Security and Risk Backgrounder
The payments industry faces increased security challenges as payment card counterfeiters and other criminals employ more sophisticated techniques and technologies to defraud financial institutions and their customers.
MasterCard® has been an industry leader internationally and here in Canada in developing security features, including the first tamper-evident signature panel, the use of three-dimensional holograms and card validation codes. As criminals become increasingly resourceful, MasterCard continues to build on its history of innovation by developing and delivering new security initiatives that strengthen fraud prevention.
As the Internet continues to grow as a channel of commerce for consumers and businesses, the security of payment information has never been more critical. MasterCard is focused on implementing best practices and technologies to protect its member financial institutions, consumers and merchants from online fraud while ensuring their privacy is respected. The following provides a brief sample of the technologies and programs MasterCard is using to fight fraud and protect financial transactions.
TECHNOLOGIES AND PROGRAMS
MasterCard develops and supports innovative technologies that protect Canadian consumers and merchants from card fraud and unsafe transactions when purchasing products or services person to person, by phone and mail, or over the Internet. Through its many fraud-fighting programs, MasterCard Canada works proactively with its members, the industry, law enforcement and the public to build consumer confidence and increase the security of transactions. More details on some of the initiatives mentioned below can be found on MasterCard Canada’s website at www.mastercard.ca.
MasterCard Site Data Protection (SDP) Service™ – In the spring of 2001, MasterCard announced a solution to assist online merchants in defending against Internet hackers. MasterCard SDP is a multi-tiered, comprehensive set of global e-commerce and financial security services designed to help protect the websites of its members and online merchants. SDP proactively defends against hackers by identifying possible vulnerabilities in an acquirer or merchant’s online system and makes recommendations for short- and long-term security improvements. This includes Internet fraud, which leads to charge backs, damage to brand image and consumer concerns about the safety of their account numbers. Unlike other hacker prevention services that are referral-based, MasterCard delivers SDP directly to its acquiring members, who in turn will offer the service to merchants.
MasterCard Secure Payment Application (SPA™) – With the growing number of online payment transactions, MasterCard has developed an innovative solution for securing credit and debit payments between cardholders, online merchants and member financial institutions. SPA provides the online merchant with the equivalent of a cardholder signature, thus providing assurance that the issuer has verified the cardholder prior to completion of the payment transaction. Based on an open specification, SPA is easily implemented because it readily integrates into existing issuer security solutions, including server-based wallets and pseudo-account numbers. The solution is also flexible with payment transactions conducted via smart cards, PDAs, cell phones and other wireless devices.
Universal Cardholder Authentication Field (UCAF™) – MasterCard has developed a universal standard called UCAF™ for use by members, merchants and MasterCard in collecting and transporting accountholder authentication data generated by issuer and accountholder security solutions. UCAF is intended to be security scheme independent and offers standardized fields and messages used by merchants and MasterCard members to collect and transport authentication information. Once collected by a merchant and their acquirer, this information is communicated to the issuer in the payment authorization request and provides explicit evidence that the transaction was originated by the accountholder. UCAF is intended to be a universal platform that supports a variety of issuer security and authentication approaches, including SPA, issuer servers, smart cards and more. Having this universal payment mechanism simplifies compatibility and interoperability issues, and keeps costs relatively low when new technologies or upgrades are implemented.
SET Secure Electronic Transaction™ – The SET™ protocol safeguards personal information contained on a consumer’s credit and debit cards. SET uses the highest level of data encryption to transport customer data and payment information over the Internet. Digital certificates enable parties to positively identify each other, much in the same way that a driver’s license or passport does.
Card Validation Code 2 (CVC2) – CVC2 consists of a three-digit value uniquely derived for each account and indent printed, not embossed, on the tamper-evident signature panel of all MasterCard cards. This is one way that a merchant can verify that the cardholder physically has the card in their possession in a card-not-present environment.
RiskFinder™ – MasterCard’s proprietary neural network – RiskFinder – developed in collaboration with HNC Software, Inc., is an advanced system for detecting fraud in near real time. RiskFinder models are built using MasterCard’s broad range of historical Banknet data and provide extremely accurate predictions. RiskFinder scores both credit and debit transactions and has received excellent performance reviews. This technology helps MasterCard members in the early detection and prevention of fraud.
Smart Cards – MasterCard is investing in the development of smart card technologies that will provide a whole new level of security. Digital identification can be placed on a smart card, making it totally portable and the ultimate security tool. Once consumers have a smart card imbedded with their digital identification, they can take that card anywhere, insert it into any personal computer that has a chip reader, enter their personal identification number (PIN) and begin shopping or receiving information securely. Smart cards offer consumers greater mobility and added security by ensuring that someone cannot sit down at a computer and pose as the cardholder simply by logging on, as the physical card must be present and inserted into a card reader. As smart cards are introduced around the world, hardware manufacturers are increasingly installing smart card readers as standard equipment on their PCs.
Biometrics – Since 1995, MasterCard has researched biometric technologies that use unique physical characteristics to positively identify cardholders. MasterCard has rolled out a biometrics program utilizing finger minutiae at its Purchase, N.Y.-based headquarters. The next step in this approach is to match the image value calculated from the finger minutiae with the value stored on a smart card. The smart card, operating on the MULTOS platform, would ultimately combine functionality such as stored value and loyalty to the physical and logistical access applications, and would allow all to coexist on a secure platform.
System to Avoid Fraud Effectively (SAFE) – As the central repository for fraud data within MasterCard, SAFE supports fraud prevention programs and security efforts. All MasterCard issuers are required to report fraudulent transactions to SAFE at least monthly. SAFE then generates reports for both issuers and acquirers, which include peer group, country, worldwide and basis point information. SAFE serves as the data feeder for other security and risk management programs like RiskFinder and various merchant audit programs.
Member Alert to Control High-Risk (Merchants) (MATCH)/ Special Merchant File – MATCH is a file of merchants who have been terminated for cause. It is available either online or through batch process. The Special Merchant File, a sub file of MATCH, contains a list of merchants who have been classified as special merchants as a result of an audit or other information developed by MasterCard. MATCH acts as an important tool to help assess risk prior to a member signing a merchant. Through MasterCard’s partnership with another global payment company, the power of MATCH has been significantly increased.
Fraud Velocity Monitoring – A formidable first line of defense against fraudulent activity, the Fraud Velocity Monitoring program provides an early warning of suspicious authorization activity using two powerful tools: Authorization Velocity Monitoring (AVM), which can alert issuers to suspicious cardholder activity; and Merchant Velocity Monitoring (MVM), which can alert acquirers to questionable merchant activity.
First Alert – First Alert provides an early warning to member financial institutions on a daily basis by identifying transactions occurring on accounts that have been classified for credit or fraud reasons. The warnings come in the form of specialized reports tailored for acquirers or issuers. Members can customize the information that appears on their daily reports.
Address Verification (AVS) – AVS protects against fraudulent card use in non-face-to-face transactions by verifying the cardholder's billing address during the authorization process.
Merchant Audit and Excessive Counterfeit Special Merchant Program – The merchant audit program consists of three components – watch, violator, and merchant tracking. The watch and violator components continually track merchant transactions for fraudulent activity, alerting member institutions to merchant locations having a fraud/sales ratio greater than the set parameters. For merchants identified by the violator program, acquirers must either accept charge back liability or terminate the merchant.
The merchant tracking program identifies merchants that have exceeded violator program parameters with one acquirer and have simultaneous merchant agreement(s) with another acquirer.
The excessive counterfeit special merchant program audits the worldwide merchant base and identifies merchants with excessive numbers of counterfeit transactions. Acquirers must then either terminate the merchant or accept charge back liability.
Fraud Strategy Forums – Fraud Strategy Forums are composed of MasterCard members and staff and are held regularly throughout the world. These meetings provide staff with feedback on security programs and insight for future efforts. Additionally, regional task forces have been established to work with law enforcement to respond to local fraud concerns and other regional issues.
MasterCard Alerts – MasterCard Alerts is a personal computer application that enables law enforcement agencies worldwide, MasterCard security and risk staff, and MasterCard members' security and risk staff to interact directly regarding fraudulent activities and concerns. MasterCard Alerts is available through MasterCard Online to member security personnel worldwide.
Working with Members and Law Enforcement – MasterCard has established a number of additional programs with international and Canadian law enforcement agencies and members to investigate fraudulent transactions, including:
- A 24-hour Law Enforcement Hotline, providing a direct line to law enforcement agencies worldwide
- Operations reviews of issuers and acquirers with high-fraud activity
- Investigative support to members and law enforcement agencies
- Vendor inspections to assure compliance with minimum security standards
- Security Administration Management Services (SAMS), providing specialty services that offer members expert guidance in processing workflow management
$0 Liability for Unauthorized Use – MasterCard cardholders in North America have protection from losses related to unauthorized card use regardless of when the loss or theft of a card is reported, per the zero-dollar liability limit policy.
MasterCard Canada is committed to educating its member financial institutions and cardholders about fraud. The programs below illustrate the broad scope and intensity of that commitment.
Best Practices – MasterCard provides educational materials that identify best practices for issuers and acquirers, which focus on industry proven methods of combating fraud. MasterCard has also taken into account the virtual environment and continues to develop best practices for combating new types of online fraud as well.
Law Enforcement Training Seminars – MasterCard engages in law enforcement training seminars around the world. It provides critical training in areas often overlooked by multi-tasked law enforcement agencies. Every year here in Canada, MasterCard partners with the International Association of Financial Crimes Investigators to train new law enforcement officers. MasterCard also regularly participates in local and national police conferences.
Educational Videos – MasterCard has designed a number of videos to educate members and merchants about fraud prevention.
Government – MasterCard Canada routinely interfaces with RCMP, Canadian Bankers’ Assoc., Canada Post, Customs & Immigration, Phonebusters, Industry Canada, and counterpart organizations throughout the world to help facilitate investigations and prosecution of financial payment card fraud.
Legislation – MasterCard Canada actively pursues the development of fraud legislation to protect accountholders in countries throughout the world that lack such statutes, or where such legislation is deemed ineffective. For example, MasterCard recently joined several industry partners to lobby for changes to the Canadian Criminal Code to define laws and penalties specific to counterfeit payment cards.