Fighting Fraud
Using Today’s Technology
Kathryne Daniels, CTP
Senior Vice President
Government Banking
May 2009
Agenda
Introductions
Regulatory Issues
Role and Responsibilities
Payments Fraud
Check Fraud
ACH Fraud
Online Security
Payments Fraud Prevention Best Practices
Credit Card Data Security
Why Credit Card Data Security is Important
Anatomy of a Data Compromise
Reducing the Risk of Compromise via PCI Compliance
Data Security Best Practices
Open Discussion
Regulatory Impacts
Uniform Commercial Code Articles 3 and 4
Reg E
Expedited Funds Availability Act and Fed Reg CC
Role and Responsibilities
Agencies
Must exercise ordinary care. If an agency does not exercise “ordinary care”, your financial institution may no longer be held wholly liable.
Definition of ordinary care as I understand it:
“The adherence to reasonable commercial standards prevailing in a company’s region and industry”
Financial Institutions
Banks share in the responsibility for establishing systems and controls to help prevent fraud on deposit accounts from occurring.
Payments Fraud
October 7, 2008
Why Should I Care?
“I have nothing to worry about, my bank will automatically reimburse us if check fraud occurs.”
“I have too many other goals to attain this year to shave the bottom line -- I have to install that ERP system”
“We’ve never been hit with check fraud…”
Check Fraud: How Simple
More than 1.2 million worthless checks each day enter the banking system
Easy to get away with
Simple technology readily available
Easily obtainable bank account information
Available authorized signatures
Fraud Prevention Tools
Positive Pay
Dollar and date controls
Check outsourcing
Check stock security features
Positive Pay Services
Traditional Positive Pay
Teller Positive Pay
Payee Positive Pay
Dollar and Date Controls
Maximum dollar controls
Reviews and returns checks presented over a specified amount
Stale date controls
Reviews and returns checks that exceed your designated “stale” timeframe
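The positive pay, payee positive pay, and dollar and date controls described above all come down to the bank matching each presented check against the issuance file the company sent it and reporting anything that does not match as an exception. The following is an added worked example of that matching logic, written for this page; it is not code from the presentation or from any bank. The issuance file, the presented checks, the $15,000 maximum dollar control and the 180-day stale timeframe are all constructed values.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount: Decimal
    payee: str
    issue_date: date


# Constructed issuance file: what the company told its bank it wrote.
ISSUANCE_FILE = {
    c.number: c
    for c in [
        IssuedCheck(1001, Decimal("1250.00"), "Acme Office Supply", date(2009, 3, 2)),
        IssuedCheck(1002, Decimal("8400.00"), "City Water District", date(2008, 10, 15)),
        IssuedCheck(1003, Decimal("310.50"), "Jane Doe", date(2009, 4, 20)),
        IssuedCheck(1004, Decimal("20000.00"), "Buildco Inc", date(2009, 4, 28)),
        IssuedCheck(1005, Decimal("750.00"), "John Smith", date(2009, 4, 30)),
    ]
}

# Constructed presentment batch: (check number, amount, payee as read, date presented).
PRESENTED = [
    (1001, Decimal("1250.00"), "ACME OFFICE SUPPLY", date(2009, 5, 4)),  # clean match
    (1002, Decimal("8400.00"), "CITY WATER DISTRICT", date(2009, 5, 4)),  # issued > 180 days ago
    (1003, Decimal("3310.50"), "JANE DOE", date(2009, 5, 4)),             # amount altered
    (1004, Decimal("20000.00"), "BUILDCO INC", date(2009, 5, 4)),         # over maximum dollar control
    (1005, Decimal("750.00"), "JOHN SMITHSON", date(2009, 5, 4)),         # payee altered
    (1006, Decimal("500.00"), "UNKNOWN VENDOR", date(2009, 5, 4)),        # never issued
    (1001, Decimal("1250.00"), "ACME OFFICE SUPPLY", date(2009, 5, 5)),   # presented a second time
]

MAX_DOLLAR = Decimal("15000.00")  # assumed maximum dollar control
STALE_DAYS = 180                  # assumed stale-date control


def normalize_payee(name: str) -> str:
    """Fold case and whitespace so the payee compare is character-by-character
    on the name itself rather than on printing differences."""
    return " ".join(name.upper().split())


def review(issuance, presented, max_dollar=MAX_DOLLAR, stale_days=STALE_DAYS):
    """Return (check number, decision, reason) for each presented item.

    'pay' means the item matched the issuance file and passed the dollar and
    date controls; 'exception' means the bank would report it to the company
    for a pay/return decision.
    """
    decisions = []
    paid = set()
    for number, amount, payee, presented_on in presented:
        issued = issuance.get(number)
        if issued is None:
            decisions.append((number, "exception", "not in issuance file"))
        elif number in paid:
            decisions.append((number, "exception", "duplicate presentment"))
        elif amount != issued.amount:
            decisions.append((number, "exception",
                              f"amount mismatch: issued {issued.amount}, presented {amount}"))
        elif normalize_payee(payee) != normalize_payee(issued.payee):
            decisions.append((number, "exception", "payee mismatch"))
        elif amount > max_dollar:
            decisions.append((number, "exception", f"over maximum dollar control {max_dollar}"))
        elif (presented_on - issued.issue_date).days > stale_days:
            decisions.append((number, "exception",
                              f"stale dated: issued more than {stale_days} days ago"))
        else:
            paid.add(number)
            decisions.append((number, "pay", "matches issuance file"))
    return decisions


if __name__ == "__main__":
    for number, decision, reason in review(ISSUANCE_FILE, PRESENTED):
        print(f"#{number}: {decision} ({reason})")
```

Only the first item pays; the other six are reported as exceptions, each with the control that caught it. A duplicate presentment of a check that already paid is treated as an exception as well, which is why the function tracks what it has already approved within the batch.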
Check Outsourcing
Eliminates need to order and store check stock
Safeguards signatures
Prints and mails checks
Creates positive pay issuance file
Provides postal discounts
Check Stock Security Features: Do They Matter?
Watermarks
Controlled safety paper
COPY BAN + VOID pantograph
Micro printing
Thermachromic ink
Laid lines
Warning bands
Secure number font
Chemical VOIDS
Image-survivable features
About Check 21
Check 21 became effective
October 28, 2004
Purpose
Improves efficiency in the U.S. banking system by eliminating the need to transport paper checks between banks
Encourages innovation in the payment system by removing key barriers to check truncation
What it means
Allows banks to create and provide a substitute check in lieu of an original check
Banks must process substitute checks if received
Check Payment Transformation
Check conversion and check truncation are distinct alternatives to transform a check
Conversion
ACH: POP, ARC, RCK
EFT networks: SafeCheck, Visa POS Check
Truncation
Image Exchange
Substitute Checks
• Check conversion transforms a check to electronic settlement
vs.
• Check truncation transforms a check to image-enabled electronic or paper settlement
Image Survivable
Automated recognition
Bar-coding
Seal-encoding
Digital watermarks
Automated Payee Recognition
Compares payee name on image to issuance database
Character-by-character
Digital interrogation
Only true exceptions reported
Limited integration with traditional Positive Pay
Bar-coding
Key data encrypted into bar-code on the check surface
Resembles a UPC symbol
Read by issuing bank and compared to the image
Seal-encoding
Unique graphic printed on check using vendor supplied software
Check information encoded within seal
Automated interrogation and validation
Permutation keys and secret identifiers
Replaces formal bank signature verification
Seal will fail to decode properly if tampered with
Digital Watermarks
Hidden message on the front surface of check
Similar to seal-encoding capability
Digital scanners compare the digital watermark to MICR and visual data
Real-time identification of alterations possible
ACH Payments
Reduces exposure to costly check fraud activity
Reduces costs
B-2-B payment growth
Electronic payroll solution:
Direct deposit – save $0.89 per payment
Payroll cards
Provides employees with ATM cash access and a safe way to make purchases
Establish dual control over file preparation
Have your bank forward historical origination files to your internal auditors
Potential Fraud Growth
WEB
TEL
POS/POP
ACH Blocks and Filters
Debit blocks
Prevent all ACH debits and/or credits from posting
Prevent consumer entry class debits
Debit filters
Permit ACH debits and/or credits from known trading partners only
Cumulative daily amount limits by trading partner
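The debit block and debit filter rules on this slide are a small decision procedure: an incoming ACH debit posts only if it comes from a trading partner on the approved list, is not a consumer entry class (when those are blocked), and does not push that partner's cumulative total for the day over its limit. As an added example written for this page (not the bank's own filter logic), the following applies those three rules to a constructed batch of incoming debits; the company IDs, partner names, limits and amounts are all made up.

```python
from collections import defaultdict
from decimal import Decimal

# ACH standard entry class codes that identify consumer entries. PPD, WEB and
# TEL are the ones the slides name as fraud growth areas; the others are the
# consumer check-conversion classes mentioned under Check Payment Transformation.
CONSUMER_SEC_CODES = {"PPD", "WEB", "TEL", "POP", "ARC", "RCK", "BOC"}

# Constructed debit filter: originator company ID -> (name, cumulative daily limit).
ALLOWED_PARTNERS = {
    "1234567890": ("Payroll Processor", Decimal("250000.00")),
    "2345678901": ("State Tax Authority", Decimal("75000.00")),
}

# Constructed incoming debits for one settlement date, in posting order.
INCOMING_DEBITS = [
    {"company_id": "1234567890", "sec": "CCD", "amount": Decimal("180000.00")},
    {"company_id": "1234567890", "sec": "CCD", "amount": Decimal("60000.00")},
    {"company_id": "1234567890", "sec": "CCD", "amount": Decimal("15000.00")},  # pushes total over limit
    {"company_id": "2345678901", "sec": "CTX", "amount": Decimal("12000.00")},
    {"company_id": "9999999999", "sec": "CCD", "amount": Decimal("4000.00")},   # originator not on list
    {"company_id": "1234567890", "sec": "WEB", "amount": Decimal("99.00")},     # consumer class, known partner
]


def apply_filter(entries, allowed=ALLOWED_PARTNERS, block_consumer_classes=True):
    """Decide post/return for each debit.

    Returns a list of (entry index, decision, reason). Cumulative totals are
    tracked per originator so a partner that is allowed cannot exceed its
    daily limit by splitting a large debit into several smaller ones.
    """
    daily_totals = defaultdict(Decimal)
    results = []
    for i, e in enumerate(entries):
        partner = allowed.get(e["company_id"])
        if partner is None:
            results.append((i, "return", "originator not on filter list"))
            continue
        if block_consumer_classes and e["sec"] in CONSUMER_SEC_CODES:
            results.append((i, "return", f"consumer entry class {e['sec']} blocked"))
            continue
        name, limit = partner
        if daily_totals[e["company_id"]] + e["amount"] > limit:
            results.append((i, "return", f"cumulative daily limit {limit} for {name} exceeded"))
            continue
        daily_totals[e["company_id"]] += e["amount"]
        results.append((i, "post", f"{name} within limit"))
    return results


if __name__ == "__main__":
    for i, decision, reason in apply_filter(INCOMING_DEBITS):
        print(f"entry {i}: {decision} ({reason})")
```

The third debit from the payroll processor is returned even though the partner is trusted, because $180,000 + $60,000 + $15,000 exceeds the $250,000 daily limit; the limit is applied to the running total, not to each item in isolation.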
Online Security
Strong authentication mechanisms, such as digital certificates
128-bit Secure Sockets Layer (SSL) encryption
Dual administration, customizable permissions and authorizations.
Comprehensive audit logs and activity tracking.
Network perimeter and application protection that includes round-the-clock monitoring of firewalls, anti-virus systems and intrusion detection and prevention technologies.
Best Practices
Internal Controls
Practice separation of duties
Keep policies and procedures up to date and associates trained.
Notify bank and law enforcement authorities as soon as you suspect fraud.
Perform background checks on new associates, observe employee behavior
Use separate accounts for electronic and paper transactions
Reconcile your accounts daily (or at least within 30 days)
Reconcile ACH transactions daily
Make sure check stock is image-able
Control physical security of check stock, signature plates, temporary access and employee ID cards.
Use laser printed checks with security features
Deliver outgoing checks to mailroom as late in day as possible
Properly destroy critical accounting information
Take advantage of fraud products
Best Practices
Online Controls
Practice safe computing
Use firewall, anti-virus, and spy-ware prevention tools
Do not allow users to download unauthorized software on business PCs
Limit physical access to treasury computers
Assign permissions only for what is needed
Delete old user accounts and access to bank systems
Ensure users do not share passwords
Encrypt sensitive information in storage
Take advantage of bank provided application controls:
Dual administration
Dual approval of payments
User transaction limits
Audit Logging
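The last three bank-provided controls listed above (dual approval of payments, user transaction limits, audit logging) fit together: a limit is checked when a payment is created and again when it is approved, the approver must be someone other than the creator, and every attempt, refused or not, leaves an audit record. The following is an added example written for this page of how an online payment application can enforce those controls; it is not the bank's platform or its code. The users, their limits and the payments are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal


class ControlViolation(Exception):
    """Raised when a request fails one of the application controls."""


@dataclass
class PaymentSystem:
    # Constructed entitlements: user -> maximum amount that user may create or approve.
    user_limits: dict
    pending: dict = field(default_factory=dict)
    released: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _audit(self, user, action, payment_id, outcome, detail=""):
        # Every attempt is recorded, including refused ones; in production the
        # log would go to a store the treasury users themselves cannot edit.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "payment_id": payment_id,
            "outcome": outcome, "detail": detail,
        })

    def _refuse(self, user, action, payment_id, detail):
        self._audit(user, action, payment_id, "denied", detail)
        raise ControlViolation(detail)

    def create(self, user, payment_id, amount: Decimal, beneficiary):
        limit = self.user_limits.get(user)
        if limit is None:
            self._refuse(user, "create", payment_id, "user not entitled to create payments")
        if amount > limit:
            self._refuse(user, "create", payment_id, f"amount {amount} exceeds user limit {limit}")
        self.pending[payment_id] = {"amount": amount, "beneficiary": beneficiary, "created_by": user}
        self._audit(user, "create", payment_id, "ok", f"{amount} to {beneficiary}")

    def approve(self, user, payment_id) -> bool:
        p = self.pending.get(payment_id)
        if p is None:
            self._refuse(user, "approve", payment_id, "no such pending payment")
        if user == p["created_by"]:
            self._refuse(user, "approve", payment_id, "dual approval: approver must differ from creator")
        limit = self.user_limits.get(user)
        if limit is None or p["amount"] > limit:
            self._refuse(user, "approve", payment_id, "approver limit below payment amount")
        self._audit(user, "approve", payment_id, "ok")
        self.released.append(self.pending.pop(payment_id))
        self._audit(user, "release", payment_id, "ok")
        return True


def run_scenario():
    """Constructed walkthrough: alice creates a payment, cannot approve it herself,
    carol's limit is too low, bob approves it; alice's over-limit payment is refused."""
    ps = PaymentSystem(user_limits={"alice": Decimal("10000"), "bob": Decimal("50000"),
                                    "carol": Decimal("1000")})
    refused = []
    ps.create("alice", "PMT-1", Decimal("9500"), "Vendor A")
    for approver in ("alice", "carol"):
        try:
            ps.approve(approver, "PMT-1")
        except ControlViolation as e:
            refused.append(str(e))
    released = ps.approve("bob", "PMT-1")
    try:
        ps.create("alice", "PMT-2", Decimal("25000"), "Vendor B")
    except ControlViolation as e:
        refused.append(str(e))
    return ps, released, refused


if __name__ == "__main__":
    ps, released, refused = run_scenario()
    print("released:", released, "| refused:", refused)
    for entry in ps.audit_log:
        print(entry)
```

Three of the six audit entries in the walkthrough are refusals. That is the point of logging attempts rather than only successes: a user repeatedly trying to approve their own payments, or to create payments above their limit, is visible to whoever reviews the log even though nothing was ever released.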
Why Credit Card Data Security is Important
If you accept payments via credit card, debit, or prepaid cards, your fraud prevention efforts must include the protection of any cardholder account data handled by you, or on your behalf.
If card account information is stolen from you, or a service provider working on your behalf, it can be used by criminals to commit fraud.
Financial Impact: You may be subject to significant fines and losses arising from such fraud and from not properly protecting card account information.
Reputation Impact: Potentially more damaging than the financial impacts, public trust and confidence in your organization can be negatively impacted by this type of data security breach.
Card Data Security in the Headlines
“11 Charged in Theft of 41 Million Card Numbers…. Federal prosecutors have charged 11
people with stealing more than 41 million credit and debit card numbers, cracking what officials
said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed.”
– August 5, 2008 – New York Times
[Major grocery store chain] Malware used in “a massive data breach that compromised up to
4.2 million credit and debit cards…”
– March 28, 2008, Boston Globe
[Major retailer] “Breach of data… is called the biggest ever - stolen card numbers put at
45.7 million … Credit and debit card numbers were stolen by hackers who accessed the
computer systems…”
– March 29, 2007, Boston Globe
Anatomy of a Data Compromise
A data compromise is an incident involving the breach of a system or network where cardholder data is processed, stored or transmitted.
A data compromise can also involve the suspected or confirmed loss or theft of any material or records that contain cardholder data.
There are three basic types of data security breaches that can lead to a data compromise:
Physical Breach – theft of documents or equipment
Electronic Breach – electronic breach of a system or network environment
Skimming – capture of card magnetic stripe data using an external device
Reducing the Risk of Compromise via PCI
Compliance
The major credit card companies, including Visa and MasterCard, require any
business which accepts credit, debit, or prepaid card payments to comply with
the Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS is a global standard for protecting cardholder account
information to reduce the risk of data compromise
The PCI DSS consists of 12, “digital dozen,” requirements for protecting card
account information, and operates on the following principles:
If you don’t need cardholder account data, don’t store it.
Never store sensitive authentication data (i.e. full magnetic card stripe data,
card verification values, or PIN/PIN block data), after transaction
authorization.
If you store permitted cardholder account data (i.e. full Primary Account
Number, cardholder name, service code, and expiration date), it must be
protected in accordance with the PCI DSS “digital dozen” requirements.
If you use a service provider(s) to handle cardholder account data on your
behalf, you must ensure your service provider(s) handles this data in
accordance with PCI DSS requirements.
Data Security Best Practices: Beyond PCI
Compliance
Merchants may also benefit from applying additional data security measures which go beyond the baseline PCI DSS requirements, such as:
Tokens
Internal Network Segmentation
Encryption of Private Networks
Database Activity Monitoring
Data Loss Prevention
Network Admission Control
Depending on your card payment acceptance method, the above measures may or may not apply.
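Two of the PCI DSS principles on the previous slide (never store sensitive authentication data after authorization; protect any PAN you do keep) and two of the beyond-PCI measures listed here (tokens and data loss prevention) can be illustrated in one piece of code. The following is an added example written for this page, not the bank's or the card brands' code: it builds the record a merchant may keep after authorization, replacing the PAN with a token held by a separate vault and dropping CVV2 and track data, and it scans a log line for anything that looks like a PAN. The vault class, the HMAC-based token, the sample authorization request and the log line are all constructed; the card number is a public test number, not an issued card.

```python
import hashlib
import hmac
import re

# Sensitive authentication data: must never be retained after authorization.
SENSITIVE_AUTH_FIELDS = ("cvv2", "track1", "track2", "pin_block")
# Cardholder data a merchant may keep, provided it is protected per PCI DSS.
PERMITTED_FIELDS = ("cardholder_name", "expiry", "service_code")

# Constructed authorization request. 4111111111111111 is a public test number.
SAMPLE_AUTH_REQUEST = {
    "pan": "4111111111111111", "cardholder_name": "J DOE", "expiry": "0311",
    "service_code": "201", "cvv2": "123", "track2": "4111111111111111=03111010000000000",
}
# Constructed application log line. The 13-digit reference number is numeric
# but fails the Luhn check, so a DLP scan should not flag it as a PAN.
SAMPLE_LOG_LINE = "2009-05-04 order 8812 card 4111 1111 1111 1111 exp 0311 ref 1234567890123"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the customary display mask)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for a separate tokenization service (assumed to live outside the
    merchant's own systems). It is the only component that holds full PANs."""

    def __init__(self, key: bytes):
        self._key = key
        self._pans = {}

    def tokenize(self, pan: str) -> str:
        # A keyed hash gives a stable token for repeat customers that is useless
        # without the vault; a random token plus lookup table would also work.
        token = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()[:24]
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]


def is_storable(record: dict) -> bool:
    """True only if no sensitive authentication data remains in the record."""
    return not any(f in record for f in SENSITIVE_AUTH_FIELDS)


def post_authorization_record(card: dict, vault: TokenVault) -> dict:
    """Build what the merchant keeps once authorization is done: a token and a
    masked PAN plus permitted fields. Full PAN, CVV2 and track data are dropped."""
    pan = card["pan"]
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("not a well-formed PAN")
    record = {"token": vault.tokenize(pan), "masked_pan": mask_pan(pan)}
    record.update({f: card[f] for f in PERMITTED_FIELDS if f in card})
    assert is_storable(record)
    return record


# Digit runs of PAN length, allowing spaces or hyphens between groups.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """DLP-style scan: report digit runs that are PAN length and pass Luhn."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = TokenVault(b"constructed-test-key")
    print(post_authorization_record(SAMPLE_AUTH_REQUEST, vault))
    print("PANs found in log line:", find_pans(SAMPLE_LOG_LINE))
```

The scan of the constructed log line finds the card number despite the spaces between groups and ignores the reference number because it fails Luhn; the same scan run over application logs, exports and backups is what surfaces PANs that have leaked outside the cardholder data environment. Note that the merchant-side record never contains the PAN at all, only the token and the mask, which is what takes those systems out of PCI scope for storage.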
Next Step for Merchants
Contact your acquirer for guidance.
Familiarize yourself with online, card brand resources.
Understand your cardholder data environment.
Consider engaging a Qualified Security Assessor (QSA) and/or
Approved Scanning Vendor (ASV).
Validate PCI DSS Compliance.
Q&A
Thank you!
Kathryne Daniels
SVP, Sr. Client Manager
Government Banking
Tel: 925.827.3959 • Fax: 916.326.3176
[email protected]
Bank of America
2290 Oak Grove Rd, Walnut Creek, CA 94598
This presentation is for informational purposes only. It does not constitute an offer
or commitment to buy or sell or a solicitation of an offer to buy or sell a security
or any financial instrument, or a commitment to enter into a transaction, of the type generally
described herein. The information contained herein, and any other communications or information
provided by Bank of America, is not intended to be,
and shall not be regarded or construed as, a recommendation for transactions or
tax or investment advice, and Bank of America shall not be relied upon for the same without a
specific, written agreement between us.
Information contained in this presentation has been obtained from sources believed
to be reliable, but its accuracy or completeness is not guaranteed by Bank of America.
Also, certain information contained in this presentation speaks as of the date of this presentation (or
another date, if so noted) and is subject to change without notice.
This presentation is intended solely for your use and under no circumstances may
a copy of this presentation be shown, copied, transmitted, or otherwise given to any
person other than your authorized representatives.