Treasury and Trade Solutions | Citi Commercial Cards
A History of Achievement. A Future of Innovation. | October 2015
2015 Citi Annual Training Conference Processing Platform Upgrade & Fraud, Misuse and Abuse Update
Presentation Agenda 1. Processing platform upgrade 2. How are cards compromised? 3. How thieves use these stolen accounts 4. Citi’s approach to fighting fraud 5. How you and your cardholders can help fight fraud
A History of Achievement. A Future of Innovation. 2
Processing Platform Upgrade (TS2)
Benefits of the Processing Platform Upgrade Citi has made a strategic investment decision to upgrade to the TS2 platform. This upgrade will allow Citi to serve our clients more efficiently and will deliver numerous client benefits.
A History of Achievement. A Future of Innovation.
4
Citi Client Engagement Primary impact to clients will be to its interfaces with Citi, including field formats and values contained in files exchanged with Citi.
A History of Achievement. A Future of Innovation.
5
Fraud Update
Fraud Overview Credit Card Fraud occurs when one individual illegally obtains the account number of another with the intent to utilize the information to make purchases.
• Credit Card Fraud is an industry-wide issue, regardless of brand • Issuers, Acquirers, Merchants and Consumers all work toward fraud prevention • Historically, fraud was easier to detect and mitigate… – Fraud used to follow patterns that included: • High-value transactions that did not fit into T&E or P-card portfolios such as Jewelry and Electronics • Test transactions intended to validate stolen card data ($1 gas or vending machine auth) – Now fraud is happening: • At lower dollar amounts and at common merchant types like grocery stores and gas stations • In the home area of the cardholder
A History of Achievement. A Future of Innovation. 7
Detection Challenges Detecting and mitigating fraud is a balance. At Citi, our goal is to keep card-usage high but fraud low. Industry trends and client needs dictate how this is done.
• Cardholder account data is obtained through multiple compromise events and comingled making detection of CPP difficult; Additionally merchant information is sold alongside the stolen card numbers so that fraud transactions can be centralized to the home area of the cardholder
Top 10 Merchants with Fraud: 1. Gas Pumps 2. Airlines 3. Grocery Stores 4. Hotels
• Fraud transactions are intended to “blend” with normal card use, such as low-dollar use at common merchant locations
5. Restaurants
• An uptick in fraud centered around T&E merchants, including airlines, railways, hotels and restaurants means that activity completely normal for a traveler now have to be scrutinized for potential fraud
8. Convenience Stores
A History of Achievement. A Future of Innovation. 8
6. Home Supply Stores 7. Miscellaneous Stores 9. Travel Agencies 10. Electronics Stores
Citi’s Fraud Strategy What we are doing?: Citi is investing in
What are we doing?:
2015 New Product Launches including: Chip & PIN, 3D Secure and Tokenization How it benefits you?: Blocks fraud via PoS, Online channels and Protects your data
What are we doing?: Citi
in-house Black Ops resources troll blackmarket sites to detect breaches Ensuring that all fraudulent charges are credited back to your accounts How it benefits you?: Assures you receive all fraud charges removed from bill Innovation, Efficiency, Simplicity.
9
industry leading models and tools How it benefits you?: Help catching fraud sooner and prevent loss
Upgrading fraud models and rules engine How it benefits you?: Reduced negative cardholder experience at PoS, improved falsepositive rate, increased positive detection rate
Analytics
New Product Development
Citi’s Fraud Strategy
Security Operations
What are we doing?:
Fraud Rules and Scoring
Customer Contact Strategy
What are we doing?:
Communicate timely and via multiple channels when fraud occurs (email, voice and text) How it benefits you?: Shorter timelines, increased contact rates and less PoS disruptions and claims
Chip and PIN Cards: How they work! Watch the Chip and PIN cards video to learn more
A History of Achievement. A Future of Innovation. 10
Chip and PIN Migration Chip and PIN cards are the next generation of payment card technology
October 1st is the date of the fraud liability shift All Active accounts should have already received a new Chip card. Accounts that were not reissued were closed by Citi on Oct.1 Mag Stripe only cards have been deactivated Some Chip cards activated but no PIN set Cardholder Confusion with Chip & Signature Merchants in the U.S. are expected to continue rapidly enabling their terminals with Chip capabilities Program Administrators can access additional information on the Citi website to include in cardholder communications In-depth discussion on Chip and PIN will continue during presentations and roundtable discussions today A History of Achievement. A Future of Innovation. 11
Customer Contact Strategy We have extended our communication channels to include voice, 2-way email, 2-way text and voice notifications, to help minimize cardholder impacts Benefits to Clients
Key Features
Security: Verify charges by replying to Citi’s text message—free of charge
SMS and Voice Two way text and voice message alerts to potentially fraudulent activity on your account Two-way text allows cardholders to easily report fraud and approve transactions
Timeliness: Receive immediate notification of suspect transactions for immediate action
E-mail Notice Our one and two way e-mail notifications are another way for you to stay in touch—whether you’re at your desk, out of the office or traveling abroad
Convenience: Confirm or refute suspicious activity immediately, even when traveling
E-mail
SMS
Voice
Sends e-mail to the cardholder
Citi sends Text Message (SMS) to the cardholder
Recorded system places call to the cardholder
Cardholder confirms or denies charge by calling Citi
Cardholder confirms or denies charge thru SMS or by calling Citi
Cardholder confirms or denies charge during call with Citi
A History of Achievement. A Future of Innovation.
12
Strictly Private and Confidential
Security Operations We work to ensure that all fraudulent charges are credited back to the account, dependent upon the cardholder returning the Declaration of Unauthorized Use form Receiving Credit for Fraud Transactions • At the time of account closure, cardholders are advised about the Declaration of Unauthorized Use form, which is sent via email • In accordance with association guidelines, cardholders have 60 days from transaction date to return the form, which can be sent back electronically, by mail or fax • Once the form has been received and pending any additional investigation, credits are issued within 1-2 billing cycles • Cardholders should review their statements to ensure all credits have been received A History of Achievement. A Future of Innovation.
13
Product Development – Chip & PIN Merchants and issuers in the US have begun converting systems to allow for Chip-enabled transactions. As such a shift will occur with fraud tactics. How Does it Work?
UK Fraud Trends Pre and Post Chip&Pin Rollout
Credit cards have embedded microchips Microchip generates a dynamic one-time use token (a cryptogram)
11%
29% 2003
Prevents the data being reused to create counterfeit cards Requires a PIN instead of a signature to verify the transaction
2%
7%
8%
13% 10%
2013
27%
67% 26%
CNP
Counterfeit
Lost/Stolen
Mail fraud
ID Theft
What’s the Benefit? Fraudsters today are able to obtain magnetic stripe data and produce duplicate cards However, the microchip cryptogram is unable to be duplicated Does this Eliminate Fraud? It helps, but fraud will shift to other channels We can expect a drastic drop in counterfeit (card-present) fraud but an uptick in online (card-not-present) fraud
Source: Verizon, UK Cards Association Fraud Statistics and TSYS/Euromonitor.
14
Canadian Payment Card Fraud Losses Post Chip & Pin
New Product Development –3D Secure •
3D Secure is an Online fraud prevention tool which shares data between merchants and issuers to help improve fraud detection
•
Provides an additional layer of security and utilizes cardholder specific behavior models to evaluate transactions for fraud
•
Branded as MasterCard Secure Code™ or Verified by Visa™
•
In a small percent of cases where we have reason to suspect fraud, U.S. cardholders may be prompted to enter a one-time password to complete the transaction
•
One-time passwords are sent via email or text message or through a series of question and answers
•
One-time passwords will go-live May 23rd and is expected to impact