Implement a Consumer Authentication System throughout the US.
Managerial Applications of Information Technology – MIS535
Keller Graduate School of Management
November 9, 2014
Table of Contents
Abstract
Visa and MasterCard Company Background
Business Problems
General Benefits
High-Level Solution
Approach
Detailed Options / Solutions
High-level Implementation Plan
Conclusion
Summary of Recommendations
References
Abstract
The business problem is to reduce credit card fraud and identity theft throughout the United States by implementing a Consumer Authentication System. Adopting a Consumer Authentication System helps prevent future data breaches in which sensitive and confidential information is copied, transmitted, stolen or used by an unauthorized person. This system would also reduce chargebacks for the consumer, increase sales, lower interchange rates, and reduce IT costs. Credit card and debit card fraud caused $11.27 billion in losses in 2012. Card issuers incurred 63% of these losses and merchants incurred 37%. Losses occur mainly at the point of sale with counterfeit cards, while merchant losses occur mainly on card-not-present (CNP) transactions online, by phone or by mail order.
Retailers incur $580.5 million in debit card fraud losses and spend $6.47 billion annually on credit and debit card fraud prevention. (2014, Evolution Finance, Inc.) Less than half of the merchants in the US use a consumer authentication solution today. US merchants need to start thinking about a consumer authentication solution because a few chargebacks could hurt their businesses.
Visa and MasterCard Background
The rise of electronic payments has stimulated economic growth while delivering value to consumers, merchants and governments. From the earliest days of credit cards to the wireless payment options of today, electronic payments are driving this evolution. With eighty-five percent of the world's transactions still done with cash and checks, there is plenty of room for the implementation of a Consumer Authentication System to help America trust in electronic payments and benefit from our innovations as we pursue a world beyond cash. (2014, MasterCard)
Visa
Visa was started back in 1958, when Bank of America launched its BankAmericard. It was the first consumer credit card available to middle-class consumers and small to medium-sized merchants in the United States. The BankAmericard became an independent entity under the global brand Visa in 1970, went international in 1974 and introduced the debit card in 1975. Visa also launched VisaNet in the 1970s, which became the world's first electronic authorization, clearing and settlement system and allowed transactions to be completed within seconds. These events helped to awaken the fragile business and brought reliability, security and presence. In 2007 Visa Inc. was formed by banks across the world, including the United States, Canada, Latin America, Caribbean, Asia Pacific, Central Europe, Middle East and Africa regions. The company went public in March of 2008, making it one of the largest and most successful IPOs in history.
Now Visa operates in over 200 countries, and its products and services are available on laptop, tablet and mobile device. The vision of founder Dee Hock was to be the best way to pay and be paid, for everyone, everywhere. (2014, Visa)
MasterCard
In 1966-1968 a bank-owned member association, which later became MasterCard, extended its payment network into Mexico, Japan, and Europe, making it the leading global payment system. In 1980 they launched Maestro, a global online debit program in partnership with Europay International, and they became the first payment card issued in the People's Republic of China. In the 90's they took advantage of people's behaviors and capitalized by launching a campaign, Priceless, to build brand awareness and to resonate with consumers worldwide. In 2002 they partnered with Europay International and became a private share corporation. In 2005 they became a new, customer-focused franchisor, which helped to position them as a processor and advisor for their public offering in 2006. In 2010 they established MasterCard Labs, their location for new ideas, and Data Cash. Then in 2011 they acquired the prepaid card program management operations of Travelex, currently called Access Prepaid Worldwide. They also partnered with Telefonica to create a joint venture to offer mobile financial solutions in Latin America, and partnered with Western Union to fuel growth of electronic payments.
Today MasterCard is a key player in the payments industry, also building financial inclusion and changing the way people pay. (2014, MasterCard)
Business Problem
To provide the United States with a more secure consumer authentication strategy to help prevent fraud and data breaches for online and mobile transactions for all credit card companies.
In the United States and other countries, fraudulent activity involving credit cards and identity theft is an ongoing issue for consumers, merchants and government. This past year was one of the most difficult on record due to multiple factors challenging their fraud prevention efforts. There was a massive amount of data breaches on the black market with stolen card numbers, mobile and alternative payments and virtual currency. Merchants lost 0.68% of their revenue, with each dollar of fraud costing them $3.08 in 2013. (2014, LexisNexis) The average time from when fraud is committed until it is detected is 18 months. Most cases involve more than one scheme, 30% have two to three schemes, 58% of the victim organizations had not recovered their losses, and 14% made a full recovery. Around 77% of fraud is committed by individuals working in the following departments: accounting, operations, sales, executive/upper management, customer service, purchasing and finance. The United States is the last market to implement this approach in credit cards.
General Benefits
Implementing a Consumer Authentication System will not only provide fraud protection; merchants will also benefit from increased sales, a liability shift and lower interchange fees. The credit card companies are responsible for 50% of their losses and only receive 24% of all credit card sales. The United States has had the largest credit card fraud, totaling over 5 billion in the last five years and increasing by 14.5%. EMV cards create a new encryption for every sale, while traditional cards have static data that can easily be copied. (2014, Square, Inc.) The EMV card allows you to store information, send and receive sensitive financial data in a secure manner, and provides greater cardholder verification methods.
The consumer will feel more secure doing online, mobile and mail order transactions, and sales will increase. A more reliable system will mean fewer investigations by IT personnel to determine where a breach comes from, less consumer liability, fewer fraudulent chargebacks for the merchants and fewer manual reviews.
High-level Solution
To provide the United States with a Consumer Authentication System using the EMV (Europay, MasterCard, and Visa) card for consumers, to help lessen fraudulent activity and set a global standardization in the US. EMV (aka smartcard) is a chip-enabled payment device with a microchip embedded in the credit card that transmits the data to the terminal or POS system. To authenticate your transaction you set up chip + PIN or chip + signature, which provides a greater level of security for your business and customer.
The EMV standards define the interaction at the physical, electrical, data and application levels between IC cards and IC card processing devices for financial transactions. The EMV banking smartcard is part of the Chip Authentication Program (CAP). CAP is a form of two-factor authentication, as both a smartcard and a valid PIN must be present for a transaction to succeed. (2014, CAP, Wikipedia) CAP/EMV allows users to authenticate payment transactions by telephone, online or mobile. To verify authenticity on every use, the card's chip, signature or PIN must match, which gives a higher degree of assurance for each transaction and less fraudulent activity.
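A simplified model of the point made above, that a chip card produces fresh authentication data for every sale while magnetic strip data is static. This is an added example, not part of the original paper: it uses HMAC-SHA256 and hypothetical names (`ChipCard`, `Issuer`) rather than the actual EMV cryptogram algorithm, and the card number and track data are constructed.

```python
import hashlib
import hmac
import os


class ChipCard:
    """Toy chip: the secret key stays on the card; only cryptograms leave it."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def pay(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1  # transaction counter: every sale signs different data
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce,
                "cryptogram": _mac(self._key, self.pan, amount_cents,
                                   self.atc, terminal_nonce)}


def _mac(key: bytes, pan: str, amount: int, atc: int, nonce: bytes) -> str:
    msg = f"{pan}|{amount}|{atc}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self):
        self._keys, self._last_atc, self._tracks = {}, {}, {}

    def enroll(self, pan: str, key: bytes, track: bytes) -> None:
        self._keys[pan], self._last_atc[pan], self._tracks[pan] = key, 0, track

    def authorize_chip(self, tx: dict) -> bool:
        key = self._keys.get(tx["pan"])
        if key is None:
            return False
        expected = _mac(key, tx["pan"], tx["amount"], tx["atc"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False  # forged or altered transaction data
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return False  # counter already seen: a replayed message
        self._last_atc[tx["pan"]] = tx["atc"]
        return True

    def authorize_magstripe(self, pan: str, track: bytes) -> bool:
        # Static data: a byte-for-byte copy is indistinguishable from the card.
        return hmac.compare_digest(self._tracks.get(pan, b""), track)


def demo() -> dict:
    pan = "4000000000000002"                  # constructed test number
    track = b"constructed-static-track-data"  # constructed sample
    key = os.urandom(32)
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.enroll(pan, key, track)

    first = card.pay(2500, os.urandom(8))
    return {
        "chip_genuine": issuer.authorize_chip(first),
        "chip_replay": issuer.authorize_chip(dict(first)),
        "chip_altered_amount": issuer.authorize_chip(
            dict(card.pay(2500, os.urandom(8)), amount=999900)),
        "chip_next_sale": issuer.authorize_chip(card.pay(1200, os.urandom(8))),
        "stripe_genuine": issuer.authorize_magstripe(pan, track),
        "stripe_copy": issuer.authorize_magstripe(pan, bytes(track)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'approved' if ok else 'declined'}")
```

The issuer declines the repeated and the altered chip messages because the counter and cryptogram no longer match, while it has no way to tell the copied strip data from the original.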
Approach
To determine if EMV cards will lessen fraudulent activity and data breaches in the United States for all credit card companies.
Subject matter experts in fraud reduction, data mining and digital payments through EMV are used to determine whether implementing EMV cards is cost effective and reduces fraud. The subject matter experts are knowledgeable in payment processing, risk mitigation and business analytics, and they provide the advanced knowledge needed to do these implementations. (2014, Square, Inc.)
Merchants must contact Visa, which provides the TIP (Technology Innovation Program) to assist with terminals for contact and contactless chip acceptance implementation and to eliminate their PCI validation requirements. (2012, BNG) The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the major card brands to facilitate a set of consistent data security measures. Below are those requirements:
Build and Maintain a Secure Network for PCI DSS Requirements for the US
Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3 – Protect stored cardholder data
Requirement 4 – Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5 – Use and regularly update anti-virus software
Requirement 6 – Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7 – Restrict access to cardholder data by business need-to-know
Requirement 8 – Assign a unique ID to each person with computer access
Requirement 9 – Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10 – Track and monitor all access to network resources and cardholder data
Requirement 11 – Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12 – Maintain a policy that addresses information security
(2014, Authorize.Net)
Below are the steps of credit card processing and how funds are transmitted to merchants from consumers. Since most fraud happens at the point of sale, the EMV card is the best choice because a higher level of authentication is required to access personal and financial information.
The 7 Steps of Credit Card Processing
Step 1 - The customer submits his credit card for payment.
Step 2 - Authorize.Net manages the complex routing of the data on behalf of the merchant
through the following steps/entities.
Step 3 - Authorize.Net passes the secure transaction information via a secure connection to the
Processor. The Merchant Bank's Processor submits the transaction to the credit card network
(like Visa or MasterCard). The credit card network routes the transaction to the bank that issued
the credit card to the customer.
Step 4 - The issuing bank approves or declines the transaction based on the customer's available
funds and passes the transaction results back to the credit card network.
The credit card network relays the transaction results to the merchant bank's processor. The
processor relays the transaction results to Authorize.Net.
Step 5 - Authorize.Net stores the transaction results and sends them to the website for the
customer and merchant to see.
Step 6 - The merchant delivers goods or services to the buyer.
Step 7 - The issuing bank sends the appropriate funds for the transaction to the credit card
network, which passes the funds to the merchant's bank and then deposits funds into the
merchant’s bank which takes 2 – 4 business days.
(2014, Authorize.Net)
The costs of implementing this standard are as follows:
Replacing cards for the US is estimated at $8 billion, with the US currently having 5 billion magnetic strip cards. (2014, Total System Services, Inc.)
Replacing terminals is estimated at $500 million, with the US currently having 15 billion POS terminals. (2014, Total System Services, Inc.)
Detailed Options/Solutions
EMV Card:
The EMV card has a secure chip that stores payment information, has chip card authorization to prevent fraudulent activity, has private cardholder verification and authentication, and supports online or offline authorization. The smart card was originally patented in France, Germany and Japan in the 1970's due to the concept of being able to store bank account information securely on a card. It also allows technology to handle decisions and data from the card. (2014, Paragon) These cards are provided through your bank or credit card companies.
Reader Options: Readers that take EMV cards are chip-enabled and support Android and iOS devices to take payments on the go or from the countertop.
Square Reader
The Square Reader for EMV cards is sophisticated and affordable and works with Apple and Android devices. There are no long-term contracts or termination fees, and it costs only $29. The Square Reader reads both EMV cards and magnetic strip cards, which is great until everyone has transferred over to EMV cards. (2014, Square, Inc.)
Square Stand Integrated Reader
The Square Stand Integrated Reader is an independent system that works via a USB hardware hub, and setup takes minutes. The Square Stand Integrated Reader reads EMV or magnetic strip cards. There are no long-term contracts or termination fees, and it costs only $39.
The fee is 2.75% for swiped transactions when using the above readers and 3.5% for manual transactions. There are no hidden fees for activation, early termination, interchange, chargebacks, cash payments, refunds, inactivity, and PCI compliance. Upon activation merchants link an account, and funds are deposited in that account the next business day.
Additional reader accessories below:
APG Vasario 1616 USB Driven cash drawer (VB554A-BL1616) $230.00
Star Micronics TSP143UII Eco Thermal Receipt Printer (39464010) $220.00
Motorola Symbol LS2208 bar code scanner (LS2208-7AZU0100ZNA) $135.00
High-level Implementation Plan
The move to EMV cards is scheduled in the US, and below are the key dates for making this change. It is not a requirement, but based on the liability changes it would be to the advantage of all credit card companies to switch to this form of payment, because it will not only lower their liability but also ensure consumer satisfaction due to a more secure way to pay. When consumers are happy they buy more and take more chances with payment options. Fraud as a whole is large, though for an individual it may not be, and this option gives us a chance to lower fraud and increase sales.
Visa – Key Dates:
• August 2011 – The Visa chip migration is announced and discouraged due to cost.
• October 1, 2012 – Visa's Technology Innovation Program (TIP) is extended to U.S. merchants. To qualify, merchants must process at least 75% of their Visa transactions on terminals capable of both contact and contactless EMV to support contact and contactless chip. Merchants must still comply with PCI rules, and TIP eliminates the requirement for PCI compliance.
• April 1, 2013 – Acquirer processors are required to support merchant acceptance of chip transactions; some infrastructure updates will be required.
• October 1, 2015 – Liability will shift to acquirers for domestic and cross-border counterfeit fraud card-present POS transactions if the merchant does not have an EMV-enabled POS device.
• October 1, 2017 – Liability shift takes effect for transactions generated from automated fuel dispensers; this allows more transition time to account for higher equipment/pump costs. (2014, TSYS, Inc.)
MasterCard – Key Dates:
• February 2012 – MasterCard offers an incentive to merchants that choose to use EMV cards with PINs at point of sale.
• October 2012 – Merchant's liability is reduced by 50% for card-reissuance and fraud costs in the case of a data breach, if the merchant processes at least 75% of its MasterCard transactions on terminals capable of both contact and contactless EMV.
• April 2013 – Acquirers and sub-processors must be able to fully process EMV transactions, and ATM liability shifts to non-EMV ATMs.
• October 2013 – Account Data Compromise (ADC) relief takes effect (50%). ADC relief means that if the merchant's data is breached, MasterCard offers a shift in liability, depending on whether the merchant has EMV POS devices. The amount of protection depends on the level of EMV supported (chip and signature has less protection than chip and PIN).
• October 2015 – ADC relief takes effect (100%) if the merchant is processing at least 95% of its MasterCard transactions on EMV devices. Merchant acquirers' liability hierarchy takes effect (excluding fuel dispensers).
• October 2017 – Merchant acquirers' liability hierarchy takes effect at fuel dispensers.
• MasterCard will employ a "liability hierarchy" that favors PIN over signature. The hierarchy treats signature as the less secure approach: responsibility for the cost of fraud depends on whether PIN or signature is chosen, and signature carries more liability.
• MasterCard is also offering financial benefits to installing the devices. They are offering
(2014, TSYS, Inc.)
Conclusion
The purpose of this proposal was to evaluate switching to a Consumer Authentication System by using EMV cards in the United States as a standard instead of magnetic strip cards. Adopting this more secure way to pay lets the US catch up with the rest of the world, which is already utilizing this feature. It will also allow people from the countries that already use this method to pay more securely across the world, which will promote more freedom for those wanting to purchase in the US. The overall cost to implement this plan for EMV cards is very high, but in the long run it will be worth the cost due to lowering fraud and providing the consumer with a better and more secure way to pay.
Summary of Recommendations
• Send notification with informative data to all merchants about this change and key dates.
• Contact a Visa/MasterCard subject matter expert to assist with implementation and to make sure all PCI requirements are met.
• Also reach out to Visa's Technology Innovation Program (TIP) for Visa implementation to help fulfill PCI requirements.
• Train all employees that service the terminals about the EMV card and the new terminal.
• Create new advertising and online video regarding the new EMV cards and their benefits for consumers and merchants.
• Start replacing POS terminals across the US with contact or contactless terminals that accept chip-embedded cards.
• Once all terminals have been replaced, or at least 60%, start replacing magnetic strip cards with the EMV cards worldwide.
References
Visa (1996-2014) the History of Visa
Retrieved from the Visa website:
http://usa.visa.com/about-visa/our-business/history-of-visa.jsp
MasterCard (1994-2014) Our History & Vision Mission Values
Retrieved from the MasterCard website:
http://www.mastercard.com/corporate/ourcompany/about-us.html
Association of Certified Fraud Examiners (ACFE) (2014) 2014 Global Fraud Study / Report to
the Nations on Occupational Fraud and Abuse
Retrieved from the ACFE website:
http://www.acfe.com/rttn-summary.aspx
LexisNexis: Risk Solutions (2014) True Cost of Fraud 2014 Study: Post-Recession Revenue
Growth Hampered by Fraud
Retrieved from the LexisNexis website:
http://www.lexisnexis.com/risk/insights/true-cost-fraud.aspx
John Kiernan (2014) Evolution Finance, Inc. - Credit Card & Debit Card Fraud Statistics
Retrieved from the Evolution Finance, Inc. website:
http://www.cardhub.com/edu/credit-debit-card-fraud-statistics/
Cardinal Commerce (2014)
Retrieved from the Cardinal Commerce website:
http://www.cardinalcommerce.com/
Wikipedia (October 18, 2014) Chip Authentication Program
Retrieved from the Wikipedia website:
http://en.wikipedia.org/wiki/Chip_Authentication_Program
EFSAG European Financial Services Advisory Group (2014)
What is a Chip Authentication Program – CAP
Retrieved from EFSAG website:
http://www.mypaymentsolutions.com/4549/what-CAP/
EMV Connection (2014) – A Smartcard Alliance Site
EMV FAQ
Retrieved from EMV website:
http://www.emv-connection.com/emv-faq/#q3
(2009–2014) Square, Inc. EMV & Chip Cards (2009–2014) get ready for the nationwide switch
to chip cards.
Retrieved from Square up website:
https://squareup.com/emv?gclid=CP_ylNDjw8ICFSRo7AodVn4Asw
BNG Design (November 1, 2012) BNG Holdings Inc. - EMV in the US: When do you need to be
ready?
Retrieved by BNG Design website:
http://www.bngholdingsinc.com/emv-in-the-us-when-do-you-need-to-be-ready/
Authorize.Net (2014) Understanding PCI Compliance
Retrieved by the Authorize Net website:
http://www.authorize.net/resources/pcicompliance/
Paragon Application Systems (2014) the Basics: EMV and Chip Cards
Retrieved by the Paragon Application Systems:
http://www.paragonedge.com/news/industry-insights/comparing-chip-card-and-magnetic-stripe-card-transaction-flows.html
Total System Services, Inc. (2014) U.S. EMV Adoption: Lessons Learned from a Canadian-Based Value Added Resource (VAR) TSYS People-Centered Payments
Retrieved by the TSYS website:
http://www.tsys.com/acquiring/engage/white-papers/United-States-EMV-Adoption.cfm#2