks is a challenge, but with focus, expertise, and strong collaboration, payments can be kept secure. The overall experience for consumers, issuers and merchants can improve, leading to easy, seamless shopping while rooting out fraud. ■

The race is on to find more effective ways of analyzing transactions to reduce false declines, while still protecting against fraud

82% of people have stopped doing business with a company due to a bad experience
Source: Forbes 2016
What ROI would you expect if you increased investment in payments?
55% Enhanced customer experience
38% Introduce new payment services/tools
36% Launch value-added services (e.g. loyalty)
34% Increased range of payment options
40% Reduced business costs
38% Improved speed of clearance & settlement
34% Reduced payment frictions
29% Accelerated authorization and processing
29% Reduced PCI-DSS liabilities
41% Gain competitive advantage
34% Increased number of consumer touch points
27% Enable monetized services
Categories: Customer experience; Payment streamlining; Commercial benefit
Source: Ovum, 2015 Global Payments Insight Survey, 2015
©2016 Mastercard