Memorandum by Visa Europe
EXECUTIVE SUMMARY
Visa Europe is a payment solutions company owned
and controlled by over 4,500 European member banks. The company's
role is to provide products and services that make transactions
fast, secure and convenient.
Visa secures the payment system by building
multiple layers of protection around each component of the transaction
chain. We are constantly striving to improve security. As a result,
the overall fraud rate (fraud to sales by cards issued) is at
an all time low of just 0.051 per cent. Due to the introduction
of Chip and PIN, counterfeit fraud has been reduced. The fastest
growing type of fraud, however, is "card not present",
which now accounts for 40 per cent of cases. Visa has introduced
a number of tools to help cut this type of fraud. These include
Verified by Visa, which makes online transactions more secure;
CVV2, which makes mail order and telephone order transactions more
secure; Address Verification Service, which allows for the authentication
of cardholder details; and an Electronic Commerce Indicator, which
validates e-commerce transactions.
Visa Europe is currently piloting Dynamic Passcode
Authentication, which will make a further contribution to a safer
online environment. VISOR (Visa Intelligent Scoring of Risk) is
Visa's fraud detection system which uses neural networking technology
to assess the validity of individual transactions. Account Information
Security is designed to protect sensitive account and transaction
data in the retail environment. It is currently being adopted
across Europe. A variety of other technologies are explained in
the attached paper.
Visa Europe has a dedicated resource that is
responsible for investigating the phishing emails and contacting
the host to get such sites shut down. In April 2006, Visa signed
an agreement with the Child Exploitation and Online Protection
Centre (CEOP). CEOP provides a single point of contact for the
public, law enforcers and the communications industry, enabling
suspicious activity to be reported direct, 24-hours a day. CEOP
also offers advice to parents and potential victims.
Visa is committed to increasing and developing
new forms of internet security. It understands the seriousness
of the issue and the wide ranging damage that can be caused, not
just financially, but to confidence in the whole economic system.
ABOUT VISA EUROPE
Visa Europe is a leading payment solutions company
owned and controlled by over 4,500 European member banks. Through
our brand, services, systems and operating regulations, we enable
our member banks to meet the needs of their customers and merchants
but also to take part in the global Visa system.
Our role is to provide products and services
that make transactions fast, secure and convenient. To achieve
this, we connect the different parties in the payment process.
Through Visa:
- Issuing banks provide consumers with
  a universal payment method.
- Consumers benefit from convenience
  and security.
- Retailers benefit from speed, lower
  cash handling costs and security and provide their customers with
  a popular payment service.
- Acquiring banks provide retailers
  and merchants a popular, universal way to accept payments.
Visa has recently announced plans to globally
restructure its organisation. Its businesses in the USA, Canada,
Asia Pacific, Latin America and Caribbean, Central and Eastern
Europe, Middle East and Africa (CEMEA) will be merged to become
a publicly-traded company, Visa Inc. In Europe, Visa Europe will
remain as an independent membership association, owned and governed
by its 4,500 European member banks.
The decision to retain Visa Europe's membership-owned,
not-for-profit association structure, will enable it to directly
support the development of the European internal market in payments
and the Single Euro Payments Area (SEPA). At the same time, Visa
Europe will receive an exclusive licence from Visa Inc, ensuring
global inter-operability.
FRAUD - GENERAL
There are many parties involved in a Visa transaction - a
cardholder, a merchant, often a processor, and issuing and acquiring
banks. Visa secures the global payment system by building multiple
layers of protection around each component of the transaction
chain. Occasionally criminals may exploit one component of the
payment system, but our multiple layers of protection respond
quickly and minimise impact to cardholders. Sophisticated neural
networks rapidly identify suspicious activity and allow banks
to take action.
From the moment we plan an activity, we do all
we can to minimise risk and maximise confidence through our security
initiatives. Our approach is to anticipate, analyse and address
issues, provide guidance and clear communication, while fostering
co-operation.
To remain one step ahead of criminals, Visa
continuously enhances security by improving technologies, leading
cross-industry collaborations and working with law enforcement
authorities. Visa also supports consumer education and awareness
programmes. Many of these advances are targeted at protecting
online purchases and securing data in the digital world. Visa
aims to prevent fraud, and when it does occur, to minimise the
impact. As a result of our efforts, the overall Visa Europe fraud
rate (fraud to sales by cards issued) is at an all-time low of
just 0.051 per cent. Due to the introduction of chip and PIN in
the UK, counterfeit fraud has been reduced. The fastest growing
fraud type is now "card not present" (CNP) which accounts
for 40 per cent of fraud. Visa has a wide armoury of tools to
combat CNP fraud (fraud in the telephone, mail order/telephone
order (MOTO) and internet environment).
VERIFIED BY VISA (VBV) - MAKING ONLINE TRANSACTIONS MORE SECURE
Verified by Visa is an authentication system
based on cross-industry standards. A free service to the cardholder,
Verified by Visa provides proof that a genuine cardholder and
a genuine Visa retailer are taking part in an online transaction.
Cardholders who enrol for the scheme choose
their own password. When they make a purchase at participating
Verified by Visa e-tailers, they are prompted for the password
to prove they are who they say they are.
In the UK, there are currently over 12,000 retailers
signed up to Verified by Visa, including NEXT, Dixons, Dabs, British
Airways, John Lewis, Opodo and Tesco, and numbers are growing
fast. In the UK, there are more than three million cardholders
enrolled in Verified by Visa and this number is increasing by
90,000 to 120,000 per month. Approximately one in eight online
UK Visa transactions are Verified by Visa transactions.
CVV2 - MAKING MAIL ORDER/TELEPHONE ORDER (MOTO) TRANSACTIONS MORE SECURE
Particularly for telephone orders and online
shopping, one of the most effective yet simple security measures
is the three-figure CVV2 number - a "static" authentication
code - printed on the reverse of the card on the signature
stripe. Merchants request the number as evidence that the shopper
has possession of the card when making a purchase. CVV2 numbers
have been incorporated on all UK cards for some years.
ADDRESS VERIFICATION SERVICE (AVS) - AUTHENTICATING CARDHOLDER DETAILS
AVS provides another level of security, by authenticating
the billing address on the card. In the event the card has been
stolen or cloned, corresponding billing address info will not
be available. If the billing address details are incorrect or
not known, this is flagged to the issuing bank which can decline
authorisation.
ELECTRONIC COMMERCE INDICATOR (ECI) - VALIDATING E-COMMERCE TRANSACTIONS
ECI indicates e-commerce transactions and identifies
the merchant type, ie: flowers, hotel, etc. This allows banks
to identify such transactions and make informed authorisation
decisions. E-commerce transactions which pass through the Visa
system are grouped and reported to Visa member banks.
DYNAMIC PASSCODE AUTHENTICATION - CREATING A SAFER ONLINE ENVIRONMENT
Another advance - known as "dynamic
passcode authentication" - is being piloted by Visa Europe.
Dynamic passcode authentication brings the added security of chip
and PIN to online transactions and is being gradually rolled out
by Member banks for e-commerce transactions at VbV merchants.
We are currently exploring how dynamic passcode authentication
can work for telephone order transactions (using VbV) and pilots
are being planned in a few major markets within Europe.
Devices (known as "Form Factor") to
enable dynamic passcode authentication can vary but generally
the cardholders would be given a pocket-sized reader. Each time
the cardholder makes a purchase at a Verified by Visa e-tailer,
they insert their card into the handheld reader. They then type
into the reader's keypad their PIN code - validating they
are in possession of their card - and prompting the reader
to generate a one-time "dynamic" passcode based on chip
and PIN cryptographic algorithms. When the cardholder comes to
pay at the website's checkout page, they type in their card number
and this will generate a request for the dynamic passcode. For
added security the cardholder may be given a "challenge"
that would also be entered into the reader and together with the
PIN, a "response" would be generated by the reader that
would be sent securely to the Member bank for verification.
The dynamic passcode authentication is therefore
based on "two factor" authentication ie testing that
the card is in the cardholder's possession and that the individual
knows the corresponding PIN code. The one-time passcode is useless
for subsequent transactions and the reader is always offline and
therefore not at the mercy of hackers.
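The passcode and challenge-response flow described above, modelled as an added example that is not Visa's implementation or part of the memorandum: HMAC-SHA256 over a transaction counter and a shared key stands in for the chip and PIN cryptographic algorithms, which the memorandum does not specify. The class and function names, the eight-digit length, the look-ahead window and the sample key, PIN and challenge are all assumptions.

```python
import hashlib
import hmac

DIGITS = 8   # passcode length shown on the reader (assumed)
WINDOW = 5   # unused passcodes the bank tolerates before desync (assumed)

def derive_passcode(key: bytes, counter: int, challenge: str = "") -> str:
    """Stand-in for the card cryptogram: HMAC-SHA256 over counter and challenge."""
    msg = counter.to_bytes(4, "big") + challenge.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)

class Card:
    """Chip card in the offline reader: the key never leaves this object."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin
        self._counter, self.tries_left = 0, 3

    def generate(self, pin: str, challenge: str = "") -> str:
        if self.tries_left == 0:
            raise PermissionError("PIN blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = 3
        self._counter += 1          # every passcode uses a fresh counter value
        return derive_passcode(self._key, self._counter, challenge)

class IssuerVerifier:
    """Member bank: shares the card key and remembers the last counter accepted."""
    def __init__(self, key: bytes):
        self._key, self._last = key, 0

    def verify(self, passcode: str, challenge: str = "") -> bool:
        """Try only counters above the last accepted one, so a replay fails."""
        for ctr in range(self._last + 1, self._last + 1 + WINDOW):
            expected = derive_passcode(self._key, ctr, challenge)
            if hmac.compare_digest(passcode.encode(), expected.encode()):
                self._last = ctr
                return True
        return False

def demo() -> dict:
    key = bytes(range(16))          # constructed sample key
    card, bank = Card(key, "4921"), IssuerVerifier(key)
    first = card.generate("4921")
    out = {"fresh": bank.verify(first), "replay": bank.verify(first)}
    card.generate("4921")           # passcode generated but never submitted
    out["after_skip"] = bank.verify(card.generate("4921"))
    resp = card.generate("4921", challenge="730518")
    out["wrong_challenge"] = bank.verify(resp, challenge="000000")
    out["right_challenge"] = bank.verify(resp, challenge="730518")
    try:
        card.generate("0000")
    except PermissionError as exc:
        out["bad_pin"] = str(exc)
    return out

if __name__ == "__main__":
    print(demo())
```

The replay is rejected because the verifier never retries a counter at or below the last one it accepted, which is the property the memorandum describes as the passcode being useless for subsequent transactions.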
In addition to measures targeted specifically
at protecting CNP transactions, Visa has other security measures,
which protect banks, retailers and cardholders from fraud in all
purchasing situations. These include:
VISA INTELLIGENT SCORING OF RISK (VISOR) - VISA'S FRAUD DETECTION SOLUTION
VISOR is a Visa Europe fraud detection solution
that employs neural networking technology, which mimics the processes
of the human mind to assess the likely validity of individual
transactions. Every transaction that passes through VisaNet is
closely scrutinised by VISOR. VISOR uses a number of components
to provide a highly accurate score you can rely on.
Components include:
- Visa Europe Model - trained and
  refreshed once a year with both current fraudulent and genuine
  spending patterns.
- Sophisticated fraud detection rules.
Each time a transaction passes through VisaNet
it is automatically routed to the VISOR neural network for analysis
and scoring. The transaction will pass through the Visa Europe
model, cardholder and merchant profiles and will generate a score
based on the interactions between the profiles and the model.
The higher the score, the higher the probability of fraud. The
issuing bank can then decide whether to authorise or decline the
transaction.
In addition to providing accurate risk scores,
VISOR also acts on sophisticated fraud detection rules to target
particular types of high-risk transactions. Rules are specifically
useful when combating emerging fraud trends or "flash frauds"
that would otherwise not be detected by the neural network. Rules
can be global, country or Member specific.
ACCOUNT INFORMATION SECURITY (AIS) PROGRAMME
The AIS programme is designed to protect sensitive
account and transaction data in the acceptance environment, when
it is used and stored at merchants and third-party service providers.
The programme protects the interests of all participants - banks,
merchants and cardholders.
Visa was the first in the industry to create
such a programme, including standards, best practices and self-assessment
security tools. AIS is now a cross-industry standard (known as
PCI DSS - payment card industry data security standard). In
order to qualify as "AIS compliant", individual banks,
merchants and service providers have to prove that they meet standards
controlling their data handling and storage procedures. AIS is
currently being adopted across Europe.
OTHER PROGRAMS AND INITIATIVES
Visa Europe systems constantly monitor transactions,
detecting patterns which require investigation, checking identities
and validating payments. We know where risks are prevalent and
where vulnerable points need to be observed or addressed.
Visa Merchant Alert Service (VMAS)
The Visa Merchant Alert Service combines monitoring
programmes for issuers and acquirers alike, identifying disproportionate
losses, especially in cross-border transactions.
The service allows acquirers to assess a merchant's
past record before signing them up. At every opportunity we help
connect a network of anti-fraud organisations through the regular
publication and sharing of relevant data. A database of terminated
merchants is also made available.
Risk Identification Service (RIS)
The objective of RIS is to help Acquirers reduce
fraud by identifying merchant locations where risk-related activity
is taking place. The RIS system gathers and analyses transaction
and fraud data from a variety of sources and compares risk-related
activity occurring at merchant locations against a set of parameters
(also known as Visa standards). If risk activity at a merchant
exceeds any of the parameters, RIS produces an identification
report that is sent to the Acquirer for investigation. Depending
on the severity of the identification, ie which parameter has
been exceeded and by how much, Visa may require additional action
to be taken to control the fraud.
Visa Account Bulletin (VAB)
The Visa Account Bulletin is an online tool
used to alert member banks to specific account numbers that may
be at risk or of immediate concern. In the event of accounts being
compromised the Visa Account Bulletin is a rapid and secure distribution
tool that provides account numbers to each specific member.
The application focuses on distribution to Issuers,
and uses the Issuer BIN (first six digits on the card), extracted
from the account number in order to contact the Issuer. The Issuers
are contacted via email and the account number details are stored
on VOL (Visa Online, a dedicated Visa extranet application). Once
the Issuer has received an email alert, they should log onto the
system and download account numbers, and details of the alert.
Alerts are sent to some or all issuing banks,
depending on the situation, drawing their attention to issues
and actions required to contain the problem. There is also a news
section, which summarises recent developments, as well as a link
through to the Global Fraud Information Service (GFIS).
Global Fraud Information Service (GFIS)
The GFIService is an online resource, providing
timely information and tools to the wider fraud-fighting community - ie
beyond the immediate Visa network.
GFIS publicises trends, issues alerts, provides
information about investigations, and lists contacts (within Visa,
its members and law enforcement bodies). GFIS also publicises
products, programmes, relevant courses and best practice guides.
With a useful search facility, it enables Visa,
its members and global contacts to stay updated and equipped in
the battle against fraud, both regionally and worldwide. GFIS
also provides benchmarking data to enable banks to compare performance
against their competitors.
ANTI-PHISHING MEASURES
Criminals have developed effective and sophisticated
methods to collect personal information from unsuspecting cardholders
by using emails and also "spoofing" legitimate Internet
websites. Unsuspecting cardholders are caught in these schemes
where their Visa account information or personal information is
captured and then used to commit fraud. Visa Europe has a dedicated
resource that is responsible for investigating the phishing emails
and contacting the host to get sites shut down. Visa actively
informs its members by placing alerts on the GFIS to inform and
communicate these phishing instances.
TRAINING AND EDUCATION
A vital aspect of Visa's work is training and
educating members and law enforcement agencies. By providing a
range of courses and best practice guides we help members to gain
a better understanding of the issues relating to CNP fraud and
how to combat the problem using some of the risk management tools.
Also, we maximise every opportunity to provide advice to cardholders
on this matter through our PR activities and via our website.
A course we have recently developed is focused
on the Internet and Phishing. It is aimed at fraud investigators
at member banks to inform them of the tools and methods available
for tracing and combating Internet fraud and phishing.
When shopping online, many of the simplest and
most effective preventative measures are in the hands of cardholders.
Visa advises customers:
- If suspicious, check an e-tailer's
  security credentials or call its customer helpline for reassurance.
- Only use a computer that has appropriate
  levels of up-to-date security eg anti-virus software and a firewall.
- Keep passwords private and change
  them often. Create passwords that would be difficult to guess,
  preferably a mix of letters and numbers.
- Keep transaction records, just as
  you would save your receipt in a shop, including the merchant's
  contact details and internet address.
- Beware of unauthorised e-mails or
  sites requesting information such as PINs; do not divulge information
  unless given explicit instructions by your bank. Do not accept
  instructions via e-mail, as these may be fraudulent.
- When asked to provide payment details,
  ensure you are at the correct site. Check for the presence of the
  "padlock" security symbol in the browser window and
  click on the padlock to reveal information regarding the owner
  of the website security certificate.
CEOP - THE CHILD EXPLOITATION AND ONLINE PROTECTION CENTRE
Visa cards and products are not to be used for
any unlawful purposes. While laws governing child pornography
may vary from country to country, we are unequivocal about our
position on this activity. Very simply, we do not allow Visa products
to be used to facilitate these transactions.
Visa will work with its members to ensure that
acceptance privileges are terminated for any merchant dealing
in child abuse images anywhere in the world, irrespective of local
laws or customs.
Visa will continue to support a programme to
combat, and if possible, prevent its products being used for the
acquisition of such material.
In April 2006, Visa signed a three-year partnership
agreement with the newly created Child Exploitation and Online
Protection Centre (CEOP). CEOP provides a single point of contact
for the public, law enforcers and the communications industry,
enabling suspicious activity to be reported direct, 24-hours a
day. The unit, staffed by about 100 police, computer technicians
and child welfare specialists, also offers advice to parents and
potential victims.
Visa will provide financial support and all
its knowledge and resources to strengthen CEOP's finance desk,
which identifies people engaged in the sexual exploitation of
children for profit and sets out to confiscate offenders' assets
and disrupt their activities.
CONCLUSION
Visa is committed to increasing and developing
new forms of internet security. It understands the seriousness
of the issue and the wide ranging damage that can be caused, not
just financially, but to confidence in the whole economic system.
Visa believes that Government could do more
to promote new anti-fraud measures by using them within its own
services to citizens. For instance, by asking HM Customs and Revenue
and HMSO to use Verified by Visa, many more people could be encouraged
to sign up to the service. This would make the whole payments
environment more secure.
Whilst Visa realises that the Government alone
cannot deal with the whole issue of personal Internet security,
we believe that more can be done to get consumers to take responsibility
for keeping their financial information secure. Government departments
are well placed to do this and Visa would be happy to support
any government initiative highlighting the seriousness of this
issue to the public.
October 2006