It takes a network to defeat a network

Fraud Prevention @ IATA

Anca Dolocan

Portfolio Manager, Card & Services

Contents

Fraud Prevention @ IATA

Industry Cooperation, Communication, Support

Industry Standards for Fraud Prevention

IATA Fraud Prevention Standards Governance Groups

Q&A

Fraud Prevention @ IATA: High-level Overview

Current initiatives led or managed by IATA for the airline industry and where airlines and travel agents should play an active role:

• Regional Fraud Prevention Workshops
• Global Airports Action Days (GAAD) in cooperation with Europol
• IATA Frequent Flyer Program Fraud Prevention Workshop & Advisory Forum
• IATA Global Fraud Prevention Event
• IATA Strategic Partners Briefing Day
• IATA Strategic Partnership program for fraud prevention
• IATA Standards Governance fraud prevention groups

Cooperation, Education, Support

GAAD Overall Stats

Airline participation

2019 Satisfaction Survey - NPS 71

[Chart: Overall Rating of the FFP Fraud Prevention Workshop (Day 1 & 2), rated Excellent / Satisfactory / Average / N/A for Networking, Interaction and Agenda]

[Chart: Overall Rating of the FFP Fraud Prevention Advisory Forum (Day 3), rated Excellent / Satisfactory / Average / N/A]

See you in 2020 at Dallas, USA

Save the Date: 23-25 June 2020

www.iata.org/global-fraud-prevention

https://www.iata.org/about/sp/Documents/industry_fraud_prevention.pdf

Industry Standards

simplify common processes, reduce costs and complexity

Passenger Standards Conference (PSC)

• re-organized as of 1 November 2018
• manages all standards activity touching passenger processes, coding and scheduling
• has ultimate decision-making authority over all standard setting activity within its scope
• every member airline is able to attend and vote
• adopts or changes Resolutions and Recommended Practices
• elects the Board Members to oversee the standards across each business domain

Pay-Account Standards Board (PASB)

• Made up of 18 airlines
• Have oversight across the strategy and direction of standards within their domain
• Manage implementation and ensure that standard setting activities are prioritized based on airline requirements
• Explore new areas where industry standards could add value and propose areas where industry standards should be discontinued.

Payment FP Group Members: Chair, Vice-Chair, Secretary

FFP FP Group Members: Chair, Vice-Chair, Secretary

Thank you!

Anca Dolocan [email protected]

AND… See you in 2020!

Destination will be announced at the end of the IATA World Financial Symposium – Stay tuned!

www.iata.org

The Economy: Its impacts upon fraud

IATA World Financial Symposium: Miami 2019

Dr Michael McGuire, University of Surrey

Themes & Aims

• To briefly explore a key trend in Cybercrime – the emergence of a complex set of (criminal) trading relations – the cybercrime economy

• To consider the relationships between this economy and fraud

• To evaluate some implications of this for enterprise, in particular the aviation industry

Research focus

• Based upon findings of an 18 month piece of research - The Web of Profit project, which aimed to understand the outputs of cybercrime, not its inputs

• That is:

• Not what cybercriminals ‘do’ - attack vectors, malware types, perpetrators, computer dependent v computer enabled crime variants, etc etc

• Why cybercriminals ‘do’ - Revenues, laundering, spending investments etc etc.

• Methodology included: interviews with convicted cybercriminals; covert observation and simulated purchases on darknet; analysis of listings; expert/practitioner surveys

Changing Perceptions of Cybercrime

• We once thought ‘cybercrime’ happened in a place called ‘cyberspace’
• It involved ‘technical’ things like viruses or network compromises
• It involved clever young computer experts - hackers, crackers etc.
• It was about stealing credit card numbers, personal credentials etc.
• Enhancing cybersecurity (perimeter protection & firefighting) was the optimal response

The New Cybercrime

BUT

The research identified a range of more fundamental, less discussed factors now seemingly crucial to cybercrime

The New Cybercrime – NEW REVENUE GENERATION

A dizzying range of methods & mechanisms for generating revenues, often at industrial scales:

• Counterfeits
• IP Theft
• Trade Secrets
• Data Trading
• Crimeware
• Skills hire
• Advertising
• Crypto Mining

The New Cybercrime – NEW VALUE FORMS

• A new form of raw material and trading commodity - the extraction and exchange of data.
• Not just data from stolen credit or debit cards
• A range of newer data forms with value:
  - hotel/airline loyalty points
  - Netflix logins
  - ‘likes’ on Facebook
  - soft drink formulas
  - healthcare records

The New Cybercrime – NEW EXCHANGE MECHANISMS

• Rapidly expanding range of supporting digital financial tools
• Digital currencies
• Payment systems
• P2P banking apps
• Mobile payments & banking

The New Cybercrime – NEW ECONOMIC AGENTS

• Specialised economic agents - such as producers, suppliers, service providers and consumers

• Tool supply, technical support and provision of skills and expertise

• Training, professionalization, recommendations and references.

• New markets & dedicated Production Zones

Râmnicu Vâlcea hacker village (Romania)

A Cybercrime Economy

[Diagram labels: Cybercrimes, Revenues, Laundering, Spending, Other crime]

Cybercrime Revenues

Cybercrime Economy now worth:

$1.5 trillion in revenues annually - at minimum

Scale of Cybercrime economy

• $1.5 tn likely to be a conservative estimate

• Many revenue categories were not included/lacked sufficient data to calculate - for example:

• Figure for illicit online included only pharmaceuticals, drugs and counterfeits
• Estimates for the Crimeware category included only DDoS Hire, Trojan related malware & hacker for hire revenues. BUT - Malware sales; exploits; etc also generate significant (as yet uncosted) revenues
• Numerous categories of fraud eg ticket fraud, auction fraud not included

The Cybercrime Economy and fraud

• Two key connections:

(1) The emerging cybercrime economy (and its success) highly dependent upon fraud. For example, many of the key ingredients of this economy derived from fraud

(2) In turn, the cybercrime economy is changing fraud and fraud practices

The Cybercrime Economy – dependence upon fraud

$1.5 trillion in revenues =

• Illicit/illegal online markets ($860bn per annum): Fraudulent goods & counterfeiting
• Trade Secret/IP theft ($500bn per annum): Spoofing, Impersonation, Sale of product designs
• Data Trading ($160bn per annum): Card fraud, chargeback/friendly fraud, loyalty
• Crimeware/CaaS ($1.6bn per annum): Account takeovers,
• Ransomware ($1bn per annum)

The Cybercrime Economy – FOUR impacts upon fraud

1: The Cybercrime economy generates more incentives to engage in fraud

● Economy worth more than combined profits of top 3 Fortune 500 companies (Walmart, Apple & Berkshire Hathaway)
● Economy worth more than annual GDP of Saudi Arabia ($.75tn)
● Highest earners can make up to $2m/£1.4m – almost as much as a FTSE250 CEO. Mid-level operators can make up to $372,000/£263,000
● Result: Projected total global fraud losses amounted to nearly USD $4 trillion in 2018
● Organizations lose up to 5% of their annual revenues to fraud
● Airlines projected to lose up to $3bn to fraud by 2021

[Figure: Global rise in fraud/economic crime]

The Cybercrime Economy – FOUR impacts upon fraud

2: The Cybercrime economy is more varieties of fraud

• Trade in tools enabling spread of ransomware fraud attacks on airports – recent (2018-19) attacks on Cleveland airport; Louisville Airport, Bristol & Atlanta
• Invoices being traded in this economy enabling serious financial frauds for airlines. JAL recently lost nearly 400m yen ($3.4m) after payments for leased airplanes were diverted by cybercriminals
• Lost 24m yen in a similar ploy involving fake emails from a US cargo business.
• Huge amounts of data relating to membership/loyalty accounts for sale on darknet. Up to 72% airline loyalty programs have an issue
• We were offered details of airline executive CVs, vacation plans and other personal details by darknet vendors.

The Cybercrime Economy – FOUR impacts upon fraud

3: Cyber Frauds creating increasing financial & reputational costs

• BA hack of card details, CVV codes and email addresses resulted in £183m fine; costs in reputational damage unknown …
• Heathrow airport fined £120,000 for failing to secure sensitive data following an employee's loss of a USB stick
• Cathay Pacific facing expensive class actions after biggest aviation data breach in history - 9.4m customers had data including passport numbers, identity card numbers, travel history, email addresses compromised
• Protests to Air Canada mount after passport data on their app (used by 1.7m customers) was accessed in 2018

The Cybercrime Economy – FOUR impacts upon fraud

4: The Cybercrime economy enabling easier movement & concealment of fraud revenues

• 4% of European cyber revenues alone now laundered by crypto currency (around $80bn)
• 10 - 20% of cybercriminals use PayPal or other DPS systems to launder money
• 95% of all ransomware profits were laundered through BTC-e Bitcoin exchange in 2017-18
• Airlines being drawn into this burgeoning industry:
  - Physical transportation of cash (staff and passengers)
  - Exploitation of 3rd parties (eg travel agents) & suppliers
  - Airline ticketing identified as a potential transmitter by regulators like FSA & FinCEN

The Cybercrime Economy & fraud – Conclusions?

Aviation industry cannot tackle complexities of cybercrime economy on its own. But:

• Need to appreciate complexity of what is encountering them

• Work more closely with businesses across all sectors in sharing intelligence and good practice

• Need closer co-operation with law enforcement, academics & other experts

• Need to monitor darknet, crypto-currency exchanges and other key nodes within cybercrime economy

Thank you.

Dr Michael McGuire, University of Surrey [email protected]

Account takeover attacks vs bottom line protection

Felix Tabary, Business Development Director, Riskified

FIGHTING ATO ATTACKS: Protect your brand and your customers

September 26, 2019

AGENDA

01 ATO attacks: Background
02 How fraudsters get credentials
03 Common ATO methods
04 Detecting & preventing ATO
05 Key takeaways

MEET RISKIFIED

[Diagram: Riskified product labels (Account Protection, Pre-Auth & PSD2 Optimization, Bank Relationships, Chargeback Guarantee, Recover, Deco, Representment) shown along the order flow: Login, Checkout, Authorization, Capture/Decline, Chargeback]

WHAT IS AN ACCOUNT TAKEOVER ATTACK?

● Fraudster gains access to account
● High success rates for CNP fraud
● Looks like a legitimate, returning customer

HOW DO FRAUDSTERS PULL OFF ATO ATTACKS?

Large scale hacks:
● Marriott - 2018
● Quora - 2018
● Facebook - 2019

Smaller scale hacks:
● websites (mocks)
● Phishing emails

It starts with a data breach

PHISHING (“SPOOFED”) WEBSITES

CREDENTIAL STUFFING

Most stolen credentials don’t work, or aren’t for interesting sites
● Users changed info
● Accounts out of use
● Not an eCommerce site

Data thieves need to verify that the credentials work before they commit fraud, or sell them
● Bots: simple software application that automates credential phishing

CREDENTIAL STUFFING

[Chart: Failed logins over a two month span]

NOW THAT THE CREDENTIALS ARE VERIFIED….

Dark Web Market:
● British Airways credentials - £31.94
● Best Buy credentials - $12
● Netflix credentials - £8.19

Shopping spree or sell the credentials?

WHAT DO FRAUDSTERS DO ONCE THEY’RE IN?

Three most common MOs:
● “Mismatched” ATO
● Loyalty Fraud
● Stored payment method

Order goods!

MISMATCHED ATO

Online fraud using Account A with unrelated Credit Card B

Fraudsters rarely obtain a credit card to match the account owner, so they buy an unrelated card on dark web

MISMATCHED ATO EXAMPLE:

Order details:
● Order placed at TRAVEL MERCHANT
● Logged in as “Kevin Durant”
● Email: [email protected]
● Ordered hotel in Barcelona for 5 nights

The scheme:
● Used a random stolen card, from the same country as the billing info in account,
● Kept billing info the same - including name
● Put empty name slot on the booking and probably intended to resell it on a marketplace

Kevin Durant had been a customer for 5 years, and this was his real email!

LOYALTY FRAUD

Online fraud which takes advantage of loyalty points - no need for a credit card!

In-store credit on account, frequent flyer miles, rewards points

● Even more serious brand & operational impact
● Points are resold on the Darkweb

THE SECONDARY MARKET FOR LOYALTY POINTS

Airlines            Number of miles in package   Price
British Airways     50,000                       €57.74
Delta (SkyMiles)    45,000                       $101
Emirates Skywards   100,000                      $884

● Redeemed for rewards at participating retailers
● Take advantage of systems for transferring miles to friends and family
● Fake travel agent

Source: comparitech, 2018

STORED PAYMENT METHOD

Best case scenario for fraudsters!

DETECTING ATO ATTACKS

Best Case: Detect at Login

● If you catch them at checkout, info is already compromised
● Accuracy and response time are critical

DETECTING BEHAVIORAL AND DEVICE CHANGES

Similar principles to traditional fraud detection.

Need to look for:
● Geographic IP change
● Device change
● Different time of day
● Password entry behavior
● Browsing time before login

BOT DETECTION

Critical, for preventing credential phishing

Detectable based on:
● Keystroke velocity
● Velocity of login attempts
● Mouse movements
● Scroll pattern
● Mobile device orientation sensors

POST DETECTION: HOW TO RESPOND

You won’t always arrive at a clear decision for a login attempt.
● Create a plan for edge cases
● Set thresholds for block vs verify vs allow

VERIFICATION RATE

A tradeoff between accuracy and customer friction

[Chart: verification rate settings: Hyper-aggressive, Aggressive, Baseline]

DEVELOP YOUR VERIFICATION PLAN

For pre-determined edge cases, request verification

Plenty of options
● SMS
● Captcha
● Emails
● Security questions
● Hard vs Soft?

OTHER VERIFICATION THOUGHTS

● Soft vs Hard
● Verification for edge cases is a necessary evil
● Less damaging than a false decline or allowing an ATO

[Diagram labels: Soft, Hard]

KEY TAKEAWAYS

Behavioral & device changes at point of login might indicate an ATO.

Detect bots with velocity measures, keyboard & mouse movements.

Develop a plan to deal with edge cases:

● Determine acceptable risk thresholds

● Map appropriate verification measures

● Deploy them automatically
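
The login signals and the block / verify / allow thresholds from these slides, worked through as an added Python example (not Riskified's code and not part of the original deck). The signal weights, both thresholds, the five-minute velocity window and every sample event are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Login:
    user: str
    ts: datetime
    country: str     # from IP geolocation
    device_id: str   # device fingerprint
    ok: bool         # were the credentials accepted?

# Weights, thresholds and window are assumptions; tune them on your own traffic.
WEIGHTS = {"geo_change": 30, "device_change": 25, "odd_hour": 10, "velocity": 40}
VERIFY_AT, BLOCK_AT = 40, 70
WINDOW, MAX_FAILS = timedelta(minutes=5), 5

def hour_gap(a, b):
    """Distance between two hours of the day on a 24-hour clock."""
    d = abs(a - b)
    return min(d, 24 - d)

def signals(login, history):
    """Risk signals raised by `login`, judged against earlier events."""
    raised = set()
    good = [h for h in history if h.user == login.user and h.ok]
    if good:  # without a baseline there is nothing to compare against
        if login.country not in {h.country for h in good}:
            raised.add("geo_change")
        if login.device_id not in {h.device_id for h in good}:
            raised.add("device_change")
        if all(hour_gap(login.ts.hour, h.ts.hour) > 3 for h in good):
            raised.add("odd_hour")
    # Velocity: many failed attempts from one device, across any accounts.
    fails = [h for h in history if h.device_id == login.device_id and not h.ok
             and timedelta(0) <= login.ts - h.ts <= WINDOW]
    if len(fails) >= MAX_FAILS:
        raised.add("velocity")
    return raised

def decide(login, history):
    """Return (action, score); action is allow, verify or block."""
    score = sum(WEIGHTS[s] for s in signals(login, history))
    if score >= BLOCK_AT:
        return "block", score
    if score >= VERIFY_AT:
        return "verify", score
    return "allow", score

def demo():
    """Constructed data: one customer's baseline plus a burst of failed logins."""
    day = datetime(2019, 9, 1, 20, 0)
    history = [Login("customer1", day + timedelta(days=d), "US", "dev-A", True)
               for d in range(5)]
    burst = datetime(2019, 9, 26, 3, 0)
    history += [Login(f"user{i}", burst + timedelta(seconds=10 * i), "XX", "dev-bot", False)
                for i in range(6)]
    attempts = [
        Login("customer1", datetime(2019, 9, 26, 20, 5), "US", "dev-A", True),  # usual pattern
        Login("customer1", datetime(2019, 9, 26, 21, 0), "FR", "dev-B", True),  # new place and device
        Login("customer1", burst + timedelta(seconds=70), "XX", "dev-bot", True),  # right after the burst
    ]
    return [decide(a, history) for a in attempts]

if __name__ == "__main__":
    for action, score in demo():
        print(action, score)
```

The middle case is the edge case the slides describe: enough has changed to ask for verification, but not enough to block a customer who may simply be travelling.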

Don’t fear verification: it’s better than a false decline, or being the victim of an ATO attack.

ATO PREVENTION BY RISKIFIED

● Delivers clear “allow”/“block”/“verify” decision
● Merchants can opt for Riskified to deploy verification on their behalf
● Login analysis prevents bad actors, including stuffing bots
● Link across network of 1500+ merchants for extremely accurate decisions

ACCOUNT PROTECTION BY RISKIFIED

An additional checkpoint allows us to approve orders more aggressively:

Synergy with fraud review at checkout

[Diagram: Before Account Protection / With Account Protection]

Thank you for your time!

For a free consultation and an evaluation of your ATO prevention process, email us: [email protected]

For additional information, visit: www.riskified.com

CONFIDENTIAL

Dynamic Fraud Prevention for Dynamic Fraudsters

Stuart Barwood, IATA World Financial Symposium

26th September 2019, Miami

Fraud – An ever evolving challenge

Deliver Experience Or Reduce Risk? – A Balancing Act

Personalization & customer experience VS Rising threats & complexity

● Airlines must provide a smooth, individualized experience.
● Airlines are high risk targets for fraud

Fraud takes on many forms

● Enhanced account security
● Coupon abuse
● Marketplace abuse
● Refund abuse
● Private label card applications
● Loyalty point abuse
● Referral abuse
● Reseller abuse
● Account protection

What this means in practice: Play Defense With Rules And Manual Reviews

[Diagram labels: Online checkout; Multiple tools; Rule Engine; 85% Orders Auto-Decisioned; 15% Orders manually reviewed; Customer Service]

● Poor customer experience resulting from delayed decisions
● Lots of operational overhead required to maintain
● Rules tend to over-correct - There are too many legitimate orders rejected
● Even in this defensive mode, chargebacks still occur more frequently than they should

Airline Impacts

Rules based solutions are not a good fit for airlines

• Rules are aimed to target anything that looks “risky” – effectively casting a wide net

• There are a high number of legitimate bookings also rejected

• Airlines have moved away from RM using segment limits but rules effectively still using the same approach in fraud

Mitigating & Managing Fraud 2.0

What we are aiming to achieve

● Approve more good customers
● Stop more fraudsters
● In real time
● Provide consistent experience across the ecosystem
● At any Scale
● Automatically adjust and evolve

Personas: Probabilistic Soft Linking

Exact Match Linking Is Insufficient

[Diagram: sample personas connected by soft links. Link labels as extracted: Geo Indicators; Email variations; Domain reputation; Pattern <> Service Class; Name; Phones; Standard (mostly); variations. Sample names: Jason Carter, Jasmine Weber, Jason Barber, Jason C, Jasmin Carter, Jasmine C, Berenice R, Jason Prince. Sample phones: +19197675384, +19195555384, +18184645384, +19294348384, +13235646384.]

Multi-layered Approach: What we should be looking at

Elastic Identity & Storytelling

● Social media enrichment
● Similar shipping address surge
● Naming patterns
● Ability to link personas even when not a single data point matches

Cyber Intelligence

● Proxy piercing
● Protocol error manipulation
● Multi-device fingerprinting
● Language profiling

Behavioral Analysis

● Browsing Habits
● Click heat maps
● Scrolling
● Plugin usage
● Personal buying patterns
● Time on site
● Purchase leading activities

Effective strategy requires human + AI

[Diagram labels, as extracted: Post-transactions Gap Analysis; Risk Strategy; Site Activity; Transactions & auto risk escalation; Data Enrichment; Risk Product Insights; Merchant Attributes; Commercial Insights; 6,000 Data points; Merchant Modeling; Escalation; Identity Database; Checkpoint-Specific Models; Gap Analysis; Powered by Feedback Experts; Dark Web; Velocity]

How we approach this at Forter

● Proprietary inputs: 6000+ unique data points, 1000+ unique data sources
● Real-time: <700ms
● Reliable: 99.999%
● Enterprise grade platform capabilities
● Secure: SOC 2, PCI DSS 1, GDPR Compliant
● Accurate: Winning 100% of bake offs
● Expertise: Automated machine driven by fraud research

End-to-End protection

● Stolen card fraud
● Account takeover
● Loyalty points theft
● Marketplaces
● Seller fraud
● Promotion and Return abuse

Powerful network effect: 75% of transactions made by people known to Forter

Get In Touch

Stuart Barwood [email protected] +44 7425 189593

Felix Eckhardt, Managing Director, RISK IDENT

The Trojan Horse: A Gift from Loyalty Fraudsters

About me

POINTS REPLACING BITCOIN AS THE FAVORED DARK WEB CURRENCY?

let’s become a fraudster

Network Level: Bots-Network

Device: Device Fingerprinting

User: Behaviour Analytics

Global: Reports, Anomaly Detection

[Diagram labels: Hack in to Account; Convert Miles; Buy Gift Cards; Crime World - Sell gift cards]

Google

http://www.awesome-airline.com

Awesome Airlines

https://www.awesome-airlines.com

same (pattern) username

felixeckhardt81

PIN must have exact 6 digits

**********

123456 is allowed

Login

Airline faces record £183m fine for data breach [1]

Hackers stole 9.4 million records [2]

330 Million Twitter Credentials May Have Been Leaked [3]

[1] www.komando.com, [2] www.forbes.com, [3] bbc.com

Google

https://www.google.com

downloading tor, buying bitcoins, searching for a page which offers hacked accounts, buy the stuff

1000-breach-username-password-09092019.csv

Download

Awesome Airlines

https://www.awesome-airlines.com

ljays28

********

Login

Welcome back Linnet Jays! You have 1.2000.000 miles in your account

Redeem miles

Select your card

Thank you! Your redeem code is on the way!

how does the fraud officer see this attack?

Network Level: Bots-Network

Device: Device Fingerprinting

User: Behaviour Analytics

Global: Reports, Anomaly Detection

Device fingerprint: GeForce 750 M; 129 Fonts installed; Mac Intel Processor; Battery 75%; German Keyboard; Macbook Air 2013; Runtime 14:30:20; 8 CPU; Chrome 72.0.36; Hamburg; Mac OS 10.14.2; 1440x900; T-Mobile ISP; no VPN used; Dial-in; Timezone GMT+0100; FritzBox 192.168.178.14; MTU 1500

Usernames: ljays28, abritland29, wpounds2c, cbellamy2d

Awesome Airlines

We are sorry

Your order could not be processed. Please contact customer services for assistance

Type I

Google

http://www.some-other-airline.com

Type II

Type III

how to hide my device id

Awesome Airlines

https://www.awesome-airlines.com

Login

Device fingerprint: GeForce 750 M; 129 Fonts installed; Mac Intel Processor; Battery 75%; German Keyboard; Macbook Air 2013; Runtime 14:30:20; 8 CPU; Chrome 72.0.36; Hamburg; Mac OS 10.14.2; 1440x900; T-Mobile ISP; no VPN used; Dial-in; Timezone GMT+0100; FritzBox 192.168.178.14; MTU 1500

Device fingerprint: Unknown Card; 10 Fonts installed; AMD CPU; Battery 100%; English Keyboard; Macbook Air 2013; Runtime 24:30:20; 8 CPU; Firefox 69.0; Sydney; Windows 10 1903; 1560x1440; T-Mobile ISP; no VPN used; Dial-in; Timezone GMT+0500; FritzBox -; MTU 1500

Usernames: ljays28, abritland29, wpounds2c, cbellamy2d

What now?

2FA

Relying on 2FA alone has implications for CX and can cause dropouts and user frustration.*

* www.gartner.com

Awesome Airlines

We are sorry

Your order could not be processed. Please contact customer services for assistance

Type I

• use a device fingerprinting with trojan detection
• find fraud by device connections
• detect bot networks
• identify a trojan device

Thank you
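
An added Python sketch of "find fraud by device connections" (not RISK IDENT's implementation and not part of the original deck): devices and accounts are grouped into connected clusters, so a device that has been disguised is still tied to the accounts it reuses. The two device profiles reuse the attribute values shown on the slides; the third device, the login list, the account threshold and all function names are assumptions.

```python
from collections import defaultdict

# Constructed sample data. DEV_A and DEV_B reuse the attribute values shown on
# the slides; the dev-C logins and the customer names are invented here.
DEV_A = {"gpu": "GeForce 750 M", "fonts": 129, "cpu": "Intel", "keyboard": "German",
         "model": "Macbook Air 2013", "cores": 8, "browser": "Chrome 72.0.36",
         "city": "Hamburg", "os": "Mac OS 10.14.2", "screen": "1440x900",
         "isp": "T-Mobile", "tz": "GMT+0100", "router": "FritzBox", "mtu": 1500}
DEV_B = {"gpu": "Unknown Card", "fonts": 10, "cpu": "AMD", "keyboard": "English",
         "model": "Macbook Air 2013", "cores": 8, "browser": "Firefox 69.0",
         "city": "Sydney", "os": "Windows 10 1903", "screen": "1560x1440",
         "isp": "T-Mobile", "tz": "GMT+0500", "router": "FritzBox", "mtu": 1500}
USERS = ["ljays28", "abritland29", "wpounds2c", "cbellamy2d"]
LOGINS = ([("dev-A", u) for u in USERS] + [("dev-B", u) for u in USERS]
          + [("dev-C", "customer1"), ("dev-C", "customer2")])

def clusters(logins):
    """Group devices and accounts that are connected through any login."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for dev, user in logins:
        root_user = find(("account", user))
        parent[find(("device", dev))] = root_user
    groups = defaultdict(lambda: {"devices": set(), "accounts": set()})
    for kind, name in list(parent):
        groups[find((kind, name))][kind + "s"].add(name)
    return list(groups.values())

def flag(logins, max_accounts=3):
    """Clusters holding more accounts than one household plausibly shares."""
    return [g for g in clusters(logins) if len(g["accounts"]) > max_accounts]

def shared_attributes(a, b):
    """Attributes that kept the same value across two device profiles."""
    return sorted(k for k in a if a[k] == b.get(k))

if __name__ == "__main__":
    for g in flag(LOGINS):
        print(sorted(g["devices"]), sorted(g["accounts"]))
    print(shared_attributes(DEV_A, DEV_B))
```

The flagged cluster joins both device profiles through the four reused usernames, and `shared_attributes` lists what stayed constant between them even though browser, OS, location and fonts all changed.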

Felix Eckhardt @felixthelucky1 [email protected]

FRAUD AT AIRPORTS CAN IMPACT THE BOTTOM LINE

Judy Morris, Senior Product Specialist, SITA

26 September 2019

A BIT ABOUT SITA …

[Diagram labels: Business Intelligence; Border Management; Aircraft Operations; Operations @ Airports; Baggage Management; Passenger Processing; Biometrics; Platform; Data]

INDUSTRY TRENDS

• Increasing Passenger Numbers
• More Demanding Travellers
• Rapidly Changing Technologies

CHANGING REGULATORY REQUIREMENTS / MANDATES

• Vary by country/region
• Security/Standards, validation required
• Lack of consistency from airport to airport, difficult for airlines
• Impact the passenger journey, from check-in to boarding
• Multiple PCI Standards – What Applies When? To Who?
• GDPR
• EU PSD2 SCA – What’s Next?

Fraudulent Use Of Identity Becomes More Difficult

Your identity + Your biometric + Your itinerary: Secure ‘token’

To identify you during your journey…

MOBILE CHECK-IN, ASSISTED CHECK-IN, SELF-SERVICE CHECK-IN, SELF-SERVICE BAG DROP, SECURITY SCREENING, SELF-SERVICE BOARDING

…addressing the critical challenges of payments

REGULATORY COMPLIANCE: Evolving laws and regulations, with penalties (e.g., PCI DSS, EU PSD2 SCA)

PASSENGER EXPERIENCE: Expectations: Convenience, consistency, secure

REPUTATIONAL DAMAGE: Long-term effects on airline and airport

BUSINESS: Resources re-allocated to recovery, forensics study with authorities and bank, rebuild consumer confidence

FINANCIAL: Direct Costs: Fraudulent charges, chargebacks, fines. Indirect Costs: Stock prices

The Bottom Line

Technology in Payment Security Evolved – ATI Has Not

[Timeline: 1991, 1994, 2010, 2025]

PAST -- Pre Chip Card (Airline XS): Unencrypted, Fraud Risks, GDPR Exposure, Increased Chargebacks

CURRENT / FUTURE ATI: Minimize Counterfeit and Fraud Risks

PAYMENT OPTIONS TO MEET REGULATIONS

1. Stop taking payments
2. Improve Payment Security (PCI DSS, but not chip?)
3. Dedicated solution, airline by airline (… a costly option)
4. Common Use Chip and Pin terminals (CUTE/CUPPS, Kiosks, Self-bag drop)
5. Continue with MSR (high cost / high risk of bank declines)

Why should an airport care? Why should an airline care?

Fraud Reduction = Cost Reduction

PCI P2PE

[Figure: PCI P2PE. Source: PCI SSC]

Fraud Reduction Can be Made Simple at Airports

• Airport -- Chip and Pin Terminals: Secure payment environment
• Managed Services: Reduces PCI scope for airlines
• PCI Point to Point Encryption: Data devalued if breached; Reduced PCI DSS scope

We believe that smarter airports that use improved security are better airports

[email protected]