Cameras at the POINT OF SALE? Worldpay Trial Analysis

As a risk, security, fraud and compliance specialist, I should be shouting from the rooftops that this MUST be a great idea to reduce risk and add a layer of security to transactions. But in reality it is not that simple, and it veers towards being a big mistake and a legal and operational disaster waiting to happen.


CUSTOMER POSITION

I am also a customer. I am a customer of a bank that issues me with a card, and a customer of a retailer where I shop. As a customer of a bank that issues me with a card, I might be happy to let them have a picture of me to put on my card, or to make sure that it is me that visits their ATM. But when I signed up for a trial of this 20 years ago, I had to give explicit consent for my issuer to store and use these details on the card and on their systems.

In this case, it is not my issuer that is collecting my photograph or checking it. It is not even the retailer I am transacting with that is collecting it; it is the bank that processes the card for the merchant (the acquirer). As a customer, I DO NOT WANT MY PHOTO taken, kept or processed by the retailer, nor do I want the merchant's acquirer to keep or store it without my consent.

This is an invasion of my privacy. Do not do it. You have no consent from me to take, keep, store or use my personal details (my photo and card details) for any purpose other than what is necessary to undertake the transaction. Indeed, you should be encrypting and anonymising my personal details, as many of the anti-fraud measures and mandates currently in play require. Just how legal this is we will no doubt learn from the Information Commissioner in the days and weeks to come. Fraud on the card is a matter for my card issuer, and of no interest to the acquirer (or merchant) so long as I use a card with a chip and a PIN over the EMV protocol.

SECURITY POSITION

OK, so in the customer journey there is no justification; but what about security? We have already established that this is not the acquirer's problem. Acquirers need to focus their attention on making their own part of the process secure: encryption, stronger depersonalisation (tokenisation) of the transaction, storing less data, and not losing the data they do store. They should also focus on looking for unusual transactions that are likely to cause future difficulties, and on improving security at the till: staff training, merchant awareness, PCI DSS conformity and clarity, and better terminal-tampering awareness and notifications. All of these could help stop the compromises, data theft and attacks that cause £€$ millions in losses and crime at the point of sale.
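As an added illustration of two of the acquirer-side controls just listed (tokenising the PAN so it is never stored in the clear, and watching the authorisation stream for unusual activity), here is a small worked example. It is constructed for this page and is not Worldpay, RiskSkill or card-scheme code; the key, the limits, the window and the sample transactions are all assumptions chosen so that it runs offline.

```python
"""Added example: acquirer-side PAN tokenisation plus a simple velocity check
over an authorisation stream. Constructed for illustration; not Worldpay,
RiskSkill or scheme code."""
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: in production this key lives in an HSM or KMS, never in source.
# It is a constant here only so the example runs offline.
TOKEN_KEY = b"example-key-normally-held-in-an-hsm"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: rejects malformed PANs before they are tokenised."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tokenise_pan(pan: str, key: bytes = TOKEN_KEY) -> dict:
    """Replace the PAN with a keyed hash (HMAC-SHA256) plus a masked form.

    The token is stable for a given PAN, so repeat-customer and velocity
    analysis still work on it, but without the key it cannot be turned back
    into the PAN. The masked form keeps only the first six and last four
    digits, the most PCI DSS allows to be displayed.
    """
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    token = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return {"token": token, "masked": masked}


class VelocityMonitor:
    """Flag a token seen more than `limit` times, or in more than one country,
    inside a sliding `window`. Deliberately simple: real systems score many
    more signals, but the shape is the same."""

    def __init__(self, limit: int = 5, window: timedelta = timedelta(minutes=10)):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)   # token -> deque of (time, country)

    def check(self, token: str, when: datetime, country: str) -> list:
        events = self.history[token]
        events.append((when, country))
        while events and when - events[0][0] > self.window:
            events.popleft()                # drop events outside the window
        reasons = []
        if len(events) > self.limit:
            reasons.append("velocity")
        if len({c for _, c in events}) > 1:
            reasons.append("multi-country")
        return reasons


def screen_transactions(transactions, monitor: VelocityMonitor = None) -> list:
    """Tokenise each PAN, run the monitor, and return (masked PAN, time, reasons)
    for every authorisation that should be referred or declined."""
    monitor = monitor or VelocityMonitor()
    flagged = []
    for pan, when, country in transactions:
        t = tokenise_pan(pan)
        reasons = monitor.check(t["token"], when, country)
        if reasons:
            flagged.append((t["masked"], when.isoformat(), reasons))
    return flagged


# Constructed sample stream: seven rapid GB authorisations on one test PAN,
# then a second test PAN used in GB and France three minutes apart.
_T0 = datetime(2015, 3, 20, 12, 0)
SAMPLE_TRANSACTIONS = (
    [("4111111111111111", _T0 + timedelta(minutes=i), "GB") for i in range(7)]
    + [("5500000000000004", _T0, "GB"),
       ("5500000000000004", _T0 + timedelta(minutes=3), "FR")]
)

if __name__ == "__main__":
    for masked, when, reasons in screen_transactions(SAMPLE_TRANSACTIONS):
        print(masked, when, ",".join(reasons))
```

The point of the keyed hash rather than a plain SHA-256 is that a card number has so little entropy (a known BIN plus a Luhn digit) that an unkeyed hash can be reversed by brute force; with the key held outside the application, a stolen token table is useless to a fraudster but still lets the acquirer correlate repeat use of the same card.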

It is pure folly to introduce a 'photo at the point of sale' (quite apart from the invasion of the customer's privacy). It has NOTHING to do with improved security or reduced fraud, and it is a big diversion from the more important things that MUST be done at the point of sale to help security and help the merchants.

Equally, it is not a great security foundation to start letting ALL acquirers (Worldpay is one of many hundreds globally) store such data somewhere without controls. And how legal is it for them to store pictures of customers from other countries, or a picture of my child hanging on to me?

STRATEGY

I suspect that the eye-catching 'biometric trials' headlines will make it all sound like a good idea, and that we will all applaud Worldpay for 'doing something', even if it has not been fully thought out yet. But I also suspect that these trials are not very big at all yet (maybe just a staff canteen?), as the legal issues may not yet have been addressed or looked at properly. I am also certain that the Information Commissioner will not have been involved either, but I hope it will be on the agenda when I see Christopher Graham tomorrow morning!

The whole industry is also racing ever faster into biometrics, with fingerprints via Apple Pay and Android Pay / Google Pay etc., with the added security of tokenisation, a secure element and customer control of the biometric (i.e. it is stored nowhere other than on the phone, by the customer). So what happens to the transaction if there is no PIN, or if it is an NFC payment? Mmmmmm, more thinking to be done somewhere about where all this is going.

PRACTICALITIES

And let's not ignore the issues around what happens when I change my hairstyle or make-up, remove my beard this week, or wrap up warmer with a hat as we all will next month.

SCHEME RULES

Is this allowed by the schemes? Is there a compliance issue here? Yes, damned right there is. The message collected with the card must comply with a defined format, the full message must be sent to the issuer, and it is the issuer that must make the authorisation decision about the customer, NOT THE ACQUIRER. If the card schemes had been involved in and/or permitted this (which I doubt), then the normal route with these things is for the scheme to join in with the publicity and announcements, which I have not yet seen.

Great idea Worldpay, great initiative, but it is not for me as a customer, as a merchant, nor as an issuer or as a card scheme.

For further information, contact Bill Trueman or Kevin Smith, both eminent risk and fraud specialists, at http://www.riskskill.com/ or enquiries@riskskill.com


Risk Review FAQ – A Guide to Risk Review


A Comprehensive Guide to Commercial Risk Review, Risk Management, Fraud Prevention, Business Loss Prevention, Bank Fraud Prevention, Due Diligence, Compliance, Audit, and Much More…

Bill Trueman (an independent fraud and risk specialist and director of RiskSkill) recently wrote a comprehensive article on risk review, due diligence, compliance, fraud prevention, risk management, fraud detection, mobile payment risks, card risks and a lot more. After reading it you will have answers to all of the following questions.

What should I do to prevent losses in my business, bank or organisation?
What can I do to stop, detect or prevent any kind of risk in my organisation?
How can a risk specialist help to stop losses in a company, bank or organisation?
How do I review the risk within an organisation before making an acquisition?
What is due diligence?
What is compliance?
What is an operational risk review?
What is a credit risk review?
What is a financial risk review?
What is enterprise risk management?
Can fraud or risk be prevented?
Can card fraud be prevented?
What is a risk review?
Can mobile payment fraud be prevented?
How can fraud be prevented in insurance companies?
How can fraud be prevented in telecom companies?
Is hiring a fraud and risk professional a costly affair?
Where can I find a good, reliable risk and fraud specialist?
Does RiskSkill provide its services globally?
When should I take up the solutions provided by Riskskill or other consultants?
What is Visa/MasterCard compliance?
Our organisation has been instructed to perform an independent risk review by one or more of the international card schemes; what should we do?
What are the benefits of hiring a risk specialist?
What does a risk specialist do?
How do I hire a risk specialist?
Where do I hire a risk specialist from?

I hope you have found lots of good and useful information about risk review and fraud prevention; if you like this article, please share it with others.


Judges Pave Way for Banks in US to Sue Target over 2013 Data Breach


I read with interest the news in Finextra and elsewhere that the banks have been given the go-ahead to sue Target for $30m for the re-issue costs associated with the 2013 data compromise. This puzzles me, as I then want to know how the figure of $1,200 per card is calculated.

The cost of re-issue will be less than a tenth of that per card. How they can justify a loss of that size on a re-issue alone is not conceivable.

Accordingly, this figure MUST have been calculated to include some 'consequential loss', i.e. the losses incurred when the compromised cards were then used. The banks will therefore have to show fraud losses on their cards (as well as their re-issue costs).

If I were in Target (and/or on the lawyers' defence team), I would have plenty of defence arguments to tender:

a) What did the banks do to mitigate the losses?
b) What did their systems look for in the way of unusual transactional activity?
c) As the cards were compromised with only limited security feature details lost, why did the banks not check the security feature details and decline the fraudulent transactions at authorisation time (as is done in most other banks, certainly around the rest of the world)?
d) As a preventative measure, why had the banks not implemented greater security with EMV (and/or EMV with chip and PIN), as this would have significantly (or completely) removed the possibility that these cards could have been of any use? The US issuers involved are far behind the global 'curve' in upgrading to technology that was introduced across the rest of the world 10 to 15 years ago.

Someone please introduce me (or any other card-fraud/risk/loss specialist) to the consortium of banks or their lawyers to help build their case against Target; or, better still, to the Target people (and/or their indemnity insurers), as they probably have the much better and more fun case to present to the courts.

In all cases and scenarios, this will be a superb case to watch; it reveals how poor the infrastructure in the USA is, and how far behind both the infrastructure and the thinking actually are, on all sides of the argument.

Thanks

Bill Trueman

 

Is EMV Chip and Pin Really the ‘Money Pit’ for Retailers?


I do not agree with this at all; we should exercise some degree of balance:

Maybe we should have called for a 'national' business case to be written, as this has not been done.

Perhaps we should have examined the global context too: the USA is only one country in the world, just about the only one that has not attempted to create the business case, and the only one where the retailers are (or allegedly have been) feeling this way. Again, the USA is the ONLY developed country that has not implemented this USA-designed and USA-led initiative.

In many (most?) countries, the retail consortia and lobbying groups have driven these initiatives forward in order to make the sales process better and smoother. For instance, in most countries the retailer no longer even touches (or sees) the card: the customer simply dips the card on his or her side of the counter, enters a PIN, removes the card and leaves with a printed receipt. Retailers have insisted on this to:

a) ensure that the process is speeded up;
b) increase and improve security, by avoiding the retailer handling the card;
c) make the transaction fully electronic and thereby reduce chargebacks and the paper handling and re-handling needed when chargebacks and disputes occur.

There needs to be a lot better thinking before we start calling EMV the “Money Pit” for Retailers.

The author (Bill Trueman) is a payments, fraud and risk specialist helping businesses worldwide with risk review, risk management, due diligence, compliance solutions, fraud prevention, mobile payment fraud prevention, card fraud prevention and much more.

Also see another blog post on EMV chip and PIN by Kevin Smith, an eminent fraud and risk specialist and Joint Chief Executive at AIRFA.

For more information on EMV Chip and Pin technology, fraud, risks, pros and cons visit http://chipandpinusa.com/


UK Banks Covering up Cyber Crime Losses – City of London Police

A widely-held suspicion that UK banks are covering up the true scale of cybercrime has been confirmed by the City of London Police chief Adrian Leppard, who says that up to 80% of online crime goes unreported to the authorities.

Speaking at a Tech UK conference, Leppard says that the vast gap between what is reported and the actual threat level arises "primarily because banks are happy to write off incidents as costs, thereby costing the consumer collectively and funding ongoing cyber-criminality". The Commissioner told the audience that the scale of the threat is much greater than the public think, so much so that it may have even surpassed what drugs have delivered to the criminal economy. He argues that the banks' unwillingness to report the true extent of cybercrime makes it harder to gain an accurate picture of the threat to the national economy and the resources required by police to counter the criminals. In November last year, a Treasury Select Committee hearing into cybercrime and fraud heard evidence from Dr Richard Clayton, a senior researcher in security economics at the University of Cambridge, who said that "insider" accounts of fraud losses at banks are double the numbers generally reported publicly. This followed a July Home Affairs Committee report on e-crime that accused British banks of letting cyber-crooks carry out crime in a 'black hole' of impunity by failing to report or investigate fraud.

Comments by Bill Trueman on this news:

We need to be very careful about articles like this, and comments like this too.

The issue here is about REPORTING not dealing with (investigating, prosecuting and deterring) the crime.

The real question is: of the crimes that are reported to the authorities (i.e. the police), how many are investigated, how many are prosecuted, how many organised gangs are identified and stopped, and how many opportunists are deterred? We can assume that the answer on all counts will be "almost ZERO %".

I have sat with senior City of London Police people over many years (mainly in the 1990s) who have refused to accept reports of fraud from banks because they have no resources to investigate and prosecute. Accordingly, £100 millions of card fraud ARE reported and not progressed, and £100 millions of insurance fraud go the same way without even being reported, except for the MAJOR, MAJOR cases that are accepted by the police from the Insurance Fraud Bureau.

Trying to get Leppard to accept such cases is nigh on impossible, as only the top fraction of 1% are progressed. And do not even start talking about, or reporting to the police, Inland Revenue, local authority, NHS, benefits etc. fraud, because they won't look there either.

In the UK we (mainly the banks) are held up globally for the exceptional collation and reporting of card, banking and insurance fraud, and as UK PLC we were leading with the statistical collation of fraud. This was all done 20 years ago as a fall-out from the Levi Home Office report and 'wrapped up nicely', except for the police investigation and prosecution bit, which is still absent.

So it is easy, but also abhorrent, that a police officer should stand up and throw stones at an industry that has been doing its bit for a long time. The industry also funds the fraud reporting centre that HE RUNS as part of the City of London Police, so it is actually a) under his control and b) HIS issue too!

BUT.... let's look at what we are talking about here..... We are asked to believe that banks are "covering up cybercrime". What is this cybercrime? As far as the banks are concerned, they lose money to criminals who attack them to obtain money through the abuse of their systems and processes. This is how it has always happened, and the banks are good at losing money in this way. Just because a new term started to be used 3-4 years ago does not change the fraud position:

– Banks are attacked and lose money

– Some of it will always get misrecorded as bad debt when the crooks have managed to con the banks that it was thus. The agreement with all parties has always been that this will not be considered fraud (cybercrime) and will not be reported. The police adamantly refuse to accept such reports too, believing that the banks have brought this upon themselves by lending money to these cybercriminals in the first place (ironic, eh?).

– Cybercrime / fraud losses are experienced, reported and not investigated.

It is OK to moan at the banks these days, for everything, and often they are to blame for a lot of their own mistakes; but in this case we must be careful to spot that here we have a big policeman throwing stones from a very big greenhouse.

Perhaps we should start asking him a few big questions and stop this outrageous reporting. It is also probable that he was taken out of context in this reporting, as I am afraid that I cannot believe a responsible policeman would be so stupid as to criticise his partner banks, his funding bodies and the people who are patiently waiting for him to do his job rather than trying to do theirs.

Bill Trueman is Director of Riskskill (http://www.riskskill.com/)

Source News: http://www.finextra.com/news/fullstory.aspx?newsitemid=27226

Riskskill Appointed by Visa Inc. as an Approved GARS Reviewer

Riskskill has been approved as a trusted vendor for Visa Inc., specifically as a Global Acquirer Risk Standards (GARS) programme reviewer. The Visa Inc. risk team monitors acquirer performance, i.e. the organisations, often major banks, that process card transactions and other electronic payments for merchants. Riskskill will now assist acquirers that want to demonstrate their compliance with applicable legislation and card scheme rules.

There are only a small number of similar approved vendors globally, and most of these are based in California. With the addition of Riskskill to the Visa Inc. programme, payment and risk management expertise is now available to acquirers in EMEA and around the globe, including across the wider USA.

Riskskill is a business advisory and management-consulting specialist, which focuses upon risk management practices and compliance within financial services and retail businesses.

The Riskskill team is heavily engaged in this part of the payments sector and has helped many acquirers (and large merchants) to review and grow their business in the right way with strong risk and exposure controls.

Visa Inc. proposes that acquirers engage a Visa-approved reviewer such as Riskskill to carry out a GARS review. The reviewer then works on-site with management and teams at the acquirer to look at current practices and procedures and identify business improvements.

Within a GARS review, Riskskill advises on all aspects of the merchant acquiring business, including merchant and third-party partner/agent recruitment and management, underwriting and sales policy and practice; agreements and contracts; settlement operations and procedures; portfolio quality, ongoing merchant management and monitoring; merchant closure and termination; fraud, chargebacks and compliance programmes; merchant training; and data/systems security.

Kevin Smith, who manages the acquirer GARS practice at Riskskill, commented that: "With a deep knowledge of the payments business and risk management requirements, the team at Riskskill look forward to working closely with more acquirers that want to improve their acquiring performance and be able to independently demonstrate this to other organisations such as Visa Inc. We are delighted that Visa Inc. recognises the skills and expertise at Riskskill, and our capabilities in global risk management."

About Riskskill (www.riskskill.com)

Riskskill is a leading Europe-based risk management consultancy, with an impressive international track record of eliminating the risk of losses, reducing risks and exposures, and working with clients to put in place strategies and programmes of work to remove or prevent losses, regulatory issues and other fraud or bad-debt and compliance problems. Its people are widely accepted as some of Europe’s leading risk and fraud experts and they are frequent commentators on the issues involved. The key team have a wide experience in banking, insurance and the financial services and payments sectors and are thought leaders at the forefront of many industry wide and international debates.

Riskskill (http://www.riskskill.com/) is one of only six organisations globally that have been confirmed as qualified and approved to complete GARS reviews for Visa Inc.

For further information, contact:  Bill Trueman or Kevin Smith at Riskskill.com
enquiries@riskskill.com
or
Leigh Richards, The Right Image PR, 0844 561 7586 – leigh.richards@therightimage.co.uk

Read the full story here: http://www.pr.com/press-release/614755

How Enterprise Risk Management can Help a Company?


Risks can cover a multitude of things and present themselves in many different ways. They can be simple and easy to address, or they can get left and at some point become catastrophic. They can also be known and accepted, or simply unknown, misunderstood, or arise suddenly to surprise your organisation. Accordingly, it is imperative to understand and assess the risks as they change, which is fundamentally the root cause of much legislation across the globe. Today it has become a cliché that 'change is the only constant in business', which creates the need for continuous risk review, understanding and implementation of new protections and measurements. This is why we see in the media (and the reason we work with a lot of our clients) details of sudden failures that usually stem from an absence of understanding of the risks associated with a business. It is also why internal and external shareholders alike increasingly emphasise scrutiny of, and expectations for, their risk management functions.

What is Enterprise Risk Management?

A lot is talked about 'Enterprise Risk Management' (ERM) as a framework to measure, understand, assess and report upon wider business risks and uncertainties, and we also offer such 'formalised' services. But at the end of the day this is a 'new name' for a very old concept: better understanding our risks; taking a break from 100% selling and growing a business; starting to consider, manage and understand the risk in most business decisions; and then understanding and implementing the right solutions. 'Enterprise risk management consulting services', or whatever you want to call them, not only refocus a business on better decision-making but make sure that there is a continuing consideration of the risks and the maintenance of an intelligent risk culture within the business.

How can 'Enterprise Risk Management' help a company?

Again, let's not get too hung up on the terminology. The principles are about striking a balance between getting and keeping new business, and making sure that the risks that could destroy a business, or make it less profitable, are mitigated. So it is about 'applying a framework' to identify, assess, communicate and address the risks. A risk-management framework can consist of many things, but these should form the core of any such framework:

a) Risk governance, management and culture development, i.e. the direction, policy and strategy.

b) Risk prevention, by spending the time to put protections in place.

c) Risk assessment, i.e. looking at the risks.

d) Risk quantification and aggregation, to evaluate the priorities.

e) Risk monitoring, to keep these in mind and managed.

f) Risk reporting.

Smaller businesses do not have such great challenges, as decisions on how to do things are made every day (often by individuals). Within larger businesses it is hard for the CEO or board-level people to make the right risk-based decisions when their businesses are so widely spread out, and with so much else to do to please customers, shareholders, markets and (often) the public. Applying the latest 'ethereal' model to assess and manage risks, often imposed by legislation, is often the way the biggest companies go; and they do this without a fundamental understanding of, or properly thinking about, what is actually needed as a bespoke solution for THEIR business.

Advice: what can you do?

a) Don't adopt a single framework, try to squeeze it into your organisation and expect it to work. The design will depend upon your organisation's culture and will need to 'marry up with' your business development requirements, i.e. it has to be right for your business.

b) Build an understanding and consideration of the risks of new projects and of doing business into your culture. We believe that all businesses should (internally) be transparent in including the risks in all decision making, and take a broader view in understanding the risk vs. business trade-offs. We never find, with the organisations we work with, a need to change the existing organisation structure and management; but we do find a need to improve communication of the risk-adjusted exposure measurement and decision-making.

c) Conduct risk management reviews within your business and identify ways that the risk management functions can improve business growth, rather than accepting that risk management is a business inhibitor. People buy from and work with companies that are safe and have considered the risks properly. In addition, fraudsters and exploiters attack those with the lowest protections and the weakest risk management.

Bill Trueman is Director and CEO of UKFraud (ukfraud.co.uk) and RiskSkill (riskskill.com) and a member of AIRFA.

Source Article: http://www.ukfraud.co.uk/articles/enterprise-risk-management.html