WEB FRAUD PREVENTION, SECURITY & DIGITAL IDENTITY MARKET GUIDE 2013

LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONS

The MRC observed a tremendous shift in e-fraud and e-security trends this year. It is therefore important for our merchant members to carry out a constant review of the techniques, solutions and tools available in the market. We welcome The Web Fraud Prevention, Security & Digital Identity Market Guide 2013 that supports this objective.

Nicolas Vedrenne - Managing Director - MRC Europe


Authors: Mirela Amariei, Tiberiu Avram, Ionela Barbuta, Simona Cristea, Mihaela Mihaila, Adriana Screpnic

RELEASE | VERSION 1.0 | DECEMBER 2013 | COPYRIGHT © THE PAYPERS BV | ALL RIGHTS RESERVED

Introduction

You are reading the second edition of the Web Fraud Prevention, Security & Digital Identity Market Guide, put together by The Paypers, the industry-leading provider of news and analyses for the global payments community.

Web fraud prevention & digital identity – pressing issues for the payments community

Given the ever increasing importance of ecommerce for the global economy, online fraud and digital identity have emerged as pressing issues for the business community and individuals alike - treatable but not curable yet, if ever.

With the fast growing digital economy, digital identity becomes indispensable for organisations offering digital services. But given that fraud prevention, online security, risk management, digital identity and e-authentication have emerged as pivotal elements in the payments process, special attention must be paid to these aspects, all the more so since they have a vital role in ensuring customer trust and in boosting ecommerce transaction volumes.

As fraud is hindering both economic and ecommerce growth, the need to build trust online becomes critical, especially at a cross-border level. In order to maximise cross-border growth opportunities, the industry needs to come up with more efficient solutions, both payments and fraud-related. Cybercrime causes more damage to society than the worldwide trade in soft drugs, cocaine and heroin together. The EU estimates that more than 1 million people a day fall victim to online fraud. Losses due to these kinds of criminal activities are estimated at EUR 290 billion a year in Europe alone. In this context, fraud and cybercrime will definitely remain an increasingly important concern for policy-makers, businesses and citizens alike. In order to address this, various developments focused on a single aspect of the payment process or those driving the harmonization of specifications in the identity space and the web fraud detection market are a constant in the payments market equation.

If we want to live in an ideal world with smooth payments, fraud limitation and risk reduction, we need to rethink the transactional model for ecommerce. Credit cards were not designed for the internet. As the online channel emerged as a global marketplace where people can buy products and services without ever leaving their homes, credit cards, with their designs and black stripe on the back, have become outmoded (the essence is that the seller does not know the buyer and vice versa, not so much that you do not have to leave your home).

Furthermore, the key to the future growth of ecommerce and e-business lies in more collaboration between the players in this field, as improving trust on the web is not something one party can do on its own. Therefore, it is imperative that all parties involved in the payments industry (including consumers) start reconsidering their approach to preventing fraud. Instead of adopting individual measures, they should realise that coordinated efforts on preventing, detecting and responding to fraud can be beneficial to all parties involved.

Web Fraud Prevention, Security & Digital Identity Market Guide

Within a context where new players, technologies, business models and rivalries emerge every day, the Web Fraud Prevention, Security & Digital Identity Market Guide 2013 aims to serve a twofold purpose. On the one hand, it aims to provide an arena where voices from all across the industry – regulators, technology companies, banks, payments processors and fraud prevention and risk management services providers – can interact. This guide allows them to expose their vision, discuss topics such as fraud management and cross-industry collaboration, the digital identity ecosystem and identity management schemes, as well as argue the case for what they consider to be the way forward in online fraud mitigation and digital identity theft prevention.

On the other hand, the Web Fraud Prevention, Security & Digital Identity Market Guide 2013 aims to be a comprehensive source of information for industry professionals, who gain access to an all-in-one reference material which lists in-depth company profiles in the web fraud prevention and digital identity ecosystem as well as thought leadership articles, providing information and food for thought.

Guide quick overview

Our partner in putting together the Web Fraud Prevention, Security & Digital Identity Market Guide 2013 is a powerful industry organisation: The MRC, a global not-for-profit organization that fully supports and promotes operational excellence for fraud, payments and risk professionals within ecommerce.

The Guide has a three-part structure, with Part 1 dedicated to insights from industry stakeholders and associations. Nicolas Vedrenne, Managing Director, Europe, MRC discusses the top three fraud trends in ecommerce, with a particular focus on clean fraud, reshipping and account takeover. In his article, Simon Lelieveldt, Senior Advisor at the Electronic Money Association (the European trade body representing electronic money issuers, payment institutions, banks and payment schemes) discusses the need for a balanced approach for strong authentication.

Also featured is an article by two representatives of FIDO Alliance, a non-profit organisation which addresses the lack of interoperability among strong authentication devices, which focuses around the need to identify the next big thing in secure mobility and payments. In order to encompass the diversity and complexity of the ecosystem, special attention has also been given to industry and government initiatives, among which The National Strategy for Trusted Identities in Cyberspace (NSTIC) and Scoping the Single European Digital Identity Community (SSEDIC).

Part 2 is a section dedicated to exposing expert views, opinion pieces and exposés on key aspects of the global digital identity transactional and web fraud detection ecosystem from web fraud detection services providers, technology vendors, as well as digital identity services providers. It features insights from thought leaders, including ReD, a global provider of fraud prevention and payment services, and ThreatMetrix, a US provider of integrated cybercrime prevention solutions, whose contributions deal with cross-channel fraud strategies. Part 2 also includes exclusive contributions from Ogone, Wirecard, DataCash and Device Ident, whose editorials address various approaches to fraud monitoring and management.

Part 2 also features an article by Gunnar Nordseth, CEO, Signicat, a provider of eID services, who speaks about electronic identity being deployed in more and more European countries and 'Know your customer' (KYC), as one of many areas where the use of eIDs is becoming widely accepted. In his editorial, David Pope, European Marketing Director at credentials management company Jumio, provides insights on identity theft, by examining how fraudsters steal identities and then go on to conduct acts of fraud against businesses. Emma Lindley, Director at independent consultancy Innovate Identity, focuses on the main tactics in the decision-making process within a business which make it easier to choose the right identity system.

Finally, David Birch, Director at consulting company Consult Hyperion, discusses tokenization as the way forward for wallets, while Neira Jones, Partner at consultancy company Accourt, speaks about 21st century payments and the industry's security-related concerns while striving for innovation.

Most complete market overview

Part 3 presents in-depth company profiles mapping out key players in the global digital identity transactional ecosystem and web fraud detection space. Also, an enhanced online company profiles database with advanced search functionality will complement the PDF version of the guide, allowing readers unprecedented access to and visibility into the global web fraud prevention and digital identity market.

The Web Fraud Prevention, Security & Digital Identity Market Guide 2013 is a great means to stay informed and keep up to date with the latest industry perspectives, trends and developments, a highly useful document that should be kept at hand at all times. Finally, this document has been put together with the utmost care. If you discover that, despite our efforts, it features information that is unclear or erroneous, we very much appreciate your feedback. Please feel free to drop us a line at any time at: [email protected].

Adriana Screpnic, Editor-in-Chief, The Paypers

Table of contents

Introduction

VOICE OF THE INDUSTRY SECTION

Fraud 2.0 - A Look at the Top Three Fraud Trends in Ecommerce | Nicolas Vedrenne, Managing Director – Europe, MRC

Strong Authentication: The Search for a Balanced Approach | Simon Lelieveldt, Senior advisor, Electronic Money Association

How to Secure Mobile Users and their Transactions | Michael Barrett and Sebastien Taveau, FIDO Alliance

The Proliferation of Shopping Channels and Online Services Has Resulted In a Proliferation of Authentication Methods; Can Natural Security Help Reduce the Clutter? | André Delaforge, Institutional Relationships & Brand Strategy Manager, Natural Security

Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers’ Funds and Data with Payment Account Access Services | Javier Santamaría, Chairman, European Payments Council

Progress Towards a Digital Europe Continues | Jon Shamah, Thematic Network Coordinator, SSEDIC

Trusted Identities and Privacy Go Hand-in-Hand | Naomi Lefkovitz, Senior Privacy Policy Advisor, NIST

THOUGHT LEADERSHIP SECTION

ReD | Fraud Monitoring and Mitigation Strategies by Channel

ThreatMetrix | Cybercrooks Use Multiple Channels to Take Over an Online Account - Sophisticated Cross-Channel Fraud Can Crack Tough Security

DataCash | Fraud data analysis - are you optimising the information available to you?

Device Ident | Data Privacy Topics to Consider Using Fraud Prevention Tools in Europe

Wirecard | Fraud Prevention Tools in Accordance With the New Consumer Behaviour

Ogone | Cross-Border Expansion – Resolving Local Issues

Innovate Identity | Anyone for Identipedia? - How To Make Sense of the Identity and Fraud Market Place

Jumio | Preview of the Fraudster’s Playbook: Insights on Identity Theft

Signicat | Know Your Customers and Contract Them Online with Electronic IDs

Consult Hyperion | Tokenization – the way forward for wallets

Neira Jones | 21st Century Payments: When Innovation Meets Trust

Innopay | The Broader Scope of Payment Risk

COMPANY PROFILES

VOICE OF THE INDUSTRY

MRC

Fraud 2.0 - A Look at the Top Three Fraud Trends in E-commerce

Merchants who accept card-not-present transactions, frankly, do not have it easy. Yes, the transaction highlights a new and more modern way of doing business, but at what cost? According to the 2013 LexisNexis True Cost of Fraud Study, for every USD 1 / EUR 74 in fraud, the true cost to merchants is USD 2.79 / EUR 2.05. This includes loss of goods, payment, bank fines and staffing. Alarming as that is, what is more disturbing is that despite the increase in fraud mitigation tools over the last five years, the volume of fraud is increasing. Fraudsters are more determined than ever, using new black-market technologies and naive consumers to illegitimately get what they want. In light of these metrics, we encourage merchants to be aware of what others are seeing in the fraud industry. We have provided three of the top fraud trends currently being addressed by MRC merchant members, so that you can stay ahead of fraud 2.0 in 2014 and beyond.

According to an MRC merchant poll, the most common fraud trend is clean fraud. It is dynamic and ever-changing, with no real pattern to speak of that merchants can look out for or monitor. Clean fraud is the purchase of goods or services with at least one stolen credit card. Often, patient fraudsters will start with a handful of smaller USD/EUR orders and over time build up to larger orders. This allows the fraudster to build a reputable order history and to fly under the merchant’s order threshold, raising no alarms or red flags. Only when a diligent consumer notices these charges or when merchants identify individual consumers beyond IP addresses is the fraudster shut down.

The next type of fraud that we are seeing is reshipping. Reshipping has been on the rise in the last two years and is characteristic of savvy fraudsters taking advantage of naive consumers and luring them in by way of legitimate-looking work-from-home job advertisements. Once connected, the fraudster uses stolen credit cards to purchase goods and has the consumer, otherwise known as the mule, receive and reship these goods—often to foreign countries.

Nicolas Vedrenne, Managing Director – Europe, MRC

For the merchant, it is hard to prevent reshipping as it is quite typical for a purchaser’s billing address to be different from the receiver’s address (e.g. gifts) and the owners of both the stolen credit cards and the addresses are usually associated with positive purchasing histories. In addition, the mule/fraudster relationship is typically short-lived as the mule almost never receives payment, rendering an addition to a negative list useless. However, merchants can use systems that can provide more information on the shipping address as well as look for established relationships between buyers and recipients and in some cases can anonymously share negative purchase data with fellow retailers in real time.

Finally, online merchants should be aware of account takeover. This, too, is on the upward trend. The MRC has seen the rate of account takeover grow exponentially in the last year and it is expanding from digital companies such as gaming or digital download to several large companies that ship physical products. According to numerous studies, the average consumer has 27 online accounts, but only an average of five passwords. This makes it fairly simple for a fraudster to take a username/password combination that may have been discovered during a breach and try it on several large merchant websites to gain access to a consumer’s online account, which oftentimes also contains a stored card on file. Because the user account is legitimate and has an established history, the fraudster can place several orders either on the stored card or a new card without being detected. Likewise, since an existing account is being used, typical fraud indicators and behaviour patterns provide little value in preventing, detecting and eliminating account takeovers.

Whether merchants experience one of the above fraud attacks or another form of fraud, it is important to stay ahead of fraudsters by working with solution providers and other e-commerce professionals to understand current fraud trends and to learn about the latest tools and techniques to mitigate your net risk. The MRC fosters these types of merchant-to-merchant discussions in person four times per year, along with several virtual networking opportunities and monthly webinars, resulting in 45% less revenue loss due to fraud for MRC members compared to non-members.

ABOUT THE ORGANISATION: THE MRC IS THE FOREMOST GLOBAL NOT-FOR-PROFIT ORGANIZATION THAT FULLY SUPPORTS AND PROMOTES OPERATIONAL EXCELLENCE FOR FRAUD, PAYMENTS AND RISK PROFESSIONALS WITHIN E-COMMERCE. MEMBERSHIP INCLUDES NEARLY 400 OF THE WORLD’S MOST PROMINENT MERCHANTS, TO INCLUDE 95% OF THE TOP 20 E-COMMERCE COMPANIES IN THE WORLD, OVER 82% OF THE TOP 50 AND OVER 60% OF THE TOP 100 AND MORE THAN 60 CATEGORY LEADING SOLUTION PROVIDERS. MRC MEMBERS REPORT 45% LESS REVENUE LOSS DUE TO FRAUD THAN NON-MEMBERS, EXPERIENCE MORE THAN 50% LESS MANUAL REVIEWS AND BOAST 50% LESS FRAUD RELATED CHARGEBACKS. SOURCE: CYBERSOURCE/MRC 2012 FRAUD SURVEY. HEADQUARTERED IN SEATTLE, WASHINGTON, THE MRC’S EUROPEAN OFFICE IS LOCATED IN MADRID, SPAIN. LEARN MORE AT WWW.MERCHANTRISKCOUNCIL.ORG

ABOUT THE AUTHOR: WITH A MASTER FROM PARIS BUSINESS SCHOOL (ESG PARIS), NICOLAS VEDRENNE DEVELOPED HIS CAREER IN FRANCE, UK, LATIN AMERICA AND SPAIN WITH SOCIÉTÉ GÉNÉRALE, SEMA GROUP AND MONEXT, SPECIALIZING IN PAYMENT SYSTEMS, FRAUD PREVENTION, RISK MANAGEMENT AND CREDIT BUREAUX. IN 1999, HE TOOK THE RESPONSIBILITY OF SEVERAL EXPERIAN BUSINESSES AS PRESIDENT HISPANO AMERICA AND CEO SPAIN.

www.merchantriskcouncil.org

Payments and fraud are dynamic and ever-changing. MRC membership allows me to stay at the forefront of the industry by providing the latest information, trends and solutions.
Danielle Nagao, VP, Financial Operations, Tickets.com

Subscribing to the MRC is the first expenditure I make annually to reduce Fraud and increase Payments for my company.
Diarmuid Considine, Commerce Platform Manager, Skype

Optimizing payments and protecting our investment is mission critical. The MRC provides the tools, resources and industry contacts for us to stay ahead of the curve.
Pete Pouridis, VP, Loss Prevention, Neiman Marcus Group
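The account takeover pattern described in the MRC article above (a breached username/password pair tried across merchant sites, after which the legitimate account's history hides the fraudster) can be caught at login time rather than at order time. The following is an added example, not MRC code: the event fields, the `source` identifier (a device fingerprint rather than a bare IP address), the thresholds and the sample log are all assumptions constructed for illustration.

```javascript
// Added illustration: flag login sources that try many different usernames with
// a high failure rate, and mark any account they did get into for step-up checks.

const T0 = Date.UTC(2013, 11, 1, 12, 0, 0);
const STUFFED = ['alice', 'bob', 'carol', 'dan', 'erin', 'frank', 'gina', 'hugo'];

// Constructed sample log, not real data.
const sampleEvents = [
  // dev-A: eight different usernames in two minutes, one hit (carol).
  ...STUFFED.map((u, i) => ({ ts: T0 + i * 15000, source: 'dev-A', username: u, ok: u === 'carol' })),
  // dev-B: one real customer mistyping a password four times, then succeeding.
  ...[0, 1, 2, 3, 4].map(i => ({ ts: T0 + i * 20000, source: 'dev-B', username: 'dave', ok: i === 4 })),
  // dev-C: ordinary single login.
  { ts: T0 + 60000, source: 'dev-C', username: 'ivy', ok: true },
];

function detectStuffing(events, opts = {}) {
  const { windowMs = 10 * 60 * 1000, minUsernames = 5, minFailRate = 0.8 } = opts;
  const windows = new Map();          // source -> events inside the sliding window
  const flaggedSources = new Set();
  const takeovers = new Map();        // "source|username" -> success event

  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    const win = windows.get(ev.source) || [];
    while (win.length && ev.ts - win[0].ts > windowMs) win.shift(); // expire old events
    win.push(ev);
    windows.set(ev.source, win);

    const distinctUsers = new Set(win.map(e => e.username)).size;
    const failRate = win.filter(e => !e.ok).length / win.length;

    // Many usernames AND mostly failures: repeated typos on one's own account
    // (one username) never qualify, however many failures there are.
    if (distinctUsers >= minUsernames && failRate >= minFailRate) {
      flaggedSources.add(ev.source);
      // Successes inside the window are retroactively suspect, including
      // hits that happened before the source crossed the threshold.
      for (const e of win) {
        if (e.ok) takeovers.set(`${e.source}|${e.username}`, e);
      }
    }
  }

  return {
    flaggedSources: [...flaggedSources],
    suspectedTakeovers: [...takeovers.values()].map(e => ({
      username: e.username, source: e.source, ts: e.ts,
    })),
  };
}

const report = detectStuffing(sampleEvents);
console.log(report.flaggedSources, report.suspectedTakeovers);
```

Accounts listed in `suspectedTakeovers` are the ones where a stored card should not be usable until the customer passes an additional check or resets the password.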

Optimizing PAYMENTS | Minimizing FRAUD | Maximizing ROI

COMPLIMENTARY PASSES & DISCOUNTS: On all MRC conferences, products and services

PROFESSIONAL DEVELOPMENT | NETWORKING: 70+ Free webinars per year, 10 global roadshows and 4 annual conferences. Register up to 5 colleagues

KNOWLEDGE SHARING: Online forums and active committees dedicated to networking, payments, fraud, education, benchmarking, advocacy and law enforcement

CRITICAL INFORMATION | INDUSTRY BENCHMARKING DATA: Fraud, payments and security information, biweekly newsletter, white papers and case studies

The MRC is the foremost organization that fully supports and promotes operational excellence for fraud, security, risk and payments professionals. For more information contact [email protected]

ONLINE AUTHENTICATION: PRACTICAL INSIGHTS AND ANALYSIS

EMA

Strong Authentication: The Search for a Balanced Approach

In July 2013, the European Commission published a proposal for a revised Payment Services Directive (PSD). The proposal requires ‘strong customer authentication’ when a payer initiates an electronic payment transaction. This is a procedure for the validation of the identification of a natural or legal person based on two or more elements categorized as knowledge, possession and inherence. These elements are independent, in that the breach of one does not compromise the reliability of the others, and the procedure is designed in such a way as to protect the confidentiality of the authentication data.

The concept of strong authentication is in itself nothing new. What is new, however, is its appearance as a detailed regulatory requirement. So far, both the Payment Services Directive and the Electronic Money Directive contained a more generic requirement for licensed operators to demonstrate that their governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate.

Different market approaches to customer authentication

Traditionally, the banking sector and the card schemes have played a major role in the payments industry. For a long time they acted as the main channel through which new technological developments were introduced. In this process, strong authentication in a range of countries became a standard for use in payments. Further security measures for use in transactions over the internet were then being developed as an add-on to the basic design.

More recently, Payment Service Providers (PSPs) have entered the payments value chain using the internet as their basic transaction processing initiation channel. As a result, their approach to payment security tends to be based on a variety of methods, to be able to counter a range of attacks associated with this inherently unsafe environment. PSPs have had to move very quickly up the e-payment security learning curve and found out that they must remain vigilant with respect to new threats.

PSPs are consistently using additional information (geo-location information, IP address matching, IP address pattern detection, industry blacklists, comparison against a customer’s existing “profile” etc.) to validate the interaction with a user.

There is still much to gain by combining the expertise of both the ‘classic’ and more recently-established providers of payment services. Customers will be using all kinds of devices as a service entry point and this requires a flexible approach to authentication. Rather than two-factor authentication we could speak of multi-factor authentication, which would include the specific user-payment service provider interaction context.

The proposed PSD-requirements

The new PSD requires two-factor authentication for all payment transactions. Exemptions to this rule are possible on the basis of guidelines of the European Banking Authority (EBA). The underlying message is clear: only two-factor authentication does the job and other payment authentication methods are mostly relevant for low-value, low risk payments.

Under the revised PSD, the customers of PSPs that do not use strong authentication cannot be held liable for unauthorized transactions unless they acted fraudulently. This will also be the case when a number of companies are involved in a chain of payments and one of them has not used strong authentication.

The drafting of further security requirements on authentication by the EBA must be undertaken in a period of two years after the revised PSD has been agreed. This leads to an incomplete process to remove confusion on the mechanics of appropriate ‘strong customer authentication’. While the regulator finds authentication important enough to highlight it as a specific requirement, it leaves the definition of appropriate authentication methods to a new regulatory body. This does not provide the industry with sufficient upfront clarity.

Simon Lelieveldt, Senior advisor, Electronic Money Association

The Forum Recommendations on security

In the meantime, the Secure Pay forum released a set of Recommendations this year with respect to the security of internet payments, to be applied as of February 2015. This forum consists of the European supervisors that have a role in assessing security of retail payments. It stresses two-factor authentication as the norm, but the requirements do not cover all situations. There is a set of recommendations forthcoming, which covers the issue of third party access to bank accounts, while another set of recommendations for mobile phones is now being consulted with the market.

It may be expected that the future EBA Guidelines will draw considerably upon the work of the Secure Pay forum. Still, it should be noted that the Forum Recommendations do not cover payments that are exempted from the PSD, in-house payments or low-value payments. The net effect of the current approach is that the requirements for the security for retail payments are skewed to a specific type of authentication, without the supporting comprehensive analysis required to do so.

A balanced approach

It is not unlikely that the envisaged inclusion of a detailed requirement on strong authentication may distort the current market developments rather than allow for further innovation and market development. A more balanced approach is therefore welcome.

In my view, such an approach could be to allow for a broader 'multi-factor authentication' which includes authentication based on the user-interaction context. Alternatively, it might be considered not to include this specific requirement in this revision of the PSD. The requirement will then still be relevant, but foremost as a part of the actual supervisory reviews, during which a more balanced context-based assessment can be made.

ABOUT THE ASSOCIATION: THE ELECTRONIC MONEY ASSOCIATION (EMA) IS THE EUROPEAN TRADE BODY REPRESENTING ELECTRONIC MONEY ISSUERS, PAYMENT INSTITUTIONS (PIS), BANKS AND PAYMENT SCHEMES. THE EMA ACTS AS A FORUM FOR INDUSTRY, ENABLING THE SHARING OF KNOW-HOW AND THE DEVELOPMENT OF GOOD PRACTICE. IT REPRESENTS ITS MEMBERS IN DISCUSSIONS WITH GOVERNMENT, EU ORGANISATIONS, CONSUMER BODIES AND OTHER INTERESTED PARTIES.

ABOUT THE AUTHOR: SIMON LELIEVELDT IS SENIOR ADVISOR WITH THE ELECTRONIC MONEY ASSOCIATION AND HAS WORKED FOR MORE THAN 20 YEARS IN THE PAYMENT INDUSTRY. HE WAS THE MEMBER OF THE BIS-WORKING GROUP ON THE SECURITY OF ELECTRONIC MONEY AND HE WAS CLOSELY INVOLVED IN THE SUPERVISION OF E-MONEY SCHEMES IN THE NETHERLANDS.

www.e-ma.org

FIDO Alliance

How to Secure Mobile Users and Their Transactions

Michael Barrett and Sebastien Taveau, FIDO Alliance

Email/password, mobile/PIN and card/signature credentialing schemes, while still effective when combined with advanced back-end risk management capabilities, are losing effectiveness across the ecosystem due to an increasing rate of theft and identity fraud, e.g., "Bitcointalk.org Warns Passwords In Danger After DNS Attack" and "'Pony' botnet steals 2 million user logins for Facebook, Google, Twitter, ADP".

Security teams proactively moving off of legacy systems and onto the authentication modality that FIDO specifications outline for strong authentication can accommodate end-users with extraordinary convenience and improved security. At the same time, providers on the back-end have many more options to control and manage risk. Breaches and fraud like those referenced become a thing of the past when personal information is never shared over the network or in the cloud. This is especially important to m-commerce, which cannot reach full potential until mobile banking and payment transactions ensure easy-to-use authentication that can be trusted.

What is the next big thing in secure mobility and payments?

Mobile users demand convenience. Mobile transactions and secure mobile access require strong authentication that employs multiple factors to secure transactions in a consumer-driven mobile economy. Until recently, security and convenience were mutually exclusive. Adding friction at the user experience level or tuning down the level of security were really the only two options considered by RPs wanting to protect their users.

Until Apple introduced the iPhone 5s with Touch ID, mobile devices weren’t perceived to have biometric capabilities (in secure hardware). With Touch ID, the world took only three days to move from an expectation of ‘security’ to a love of and demand for ‘convenience’ in mobile transactions. Even with the market’s exuberance over Touch ID, though, integrating strong authentication cost-effectively with all the cloud-based services in today’s enterprise or consumer environments requires open standards. Standards make strong authentication easy to adopt because methods and devices become interoperable across the digital ecosystem.

FIDO specifications allow mobile device sensors (such as cameras, microphones and FPS) to be leveraged not only for convenience, but also for better security that is easy to use and private! FIDO standards strengthen mobile security by moving away from password dependency to using biometrics or hardware that leverages Near Field Communications (NFC), Bluetooth Low Energy (BLE) or embedded Secure Elements (eSE) and devices themselves that comply with open, interoperable standards.

FIDO-ready devices and applications are coming now to the marketplace. These first implementations begin to equip users with devices able to perform strong authentication. FIDO specifications put users in control of their personal identifying information, while RPs on the back-end can leverage users’ new strong authentication capabilities to manage their risk with enhanced verification capabilities that ensure secure mobile transactions and more.

Security+privacy at last!

Founding FIDO Alliance members and the 65 organizations that have joined the Alliance since the public launch in February 2013 recognize that FIDO specifications must include new mechanisms and privacy protections for consumer-centric strong authentication to take off.

FIDO specifications add user privacy where it has not existed before, by putting control of personal identifying information, such as a biometric, entirely in the hands of consumers. FIDO protocols create a public/private key pair when users register a FIDO device with an application or service. FIDO specifications eliminate central databases of stored personal information that can be tapped in dragnet hacks. FIDO specifications emphasize a device-centric model. Authentication over the wire happens using public key cryptography. The user’s device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture - such as a biometric or pressing a button. The server has the choice of replacing the password depending on the choice of local authentication. FIDO protocols are designed with a core focus on privacy: the key issued by a user’s device to each account on each server is unique to avoid link-ability. Whether a user unlocks their device with a biometric or PIN to locally authenticate, the identifier stays on the local device and is never shared with the cloud.

Traditional biometric authentication systems used by governments, health groups and military have required central databases of biometric templates. Under ‘natural ID’ or consumer-grade biometry, service providers or RPs don’t want to maintain a massive database of biometric or other personal identifying information (PII) for many reasons - risk of breach, privacy, storage and general usability.

In a FIDO framework, law enforcement agencies, like the NSA, would need a warrant to access data specific to a user and a device. Digital blanket dragnet access won’t work. Even a criminal hacker attack on a FIDO device would require the attacker to perform two completely different types of attacks just to complete a single unscaleable one-off spoof! A hacker targeting a fingerprint biometric would first have to access the fingerprint, and then gain physical access to a user’s device. This is very time consuming, expensive, and riskier than an attack in which the hacker phishes for a user's password digitally. An unscaleable attack of this magnitude suggests only a very high value target. Under FIDO-specified authentication, if a user’s unchanging fingerprint were physically lifted, the user would not necessarily be at risk, since FIDO authenticators never share users’ biometric template. Users can always erase/delete or reset any FIDO enabled device with any FIDO compliant online service. Also, the types of sensors used in today’s consumer devices have evolved so a binding between the sensor and the template allows for revocation of the time-stamped template and generation of a new one.

Similar mechanisms exist in the U2F effort from the FIDO Alliance, using a secure element and a device-independent OTP token generator, completely dissociating the source of authentication from the host being used to execute the FIDO authenticator function.

Where are the standards to support the mobile ecosystem?

The FIDO Alliance will define an open, scalable, interoperable set of mechanisms that universally authenticate users and reduce reliance on passwords. FIDO standards create an interoperable “shim” between FIDO enabled devices (which could be biometrics or PIN-protected secure elements) and applications, both native Apps and online services accessed through a FIDO-compliant web browser.

The FIDO Alliance welcomes and cooperates with all other secure identity initiatives, such as OATH, NSTIC, OpenID, and GSMA. The FIDO Alliance has begun certifying FIDO-ready products for the enterprise and mobile users and applications. Thanks to FIDO standards for strong authentication, mobile transactions are about to become more secure, private and easy-to-use.

ABOUT MICHAEL BARRETT: MICHAEL BARRETT IS PRESIDENT OF THE FIDO ALLIANCE, AN OPEN STANDARDS ORGANIZATION ENABLING A ‘POST PASSWORD’ WORLD. FROM 2006 TO 2013, MR. BARRETT WAS THE CHIEF INFORMATION SECURITY OFFICER FOR PAYPAL. IN THIS ROLE, HE WAS RESPONSIBLE FOR ENSURING THE SECURITY OF PAYPAL’S 130M ACTIVE ACCOUNTS WORLDWIDE.

ABOUT SEBASTIEN TAVEAU: AT VALIDITY, SEBASTIEN’S FOCUS WAS TO DEFINE THE ROLE OF NATURAL ID WITHIN THE MOBILE ECOSYSTEM. AS CTO, SEBASTIEN LED THE STRATEGY FOR THE MOBILE BUSINESS AND TECHNOLOGY CHOICES AS WELL AS ADVANCED PROJECTS DEVELOPMENT. THIS RESULTED IN THE ACQUISITION OF VALIDITY BY SYNAPTICS FOR A DEAL VALUED AT USD255M.
www.fidoalliance.org 14 WEB FRAUD PREVENTION, SECURITY & DIGITAL IDENTITY MARKET GUIDE 2013 VOICE OF THE INDUSTRY
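The registration and challenge-signing flow described in the FIDO article above, as an added example (not code from the FIDO Alliance or from this guide). It is a simplified Node.js sketch, not the FIDO message format; the class names, method names, relying-party names and the layout of the signed bytes are assumptions made for illustration.

```javascript
// Added illustration of the flow described above. Simplified: this is not the
// FIDO message format. All names here are hypothetical.
const { generateKeyPairSync, createPublicKey, randomBytes, sign, verify } =
  require('crypto');

// Bytes that get signed: the relying-party id is bound in, so a signature
// produced for one service cannot be accepted by another.
function signedData(rpId, challenge) {
  return Buffer.concat([Buffer.from(rpId, 'utf8'), Buffer.from([0]), challenge]);
}

class Authenticator {
  constructor() {
    this.privateKeys = new Map(); // rpId -> private key; never exported
  }

  // Registration: a fresh key pair per relying party, so two services cannot
  // link the same user by comparing the public keys they hold.
  register(rpId) {
    const { publicKey, privateKey } =
      generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKeys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'der' });
  }

  // Authentication: the key is unlocked only by a local gesture (biometric,
  // PIN, button). gestureOk stands in for that local check; no biometric data
  // is part of what gets signed or sent.
  signChallenge(rpId, challenge, gestureOk) {
    const key = this.privateKeys.get(rpId);
    if (!key || !gestureOk) return null;
    return sign('sha256', signedData(rpId, challenge), key);
  }
}

class RelyingParty {
  constructor(rpId) {
    this.rpId = rpId;
    this.publicKeys = new Map(); // user -> DER public key (nothing secret)
    this.pending = new Map();    // user -> challenge awaiting a response
  }

  enroll(user, publicKeyDer) {
    this.publicKeys.set(user, publicKeyDer);
  }

  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }

  checkResponse(user, signature) {
    const challenge = this.pending.get(user);
    const der = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    if (!challenge || !der || !signature) return false;
    const publicKey = createPublicKey({ key: der, format: 'der', type: 'spki' });
    return verify('sha256', signedData(this.rpId, challenge), publicKey, signature);
  }
}

function runDemo() {
  const device = new Authenticator();
  const bank = new RelyingParty('bank.example');
  const shop = new RelyingParty('shop.example');
  const bankKey = device.register('bank.example');
  const shopKey = device.register('shop.example');
  bank.enroll('alice', bankKey);
  shop.enroll('alice', shopKey);

  // Normal login.
  const sig = device.signChallenge('bank.example', bank.newChallenge('alice'), true);
  const loginOk = bank.checkResponse('alice', sig);

  // A captured signature presented again after a fresh challenge was issued.
  bank.newChallenge('alice');
  const replayOk = bank.checkResponse('alice', sig);

  // A response signed with the bank key, presented to the shop.
  const crossChallenge = shop.newChallenge('alice');
  const crossSig = device.signChallenge('bank.example', crossChallenge, true);
  const crossOk = shop.checkResponse('alice', crossSig);

  // No local gesture: the device refuses to sign.
  const noGesture = device.signChallenge('bank.example', bank.newChallenge('alice'), false);

  return { loginOk, replayOk, crossOk, noGesture, keysDiffer: !bankKey.equals(shopKey) };
}

console.log(runDemo());
```

The server side stores only public keys and one-time challenges, which is why a breach of its database yields nothing that can be replayed as a login.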

Natural Security

The Proliferation of Shopping Channels and Online Services Has Resulted In a Proliferation of Authentication Methods; Can Natural Security Help Reduce the Clutter?

Banks and retailers go to great lengths to safeguard their customers’ personal information and finances, however, the rapid adoption of multi-channel strategies has increased the pressure on current authentication practices. A multi-factor authentication approach that uses biometrics alongside other security factors to maximise protection has become the commonplace solution used by banks, retailers and service providers.

But, we’re now at a point where authentication solutions are a melting pot of passwords, PINs and security keys, which are difficult for customers to remember, expensive for businesses to implement and unsuited to the requirements of newer technology. The marketplace for alternative strong authentication solutions trying to cater to these new demands is also growing, but it’s very exclusive and increasingly disparate. Solutions are created by independent technology providers and linked to specific technology products, such as mobile phones, which severely limits the user base and potential for widespread adoption.

What the authentication market needs now is a unifying force to bring together all the independent technology suppliers, banks and retailers to standardise strong authentication across the board.

Natural Security: building the standard

Natural Security was created to set up a universal standard for strong authentication that was able to break down the exclusivity barriers as well as provide a modern, secure authentication solution. The standard needed to traverse the market and be compatible with all types of technology and channels including smartphones, tablets, PCs and in-store POS, because there’s no longer a separation between the online and physical environments.

Uniquely the standard was created with direct input from banks, merchants and service providers to ensure it fulfils their specific authentication requirements. With this input, the standard is based on three fundamental cornerstones: business focus, ensuring interoperability with existing technology and other members of the ecosystem, global innovation (keeping the total value chain in mind) and zero compromise on security and privacy. Creating a strong user experience was also vital as this is a crucial factor in the widespread adoption of technologies.

The strong authentication standard

The Natural Security standard is based on a unique combination of wireless technologies, a personal device and biometrics. The standard offers the same level of security and the same user experience for all types of transactions (e.g. proximity and remote payment) no matter where they take place (e.g. at home, in-store or branch). As an added layer of security, biometrics replaces or complements PINs so a transaction can only take place when both the user and the device are present.

Incorporating biometrics can invoke user concerns surrounding privacy of data. However, the Natural Security standard uses a personal device to store applications and data used to authenticate the user, avoiding the use of biometric databases and resolving some of these privacy issues.

The standard can be implemented in various form factors (including smartcard, micro-SD Card, SIM card and token) addressing all market segments including those without smartphones.

Wireless communication technology (Zigbee and Bluetooth Low Energy) spares users the need to physically handle this device. They simply place their finger on a reader to complete a transaction, and use this same action and device whether performing the transaction online or in person. The transaction process allows strong authentication to be completed in a matter of seconds, ensuring it’s efficient and convenient for customers, merchants and service providers in any environment.

The Natural Security Alliance…

To advance and standardise the authentication market and support widespread adoption of the standard, the specifications need to be shared with industry stakeholders and development continued based on their requirements and input. This includes making the specifications available to all vendors, so an ecosystem of hardware, services and solutions based on common foundations can be developed.

The Natural Security Alliance is a global community of preeminent companies dedicated to accelerating the adoption and ongoing development of Natural Security standard based solutions, and has been created to facilitate this next stage. The Alliance is comprised of some of the most influential companies in the world, from the retail, banking, payment provider and IT communities. All members share a strategic commitment to delivering strong authentication and payment solutions based on biometric technology.

As well as creating a space for members from all areas of the payments ecosystem to collaborate, a priority for the Alliance will be implementing a certification process that can be used to guarantee a certain level of interoperability with existing infrastructure, consistency and compliance with technical and security regulations for any product that adheres to the standard. The recognised certification, developed alongside other regulators and industry bodies, will build confidence in the standard at all levels of the payments chain, encouraging widespread adoption from the top (vendors) to the bottom (end users).

The taskforce is open to all entities with an interest in strong authentication. So, not only will the Alliance support with the inclusive technical development of a strong authentication solution that provides a secure, simple and convenient user experience across all channels, it will unify the currently highly segregated authentication industry.

André Delaforge, Institutional Relationships & Brand Strategy Manager, Natural Security

ABOUT THE ALLIANCE: THE NATURAL SECURITY ALLIANCE IS A COMMUNITY DEDICATED TO ACCELERATING THE ADOPTION AND ONGOING DEVELOPMENT OF NATURAL SECURITY TECHNOLOGY BASED SOLUTIONS. THIS OPEN INITIATIVE IS COMPRISED OF SOME OF THE MOST INFLUENTIAL COMPANIES IN THE WORLD FROM THE RETAIL, BANKING, PAYMENT PROVIDER AND IT COMMUNITIES. ALL ALLIANCE MEMBERS SHARE A STRATEGIC COMMITMENT TO DELIVERING MISSION-CRITICAL AUTHENTICATION AND PAYMENT SOLUTIONS BASED ON BIOMETRIC TECHNOLOGY.

ABOUT THE AUTHOR: ANDRÉ JOINED NATURAL SECURITY IN FEBRUARY 2010 TO LEAD VARIOUS ASPECTS OF MARKETING AND BUSINESS DEVELOPMENT. HE’S ALSO PRESIDENT OF THE BIOMETRICS ALLIANCE INITIATIVE. PRIOR TO THIS, ANDRÉ HEADED UP BUSINESS DEVELOPMENT FOR BIOMETRIC AND RFID TECHNOLOGIES FOR A LARGE ELECTRONIC MANUFACTURER AND LED CONSULTING ACTIVITIES FOR INNOVATION, INTERNET AND TECHNOLOGIES AT SEVERAL TECHNOLOGY MARKET RESEARCH FIRMS.

www.naturalsecurityalliance.org

KEY CONSIDERATIONS WITH REGARD TO ACCESS TO CONSUMERS' PAYMENT ACCOUNTS - A SECURITY PERSPECTIVE

European Payments Council

On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers’ Funds and Data with Payment Account Access Services

On 24 July 2013, the European Commission (the Commission) published its proposal for a revised Payment Services Directive (PSD). The Commission invited the European Union (EU) legislator, i.e. the European Parliament and the Council of the EU representing EU Member States, to reach an agreement on the Commission’s proposal by Spring 2014. Considering that the Commission proposes that EU Member States are given two years to implement this revised EU Directive into national law, the forthcoming revised PSD could take effect at the earliest in 2016. The Commission’s proposal for a revised PSD includes rules on access to payment accounts of bank customers. Payment account access services are also offered by providers currently operating outside the scope of the PSD i.e. that are neither licensed nor supervised. This article addresses key considerations of the European Payments Council (EPC) with regard to access to consumers’ payment accounts by currently non-licensed, non-supervised third-party service providers.

Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two

In January 2013, the European Central Bank published the draft “Recommendations for Payment Account Access Services” developed by the European Forum on the Security of Retail Payments (SecuRe Pay Forum). The draft recommendations explain that payment account access services can be offered by PSPs, i.e. regulated and supervised entities as defined in the PSD (‘account servicing PSPs’). The SecuRe Pay Forum points out that payment account access services are also offered by ‘third-party service providers’ that ‘are often merely non-licensed service providers and not PSPs’. This is a more recent development. The SecuRe Pay Forum clarifies that, unlike PSPs, non-licensed third-party service providers offering payment account access services ‘are not subject to supervisory requirements.’ The SecuRe Pay draft recommendations distinguish between two types of internet-based payment account access services, which are offered by PSPs and third-party service providers, namely, account information services and payment initiation services.

The EU legislator might decide to include currently non-licensed, non-supervised third-party service providers, whose business model requires access to consumers’ payment accounts, in the scope of the revised PSD. These entities would then become PSPs and, consequently, subject to the legal regime governing the operations of PSPs. It has to be noted however, as outlined above, that adoption of the revised PSD by the EU legislator, followed by implementation of the Directive in all EU Member States, might take several years.

Some may argue that the current legal vacuum with regard to payment account access services simply reflects the thrill and excitement of payment innovation in action. From the perspective of PSPs, who are responsible for safeguarding their customers’ funds and data privacy, the current situation detailed above is best described as the Wild West of payment account access services. On a more general note: innovative payment services must be convenient and easy to use for both payers and payees. However, convenience should never come at the cost of security. Anyone with an interest in incentivising payers and payees to embrace innovative payment solutions – regardless of whether these are offered by ‘banks’ or ‘non-banks’, existing or new players – should adhere to the principle of ‘safety first’. The impact of any security breach on customers’ trust in forward-looking payment technologies will hardly be conducive to realising the Commission’s vision of Europe being “at the cutting edge of what ‘making a payment’ could mean in the future.”

The EPC considers it essential that there is an appropriate level of security to protect consumers against the risk of fraud and abuse of sensitive private data in the online banking and payment environment. The EPC, therefore, emphasises the need for the new regulatory and supervisory regime (the revised PSD and other legislative and regulatory initiatives) to address key requirements related to payment account access services such as supervision and licensing, security, consumer and data protection, transparency, liability allocation and the need for explicit consent. Regulators must take the following actions to ensure the continued security of consumers’ funds and data:

• The EU legislator, i.e. the European Parliament and the Council of the EU representing EU Member States, will have to define appropriate legal and security requirements to be included within the revised PSD regarding access to consumers’ accounts by third-party service providers.

• To safeguard a level playing field in the payments market, proper licensing and supervision of all types of service providers (including third-party service providers offering payment account access services) should be ensured. Payment account access services should become part of the scope of ‘payment services’ under the revised PSD.

• Regulators and supervisory authorities must address the current legal vacuum, i.e. create an interim solution, which gives certainty to PSPs on how to handle requests for access to consumers’ accounts by non-licensed, non-supervised third-party service providers until the revised PSD becomes effective.

The EPC stresses that the only means to effectively implement legal and security requirements applicable to payment account access services are contracts between the parties concerned in line with established market best practice.

The legislative process leading to the adoption of the revised PSD should contribute to create a coherent legal framework governing Single Euro Payments Area online payments including internet-based payment account access services. In the interest, first and foremost, of the account-holding payer, the joint commitment of both account servicing PSPs and third-party service providers must be to preserve customers’ trust in the safety and reliability of payment methods.

Javier Santamaría, Chairman, European Payments Council

ABOUT THE COMPANY: THE EUROPEAN PAYMENTS COUNCIL (EPC) IS THE COORDINATION AND DECISION-MAKING BODY OF THE EUROPEAN BANKING INDUSTRY IN RELATION TO PAYMENTS. THE EPC DEVELOPS THE PAYMENT SCHEMES AND FRAMEWORKS WHICH HELP TO REALISE THE SINGLE EURO PAYMENTS AREA (SEPA). SEPA IS A EUROPEAN UNION (EU) PAYMENT INTEGRATION INITIATIVE DESIGNED TO ACHIEVE THE COMPLETION OF THE EU INTERNAL MARKET AND MONETARY UNION.

ABOUT THE AUTHOR: MR. SANTAMARÍA IS SENIOR VICE PRESIDENT WITH BANCO SANTANDER. HE REPRESENTS THE BANK IN SEVERAL ORGANISATIONS RELATED TO PAYMENT SYSTEMS AND TRANSACTION BANKING IN ADDITION TO THE EPC: HE IS MEMBER OF THE BOARD OF THE EURO BANKING ASSOCIATION, A DIRECTOR OF THE SWIFT BOARD AND OF THE IBERPAY BOARD.

www.epc-cep.eu

GLOBAL AND REGIONAL INDUSTRY INITIATIVES

SSEDIC

Progress Towards a Digital Europe Continues

Introduction

Slowly but surely the move towards a Digital Europe is continuing. In 2014, the new regulations on trust services will liberate the use of digital signatures and digital IDs (e-IDs), bringing new opportunities to exploit the benefits of digitisation. Although primarily aimed at e-government services, the hot debate on the detailed implementation and the far reaching impact and certainty of the new rules means that they will be taken on board as the norm in the commercial sector as well.

Coupled with this new regulation, there is a new focus at the European Commission. The ‘Horizon 2020’[1] work plan, replacing ‘Framework 7’ is taking a new look at research and development and will encourage innovation, more risk-taking and supportive outcomes. Small and medium enterprises (SMEs) are also likely to be the main winners in this change of direction.

This is not to say that all the work is now done on trust and e-ID. Some important blocks will soon be in place, but it is recognised that there is a long way to go.

The ‘Scoping the European Digital Identity Community’ network (SSEDIC) was established by the European Commission to look at what will be needed above and beyond the current efforts in order to reduce the ‘friction’ of digitisation. The SSEDIC network of over 100 organisations and 200 experts has produced over 20 whitepapers, numerous surveys and international workshops over its three years of existing. More importantly, it has produced a set of draft recommendations to the European Commission on what additional work needs to be conducted over the coming years.

Recommendations to the EU

These draft recommendations evolved after a series of workshops were conducted followed by intensive debate across the SSEDIC community. They are not meant to be exhaustive but reflect the considered opinion of the many experts involved.

The draft recommendations cover the mobile-eID, liability, authentication and attribute[2] management aspects of trust and e-ID, which are seen to be the most critical factors affecting wide-scale e-ID adoption. Taken into account are other factors such as: public private partnership, ID Governance, regulations and privacy; standards and interoperability and education and awareness.

In more detail, the draft recommendations to the EU can be summarised as:

The EU should be:

ENCOURAGING MOBILE E-ID E-GOV SERVICES ADOPTION

1.1 Encourage EU Member States to accept mobile e-IDs, as being an acceptable option for cross-border e-gov use.
1.2 Review standards for mobile e-signatures urgently to make them easier to implement and use.
1.3 Invest in research into interoperability of multifactor[3] authentication mechanisms using personal mobile devices.
1.4 Invest in a coordinated approach to education in identity domains such as internet, social media, telecommunications, citizens-eIDs, travel, health etc.
1.5 Stimulate faster mobile e-ID and mobile signature take-up by rewarding fast adoption.

HARMONIZING ATTRIBUTE MANAGEMENT AND EXCHANGE

2.1 Support the development and evaluation of procedures for linking attributes to e-IDs.
2.2 Initiate or revitalize the decision processes towards a harmonization of attribute descriptions (semantic interoperability) and legal value.
2.3 Act on the need for standardisation in the attribute management area; organise workshops and projects that bring together stakeholders to initiate standardisation. The need for standards should be clearly communicated to policy makers.
2.4 Develop a normative framework to balance the user’s right to privacy with the need of online service providers/e-government services to use, process and exchange user attributes. Attention should be paid on how this can be done adequately in an interoperability scenario. Special attention should be paid to attribute trade and attributes that are generated through the use of online services (such as ratings on ecommerce websites).
2.5 Conduct a study and evaluate procedures for efficient attribute verification. Appropriate ways to ensure accountability and dispute resolution should be developed and implemented.
2.6 Build on the interest in certified attributes by many e-commerce and industry stakeholders to gain their attention for the goal of increased use of e-IDs.

RATIONALISING THE CHOICE OF AUTHENTICATION ASSURANCE

3.1 Promote the establishment of an appropriate, easy-to-use framework for the assessment of authentication technologies including alternative authentication methods (so that they can be exploited where appropriate or discounted where not suitable.)
3.2 Strongly promote internationally the establishment of an interoperability framework for authentication based on results and experiences like the ones provided by STORK, FutureID and other European projects on electronic identification.
3.3 Encourage the development of services that are usable by the average citizen and complement this with appropriate education.

LIABILITY

4.1 Consider that liability provisions in the e-ID and trust services regulation need to be revised and updated, taking into account the different roles of identity providers in the Member States, who can be either public or private sector entities. It may therefore be necessary to consider separating the liability of Member States from identity providers, as they may be separate entities.
4.2 Review liability provisions in the e-ID and trust services regulation to ensure that they are clear with respect to liability limitations and any possibility of liability caps. Various options are possible, ranging from no liability, unlimited liability to explicitly specifying liability caps in terms of financial amounts (possibly linked to e-ID quality levels); The primary requirement is that liability implications are clear to anyone who relies on the trustworthiness of identities covered by the Regulation.
4.3 Consider that if EU policies on electronic identification intend to cover attribute provision as well (i.e. including in cases where end users will not be personally identifiable on the basis of the provided identity information), then a legal framework needs to be defined that also covers the responsibilities and liabilities of attribute providers. The currently proposed Regulation does not do this.

Conclusions

It is believed that by adopting these recommendations, Digital Europe will be accelerated in adoption, and while they are not exhaustive, they are considered by the SSEDIC community to be key enabling factors for Europe’s future.

[1] http://ec.europa.eu/research/horizon2020/index_en.cfm
[2] Attributes are information objects that are associated with the citizen, such as address, passport number etc
[3] Authentication using more than one delivery channel: such as smartcard as well as a One Time Password

Jon Shamah, Thematic Network Coordinator, SSEDIC

ABOUT THE NETWORK: A SINGLE EUROPEAN DIGITAL COMMUNITY WILL BE A MAJOR TRANSFORMATIONAL IMPETUS TO FURTHER ENHANCE THE ECONOMIC STRENGTH AND POLITICAL COHESION OF EUROPEAN SOCIETY AS THE NEXT LOGICAL STEP FROM THE ACHIEVEMENTS OF THE SINGLE MARKET.

THE OBJECTIVE OF SSEDIC IS TO PROVIDE A PLATFORM FOR ALL THE STAKEHOLDERS OF EID (ELECTRONIC IDENTITY) TO WORK TOGETHER AND COLLABORATE TO PREPARE THE AGENDA FOR A PROPOSED SINGLE EUROPEAN DIGITAL IDENTITY COMMUNITY AS ENVISAGED BY THE DIGITAL AGENDA (DAE) IN ITS KEY ACTION 16.

www.eid-ssedic.eu

NSTIC

Trusted Identities and Privacy Go Hand-in-Hand

2013 was an unprecedented year for consumer concerns about privacy online. Yet, the need for better cybersecurity and more trusted digital credentials only continues to intensify. At the same time, consumers are more frustrated than ever with having to manage another password. Evidently, 38% of Americans would rather scrub their toilet than create a new username and password.[1]

Signed by President Obama in 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) envisions an ‘Identity Ecosystem’ that curbs unneeded sharing of personal data and helps limit comprehensive tracking of people through their identity transactions, while still providing for a robust marketplace of trustworthy and secure digital credentials. Trusted identities provide a variety of benefits: enhanced security, improved privacy, new types of transactions, reduced costs, easier to use credentials and better customer service. Minimizing the data collected in transactions not only protects consumers’ privacy, it can enhance businesses’ ability to protect their reputation. However, many transactions require effectively validating that customers are who they claim to be – particularly in the payment industry and enabling new financial services in this mobile economy.

Certain types of privacy-enhancing technologies employ well-researched methods of cryptography and can provide strong assurances about users’ credentials without the need for detailed exchanges of personal information. Imagine a customer providing a valid driver’s license to prove her age without actually revealing her full birth date or other unnecessary information. Moreover, privacy-enhancing cryptography can prevent the credential issuer from tracking service providers while still providing valid identification. In other words, service providers can realize the benefits of outsourcing identity management without also enabling credential issuers to build profiles of their customers to sell to competitors.

Building a trustworthy and privacy-enhancing identity ecosystem

The National Institute of Standards and Technology (NIST) has funded a number of initiatives to support the development of the NSTIC Identity Ecosystem. These initiatives include pilots that aim to introduce new identity solutions into the market and make commercial use of privacy-enhancing cryptography that has been around for decades, but has yet to achieve widespread adoption. Other pilots are leveraging innovative uses of multi-factor authentication technology, including wearable devices and mobile-embedded credentials to merge security with user-friendly implementations. NIST also has provided start-up funding to the private sector-led Identity Ecosystem Steering Group (IDESG), which is working to develop an Identity Ecosystem Framework that provides guidance for implementing convenient, interoperable, secure, and privacy-enhancing trusted solutions for digital identity. Lastly, NIST is partnering with the United States Postal Service to implement a pilot - known as the Federal Cloud Credential Exchange - to enable consumers to use their own log-in credentials issued by commercial organizations to access services at federal government websites with built-in privacy and security.

These initiatives have many positive implications for the payment industry. Financial sector organizations are participating in the pilots and the IDESG has a sector-specific committee dedicated to addressing issues around identity solutions and financial services. Many financial organizations know their customers well and could increase brand value and ‘stickiness’ by allowing their customers to access federal services with their digital credentials through integration with the Federal Cloud Credential Exchange.

As a cornerstone of online commerce, financial sector participation in the Identity Ecosystem is vital for the adoption of secure and privacy-enhancing identity solutions. NSTIC pilots and the IDESG provide tangible opportunities to shape the future of online identity and privacy and introduce consumers to innovative and mobile financial products and services.

Join the ID Steering Group at http://www.idecosystem.org/, follow the NPO at @nsticnpo, and learn more about the NSTIC pilots by visiting www.nstic.gov.

[1] “Online Americans Fatigued by Password Overload Janrain Study Finds” Janrain and Harris Interactive, August 2012, at http://janrain.com/about/newsroom/press-releases/online-americans-fatigued-by-password-overload-janrain-study-finds/

Naomi Lefkovitz, Senior Privacy Policy Advisor, NIST

ABOUT THE COMPANY: THE NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE (NSTIC) IS FOCUSED ON OFFERING CONSUMERS MORE SECURE, CONVENIENT AND PRIVACY-ENHANCING EXPERIENCES EVERYWHERE THEY GO ONLINE. IT AIMS TO SOLVE TWO PROBLEMS: 1) PASSWORDS ARE BROKEN AND 2) THERE’S NO GOOD WAY TO PROVE WHO YOU ARE IN CYBERSPACE. WITH ITS IMPLEMENTATION BEING LED BY THE PRIVATE SECTOR, IN PARTNERSHIP WITH THE US GOVERNMENT, NSTIC WILL ENHANCE ONLINE TRUST, GIVING CONSUMERS AND COMPANIES MORE CONFIDENCE TO CONDUCT BUSINESS ONLINE.

ABOUT THE AUTHOR: NAOMI LEFKOVITZ IS THE SENIOR PRIVACY POLICY ADVISOR IN THE INFORMATION TECHNOLOGY LAB AT THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE. HER PORTFOLIO INCLUDES WORK ON THE NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE (NSTIC), THE CONSUMER PRIVACY BILL OF RIGHTS, PRIVACY-ENHANCING TECHNOLOGIES, CYBERSECURITY AND STANDARDS DEVELOPMENT.

BEFORE JOINING NIST, SHE WAS THE DIRECTOR FOR PRIVACY AND CIVIL LIBERTIES IN THE CYBERSECURITY DIRECTORATE OF THE NATIONAL SECURITY STAFF IN THE EXECUTIVE OFFICE OF THE PRESIDENT. HER PORTFOLIO INCLUDED THE NSTIC AS WELL AS ADDRESSING THE PRIVACY AND CIVIL LIBERTIES IMPACT OF THE OBAMA ADMINISTRATION’S CYBERSECURITY INITIATIVES AND PROGRAMS.

www.nist.gov

THOUGHT LEADERSHIP SECTION

OMNI-CHANNEL RETAIL AND FRAUD MONITORING & MITIGATION STRATEGIES

ReD

Fraud Monitoring and Mitigation Strategies by Channel

Retailers are increasingly adopting an omni-channel approach to sales, accepting transactions across multiple channels such as in-store, mail order, call centres, online and via mobile. A retailing strategy of this kind can yield significant benefits, providing cross-border access to new markets, speeding up transactions and increasing consumer choice. This, in turn, can lead to enhanced customer satisfaction and retention.

There are other benefits, too. Survey evidence suggests that omni-channel consumers spend more. According to the IDC Retail Insight Western European Retail Survey 2011, customers who use multiple channels spend between 15 and 30% more than those who use a single channel. Omni-channel consumers benefit from more choice and convenience, able to pay where and when they want and often choosing to use different channels at different times of the day.

The increasing use of multiple channels is recognised by Forrester Research, who predicts that ‘cross channel retail sales’ will reach USD 1.8 trillion in the US by 2017, up from USD 1.2 trillion in 2012. By this they mean transactions that have involved the internet in some way, whether to research the product or make a purchase. Forrester concludes that the web will influence over half of US retail sales by 2017, while e-commerce, including mobile payments, will account for around a fifth of the total.

As well as researching and purchasing over different channels, consumers may well begin a transaction in one channel and complete it in another. It’s important that the retailer avoids any disconnect between channels, to deliver a seamless buying experience. A holistic view of data collection and usage is needed across channels, so that the customer is recognised and handled appropriately, however he or she chooses to interact with the company.

Holistic and segmented fraud prevention

A combination of holistic and segmented fraud prevention strategies is essential for omni-channel merchants. Tailoring of fraud rules by channel (as well as geography and perhaps product) is important as there is no one-size-fits-all fraud solution. Fraudsters do not stick to one channel but migrate to what is perceived as the weak link. Rules that work for online payments will not necessarily work for a call centre or mobile payments.

Mobile payments, for example, give rise to specific issues in regard to user verification and rule setting for fraud prevention purposes. Although transaction volumes are small today, ReD is seeing higher than average fraud rates over the mobile channel. As mobile phone users are by definition moving around, historic rule sets relating to IP velocities need to be reviewed. There can be issues with shared phones, for example used by several family members with very different purchasing profiles and authentication solutions such as 3D Secure represent a more significant challenge on mobile. Bespoke rules tailored to the profile of those likely to make a are required to reflect the reality of m-commerce.

Call centres, which are often seen as providing a premium customer service, present a different fraud challenge, with fraudsters engaging in social engineering to manipulate call centre agents, increased opportunities for staff collusion with fraudsters, the absence of data on device and IP address and the absence of 3D Secure as an authentication option. And IVR, while offering great convenience for the consumer and cost efficiencies for the merchant, carries greater fraud risks associated with the limited ability to gather intelligence with which to verify genuine customers.

Kieran Mongey, Senior Fraud Consultant, ReD

In essence, then, each channel needs to be assessed individually, taking into account product and user profiles as well as geography and a flexible customised fraud strategy developed for each channel. At the same time, you need a cross-channel view of your customer’s activity and history, to ensure that a customer of good history is not unnecessarily declined when they engage via a new channel. While rules need to be targeted for a specific channel, all need to be underpinned by a generic rule-set so that, for example, velocity rules can be applied across channels, to manage the business’s total relationship with the consumer. A single holistic view of the customer, analysed by experts, is still essential.

It isn’t only sales channels that need to be aligned. These channels need alignment with other areas of the business too - including marketing, customer service and fulfilment - to ensure that service and the customer experience remain consistent. As an example, customers are increasingly combining online or mobile payment with in-store collection. This means fraud mitigation strategies must be appropriate to tighter fulfilment deadlines. In some instances, ‘click and collect’ transactions require that the product is available for in-store collection within five minutes of the transaction being completed. With such a small delivery window, fraud risks are higher and you need the richest possible information, available very quickly, to ensure that customer service is maintained while holding down manual checks and chargebacks.

Finally, then, merchants need a combination of fraud rules tailored by channel and consistent cross-channel strategies that support the customer experience. It is significant that a fifth of UK retailers do not record fraud by channel today. If you don’t know which channel your customer is using, it is very hard to ensure that your fraud strategies are appropriate and effectively tailored to enable good business, while preventing fraud.

ABOUT THE COMPANY: RED IS A SPECIALIST PROVIDER OF FRAUD PREVENTION SERVICES WORLDWIDE. THE COMPANY PROTECTS ALL PAYMENT TRANSACTION TYPES AND WORKS WITH MERCHANTS, PSPS, ISSUERS, ACQUIRERS, PROCESSORS AND SWITCHES. OUR SOLUTIONS ARE DELIVERED BY INDUSTRY-LEADING RISK ANALYSTS. RED PROTECTS BILLIONS OF TRANSACTIONS AND GATHERS DATA FROM MORE THAN 190 COUNTRIES. OUR CUSTOMER BASE INCLUDES BLUE-CHIP COMPANIES FROM RETAIL, BANKING, TRAVEL, TELECOMMUNICATIONS, GAMING, OIL AND OTHER SECTORS.

ABOUT THE AUTHOR: KIERAN IS A SENIOR FRAUD CONSULTANT TO RED’S MERCHANT CUSTOMERS IN EMEA, HELPING THEM TO IDENTIFY WHERE TAILORED FRAUD STRATEGIES CAN ENABLE BUSINESS AND CREATE ADDITIONAL REVENUES. BEFORE TAKING UP THIS ROLE IN 2013, KIERAN LED THE EMEA RISK TEAM AT RED. HE HAS ALSO HELD FRAUD MANAGEMENT POSITIONS WITHIN LEADING MERCHANTS INCLUDING JOHN LEWIS AND VODAFONE.

www.redworldwide.com

NEW IN 2013!

CROSS-BORDER ECOMMERCE RESEARCH SECTION

THE COUNTRY REPORTS CAN BE DOWNLOADED FOR FREE VIA THE PAYPERS

The Paypers, in close collaboration with the Cross-Border Ecommerce Community (CBEC), a strategic initiative started by Payvision, PAY.ON, ReD and WorldItLawyers, has launched a new section called Cross-border Ecommerce Research.

Through The Paypers, the CBEC enables Merchants, Payment Service Providers, ISOs and Acquiring Banks to access country and regional ecommerce facts, figures and insights - valuable content about mature and developing markets that can support strategic decision-making. The obstacles which hinder cross-border expansion are explored, and the payment methods, ecommerce law, online fraud and risk issues that affect individual countries are addressed.

The newly introduced section currently offers Cross-border Ecommerce Reports & Infographics for major countries from all over the world. Research consists of country-specific Ecommerce facts & figures, mature and emerging markets, preferred payment methods, payment service providers, risk and fraud as well as ecommerce legislation & regulation.

The section will be continuously updated with all the major and emerging ecommerce countries.

Cross-border ecommerce is a topic of interest to merchants across the globe. There is much to play for, but the challenges are also significant and this initiative will help merchants to gain a better understanding of the countries and payment environments into which they are seeking to expand. The contributing companies bring complementary experience to the table and the initial outputs combine a wealth of data and insight that isn’t available in one place anywhere else. I salute the companies involved in bringing this together

Johannes Ditterich, CEO Limango - Germany's leading web merchant, and part of Otto Group

CHALLENGES FOR BANKS IN CROSS-CHANNEL FRAUD PREVENTION

ThreatMetrix

Cybercrooks Use Multiple Channels to Take Over an Online Account - Sophisticated Cross-Channel Fraud Can Crack Tough Security

Customers can access their accounts through many channels. They can use the web through a computer, call a customer service center or launch a mobile app. Fortunately, most organizations are confident in their ability to secure each individual channel.

However, organizations are much less confident in their ability to detect fraud when a cybercriminal enters from multiple channels. Here’s why:
• Different backend systems serve each channel
• Data is not shared between channels
• When cybercriminals use online channels only to gather information, the activity is typically not recorded
• If a security breach occurs, forensic research focuses only on the point of failure, not the interactions leading up to it

In an effort to accommodate customer demands for speed and convenience, organizations rely heavily on information technology capabilities where automated processes use rules to validate a person’s identity and approve a transaction. If a cybercriminal successfully penetrates one channel, the smart thief can then navigate through other channels without setting off any security alarms. Once a thief has assumed the persona of the target, they are able to provide account login and security information at each step that the closed system perceives as genuine.

For example, cross-channel fraud is one of the most common techniques cybercriminals use to take over a bank account (‘account takeover’). When successful, a bank account is emptied and the money is simply gone. This is an example of how cross-channel fraud operates:

The thief first used malware to steal a user’s credentials, then logged in from a different environment and, finally, leveraged a second channel – a call center.

Cross-session fraud, where a cybercrook uses the same channel for multiple activities, is a variant of cross-channel fraud. The same is true of social engineering attacks, where people are unwittingly leveraged or manipulated by fraudsters or hackers. Here is a good example of a cross-session, social engineering attack perpetrated on European banks where malware (a Ramnit Trojan) injected very convincing, interactive and real-time messages into a customer’s web banking session:
1. Malware avoids detection by going into idle sleep mode until its intended victim logs into their online bank account
2. Malware activates and presents a fraudulent phishing message
3. Malware variants present the victim with new input fields, security warnings and customized text during login, account navigation and transactions
4. While the victim is reading the messages, the Ramnit connects to its command and control server and obtains the details of a designated money laundering bank account
5. A wire transfer is initiated

Clearly, cross-channel fraud has changed the cybercrime battleground, forcing organizations to take a look at their online fraud strategies from a different perspective.

Now, the best way to catch a thief perpetrating a cross-channel fraud theft is to take a high level look at their behaviour as they interact across channels.
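The account-takeover sequence described above, where a login from a different environment is followed by contact through a second channel, only becomes visible once the per-channel logs are joined per customer. The following Python is an added example, not ThreatMetrix's code; the event fields, the 24-hour window, the action names and the sample logs are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: how long after an unfamiliar login a contact in another
# channel is still treated as part of the same sequence.
CORRELATION_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Event:
    customer_id: str
    channel: str                      # "web", "mobile", "call_center", ...
    action: str                       # "login", "address_change", ...
    timestamp: datetime
    device_id: Optional[str] = None   # call-center events carry no device data


def merge_channel_logs(*channel_logs):
    """Join separately kept channel logs into one timeline per customer."""
    timeline = defaultdict(list)
    for log in channel_logs:
        for event in log:
            timeline[event.customer_id].append(event)
    for events in timeline.values():
        events.sort(key=lambda e: e.timestamp)
    return timeline


def find_cross_channel_alerts(timeline, known_devices, window=CORRELATION_WINDOW):
    """Flag a login from a device outside the customer's profile that is
    followed, within `window`, by activity in a different channel."""
    alerts = []
    for customer_id, events in timeline.items():
        profile = known_devices.get(customer_id, set())
        for i, first in enumerate(events):
            if first.action != "login" or first.device_id is None:
                continue
            if first.device_id in profile:
                continue              # familiar device: nothing to correlate
            for later in events[i + 1:]:
                if later.timestamp - first.timestamp > window:
                    break             # too late to belong to this sequence
                if later.channel != first.channel:
                    alerts.append((customer_id, first, later))
                    break
    return alerts


def _ts(text):
    return datetime.fromisoformat(text)


# Constructed sample data: two channel logs kept by different back ends.
WEB_LOG = [
    Event("cust-001", "web", "login", _ts("2013-11-04T09:12:00"), "dev-A"),
    Event("cust-002", "web", "login", _ts("2013-11-04T10:00:00"), "dev-X"),
    Event("cust-002", "web", "balance_view", _ts("2013-11-04T10:02:00"), "dev-X"),
    Event("cust-003", "web", "login", _ts("2013-11-01T08:00:00"), "dev-Q"),
]
CALL_CENTER_LOG = [
    Event("cust-001", "call_center", "address_change", _ts("2013-11-04T11:00:00")),
    Event("cust-002", "call_center", "wire_limit_change", _ts("2013-11-04T10:40:00")),
    Event("cust-003", "call_center", "address_change", _ts("2013-11-05T08:00:00")),
]
# Devices each customer has been seen on before (the customer profile).
KNOWN_DEVICES = {"cust-001": {"dev-A"}, "cust-002": {"dev-B"}, "cust-003": {"dev-C"}}


if __name__ == "__main__":
    merged = merge_channel_logs(WEB_LOG, CALL_CENTER_LOG)
    for customer_id, login, follow_up in find_cross_channel_alerts(merged, KNOWN_DEVICES):
        print(f"{customer_id}: login from {login.device_id} on {login.channel}, "
              f"then {follow_up.action} via {follow_up.channel}")
```

Run on either log alone, the same check finds nothing, which is the data-sharing gap the article lists among the reasons cross-channel fraud goes undetected.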

Andreas Baumhof, Chief Technology Officer, ThreatMetrix

As fraud patterns get more sophisticated and cross more organizational silos, organizations need to invest in integrated analytics as well as traditional channel security. For example, banks are starting to take cross-channel fraud seriously and are looking at ways to fight it head on. At the top of their list is implementing a common platform that identifies both trusted users and potential threats across multiple channels – the web, mobile web, applications, call center and onsite. With a 360° view of customer interactions, suspicious behaviour is much easier to spot.

Cross-channel fraud is usually made possible because a smart cybercrook is able to go way beyond the theft of an account number, password and pin code. They use social media, web browsing and research within the target’s bank account history to completely assume their victim’s identity. They understand how traditional security systems work and prepare themselves to be able to breach every security layer in every channel.

So one key way to stop cross-channel fraud is for an organization to have a more complete profile of their customer than a cybercrook could possibly obtain. This requires understanding their customer’s online behaviour over time, where they are likely to be located, what device(s) they use and what activities they normally execute. Thanks to advanced technologies and powerful global data repositories, this information is now available to organizations in real-time. If someone logs in from an unknown device or exhibits unusual online behaviour, they can be immediately spotted and flagged for further review.

Another tool to block cross-channel fraud is malware detection. Technologies now exist that spot malware, enabling banks to block transactions or online activity from infected devices. Organizations can also alert their customers about the problem, and use other ways to authenticate trusted customers so they can still complete transactions.

With global intelligence networks tracking billions of web transactions, cybercriminals have little room to manoeuver. Their digital footprints are either a matter of record or easily detected. By integrating this intelligence across all channels and blocking malware-infected devices, organizations can go a long way toward stopping cross-channel fraud.

ABOUT THE COMPANY: THREATMETRIX™ IS THE FASTEST-GROWING PROVIDER OF INTEGRATED CYBERCRIME PREVENTION SOLUTIONS. THREATMETRIX’ TRUSTDEFENDER™ CYBERCRIME PROTECTION PLATFORM HELPS COMPANIES PREVENT UNAUTHORIZED ACCESS TO WEB AND MOBILE APPLICATIONS, PROTECT SENSITIVE DATA, AND SECURE TRANSACTIONS AGAINST ACCOUNT TAKEOVER, PAYMENT FRAUD, IDENTITY SPOOFING, AND MALWARE. THREATMETRIX PROCESSES OVER 500 MILLION LOGIN, PAYMENT AND WIRE TRANSFERS EVERY MONTH, PROTECTING OVER 9,000 WEBSITES.

ABOUT THE AUTHOR: ANDREAS BAUMHOF, CHIEF TECHNOLOGY OFFICER, THREATMETRIX, IS AN INTERNATIONALLY RENOWNED CYBERSECURITY THOUGHT LEADER AND EXPERT WITH DEEP EXPERIENCE IN THE ENCRYPTION, PKI, MALWARE AND PHISHING MARKETS. PRIOR TO THREATMETRIX, HE WAS EXECUTIVE DIRECTOR, CEO AND CO-FOUNDER OF TRUSTDEFENDER. MR. BAUMHOF DEVELOPED THE FIRST SSL PROXY AND HAS PATENTS PENDING IN EUROPE AND THE U.S.

www.threatmetrix.com

RECOGNIZING INNOVATION & LEADERSHIP IN ECOMMERCE PAYMENTS & RISK

Has your company employed an innovative payments or risk system? Is your company a beacon of light and hope for other merchants when it comes to implementing best practices that thwart fraudulent behavior and lower risk? Share your success story with the MRC and you may win the coveted Merchant Spotlight Award for your efforts. Examples include:
• Improved or innovative fraud and risk systems implemented in a cross-functional environment
• Payment acceptance success during global expansion
• Collaborative case study
• Innovative use of technology
• Positive impact on the bottom line due to fraud prevention or increased revenue through accepting more transactions

MRC’s Emerging Technology Award (META) honors successful innovation and the newest technologies in the ecommerce industry. Awards are presented to solution providers whose creative innovations and advanced technologies have contributed to the commercial and operational success of online and multi-channel merchants, and ultimately, the betterment of the ecommerce industry.
• Best innovative emerging technology deployed by a start up or small company
• Best innovative emerging technology deployed by an established company

Finalists will receive a complimentary registration and an invitation to present at the MRC 2014 eCommerce Payments & Risk Conference, 17-20 March, Las Vegas and the MRC’s European Congress 14-16 May, Disneyland, Paris.

All submissions will be reviewed by a panel of leading global merchants and are due by 30 January, 2014. For more information, please visit www.merchantriskcouncil.org

VARIOUS APPROACHES TO FRAUD MONITORING AND MANAGEMENT

DataCash

Fraud Data Analysis - Are You Optimising the Information Available To You?

Data analysis is a critical element of any effective fraud management strategy. It is how you identify your long standing customers, whatever channel they may approach you from, from a fraudster posing as them. Furthermore, it is only by questioning fraud KPIs, number of chargebacks, transactions declined or sent for review, versus those which were accepted, then analysing the reasons, that you are able to refine and optimise your fraud prevention efforts.

Any fraud management system is only as strong as its weakest link and if data analysis is not complete, thorough and fed back into the fraud system, you are fighting a losing battle. This article covers best practices around ensuring optimum data analysis.

More data please...

The decision around whether a transaction is genuine or fraudulent is based around the analysis of payment (cardholder name, account number, CV2), personal (email address, billing address, etc) and product (goods/services bought, etc) data elements. For that decision to be accurate it is crucial that enough data elements are collected in the first place. As fraud becomes cleaner and fraudsters are more able to imitate genuine cardholders it is crucial that a fraud management system has more than the account number, cardholder name and CV2 number to analyse.

Customer registration is a good way to obtain more personal information that can be cross referenced and analysed. Equally, it is important to collect and process data elements such as shipping address, billing address, IP address, product information, the channel the transaction has originated from and even the device ID where possible.

Sophisticated, multi-layered analysis

When it comes to fraud management, if you rely on basic 3-D Secure checks, validation or velocity rules in isolation they will detect some fraud but may also end up alienating a great deal of genuine customers. There is no one silver bullet against fraud and best practice stipulates that a multi-layered approach should be taken. For example, sophisticated rules can be used to provide a good indication of whether payment details provided are genuine but they are not designed to detect bots. Negative lists, on the other hand, are a good way of detecting repeat offenders but will not detect first time fraud. An effective strategy would therefore be to employ layers of fraud mitigation techniques at every stage of the payment lifecycle – from account registration, through multi-layered transaction screening to evaluation and refinement. Look to incorporate 3-D Secure, AVS/CV2 checks, sophisticated rules, good and bad lists, behavioural analytics, device ID, shared databases, manual review of transactions which are not clearly fraudulent or genuine, third party callouts and chargeback/rules analysis as a minimum. According to Gartner, device ID alone gives even the most 'fraud-fighting-savvy' enterprises a 15% to 25% lift in fraud detection.

Within these multiple layers, fraud screening needs to incorporate complex rules which can take into account more complicated logic, such as whether the shopping time correlates with the IP address’ business hours. Also ‘Confidence Indexing’ which is a strategy designed to identify the level of positive characteristics associated with a transaction, indicating whether it has been initiated by a genuine customer.

Where a business model allows, secondary screening, which takes place just after the initial real-time screen, should be carried out to apply further checks and limit manual reviews. This only takes up to 15 minutes but ultimately increases the fraud system’s ability to accurately identify fraud and genuine customers.

“The only source of knowledge is experience” – Einstein

Analyse, share and refine

Fraud management systems cannot simply be plugged in and left alone for months, or even days on end if you expect them to keep chargebacks to a minimum without hampering genuine sales.

The known outcome of historical transactions is one of the greatest indicators as to whether a current transaction is genuine or fraudulent. As fraudsters pummel an account until they are stopped,

Steve Tyas, Fraud Product Specialist, DataCash - a MasterCard Worldwide company

once specific account details result in a chargeback it is highly probable that future transactions will also result in fraud. That’s why too much emphasis cannot be placed around the importance of uploading chargeback information to your fraud system – so that it can be cross referenced in future.

Equally important is the analysis of chargebacks – looking at whether more or less fraud is occurring from one specific channel, payment type or product line, etc – so that your rules can be refined accordingly and the fraud system has the ability to learn. This is not a monthly or yearly task, but a daily or weekly one as fraud patterns and trends are constantly evolving.

Rules performance also needs to be constantly assessed. Look at which rules successfully trigger against fraudulent purchases and which fail. Also look at significance and efficiency ratios, essentially how frequently rules are triggered and how accurate they are. A rule which detects fraud with 100% accuracy is a mainstay – but it may only trigger 1/10,000 fraudulent transactions. Rules that trigger frequently but have less than 10% accuracy can be useful when layered against other rules. The overall score of these rules used in combination is what clearly marks whether a transaction is fraudulent or genuine.

As demonstrated, fraud data analysis comes into play at every stage of transaction processing. It plays a crucial role in a robust system which is able to effectively mitigate fraud without impacting the genuine customer experience. Without fraud data analysis, a fraud system is unable to learn and adapt to the changing nature of fraud and is destined to deteriorate when it comes to delivering on KPIs.

ABOUT THE COMPANY: DATACASH, A MASTERCARD COMPANY, PROVIDES MULTI-CHANNEL GLOBAL PAYMENT PROCESSING SERVICES AND ADVANCED FRAUD PREVENTION AND RISK MANAGEMENT SOLUTIONS TO MERCHANTS AND BANKS. AS A GLOBAL PARTNER TO SOME OF THE WORLD’S MOST RECOGNISABLE BRANDS IN THE GAMING, TRAVEL, RETAIL AND FINANCE SECTORS, DATACASH COMBINES SMART THINKING AND AN END-TO-END SOLUTION TO HELP ITS CUSTOMERS TRANSCEND THE COMPLEXITIES AND EXPENSE ASSOCIATED WITH PAYMENT PROCESSING

ABOUT THE AUTHOR: STEVE TYAS IS RESPONSIBLE FOR DATACASH’S FRAUD PRODUCT STRATEGY AND ROADMAP. AS A 17-YEAR VETERAN OF THE FRAUD INDUSTRY AND THE ORIGINAL CREATOR OF GATEKEEPER:2.0, DATACASH’S INDUSTRY LEADING FRAUD MANAGEMENT SOLUTION, MR. TYAS HAS UNPARALLELED EXPERTISE AROUND THE FRAUD CHALLENGES FACED BY MERCHANTS AND THE SOLUTIONS NEEDED TO ADDRESS THEM.

www.datacash.com
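The rules-performance review described in the DataCash article above can be run directly against past transactions once chargeback outcomes have been loaded back into the fraud system. The following Python is an added example, not DataCash's code; the rule names, the three ratios computed and the 1,000-transaction history are assumptions constructed for illustration.

```python
from collections import Counter


def build_history():
    """Constructed sample: 1,000 past transactions with known outcomes.
    Transactions 0-19 ended in a chargeback; the rest were genuine."""
    history = []
    for i in range(1000):
        fired = set()
        if i in (0, 1):
            fired.add("negative_list")      # rare but always right
        if i < 15 or 20 <= i < 205:
            fired.add("ip_mismatch")        # frequent, mostly wrong
        if 5 <= i < 17 or 195 <= i < 333:
            fired.add("night_order")        # frequent, mostly wrong
        history.append({"id": i, "chargeback": i < 20, "rules": fired})
    return history


def rule_stats(history):
    """Per rule: how often it fires, how often a firing was fraud, and
    what share of all fraud it caught."""
    total = len(history)
    total_fraud = sum(1 for t in history if t["chargeback"])
    fired, fraud_hits = Counter(), Counter()
    for t in history:
        for rule in t["rules"]:
            fired[rule] += 1
            if t["chargeback"]:
                fraud_hits[rule] += 1
    return {
        rule: {
            "trigger_rate": fired[rule] / total,
            "accuracy": fraud_hits[rule] / fired[rule],
            "fraud_coverage": fraud_hits[rule] / total_fraud if total_fraud else 0.0,
        }
        for rule in fired
    }


def layered_accuracy(history, rules):
    """Accuracy when every rule in `rules` fires on the same transaction.
    Returns None if the combination never occurred."""
    wanted = set(rules)
    matches = [t for t in history if wanted <= t["rules"]]
    if not matches:
        return None
    return sum(1 for t in matches if t["chargeback"]) / len(matches)


def missed_fraud(history):
    """Chargebacks on which no rule fired: the gaps to write rules for."""
    return [t["id"] for t in history if t["chargeback"] and not t["rules"]]


if __name__ == "__main__":
    history = build_history()
    for rule, s in sorted(rule_stats(history).items()):
        print(f"{rule:14s} fires on {s['trigger_rate']:.1%} of transactions, "
              f"accuracy {s['accuracy']:.1%}, catches {s['fraud_coverage']:.0%} of fraud")
    both = layered_accuracy(history, ["ip_mismatch", "night_order"])
    print(f"ip_mismatch + night_order together: accuracy {both:.0%}")
    print("chargebacks no rule caught:", missed_fraud(history))
```

In this constructed history each of the two frequent rules is right less than 10% of the time on its own, yet half of the transactions on which both fire are fraud, which is the layering effect the article describes.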

Device Ident

Data Privacy Topics to Consider Using Fraud Prevention tools in Europe

Data privacy is key in Europe

Customers in Europe are increasingly aware of their privacy rights. Our clients have seen a significant rise in customer inquiries about what data privacy policies they have in place. Local regulations are still very individual and efforts by the EU to adapt to a single European policy will take some time to come into force. Therefore, you should be aware of country-specific regulations and make sure your fraud-prevention tools are aligned to local law. If one of their suppliers does not meet the adequate requirements it will be the company that will be held liable, not the supplier.

Safe Harbor is not a safe harbor anymore

A few years ago most US suppliers could join the US-EU Safe Harbor agreement to ensure their compliance with EU data privacy regulations. Their customers would rely on this agreement and use different US based services for fraud prevention. The US Patriot Act has changed this, as US companies, including their EU subsidiaries, have now become legally bound to provide data to US agencies, including their client’s personal data. And because of PRISM, there is an ongoing discussion about whether or not to abandon the US-EU Safe Harbor agreement entirely. European companies considering the use of US owned suppliers for fraud prevention should be aware of the risks if these products are offered as a service and not as a local installation at the customer’s premises.

Article 29 is key

The new EU-wide data-privacy regulations mentioned before will most likely be based on the recommendations of the Article 29 group. In general, this will refer to Directive 95/46/EC governing the protection of individuals with regard to the processing of personal data: Every individual ‘data subject’ must be informed and must give his/her consent with regard to any personal identifiable data collected from him/her.

There are some exceptions to this rule, but in general, every company collecting personal data must demonstrate a legitimate interest in doing so: "Under the Data Protection Directive (the) collecting and processing of personal data of individuals is only legitimate… …if the data controller or a third party has a legitimate interest in doing so, so long as this interest does affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects."

In other words, you need a specific cause to collect data and the cause has to be justified by your specific business interest. Fraud prevention is a legitimate cause for collecting personal data if done within the boundaries of a transaction, especially if the merchant has to assume a specific risk such as credit payments.

Data criteria

In most EU countries, the collection and evaluation of personal data for online transactions is legal if the following criteria are met:

- Data is collected at the time of the transaction or shortly afterwards.
- Data is only being used to provide services in conjunction with the transaction. This includes a range of fraud prevention measures.
- Data is not shared with third parties unless they are participating in the fulfillment of the transaction and are bound by the same data privacy regulations.

If you want to make sure you comply with all European data privacy regulations, we would recommend an organized 3-step approach:

Step 1: Classify data

Firstly, you must analyze and classify all data you want to use for fraud prevention measures. Ask yourself simple questions for every data set you collect directly from your customer or that you receive from third parties in conjunction with any customer transaction:

- What data do I collect from my visitors/customers?
- Is the data considered anonymous or personal identifiable?

Roberto Valerio, Managing Director, Device Ident

- Do I need the customer’s consent on the data collection?
  • If yes, is it enough to inform the customer about it?
  • Or do I have to actively ask him about his/her consent?
- What is the purpose of collecting the data?
- Is it necessary or optional for my purposes and the purposes of the customer?

If you managed to classify all data it will be easier to discuss all data privacy matters with your legal department and data privacy officer.

Step 2: Gather local requirements

Europe is a local and fragmented market. If you want to offer your goods or services within a couple of countries there are numerous regulations in place to be considered before evaluating and implementing fraud prevention tools. It is advisable to work with suppliers that are aware of country-specific peculiarities before you start to implement any products. Be sure to cross-check this information with a local law firm or a certified data privacy officer. In some instances, the vendor may be able to provide you with expert reports from an independent third party. If the vendor knows the market, he/she will also be able to advise you on best practices. This could save you time and resources. Always speak to more than one vendor and perform tests in order to profit from their

Step 3: Evaluate your suppliers

Now you can put your classified data sets and country-specific data privacy requirements into a matrix to highlight cases where certain tools do not match legal requirements. Make sure you talk to your vendors to see if they are aware of any data privacy issues with their tools for certain markets. If in doubt, ask them to provide you with a written statement that these problems are correctly addressed within their tools or services.

Although this will not free you from any legal problems, it will ensure the vendors are aware of the issue and thus, data privacy issue risks can be shared. It is likely that the vendor will be proactive about informing you of any changes in regulations concerning his/her product or services at no extra cost.

ABOUT THE COMPANY: DEVICE IDENT OFFERS SELF-DEVELOPED ANTI-FRAUD SOLUTIONS FOR COMPANIES WITHIN THE RETAIL, DIGITAL GOODS, PAYMENT AND FINANCIAL SERVICES SECTOR. THE COMPANY’S PRODUCT PORTFOLIO INCLUDES DEVICE-FINGERPRINTING AND BEHAVIORAL-ANALYTICS SERVICES. OUR NEW KEY PRODUCT IS THE FRAUD MANAGER, WHICH IS LOCALLY INSTALLED FRAUD ANALYTICS SOFTWARE THAT SUPPORTS AUTOMATIC FRAUD IDENTIFICATION BASED ON MACHINE LEARNING AND GRAPH DATA STRUCTURES. THE COMPANY WAS FOUNDED IN EARLY 2013 AS A SPIN-OFF OF THE OTTO GROUP, EUROPE’S SECOND LARGEST ONLINE RETAILER. BY NOVEMBER 2013, THE COMPANY HAS ALREADY SECURED ONLINE TRANSACTIONS IN EXCESS OF EUROS 500 MILLION PER MONTH AND HAS SHOWN PHENOMENAL GROWTH. PLEASE CONTACT DEVICE IDENT DIRECTLY FOR A DEMO OF THEIR PRODUCTS AND SERVICES: .

ABOUT THE AUTHOR: ROBERTO VALERIO IS A STARTUP VETERAN HAVING FOUNDED AND WORKED AT DIFFERENT WEB STARTUPS WITHIN THE LAST 15 YEARS. HE HAS 20 YEARS OF PROGRAMMING KNOWLEDGE AND LOVES TO HEAD PRODUCT DEVELOPMENT FOR HIGHLY SCALABLE WEB APPLICATIONS. ROBERTO VALERIO FOUNDED DEVICE IDENT AS A SPIN-OFF OUT OF THE OTTO GROUP, GERMANY.

www.deviceident.com

Wirecard

Fraud Prevention Tools in Accordance With the New Consumer Behaviour

The world of shopping is only one mouse click away. This is reflected in today's highly competitive global e-commerce market. In addition, breath-taking growth rates for mobile internet use demonstrate that customers are more mobile now than ever before. The advantages that come with mobile devices are clear. They allow easy access to the internet and as a result also to every online shop of the world: 24/7, 365 days a year. Merchants can benefit from this development, but success in e-commerce and m-commerce also depends on the company’s ability to accept a wide range of payment methods. But who supports and consults merchants when deciding to approve or refuse a payment?

The changes taking place in today's world towards a mobile society have resulted in a new kind of consumer behaviour developing. People increasingly search, inform themselves and shop online on desktop PCs and more recently, on mobile devices. The latter has become possible because of the increased prevalence of smartphones and tablets, which make it possible to shop at any time. In addition, mobile devices encourage today’s customers to make cross-channel purchases: consumers often switch from one sales channel to another because of the many options available to them today, whether online, mobile or at offline high street retailers. However, the crux of this new behaviour is that it aims to offer an optimum, secure shopping experience to consumers across all sales channels, whilst also guaranteeing sales for retailers. Integrated and automated risk management in combination with the necessary payment services are therefore essential for all shops which accept payment online.

Always a step ahead of fraud – service providers help
The greatest factor holding back the growth of online sales is the higher incidence of fraud, because those committing it are becoming ever more ingenious and developing their methods in tandem with new prevention technology. Identity theft and hacking, in particular, have increased in recent years and cause enormous financial damage. As the internationalisation of online retailers progresses, the fraud patterns that emerge are becoming increasingly sophisticated. The issue of security should therefore be top of the agenda at all times for online retailers. They are well advised to rely on a service provider specialised in risk management, which offers effective tools for fraud prevention and combating incidences of fraud online.

Identifying and avoiding payment risks in real time
Retailers’ demands for effective solutions to combat fraud are becoming increasingly complex. Modern risk management and fraud prevention software is more important than ever before. This combines different methods for intelligent guidelines and decision-making strategies, according to which transactions are verified before they are completed. Individual industry and business-specific parameters as well as basket analyses are also taken into account. This allows retailers to identify a range of fraud patterns in real time and make substantiated decisions as to whether they accept or reject a transaction. If professional and effective risk management is important to retailers, preventative action is needed and it will not suffice to identify risks after fraud has been committed. Instances of fraud can be more rapidly and effectively prevented if comprehensive processes precede payment transactions and extensive checks are carried out in real time.

Fraud prevention solutions evaluate all transactions according to a diverse range of criteria: IP addresses or credit cards which have already been linked to fraud cases on a number of occasions are just two examples of fraud indicators that can result in software rejecting a payment. Alarm bells are also sounded for card payments when there is no plausible connection between the country of the card issuing bank and the customer's internet connection.

Even simple tools can help protect against payment risks. For example, before selecting the payment method, real-time verification of consumer data, including identity, address, age and creditworthiness, can be carried out. The result can then be used to immediately decide which payment options to offer customers and the maximum amount to which a particular payment is justifiable.

Heiner Kallweit, Head of Product Line Risk & Fraud Prevention, Wirecard AG

Tools for increased transparency
Intelligent guidelines and decision bases help retailers protect themselves against payment default. Solutions that provide maximum transparency for retailers add further value. In practice, they provide graphical representations which clearly show the development of fraud-related key performance indicators over time, for example chargeback and fraud rates. Retailers receive an aggregated perspective of their overall fraud prevention and can see precisely what proportions of transactions were denied and the reasons for the rejection. At the same time, retailers can recognise whether the software works effectively or if there is too high a number of false positives (rejected genuine transactions).
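The indicators named in this article (IP addresses and cards already linked to fraud, and an implausible pairing of card-issuer country and connection country) and the transparency figures it asks retailers to watch (share of rejections, reasons, false positives) can be put together in a few lines of Python. This is an added example, not Wirecard's software: the list contents, field names, plausible-country pairs and the eight sample transactions are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed negative lists: a documentation-range IP and a made-up card token.
IP_NEGATIVE_LIST = {"203.0.113.7"}
CARD_NEGATIVE_LIST = {"tok_bad_0001"}
# Assumption: neighbouring-country pairs this merchant treats as plausible.
PLAUSIBLE_PAIRS = {frozenset(("DE", "AT")), frozenset(("NL", "BE"))}


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    card_token: str      # tokenised card reference, never the card number
    issuer_country: str  # country of the card-issuing bank
    ip: str
    ip_country: str      # country resolved from the customer's connection
    is_fraud: bool       # known only later (e.g. chargeback); used for KPIs


def evaluate(tx):
    """Decide before the payment completes; return (decision, reasons)."""
    reasons = []
    if tx.ip in IP_NEGATIVE_LIST:
        reasons.append("ip_on_negative_list")
    if tx.card_token in CARD_NEGATIVE_LIST:
        reasons.append("card_on_negative_list")
    pair = frozenset((tx.issuer_country, tx.ip_country))
    if tx.issuer_country != tx.ip_country and pair not in PLAUSIBLE_PAIRS:
        reasons.append("issuer_ip_country_mismatch")
    return ("reject" if reasons else "accept"), reasons


def report(transactions):
    """Aggregate the figures a retailer would review when tuning the rules."""
    reasons = Counter()
    rejected = false_positives = missed_fraud = genuine = 0
    for tx in transactions:
        decision, why = evaluate(tx)
        if not tx.is_fraud:
            genuine += 1
        if decision == "reject":
            rejected += 1
            reasons.update(why)
            if not tx.is_fraud:
                false_positives += 1  # genuine customer turned away
        elif tx.is_fraud:
            missed_fraud += 1         # fraud that no rule caught
    total = len(transactions) or 1
    return {
        "rejected_share": rejected / total,
        "false_positive_rate": false_positives / genuine if genuine else 0.0,
        "missed_fraud": missed_fraud,
        "reject_reasons": dict(reasons),
    }


# Constructed sample data (IPs are from documentation ranges).
SAMPLE = [
    Transaction("t1", "tok_ok_1", "DE", "198.51.100.10", "DE", False),
    Transaction("t2", "tok_bad_0001", "FR", "198.51.100.11", "FR", True),
    Transaction("t3", "tok_ok_3", "GB", "203.0.113.7", "GB", True),
    Transaction("t4", "tok_ok_4", "DE", "198.51.100.12", "BR", False),
    Transaction("t5", "tok_ok_5", "NL", "198.51.100.13", "BE", False),
    Transaction("t6", "tok_ok_6", "DE", "198.51.100.14", "AT", False),
    Transaction("t7", "tok_ok_7", "ES", "198.51.100.15", "ES", True),
    Transaction("t8", "tok_bad_0001", "IT", "203.0.113.7", "US", True),
]

if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(key, value)
```

Transaction t4 (a genuine customer abroad) is the false positive and t7 is fraud that no rule catches, which is why the rejection reasons and both error figures need to be reviewed together before a rule is tightened or relaxed.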

The set of rules applied in the fraud prevention software is not a static construct, and with good reason: fraud patterns are constantly changing and retailers must be in a position to continuously adapt their fraud prevention to match these developments. It is therefore important that the software is transparent and operates in a clear way. Only then will retailers be able to continually verify their risk management as well as sustainably optimising their decision basis and rules.

Conclusion
Today, professional risk management is a crucial success factor and a core aspect of modern online retail. Up-to-date, transparent software gives retailers maximum control when managing their fraud prevention and maximising sales. The options for preventing losses through integrated, scalable solutions are as wide-ranging as the needs of individual retailers. Support is offered by professional payment service providers, which offer tailored strategies to ensure online retail continues to be valuable for both customers and retailers.

ABOUT THE COMPANY: WIRECARD AG IS ONE OF THE WORLD’S LEADING INDEPENDENT PROVIDERS OF OUTSOURCING AND WHITE LABEL SOLUTIONS FOR ELECTRONIC PAYMENT TRANSACTIONS. WIRECARD SUPPORTS COMPANIES IN ACCEPTING ELECTRONIC PAYMENTS FROM ALL SALES CHANNELS. A GLOBAL MULTI-CHANNEL PLATFORM BUNDLES INTERNATIONAL PAYMENT ACCEPTANCES AND METHODS, SUPPLEMENTED BY FRAUD PREVENTION SOLUTIONS. WIRECARD AG IS LISTED ON THE FRANKFURT SECURITIES EXCHANGE (TECDAX, ISIN DE0007472060, WDI).

ABOUT THE AUTHOR: HEINER KALLWEIT HAS BEEN PART OF THE PROFESSIONAL SERVICES TEAM AT WIRECARD AG SINCE 2003. HE STARTED AS A PROJECT MANAGER. IN 2009 HE BECAME HEAD OF PRODUCT LINE RISK & FRAUD PREVENTION AND HAS SINCE THEN BEEN RESPONSIBLE FOR RISK MANAGEMENT SYSTEMS TO COMBAT FRAUD.

www.wirecard.com

Ogone

Cross-Border Expansion – Resolving Local Issues

E-commerce is growing rapidly, both globally and within Europe. Current forecasts (eMarketer) are that the B2C e-commerce market will reach USD 1.85 trillion by 2016. While North America (USD 580 billion) and Asia Pacific (USD 707 billion) lead the way, Western Europe’s share of the market will be USD 388 billion.

As e-commerce grows its share of retail transactions, so does the potential for merchants to expand cross-border without the need for a physical presence in each country. Market growth will be determined by a number of factors that will vary from country to country, including: internet penetration, age distribution of the population, geographical spread, customer confidence with new payment mechanisms and income distribution. An additional factor will be the availability of products and services via existing physical outlets.

Increasing opportunities bring new threats
E-commerce growth has resulted in a shift in the way criminals address payment fraud. The fight to contain plastic fraud levels has been likened to the action of pressing down on a balloon (as you press down on one area so another increases in size). E-commerce expansion has coincided with the introduction of EMV technology at the point-of-sale in many countries. As the potential for counterfeit fraud has been addressed so criminals have looked increasingly at transactions where the card is not present (CNP) as an appealing avenue for fraud. In UK, while counterfeit fraud is around a quarter of its 2008 level, CNP now accounts for 63% of total fraud. The European Central Bank Second Report on Card Fraud (2013) looked at card fraud experience across 27 EU countries. It found that (depending on the individual country) fraud to sales ratios in a CNP environment were up to 30 times higher than for transactions where the card was present. For the US, which is in the process of addressing EMV, the message is clear and merchants will need to anticipate the potential threat of CNP fraud as chip migration progresses.

Different challenges
For merchants wishing to expand cross-border, e-commerce brings opportunities and challenges. Each market is different, with differing logistics, local preferred payment methods, varied levels of fraud and indeed differing attitudes to fraud. Just in regard to payment methods within Europe, for example, there are a variety of practices: credit card payments and local card schemes are mainstream in the UK, France and Belgium; German consumers are far more likely to use a direct debit transfer; in the Netherlands over 70% of payments are made via iDEAL, enabling direct transfers from the customer’s bank account.

Merchants wishing to grow sales in these countries must offer the preferred payment options.

Apart from consumer behaviour, merchant attitudes to the importance of fraud prevention will also vary in individual markets depending on current market size and experience of fraudulent attacks. Research carried out by Ogone found that in certain European countries such as Germany CNP fraud was not yet considered a major issue and merchants in these countries were less likely to consider fraud management a priority. Online fraud is evolving at different rates in each country and needs to be monitored continually. In each instance, taking into account market business margins, strategic objectives and in-house expertise, merchants will need to find an optimal balance between minimizing both the direct and indirect costs of fraud. As e-commerce grows, large numbers of manual checks are not an economically viable response to online fraud.

From a global perspective, there will be some variation in the tools available to merchants monitoring potential frauds. Whereas 3-D Secure is widely used in countries like Switzerland and Belgium in Europe (with over 60% of transactions using this authentication tool), usage is far less frequent in Germany (below 35%) and France (less than 20%). Despite proven result in decreasing risk, one other implication of this is that when this authentication method is used then it is more likely that shoppers, being unused to the practice, will abandon their shopping basket. Besides, 3-D Secure is not available in the US. Similarly, AVS, which is widely used in UK, is not supported in continental Europe.

Elie Casamitjana, Product Manager, Fraud Prevention Solutions, Ogone BVBA/SPRL

Optimised fraud prevention
Whilst it is important to prevent fraud when entering a new market, it is also essential to build customer relationships. A strong prevention policy may lower fraud levels but if it is at the expense of slower transactions and large numbers of genuine transactions being refused then this will have an immediate impact on revenue earning opportunities, customer satisfaction levels and brand reputation.

[Image: Online & mobile payments: New opportunities & threats, Autumn 2013]

Given the diversity of the markets studied, is there a viable universal approach to e-commerce fraud prevention? Each product, sector and country will have its own fraud challenges. Combining software with industry and geographical knowledge can make prevention more efficient and less complex. What is needed is a refined, flexible, speedy and dynamic solution - and data is key.

Ogone’s research has found that merchants want an international solution that:
• is cost-effective, user-friendly and unobtrusive to customers
• is comprehensive - providing customer data, card and IP address checks
• provides ‘yes or no’ decisions in real time
• uses negative and positive lists to optimise fraud management
• minimises the need for manual intervention.

In the context of cross-border transactions, the solution needs to be customisable, enabling merchants to maintain control of their fraud prevention strategy at any point.

Merchants wishing to expand cross-border into new markets will need to prioritise online fraud prevention whilst maximising customer service and sales revenues. With the right fraud solution and a flexible approach to market entry, based on understanding of local preferences and behaviour, the opportunities are endless.

ABOUT THE COMPANY: OGONE, AN INGENICO COMPANY, IS A LEADING GLOBAL ONLINE PAYMENT SERVICE PROVIDER. MORE THAN 42,000 BUSINESSES IN OVER 70 COUNTRIES WORLDWIDE USE OGONE TO MANAGE AND SECURE THEIR ONLINE AND MOBILE PAYMENTS, HELP PREVENT FRAUD AND DRIVE THEIR BUSINESS. OGONE’S SCALABLE SOLUTION ALLOWS THEIR CUSTOMERS TO INCREASE THEIR CHECKOUT CONVERSION AND HELPS THEM ENHANCE SALES, BOTH DOMESTIC AND CROSS-BORDER.

www.ogone.com

VOICE OF THE INDUSTRY

This Voice of the Industry section http://www.thepaypers.com/voice-of-the-industry is designed to provide industry leaders with the great opportunity to share their views on specific developments in the global payments market and to promote their innovative products or services.

The Voice of the Industry section includes:

Expert opinion
Aims to provide the world’s leading experts and industry thought leaders with the opportunity to expose and share their vision and expertise on specific developments in the global payments market with our readership.
Visibility:
- Added on website and daily & weekly headlines which are sent out to our > 16.000 subscribers
- 2 days display in daily headlines

Case study
Is a retrospective on a successful market implementation of a product/service or a strategic acquisition carried out by a company. This product is conceived as an overview of a specific product or service deployment, a successful partnership or else finalized product launch, outlining the business case, results to date and best practices derived as a result of this implementation.
Visibility:
- Added on website and daily & weekly headlines which are sent out to our > 16.000 subscribers
- 2 days display in daily headlines

The Product/Service Briefing
Allows organizations to provide existing and potential new customers as well as the industry at large with an in-depth look at new and innovative products/services / business models they are about to launch (the definition of innovation is: a change in a product offering, service, business model or operations which meaningfully improves the experience of a large number of stakeholders)
Visibility:
- Added on website and daily & weekly headlines which are sent out to our > 16.000 subscribers
- 2 days display in daily headlines

A CLOSER LOOK AT IDENTITY MANAGEMENT SCHEMES & E-IDENTITY IN A TRANSACTIONAL CONTEXT

Innovate Identity

Anyone for Identipedia? - How To Make Sense of the Identity and Fraud Market Place

A Google search for ‘anti-fraud systems’ throws up 589 of the most ‘relevant’ results. On the first page alone links range from anti-virus software to national systems used for fraud to the reported number of losses by the National Fraud Authority (NFA).

Typing in ‘identity verification service’ and I get a similar number of results - anything from two factor authentication to device fingerprinting to credit referencing agencies.

Scary stuff and I don’t just mean the amount of fraud reported by the NFA.

What isn’t helping is the seemingly endless and apparently interchangeable terminology: one person’s ‘identity’ or ‘fraud’ isn’t the same as another’s. Maybe it’s about time we created our very own dictionary? Identipedia?

As an industry, we are so focused on making things sound sexy but we have forgotten we are supposed to make it clear to customers how to make a purchasing decision.

From a merchant’s perspective, wading through the plethora of systems and trying to understand what is beyond the sales pitch can be difficult and confusing. In some cases this has dire consequences.

I recently saw a client who had not reviewed their systems for a number of years. Upon analysis they found that with the “silver bullet” system they had in place, 83% of fraud cases passed straight through their identity checks. But didn’t someone say that identity systems stopped fraud!?

So what do we know?
I’m a big advocate for keeping things simple. So whilst we’re all swimming in a sea of acronyms we should also never lose sight of the basics.

There is a balance with all of these systems (whatever we decide to call them) and the loss versus optimisation curve is the way in which businesses should measure what is the right approach for them. Getting good customers over the line with a good customer experience whilst preventing risk is key.

CyberSource (2001) http://www.google.com/patents/US7865427

Internalising the following ideas and tactics into your decision-making process will make it easier when choosing the right identity system for you.

Define your requirements - An ex-military friend of mine uses the following saying: “Time spent in resonance is seldom wasted”. Never a truer word has been spoken in relation to purchasing decisions with these types of technology.

Organisations should spend time clearly defining their business requirements, needs, and strategy before buying any technology. Systems can increase efficiency but only when used correctly and in the right process. Technology should only be considered once the customer journey and experience has been defined and business rules are created. Without this technology can work against you, making things less efficient, not more.

People and process - People and process are the underpinning for any system. You must ensure that the technology is not expected to replace good people and process. It’s about augmentation, not replacement.

Emma Lindley, Director, Innovate Identity

Bring fraud and marketing together - Traditionally, fraud and marketing teams do not make decisions together, leading to each department buying a different point solution. Instead, the two teams can work together using the same logic of identifying and preventing bad customers to enable decisions on how to identify the good ones.

Test - Never buy without completing benchmark testing making a side-by-side comparison of suppliers. The type of fraud your organisation is experiencing or your customer demographics may be similar to another company but it will not be exactly the same. Spend some time designing the test around the outcomes you are looking to prove. Supplier test data typically should only be used for technical integration testing, not to assess if the system prevents fraud or can be used for identity proofing.

Keep it simple - A well-implemented, simple system that can be tailored will deliver ten times the value of a poorly implemented, off-the-shelf system. It is possible that re-visiting and optimising an existing system can also deliver value and may not require additional integration work.

Change will happen - Flexibility is critical since things will always change. It tends to follow a pattern similar to this:
1. Fraud threats change
2. Business needs change
3. Regulatory needs change
4. Customer behaviour changes
5. Technology changes

So we need technology that is flexible, on-demand to deal with such change and provided by suppliers that adapt to the market. In addition to adaptive technology, we need to be making systematic reviews of any changes. There also needs to be some level of tailoring to people, process and technology to ensure continuous optimisation. That way, we get more of the good customers and less of the bad ones…

The opportunity
As an industry, we are starting to recognise the issues that merchants might be having in understanding the market. Clarity is one such issue. Recent initiatives like the launching of The Open Identity Exchange’s OiXnet aim to provide clarity for the identity market through an online registry.
And others are doing their bit too. The MRC continues to ensure that presentations at its events are driven by the merchant, giving real life practical examples rather than just a sales pitch.
Despite complications there is a huge opportunity for merchants in getting this right. Combining classic theories like Moore’s Law with trends such as big data, social and mobile means that the acceleration of innovation is beyond what we have ever experienced before.
The market has to move towards increased customer centricity. Simply because, unless customers get a good on-boarding experience, they will go elsewhere.
For merchants that can manage their risk effectively and create a great experience, these profitable customers are there on the table for the taking.

ABOUT THE COMPANY: INNOVATE IDENTITY IS AN INDEPENDENT CONSULTANCY PROVIDING ADVISORY SERVICES FOCUSED ON DIGITAL TRUST, DATA AND TECHNOLOGY INNOVATION WITHIN THE GLOBAL ONLINE COMMUNITY. OUR AREAS OF EXPERTISE INCLUDE GLOBAL IDENTITY PROOFING, ’MIDATA’, IDENTITY VERIFICATION, AGE VERIFICATION, KNOW YOUR CUSTOMER, ANTI-MONEY LAUNDERING, DATA PRIVACY AND ANTI-FRAUD TECHNOLOGIES.

ABOUT THE AUTHOR: EMMA LINDLEY HAS OVER 14 YEARS’ EXPERIENCE WORKING WITH TECHNOLOGY-LED IDENTITY, COMPLIANCE AND FRAUD SYSTEMS. SHE WORKS WITH MERCHANTS, REGULATORS AND GOVERNMENTS GLOBALLY HELPING THEM BUILD BEST PRACTICE FOR IDENTITY AND RISK.

www.innovateidentity.com

Jumio

Preview of the Fraudster’s Playbook: Insights on Identity Theft

Nearly two thousand years ago, the famous military strategist, Sun Tzu, wrote in his infamous book, ‘The Art of War’ that to beat the enemy you had to get to know the enemy. It’s with this in mind that Jumio is publishing this white paper, to help us to get to know the enemy so that we can all win more battles against the fraudsters.

Jumio researchers spent many days talking to convicted ex-fraudsters, professional criminologists, law enforcement practitioners and fraud managers to uncover some of the exploits that fraudsters use. The content of this white paper presents what we heard first hand - how convicted fraudsters steal and exploit identities. This is the first of a series of white papers in which Jumio examines how fraudsters steal identities and then go on to conduct acts of fraud against businesses. The first conversation with one of the convicted fraudsters we spoke to revealed a whole new dictionary of fraud terms and yielded insight into the roles of players in the underground economy. A deeper understanding of this underground economy will help us all, as professionals in fraud prevention, and as consumers, to make life harder for the fraudsters. For this purpose, via the first installment of “The Fraudsters’ Playbook” we share our insight into the first stage of the fraud process: identity theft. In our second installment, we will share our insight into the second and subsequent stages of fraud, the act of ID fraud and card fraud and how criminals profit from it. Here are our findings on five ways in which fraudsters are trying to steal your identity.

Five ways in which fraudsters steal identities:
1) The Wi-Fi crack: Savour the smell of freshly roasted coffee
2) The local government census: The fraudster always knocks twice
3) Social media techniques: My virtual friend, the real life fraudster
4) The loyalty discount offer: If it looks too good to be true...
5) The Fraud Forums: Pop to the market and use the retailers’ own data

To download the complete version of the Fraudster’s Playbook, please visit jumio.com/fraudstersplaybook.

How does Jumio tackle the fraud challenge?
What if there was a new way of implementing checkout on websites to make life difficult for fraudsters and at the same time help increase revenue by tackling the problem of basket abandonment? At Jumio, we specialise in computer vision which is another way of saying that we think it’s old fashioned to key in payment and personal data when we can be getting our (increasingly clever) devices to do the work for us by using a webcam or a mobile device camera. Here are a couple of examples of how Jumio’s computer vision is helping companies prevent fraud whilst reducing payment friction:

How to make a card-not-present transaction more present
1) Websites using Jumio offer their customers the option to checkout by scanning their card with their device camera or webcam.
2) Jumio scans the card number, expiry date, customer name (and sort code and account number if needed) and sends them directly into checkout basket.
3) Customer evidences that they have the physical card and flies through checkout and order is complete.

How to validate high-risk transactions as if the customer is standing right there in front of you
Websites using Jumio offer their customer the option to checkout by scanning their card with their device camera or webcam.

1) Websites using Jumio prompt high-risk customers/transactions to use the webcam or mobile device to scan their driving license or other photo ID …fraudsters drop out and move onto less well-protected sites.
2) Jumio validates customer ID document and checks the security features.
3) Jumio captures the image of the customer via webcam or device camera and Jumio completes a Face Match to check that the face in the ID document is the same as the face behind the transaction …fraudsters drop out and move onto less well-protected websites.

To hear more about how fraudsters are targeting your business and how Jumio can help prevent your fraud and decrease payment friction email [email protected].

ABOUT THE COMPANY: USING ADVANCED COMPUTER VISION TECHNOLOGY, JUMIO IS A NEXT GENERATION CREDENTIALS MANAGEMENT COMPANY OFFERING PAYMENTS AND ID SCANNING & VALIDATION PRODUCTS FOR MOBILE AND WEB TRANSACTIONS. DESIGNED TO REDUCE FRAUD AND INCREASE REVENUE BY MINIMIZING FRICTION IN CUSTOMER TRANSACTIONS, JUMIO’S PRODUCTS INTEGRATE EASILY INTO MOBILE APPS OR WEBSITES AND CREATE GREAT CUSTOMER EXPERIENCES. JUMIO’S NETSWIPE® AND NETVERIFY® ARE WIDELY USED BY LEADING RETAILERS, MARKETPLACES AND FINANCIAL INSTITUTIONS, INCLUDING WESTERN UNION, AIRBNB, TRAVELOCITY’S HOTEL DEALS BY LASTMINUTE.COM AND OTHERS.

www.jumio.com

Signicat

Know Your Customers and Contract Them Online with Electronic IDs

‘Know your customer’ (KYC) is as important as ever before for the prevention of identity theft and financial fraud, including money laundering and terrorist financing. However, the due diligence activities that are necessary to establish the required level of trust in a customer’s identity have traditionally been cumbersome and expensive.

This state of affairs is about to change and to be addressed, as electronic IDs are increasingly being used to onboard customers online. Financial institutions in the Nordic region, Spain and Germany are reporting huge savings and increased attractiveness of their services since eID-based KYC became possible for the first time three years ago. KYC is only one of many areas where use of eIDs is becoming widely accepted and used.

Cost reduction and faster processing are obviously strong motivations for enterprises to start using electronic IDs, but even more important is the fact that customers are now driving e-signature adoption, expecting that a variety of transactions can be finalized online without requiring the use of ink and paper.

The main factor that has made this possible is the emergence of strong electronic identity solutions with wide distribution in these countries. Since the beginning of the 2000s, more than 50 million eIDs have been issued to citizens and in the Nordic region more than 70% of the adult population currently have strong electronic IDs that can be used for KYC purposes.

Uniting the fragmented e-ID landscape
The driving forces behind this development have been the banks and the governments, respectively. Among the former are BankID in Norway and Sweden (same name, different organisations and technology), NemID in Denmark, TUPAS in Finland, Neue Personalausweis in Germany and DIN-e in Spain. Other eID issuers are also present in the market, resulting in a situation where presently there are a multitude of issuers of strong eID in Europe.

Bank and finance institutions have also been at the forefront when it comes to using the eID infrastructure for innovative purposes. A prime use case example continues to be internet banking, with KYC related to customer acquisition as another successful example. But other, innovative use cases are coming up.

Electronic signature as killer app
One promising area with huge potential is electronic signature. Denmark’s second largest bank, Nykredit, is planning to use Signicat’s electronic signature services for online signing of mortgages. The potential for savings when e-signature is substituted for pen and ink is huge, but even more importantly, this makes the banks’ financial products more available and more attractive to customers.

Cross border operations and eID
The development of eID in the region has mainly been done within a national scope, with limited degree of European coordination. This has resulted in a fragmented infrastructure that presents challenges to service providers wishing to reach a broad audience.

For instance, a service provider in Norway who wants to address the largest possible audience would need to implement support for Norwegian BankID, as well as the Buypass eID, the MinID eID and the Commfides eID.

If a service provider runs a pan-Nordic operation, which is often the case, they would need to implement support for up to 12 different eIDs. In the absence of a universal (or at least region-wide) eID scheme, the implementation effort soon becomes unmanageable.

Identity hubs as new paradigm for solving fragmentation
A new kind of service offering has emerged to address the need for simple integration with the eID infrastructure. Signicat, one of the leading suppliers of this kind of service in Northern Europe, currently has over 100 customers hooked up to its online identity hub. The purpose of the service is to provide easy access for service providers to the eID infrastructure of the Nordic region and beyond. This concept is very similar to the payments industry where PSPs offer the solution to the fragmented landscape of payment methods. Signicat started to offer its service in Northern Europe, but is now expanding it to the Benelux region and Spain to meet customers’ demand for increased coverage.

Gunnar Nordseth, CEO, Signicat

Signicat’s customers are typically banks, finance and insurance companies that want to use publicly available eID for strong authentication or electronic signatures. In addition to this, there are also an increasing number of customers doing high-value e-commerce and peer-to-peer lending that have joined up. Common for these customers is that they need to support all available eIDs in the markets in which they operate, and they do not want to invest heavily in order to implement this. Some of the customers that use Signicat in this way are Banco Santander,

BMW Financial Services and large Nordic region insurance and finance companies like SEB, If Insurance and Tryg. Signicat operates as an identity hub, or identity broker. Its customers tick off which eIDs they want to accept and Signicat sets up a service ABOUT THE COMPANY: SIGNICAT IS A SECURE providing access to whichever eIDs their customer wants to use. IDENTITY CLOUD SERVICE PROVIDER OF In addition to giving access to third-party eIDs, Signicat can also ONLINE ELECTRONIC ID (EID), ADVANCED play the part of an eID issuer for customers who want to provide ELECTRONIC­ SIGNATURES AND PKI-BASED their end-customers with a proprietary eID. SER­VICES AND SOLUTIONS. SIGNICAT OFFERS THE WIDEST COVERAGE OF NATIONAL AND Vision for Europe PUBLIC EIDS IN EUROPE, THROUGH ONE Trust and digital identity is a requisite for cross-border SINGLE POINT OF INTEGRATION (SAML, XML, transactions. Without trust and digital identity, the growth potential REST), WITH CONNECTORS TO LEADING will be limited. Merchants wishing to do cross-border commerce PLATFORMS SUCH AS JAVA AND .NET. MORE need to know their customers and the only realistic way to do this THAN 100 CUSTOMERS, CROSS BORDER IN THE is through electronic identity. FINANCIAL SERVICES INDUSTRY, E-COMMERCE AND PUBLIC SECTOR, RELY ON SIGNICAT. The best solution is to outsource the complexity of identification and authentication to specialists, just as the merchants did with ABOUT THE AUTHOR: GUNNAR NORDSETH HAS payments. Identity providers not only specialize in protecting MORE THAN 20 YEARS OF EXPERIENCE WITH customers from identity theft, but also allow customers to re-use INFORMATION SECURITY, PKI AND DIGITAL their existing IDs and credentials, preventing the build-up of a IDEN­TITY, AS A CONSULTANT AND FROM 2006 ‘digital key chain’. AS CEO OF SIGNICAT. SIGNICAT, WINNER OF THE 2009 IDDY AWARD FROM KANTARA INITIATIVE, WAS CO-FOUNDED BY GUNNAR AS A SPIN-OFF IN 2006. 
GUNNAR HAS A MASTER'S DEGREE IN NUMERICAL MATHEMATHICS FROM THE NORWEGIAN INSTITUTE OF TECHNOLOGY.

www.signicat.com

THE PAYPERS - INSIGHTS IN PAYMENTS

The Paypers (www.thepaypers.com) is the leading independent source of news and analyses for professionals in the global payment industry. Our products are created by payment professionals and cover all significant developments in financial transactions, with a special focus on online payments, online banking, mobile payments, e-invoicing, e-identity and SEPA. Our portfolio includes headlines, newsletters, company profiles, publications, events, jobs, buyer’s guides and advertising via multiple media channels and social networks.

Insights in payments – this is what the Paypers is all about. On the one hand readers get deep insight into the payment industry and on the other hand for companies the Paypers offers a great advertising portfolio. For example, with our DIMOCO hub we handle mobile payment transactions in the Central- and Eastern European countries. That means that we are a niche player and the Paypers is an ideal partner for us

Margit Anglmaier - Vice President Corporate Communications - DIMOCO

News and analysis

The Paypers offers a wide range of news and analysis products:
• Real-time online news on our website, with breaking news on Twitter and LinkedIn
• Free daily headlines, covering the fast-paced developments in the global payment industry
• News | Paypers, weekly overview of this week’s most important news into your mailbox.
• RSS feeds for all news articles, selectable by category
• Online database with a searchable news archive dating back 7 years.
• Premium newsletters providing a bi-weekly overview of industry news and analysis
• Analyses on current market developments and future opportunities
• Research reports detailing developments in specific markets and industry niches
• Annual payment topic guides with a global market overview of companies, services and products.


Consult Hyperion

Tokenization – The Way Forward for Wallets

David G.W. Birch, Director, Consult Hyperion

At the 2013 Money 2020 gathering in Las Vegas, one of the new technology topics under discussion was one of 2013’s most important trends in the retail transactions world, namely ‘tokenization’.

Visa, MasterCard and American Express announced they have started cooperating on standards for tokenization around digital wallets. The idea is, essentially, that when you want to buy something, your will generate a special ‘alias’ primary account number (PAN, the number on the front of your payment cards) and send this to the merchant. The merchant’s acquirer then passes this back and this issuer (or the scheme) replaces it with the real PAN for processing. By doing this, the merchants (and eavesdropping criminal hackers) don’t get to see the real PAN which should hopefully mean that a) there will be less card fraud and b) there is no need to store real card details in the handset where they may be attacked by criminals.

In Las Vegas, the early discussion ranged around what I have taken to calling ‘weak’ tokenization (ie, these limited use PANs that run over the existing rails) and what I have taken to calling ‘strong’ tokenization (ie, the consumer's identity in some form or other running over old or new rails). I would rather think that in the long run the card schemes and others will adopt a long-term strategy to shift to strong tokenization and I cannot see why this would be restricted to e-commerce. It would surely be logical to allow people to continue legacy card use at POS for limited purposes but to shift both card-present and card-not-present transactions to the ‘something present’ model. Thus, as a consumer, I have the same payment experience whether in-store, online or via mobile. When I want to buy something, a message pops up on my phone asking me to authorize the transaction, which I do, irrespective of the relative locations of me and the retailer.

So how is tokenization coming along? Well, Visa already has some experience with this with one of their Spanish issuers, BankInter. The BankInter mobile app generates a token (in this case, a one-use PAN that is valid for a short time only) and passes this to the merchant terminal. Since it is a standard PAN, it wends its way across the network back to BankInter, where it is converted back to the customer's debit PAN and authorised. The solution re-uses the existing rails so it is not especially expensive to implement.

It is hardly a new idea: one-use PANs have been around for e-commerce from the earliest days of web commerce but they are a hassle for consumers because they had to run something to generate the PAN, then copy it over to whatever form you're filling out on the web. And they are a hassle for merchants because there are other issues to do with refunds and so forth. But when a mobile app is doing it for them, consumers won't even know that it's not their ‘real’ PAN that is being passed to the merchant.

The BankInter case study flags up a particular attraction for issuing banks in the mobile world. It means that the app does not need to use the Secure Element (SE) on the SIM (which is under control) because there are no real card details held in the app. People have been looking around for NoSE (No Secure Element) solutions for retail payments for a while, since it became clear that it was going to be harder than people thought for banks and mobile operators and schemes and handset manufacturers to co-operate in this field, the approach has been boosted by Google’s decision to open up Host Card Emulation (HCE) in Android 4.4. This means that apps in the handset can have direct access to the NFC interface in phones to emulate contactless cards.

While the schemes have yet to give any definitive ruling on NoSE, it is unlikely they will rule against it. What’s more, the synergy between NoSE and tokenization looks very powerful. It makes sense for the schemes to integrate into their tokenization roadmap and set out the basic security requirements that will be needed for certification. This can clearly be done: I already have a app on my iPhone that gives direct access to my bank account. If it is possible to find countermeasures that give the right risk analysis balance for that app, it is possible to find countermeasures for a Visa, MasterCard, Amex or Discover app with API interfaces to retailer apps.

This means that apps will begin to use NFC for convenience, not for security. A retailer and a bank, for example, might integrate payments via HCE into the retailer's own app, bringing together Bluetooth Low Energy (BLE) and NFC to provide a seamless customer experience. You walk into the store and get personalized attention through the app - which now knows which shelf you are standing in front of - and the app downloads a payment token from the bank via mobile, WiFi, BLE or whatever. When you’ve finished shopping you tap and pay at the unmodified POS terminal using that same retailer app which now feeds the bank token to the POS across the NFC interface. An HCE/NFC/BLE world seems rather attractive from a consumer experience perspective.

One day soon, my Waitrose app will obtain tokens from my V.Me wallet, my MasterPass wallet, my PingIt app, my Zapp app and any other wallets it can find on my phone through a standard discovery process and standard API. Then when I check out at Waitrose, my app will pop up and take care of business. Maybe I will have configured my MasterPass wallet, which is where my John Lewis MasterCard will be stored, to allow the Waitrose app to charge GBP 100 without additional authorisation. Who knows how it will work. But we do know that tokenization means that the mobile wallet world will see accelerated development in 2014.

ABOUT THE COMPANY: CONSULT HYPERION HELPS ORGANISATIONS AROUND THE WORLD TO EXPLOIT NEW TECHNOLOGY FOR SECURE ELECTRONIC TRANSACTION SERVICES FROM MOBILE PAYMENTS AND “CHIP AND PIN” TO CONTACTLESS TICKETING AND SMART IDENTITY CARDS. OUR AIM IS TO ASSIST CUSTOMERS IN REACHING THEIR GOALS IN A TIMELY AND COST-EFFECTIVE WAY. WE SUPPORT THE DEPLOYMENT OF PRACTICAL SOLUTIONS USING THE MOST APPROPRIATE TECHNOLOGIES AND HAVE GLOBALLY RECOGNISED EXPERTISE AT EVERY STEP IN THE ELECTRONIC TRANSACTION VALUE CHAIN, FROM AUTHENTICATION, ACCESS AND NETWORKS, TO TRANSACTIONAL SYSTEMS AND APPLICATIONS.

ABOUT THE AUTHOR: DAVID G.W. BIRCH IS A DIRECTOR OF CONSULT HYPERION, THE TECHNICAL AND STRATEGIC CONSULTANCY THAT SPECIALISES IN ELECTRONIC TRANSACTIONS. HERE HE PROVIDES SPECIALIST CONSULTANCY SUPPORT TO CLIENTS AROUND THE WORLD, INCLUDING ALL OF THE LEADING PAYMENT BRANDS, MAJOR TELECOMMUNICATIONS PROVIDERS, GOVERNMENT BODIES AND INTERNATIONAL ORGANISATIONS INCLUDING THE OECD. BEFORE HELPING TO FOUND CONSULT HYPERION IN 1986, HE SPENT SEVERAL YEARS WORKING AS A CONSULTANT IN EUROPE, THE FAR EAST AND NORTH AMERICA. HE GRADUATED FROM THE UNIVERSITY OF SOUTHAMPTON WITH A B.SC (HONS.) IN PHYSICS.

www.chyp.com
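The ‘weak’ tokenization flow the article describes for BankInter (a one-use, short-lived alias PAN that travels the existing rails and is mapped back to the real PAN by the issuer), shown as an added example that is not from the guide, Visa or BankInter. The token BIN `999999`, the 120-second lifetime and all class and function names are assumptions; `4111111111111111` is a common test number, not a live card.

```python
# Added example (not from the guide): issuer-side "weak" tokenization with
# one-use, short-lived alias PANs. BIN, TTL and all names are assumptions.
import secrets
import time


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that does not yet include one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of the partial is doubled first
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


class IssuerTokenVault:
    """Maps alias PANs to real PANs; only the issuer ever holds this table."""

    def __init__(self, token_bin="999999", ttl_seconds=120, clock=time.time):
        self.token_bin = token_bin      # constructed BIN that routes aliases to this issuer
        self.ttl_seconds = ttl_seconds  # assumed lifetime; the article only says "a short time"
        self.clock = clock
        self._vault = {}                # alias PAN -> (real PAN, expiry timestamp)

    def issue(self, real_pan: str) -> str:
        """Called for the issuer's mobile app: mint a Luhn-valid 16-digit alias."""
        if not luhn_valid(real_pan):
            raise ValueError("real PAN fails the Luhn check")
        while True:
            body = self.token_bin + "".join(secrets.choice("0123456789") for _ in range(9))
            alias = body + luhn_check_digit(body)
            if alias not in self._vault and alias != real_pan:
                break
        self._vault[alias] = (real_pan, self.clock() + self.ttl_seconds)
        return alias

    def detokenize(self, alias: str):
        """Issuer-side lookup during authorisation. Returns (real_pan or None, reason)."""
        entry = self._vault.pop(alias, None)   # pop: a second presentation finds nothing
        if entry is None:
            return None, "unknown_or_already_used"
        real_pan, expires_at = entry
        if self.clock() > expires_at:
            return None, "expired"
        return real_pan, "ok"


def authorise_via_existing_rails(vault, pan_presented, merchant_log):
    """Merchant terminal -> acquirer -> issuer. The merchant records what it was shown."""
    merchant_log.append(pan_presented)         # what a breach of the merchant would expose
    if not luhn_valid(pan_presented):          # terminals reject malformed PANs up front
        return {"approved": False, "reason": "bad_check_digit"}
    real_pan, reason = vault.detokenize(pan_presented)
    # A real issuer would now run funds and risk checks against real_pan.
    return {"approved": real_pan is not None, "reason": reason}


def demo():
    now = {"t": 1_000.0}                       # controllable clock for the demo
    vault = IssuerTokenVault(clock=lambda: now["t"])
    real_pan = "4111111111111111"              # widely used test PAN, not a live card
    merchant_log = []

    alias = vault.issue(real_pan)
    first = authorise_via_existing_rails(vault, alias, merchant_log)
    replay = authorise_via_existing_rails(vault, alias, merchant_log)

    stale = vault.issue(real_pan)
    now["t"] += 121                            # let the second alias age past its TTL
    late = authorise_via_existing_rails(vault, stale, merchant_log)
    return first, replay, late, merchant_log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The merchant log ends up holding only alias PANs, each already consumed or expired at the issuer, which is the property the article relies on when it says merchants and eavesdroppers never see the real PAN.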

Neira Jones

21st Century Payments: When Innovation Meets Trust…

The visionary starts with a clean sheet of paper and reimagines the world… Malcolm Gladwell, 2013

Whether you are a CEO, a student, a busy parent, or a journalist, our hyper-connected world - where continuous availability has redefined how we access information and interact with others - has become the great equaliser giving us all the power to impact the world around us.

The pace of change

The United Nations predicts a world population of 7.5 billion by 2020 and by then, the number of interconnected ‘things’ will have reached 40 billion (Cisco, January 2013). Every year, we share more of ourselves online, and each time, we place our information and our faith in the security measures taken by those managing it on our behalf. Unsurprisingly, identity fraud cost the UK economy GBP 3.3 billion in 2012, affected 27% of the adult population and represented 36% of all fraud against individuals (National Fraud Authority, June 2013). With that, it is estimated that more people own a mobile than own a toothbrush, iPhone sales alone outpace births, the average person has their mobile in reach 14 hours per day (Mobilenomics, March 2013), and mobile is set to outpace other payment methods in the next 5 years (Javelin, April 2013).

From paper to digital

In 2009, the UK Payments Council announced the withdrawal of cheques and subsequently made a U-turn. Recently, it stated its wish to explore options including moving away from paper to cheque imaging. In the meantime, financial services group USAA deployed cheque imaging in mid-2009 and today, Bank of America, the US second largest bank, counts 13 million mobile banking smartphone users depositing an average of 100,000 cheques per day. Many other US financial services institutions now offer this service, suggesting that security and risk concerns have been addressed.

New models

With numerous payments innovations, ranging from QR codes to biometrics or sound waves, traditional players are still in catch-up mode. GoBank, an entirely digital business, launched in January 2013 with no overdraft or penalty fees, no minimum balance and only charges for four things:
• Putting a personal photo on your debit card (USD 9)
• Using an out-of-network ATM (USD 2.50)
• Spending money abroad (3%)
• Paying your membership fee (discretionary).

This model was greeted with scepticism by the industry and criticised by customers for its harsh cheque deposit policy (cheques can be held for up to 10 days before clearing). Nevertheless, the bank held about USD 245 million in deposits as of June 2013 and there are rumours that the remote cheque deposit capture policy may be soon relaxed, suggesting effective risk management. Additionally, companies such as Lenddo and Moven are putting a social/digital spin on credit scoring by assessing their customers’ worthiness through their social media activity and connections. Is identity being redefined?

Can financial services keep up with innovation?

American Express launched Amex Sync to enable cardholders to get products and offers by tweeting special hashtags whilst Starbucks launched Tweet-a-coffee to enable customers to send a USD 5 Starbucks Card e-gift to Twitter friends.

BMW hopes to have 10 million connected cars by 2018 (currently 3 million), positioning itself as a software and cloud company. Ford announced that its open source AppLink API will enable developers to adapt their apps to communicate wirelessly with Ford cars and interact using voice recognition to request a band, album or playlist from Spotify. Is the ‘internet of things’ real?... Samsung, with its T9000 smart fridge running on Android, keeps track of ingredients, orders groceries, acts as a baby monitor using built-in cameras. Will we soon see the Ford e-wallet? Pay-by-car to book a hotel room or a restaurant? The Samsung/Waitrose loyalty card?...

The more connected we become, the more privacy we erode

Whilst striving for innovation, security often becomes a secondary concern, sometimes with disastrous consequences. Privacy is front of mind, perhaps enabling crypto-currencies such as Bitcoin to generate much interest due to their anonymous nature.

Security concerns are nevertheless justified: stolen credentials and basic security lapses were at the core of 2012 data breaches and whilst very few breaches happened in the mobile space, mobile malware increased by 400% (Trustwave Global Security Report 2013). Are we prepared?
• 60% of mobile apps don't have a privacy policy notifying consumers which of their data they access. (InfoWorld March 2012)
• 55% of merchants can’t detect whether a transaction originates from a mobile device (60% believe it’s an ‘important’ or ‘very important’ requirement). (Kount 2013)
• 45% of service providers, 40% of card issuers and half of acquirers & card schemes use device identification for mobile fraud prevention. (Kount 2013)
• Only 11% of merchants use mobile device identification; 32% use authentication or secure m-payments. (Kount 2013)
• Mobile-related data breaches are expected to grow as mobile payment systems become more common. (Verizon DBIR 2013)
• 33.6% of consumers believe managing fraud risk and addressing security concerns is a priority for the adoption of mobile commerce, a close second to convenience at 36%. (Kount 2013), a marked change from previous years.

Understandably, a number of government initiatives aim to address digital identities:
• The US Clearing Group and its 22 member banks are developing a dynamic credentialing solution to improve the safety of digital payments.
• The UK government selected eight suppliers (including Paypal) for the provision of a secure online identity registration service for people accessing public services.
• In 2010, Denmark deployed a joint government/banking initiative providing common digital identities for internet banks, government websites and some private companies.

The digital economy brings dramatic transformation, creating new business models, supply chains, revenue streams and partnerships. Whilst security and risk management have traditionally been seen as business inhibitors, we live in a world where trust is ever present and increasingly a ground for opportunity. The successful business leaders will understand the implications of what Gartner very aptly calls The Nexus of Forces: social, mobile, information, cloud.

ABOUT NEIRA JONES: WITH 20 YEARS IN FINANCIAL SERVICES, NEIRA BELIEVES IN CHANGE THROUGH INNOVATION AND COLLABORATION AND STRIVES TO DEMYSTIFY RISK, INFORMATION SECURITY AND PAYMENTS. SHE IS REGULARLY INVITED TO ADVISE ORGANISATIONS AND SPEAK TO GLOBAL AUDIENCES. WHILST DIRECTOR OF PAYMENT SECURITY & FRAUD AT BARCLAYCARD, SHE MANAGED PAYMENTS RISK & COMPLIANCE FOR 100K MERCHANTS. SHE CHAIRS THE ADVISORY BOARD FOR MOBILE INNOVATOR ENSYGNIA AND THE GLOBAL ADVISORY BOARD FOR CSCSS, IS A FELLOW OF THE BRITISH COMPUTER SOCIETY AND WAS ON THE PCI SSC BOARD OF ADVISORS FOR 4 YEARS. MERCHANT PAYMENTS ECOSYSTEM NOMINATED HER ACQUIRING PERSONALITY OF THE YEAR 2013, SHE RECEIVED THE FSTECH APRIL 2013 COMPLIANCE PROJECT OF THE YEAR & ANTI-FRAUD/SECURITY STRATEGY OF THE YEAR AWARD, THE 2012 SC MAGAZINE INFORMATION SECURITY PERSON OF THE YEAR AWARD AND WAS INDUCTED TO THE INFOSECURITY EUROPE 2011 HALL OF FAME. NEIRA CAN BE CONTACTED VIA LINKEDIN, TWITTER AND GOOGLE+

http://neirajones.blogspot.co.uk/

Innopay

The Broader Scope of Payment Risk

Jacob Boersma, Senior Consultant, Innopay

Fraud is about more than just payments, risk is about more than just fraud.

In online business, the world never stands still. Technology, business models and customer behaviour are evolving. Unfortunately, this also applies to online crime: online fraudsters are constantly looking for new avenues to exploit. How are global e-commerce trends reflected in the trends of online crime and what can merchants do to stay ahead of the game?

Trend 1: Payment methods follow users

Once upon a time, credit cards were the only way to pay online. But credit cards were never designed for the web and new dedicated online payment methods quickly arose. Many of these either took the form of global platforms such as PayPal or of networked solutions created by banks such as iDEAL in the Netherlands and Giropay in Germany. On top of both old and new systems, add-ons have been built and continue to be developed for mobile, wallets, virtual payment cards, social payments, micropayments etc. Although international payments are still dominated by credit cards, there are huge local variances in preferred payment methods. This has led to massive fragmentation in the online payment market.

The massive fragmentation is fortunately not a big problem for merchants, because they can make use of payment service providers that take care of the complexity for them. But as payments expand beyond credit cards, so does fraud. Where old systems of fraud detection were completely built around the credit card paradigm, new systems require a different approach. With the merchant having to support so many new and different payment systems across multiple channels, the trust in the payment needs to be shifted to trust in the customer and the customer relationship. Merchants need to know their customers and employ digital identity solutions to recognize them. Of course, criminals realize this too and so credit card theft is evolving into identity theft (e.g. credential theft). This is especially true for cross-border transactions, where the lack of trust and digital identity is really limiting growth potential. Currently in the EU it is nearly impossible for Eastern European or Russian consumers to purchase from Western European shops because credit card fraud and identity fraud mean customers from these regions are rarely accepted.

The best solution for merchants is to outsource the complexity of identification and authentication to specialists, just as they did with payments. Identity providers not only specialize in protecting customers from identity theft, but also allow customers to re-use their existing IDs and credentials, preventing the buildup of a ‘digital key chain’.

Trend 2: Offline and online are converging

Traditional retailers continue to move online. There is hardly a brick-and-mortar company left without an accompanying web store. At the same time, e-commerce increases its presence offline, enabling purchases through scanned QR codes and opening physical stores and distribution channels.

Fraudsters will of course always look for the weakest link and also combine channels, for example using personal information gathered offline for online social engineering. Another example is transferring online criminal gains to physical prepaid cards or gift cards which can then be used in the relative anonymity of a physical store outlet.

Trend 3: ‘m’ is the next ‘e’

Mobile internet use is quickly surpassing the desktop and mobile is already starting to become an important tool for shopping both online and in physical stores. However, the security of smartphones still lags behind that of desktop computers, lacking for example good virus scanners or secure user interfaces. Furthermore, the convenience of the mobile experience is often more important than the security of an app, with long passwords often avoided in favor of shorter PIN-codes, for example.

But there is hope for the mobile channel. The hardware of modern smartphones with an increasing number of sensors (camera, microphone, etc.) makes certain forms of biometric identification and risk based authentication techniques (e.g. geolocation) a realistic proposition. This can turn the smartphone from a security risk into a tool for not only securing mobile commerce but other online and offline activities as well.

Trend 4: Checkout becoming more complex

Not only are customers confronted with new payment methods and new channels, but they are also more often confronted with loyalty schemes, special offers and coupons at checkout. Often the customer’s social network and personal information is leveraged for example by giving a discount for tweeting or sharing on Facebook.

Criminals also follow this trend of finding other revenue streams than merely money. Identity theft we already discussed earlier, but also using consumer’s computers to power botnets and transmit spam. And the advertising networks themselves, while offering easy ways for websites to automate their ads, can be used by cyber criminals to spread malware. Again we see that criminals always look for the weakest link.

Understanding your context is key

The key to managing evolving online fraud lies in understanding the components of the online (and sometimes offline) transaction context. This means understanding the relationship with your client (and being able to securely identify him where needed), understanding the kind of product you sell, the location you’re selling to and the timing of agreement, payment and delivery.

Understanding all these factors means creating a risk profile. For example digital goods, which can easily be transferred across the globe in the blink of an eye, and possibly resold quickly to launder money have a different risk profile from physical goods which need to be shipped to a customer’s home address.

As we have seen, changing customer behaviour means that fraud is increasingly not just about payments but about identity, trust and other intangible assets. Evolving technology gives rise to new threats but also to new opportunities. To determine which measures to take you need to understand your complete risk profile. In online business and online fraud, the world never stands still. Are you keeping up?

ABOUT THE COMPANY: INNOPAY IS AN INDEPENDENT CONSULTING FIRM, SPECIALIZED IN INTERNET PAYMENTS AND RELATED TRANSACTION SERVICES. WE PROVIDE OUR CLIENTS (BANKS, ONLINE MERCHANTS, PSPS, GOVERNMENT) WITH EXPERT KNOWLEDGE OF ONLINE PAYMENTS, E-INVOICING, DIGITAL IDENTITY, MOBILE PAYMENTS AND INFORMATION SECURITY. INNOPAY COMBINES IN DEPTH TECHNICAL KNOWLEDGE WITH KNOWLEDGE OF THE BUSINESS, REGULATION AND ONLINE TRENDS. WE LIVE AND BREATHE TRANSACTIONS.

ABOUT THE AUTHOR: JACOB BOERSMA IS A SENIOR CONSULTANT AT INNOPAY SINCE 2010, WORKING IN ONLINE PAYMENTS, DIGITAL IDENTITY AND INFORMATION SECURITY. JACOB HELPED DEVELOP THE SEPA COMPLIANT IDEAL PAYMENT SYSTEM FOR DUTCH BANKS AS WELL AS GOVERNMENT E-ID SCHEME E-RECOGNITION. HE’S THE LEAD OF INNOPAY’S SECURITY AND FRAUD PRACTICE.

www.innopay.com

Glossary

A ACH Network Automated teller machine (ATM) The ACH Network is an electronic network for direct consumer, An electromechanical device that allows authorised users, business, and government payments. It is the vehicle for direct typically using machine-readable plastic cards, to withdraw cash account-to-account electronic transactions, and “via ACH” is from their accounts and/or access other services, such as balance the differentiating phrase that links ACH payments back to the enquiries, transfer of funds or acceptance of deposits. ATMs may Network. be operated either online with real-time access to an authorisation database or offline. ACH Credits ACH credit entries occur when an Originator initiates a transfer Automated Clearing House to move funds into a Receiver's account. For example, when The Automated Clearing House (ACH) Network refers to the batch an employer offers Direct Deposit, the employer originates processing, store-and-forward system that enables electronic

the payment through the ODFI, which then initiates the credit funds processing. Rather than sending each payment separately, transaction to transfer the money into the consumer/employee's ACH transactions are accumulated and sorted by destination for account; the consumer is the Receiver. transmission during a predetermined time.

ACH Debits Authentication In an ACH debit transaction, funds are collected from a Receiver's The process of verifying the identity of the party connecting to the account and transferred to an Originator's account, even though system. the Originator initiated the entry. For example, consumers authorize a cable access company to debit their accounts for their Authorisation monthly bills. Once a month the cable access company initiates Online payments often involve direct authorisation from the bank a debit file through its ODFI to withdraw the money from the of the consumer making the payment. This means that a check is consumers' accounts. The cable company is the Originator, and carried out immediately to check whether the consumer is entitled the consumers are the Receivers. and in a position to make the payment.

Acquiring B An acquiring bank (or acquirer) is the bank or financial institution Boleto Bancario that processes credit and/or debit card payments for products or A credit transfer service which enables customers in Brazil to services for a merchant. The term acquirer indicates that the bank purchase software online and pay offline at any Brazilian post accepts or acquires credit card transactions from the card-issuing office, bank branch or through internet banking. banks within an association. C Alternative payments Chargeback Payment methods that are used as an alternative to credit card Reversal of a credit card payment. Chargeback is only possible payments. Most alternative payment methods address a domestic after settlement to the merchant has taken place. economy or have been specifically developed for e-commerce and the payment systems are generally supported and operated by local banks. Each alternative payment method has its own unique application and settlement process, language and currency support and is subject to domestic rules and regulations. THOUGHT LEADERSHIP WEB FRAUD PREVENTION, SECURITY & DIGITAL IDENTITY MARKET GUIDE 2013 61

CNP (Card Not Present)
Transaction type for credit cards where the card cannot be shown physically to the retailer, for instance in the case of e-commerce transactions and MOTO transactions. Is the opposite of Card Present (CP) transactions.

Card/Cash on Delivery (CoD)
Payment method with which payment (cash or by card) takes place when goods are delivered.

CP (Card Present)
Transaction type for credit cards where the card is physically present during the transaction and can be read, via a magnetic stripe or chip.

Credit card
A card indicating that the holder has been granted a line of credit. It enables the holder to make purchases and/or withdraw cash up to a prearranged ceiling; the credit granted can be settled in full by the end of a specified period or can be settled in part, with the balance taken as extended credit.

Credit card company
A company which owns the trademark of a particular credit card, and may also provide a number of marketing, processing or other services to its members using the card services.

Customer
A buyer, seller or holder of securities and financial instruments that does not participate directly in a system. A participant’s holdings in a system often include securities and financial instruments of which the participant’s customers are the beneficial owners.

Customer-not-present
In customer-not-present transactions the cardholder is not physically at the location when payment is taken. This is usually made online or by telephone/fax. Customer-not-present transactions often require additional security questions or processes to avoid fraud.

D

Debit card
Card enabling the holder to have his purchases directly charged to funds on his account at a deposit-taking institution (may sometimes be combined with another function, that of a cash card or cheque guarantee card).

Direct debit
Preauthorized debit on the payer’s bank account initiated by the payee.

Direct Payment
The use of funds for making a payment. Individuals or organizations can send or receive a Direct Payment as an ACH credit or debit.

E

Electronic money
Value stored electronically in a device such as a chip card or a hard drive in a personal computer.

E-wallet
Prepaid wallet that allows consumers to maintain a credit that can be used for (micro) payments on the internet. Most wallets can also contain information regarding the payment account and credit card, making it possible to ‘upload’ credit from these accounts. The wallet can also be used to pay for online purchases using the credit card information (stored on the wallet).

ELV (Elektronisches LastschriftVerfahren)
German Direct Debit system for online payment. Payment method which is very popular in Germany, although the payment is not guaranteed. ELV is a debit card, which in online transactions behaves like a credit card.

EMV
A standard for credit cards that contain a chip. By having this chip read by payment terminals more secure transactions are possible. The EMV chip will replace the signature on the sales slip of a credit card transaction.

Escrow payment
Payment that involves the services of an independent third party (Trusted Third Party, or TTP). The third party removes the distrust that may exist between parties by safeguarding the money (or delivery) until the other party has fulfilled his part of the deal.

I

iDEAL
iDEAL is an internet payment method in the Netherlands, based on online banking. Introduced in 2005, this payment method allows customers to buy securely on the internet using direct online transfers from their bank account.

M

Mobile payment
Also referred to as mobile money, mobile money transfer and mobile wallet, mobile payment generally refers to payment services operated under financial regulation and performed from or via a mobile device. Mobile payment is an alternative payment method. Instead of paying with cash, check, or credit cards, a consumer can use a mobile phone to pay for a wide range of services and digital or hard goods.

Money transfer
Generally refers to one of the following cashless modes of payment or payment systems: wire transfer, an international expedited bank-to-bank funds transfer, electronic funds transfer, an umbrella term mostly used for bank card-based payments, e-mail Money Transfer, an online banking transfer between Canadian banks, Giro, also known as direct deposit, money order, transfer by postal cheque, MoneyGram and others.

Multi-channel retailing
Multi-channel retailing is the merging of retail operations in such a manner that enables the transacting of a customer via many connected channels. Channels include: retail stores, online stores, mobile stores, mobile app stores, telephone sales and any other method of transacting with a customer. Transacting includes browsing, buying, returning as well as pre and post sale service.

N

NACHA - The Electronic Payments Association
The national association which establishes the standards, rules and procedures which enable depository financial institutions to exchange payments on a national basis.

O

Omni-channel retailing
Omni-channel retailing is very similar to, and an evolution of, multi-channel retailing, but is concentrated more on a seamless approach to the consumer experience through all available shopping channels, i.e. mobile internet devices, computers, bricks-and-mortar, television, catalog, and so on.

Online shopping (online retailing)
A form of e-commerce which enables consumers to buy goods or services from a seller over the internet without an intermediary service. An online shop, e-shop, e-store, internet shop, webshop, webstore, online store, or virtual store evokes the physical analogy of buying products or services at a bricks-and-mortar retailer or shopping centre. The process is called business-to-consumer (B2C) online shopping.

Open invoice
Details the amount a company owes to vendors and suppliers, along with a due date for sending payment. Invoices can also include additional information that relates to the past business transaction. Accounts payable clerks are often responsible for opening mail and finding all open invoices sent by vendors and suppliers. These individuals are the first employees to handle the invoices.

P

Payment gateway
An e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point of sale terminal located in most retail outlets. Payment gateways protect credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant and also between merchant and the payment processor.

Payment method
A generic way in which a payment is carried out, for instance by PIN card, credit card, internet banking, COD, premium SMS. When a payment method is not generic but specific, it is called a payment product.

Payment product
A specific version of a payment method used by a (commercial) provider, for instance Visa and MasterCard, the internet banking product of a particular bank, TPG Post COD services, the premium SMS product of a provider, Mobile2Pay, Way2Pay, Rabo Direct Betalen, MiniTix. In some cases a (specific) payment tool is used.

Payment tool
A tool that is used to carry out a payment with a payment product, for instance a card, random reader, money transfer form, ‘acceptgiro’, mobile telephone.

Payment processor
A company (often a third party) appointed by a merchant to handle credit card transactions for merchant acquiring banks. They are usually broken down into two types: front-end and back-end.

Payment Service Provider (PSP)
A company that offers service in the area of payments. These services consist of, for example, various payment modalities, Electronic Bill Presentment and Escrow services. A Payment Service Provider acts as intermediary between buyer and seller.

PCI-DSS
A payment card security standard that evaluates payment account data security by assessing the company’s network architecture, software design, security policies, procedures and protective practices. The PCI requirements have been developed by the PCI Security Standards Council, which includes American Express, Discover, JCB International, MasterCard and Visa.

PIN
A personal identification number (PIN) is a secret numeric password shared between a user and a system that can be used to authenticate the user to the system. Typically, the user is required to provide a non-confidential user identifier or token (the user ID) and a confidential PIN to gain access to the system.

POS
Point of sale (POS) or checkout is the location where a transaction occurs. A "checkout" refers to a POS terminal or more generally to the hardware and software used for checkouts, the equivalent of an electronic cash register.

Prepaid
A payment that is made in advance for a service that has not yet been used. The ‘credit’ can be stored on a(n) (electronic) carrier.

R

Remittances
A remittance is a transfer of money by a foreign worker to his or her home country.

S

SEPA
‘Single Euro Payments Area’. This is the vision, directive and goal of the European Commission which means that citizens and companies within the European Union have to be able to pay with a single set of payment instruments. This set is the combination of a bank account and instruments like money transfer, direct debit and cards. SEPA signifies the end of international payments within Europe.

T

Third-Party Processors
For merchants that do not qualify or do not want a merchant account, a third-party processor is a company that processes payments (e.g. credit cards) on behalf of a merchant. With most third-party processors, customers are typically forwarded from the merchant's website to the payment processor's site to complete the transaction.

V

Virtual goods
Non-physical objects purchased for use in online communities or online games. Digital goods, on the other hand, may be a broader category including digital books, music, and movies. Virtual goods have no intrinsic value and are intangible by definition.


COMPANY PROFILES


Company: Clearsale
Leader in authentication for online sales in Brazil, processing over 75% of all transactions in this market. ClearSale helps companies go even further, safely, providing a great shopping experience for customers. By quickly and efficiently approving an order, ClearSale increases sales and respects the consumer, with fewer cancellations and a lower risk of chargebacks.

Website: www.clearsale.com.br, www.clearsale.com.br/us
Keywords for online profile: Fraud risk management, credit card fraud, chargeback, e-commerce, fraud prevention, fraud detection, online fraud, increase sales
Business model: Please contact Clearsale
Target market: Retail, financial institutions, payment services providers, travel, other online businesses, telecommunications
Contact: [email protected]
Geographical presence: Brazil
Active since: 2001
Service provider type: Web fraud detection and prevention, technology vendor, fraud and risk consultancy, credit analysis
Member of industry association and/or initiatives: Endeavor Association, E-commerce Brasil, ABCOMM, Camara-e.net, Great Place to Work

SERVICES
Unique selling points: ClearSale’s fraud risk management delivers to its clients the decision to sell and is committed to achieve the best balance between fraud rate, total approval rate and analysis time. ClearSale does not approve or decline transactions based exclusively on rules or score: good orders with risky behavior are approved with manual analysis.
Core services: Advanced fraud & risk management solutions
Pricing Model: Contact Clearsale for more information
Fraud prevention partners: N/A
Other services: Credit Analysis, First Payment Default Fraud Detection, Internal Sales Fraud Detection
Third party connection: No

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: Yes
CNP transactions: Yes
Card Verification Value (CVV): No
Bin lookup: Yes
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: No
Velocity Rules – Purchase Limit Rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: Yes
Credit Rating: Yes
Follow up action: Attack detection - Clearsale maintains a team that is solely focused on detecting attacks targeting segments, specific companies, geographical regions, etc, in order to reduce the possibility of a mass attack against our clients.
Other: Authentication rating

AUTHENTICATION CONTEXT
Online: Yes
Mobile: No
ATM: No
POS: No
Call center: Yes
Other: N/A

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: N/A
Other databases: The main Brazilian bureaus, Threat Metrix, Neustar

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: No
Multi-channel fraud prevention system: Yes

CERTIFICATION
Type: Microsoft Gold Partner in Application Development (.NET).
Regulation: N/A
Other quality programs: This information is not available
Other remarks: This information is not available

CLIENTS
Main clients / references: 8 of the 10 largest online retailers are our clients, like Americanas, Submarino, Magazine Luiza, Extra, Ponto Frio. 4 of the 5 largest telecom companies, like Vivo and Nextel. 2 of the 4 largest airline companies: Gol Linhas Aéreas and Avianca.
Future developments: Solutions for mobile and POS authentication transactions.

Expand successfully into new markets

Protects customer experience and detects fraud with pin-point accuracy regardless of channel or geographic market

• Screens transactions from over 180 countries • Industry leading low chargeback rates

Proven to increase sales revenues

www.datacash.com I twitter.com/datacashgroup I [email protected] I +44 (0) 20 7421 9280 I linkedin.com/company/datacash


Company: DataCash - a MasterCard company
DataCash, a MasterCard company, provides multi-channel global payment processing services and advanced fraud prevention and risk management solutions to merchants and banks. As a global partner to some of the world’s most recognisable brands, DataCash combines smart thinking and an end-to-end solution to help its customers transcend the complexities and expense associated with payment processing.

Website: www.datacash.com
Keywords for online profile: Payments processing, international, fraud prevention, multi-channel, risk management, online payments, outsourced fraud & risk management
Business model: For more details, please contact our sales team
Target market: Merchants, acquiring banks, partners
Contact: DataCash sales team: [email protected]; DataCash partners team: [email protected]; Tel: +44 (0) 20 7421 9280
Geographical presence: Europe, North/Latin America, Middle East/Africa, Asia/Pacific
Active since: 1996
Service provider type: Global fraud monitoring, detection and prevention, multi-channel global payment processing
Member of industry association and/or initiatives: Merchant Risk Council

SERVICES
Unique selling points: DataCash leverages a unique global view of payment data, multiple layers of advanced technologies & innovation, unrivalled expertise, and exclusive relationships with world-class providers to extend fraud insight beyond traditional detection. Our merchants grow their businesses by reducing their overall costs of fraud whilst approving more genuine online orders.
Core services: Advanced automated fraud & risk screening solutions, which fit within any business model to screen all card and alternative payment types from around the world. Option to review transactions with intuitive & efficient case management system via secure & dynamic web-based user interface. Sophisticated fraud modelling, analytics & reports. Flexible outsource of fraud & risk management. Multi-channel payment processing.
Pricing Model: For current pricing please contact our sales team: [email protected], +44 (0)870 727 4761
Fraud prevention partners: DataCash is integrated into multiple third party fraud prevention partners including but not limited to: 192.com, Google Maps, Perseuss, MasterCard, Electoral roll, GB Group, Maxmind.
Other services: Fraud & risk management outsource: review queue management (24/7 or out of hours/peak times), rules management, reporting and administration of chargebacks, all actions around user accounts and back office systems. Payment processing: cardholder present solution, mobile payment service, hosted pages & tokenisation solutions, dynamic currency conversion, split shipment, recurring payments, payouts.
Third party connection: Contact the DataCash sales team for more information

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: Yes
CNP transactions: Yes
Card Verification Value (CVV): Yes
Bin lookup: Yes
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: Yes
Velocity Rules – Purchase Limit Rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: Yes
Credit Rating: No
Follow up action: Case management inclusive of third party callouts.


Other: Full verification tools, fraud scoring, globally shared negative database with integration into MasterCard’s global negative database, +130 rich data capture & checks, +350 complex rules specific to Industry, behavioral analytics, sophisticated fraud modelling & analytics.

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: No
POS: Yes
Call centre: Yes
Other: N/A

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: N/A
Other databases: Perseuss, MasterCard Global Negative List, MasterCard Expert Monitoring System, 192.com, GB Group Verification and Electoral Roll, BIN List, Maxmind IP List

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

CERTIFICATION
Type: PCI DSS 2.0, Bacs and Ecogra; Datacenter is SAS70 and ISO27001.
Regulation: For more details, please contact our sales team.
Other quality programs: For more details, please contact our sales team.
Other remarks: For more details, please contact our sales team.

CLIENTS
Main clients / references: For more details, please contact our sales team.
Future developments: For more details, please contact our sales team.


Company: Device Ident GmbH
Device Ident offers self-developed anti-fraud solutions for companies within the retail, digital goods, payment and financial services sector. The company’s product portfolio includes device-fingerprinting and behavioral-analytics services. Its new key product is the Fraud Manager, a locally installed fraud analytics software that supports automatic fraud identification based on machine learning and graph data structures.

Website: http://deviceident.com
Keywords for online profile: Online fraud prevention, account takeover prevention, device identification, worldwide device pool, automatic fraud detection, fraud case processing
Business model: Direct and through partners within the payment and credit scoring industry.
Target market: Web merchants, financial institutions, payment services providers, online communities, gaming & gambling, other online businesses
Contact: [email protected]
Geographical presence: Europe
Active since: 2013
Service provider type: Web fraud detection company, technology vendor
Member of industry association and/or initiatives: Merchant Risk Council

SERVICES
Unique selling points: Device Ident is an expert in device fingerprinting, specialising in recognition of desktop and mobile devices. Furthermore, clients can install the Fraud Manager to automatically filter and analyse their customer database based on strict rules and/or machine learning algorithms.
Core services: Device Fingerprinting Services. Fraud Detection and Analytics Software.
Pricing Model: Per transaction (device fingerprinting); software licence (fraud manager).
Fraud prevention partners: N/A
Other services: N/A
Third party connection: Yes

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: Yes
CNP transactions: Yes
Card Verification Value (CVV): No
Bin lookup: N/A
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: Yes
Velocity Rules – Purchase Limit Rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: N/A
Credit Rating: Yes
Follow up action: Scores and alerts via API or mail.
Other: N/A

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: N/A
POS: N/A
Call centre: N/A
Other: N/A

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: N/A
Other databases: Identity & address providers, credit scoring providers

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

CERTIFICATION
Type: N/A
Regulation: N/A
Other quality programs: N/A
Other remarks: N/A

CLIENTS
Main clients / references: For more details, please contact us at [email protected]
Future developments: For more details, please contact us at [email protected]

Company: ID Analytics, Inc.
ID Analytics is a leader in consumer and enterprise risk management with proprietary cross-industry data, patented analytics, and real-time insight into consumer behavior.

Website: www.idanalytics.com
Keywords for online profile: eCommerce, mobile, risk management, fraud, card not present, identity
Business model: Offer risk management solutions which utilise unique data and patented analytics to leading organisations.
Target market: Any company with an online presence: financial institutions, payment services providers, government services and online communities/web merchants.
Contact: Aaron Kline, Director of eCommerce, [email protected], 858-312-6200
Geographical presence: US
Active since: 2002
Service provider type: Digital identity service provider, web fraud detection company
Member of industry association and/or initiatives: MRC, ETA

SERVICES
Unique selling points: ID Analytics takes a comprehensive, identity-based approach to understanding and mitigating risk.
Core services: Risk management solutions for identity, eCommerce, authentication/compliance, and credit.
Pricing Model: Per-Click
Fraud prevention partners: iovation, ThreatMetrix, IdentityMind, Norse Corp
Other services: For more details, please contact our sales team.
Third party connection: For more details, please contact our sales team.

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: No
CNP transactions: Yes
Card Verification Value (CVV): No
Bin lookup: No
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: No
Velocity Rules – Purchase Limit Rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: Yes
Credit Rating: No
Follow up action: Yes
Other: No

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: No
POS: Yes
Call centre: Yes
Other: No

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: No
Other databases: No

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: For more details, please contact our sales team.
Multi-channel fraud prevention system: Yes

CERTIFICATION
Type: For more details, please contact our sales team.
Regulation: GLB
Other quality programs: For more details, please contact our sales team.
Other remarks: For more details, please contact our sales team.

CLIENTS
Main clients / references: Confidential
Future developments: For more details, please contact our sales team.

ONLINE IDENTIFICATION MADE EASY

Turn red-tape processes into a high-speed user experience using everyday devices. IDchecker’s EASY ONBOARD, STRONG ID and recently added FACELINK bring together our years of experience into one powerful solution for your business.

ENROLL AND VERIFY IN 3 SIMPLE STEPS

1. EASY ONBOARD
Use a smartphone’s camera or webcam to scan any ID document worldwide.

2. STRONG ID
Get the best global solution for online id document verification available.

3. FACELINK
Connect the person to the Identity Document with face recognition technology.

Reduce fraud and costs
Until now, asking your customer for proof-of-address or photo-ID in an online verification process meant asking them to step out of the online process. This increases the risk of customer drop-off and lost revenue. STRONG ID changes all that.

Optimize user experience
Thanks to a user-friendly capturing tool and fast ID document verification, customers can upload their documents with the devices they use every day. The easy-to-use (mobile) solutions will get them moving swiftly through the process.

A truly global solution
STRONG ID supports 3500 different types of passports, driver’s licenses and identity cards from every country on Earth. But it does more. It can also read and process utility bills, bank statements, credit cards, telephone bills and many more relevant documents.

Tying the person to the ID document
It gets even better. Meet and even exceed your KYC requirements by using face recognition technology to connect the actual person to the verified documents in real time. This is the only verification solution that absolutely guarantees your customer’s identity.

For more information please visit idchecker.com or contact us at [email protected]

Company: IDchecker.com
IDchecker turns red-taped KYC processes into a high-speed user experience using everyday devices. The market leading solutions EASY ONBOARD, STRONG ID and recently added FACELINK bring together many years of experience into one powerful solution.

Website: www.idchecker.com
Keywords for online profile: ID verification, biometric, idcheck
Target market: Online shoppers, Financial institutions, Payment services providers, Government services, Online communities/web merchants, Gaming & gambling, Other online businesses
Contact: [email protected]
Geographical presence: Europe: Amsterdam Area, The Netherlands, US: Bay Area, San Francisco, CA
Active since: 2006
Service provider type: Digital identity service provider, Technology vendor, Web fraud detection company
Member of industry association and/or initiatives: Merchant Risk Council

SERVICES
Unique selling points: Fast onboarding, strong verification, global coverage, stand-alone solution, easy integration for web and mobile.
Core services: ID document verification, biometric check, idcheck, person identification, onboarding, enrollment
Pricing Model: Transactional
Other services: Processing non-ID documents like utility bills, bank statements, credit cards.

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: No
CNP transactions: No
Card Verification Value (CVV): No
Bin lookup: No
Geo-location Checks: No
Device Fingerprint: No
Payer Authentication: No
Velocity Rules – Purchase Limit Rules: No
White list/black list database: No
KYC – Know Your Customer: Yes
Credit Rating: No
Follow up action: Additional authentication (out of band authentication) and transaction verification capabilities.

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: No
POS: Yes
Call centre: No
Other: No

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: None
Other databases: Commercial attribute providers, e.g. credit databases


FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: For more details, please contact us at [email protected]
Multi-channel fraud prevention system: For more details, please contact us at [email protected]

CERTIFICATION
Type: ISO 27001
Regulation: None

CLIENTS
Main clients / references: Undisclosed
Future developments: Undisclosed


Company: iovation Inc.
iovation protects online businesses and their end users against fraud and abuse through an industry-leading combination of advanced device identification, shared device reputation and real-time risk evaluation.

Website: www.iovation.com
Keywords for online profile: Device identification, online fraud prevention, mobile fraud protection, device reputation, enterprise risk management, web fraud detection, risk management, device fingerprinting
Business model: Deliver real-time SaaS risk analysis to businesses based on device-intelligence
Target market: Online retail, travel, shipping, logistics, airlines, telcos; Financial institutions; Prepaid Cards, Subprime Loans; Online communities/dating sites/social networks; Gaming/MMO; Gambling
Contact: Scott Olson, Vice President of Product, [email protected]
Geographical presence: Global service
Active since: Jun-04
Service provider type: Digital identity service provider; technology vendor, device reputation technology; web fraud detection company
Member of industry association and/or initiatives: Merchant Risk Council

SERVICES
Unique selling points: ReputationManager 360 is a real-time SaaS service that effectively tells our clients if a customer visiting their site is likely to be risky based on the client’s specific business rules for evaluating the transaction. iovation delivers a reputation score and recommendation for every transaction sent to us that allows our clients to use an automated workflow, determining if they should proceed with the transaction, pass it to the risk team for review, or deny it outright.
Core services: ReputationManager 360: Global Device Reputation Intelligence Services
Pricing Model: Per transaction fee based on system usage depending on volume, type of transaction, and length of contract.
Fraud prevention partners: Equifax, ID Analytics, Fiserv, Accertify, ReD, MaxMind
Other services: Fraud Force Community: iovation clients have access to an exclusive virtual crime-fighting network of the world’s foremost security experts sharing intelligence about cybercrime prevention, device identification and other fraud-related topics.
Third party connection: ReputationManager 360 delivers data in XML format, allowing output to be integrated easily with any third party systems.

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: While we do not offer AVS, ReputationManager 360 captures the IP Address and its geolocation, and can flag transactions from ‘blocked’ countries, as well as when mismatches occur between the IP Address shown by the user’s browser and the IP Address we collect with our Real IP proxy piercing feature.
CNP transactions: ReputationManager 360 service is used extensively for CNP transactions. Our Business Rules Editor allows clients to customise rules and rule sets for each customer touchpoint, including login, account creation, funds transfer and checkout, in order to detect high risk CNP transactions.
Card Verification Value (CVV): This service is handled through the customer’s payment processor.
Bin lookup: This service is handled through the customer’s payment processor.
Geo-location Checks: iovation clients can flag transactions when activity is coming from an unauthorised country, through a proxy, or use iovation’s Real IP technology to get the user’s actual location.
Device Fingerprint: ReputationManager 360 offers advanced device identification technology supporting native and web integrations for mobile and desktop devices. Our service recognises any Internet-enabled devices such as PCs, laptops, smartphones, tablets, smart TVs and more.
Payer Authentication: This service is handled through the customer’s payment processor. Our service does flag transactions that exceed custom transaction value limits, as well as credit card velocity.
Velocity Rules – Purchase Limit Rules: iovation’s velocity rules flag transactions when thresholds are exceeded. These may include situations where too many accounts are accessed per device, too many new accounts are created within a timeframe (seconds, minutes, hours, days), or the number of devices accessing an account has been exceeded within a certain timeframe. Specific rules include Accounts per Device, Accounts Created per Device, Devices per Account, Countries per Account, Countries per Device, Transactions per Account, Transactions per Device. Our service also flags transaction value thresholds, and credit card usage velocity.
White list/black list database: iovation clients can flag transactions based on custom-built lists. These lists can be positive or negative lists. List types include accounts, devices, IP ranges, ISPs, locations and others, and are easily managed with ReputationManager 360’s List Manager, which enables sharing lists across rule sets.
Device Anomaly Rules: iovation clients can flag transactions when device settings are anomalous and indicative of risk. While individual device characteristics may not be proof of risk, certain characteristics may be worth monitoring, and several in combination with each other may indicate attempts by the user to evade detection. An example of an anomaly associated with risk is when the time zone of the device differs from the time zone of its geolocation by more than 3 hours.
Risk Profile Rules: Profile rules look at the relative risk of specific combinations of device characteristics. When devices exhibiting similar profiles are active, the relative risk (a ratio of similar devices that are associated with ‘evidence’) is raised.
Evidence Rules (Fraud and Abuse Records): iovation clients can flag transactions that originate from an account or device already associated with fraud or abuse. Previous fraud or abuse is recorded in our system as ‘evidence’. The customer sets the types of evidence they want to consider, and decides whether to leverage only the evidence they log, or consider the evidence of other iovation subscribers.
Other Rules: ReputationManager 360 provides ‘age based’ rules to measure transaction risk. Rules include ‘Device new to customer’ and ‘New association’ (device and account not previously associated). For example, activity from a new device that has never previously been associated with an account in your system can be flagged, and offering an additional authentication step before giving account access might prevent unauthorised access.
KYC – Know Your Customer: N/A
Credit Rating: N/A
Follow up action: iovation ReputationManager 360 provides an Allow, Review or Deny response. Additional authentication could include out of band authentication.
Other: iovation offers three implementation choices: web service implementation, gateway, and through third-party platforms.

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: N/A
POS: N/A
Call centre: N/A
Other: N/A

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: N/A
Other databases: MaxMind - IP geolocation

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: Yes, iovation delivers comprehensive online fraud prevention for mobile, tablet and PC based transactions.
Multi-channel fraud prevention system: Our services focus on online transactions and complement a multi-channel prevention system.

CERTIFICATION Type N/A Regulation iovation supports FFIEC compliance by providing complex device identification, as well as with Phone Verification (Out of Band authentication). Other quality programms We follow strict Quality Assurance processes for new products and features, and offer Service Level Agreements (SLA) as part of our customer agreements. Other remarks Because iovation’s core ReputationManager 360 system utilizes fact-based reputation monitoring, our false positive rates are essentially zero. Forrester’s Total Economic Impact (TEI) study found a false positive rate of only 0.0028%. CLIENTS Main clients / references NetSpend, Bazaarvoice, GreenDot, Elance, Aviva Insurance, RevWorldwide, New Era Tickets Future developments For more information, please contact our sales team.

A UNIQUE PERSPECTIVE ON THE WORLDWIDE WEB FRAUD PREVENTION, SECURITY AND DIGITAL IDENTITY SPACE

Enhance Your Mobile Application With Real-time Credit Card or ID Scanning & Validation

Jumio’s solutions are designed to:

- Reduce fraud & chargebacks
- Increase revenue by reducing payment friction
- Create a ‘cool’ factor in customer experiences

Utilizing advanced computer vision technology, Jumio is a next generation credentials management company offering payments and ID scanning & validation products for mobile and web transactions. Designed to reduce fraud and increase revenue by minimizing friction in customer transactions, Jumio’s products integrate easily into mobile apps or websites and create great customer experiences.

For more information, visit jumio.com/paypers or contact [email protected]. See It. Believe it.

Company: Jumio Inc.
Utilising advanced computer vision technology, Jumio is a next-generation credentials management company offering payments and ID scanning and validation products for mobile and web transactions. Designed to reduce fraud and increase revenue by minimising friction in customer transactions, Jumio’s products integrate easily into mobile apps or websites and create great customer experiences. Jumio’s Netswipe and Netverify are widely used by leading retailers, marketplaces and financial institutions, including Western Union, Airbnb, Travelocity’s mobile apps and others.
Website: jumio.com
Keywords for online profile: ID verification, credit card scanner, ID scanner, online checkout tools, payment verification tool, increase shopping cart conversion, KYC, efficient account creation tools
Business model: Direct and through partners
Target market: Financial services; Payment services providers; Government services; Online communities/web merchants (e-commerce) & retail; Gaming & gambling & adult; Other online businesses
Contact: [email protected]
Geographical presence: Global
Active since: 2010
Service provider type: Digital identity service provider; Technology vendor; Web fraud detection company
Member of industry association and or initiatives: N/A

SERVICES
Core services: Credit card and ID scanning and verification solutions for websites and mobile applications.
Pricing Model: SaaS based pricing model
Fraud prevention partners: This information is not available yet
Other services: This information is not available yet
Third party connection: This information is not available yet

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: Yes
CNP transactions: Yes
Card Verification Value (CVV): Yes
Bin lookup: No
Geo-location Checks: Yes
Device Fingerprint: No
Payer Authentication: Yes
Velocity Rules – Purchase Limit Rules: No
White list/black list database: Yes black list/No white list
KYC – Know Your Customer: Yes
Credit Rating: Yes
Follow up action: No
Other: N/A

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: No
POS: Yes
Call centre: No
Other: N/A

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: No
Other databases: No

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

CERTIFICATION
Type: None
Regulation: KYC
Other quality programmes: PCI Level I
Other remarks: None

CLIENTS
Main clients / references: Airbnb, Travelocity, Transfast
Future developments: Bar code scanning, form fill capabilities


Company: Ogone BVBA/SPRL
Ogone, an Ingenico company, is a leading global online Payment Service Provider. More than 42,000 businesses in over 70 countries worldwide use Ogone to manage and secure their online and mobile payments, help prevent fraud and drive their business. Ogone’s scalable solution allows their customers to increase their checkout conversion and helps them enhance sales, both domestic and cross-border.
Website: www.ogone.com
Keywords for online profile: Ogone, payment, payments, gateway, online, merchant, internet, fraud, fraud detection, fraud prevention, mobile, collecting
Target market: E-commerce merchants, Financial institutions, Web developers, Referrers/Resellers/Partners, Online communities/web merchants, Gaming, Travel, Retail, Ticketing, Leisure, Utilities, Telecoms, General, Other online businesses
Contact: Ludovic Houri, Chief Sales Officer
Geographical presence: Global with over 200+ acquiring connections worldwide
Active since: 1996
Service provider type: Online payment service provider
Member of industry association and or initiatives: Various

SERVICES
Unique selling points: Seamless & secure, trusted online & mobile payments
Core services: Online payment processing, fraud prevention, reconciliation, mobile payments, collecting services
Pricing Model: Please contact our Sales Team – [email protected]
Fraud prevention partners: Ethoca, Perseuss
Other services: Consultancy, merchant account facilitation
Third party connection: Specific industry solutions partners: Amadeus, Sabre Airline Solutions, Radixx, micros fidelio, Ticketscript. Shop software connectors: Magento, ePages, Actinic, XT Commerce, OS Commerce, Oxid

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: Yes
CNP transactions: Yes
Card Verification Value (CVV): Yes
Bin lookup: Yes
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: Yes
Velocity Rules – Purchase Limit Rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: No
Credit Rating: No
Follow up action: Ogone fraud detection solutions provide the ability to review transactions where risk is identified, as well as to process authentication if a certain level of risk is identified. This last capability is available through the ‘Smart 3-D Secure’ functionality.
Other: Second layer of protection with Ogone Fraud Expert recommendation based on:
- Industry specific knowledge,
- Neural network capabilities with self-learning system,
- Cross-merchant intelligence.
Smart 3-D Secure deactivation. Managed services with ad hoc and monthly consultancies and reports.

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: No
POS: No
Call centre: Yes
Other: Please contact our Sales Team for more information – [email protected]

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: Please contact our Sales Team for more information – [email protected]
Other databases: Please contact our Sales Team for more information – [email protected]

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

CERTIFICATION
Type: HTTPS, SSL+, PCI-DSS Level 1

CLIENTS
Main clients / references: See website: www.ogone.com

Take control of the board.

Call ReD on +44 (0) 1483 728700 for a strategic advantage in the fight against payments fraud.

www.redworldwide.com

MAKING PAYMENTS SIMPLE AND SECURE.

Company: ReD (Retail Decisions)
Specialist provider of fraud prevention and payment services worldwide, for all payment transaction types to merchants, issuers, acquirers, processors and switches. Through our ReD Shield, ReD PRISM, ReDi and ReD Fraud Xchange solutions and ReD1 Gateway we protect over 17 billion transactions and gather data from 190 countries.
Website: www.redworldwide.com
Keywords for online profile: Online fraud prevention, e-commerce/online fraud, fraud analytics
Business model: Directly and indirectly, through partners
Target market: Online e-commerce merchants, financial institutions, payment services providers, government services, gaming, gambling, retail, telecommunications, travel and entertainment
Contact: Manish Patel ([email protected] or +44 1483 728700)
Geographical presence: Europe, Middle East, South Africa, Australia, China, North America and Latin America
Active since: 20+ years
Service provider type: Web fraud detection and prevention, technology vendor, fraud and risk consultancy, card present fraud prevention, payment solution provider
Member of industry association and or initiatives: Merchant Risk Council, IMRG, Fevad, Direct Response Forum, Vendorcom, Cross-Border Ecommerce Community

SERVICES
Unique selling points: Automated processes + dedicated support from expert risk analysts. Global fraud data, fraud solutions tailored to sector and customer needs, neural models and unlimited rules. Presence across the payments value chain, supporting merchant and issuer collaboration in the fight against fraud.
Core services: Online, IVR, call centre, mobile and card present fraud prevention; fraud and risk consultancy; payment services.
Pricing Model: Tailored pricing for services to meet customer needs.
Fraud prevention partners: ReD partners with leading PSPs around the globe (see a full list at www.redworldwide.com/partners)
Other services: N/A
Third party connection: Sample: Iovation, Quova, 192.com, WhitePages PRO

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: Yes
CNP transactions: Yes
Card Verification Value (CVV): Yes
Bin lookup: Yes
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: Yes
Velocity Rules – Purchase Limit Rules: Yes, unlimited and flexible
White list/black list database: Yes
KYC – Know Your Customer: Yes
Credit Rating: No
Follow up action: Yes
Other: Compliance list checking, AML, additional black lists

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: Yes
POS: Yes
Call centre: Yes
Other: N/A

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: Compliance list checking
Other databases: Commercial attribute providers, e.g. credit databases

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: No
Multi-channel fraud prevention system: Yes

CERTIFICATION
Type: PCI DSS v2.0, ISO 27001, ISO 9001, SAS70
Regulation: EU Data Protection, Safe Harbor
Other quality programmes: UK Payments Administration accreditation, Visa Account Information Security (AIS and CISP) accreditation, Amex Data Security Operating Policy
Other remarks: N/A

CLIENTS
Main clients / references: Sample: John Lewis, O2, Screwfix, Ikea, Liverpool Football Club, Karmaloop, Privalia, FinishLine, Rakuten.com, Singapore Airlines
Future developments: For further details, please contact the sales team.

Company: Signicat
Signicat is a secure identity cloud service provider with deep expertise in online electronic ID (e-ID), advanced electronic signatures and PKI solutions. Wide coverage of national and public e-IDs in Europe accessible through one single point of integration. Signicat offers a secure and smooth integration for more than 100 high customers cross border in industries like financial services, e-commerce and public sector. The services are available cross channel on multiple devices.
Website: www.signicat.com
Keywords for online profile: European e-IDs and e-Signatures as a Service
Business model: Cloud Services (SaaS)
Target market: Horizontal, with focus on financial services industry including card issuers and PSPs, telcos and government.
Contact: Arne Vidar Haug, VP Bus Dev & Ole Christian Olssøn, VP Sales
Geographical presence: Norway, Sweden, Denmark, Finland, Estonia, Lithuania, Latvia, Spain
Active since: 2007
Service provider type: E-identity service provider and e-signature services
Member of industry associations and initiatives: Kantara Initiative, STORK 2.0, ePractice.eu, OSWALD

SERVICES
Core services: Signicat offers customers access to a wide range of European national e-IDs and e-signature services including timestamping, long term archiving and re-signing as a service. The company also provides issuing of IDs like password with SMS-OTP and app-based Mobile ID.
Other services: Secure Forms, Single Sign-On based on pure SAML 1/2, ready made integration with IBM Tivoli, JAVA, .NET, SharePoint, Oracle IAM and WebCenter/UCM.
Unique selling points: We help customers extend customer relationships, dialogue and self service capabilities through our range of services. Connecting to available services through one standard interface (SAML 1/2, etc.) shortens time to market, improves ROI and offers customers the ability to focus on their core business.
Pricing model: One time Connection Fee, plus combination of monthly subscription and transaction fees.
Partners: Close relationships with ISVs, SIs, tech companies (IBM, Oracle, Microsoft) and Soliditet among others.

OFFERING: AUTHENTICATION TECHNOLOGY USED
Technology used: Cloud-based services on industrial standardised protocols like XML, SOAP, SAML and HTTP

AUTHENTICATION CONTEXT
Online: Yes, through our own cloud service including e-signature
Mobile: Yes, through our own cloud service including e-signature
ATM: N/A
Branch/Point of Sale: Standardised interfaces available for integration
Call Centre: Standardised interfaces available for integration
Other: Standardised interfaces available for integration for multiple services in need of authentication and digital signatures.

ISSUING PROCESS (IF APPLICABLE)
Assurance levels conformity: N/A
Online issuing process (incl lead time in working days): Self service process, issued in a minute. Establishment of solution takes approx. 2-5 days.
Face-to-face issuing (incl lead time in working days): Issuer process face-to-face is handled by public or national e-ID issuer dependent on country.
Issuing network: Online services like e-mail and SMS in addition to postal network, bank branches, notaries.

ATTRIBUTES OFFERED
Persons: Name, address, SSN, birthplace, age, country, etc. Information available depends on selected e-ID used.
Companies: Name, address, company registration no. (where applicable), procurists, signatory rights

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: Citizens public register, company register
Other databases: Commercial attribute providers, e.g. credit databases

CERTIFICATION
Type: ISA 3000 revision on ISO 27001 Information Security Policy in progress
Regulation: EU Signature Directive, ETSI in addition to the national directives for countries in Europe based on the EU Directive.
Other quality programs: OWASP, ETSI
Other remarks: Winner of IDDY (Identity Deployment of the Year) award 2009

CLIENTS
Main clients / references: Norwegian Post, SEB, If, Santander, Nykredit and Norwegian Educational State Fund among others.
Future developments: Continued support for new e-IDs in Europe including enhancements to signature solutions, e.g. German nPA, Dutch eHerkenning and Swiss SwissID.

INSIGHTS FROM TOP PLAYERS IN THE GLOBAL WEB FRAUD PREVENTION, DIGITAL IDENTITY AND SECURITY INDUSTRY

Is Your Online Visitor Good? Bad? Or Both?

With ThreatMetrix, You Will Know.

Would you like to stop account takeovers, payment fraud, and fraudulent account registrations on your site, before they happen? Cybercriminals are increasingly using malware on your customers’ laptops, desktops and mobile devices to commit fraud. This means your own customers may unwittingly be the source of fraud on your ecommerce or online banking website. The ThreatMetrix™ Cybercrime Defender Platform is the first industry solution that integrates sophisticated malware detection and advanced device identification technologies in a single, unified platform that you can have up and running in just days. It tells you, in real time, which visitor is a cybercriminal and which a good customer. Plus, you’ll know if the good customer has been infected with malware so you can block the malware while securely completing the transaction. Schedule a demo and we'll show you. You’ll see how to protect customer data and secure transactions against fraud, malware, data breaches, as well as man-in-the-browser (MitB) and Trojan attacks. You’ll see how this is done in real-time, leveraging a worldwide network sharing live fraud information. Plus, all this is done without relying on passwords, user names and cookies. Contact us to learn more.

Call +31 (0)70 8200 508 to schedule a demo, or visit www.threatmetrix.com

© 2013 ThreatMetrix. All rights reserved. ThreatMetrix, the ThreatMetrix Cloud-Based Fraud Prevention Platform, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Company: ThreatMetrix
ThreatMetrix is the fastest-growing provider of integrated cybercrime prevention solutions, processing over 500 million login, payment and wire transfers monthly. ThreatMetrix’ TrustDefender Cybercrime Protection Platform helps companies prevent unauthorised access to web and mobile applications, protect sensitive data and secure transactions against account takeover, payment fraud, identity spoofing, and malware.
Website: www.threatmetrix.com
Keywords for online profile: Account takeover, fraud, identity spoofing, malware, user authentication, payment fraud, digital identity, mobile payments
Business model: Direct and through partners
Target market: Online shopping, Financial institutions, Payment services providers, Government services, Online communities/web merchants, Gaming & gambling, Other online businesses
Contact: [email protected]
Geographical presence: Worldwide
Active since: 2005
Service provider type: Digital identity service provider, Web fraud detection; Technology vendor; Web fraud detection company
Member of industry association and or initiatives: Merchant Risk Council (MRC)

SERVICES
Unique selling points: ThreatMetrix protects customer data and secures transactions against fraud, malware, data breaches, as well as man-in-the-browser (MitB) and Trojan attacks in real-time, leveraging a worldwide network sharing live fraud information. Plus, all this is cost-effectively done without relying on passwords, user names and cookies.
Core services: Integrated device identification and malware detection SaaS. Malware protection client. Mobile SDK. Professional services
Pricing Model: Based on services and products needed.
Fraud prevention partners: Accertify, ActivIdentity, Cybersource, Entrust, Imperva, IQT, Qast Software Group, SIA, SignatureLink, Veda Advantage, Verifi, Zoot
Other services: N/A
Third party connection: Yes

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: Yes
CNP transactions: No
Card Verification Value (CVV): No
Bin lookup: No
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: Yes
Velocity Rules – Purchase Limit Rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: No
Credit Rating: Yes
Follow up action: Risk score and alerts
Other: N/A

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: No
POS: No
Call centre: No
Other: N/A

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: Yes
Other databases: Yes

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

CERTIFICATION
Type: N/A
Regulation: N/A
Other quality programmes: N/A
Other remarks: N/A

CLIENTS
Main clients / references: Rabobank, BestBuy.com, Microsoft, Xoom, GoPro, eMerchantPay, markt.de, Lloyds
Future developments: For more information, please contact us at [email protected].


Company: Wirecard AG
Wirecard AG is one of the world’s leading independent providers of outsourcing and white label solutions for electronic payment transactions. Wirecard’s global multi-channel platform bundles international payment acceptances, methods and fraud prevention. Wirecard provides companies with an end-to-end infrastructure for issuing products, including the requisite licenses for card and account products.
Website: www.wirecard.com
Keywords for online profile: E-commerce, risk management, acquiring, issuing, fraud prevention, transaction checks, consumer checks, decision logic
Business model: Please contact Wirecard for more information.
Target market: Airlines, Hotels, Travel Sites, Travel Agents, Cruise Lines, Mail order, TV Shopping, Brick and mortar shops, Direct sales, Distributions, Downloads (Music/Software), Sports betting, Poker, Casino, Games, MNO, Financial Institutions
Contact: [email protected] | +49 89 4424 1400
Geographical presence: Europe, Middle East/Africa, Asia/Pacific
Active since: 1999
Service provider type: Web fraud detection and prevention, payment service provider, global payment gateway, issuing processing platform, mobile wallet platform, acquirer, processor, issuer, bank, call center
Member of industry association and or initiatives: Please contact Wirecard for more information.

SERVICES
Unique selling points: Industry-specific and customisable fraud prevention models, continuous improvement of fraud prevention models based on direct access to fraud notifications of issuing banks, check of all transactions per merchant on every sales channel (eCom, mobile/mPOS, MOTO, POS + BSP/ATO/CTO for airlines) due to close technical integration with Wirecard Bank as acquirer
Core services: Fraud Prevention for card payments and alternative payment methods, credit scoring, decision logics for credit limit calculation, transaction checks, merchant monitoring
Pricing Model: Flexible pricing model
Fraud prevention partners: Wirecard is integrated into multiple third party fraud prevention partners
Other services: Fraud analytics for customers, international address verification
Third party connection: Providers of negative databases, credit agencies, international phone number verification

TECHNOLOGY: ANTI-FRAUD DETECTION TOOLS AVAILABLE
Address verifications services: Yes
CNP transactions: Yes
Card Verification Value (CVV): Yes
Bin lookup: Yes
Geo-location Checks: Yes
Device Fingerprint: Yes
Payer Authentication: Yes
Velocity Rules – Purchase Limit Rules: Yes
White list/black list database: Yes
KYC – Know Your Customer: Yes
Credit Rating: Yes
Follow up action: Additional authentication (out of band authentication) and transaction verification capabilities.
Other: Fraud Prevention Suite with detailed Business Intelligence tools, 3D-Secure, CUP-Secure.

AUTHENTICATION CONTEXT
Online: Yes
Mobile: Yes
ATM: Yes
POS: Yes
Call centre: Yes
Other: Industry-specific sales channels, e.g. BSP/ATO/CTO for airlines, mPOS

REFERENCE DATA CONNECTIVITY
Connectivity to governmental data: Sanction lists, e.g. EG 2580/2001, EG 881/2002, US DPL, US SDN, US entity list
Other databases: Commercial attribute providers, e.g. credit databases, PEP screening

FRAUD MANAGEMENT SYSTEM TYPE
Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

CERTIFICATION
Type: e.g. PCI-DSS certified; for more information please contact Wirecard.
Regulation: KYC (KWG 24c), Anti-money Laundering (AML)
Other quality programmes: N/A
Other remarks: N/A

CLIENTS
Main clients / references: More than 15,000 merchants from various industries.
Future developments: N/A