
Fighting Fraud
Using Today’s Technology
Kathryne Daniels, CTP
Senior Vice President
Government Banking
May 2009
Agenda
 Introductions
 Regulatory Issues
  Role and Responsibilities
 Payments Fraud
  Check Fraud
  ACH Fraud
  Online Security
  Payments Fraud Prevention Best Practices
 Credit Card Data Security
  Why Credit Card Data Security is Important
  Anatomy of a Data Compromise
  Reducing the Risk of Compromise via PCI Compliance
  Data Security Best Practices
 Open Discussion
Regulatory Impacts
 Uniform Commercial Code Articles 3 and 4
 Reg E (Regulation E, which implements the Electronic Fund Transfer Act)
 Expedited Funds Availability Act and Fed Reg CC
Role and Responsibilities
 Agencies
  Must exercise ordinary care. If an agency does not exercise “ordinary care”, your financial institution may no longer be held wholly liable.
  Definition of ordinary care as I understand it: “The adherence to reasonable commercial standards prevailing in a company’s region and industry”
 Financial Institutions
  Banks share in the responsibility for establishing systems and controls to help prevent fraud on deposit accounts from occurring.
Payments Fraud
October 7, 2008
Why Should I Care?
 “I have nothing to worry about, my bank will automatically reimburse us if check fraud occurs.”
 “I have too many other goals to attain this year to shave the bottom line -- I have to install that ERP system”
 “We’ve never been hit with check fraud…”
Check Fraud: How Simple
 More than 1.2 million worthless checks each day enter the banking system
 Easy to get away with
 Simple technology readily available
 Easily obtainable bank account information
 Available authorized signatures
Fraud Prevention Tools
 Positive Pay
 Dollar and date controls
 Check outsourcing
 Check stock security features
Positive Pay Services
 Traditional Positive Pay (bank matches serial number and amount of each presented check against your issuance file)
 Teller Positive Pay (the same match performed at the teller window before a check is cashed)
 Payee Positive Pay (adds the payee name to the match)
Dollar and Date Controls
 Maximum dollar controls
  Reviews and returns checks presented over a specified amount
 Stale date controls
  Reviews and returns checks that exceed your designated “stale” timeframe
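The matching logic behind Positive Pay and the dollar and date controls, as an added worked example (not code from this presentation or from Bank of America): it compares one day's presented items against the customer's issuance file and reports only the exceptions, including the payee-name comparison used by Payee Positive Pay and a duplicate-serial check. The field names, the issuance file and the presented items are constructed for illustration; amounts are in cents.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CheckItem:
    check_no: int
    amount: int      # cents, so comparisons never hit float rounding
    payee: str
    item_date: date  # issue date on the issuance file; presentment date for presented items


def normalize_payee(name: str) -> str:
    """Fold case, spacing and punctuation so 'ACME CORP.' matches 'Acme Corp'."""
    return "".join(ch for ch in name.upper() if ch.isalnum())


def positive_pay_review(issued: List[CheckItem], presented: List[CheckItem],
                        max_amount: Optional[int] = None, stale_days: int = 180
                        ) -> List[Tuple[int, str, str]]:
    """Match presented items against the issuance file; return (check_no, code, detail) exceptions.

    Items not listed are clean matches and would post; only exceptions go to the
    customer for a pay/return decision.
    """
    issued_by_no = {item.check_no: item for item in issued}
    seen = set()
    exceptions = []
    for p in presented:
        if p.check_no in seen:  # same serial presented twice: counterfeit or re-deposit
            exceptions.append((p.check_no, "DUPLICATE", "serial number already presented"))
            continue
        seen.add(p.check_no)
        issue = issued_by_no.get(p.check_no)
        if issue is None:  # Traditional Positive Pay: no record of this serial at all
            exceptions.append((p.check_no, "NOT_ISSUED", "no matching record in issuance file"))
            continue
        if issue.amount != p.amount:
            exceptions.append((p.check_no, "AMOUNT_MISMATCH",
                               f"issued {issue.amount} presented {p.amount}"))
        if normalize_payee(issue.payee) != normalize_payee(p.payee):  # Payee Positive Pay
            exceptions.append((p.check_no, "PAYEE_MISMATCH",
                               f"issued to {issue.payee!r} presented {p.payee!r}"))
        if max_amount is not None and p.amount > max_amount:  # maximum dollar control
            exceptions.append((p.check_no, "OVER_LIMIT", f"{p.amount} exceeds control {max_amount}"))
        age_days = (p.item_date - issue.item_date).days
        if age_days > stale_days:  # stale date control
            exceptions.append((p.check_no, "STALE", f"issued {age_days} days before presentment"))
    return exceptions


# Constructed sample data: an issuance file and one day's presented items.
SAMPLE_ISSUED = [
    CheckItem(1001, 125_000, "Acme Corp", date(2009, 4, 1)),
    CheckItem(1002, 50_000, "Jane Doe", date(2009, 4, 15)),
    CheckItem(1003, 980_000, "City Utilities", date(2008, 10, 1)),
]
PRESENTED_ON = date(2009, 5, 1)
SAMPLE_PRESENTED = [
    CheckItem(1001, 125_000, "ACME CORP.", PRESENTED_ON),     # clean match
    CheckItem(1002, 500_000, "Jane Doe", PRESENTED_ON),       # amount altered
    CheckItem(1004, 30_000, "Cash", PRESENTED_ON),            # never issued
    CheckItem(1003, 980_000, "City Utilities", PRESENTED_ON), # over limit and stale
    CheckItem(1001, 125_000, "Acme Corp", PRESENTED_ON),      # duplicate of the first item
]


def run_sample() -> List[Tuple[int, str, str]]:
    return positive_pay_review(SAMPLE_ISSUED, SAMPLE_PRESENTED, max_amount=500_000, stale_days=180)


if __name__ == "__main__":
    for check_no, code, detail in run_sample():
        print(f"check {check_no}: {code} ({detail})")
```

The review is deliberately strict on duplicates and loose on payee formatting: a second presentment of the same serial is always an exception, while "ACME CORP." and "Acme Corp" are treated as the same payee so that OCR and punctuation differences do not flood the exception queue.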
Check Outsourcing
 Eliminates need to order and store check stock
 Safeguards signatures
 Prints and mails checks
 Creates positive pay issuance file
 Provides postal discounts
Check Stock Security Features: Do They Matter?
 Watermarks
 Controlled safety paper
 COPY BAN + VOID pantograph
 Micro printing
 Thermochromic ink
 Laid lines
 Warning bands
 Secure number font
 Chemical VOIDS
 Image-survivable features
About Check 21
Check 21 became effective October 28, 2004
 Purpose
  Improves efficiency in the U.S. banking system by eliminating the need to transport paper checks between banks
  Encourages innovation in the payment system by removing key barriers to check truncation
 What it means
  Allows banks to create and provide a substitute check in lieu of an original check
  Banks must process substitute checks if received
Check Payment Transformation
Check conversion and check truncation are distinct alternatives to transform a check.
• Check conversion transforms a check to electronic settlement
  Conversion channels: ACH (POP, ARC, RCK); EFT networks (SafeCheck, Visa POS Check)
vs.
• Check truncation transforms a check to image-enabled electronic or paper settlement
  Truncation channels: Image Exchange; Substitute Checks
Image Survivable
 Automated recognition
 Bar-coding
 Seal-encoding
 Digital watermarks
Automated Payee Recognition
 Compares payee name on image to issuance database
  Character-by-character
  Digital interrogation
 Only true exceptions reported
 Limited integration with traditional Positive Pay
Bar-coding
 Key data encrypted into bar-code on the check surface
 Resembles a UPC symbol
 Read by issuing bank and compared to the image
Seal-encoding
 Unique graphic printed on check using vendor supplied software
  Check information encoded within seal
  Automated interrogation and validation
  Permutation keys and secret identifiers
  Replaces formal bank signature verification
  Seal will fail to decode properly if tampered with
Digital Watermarks
 Hidden message on the front surface of check
 Similar to seal-encoding capability
 Digital scanners compare the digital watermark to MICR and visual data
 Real-time identification of alterations possible
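The tamper-evidence principle shared by bar-coding, seal-encoding and digital watermarks, as an added illustration (not the vendors' proprietary schemes and not code from this presentation): at issuance the printer computes a keyed tag (an HMAC) over the check's key fields and prints the fields and tag together as the seal; the bank decodes the seal, verifies the tag, and compares the embedded fields with what its scanners read from the MICR line and the image. The shared key, the field layout, the Base32 encoding and the sample check are assumptions made for this example.

```python
import base64
import hashlib
import hmac
from typing import Dict, Tuple

# Assumed shared secret between the check-printing software and the bank's verifier.
# Constructed for this example; a real deployment would provision per-customer keys.
SEAL_KEY = b"example-seal-key-not-a-production-secret"


def canonical(check: Dict[str, object]) -> bytes:
    """Fixed field order and normalised payee so cosmetic differences do not change the tag."""
    payee = " ".join(str(check["payee"]).upper().replace("|", " ").split())
    fields = [str(check["routing"]), str(check["account"]), str(check["check_no"]),
              str(check["amount"]), payee]
    return "|".join(fields).encode()


def make_seal(check: Dict[str, object], key: bytes = SEAL_KEY) -> str:
    """Produce the payload that would be printed as the seal or bar-code at issuance."""
    data = canonical(check)
    tag = hmac.new(key, data, hashlib.sha256).digest()[:16]  # 128-bit truncated HMAC
    return base64.b32encode(data + b"|" + tag.hex().encode()).decode()


def verify_seal(seal: str, observed: Dict[str, object], key: bytes = SEAL_KEY) -> Tuple[bool, str]:
    """Decode the printed seal and check it against what was read from the check face.

    observed: routing/account/check_no from the MICR line plus amount and payee from the image.
    """
    try:
        payload = base64.b32decode(seal.encode())
    except Exception:
        return False, "SEAL_UNREADABLE"            # smudged, damaged, or not a seal at all
    data, sep, tag_hex = payload.rpartition(b"|")
    expected = hmac.new(key, data, hashlib.sha256).digest()[:16].hex().encode()
    if not sep or not hmac.compare_digest(expected, tag_hex):
        return False, "SEAL_FORGED_OR_DAMAGED"     # wrong key, or seal bits altered
    if data != canonical(observed):
        return False, "FACE_ALTERED"                # seal intact, but amount/payee/MICR changed after printing
    return True, "OK"


# Constructed sample check (routing/account numbers are placeholders; amount in cents).
SAMPLE_CHECK = {"routing": "123456789", "account": "000123456789",
                "check_no": 1001, "amount": 125_000, "payee": "Acme Corp"}


def run_sample() -> Dict[str, Tuple[bool, str]]:
    seal = make_seal(SAMPLE_CHECK)
    altered = dict(SAMPLE_CHECK, amount=1_250_000)  # amount raised by a forger after printing
    return {
        "genuine": verify_seal(seal, SAMPLE_CHECK),
        "reformatted_payee": verify_seal(seal, dict(SAMPLE_CHECK, payee="ACME  CORP")),
        "altered_amount": verify_seal(seal, altered),
        "counterfeit_seal": verify_seal(make_seal(altered, key=b"guessed-key"), altered),
        "damaged_seal": verify_seal(seal[:-8] + "!!!!!!!!", SAMPLE_CHECK),
    }


if __name__ == "__main__":
    for case, (ok, reason) in run_sample().items():
        print(f"{case:18s} {'PASS' if ok else 'FAIL'} {reason}")
```

Two failure modes are kept apart on purpose: a seal that decodes but whose tag does not verify was either printed without the key or physically damaged, while a seal that verifies but disagrees with the face means the check was altered after it left the printer. The second case is the one the deck's "real-time identification of alterations" refers to, and it only works because the verifier compares the embedded fields with independently scanned MICR and image data rather than trusting the seal alone.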
ACH Payments
 Reduces exposure to costly check fraud activity
 Reduces costs
 B-2-B payment growth
 Electronic payroll solution:
  Direct deposit – save $0.89 per payment
  Payroll cards: provides employees with ATM cash access and a safe way to make purchases
 Establish dual control over file preparation
 Have your bank forward historical origination files to your internal auditors
Potential Fraud Growth (ACH entry classes)
 WEB (Internet-initiated entries)
 TEL (telephone-initiated entries)
 POS/POP (point-of-sale / point-of-purchase entries)
ACH Blocks and Filters
 Debit blocks
  Prevent all ACH debits and/or credits from posting
  Prevent consumer entry class debits
 Debit filters
  Permit ACH debits and/or credits from known trading partners only
  Cumulative daily amount limits by trading partner
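An added example of how the blocks and filters above can be expressed as an account policy and applied, in arrival order, to one day's incoming ACH entries. This is not Bank of America's implementation; the originator IDs, amounts and the set of entry classes treated as "consumer" are constructed for the example, and the set should follow whatever the bank defines.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard Entry Class codes treated as consumer debits by the block rule.
# Which codes count is a policy setting; this set is an assumption for the example
# (the deck's WEB/TEL/POS/POP list plus PPD).
CONSUMER_SEC_CODES = {"PPD", "WEB", "TEL", "POP", "POS"}


@dataclass(frozen=True)
class AchEntry:
    originator_id: str   # company identification from the batch header
    sec_code: str
    amount: int          # cents
    is_debit: bool


@dataclass
class AchPolicy:
    block_all_debits: bool = False
    block_consumer_debits: bool = False
    # originator -> cumulative daily limit in cents; None means no originator filter at all
    allowed_originators: Optional[Dict[str, int]] = None


def screen_day(policy: AchPolicy, entries: List[AchEntry]) -> List[Tuple[AchEntry, str, str]]:
    """Apply blocks first, then filters, to incoming entries in arrival order.

    Returns (entry, decision, reason). RETURN items would go back to the originator
    as R29 (corporate customer advises not authorized).
    """
    posted_today = defaultdict(int)   # running total posted per originator
    decisions = []
    for e in entries:
        if not e.is_debit:
            decisions.append((e, "POST", "credit; not subject to debit rules"))
            continue
        if policy.block_all_debits:
            decisions.append((e, "RETURN", "debit block on account"))
            continue
        if policy.block_consumer_debits and e.sec_code in CONSUMER_SEC_CODES:
            decisions.append((e, "RETURN", f"consumer entry class {e.sec_code} blocked"))
            continue
        if policy.allowed_originators is not None:
            limit = policy.allowed_originators.get(e.originator_id)
            if limit is None:
                decisions.append((e, "RETURN", "originator not an approved trading partner"))
                continue
            if posted_today[e.originator_id] + e.amount > limit:
                decisions.append((e, "RETURN", f"would exceed daily limit {limit} for {e.originator_id}"))
                continue
            posted_today[e.originator_id] += e.amount
        decisions.append((e, "POST", "passed blocks and filters"))
    return decisions


# Constructed sample: two approved trading partners with daily limits, consumer debits blocked.
SAMPLE_POLICY = AchPolicy(block_consumer_debits=True,
                          allowed_originators={"1234567890": 1_000_000, "9876543210": 250_000})
SAMPLE_ENTRIES = [
    AchEntry("1234567890", "CCD", 600_000, True),   # approved partner, within limit
    AchEntry("1234567890", "CCD", 500_000, True),   # same partner, pushes total over 1,000,000
    AchEntry("5555555555", "CCD", 100, True),       # unknown originator, even for a tiny amount
    AchEntry("9876543210", "PPD", 10_000, True),    # approved partner but consumer entry class
    AchEntry("5555555555", "CCD", 40_000, False),   # incoming credit, posts regardless
    AchEntry("9876543210", "CTX", 250_000, True),   # exactly at limit, still posts
]


def run_sample() -> List[str]:
    return [decision for _, decision, _ in screen_day(SAMPLE_POLICY, SAMPLE_ENTRIES)]


if __name__ == "__main__":
    for entry, decision, reason in screen_day(SAMPLE_POLICY, SAMPLE_ENTRIES):
        print(f"{decision:6s} {entry.originator_id} {entry.sec_code} {entry.amount:>9} {reason}")
```

Note that the cumulative limit is evaluated against what has already posted, so the order in which entries arrive decides which one is returned; a bank that wants the largest entry returned instead would sort the day's file before screening.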
Online Security
 Strong authentication mechanisms, such as digital certificates
 128-bit Secure Sockets Layer (SSL) encryption
 Dual administration, customizable permissions and authorizations.
 Comprehensive audit logs and activity tracking.
 Network perimeter and application protection that includes round-the-clock monitoring of firewalls, anti-virus systems and intrusion detection and prevention technologies.
Best Practices
 Internal Controls
  Practice separation of duties
  Keep policies and procedures up to date and associates trained.
  Notify bank and law enforcement authorities as soon as you suspect fraud.
  Perform background checks on new associates; observe employee behavior
  Use separate accounts for electronic and paper transactions
  Reconcile your accounts daily (or at least within 30 days)
  Reconcile ACH transactions daily
  Make sure check stock is image-able
  Control physical security of check stock, signature plates, temporary access and employee ID cards.
  Use laser printed checks with security features
  Deliver outgoing checks to mailroom as late in day as possible
  Properly destroy critical accounting information
  Take advantage of fraud products
Best Practices
 Online Controls
  Practice safe computing
  Use firewall, anti-virus, and spy-ware prevention tools
  Do not allow users to download unauthorized software on business PCs
  Limit physical access to treasury computers
  Assign permissions only for what is needed
  Delete old user accounts and access to bank systems
  Ensure users do not share passwords
  Encrypt sensitive information in storage
  Take advantage of bank provided application controls:
   Dual administration
   Dual approval of payments
   User transaction limits
   Audit Logging
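Dual approval of payments, user transaction limits and audit logging from the list above, as an added example of the enforcement logic behind those controls (not the bank's application and not code from this presentation). The user names, approval limits and the threshold above which two approvers are required are assumed values chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class User:
    name: str
    can_initiate: bool = False
    can_approve: bool = False
    approval_limit: int = 0    # largest single payment (cents) this user may approve


@dataclass
class Payment:
    pid: str
    amount: int
    initiated_by: str
    approvals: List[str] = field(default_factory=list)
    released: bool = False


class PaymentDesk:
    """Separation of duties and per-user limits on outgoing payments, with an audit trail."""

    def __init__(self, users: List[User], dual_approval_above: int):
        self.users = {u.name: u for u in users}
        self.dual_approval_above = dual_approval_above   # above this, two distinct approvers are needed
        self.payments: Dict[str, Payment] = {}
        self.audit: List[str] = []                       # append-only record of every decision

    def initiate(self, user: str, pid: str, amount: int) -> Payment:
        if not self.users[user].can_initiate:
            self.audit.append(f"DENY initiate {pid} by {user}: no initiate entitlement")
            raise PermissionError("user may not initiate payments")
        self.payments[pid] = Payment(pid, amount, user)
        self.audit.append(f"INITIATE {pid} {amount} by {user}")
        return self.payments[pid]

    def approve(self, user: str, pid: str) -> str:
        u, p = self.users[user], self.payments[pid]
        if p.released:
            reason = "already released"
        elif not u.can_approve:
            reason = "no approve entitlement"
        elif user == p.initiated_by:                 # the initiator can never approve their own item
            reason = "initiator may not approve own payment"
        elif user in p.approvals:                    # two approvals must come from two people
            reason = "already approved by this user"
        elif p.amount > u.approval_limit:            # user transaction limit
            reason = f"amount {p.amount} exceeds approver limit {u.approval_limit}"
        else:
            reason = ""
        if reason:
            self.audit.append(f"DENY approve {pid} by {user}: {reason}")
            raise PermissionError(reason)
        p.approvals.append(user)
        needed = 2 if p.amount > self.dual_approval_above else 1
        p.released = len(p.approvals) >= needed
        self.audit.append(f"APPROVE {pid} by {user} ({len(p.approvals)}/{needed})")
        return "RELEASED" if p.released else "PENDING"


def _attempt(desk: PaymentDesk, user: str, pid: str) -> str:
    try:
        return desk.approve(user, pid)
    except PermissionError:
        return "DENIED"


def run_sample() -> Dict[str, object]:
    """Constructed scenario: one small payment, one large payment that needs two approvers."""
    desk = PaymentDesk([
        User("alice", can_initiate=True),
        User("bob", can_approve=True, approval_limit=2_000_000),
        User("carol", can_approve=True, approval_limit=10_000_000),
        User("dave", can_approve=True, approval_limit=10_000_000),
    ], dual_approval_above=1_000_000)
    outcomes: Dict[str, object] = {}
    desk.initiate("alice", "P1", 500_000)
    outcomes["small_single_approval"] = _attempt(desk, "bob", "P1")
    desk.initiate("alice", "P2", 5_000_000)
    outcomes["self_approval"] = _attempt(desk, "alice", "P2")
    outcomes["over_limit"] = _attempt(desk, "bob", "P2")
    outcomes["first_of_two"] = _attempt(desk, "carol", "P2")
    outcomes["same_approver_twice"] = _attempt(desk, "carol", "P2")
    outcomes["second_of_two"] = _attempt(desk, "dave", "P2")
    outcomes["audit_entries"] = len(desk.audit)
    return outcomes


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k:22s} {v}")
```

Denied attempts are written to the audit log as deliberately as approvals are; a run of denials against the same payment is exactly the pattern an internal auditor reviewing the log wants to see.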
Why Credit Card Data Security is Important
 If you accept payments via credit card, debit, or prepaid cards, your fraud prevention efforts must include the protection of any cardholder account data handled by you, or on your behalf.
 If card account information is stolen from you, or a service provider working on your behalf, it can be used by criminals to commit fraud.
 Financial Impact: You may be subject to significant fines and losses arising from such fraud and from not properly protecting card account information.
 Reputation Impact: Potentially more damaging than the financial impacts, public trust and confidence in your organization can be negatively impacted by this type of data security breach.
Card Data Security in the Headlines
“11 Charged in Theft of 41 Million Card Numbers…. Federal prosecutors have charged 11
people with stealing more than 41 million credit and debit card numbers, cracking what officials
said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed.”
– August 5, 2008 – New York Times
[Major grocery store chain] Malware used in “a massive data breach that compromised up to
4.2 million credit and debit cards…”
– March 28, 2008, Boston Globe
[Major retailer] “Breach of data… is called the biggest ever - stolen card numbers put at
45.7 million … Credit and debit card numbers were stolen by hackers who accessed the
computer systems…”
– March 29, 2007, Boston Globe
Anatomy of a Data Compromise
 A data compromise is an incident involving the breach of a system or network where cardholder data is processed, stored or transmitted.
 A data compromise can also involve the suspected or confirmed loss or theft of any material or records that contain cardholder data.
 There are three basic types of data security breaches that can lead to a data compromise:
  Physical Breach – theft of documents or equipment
  Electronic Breach – electronic breach of a system or network environment
  Skimming – capture of card magnetic stripe data using an external device
Reducing the Risk of Compromise via PCI Compliance
The major credit card companies, including Visa and MasterCard, require any business which accepts credit, debit, or prepaid card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS).
 The PCI DSS is a global standard for protecting cardholder account information to reduce the risk of data compromise
 The PCI DSS consists of 12 requirements (the “digital dozen”) for protecting card account information, and operates on the following principles:
  If you don’t need cardholder account data, don’t store it.
  Never store sensitive authentication data (i.e. full magnetic stripe data, card verification values, or PIN/PIN block data) after transaction authorization.
  If you store permitted cardholder account data (i.e. full Primary Account Number, cardholder name, service code, and expiration date), it must be protected in accordance with the PCI DSS “digital dozen” requirements.
  If you use a service provider(s) to handle cardholder account data on your behalf, you must ensure your service provider(s) handles this data in accordance with PCI DSS requirements.
Data Security Best Practices: Beyond PCI Compliance
 Merchants may also benefit from applying additional data security measures which go beyond the baseline PCI DSS requirements, such as:
  Tokens
  Internal Network Segmentation
  Encryption of Private Networks
  Database Activity Monitoring
  Data Loss Prevention
  Network Admission Control
 Depending on your card payment acceptance method, the above measures may or may not apply.
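The PCI DSS storage principles and the "tokens" measure above, as an added example (not code from this presentation, from Bank of America or from the card brands): once a transaction is authorized, the merchant application keeps only a random token, a masked PAN and the non-sensitive fields, never the full PAN or any sensitive authentication data, and a separate vault is the only component that holds the PAN. The vault here is an in-memory stand-in for what would be a segmented, encrypted system; the sample authorization request is constructed and uses the public Visa test number 4111 1111 1111 1111.

```python
import secrets
from typing import Dict

# Sensitive authentication data: may be sent for authorization, must never be stored afterwards.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc2", "track1", "track2", "pin", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; rejects mistyped numbers before anything is stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits: the most PCI DSS permits on displays and receipts."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The only component that ever sees a full PAN.

    Modelled as an in-memory dict for the example; in practice this is a separate,
    tightly segmented system that stores the PAN under strong encryption (PCI DSS req. 3).
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        tok = self._token_by_pan.get(pan)
        if tok is None:
            tok = "tok_" + secrets.token_hex(16)   # random: carries no information about the PAN
            self._pan_by_token[tok] = pan
            self._token_by_pan[pan] = tok
        return tok                                 # same PAN -> same token, so repeat customers can be linked

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def scrub_for_logging(auth_request: Dict[str, object]) -> Dict[str, object]:
    """Copy of a request that is safe to write to logs or error reports: SAD removed, PAN masked."""
    out = {k: v for k, v in auth_request.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in out:
        out["pan"] = mask_pan(str(out["pan"]))
    return out


def record_after_authorization(vault: TokenVault, auth_request: Dict[str, object]) -> Dict[str, object]:
    """Build the only record the merchant application keeps once the transaction is authorized."""
    pan = str(auth_request["pan"])
    record = {
        "token": vault.tokenize(pan),
        "pan_masked": mask_pan(pan),
        "expiry": auth_request.get("expiry"),
        "cardholder": auth_request.get("cardholder"),
        "amount": auth_request["amount"],
    }
    if (SENSITIVE_AUTH_FIELDS | {"pan"}) & set(record):   # guard against a future field being added carelessly
        raise RuntimeError("record would persist prohibited data")
    return record


# Constructed sample authorization request (Visa test card number; track data is made up).
SAMPLE_AUTH_REQUEST = {
    "pan": "4111111111111111", "expiry": "12/10", "cardholder": "JANE DOE",
    "cvv2": "123", "track2": "4111111111111111=10121011234567890000", "amount": 1_999,
}


def run_sample() -> Dict[str, object]:
    vault = TokenVault()
    rec = record_after_authorization(vault, SAMPLE_AUTH_REQUEST)
    rec_again = record_after_authorization(vault, SAMPLE_AUTH_REQUEST)
    return {"record": rec,
            "same_token_on_repeat": rec["token"] == rec_again["token"],
            "detokenized": vault.detokenize(rec["token"]),
            "log_view": scrub_for_logging(SAMPLE_AUTH_REQUEST)}


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

The scrub function exists because logs and crash dumps are where full PANs and track data most often end up in practice; routing every request through it before it is written anywhere keeps the application outside the part of the environment that handles cardholder data, which is what makes tokenization reduce PCI scope rather than just relocate it.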
Next Step for Merchants
 Contact your acquirer for guidance.
 Familiarize yourself with online, card brand resources.
 Understand your cardholder data environment.
 Consider engaging a Qualified Security Assessor (QSA) and/or Approved Scanning Vendor (ASV).
 Validate PCI DSS Compliance.
Q&A
Thank you!
Kathryne Daniels
SVP, Sr. Client Manager
Government Banking
Tel: 925.827.3959 • Fax: 916.326.3176
[email protected]
Bank of America
2290 Oak Grove Rd, Walnut Creek, CA 94598
This presentation is for informational purposes only. It does not constitute an offer
or commitment to buy or sell or a solicitation of an offer to buy or sell a security
or any financial instrument, or a commitment to enter into a transaction, of the type generally
described herein. The information contained herein, and any other communications or information
provided by Bank of America, is not intended to be,
and shall not be regarded or construed as, a recommendation for transactions or
tax or investment advice, and Bank of America shall not be relied upon for the same without a
specific, written agreement between us.
Information contained in this presentation has been obtained from sources believed
to be reliable, but its accuracy or completeness is not guaranteed by Bank of America.
Also, certain information contained in this presentation speaks as of the date of this presentation (or
another date, if so noted) and is subject to change without notice.
This presentation is intended solely for your use and under no circumstances may
a copy of this presentation be shown, copied, transmitted, or otherwise given to any
person other than your authorized representatives.