E-Money Risk, Fraud & Compliance Advisory Service by RiskSkill

About RiskSkill’s e-Money Compliance Services

RiskSkill helps businesses avoid €multi-million fines and embarrassing, brand-damaging mistakes arising from regulatory non-compliance and from process and regulatory errors. We also help clear up the mess when we are called in later.

E-money Licence Changes:

Recent financial services legislation in the UK has led to the Financial Conduct Authority (FCA) introducing a Payments Systems Regulator from April 2014. The ECB and the European Commission are also proposing ways to regulate and police the whole e-money arena, as are the international card schemes. The FCA is now also starting to review and audit the e-money licences it has previously granted, checking for observance of ALL regulations and also best practices.

We believe that the FCA have seen that the governance of payment systems, including e-money issuers, is a difficult and continuous task and needs several layers of supervision and oversight in the way that other payment methods have already established (e.g. through the regulations of the international card schemes).

Requirements:

As an e-money licence holder, you need to ensure that your organisation and all of its agents, including passport holders, are fully conversant with and engaged in all due diligence in customer selection and identification, transaction/event screening, suspicion reporting, record-keeping, corporate assessment of exposures and risk, and the Basel II (and III) capital assignment to the exposures. Reporting to the FCA, a clear payment strategy and, ABOVE ALL, understanding and observance of the laws relating to payments in all areas of operation are also essential.

The most pertinent requirement is meeting the Money Laundering regulations of all countries in which an e-money licence holder, and its agents and Passport Holders, operates. Not doing what is right by the European Money Laundering directives is the quickest way of losing money, being fined, suffering crippling bad media attention, or losing a market – or a full e-money licence (which will happen when firms are reviewed).

ACTIONS 

In advance of the FCA performing its own validation on individual licence holders (and making high-profile examples of those who are not fully compliant), you need to:

A. Make sure that all your processes, operations and compliance teams are all fully observant of all applicable regulatory requirements, laws and best practices.

B. More importantly, be confident that your third-party agents are also fully compliant.

We Can and Will Help You In: 

1. Determining your current state of preparedness and identifying areas for attention and action before the FCA requests an onsite review of your business.

2. Reviewing the state of compliance and preparedness of your third-party agents or passport licences and reporting to you on them as the principal e-money licence holder.

We can provide you with our credentials when you need help. We are a team of payment industry specialists who have previously worked in many banks and card schemes, and who now help organisations assess their current operational status, and become and remain compliant. We have also worked extensively with the rules, regulations, legislation and best practice across the sector, in the UK and across Europe, and advise payment organisations on market strategy and direction rather than simply focusing on ‘tick-box’ auditing.

Contact RiskSkill for risk, fraud and compliance solutions for e-money, e-payment, internet payments, e-funds, e-payment systems, online payment and safe digital cash transactions. RiskSkill is also a permanent member of AIRFA, an independent and global risk and fraud advisors organization.

How to Protect from Being Victim of Mobile Payment & Internet Banking Fraud?

All About Safe ‘Mobile Payments’ and Internet Banking Transactions

What are Mobile Payments, and what are the top 10 things that we should be doing to stop us from losing all our money?

Well, as technology moves forward we’re now increasingly using our ‘mobile devices’ – we used to call them phones – to make payments. In its simplest form this is calling the bank to make a payment to someone, or using an iPhone/Android app to contact our bank to make a payment or pay for something with a credit card. Looking forwards, there’s the prospect that our mobiles will become the main payment device in shops, cinemas etc. We will probably just ‘tap and go’ for small transactions. Naturally, a lot of evolution has happened, and this will continue as everyone from credit card companies to banks jumps on the bandwagon. In response, phone companies are rapidly integrating device and software technology to make payment by phone easier and easier.

The pace of technology protection for consumers is also developing, but not as fast as the growing number of solutions or providers that are involved. Things like encryption, virus protection, chips and PINs, secret codes and memorable passwords are all protections, but the weakest point in the chain is you and me as the users. We are only human, and have to be careful too. More of us will run the risk of having our identities stolen, and with them having all our money stolen and our lives invaded by the people behind these attacks.

How can we Protect Ourselves, and Make Sure that we do not Become the Victims of Mobile Payment and Internet Banking Frauds?

  1. Don’t think that it will not happen to me. Because it will. With more technology use, and easier access to our data through more routes, the theft of the identities of people in their teens and twenties is increasingly becoming a problem, as they are the group most eager to embrace new technology.
  2. Stop people from getting to our technology. There are password locks on most devices now. Use them. And make sure that they are not easy to guess: no “PASSWORD”, “0000”, or “Mary” if you or your best friend or dog is called “Mary”.
  3. Do not keep data on your devices that could be used by others. Invest in an app that password protects your data / details. They only cost a small amount; make sure that the details are then stored encrypted. If you have to store details on the device without these things, put them behind a code that only you can understand.
  4. Keep key information in different places. A lot of fraud and losses occur because people are still ‘silly’ with their details, for example keeping a PIN with the card number, address details and/or personal details that will help a fraudster. Whilst the advice used to be ‘do not write your PIN on your card’, now it should be ‘do not keep the log-on details and password with the web access address’!
  5. Beware of phishing emails. Many fraudsters, halfway across the world, get your details from you WITH YOUR HELP. They make an email look like it is from your bank, a delivery company or someone else you are expecting emails from – like PayPal, the tax office, Facebook or eBay – and then present you with a screen to sign on with your password. Then they have your private details. Be extra cautious of such incoming emails.
  6. Beware of sharp-talking callers. Many frauds still start with crooks who call/text/email you or me, explain that there has been a problem on your account and that it has been blocked, and ask you to disclose your card details, PINs, addresses or other information in order to unblock the account. Remember, if they want to ID you, who contacted who? Identify them first.
  7. Do not make payments in a hurry or when you do not want to. This is when we make mistakes and expose ourselves.
  8. Only use machines that you know. Internet cafes can be infiltrated and have software added, hardware added or any combination of the two. DO NOT MAKE PAYMENTS from other people’s machines unless you really know what you are doing and you have a safe, end-to-end secure conversation going on; that you know that you are not being overseen, that there is no hardware/software running etc. And do not enter / remember passwords on any machines, especially not strange machines.
  9. Avoid using the same passwords. Obvious that one, isn’t it, but so many people do!
  10. Look after all personal details. Be protective with personal details. Do not use your PINs, card numbers, card expiry dates, addresses, phone numbers or mother’s maiden names etc. in public, in earshot of others. Type PINs and passwords covered up, and always assume that someone is watching or that there is a micro-camera installed by crooks anywhere that you are putting, reading or typing personal details.

Remember that as the technology and connectivity leap forward, it is the fundamentals and people issues that become the biggest weaknesses, and we all have to work to ‘mind the gap’ that this leaves open; until we have remote/mobile real-time DNA testing – which is a long, long way off.

Bill Trueman is a leading payment, risk & fraud expert who provides payment fraud prevention consultancy services to card issuers, banks, and business organizations worldwide. For more information, visit the RiskSkill website. Bill is also a permanent member of AIRFA.

Card payments – Who am I dealing with? The parties involved are changing… again

Bill Trueman from Riskskill.com talks about who is involved in the four-party payment models and how and why these are changing.

The parties in four-party models (those that involve Mastercard and Visa) include:

  • Cardholders – like us.
  • Merchants – the shops that we use, whether in the high-street or on-line.
  • Card Issuers: usually banks that provide us with the plastic-card, the CHIP, PIN and then our statements and customer services.
  • Merchant Acquirers: which provide the equipment to accept payments, but which also settle against the issuers globally through the card schemes and most importantly take the risks involved in doing so.

How these parties operate with one another is shown in figure 1 below. Contracts exist between each party, whether formal, OR

a) the sale of goods and services contract (in shop),
b) Visa and Mastercard rules and contracts – through which issuers and acquirers connect globally.

Base four-party model for Card Payments

This is how the processes have worked in the past, but things are changing and getting increasingly complicated.

Newer Parties

Businesses have evolved because of a need for evolution, and/or because of an evolving internet, mobile technology, increasing demands of ‘new solutions’ from merchants and the need to serve ever-newer cardholder services. Acquirers of yesteryear (banks) did not or could not change with market demands. The types of organisations that have evolved include:

Sales/Introducer organisations

Organisations that ‘sell to’ merchants on behalf of acquirers. Often these ‘take a cut’ of all transactions, and often contractually taking some of the work and the risks.

Technical Gateways

Companies that provide merchants with specialist connectivity / IT solutions in the process; aim to link the merchants to the acquirer akin to an internal IT department for payments. These may include specialist data security and tokenization solutions.

Intermediate Processors – PSPs/ Payment Facilitators

Companies that work with the merchants to process transactions to acquirers, and/or other parties for ‘other’ payment types; adding services that acquirers did not or could not provide. These may be specialisms for particular markets or for particular software or applications. Elements of technical gateways and/or specialist data security and tokenization solutions may be involved.

Acquirer Processors

Companies who will provide the processing services for multiple acquirers, or increasingly, also act as acquirers too; and/or offer ‘white-label’ acquiring solutions/platforms and services.

These are shown in figure 2 – Complications include:

– Many different ‘names’ for parties involved across geographies, by the organisations themselves, through the categorisation of these by the card schemes/ regulators. These names change as the market changes.

– Many of these parties overlap into one another e.g.

  • A sales/introducer may also start to provide equipment or software, a gateway solution, and/or become an intermediate processor themselves.
  • Intermediate processors may apply for their own acquiring licences to become banks and/or Visa / Mastercard licensed businesses; or set up or acquire sales businesses.
  • Acquirers may buy or establish intermediate processors, or other parties in the chain and;
  • Technical transaction processors (Gateways) may become sales businesses or provide intermediate processing and/or other services to the merchants.

– Three-party card schemes such as American Express and Diners can also be processed through the different parties involved above, in parallel or separately.

– AliPay and WeChat Pay are making big inroads in Europe, and are now by many reports bigger than Mastercard and Visa and have big ambitions.

– Domestic card schemes operate in many markets across the EU.

– Other payments schemes – electronic money, wallets, digital currencies.

Acquirer intermediates and disintermediation

Challenges

The challenges that arise and cause difficulties include:

a) Bank regulators required Banks to understand, monitor and continually manage all risks involved. The ‘art’ of doing so is being lost as other parties move into acquiring without the same regulation and knowledge.

b) Risks are often not identified, with credit risk largely uncalculated, untracked or ‘priced for’.

c) Customer identification can become diluted when multiple parties are involved; especially when contracts are written without it being clear who is responsible for the risks/exposures; so problems evolve.

d) Regulators and card schemes introduce many and varying rules and requirements that are often hard to understand and to communicate.

e) Capital adequacy / liquidity – banks are always required to manage this; but as non-bank acquirers develop, there is no non-bank regulator to force these business protection solutions with active regulators examining progress.

f) The fallacy that “acquiring is simple”, has led to more ‘new breed’ acquirers emerging with many quickly failing or required to stop trading when things ‘go wrong’.

Common Challenges that must be mitigated

1. Understand a) exposures, b) risk of failure, c) reward for exposures/risks; as well as all the ‘tricks’ used to con acquirers.

2. Have a clear strategy, policy, procedures, documented risk appetite, calculation methodology, management information and reporting structure.

3. Ensure that all card scheme, regulator, AML and other laws and rules are understood and stayed abreast of, and that issues are corrected when they arise.

4. Measure and manage all changes in business models, exposures, risks, management etc.

5. Look for daily / real-time unusual business features and ‘blips’ in the transactions away from norms and then act upon them.

6. Manage and monitor all third-parties employed or delegated-to in the process of card acquiring.

About Riskskill

Riskskill is a leading Europe-based payments and risk management consultancy, with an impressive international track record of helping payments businesses to find and mitigate payments challenges and risks. The firm works with clients to put in place strategies and programmes of work to make payments businesses or functions more profitable, less susceptible to losses, risks and regulatory issues and compliance problems. Riskskill.com is a global GARS Reviewer for Visa.

For further information, please contact: Bill Trueman or Kevin Smith at enquiries@riskskill.com

About Bill Trueman

Bill Trueman is a professional banker and a payments and risk specialist, with over 25 years of experience. He headed-up risk functions and special investigations in Lloyds Bank issuing and acquiring; acquiring and processing at First Data, and then for insurance risks at RBS / Direct Line. For the last 12 years he has been diving-into many other businesses: largely advising merchants, acquirers and others in the payment chain; to reduce risks and costs, and to find improved ways to do business and/or to make significant organisational change. He is a mentor for innovative payments startups and sits on working parties and panels for the UK regulators.

Source: https://www.thepaypers.com/expert-opinion/card-payments-who-am-i-dealing-with-the-parties-involved-are-changing-again-/776837

In Wake of EMV Switch, US e-Commerce Fraud Soars!

As the US switched to the EMV chip card system, e-commerce fraud rates jumped by 33% last year, according to Experian. In late 2015 the US finally followed much of the rest of the world when Visa and other card schemes switched the liability for fraud-related losses to retailers that have not upgraded their hardware for EMV.

Experian notes that the increase in e-commerce fraud follows a similar trend pattern from countries that previously rolled out EMV cards – UK, France, Australia, and Canada – that also saw gradual increases in card-not-present fraud.

“We suspect that the EMV liability switch and increased adoption by merchants of chip-and-pin enabled terminals have had a profound impact on driving up e-commerce attacks,” says the firm.

Fraudsters that typically relied on committing counterfeit fraud have shifted their focus to the digital channels where they could have more success, and as more attackers enter a rapidly growing mobile and online commerce space it becomes increasingly difficult for merchants to spot them.

This means that businesses need to expect the increase in e-commerce fraud to continue over time and to be prepared to deal with it by employing a multi-layered approach that pairs transactional data elements with details about the user and their device.

Experian says that the biggest component of credit card fraud trends is the fact that 2016 was a record year for data breaches. There were 1,093 breaches, a 40% increase from 2015, according to the Identity Theft Resource Center.

Meanwhile, the Federal Trade Commission recently revealed a jump in consumers who reported that their stolen data was used for credit card fraud, from 16% in 2015 to more than 32% in 2016.

The record number of data breaches is a signal that future fraudulent activities will take place, warns Experian.

What Bill Trueman, an Eminent Risk Specialist Says About This:

1. Of course e-commerce fraud will rise. It is rising everywhere as e-commerce and m-commerce get used more.

2. Naturally, if you stop fraudsters using cards at the point of sale with EMV, they will move to CNP.

3. If you do not put in protections in your CNP channel, fraud will rise.

4. USA fails to adopt (or plan for) protections in the e-commerce channel.

5. The late adoption of EMV in the USA has caused a lot more data compromises for longer in this market.

6. EMV adoption is starting to see fraudsters deterred from CO fraud opportunities already as they move to other softer targets.

Bill Trueman is an eminent independent payments and risk specialist helping business and bank owners manage risk & fraud and save millions. He is director of globally well known RiskSkill, and is an active member of a worldwide fraud and risk advisors organization i.e. AIRFA.

Cameras at the POINT OF SALE? Worldpay Trial Analysis

As a risk, security, fraud, compliance specialist; I should be shouting from the rooftops that this MUST be a great idea to reduce the risks and add a layer of security to the transactions. But in reality, it is not that simple, and veers towards being a big mistake and a legal and operational disaster waiting to happen.

CUSTOMER POSITION

I am also a customer. I am a customer of a bank that issues me with a card and a customer of a retailer where I shop. As a customer of a bank who issues me with a card, I might be happy to let them have a picture of me to put on my card or to make sure that it is me that visits their ATM. But when I signed up for a trial 20 years ago for this, I had to give explicit consent for my issuer to store and use these details on the card and on their systems.

In this case, it is not my issuer that is collecting my photograph or checking it. It is not even the retailer that I am transacting with who is collecting it; it is the bank who is processing the card for the merchant; and as a customer, I DO NOT WANT MY PHOTO taken, kept or processed by the retailer, nor do I want the merchant’s acquirer to keep or store it without my consent.

This is an invasion of my privacy. Do not do it. You have no consent from me to take, keep, store or use my personal details (my photo and card details) for any other purpose than is necessary to undertake the transaction. Indeed, you should be encrypting and anonymising my personal details as is required by many anti-fraud measures, and mandates in-play at the moment. Just how legal this is we will no doubt learn from the Information Commissioner in days, weeks to come. The fraud issue is one for my card issuer, and is of no interest to the acquirer (or merchant) so long as I use a card with a CHIP and a PIN and an EMV protocol.

SECURITY POSITION

OK – so in the customer journey, there is no justification, but what about the security. We have already established that this is not the acquirer’s problem. The acquirers need to focus their attentions upon making their part of the process secure, with encryption, stronger depersonalisation (tokenisation) of the transaction, storing less data, and not losing data. They should also focus upon looking for unusual transactions that are likely to cause future difficulties and improving security at the till, staff training, improving merchant awareness, ensuring PCI DSS conformity and clarity and better terminal and tampering awareness and notifications; all of which could help stop compromises, data theft and attacks that cause £€$millions in losses and crime at the point of sale.

It is a pure folly to introduce a ‘photo at the point of sale’ (as well as a customer invasion of privacy), and certainly NOTHING to do with improved security or reduced fraud: and a big diversion from more important things that MUST be done at the point-of-sale to help security, and help the merchants.

Equally, it is not too great a security foundation to start letting ALL acquirers (WorldPay is one of many 100s globally) store data somewhere without controls. And how legal is it for them to store pictures for those from other countries, or of a picture of my child hanging on to me.

STRATEGY

I would suspect that the eye catching ‘biometric trials’ headlines will make it all sound like a good idea, and let’s all applaud Worldpay for ‘doing something’ – even if it has not been fully thought out yet. But I would suspect that these trials are not very big at all yet – maybe just a staff canteen? – as the legal issues may not yet have been addressed or looked at properly yet. I am also certain that the Information Commissioner will not have been involved either – but I’d hope it will be on the agenda with Christopher Graham’s  when I see him tomorrow morning!

The whole industry though is also racing faster into biometrics with fingerprints via Applepay and Androidpay / Googlepay etc. with the added security of tokenisation, secure element, customer control of the biometric (i.e. it is stored nowhere other than on the phone by the customer), etc. So, what happened to the transaction if there is no PIN, or if it is an NFC payment. Mmmmmm – more thinking to be done somewhere about where all this is going.

PRACTICALITIES

And let’s not ignore the issues around whether I change my hairstyle, make-up, or remove my beard this week, wrap-up warmer with a hat as we will do next month etc.

SCHEME RULES

Is this allowed by the schemes? Is there a compliance issue here? Yes – damned right there is. The message collected with the card must comply with a format, the full messaging must be sent to the issuer, and it is the issuer that must make the authorisation decision about the customer – NOT THE ACQUIRER. If the card schemes have been involved and/or permitted this – which I doubt – then the normal route that is taken with these things is for the scheme to join in with the publicity and announcements – which I have not yet seen.

Great idea Worldpay, great initiative, but it is not for me as a customer, as a merchant, nor as an issuer or as a card scheme.

For further information, contact Bill Trueman or Kevin Smith, both eminent risk and fraud specialists, at http://www.riskskill.com/ or enquiries@riskskill.com

Is EMV Chip and Pin Really the ‘Money Pit’ for Retailers?

I do not agree with this at all, we should exercise some degree of balance:

Maybe we should have called for a ‘national’ business-case to be written – as this has not been done.

Perhaps we should have examined the global context too: USA is only one country in the world, and just about the only one that has not attempted to create the business case, and the only one where the retailers are/have been (allegedly) feeling this way. Again, the US is the ONLY developed country that has not implemented this USA designed and led initiative.

In many (most?) countries, the retail consortia / lobbying groups have driven these initiatives forward in order to make the sales process better and smoother. For instance, in most countries now, the retailer no longer even touches (or sees) the card – the customer simply dips the card on his/her/its side of the counter, enters a PIN, removes the card and leaves with a printed receipt. Retailers have insisted on this to:

  a) Ensure that the process is speeded up.
  b) Increase / improve security – by avoiding retailer ‘touches’ on the card.
  c) Make the transaction fully electronic and thereby reduce chargebacks, and the need for paper handling and re-handling when chargebacks and disputes occur.

There needs to be a lot better thinking before we start calling EMV the “Money Pit” for Retailers.

Author Bill Trueman is a leading payment, risk & fraud expert who provides payment fraud prevention consultancy services to card issuers and banks worldwide. For more information, visit the RiskSkill and AIRFA websites.

Also visit another blog post on EMV Chip and Pin by Kevin Smith, an eminent fraud and risk specialist and Joint Chief Executive at AIRFA.
