
First Data: fraud worldwide


DESCRIPTION

In this presentation First Data presented some interesting fraud cases and hands-on tips to prevent fraud.


Online fraud is still a big problem and as long as the number of online shoppers continues to grow, so will the number of fraud cases. According to the European Central Bank there were 7.9 million cases of fraud with a value of 1.16 billion euros in 2011, of which 56% took place in e-commerce.

European Merchant Services organizes the EMS RISK EVENT annually for retailers who are active in e-commerce and multichannel. It is an excellent opportunity to increase your knowledge in the field of online fraud, risk management and advanced fraud prevention and detection tools. We help you to stay ahead of online fraudsters and to protect your online business by sharing the knowledge and experience of our fraud and risk experts, our customers and our partners.

Do you want to attend next year’s EMS RISK EVENT?

Please contact the EMS Marketing Department at T +31 20 660 3054 or send an email to [email protected].

For more information visit www.emscard.com/riskevent


© Copyright 2011 | First Data Corporation

Fraud Worldwide

24th September 2013


Agenda

• First Data Credit and Risk Management

• Merchant Portfolios

• Security / Fraud Functions

• Detections / Investigations

• Current Issues and Case Examples


First Data Credit and Risk Management

• First Data Corporation – Global industry leader with over 40 years payment processing

• Serving over 6 million merchant locations worldwide

• Credit and Risk Management – Integral group within First Data’s Global Finance Team.

• Responsible for identifying risk scenarios and preventing significant loss

• 370 employees located in 16 locations across 13 countries

• Security Fraud Management Team – manages potential fraud risk through daily monitoring of entire merchant base to uncover unusual Credit and Debit card activity

• On average over 100,000 merchants break various rules each month


Merchant Portfolios EMEA/APAC

• Australia

• Brunei

• Germany

• Hong Kong

• India

• Ireland

• Italy

• Macau

• Malaysia

• Netherlands

• Poland

• UK

(Close working relationship with our colleagues in the US)


Security / Fraud Functions

• Merchant Monitoring

• Identify & Mitigate Fraud

• Merchant Protection

• Fraud Reduction / Disruption

• Scheme Adherence

• Fraud Investigations

• Merchant Communication

• Education / Credit Issues

• Mitigation

• Termination

• Scheme Issues

• Data Compromise

• Support Law Enforcement


Detections / Fraud Investigations

System Detections

• Jan – July 2013: 187,549

• Year End 2012: 421,437

Fraud Reviews

• Jan – July 2013: 7,811

• Year End 2012: 13,734


Current Fraud Issues

• The majority of frauds are organised and carried out by career criminals who make a living by deliberately and systematically cheating others

• Robust tools and procedures with a multi-layered approach are required to detect and prevent fraud

• Protect the weakest link and company profits


Card Not Present Fraud

Fraud has migrated to CNP with the introduction of Chip & PIN and the growth of Internet Commerce

• Organised Fraud / Merchants Targeted

• Social Engineering

• Warning signs

• Indiscriminate or bulk orders

• Multiple card numbers

• Orders from overseas

• In store collection

• Unusual requests – cash wires

• Create and follow robust procedures

• Fraud detection solutions – Validate customer, Velocity, IP & phone checking

• Industry solutions, AVS, Card Security Code, 3DSecure

• Train all staff to recognise and deal with fraud / Sense check orders

• Maintain records of fraud


Card Not Present Case Study

• Hospitality merchants across EMEA are being targeted with CNP fraud scams

• Hotels, Restaurants, Travel related services, Coaches, Tours

• These are usually email bookings for the merchant's usual services

• Merchants may be duped into taking payment for additional services

• Translator / Tour Guide

• Bulk quantities of alcohol / food / goods

• Money transfers

• Payment is often made over several cards, usually some are declined & US cards often feature

• At the last minute the booking is cancelled with a request to return funds:

• to a bank account

• or via a money transfer
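The velocity checking named on the Card Not Present slide, applied to the payment pattern in this case study (several cards, some declined, overseas issuers), as an added example that is not part of the presentation. The thresholds, the merchant country, the field layout and the rule names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed look-back window
MAX_CARDS = 2                  # assumed: distinct cards tolerated per contact
MAX_DECLINES = 2               # assumed: declines tolerated per contact
MERCHANT_COUNTRY = "NL"        # assumed merchant location

def velocity_alerts(attempts):
    """attempts: (timestamp, contact, card_token, issuer_country, approved).
    card_token is a gateway token, never the card number itself.
    Returns {contact: sorted names of the rules that fired}."""
    recent = defaultdict(deque)    # contact -> attempts inside the window
    alerts = defaultdict(set)
    for ts, contact, card, country, approved in sorted(attempts):
        q = recent[contact]
        q.append((ts, card, approved))
        while ts - q[0][0] > WINDOW:
            q.popleft()            # forget attempts older than the window
        if len({c for _, c, _ in q}) > MAX_CARDS:
            alerts[contact].add("multiple_cards")
        declines = sum(1 for *_, ok in q if not ok)
        if approved and declines >= MAX_DECLINES:
            alerts[contact].add("approved_after_declines")
        if country != MERCHANT_COUNTRY:
            alerts[contact].add("overseas_card")
    return {k: sorted(v) for k, v in alerts.items()}

def at(day, hour, minute=0):
    return datetime(2013, 9, day, hour, minute)

# Constructed sample data, not taken from the presentation.
SAMPLE = [
    (at(2, 9), "slow@example.test", "tok_a", "NL", True),
    (at(4, 9), "slow@example.test", "tok_b", "NL", True),
    (at(6, 9), "slow@example.test", "tok_c", "NL", True),
    (at(24, 10, 0), "group@example.test", "tok_7", "US", False),
    (at(24, 10, 5), "group@example.test", "tok_8", "US", False),
    (at(24, 10, 9), "group@example.test", "tok_9", "US", True),
]

if __name__ == "__main__":
    for contact, rules in velocity_alerts(SAMPLE).items():
        print(contact, rules)
```

The first contact uses three cards but days apart, so the sliding window keeps it clear; the second contact trips all three rules within ten minutes and would go to manual review before any service is delivered.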


Card Not Present Case Study

1st Email

DEAR SIRS,

ME AND MY FAMILY WANT TO KNOW IF YOU HAVE SOME SPACE IN YOUR REPUTABLE HOTEL FOR OUR SUMMER HOLIDAY.WE PROPOSE THE DATE AS (CHECKING ..14TH AUGUST /2010,. CHECKOUT. 31TH AUGUST/2010

NAMES..(1) MR AND MRS XIE(1 DOUBLE ROOM)(2) MUSILIU XIE 20 YEARS ( 1 SINGLE ROOM)(3) SAHEED XIE 18 YEARS (1 SINGLE ROOM)(4) TAOFEEK XIE 16 YEARS (1 SINGLE ROOM)

LET ME KNOW THE CONDITION OF YOUR CANCELLATION INCLUDED .KINDLY QUOTE THE PRICE AND THE CONDITION,IF AVAILABLE,CALCULATE THE ALL NIGHTS TOTAL TOGETHER FOR 3 SINGLE ROOMS AND 1 DOUBLE ROOM,LET ME KNOW THE CREDIT CARD TYPE YOU WELCOME FOR THE PAYMENT.THANKS FOR YOUR ANTICIPATEDBUSINESS RELATIONSHIP AND COOPERATION.

Last Email

Dear Silvia,

I got a huge problem in my life at the moment. My wife is at the hospital since last 2 days. she got LEUKEMIA DISEASE !!!!! BLOOD CANCER!!!! which is so difficult for me to explain.Therefore.It has been confirmed from my bank that the amount of € 6.655as been deducted from my Credit card for the reservation i made in your Hotel.I sincerely apologise for any inconvenience this might have caused your hotel and i do understand that you have been holding the reservations for somedays now and might attract a cancellation fee.

Unfortunately, I lost my wallet during the process of saving my wife's life.kindly transfer my money less the cancellation fee to my Bank account stated below since my credit cards were lost together in wallet.I have contacted my cards issuer to stop any transactionfor now until I get a replacement.

Bank Name : Name on Account..Account number: Sort code..Iban: bic:


Card Present – Point of Sale

• Suspicious customer behaviour

• Avoiding eye contact, nervous or aggressive behaviour

• Attempts to distract sales staff

• Difficulty remembering PIN

• Use of a ‘friend’s’ card

• Swiped transactions / Counterfeit Cards

• Damaged signature panels / blurred printing

• Card numbers on the front and back of card not matching

• Follow terminal and processing procedures

• Protect your terminal in the same way as your cash register

• Authorisation

• Never accept an authorisation code from a cardholder

• Or following a phone call from a 3rd party


Refund Fraud

• Organised Hacks

• Merchant’s user account information compromised

• Criminal hacks into the merchant's payment gateway / 3rd party software

• Criminal submits credit refunds to card accounts lined up for fraud abuse

• Bogus Engineers

• Merchant Visits

• Telephone Calls

• Staff Fraud

• Create and follow robust procedures

• Train staff

• Store IDs and Passwords in encrypted form

• Change passwords regularly (lifespan of no more than 90 days)

• Be vigilant towards social engineering – email and VOIP phishing

• Undertake reconciliation of source debit transaction

• Only refund card with original sale / do not give cash refunds
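One way to automate the last two controls on this slide (reconcile each refund against its source debit, and refund only to the card of the original sale), as an added example that is not part of the presentation. The record layout, identifiers and reason codes are assumptions.

```python
from decimal import Decimal

def reconcile_refunds(sales, refunds):
    """sales: {sale_id: (card_token, amount)} taken from the settled-sales ledger.
    refunds: dicts with id, sale_id (None when keyed without a sale), card_token, amount.
    Returns (approved_ids, rejected) where rejected maps refund id -> reason."""
    refunded = {}                      # sale_id -> total refunded so far
    approved, rejected = [], {}
    for r in refunds:
        sale = sales.get(r["sale_id"])
        if sale is None:               # refund keyed with no source debit
            rejected[r["id"]] = "no_original_sale"
            continue
        card, sale_amount = sale
        if r["card_token"] != card:    # credit aimed at a different card
            rejected[r["id"]] = "card_differs_from_sale"
            continue
        if r["amount"] <= 0:
            rejected[r["id"]] = "invalid_amount"
            continue
        total = refunded.get(r["sale_id"], Decimal("0")) + r["amount"]
        if total > sale_amount:        # partial refunds may not exceed the sale
            rejected[r["id"]] = "exceeds_sale_amount"
            continue
        refunded[r["sale_id"]] = total
        approved.append(r["id"])
    return approved, rejected

# Constructed sample data; tokens stand in for card numbers.
SALES = {"S100": ("tok_a", Decimal("100.00")), "S101": ("tok_b", Decimal("59.90"))}
REFUNDS = [
    {"id": "R1", "sale_id": "S100", "card_token": "tok_a", "amount": Decimal("40.00")},
    {"id": "R2", "sale_id": None,   "card_token": "tok_x", "amount": Decimal("2190.00")},
    {"id": "R3", "sale_id": "S101", "card_token": "tok_x", "amount": Decimal("59.90")},
    {"id": "R4", "sale_id": "S100", "card_token": "tok_a", "amount": Decimal("60.00")},
    {"id": "R5", "sale_id": "S100", "card_token": "tok_a", "amount": Decimal("0.01")},
]

if __name__ == "__main__":
    ok, bad = reconcile_refunds(SALES, REFUNDS)
    print("approved:", ok)
    for rid, reason in bad.items():
        print("rejected:", rid, reason)
```

A refund keyed on the instruction of a caller, with no sale behind it, lands in `no_original_sale` and can be held before settlement.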


Refund Fraud Case Study

• July – August 2012 refund fraud attempted

• 70 merchants received telephone calls by bogus terminal engineer

• 38 merchants were tricked into processing refund transactions and in some cases sale transactions into their merchant facility

• 69 Refunds totalling 151,121 keyed by merchants

• Detection system identified and blocked majority of refunds

• Sales were processed to reverse the refunds that were processed

• Emergency strategy deployed to stop the fraud

• Majority of fraud mitigated

• IPSO and UK Cards Association raised awareness and education to merchants via press coverage, TV and radio interviews

• Same scam attempted this summer but most merchants aware of the scam and few refunds were processed


Third Party Processing

• Merchant approached to process for a 3rd party

• Usually involves high risk products / services such as Time Share or brand damaging products / services

• Cardholders do not recognise the merchant name on their statement and chargebacks are received

• Merchant chargeback liability

• Card Scheme non compliance / possible penalties


Third Party Processing Case Study

• Early 2012 a legitimate EMS travel merchant engaged a businessman to buy his dormant letting company

• The travel merchant promised to acquire the dormant company only if the businessman was able to obtain a merchant acquiring facility

• The businessman was able to obtain a merchant acquiring facility from a UK acquirer and then sold his company for 7,000 Euros to the travel merchant

• In August 2012 the travel merchant refunded all transactions he had processed via EMS during the months of June and July

• EMS was able to stop these illegitimate refunds

• He then went on reprocessing all transactions via the letting company in the name (and liability) of the businessman in an attempt to be credited a second time

• Thanks to the actions taken by EMS and the UK acquirer, the travel merchant was arrested

• He is currently under house arrest and waiting to be prosecuted for the fraudulent actions he had committed during the 2012 summer


Data Compromise

• Card data remains a top commodity for fraudsters

• Data is plentiful and relatively easy to convert to cash

• Card data is easy for criminals to buy on the internet

• This data is utilised against merchants to facilitate CNP fraud

• Forensic Investigation

• Cost of compliance / deadlines

• Scheme penalties

• Protect your customers' card data and personal identifier information

• Protect your reputation


Data Compromise Case Study

• In 2012 EMS was informed that the Romanian police arrested an individual and found a file with 40,000 card numbers

• All card numbers were used at one merchant of EMS

• A forensic investigation started immediately to try to identify the causes

• It was found that administrator and critical user accounts on the merchant environment were configured with weak and easily guessable passwords

• Personal firewall was not properly configured, allowing connections to the main servers from outside the internal network

• The environment was not properly configured: configuration and settings files containing authentication passwords in clear text were found on the merchant’s server

• Fraudsters had been able to access the merchant’s environment, due to weak protection, and were able to harvest card data

• Following the investigation the merchant was found responsible for not complying with PCI DSS and was therefore charged 10,000 Euros by Visa and 3,000 Euros by MasterCard, plus having to cover the investigation costs (25,000 Euros)


Questions?

Julie Sanders

[email protected]

0044 (0)1268 296265

Simone Aurighi

[email protected]

0031 (0)20 6603016