the new payments ecosystem: fast, open, secure and disruptive · strong authentication. strong...

THE NEW PAYMENTS ECOSYSTEM: FAST, OPEN, SECURE AND DISRUPTIVE

SECURE! How realtime and openness change the payment fraud ecosystem.

Confidential


Post on 20-Jul-2020



FOREWORD BY SETH RUDEN AND JOEL VAN ARSDALE

With payment DISRUPTION comes greater complexity. Fraud management practices and systems need to evolve faster to counter increasingly sophisticated attacks. New trends such as FASTer payments or OPEN APIs will be game changers, especially with the shift towards real-time cross border payments. Processors will be at the front line for ensuring that their clients have the tools necessary for providing Real-Time Controls in the new channels and new regulations will push the responsibility of ensuring the safety of any application integrations onto FinTechs. Mitigating fraud in such a complex environment requires investment in new processes, technology, and education of employees and customers.

Seth Ruden, Senior Fraud Consultant, ACI Worldwide

Smart, effective fraud management is paramount in a digital world. While digital commerce introduces great convenience, so too does it create vulnerabilities to the payments ecosystem. Fortunately, the tools available to banks, merchants, processors, and FinTechs are better than ever and best practices are increasingly established and shared among these stakeholders. PSD2’s strong authentication requirements have energized the ongoing debate about the balance of security and frictionless commerce. The payment providers that succeed in the future will be those that find the right answer.

Joel Van Arsdale, Managing Director Europe, First Annapolis

WHAT IS SECURE?
SECURITY is the protection of identity, privacy and property.

What is security?
• Protection of your identity – avoiding impersonation, only I am me.
• Protection of privacy – maintaining confidentiality of personal matters and data.
• Protection of property – protecting money and assets.

What are the threats to security?
• Viruses/Malware.
• Targeted cyber attacks/hacking.
• Data breaches.
• Cloud computing creates vulnerabilities.
• Mobile devices create vulnerabilities.

… data protection is the key to fraud prevention.

File fraud clearing follows the money …

FRAUD

SECURE MUST COEXIST WITH CONVENIENCE
There will never be perfect SECURITY or perfect convenience.

• Reduce friction in commerce: Must be fast, must be easy.
• Ease of enablement: There are two sides to all transactions, each must be able to easily enable the security measures.
• Product features and functionality: Notifications, rich data, integrated loyalty, etc.
• Reliability: “My account needs to function at all times”.
• Ever changing technology: Mobile, contactless, etc.
• Changing control dynamics: More recurring and IoT payments which are not one-for-one initiated and approved by the payer.

SECURITY / CONVENIENCE

DIGITAL COMMERCE INTRODUCES NEW RISKS…
…but digital technologies also introduce new tools to tackle risks.

COMPLEXITY / FRAGMENTATION / DIGITALISATION / GLOBAL ECOMMERCE

NEW RISK
• Malware / spyware / intrusion.
• Real-time, scaled attacks.
• Cross-border fraud.
• Stolen IDs:
  • Account take-over.
  • New account fraud (bust-out).
• Fake IDs, synthetic IDs.
• Bots, emulators, spoofing – falsifying digital IDs.
• Application reverse engineering.
• Entrapment and skimming devices.
• Phishing (online/mobile/phone).

NEW TOOLS
• Machine learning and AI.
• Encryption and tokenization.
• Digital fingerprints, device recognition / detection (IMEI/MEID/UDID).
• Digital avatars, pervasiveness of internet/social identities.
• Identity recognition, detection and digital identities (official, government sanctioned).
• Immobilizing technologies.
• More sophisticated firewalls protecting IT infrastructure.
• Secure communication networks.
• Device reputation analysis.
• Multi-factor authentication (aliases, passwords, AVS, CVV2, phone number, address, credit history, codes, encryption keys, social, biometrics, etc.).
• KBA (Knowledge Based Authentication).
• Alert services.
• Automated screening / detection.
• Among others.

PAYMENTS ARE AT THE CENTER OF IDENTITIES AND COMMERCE. MINIMIZING FRAUD IS THE IMPERATIVE.
Fraud, which comes in many forms, is the key threat to SECURE payments.

[Figure labels]
Fraud forms: Account take-over; Account bust-outs; Counterfeiting; Phishing; Employee fraud / tampering; Social engineering.
Identity and commerce elements around Payments: Loyalty & Marketing; Offers; Selection, Ordering; Checkout; Customer ID; Fulfillment; Intel & Data.

FRAUD CONTINUES TO EXPAND WITH A FOCUS ON CARD-NOT-PRESENT
Reducing the rates of fraud is a victory, but this battle does not end (nominal fraud amounts are still growing).

1 IN 3 CONSUMERS HAVE EXPERIENCED CARD FRAUD IN THE PAST 5 YEARS
17%: DEBIT AND CREDIT CARD HOLDERS HAVE EXPERIENCED FRAUD MULTIPLE TIMES DURING THE PAST 5 YEARS
Source: Aite Global Consumer Survey

[Figure: Card Fraud Rates in the UK and France, 2013 to 2015. Panels: Card Present (basis points of card turnover) and Card-Not-Present (basis points of card turnover), each for UK and France, with CAGR in Total Amount of Fraud.]
Sources: UK Cards Association; e-Commerce Europe; Banque de France (Observatory for Payment Card Security); Financial Fraud Action UK; First Annapolis estimates

WE HAVE COME A LONG WAY IN MANAGING DIGITAL FRAUD
Fraud management is an ongoing journey.

• Early 2000s: Device Fingerprinting. Different device parameters forming a unique identifier.
• Early 2000s: Merchant fraud rules. Dedicated fraud modules are now also common on the merchant side.
• 1990s: EMV. Chip and PIN transactions are possible now.
• 1990s: AVS. Address verification allows background checks.
• 2010s: Phone # verification / Reverse Lookup. Once deployed, it can also reduce manual efforts through SMS verifications.
• 2000s: CVC3. Dynamic CVC3 for NFC makes contactless payments more secure.
• Early 2000s: Tokenization. Tokenization of card data reduces challenges caused by compliance.
• 2010s: Artificial intelligence. Inter-organizational, AI enhanced anti fraud systems come up.
• Early 2000s: Biometrics. Fingerprint for Apple/Android/Samsung Pay, experiments with other biometrics.
• 1950s: Credit history check. Credit bureaus offering credit history checks for payment default prevention.
• 1990s: CVC2. A simple copy of the card’s magstripe is not sufficient anymore.
• Early 1990s: Score based fraud tracking. Evolution to more sophisticated score based tracking.
• 2017: Strong Authentication. PSD2 requires strong authentication for e/mCommerce payments.

THE NEW, REAL-TIME PAYMENT ECOSYSTEM REQUIRES NEW APPROACHES TO FRAUD MANAGEMENT
With increased complexity must come increased capability.

[Diagram labels]
Headings: AUTHENTICATION; AUTHORISATION; PAYMENT ECOSYSTEM; NEW PAYMENT ECOSYSTEM; REALTIME.
Vulnerabilities: CNP, Stolen, POS Counterfeiting.
Vulnerabilities: Account takeover, Online Banking Fraud, Cross-border.
Controls shown: Signature; EMV; CVV; 2 Factor Auth.; Multi-Factor Auth.; Tokenization; Device and IP Analysis; Block; Alert; Monitor; Universal Acct No.; Geolocation; Actionable Alerting Rules; Behavioral Profiling; Predictive Analytics; Session Navigation.
Means of Payment: Card; Invoice; Internet Bank Transfer; Card on File; Pay-later Checkout; Digital Wallet; Mobile Banking; PSD2 / TPP.

DATA BREACHES HAVE EXPOSED VULNERABILITIES
Expanding data thefts have laid bare the vulnerabilities of non-authenticated cards.

Selected Major Card Data Breaches (c. 40-50% of global payment card fraud in 2015 arose from stolen U.S. card data)
• January, 2007: 46 million cards
• January, 2009: 130 million cards
• March, 2012: 1.5 million cards
• December, 2013: 40 million cards
• September, 2014: 56 million cards
• February, 2016: 1,025 locations

Source: Press releases, Nilson Report

OPEN IS HELPING TO MODERNIZE THE PAYMENTS ECOSYSTEM
But open technologies come with their own vulnerabilities.

IMPACT of open:

HOW WILL PROCESSORS BE AFFECTED?
• Boutique fraud shops and next generation multi-tenant solutions become standard: revenue and marketing opportunity.
• Aggregation, analysis and action-ability of fraud data and threat intelligence becomes indirectly monetized.

HOW WILL FINTECHS BE AFFECTED?
• Security and abuse must be carefully considered/prioritized or adoption and ubiquity will be at risk.

[Diagram labels: NEW PAYMENTS ECOSYSTEM; NEBULOUS MICRO TRANSACTIONS; NEBULOUS PAYMENT SERVICE PROVIDERS; APIs; PROCESSORS; BANK / ACCOUNTS; AISP, PISP]

EFFECTIVE IDENTITY AUTHENTICATION IS KEY TO SECURITY
And there is still much room for improvement for both SECURE and convenient authentication.

Point of Sale Transaction (In-Store)
• PIN
• Chip (with encryption keys)
• Biometrics

eCommerce Transaction (Online)
• Alias + Password
• Address Verification
• One-time Codes
• App-based encryption keys
• Biometrics

FOR MERCHANTS, THE KEY IS FRAUD DETECTION AND SMART DECISIONING
Fraud detection should occur throughout the customer journey.

Before the payment…
• Know the patterns (what does a fraudster look like?).
• Screen the data.
• Predict the risk.

During the payment…
Execute a Decision Tree: Try Again; Step-Up; ‘We’ll get back to you’; Accept; Reject.

After the payment…
• Post-authorization (last-look prior to shipping).
• Post-fulfillment (root causes analysis on fraud to inform detection).

Merchant Toolbox

During
• Rules engines.
• Fraud scoring.
• Velocity checks.
• AI-based fraud engines.
• Dynamic authentication.

Before
• Login.
• Data capture (cookies, device IDs, IP address, geo-location).
• Digital certificates.
• Message encryption.

During or After
• Blacklists.
• Pattern recognition.
• Browser and malware tracking.

After
• Investigation.
• Machine learning.
• Alert services.
• Cross-channel management.

USING THE EVER-EXPANDING UNIVERSE OF DATA IS KEY TO SMART DECISIONS
Participants must find the right tools to meet their needs.

Traditional Fraud Management Data and Processes: Driven by proprietary data sources and clunky processes.
New Fraud Management Data & Processes: Driven by open data sources & real-time processes.

[Diagram labels: Application Data; Account Data; Social Data; Device Data; Black Lists; Data Aggregators]

THE ECOSYSTEM IS EVOLVING TO BETTER ADDRESS DIGITAL FRAUD
We can and are improving with ever-more-sophisticated tools.

Example Tools:

1. Tokenization
   What is it? Card data replaced with ‘token’ by merchant or scheme.
   How does it prevent fraud? Tokens have no value by themselves.

2. Strong Authentication
   What is it? Something you know, something you have, or something you are.
   How does it prevent fraud? Multi-layer screening helps to prevent ID theft.

3. Digital Identity
   What is it? Our online digital avatar.
   How does it prevent fraud? Everything we do online leaves traces that can be used to validate who we are.

4. Device IDs / Fingerprints
   What is it? Unique device identifiers.
   How does it prevent fraud? Form of recognition that allows for association of a device with a person.

5. Biometrics
   What is it? Biological identifier, such as fingerprint.
   How does it prevent fraud? Touch ID demonstrates the convenience advantages of well crafted biometrics.

6. Artificial Intelligence
   What is it? Predictive behavioral analytics.
   How does it prevent fraud? Uses pattern recognition and learning to avoid repeat fraud events.

BEST PRACTICES ARE INCREASINGLY WELL ESTABLISHED AND ACHIEVABLE
Adopting an enterprise wide strategy is the first step.

Best practices for fraud management:

INNOVATE: Operationalize Fraud Detection BEFORE launching new products. Real-Time for faster payments (non-batch) is imperative.

AGILE: Developing agility in the integration of new feeds, data elements and channels reduces residual risk in channel and increases response strength and capabilities.

SECURE: Posturing security as strong and robust IS a customer oriented position. Friction as a byproduct of security is a myth, and can be mitigated.

TEST: Penetration testing reveals gaps, foundational weakness and control strength; “Fencing-in” risk.

CENTRALIZE / ENTERPRISE-WIDE: Centralize payment infrastructures, transaction processing, authentication, fraud, AML alerting and align vendors (e.g. device reputation, malware, etc.) where possible into one solution.

REGULATORS ARE ACTIVE IN THE FIGHT FOR SECURE PAYMENTS AND DATA PROTECTION

Privacy and data protection are getting increasingly important for regulators.

PSD2
PSD2 introduces enhanced security measures to be implemented by all payment service providers, including banks:
• Additional safeguards and increased consumer choice around Direct Debit.
• Harmonized timelines for payment processing.
• Increased Chargeback and Refund Periods.
• More stringent rules for the authentication of online payments (strong authentication).
• Demand for tokenization.

Data Privacy and Protection
Directives concerning data privacy and protection are getting increasingly important, e.g.:
• General Data Protection Regulation (to come into force in 2018): The European Commission intends to strengthen and unify data protection for individuals within the EU, and also addresses exportation of data outside of the EU.
• EU-US Privacy Shield: The European Commission and the US agreed to establish a new framework for transatlantic data flows in February 2016.

SECURITY REGULATION

PSD2’S STRONG AUTHENTICATION COULD HAVE A DRAMATIC IMPACT ON THE MARKET

Merchants and providers must adjust to new means of authentication as a result of PSD2.

Today’s card checkout is typically not strongly authenticated.

Wallets which require a simple login + password such as PayPal do not comply with strong authentication.

Strong Authentication Generally Not Used Today: So how far will the regulation go?

Roughly 50% of UK eCommerce transactions are not directly authenticated at all (i.e., card on file).

Merchants and their providers will need to adapt to new means of authentication.

PSD2’S GOALS FOR OPEN BANKING WILL NOT SUCCEED WITHOUT REDUCING FRICTION IN AUTHENTICATION AND A SYSTEM OF TRUST

Smart phones and improved digital identities are likely the answer.

New 4-Corner Model Must Enable Trusted Exceptions…
Digital identities. Registries and white lists.

… and Reduced Friction and Strong Authentication
Smartphones can enable reduced friction and strong authentication in line with transacting.

[Diagram: numbered steps 1 to 7 between Consumer, PISP, MSP, Merchant (“Payee”, “Beneficiary”) and Beneficiary Bank (“AS PSP”). Step labels: “Present transaction (amount and beneficiary) and Authorize.”; “Initiate and send SCT”.]

COLLABORATION BETWEEN ACCOUNT SERVICERS AND MERCHANTS IS THE CORNERSTONE OF SECURE PAYMENTS

Fraud prevention collaboration is easier with an open payments ecosystem.

The Cornerstones of Secure Payments
[Diagram labels: SECURE PAYMENTS; Networks; Collaboration; Account Servicers; Merchants; Key Enablers]

Stakeholders Connected to Fight Fraud
[Diagram labels: Cardholder; Issuer; Merchant; Acquirer; Regulators – Fraud Prevention; Scheme; Collaboration; Processors]

Partnership and collaboration are increasingly easy within an OPEN payments ecosystem.

FINTECH INNOVATORS WILL DISRUPT TRADITIONAL PAYMENT ECOSYSTEMS IF THE BALANCE OF CONVENIENCE AND SECURITY IS NOT RIGHT

FinTech and social networks will be part of the future payments ecosystem.

New Market Players May Disrupt The Traditional Payment Ecosystems
[Diagram labels: Consumer; Merchant (“Payee”, “Beneficiary”); “AS PSP”; FinTech; Beneficiary Bank]

EVOLUTION OF FRAUD MANAGEMENT FOR PROCESSORS
Processors must be both thorough and agile.

MAP A PATH TOWARDS ENTERPRISE (ACCOUNT BASED) FRAUD MANAGEMENT:
DEPLOY AGILE FRAUD SOLUTIONS:

• Create CENTERS OF EXCELLENCE for fraud operations, data concentration/warehouse.
• ONE SOLUTION to meet client cross-channel needs with Increased DETECTION and SECURITY as a competitive advantage.
• CLOUD, On-Demand model speed up integration and deployment.
• Strong INTEGRATION with authentication, device and malware vendors and 3rd party service providers.
• INTEGRATE and COMMUNICATE to clients’ customers any alerts/security status of accounts.
• OPEN SOLUTIONS can provide greater visibility to fraud events.
• React in REAL-TIME to EMERGING THREATS. Expose and deploy new data elements rapidly.
• Custom Rules authoring and business intelligence, analytics, reporting and forecasting.
• Integrate into BACK-END SYSTEMS to automate status update and auto alerting.

EVOLUTION OF FRAUD MANAGEMENT FOR FINTECH
Being open while protecting vulnerabilities.

FINTECHS NEED TO THINK ABOUT OPPORTUNITIES FOR ABUSE, POINTS FOR CASH-OUT AND HOW MONETIZATION CAN OCCUR IN THE NEW PAYMENT ECOSYSTEM:
ADOPTION AND UBIQUITY RELIES ON TRUST, CONTROLS OF ALL STAKEHOLDERS IN THE NEW PAYMENT ECOSYSTEM:

• ENDPOINTS: Funding sources and destinations/outputs introducing risk to ecosystem.
• Detection of FRAUD PATTERNS.
• Anti-Money Laundering Requirements (especially for Money Service Businesses).
• Know your CUSTOMER and Customer Due Diligence controls.
• Getting AHEAD of REGULATION by helping to ensure that financial crime risks are mitigated before exploits are realized as losses.
• APIs are NOT UNLIMITED ACCESS: Demonstrate security as a core competency. Place boundaries on transactions, alerting mechanisms on “ceiling thresholds” reached. Real-Time declines in a real-time environment.
• NON-TRADITIONAL PLAYERS may not anticipate the rate of fraud shift to new vulnerabilities. May carry traditional risks and the new risks of their partners.


APPENDIX

APPENDIX I: ABBREVIATIONS AND REFERENCE BOOK (1/3)

Term: Explanation

2 Factor / Multi Factor Authentication: Multi-factor authentication (e.g. 2 factor) means that two different authentication methods are used, e.g., username/password (1) and a confirmation on the mobile phone for the login (2).

Acquirer: Entity in the payments ecosystem providing the terminal to the merchant, connecting it to schemes and paying the merchant funds customers have spent at the shop.

AI / Artificial Intelligence: Artificial Intelligence is an automation of intelligent behavior by machines and programs.

AISP / Account information service provider: Entity providing (payments) account information to companies or individuals in a compliant way.

API / Application programming interface: Interface to access systems / programs via a standardized interface.

AS PSP / Account services payment service provider: Entity enabling the connection between an online shop and other market participants such as banks or credit card acquirers.

CVV / CVC: A numerical code for card transactions. Used for POS transactions (CVC1, encoded on the card’s magnetic stripe), eCommerce transactions (CVC2, printed on the back of the card) or contactless transactions (CVC3, dynamic, on the contactless chip).

Device Fingerprinting: A technology to identify a device by accumulating the information the device transmits when (e.g.) visiting a website to a (relatively) unique fingerprint.

APPENDIX I: ABBREVIATIONS AND REFERENCE BOOK (2/3)

Term: Explanation

IoT / Internet of things: The internet of things is the integration of physical devices to the internet. Enriched with internet connectivity, these devices can interact with other devices, services or humans. Examples include, but are not limited to, security systems, irrigation systems, traffic surveillance, etc.

IMEI / MEID / UDID: These IDs are unique serial numbers to identify mobile devices (GSM/UMTS: IMEI; CDMA: MEID; iPhone: UDID).

Issuer: Entity in the payments ecosystem providing the card to the cardholder, often his bank.

KBA / Knowledge Based Authentication: Authentication method where the person to be authenticated is asked a personal question only the authorized person is able to answer.

Tokenization: The substitution of a sensitive data element (e.g. credit card number) with a non-sensitive token to reduce compliance complexity.

TPP (Third Party Payment Service Provider): A TPP will have an IT and Operations platform meant to take care of all back office activities for processing transactions.

Malware: Malware includes all kinds of MALicious softWARE (e.g., viruses, trojans, etc.).

Phishing: Trying to capture sensitive data (e.g., login credentials) via fake websites or emails.

APPENDIX I: ABBREVIATIONS AND REFERENCE BOOK (3/3)

Term: Explanation

PISP / Payment initiation service provider: An entity that can initiate a compliant payment order at a request sent by a payment service user (e.g., business or individual).

Rich data: Is used to predict consumer behavior by accumulating as much information as possible (in contrast to big data, which predicts trends).

Skimming device: A device used to fraudulently copy card holder data.

Social Engineering: Interpersonal manipulation to illegally get confidential information (e.g., person calling the accounting department and claiming to be the CEO, asking for last quarter’s sales figures).

Strong Authentication: Multi-factor authentication for eCommerce and mCommerce transactions.

The last millennium experienced steady incremental innovation in payments with card the principal disruptive element. Today, regulators and consumers are demanding FAST, OPEN and SECURE payments causing the pace of innovation to accelerate and payment models to become fragmented.

Welcome to a new era of DISRUPTION in payments!

www.aciworldwide.com
Americas +1 402 390 7600
Asia Pacific +65 6334 4843
Europe, Middle East, Africa +44 (0) 1923 816393

© Copyright ACI Worldwide, Inc. 2017
ACI, ACI Worldwide, ACI Payment Systems, the ACI logo, ACI Universal Payments, UP, the UP logo, ReD and all ACI product names are trademarks or registered trademarks of ACI Worldwide, Inc., or one of its subsidiaries, in the United States, other countries or both. Other parties’ trademarks referenced are the property of their respective owners.