In Wake of EMV Switch, US e-Commerce Fraud Soars!


As the US switched to the EMV chip card system, e-commerce fraud rates jumped by 33% last year, according to Experian. In late 2015 the US finally followed much of the rest of the world when Visa and other card schemes switched the liability for fraud-related losses to retailers that have not upgraded their hardware for EMV.

Experian notes that the increase in e-commerce fraud follows a pattern similar to that in countries that previously rolled out EMV cards – UK, France, Australia, and Canada – which also saw gradual increases in card-not-present fraud.

“We suspect that the EMV liability switch and increased adoption by merchants of chip-and-pin enabled terminals have had a profound impact on driving up e-commerce attacks,” says the firm.

Fraudsters who typically relied on counterfeit fraud have shifted their focus to the digital channels where they can have more success, and as more attackers enter a rapidly growing mobile and online commerce space, it becomes increasingly difficult for merchants to spot them.

This means that businesses need to expect the increase in e-commerce fraud to continue over time and to be prepared to deal with it by employing a multi-layered approach that pairs transactional data elements with details about the user and their device.

Experian says that the biggest component of credit card fraud trends is the fact that 2016 was a record year for data breaches. There were 1,093 breaches, a 40% increase from 2015, according to the Identity Theft Resource Center.

Meanwhile, the Federal Trade Commission recently revealed a jump in consumers who reported that their stolen data was used for credit card fraud, from 16% in 2015 to more than 32% in 2016.

The record number of data breaches is a signal that future fraudulent activities will take place, warns Experian.

What Bill Trueman, an Eminent Risk Specialist, Says About This:

1. Of course e-commerce fraud will rise. It is rising everywhere as e-commerce and m-commerce get used more.

2. Naturally, if you stop fraudsters using cards at the point of sale with EMV, they will move to CNP.

3. If you do not put in protections in your CNP channel, fraud will rise.

4. USA fails to adopt (or plan for) protections in the e-commerce channel.

5. The late adoption of EMV in the USA has caused a lot more data compromises for longer in this market.

6. EMV adoption is starting to see fraudsters deterred from CO fraud opportunities already as they move to other softer targets.

Bill Trueman is an eminent independent payments and risk specialist helping business and bank owners manage risk and fraud and save millions. He is a director of the globally well-known RiskSkill and UKFraud, and an active member of AIRFA, a worldwide organization of fraud and risk advisors.

Is the Existing Business Worth Buying: Due Diligence?


There are times when you might see worth in buying an existing business. You might find the prospect promising and profitable. This is the time when due diligence should start, by accessing the records and books of that business. You are given a suitable period to investigate various facts and figures, which will give you a genuine picture of its performance and prospects. It will also show you the points, issues, problems and loopholes that would require prior warranties or guarantees before the contract is signed.

Due Diligence

If you are new to purchasing existing, working businesses, then you should educate yourself on the three elementary categories of due diligence, which are to be followed without fail. You might also want to hire a separate adviser for each of the categories mentioned below:

Commercial Due Diligence: It includes assessing the credibility of the business in the market, evaluating its competitors and determining the regulatory environment.

Financial Due Diligence: It comprises gauging and comparing the numbers to ensure that there are no loopholes, black holes or hidden monetary matters.

Legal Due Diligence: When you enter into a contract of sale and purchase, lawyers should judge the legal title of the business to sell. Lawyers should also appraise the ownership of every asset and ensure that all litigation and regulation issues are completely addressed.

When to Start Due Diligence?

First agree on a price and terms with the selling business, then begin the due diligence process. There is a possibility that they might withdraw their business from the market during your enquiry. This period is called the “exclusivity period”, and for it the seller generally demands a down payment as security. In most cases, this period spans a minimum of three to four weeks. Remember that this investigation period is passable.

Where to Get Help From?

One of the most common methods of due diligence is to employ solicitors and accountants on your payroll. They will classify the risk zones for you. However, if the existing business you are buying is registered with Companies House, you can obtain copies of its accounts, annual returns and various other important documents relating to the prospective business. For this, you can use the Companies House WebCHeck service.

You can download the documents from the Companies House website. Note that there might be a small fee for this facility for evaluating the business's value along with its assets.

What Points to Examine During Due Diligence?

You must understand that it is not just about finances; due diligence spans beyond this one important factor. The “exclusivity period” should end with positive results, yielding all-inclusive information about the business and its prospects. You should know exactly what you are buying; what will need your immediate attention; what should be fixed; what the cost of correcting the negative aspects or risks will be; and lastly whether the business is the right investment for you or not.

In other words, at the end of the “exclusivity period”, you must have the answer to whether the existing business is worth buying. Due diligence should cover the following points:

  • Commercial management, which should include marketing, client service, research and development
  • Issues related to environment
  • IT systems and other technologies
  • Foremost orders and contracts
  • Unsettled litigation
  • Terms and conditions of employment

Information Sources

When carrying out due diligence, make sure to go into depth and find every possible piece of information regarding the business. The information can be unearthed in the form of documents or in other ways. You must find out:

Employment Contracts
Payroll Records
Staff Files
Staff Manual

In some cases, copies of the following might also be relevant:

Financial Statements
Pension and Profit-Sharing Plans
Union Contracts

Beyond these, you should also contact the bank, the government taxation department and other external sources.

For more information on due diligence and due diligence services, one can contact Bill Trueman, a highly experienced specialist in risk review and due diligence. He is a permanent member of AIRFA, and a director of RiskSkill and UKFraud.

Mitigating Third-Party Risks with Due Diligence


The entire world is globalized, and the new era presents a series of challenges in every domain, including doing business with overseas companies. It has become the need of the hour to implement an approach that is streamlined, resource-efficient and sustainable. Through this approach, third-party risks can be mitigated, compliance can be supervised, and issues as well as investigations can be managed more efficiently.

Precis

Expansion of business always brings revenues, but it also opens a window to new risks through third-party relationships, which may be with a distributor, supplier, lawyer or even a client. Some common types of risk that they bring relate to IT security, the environment, quality, regulatory compliance, corruption, and health and safety. Most of the general risks can be assessed and dealt with by the business itself. However, with third-party deals there is always extra scope for risks that can only be minimized through due diligence.

The Catch

If the risks are not identified and mitigated at an early stage, they can turn into an avalanche and sabotage the company’s reputation as well as its profitability. Adding salt to the wound, when the fault lies with the third party, the original company that made a deal with it will be held responsible. Hence, one side of the coin is the progress and growth of the business; the other side is the many risks associated with it.

The Solution

“Due Diligence” is the pathway not only to mitigate third-party risks but also to inspect compliance, carry out assessments related to due diligence, find gaps that might turn into a risk or compliance violation, and proactively remediate the issues found.

Key Instances of Third-Party Violation

  • In 2009, there was a case in Dallas where a healthcare provider caught its contract security guard hacking into various computers, including the systems on which the confidential data of the patients was stored.
  • In 2011, a UK-based international insurance intermediary was fined by the FSA for failings in its anti-bribery and corruption systems and controls.
  • In 2012, a third-party contractor was found in violation of most of the rules regarding labor and working conditions in its factories, which brought unwanted negative publicity to the top technology manufacturing companies.

Mitigating Third-Party Risks with Due Diligence

Companies around the world follow a series of fragmented approaches in trying to develop effective systems for managing compliance and third-party risks. Still, companies tend to fall short of a fool-proof system for mitigating third-party risks. Some companies find themselves between a rock and a hard place because of the constant changes, whereas a few companies focus only on managing the third party. Hence, companies fail on ethical aspects such as bribery, regulatory violations, security breaches, money laundering and others.

In such a situation, a comprehensive framework is required that will assist in 100% third-party due diligence. Important factors in this regard are:

  • Audits
  • Controls
  • Investigations
  • Risk Assessments
  • Policies
  • Timely Issue Remediation
  • Training Programs

If such a strong and comprehensive framework is made and implemented, then not only will the third-party risks be mitigated, but the companies will also be able to forge more credibility in the international arena.

Challenges Related to Third-Party Business Deals

1) The third-party network can be quite complicated. Since third parties cannot be managed directly like permanent employees of a company, an indirect approach is followed for management purposes. This makes it very difficult for the main businesses.

2) Redundancies can be seen when a specific third party is managed by more than one department of a business. Duplicated efforts are common in this case.

3) High costs are always present, which cause businesses to ignore due diligence after the deal is made.

4) Regulatory compliance

5) Restricted transparency and huge volume of data to be processed

Highlights of Mitigating Third-Party Risks by Strengthening Due Diligence

The companies or businesses should make a blueprint of schemes or procedures that they need to implement so that risks are reduced to minimum.

1) Take enough time: Businesses should take enough time to conduct background checks on each and every third party. They should NEVER be casual about even one parameter, as it can lead to unforeseen risks and credibility issues.

2) Conduct comprehensive risk assessment: Companies should consider the country, regions, international laws and regulations, labor issues and guidelines, and other related factors while assessing the risks associated with an international third-party deal.

3) Create your own policies and code of conduct rules and make sure to communicate these completely to the third parties. This keeps both parties on the same level and improves the understanding between them.

4) Due diligence should be performed without fail to mitigate third-party risks, especially in cross-border deals.

The author of this post is Bill Trueman, an eminent payment, due diligence, risk and fraud expert who provides consultancy services to card issuers, banks, corporates and business organizations all over the world. He is chief executive of RiskSkill and UKFraud, and a member of AIRFA.

How Can Due Diligence Prevent Fraud in International Contracts


Whenever someone makes a contract with an organization, there is always some chance of fraud, whether very low or very high. However, organizations always claim to have the utmost transparency. As an investor or consumer, you should be aware that there is no such thing as 100% transparency or a 100% fraud-proof contract in any domain. Even though intentionally cheating another party is considered a criminal offense under law, frauds are still prevalent, if not on a large scale then certainly on a small scale.

Commercial frauds have even caught the attention of the UN, which has termed them among the present era’s supreme coercions. It has acknowledged commercial fraud as an international phenomenon that harms the stability of the economy of every country.

General Commercial Frauds: These are related to activities like Deceptive Advertising or Marketing, False Reporting, Falsifying Documents, Non-Delivery, Piracy, Overriding of Regulatory Breaches and Thefts.

Popular Scandals: Deutsche Morgan Grenfell in England and Enron in the U.S.

Be Cautious in International Contracts

If you plan to enter into an agreement, then it is recommended to audit the other contracting party on the relevant matters, such as financial records, past complaints, clients etc. This step is crucial during the negotiation stage and should be continued even after negotiations end. This small step will help to minimize your financial loss and keep you from getting into any legal trouble.

A few relevant matters of investigation are:

1. Government rules and regulations of each nation
2. Indemnities, loans and other financial arrangements
3. Information technology such as security of system, upgrades etc.
4. Language or cultural obstructions
5. Potential in the market and prospects of future performance

Stay Safe from Frauds in International Contracts

With every passing year, new frauds surface, whether on a large scale or a small one. It is only by staying alert that you can protect yourself, your company and your investment from fraud in international contracts. Below are some pointers that will guide you in safeguarding yourself from fraudsters:

Specialization is necessary. You can take the assistance of lawyers or consultants who specialize not just in international contracts but also in the domain in which you are dealing. This is very beneficial if you are not an expert yourself. In addition, you can spend your money on acquiring marketing and accounting specialization.

Use Secure Payment Methods and Letter of Credit. Whether you are dealing with a known entity or not, you should still take all possible precautions to draft clear and secure terms. In the banking industry, there are strong terms for “Letters of Credit” that come with the bank’s guarantee for partial payment or seller’s payment on behalf of buyers. Although the risk is not entirely eliminated, these can be instrumental for novice traders in mitigating the chances of fraud.

Mention Important Clauses in Contracts. In the international contracts, frauds can be avoided or their chances reduced by the inclusion of important points that can be called negotiating requirements, for instance certification, currency, product samples, insurance, and other regulatory documentation.

The authors of this post are Bill Trueman and Kevin Smith, eminent payment, due diligence, risk and fraud experts who provide consultancy services to card issuers, banks, corporates and business organizations worldwide. They are chief executives of RiskSkill and UKFraud, and members of AIRFA, a worldwide known independent organization.

Understanding Online Payment Frauds


If you are an e-commerce owner, then the term “payment fraud” must be well known to you. The main reason for its popularity is the huge cost burden caused by these frauds to your business, not to mention the degradation of your credibility as well as client’s trust.

Generally, a payment fraud can be understood as an illegal or false transaction done over the Internet. Since all e-commerce businesses sell products online, their payments are made online as well, and hence the chance of payment fraud is greatest for them. It can be said that such frauds are unstoppable; however, if an e-commerce owner uses effective anti-fraud protection in its website or system, the frauds can be avoided.

Cyber thieves are constantly on the lookout for even the smallest gap or glitch in the online system (website, payment gateways etc.). Through these gaps or glitches, they can steal private information. Other ways of doing so are directly contacting the owners of credit cards via SMS or email (known as phishing frauds); redirecting the transaction to a fraudulent website; or even calling them while pretending to be a customer care executive of the e-commerce website concerned.

Common Scenarios of Payment Frauds:
Credit Card Frauds
Disagreement in accepting product delivery
Fake Returns

1. Credit Card Frauds

This ranks among the common crimes related to online payments. The easiest form of misuse is that a fraudster steals the card and uses it to shop online for various products. In this scenario, the affected party (the consumer) can get that specific amount back after some effort, but the merchant loses that amount as well as the product.

2. Disagreement in accepting product delivery

In this scenario, a fraudster places an online order for products and the merchant sends the order to the fraudster, who then puts forward the claim that he or she did not collect the product. In this case, the truth lies somewhere between a rock and a hard place, and hence is hard to determine.

3. Fake Returns

In this case, the customer tries to convince the merchant that the ordered items have been sent back and that the money should be refunded. However, those items never reach the merchant. In a variant, the customer claims to have returned more items than were actually sent back to the merchant, and hence claims a complete refund.

From this, merchants should understand that although the “client is king”, the client is not always honest and truthful. Therefore, they should implement suitable measures and policies to counter the aforementioned payment frauds.

For more information about online fraud, payment fraud, commercial fraud, cyber fraud and fraud prevention strategies, visit the website http://www.riskskill.com/

How to Keep Payment Frauds at Bay?


Skimmers and cybercriminals are some of the terms used for the fraudsters who are responsible for payment frauds. Such criminals strip victims of funds, property, and crucial personal information. Generally, three scenarios can result in payment frauds: first, stolen or lost goods; second, unauthorized transactions on the Internet; and lastly, false requests for refunds or similar scenarios. The main reason these are the prevalent factors in online fraud is the immense boom in the e-commerce sector, which relies heavily on online payments for the selling and buying of goods.

There are various modi operandi that fraudsters follow to acquire sensitive information and make an online fraud possible. The popular ways are email, instant messaging, online auctions, phone calls, rerouting internet traffic to fraudulent websites, and lastly sending text messages containing malware to smartphones. Since everything is online nowadays, there is an increasing number of gaps or glitches in some online systems. These are the weaknesses that cybercriminals target. Even a firewall, if it is not kept up to date with new technology, can be exploited by fraudsters to steal users’ sensitive data and make payment fraud a possibility.

There are some ways in which you and the e-commerce industry can help to reduce payment frauds or keep them at bay. The first method is to ensure regular automatic updates of your anti-virus, anti-malware, and firewall software. These programs act as a shield against hackers and block their attempts to gain access to a secure network. Hence, updating them continuously is necessary. A few other ways to safeguard your online presence and shopping experience are mentioned below:

1. Stay up to date with the latest fraud trends. You can subscribe to the newsletter of a reputed organization delivering such a service.
2. Always pay online via an authorized and well-known payment gateway.
3. Change your login credentials and tokens on a regular basis.
4. For each transaction, the customer should log in to complete the payment.
5. Keep checking your system with anti-virus and anti-malware software.
6. Try using an encryption program for emails and / or transactions where important information needs to be shared.

Types of Payment Frauds

Phishing Scams: These are the most common forms of payment fraud. They are prevalent in emails or URLs that require you to enter private or personal data, such as bank account and credit card login credentials. You can stay away from phishing swindles by trusting only the known and original websites of the merchants. If you receive an e-mail from an unknown account or person, just mark it as spam.

Page jacking: Here, the hackers take control of some part of an e-commerce website, through which they reroute the website traffic to a different website that may have malicious code that can be used to access a network security system. It is the responsibility of e-commerce business owners to be aware of such activities.

Identity theft: This type of fraud is not limited to the Internet; it is possible offline as well. Once the user’s personal information is stolen by a fraudster, it is used under false pretenses – this is identity theft. One way of avoiding it is NOT to log into public Wi-Fi.

The authors of this post are Bill Trueman and Kevin Smith, leading payment, risk and fraud experts who provide payment fraud prevention consultancy services to card issuers and banks worldwide. For more information, one can visit their website at http://riskskill.com/

Cameras at the POINT OF SALE? Worldpay Trial Analysis

As a risk, security, fraud and compliance specialist, I should be shouting from the rooftops that this MUST be a great idea to reduce the risks and add a layer of security to the transactions. But in reality, it is not that simple, and veers towards being a big mistake and a legal and operational disaster waiting to happen.


CUSTOMER POSITION

I am also a customer. I am a customer of a bank that issues me with a card and a customer of a retailer where I shop. As a customer of a bank who issues me with a card, I might be happy to let them have a picture of me to put on my card or to make sure that it is me that visits their ATM. But when I signed up for a trial 20 years ago for this, I had to give explicit consent for my issuer to store and use these details on the card and on their systems.

In this case, it is not my issuer that is collecting my photograph or checking it. It is not even the retailer that I am transacting with who is collecting it; it is the bank who is processing the card for the merchant; and as a customer, I DO NOT WANT MY PHOTO taken, kept or processed by the retailer, nor do I want the merchant’s acquirer to keep or store it without my consent.

This is an invasion of my privacy. Do not do it. You have no consent from me to take, keep, store or use my personal details (my photo and card details) for any other purpose than is necessary to undertake the transaction. Indeed, you should be encrypting and anonymising my personal details as is required by many anti-fraud measures, and mandates in-play at the moment. Just how legal this is we will no doubt learn from the Information Commissioner in days, weeks to come. The fraud issue is one for my card issuer, and is of no interest to the acquirer (or merchant) so long as I use a card with a CHIP and a PIN and an EMV protocol.

SECURITY POSITION

OK – so in the customer journey, there is no justification, but what about the security. We have already established that this is not the acquirer’s problem. The acquirers need to focus their attentions upon making their part of the process secure, with encryption, stronger depersonalisation (tokenisation) of the transaction, storing less data, and not losing data. They should also focus upon looking for unusual transactions that are likely to cause future difficulties and improving security at the till, staff training, improving merchant awareness, ensuring PCI DSS conformity and clarity and better terminal and tampering awareness and notifications; all of which could help stop compromises, data theft and attacks that cause £€$millions in losses and crime at the point of sale.

It is a pure folly to introduce a ‘photo at the point of sale’ (as well as a customer invasion of privacy), and certainly NOTHING to do with improved security or reduced fraud: and a big diversion from more important things that MUST be done at the point-of-sale to help security, and help the merchants.

Equally, it is not too great a security foundation to start letting ALL acquirers (WorldPay is one of many 100s globally) store data somewhere without controls. And how legal is it for them to store pictures of those from other countries, or a picture of my child hanging on to me?

STRATEGY

I would suspect that the eye catching ‘biometric trials’ headlines will make it all sound like a good idea, and let’s all applaud Worldpay for ‘doing something’ – even if it has not been fully thought out yet. But I would suspect that these trials are not very big at all yet – maybe just a staff canteen? – as the legal issues may not yet have been addressed or looked at properly yet. I am also certain that the Information Commissioner will not have been involved either – but I’d hope it will be on the agenda with Christopher Graham’s  when I see him tomorrow morning!

The whole industry though is also racing faster into biometrics with fingerprints via Applepay and Androidpay / Googlepay etc. with the added security of tokenisation, secure element, customer control of the biometric (i.e. it is stored nowhere other than on the phone by the customer), etc. So, what happens to the transaction if there is no PIN, or if it is an NFC payment? Mmmmmm – more thinking to be done somewhere about where all this is going.

PRACTICALITIES

And let’s not ignore the issues around whether I change my hairstyle, make-up, or remove my beard this week, wrap-up warmer with a hat as we will do next month etc.

SCHEME RULES

Is this allowed by the schemes? Is there a compliance issue here? Yes – damned right there is. The message collected with the card must comply with a format, the full messaging must be sent to the issuer, and it is the issuer that must make the authorisation decision about the customer – NOT THE ACQUIRER. If the card schemes have been involved and/or permitted this – which I doubt – then the normal route that is taken with these things is for the scheme to join in with the publicity and announcements – which I have not yet seen.

Great idea Worldpay, great initiative, but it is not for me as a customer, as a merchant, nor as an issuer or as a card scheme.

For further information, contact Bill Trueman or Kevin Smith, both eminent risk and fraud specialists, or get in touch via http://www.riskskill.com/ and enquiries@riskskill.com
