
WEB FRAUD

PREVENTION,
ONLINE
AUTHENTICATION
&
DIGITAL IDENTITY
MARKET GUIDE
2015 / 2016

LATEST TRENDS
AND INSIGHTS INTO
SECURING DIGITAL
IDENTITIES AND
TRANSACTIONS

MRC - Building Better Commerce - Fraud & Payments Professionals

"In the ever-evolving and highly complex ecommerce industry, The Paypers Web Fraud Guide is a vital resource for fraud professionals. It encompasses a wealth of information on the latest security developments, fraud prevention strategies, digital challenges and upcoming web trends. This Guide is of great value because it is a compilation of past year insights and future expectations."
Danielle Nagao, CEO, MRC

"Ecommerce Europe is pleased to endorse The Paypers Web Fraud Prevention, Online Authentication & Digital Identity Market Guide. The analysis is a reliable reference source on the latest trends in the digital identity & web fraud ecosystem for both payment fraud professionals and readers interested in getting more in-depth information in this field."
Elaine Oldhoff, Ecommerce Europe


WEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY MARKET GUIDE 2015 / 2016
LATEST TRENDS AND INSIGHTS INTO SECURING DIGITAL IDENTITIES AND TRANSACTIONS

AUTHORS
Mirela Amariei, Tiberiu Avram, Ionela Barbuta, Simona Cristea, Oana Ifrim, Sebastian Lupu, Mihaela Mihaila, Andreea Nita, Adriana Screpnic

RELEASE
VERSION 1.0
DECEMBER 2015
COPYRIGHT THE PAYPERS BV
ALL RIGHTS RESERVED
LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONS

Introduction

When it comes to security and fraud, we can safely state that 2015 has been a time of great change, and 2016 will definitely follow the same trend. The online world as well as the payments landscape have been witnessing considerable transformation for a while now. The latest technology developments, regulatory changes and the entire digital revolution that has been under way for the last couple of years have made a significant impact on virtually every aspect of the financial and payments industry. However, in the middle of all these groundbreaking changes, internet fraud remains a constant reminder of the fact that with greater opportunities come greater risks. The numerous, almost never-ending data breaches and the tremendous rise of cybercrime in basically every sector have shaken consumers' confidence regarding privacy and data protection.

Considering this evil face of the transaction space, it has become quite clear for all market players that measures ought to be taken to block further increasing levels of payments fraud. With this in mind, retailers, fraud prevention services providers, payment service providers and policy makers have begun to feel the pressure and are currently struggling to develop advanced fraud prevention solutions and establish a legal framework in order to keep fraudsters at bay and maintain sensitive data secure.

Therefore, taking into account that fraud detection & prevention, online security, risk management, digital identity and consumer authentication are instrumental in defining and securing the transactional ecosystem, special attention must continue to be paid to these aspects. As The Paypers is committed to delivering an annual analysis of the current state of affairs of the industry and to pointing out the key participants that are setting the scene for future developments in the fight against fraud, a new edition of the Web Fraud Prevention, Online Authentication & Digital Identity Market Guide has been compiled.

Featuring a two-part structure, the latest edition provides payment professionals with up-to-date data on the major cybersecurity highlights that have influenced the industry in 2015. Part 1 is a series of insightful perspectives on key aspects of the global digital identity transactional & web fraud detection space from industry associations and leading market players. In 2015, the transactional space has been mostly influenced by the long-awaited October deadline for the US EMV migration. With the new chip-embedded credit and debit cards as well as the new POS terminals, experts from the Smart Payment Association express their fear that fraudsters will focus their efforts on other vulnerabilities in the payments ecosystem, including ecommerce and m-commerce channels. Moreover, according to a survey conducted by Fattmerchant, despite the fact that 72% of businesses have not adopted EMV-compliant technology, the migration is still expected to lead to a considerable increase in card-not-present (CNP) fraud. The topic of EMV and its impact on US businesses is also approached by CardinalCommerce, which provides advice on how merchants can protect themselves against CNP fraud.

Part 1 also includes valuable input regarding projects and measures aimed at regulating the way data is collected, stored and processed. Hence, Time.lex provides an insight into the Safe Harbour agreement and what it means to merchants and web shops. Additionally, on the regulation front, the EPC shares an interesting perspective on the EBA Guidelines on the security of internet payments.

Key matters such as machine learning and the need for a more coordinated collaboration between technology and human development have been highly debated by ACI Worldwide and Feedzai and briefly addressed by Risk Ident in an interview.

As always, cross-border ecommerce is at the forefront of the industry. Bearing in mind that an increasing number of companies decide to expand across borders, it has become more obvious that fraud is one of the most challenging barriers that needs to be overcome. Ecommerce Europe presents e-ID schemes as a solution to improve data protection and to increase convenience and consumer trust. All these major points are complemented by interesting perspectives on the Internet of Things and a new concept in managing identities, the Identity of Things (IDoT).

Additionally, in the case of fraud vs consumer authentication & verification, contributions from Consult Hyperion, the Biometrics Institute, MyBank, Natural Security Alliance and Wirecard feature unique views on the importance of authenticating online transactions. Finally, other thought leaders and some of the major industry associations which have provided their valuable input include Accertify, Signicat, the MRC, Neira Jones and Perseuss. They have all provided a resourceful analysis of the ever-changing digital identity, web fraud prevention and detection landscape. Part 2 of the Guide is an outline of in-depth company profiles which allows readers unprecedented access to the global digital identity & web fraud market and complements the industry analysis.

The Web Fraud Prevention, Online Authentication & Digital Identity Market Guide is an insightful reference source highlighting key facts & trends in the global digital identity transactional and web fraud prevention & detection ecosystem.

Table of contents

INTRODUCTION

THOUGHT LEADERSHIP SECTION

TRENDS & DEVELOPMENTS IN SECURING THE TRANSACTIONAL ECOSYSTEM
10  Securing the User's Shopping Experience: Five Fraud Trends from 2015 | Markus Bergthaler, Global Director of Programs and Marketing, MRC and Mike Splichal, Program Manager, MRC US
12  Confronting Card Fraud in the Global Travel Industry 2005 - 2015 | Jan-Jaap Kramer, Chairman, Perseuss
14  Transacting with Retailers Is Now Omnichannel and So Is Fraud | Mark Beresford, Director, Edgar, Dunn & Company
16  Exclusive interview with Neira Jones | Advisory Board Member & Ambassador, Emerging Payments Association

19  BEST PRACTICES IN IDENTIFYING FRAUDSTERS & PREVENTING FRAUD LOSSES
20  Machine Learning: Keeping Us One Step Ahead of Fraudsters | Jackie Barwell, Director of Fraud and Risk Product Management, ACI Worldwide
22  Addressing Delivery and Returns Fraud to Protect Profits | Catherine Tong, General Manager, Accertify
24  Exclusive interview with Roberto Valerio | CEO, Risk Ident
26  Myths About Machine Learning | Dr. Pedro Bizarro, Chief Science Officer, Feedzai
28  Work Smart: Does Your Fraud Team Suffer from Decision Fatigue? | Mark Goldspink, Chief Executive Officer, ai Corporation
30  The Future is Mobile | Neil Caldwell, VP European Sales, CyberSource
32  360-Degrees Fraud Management: Securing the Customer Journey | Hugo Löwinger, Digital Identity & Fraud Management, Innopay
34  E-ID: Fraud and Risk Prevention in Cross-Border Ecommerce | Elaine Oldhoff, Ecommerce Europe

37  REGULATION, PRIVACY AND DATA PROTECTION
38  Security of Internet Payments: the EBA Two-Step Approach | Javier Santamaría, Chair, The European Payments Council
40  How EMV will Change Online Business in the US | Michael Roche, VP of Consumer Authentication, CardinalCommerce
42  Doing Business in Europe? Mandatory Data Protection Compliance in Every Single Country | Edwin Jacobs, Partner, time.lex
44  Will EMV Eliminate Card Fraud in the US? | Nicolas Raffin, President, Smart Payment Association

47  STRONGER CONSUMER AUTHENTICATION TO COMBAT ECOMMERCE FRAUD
48  Moving Beyond Passwords: Next Steps in Consumer Authentication | Carlos Häuser, Executive Vice President, Wirecard AG
50  Tokenization: From Account Security to Digital Identity | Tim Richards, Principal Consultant, Consult Hyperion
52  Exclusive interview with Isabelle Moeller | Chief Executive, Biometrics Institute
54  Bring Your Own Authentication: The Next Revolution against Web Fraud | André Delaforge, Head of Communication Advisory Committee, Natural Security Alliance

57  INSIGHTS INTO ELECTRONIC IDENTITIES IN EUROPE
58  Digital Marble - Onboarding in the Age of Electronic Identity | Gunnar Nordseth, CEO, Signicat
60  Electronic Identity Verification: How MyBank Can Help | Fatouma Sy, Head of Product Development, MyBank and John Broxis, Managing Director, MyBank

63  DIGITAL IDENTITIES AND TECHNOLOGIES AT THE HEART OF SECURITY
64  Identity of Things (IDoT): A New Concept in Managing Identities | Emma Lindley, Managing Director, Innovate Identity
66  The Advent of IoT: Are We Facing A Trade-off Between Convenience & Security? | Ionela Barbuta, Senior Editor, The Paypers

68  COMPANY PROFILES

110  GLOSSARY

THOUGHT LEADERSHIP

TRENDS & DEVELOPMENTS IN SECURING THE TRANSACTIONAL ECOSYSTEM

MRC
Securing the User's Shopping Experience: Five Fraud Trends from 2015

As ecommerce enters its third decade, competition among companies to attract and retain customers is as intense as ever. While global Business-to-Consumer ecommerce sales (excluding travel and event tickets) are projected to hit a staggering USD 1.6 trillion in 2015, this total represents less than 7% of worldwide retail sales. It is clear that ecommerce still has tremendous growth potential. With that in mind, we have examined five ecommerce fraud trends as 2015 draws to a close.

1. Account takeover
Fraudsters can and will target any company or consumer who is vulnerable. As larger businesses invest more resources to prevent large-scale compromises and breaches, a greater number of small and medium-sized businesses are expected to be targeted. The use of mobile two-factor authentication is a growing trend to help protect customer accounts. In this case, a one-time use code is sent to the consumer's mobile phone via SMS or a special app as an additional layer of account validation. Biometrics are also expected to play a larger role in consumer authentication as more smartphone models with fingerprint readers are sold and companies experiment with alternatives to passwords such as selfies.

2. Omnichannel / multichannel retailing
As more businesses integrate their physical retail presences with their online presences, companies need to ensure they have systems and processes in place to address potential exploits from all channels. For example, if a merchant offers in-store pickup on its website, fraud checks should still be performed, including scenarios in which the delivery method is changed from one channel to another (delivery to in-store pickup, for example). Store personnel should also be trained on the importance of validating in-store pickup orders and need to be prepared to handle more complex circumstances such as identity theft.

3. Mobile fraud
Worldwide, mobile commerce sales will account for nearly half of total internet sales by 2018, according to Goldman Sachs. As more businesses introduce mobile apps and/or mobile-friendly websites, fraudsters will try to exploit merchants' fraud checks. Businesses must do more than just extend their fraud solutions to mobile platforms from the start. Merchants should leverage mobile-specific identifiers wherever possible, such as Mobile Equipment Identifiers (MEIDs) and International Mobile Subscriber Identities (IMSIs). As consumers increasingly use mobile phones and tablets to order goods and services online, businesses should also ensure their fraud solutions support any mobile-specific or mobile-friendly features, such as letting consumers use a mobile number in place of an e-mail address when creating an account.

4. Digital goods
For merchants offering downloadable content, such as games, apps/software, music, videos, and e-books, a big challenge to fraud prevention efforts is customers' expectation of near-instant fulfillment. Merchants need to strike a balance between losses from fraud, chargebacks, etc. and revenue. As quick reviews are essential in preventing legitimate customers from shopping elsewhere, it is imperative that companies leverage the power of data to help make decisions, whether those decisions are automated or manual. By joining a professional organisation such as the Merchant Risk Council (MRC), key fraud and payments personnel can gain valuable insights, discuss emergent threats and trends, and share best practices with other industry professionals.

5. US EMV rollout
As of October 1st, liability for card-present transactions in the US has shifted. Now, merchants can be held liable, unless they replace their point-of-sale hardware with technology compatible with the card chip standard known as EMV. However, until merchants switch to authenticating purchases using the chips on EMV cards, instead of magnetic stripes, the change is unlikely to significantly reduce the incidence of fraud lost to counterfeit cards. Also, unlike the European rollout of EMV, the US rollout is less coordinated and PINs are not mandated. As a result, it is doubtful that there will be a drastic shift in fraud from the card-present to the card-not-present environment, at least initially. Ecommerce companies cannot become complacent, however. The MRC recommends that most companies use a layered approach with machine learning and manual reviews, with a focus on reducing friction for legitimate customers.

Conclusion
A common theme with these trends is customer experience. Fraud detection is more than just preventing illegitimate transactions from being processed; it is also about ensuring legitimate customers are not adversely impacted by automated and manual reviews. While online fraud remains a challenging space, we believe that those companies which balance prevention with customer experience will be best positioned to reap the rewards of the rapidly growing ecommerce landscape.

Markus Bergthaler, Global Director of Programs and Marketing, MRC
Mike Splichal, Program Manager, MRC US

About Markus Bergthaler: Markus Bergthaler, MRC Global Director of Programs and Marketing, oversees benchmarking, education, committees, communities, marketing and event content.

About Mike Splichal: Mike Splichal, MRC US Program Manager, coordinates content for committees, presentation archives and community forums. He also develops member training and certification programs.

About MRC: The MRC is an unbiased global community providing a platform for ecommerce fraud and payments professionals to come together and share information. As a not-for-profit entity, the MRC's vision is to make commerce safe and profitable by offering proprietary education, training and networking as well as a forum for timely and relevant discussions.
www.merchantriskcouncil.org
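The mobile two-factor authentication described under trend 1 above (a one-time code sent to the consumer's phone as an additional layer of account validation) is simple to describe but easy to get wrong in the details. The following Python example is added here and is not code from the MRC or from the Guide; it assumes a hypothetical delivery callback standing in for an SMS gateway or app push, and the code length, lifetime and attempt limit are constructed values. It shows the properties the verifying side needs: unpredictable codes, single use, expiry, a guess limit and a constant-time comparison.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed policy values for this illustration.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # after this many wrong guesses the code is dead


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OneTimeCodeService:
    """Issues and checks one-time codes delivered out of band (SMS or an app).

    The delivery channel is a callable (hypothetical SMS gateway or push client)
    and the clock is injectable, so the logic runs and is testable offline.
    """

    def __init__(self, send: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send = send
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, account_id: str) -> None:
        # secrets.randbelow is a CSPRNG; zero-pad so every code has the same width.
        code = str(secrets.randbelow(10 ** CODE_LENGTH)).zfill(CODE_LENGTH)
        # Re-issuing replaces any earlier code, so only one code is live per account.
        self._pending[account_id] = PendingCode(code, self._clock() + CODE_TTL_SECONDS)
        self._send(account_id, code)

    def verify(self, account_id: str, submitted: str) -> str:
        """Returns one of: ok, no_code, used, expired, locked, wrong."""
        pending = self._pending.get(account_id)
        if pending is None:
            return "no_code"
        if pending.used:
            return "used"
        if self._clock() > pending.expires_at:
            del self._pending[account_id]
            return "expired"
        if pending.attempts >= MAX_ATTEMPTS:
            return "locked"
        pending.attempts += 1
        # Constant-time comparison: response time must not depend on how many
        # leading digits matched.
        if hmac.compare_digest(pending.code, submitted):
            pending.used = True
            return "ok"
        return "wrong"


def demo() -> Dict[str, list]:
    """Walks through the success path and each failure mode with a fake clock."""
    outbox: Dict[str, str] = {}          # stands in for the SMS gateway
    now = [1_700_000_000.0]              # constructed fake clock
    svc = OneTimeCodeService(send=lambda acct, code: outbox.__setitem__(acct, code),
                             clock=lambda: now[0])
    results: Dict[str, list] = {}

    svc.issue("alice")
    wrong_guess = "000000" if outbox["alice"] != "000000" else "999999"
    results["alice"] = [svc.verify("alice", wrong_guess),       # wrong
                        svc.verify("alice", outbox["alice"]),   # ok
                        svc.verify("alice", outbox["alice"])]   # used (replay)

    svc.issue("bob")
    now[0] += CODE_TTL_SECONDS + 1
    results["bob"] = [svc.verify("bob", outbox["bob"])]         # expired

    svc.issue("carol")
    wrong_guess = "000000" if outbox["carol"] != "000000" else "999999"
    attempts = [svc.verify("carol", wrong_guess) for _ in range(MAX_ATTEMPTS)]
    attempts.append(svc.verify("carol", outbox["carol"]))       # locked even if right
    results["carol"] = attempts
    return results
```

Running demo() exercises a replayed code, an expired code and a brute-force lockout; in a real deployment the pending codes would live in a shared store and the send callback would be the actual SMS or push provider.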


Perseuss
Confronting Card Fraud in the Global Travel Industry 2005 - 2015

For the past ten years, service suppliers in the travel industry (airlines, train companies, shipping lines, online travel agents) have progressed from taking their first baby steps in online payments to a point where online transactions represent the vast majority of all ticket purchases. This period has seen significant change right across the sector. The industry has faced an extraordinary battering from card fraudsters and has had to reorganise rapidly to face this unexpected threat.

Looking back, we can now see that there were certain key developments which, collectively, led to a reversal of fortunes for the initially successful fraudsters. Businesses are now back in control of their payment operations and fraud has been reduced to manageable levels.

Collaboration between competitors
By far, the most important development has been the ability of fraud analysts to exchange information with each other in an informal manner: first, in meetings, secondly, in secure online forums. There are two main types of information, namely, structured data such as names and e-mails that need to be cross-checked against a database, and tips and best practices that can be shared informally.

[Diagram: Merchant 1 sees a suspect transaction, so checks the details against the SHARED DATABASE. This shows two other instances of the same details used fraudulently. The analyst reviews the case and declines the booking. Merchant 2 notices that a particular pattern is frequently used by fraudsters, focuses its own fraud detection efforts on that pattern and identifies many costly fraudulent transactions.]

Some of the meetings and online forums are for members only. Others are open to verified fraud analysts and professionals from any accredited organisation. For an individual who may be the only fraud-fighter in their organisation and with no-one else nearby to offer advice, these forums are like a life-support machine.

Collaboration between corporates
At a strategic level, the travel sector has created an industry-wide body where executives can meet and coordinate actions, both regionally and globally. There is a regular program of working groups that takes place at venues across Europe, Asia-Pacific and elsewhere in the world.

Key to the success of both personal and corporate collaboration is that people from different organisations continue to meet regularly face-to-face. Bonds of trust, once formed, can last a long time online, but occasional meetings in person reinforce and accelerate that trust.

Technology-wise collaboration
The next step in industry-wide collaboration is sharing data. When the working group is small, this can be done via e-mail messages, but once groups start to grow, automation is vital. Groups will need to establish steering committees to choose a neutral technology supplier who develops the various online forums and databases.

Data sharing
The data-sharing technology itself has to be cloud-based and highly secure. It has to enable businesses to submit and share suspected fraud data legally, while always retaining ownership of the data. This way, a business can remain completely in control of its data, even after it has shared it. The database must be developed with a high degree of participation and input from working fraud analysts so the screens and layouts blend naturally into the operational workflow. This increases efficiency and improves decision-making.

Collaboration with partners
Merchants who provide travel services rely on a vast network of partners to oil the wheels of the industry and make everything work. Among these partners are payment service providers, software suppliers, banks, card schemes, industry associations, legal entities, national police forces, as well as international law enforcement agencies.

The travel industry had the foresight long ago to involve all of these bodies in the global war against card fraud. Since 2013, all of these organisations have been mobilised into a number of concerted drives to break up fraud gangs and arrest their members at the moment of committing crime. Hundreds of perpetrators have been charged with offences including human smuggling, drug trafficking and international prostitution. In many cases, the secondary crimes are far more serious than the card fraud which first brought them to the attention of the authorities.

All this collaboration has allowed the travel industry to present a truly joined-up front against fraud gangs. The gangs themselves are becoming increasingly sophisticated and technology-savvy. It is vital that the industry continues to make and strengthen connections with its partners to counter this ever-present threat.

Cross-industry collaboration
A very exciting prospect is for the travel industry to work with entirely different business sectors to fight fraud. Criminals do not recognise industry boundaries, so why should we? Of course, the scale of operations will be significantly increased. There will be problems and challenges. But the lesson of the last ten years is that we must all collaborate more in order to isolate criminal gangs. If we do not, they will exploit the gaps between us and take the initiative. Then, we will find ourselves cut off, surrounded and struggling to catch up. That must not be permitted to happen.

Jan-Jaap Kramer, Chairman, Perseuss Steering Group

About Jan-Jaap Kramer: As Payments Manager for Martinair, Jan-Jaap was responsible for processing all ecommerce and call centre bookings. In 2011, he both established his own consultancy to help other businesses fight fraud and was elected Chairman of the Perseuss Steering Group.

About Perseuss: Perseuss is the global travel industry's own solution to the battle against fraud. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.
www.perseuss.com
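The shared database in the diagram above, together with the "Data sharing" requirements (submit suspected fraud data legally, retain ownership of it, let other merchants cross-check names and e-mails), can be sketched in code. The following Python example is added here and is not Perseuss's own system or code; the consortium key, merchant names and case references are constructed. Identifiers are normalised and replaced by a keyed hash before storage, so the shared store never holds raw names or e-mail addresses; a contributor can withdraw everything it submitted; a lookup counts only reports from other contributors; and a frequency view supports the second merchant's "pattern" use in the diagram.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed key. In a real scheme the neutral operator holds it, so a leaked
# database dump cannot be turned back into names and e-mail addresses by guessing.
CONSORTIUM_KEY = b"example-consortium-key-not-for-production"


def normalise(kind: str, value: str) -> str:
    """Canonicalise an identifier so trivial variations still match."""
    v = value.strip().lower()
    if kind == "email":
        local, _, domain = v.partition("@")
        local = local.split("+", 1)[0]      # drop sub-addressing: alice+x@ -> alice@
        return f"{local}@{domain}"
    return " ".join(v.split())              # collapse internal whitespace in names


def pseudonymise(kind: str, value: str) -> str:
    """Keyed hash of the normalised identifier; this token is what gets shared."""
    msg = f"{kind}:{normalise(kind, value)}".encode()
    return hmac.new(CONSORTIUM_KEY, msg, hashlib.sha256).hexdigest()


class SharedNegativeDatabase:
    def __init__(self) -> None:
        # token -> set of (contributing merchant, that merchant's case reference)
        self._records: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)

    def submit(self, merchant: str, case_id: str, identifiers: Dict[str, str]) -> None:
        for kind, value in identifiers.items():
            self._records[pseudonymise(kind, value)].add((merchant, case_id))

    def withdraw(self, merchant: str) -> int:
        """A contributor keeps ownership: it can pull all of its records back."""
        removed = 0
        for token in list(self._records):
            kept = {r for r in self._records[token] if r[0] != merchant}
            removed += len(self._records[token]) - len(kept)
            if kept:
                self._records[token] = kept
            else:
                del self._records[token]
        return removed

    def check(self, merchant: str, identifiers: Dict[str, str]) -> Dict[str, int]:
        """For each identifier, count reports made by OTHER contributors."""
        hits: Dict[str, int] = {}
        for kind, value in identifiers.items():
            recs = self._records.get(pseudonymise(kind, value), set())
            hits[kind] = len({r for r in recs if r[0] != merchant})
        return hits

    def frequent_tokens(self, min_contributors: int = 2) -> List[Tuple[str, int]]:
        """Tokens reported by several distinct contributors: the 'pattern' view."""
        counts = [(tok, len({m for m, _ in recs})) for tok, recs in self._records.items()]
        return sorted([t for t in counts if t[1] >= min_contributors], key=lambda t: -t[1])


def demo() -> Tuple[Dict[str, int], Dict[str, int], int, Dict[str, int], int]:
    """Constructed scenario with three contributing travel merchants."""
    db = SharedNegativeDatabase()
    db.submit("airline-A", "A-1", {"email": "Alice.Smith+promo@Example.com", "name": "Alice  Smith"})
    db.submit("rail-B", "B-7", {"email": "alice.smith@example.com", "name": "alice smith"})
    db.submit("ota-C", "C-3", {"email": "someone@else.test", "name": "ALICE SMITH"})

    # A fourth merchant screening a suspect booking.
    query = {"email": "alice.smith@example.com", "name": "Alice Smith"}
    seen_by_d = db.check("ferry-D", query)     # e-mail reported twice, name three times
    seen_by_a = db.check("airline-A", query)   # own report excluded: 1 and 2
    removed = db.withdraw("rail-B")            # B withdraws its two records
    after = db.check("ferry-D", query)         # now 1 and 2
    patterns = len(db.frequent_tokens(2))      # only the name token is still multi-source
    return seen_by_d, seen_by_a, removed, after, patterns
```

The keyed hash is the design choice worth noting: contributors can still match each other's reports, but the operator's store is not a list of names and addresses, and rotating the key invalidates every token at once if the store is ever compromised.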


Edgar, Dunn & Company
Transacting with Retailers Is Now Omnichannel and So Is Fraud

As retailers have enhanced their technical and business operations to better serve consumers across several channels, there has been a gap in dealing with fraudsters who are also adopting a cross-channel approach. In this respect, it is interesting to see that there are several exceptions to a standard purchase transaction, particularly returned goods. It has been a specific area where different customer points of interaction did not properly communicate with each other. This means that fraudsters are targeting the loopholes that have appeared due to the lack of connectivity across channels.

Edgar, Dunn & Company (EDC) has found that many retailers do not treat different customer points of interaction individually. Instead, they take into account consumer behaviour and location to build a fraud strategy for each point of interaction, be it call centre, in-store customer service desk, a click-and-collect service desk, online, or at the point-of-sale. Retailers are aiming to ensure a seamless customer experience across channels and they should equally tackle fraud across all channels. They need a cross-channel view of their customers' purchasing history, browsing history and preferred channel history - in-store, smartphone, tablet, laptop, desktop, in-store kiosk - to ensure that a customer is a good customer and is not deviating from their normal channel behaviour. Transacting with retailers is now omnichannel.

False positives
Declining a customer that is a good customer can lead to dramatic and detrimental customer behaviours. This is commonly the case where a customer could be known to be good on a certain device but then uses a different device and is declined when engaging with the retailer simply because the fraud detection rules are not updated for the new device.

As merchants aim to serve customers across channels, fraudsters are also using the lack of joined-up thinking by impersonating a service centre. They will cold call a customer, for example, claiming that their credit card or bank account has been subject to fraud during the transaction with the retailer. This can lead to customers revealing information about the transaction and fraudsters are able to change the arrangements for collection of the goods. The call will seem genuine and fraudsters will often quote titbits of the individual's confidential transaction history information, such as their full name, address, account numbers, all information that the fraudster gleaned from an earlier hack of a retailer or financial institution. The ability to create a profile of a target customer is progressively easier to achieve by organised criminals operating at a distance.

Data mining
Usually, the fraudster will spoof the collection arrangements and change the location to a store more convenient for him to pick up the goods. This information is meant to make the conversation more credible, luring the customer into revealing additional information that can be used to arrange the collection of their newly purchased items. These products can be quickly sold on auction websites afterwards.

Another example would be fraudsters who send targeted phishing emails on behalf of the retailer or the bank in order to capture information about the customer. Fraud protection vendors are most concerned about evolving methods of phone fraud, especially because it is the least protected area when it comes to card-not-present (CNP) transactions and, therefore, the most vulnerable means of attack in a multi-channel environment, as found in large modern retailers.

Alternative forms of payment
A lot of retailers and fraud prevention vendors commonly collect fraud statistics for legacy products such as debit and credit cards. The more innovative retailers are issuing and accepting mobile wallets, carrier billing, prepaid payment products, loyalty and reward products, gift cards, social and peer-to-peer payment products. Multichannel retailers are even starting to accept bank transfers such as Barclays Pingit.

As consumers become more familiar with Apple Pay and in-app purchases, they are expected to gradually become more adventurous in the selection of different methods of payment at different points of interaction with the retailer. If the store is closed, the Pingit app can be used by scanning a QR code on the shop window next to the goods on sale. However, the point of interaction could most likely be on an advertisement at a bus stop or at the back of a taxi, not necessarily in the store.

Fraudsters are able to program a smartphone to act as a false POS terminal, deface a QR code to redirect funds to another account, or even make a smartphone act as a false payment card. An attack that used to require insightful hardware engineering at the POS to bypass EMV technology is now just a software app. The emergence of new sales channels (and the integration between these channels) unfortunately enables fraudsters to play one channel against another, or identify potential cracks in omnichannel processes.

Fraud is an ever-evolving art and fraudsters are very creative in leveraging the retailer's lack of fully integrated multichannel solutions. They are already preparing for a new wave of cross-channel fraudulent strategies in order to trick consumers at a wide variety of retailer interactions.

Mark Beresford, Director, Edgar, Dunn & Company

About Mark Beresford: Mark Beresford, Director at Edgar, Dunn & Company, has over 20 years' experience in the payments sector. He heads the Retailer Payments Practice at EDC and works on strategic client engagements for major omnichannel retailers and payment service providers globally.

About Edgar, Dunn & Company: Edgar, Dunn & Company is an independent global payments consultancy founded in 1978. The company is widely regarded as a trusted adviser, providing a full range of strategy consulting services, expertise and market insight. EDC clients include payment brands, issuer and acquiring banks, processors and merchants.
www.edgardunn.com
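The cross-channel view the article calls for (device and channel history per customer, stepping up verification rather than declining a good customer on a new device, and treating a post-order change of collection arrangements with suspicion when it arrives through a different channel) can be expressed as a small rule engine. The following Python example is added here and is not EDC's or any retailer's code; the threshold for an "established" customer, the channel names and the order data are constructed. Knowledge of order details is deliberately not used as evidence of identity, for the reason the article gives.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Profile:
    known_devices: Set[str] = field(default_factory=set)
    channel_history: Counter = field(default_factory=Counter)  # channel -> good orders
    good_orders: int = 0


@dataclass
class Order:
    order_id: str
    customer_id: str
    channel: str            # constructed names: web, app, store, call_centre, kiosk
    device_id: Optional[str]
    collection: str         # "delivery" or a store code


class OmnichannelRiskEngine:
    """Per-customer cross-channel history with step-up instead of outright decline."""

    ESTABLISHED = 3   # constructed: good orders needed to count as a known-good customer

    def __init__(self) -> None:
        self.profiles: Dict[str, Profile] = defaultdict(Profile)
        self.orders: Dict[str, Order] = {}

    def assess_order(self, order: Order) -> str:
        """Returns approve, step_up or review."""
        p = self.profiles[order.customer_id]
        reasons: List[str] = []
        if order.device_id is not None and order.device_id not in p.known_devices:
            reasons.append("new_device")
        if p.good_orders and order.channel not in p.channel_history:
            reasons.append("new_channel")
        self.orders[order.order_id] = order
        if not reasons:
            return "approve"
        # A customer with a solid history on other devices or channels is verified,
        # not declined: declining here is the false positive the article describes.
        if p.good_orders >= self.ESTABLISHED:
            return "step_up"
        return "review"

    def confirm_good(self, order_id: str) -> None:
        """Called once an order is verified or completes cleanly: learn from it."""
        order = self.orders[order_id]
        p = self.profiles[order.customer_id]
        if order.device_id is not None:
            p.known_devices.add(order.device_id)
        p.channel_history[order.channel] += 1
        p.good_orders += 1

    def assess_collection_change(self, order_id: str, via_channel: str, new_collection: str) -> str:
        """A change of collection arrangements requested after the order was placed.

        Knowing order details is not an authenticator (they may come from a breach),
        so the decision rests on whether the request arrives through the channel
        the order was placed on.
        """
        order = self.orders[order_id]
        if new_collection == order.collection:
            return "no_change"
        if via_channel != order.channel:
            return "verify_on_original_channel"
        order.collection = new_collection
        return "approve"


def demo() -> List[str]:
    eng = OmnichannelRiskEngine()
    out: List[str] = []
    # Alice: five clean web orders from one device (constructed history, each confirmed good).
    for i in range(5):
        o = Order(f"A-{i}", "alice", "web", "dev-web-1", "delivery")
        eng.assess_order(o)
        eng.confirm_good(o.order_id)
    out.append(eng.assess_order(Order("A-5", "alice", "web", "dev-web-1", "delivery")))  # approve
    out.append(eng.assess_order(Order("A-6", "alice", "app", "dev-app-9", "delivery")))  # step_up
    eng.confirm_good("A-6")                                                              # step-up passed
    out.append(eng.assess_order(Order("A-7", "alice", "app", "dev-app-9", "delivery")))  # approve
    # Bob: no history at all, first order from an unseen device.
    out.append(eng.assess_order(Order("B-1", "bob", "web", "dev-web-2", "delivery")))    # review
    # Collection changes on Alice's web order A-5: phoned in vs. made on the original channel.
    out.append(eng.assess_collection_change("A-5", "call_centre", "store-42"))  # verify_on_original_channel
    out.append(eng.assess_collection_change("A-5", "web", "store-42"))          # approve
    return out
```

The engine keeps one profile per customer rather than one per channel, which is the point of the article: a device seen on the web channel is evidence when the same customer appears in the app, and a collection change phoned in against a web order is routed back to the web or app account for confirmation instead of being actioned on the call.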


Emerging Payments Association

In the interview, Neira Jones points out that managing fraud in a hyper-connected environment will force businesses to
manage risk effectively to support growth, performance and reputation.

The online landscape is changing at a faster pace

...and fraudsters are getting better at stealing money and identities. The industry needs a more reliable authentication system to create a safer environment. What do you see as a next step in consumer authentication?

By the end of 2015, there will be 7.2 billion people with an employment ratio of 60%, representing 4.3 billion people (International Labour Organisation, World Bank). By then, 1.3 billion people (30%) will routinely work remotely (Symantec, August 2014) and, by 2019, there will be 24 billion networked devices around the world, with an average of 3.2 connections per person. The pace of technological advancement, as well as the increased sophistication and adaptability of criminals, has made identity theft and social engineering most successful. Indeed, in the UK, ID crime represented 48% of all fraud in 2014, with 82% of ID-related crimes committed online (CIFAS Fraudscape 2015). Worryingly, 23% of recipients open phishing e-mails and 11% click on attachments, and a phishing campaign of just 10 e-mails has a 90% success rate (Verizon DBIR 2015). In addition, machine-to-machine connections will triple to 10.5 billion by 2019 (CISCO, May 2015). All this connectivity means new opportunities for countries, businesses, people, as well as, unfortunately, fraudsters.

I like to link identity and authentication to social engineering because, if legitimate credentials fall into the hands of criminals, all bets are off. Technology alone cannot stop fraud, as evidenced many times, and most recently when a UK company handed over an unprecedented GBP 1 million to a phone scammer who led an employee to transfer the money to bogus bank accounts, or when BitPay lost USD 1.8 million through a spear phishing attack.

I believe consumer-centric Identity & Access Management (IAM) vendors will start to provide enterprise-grade solutions and enterprise IAM vendors will start moving from role-based access control (RBAC) to attribute-based access control (ABAC). Biometrics, behavioural/contextual analysis and low-latency threat monitoring/fraud prevention will all play a role in building a successful ecosystem.

So, it is not so much that we need an authentication system. We actually need several ways to manage identity and authentication that are proportional and commensurate to the potential risk associated with any interaction (be it human or machine), with the necessary addition of appropriate operational processes to support them. The most sophisticated identity or authentication technologies can be deployed, but if appropriate governance processes are not equally matched, it will only be money down the drain.

Cybercrime has also gone mobile. Do you think there is a need for multichannel fraud detection & prevention solutions to detect and manage fraud effectively, irrespective of channel?

Cybercrime has indeed gone mobile and, with the growth of the Internet of Things (IoT), equally hyper-connected. There is, however, at this stage, little evidence of serious harm. Indeed, with the rise of mobile devices and BYOD, we could have expected significant threats to organisations. But, as suggested by the Verizon DBIR 2015, less than 0.03% of mobile devices were infected with mobile malware each year, and the rise of the IoT did not exhibit a surge of attacks through that channel. Instead, criminals relied on phishing attacks, misuse of credentials and new varieties of malware that plague organisations of all sizes. Managing fraud in this hyper-connected environment will force businesses to manage risk effectively to support growth, performance and reputation. In this environment, comprehensive, real-time analytics will play a key role.


Neira Jones
Advisory Board Member & Ambassador
Emerging Payments Association

IoT promises to be "the next big thing". Apart from the innovation and convenience that it brings, the system is not flawless. What are the main vulnerabilities we need to be aware of?

As the IoT evolves, so should the understanding of its security requirements. The online web environment has had years to mature, in line with the understanding of what needs to be done to secure it. As we all know, data breaches continue to happen in the traditional online channel and old vulnerabilities continue to be exploited. Exciting developments in the IoT should take advantage of what has already been learned in online and other digital channels, and implement security by design rather than as an afterthought. Key to this will be authentication of devices (and individuals) and data security, as these technologies will increasingly collect more and more personal data. From a process and regulatory stance, data will be key, as are the many contractual implications that will ensue due to an ever-extended supply chain.

Would wearable technology transform the payments industry? And where do we stand from a security point of view?

Wearable technology is only a subset of the IoT and, therefore, the same issues apply, with the added emphasis on data collection, protection and privacy as there is a direct link to individuals. Will it "transform" the payments industry? I don't think so. Will it contribute to its evolution towards a payments ecosystem that is frictionless and secure? I sincerely hope so. We are already seeing some interesting deployments in the loyalty and engagement space as well as in the production of new form factors (e.g. contactless rings), which is where, I think, wearables will make the most impact in payments.

About Neira Jones: Neira chairs the Advisory Board for mobile innovator Ensygnia and the Global Advisory Board for the Centre for Strategic Cybercrime & Security Science, and is a Founding Advisory Board Member for GiveADay UK. She sits on the Advisory Board of the Emerging Payments Association.
Twitter: twitter.com/neirajones
LinkedIn: www.linkedin.com/in/neirajones

About Emerging Payments Association: The Emerging Payments Association (EPA) is a community for the world's most progressive payments companies. The EPA helps them to have influence over the payments landscape and get access to the people operating in it, whether they are buyers, sellers or partners.
www.emergingpayments.org


MRC Vegas 2016
March 7-10 | Aria Resort & Casino

Experience the excitement at MRC Vegas 2016 with over 1,500 attendees, 65 educational sessions, 450 companies and individuals from over 30 countries. Save $800 with our early bird discount.

Register now for one of the largest and most rewarding events uniting online and multi-channel retailers, card networks and issuers, law enforcement and solution providers all committed to making eCommerce safe and profitable.
MERCHANTRISKCOUNCIL.ORG/EVENTS/MRCVEGAS

BEST PRACTICES IN IDENTIFYING FRAUDSTERS & PREVENTING FRAUD LOSSES

ACI Worldwide
Machine Learning: Keeping Us One Step Ahead of Fraudsters

Machine learning is a hot topic in fraud prevention, with both financial institutions and merchants looking to exploit advances in IT infrastructure and intelligent computing to protect their businesses from risk. But what really is machine learning, and how effective is it in detecting and preventing fraud?

Machine learning relies on algorithms which employ pattern recognition techniques to explore and learn the underlying structures in the data. By using past transaction data from fraudulent activity, alongside information from genuine customer transactions, these algorithms can be used to build predictive models which forecast the probability of a transaction being fraudulent.

Predictive models deliver very tangible results in fraud detection. Their ability to extract meaning from complicated data means that they can be used to identify patterns and highlight trends which are too complex to be noticed either by humans or through other automated techniques. By running specific, effective algorithms and using them to make automated decisions, or to generate alerts for suspicious activity, these techniques can save manual review time, reduce the number of false positives and quickly stop attempted fraud.

But this approach is by no means new. In fact, predictive models first became popular almost two decades ago, particularly with financial institutions, which successfully used models to detect significant volumes of card-present fraudulent transactions and save millions.

Back then, however, fraud problems were simpler and patterns were easier to identify. Fraudsters have since become savvier and more innovative, driving demand for further change in fraud detection techniques to ensure that defensive capabilities can match fraudsters' offensive capabilities.

Technology advances over the last decade in particular have aided the evolution of machine learning and ensured it has remained an effective fraud prevention measure. For instance, the increased availability and scale of raw computing power means that we can now process, segment and analyse data on a much larger and more complex scale. This allows fraud analysts to understand both localised and widespread occurrences of fraud. It also enables these complex processes to be accomplished faster, frequently in real time.

Additionally, other information, such as data resulting from web behaviour analysis, can be fed into the predictive models, adding a new and valuable dimension to the models' accuracy.

The development of new algorithms, machine learning techniques and programming expertise has also kept pace with changes in the payments and ecommerce landscape, with these latest techniques giving businesses the power to explore a much larger search area in the model optimisation space and increase detection rates.

While it is clear that machine learning has a lot to offer to financial institutions and merchants in an effort to detect and prevent fraud, the approach does have its limitations.

Because they learn from experience, predictive models cannot learn or spot monolithic events such as data breaches. For these you need to be running a rules-based model which uses negative lists and, preferably, consortium data.

Predictive models are also less adaptive at learning one-off events or transient phenomena. Our experience with customers around the world has taught us that combining predictive models with a customised rules engine delivers the optimal fraud prevention solution. The ability and flexibility of a comprehensive rules engine to deal with seasonal changes, emerging trends and one-time events complements the sophisticated pattern recognition techniques deployed by predictive models.

At ACI, we firmly believe in the future of advanced machine learning and predictive models as an integral and vital part of a winning fraud strategy. We have our own patented predictive models which have been used by customers for many years. Backed by these predictive models, ACI's rules-based systems are constantly updated to augment performance and provide multifaceted coverage and protection. It is this holistic approach to fraud prevention that provides effective protection against the risk of fraud without compromising customer service, driving costs further upwards, or increasing the demand on scarce in-house resources.

Predictive models - part of a multi-dimensional fraud management solution

Developments and enhancements will, of course, need to continue to meet the ever-changing needs of the industry as both consumers and fraudsters adapt their behaviour. At ACI, we are now exploring the use of smaller, more focused and tactical models, trained specifically on a closely targeted set of data, for example a specific merchant sector or geography. This will enable merchants to benefit from more sophisticated solutions which are faster to deploy and designed to address their specific trading landscapes. As fraud develops, predictive models will too, enabling us to keep one step ahead.

Jackie Barwell
Director of Fraud and Risk Product Management
ACI Worldwide

About Jackie Barwell: Jackie is the Director of Fraud and Risk Product Management at ACI Worldwide, having joined the ACI family as part of its acquisition of ReD in 2014. Jackie has more than 27 years' experience within the financial crime arena.

About ACI Worldwide: ACI Worldwide, the Universal Payments company, powers electronic payments and banking for more than 5,600 financial institutions, retailers, billers and processors worldwide. ACI software processes USD 13 trillion each day in payments and securities transactions.
www.aciworldwide.com
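The combination the article argues for, a predictive model for learned patterns plus a rules engine for what the model cannot learn (breach negative lists, consortium data, one-off events), as an added example in Python. This is not ACI's code: the logistic weights stand in for a trained model, and the hashed card list, consortium e-mail list, promotion quantity cap and sample transactions are all assumed for illustration.

```python
"""Hybrid fraud decisioning: predictive score plus rules engine.

Added example, not ACI code. Model weights, list contents, rules and
sample transactions are constructed for illustration.
"""
import math
from dataclasses import dataclass, field

# --- predictive model: an illustrative logistic scorer ----------------------
# Weights as a trained model might produce them (assumed values).
MODEL_WEIGHTS = {
    "bias": -4.0,
    "amount_log": 0.6,             # larger baskets score higher
    "new_device": 1.2,             # first time this device is seen on the account
    "country_mismatch": 1.8,       # billing country differs from IP country
    "night_hour": 0.7,             # 00:00-05:00 local time
    "account_age_days_log": -0.5,  # older accounts are lower risk
}

def model_score(tx: dict) -> float:
    """Return P(fraud) in [0, 1] from a logistic combination of features."""
    feats = {
        "amount_log": math.log1p(tx["amount"]),
        "new_device": 1.0 if tx["new_device"] else 0.0,
        "country_mismatch": 1.0 if tx["bill_country"] != tx["ip_country"] else 0.0,
        "night_hour": 1.0 if 0 <= tx["hour"] < 5 else 0.0,
        "account_age_days_log": math.log1p(tx["account_age_days"]),
    }
    z = MODEL_WEIGHTS["bias"] + sum(MODEL_WEIGHTS[k] * v for k, v in feats.items())
    return 1.0 / (1.0 + math.exp(-z))

# --- rules engine: knowledge the model never saw in training ----------------
@dataclass
class RulesEngine:
    # Hashed PANs known compromised in a breach: a one-off "monolithic" event.
    negative_cards: set = field(default_factory=set)
    # Consortium-shared hashed e-mails with confirmed fraud at other merchants.
    consortium_emails: set = field(default_factory=set)
    # Temporary rule for a promotion being abused (a transient phenomenon).
    promo_sku_cap: int = 3

    def evaluate(self, tx: dict) -> list:
        """Return (action, reason) hits; an empty list means no rule fired."""
        hits = []
        if tx["card_hash"] in self.negative_cards:
            hits.append(("decline", "card on breach negative list"))
        if tx["email_hash"] in self.consortium_emails:
            hits.append(("review", "email flagged by consortium data"))
        if tx.get("promo_sku_qty", 0) > self.promo_sku_cap:
            hits.append(("review", "promotion quantity cap exceeded"))
        return hits

def decide(tx: dict, rules: RulesEngine,
           decline_at: float = 0.85, review_at: float = 0.5) -> dict:
    """Rules first, then the model. A 'decline' rule always wins, whatever
    the score; 'review' rules escalate a transaction the model scores low."""
    hits = rules.evaluate(tx)
    score = model_score(tx)
    if any(action == "decline" for action, _ in hits) or score >= decline_at:
        action = "decline"
    elif hits or score >= review_at:
        action = "review"
    else:
        action = "approve"
    reasons = [reason for _, reason in hits] + [f"model score {score:.2f}"]
    return {"action": action, "score": round(score, 3), "reasons": reasons}

def sample_transactions() -> list:
    """Constructed sample transactions (not real data)."""
    base = dict(new_device=False, bill_country="GB", ip_country="GB",
                hour=14, account_age_days=400, email_hash="e-ok")
    return [
        dict(base, id="t1", amount=45.0, card_hash="c-normal"),
        # identical to t1 for the model, but the card is on the breach list
        dict(base, id="t2", amount=45.0, card_hash="c-breached"),
        dict(base, id="t3", amount=1900.0, card_hash="c-x", new_device=True,
             ip_country="RO", hour=2, account_age_days=1),
        dict(base, id="t4", amount=60.0, card_hash="c-y", promo_sku_qty=8),
    ]

def run_sample() -> dict:
    rules = RulesEngine(negative_cards={"c-breached"}, consortium_emails={"e-bad"})
    return {tx["id"]: decide(tx, rules) for tx in sample_transactions()}

if __name__ == "__main__":
    for tx_id, result in run_sample().items():
        print(tx_id, result)
```

The interesting case is t2: the model scores it about 0.01, indistinguishable from t1, and only the negative-list rule catches it, which is exactly the "cannot learn monolithic events" limitation the article describes.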


Accertify
Addressing Delivery and Returns Fraud to Protect Profits

A fraud team usually focuses on the actions of professional fraudsters. These are the criminal pros who attempt to steal on a large scale using automation and thousands of stolen payment cards. It makes sense to aim the artillery at big threats. Now, a different kind of smaller-scale fraud scenario, perpetrated by amateurs, is gaining traction on the fraud battlefront. It's called delivery and returns fraud.

The unknown challenge

How many retailers really understand all the areas of shrinkage or loss in their business and quantify these losses accurately? Delivery and returns fraud, the act of defrauding a retailer via the returns process, is an increasing issue where fraudsters are exploiting supply chain processes. We are not talking false payment data here, but something a bit harder to detect. Akin to electronic shoplifting, an individual attempts one low-value fraud action, one retailer at a time. Some incidents involve fraud via a delivery channel, while others use variants of fraudulent returns. Sometimes customers come across this type of fraud by accident as they realise weaknesses in retailer processes, but because they see it as a small-scale cost to a retailer, they do not perceive it to be fraud. Whether on a small scale, or something which becomes a customer habit, ultimately the customer ends up with either product or refunds they should not have received.

Historically, retailers have focused on chargeback losses. However, as retailers have brought this area of risk under control, either new areas of risk have become more visible, or the fraudsters have started to change their behaviour. Delivery and returns fraud may seem small scale even to the retailer, but collectively the losses can add up quickly. Many businesses do not have visibility of how big a problem this is becoming. According to the 2014 National Retail Federation Return Fraud Survey, the industry was estimated to lose USD 10.9 billion in 2014 alone.

The many guises of delivery and returns fraud

One of the challenges of fighting this type of fraud is that there are multiple guises it can take.

- Wardrobing: Want to go to a party and wear that expensive dress or tuxedo? With this tactic, you don't have to pay a penny to have that special outfit. Wardrobing is making a legitimate purchase with the intention of using the item and returning it for the full value.

- Delivery denial: "I never received my goods and want a refund!" But you did receive the goods. You didn't have to sign for the parcel, and so who knows whether the delivery driver did in fact leave it. Or, if you were to claim you never saw it, even though it is on your kitchen table, who's to know?

- Bait-and-switch: That one-year guarantee seems to be timed perfectly to when something breaks, and it is only a couple of weeks outside that timeframe. Purchasing a working item and returning a damaged or defective identical item that was already owned, however, is still not a legitimate transaction.

- Courier fraud: Orders are intercepted and never received by the consumer. It is worth remembering that it is not always the end customer who is committing the fraud. Multiple people are involved in the supply of a product from retailer to customer, and understanding whether it is someone involved before the product reaches your customer is just as important.

The common theme here is that each of these tactics can result in the retailer losing a product and the sale from it, therefore impacting profitability, but in many cases without the retailer recognising the underlying causes of this decreased profitability.

Monitoring and addressing delivery and returns fraud

Retailers have been applying various methods to address this issue, many of them very manual and non-sustainable processes. Many have struggled with being able to track regular offenders and stop them before they attempt this type of fraud again. Many have also faced the challenge that some customers only show this behaviour once or twice.


Catherine Tong
General Manager
Accertify

Accertify believes the key to reducing delivery and returns fraud is to target who is involved in the delivery or return of the product. Retailers can leverage our platform to analyse each consumer's behaviour and identify out-of-pattern returns and other delivery anomalies.

Our multi-merchant database allows each participating retailer to benefit from collective knowledge about returns fraud and thereby try to limit its losses. Retailers learning from each other is invaluable: they can now use this tool to benefit from other participating customers who have already leveraged data associated with prior fraudulent deliveries and returns.

Retailers are now able to manage a much broader set of risks in one place, improving efficiency for their business, whilst bringing on new ways to help protect themselves. They can still have different teams managing these different aspects of their business, but managing all the data and fraudulent behaviour in the same place enables them to track changes in fraudster behaviour more easily and collaborate internally.

About Catherine Tong: Catherine Tong is General Manager for Accertify in EMEA, leading a team of fraud specialists and partnering with companies from a variety of industries on their fraud management strategies as they enter and grow in new markets. Before joining Accertify, Catherine held various senior risk roles at the retailer Tesco and at PwC.

About Accertify: Accertify Inc., a wholly owned subsidiary of American Express, is a leading provider of fraud prevention, chargeback management and payment gateway solutions to merchant customers spanning diverse industries worldwide. Accertify's suite of products and services, including machine learning, helps ecommerce companies grow their business by driving down the total cost of fraud and protecting their brand.
www.accertify.com
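An added example, not Accertify's platform, of the per-customer behavioural check the article describes: each customer's return rate, share of quick high-value returns (the wardrobing pattern) and non-delivery claims are compared against the population and against policy floors. The order history, the floors, the four-day "quick return" window and the signal names are constructed for illustration; a retailer would tune them from its own history.

```python
"""Out-of-pattern returns and delivery-claim detection per customer.

Added example, not Accertify code. Orders, thresholds and signal
names are constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed order history: (customer, order_id, amount, status, days_held)
# status: "kept", "returned", or "not_received" (customer claims non-delivery)
# days_held: days between delivery and return request, None if not returned
ORDERS = [
    ("alice", "o1", 80, "kept", None),
    ("alice", "o2", 120, "returned", 20),
    ("alice", "o3", 45, "kept", None),
    ("alice", "o4", 200, "kept", None),
    ("bob", "o5", 60, "kept", None),
    ("bob", "o6", 90, "kept", None),
    ("bob", "o7", 150, "kept", None),
    ("bob", "o8", 30, "kept", None),
    ("carol", "o9", 300, "returned", 2),    # high-value items, each returned
    ("carol", "o10", 280, "returned", 3),   # within days: wardrobing pattern
    ("carol", "o11", 350, "returned", 2),
    ("carol", "o12", 40, "kept", None),
    ("dave", "o13", 70, "not_received", None),   # repeated delivery denial
    ("dave", "o14", 85, "not_received", None),
    ("dave", "o15", 50, "kept", None),
    ("dave", "o16", 65, "not_received", None),
    ("erin", "o17", 100, "kept", None),
    ("erin", "o18", 110, "returned", 12),
    ("erin", "o19", 95, "kept", None),
    ("erin", "o20", 105, "kept", None),
]

QUICK_RETURN_DAYS = 4  # assumed window separating "used and returned" from normal returns

def customer_profiles(orders):
    """Per-customer metrics: return rate, returned-value share,
    quick-return share and non-delivery claim rate."""
    agg = defaultdict(lambda: {"n": 0, "value": 0.0, "returned": 0,
                               "returned_value": 0.0, "quick": 0, "claims": 0})
    for cust, _oid, amount, status, days in orders:
        a = agg[cust]
        a["n"] += 1
        a["value"] += amount
        if status == "returned":
            a["returned"] += 1
            a["returned_value"] += amount
            if days is not None and days <= QUICK_RETURN_DAYS:
                a["quick"] += 1
        elif status == "not_received":
            a["claims"] += 1
    return {
        cust: {
            "orders": a["n"],
            "return_rate": a["returned"] / a["n"],
            "returned_value_share": a["returned_value"] / a["value"],
            "quick_return_share": a["quick"] / a["n"],
            "claim_rate": a["claims"] / a["n"],
        }
        for cust, a in agg.items()
    }

def flag_customers(orders, min_orders=3):
    """Flag customers whose behaviour is out of pattern: above an absolute
    policy floor AND more than twice the population median, so a single
    honest return never trips a flag. min_orders avoids judging new customers."""
    profiles = customer_profiles(orders)
    pop = {m: median(p[m] for p in profiles.values())
           for m in ("return_rate", "quick_return_share", "claim_rate")}

    def out_of_pattern(value, metric, floor):
        return value >= floor and value > 2 * pop[metric]

    flags = {}
    for cust, p in profiles.items():
        if p["orders"] < min_orders:
            continue
        reasons = []
        if out_of_pattern(p["return_rate"], "return_rate", 0.5):
            reasons.append("serial returner")
        if (out_of_pattern(p["quick_return_share"], "quick_return_share", 0.5)
                and p["returned_value_share"] >= 0.5):
            reasons.append("wardrobing pattern: high-value items returned within days")
        if out_of_pattern(p["claim_rate"], "claim_rate", 0.25):
            reasons.append("repeated non-delivery claims")
        if reasons:
            flags[cust] = reasons
    return flags

if __name__ == "__main__":
    for cust, reasons in flag_customers(ORDERS).items():
        print(cust, reasons)
```

Comparing against the population median rather than the mean matters here: the few abusers being hunted would drag a mean upwards and hide themselves, while the median stays anchored on ordinary customers.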


Risk Ident

Risk Ident points out that technology should not replace fraud managers. Instead, it should be used to empower them
to take an educated, proactive approach by identifying and tackling fraud at the source.

In today's ever-changing online environment, identifying fraudulent transactions has become a major hurdle. How can companies like Risk Ident help merchants detect and stop suspicious transactions?

Ecommerce is in a continuous state of evolution and is expected to be worth GBP 185.44 billion (EUR 219.44 billion) in 2016. This makes online payments more and more of an attractive option for fraudsters, whose increasingly sophisticated techniques create a moving target for merchants looking to identify and tackle fraudulent transactions.

At Risk Ident we deliver the best use of quality anti-fraud data in Europe by using machine learning and behavioural analytics to help support fraud managers by intelligently processing a wide range of input sources, such as device identification. Using rules alone or monitoring single transactions is no longer as effective at detecting and stopping suspicious transactions. Establishing relationships between transactions helps merchants recognise potential fraud patterns without the need for expensive additional databases, acting fast to protect them from fraud.

Some herald the combination of machine learning and 'human detectives' as the next major revolution in fighting fraud. How do you feel about this combination of man and machine to find and fix weaknesses of the system?

We are passionate in our belief that man and machine together offer the strongest possible defence against fraud when used in combination. Machine-led intelligence has undoubtedly enhanced the proficiency of fraud prevention thanks to advanced algorithms which outshine the more traditional rule-based approach. It is important that companies take advantage of this technology and use it to further boost their fraud managers' knowledge of their own fraud problems.

Machine learning should not be used to the detriment of human detectives, who are crucial for judging data choices to ensure legal compliance, and for giving individual consideration to any borderline cases that need the application of human processing.

Modern methods of data science and software engineering help provide smarter technology that works more intelligently than traditional anti-fraud processes, pooling data for analysis that helps guard against repeat fraudsters without requiring private personal information. Ultimately, technology should not replace fraud managers. Instead, it should be used to empower them to take an educated, proactive approach by identifying and tackling fraud at the source.

What are some of the main changes that you would expect to impact the fraud prevention landscape following the Safe Harbour ruling from the ECJ?

The recent ECJ decision to suspend Safe Harbour could catalyse major changes for the fraud prevention landscape, affecting the data privacy and anti-fraud processes of businesses on both sides of the Atlantic. The ruling will have especially significant ramifications for businesses which depend on sharing data with organisations in the US in order to stay secure. Companies that want to establish more local, European-based data centres for customers' data in the EU will have to adhere to European data privacy laws, which are traditionally much stricter. However, this still does not offer a total solution to EU businesses as the US Freedom Act, Section 702 (FAA 702) remains in use by the US government, which allows them to obtain data stored in Europe by US companies.

The ruling is potentially good news for European businesses and customers, however, as it has brought the focus back to customer privacy. We do not expect it to be a huge barrier to businesses.


Roberto Valerio
CEO
Risk Ident

"Too many organisations argue that it's in the users' best interest to give up more privacy as it will keep them safer online. This is not necessarily true."

But it will undoubtedly cause friction and uncertainty before an alternative is agreed on in 2016. The ruling, together with the recent high-profile Weltimmo and Schrems cases, has certainly brought data privacy and the ethics of data sharing into concentration for EU businesses. It is still possible to promote security while maintaining privacy by anonymising data, and it is something we very strongly believe in.

From your point of view, what is the best approach to gaining customers' trust when it comes to data privacy and fraud protection?

Risk Ident was founded and built specifically with European privacy laws in mind, and we strongly believe in smarter fraud prevention technology that helps maintain privacy without compromising security. We welcome moves by the European authorities that publicly and legislatively recognise the importance of data privacy in Europe.

There are far too many organisations out there that give customers the impression that giving up more of their privacy is in their best interests in order to stay safer online in the long run. This is definitely not the case. It is possible for personalised information to be kept separate from anonymised data, such as device identification, and to gain customers' trust while keeping their payments safe. It is paramount that businesses are transparent with their customers and fully available to help manage any data sharing concerns.

About Roberto Valerio: Roberto Valerio is the CEO of Risk Ident, leading the day-to-day management of the company. He is responsible for driving the development of the business to serve merchants in need of a modern, intelligent approach to online fraud prevention.

About Risk Ident: Risk Ident offers anti-fraud solutions for companies within the ecommerce and financial sectors, empowering fraud managers with intelligence and self-learning machine technology to provide stronger fraud prevention. Risk Ident are experts in device fingerprinting and behavioural analytics, while its products are specifically tailored to comply with European data privacy regulations.
www.riskident.com/en
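Two points from the interview above, establishing relationships between transactions and keeping personal data separate from device identification, as an added example in Python that is not Risk Ident's code. Device attributes and account e-mails are reduced to keyed hashes before they enter the linking graph, and transactions that share a device are clustered; a device carrying many distinct accounts is the pattern flagged. The pseudonymisation key, the attribute set, the sample events and the accounts-per-device threshold are all assumptions.

```python
"""Linking transactions through pseudonymous device identifiers.

Added example, not Risk Ident code. Key, attributes, events and
thresholds are constructed for illustration.
"""
import hashlib
import hmac
from collections import defaultdict

# Pseudonymisation key. In production it belongs in a KMS/HSM and is
# rotated; it is embedded here only so the example runs offline.
PSEUDO_KEY = b"example-key-rotate-me"

def device_id(attrs: dict) -> str:
    """Keyed hash of stable device attributes. Unlike a plain SHA-256 of the
    same attributes, an HMAC cannot be recomputed (or brute-forced from the
    small space of common user agents) by anyone without the key."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(PSEUDO_KEY, canonical.encode(), hashlib.sha256).hexdigest()[:16]

def account_ref(email: str) -> str:
    """Pseudonymous account reference; the e-mail itself never enters the graph."""
    norm = email.strip().lower().encode()
    return hmac.new(PSEUDO_KEY, norm, hashlib.sha256).hexdigest()[:16]

class UnionFind:
    """Disjoint-set structure used to merge transactions into clusters."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def link_transactions(transactions):
    """Cluster transactions connected by a shared device id.
    Returns {cluster_root: {"tx": [...], "accounts": set(), "devices": set()}}."""
    uf = UnionFind()
    by_device = defaultdict(list)
    for tx in transactions:
        by_device[tx["device"]].append(tx["id"])
    for ids in by_device.values():
        for other in ids[1:]:
            uf.union(ids[0], other)
    clusters = defaultdict(lambda: {"tx": [], "accounts": set(), "devices": set()})
    for tx in transactions:
        c = clusters[uf.find(tx["id"])]
        c["tx"].append(tx["id"])
        c["accounts"].add(tx["account"])
        c["devices"].add(tx["device"])
    return dict(clusters)

def suspicious_clusters(transactions, max_accounts_per_device=2):
    """One device cycling through many accounts is the classic sign of a
    single actor behind stolen or synthetic identities."""
    return {root: c for root, c in link_transactions(transactions).items()
            if len(c["accounts"]) > max_accounts_per_device}

def sample_events():
    """Constructed raw events, as a merchant sees them before pseudonymisation."""
    dev_a = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "1920x1080",
             "tz": "Europe/Berlin", "lang": "de-DE"}
    dev_b = {"ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0)", "screen": "750x1334",
             "tz": "Europe/London", "lang": "en-GB"}
    dev_c = {"ua": "Mozilla/5.0 (Windows NT 10.0)", "screen": "1366x768",
             "tz": "Europe/Paris", "lang": "fr-FR"}
    return [
        ("t1", "anna@example.org", dev_a),
        ("t2", "anna@example.org", dev_a),
        ("t3", "ben@example.org", dev_b),
        ("t4", "Ben@Example.org ", dev_b),   # same person, inconsistent casing
        ("t5", "x1@mail.example", dev_c),    # one device, four "customers"
        ("t6", "x2@mail.example", dev_c),
        ("t7", "x3@mail.example", dev_c),
        ("t8", "x4@mail.example", dev_c),
    ]

def pseudonymise(events):
    """Strip the events down to what the fraud graph needs: hashed references only."""
    return [{"id": i, "account": account_ref(e), "device": device_id(d)}
            for i, e, d in events]

def run_sample():
    return suspicious_clusters(pseudonymise(sample_events()))

if __name__ == "__main__":
    for root, cluster in run_sample().items():
        print(root, sorted(cluster["tx"]), len(cluster["accounts"]), "accounts")
```

Note what the graph does and does not hold: it can tell that t5 to t8 came from one device under four accounts, which is the pattern the fraud manager needs, while neither the e-mail addresses nor the raw device attributes are present in it.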


Feedzai
Myths about Machine Learning

The fintech revolution has begun and machine learning is at the forefront of this next wave of innovation. Machine learning, a branch of artificial intelligence, is now enabling computer systems to have sophisticated judgment and decision-making capabilities (remember that self-driving cars were thought impossible only a few years ago).

"Machine learning, I think, will have a larger impact over the next 20 years than mobile had over the past 20."
- Sun Microsystems co-founder and venture capitalist Vinod Khosla

As Google and Facebook continue to usher in the era of machine learning, the ripple effects can be felt in the financial services industry. Machine learning is radically changing the nature of money and financial services. Now is a great time to dispel the common myths about machine learning.

Myth 1: Machine learning is only for big companies

The declining cost of computing - due to factors such as improvements in computer processing speeds, cheaper data storage, increased communications bandwidth and broader availability of data sources, to name a few - has levelled the playing field, so that companies and businesses of all sizes are able to use machine learning technologies. The range of businesses that can now use machine learning is very wide, ranging from giants like Google and First Data to ecommerce start-up merchants like LongboardsUSA.

[Figure: Computing cost-performance, 1992-2012. Source: Deloitte]

Furthermore, with the advances in software development technology, machine learning can be integrated into your system seamlessly using APIs or plug-ins. At the same time, as the open-source community grows, more developers are creating new applications and APIs that are highly specific to your business or technology stack. Open-source machine learning services are already available in C++ and Python, with more languages to follow. Lastly, the growth of cloud computing provides access to shared machine processing infrastructure. The cloud and open-source adoption, combined with APIs, are the factors that are removing technology barriers to machine learning adoption.

Myth 2: Machine learning takes away my ability to control my business

As machines do more work and make more decisions, the fear of losing control or not understanding the blackbox machine logic is understandable. However, advances in human-to-machine interfaces have been made in recent years, such as whitebox scoring methods, that demystify the underlying decision-making. The whitebox approach is essentially a semantic layer, turning data and decisions into descriptions that anyone can read without resorting to complicated and obscure machine logic or reason codes.

Additionally, as you implement machine learning in your business, it frees up time for your fraud and risk management team. They spend less time manually reviewing orders and payments or manually processing numerous chargebacks every week. This alone is a huge time-saver for your team, time which is reclaimed to spend running your business.

Myth 3: I want the Uber-model that is best for all

First, there is no single best machine learning model that is universally better in all situations. Choosing the best model depends on the problem type, size, available resources, etc. However, just like teams of people working together, groups can often make better decisions than individual members. That's because individuals each have their own biases. The same is true in the case of machine learning with the use of ensemble methods. Ensemble methods use multiple models together in order to help compensate for individual bias. They combine the opinion of multiple learners to achieve superior collective performance. Moreover, ensembles are inherently parallel, which means they work efficiently side by side. For fraud prevention systems, this is vital because it requires far less training time to set up the initial models.

Not only does combining multiple models make the system safer, it also keeps it more relevant. By including different models, evolution will take place at a much faster rate, with less need for human supervision.

Myth 4: Machine learning is all about the model

It cannot be denied that you need a good model or ensemble of models to make machine learning efforts effective. However, simply having effective models isn't enough. Fraudsters are incessantly finding new loopholes and cracks in your system. The only way to stay one step ahead of them is to continually feed in new data sources and strengthen the intelligence by introducing new real-world data and connections. A machine-learning model is only as good as the data it ingests.

[Figure: Data Sources]

The fintech revolution is well underway. As electronic commerce continues to rise, fraudsters have access to more sophisticated tools and increased channels to commit fraud. To combat fast-evolving fraud, organisations must adopt more sophisticated methods. Machine learning, when combined with human intelligence and intuition, can now have superior judgment and decision-making capabilities so organisations can eradicate fraud.

Dr. Pedro Bizarro
Chief Science Officer
Feedzai

About Dr. Pedro Bizarro: Pedro is the Chief Science Officer at Feedzai, where he leads a team of data scientists who are keeping commerce safe. He is a recognised researcher in machine learning and holds a PhD from the University of Wisconsin at Madison.

About Feedzai: Feedzai was founded in 2009 by data scientists and aerospace engineers to make commerce safe for business customers through the use of artificially intelligent machine learning. Feedzai's Fraud Prevention That Learns technology is used by large financial services companies to risk-score over USD 1 billion of commerce transactions each day. Feedzai is a US-based company and is funded by major venture capital investors including OAK HC/FT, Sapphire Ventures and Data Collective.
www.feedzai.com
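An added example, not Feedzai's code, of the two ideas in Myths 2 and 3: an ensemble whose members have deliberately different biases, weighted by the accuracy each achieves on labelled history, together with a whitebox explanation that names which learners fired and why in plain language instead of a reason code. The three learners, the labelled validation set, the transactions scored and the 0.5 decision threshold are all assumptions constructed for illustration.

```python
"""Ensemble fraud scoring with a whitebox explanation.

Added example, not Feedzai code. Learners, validation data, sample
transactions and thresholds are constructed for illustration.
"""
import math

# --- three learners with different views, and therefore different biases ----
def amount_learner(tx):
    """Biased toward basket value: flags any large order, genuine or not."""
    return 1.0 / (1.0 + math.exp(-(math.log1p(tx["amount"]) - 6.0)))

def velocity_learner(tx):
    """Looks only at how many orders the account placed in the last hour."""
    return min(1.0, tx["orders_last_hour"] / 5.0)

def context_learner(tx):
    """Looks at device and geography consistency; ignores amount entirely."""
    p = 0.05
    if tx["new_device"]:
        p += 0.35
    if tx["ip_country"] != tx["bill_country"]:
        p += 0.45
    return min(1.0, p)

LEARNERS = {
    "amount": (amount_learner, "basket value unusually high"),
    "velocity": (velocity_learner, "many orders from this account in the last hour"),
    "context": (context_learner, "new device and/or country mismatch"),
}

def fit_weights(validation, threshold=0.5):
    """Weight each learner by its accuracy on labelled history, mapping
    0.5..1.0 accuracy onto 0..1 so a coin-flip learner gets no vote."""
    weights = {}
    for name, (fn, _) in LEARNERS.items():
        correct = sum((fn(tx) >= threshold) == label for tx, label in validation)
        weights[name] = max(0.0, correct / len(validation) - 0.5) * 2
    total = sum(weights.values()) or 1.0
    return {k: v / total for k, v in weights.items()}

def ensemble_score(tx, weights, threshold=0.5):
    """Weighted average of the learners' probabilities, plus a readable
    explanation listing the learners that voted 'fraud', strongest first."""
    votes = {name: fn(tx) for name, (fn, _) in LEARNERS.items()}
    score = sum(weights[n] * p for n, p in votes.items())
    why = [
        f"{LEARNERS[n][1]} (learner '{n}' says {p:.0%}, weight {weights[n]:.0%})"
        for n, p in sorted(votes.items(), key=lambda kv: -kv[1] * weights[kv[0]])
        if p >= threshold
    ]
    return {"score": round(score, 3), "fraud": score >= threshold,
            "votes": votes, "why": why}

def _tx(amount, orders_last_hour, new_device, ip_country, bill_country="GB"):
    return {"amount": amount, "orders_last_hour": orders_last_hour,
            "new_device": new_device, "ip_country": ip_country,
            "bill_country": bill_country}

# Constructed labelled history (True = confirmed fraud), not real data.
VALIDATION = [
    (_tx(1200, 1, False, "GB"), False),   # big but genuine basket
    (_tx(90, 1, False, "GB"), False),
    (_tx(150, 6, True, "RO"), True),
    (_tx(2500, 4, True, "GB"), True),
    (_tx(300, 1, False, "GB"), False),
    (_tx(60, 7, False, "NG"), True),
    (_tx(300, 2, True, "GB"), False),     # regular customer on a new phone
    (_tx(4000, 1, True, "US"), True),
]

# Constructed transactions to score.
SAMPLE = [
    _tx(1500, 1, False, "GB"),   # genuine high-value order
    _tx(120, 6, True, "RO"),     # account-takeover pattern
]

if __name__ == "__main__":
    w = fit_weights(VALIDATION)
    print("weights", w)
    for tx in SAMPLE:
        print(ensemble_score(tx, w))
```

On the constructed history the amount learner is right only 5 times out of 8, so it ends up with a small weight; the first sample order is then approved even though that learner alone calls it fraud, while the second is caught on velocity and context and the `why` list says so in words a reviewer can act on.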


ai Corporation
Work Smart: Does Your Fraud Team Suffer from Decision Fatigue?

Right now, consumers have never had such a broad range of options to pay for goods and services. What is more, the channels through which the consumer may purchase their goods and services have never been more diverse.

The cost of these new payment options and omni-channel engagement methods has increased the complexity and associated costs for issuing banks, acquiring banks and merchants; it is a cost they must bear in order to stay competitive through this consumer self-service point-of-sale revolution.

The increase in complexity has created both opportunity and great risk for three key groups. Firstly, consumers have the opportunity to choose how and where to buy like never before. This creates the opportunity for the second group, sellers, to increase volume of sales. But with complexity comes confusion, and the third group, fraudsters, has taken full advantage.

Today's fraudsters are highly sophisticated and very well organised. To combat this, legitimate businesses that want to stay competitive need to be both equipped to stop the fraud, and able to do this in an efficient and cost-effective manner.

A balance between man and machine

It is this need for efficiency and effectiveness in the face of ever-increasing and more complex fraudulent activity that drives ai's product development. Our automated systems have been developed to be more effective than manual human decision-making. The efficiency improvements that come with reliable and consistent performance are beyond what any human could be expected to achieve.

It is often said of ai that we are a people business. We agree it is people that drive any successful business and, as our clients testify, it is often our people that help drive other businesses. So, in the case of the fraud management world, what are we doing to ensure we support this principle? If we think about the motivation for a fraudster versus an employee in an increasingly burdened fraud department, you could argue that it is incredible we manage to stop fraud the way we do. So how do we tackle this imbalance?

Many young graduates join a fraud team in order to start a corporate career. Invariably they would start by managing alerts after some kind of induction programme. It is now well evidenced in the field of behavioural economics that as familiarity with a role grows, other human biases start to become more pronounced; in other words, the greater the experience a fraud analyst has, the greater the risk that they will subconsciously be influenced to wander from the ideal resolution. At ai we have spent a lot of time studying the psychology associated with this decision fatigue and have developed our software to mitigate its damaging effects.

The graph below demonstrates the otherwise hidden trend of human behaviour being influenced by external factors. In this case, judges presiding over a parole board discover their decisions are being dramatically influenced by something entirely human - their appetite. Do fraud analysts suffer from this?

Let machines handle the repetitive tasks

ai's mantra to automate tedious routines to release human creativity aligns with the mounting scientific evidence presented in the field of behavioural economics. In fact, one of the International Institute of Analytics' top ten predictions for 2015 was that analytics, machine learning and automated decision-making would come of age in 2015. With the 2015 launch of ai's neural modelling and automated rule set engines, we believe they were right.

ai is very proud of our technical relationship with one of the world's

Mark Goldspink
Chief Executive Officer
ai Corporation

About Mark Goldspink: Mark has spent 25

years in general management roles. Mark joined

leading academic institution who is helping us provide state of

ai Corporation (ai) in 2013 to work with Ashley

the art machine learning solutions. Over the past 2 years we have

Head on developing and expanding a whole

invested over 40% of revenues into research and development.

series of inter-related payment businesses


globally, but with main focus on ai.
About ai Corporation: ai provides fraud
prevention solutions to some of the worlds
largest financial institutions, merchants and
PSPs. Our unique self-service solutions,
including our new state-of-the-art neural
technology, protect and enrich payments
experiences for more than 100 banks, 3 million
multichannel merchants monitoring over 20
billion transactions a year.
www.aicorporation.com

At ai, we believe some jobs are best done by machines, leaving


creative decisions to humans. Therefore, our tools have been
designed to complement business teams, automating many of the
repetitive activities and allowing our customers to focus on the
more complex issues.

Scientifically proven
There is undeniable evidence through peer-reviewed studies that
external influences cause human decision-making to change
during the day, leading to intraday inconsistencies. Isnt it human
nature to think about the weekend and evening events rather than
maintain complete focus through a work shift? For fraud teams,
such distraction could result in serious financial repercussions, but
is entirely foreseeable and indeed natural for humans to become
distracted like this, more so when working in an increasingly
complex payments environment.
The questions you should perhaps be asking are: could your fraud
team or fraud service provider be suffering from decision fatigue
and if so, how can you counter this?

CyberSource
The Future is Mobile

Neil Caldwell, Vice President, European Sales, CyberSource

About Neil Caldwell: Neil Caldwell, VP of European Sales, is responsible for spearheading the expansion of CyberSource's European business and overseeing the sales and account management functions within the company. An accomplished and dynamic sales leader, Neil's background has given him outstanding expertise in financial services and eCommerce payments.

About CyberSource: CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. CyberSource operates in Europe under agreement with Visa Europe.
www.cybersource.co.uk

When I talk to businesses about their ambitions for digital commerce growth, one of the key messages I consistently hear is that the future is mobile. Whatever the size or industry, businesses understandably want to take advantage of the continuing growth of smartphone and tablet penetration, and their use by consumers to purchase goods and services.

Whilst most businesses appreciate the need to tailor their ecommerce experience and user interface for mobile websites and apps, many are not tailoring their fraud management strategy in the same way.

The latest CyberSource fraud survey reports that 45% of survey respondents cite the inability to accurately measure fraud rates by sales channel (causing operational inefficiencies) as one of the fraud challenges of greatest concern (CyberSource 2015 UK Fraud Report Series, Part 1: The World of Mobile Fraud). This is not surprising when the following findings are also reported:
- 43% of respondents track fraud from mobile commerce channels
- 89% of those who do track mobile orders use the same fraud tools as are used to screen ecommerce orders

When businesses don't track or adapt their fraud strategies to the mobile channel, they can become vulnerable in two ways: they risk higher rates of fraud coming via the mobile channel, or they risk blocking orders from genuine customers. The last thing needed when trying to grow the mobile channel is for customers to have a less than ideal experience.

mCommerce fraud strategy

While there are many similarities between eCommerce and mCommerce, there are a number of important differences particularly relevant for fraud management:

Consumer behaviour is different on a mobile device than on a normal PC (laptop or desktop), with purchases being made at different times of the day and different types of purchases being made; thus, rules designed for traditional eCommerce purchases may flag mobile behaviour as anomalous.

The data available from mobile devices is different from non-mobile devices, and even differs by type of mobile device. For example, Apple devices provide a more diluted device fingerprint than Android due to the locked-down nature of Apple's OS.

The detection tools used in fraud management may not change, but the importance of them may vary, depending on the information available via different devices.

All the differences in behaviour, data and tools require a set of rules specifically for the mobile channel, and a channel-specific mobile fraud strategy. The rules created at first will no doubt depend on the data that you can capture, the behavioural patterns and fraud trends that are understood to be relevant by your business, and the level of sophistication that suits your organisation's requirements and risk profile.

[Figure: Managing mCommerce Fraud Risk, A Framework for Action]

The framework in the figure provides a process-based approach to work through the differences between mCommerce and eCommerce for fraud management. Working through the process step by step can help you understand the implications of the mobile channel for fraud management, and equip you to decide on the best course of action for your organisation.

For those just starting out with a fraud management strategy, I recommend three simple steps to help get started:
- Start tracking mobile transactions. Measuring mobile chargebacks, rejection and review rates will enable informed decisions to be made about when and how to act.
- Create a distinct mobile profile, even if at first the rules applied are an exact copy of existing ecommerce rules.
- Start capturing the device type and operating system, even if no rules are immediately implemented based on the differences in fraud pressure between the devices.

You can't manage what you can't measure

The mobile space is relatively new and, as it grows and matures, fraudster strategies and exploits are likely to evolve. Consumer behaviours and purchasing patterns are likely to continue to change. So, in my opinion, it is important to monitor, measure, analyse and fine-tune fraud management strategies for mobile more closely than for established channels.

Fraudsters will move between channels as they try to exploit both eCommerce and mCommerce. As important as it is to segment these channels, it is equally important to be able to integrate them for analysis and to spot activity and patterns in one channel that affect actions in another.

In my experience, businesses that actively manage mobile fraud can achieve fraud rates similar to rates achieved on other channels, and for those experiencing above-average rates, it is usually a sign that a mobile-specific fraud strategy either is not in place or needs to be fine-tuned.

The ability to understand how consumer behaviour differs on mobile devices; to capture the data that is relevant to the mobile channel and implement appropriate fraud management tools and rules; to track and analyse mCommerce chargeback, rejection and review rates and fine-tune your mobile strategy in response: all have clear implications for the experience that both customers and fraudsters have when they interact with you through your mobile channel.
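As an added illustration of the three starting steps and of 'you can't manage what you can't measure' (example code written for this edit, not CyberSource's product and not the survey's data): orders carry a sales channel and a device OS, the mobile channel gets its own rule profile that starts as an exact copy of the web rules and is then tuned, and chargeback, rejection and review rates are computed per channel (and per device OS within mobile) so that an above-baseline mobile rate is visible instead of being hidden in a blended figure. The rule thresholds, the `quiet_hours` tuning, the 50% tolerance and the order records are all assumptions.

```python
"""Channel-segmented fraud screening and measurement.

Added example, not CyberSource code. Each channel has its own rule profile
(mobile starts as a copy of the web rules and is tuned separately), and
review / reject / chargeback rates are measured per channel so an
above-baseline mobile rate stands out. All thresholds and data are assumed.
"""
import copy
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    channel: str        # "web" or "mobile"
    device_os: str      # captured now, even if no rule uses it yet
    amount: float
    hour: int           # local hour of day, 0-23
    charged_back: bool  # known only after the fact


# Web (desktop) rules; the mobile profile starts as an exact copy.
WEB_RULES = {"review_above": 250.0, "quiet_hours": {23, 0, 1, 2, 3, 4, 5}}
MOBILE_RULES = copy.deepcopy(WEB_RULES)
# Tuned once measurement shows late-evening mobile buying is normal (assumption).
MOBILE_RULES["quiet_hours"] = {2, 3, 4}
PROFILES = {"web": WEB_RULES, "mobile": MOBILE_RULES}


def screen(order: Order, profiles=PROFILES) -> str:
    """Return 'reject', 'review' or 'accept' using the order's own channel profile."""
    rules = profiles[order.channel]
    if order.amount > 4 * rules["review_above"]:
        return "reject"
    if order.amount > rules["review_above"] or order.hour in rules["quiet_hours"]:
        return "review"
    return "accept"


def channel_metrics(orders, profiles=PROFILES, key=lambda o: o.channel):
    """Per-group review and reject rates (over all orders) and chargeback rate (over accepted orders)."""
    groups = defaultdict(list)
    for o in orders:
        groups[key(o)].append((o, screen(o, profiles)))
    out = {}
    for name, rows in groups.items():
        n = len(rows)
        accepted = [o for o, d in rows if d == "accept"]
        out[name] = {
            "orders": n,
            "review_rate": sum(d == "review" for _, d in rows) / n,
            "reject_rate": sum(d == "reject" for _, d in rows) / n,
            "chargeback_rate": (sum(o.charged_back for o in accepted) / len(accepted)) if accepted else 0.0,
        }
    return out


def channels_above_baseline(metrics, baseline="web", tolerance=0.5):
    """Channels whose chargeback rate exceeds the baseline's by more than `tolerance` (relative)."""
    base = metrics[baseline]["chargeback_rate"]
    return sorted(name for name, m in metrics.items()
                  if name != baseline and m["chargeback_rate"] > base * (1 + tolerance))


# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("w1", "web", "windows", 40.0, 14, False),
    Order("w2", "web", "macos", 120.0, 10, False),
    Order("w3", "web", "windows", 300.0, 16, False),    # review: amount
    Order("w4", "web", "linux", 60.0, 20, True),        # accepted, later charged back
    Order("w5", "web", "windows", 35.0, 12, False),
    Order("m1", "mobile", "ios", 45.0, 23, False),      # accepted under mobile rules, review under web rules
    Order("m2", "mobile", "android", 80.0, 22, True),
    Order("m3", "mobile", "ios", 25.0, 21, True),
    Order("m4", "mobile", "android", 1200.0, 13, False), # reject: amount
    Order("m5", "mobile", "ios", 30.0, 3, False),        # review: quiet hour
]

if __name__ == "__main__":
    m = channel_metrics(SAMPLE_ORDERS)
    for name, stats in m.items():
        print(name, stats)
    print("needs a mobile-specific look:", channels_above_baseline(m))
    print("per device OS within mobile:",
          channel_metrics([o for o in SAMPLE_ORDERS if o.channel == "mobile"], key=lambda o: o.device_os))
```

In practice the decisions would come from the fraud tool and the chargebacks from the acquirer's reports; the point of the block is that the same `channel_metrics` call, grouped by channel today and by device OS tomorrow, is what the first and third steps make possible, and that the order `m1` is sent to review by the web profile but accepted by the tuned mobile one.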

Innopay
360-Degrees Fraud Management: Securing the Customer Journey

Hugo Löwinger, Digital Identity & Fraud Management, Innopay

About Hugo Löwinger: Hugo Löwinger brings over a decade of experience in business-driven fraud and authentication strategy at large financial institutions. Hugo leads the digital identity practice at Innopay and previously fulfilled strategic positions at, among others, ING Bank and Capgemini Consulting.

About Innopay: Innopay is an independent consulting company, specialised in online payments, digital identity and e-business. We help our clients, including financial institutions, governments and corporates, develop the compelling strategies and digital services for consumers and companies that are key for successful competition in a rapidly digitising world.
www.innopay.com

When asked in the 1930s why he robbed banks, Willie 'Slick' Sutton replied: 'because that's where the money is'. Sure, banking has since then largely moved online, and so have criminals. However, what was true then remains as true today: criminals target financial institutions because that's where the money is. As a result, both the top and bottom line suffer.

Fraud: an inevitable surprise

We know that at some point we will be confronted with fraud; we just don't know exactly when and in which form. We are in a constant balancing act between customer convenience, fraud control and cost containment.

The top line suffers as customer journeys are cut short for being overly burdensome because of security measures. Think of prospects having to come to the branch, or getting stuck in paper-heavy processes during onboarding, hampering conversion rates.

The bottom line hurts because implementing and maintaining anti-fraud measures can have serious (opportunity) costs that come on top of actual fraud loss and repair cost.

Fundamentally, fraud is a business issue, so let's treat it as such

So, why is it that something with as much impact on both the organisation and its customers as fraud is often treated like an afterthought, and is still frequently offloaded to risk managers, security officers and fraud advisors outside the primary process?

Don't get me wrong: we desperately need these experts, today more than ever! However, just as we do not rely exclusively on the finance department to be profitable, we cannot expect the risk, security or fraud department to, by themselves, keep our customers' data and money safe, especially not from within the second line of defence. How then do we close this gap?

It starts with an integrated, customer-centric view

At Innopay we use a three-tiered approach called '360-degrees fraud management', which consists of a comprehensive set of tools enabling organisations to come to grips with the wicked problem that fraud is. Below you will find a primer.

Tier 1: Mission control

It is important to define clear roles and responsibilities that are as integrated with regular governance as possible, to avoid unnecessary cost and preserve organisational agility.

Proper orchestration will allow the organisation to take action when a new M.O. (modus operandi, or specific fraud pattern) emerges, before fraudsters get a chance to ramp up and/or branch out their operation. It will also help the organisation identify consolidation opportunities for fraud measures, which is important given the ongoing commoditisation of available solutions.

Tier 2: Customer journey

The customer journey is at the heart of the approach, because ultimately this is what the organisation is all about: providing convenient, secure and cost-effective service to its customers.

It is paramount that we strike the right balance and make sure that the most convenient options are secure. There is nothing like a burdensome security measure to make customers look for easier, and often less secure, alternatives, sometimes at the competition.

Customer authentication (during login and transaction signing) and fraud detection are the key ingredients of this defence layer. Today we see new technologies being implemented, such as mobile-centric authentication and fingerprint, behavioural and voice recognition, resulting in an easier and truly omnichannel customer experience if and when properly designed.

Tier 3: Knowledge position

Last but certainly not least is the knowledge position of the organisation, which is essential in taking well-informed decisions and action.

Many organisations are exchanging fraud intelligence, both quid pro quo and commercially. This intelligence ranges from stolen credentials (e.g. usernames, passwords) retrieved from underground forums, to suspicious IP addresses, skimmed cards and sometimes even alerts from risk engines.

Not only should knowledge be shared with peers. It is also important that we do not shun our customers out of fear of spooking them. As a result of high-profile fraud incidents and security breaches, customers are much more aware of potential risks. We should acknowledge their concern by providing them with actionable information. When applied the right way, knowledge can be a true multiplier of defence effectiveness.

Putting it all together: a 360-degree approach to business-driven defence-in-depth fraud management

To meet customer expectations in a secure manner, organisations make fraud management a natural part of the design, continuous development and management of their customer journeys. This takes tools and methods that business owners feel comfortable applying, and is exactly where the 360-degrees approach can help.

When asked 'why is fraud management driven from within the business?', at Innopay we reply: 'because that's where the solutions are!'

Ecommerce Europe
E-ID: Fraud and Risk Prevention in Cross-border Ecommerce

Elaine Oldhoff, Policy Advisor, Thuiswinkel.org

About Elaine Oldhoff: Elaine Oldhoff works as a policy advisor for the Dutch association for online stores, Thuiswinkel.org. She is a member of the e-Regulations Committee and the e-Payments Committee of Ecommerce Europe. On a daily basis she focuses on the potential of e-identification for the digital economy.

About Ecommerce Europe: Ecommerce Europe is the association representing around 25,000 companies selling products and/or services online to consumers in Europe. Ecommerce Europe offers to be a one-stop shop for the European Institutions for all ecommerce-related issues. Ecommerce Europe can be consulted on market research and data, policy questions and in-depth country knowledge.
www.ecommerce-europe.eu

Cross-border ecommerce

The growth rate of the European B2C ecommerce sector reached double digits in 2014. However, the full potential of the European ecommerce market has not been achieved yet. Currently, only 15% of consumers shop online from another EU country. In order to stimulate cross-border ecommerce, European stakeholders should work together in removing the remaining barriers.

Ecommerce Europe believes interoperable e-identification is a precondition to unlock the potential of cross-border ecommerce. In the online payments sphere, fraud is believed to be one of the main barriers, with identity theft as one of the fastest growing crimes. e-ID solutions enable the prevention of fraud and identity theft, and stimulate the development of consumer trust and convenience. The e-ID landscape develops quickly. However, for interoperable e-identification to evolve, hurdles must be overcome.

Barriers for cross-border ecommerce

As a recent survey by Experian shows, most organisations (78%) across Europe, the Middle East and Africa consider online fraud the biggest challenge at the moment. In particular, identity theft, which is currently a major issue for 24% of businesses in EMEA, is expected to double in the next five years and become a serious concern for 48% of businesses. Ecommerce Europe believes that the main reason for this problem is the lack of safe, reusable and interoperable e-identities. This deficiency forces online service providers to each provide their own consumer registration and login solutions. Within this variety of solutions, safe and secure digital interactions between businesses and consumers are not always guaranteed.

In June 2015, Ecommerce Europe published the outcome of the survey 'Barriers to Growth in ecommerce'. Consumer identification was specifically mentioned as a concrete example when it came to barriers linked to online payments. The absence of reusable e-identities proved to be a barrier for merchants who wanted to participate in cross-border ecommerce.

e-ID as a solution

Fortunately, in order to improve data protection and to increase convenience and consumer trust, many Member States are currently working on (or already working with) national e-ID schemes. Interoperable online identities verified directly by the government, or indirectly by other trusted parties, will help reduce the risks of cybercrime and (payment) fraud. e-ID can provide unambiguous identification of a consumer and enables effective age verification for age-dependent services (such as online gambling) or certain product markets (such as alcohol, tobacco and medication).

Especially with regard to payments, e-identification brings great opportunities to solve problems caused by complicated checkout processes. By reusing previously verified information, delivery and payment preferences, the checkout solution can be simplified, which adds much to the seamless shopping experience of the consumer. At the same time, this so-called one-click-buy solution guarantees maximum reach and conversion at fair cost for merchants and consumers.

eIDAS Regulation: interoperability on its way

In order to fully benefit from e-ID opportunities, interoperability between e-ID schemes in different Member States should be stimulated. The recently adopted eIDAS Regulation requires Member States to recognise each other's e-ID means if, under their national law or administrative practice, electronic identification is required to access a public service. This applies as long as the means is issued under an electronic identification scheme that is notified to, and included in the list published by, the European Commission.

The effort made by the Commission in drafting the eIDAS Regulation looks like a step in the right direction. The interoperability of national electronic identification schemes across borders is, however, still in its infancy. Ecommerce Europe believes that the eIDAS Regulation lacks an obligation for Member States to notify their national schemes to the European Commission.

Ecommerce Europe calls upon national governments to notify their national schemes to the European Commission in order to enable an interoperable e-ID landscape throughout Europe. An interoperable e-ID will be a driver for innovation and, eventually, will reduce cybercrime and fraud risk. To continue the growth rate of B2C ecommerce, consumer trust should be reinforced.


REGULATION, PRIVACY AND DATA PROTECTION

The European Payments Council
Security of Internet Payments: the EBA Two-Step Approach

Javier Santamaría, Chair, The European Payments Council

About Javier Santamaría: Javier Santamaría is the Chair of the EPC and a Senior Vice President with Banco Santander. He is a member of the Board of the Euro Banking Association, a Director of the SWIFT Board and Chair of the Iberpay Board.

About The European Payments Council: The European Payments Council is an international not-for-profit association, representing payment service providers, which aims to support and promote European payments integration and development, notably the Single Euro Payments Area (SEPA), through the development and management of pan-European payment schemes and the formulation of positions on European payment issues.
www.europeanpaymentscouncil.eu

The European Banking Authority (EBA), as part of its mission to ensure effective, consistent and prudential regulation, as well as supervision across the European banking sector, drafted implementation guidelines on the security of internet payments in 2014. The guidelines were based on the recommendations issued in January 2013 by the European Forum on the Security of Retail Payments (SecuRe Pay) for the security of internet payments.

The EBA consulted the payment stakeholder community on those guidelines in late 2014. Because the finalised EBA implementation guidelines would apply prior to the entry into force of the revised Payment Services Directive (PSD2), the European Payments Council (EPC) suggested an alternative approach. The EBA, however, decided that the implementation guidelines would come into force on 1 August 2015 and that stronger requirements would then emerge at a later date under the PSD2.

The EPC is now looking forward to the EBA's consultative process on the updated security requirements for internet payments, which should meet the more stringent principles of the PSD2.

The 2014 EBA consultation on implementation guidelines for internet payments and the EPC response

During the consultation process, the EBA focused specifically on implementation rather than on the substance of the requirements, as the negotiations of the PSD2 could have affected them. The EBA issued these guidelines to ensure consistent regulation across the European Union (EU) and provide legal certainty for market participants.

The consultation on these guidelines asked the question: 'Do you prefer for the EBA guidelines to:
a) Enter into force, as consulted, on 1 August 2015 with the substance set out in this consultation paper, which means they would apply during a transitional period until stronger requirements enter into force at a later date under PSD2 (option a)
b) Anticipate these stronger PSD2 requirements and include them in the final guidelines under PSD1 that enter into force on 1 August 2015, the substance of which would then continue to apply under PSD2 (option b)?'

In response to the consultation, the EPC recommended a third option (called 'option c'): a scenario whereby the EBA guidelines would be issued only after the entry into force of PSD2 and the publication of the regulatory technical standards mandated by PSD2, following a consultation of the market and safeguarding an adequate timeframe for implementation.

If the EBA were not to accept the recommended option c, the EPC had a preference for option a, i.e. the 'two-step approach'.

The EPC also pointed out that, in the last two decades, many security solutions were implemented, only to be rendered obsolete and replaced by safer solutions as technology evolved. Therefore, stakeholders are permanently in search of solutions that master the subtle balance between security and user convenience. Since 2010, new threats have appeared, authentication solutions have evolved and the preferred platform for internet payments has changed from PCs to mobile devices. This field of expertise is highly dynamic. The EPC, therefore, suggested that new developments (e.g. tokenisation, risk-based authentication) should be taken into account when finalising the guidelines.

Finalised EBA guidelines on the security of internet payments

The finalised guidelines, published by the EBA in December 2014, set the minimum security requirements that Payment Service Providers (PSPs) in the EU were expected to implement. The EBA retained the two-step approach whereby the guidelines, which were implemented on 1 August 2015, will be replaced at a later stage by the more stringent requirements necessary under the PSD2. The EBA concluded that a delay in the implementation of the guidelines until the transposition of the PSD2 in 2017/2018 would not be feasible in view of the continuously high and growing levels of fraud in the domain of internet payments.

Some countries announced they were unable to comply with the EBA guidelines

The EBA guidelines are based on a 'comply or explain' principle: national competent authorities need to inform the EBA whether they will be able to comply and, if not, they are asked to provide an explanation. The majority of the national competent authorities advised that they would comply or intend to comply with the EBA guidelines on the security of internet payments. However, the UK, Slovakia, Estonia and Iceland communicated that they are unable to, while Cyprus and Sweden will partially comply.

Towards more stringent EBA guidelines compliant with the PSD2

A key question covered in the PSD2, though with certain ambiguities, is the authentication of the payment service user. To this end, the EBA is tasked with developing and drafting regulatory technical standards on strong customer authentication, which should be submitted to the European Commission within 12 months of the PSD2 entering into force, i.e. by the end of 2016.

In this context, the EPC strongly advises against the possibility for third-party PSPs to use the personal security credentials of the customer to get access to its account. The EPC reiterates that personalised security credentials should not be shared with third parties and hopes that the EBA will take this concern into consideration.

The EPC, furthermore, looks forward to the EBA's consultative process in this area and the opportunity it will provide to contribute to achieving secure and convenient internet payments, as well as technological neutrality.

LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONS

39

CardinalCommerce
How EMV Will Change Online Business in the US

Everyone in the payments ecosystem is talking about EMV and the

Historically, in other regions, as EMV cards have been rolled out,

October 2015 deadline for liability shift in the US. For merchants

POS-related fraud, as would be expected, went down. CNP fraud,

who have installed the EMV card readers in their brick-and-mortar

however, skyrocketed. In the UK, online fraud jumped from GBP

locations, this means that they will not be liable for fraud at the

45 million the year before the cards were introduced to GBP 181.7

point-of-sale terminal (or point-of-sale fraud). But, for omnichannel

million five years later. Experts expect the same to happen in the

and online merchants, how will the use of EMV cards impact their

US. To combat the threat of CNP fraud, the use of 3D Secure was

ecommerce fraud level?

mandated in other regions, and merchants implemented protocols


like Verified by Visa, MasterCard Secure Code, American Express

Many banks and retailers in the US are now using the EMV system

SafeKey, and others. As a result, CNP fraud in those areas has

because of recent data breaches. Long used in Europe and other

decreased, but has recently started to rise in the US.

regions, this system uses credit cards with an embedded chip, thus
requiring new POS readers on the merchant side. The chip makes

How can online merchants protect themselves?

cards more difficult to counterfeit for in-person use. This new

To thwart the influx of online fraud, many ecommerce merchants

system, though expensive to implement for both merchants and

have dialed up their fraud tools. This helps control the increasing levels of fraud, but also creates false positives, such as transactions that the fraud tool flags as potential threats and the merchant declines what are actually good orders. This is almost as harmful to a merchant as the fraud attack itself because it results in lost sales and potential insults to good consumers.

History of EMV
EMV is not a new technology, even though it is news in the US. Introduced in the 90s, EMV has almost completely replaced the magnetic stripe cards in Europe, and is in wide use in Asia, South America, Canada and Mexico. The US, the last major holdout, is converting now, with a recent liability shift deadline in October 2015.

One of the major benefits of EMV cards is around how the chip works. Each time the card is used in person, the chip creates a unique transaction code that cannot be re-used. Therefore, if a card number is stolen in a breach, and a counterfeit card created, the stolen number and transaction code would not be usable and any fraudulent attempts at point-of-sale would be denied. This is also a drawback because the chip is not read for a CNP transaction, whereas a stolen EMV card number can be, and increasingly is, used to make fraudulent CNP transactions.

banks, will make POS transactions much more secure. However, it also introduces the threat of fraud in card-not-present (CNP) transactions, because the chip provides no benefit when the card is not present.

This puts online merchants in a difficult spot. Because EMV cards cannot be used for in-person fraud, the fraudsters look for the path of least resistance, the CNP world. But there is a way to prevent fraud. Cardinal Consumer Authentication (CCA) protects online transactions the way EMV cards prevent fraud at the cash register. CCA's patented technology works with the 3D Secure protocols to authenticate transactions with the card-issuing bank during online transactions. Our more than 15 years of experience in protecting CNP transactions benefits merchants. And, by combining CCA with a fraud tool, merchants can increase their good orders by up to 15% vs using a fraud tool alone.

Its rules-based approach gives merchants choice in how each transaction is authenticated, and control over the amount of consumer friction during checkout. In some cases, where a merchant has high ticket items (like fine jewelry or travel) or SKUs that have a history of fraud, introducing friction into the checkout experience in the form of a challenge can be what the merchant intends. The authentication rules allow merchants to balance the risk of the transaction with the consumer experience.
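The History of EMV section above makes a concrete claim: the chip's per-transaction code stops a breached card number from being replayed at the point of sale, but a card-not-present request carries no such code. The following is an added toy model of that contrast, not the EMV specification and not CardinalCommerce code. Real EMV cryptograms are 3DES/AES MACs computed with a key derived from the card's master key and its Application Transaction Counter (ATC); here an HMAC-SHA256 over similar fields stands in, and the card number, key table and issuer logic are constructed for illustration.

```python
"""Toy model of the EMV point: the chip produces a code unique to each
in-person transaction, so a number captured in a breach cannot be replayed
from a counterfeit card, while a card-not-present (CNP) request carries no
such code at all.

Added illustration, not the EMV specification or CardinalCommerce code. In
real EMV the cryptogram is a 3DES/AES MAC computed by the chip with a key
derived from the card's master key and its Application Transaction Counter
(ATC); here HMAC-SHA256 over similar fields stands in for it, the key table
and card number are constructed, and the issuer logic is simplified.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed per-card key as the issuer would hold it (not a real key).
ISSUER_CARD_KEYS = {"4000123412341234": bytes.fromhex("00" * 15 + "01")}


def chip_cryptogram(pan: str, key: bytes, atc: int, amount_cents: int, unpredictable: int) -> str:
    """What the chip computes for one in-person transaction.

    The ATC increments on every use and the terminal supplies a fresh
    unpredictable number, so the code cannot be valid for a second transaction.
    """
    msg = f"{pan}|{atc:05d}|{amount_cents}|{unpredictable:08x}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class Issuer:
    """Issuer-side state: highest ATC accepted for each card."""
    last_atc: dict = field(default_factory=dict)

    def authorise_pos(self, pan, atc, amount_cents, unpredictable, cryptogram) -> str:
        key = ISSUER_CARD_KEYS.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        expected = chip_cryptogram(pan, key, atc, amount_cents, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            # A counterfeit card knows the PAN but not the key.
            return "DECLINE: bad cryptogram (counterfeit or tampered)"
        if atc <= self.last_atc.get(pan, -1):
            # A genuine code captured earlier and presented again.
            return "DECLINE: replayed transaction counter"
        self.last_atc[pan] = atc
        return "APPROVE"

    def authorise_cnp(self, pan, amount_cents) -> str:
        # An online checkout delivers only static card data. No chip is in the
        # loop, so nothing here distinguishes the cardholder from someone
        # holding a breached PAN; that gap is what CNP authentication must fill.
        if pan in ISSUER_CARD_KEYS:
            return "APPROVE (no cryptogram available to check)"
        return "DECLINE: unknown card"


def demo():
    """Run the four cases the text describes and return the outcomes."""
    issuer = Issuer()
    pan = "4000123412341234"
    key = ISSUER_CARD_KEYS[pan]
    genuine = chip_cryptogram(pan, key, atc=7, amount_cents=4999, unpredictable=0x1A2B3C4D)
    first = issuer.authorise_pos(pan, 7, 4999, 0x1A2B3C4D, genuine)      # real card, real chip
    replay = issuer.authorise_pos(pan, 7, 4999, 0x1A2B3C4D, genuine)     # captured data replayed
    forged = issuer.authorise_pos(pan, 8, 4999, 0x5E6F7081, "0" * 16)    # counterfeit, no key
    cnp = issuer.authorise_cnp(pan, 4999)                                # same PAN used online
    return first, replay, forged, cnp


if __name__ == "__main__":
    for label, outcome in zip(("genuine", "replay", "forged", "CNP"), demo()):
        print(f"{label:8s} {outcome}")
```

The replay and forgery are both rejected at the point of sale for different reasons (a stale counter and a MAC the counterfeiter cannot compute), while the CNP path has nothing to verify, which is exactly why the text turns to 3D Secure style authentication for online orders.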


Michael Roche
VP of Consumer Authentication
CardinalCommerce

Passive authentication happens behind the scenes, with no friction during checkout for the consumer, using things the merchant and the issuer know about the cardholder - like IP address, device identification, buying patterns, or any other data point the merchant collects.

Consumer Authentication has other benefits for online and mobile transactions. Merchants usually benefit from increased sales, liability shift on chargebacks, less manual review and potential interchange fee savings. Merchants see a sales increase with a Consumer Authentication solution because there are fewer false positives that might ordinarily be declined, internally and externally. Merchants also enjoy a liability shift with fraudulent chargebacks on Cardinal Consumer Authentication transactions because the issuing banks take on the risk if any transactions result in fraud.

To wrap up, EMV's rollout in the US is a good thing for brick-and-mortar merchants, but will open up opportunity for fraud for CNP merchants. Online merchants in the US should be aware of the shift from fraud at POS to CNP fraud due to EMV, and protect their online business with the 3D Secure protocols (like MasterCard SecureCode, Verified by Visa and others), as well as take advantage of the liability shift on authenticated transactions and potential savings on interchange and manual review.

About Michael Roche: Michael Roche is the VP of Consumer Authentication and focuses on improving current products and shaping new product development, as well as developing and strengthening relationships with enterprise partners in order to provide them with ecommerce solutions tailored to their needs.

About CardinalCommerce: CardinalCommerce is the pioneer and global leader in enabling authenticated payment transactions in the card-not-present payments industry, and the largest authentication network in the world. Through One Connection to the proprietary Cardinal SafeCloud, we enable friction-free, technology-neutral authentication and alternative payment services (including digital wallets and mobile commerce services).
www.cardinalcommerce.com
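The article describes a rules-based choice between passive authentication (signals the merchant and issuer already hold) and a deliberate challenge for high-ticket items or SKUs with a fraud history. The block below is an added example of such a rule set in working form; it is not CardinalCommerce code, and the rule names, thresholds, SKU list and sample orders are all constructed for illustration.

```python
"""Rules-based choice between passive and challenge authentication at a
card-not-present checkout, following the approach described in the text:
passive signals the merchant and issuer already hold (device, IP, buying
history) clear most orders without friction, while high-ticket items and
SKUs with a fraud history step up to a challenge by merchant choice.

Added example, not CardinalCommerce code: the rule names, thresholds, SKU
list and sample orders are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

HIGH_TICKET_CENTS = 50_000                                  # constructed: USD 500 and up
HIGH_RISK_SKUS = {"JEWEL-RING-18K", "TRAVEL-FLIGHT-INTL"}    # constructed fraud-history SKUs
TRUSTED_HISTORY = 3                                         # good orders that earn leniency


@dataclass
class Order:
    order_id: str
    amount_cents: int
    skus: List[str]
    device_known: bool      # device fingerprint seen before on this account
    ip_country: str
    card_country: str
    prior_good_orders: int  # buying pattern the merchant collects


def rule_high_ticket(o: Order) -> bool:
    return o.amount_cents >= HIGH_TICKET_CENTS


def rule_risky_sku(o: Order) -> bool:
    return bool(HIGH_RISK_SKUS & set(o.skus))


def rule_geo_mismatch(o: Order) -> bool:
    # A mismatch on a known device with a solid history reads as a traveller,
    # not a fraudster, so it is only flagged when the history is thin.
    trusted = o.device_known and o.prior_good_orders >= TRUSTED_HISTORY
    return o.ip_country != o.card_country and not trusted


def rule_new_device_new_account(o: Order) -> bool:
    return not o.device_known and o.prior_good_orders == 0


# The merchant tunes this list: each entry is a reason label and a predicate.
RULES: List[Tuple[str, Callable[[Order], bool]]] = [
    ("high ticket", rule_high_ticket),
    ("risky SKU", rule_risky_sku),
    ("IP country differs from card country", rule_geo_mismatch),
    ("new device on a new account", rule_new_device_new_account),
]


@dataclass
class Decision:
    order_id: str
    action: str                       # "PASSIVE" or "CHALLENGE"
    reasons: List[str] = field(default_factory=list)


def decide(order: Order) -> Decision:
    """Any triggered rule steps the order up to a challenge; otherwise the
    order is authenticated passively, with no friction for the consumer."""
    reasons = [name for name, pred in RULES if pred(order)]
    if reasons:
        return Decision(order.order_id, "CHALLENGE", reasons)
    return Decision(order.order_id, "PASSIVE", ["all passive signals consistent"])


def friction_report(orders: List[Order]) -> Dict[str, int]:
    """How much checkout friction the current rule set imposes on a batch."""
    decisions = [decide(o) for o in orders]
    challenged = sum(d.action == "CHALLENGE" for d in decisions)
    return {"orders": len(decisions), "challenged": challenged, "passive": len(decisions) - challenged}


# Constructed sample orders.
SAMPLE_ORDERS = [
    Order("o1", 2_999, ["BOOK-0451"], True, "US", "US", 5),
    Order("o2", 129_900, ["JEWEL-RING-18K"], True, "US", "US", 5),
    Order("o3", 4_500, ["BOOK-0451"], False, "RO", "US", 0),
    Order("o4", 4_500, ["BOOK-0451"], True, "FR", "US", 12),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        d = decide(o)
        print(o.order_id, d.action, "; ".join(d.reasons))
    print(friction_report(SAMPLE_ORDERS))
```

The friction report is the knob the text talks about: a merchant tightening the ticket threshold or adding SKUs sees directly how many otherwise clean orders will now meet a challenge.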


time.lex
Doing Business in Europe? Mandatory Data Protection Compliance in Every Single Country

A lot has been written about two recent court cases related to Facebook. The first one is the case of the Austrian student Maximilian Schrems against the Data Protection Commissioner (European Court of Justice, case C-362/14, of 6 October 2015), finding the Safe Harbour arrangement invalid for the transfer of personal data from Europe to the US. The second case is the one by the Belgian privacy commission against Facebook of 9 November 2015 in Brussels. But what is the impact for cross-border ecommerce business in the European Union? Here are three takeaways for every company doing business in Europe, from merchants selling goods or services online in Europe to cloud computing providers, social media platforms and many others.

1. Comply in every single country, or else
The first clear message from both court cases is that data protection and privacy compliance must be taken seriously, especially when personal data is transferred outside the European Union. Ensuring cross-border compliance with data protection law has become a top priority for data protection authorities and courts all over Europe.

A much-debated issue in the Brussels court was the territorial application of the national data protection legislation and the international jurisdiction of the local courts. Facebook argued that, because Facebook's European headquarters are in Ireland, only the Irish data protection legislation applies and that only the Irish courts have jurisdiction. The Brussels court disagreed. All international companies with several establishments in the EU must comply with national data privacy laws, and not just with the law of the company's main European establishment, which was recently confirmed by the CJEU in its Weltimmo judgement (C-230/14). The same goes for companies without any EU establishments, but which make use of so-called 'equipment' located on the territory of several EU member states. Such companies will be subject to the regulatory regime of multiple national data protection authorities.

2. How to transfer data from Europe to the US
In the Schrems case, the Court of Justice of the European Union found that the existence of the European Commission Decision about the so-called 'Safe Harbour' arrangement with the US did not prevent a national data protection authority from investigating individual complaints relating to the transfer of personal data to the US. The CJEU found the Safe Harbour Decision to be invalid. The so-called Article 29 Working Party, the body of representatives which includes representatives from the European Member States' data protection authorities, as well as representatives from the European Commission and the European Data Protection Supervisor, clarified a number of consequences that derived from the decision in the Schrems case. Meanwhile, the European Commission issued a communication on 6 November 2015 as well, with practical guidance.

What are the practical consequences for (ecommerce) merchants in Europe, cloud computing providers, or social media platforms etc.? No transfer to the US may be based solely on the invalidated regime. This means that you can only transfer data to the US using the means still allowed. Transfers are only allowed if you:
- Make use of the Model Contractual Clauses issued by the European Commission and properly notified to the local data protection authority (in Belgium there is the Privacy commission);
- Make use of Binding Corporate Rules issued as outlined in the templates drafted by the Article 29 Working Party and again properly notified to the local authorities;
- There are also exceptions - such as transfer based on consent - but this can only be used in exceptional circumstances and not for systematic transfers to the US.
- In some EU member states you can make use of your own ad hoc contractual provisions or binding corporate rules which have been properly notified and/or approved according to local legislation;


Edwin Jacobs
Partner
time.lex

Note that the Article 29 Working Party has indicated that, for now, the model contractual clauses or the binding corporate rules are still accepted but that they too may be re-evaluated in 2016 if no progress has been made on a political level to come to an acceptable and valid regime for data transfers between the US and the EU. Meanwhile, a new Safe Harbour regime between the US and the EU is expected early 2016. Any new Safe Harbour agreement should include obligations on the necessary oversight of access by public authorities, transparency, proportionality and redress. A new Safe Harbour agreement will probably not mean that the national data protection authorities will suddenly back down.

3. Using social media plug-ins on your company website?
The owner of a website must properly inform its website visitors of the kind of information he is collecting, the purposes for which it is used, the types of cookies, the social media plug-ins he is using and the duration of storage of the cookie or plug-in on the surfer's computer. But that is not all. Before activating some types of cookies and plug-ins, the surfer's prior express consent is needed. Even the mere collection of your visitors' IP address by using cookies or social plugins is already considered as processing of personal data.

About Edwin Jacobs: Edwin Jacobs is a partner at time.lex and a lecturer at the University of Leuven and Antwerp.
edwin.jacobs@timelex.eu

About time.lex: time.lex is a law firm specialised in fintech, information and technology law in the broadest sense, including privacy protection, data and information management, e-business, intellectual property, online media and telecommunications.
www.timelex.eu


Smart Payment Association

Will EMV Eliminate Card Fraud in the US?

Does the end of swipe and sign mean the end of card payment fraud in the US? It is a simple question. And the answer is simple too: No.

The case for EMV adoption is beyond doubt. Countries with completed EMV implementations have registered significantly lower rates for card fraud. In 2012, for example, the card fraud loss ratio across the European Union stood at 0.038%. In a pre-EMV US, the figure was over two and a half times higher, reaching more than 1%.

But, as we see, even in mature EMV markets fraud does not disappear. It just moves online. Card-Not-Present (CNP) fraud is nothing new, of course. Back in 2007, France's Observatory for Payment Card Security estimated that half of all card payment fraud was committed without the card being present. Currently, this figure exceeds some 70%. Therefore, the following question arises: what to do about CNP fraud in the broader context of EMV implementation in the US and supporting programmes across the world?

Addressing CNP fraud in SEPA
Certainly, the European SEPA region (among others) has taken steps to address the problems of CNP fraud - albeit with differing levels of success. And, while CNP authentication exists, there are few commonly adopted authentication methods that mirror the integrity of a face-to-face POS transaction.

The European Payment Service Directive (PSD2), approved in October 2015 by the European Parliament, is set out to change all this by providing a European Regulatory framework for retail payments and introducing a range of provisions designed to tackle CNP fraud.

In particular, the PSD2 provides a legal definition for strong authentication. It is the first time this has happened and is, therefore, of great significance. According to the definition, a secure payment process must include at least two out of the three classical authentication mechanisms (something you have, something you know, something you are). And at least one of the authenticators must be dynamic, which is to say it must be unique by payment transaction, and the authenticators must be independent from a security perspective.

Translating experience to the US
What we, at the SPA, find most striking and most encouraging about the PSD2 is its global nature. Its objectives and its principles can be considered of universal importance when seeking to combat CNP fraud. The principles laid out in the PSD2 are not constrained by geography or specific regulatory environment and, thus, offer a hugely exciting opportunity for global standardisation.

Certainly, the outlined principles are entirely consistent with the Criteria Discussion Draft document for a better payment system released by the Federal Reserve-backed US Faster Payments Task Force.

EMVCo's announcement that, in 2016, its EMV 3DS 2.0 specification will be published alongside corresponding testing and approval processes, points to a growing desire for global transparency and constitutes a major step forward.

Multi-functional benefits of EMV payment cards
While PSD2 is technology agnostic, it seems logical that today's multi-functional card technologies offer a powerful balance of assurance and convenience to satisfy both regulatory objective and consumer demand.

EMV chip and PIN cards often support functions such as a one-time-password (OTP) generator, on-card displays or the possibility to use the EMV card with a card reader connected to a personal computer, for example. These functionalities allow providers to provide, and users to use, the strong authentication now defined in law - generating dynamic proof that both the legitimate card and the legitimate user are present during the CNP transaction.
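The strong authentication definition above has three testable parts: two of the three classical categories, at least one element that is dynamic (unique to the transaction), and independence between the elements. The block below is an added example that turns those three parts into a check over a set of presented authenticators; it is not the article's or PSD2's own text, and the data model, the scenario names and the independence heuristic (elements that rest on the same channel are treated as dependent) are constructed here.

```python
"""Checking a set of presented authenticators against the strong customer
authentication definition in the text: at least two of the three classical
categories (knowledge, possession, inherence), at least one element that is
dynamic (unique to this payment transaction), and mutual independence so the
compromise of one element does not compromise another.

Added example, not from the article or from PSD2's text: the categories and
the three rules follow the passage; the data model and the independence
heuristic (two elements are dependent when they live on the same channel)
are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Authenticator:
    name: str
    category: str      # one of the three classical categories
    dynamic: bool      # proof changes per transaction (OTP, cryptogram)
    channel: str       # where the element is held or delivered


def evaluate_sca(elements: List[Authenticator]) -> List[str]:
    """Return the list of unmet requirements; an empty list means compliant."""
    failures = []
    categories = {e.category for e in elements}
    if len(categories) < 2:
        failures.append("fewer than two independent categories")
    if not any(e.dynamic for e in elements):
        failures.append("no dynamic (per-transaction) element")
    # Independence heuristic: two elements delivered through one channel fall
    # together when that channel is compromised, so they do not count as two.
    channels = {e.channel for e in elements}
    if len(elements) >= 2 and len(channels) < 2:
        failures.append("all elements rely on the same channel")
    return failures


# Constructed authenticators for the scenarios below.
PASSWORD = Authenticator("account password", KNOWLEDGE, dynamic=False, channel="browser")
MEMORABLE_ANSWER = Authenticator("memorable answer", KNOWLEDGE, dynamic=False, channel="browser")
CARD_OTP = Authenticator("EMV card OTP generator", POSSESSION, dynamic=True, channel="card reader")
SMS_OTP = Authenticator("SMS one-time code", POSSESSION, dynamic=True, channel="phone")
APP_PIN = Authenticator("banking app PIN", KNOWLEDGE, dynamic=False, channel="phone")
FINGERPRINT = Authenticator("fingerprint on handset", INHERENCE, dynamic=False, channel="phone")


def scenarios() -> Dict[str, List[str]]:
    return {
        "password + memorable answer": evaluate_sca([PASSWORD, MEMORABLE_ANSWER]),
        "password + card-generated OTP": evaluate_sca([PASSWORD, CARD_OTP]),
        "app PIN + SMS OTP on same phone": evaluate_sca([APP_PIN, SMS_OTP]),
        "fingerprint alone": evaluate_sca([FINGERPRINT]),
    }


if __name__ == "__main__":
    for label, failures in scenarios().items():
        print(f"{label}: {'compliant' if not failures else '; '.join(failures)}")
```

The password plus card-generated OTP pairing is the one the article's multi-functional card section describes: a knowledge element in the browser and a possession element producing dynamic proof through a separate reader, so all three conditions hold.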


Nicolas Raffin
President
Smart Payment Association

Global answers to the CNP question
So, if a new generation of EMV cards can offer a much more secure CNP environment, the US move in this direction will potentially be significant in addressing both card-present and card-not-present fraud. And it's also an exciting opportunity to address CNP security on a global level.

With such high levels of consistency between US and EU objectives, harmonising regulatory approaches will certainly create a more secure ecommerce environment.

Indeed, by sharing experiences and best practice, and delivering that consistent global approach, we can accelerate the adoption of appropriate CNP protections by merchants and banks across the world.

And, while it's impossible to entirely eliminate card payment fraud, a global collaboration around a set of shared principles seems a logical place to begin.

For our part, having already contributed to the European Banking Authority's (EBA) public consultations on secure ecommerce, the SPA will continue to advocate a comprehensive set of security rules for CNP based on the aforementioned seven principles as PSD2 moves into its next phase of life. Not only will we continue to work with the wider card payment industry, but also with standards bodies and regulators to help deliver on the promise of a global approach to protecting online payments.

About Nicolas Raffin: Nicolas Raffin is President of the Smart Payment Association (SPA) and Head of Strategic Marketing, Payments at Oberthur Technologies. Nicolas started his career with numeric photo group PhotoMe as product manager. He holds a Master in Marketing and an MSc in Technology & Innovation Management.

About Smart Payment Association: The Smart Payment Association addresses the challenges of the evolving payment ecosystem, offering leadership and expert guidance to help its members and their financial institution customers realize the opportunities of smart, secure and personalised payment systems & services both now and for the future.
www.smartpaymentassociation.com


DON'T MISS THE OPPORTUNITY OF BEING PART OF LARGE-SCALE PAYMENTS INDUSTRY OVERVIEW

"The Paypers offers the most valuable source of information and guidance for all parties interested in the current state of affairs of the payments industry"
Paul Alfing, Chairman e-Payments Committee, Ecommerce Europe

Once a year, The Paypers releases three large-scale industry overviews covering the latest trends, developments, disruptive innovations and challenges that define the global online/mobile payments, e-invoicing, B2B payments, ecommerce and web fraud prevention & digital identity space. Industry consultants, policy makers, service providers, merchants from all over the world share their views and expertise on different key topics within the industry. Listings and advertorial options are also part of the Guides for the purpose of ensuring effective company exposure at a global level.

ONLINE PAYMENTS: An all-in-one reference guide on (online) payments & ecommerce industry trends, evolving business models, top players and relevant (alternative) payment methods.

B2B PAYMENTS, SCF & E-INVOICING: Industry voices from the online finance space share insights into the dynamic B2B payment, e-invoicing, supply chain finance industries to support innovative solutions & thriving businesses.

WEB FRAUD PREVENTION, ONLINE SECURITY & DIGITAL IDENTITY: In-depth source of information highlighting key facts & trends into the global digital identity transactional and web fraud prevention & detection ecosystem.

For the latest edition, please check the Reports section

STRONGER CONSUMER AUTHENTICATION TO COMBAT ECOMMERCE FRAUD

Wirecard AG
Moving Beyond Passwords: Next Steps in Consumer Authentication

The way in which consumers verify their identity is rapidly changing, a development which is being driven forward by biometric data.

Consumers should probably not be too surprised if they soon find themselves being addressed queries like: "Dear customer, please turn on your webcam and have your ID at the ready. We will shortly conduct a brief ID check." This kind of procedure may, for example, be introduced for opening an online account in order to verify a customer's identity, thereby making the personal signature a thing of the past.

But what does this trend mean for customers, online merchants and banks who, up until now, have traditionally used passwords and signatures? Moreover, how safe are these new means of identification?

The fact is that traditional passwords are increasingly being supplemented by new means of authentication. One of the reasons is that customer identification has become one of the most important aspects of payment processing. In case of doubt, it offers more effective protection against fraud than a credit check, as a credit check will rarely detect a falsified customer identity. In contrast, modern means of authentication are able to do this.

Increased importance assigned to biometric data
It is for this exact reason that measures are being put in place. The measures go further than conventional password authentication. It is very likely that biometric data will become more important as a result of the strong growth in the m-commerce market. Consulting company Acuity Market Intelligence has recently stated that they expect biometric data to be integrated in approximately 65% of all m-commerce transactions by 2020. Furthermore, a global study conducted by Mobey Forum shows that 22% of banks already use some form of biometric data for the purpose of authentication, while a further 65% plan to introduce this type of service in the future.

Initial studies have shown, for example, that the use of fingerprint sensors increases user friendliness. Thus, users can quickly use the fingerprint recognition service on their smartphone to confirm a mobile transaction. Scanners have now become relatively cheap and simple to install, meaning that they can be integrated into different payment channels, such as point-of-sale terminals or ATMs. Therefore, they increase the recognition factor within the context of financial transactions.

On account of their great potential, further biometric identification measures are currently being discussed. For example, there is heartbeat authentication, although it will admittedly take a while for identification methods such as these to become reality, let alone accepted. However, in the future, further multi-modal means of biometric identification are expected, that is to say, processes which react to a combination of biometric sensors as a security feature. These range from face and iris recognition to keystroke dynamics.

New EU rules reduce online payment risk
The European Banking Authority (EBA) has stated that online merchants will require two mutually independent customer identifiers before accepting payment in the future. Directives such as the Secure Pay Directive (PSD II) demonstrate the European Commission's commitment to making cross-border payments quicker and safer, while also reducing the risk to the end customer. Linked to this is an effective method of combating data theft and abuse. This is known as two-factor authentication.

This involves the user being asked for specific identifiers and the combination of two different communication channels. For example, a customer may be asked only for their card number and CVC code online. Afterwards, via a second level of security, they receive a one-time password or verification code delivered via SMS to their smartphone, which they use to confirm the transaction.

Additional biometric identifiers, or the use of (hardware) tokens, are also possible. Ensuring a simple and brief form of media disruption is involved in the payment process makes it much harder for hackers to attack, without compromising its customer-friendly nature.
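The two-factor flow just described (card data entered online, a one-time code sent over a second channel, the code confirming the transaction) leaves the server-side handling of that code unstated. The block below is an added example of that handling, not Wirecard's implementation: the binding of the code to the exact amount and payee it was issued for, the expiry window, the attempt limit and the single-use bookkeeping are design choices shown here, and SMS delivery is represented by returning the code to the caller.

```python
"""Server-side handling of a second-channel verification code, bound to the
transaction it confirms. Follows the flow in the text (card data online, a
one-time code delivered out of band, the code confirms the payment).

Added example, not Wirecard's implementation. Binding to amount and payee,
the expiry window, the attempt limit and single-use tracking are design
choices shown here; delivery over SMS is stood in for by returning the code.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict

CODE_TTL_SECONDS = 300      # constructed: five-minute validity
MAX_ATTEMPTS = 3            # constructed: lock the code after three wrong tries


@dataclass
class PendingCode:
    code: str
    amount_cents: int
    payee: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for testing expiry
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, txn_id: str, amount_cents: int, payee: str) -> str:
        """Create a fresh six-digit code for exactly this transaction."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[txn_id] = PendingCode(code, amount_cents, payee,
                                            self._clock() + CODE_TTL_SECONDS)
        return code  # stand-in for the SMS to the customer's registered phone

    def verify(self, txn_id: str, amount_cents: int, payee: str, code: str) -> str:
        p = self._pending.get(txn_id)
        if p is None:
            return "REJECT: no pending code"
        if p.used:
            return "REJECT: code already used"
        if p.attempts >= MAX_ATTEMPTS:
            return "REJECT: too many attempts"
        if self._clock() > p.expires_at:
            return "REJECT: code expired"
        p.attempts += 1
        # The code confirms one specific payment. If amount or payee differ
        # from what the customer was shown when the code was sent, the code
        # cannot be used to approve the altered transaction.
        if (amount_cents, payee) != (p.amount_cents, p.payee):
            return "REJECT: transaction details changed"
        if not hmac.compare_digest(code, p.code):
            return "REJECT: wrong code"
        p.used = True
        return "CONFIRMED"


if __name__ == "__main__":
    svc = OtpService()
    sent = svc.issue("txn-1", 2_500, "ACME Shop")        # constructed transaction
    print(svc.verify("txn-1", 9_900, "Other Payee", sent))
    print(svc.verify("txn-1", 2_500, "ACME Shop", sent))
    print(svc.verify("txn-1", 2_500, "ACME Shop", sent))
```

Binding the code to amount and payee is what makes the second channel a second factor rather than a second password: a code the customer was shown for one payment does not approve a different one, and each code works once.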


Carlos Huser
Executive Vice President
Wirecard AG

Further safety standards may increase acceptance
Obviously, there are some critics who fear that surplus data will be stored alongside the electronically captured personal, physical and behavioural data. Additional information may relate to a person's character, their health or ethnic background.

This means that all users of biometric identification methods are obliged not to pass on the respective data to any third parties. Confidential data must also be deleted immediately after it is no longer relevant for its original, stipulated use. The European Commission will therefore be required to issue directives aimed at ensuring mass suitability of new security measures.

Biometric identification methods can increase the acceptance and use of electronic payments such as mobile payments around the world. The use of fingerprint sensors improves user-friendliness. For example, a user can quickly enter information without the need to remember a PIN, password or a swipe pattern. At the same time, the function increases the customer's sense of security because a mobile payment can only be made once a fingerprint reading has been approved. These are decisive factors in the acceptance of all new electronic payment methods.

About Carlos Huser: Carlos Huser is Executive Vice President responsible for the Payment & Risk/Shared Services divisions at Wirecard AG. He is also Managing Director of Wirecard Technologies GmbH and, therefore, responsible for strategic development at the Munich-based payment processing firm.

About Wirecard AG: Wirecard AG is a global technology group that supports companies in accepting electronic payments from all sales channels. As a leading supplier, the Wirecard Group offers outsourcing and white label solutions for electronic payments. A global platform bundles international payment acceptances and methods with supplementary fraud prevention solutions. Wirecard AG is listed on the Frankfurt Securities Exchange.
www.wirecard.com


Consult Hyperion
Tokenization: From Account Security to Digital Identity

Tokenization, the process of replacing a card account number (PAN) with an alias (token) which can only be used in defined domains, is a technology that has been around for years. However, in a world in which consumers can pay from multiple devices using the same bank account, tokenization is now a core technology for payment companies, rather than an esoteric sideline.

Simplifying the multi-device payment challenge
If consumers want to store their card details on a website to simplify future payments, then their PAN can be sent to a Token Service Provider (TSP) to generate and return a token. The retailer stores the token and uses it when the consumer wants to transact by sending the tokenized payment transaction to the TSP to de-tokenize the token back to the PAN before it is passed onto the issuer for authorisation. Because the merchant stores the token and not the PAN, and because the token can only be used on that specific website, the impact of any data breach at the merchant is vastly reduced.

Added to this mix is the use of tokens for mobile EMV payment methods like Apple Pay and Android Pay. The rationale for using tokens in the mobile EMV space is twofold: firstly, a stolen token is of little use without the handset, which constitutes its domain of use and, secondly, the issuer does not have to issue a new card; they can simply create a token for an existing one and use the same underlying bank account. Neatly, this allows mobile EMV issuance to be done in real-time, because all that is being issued is a tokenized replica of an already issued physical card, so KYC and AML processes are already complete.

Currently, the most popular model of TSP deployment is within the payment networks; for example, Visa and MasterCard have developed their own tokenization services. For the schemes, this has the advantage of driving traffic through their networks and it offers a straightforward solution for issuers. It is less popular with issuers who acquire their own transactions, bypassing the scheme networks. Then, they need to pass requests back to the schemes in order to de-tokenize and have to pay for the privilege. Unsurprisingly, there is a move to unbundle tokenization services so that such issuers can tokenize their own cards using either in-house or non-scheme outsourced TSPs.

Managing risk in a tokenized environment
Tokenization improves bank account security because the fewer places the real PAN is stored in, the less likely it is to be stolen. The obvious downside of this is that the additional processes of tokenizing and de-tokenizing add processing time and costs to the issuing and authorisation processes. Perhaps the less obvious downside is that tokenization moves the locus of attacks away from retailers and onto the TSPs who hold the Token Vaults linking PANs and Tokens. It is not hard to see how these organisations will become attractive targets for organised crime.

Despite this, placing the security of PANs in the hands of a relatively small number of specialist TSPs should improve the overall security of the payments ecosystem. It also reduces the security burden on retailers and mobile wallet providers who can concentrate on their primary objective of satisfying the consumer.

Risk management is the current hole in tokenization solutions. A token is not just a PAN, it is a PAN plus a set of domain controls determining who and where it can be used. A token issued to a retailer can only be used by that retailer, a token issued to a mobile device can only be used from that device, a token issued for a specific time period can only be used during that period, and so on. More work is needed on these domain controls to refine and make them properly usable and interoperable. Additionally, having the same card tokenized to lots of different locations makes risk-based transaction analysis difficult: someone's behaviour when using a physical card may be different to how they use a mobile NFC device or an ecommerce website. These are all recognised issues and are being worked on by standardisation groups and vendors, but it serves to remind us that tokenization is still a work in progress.
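The domain controls described in the risk management section (a token bound to one retailer, one device or one time window) are easiest to see as a small vault that enforces them on every de-tokenization request. The following is an added example of such a vault, not Consult Hyperion's or any payment scheme's code: the token format (issuer BIN and last four digits kept, the digits between them random), the domain fields and the sample PAN, merchant and device identifiers are constructed here.

```python
"""Token Service Provider vault with domain controls, the model described
above: a token is a PAN plus restrictions on which merchant may use it,
from which device and during which period, and the PAN itself lives only
in the vault.

Added example, not Consult Hyperion's or any payment scheme's code. The
token format (issuer BIN and last four digits kept, middle digits random),
the domain fields and the sample PAN, merchant and device identifiers are
constructed here.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Domain:
    merchant_id: Optional[str] = None   # usable only by this retailer
    device_id: Optional[str] = None     # usable only from this handset
    not_before: Optional[int] = None    # unix seconds
    not_after: Optional[int] = None     # unix seconds


@dataclass
class TokenRecord:
    pan: str
    domain: Domain


class TokenVault:
    """The TSP's vault: the one place linking tokens back to PANs, and
    therefore the asset whose protection the whole scheme depends on."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, domain: Domain) -> str:
        # Keep BIN and last four so routing and receipts still work; the
        # digits in between are random and checked for uniqueness.
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, domain)
        return token

    def detokenize(self, token: str, merchant_id: Optional[str] = None,
                   device_id: Optional[str] = None, now: int = 0) -> Tuple[Optional[str], str]:
        """Return (pan, "ok") when the request satisfies every domain control,
        otherwise (None, reason). A token presented outside its domain is the
        signal that it was copied and is being tried somewhere else."""
        rec = self._records.get(token)
        if rec is None:
            return None, "unknown token"
        d = rec.domain
        if d.merchant_id is not None and d.merchant_id != merchant_id:
            return None, "token not valid for this merchant"
        if d.device_id is not None and d.device_id != device_id:
            return None, "token not valid from this device"
        if d.not_before is not None and now < d.not_before:
            return None, "token not yet valid"
        if d.not_after is not None and now > d.not_after:
            return None, "token expired"
        return rec.pan, "ok"

    def tokens_for(self, pan: str) -> int:
        """How many places one card is tokenized to; relevant because each
        domain produces a different behavioural profile for risk analysis."""
        return sum(1 for r in self._records.values() if r.pan == pan)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4000123412341234"                                  # constructed sample PAN
    shop_token = vault.tokenize(pan, Domain(merchant_id="SHOP-A"))
    phone_token = vault.tokenize(pan, Domain(device_id="handset-77", not_after=1_900_000_000))
    print(vault.detokenize(shop_token, merchant_id="SHOP-A"))
    print(vault.detokenize(shop_token, merchant_id="SHOP-B"))
    print(vault.detokenize(phone_token, device_id="handset-77", now=1_800_000_000))
    print(vault.tokens_for(pan))
```

A breach of the merchant's database yields only `shop_token`, which the vault refuses for any other merchant; the corresponding concentration of risk is the vault itself, which is why the text expects TSPs to become the targets.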


Tim Richards
Principal Consultant
Consult Hyperion

Tokenizing identity
Tokenization offers issuers other opportunities. At the moment, some merchants use PANs as a rudimentary form of digital identity. However, because this identity is linked directly to a bank account, they risk exposing the cardholder details to attackers, as seen in the Ashley Madison attack: a token does not carry the same risk. As a token is linked to a bank account at the TSP, not the retailer, and as most bank accounts require that the cardholder has already undergone identity checks, a token can be used as a form of digital identity. A token issued for this purpose, with the appropriate domain controls in place, could then be authorised by the issuer without compromising the security of the account. So, digital identity tokens could be used for age verification or geographical location checking without revealing any underlying details of the cardholder or the account.

In summary, tokenization increases account security with the downside of increased costs which may not be able to be passed onto merchants and cardholders. But, it also opens up new business opportunities for issuers and, in a densely connected digital environment, the value of these opportunities will vastly outweigh the costs.

About Tim Richards: Tim Richards has over 25 years' experience designing secure smart card solutions across payments, mobile, transit, identity, passport, healthcare and loyalty solutions covering both issuance and transaction processing.

About Consult Hyperion: Consult Hyperion is an independent consultancy. We hold a key position at the forefront of innovation and the future of transactions technology, identity and payments. We are globally recognised as thought leaders and experts in the areas of mobile, identity, contactless and NFC payments, EMV and ticketing.
www.chyp.com


Biometrics Institute

Biometric authentication has become commonplace in an array of fields, payments included. In this interview, the Biometrics Institute emphasizes how biometrics could be a privacy enhancing technology, if implemented responsibly.

What is the mission of the Institute?
Our mission is to promote the responsible use of biometrics in an independent and impartial international organisation. I would like to highlight a few of our achievements starting with the development of a first Biometrics Privacy Code, which was approved by the Australian Privacy Commissioner in 2006. It has now developed into international privacy guidelines promoting best practices for biometrics.

In 2008, we developed a Biometric Vulnerability Assessment Methodology, which led us to setting up the Biometrics Institute Vulnerability Assessment Expert Group (BVAEG) in 2010. It consists of UK and German government representatives, as well as academics from the US, Europe and Japan. The BVAEG has regular exchanges to raise awareness about the need for vulnerability testing, to find a common methodology and engage with the standards community at the same time.

Biometric authentication seems to become commonplace in the payments industry. Is the biometrics-based recognition system a friend or foe when it comes to privacy?
If implemented responsibly, it is certainly a privacy enhancing technology. Biometric authentication has the potential to ease the burden of security given its simplicity and usability. All security technologies have flaws, including PINs and passwords. Under determined attack, none will guarantee absolute security. Most biometrics are not secret and should be used with a secure second factor. Security relies not only on one factor but also on combining them, such as relying on a PIN and fingerprint.

There are a number of technologies, both software and hardware, which can be used to detect such spoofing attacks. When we provide a biometric or other sensitive personal data, it does come down to a question of trust and control. Governments are typically required to put very robust trust models in place to ensure end-to-end security is provided through government accredited networks, compliance processes for privacy and record keeping legislation, assurance mechanisms involving partnerships and processes around access to data, for example. When some organisations are involved, the end-to-end security and assurance just might not exist; what happens with your face, your fingerprints in that environment is potentially riskier and requires far more than just a technology solution.

Another question is control and data retention. What happens to that biometric? Who looks after it, at what point in time is it destroyed? Should it be after a person leaves school or a particular job? What processes exist for managing any compromise of identity data, for re-establishing confidence in identity, for redress?

We have seen many successful implementations where biometrics have helped transform identity management, privacy protection and identity security like electronic passports facilitating a better and more secure travel experience. Likewise, large-scale identity management systems, such as the Indian Unique Identity (UID) scheme, facilitate the delivery of government services to the poor and marginalised. If we get the privacy and vulnerability issues addressed and create trust and control for the consumer, I think biometrics have a great future.

When it comes to wearable technologies and authentication, what are the implications of using personal biometric data as the virtual keys that unlock our very real lives?
We are seeing biometrics appear more and more in everyday life, as predicted by the Biometrics Institute survey in 2014 and again 2015. Their use offers consumers great convenience and increased security at the same time. We are seeing a growing number of wearable devices and the use of fingerprint biometrics on mobile devices.

52

WEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY MARKET GUIDE 2015 / 2016

Isabelle Moeller

Biometric authentication has the


potential to ease the burden of security
given its simplicity and usability

Chief Executive

Biometrics Institute

With a biometric on a wearable device, users are now able to

About Isabelle Moeller: Isabelle is a biometrics

query that device and authenticate themselves as the user of

expert instrumental in the growing network of

that device. If that device is stolen, that authentication does not

The Biometrics Institute. She has played a key

work. So, it provides that extra level of security which allows those

role in the establishment of independent and

devices to be used securely, for payments purposes, for example.

impartial international Biometrics Institute in

The person gets identified more accurately and securely than with

particular through bringing together biometrics

PINs and passwords.

experts from around the world.

Do you know if there is any legislation and regulation

About Biometrics Institute: The Biometrics

in place to cover the privacy and security aspects of

Institute is a not-for-profit membership organisation

biometric technology?

with offices in the UK and Australia. Since 2001

The public requires assurance that biometrics managers are giving

it has been promoting the responsible use of

due consideration to privacy and data protection when they are

biometrics and providing an un-biased forum

considering, designing, implementing and managing biometrics-

offering information, education and training on

based projects. The Institute, for instance, has therefore developed

biometrics.

several best practice documents to help guide members along the


way, namely the Biometrics Institute Privacy Awareness Checklist

www.biometricsinstitute.org

and Biometrics Privacy Guideline.


Different countries have different legislation. Australia, for example,
introduced new privacy principles in March 2014. Science and
Technology Committee of the UK government proposed
an open and public debate around the use of biometrics by the
Government to build trust in biometrics. The Committee released
its "Science and Technology - Sixth Report: Current and
future uses of biometric data and technologies".
The Biometrics Institute is also working on a proposal to create
a trustmark. The trustmark is aimed at giving consumers in the
private sector and users of government services access to personal
records and confidence in the responsible use of an identity product
or service that incorporates biometrics. This will give biometric
solutions providers and operators a tool to demonstrate that due
consideration has been given to privacy and trust during planning
and implementation.

LATEST TRENDS AND INSIGHTS IN SECURING DIGITAL IDENTITIES AND TRANSACTIONS

53

Natural Security Alliance
Bring Your Own Authentication: The Next Revolution against Web Fraud

Two major trends in the field of online payments have been confirmed in the past two years. First of all, the increase in fraud is undeniable, while users are turning to smooth systems to authenticate their online transactions.

We will quickly look at the first trend by illustrating it with a few figures for the French market. A study published by the French National Supervisory Body on Crime and Punishment (ONDRP) revealed that more than 800,000 households have been victims of banking fraud. Of those that managed to identify how they were scammed, one third had their payment details stolen while shopping online.

To resolve this, regulators have issued a number of recommendations at the European level: the revised Payment Services Directive (PSD2) and the Guidelines on the Security of Internet Payments (European Banking Authority's Guidelines).

But, in terms of technology, the power is in the users' hands. They decide whether to use and adopt a technology or not. A few years ago, there were those who refused standard office automation tools and turned to tablets (more mobile, better suited for viewing content) and smartphones (to be connected without being at a desk) instead.

The Bring Your Own Device (BYOD) system, which is a rejection of over-complex systems, has spread in the field of payments. Users massively refused One Time Passwords (OTP) and, in general, all systems which require fastidious data entry to make an online payment.

These examples illustrate that users always opt for simplicity. The position of smartphone manufacturers (Apple, Samsung) and of social networks (Facebook, Twitter, LinkedIn) is a good illustration of the need for simplification and standardisation. To unlock a telephone, all you need to do is put your finger on a biometric sensor. To connect to a social network account, you just have to enter a password. Easy access is now the first condition for using a service.

But the generalisation of biometrics is not restricted to simply becoming a standard for unlocking telephones. It opens the world of the telephone to proximity payments (Apple Pay, Samsung Pay) and especially to in-app payments. Users can thus make a transaction on their mobile phone without having to enter a card number or password.

We are also witnessing the generalisation of Bring Your Own Authentication (BYOA), following on from Bring Your Own Device. These technologies and new approaches to ergonomics break with the authentication systems traditionally provided by banks. Up to now, banks have provided technologies chosen by them: they will now have to rely on third-party systems, without having full visibility of performance. These new systems are opening the way for new payment players (e.g. wallet, electronic cash, SEPA) by offering a wider choice for the end user in terms of online payment.

However, many questions concerning implementation, openness and evaluation have not been sufficiently addressed. A prime example of the consequences can be seen in the recent disclosure that malware running on Android could potentially capture fingerprint data from the sensor of devices such as the Samsung Galaxy S5 before that data reaches the secure processor. The market is clearly waiting for certain key details to be fleshed out before biometrics can really take off.

There is still work to be done on evaluating the different implementations for authenticating access to value-added services. The spread of biometric solutions also signals a change in business models, as new actors become a necessary link in the transaction and value chains.

In this rationale of IT consumerisation, we will see new devices emerge (for example, SesameTouch developed by Trust Designer), devices which can be used to authenticate oneself and make online payments without having to use a system provided by a bank. These devices represent a third avenue as they are in line with open logics, depending on evaluation and certification schemes, for example.

A study recently published by Mobey Forum (Mobey Forum's Biometrics Survey Results, July 2015) clearly shows strong demand for open interfaces. 83% of surveyed companies considered open interface implementation of fingerprint sensors as an opportunity, allowing banks or trusted service providers to control the authentication data.

In the BYOA rationale, there is clearly a place and demand for authenticators which make online transactions possible where the user can choose the platform of the transaction.

Broadly speaking, the term authenticator refers to any technology that can authenticate a user before he or she reaches an interface that provides access to a service. Authenticators can come in different formats, such as a chip card and reader (e.g. for payment in a store), an OTP token or even a simple login and password on a computer. Biometrics is becoming increasingly commonplace for authenticators, but, as previously stated, there still are a couple of issues that need to be addressed. For example, interoperability must be made standard, so that service providers can accept the authenticators deployed, and consumers are not limited to where they can shop for goods and services.

These authenticators will, and should, rely on an open architecture, paving the way for an evaluation scheme, in order to create an open ecosystem of technologies suited to different use cases.

André Delaforge
Head of Communication, Advisory Committee
Natural Security Alliance

About André Delaforge: André joined Natural Security in February 2010 to lead various aspects of marketing and business development. Prior to joining Natural Security, André was in charge of business development for biometric and RFID technologies for a large electronics manufacturer.

About Natural Security Alliance: The Natural Security Alliance is a global community of preeminent companies dedicated to accelerating the adoption and ongoing development of Natural Security Technology based solutions. It is comprised of some of the most influential companies in the world from the retail, banking, payment and IT communities.

www.naturalsecurityalliance.org
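The authenticator described above, as an added example that is not part of the original article or of any Natural Security Alliance or vendor specification: a device-bound key answers a fresh challenge from the service provider only after a local biometric match, so the biometric itself never leaves the device, and a stolen device without its user's finger cannot authenticate. The relying party and authenticator names, the HMAC device key (a stand-in for the asymmetric key a real authenticator holds in a secure element), the 60-second challenge lifetime and the signature counter are assumptions of this example.

```python
"""Device-bound authenticator answering a relying party's fresh challenge.

Constructed example.  The biometric match is a boolean that gates use of
the device key; the relying party (RP) never sees the biometric, only a
proof that the enrolled device answered its challenge.  An HMAC key stands
in for the asymmetric key a real authenticator keeps in a secure element.
"""
import hashlib
import hmac
import secrets

CHALLENGE_TTL_SECONDS = 60   # assumption for this example


class Authenticator:
    """Phone, wearable or token holding one key per relying party."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)   # generated on the device at enrolment
        self.counter = 0                      # signature counter, only ever increases

    def enrol(self) -> bytes:
        return self.key   # all the RP stores about this device; no template leaves it

    def sign(self, challenge: bytes, rp_id: str, biometric_match: bool) -> dict:
        if not biometric_match:
            raise PermissionError("local biometric match failed; nothing signed")
        if rp_id != self.rp_id:
            raise PermissionError("key is bound to a different relying party")
        self.counter += 1
        msg = rp_id.encode() + challenge + self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return {"rp_id": rp_id, "challenge": challenge, "counter": self.counter, "tag": tag}


class RelyingParty:
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.keys = {}       # user -> device key registered at enrolment
        self.counters = {}   # user -> highest counter accepted so far
        self.pending = {}    # challenge -> (user, issued_at)

    def register(self, user: str, device_key: bytes) -> None:
        self.keys[user] = device_key
        self.counters[user] = 0

    def new_challenge(self, user: str, now: float) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = (user, now)
        return challenge

    def verify(self, user: str, assertion: dict, now: float) -> bool:
        issued = self.pending.pop(assertion["challenge"], None)   # single use
        if (issued is None or issued[0] != user                   # unknown or used challenge
                or now - issued[1] > CHALLENGE_TTL_SECONDS        # answered too late
                or assertion["rp_id"] != self.rp_id               # signed for another RP
                or assertion["counter"] <= self.counters[user]):  # replay or cloned device
            return False
        msg = self.rp_id.encode() + assertion["challenge"] + assertion["counter"].to_bytes(4, "big")
        expected = hmac.new(self.keys[user], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["tag"]):
            return False
        self.counters[user] = assertion["counter"]
        return True


def run_scenarios() -> dict:
    """One genuine login and the failure modes the RP has to reject."""
    rp, device, t = RelyingParty("shop.example"), Authenticator("shop.example"), 1000.0
    rp.register("alice", device.enrol())
    out = {}
    assertion = device.sign(rp.new_challenge("alice", t), "shop.example", True)
    out["genuine"] = rp.verify("alice", assertion, t + 1)
    out["replay"] = rp.verify("alice", assertion, t + 2)    # same assertion presented again
    try:   # stolen device: no matching finger, so the key is never used
        device.sign(rp.new_challenge("alice", t), "shop.example", False)
        out["stolen_device"] = "signed"
    except PermissionError as err:
        out["stolen_device"] = str(err)
    try:   # phishing site asks the device to sign a challenge for itself
        device.sign(secrets.token_bytes(32), "evil.example", True)
        out["wrong_rp"] = "signed"
    except PermissionError as err:
        out["wrong_rp"] = str(err)
    tampered = device.sign(rp.new_challenge("alice", t), "shop.example", True)
    tampered["tag"] = bytes(32)
    out["tampered"] = rp.verify("alice", tampered, t + 1)
    late = device.sign(rp.new_challenge("alice", t), "shop.example", True)
    out["expired"] = rp.verify("alice", late, t + CHALLENGE_TTL_SECONDS + 1)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The point carried over from the interview earlier on this page is that the service provider stores and verifies a key, never a fingerprint; the single-use challenge and the monotonic counter supply the replay and clone detection that a typed OTP does not, and the key's binding to one relying party is what stops a look-alike site from harvesting a usable assertion.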

PAY360 Digital Payments, an annual conference by the EPA. Sponsorship and exhibition opportunities available.
27-28 June 2016, Liverpool Exhibition Centre, Liverpool

Don't miss the international gathering of leading payments professionals to pool their insights about what is driving success in digital payments. Themes: Retail, Mobile and Banking.

Interested in sponsorship opportunities? Keri.Farrell@emergingpayments.org, +44 20 7378 9890
Join the conversation: @EPAssoc #EPADigital
Register your interest: events@emergingpayments.org
Use code Paypers10 to save 10% off our current registration rate.

INSIGHTS INTO ELECTRONIC IDENTITIES IN EUROPE

Signicat
Digital Marble - Onboarding in the Age of Electronic Identity

Background

A century ago, banks managed to establish trust in the public at large by building bank palaces made of marble.

Nowadays, banks need to establish trust in a virtual world. In particular, they need to prove the identity of their customers online. This is difficult enough for banks operating in a single market. For banks operating in a pan-European market, it becomes an even bigger hurdle.

Luckily, a digital marble that can be used to establish trust online exists in the form of electronic identity. In markets where electronic identity is readily available, experience shows that using electronic identity for online onboarding can lead to a dramatic increase in conversion rates.

Nordic practice

The Nordic countries Denmark, Finland, Norway and Sweden stand out among the regions where electronic identity has been widely deployed. In these countries, a large majority of the adult population has access to electronic identity that has been issued by the banks, the government or a telco.

Key to the success of these identities is that they can be utilised across a wide range of services in the public and private sector. This ensures a high frequency of usage, which lowers the barrier for using the e-ID. Cooperation between the parties involved is based on acknowledging that the value of a common platform is greater than the sum of its parts. This has led to the emergence of common technology and regulations ensuring electronic ID interoperability across sectors.

The European dimension

The Nordic countries have been pioneers in the use of electronic identity for digital onboarding. However, the rest of Europe is now following suit.

Countries like Germany and Spain continue to develop their national infrastructure for electronic ID, while Estonia and Belgium have made considerable progress in deploying a national e-ID infrastructure. The new European regulation on electronic identity and trust services (eIDAS), which was approved in 2014, will also contribute to driving acceptance and interoperability of e-ID and e-signature in the European market.

However, the ongoing establishment of cross-industry schemes or federations for e-ID is equally interesting. These are established by banks, telecommunications companies and others who want to exploit the network effect of providing electronic identity across industries and businesses. Examples of such ecosystems include the recent partnership between Dutch banks to establish a federation of electronic identity, the MyBank initiative by the EBA and GSMA Mobile Connect.

What is common to these initiatives is that they connect existing electronic identity in federations. Thus, a customer of a Dutch bank can use his online banking login to establish a customer relationship with an ecommerce retailer. Initiatives like the Dutch interbank login and MyBank hold significant potential for the rapid deployment of digital onboarding. They build on existing electronic identity that is already in frequent use for internet banking, sidestepping the need for costly and time consuming deployment of new electronic identity.

Uniting the fragmented e-ID landscape

The development of e-ID in Europe has mainly been done within a national scope, with a limited degree of coordination. This has resulted in a fragmented infrastructure that presents challenges to service providers aiming to reach a broad audience.

For instance, a service provider in Norway who wants to address the largest possible audience would need to implement support not only for Norwegian BankID and the Buypass eID, but also for the MinID eID and the Commfides eID.

If service providers run a pan-Nordic operation, which is often the case, they would need to implement support for up to 12 different e-IDs. In the absence of a universal (or at least regional) e-ID scheme, the implementation effort soon becomes unmanageable. This situation will prevail also in a post-eIDAS Europe: while eIDAS ensures a common framework for electronic identity and electronic signature, it will not guarantee technical interoperability in any way.

Identity hubs as new paradigm for solving fragmentation

A new kind of service offering has emerged to address the need for simple integration with the e-ID infrastructure. Currently, Signicat has over 150 customers hooked up to its online identity hub.

Signicat's customers are typically banks, finance and insurance companies that want to use publicly available e-ID for strong authentication or electronic signatures. The company operates as an identity hub or identity broker. Its customers select which e-IDs they want to accept and Signicat sets up a service providing access to them. In addition to giving access to third-party e-IDs, Signicat can also play the part of an e-ID issuer for customers who want to provide their end-customers with a proprietary e-ID.

Vision for Europe

Trust and digital identity are a prerequisite for cross-border transactions. Without them, the growth potential will be limited. Merchants wishing to do cross-border commerce need to know their customers, and the only realistic way to do this is through electronic identity. The best solution is to outsource the complexity of identification and authentication to specialists, just as the merchants did with payments. Identity providers do not only specialise in protecting customers from identity theft, but also in allowing customers to re-use their existing IDs and credentials, thus preventing the build-up of a digital key chain.

Gunnar Nordseth
CEO
Signicat

About Gunnar Nordseth: Gunnar is a veteran of the software industry and a founder of three software companies, all based in Trondheim. Since 2007 he has been involved in establishing Signicat as a global leader of cloud-based services for electronic identity and electronic signature.

About Signicat: Signicat is a leading provider of identity services in Northern Europe. The company offers a unique identity-as-a-Service, giving multinational and national companies and government institutions easy access to a range of national e-ID infrastructures through a single point of integration. Customers use Signicat services for authentication, digital signature of documents/text and long term validation and archiving.

www.signicat.com

MyBank
Electronic Identity Verification: How MyBank Can Help

In recent years, ecommerce has been experiencing a great degree of technological upheaval: e-wallets, NFC (near field communication), Apple/Samsung/Google Pay, third-party access to the account. How you pay for things is now becoming as important as what you pay for.

Underlying these changes is trustworthy identity verification, which means customers and other actors identify themselves digitally to third parties that require their information. This is the keystone that future online commerce will be built on.

Electronic identity verification (or e-identity for short) has featured prominently in regulatory discussions in recent years. Electronic identity legislative frameworks (either directly or indirectly) have moved to the front of the agenda. This is due to the revised Payment Services Directive (PSD2), the recommendations developed by the European Forum on the Security of Retail Payments (SecuRe Pay), Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS) and the 4th Anti-Money Laundering (AML) Directive.

Furthermore, businesses are daily being confronted with new challenges as society switches to digital channels. Some of the most common are:

- How to verify identity: who are businesses really dealing with?
- How to verify age?
- How to perform customer due diligence?
- How to obtain consent to sign up for services?

With no standardised electronic means of verifying such functions, businesses face rising costs and are often obliged to implement workarounds that usually involve consumers physically handing over large quantities of private data, or filling out paper forms.

How does online identity verification work?

Online identity verification is an electronic means of proving that you are who you say you are and that the attributes you claim to possess (name, age, address, passport number etc.) really are yours. This is of the highest importance in facilitating online transactions, particularly for reasons of security: avoiding fraud, securing against identity theft, complying with anti-terrorism concerns and so forth.

In a traditional brick-and-mortar business, identity verification is relatively straightforward: a merchant requests your ID (national ID card, passport etc.), you hand it over and, presuming everything is OK, you receive your goods (e.g. alcohol in a supermarket). But, in other settings, this can be onerously time consuming. If you want to apply for a loan, you will probably have to manually fill out sheets of paper and send them all through the mail.

Digital has its challenges. How can merchants be sure their customers are who they say they are when both sides never physically interact? Can merchants be confident that purchases carried out are not tainted by fraudulent activity?

Digital experts at Innopay [internal MyBank research conducted in conjunction with Innopay Consulting] estimate that there are currently 225 billion authentication transactions per year across e-mail, social media, ecommerce and e-government. Ecommerce and e-government account for 5.5 billion transactions.

How will MyBank play a role in this area?

MyBank and its Payment Service Provider (PSP) partners, with their experience of processing complex, sensitive transactions, can bring real value to the market. With MyBank, consumers and businesses can already re-use their existing online banking account credentials to safely instruct their banks to provide account-related data to third parties and purchase items online.

The online bank account is already the central repository for sensitive data in the form of payment information - it makes sense to re-use information linked to existing processes to facilitate the expansion of new services. Account Servicing PSPs are legally obliged to verify that you are who you say you are before letting you create an account.

MyBank is distributed to participants (PSPs) which, in turn, contract with their clients (e.g. merchants) to make use of the service. The standard MyBank four corner model, which underpins all MyBank services, is detailed below.

Figure 1: MyBank Operating Model

Banks and other payment service providers (PSPs) are important players in this arena for a number of reasons:

a. Rich and accurate customer data ("Know your Customer" information).
b. Proven, fraud-resistant authentication mechanisms.
c. Experience of a collaborative network.
d. Reach encompassing all citizens.
e. Trustworthiness. Consumers trust their own bank.

The online bank account is primed to become a central hub for online activity. Most of us already consult our account balance on our computer or mobile app on a regular basis. Some of us also hold insurance through our bank. We already trust our bank with much of our most precious data. It is clear why consumers would be eager to extend the benefits of the online bank account to validate their age or other sensitive information.

As a pan-European solution, MyBank facilitates the:

- Unbundling of valuable authentication services from payments.
- Enabling of controlled online availability of valuable information.
- Creation and positioning of digital identity services toward the market via a harmonised and recognised user experience.
- Elimination of fragmentation.

The MyBank Identity Verification pilot involving PSPs, merchants and technical integrators began in November 2015 and will continue into early 2016. The objective of the pilot is to test the use cases, refine the business model and ensure that the technical model is best fitted to the market's needs.

Fatouma Sy
Head of Product Development
MyBank

John Broxis
Managing Director
MyBank

About Fatouma Sy: Fatouma Sy is Head of Product Development at MyBank. She has worked on the development of the solution since EBA Clearing decided to launch an E-services initiative in 2010.

About John Broxis: John Broxis is the Managing Director of MyBank. Prior to heading up MyBank, John was director of STEP2 at EBA Clearing.

About MyBank: MyBank is a pan-European e-authorisation solution which enables safe digital payments and identity authentication through a consumer's own online banking portal or mobile device. With its participant banks, MyBank went live in March 2013 with SEPA Credit Transfers. Since then, MyBank has launched SEPA electronic mandate services and is now piloting MyBank Identity Verification.

www.mybank.eu
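Added example, not Signicat's or MyBank's code, of the two ideas on the last pages: an identity hub that accepts assertions from several e-ID providers and hands the service provider one normalised identity, and an attribute check (the "how to verify age?" question above) answered without handing the merchant the birth date. The provider names, field names, keys and sample persons are constructed; an HMAC stands in for each provider's signing certificate, and the assurance levels follow the eIDAS low/substantial/high vocabulary.

```python
"""Identity hub: verify e-ID assertions from several providers, give the
service provider one normalised identity, and answer an age check without
disclosing the birth date.  Constructed example: provider names, field
names, keys and the HMAC "signature" (standing in for a provider's real
signing certificate) are assumptions, not the format of any actual e-ID.
"""
import datetime
import hashlib
import hmac
import json

LOA_RANK = {"low": 1, "substantial": 2, "high": 3}    # eIDAS assurance levels
PROVIDER_KEYS = {"bankid": b"constructed-bankid-key", "minid": b"constructed-minid-key"}
# Each provider names the same facts differently; the hub maps them to one schema.
PROVIDER_SCHEMAS = {
    "bankid": {"sub": "pid", "given": "givenName", "family": "surname",
               "dob": "dateOfBirth", "loa": "level"},
    "minid": {"sub": "personId", "given": "firstname", "family": "lastname",
              "dob": "birthdate", "loa": "securityLevel"},
}


def issue(provider: str, claims: dict, aud: str, nonce: str, exp: int) -> str:
    """Provider side: JSON payload '.' hex MAC, bound to audience, nonce and expiry."""
    body = dict(claims, iss=provider, aud=aud, nonce=nonce, exp=exp)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(PROVIDER_KEYS[provider], payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


class IdentityHub:
    def __init__(self, service_provider_id: str):
        self.sp_id = service_provider_id
        self.seen_nonces = set()

    def verify_and_normalise(self, token: str, now: int) -> dict:
        payload, sig = token.rsplit(".", 1)
        body = json.loads(payload)
        key = PROVIDER_KEYS.get(body.get("iss"))
        if key is None:
            raise ValueError("unknown e-ID provider")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")   # no claim is trusted before this point
        if body["aud"] != self.sp_id:
            raise ValueError("assertion issued for another service provider")
        if body["exp"] < now:
            raise ValueError("expired")
        if body["nonce"] in self.seen_nonces:
            raise ValueError("replayed assertion")
        self.seen_nonces.add(body["nonce"])
        m = PROVIDER_SCHEMAS[body["iss"]]
        return {"provider": body["iss"], "subject": body[m["sub"]],
                "given_name": body[m["given"]], "family_name": body[m["family"]],
                "date_of_birth": body[m["dob"]], "loa": body[m["loa"]].lower()}


def merchant_decision(identity: dict, today: datetime.date,
                      min_loa: str = "substantial", min_age: int = 18) -> dict:
    """Service-provider policy: enough assurance and of age; the birth date stays behind."""
    if LOA_RANK[identity["loa"]] < LOA_RANK[min_loa]:
        return {"accepted": False, "reason": "assurance level too low"}
    dob = datetime.date.fromisoformat(identity["date_of_birth"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if age < min_age:
        return {"accepted": False, "reason": "under age"}
    return {"accepted": True, "subject": identity["subject"], "age_over_min": True}


def run_scenarios() -> dict:
    hub, now, today = IdentityHub("shop.example"), 1_450_000_000, datetime.date(2015, 12, 1)
    kari = {"pid": "01018012345", "givenName": "Kari", "surname": "Nordmann", "dateOfBirth": "1980-05-17", "level": "High"}
    ola = {"personId": "02129954321", "firstname": "Ola", "lastname": "Nordmann", "birthdate": "1999-12-02", "securityLevel": "substantial"}
    out = {}
    tok = issue("bankid", kari, "shop.example", "n1", now + 300)
    decision = merchant_decision(hub.verify_and_normalise(tok, now), today)
    out["bankid_accepted"] = decision["accepted"]
    out["dob_withheld"] = "date_of_birth" not in decision
    rejected = [("replay", tok),
                ("wrong_audience", issue("bankid", kari, "other.example", "n2", now + 300)),
                ("expired", issue("minid", ola, "shop.example", "n3", now - 1)),
                ("tampered", issue("minid", ola, "shop.example", "n4", now + 300)
                             .replace('"substantial"', '"high"'))]
    for name, bad in rejected:
        try:
            hub.verify_and_normalise(bad, now)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    tok = issue("minid", ola, "shop.example", "n5", now + 300)
    out["minor"] = merchant_decision(hub.verify_and_normalise(tok, now), today)["reason"]
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The hub is the only component that knows each provider's key and field layout, which is what lets a service provider integrate once and still accept BankID, MinID or any further provider added to the two tables; the audience and nonce checks are what stop an assertion obtained for one merchant from being presented to another, and the merchant's policy sees an assurance level and a yes/no on age, not the attribute it was derived from.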

Visit our enhanced online company profiles database: all company profiles in the Web Fraud Prevention, Online Security & Digital Identity Market Guide are available online in an enhanced company profiles database, complete with keywords, company logo and advanced search functionality.

http://webfraud-eidentity.thepaypers.com/

DIGITAL IDENTITIES AND TECHNOLOGIES AT THE HEART OF SECURITY

Innovate Identity
Identity of Things (IDoT): A New Concept in Managing Identities

Gartner predicts that there will be 4.9 billion connected things in use by 2015. This figure is expected to rise to anywhere between 25 billion and 50 billion by 2020, depending on which report you read.

The Identity of Things (IDoT) is an extension to identity management and encompasses all entity identities, whatever form the entities may take. The identities are then used to define relationships among the entities, namely between a device and an individual, a device and another device, a device and an application/service, or (as in traditional Identity and Access Management) an individual and an application/service.

This skyrocketing growth in connected devices, such as those in the health sector, means that, in many cases, the user and the device are linked to each other. By sharing data with the device, users gain more value from the device itself. The more data users share, the more value they get back. The Internet of Things, therefore, means an increase in data production: location data, personal preference data, health data, usage data and so on.

This data is incredibly valuable for the organisations collecting it. If a user has a health band, it means that insurance could be underwritten based on the individual's level of fitness, allowing access to better insurance premiums. Affiliated marketing would target users around sports they enjoy or even offer location-based special offers for local stores. This data is also valuable for users to share amongst their peers, allowing them to benchmark their fitness against others.

But what are the security consequences of generating and storing such data? Central repositories of data create attractive targets for hackers and, with high profile data breaches in the press daily, this issue shows no sign of slowing down.

With more connections and points of entry, IoT inherently increases exposure to cyber risk. And, within the hyper-connected domain of IoT, one small data breach can have a domino effect across several connections. This data also creates issues for the user around privacy, consent and control over their personal data. Who owns the data? Who can share it? Where is it stored? Can it be shared with third parties without the user's knowledge?

Why identity underpins IoT

So, what do we mean by identity? Identity is the collective aspect of the set of characteristics via which a thing is definitively recognisable or known. As the IoT network gets more sophisticated, and more data is taken, more links are made between person and device. Moreover, the longer this continues, the more valuable that data becomes. Identity is therefore intrinsically linked to IoT. Additionally, as the IoT network grows, so do the issues around security of data, user consent, control and privacy.

Identity is generally proved through a sophisticated and complex set of identity verification and authentication techniques. However, there are no set standards across the board on how we should deal with identity, which leaves multiple threat vectors for fraudsters to exploit.

Some countries have centralised government systems for identity. However, these centralised systems are open to attack. In some cases, due to vulnerabilities, these centralised systems have been subject to widespread identity fraud at a national level.

Organisations creating connected devices have their own ways of dealing with security and identity. Still, they too are effectively mini-centralised systems, meaning that they are no less vulnerable to attackers, but arguably less attractive due to their size.

Conclusion

As we hand over more and more of our decision-making to our connected devices, it is imperative that we have identity-focused and secure infrastructures in place that are capable of managing the growing complexity of the emerging connected world.

An overall decentralised identity scheme, similar in size and scale to the payments scheme, is required to deal with the security, privacy, consent and control issues we have with identities. Such a scheme would allow many organisations to offer identity solutions developed to the standards set, and those developing connected devices to adopt those solutions.

IoT devices will need to be mapped to this scheme, which will need to ensure there are ways to make it easy for the end user (the ultimate data owner) to understand and embrace. IoT presents a huge opportunity. However, in order to grow, it requires an identity layer to underpin it and allow scale in a secure way.

Emma Lindley
CEO
Innovate Identity

About Emma Lindley: Emma has over a decade of experience working with technology-led identity and age verification systems. Her focus is the intersection of technology, digital life, identity and privacy, and she is passionate about solutions which enable trust and inclusion on the Internet. Emma founded Innovate Identity in 2012 to address the need to provide thought leadership, clarity and practical solutions into a changing and increasingly complex identity market place.

About Innovate Identity: Innovate Identity (InID) is an independent consultancy working with clients from fintech start ups through to major blue chips, supporting their identity needs. From Know Your Customer and Anti Money Laundering regulatory requirements, fraud prevention, security and data privacy, through to delivery of new identity propositions such as attribute exchange, personal data stores and blockchain technologies.

www.innovateidentity.com
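Added example, not Innovate Identity's code, of the relationship model the article describes: people, devices and services are registered identities, the device-to-individual relationship is ownership, and a service reads device data only under a scoped, expiring consent from that owner, with onward sharing to third parties allowed only where the owner named them. All entity names, data types and the consent structure are assumptions of this example.

```python
"""Identity of Things relationship model with consent-gated data access.

Constructed example: entity names, data types and the consent fields are
assumptions.  The registry records who owns each device, which services
the owner has let read which data, whether they may pass it on, and every
access decision, so the owner can answer "who can share it?" for themselves.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Consent:
    grantee: str                 # service identity the owner grants access to
    device: str
    data_types: frozenset        # e.g. {"steps", "heart_rate"}
    expires: int                 # epoch seconds; no open-ended consent
    onward_sharing: frozenset = frozenset()   # third parties the owner permits


class IdentityRegistry:
    KINDS = ("person", "device", "service")

    def __init__(self):
        self.entities = {}   # id -> kind
        self.owner_of = {}   # device -> person (the device-individual relationship)
        self.consents = []   # active Consent records
        self.audit = []      # (now, requester, device, data_type, granted)

    def register(self, entity_id: str, kind: str) -> None:
        if kind not in self.KINDS:
            raise ValueError(f"unknown entity kind {kind!r}")
        self.entities[entity_id] = kind

    def bind_device(self, person: str, device: str) -> None:
        self._expect(person, "person")
        self._expect(device, "device")
        self.owner_of[device] = person

    def grant(self, person: str, consent: Consent) -> None:
        if self.owner_of.get(consent.device) != person:
            raise PermissionError("only the device owner can grant access")
        self._expect(consent.grantee, "service")
        self.consents.append(consent)

    def revoke(self, person: str, grantee: str, device: str) -> None:
        if self.owner_of.get(device) != person:
            raise PermissionError("only the device owner can revoke access")
        self.consents = [c for c in self.consents
                         if not (c.grantee == grantee and c.device == device)]

    def authorise(self, requester: str, device: str, data_type: str,
                  now: int, via: str = None) -> bool:
        """Allow only what an unexpired consent covers; `via` names the
        collecting service when a downstream third party is asking."""
        collector = via or requester
        granted = any(
            c.device == device and c.grantee == collector and c.expires > now
            and data_type in c.data_types
            and (via is None or requester in c.onward_sharing)
            for c in self.consents)
        self.audit.append((now, requester, device, data_type, granted))
        return granted

    def _expect(self, entity_id: str, kind: str) -> None:
        if self.entities.get(entity_id) != kind:
            raise ValueError(f"{entity_id!r} is not a registered {kind}")


def run_scenarios() -> dict:
    reg = IdentityRegistry()
    for entity, kind in [("alice", "person"), ("band-001", "device"),
                         ("fitapp", "service"), ("insurer", "service"),
                         ("adnet", "service")]:
        reg.register(entity, kind)
    reg.bind_device("alice", "band-001")
    reg.grant("alice", Consent("fitapp", "band-001",
                               frozenset({"steps", "heart_rate"}), expires=2000,
                               onward_sharing=frozenset({"insurer"})))
    out = {}
    out["fitapp_steps"] = reg.authorise("fitapp", "band-001", "steps", now=1000)
    out["fitapp_location"] = reg.authorise("fitapp", "band-001", "location", now=1000)
    out["insurer_via_fitapp"] = reg.authorise("insurer", "band-001", "heart_rate", now=1000, via="fitapp")
    out["adnet_via_fitapp"] = reg.authorise("adnet", "band-001", "heart_rate", now=1000, via="fitapp")
    out["after_expiry"] = reg.authorise("fitapp", "band-001", "steps", now=2500)
    try:   # a service cannot grant itself access to someone else's device
        reg.grant("fitapp", Consent("adnet", "band-001", frozenset({"steps"}), expires=9000))
        out["self_grant"] = "allowed"
    except PermissionError as err:
        out["self_grant"] = str(err)
    reg.revoke("alice", "fitapp", "band-001")
    out["after_revoke"] = reg.authorise("fitapp", "band-001", "steps", now=1000)
    out["audit_entries"] = len(reg.audit)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The answers to the article's questions fall out of the data structure: the owner is whoever the device is bound to, only that owner can grant or revoke, a collector can pass data to a third party only if the owner listed it, and every decision is logged against the requester, so the "without the user's knowledge" case cannot occur silently.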

The Paypers

The Advent of IoT: Are We Facing A Trade-off Between Convenience & Security?

The online world has never been more dynamic or more challenging than it is nowadays. The internet and groundbreaking technology enhancements have reshaped our lives and transformed the way we do things, both in a business environment and in our personal space. Over the past few years, technologies such as cloud, mobile solutions, big data and analytics, which were once the frontier of the payments industry, have become commonplace. And most recently, the Internet of Things (IoT) has been perceived as the new game changer. But what exactly is the IoT and why has it been heralded as the next major revolution in business computing?

The Internet of Things refers to the networking of physical objects through the use of embedded sensors, actuators and other devices that can collect or transmit information about the objects. Basically, via the IoT, individual components communicate with each other and a service center, allowing for virtually endless connections to take place. Additionally, a business model can now include not only services, but also position those services in the center of the model: the so-called everything-as-a-service trend. Intelligent products, connected in real-time to the internet and managed via an intelligent network, allow organisations to develop new business models and become digital disruptors. Until now, the IoT has been mostly linked with machine-to-machine (M2M) communication. Products built with M2M communication capabilities are often referred to as being smart. The IoT is expected to connect many of the devices we have in our homes, from smart thermostats to smart fridges. Big market players such as Google and Samsung already understand this and are active participants in this transformation. Google bought smart thermostat maker Nest Labs for USD 3.2 billion, while Samsung purchased connected home company SmartThings for USD 200 million.

According to a report from Gartner, by the end of 2015, there will be almost 5 billion things connected to the internet. By the end of 2020, the figure is forecasted to rise to over 25 billion. In other words, there will be more than three things connected to the internet for each person on the planet. Furthermore, data jointly released by Cisco and logistics service provider DHL reveals there are actually expected to be around 50 billion internet-connected devices by 2020, which would represent a significant increase in the number of connections. And this is not all. The IoT will definitely continue to grow. According to estimations by the McKinsey Global Institute, the IoT will have a total economic impact of up to USD 11 trillion by 2025. The same source mentions that more than two thirds of the value will be generated in business-to-business settings, and business customers and consumers will likely capture more than 90% of the value created.

The IoT: a force driving innovation and digital transformation in financial services

The impact of such connectivity provided by the IoT cannot be fully grasped yet. The IoT is expected to transform all industries, including banking. A Deloitte analysis suggests that as many as one quarter of sensors deployed in 2013 could be of use to financial institutions, rising to one third in 2015 and then to about 50% by 2020. In total, the growth in sensor deployments for financial services is expected to be very strong, ranging from just over 20% to 100% annually on a compounded basis, depending on the sector. Big data analytics, combined with a large number of connected devices and environments through the IoT, are set to empower data-driven management, reshape processes and deliver significant benefits. The banking and securities industry will continue to innovate around mobile and micropayment technology using POS terminals and will invest in improved physical security systems.

The IoT from a security and privacy perspective

The IoT really seems to be the next big thing. However, this giant that presents tremendous opportunities for development, that promises convenience and amazing experiences, is not without its shortcomings. The first and most important side effect that comes up is the issue of security and privacy. How can businesses and consumers be certain their data is protected with such an explosion of devices and sensors?


Ionela Barbuta
Senior Editor

The Paypers

Cybersecurity will definitely take on a whole new dimension and digital vulnerabilities are likely to expand in more ways than we can currently imagine. Therefore, one of the most pressing problems for businesses planning to take advantage of the IoT is protecting company and customer data. Numerous IoT-based applications depend on access to consumer data, including data collected passively from customers' behaviour. For instance, one use of the technology could be fully automated checkout in retail settings. Customers could literally walk out the door of a store without having to wait in line or even swipe a card: data-gathering beacons can scan tags on all the items in a shopping cart, total the bill and debit the customer's account, perhaps even deducting money from the customer's smartphone.

In this context, each sensor could be a potential entry point for hackers and the consequences of a data breach can be devastating. To prevent this, companies should take on the responsibility to work with technology vendors and heavily invest in data-security capabilities. They should also build protections for their own data and intellectual property when they implement IoT systems.

Notwithstanding the high risk of IoT, there is a lot of potential. With greater connectivity there comes greater convenience, and customers have a higher expectation of services and support.

About Ionela Barbuta: As Senior Editor at The Paypers, Ionela is in charge of managing projects and writing research articles on Security & Fraud. Ionela holds a Master's Degree in International Business and Intercultural Strategies.

About The Paypers: The Paypers is the leading independent source of news and analysis for professionals in the global payment community. Our products are created by payment experts and have a special focus on all major developments in payments-related industries including online/mobile payment, ecommerce, e-invoicing, online fraud prevention innovations and the most significant trends in the digital identity space.

www.thepaypers.com


COMPANY
PROFILES

Company

Accertify

Accertify Inc., a wholly owned subsidiary of American Express, is a leading provider of fraud prevention, chargeback management, and payment gateway solutions to merchant customers spanning diverse industries worldwide. Accertify's suite of products and services helps ecommerce companies grow their business by driving down the total cost of fraud and protecting their brand.

Website: www.accertify.com
Keywords for online profile: fraud, chargeback, payment gateway, risk, protect, loss, Accertify
Business model: Software-as-a-service (SaaS)
Target market: Online shoppers, financial institutions, payment services providers, online communities / web merchants, gaming & gambling, other online businesses
Contact: emea@accertify.com
Geographical presence: Global
Active since: 2007
Service provider type: Digital identity service provider, technology vendor, web fraud detection company, payment service provider (PSP)
Member of industry association and/or initiatives: Merchant Risk Council, Direct Response Forum, Vendorcom, AMIPCI

Services

Unique selling points: Accertify leverages its flexible platform to enable merchants to screen for multiple fraud use cases, including, but not limited to, payment, loyalty, claims, staff and social media reputation. Our unique capabilities allow genuine customers to be efficiently removed from fraud processes, supporting merchant growth.
Core services: Accertify's core suite of services includes fraud management, chargeback management, and payment gateway.
Pricing model: For more details contact our sales team at emea@accertify.com.
Fraud prevention partners: Accertify is integrated with multiple third party services, which include, but are not limited to: LexisNexis, Whitepages Pro, Experian, InAuth, iovation, ThreatMetrix, Perseuss, Emailage, Neustar, MaxMind, eBureau, Mastercard, Discover.
Other services: Professional Fraud Services, Decision Sciences, Manual Review outsourcing 24/7, Support Services, Rule Management and improvement, Best Practice consulting, Training services.
Third party connection: United Parcel Service (UPS) and FedEx to obtain proof of delivery signatures; eFax (inbound and outbound fax receipt).

Technology: anti-fraud detection tools available

Address verification services: Yes
CNP transactions: Yes
Card Verification Value (CVV): Yes
BIN lookup: Yes
Geo-location checks: Yes
Device fingerprint: Yes, through integrated partners
Payer authentication: Yes
Velocity rules / purchase limit rules: Yes
White list/black list database: Yes
KYC (Know Your Customer): Yes; complemented with integrated partners
Credit rating: No
Follow up action: Additional authentication (out of band authentication) and transaction verification capabilities.
Other: Profiling (dynamic summarization and aggregation)

Authentication context

Online: Yes
Mobile: Yes
ATM: No
POS: Yes
Call centre: Yes
Other: Kiosk (unattended terminal)

Reference data connectivity

Connectivity to governmental data: No (unless provided via a partner, for example Experian or LexisNexis)
Other databases: BIN, Oanda, global latitude/longitude, Accertify Risk ID (multi-merchant negative DB), Accertify Index (multi-merchant positive DB), Amex Risk Information Management DB

Fraud management system type

Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

Certification

Type: PCI DSS Level 1, ISO 27001
Regulation: For more details contact our sales team at emea@accertify.com.
Other quality programs: For more details contact our sales team at emea@accertify.com.
Other remarks: For more details contact our sales team at emea@accertify.com.

Clients

Main clients / references: Marks and Spencer, British Airways, easyJet, Autotrader, Bazaarvoice, TUI
Future developments: For more details contact our sales team at emea@accertify.com.


TURN SUSCEPTIBLE INTO SECURE.
Protect your online payments while driving business growth.
aciworldwide.com/onlinefraudprevention

Company

ACI Worldwide

Specialist provider of fraud prevention and management solutions for all payment transaction types to merchants, issuers, acquirers, processors and switches. Through our ACI ReD Shield, ACI ReDi, ACI ReD Fraud Xchange and ACI ReD Alerts we deliver real-time, multi-tiered fraud solutions which are managed by our expert risk analysts. Our analysts and systems are informed by our unrivalled access to data and business intelligence and its ability to connect merchants, acquirers and issuers in the fight against fraud.

Website: www.aciworldwide.com
Keywords for online profile: online fraud prevention, ecommerce, online fraud, fraud analytics, Card Not Present (CNP)
Business model: Direct and via our PSP channel.
Target market: Online ecommerce merchants, financial institutions, payment services providers, government services, acquirers, gaming, retail, hospitality, loyalty, telecommunications, travel and entertainment
Contact: Andy McDonald (andy.mcdonald@aciworldwide.com or +44 (0)7785 627494)
Geographical presence: Global
Active since: 1975
Service provider type: Digital identity service provider, technology vendor, web fraud detection company, payment service provider (PSP), issuer, acquirer
Member of industry association and/or initiatives: Merchant Risk Council, IMRG, Direct Response Forum, Vendorcom, Cross-Border eCommerce Community

Services

Unique selling points: Automated processes and dedicated support from expert risk analysts. Global fraud data, fraud solutions tailored to sector and customer needs, predictive models and unlimited, flexible rules. Holistic fraud management: real-time and post-transaction monitoring using our unrivalled business intelligence solution. Presence across the payments chain, supporting merchant and issuer collaboration in the fight against fraud.
Core services: Card Not Present (online, IVR, call centre and mobile) and card present fraud prevention; fraud and risk consultancy; payment services
Pricing model: Flexible
Fraud prevention partners: ACI partners with leading PSPs around the globe (see a full list at http://www.aciworldwide.com/who-we-are/partners/our-partners.aspx).
Other services: Payment services: Base 24 EPS, Postilion, ACI Proactive Risk Manager, ACI Universal Online Banker. Please visit www.aciworldwide.com to view all services available from ACI.
Third party connection: For more information, please contact ACI.

Technology: anti-fraud detection tools available

Address verification services: Yes
CNP transactions: Yes
Card Verification Value (CVV): Yes
BIN lookup: Yes
Geo-location checks: Yes
Device fingerprint: Yes
Payer authentication: Yes
Velocity rules / purchase limit rules: Yes, unlimited and flexible.
White list/black list database: Yes
KYC (Know Your Customer): Yes
Credit rating: No
Follow up action: Yes
Other: Compliance list checking, AML, additional black lists

Authentication context

Online: Yes
Mobile: Yes
ATM: Yes
POS: Yes
Call centre: Yes
Other: For more information, please contact the sales team.

Reference data connectivity

Connectivity to governmental data: For more information, please contact ACI.
Other databases: Commercial attribute providers, e.g. credit databases

Fraud management system type

Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

Certification

Type: PCI DSS v3.0, ISO 27001, SAS70
Regulation: EU Data Protection
Other quality programs: UK Payments Administration accreditation, Visa Account Information Security (AIS and CISP) accreditation, Amex Data Security Operating Policy
Other remarks: For more information, please contact the sales team.

Clients

Main clients / references: Upon request
Future developments: For more information, please contact ACI.


Company

The ai Corporation

ai provides fraud prevention solutions to some of the world's largest financial institutions, merchants and PSPs. Our unique self-service solutions, including our new state of the art neural technology, protect and enrich payments experiences for more than 100 banks and 3 million multichannel merchants, monitoring over 20 billion transactions a year.

Website: www.aicorporation.com
Keywords for online profile: fraud prevention, analytics, neural, risk, detection, self-service, white label
Business model: Direct and indirect licenced software sales through select partners. SaaS: direct hosting and/or managed service
Target market: Online merchants, multi channel merchants (traditional, mobile and online), financial institutions, card issuers (credit, debit, prepaid, fuel card, T&E), card acquirers/ISOs/payment facilitators, alternative payment providers (e-vouchers, e-wallets), payment services providers, government services, online communities/web merchants, gaming & gambling, other online businesses
Contact: Nick Walker (nick.walker@aicorporation.com or +44 7901 920573)
Geographical presence: Global
Active since: 1998
Service provider type: Software technology vendor, SaaS managed service provider
Member of industry association and/or initiatives: None

Services

Unique selling points: Self-service real-time rules engine and neural model builder, empowering the user to easily build, deploy and operate their own fraud strategies quickly and efficiently without the need for expensive, lengthy and often ineffective third party services. The software also allows for non-fraud analytics and rules deployment.
Core services: Omni-channel and enterprise wide fraud prevention technology and managed services.
Pricing model: Licence fees or service fees
Fraud prevention partners: PayVector, InAuth, FISH, PanIntelligence, Azuka
Other services: Business intelligence, cardholder/consumer engagement, enterprise case management
Third party connection: Data providers, card management systems, transaction switches, PSPs

Technology: anti-fraud detection tools available

Address verification services: Partner
CNP transactions: Yes
Card Verification Value (CVV): Yes
BIN lookup: Yes
Geo-location checks: Partner
Device fingerprint: Partner
Payer authentication: Yes
Velocity rules / purchase limit rules: Yes, with auto rule generator SmartRule.
White list/black list database: Yes
KYC (Know Your Customer): Partner
Credit rating: Partner
Follow up action: Enterprise wide case management.
Other: More information available upon request.

Authentication context

Online: Yes
Mobile: Yes
ATM: Yes
POS: Yes
Call centre: Yes
Other: Yes

Reference data connectivity

Connectivity to governmental data: Partner
Other databases: Partner

Fraud management system type

Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

Certification

Type: ISO 27001 in progress.
Regulation: PCI
Other quality programs: KII, SmartMinds
Other remarks: More information available upon request.

Clients

Main clients / references: Shell, Barclaycard, Nedbank, Mashreq, AFS, Global Payments, IBQ
Future developments: More data feeds, more third party interfaces, full automation of fraud detection.


ADVERTISEMENT

How EMV will Change Online Business in the U.S.

Everyone in the payments world is talking about EMV in the U.S. But for omni-channel and online merchants, how will the use of EMV cards impact their eCommerce fraud?

Benefits of EMV Cards

A major benefit of chip cards is how the chips work at POS. Each time the card is used in person, the chip creates a unique code that cannot be re-used. So if a card number is stolen in a breach, the stolen number and transaction code would not be usable and any fraudulent attempts at point-of-sale would be denied.

Another benefit of the chip card is that the chips cannot be cloned by counterfeiters if they steal a card number, so counterfeit cards cannot be used for in-person transactions. This is also a drawback: because the chips are not read for a card-not-present transaction, stolen chip card numbers can be, and increasingly are, used to make fraudulent CNP transactions.

How Can Online Merchants Protect Themselves?

To thwart the influx of online fraud, many eCommerce merchants have dialed up their fraud tools. This helps control the increased fraud, but also creates false positives: transactions that the fraud tool flags and the merchant declines that are actually good orders. This is almost as harmful to a merchant as the fraud because it results in lost sales and insults to good consumers.

This puts online merchants in a difficult spot. Because chip cards can't be used for in-person fraud, the fraudsters look for the path of least resistance, the card-not-present world. But there is a way to prevent fraud.

Cardinal Consumer Authentication (CCA) protects online transactions the way chip cards prevent fraud at the cash register. And combining CCA with a fraud tool, merchants can increase their good orders by up to 15% vs using a fraud tool alone. CCA's rules-based approach gives merchants choice in how each transaction is authenticated, and control over the amount of consumer friction during checkout. In many cases, using CCA, authentication happens behind the scenes, with no friction during checkout for the consumer, using things like IP address, device identification, buying patterns, or any data point the merchant collects.

Other benefits of Cardinal Consumer Authentication include:
- Increased sales: fewer false positives and the opportunity to sell in regions where 3-D Secure is mandated.
- Improved margins: liability shift on fraudulent chargebacks, potential interchange savings, and less manual review.
- Enhanced consumer experience: the merchant controls the amount of friction during checkout with dynamic rules that can be applied transaction by transaction.

To learn more about how EMV can affect your CNP business, and what you can do to protect yourself, contact Cardinal.

visit: www.cardinalcommerce.com
call: (877) 352-8444

Company

CardinalCommerce Corporation

CardinalCommerce is the pioneer and global leader in enabling authenticated payment transactions in the card-not-present payments industry, and the largest authentication network in the world. Through One Connection to the proprietary Cardinal SafeCloud, we enable friction-free, technology-neutral authentication and alternative payment services (including digital wallets and mobile commerce services).

Website: www.cardinalcommerce.com
Keywords for online profile: consumer authentication, 3-D Secure, prevent online fraud, prevent fraudulent chargebacks
Business model: Sell directly to online merchants and financial institutions; sell through partners
Target market: Financial institutions, payment services providers, online communities/web merchants, gaming and gambling
Contact: info@cardinalcommerce.com
Geographical presence: Global; we do business in Europe, Asia, Africa, Australia, North and South America
Active since: 1999
Service provider type: Technology vendor
Member of industry association and/or initiatives: Member of Merchant Risk Council (MRC) and Merchant Advisory Group (MAG); North American Board member of MRC

Services

Unique selling points: With Cardinal Consumer Authentication you can increase sales, improve margins, control consumer friction during checkout and eliminate fraudulent chargebacks for your online business. With your One Connection to Cardinal, you can add alternative payment brands and digital wallets quickly and easily, to give your consumers the payment options they want.
Core services: Cardinal Consumer Authentication, leveraging the 3-D Secure protocols to give merchants choice of which transactions to authenticate and control over checkout friction.
Pricing model: Transaction volume based pricing, starting at USD 29.99 per month.
Fraud prevention partners: Visa (CyberSource), ACI (Retail Decisions)
Other services: Consumer authentication, alternative payment brands, digital wallets
Third party connection: Visa (CyberSource), ACI (Retail Decisions), PayPal

Technology: anti-fraud detection tools available

Address verification services: Through a partner
CNP transactions: Yes
Card Verification Value (CVV): Yes
BIN lookup: Through a partner
Geo-location checks: Through a partner
Device fingerprint: Yes
Payer authentication: Cardinal Consumer Authentication
Velocity rules / purchase limit rules: Yes
White list/black list database: Yes
KYC (Know Your Customer): Yes
Credit rating: No
Follow up action: Additional authentication (out of band authentication) and transaction verification capabilities.
Other: N/A

Authentication context

Online: Yes
Mobile: Yes
ATM: N/A
POS: N/A
Call centre: N/A
Other: N/A

Reference data connectivity

Connectivity to governmental data: N/A
Other databases: N/A

Fraud management system type

Single-channel fraud prevention system: N/A
Multi-channel fraud prevention system: N/A

Certification

Type: N/A
Regulation: N/A
Other quality programs: N/A
Other remarks: N/A

Clients

Main clients / references: Contact CardinalCommerce for specific information.
Future developments: Contact CardinalCommerce for specific information.


Company

CashRun
Fraud Protection & Global Payment Solution

CashRun has vast experience in the fraud industry protecting online merchants from the high risk and costs associated with online fraud. Our 100% chargeback protection allows merchants to focus on their core business competencies and at the same time achieve higher revenue growth through effective fraud risk management.

Website: www.cashshield.com
Keywords for online profile: fraud solution, big data, machine learning, optimization
Business model: CashRun offers leading fraud protection technology, solely designed and developed by us.
Target market: Online communities/web merchants, financial institutions, payment services providers, government services, gaming and gambling, other online businesses
Contact: enquiries@cashrun.com
Geographical presence: Global
Active since: 2007
Service provider type: Web fraud detection company, payment service provider (PSP), technology vendor, digital identity service provider
Member of industry association and/or initiatives: MRC Premium Sponsor

Services

Unique selling points: CashShield's fraud management solution is based on a combination of fraud detection technology, big data and machine learning that are optimized through a risk management algorithm. Our fully managed service helps you fight fraud hassle-free, with the added protection of an unprecedented 100% chargeback protection, for both tangible and intangible goods.
Core services: Comprehensive online fraud risk management for online merchants and PSPs.
Pricing model: Unsecured transactions (PayPal, non-3D-Secured): CashShield Enterprise (100% Chargeback Guarantee) fee, a percentage of the value of transactions depending on industry risk. Secured transactions (3D-Secured transactions): CashShield Core fee, a fixed fee per transaction.
Fraud prevention partners: CashRun designs and develops its own fraud protection solutions.
Other services: Online payment service provider
Third party connection: N/A

Technology: anti-fraud detection tools available

Address verification services: Yes
CNP transactions: Yes
Card Verification Value (CVV): Yes
BIN lookup: Yes
Geo-location checks: Yes
Device fingerprint: Yes
Payer authentication: Yes
Velocity rules / purchase limit rules: No; CashShield does not use hard rules and limits that hamper growth.
White list/black list database: Yes
KYC (Know Your Customer): No
Credit rating: No
Follow up action: Our fully managed service tailors and configures the merchant's risk template for them, giving them only two optimized decisions: accept or reject. We make decisions, not predictions.
Other: CashShield's machine learning system is updated daily with new fraud trends and data, to raise alerts on potential threats.

Authentication context

Online: Yes
Mobile: Yes
ATM: No
POS: No
Call centre: No
Other: Yes, mobile apps

Reference data connectivity

Connectivity to governmental data: No
Other databases: Yes

Fraud management system type

Single-channel fraud prevention system: Yes
Multi-channel fraud prevention system: Yes

Certification

Type: More information available upon request.
Regulation: More information available upon request.
Other quality programs: PCI Compliance
Other remarks: More information available upon request.

Clients

Main clients / references: Telecommunications, gaming publishers, prepaid products, software, digital goods, PSPs, acquirers, marketplaces, travel, airlines, ticketing, hotels, ecommerce retailers
Future developments: Constantly enhancing our system to stay one step ahead of the latest fraud schemes and provide online merchants with the most comprehensive verification.


We make decisions, not predictions.
ACCEPT / REJECT

CashShield is here to simplify your verification process. We configure the risk template for you, which allows us to take full responsibility for our risk decisions instead of passing this responsibility back to you, while ensuring that we boost your sales conversion rates with two straightforward decisions: accept or reject. Get ahead of fraud with our unprecedented 100% Chargeback Protection (including digital goods) and intelligent technology that combines machine learning, big data and risk optimization. CashShield secures both 3DS and non-3DS transactions and eliminates hard limits. Boost your sales and say goodbye to false positives, unnecessary buying restrictions, and most importantly, fraud.

For more information, please visit www.cashshield.com

Accept more orders, with less fraud.

Our integrated payment, fraud and security management services can help speed up time-to-market, streamline operations and help you accept payments securely online and through mobile devices, across the globe.

If you are a merchant selling online, we can help you:

Manage mobile fraud: Our range of tools can help you to confidently sell through the mobile channel, while managing fraud to the same levels as with traditional eCommerce channels.

Manage global fraud: Our range of solutions can help you accept orders from international markets with confidence.

Increase order acceptance: We can help you optimise your fraud management operations to protect the customer experience and accept more genuine orders.

Learn more about our fraud management solutions: www.cybersource.co.uk

Contact us: europe@cybersource.co.uk
+44 (0)118 990 7300
cybersource.co.uk

About CyberSource: CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Foster City, California and maintains offices throughout the world, with regional headquarters in Singapore, Tokyo, Miami/Sao Paulo and Reading, UK. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.co.uk
2015 CyberSource Corporation. All rights reserved.

Company Name

CyberSource Ltd.
CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over
400,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process
online payments, streamline fraud management, and simplify payment security. The company
is headquartered in Foster City, California and maintains offices throughout the world, with
regional headquarters in Singapore, Tokyo, Miami / Sao Paulo and Reading, UK. CyberSource
operates in Europe under agreement with Visa Europe. For more information, please visit
www.cybersource.co.uk.

Website

www.cybersource.co.uk

Keywords for online profile

fraud management, risk management, payment security, ecommerce, payments, payment gateway,
rules based payer authentication

Business model

Software as a Service (SaaS)

Target market

Retail, travel, financial institutions, media and entertainment

Contact

CyberSource Ltd. Reading International Business Park, Reading, Berkshire RG2 6DH
VAT No: GB 927 433123

Geographical presence

Worldwide

Active since

1994

Service provider type

Payment Service Provider (PSP), fraud management company, web fraud detection, device
identification

Member of industry association


and or initiatives

Merchant Risk Council, IMRG, Vendorcom

Services
Unique selling points

The only global payment management platform built on secure Visa infrastructurewith
integrations to the worlds largest network of connected commerce partners and transaction
insightsCyberSource solutions power businesses to create new brand experiences, grow sales
and engagement, and keep payment operations safe.

Core services

CyberSource provides fraud management services to help manage the entire life cycle of payment
fraud, including account creation and takeover risk.

Pricing Model

Tiered SaaS-based pricing model.

Fraud prevention partners

ThreatMetrix, Cardinal Commerce, Neustar

Other services

More information available upon request.

Third party connection

Neustar, LexisNexis, Whitepages.com, Perseuss, Computer Services

Technology: anti-fraud detection tools available
Address verifications services

Yes

CNP transactions

Yes

Card Verification Value (CVV)

Yes

Bin lookup

Yes

Geo-location Checks

Yes

Device Fingerprint

Yes

Payer Authentication

Yes

Velocity Rules / Purchase Limit Rules

Yes

White list/black list database:

Yes

KYC Know Your Customer

No

Credit Rating

No

Follow up action

Additional authentication (out of band authentication) and transaction verification capabilities.

Other

More information available upon request.

COMPANY PROFILES

85

Authentication Context
Online

Yes

Mobile

Yes

ATM

No

POS

No

Call centre

Yes

other

More information available upon request

Reference Data connectivity
Connectivity to governmental data

No

Other databases

Commercial attribute providers, e.g. credit databases

Fraud management system type
Single-channel fraud prevention system

No

Multi-channel fraud prevention system

Yes

Certification
Type

More information available upon request.

Regulation

More information available upon request.

Other quality programs

More information available upon request.

Other remarks

Contact europe@cybersource.com for more information.

Clients

Main clients / references

Turkish Airlines, China Eastern, Cinpolis, Webjet, Backcountry, ESET

Future developments

For more information contact europe@cybersource.com.

WEB FRAUD PREVENTION, ONLINE AUTHENTICATION & DIGITAL IDENTITY GUIDE 2015 / 2016

Company

Entersekt

Entersekt is an innovator in transaction authentication, securing digital banking and payments by harnessing the power of electronic certificate technology with the convenience of mobile phones. Financial institutions look to Entersekt to strengthen the bonds of trust they share with their customers and to deepen those relationships through innovative new services.

Website

www.entersekt.com

Keywords for online profile

Mobile security, mobile banking, online banking, card-not-present, out-of-band authentication, multi-factor authentication, push-based authentication, 3-D Secure

Business model

Direct and through partners

Target market

Financial institutions, card issuers, insurers, payment service providers

Contact

Entersekt sales team: sales@entersekt.com

Geographical presence

Africa, Europe, Middle East, North America

Active since

2008

Service provider type

Digital identity service provider

Member of industry associations and initiatives

FIDO Alliance, WASPA

Services
Core services

Mobile-app-based, multi-factor authentication and transaction signing of online banking, mobile banking, and card-not-present payments.

Other services

Authentication in the consumer space (LastPass, Google Chrome), non-app-based out-of-band authentication and SIM-swap protection through push USSD.

Unique selling points

Entersekt's patented emCert technology generates public/private key pairs to uniquely identify enrolled mobile devices and validate two-way communications. A self-contained cryptographic stack and communications layer enables an end-to-end encrypted channel distinct from that initiated by the device, so transactions originating from the phone can still be authenticated out of band.

Pricing model

Per user subscription

Partners

Amazon Web Services, Citrix, IBM, Netcetera, Visa, MasterCard, American Express

Offering: authentication technology used
Technology used

Industry-standard X.509 digital certificates; proprietary validation techniques developed specifically for the mobile phone; FIPS 140-2 Level 3 on-premise hardware appliance; dynamic public key pinning; secure browser pattern; device and application context for context-based risk scoring; advanced detection of rooting, jailbreaking, or similar mobile operating system security bypass hacks; support for fingerprint biometrics; NI USSD for non-app-based out-of-band authentication and SIM-swap protection.

Authentication context
Online

Yes

Mobile

Yes

ATM

No

Branch/Point of Sale

No

Call Centre

Yes

Other:

Card-not-present payments (3-D Secure), e-mail

Issuing process (if applicable)
Assurance levels conformity

N/A

Online issuing process (incl. lead time in working days)

Yes. Identity proofing and enrolment processes are set by the implementing institution, but there is no reason why remote device registration should take more than a few minutes. Options available for enrolling a user include phone-based registration via one-time password, scanning a printed QR code, and a combination of scanning a bank card and inputting the associated PIN.

Face-to-face issuing (incl. lead time in working days)

Yes. Identity proofing and enrolment processes are set by the implementing institution, but there is
no reason why in-branch device registration should take more than a few minutes.

Issuing network

Bank branches, online services

Attributes offered
Persons

Level of trust (e.g. biometric data, password); signed authentication message

Companies

For more information, please contact our sales team.

Reference data connectivity
Connectivity to governmental data

N/A

Other databases

N/A

Certification
Type

Entersekt's flagship product, Transakt, is FIDO Certified as a U2F (universal second factor) authenticator. Transakt is also validated with the Ready for IBM Security Intelligence program and Citrix XenApp. Entersekt's card-not-present authentication solution is fully accredited by Visa, MasterCard, and American Express.

Regulation

Entersekt's solutions are engineered specifically for the heavily regulated financial sector and adhere to all major digital banking security mandates, including the requirements set out by the European Central Bank, the FFIEC, and the Monetary Authority of Singapore. They are compliant with ISO 21188:2006 (Public key infrastructure for financial services) and utilize hardware security modules certified as FIPS 140-2 Security Level 3 for encrypting and decrypting all authentication data.

Other quality programs

The underlying technology is regularly validated by independent third parties to ensure it is invulnerable to new attack vectors.

Other remarks

For more information, please contact our sales team.

Clients

Main clients / references

Those listed in the public domain: Capitec Bank; Equity Bank; Investec; Nedbank; Old Mutual;
Swisscard. For others, please contact our sales team.

Future developments

For more information, please contact our sales team.

Digital banking and payments are a work in progress. Their future will be built on trust.
Banks around the world look to Entersekt to strengthen the bonds of trust they share with their customers, and to help deepen those relationships by launching innovative new digital services. Discover how our mobile-enabled authentication product Transakt can help your organization build richer, more satisfying online and mobile banking experiences, unrestricted by security concerns.

entersekt.com

✓ Mobile SDK or app
✓ Push-based
✓ Out of band
✓ Multi-factor
U2F

Transakt opens up digital banking.

Security in your pocket

Using artificially intelligent algorithms, Feedzai keeps your payment safe and your commerce moving. It's modern fraud science made simple.
Feedzai is the easy, straightforward solution for risk teams to upgrade to advanced machine learning fraud models. With Feedzai, today's risk professionals in businesses large and small can now have the power of advanced data science to fight fraud and false alarms.

Reduce fraud by up to 80% with Feedzai. Schedule a demo today to see what Feedzai can do in real-time for your own business data.

info@feedzai.com
US: 650-260-8924
EUR: +351-239-402-166

Company

Feedzai
Feedzai was founded in 2009 by data scientists and aerospace engineers to make commerce safe for business customers through the use of artificially intelligent machine learning. Feedzai's Fraud Prevention That Learns technology is used by large financial services companies to risk-score over USD 1 billion of commerce transactions each day.

Website

www.feedzai.com

Keywords for online profile

Machine learning platform to manage risk and prevent fraud.

Business model

Software-as-a-service (SaaS)

Target market

Online shoppers, financial institutions, payment services providers, government services, online communities / web merchants, gaming and gambling, other online businesses

Contact

info@feedzai.com

Geographical presence

Global

Active since

2009

Service provider type

Technology vendor, web fraud detection company

Member of industry associations and/or initiatives

More information available upon request.

Services
Unique selling points

Feedzai makes commerce safe for business customers and creates a better experience for their consumers through artificially intelligent machine learning. Financial services companies use Feedzai's anti-fraud technology to keep commerce moving safely.

Core services

Feedzai offers a machine learning platform to manage risk and prevent fraud that can process
transactions at big data scale.

Pricing Model

For more details contact our sales team at sales@feedzai.com.

Fraud prevention partners

SAP, Emailage, Socure, Deloitte, EnCap Security, Azul Systems, Cloudera, Datastax

Other services

More information available upon request.

Third party connection

More information available upon request.

Technology: anti-fraud detection tools available
Address verifications services

Yes

CNP transactions

Yes

Card Verification Value (CVV)

No

Bin lookup

Yes

Geo-location Checks

Yes

Device Fingerprint

Yes

Payer Authentication

Yes

Velocity Rules / Purchase Limit Rules

Yes

White list/black list database:

Yes

KYC Know Your Customer

Yes

Credit Rating

Yes

Follow up action

Additional authentication (out of band authentication) and transaction verification capabilities.

Other

Machine learning

Authentication Context
Online

Yes

Mobile

Yes

ATM

Yes

POS

Yes

Call centre

Yes

Other

More information available upon request.

Reference Data connectivity
Connectivity to governmental data

More information available upon request.

Other databases

More information available upon request.

Fraud management system type
Single-channel fraud prevention system

No

Multi-channel fraud prevention system

Yes

Certification
Type

PCI DSS Level 1

Regulation

Directive 95/46/EC

Other quality programs

More information available upon request.

Other remarks

More information available upon request.

Clients

Main clients / references

First Data, top-tier banks

Future developments

Deep learning

Company

iovation Inc.
iovation protects online businesses and their end users against fraud and abuse, and identifies
trustworthy customers through a combination of advanced device identification, shared device
reputation, device-based authentication and real-time risk evaluation.

Website

www.iovation.com

Keywords for online profile

device identification, device reputation, online fraud prevention, mobile fraud, account takeover
prevention, device-based authentication, customer authentication, trust scoring

Business model

SaaS

Target market

Online businesses such as retailers, financial institutions, lenders, prepaid cards, insurers, social
networks and dating sites, logistics, gaming/MMO, gambling operators, online auction sites, and
travel and ticketing companies.

Contact

Connie Gougler, Director of Marketing, connie.gougler@iovation.com, 503-943-6748

Geographical presence

Global: iovation's business is 51% US and 49% international

Active since

2004

Service provider type

Device Identification
Web Fraud Detection, Customer Authentication

Member of industry associations and/or initiatives

Merchant Risk Council, Online Lenders Association

Services
Unique selling points

iovation provides real-time SaaS for authentication and fraud prevention that tells our clients if a customer visiting their site is risky based upon specific criteria for evaluating the transaction or activity. iovation provides a score and result (allow, review, deny) for every transaction, allowing our clients to use an automated workflow. iovation's global consortium contains the reputations of nearly 3 billion devices and 25 million fraud events such as chargebacks, identity theft, account takeovers, online scams and many more.

Core services

iovation offers fraud prevention, customer authentication services and trust scoring/services.

Pricing Model

Per transaction fee based on system usage depending on volume, type of transaction, and length
of contract.

Fraud prevention partners

Fiserv, Equifax, ID Analytics, Accertify, Kaspersky, ACI Worldwide, Verisk, Callcredit, Imperva, Zoot

Other services

Our clients have access to the Fraud Force Community, an exclusive private B2B network of the world's foremost security experts sharing intelligence about cybercrime prevention, device identification, new threats and other fraud-related topics.

Third party connection

iovation delivers data in XML format, allowing output to be integrated easily with third-party systems.

Technology: anti-fraud detection tools available
Address verifications services

No: While we do not offer AVS services, we capture the IP address and its geolocation. We can flag transactions from blocked countries, as well as notify clients when mismatches occur between the IP address shown by the user's browser and the IP address we collect with our Real IP proxy unmasking feature.

CNP transactions

Yes: iovation's service is primarily used to detect high-risk activity at login, account creation, fund transfer and checkout. In addition, our iovation score helps identify the most trustworthy customers in our clients' review queues so that they can take good business immediately, and offer higher-value promotions to their preferred customers.

Card Verification Value (CVV)

No: This service is handled through our client's payment processor.

Bin lookup

No: This service is handled through our client's payment processor.

Geo-location Checks

Yes: iovation's clients can flag transactions when activity is coming from an unauthorized country or through a proxy, and they can use our Real IP technology to pinpoint the user's actual location.

Device Fingerprint

Yes: iovation offers a defense-in-depth approach to device recognition, supporting native and web
integrations for mobile, tablet and desktop devices.

Payer Authentication

No: This service is handled through our client's payment processor.

Device-based Authentication

Yes: iovation's authentication service allows clients to use their customers' known devices to help verify identity. Authentication happens in real time, behind the scenes, reducing unnecessary friction.

Velocity Rules / Purchase Limit Rules

Yes: iovation's velocity rules flag transactions when thresholds are exceeded. These may include situations where too many accounts are accessed per device, or too many new accounts are created within a timeframe. Specific rules include Accounts per Device, Accounts Created per Device, Countries per Account, Countries per Device, Transactions per Account, and Transactions per Device. Our service also flags transaction value thresholds, and other transactional velocities.

White list/black list database:

Yes: iovation clients can flag transactions based on custom-built lists. These can be positive or
negative lists. List types include accounts, devices, IP ranges, ISPs, locations and others, and are
easily managed across rule sets.

Device Anomalies

Yes: iovation clients can flag transactions when device settings are anomalous and indicative of
risk. While individual device characteristics may not be proof of risk, certain characteristics may be
worth monitoring, and several in combination with each other may indicate attempts by the user to
evade detection.

Fraud and Abuse Records

Yes: iovation clients can flag transactions that originate from an account or device already
associated with fraud or abuse. Previous fraud or abuse is recorded in our system as evidence. The
customer sets the types of evidence they want to consider, and decides whether to leverage only
the evidence they log, or consider the evidence of other iovation subscribers.

KYC Know Your Customer

No

Credit Rating

No

Follow up action

iovation's fraud prevention service provides an Allow, Review or Deny result for each transaction. Clients then decide the best course of action to take in response to these results. iovation also returns detailed information about the device associated with the transaction; clients can store this data and correlate it back to identity management and other systems as needed.

Authentication Context
Online

Yes

Mobile

Yes: iovation's mobile SDK for iOS and Android identifies jailbroken or rooted devices, and captures device location through IP address, network-based geo-location information, and GPS data. The location services expose mismatches between the reported time zone and location, long distances between transactions made in short periods of time, and other location-based anomalies. It also detects transactions originating from virtual machines or emulators.

ATM

No

POS

No

Call centre

No

Reference Data connectivity
Connectivity to governmental data

No

Other databases

MaxMind IP geolocation

Fraud management system type
Single-channel fraud prevention system

Yes: iovation delivers comprehensive online fraud prevention for mobile, tablet and PC-based
transactions.

Multi-channel fraud prevention system

Our services focus on online transactions and complement a multi-channel prevention system.

Certification
Type

Regulation

iovation supports FFIEC compliance by providing device identification and device-based authentication services.

Other quality programs

iovation follows strict Quality Assurance processes for new products and services, and offers
Service Level Agreements (SLAs) which include 99.9% uptime as a part of all customer
agreements.

Other remarks
Clients

Main clients / references

NetSpend, Bazaarvoice, Intuit, CashStar, Aviva Insurance, New Era Tickets, AT&T Performing Arts
Center, SG North and hundreds more.

Future developments

For more information, please contact iovation at info@iovation.com

Company

Mitek (formerly IDChecker)
Mitek (NASDAQ: MITK) is a global leader in mobile capture and identity verification software solutions. Mitek's ID document verification and facial recognition allow an enterprise to verify a user's identity during a mobile transaction, enabling financial institutions, payments companies and other businesses operating in highly regulated markets to transact business safely while increasing revenue from the mobile channel. Mitek acquired IDChecker in June of 2015.

Website

www.miteksystems.com

Keywords for online profile

ID document verification, biometric authentication

Business model

Transaction model

Target market

Card issuers, acquirers, payment processors, government services, business services

Contact

sales@miteksystems.com

Geographical presence

Global

Active since

2004

Service provider type

Identity verification

Member of industry associations and initiatives

More information available upon request.

Services
Core services

Mobile capture, ID document verification and biometric authentication.

Other services

More information available upon request.

Unique selling points

Mobile ID verification bridges the gap between usability and security with mobile capture and ID
document verification. This boosts conversion rates, lowers onboarding costs and allows you to
safely and securely approve more good customers for mobile transactions.

Pricing model

Transaction based

Partners

Experian, Contego, Crif, Vix

Offering: authentication technology used
Technology used

SaaS

Authentication context
Online

Yes

Mobile

Yes

ATM

No

Branch/Point of Sale

Yes

Call Centre

No

Other:

Document Expert Examination

Issuing process (if applicable)
Assurance levels conformity

ISO 27001

Online issuing process (incl. lead time in working days)

N/A

Face-to-face issuing (incl. lead time in working days)

N/A

Issuing network

N/A

Attributes offered
Persons

ID document Verification including age verification

Companies

N/A

Reference data connectivity
Connectivity to governmental data

N/A

Other databases

N/A

Certification
Type

ISO 27001

Regulation

KYC

Other quality programs

N/A

Other remarks

N/A

Clients

Main clients / references

PayPal, GWK Travelex, Experian, Randstad Group

Future developments

N/A

Company

Perseuss
Perseuss is the global travel industry's own solution to the battle against fraud. Its flagship offering is an online shared negative database, recently updated to include email age verification and artificial intelligence. It also operates FraudChasers, an online forum for anti-fraud professionals. Perseuss plays a major role in cross-border police Action Days to apprehend fraudsters.

Website

www.perseuss.com

Keywords for online profile

fraud prevention, data sharing, collaboration, artificial intelligence, trusted platform, fraud data,
negative database, positive database

Business model

Subscription service

Target market

Airlines, online travel agents, rail companies, hotels, car rentals, gaming and gambling, other online
businesses

Contact

info@perseuss.com

Geographical presence

Global

Active since

2009

Service provider type

Technology vendor

Member of industry associations and/or initiatives

IATA

Services
Unique selling points

Perseuss is a secure community platform where merchants can legally share information about
fraud cases they have encountered. Each member has access to the common database containing
details of online purchases which were involved in either suspicious transactions or in confirmed
fraud. It allows each business to verify their own sales data to identify any suspicious transactions.

Core services

Data sharing platform including analysis, reporting, scoring and e-mail age verification.

Pricing Model

Please ask company for more information.

Fraud prevention partners

Please ask company for more information.

Other services

Please ask company for more information.

Third party connection

Accertify, ACI Universal Payments, Adyen, DataCash, Ingenico Payment Services, Wirecard,
Worldpay, Ypsilon

Technology: anti-fraud detection tools available
Address verifications services

No

CNP transactions

No

Card Verification Value (CVV)

No

Bin lookup

Yes

Geo-location Checks

No

Device Fingerprint

No

Payer Authentication

No

Velocity Rules / Purchase Limit Rules

No

White list/black list database:

Yes; watch list

KYC Know Your Customer

No

Credit Rating

No

Follow up action

No

Other

E-mail age verification, Social Media check

Authentication Context
Online

More information available upon request.

Mobile

More information available upon request.

ATM

More information available upon request.

POS

More information available upon request.

Call centre

More information available upon request.

Other

More information available upon request.

Reference Data connectivity
Connectivity to governmental data

No

Other databases

No

Fraud management system type
Single-channel fraud prevention system

More information available upon request.

Multi-channel fraud prevention system

More information available upon request.

Certification
Type

More information available upon request.

Regulation

More information available upon request.

Other quality programs

More information available upon request.

Other remarks

More information available upon request.

Clients

Main clients / references

Please ask company for more information.

Future developments

Please ask company for more information.

The global travel industry's own solution to the battle against fraud

How Perseuss members use the system in everyday operations

Company A (e.g. Travel Agent): Sees a suspect transaction, so checks the details against the Perseuss database. This shows two other instances of the same details used fraudulently. The analyst reviews the case, decides to decline the booking and adds the booking data to Perseuss.

Perseuss database: Travel companies upload fraudulent bookings data.

Company B (e.g. Airline): A few hours later, Company B has a match with one of the data elements uploaded by Company A. This uncovers a whole series of bookings that turn out to be fraud.

Contact Us
Perseuss
Schellingweg 17D
NL-1507 DR. Zaandam
The Netherlands
+31 75 653 94 04
info@perseuss.com

ALWAYS ONE STEP AHEAD OF THE FRAUDSTERS

Reduce fraud and grow profits with smarter fraud prevention from Risk Ident

BOOST CUSTOMER NUMBERS
REDUCE FALSE POSITIVES
ACCURATELY PINPOINT GENUINE FRAUD
IDENTIFY ACCOUNT TAKEOVERS
CUT AFFILIATE FRAUD
PREVENT IDENTITY FRAUD

We protect millions of transactions every week, so your customers can buy securely and with confidence.
Contact us today:
www.riskident.com | +44 (0) 203 668 3611 | contact@riskident.uk

RETAIL | TRAVEL | TELECOMS | PAYMENTS | FINANCIAL SERVICES | GAMING

Company

Risk Ident
Risk Ident offers anti-fraud solutions for companies within the ecommerce and financial sectors, empowering fraud managers with intelligence and self-learning machine technology to provide stronger fraud prevention. Risk Ident's team are experts in device fingerprinting and behavioural analytics, and its products are specifically tailored to comply with European data privacy regulations.

Website

http://riskident.com

Keywords for online profile

online fraud prevention, account takeover prevention, device identification, worldwide device pool, automatic fraud detection, fraud case processing, credit risk evaluation, credit scoring

Business model

Direct and through partners within the credit scoring industry.

Target market

Web merchants, financial institutions, payment services providers, online communities, gaming and
gambling, other online businesses

Contact

contact@riskident.com

Geographical presence

90% Europe, 10% international

Active since

2013

Service provider type

Technology vendor, web fraud detection company

Member of industry associations and/or initiatives

Merchant Risk Council

Services
Unique selling points

Risk Ident is a leading software developer for credit risk and fraud prevention tools. We are experts in applying trending algorithms and other machine learning components on different data feeds to identify consumer credit and fraud risks in ecommerce. We also offer our own device fingerprinting solution, specializing in recognition of mobile devices.

Core services

Fraud detection, credit scoring software and device fingerprinting services.

Pricing Model

Monthly fees per user (fraud and credit software) / per transaction (device fingerprinting)

Fraud prevention partners

Credit References Agencies: SCHUFA, CRIF

Other services

More information available upon request.

Third party connection

Yes

Technology: anti-fraud detection tools available
Address verifications services

Yes

CNP transactions

Yes

Card Verification Value (CVV)

Yes

Bin lookup

Yes

Geo-location Checks

Yes

Device Fingerprint

Yes

Payer Authentication

Yes

Velocity Rules / Purchase Limit Rules

Yes

White list/black list database:

Yes

KYC Know Your Customer

Yes

Credit Rating

Yes

Follow up action

Various

Other

More information available upon request.

Authentication Context
Online

Yes

Mobile

Yes

ATM

More information available upon request.

POS

(Yes)

Call centre

More information available upon request.

Other

More information available upon request.

Reference Data connectivity
Connectivity to governmental data

More information available upon request.

Other databases

Identity & Address Providers, Credit Scoring Providers

Fraud management system type
Single-channel fraud prevention system

Yes

Multi-channel fraud prevention system

Yes

Certification
Type

ISO 27001 Data Center

Regulation

More information available upon request.

Other quality programs

More information available upon request.

Other remarks

Full EU data privacy compliance

Clients

Main clients / references

Client lists for DE, CH, AT, UK, FR on request / Key investor Otto Group (#2 European online
merchant)

Future developments

Full credit and fraud risk service for online merchants and financial institutions.

Company

Signicat
Signicat is a secure identity cloud service provider with deep expertise in online electronic ID (e-ID), advanced electronic signatures and PKI solutions. It offers wide coverage of national and public e-IDs in Europe, accessible through one single point of integration. Signicat offers a secure and smooth integration for more than 150 customers across borders in industries like financial services, ecommerce and the public sector. The services are available cross-channel on multiple devices.

Website

www.signicat.com

Keywords for online profile

European e-IDs and eSignatures as a Service.

Business model

Cloud Services (SaaS)

Target market

Horizontal, with focus on financial services industry including card issuers and PSPs, telco and
government

Contact

Arne Vidar Haug, VP Bus Dev & Ole Christian Olssn, VP Sales

Geographical presence

Norway, Sweden, Denmark, Finland, the Netherlands, Estonia, Lithuania, Latvia, Spain

Active since

2007

Service provider type

E-identity service provider and eSignature services.

Member of industry associations and initiatives

Kantara Initiative, STORK 2.0, ePractice.eu, OSWALD

Services
Core services

Signicat offers customers access to a wide range of European national e-IDs and eSignature services including timestamping, long-term archiving and re-signing as a service. The company also provides issuing of IDs like password with SMS OTP and app-based Mobile ID in addition to single sign-on and identity services.

Other services

Secure Web Forms, Single Sign-On based on pure SAML 1/2, ready-made integration with IBM Tivoli, Java, .NET, SharePoint, Oracle IAM and WebCenter/UCM.

Unique selling points

Extend customer relationships, dialogue and self-service capabilities through our range of services. Connecting to available services through one standard interface (SAML 1/2 etc.) shortens time to market, improves ROI and offers customers the ability to focus on their core business.

Pricing model

One-time connection fee, plus a combination of monthly subscription and transaction fees.

Partners

Close relationships with ISVs, SIs, tech companies (IBM, Oracle, Microsoft) and Biznode among others. Plug-ins to SalesForce and SuperOffice among others.

Offering: authentication technology used
Technology used

Cloud-based services on industry-standard protocols like XML, SOAP, SAML and HTTP.

Authentication context
Online

Yes, through our own cloud service including eSignature.

Mobile

Yes, through our own cloud service including eSignature.

ATM

N/A

Branch/Point of Sale

Standardized interfaces available for integration.

Call Centre

Standardized interfaces available for integration.

Other:

Standardized interfaces available for integration for multiple services in need of authentication and
digital signatures.

Issuing process (if applicable)

Assurance levels conformity

N/A

Online issuing process (incl. lead time in working days)

Self-service process, issued in a minute. Establishment of the solution takes approx. 2-5 days.

Face-to-face issuing (incl. lead time in working days)

Face-to-face issuing is handled by the public or national eID issuer, depending on the country.

Issuing network

Online services like e-mail and SMS in addition to postal network, bank branches, notaries.


Attributes offered
Persons

Name, address, SSN, birthplace, age, country, etc. The information available depends on the
e-ID used.

Companies

Name, address, company registration no. (where applicable), procurists, signatory rights

Reference data connectivity

Connectivity to governmental data

Citizens public register, company register

Other databases

Commercial attribute providers, e.g. credit databases

Certification
Type

ISA 3000 revision on ISO 27001 Information Security Policy in progress.

Regulation

EU Signature Directive, ETSI in addition to the national directives for countries in Europe based on
the EU Directive.

Other quality programs

OWASP, ETSI

Other remarks

Winner of IDDY (Identity Deployment of the Year)-award 2009.

Clients

Main clients / references

Norwegian Post, SEB, If, Santander, Nykredit, Bank Norwegian and Norwegian Educational State
Fund among others.

Future developments

Continued support for new e-IDs in Europe, including enhancements to signature solutions, for
example the German nPA, Dutch eHerkenning and Swiss SwissID.

Company

Socure
Socure is the leader in digital identity verification. By applying machine-learning techniques
with biometrics and intelligence from e-mail, phone, IP, online/offline and social media data,
Socure bolsters fraud prevention and KYC/OFAC compliance programs for enterprises conducting
business in over 180 countries, helping them to combat identity fraud, prevent account takeover,
and increase consumer acceptance.

Website

www.socure.com

Keywords for online profile

identity verification, biometrics, fraud risk mitigation, KYC compliance, AML, OFAC, technology

Business model

Subscription-based SaaS

Target market

Financial institutions

Contact

info@socure.com +1.866.932.9013

Geographical presence

Headquarters in New York City, used in over 180 countries worldwide

Active since

2012

Service provider type

Digital identity service provider, technology vendor, web fraud detection company

Member of industry associations and/or initiatives

ETA, BAI, MRC, Safe Harbor certified

Services
Unique selling points

Patented technology that uniquely blends trusted email, phone, online and offline data, including
social media network data and facial recognition. Ability to resolve identities across a broad
population using alternative data and to provide fraud risk estimation; easily integrates into
existing processes. The technology is adaptive machine learning, in which the model learns from
false positives and improves its predictive power over time, both globally and on a per-client basis.

Core services

Socure provides identity verification services, fraud risk mitigation, CIP/KYC program compliance,
financial inclusion, and facial biometrics for transaction verification.

Pricing Model

Annual subscription, billed per API call.

Fraud prevention partners

Feedzai, Zoot, Sphonic

Other services

Transaction authentication, facial recognition, biometric identification

Third party connection

More information available upon request.

Technology: anti-fraud detection tools available

Address verification services

Yes

CNP transactions

Yes

Card Verification Value (CVV)

No

Bin lookup

No

Geo-location Checks

Yes

Device Fingerprint

Yes

Payer Authentication

Yes

Velocity Rules / Purchase Limit Rules

No

White list/black list database:

Yes

KYC Know Your Customer

Yes

Credit Rating

No

Follow up action

Additional authentication (out of band authentication) and transaction verification capabilities.

Other

OFAC checks

Authentication Context
Online

Yes

Mobile

Yes

ATM

No

POS

Yes


Call centre

No

Other

More information available upon request.

Reference data connectivity

Connectivity to governmental data

Customizable

Other databases

Commercial attribute providers, e.g. credit databases

Fraud management system type

Single-channel fraud prevention system

Yes

Multi-channel fraud prevention system

Yes

Certification
Type

US/EU Safe Harbor, US SOC-2 (imminent)

Regulation

KYC, CIP, AML, OFAC

Other quality programs

Privacy compliance

Other remarks

More information available upon request.

Clients

Main clients / references

More information available upon request.

Future developments

More information available upon request.

Company

Wirecard AG
Wirecard AG is one of the world's leading independent providers of outsourcing and white-label
solutions for electronic payment transactions. Wirecard's global multi-channel platform bundles
international payment acceptance, payment methods and fraud prevention. Wirecard provides companies
with an end-to-end infrastructure for issuing products, including the requisite licenses for card and
account products.

Website

www.wirecard.com

Keywords for online profile

ecommerce, mobile payment, risk management, acquiring, issuing, credit cards, online banking,
POS payment processing

Business model

Please contact Wirecard for more information.

Target market

Online shoppers, financial institutions, payment services providers, government services, online
communities/web merchants, gaming and gambling, other online businesses

Contact

sales@wirecard.com | +49 89 4424 1400

Geographical presence

Europe, Middle East/Africa, Asia/Pacific

Active since

1999

Service provider type

Digital identity service provider, technology vendor, web fraud detection company, payment service
provider (PSP), issuer, acquirer

Member of industry associations and/or initiatives

Please contact Wirecard for more information.

Services
Unique selling points

Industry-specific and customizable fraud prevention models; continuous improvement of fraud
prevention models based on direct access to the fraud notifications of issuing banks; checking of all
transactions per merchant on every sales channel (eCom, mobile/mPOS, MOTO, POS + BSP/ATO/
CTO for airlines) thanks to close technical integration with Wirecard Bank as acquirer.

Core services

Fraud prevention for card payments and alternative payment methods, credit scoring, decision
logics for credit limit calculation, transaction checks, merchant monitoring

Pricing Model

Flexible pricing models, depending on requirements and volumes.

Fraud prevention partners

Wirecard is integrated into multiple third party fraud prevention partners.

Other services

Fraud analytics for customers, international address verification

Third party connection

Providers of negative databases, credit agencies, international phone number verification

Technology: anti-fraud detection tools available

Address verification services

Yes

CNP transactions

Yes

Card Verification Value (CVV)

Yes

Bin lookup

Yes

Geo-location Checks

Yes

Device Fingerprint

Yes

Payer Authentication

Yes

Velocity Rules / Purchase Limit Rules

Yes

White list/black list database:

Yes

KYC Know Your Customer

Yes

Credit Rating

Yes

Follow up action

Additional authentication (out of band authentication) and transaction verification capabilities.

Other

Fraud Prevention Suite with detailed Business Intelligence tools, 3D-Secure, CUP-Secure, Trust
Evaluation Suite


Authentication Context
Online

Yes

Mobile

Yes

ATM

Yes

POS

Yes

Call centre

Yes

Other

Industry-specific sales channels, e.g. BSP/ATO/CTO for airlines, mPOS

Reference data connectivity

Connectivity to governmental data

Sanction lists, e.g. EG 2580/2001, EG 881/2002, US DPL, US SDN, US entity list

Other databases

Commercial attribute providers, e.g. credit databases, PEP screening

Fraud management system type

Single-channel fraud prevention system

Yes

Multi-channel fraud prevention system

Yes

Certification
Type

e.g. PCI-DSS certified; for more information please contact Wirecard.

Regulation

KYC (KWG 24c), Anti-Money Laundering (AML)

Other quality programs

N/A

Other remarks

N/A

Clients

Main clients / references

More than 20,000 merchants from various industries.

Future developments

Not to be disclosed.

Glossary
A

Account takeover

A form of identity theft where a criminal gains complete control of a consumer's account, such as by obtaining the PIN or changing the statement mailing address.

Account Creation Fraud

Using stolen, compromised or synthetic identities, typically through a spoofed location, to create a new account to access online services or obtain lines of credit.

Account Login Fraud

Attacks targeted at taking over user accounts using previously stolen credentials available in the wild or credentials compromised by malware or Man-in-the-Middle attacks.

Address Verification System (AVS)

A system used to verify the address of a person claiming to own a credit card. The system checks the billing address of the credit card provided by the user against the address on file at the credit card company. Other security features for the credit card include the CVV2 number.

Anti-Money Laundering (AML)

Procedures, laws or regulations designed to stop the practice of making money that comes from illegal sources look like it came from legitimate sources. The sum of legal controls that require financial institutions and other regulated entities to prevent, detect and report money laundering activities.

Application fraud

A form of identity theft where a criminal uses the user's personal information to open new accounts and applications without his/her knowledge.

ATM fraud

Fraud related to ATM card accounts where a card is used to withdraw funds from a consumer's account using a PIN-based transaction at an ATM.

Authentication

The methods used to verify the origin of a message or to verify the identity of a participant connected to a system, and to confirm that a message has not been modified or replaced in transit.

Authorization

The function of specifying access rights to resources; related to information security and computer security in general and to access control in particular.

Bank Identification Numbers (BIN)

The first four to six digits on a credit card, which can be used to identify the issuing bank that issued the card. BINs are traditionally used by online merchants as a way to detect fraud by matching the geographic area where the cardholder is located to the geographic area identified in the Bank Identification Number.

Big Data

Large data sets that may be analysed computationally to reveal patterns, trends, and associations relating to human behaviour and interactions. By developing predictive models based on both historical and real-time data, companies can identify suspected fraudulent claims in the early stages.

Biometrics

The use of a computer user's unique physical characteristics, such as fingerprints, voice and retina, to identify that user.

Biometric Data

A general term used to refer to any computer data that is created during a biometric process. This includes samples, models, fingerprints, similarity scores and all verification or identification data, excluding the individual's name and demographics.

Biometric Verification

Any means by which a person can be either a) identified or b) verified (authenticated) by evaluating one or more distinguishing biological traits. An identification system (e.g. AFIS) consists of the original trait and a database of stored traits, and compares a sample against them for close matches.

BYOD

Bring your own device (BYOD) is an IT policy where employees are allowed or encouraged to use their personal mobile devices and, increasingly, notebook PCs to access enterprise data and systems.

Card Capture Device

A device inserted into an ATM card slot which captures the data contained on the card.

Cardholder-not-present fraud

Using stolen cards or card details and personal information, a fraudster purchases goods or services remotely: online, by telephone or by mail order.

Change of address fraud

Occurs when the fraudster obtains details of a genuine customer's account and then contacts the business to advise that he has changed address. This is usually accompanied or followed by a request for items of value, such as a chequebook, debit card or statement of account, to be sent to the bogus new address. A false change of address is used to facilitate previous address fraud and account/facility takeover fraud.

Chargeback

A chargeback occurs when a credit cardholder contacts their card-issuing bank to initiate a refund for a purchase made on their credit card. Chargebacks are generally the result of a cardholder changing their mind, being dissatisfied with their purchase, or a case of fraud. The fraud can result from the unauthorized use of their credit card (stolen card) or from the cardholder purposely seeking to dispute a legitimate purchase they made (see delivery and returns fraud).

Consumer authentication

The term used to describe tools intended to verify that the person making the transaction is actually the person authorized to do so, in both in-person and Card-Not-Present transactions.

Cookie

A small data file that is automatically stored on a user's computer for record-keeping purposes. It contains information about the user in relation to a particular website, such as their username and preferences.

Credential

Data issued to an individual by a third party with a relevant authority or assumed competence to do so, which is presented to provide evidence of a claim. A credential is a piece of information asserting the integrity of certain stated facts.

Credit card fraud

Fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft.

Crimeware Tools

Crimeware refers to malware specifically designed to automate cybercrime. These tools help fraudsters create, customize and distribute malware to perpetrate identity theft through social engineering or technical stealth.

Criminal organisation

A group of individuals who collude together to commit fraud.

Counterfeiting

The fraudulent reproduction of original documents/instruments in a manner that enables the fraudster to pass them off as genuine/original items.

Cybercrime (cyber fraud)

The term encompasses criminal actions that target computer, internet or network utility, damaging functionality or infiltrating systems and processes. Specifically, cybercrime can include malware, spyware, phishing, pharming, viruses and worms.

Cryptography

Protecting information or hiding its meaning by converting it into a secret code before sending it out over a public network.

Data breach

Unintentional release of secure information to an untrusted environment.

Data capture

The action or process of gathering data, especially from an automatic device, control system, or sensor.

Delivery and returns fraud

The act of defrauding a store via the return process. Delivery and return fraud (also known as friendly fraud) involves legitimate customers using valid payment cards and is akin to electronic.

Device ID

The unique serial number or fingerprint that a particular device has embedded in it. It can be the combination of several components (e.g. CPU + graphics card) and can include a threshold (i.e. less than 100% matching) to allow for partial upgrades, such as with the iPass (proprietary) solution.

Device Spoofing

Hackers delete and change browser settings in order to change their device identity or fingerprint, or attempt to appear to come from a victim's device. Cookieless device identification is able to detect returning visitors even when cookies are deleted or changes are made to browser settings.

Debit card fraud

Fraud related to debit card accounts where a card is used to withdraw funds from a consumer's account.

Denial of Service Attack

An attack on a computer system or network that causes a loss of service to users. A network of computers is used to bombard and overwhelm another network of computers with the intention of causing the server to crash. A Distributed Denial of Service (DDoS) attack relies on brute force by using attacks from multiple computers. These attacks can be used to extort money from the businesses targeted.

Detection rate

The amount of fraud detected by a fraud prevention system at a given level of account reviews.

Digital Identity

A collection of identity attributes; an identity in an electronic form (e.g. electronic identity).

Dual-Factor Identification Rules

Requirement that banks implement another type of password in addition to the standard username and password combination. Many banks present a picture that the consumer chooses in addition to their password in order to recognize the bank.

E-ID services

Services for entity authentication and signing data.

Electronic data interchange (EDI)

An electronic communication method that provides standards for exchanging data. By adhering to the same standard, companies that use EDI can transfer data from one branch to another and even across the world.

Encryption

The process of converting data into cipher text to prevent it from being understood by an unauthorized party.

End-to-end encryption

Uninterrupted protection of the integrity and confidentiality of transmitted data by encoding it at the start and decoding it at the end of the transaction.

Endpoint authentication

A security system that verifies the identity of a remotely connected device (and its user), such as a PDA or laptop, before allowing access to enterprise network resources or data.

EMV

EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point-of-sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.

Fraud prevention

Pro-active steps taken by a company to insure itself against fraudulent activity. This is usually in the form of enacted policies, systems and controls in place to detect and monitor for fraudulent activity, and communications to employees that instill ethical behavior.

False Positive

The amount of good or true accounts flagged by the fraud prevention system as fraudulent.

Firewall

Computer hardware or software designed to prevent unauthorised access to the system via the internet.

Fraud detection

A rule-based, image-enabled suite of products that offers a variety of fraud detection capabilities at the point of presentment, used to prevent or mitigate losses associated with deposit and payment fraud.

Federated identity

A single user identity that can be used to access a group of websites bound by the ties of federation. Without federated identity, users are forced to manage different credentials for every site they use. This collection of IDs and passwords becomes difficult to manage and control over time, offering inroads for identity theft.

Fingerprint recognition

Biometric modality that uses the physical structure of the user's fingerprint for recognition. In most fingerprint recognition processes the biometric samples are compressed into minutiae points that reduce the size of the data and accelerate the process.

First-party fraud

Fraud committed against a financial institution by one of its own customers.

Forgery

The process of making or adapting documents, such as checks, with the intent to deceive.

Face recognition

Biometric modality that uses an image of the visible physical structure of an individual's face for recognition purposes.

Fraud screening

A checking system that identifies potentially fraudulent transactions. Fraud screening helps reduce fraudulent credit card transactions, reducing the need for manual reviews, minimizing bad sales and improving a company's bottom line.

Friendly fraud

When a consumer (or someone with access to a credit card) makes a purchase and then initiates a chargeback, saying they did not make the purchase and/or did not receive the goods or services.

Geo Location Detection

Set of diverse and ideally automated tests which help fraud protection solutions assess the risk of fraud involved in a specific order passing through a merchant's website. These tests might include IP to Zip Code, IP to Billing Address, High IP Cross Referencing, IP Geo Location & Proxy Detection, and NPA NXX Area Code Web Service.

Geographical IP Detector (GID)

A web shop or a fraud protection solution equipped with a GID can easily locate the real physical (geographical) location of the device by tracking the IP address.

Ghost terminal

Skimming device where a fake ATM touch pad and reader are placed over a legitimate ATM. The reader obtains card information and PIN, but will not process the transaction since the legitimate ATM does not function.

Global Address Verification Directories

This feature enables fraud protection solutions to compare the address introduced by the visitor with the existing address, detecting any fake data. It also helps emerchants keep their customers easily reachable.

Hacker

A person who uses computers to gain unauthorized access to data, or a person who seeks and exploits weaknesses in a computer system or network.

Hash function

A function that can be used to map digital data of arbitrary size to digital data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. With Bitcoin, a cryptographic hash function takes input data of any size and transforms it into a compact string.

Host Card Emulation (HCE)

On-device technology that permits a phone to perform card emulation on an NFC-enabled device. With HCE, critical payment credentials are stored in a secure shared repository (the issuer data center or private cloud) rather than on the phone. Limited-use credentials are delivered to the phone in advance to enable contactless transactions to take place.

Identity

The fact of being what an entity (person or a thing) is, and the characteristics determining this. It is a collection of attributes.

Identity of Things (IDoT)

An area of endeavor that involves assigning unique identifiers (UID) with associated metadata to devices and objects (things), enabling them to connect and communicate effectively with other entities over the internet.

Identity provider

A service provider that creates, maintains and manages identity information for principals and may provide user authentication to service providers (e.g. within a federation).

Identity Spoofing

Using a stolen identity, credit card or compromised username/password combination to attempt fraud or account takeover. Typically, identity spoofing is detected based on high velocity of identity usage for a given device, detecting the same device accessing multiple unrelated user accounts or unusual identity linkages and usage.

Identity theft

Identity theft happens when fraudsters access enough information about someone's identity (such as their name, date of birth, current or previous addresses) to commit identity fraud. Identity theft can take place whether the fraud victim is alive or deceased.

Identity Provider

Also known as Identity Assertion Provider, it is an authentication module which verifies a security token as an alternative to explicitly authenticating a user within a security realm.

InfoSec (information security)

The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Interchange fees

The interchange fee, also called the discount rate or swipe fee, is the sum paid by merchants to the credit card processor as a fee for accepting credit cards. The amount of the rate will vary depending on the type of transaction, but averages about 2% of the purchase amount. The interchange fee is typically higher for online purchases than for in-person purchases, because in the latter the card is physically present and available for inspection.

Internet of Things (IoT)

The network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other internet-enabled devices and systems.

Interoperability

A situation in which payment instruments belonging to a given scheme may be used in other countries and in systems installed by other schemes. Interoperability requires technical compatibility between systems, but can only take effect where commercial agreements have been concluded between the schemes concerned.

Internet fraud

An illegal activity wherein a person in possession of the internet banking details of another person impersonates them to use their funds.
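
The Device ID entry describes fingerprint matching with a threshold below 100% so that a partial hardware upgrade still recognises the device, and the Identity Spoofing entry describes detection by the velocity of identity usage on one device. The following is an added example of both checks, written for this guide and not taken from any vendor profiled here; the component names, weights, window size, account limit and sample sessions are constructed assumptions.

```python
"""Fuzzy device-fingerprint matching and identity-velocity detection.

Added illustration: component names, weights, thresholds and the sample
sessions below are constructed assumptions, not any vendor's scheme.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Weighted fingerprint components. A partial hardware upgrade changes one or
# two of them, so a match threshold below 100% still recognises the device.
COMPONENT_WEIGHTS = {
    "cpu": 2.0,
    "gpu": 1.5,
    "os": 1.0,
    "browser": 1.0,
    "screen": 1.0,
    "timezone": 0.5,
    "fonts_hash": 1.0,
}


def fingerprint_similarity(stored: dict, observed: dict) -> float:
    """Weighted fraction (0.0..1.0) of components that agree between two fingerprints."""
    total = sum(COMPONENT_WEIGHTS.values())
    agree = sum(w for name, w in COMPONENT_WEIGHTS.items()
                if stored.get(name) is not None and stored.get(name) == observed.get(name))
    return agree / total


def is_same_device(stored: dict, observed: dict, threshold: float = 0.8) -> bool:
    """True when the weighted match score reaches the (sub-100%) threshold."""
    return fingerprint_similarity(stored, observed) >= threshold


def identity_velocity_alerts(sessions, window=timedelta(hours=24), max_accounts=3):
    """Flag devices that log into more than `max_accounts` distinct accounts
    within any `window`-long period.

    `sessions` is an iterable of (timestamp, device_id, account_id) tuples in
    any order; returns {device_id: distinct_accounts_seen_in_window}."""
    by_device = defaultdict(list)
    for ts, device, account in sessions:
        by_device[device].append((ts, account))
    alerts = {}
    for device, events in by_device.items():
        events.sort()                      # oldest first
        for i, (start, _) in enumerate(events):
            accounts = {acct for ts, acct in events[i:] if ts - start <= window}
            if len(accounts) > max_accounts:
                alerts[device] = len(accounts)
                break
    return alerts


# Constructed sample data (assumptions for the illustration).
STORED_FP = {"cpu": "i7-4790", "gpu": "GTX970", "os": "Win10", "browser": "Chrome/46",
             "screen": "1920x1080", "timezone": "UTC+1", "fonts_hash": "a1b2"}
UPGRADED_GPU = dict(STORED_FP, gpu="GTX1070")   # one component changed: still the same device
DIFFERENT_BOX = dict(STORED_FP, cpu="Ryzen", gpu="RX480", os="Linux", fonts_hash="ffff")

T0 = datetime(2015, 12, 1, 9, 0)
SAMPLE_SESSIONS = [
    (T0, "dev-A", "alice"),
    (T0 + timedelta(hours=1), "dev-A", "alice"),
    (T0 + timedelta(hours=2), "dev-B", "bob"),     # dev-B touches four unrelated
    (T0 + timedelta(hours=3), "dev-B", "carol"),   # accounts within 24 hours
    (T0 + timedelta(hours=4), "dev-B", "dave"),
    (T0 + timedelta(hours=5), "dev-B", "erin"),
    (T0 + timedelta(days=3), "dev-B", "frank"),    # outside the window
]

if __name__ == "__main__":
    print("upgraded GPU same device:", is_same_device(STORED_FP, UPGRADED_GPU))
    print("different box same device:", is_same_device(STORED_FP, DIFFERENT_BOX))
    print("velocity alerts:", identity_velocity_alerts(SAMPLE_SESSIONS))
```

With these weights the GPU swap scores 6.5/8 and passes the 0.8 threshold, while the rebuilt machine scores 2.5/8 and is treated as new; the velocity check reports dev-B because four distinct accounts fall inside one 24-hour window, and the fifth account three days later does not extend that count.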

IP Address Spoofing

Cybercriminals use proxies to bypass traditional IP geolocation filters, and use IP spoofing techniques to evade velocity filters and blacklists. ThreatMetrix directly detects IP spoofing via both active and passive browser and network packet fingerprinting techniques.

Key Stroke Logger

Hardware or software that records the keystrokes and mouse movements made on a particular computer. Hardware loggers can be placed by dishonest staff or unauthorised visitors. Software loggers can be installed in the same way, or more usually by malicious email or malware. Authorised key loggers may be used in order to facilitate an audit trail.

Know Your Customer (KYC)

The term refers to due diligence activities that financial institutions and other regulated companies must perform to ascertain relevant information from their clients for the purpose of doing business with them. Know your customer policies are becoming increasingly important globally to prevent identity theft, financial fraud, money laundering and terrorist financing.

Level of assurance (LoA)

A quality indicator for digital identity. It describes four identity authentication assurance levels for e-government transactions. Each assurance level describes the agency's degree of certainty that the user has presented an identifier (a credential in this context) that refers to his or her identity. In this context, assurance is defined as the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

Machine learning

An artificial intelligence (AI) discipline geared toward the technological development of human knowledge. Machine learning allows computers to handle new situations via analysis, self-training, observation and experience.

Malware

Malware, or malicious software, is software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content and other software.

Man-in-the-browser

A form of internet threat related to man-in-the-middle (MITM); a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host web application.

Man-in-the-middle

In cryptography and computer security, a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Mail Order Telephone Order (MOTO)

MOTO accounts are required when more than 30% of credit cards cannot be physically swiped. Merchants that have a MOTO merchant account usually process credit card payments by entering the credit card information directly into a terminal that contains a keypad, by using terminal software installed on a personal computer, or by using a virtual terminal that allows the merchant to use a normal web browser to process transactions on a payment service provider's website.

Money laundering

The process of concealing the source of money obtained by illicit means. The methods by which money may be laundered are varied and can range in sophistication. Many regulatory and governmental authorities quote estimates each year for the amount of money laundered, either worldwide or within their national economy.

Multi-factor authentication

An approach to security authentication which requires that the user of a system provide more than one form of verification in order to prove their identity and allow access to the system. Multi-factor authentication takes advantage of a combination of several factors of authentication; the three major factors include verification by something a user knows (such as a password), something the user has (such as a smart card or a security token), and something the user is (such as the use of biometrics).

One-time password

A password that can be used only once, usually randomly generated by special software.

Online fraud

Any kind of fraudulent and/or criminal activity which is carried out via online services such as email, messaging applications or websites. The most common forms of online fraud affecting emerchants are chargebacks, identity theft and credit card fraud.

Online fraudster

A person who commits fraud online, especially in business dealings.

OpenID

An open standard that describes how users can be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Users may create accounts with their preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication.

Password

A word or other collection of characters used for authentication. It serves as a security device to gain access to a resource.

PA DSS

Also known as Payment Application Data Security Standard, it is a system designed by the Payment Card Industry Security Standards Council and adopted worldwide. This system prevents third-party payment applications from storing prohibited secured data.

Payment Card Industry Data Security Standard (PCI-DSS)

A mandatory set of rules and regulations created to reduce credit card fraud. PCI compliance currently has six objectives: to build and maintain a secure network, to protect cardholder data, to maintain a vulnerability management program, to implement strong access control measures, to regularly monitor and test networks, and to maintain an information security policy. The PCI requirements have been developed by the PCI Security Standards Council, which includes American Express, Discover, JCB International, MasterCard and Visa.

Pharming

Occurs when a divert is set up from a company's real website, without their knowledge, to a bogus website. When customers attempt to access the real website, the fraudsters gather customers' account details and passwords, which can then be used to facilitate frauds.

Phishing

A method which allows criminals to gain access to sensitive information (like usernames or passwords). It is a method of social engineering. Very often, phishing is done by electronic mail. This mail appears to come from a bank or other service provider. It usually says that because of some change in the system, the users need to re-enter their usernames/passwords to confirm them. The emails usually have a link to a page which is similar to the one of the real bank.

PIN

A numeric code that is used as confirmation to finish a transaction via payment card. The PIN is used by entering it into a keypad, which grants authorisation.

Public Key Infrastructure (PKI)

The infrastructure needed to support the use of digital certificates. It includes Registration Authorities, Certificate Authorities, relying parties, servers, PKCS and OCSP protocols, validation services and revocation lists. Uses include secure e-mail, file transfer, document management services, remote access, web-based transactions, services, non-repudiation, wireless networks and virtual private networks, corporate networks, encryption, and ecommerce.

116
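The Multi-factor authentication and One-time password entries above describe the factors but not how a one-time code is produced or checked. The following is an added example, not code from this guide or from any vendor it covers: a standard-library Python implementation of RFC 4226 HOTP and RFC 6238 TOTP, combined with a salted password hash into a two-factor login that also rejects replay of an already-accepted code. The secret is the RFC test-vector secret and the user record, salt and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 (HOTP) and RFC 6238 (TOTP) with the standard library only.
# DEMO_SECRET is the RFC test-vector secret, so the codes can be checked
# against the published tables; a real deployment provisions a random
# per-user secret (e.g. secrets.token_bytes(20)) and stores it encrypted.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter taken from the Unix time in 30 s steps."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used: int = -1) -> Optional[int]:
    """Return the counter the code matched, or None.

    Codes for the current step and +/- `window` neighbouring steps are
    accepted to tolerate clock drift. A counter at or below `last_used`
    is rejected so a code that was already accepted cannot be replayed
    inside the window. Comparison is constant-time, and every candidate
    step is checked rather than returning early, so response time does
    not reveal which step (if any) matched.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    matched = None
    for drift in range(-window, window + 1):
        c = counter + drift
        if c < 0:
            continue
        expected = hotp(secret, c, digits).encode()
        if hmac.compare_digest(expected, candidate.encode()) and c > last_used:
            matched = c
    return matched


# Constructed demo user record (assumption: a real system loads this from
# its user store). The knowledge factor is a salted PBKDF2 hash; the
# possession factor is the TOTP secret plus the last counter accepted.
SALT = b"constructed-demo-salt"
PBKDF2_ROUNDS = 100_000
DEMO_USER = {
    "password_hash": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", SALT, PBKDF2_ROUNDS),
    "totp_secret": DEMO_SECRET,
    "last_totp_counter": -1,
}


def login(user: dict, password: str, code: str,
          at_time: Optional[float] = None) -> bool:
    """Two factors, both required: something known and something possessed."""
    knows = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS),
        user["password_hash"])
    matched = verify_totp(user["totp_secret"], code, at_time,
                          last_used=user["last_totp_counter"])
    # Both factors are evaluated before deciding so a wrong password does
    # not short-circuit and reveal, via response time, which factor failed.
    if knows and matched is not None:
        user["last_totp_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(DEMO_SECRET, 0))
    print("TOTP at t=59    =", totp(DEMO_SECRET, at_time=59))
    print("login ok:", login(DEMO_USER, "correct horse battery staple",
                             totp(DEMO_SECRET, at_time=59), at_time=59))
```

The verifier still needs rate limiting on failed attempts: a six-digit code inside a three-step window is guessable by brute force if an attacker may try thousands of codes.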

WEB FRAUD PREVENTION, ONLINE SECURITY & DIGITAL IDENTITY MARKET GUIDE 2014 / 2015

Point-to-point encryption (P2PE)
A solution that encrypts card data from the entry point of a merchant's point-of-sale (POS) device to a point of secure decryption outside the merchant's environment, such as a payment processor like TSYS Acquiring Solutions. The purpose of P2PE is to address the risk of unauthorised interception of cardholder data in motion during transmission from the POS terminal to the payment processor.

Privacy
Privacy is the ability of a person to control the availability of information about, and exposure of, himself or herself. It is related to being able to function in society anonymously (including pseudonymous or blind credential identification).

Proofing
Identity proofing is a common term used to describe the act of verifying a person's identity, as in verifying the proof of an ID. Other terms for this process include identity verification and identity vetting.

Real-time risk management
A process which allows the risk associated with payments between payment system participants to be managed immediately and continuously.

Relying party (RP)
A website or application that wants to verify the end-user's identifier. Other terms for this party include "service provider" or the now obsolete "consumer".

Retail loss prevention
A set of practices employed by retail companies to reduce and deter losses from theft and fraud, colloquially known as "shrink reduction".

Risk assessment
The process of studying the vulnerabilities of, threats to, and likelihood of attacks on a computer system or network.

Risk-Based Authentication
Risk-based authentication uses multiple factors to determine whether or not a person is who they claim to be online. Typically, this technique combines the traditional username and password with who the user is, where they are logging in from and what kind of device they are using. Historical data is also used, including attributes of the session as well as the user's behaviour and transaction patterns.

Smart card
An access card that contains encoded information used to identify the user.

Secure element
A tamper-resistant smart card chip capable of hosting smart card-grade applications with the required level of security and features. In the NFC architecture, the secure element hosts the contactless and NFC-related applications and is connected to the NFC chip, which acts as the contactless front end. The secure element can be integrated in various form factors: a SIM card, embedded in the handset, or an SD card.

Security
In ecommerce terms, security is ensuring that transactions are not open to fraud. In ecommerce systems, security protocols protect the consumer, the merchant and the bank from hackers and fraudsters.

Security threat and risk assessment
A method that identifies general business and security risks for the purpose of determining the adequacy of the security controls of a service and mitigating those risks.

Security token (authentication token)
A small hardware device that the owner carries to authorise access to a network service. The device may take the form of a smart card or may be embedded in a commonly used object such as a key fob.
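As an added example of the Risk-Based Authentication entry above (this is illustration code, not from the guide or from any vendor it covers): a Python scorer that compares a login attempt with the user's recorded devices, countries and active hours, adds a velocity signal, and decides between allow, step-up and deny. The signal weights, the thresholds and the user history are assumptions made for the demonstration; a production system tunes them from labelled fraud data.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class LoginAttempt:
    """Signals observed for one login: who, where from, on what, when."""
    user: str
    ip_country: str
    device_id: str
    hour_utc: int            # hour of day, 0-23
    failures_last_10min: int = 0


@dataclass
class UserProfile:
    """History the system has accumulated for the user (constructed here)."""
    countries: Set[str]
    devices: Set[str]
    active_hours: Set[int]


# Weights and thresholds are assumptions for illustration.
WEIGHTS = {
    "unknown device": 30,
    "unseen country": 40,
    "unusual hour": 15,
    "burst of failures": 30,
}
STEP_UP_AT = 30   # at or above: demand a second factor
DENY_AT = 80      # at or above: refuse outright


def risk_score(attempt: LoginAttempt,
               profile: UserProfile) -> Tuple[int, List[str]]:
    """Sum the weights of every signal that deviates from the user's history.

    The reasons are returned alongside the score so the decision can be
    logged and explained to an analyst afterwards.
    """
    reasons = []
    if attempt.device_id not in profile.devices:
        reasons.append("unknown device")
    if attempt.ip_country not in profile.countries:
        reasons.append("unseen country")
    if attempt.hour_utc not in profile.active_hours:
        reasons.append("unusual hour")
    if attempt.failures_last_10min >= 3:
        reasons.append("burst of failures")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt: LoginAttempt, profile: UserProfile) -> str:
    """Map the score to an action: allow, step_up (second factor) or deny."""
    score, _ = risk_score(attempt, profile)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def record_success(attempt: LoginAttempt, profile: UserProfile) -> None:
    """After the user passes (including a step-up challenge), learn the
    device and country so the same context scores low next time."""
    profile.devices.add(attempt.device_id)
    profile.countries.add(attempt.ip_country)


if __name__ == "__main__":
    # Constructed history: one laptop, always from NL, daytime hours.
    alice = UserProfile(countries={"NL"}, devices={"laptop-1"},
                        active_hours=set(range(7, 23)))
    for attempt in (
        LoginAttempt("alice", "NL", "laptop-1", 10),
        LoginAttempt("alice", "NL", "phone-9", 10),
        LoginAttempt("alice", "BR", "phone-9", 3),
    ):
        print(attempt.ip_country, attempt.device_id, attempt.hour_utc,
              "->", risk_score(attempt, alice), decide(attempt, alice))
```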

Skimming
Card skimming is the illegal copying of information from the magnetic stripe of a credit or ATM card. Unlike phishing, the data is captured directly from the card rather than obtained from the cardholder. In biometrics and ID, it can refer to obtaining a sample from an unknowing end user who has not consented to submit it at that time.

Social engineering
Manipulating people so that they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick people into giving up their passwords or bank information, or into granting access to their computer so that malicious software can be secretly installed, which gives the criminals access to passwords and bank information as well as control over the computer.

Social Security Fraud
Occurs when a fraudster uses a person's Social Security Number in order to obtain other personal information. An example would be applying for more credit in that person's name and not paying the bills.

Spear Phishing
A phishing e-mail that looks as if it came from someone the user knows. Typically the e-mail contains a file that, when opened, will infect the computer with a bot or a key logger.

Spoofs
Various scams in which fraudsters attempt to gather personal information directly from unwitting individuals. The methods can include letters, telephone calls, canvassing, websites, e-mails or street surveys.

3DSecure
3D Secure (3DS) is the program jointly developed by Visa and MasterCard to combat online credit card fraud. Cardholders enter their password to verify their identity whenever they make an online purchase. E-merchants willing to offer this security service to their customers must be registered as a participating merchant in the program. Only cardholders enrolled in Verified by Visa or MasterCard SecureCode can actually be asked to verify their data when purchasing online.

Threat
A threat consists of an adverse action performed by a threat agent on an asset. Examples of threats are:
a hacker (with substantial expertise, standard equipment, and being paid to do so) remotely copying confidential files from a company network or from a card;
a worm seriously degrading the performance of a wide-area network;
a system administrator violating user privacy;
someone on the internet listening in on confidential electronic communication.

Third-party fraud
Fraud committed against an individual by an unrelated or unknown third party.

Third-party
A security authority trusted by other entities with respect to security-related activities.

Token
Any hardware or software that contains credentials related to attributes. Tokens may take any form, ranging from a digital data set to smart cards or mobile phones. Tokens can be used both for data/entity authentication (authentication tokens) and for authorisation purposes (authorisation tokens).

Tokenization
The process of substituting sensitive data with a non-sensitive surrogate value (the token) that has no exploitable meaning on its own and cannot be mapped back to the original data without access to the tokenization system. In the payment card industry, tokenization is one means of protecting sensitive cardholder PII in order to comply with industry standards and government regulations. The technology is meant to prevent the theft of credit card information in storage: a database of tokens is of no use to an attacker who does not also control the token vault.

Trust
The firm belief in the competence of an entity to act dependably, securely and reliably within a specified context.
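The Tokenization entry above turns on one property: the token must reveal nothing about the card number, and only the tokenization system can reverse it. The following added example (illustration code, not from the guide or from any vendor it covers) is a minimal Python token vault that replaces a PAN with random digits, keeps the last four for receipts, deliberately makes every token fail the Luhn check so it can never be submitted as a real card number, and shows what a merchant record looks like once the PAN is gone. The PAN used is the well-known 4111... test number; the vault is an in-memory dictionary standing in for the PCI-scoped service that a real deployment would keep out of the merchant's environment.

```python
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check used by card networks for PAN check digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random surrogate tokens.

    Only the vault, which lives inside the PCI-scoped environment, can map a
    token back to a PAN. Everything outside stores the token only. Tokens are
    random, not derived from the PAN, so there is nothing to brute-force.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:          # same PAN always gets the same token
            return self._token_by_pan[pan]
        while True:
            # Keep the last four digits (receipts, customer service) and
            # replace the rest with cryptographically random digits.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice (assumption for this example): a token must fail
            # the Luhn check so it can never be mistaken for, or charged as,
            # a real card number; it must also differ from the PAN and be unique.
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse a token; only code inside the vault's trust boundary calls this."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


def store_order(vault: TokenVault, order_id: str, pan: str) -> dict:
    """What the merchant keeps after checkout: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "card_token": token, "last4": token[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    order = store_order(vault, "order-1001", "4111111111111111")
    print("merchant record:", order)
    print("vault resolves token to:", vault.detokenize(order["card_token"]))
```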

Trusted framework
A certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security and privacy policies of the party who issues the credential (called the identity service provider), and vice versa.

Trusted third-party
An entity trusted by multiple other entities within a specific context and which is external to their relationship with each other.

Two-factor authentication
Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorised, such as a security code.

User account
The collection of data used by a system to identify a single user, authenticate that user and control the user's access to resources.

Vishing
The act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be a legitimate business and fools the victim into thinking he or she will profit.

Voice authorization
An approval response that is obtained through interactive communication between an issuer and an acquirer, their authorising processors or stand-in processing, or through telephone, facsimile or telex communications.

Voice over IP (VoIP, or voice over Internet Protocol)
Refers to the communication protocols, technologies, methodologies and transmission techniques involved in the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the internet. Other terms commonly associated with VoIP are IP telephony, internet telephony, voice over broadband (VoBB), broadband telephony, IP communications and broadband phone.

Unique identity
A partial identity in which at least a part of the attributes are
identifiers. Since at least some of the attributes (or combinations
thereof) are identifiers, the entity can be uniquely identified through
the unique identity within a certain context. A unique identity is an
identifier such as a unique number or any set of attributes that
allows one to determine precisely who or what the entity is.

Validation
Confirming that information given is correct, often by seeking
independent corroboration or assurance.

Verification
The process or an instance of establishing the truth or validity of
something.

Virus
A program that can replicate itself by inserting (possibly modified)
copies of itself into other programs, documents or file systems;
this process is described as the infection of a host.
