Select Committee on Science and Technology Minutes of Evidence


Memorandum by Visa Europe

EXECUTIVE SUMMARY

  Visa Europe is a payment solutions company owned and controlled by over 4,500 European member banks. The company's role is to provide products and services that make transactions fast, secure and convenient.

  Visa secures the payment system by building multiple layers of protection around each component of the transaction chain. We are constantly striving to improve security. As a result, the overall fraud rate (fraud to sales by cards issued) is at an all-time low of just 0.051 per cent. Due to the introduction of Chip and PIN, counterfeit fraud has been reduced. The fastest growing type of fraud, however, is "card not present", which now accounts for 40 per cent of cases. Visa has introduced a number of tools to help cut this type of fraud. These include Verified by Visa, which makes online transactions more secure; CVV2, which makes mail order and telephone order transactions more secure; Address Verification Service, which allows for the authentication of cardholder details; and an Electronic Commerce Indicator, which validates e-commerce transactions.

  Visa Europe is currently piloting Dynamic Passcode Authentication, which will make a further contribution to a safer online environment. VISOR (Visa Intelligent Scoring of Risk) is Visa's fraud detection system which uses neural networking technology to assess the validity of individual transactions. Account Information Security is designed to protect sensitive account and transaction data in the retail environment. It is currently being adopted across Europe. A variety of other technologies are explained in the attached paper.

  Visa Europe has a dedicated resource that is responsible for investigating the phishing emails and contacting the host to get such sites shut down. In April 2006, Visa signed an agreement with the Child Exploitation and Online Protection Centre (CEOP). CEOP provides a single point of contact for the public, law enforcers and the communications industry, enabling suspicious activity to be reported direct, 24-hours a day. CEOP also offers advice to parents and potential victims.

  Visa is committed to increasing and developing new forms of internet security. It understands the seriousness of the issue and the wide ranging damage that can be caused, not just financially, but to confidence in the whole economic system.

ABOUT VISA EUROPE

  Visa Europe is a leading payment solutions company owned and controlled by over 4,500 European member banks. Through our brand, services, systems and operating regulations, we enable our member banks to meet the needs of their customers and merchants but also to take part in the global Visa system.

  Our role is to provide products and services that make transactions fast, secure and convenient. To achieve this, we connect the different parties in the payment process.

  Through Visa:

    —  Issuing banks provide consumers with a universal payment method.

    —  Consumers benefit from convenience and security.

    —  Retailers benefit from speed, lower cash handling costs and security and provide their customers with a popular payment service.

    —  Acquiring banks provide retailers and merchants a popular, universal way to accept payments.

  Visa has recently announced plans to globally restructure its organisation. Its businesses in the USA, Canada, Asia Pacific, Latin America and Caribbean, Central and Eastern Europe, Middle East and Africa (CEMEA) will be merged to become a publicly-traded company, Visa Inc. In Europe, Visa Europe will remain as an independent membership association, owned and governed by its 4,500 European member banks.

  The decision to retain Visa Europe's membership-owned, not-for-profit association structure, will enable it to directly support the development of the European internal market in payments and the Single Euro Payments Area (SEPA). At the same time, Visa Europe will receive an exclusive licence from Visa Inc, ensuring global inter-operability.

FRAUD—GENERAL

  There are many parties involved in a Visa transaction—a cardholder, a merchant, often a processor, and issuing and acquiring banks. Visa secures the global payment system by building multiple layers of protection around each component of the transaction chain. Occasionally criminals may exploit one component of the payment system, but our multiple layers of protection respond quickly and minimise impact to cardholders. Sophisticated neural networks rapidly identify suspicious activity and allow banks to take action.

  From the moment we plan an activity, we do all we can to minimise risk and maximise confidence through our security initiatives. Our approach is to anticipate, analyse and address issues, provide guidance and clear communication, while fostering co-operation.

  To remain one step ahead of criminals, Visa continuously enhances security by improving technologies, leading cross-industry collaborations and working with law enforcement authorities. Visa also supports consumer education and awareness programmes. Many of these advances are targeted at protecting online purchases and securing data in the digital world. Visa aims to prevent fraud, and when it does occur, to minimise the impact. As a result of our efforts, the overall Visa Europe fraud rate (fraud to sales by cards issued) is at an all-time low of just 0.051 per cent. Due to the introduction of chip and PIN in the UK, counterfeit fraud has been reduced. The fastest growing fraud type is now "card not present" (CNP) which accounts for 40 per cent of fraud. Visa has a wide armoury of tools to combat CNP fraud (fraud in the telephone, mail order/telephone order (MOTO) and internet environment).

VERIFIED BY VISA (VBV)—MAKING ONLINE TRANSACTIONS MORE SECURE

  Verified by Visa is an authentication system based on cross-industry standards. A free service to the cardholder, Verified by Visa provides proof that a genuine cardholder and a genuine Visa retailer are taking part in an online transaction.

  Cardholders who enrol for the scheme choose their own password. When they make a purchase at participating Verified by Visa e-tailers, they are prompted for the password to prove they are who they say they are.

  In the UK, there are currently over 12,000 retailers signed up to Verified by Visa, including NEXT, Dixons, Dabs, British Airways, John Lewis, Opodo and Tesco, and numbers are growing fast. In the UK, there are more than three million cardholders enrolled in Verified by Visa and this number is increasing by 90,000 to 120,000 per month. Approximately one in eight online UK Visa transactions are Verified by Visa transactions.

CVV2—MAKING MAIL ORDER/TELEPHONE ORDER (MOTO) TRANSACTIONS MORE SECURE

  Particularly for telephone orders and online shopping, one of the most effective yet simple security measures is the three-figure CVV2 number—a "static" authentication code—printed on the reverse of the card on the signature stripe. Merchants request the number as evidence that the shopper has possession of the card when making a purchase. CVV2 numbers have been incorporated on all UK cards for some years.

ADDRESS VERIFICATION SERVICE (AVS)—AUTHENTICATING CARDHOLDER DETAILS

  AVS provides another level of security, by authenticating the billing address on the card. In the event the card has been stolen or cloned, corresponding billing address info will not be available. If the billing address details are incorrect or not known, this is flagged to the issuing bank which can decline authorisation.

ELECTRONIC COMMERCE INDICATOR (ECI)—VALIDATING E-COMMERCE TRANSACTIONS

  ECI indicates e-commerce transactions and identifies the merchant type, ie: flowers, hotel, etc. This allows banks to identify such transactions and make informed authorisation decisions. E-commerce transactions which pass through the Visa system are grouped and reported to Visa member banks.

DYNAMIC PASSCODE AUTHENTICATION—CREATING A SAFER ONLINE ENVIRONMENT

  Another advance—known as "dynamic passcode authentication"—is being piloted by Visa Europe. Dynamic passcode authentication brings the added security of chip and PIN to online transactions and is being gradually rolled-out by Member banks for e-commerce transactions at VbV merchants. We are currently exploring how dynamic passcode authentication can work for telephone order transactions (using VbV) and pilots are being planned in a few major markets within Europe.

  Devices (known as "Form Factor") to enable dynamic passcode authentication can vary but generally the cardholders would be given a pocket-sized reader. Each time the cardholder makes a purchase at a Verified by Visa e-tailer, they insert their card into the handheld reader. They then type into the reader's keypad their PIN code—validating they are in possession of their card—and prompting the reader to generate a one-time "dynamic" passcode based on chip and PIN cryptographic algorithms. When the cardholder comes to pay at the website's checkout page, they type in their card number and this will generate a request for the dynamic passcode. For added security the cardholder may be given a "challenge" that would also be entered into the reader and together with the PIN, a "response" would be generated by the reader that would be sent securely to the Member bank for verification.

  The dynamic passcode authentication is therefore based on "two factor" authentication ie testing that the card is in the cardholder's possession and that the individual knows the corresponding PIN code. The one-time passcode is useless for subsequent transactions and the reader is always offline and therefore not at the mercy of hackers.
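  The exchange described above, sketched as an added example that is not part of Visa Europe's memorandum and is not Visa's algorithm: an HMAC over a per-card counter stands in for the chip's cryptogram, and the class names, passcode length and look-ahead window are assumptions. It shows why an accepted passcode cannot be reused and how a challenge ties the response to one checkout.

```python
import hashlib
import hmac
import secrets

DIGITS = 8          # passcode length shown on the reader (assumed)
LOOKAHEAD = 5       # how many unused counter values the issuer will try (assumed)


def _passcode(key: bytes, counter: int, challenge: str) -> str:
    """Derive a decimal passcode from key, counter and optional challenge."""
    msg = counter.to_bytes(8, "big") + challenge.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class Card:
    """Card in its offline reader: holds the key, the PIN and a counter."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._counter = key, pin, 0

    def respond(self, pin: str, challenge: str = "") -> str:
        # Constant-time PIN check; a wrong PIN yields no passcode at all.
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        self._counter += 1                  # every passcode uses a fresh counter
        return _passcode(self._key, self._counter, challenge)


class Issuer:
    """Member bank side: verifies a passcode and refuses any reuse."""
    def __init__(self, key: bytes):
        self._key, self._last = key, 0

    def verify(self, passcode: str, challenge: str = "") -> bool:
        # Only counters above the last accepted one are candidates.
        for ctr in range(self._last + 1, self._last + 1 + LOOKAHEAD):
            expected = _passcode(self._key, ctr, challenge)
            if hmac.compare_digest(passcode, expected):
                self._last = ctr            # burn this counter and all earlier ones
                return True
        return False


def demo() -> dict:
    key = secrets.token_bytes(32)           # constructed per-card key
    card, issuer = Card(key, pin="4929"), Issuer(key)
    results = {}
    code = card.respond("4929")
    results["first_use"] = issuer.verify(code)
    results["replay"] = issuer.verify(code)     # same passcode, second attempt
    challenge = "73915264"                  # constructed challenge shown at checkout
    resp = card.respond("4929", challenge)
    results["wrong_challenge"] = issuer.verify(resp, "00000000")
    results["right_challenge"] = issuer.verify(resp, challenge)
    try:
        card.respond("0000")
        results["wrong_pin"] = "passcode issued"
    except PermissionError:
        results["wrong_pin"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```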

  In addition to measures targeted specifically at protecting CNP transactions, Visa has other security measures, which protect banks, retailers and cardholders from fraud in all purchasing situations. These include:

VISA INTELLIGENT SCORING OF RISK (VISOR)—VISA'S FRAUD DETECTION SOLUTION

  VISOR is a Visa Europe fraud detection solution that employs neural networking technology, which mimics the processes of the human mind to assess the likely validity of individual transactions. Every transaction that passes through VisaNet is closely scrutinised by VISOR. VISOR uses a number of components to provide a highly accurate score you can rely on.

  Components include:

    —  Visa Europe Model—trained and refreshed once a year with both current fraudulent and genuine spending patterns.

    —  Cardholder profiles.

    —  Merchant profiles.

    —  Sophisticated fraud detection rules.

  Each time a transaction passes through VisaNet it is automatically routed to the VISOR neural network for analysis and scoring. The transaction will pass through the Visa Europe model, cardholder and merchant profiles and will generate a score based on the interactions between the profiles and the model. The higher the score, the higher the probability of fraud. The issuing bank can then decide whether to authorise or decline the transaction.

  In addition to providing accurate risk scores, VISOR also acts on sophisticated fraud detection rules to target particular types of high-risk transactions. Rules are specifically useful when combating emerging fraud trends or "flash frauds" that would otherwise not be detected by the neural network. Rules can be global, country or Member specific.

ACCOUNT INFORMATION SECURITY (AIS) PROGRAMME

  The AIS programme is designed to protect sensitive account and transaction data in the acceptance environment, when it is used and stored at merchants and third-party service providers. The programme protects the interests of all participants—banks, merchants and cardholders.

  Visa was the first in the industry to create such a programme, including standards, best practices and self-assessment security tools. AIS is now a cross-industry standard (known as PCI DSS—payment card industry data security standard). In order to qualify as "AIS compliant", individual banks, merchants and service providers have to prove that they meet standards controlling their data handling and storage procedures. AIS is currently being adopted across Europe.

OTHER PROGRAMS AND INITIATIVES

  Visa Europe systems constantly monitor transactions, detecting patterns which require investigation, checking identities and validating payments. We know where risks are prevalent and where vulnerable points need to be observed or addressed.

Visa Merchant Alert Service (VMAS)

  The Visa Merchant Alert Service combines monitoring programmes for issuers and acquirers alike, identifying disproportionate losses, especially in cross-border transactions.

  The service allows acquirers to assess a merchant's past record before signing them up. At every opportunity we help connect a network of anti-fraud organisations through the regular publication and sharing of relevant data. A database of terminated merchants is also made available.

Risk Identification Service (RIS)

  The objective of RIS is to help Acquirers reduce fraud by identifying merchant locations where risk-related activity is taking place. The RIS system gathers and analyses transaction and fraud data from a variety of sources and compares risk-related activity occurring at merchant locations against a set of parameters (also known as Visa standards). If risk activity at a merchant exceeds any of the parameters, RIS produces an identification report that is sent to the Acquirer for investigation. Depending on the severity of the identification, ie which parameter has been exceeded and by how much, Visa may require additional action to be taken to control the fraud.

Visa Account Bulletin (VAB)

  The Visa Account Bulletin is an online tool used to alert member banks to specific account numbers that may be at risk or of immediate concern. In the event of accounts being compromised the Visa Account Bulletin is a rapid and secure distribution tool that provides account numbers to each specific member.

  The application focuses on distribution to Issuers, and uses the Issuer BIN (first six digits on the card), extracted from the account number in order to contact the Issuer. The Issuers are contacted via email and the account number details are stored on VOL (Visa Online, a dedicated Visa extranet application). Once the Issuer has received an email alert, they should log onto the system and download account numbers, and details of the alert.

  Alerts are sent to some or all issuing banks, depending on the situation, drawing their attention to issues and actions required to contain the problem. There is also a news section, which summarises recent developments, as well as a link through to the Global Fraud Information Service (GFIS).

Global Fraud Information Service (GFIS)

  GFIS is an online resource, providing timely information and tools to the wider fraud-fighting community—ie beyond the immediate Visa network.

  GFIS publicises trends, issues alerts, provides information about investigations, and lists contacts (within Visa, its members and law enforcement bodies). GFIS also publicises products, programmes, relevant courses and best practice guides.

  With a useful search facility, it enables Visa, its members and global contacts to stay updated and equipped in the battle against fraud, both regionally and worldwide. GFIS also provides benchmarking data to enable banks to compare performance against their competitors.

ANTI-PHISHING MEASURES

  Criminals have developed effective and sophisticated methods to collect personal information from unsuspecting cardholders by using emails and also "spoofing" legitimate Internet websites. Unsuspecting cardholders are caught in these schemes where their Visa account information or personal information is captured and then used to commit fraud. Visa Europe has a dedicated resource that is responsible for investigating the phishing emails and contacting the host to get sites shut down. Visa actively informs its members by placing alerts on the GFIS to inform and communicate these phishing instances.

TRAINING AND EDUCATION

  A vital aspect of Visa's work is training and educating members and law enforcement agencies. By providing a range of courses and best practice guides we help members to gain a better understanding of the issues relating to CNP fraud and how to combat the problem using some of the risk management tools. Also, we maximise every opportunity to provide advice to cardholders on this matter through our PR activities and via our website.

  A course we have recently developed is focused on the Internet and Phishing. It is aimed at fraud investigators at member banks to inform them of the tools and methods available for tracing and combating Internet fraud and phishing.

  When shopping online, many of the simplest and most effective preventative measures are in the hands of cardholders. Visa advises customers:

    —  If suspicious, check an e-tailer's security credentials or call its customer helpline for reassurance.

    —  Only use a computer that has appropriate levels of up-to-date security eg anti-virus software and a firewall.

    —  Keep passwords private and change them often. Create passwords that would be difficult to guess, preferably a mix of letters and numbers.

    —  Keep transaction records, just as you would save your receipt in a shop, including the merchant's contact details and internet address.

    —  Beware of unauthorised e-mails or sites requesting information such as PINs; do not divulge information unless given explicit instructions by your bank. Do not accept instructions via e-mail, as these may be fraudulent.

    —  When asked to provide payment details, ensure you are at the correct site. Check for presence of the "padlock" security symbol in the browser window and click on the padlock to reveal information regarding the owner of the website security certificate.

CEOP—THE CHILD EXPLOITATION AND ONLINE PROTECTION CENTRE

  Visa cards and products are not to be used for any unlawful purposes. While laws governing child pornography may vary from country to country, we are unequivocal about our position on this activity. Very simply, we do not allow Visa products to be used to facilitate these transactions.

  Visa will work with its members to ensure that acceptance privileges are terminated for any merchant dealing in child abuse images anywhere in the world, irrespective of local laws or customs.

  Visa will continue to support a programme to combat, and if possible, prevent its products being used for the acquisition of such material.

  In April 2006, Visa signed a three-year partnership agreement with the newly created Child Exploitation and Online Protection Centre (CEOP). CEOP provides a single point of contact for the public, law enforcers and the communications industry, enabling suspicious activity to be reported direct, 24-hours a day. The unit, staffed by about 100 police, computer technicians and child welfare specialists, also offers advice to parents and potential victims.

  Visa will provide financial support and all its knowledge and resources to strengthen CEOP's finance desk, which identifies people engaged in the sexual exploitation of children for profit and sets out to confiscate offenders' assets and disrupt their activities.

CONCLUSION

  Visa is committed to increasing and developing new forms of internet security. It understands the seriousness of the issue and the wide ranging damage that can be caused, not just financially, but to confidence in the whole economic system.

  Visa believes that Government could do more to promote new anti-fraud measures by using them within its own services to citizens. For instance, by asking HM Customs and Revenue and HMSO to use Verified by Visa, many more people could be encouraged to sign up to the service. This would make the whole payments environment more secure.

  Whilst Visa realises that the Government alone cannot deal with the whole issue of personal Internet security, we believe that more can be done to get consumers to take responsibility for keeping their financial information secure. Government departments are well placed to do this and Visa would be happy to support any government initiative highlighting the seriousness of this issue to the public.

October 2006


 

© Parliamentary copyright 2007