Embed Size (px)
Citation preview
News You Need to Succeed
What’s Inside
F E B R U A R Y 2 0 1 6
SHAZAM’s 2016 Forum ������������������������������������������������������������������������������������������2
SHAZAM looks back over 40 years �������������������������������������������������������������������������3
Celebrate your AAPs on Feb� 9 �������������������������������������������������������������������������������6
4 tips for managing the media during a disaster ������������������������������������������������7
Learn about fraud rules and scoring in free webinar ���������������������������������������������8
SHAZAM BOLT$ delivers the control cardholders crave ������������������������������������������9
Double swiping poses serious data compromise risk �������������������������������������������10
2 new malware threats for merchants ������������������������������������������������������������������11
Skimming fraud increases at fuel pumps �������������������������������������������������������������12
Beware of chip card phishing scam ���������������������������������������������������������������������13
Always report fraud, even if you forgo a chargeback ���������������������������������������������14
FFIEC updates Management booklet in IT Handbook��������������������������������������������16
Stop social engineering in 3 easy steps ���������������������������������������������������������������17
Cybercrime costs shoot to $15 million yearly per business ���������������������������������18
Thinking of hiring a managed security provider? ���������������������������������������������������19
Consumer education on EMV still necessary ��������������������������������������������������������20
Reduce residency fees by cleaning up your card database ���������������������������������21
SHAZAM training ��������������������������������������������������������������������������������������������������23
‘Indulge in Rewards’ winners ��������������������������������������������������������������������������������24
Spotlight on Service 2
SHAZAM’s 2016 Forum
des moines marriott downtown
april 12–14
shazam.net/forum
don’t miss out on fun extras
Visit shazam.net/forum to register and learn more about SHAZAM’s 2016 Forum.
Our Forum blog previews all of the great things you can expect and how the event will be igniting new opportunities. The blog includes details about sessions, offers you won’t want to miss and much more! Check back weekly so you don’t miss out!
If you haven’t made a hotel reservation, please do so now. The cutoff date for the discount room rate of $119 is 5 p.m. CT on March 29. Let the Marriott know you’re with the SHAZAM Forum to receive the discounted pricing. Once the block is full, rooms will be on a space-available basis at the hotel’s normal rate.
Des Moines Marriot Downtown515.245.5500 or 800.514.4681Make your reservation online
SHAZAM facilities tour Get a behind-the-scenes look at the workings of SHAZAM. This tour will showcase both buildings where you’ll be able to talk personally to client support and fraud representatives, see the data center and more. A tour will be offered on April 12 at 12:30 p.m. Transportation will be provided. Make sure to RSVP when you register.
Welcome receptionCatch up with friends and make a few more through networking and fun trivia. SHAZAM senior management and staff will be on hand to mix and mingle.
Deuces Wild! dueling pianosThis electrifying duo was so well received last year that we brought them back! For over 14 years Dave Eichholz and Ted Manderfeld have traveled coast to coast and are the most sought after dueling piano act in the country. Their high energy mix of comedy, music and extensive audience participation makes this show unlike any other!
Roundtable discussionsGet the latest scoop on SHAZAM’s product development achievements and the roadmap ahead. Then, take part in an interactive brainstorming session to develop a new product or service that you’d like to see come to market.
register today
follow the Forum blog
1 31 16
$250 $300
$150 $200
*From the same financial institution
pricing details after 1 31 16. .. .
Spotlight on Service 3
In the Spotlight
SHAZAM’s pastAs we pored through our archives and tapped our collective memories to prepare this installment, one thing became abundantly clear: SHAZAM’s past has always been about the future!
SHAZAM has focused our every move, from upgrades and enhancements to exciting innovations, with your future in mind. With all the changes that can come to a company — let alone an industry — in 40 years, one thing hasn’t changed: YOU are SHAZAM.
We’re grateful for the guidance and forward thinking of our boards of directors, member financial institutions, industry associations, merchants, key partners, employees and leaders since our start in 1976. Our combined strength has shaped the SHAZAM you know today.
Humble beginnings: The 1970sIn the earliest stages of electronic funds transfer (EFT), SHAZAM’s founding members recognized that for
their community financial institutions to offer ATM and debit services, the existing systems needed to be more efficient. They also knew forming a network would give them a collective voice in the industry.
The Iowa Transfer System network, later known as ITS, Inc. and SHAZAM, was formed in 1976. After key EFT legislation passed in Iowa, the network began a period of intense development.
In addition to programming cutting-edge switch technology, the new network had the foresight to lay down the rules, card standards and operating procedures needed for future interoperability and growth. By 1977, we had processed our first debit transaction, a $10 deposit.
As transaction numbers grew, SHAZAM worked to hone and perfect our systems. In 1979, we moved the network onto our own hardware. Owning and operating our own system allowed the network to be more efficient, reliable and flexible. Since then, the switch has exceeded a 99.9 percent uptime.
The 1980sAt the same time, SHAZAM made strides toward enabling debit payments right at the cash register. By 1981, SHAZAM became the first network in the world to implement and operate an integrated pilot POS system.
Throughout the 1980s, SHAZAM continued offering innovations to help financial institutions compete in the marketplace. We formed Nationet, a national EFT network, with another network more than four years ahead of Cirrus® and Plus®. Later, SHAZAM would secure a direct link to the Cirrus switch through our principal membership, lowering fees for participants.
In 1985, we introduced the SHAZAM name and logo to increase brand recognition for the rapidly expanding network. This replaced the previous “Convenient Banking” image.
SHAZAM looks back over 40 yearsSHAZAM celebrates its 40th anniversary March 22, 2016! Leading up to this occasion, we’re presenting a three-part series about our past, present and future. To kick off the series, here are some highlights from SHAZAM’s history.
– Continued on next page
Spotlight on Service 4
SHAZAM then added fuel pump and online POS payments, started a generic card program, began sending reports electronically (which seems so simple now) and piloted an electronic benefits transfer (EBT) program in Iowa.
The 1990sBy 1991, the network had formed Card Services-Member Association (CSMA), a company that let our institutions issue Visa® or MasterCard® credit cards, and also began offering automated clearing house (ACH) origination services.
SHAZAM, Inc. was incorporated in 1994 to consolidate ITS, Inc. and our Card Services and ACH associations. That same year, SHAZAM expanded our direct debit POS networks by becoming a principal member of Interlink® and Maestro® online.
To cap off the 1990s, SHAZAM provided new programs to help our institutions and their cardholders, including Privileged Status®, a surcharge-free ATM alliance open to
all participants, and SHAZAM Easy PIN®, to allow cardholders to choose their own PINs. SHAZAM also worked diligently to ensure systems remained stable throughout the millennium rollover.
The 2000sIn the 2000s, SHAZAM recognized even more opportunities to help participants in ways that went beyond reliable, cost-effective EFT services.
SHAZAM introduced SHAZAM Access, the first comprehensive and secure Internet-based product suite among EFT networks. We also formed ITS Bank, saving participants a quarter million dollars or more each year in Visa membership fees.
SHAZAM’s Card Authorization Service (CAS) module allowed our financial institutions to issue and authorize their own cards for the first time, instead of relying on larger competitors.
To help our institutions and merchants navigate growing security concerns and complex industry regulations, SHAZAM launched SHAZAM Secure®. And to help our institutions slash fraud losses, SHAZAM introduced FICO® Falcon® Fraud Manager.
In 2006, SHAZAM held our first-ever SHAZAM Forum for financial institution staff members and executives, providing unique networking and learning opportunities as well as access to industry experts.
The 2010sSHAZAM made noise in 2010 when chip-enabled (EMV®) card technology began moving forward in the U.S. We founded the Debit Network Alliance (DNA) with nine other networks. During the following five years, SHAZAM made significant contributions to the DNA, resulting in 2015’s shared Debit Application Identifier (common AID) for EMV debit transactions. This ensured community financial institutions would continue to have a choice in networks.
SHAZAM started providing the latest advancements in core banking technology in 2010 with our acquisition of Cardinal Software™ (now known as SHAZAM Core Services).
In 2012, SHAZAM delivered the first of many mobile solutions with SHAZAM
® BOLT$™ for timely fraud alerts and balance information. By 2015, SHAZAM added mobile person-to-person (P2P) payments and Transaction Control, a revolutionary fraud prevention feature that allows cardholders to pause transactions on their cards themselves.
SHAZAM has always stood for independence and being a competitive choice for our owners
and partners.
Past – Continued from previous page
– Continued on next page
In the Spotlight
Spotlight on Service 5
SHAZAM began offering cost-effective advertising and marketing agency services to our participants in 2013, a successful and popular program that continues to grow. That year SHAZAM also launched SHAZAM Insight with Data Select, giving our institutions direct access to data, such as transaction history, and customizable reports to help them make better-informed business decisions.
To culminate years of hard work, SHAZAM processed our first successful MasterCard and Visa EMV debit transactions in 2015. Also
in 2015, SHAZAM began offering media training to help our partners succeed with news coverage, crisis management and social media.
“The network has always been about doing things others aren’t able to do,” said Terry Dooley, SHAZAM executive vice president & CIO. “Our desire to serve our owners the right way is sometimes at odds with others in the industry, but that’s OK. SHAZAM has always stood for independence and being a competitive choice for our owners and partners. Our vision and passion have only grown stronger over the last 40 years.”
Thank youAlthough these are just some of the highlights from our first 40 years, we can’t help but reflect on these milestones with pride and gratitude. Together, we’ve grown, expanded across the U.S. and transformed challenges into opportunities.
Coming upFor insight on where SHAZAM is today, look for the second article in this series in next month’s Spotlight on Service newsletter.
Past – Continued from previous page
In the Spotlight
Spotlight on Service 6
There are more than 4,000 Accredited Automated Clearing House (ACH) Professionals (AAPs) in the U.S. today, and they’re the elite of payments professionals.
Having an AAP on staff reinforces that your organization is at the forefront of changes and updates to the ACH rules, as well as federal and state payments industry regulations.
To raise awareness and highlight the importance of the AAP accreditation, NACHA — The Electronic Payments Association® and the regional payments associations will celebrate National AAP Recognition Day on Feb. 9, 2016.
This annual event aims to bring a higher profile to this significant achievement among payments professionals. On AAP Recognition Day, a U.S. flag will be flown above the Capitol building in Washington, D.C., in recognition of all AAPs. The flag will then be awarded to one lucky recipient at the annual AAP reception at NACHA’s PAYMENTS 2016 conference April 17–20 in Phoenix, Arizona.
Celebrate your AAPs on Feb. 9
SHAZAM recognizes the contributions AAPs make to ensure the ACH network is safe and secure. Please join us in recognizing them on Feb. 9.
Three professionals in the SHAZAM, Inc. ACH Association region achieved the AAP designation for the first time in 2015. SHAZAM congratulates the following people for their achievement:
• Misty Enderson SHAZAM, Inc.; Johnston, Iowa
• Justin Stroud Hills Bank and Trust Company; Hills, Iowa
• Tyler Trimble SHAZAM, Inc.; Johnston, Iowa
C o n g r a t u l a t i o n s
Training
Spotlight on Service 7
Most institutions are aware that business continuity plans (BCPs) are a must. A key component to every BCP is having a plan to deal with the media during a crisis.
When a disruptive event affects your financial institution’s ability to continue operations, the public must be informed. Imagine how unprepared your employees and management might be if the situation weren’t rehearsed ahead of time!
We’ve summarized the response steps recommended by the Federal Financial Institutions
Examination Council (FFIEC) in its FFIEC IT Examination Handbook.
1. Prepare responses ahead of timeBefore a disaster strikes, prepare responses for the most likely disaster situations and have them approved by your board and shareholders, if applicable.
2. Assign a media contactYour spokesperson should be adequately informed, credible, have strong communication skills and be accessible to the media so
accurate information is broadcast to the public. Only confirmed information should be shared and the spokesperson should discuss what the financial institution is doing to mitigate any potential threats.
3. Educate your employeesInstruct employees to refer any questions to your official media contact.
4. Keep everyone updatedTo ease your customers’ and employees’ concerns, it’s a good idea to conduct regular media briefings until the emergency has ended.
4 tips for managing the media during a disaster
SHAZAM now offers media relations training for the financial services sector — a unique and significant opportunity for your financial institution. The training is led by Patrick Dix, SHAZAM’s senior public relations manager and a veteran television anchor with 25 years of experience.
We offer a variety of training courses to suit your needs, including Media Fundamentals and Media Interview Techniques, plus advanced workshops that focus on crisis communications and social media skills.
With this training, we’ll empower your institution to work more effectively with your local media. Here are a few of the benefits:
• Build confidence and strengthen relationships with the media.
• Prepare for media interviews, tough questions, critical incidents and natural disasters.
• Deliver your message precisely.
• Leverage social media to engage your customers and enrich your message.
• Strengthen your business continuity plan and meet FFIEC regulatory requirements.
For a free quote, call 800-537-5427, ext. 2901, or email [email protected]. We look forward to discussing your needs.
T a k e c o n t r o l o f y o u r m e d i a o p p o r t u n i t i e s t o d a y
Patrick Dix has been recognized for
outstanding reporting with awards from
the Society of Professional Journalists,
the William Randolph Hearst Foundation
and the Midwest Broadcast News
Association�
Training
Spotlight on Service 8
Mark your calendar for Feb. 17 from 10 to 11 a.m. CT., when the SHAZAM fraud department will host its biannual onFraud webinar, “Understanding Falcon Rules and Scoring.”
If you’ve ever wondered, “Why did this valid transaction score so high?” or “Why didn’t this transaction score high enough?,” this is the session for you!
Sign up to learn how FICO® Falcon® Fraud Manager scoring works, how transactions are affected and how we use trends to create specialty rules. We’ll share how these rules work with EMV® card transactions, plus spend some time answering your questions.
Look for your email invitation in early February.
If you have any fraud-related questions, you can always call SHAZAM fraud operations at 800-537-5427, ext. 2899.
Learn about fraud rules and scoring in free webinar
Check your junk mail folder or add do_not_reply@shazam .net to your safe senders list to ensure you’re getting important emails from SHAZAM, including the upcoming onFraud webinar invitation.
M i s s i n g s o m e t h i n g ?
Training
Spotlight on Service 9
Often, the development of payments technology is based on the desires of your cardholders. So what do cardholders really want? Industry trends indicate pure control of their debit cards via mobile devices is high on the list.
Cardholders of all ages want the ability to pay with cards, set alerts and view transactions with their mobile devices. The mobile empowerment of these consumers already exists in the audio, home security, fitness, transportation and grocery industries, and is now on the horizon for the financial industry.
“Mobility is rapidly rewiring the way consumers think. Mobile-toting Americans demand simplicity, any-time convenience, immediate answers, pre-emptive alerts, personally relevant information and advice — all done safely and securely,” says Mark Schwanhausser, director of omnichannel financial services at Javelin Strategy & Research.
SHAZAM BOLT$SHAZAM is aware of this growing trend and is on pace to satisfy cardholder desires.
With our recent release of the Transaction Control feature for the SHAZAM
® BOLT$™ mobile app, cardholders can turn their cards on or off with a quick tap of a button on their mobile devices. Transaction Control allows both financial institutions and their cardholders to fight fraud, improves confidence in financial management and further evolves the relationship between the cardholder and his or her financial institution.
The opportunity to empower cardholders is endless. Transaction Control can be used in many everyday situations. Just think — parents can control their children’s cards, travelers can relax on the beach without worry and a night out on the town doesn’t need to end in a panic when a debit card is left behind at a restaurant.
Cardholders have the power to block or unblock their own cards, much like a temporary card block. This fast and simple security feature gives cardholders peace of mind, knowing they have control over their accounts, ultimately saving you money by not having to replace cards found a short time later.
The adoption of new mobile technologies will allow companies, including SHAZAM, to empower
cardholders, deliver unlimited possibilities and strengthen relationships with an increasingly independent market. The SHAZAM BOLT$ app will continue to evolve as SHAZAM uncovers additional customer desires and insights.
For more informationFor more details on the SHAZAM BOLT$ app or the Transaction Control feature, please contact your SHAZAM account executive. To sign up for Transaction Control, simply email a request to customerimplementation @shazam.net or fax a request to 800-267-0549.
SHAZAM BOLT$ delivers the control cardholders crave
With Transaction Control, cardholders can turn
their cards on or off with a quick tap of a button on their mobile devices.
Products and Services
Spotlight on Service 1 0
Visa® has issued a reminder that secondary card reads, or “double swiping,” can result in the unnecessary storage of sensitive authentication data and is prohibited by Visa operating rules. This applies even when the first card read is completed by dipping a chip card or via a contactless transaction.
In most cases, the secondary card read is unrelated to completion of the transaction. Merchants usually complete this secondary card read to collect account data from the magnetic stripe and use it to create a separate record that supports the merchant’s accounting, reporting or customer-relationship management programs (for example: loyalty and rewards).
Risks of double swipingPlease remind your merchants of the significant risks associated with a secondary card read. The secondary card read often results in the merchant capturing and retaining static data encoded on the magnetic stripe, which violates Visa rules and unnecessarily increases the merchant’s exposure to potential payment account data compromise.
Both the Visa rules and the Payment Card Industry Data Security Standard (PCI DSS) prohibit storage of the full contents of the magnetic stripe after a transaction authorization. This data, if compromised, can be used by criminals to create counterfeit cards.
Visa rules complianceMerchants aren’t permitted to use or request Visa account data for any purpose that’s not related to payment for goods and services. Visa has provided the following best practices for merchants to avoid using the dreaded double swipe:
• Use alternative identifiers for loyalty and rewards to link cardholder relationships.
• Ensure all systems and applications that store, process or transmit Visa account data comply with the PCI DSS, including systems and applications that may have been used to capture data through a secondary card read.
• Use service providers included on the Visa Global Registry of Service Providers and POS applications validated against the PCI Payment Application Data Security Standard (PA-DSS).
For more information If you have any questions about Visa’s rules regarding this issue, please call Jim McCool, SHAZAM risk analyst, at 866-537-5427, ext. 4220.
Double swiping poses serious data compromise risk
Merchants
Spotlight on Service 1 1
Security experts have identified two new types of malware that put merchant POS systems at risk.
Below are details on both the Cherry Picker and ModPOS malware. Please pass this information on to any merchants sponsored by your financial institution.
Cherry Picker malwareTrustwave® SpiderLabs® researchers have analyzed a family of targeted POS malware that has gone virtually undetected for the past four years. The threat earns its nickname, Cherry Picker, because it patiently targets only one thing: the specific process in the POS system that contains cardholder data.
Cherry Picker uses a new memory scraping algorithm, a file infector for persistence and cleaner malware that removes all traces of the infection. This sophisticated functionality has
helped the malware remain under the radar of many security companies.
For more technical details on Cherry Picker, review the SpiderLabs Blog published Nov. 16, 2015.
ModPOS malwareResearchers at iSIGHT PartnersSM
have identified a new malware
called ModPOS (Modular POS) that targets retail payments systems. This malware has modules for:
• Scraping payment card numbers from the memory of POS systems
• Logging the keystrokes of computer users
• Transmitting stolen data
According to iSIGHT Partners, ModPOS is the most sophisticated POS malware it’s seen to date and can go undetected by even the most modern security defenses.
For more technical details, including indicators of a possible compromise, review iSIGHT Partner’s free ModPOS intelligence report.
For more informationIf you have any questions, please call Jim McCool, merchant risk analyst, at 800-537-5427, ext. 4220.
2 new malware threats for merchants
Merchants
Spotlight on Service 1 2
Card skimmers are devices added to POS or ATM terminals to steal track data and PINs when a payment card is swiped. Thieves then use the data to create counterfeit cards to steal funds from the victims’ accounts.
Card skimming isn’t new. In fact, chip-enabled (EMV®) cards and standards were developed to make creating counterfeit cards impossible. However, not all cards and devices are compatible yet, leaving many cardholders vulnerable to this type of fraud.
One group of terminals has seen a marked increase in skimming lately: automated fuel dispensers (AFD), or pay-at-the-pump terminals. AFD retailers have until October 2017 to retrofit or replace their AFD terminals for EMV, making this a much more attractive target for skimming fraud.
Identifying skimmersSkimmers can be added to AFD terminals externally or internally.
External devices, like those used on ATMs or POS terminals, are fashioned to look like they belong on the pump, often with a matching shape and color. View the example pictured above.
Internal skimmers are inserted inside the pump. Many pumps have a common, factory default key which thieves can use to get inside the dispenser to install the device. Or, criminals can gain insider assistance by bribing attendants or maintenance technicians to install the electronics for them. The skimmer is installed within the circuit for the reader and keypad and often uses the pump’s own power source, allowing it to run indefinitely.
With either type of skimmer, thieves often install an external camera to capture the cardholder’s PIN as well. The camera could be mounted in another piece of look-alike casing attached to the pump or in a fake plastic credit card application holder or advertisement kiosk.
PreventionTo help your cardholders avoid skimming fraud while paying at the pump, please share these prevention tips with them:
• Look for things that seem out of place or different. An external skimmer can usually be noticed, if you look for it. Most skimmers are attached with tape or Velcro, so they can be retrieved. Grasp the external part of the reader and tug on it — a skimmer might come off in your hand.
• Internal skimmers are more difficult to detect. Most retailers use some sort of tamper-resistant tape as a seal between the access panel and the case. If there isn’t any tape, look at a few other pumps on the premises. If they have tape and yours doesn’t, or the tape shows signs of tampering, don’t use that pump. If there’s an emergency contact telephone number on the pump, report the lack of tape or tampering.
• Keep a close watch on your account transactions. If you find transactions that you didn’t make, report them to your card issuer immediately.
Skimming fraud increases at fuel pumps
Terminals
Unaltered card reader (left) vs. skimmer (right)
Spotlight on Service 1 3
Fraud and Risk Management
As the U.S. migrates to EMV® chip card technology, the Federal Trade Commission (FTC) is alerting consumers to a new type of phishing scam.
Criminals are posing as issuing financial institutions to take advantage of consumers who haven’t received a chip card yet. The scammer asks the consumer to provide personal card information over the telephone to receive a new chip card.
Keep your customers from falling victim to this scam by telling them your plans for issuing EMV chip cards. Also, ensure they know you won’t call them to ask for card information.
For more informationIf you have any questions, please call SHAZAM fraud operations at 800-537-5427, ext. 2899.
Beware of chip card phishing scam
Spotlight on Service 1 4
Fraud and Risk Management
When researching fraud on a cardholder’s account, it’s important to report fraud to SHAZAM regardless of whether chargeback rights are available. SHAZAM then reports the fraud to MasterCard® or Visa® on your behalf.
Below are several reasons why it’s critical to report each approved, posted fraudulent item:
• MasterCard and Visa requirethat fraud be reported to them.SHAZAM provides this service atno cost to you.
• Visa occasionally providesreimbursement to financialinstitutions on large trackdata compromises. It uses thefraud information you report todetermine if you should receivereimbursement for fraud lossesdue to the compromise.
• MasterCard and Visa may allowchargebacks for fraudulentmerchant activity.
• MasterCard and Visa researchreported fraud to try to identifycommon points of purchase,which can result in compromisedcard notices.
• SHAZAM logs all fraud reportingin an internal database, which wealso use to research fraud losses.
Data aids in developmentSHAZAM is considering the development of several reports or analysis tools to help financial institutions determine their fraud costs or savings. In addition, SHAZAM has other projects that rely on fraud data. The only way to guarantee we’re working with accurate data is for you to send in all approved fraud.
Handling signature-based fraudTo request a chargeback and/or report fraud for a signature-based transaction, start by viewing the purchase in SHAZAM Access Transaction Detail. Click Submit Exception Form at the top of the transaction and then follow the steps below for pursuing a chargeback or reporting fraud.
Fraud and chargebackSelect Request a fraud-related chargeback and then complete the required fields to tell us:
• Who initiated the dispute
• The reason for the request
• The cardholder’s name
• The fraud reason
• The hot-card date (if applicable)
Always report fraud, even if you forgo a chargebackKeeping tabs on fraud helps SHAZAM, MasterCard and Visa research trends. Here’s how you can report fraud, with or without a chargeback request.
MasterCard and Visa require that fraud
be reported to them. SHAZAM provides this
service at no cost to you.
– Continued on next page
Spotlight on Service 1 5
Fraud and Risk Management
Please Note: Before requesting a chargeback, make sure you’ve hot-carded the affected card with a “pick up” response. Visa requires this step for chargebacks. MasterCard doesn’t require a card to be hot-carded; however, failure to hot-card may result in a loss of chargeback rights.
Fraud onlySelect Report fraud only and then complete the hot-card date (if applicable) and the fraud reason. No supporting documentation is required.
Handling PIN-based fraudChargeback rights aren’t available for PIN-based fraudulent transactions.
To report PIN-based fraud, complete and fax in the Reporting for PIN-Based Fraud or Card Not Received form. This form, which is available in SHAZAM Resource, allows you to provide the transaction information and type of fraud. No supporting documentation is required.
For more informationTo learn more about chargebacks and fraud reporting, please see the Exception Item Processing Manual in SHAZAM Resource or refer to the Help tab in SHAZAM Access.
If you have questions regarding chargebacks, please call SHAZAM client support at 800-537-5427 (options 4, 3) or submit a service request online using SHAZAM
® Web Rep.
If you have questions regarding fraud, please call SHAZAM fraud operations at 800-537-5427, ext. 2899.
Fraud – Continued from previous page
Spotlight on Service 1 6
The Federal Financial Institutions Examination Council (FFIEC) has issued a revised Management booklet that provides guidance to assist examiners in evaluating the information technology (IT) governance at financial institutions and service providers.
The information provided in the booklet applies to all Federal Deposit Insurance Corp. (FDIC)-supervised institutions offering online banking services.
The revised Management booklet:
• Outlines the principles of IT governance
• Outlines the stages of the IT risk-management process, including risk identification, measurement, mitigation, monitoring and reporting
• Incorporates cybersecurity concepts as part of IT risk management
The booklet is part of the FFIEC IT Examination Handbook (IT Handbook).
FFIEC updates Management booklet in IT Handbook
Fraud and Risk Management
Spotlight on Service 1 7
Social engineering penetration testing is when a company hires security professionals, such as the SHAZAM Secure® team, to run a fake attack against its employees. The test is designed to find out how well employees fare against the latest social engineering tactics.
Here are three prevention steps you can share with your employees to bolster your defenses against social engineering.
1. Awareness — Employees need to know they’re prime targets for attacks because systems are harder to crack than human nature.
2. Identification — Employees need to know how to spot an attack. First, make sure your employees understand your policies about sharing information via email or over the telephone. Consider giving employees opportunities to practice recognizing and denying requests for sensitive information.
3. Response — Make sure employees know the proper channels for reporting suspected attacks. Give employees a checklist of email and telephone security practices and the authority to deny requests for information, no matter who’s supposedly asking.
Stop social engineering in 3 easy steps
To learn more about SHAZAM Secure, please call Tom Quist, SHAZAM Secure account executive, at 800-537-5427, ext. 4370.
L e a r n m o r e
Fraud and Risk Management
Spotlight on Service 1 8
Fraud and Risk Management
A recent study commissioned by Hewlett-Packard (HP®) revealed the average cost of cybercrime in the U.S. increased to $15 million annually per company — 20 percent more than the previous year’s findings.
While the annual cost per company tends to increase with company size, smaller organizations have a significantly higher cost per capita than larger ones.
The 2015 Cost of Cyber Crime Study from the Ponemon Institute also outlined the most costly cybercrimes and the most effective prevention practices for reducing cybercrime costs.
Most expensive cybercrimesAccording to this study, denial of service, malicious insiders and malicious code accounted for more than 50 percent of cybercrime costs, making these a high priority for prevention. View the glossary above for definitions of these crimes.
Cost of containmentThe average cost to recover from a cyberattack has also increased. The average time to resolve was 46 days, which incurred an average cost of $1.9 million annually per company — a 22 percent increase from the previous year. However, malicious insider attacks can take even longer to contain, with an average of 63 days to resolve.
PreventionThe study showed security awareness and enterprisewide security measures have been the most effective in reducing the costs of cybercrime.
The following cybersecurity measures had the most impact on reducing cybercrime costs, according to the study:
• Deploying a security information and event management (SIEM) solution
• Budgeting an appropriate amount toward security, given the potential costs of an attack
• Employing or hiring security experts
• Having a high-level security leader within the organization
• Using encryption technologies
• Implementing access controls, data loss prevention tools and policy management tools
SHAZAM SecureSHAZAM Secure® is a portfolio of information security services that can help your institution identify and defend against cybercrime vulnerabilities.
To learn more about SHAZAM Secure, please call Tom Quist, SHAZAM Secure account executive, at 800-537-5427, ext. 4370.
For more informationPlease see the January 2016 Spotlight on Service for more information on creating an effective security awareness program and evaluating your cybersecurity risk.
Cybercrime costs shoot to $15 million yearly per business
Denial of service attackAn attack to prevent legitimate users from accessing information or services by flooding the victim’s website or system with information.
Malicious insider A current or former employee, contractor or other business partner who has or had authorized access to an organization’s network, system or data and intentionally misused that access.
Malicious codeMalware, viruses, worms, robots or any unauthorized code designed to disrupt legitimate activity or steal money or information from the victim.
C y b e r c r i m e g l o s s a r y
Spotlight on Service 1 9
Fraud and Risk Management
The decision to hire a managed security services provider can be difficult. Security and compliance can be complex, time consuming and may be best handled by outside professionals who are up on the latest technology and threats. However, you may wish to keep your security professionals on staff for more direct control of your security.
To help your organization get a better idea of which way to go, Trustwave® has created a flow chart. While not scientific or the final word, it could help you answer some of the key questions needed to make this important decision.
View the flow chart to get started.
Thinking of hiring a managed security provider?Check out this handy flowchart to help guide your decision.
Spotlight on Service 2 0
As EMV® chip cards become more immersed in the U.S. payments industry, educating consumers on proper use of the new technology becomes very important.
However, according to an Associated Press poll from July, only a quarter of Americans say they understand very or extremely well why they’re receiving these new cards in the first place.
Topics to communicateAs your financial institution works toward EMV migration, topics you should consider communicating to your cardholders include:
• How consumers will have to change the way they pay
• Chips are more secure for card-present transactions
• EMV doesn’t solve online fraud
For more details on this topic, check out a recent article from PaymentsSource.com.
Consumer education on EMV still necessary
SHAZAM has many educational, ready-made inserts and Web banners available for ordering on our self-serve SHAZAM Power Marketing Program website.
If you’re looking for something more custom, the award-winning SHAZAM Marketing Services team can work with your financial institution to create customized, affordable EMV marketing materials that:
• Educate your customers
• Build your brand
• Promote increased debit card use
To request unique EMV marketing materials, email us at [email protected] or call 855-316-9378.
E M V m a r k e t i n g m a t e r i a l s
Cards
Spotlight on Service 2 1
Cards
It’s the beginning of a new year and a good time to take stock of your card database at SHAZAM.
We recommend keeping your card database up to date by deleting old or expired card authorization file (CAF) records and plastics records that are no longer used.
A well-maintained card database benefits you in three ways:
1. Allows more accurate card counts for MasterCard® and Visa® reporting
2. Reflects the cards you actually have in circulation today
3. Results in reduced residency fees
Below we’ll explain what each part of the card record is for and how to maintain it.
Plastics recordsPlastics information in the card database is all about the card order. Plastics records contain the:
• Cardholder’s name, mailing address, Social Security number (SSN) and telephone number
• Image ID (for SHAZAM myPic Studio®)
• Number of reissue months
• Expiration date
• Current card status, so we’ll know whether to reissue the card
Deleted plastics records will still appear in SHAZAM Access, but they won’t be reissued. Once the card has been expired without reissuance or deleted for 24 months, the record will be purged from SHAZAM Access automatically. Please Note: Primary account numbers (PANs) with a hot-card status won’t reissue, regardless of the plastics record status.
CAF recordsWhen we talk about cleaning up your card database, the CAF record is our primary concern. The CAF record is what makes the card work for positive file financial institutions. It contains the PAN, card status, deposit limits, withdrawal limits, last activity date, last maintenance date and more.
The CAF remains in SHAZAM Access until you delete it, no matter the card’s status. SHAZAM doesn’t automatically purge CAF records. For a card with a hot status, SHAZAM recommends you wait until the card has expired before deleting.
MasterCardWhile SHAZAM will retain a hot status until the CAF is deleted, MasterCard only retains the hot status for 180 days. This is only important if/when MasterCard stands in. MasterCard recommends hot-carding the card every 180 days until expiration; however, this isn’t required.
VisaVisa deletes the record based on the purge date entered when the card is hot-carded. If no purge date is entered, the purge date will default to one year.
Reduce residency fees by cleaning up your card database
– Continued on next page
Spotlight on Service 2 2
For more information If you have any questions about the maintenance tools available and how to use them, please call SHAZAM client support at 800-537-5427 (option 3) or submit a service request online using SHAZAM Web Rep.
Tools to maintain your CAF records
Tool Description How to Use Availability
Positive/Negative File report
This report contains all your CAF information in an easy-to-use Microsoft® Excel® spreadsheet.
Use this report to find all cards with a hot or deleted status.
To request this report, complete the Plastics Report Request form (#514) in SHAZAM
® Web Rep > eForms. Or, call SHAZAM client support at 800-537-5427 (option 3). Thisreport is free once per year.
SHAZAM Warning Bulletin (SCD010)
This report lists the following information:
• Debit cards reported as lostor stolen and the warningnotice regions each card islisted in, if applicable
• Number of cards for eachaction code
• Number of cards listed inmultiple regions
• Foreign (non-SHAZAM)networks to which the hot-card record was reported
Use this report to regularly monitor for expired hot cards and delete them as they arise.
Available daily in the SHAZAM Access Files SETL folder.
Plastics Reissuance (CM250-R) report
This report identifies expiring plastics.
Use this report as a reminder to delete any expired cards that are no longer active.
The report is available on the eighth day of each month and remains on the system for 21 days. You can find this report in the SHAZAM Access Files SETL folder.
Mass maintenance request
SHAZAM deletes old/expired cards on your behalf.
Use it to clean your card database without affecting your staff.
To request this report, call SHAZAM client support at 800-537-5427 (option 3). Fees vary.
Records – Continued from previous page
Cards
Training
Spotlight on Service 2 3
For more details on training events, visit our Training Solutions page.
SHAZAM Lost and Stolen Cards webinarFeb. 11: 9:30–11 a.m. CT Feb. 23: 1:30–3 p.m. CT
Description: Learn what you should do when a cardholder reports a card lost or stolen. We’ll also cover when you should hot-card or delete the card record, what fees are involved and what reports you can review to monitor the hot-card process.
SHAZAM Debit Card Fraud webinarMarch 10: 9:30–11:30 a.m. CT March 29: 1:30–3:30 p.m. CT
Description: Prevent, identify and recover fraud losses for your organization. We’ll cover various fraud categories, including lost and stolen cards, counterfeit cards, cards not present and identity theft. We’ll also cover the SHAZAM fraud prevention products and services available to your institution.
February 2016
Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29
SHAZAM trainingMarch 2016
Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31
SHAZAM Debit Card and ATM Operations regional seminarMarch 23: Bloomington, Minnesota Embassy Suites Minneapolis — Airport 7901 34th Ave. South 952-854-1000
Description: Learn everything you need to know about your ATM card, debit card and ATM programs. Topics include:
• Settlement and related reports
• Prefunding
• The authorization process
• PIN-based adjustments and disputes
• Lost and stolen cards
• Captured card rules
• Monthly reporting and billing
• SHAZAM Access
• Recent product developments
Spotlight on Service 2 4
‘Indulge in Rewards’ winners
• Onyeka A. of Iowa City, Iowa (Hills Bank and Trust Co.; Hills, Iowa)
• Donna K. of North Liberty, Iowa (Bellevue State Bank; Bellevue, Iowa)
• Ruth C. of Central City, Iowa (Citizens Savings Bank; Anamosa, Iowa)
• Lisa C. of Dyersville, Iowa (Dupaco Community Credit Union; Asbury, Iowa)
• Kimberly T. of Ocala, Florida (Ocala Community Credit Union; Ocala, Florida)
• Jacklyn M. of Boone, Iowa (First National Bank; Ames, Iowa)
• April R. of Chatham, Louisiana (Peoples Bank; Chatham, Louisiana)
• Leah B. of Polo, Missouri (The Hamilton Bank; Hamilton, Missouri)
D e c e m b e r w i n n e r s
Spotlight on Service, winner of 14 awards of publication excellence, provides you with information on the financial services industry. It’s not a definitive analysis of the subjects discussed and is not an alternative to the requirements of any regulatory agency.
To join the Spotlight on Service subscription list, send us your name, account number and email address. We also welcome your questions or comments about the newsletter.
SHAZAM, Inc. 6700 Pioneer ParkwayJohnston, IA 50131 shazam.net | @SHAZAMNetwork
Contacts
Fax numbers Chargebacks 515-558-7614Customer implementation & support 800-267-0549Fraud operations 515-558-7616Merchant services 515-558-7612
Client support Call 800-537-5427 or submit a service request in SHAZAM® Web Rep.
About the newsletter
Congratulations to our grand prize winner, April C. of Creston, Iowa. April won a $500 Williams-Sonoma® gift card in the “Indulge in Rewards” Debit Rewards campaign, which ran October–December 2015. April is a customer of The First National Bank in Creston, Iowa.
We’d also like to congratulate our December monthly winners listed at right, who each received a $50 Gourmet gift card.
Debit Rewards Winners
