1 credit card operation and the recent cardsystems incident hong kong monetary authority 4 july 2005
TRANSCRIPT
![Page 1: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/1.jpg)
11
Credit card operation Credit card operation and the recent CardSystems incidentand the recent CardSystems incident
HONG KONG MONETARY AUTHORITYHONG KONG MONETARY AUTHORITY
4 July 20054 July 2005
![Page 2: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/2.jpg)
22
CONTENTCONTENT
• Credit card system overview
• The CardSystems incident
• Impact on credit cardholders in Hong Kong
• Liability for financial loss
• Follow-up actions by the HKMA
– Impact assessment
– Risk evaluation
![Page 3: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/3.jpg)
33
CREDIT CARD SYSTEM OVERVIEWCREDIT CARD SYSTEM OVERVIEW
• Network operators (Visa, MasterCard, American Express, Diners, JCB, China UnionPay)
• Card issuers (mainly banks)
• Merchant acquirers (mainly banks)
• Merchants
• Cardholders
• Third party service providers
– Third-party processors
– IT processors
![Page 4: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/4.jpg)
44
AUTHORISATION FLOWAUTHORISATION FLOW
MerchantThird-party
processor
Merchant acquirer
Network operatorCard issuer
Cardholder
(1) Transaction (2) Seek authorisation
(3) Transaction information
(4) Transaction information
(5) Requests authorisation for purchase
(6) Authorisation for purchase
(7) Authorisation
(8)Authorisation
(9)Authorisation(10) Completes purchase
Third-party’s network
Network operator’s network
![Page 5: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/5.jpg)
55
Network operator
Settlement bank of network operator
Merchant acquirer
(1)Transaction details (2) Net Obligation Settlement
report
Network operator’s network
Card issuer
(3) Settlement notification
Clearing (usually within 1 day)
Settlement (usually within 3 days)
Settlement bank of network operator
Merchant acquirer
Card issuer
(1) Payment via
local RTGS Merchant
(3) Credit to merchant account
(2) Payment via
local RTGS
Bill cardholder
CLEARING AND SETTLEMENT FLOWCLEARING AND SETTLEMENT FLOW
![Page 6: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/6.jpg)
66
THE CARDSYSTEMS INCIDENTTHE CARDSYSTEMS INCIDENT
• CardSystems is a third-party processor providing authorisation and validation processes on behalf of the merchant/merchant acquirer
• Cardholder information stored after completion of authorisation and system hacked
• Compromised data could be used for fraudulent transactions
![Page 7: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/7.jpg)
77
THE CARDSYSTEMS INCIDENTTHE CARDSYSTEMS INCIDENT
• CardSystems reportedly breached the security standards set by the network operators:
– NOT to retain sensitive cardholder information after completion of authorisation process
– to encrypt the information should such information be retained for special business, legal or regulatory purposes
![Page 8: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/8.jpg)
88
IMPACT ON CARDHOLERS IN HKIMPACT ON CARDHOLERS IN HK
• Cardholders in HK may be affected if
– purchase retail outlets in the US (at the point-of-sale or through Internet); and
– retail outlets in the US submit transaction information to merchant acquirer through CardSystems
• About 12,000 credit cards issued by AIs in Hong Kong potentially affected
• No financial loss to cardholders in this case
![Page 9: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/9.jpg)
99
LIABILITY FOR FINANCIAL LOSSLIABILITY FOR FINANCIAL LOSS
Card issuers will bear the full loss incurred:
• when faults have occurred in the terminals, or other systems used, which cause cardholders to suffer direct loss (section 30.1(c) of the Code of Banking Practice); and
• when transactions are made through the use of counterfeit cards (section 30.1(d)).
![Page 10: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/10.jpg)
1010
FOLLOW-UP ACTIONS OF THE HKMA - FOLLOW-UP ACTIONS OF THE HKMA - IMPACT ASSESSMENTIMPACT ASSESSMENT
• AIs contacted most of the potentially affected cardholders for card replacement
• For cardholders who cannot be contacted, transactions conducted through their cards are monitored closely
![Page 11: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/11.jpg)
1111
FOLLOW-UP ACTIONS OF THE HKMA - FOLLOW-UP ACTIONS OF THE HKMA - EVALUATION OF RISKEVALUATION OF RISK
• Risk of occurrence of similar incident in Hong Kong is relatively low
– Comprehensive guidance issued to AIs, including: Outsourcing
Technology risk management
Supervision of Internet banking
– Prior approval from the HKMA before entering into an outsourcing contract
– Submission of annual IT controls self-assessment reports to the HKMA by all major AIs
• HKMA’s specialist IT on-site examinations cover the review of IT controls of AIs and their service providers
![Page 12: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/12.jpg)
1212
FOLLOW-UP ACTIONS OF THE HKMA - FOLLOW-UP ACTIONS OF THE HKMA - EVALUATION OF RISK AND STRENGTHENING OF EVALUATION OF RISK AND STRENGTHENING OF
SECURITY SYSTEMSECURITY SYSTEM
• Letters issued to AIs and credit card companies, and other companies handling credit card/debit card data:
– Requesting AIs to re-assess the adequacy and effectiveness of controls over customer data security, retention and confidentiality (including AIs and their service providers)
– Requesting credit card companies, consumer credit bureau and debit card operators to assess the security controls over internal and outsourced processing of consumer and transaction data and to strengthen their companies’ security system where necessary
– Liaising with Privacy Commissioner’s Office
![Page 13: 1 Credit card operation and the recent CardSystems incident HONG KONG MONETARY AUTHORITY 4 July 2005](https://reader036.vdocument.in/reader036/viewer/2022072005/56649cc95503460f94991288/html5/thumbnails/13.jpg)
1313
End of PresentationEnd of Presentation