Reducing Payment Systems Risks in the Retail Delivery Channel NYS Society Of CPA’s Technology Assurance Committee July 20, 2004


Page 1: Reducing Payment System Risks in Retail Delivery - July 20, 2004

Reducing Payment Systems Risks in the Retail Delivery Channel

NYS Society Of CPA’s Technology Assurance Committee

July 20, 2004

Page 2

Presentation Objectives

Assist Auditors who have Retail and Data Processing Clients by: Identifying dynamic payment methods and channels. Reviewing risks and mitigation techniques. Discussing secure payment options for the “virtual” or web delivery channel.

Page 3

Point of Sale Crimes

External: Domestic – individuals / gangs. Global – individuals / gangs (organized crime type). Attacks can be physical or logical. Published threats of physical attacks available.

Page 4

Point of Sale Crimes (cont’d)

Internal: Disgruntled employees / highly trusted individuals. Attacks can be via physical or logical access. Published fraud not readily available.

Page 5

Retail Payment Delivery Channels & Methods

ATM Networks: Debit and Check Cards. Credit Cards: Branded by MC, VISA, Discover, Amex. Third Party Processors. ACH Networks. Electronic Check Truncation. Web Based Methods.

Page 6

Key Point

Retailers are almost always sponsored into a payment network.

Retailers should check their liability to the sponsor, regarding network rules compliance.

The sponsor may hold the retailer liable for losses or breach of required security procedures.

Check your contract !

Page 7

How Is Each Method Different?

ATM cards can be used with a PIN. PIN-based allows real-time authorization. Same-day settlement / no float. Secure. Preferred by merchants due to lower cost. Authorization time can be slower.

Page 8

Check Cards

ATM cards can be authorized with a PIN or signature.

ATM cards are often branded with a NYCE, Star and/or MasterCard or VISA logo.

When authorized with a signature, authorization and settlement are batch based.

Check cards are prone to high fraud rates vs. ATM-only cards.

Page 9

Check Cards (cont’d)

At their zenith of popularity. Usage will flatten due to MC/VISA loss in class action anti-trust suit. Retailers must obtain electronic authorization. Follow floor limit rules. Follow CVC/CVV counterfeit card protections.

Page 10

Check Cards (cont’d)

Hot carding procedures essential. Fraud risk/velocity check essential. Not a good idea for internet or MOTO transactions. Banks love them due to high interchange.
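The floor limit, hot-card and velocity checks that the check card slides call essential can be expressed as a small screening step placed in front of the authorization request. The Go program below is an added example written for this page, not material from the presentation; the policy thresholds, card tokens and timestamps are constructed, and a real deployment takes its limits from the sponsor's and network's rules.

```go
package main

import (
	"fmt"
	"time"
)

// Authorization is one check-card transaction presented at the POS. The card
// is referenced by a surrogate token so the PAN itself never enters this log.
type Authorization struct {
	CardToken string
	Cents     int64
	At        time.Time
	Merchant  string
}

// Policy holds the thresholds a merchant derives from its network rules
// (hypothetical values; the real figures come from the sponsor's rule book).
type Policy struct {
	FloorLimitCents int64         // above this, electronic authorization is mandatory
	Window          time.Duration // velocity look-back window
	MaxCount        int           // max attempts per card inside Window
	MaxCents        int64         // max cumulative amount per card inside Window
}

// Decision is the screening outcome handed to the POS application.
type Decision struct {
	Decline           bool     // card is on the hot list: refuse outright
	RequireOnlineAuth bool     // floor limit exceeded: must authorize electronically
	Flags             []string // velocity findings for the fraud queue
}

// Screener keeps a per-card sliding window of recent authorizations and the
// hot list of blocked card tokens.
type Screener struct {
	policy  Policy
	hotList map[string]bool
	recent  map[string][]Authorization
}

func NewScreener(p Policy, hotList map[string]bool) *Screener {
	return &Screener{policy: p, hotList: hotList, recent: map[string][]Authorization{}}
}

// Screen applies hot-card, floor-limit and velocity rules to one
// authorization, records it, and returns the decision.
func (s *Screener) Screen(a Authorization) Decision {
	var d Decision
	if s.hotList[a.CardToken] {
		d.Decline = true
		return d // a hot card is refused and not recorded as an attempt
	}
	if a.Cents > s.policy.FloorLimitCents {
		d.RequireOnlineAuth = true
	}
	// Keep only history inside the window, reusing the backing array.
	cutoff := a.At.Add(-s.policy.Window)
	kept := s.recent[a.CardToken][:0]
	for _, h := range s.recent[a.CardToken] {
		if h.At.After(cutoff) {
			kept = append(kept, h)
		}
	}
	count, sum := len(kept)+1, a.Cents
	for _, h := range kept {
		sum += h.Cents
	}
	if count > s.policy.MaxCount {
		d.Flags = append(d.Flags, fmt.Sprintf("velocity: %d attempts within %s", count, s.policy.Window))
	}
	if sum > s.policy.MaxCents {
		d.Flags = append(d.Flags, fmt.Sprintf("velocity: %d cents within %s", sum, s.policy.Window))
	}
	s.recent[a.CardToken] = append(kept, a)
	return d
}

func main() {
	// Constructed sample traffic: one card making rapid small purchases.
	p := Policy{FloorLimitCents: 5000, Window: 10 * time.Minute, MaxCount: 3, MaxCents: 20000}
	s := NewScreener(p, map[string]bool{"tok-hot": true})
	t0 := time.Date(2004, 7, 20, 9, 0, 0, 0, time.UTC)
	for i := 0; i < 5; i++ {
		a := Authorization{"tok-A", 3000, t0.Add(time.Duration(i) * time.Minute), "store-1"}
		fmt.Printf("%s %+v\n", a.At.Format("15:04"), s.Screen(a))
	}
	fmt.Printf("%+v\n", s.Screen(Authorization{"tok-hot", 100, t0, "store-1"}))
}
```

The fourth rapid attempt trips the count limit, the fifth also trips the amount limit and, being above the floor limit, must go online for authorization; an attempt well outside the window starts a clean count.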

Page 11

Check Cards (cont’d)

Retailers win the Walmart anti-trust suit. After 1/1/04, retailers need not accept them. Learn more about fraud management by obtaining Visa's Check Card Risk Management Overview (doc# V10524-0698) and Check Card Risk Management Brochure.

MasterCard has similar documents.

Page 12

Third Party Processors & ACH Networks

3rd Party Processors provide data processing, settlement and authorization services to retailers.

Automated Clearinghouse Services (ACH) provide settlement services for the retailer and their processor.

Check cards present a higher risk due to charge back and delayed settlement.

Page 13

Check Truncation

Electronic capture, transmission and authorization of physical checks.

Faster authorization. Less float and credit risk.

Page 14

POS Debit Crime - External

Skimming: Magnetic card reader device (about the size of a Palm Pilot, or a duplicate POS device). Debit card is swiped through the “skimmer” as well as the legitimate POS device. Card data is collected from the magnetic strip of the card. Make bogus cards from collected data… make purchases from victims’ accounts.

Page 15

POS Crime – External (cont’d)

Skimming: Device attached to a legitimate ATM. Captures card data. Camera records customer entering PIN, or thief obtains PIN by “shoulder surfing”. Make bogus cards from captured data. Create false deposits to inflate account balance. Make withdrawal.

Page 16

Industry Trends Driving Risk

Merchants prefer PIN-based debit. Accepting PINs saves merchants $$$$

BUT… PIN-based debit means merchants assume the risk of data loss or theft if they fail to observe card association and network rules.

Page 17

Industry Trends Driving Risk (cont’d)

Increased network security requirements. FTC adopts Banking Privacy Rules (GLBA). More sophisticated card “skimming”. Retailers begin deploying ATMs in their stores.

Page 18

Industry Trends Driving Risk (cont’d)

Exploding PIN-based volumes. Check card volumes almost equal credit card volume. Retailers win anti-trust suit. Retailers enter the web delivery channel. FTC successfully sues retailer for privacy violations.

Page 19

Industry Trends Driving Risk (cont’d)

Expensive, security-driven technology changes: New encryption algorithms. New fraud checking – CVC2. Wireless technology at the check-out lane. Loyalty cards create more data storage of non-public cardholder data.

Page 20

Card Association & Network Requirements

VISA Cardholder Information Security Program (CISP).

ATM Networks require compliance with PIN Security Rules.

Retailers need financial institution sponsors to accept debit.

Page 21

Implications

Retailers will need expertise in: Card Technology, Card Security, Retail Encryption Standards, Privacy & Identity Management, Access Controls. Security Audits Needed – VISA CISP.

Page 22

PIN Debit

What Risks Do Retailers Need to Manage?

Page 23

Card Skimming Has Reached Epidemic Proportions

Examples: Breaches of logical security. Installation of a “parasite” or sniffer on the key pad or controller. Low tech “double swipe technique”. Wireless POS may broadcast data.

Page 24

What Is The Risk?

Cardholder PIN security depends upon the retailer's implemented Key Management Procedures.

Can you survive… Replacing Citibank’s, Bank of America’s or any large institution’s cards? The brand damage to your institution? Disconnection from a payment brand?

Page 25

What PIN-based Standards Retailers Must Know

Identify liability to their Sponsor. Identify liability to their Processor. Practice a standard of reasonable care = ANSI Standards X9.8 and X9.24. Major ATM Networks (Star, NYCE, Interlink) follow these standards.

Page 26

Standards for PIN and Key Management

American National Standards Institute (ANSI) published standards for Retail Banking to provide protection of: PIN Issuance. All PIN’ed transactions during interchange. Symmetric cryptographic keys used in the Retail Banking Payment Infrastructure to protect PINs.

* Standards are voluntary

Page 27

Standards for PIN and Key Management

Some retailers deploying in-store ATMs to earn surcharge and interchange.

Knowledge of

Page 28

How Does Retail Encryption Work?

[Figure: two castles, Castle A and Castle B, each with a locked Chest (12345), sharing the Same Key. Castle A uses it to lock up information to share with Castle B, and Castle B to lock up information to share with Castle A. Labels on the figure: PINs, Keys, Data, Chest 12345.]

Page 29

Authenticating the Card Holder - ANS X9.8:

[Figure: a Customer uses an ANY Bank card at an Oregon Bank owned ATM; the Retailer's PIN PAD sends E.PEK(PIN block).]

• The PIN is a means of verifying the identity of a customer within an Electronic Funds Transfer (EFT) System.

• The objective of PIN Management is to protect the PIN against unauthorized disclosure, compromise and misuse throughout its life cycle.

• PIN Security depends on sound key management. Maintaining the secrecy of the cryptographic keys is of the utmost importance, because the compromise of the key allows the compromise of any PIN ever enciphered under it.

• Using an ANY Bank card at an Oregon Bank owned ATM.

Page 30

PIN Verification by the Issuer Host (on-us or not-on-us):

[Figure: nodes Oregon Bank, Retailer PED, NYCE, other switches, Star, PULSE, Federal CU, Third Party Processor (TPP), FCU cardholder.]

1) TPP does not verify PIN at ATM; transaction transported to FCU host center.

2) OB performs a PIN translation to transport transaction to network.

3) E.AWK(PIN)

4) Network performs a PIN translation to transport to FCU Issuer.

5) PIN is verified at FCU host center and authorization
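The two slides above describe a PIN block leaving the PIN PAD enciphered under the PED key, E.PEK(PIN block), being translated at each zone boundary (E.AWK(PIN)), and finally being verified by the issuer host. The Go program below is an added example, not part of the presentation: it builds an ISO 9564-1 format 0 PIN block (the format ANS X9.8 specifies), enciphers it with Triple DES from Go's standard library, translates it across two zones the way an acquirer HSM and a switch HSM would, and verifies it at the issuer. The keys, PAN and PIN are constructed test values; the 16-digit PAN is a Luhn-valid test number, not an issued card. The point the slides make is visible in the code: the clear PIN block exists only inside the PIN PAD, inside TranslatePINBlock and inside VerifyPIN, and anyone holding a zone key can recover every PIN ever enciphered under it.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// hexToBlock decodes 16 hex digits into an 8-byte block.
func hexToBlock(s string) ([8]byte, error) {
	var out [8]byte
	b, err := hex.DecodeString(s)
	if err != nil || len(b) != 8 {
		return out, errors.New("expected 16 hex digits")
	}
	copy(out[:], b)
	return out, nil
}

// panField is the PAN part of an ISO 9564-1 format 0 (ANS X9.8) PIN block:
// four zero digits, then the 12 rightmost PAN digits excluding the check digit.
func panField(pan string) ([8]byte, error) {
	if len(pan) < 13 {
		return [8]byte{}, errors.New("PAN too short for format 0")
	}
	body := pan[:len(pan)-1]
	return hexToBlock("0000" + body[len(body)-12:])
}

// FormatPINBlock builds the clear PIN block: control nibble 0, PIN length,
// PIN digits, 'F' padding to 16 digits, XORed with the PAN field.
func FormatPINBlock(pin, pan string) ([8]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return [8]byte{}, errors.New("PIN must be 4 to 12 digits")
	}
	pf, err := hexToBlock(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	if err != nil {
		return [8]byte{}, err
	}
	af, err := panField(pan)
	if err != nil {
		return [8]byte{}, err
	}
	var out [8]byte
	for i := range out {
		out[i] = pf[i] ^ af[i]
	}
	return out, nil
}

// ExtractPIN recovers the PIN from a clear format 0 block, given the PAN.
func ExtractPIN(block [8]byte, pan string) (string, error) {
	af, err := panField(pan)
	if err != nil {
		return "", err
	}
	var pf [8]byte
	for i := range pf {
		pf[i] = block[i] ^ af[i]
	}
	digits := strings.ToUpper(hex.EncodeToString(pf[:]))
	n, err := strconv.ParseInt(digits[1:2], 16, 0)
	l := int(n)
	if err != nil || digits[0] != '0' || l < 4 || l > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	pin := digits[2 : 2+l]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(digits[2+l:], "F") != "" {
		return "", errors.New("malformed PIN block")
	}
	return pin, nil
}

// cryptBlock enciphers (or, with decrypt set, deciphers) one 8-byte block under
// a double- or triple-length Triple DES key: a single ECB block, as X9.8 uses.
func cryptBlock(key []byte, in [8]byte, decrypt bool) ([8]byte, error) {
	if len(key) == 16 { // double-length key used as K1||K2||K1
		key = append(append([]byte{}, key...), key[:8]...)
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return [8]byte{}, err
	}
	var out [8]byte
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out, nil
}

// EncryptPINBlock is what the PIN PAD does before the block leaves the device.
func EncryptPINBlock(pek []byte, clear [8]byte) ([8]byte, error) { return cryptBlock(pek, clear, false) }

// TranslatePINBlock is the zone-boundary step the slide calls PIN translation:
// decrypt under the incoming zone key, re-encrypt under the outgoing one. In
// production this runs inside an HSM and the clear block never leaves it.
func TranslatePINBlock(inKey, outKey []byte, enc [8]byte) ([8]byte, error) {
	clear, err := cryptBlock(inKey, enc, true)
	if err != nil {
		return [8]byte{}, err
	}
	return cryptBlock(outKey, clear, false)
}

// VerifyPIN is the issuer-host step: decrypt under the issuer's zone key,
// unpack the block and compare with the PIN on record.
func VerifyPIN(issuerKey []byte, enc [8]byte, pan, expected string) bool {
	clear, err := cryptBlock(issuerKey, enc, true)
	if err != nil {
		return false
	}
	pin, err := ExtractPIN(clear, pan)
	return err == nil && pin == expected
}

func main() {
	// Constructed sample keys and card data (not real keys or an issued card).
	pek := []byte("pinpad-acquirerK")         // PIN PAD <-> acquirer, 16 bytes
	awk := []byte("acquirer-switch-zoneKey!") // acquirer <-> switch, 24 bytes
	iwk := []byte("switch-issuer-zo")         // switch <-> issuer, 16 bytes
	pan, pin := "4000001234567899", "1234"
	clear, _ := FormatPINBlock(pin, pan)
	atPED, _ := EncryptPINBlock(pek, clear)              // leaves the PIN PAD
	atSwitch, _ := TranslatePINBlock(pek, awk, atPED)    // acquirer HSM
	atIssuer, _ := TranslatePINBlock(awk, iwk, atSwitch) // switch HSM
	fmt.Printf("clear %X\nPED %X\nswitch %X\nissuer %X\nverified: %v\n",
		clear[:], atPED[:], atSwitch[:], atIssuer[:], VerifyPIN(iwk, atIssuer, pan, pin))
}
```

The retailer's exposure described on the slides follows directly: the PED key and the working keys are what an auditor's key-management review protects, because whoever holds them can run the decrypt half of cryptBlock on every PIN block they have ever captured.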

Page 31

PIN Debit Growth

Implications for Retailers: Recent anti-trust victory spurs volume. Savings due to lower interchange. ATM Network Rules much more important. Retailers' efforts to comply with ATM Network Rules must be meaningful!

Page 32

What can CPAs do to help Retailers Reduce Payments Exposure?

Assess the key management health of your retailer client.

Audit your retail client’s third party processor. Ensure your client does not store magnetic stripe data (prohibited by VISA due to risk of counterfeit cards).

Page 33

Other Revenue Opportunities for CPAs

Prepare your clients for rules-driven change. Design and implement a rollout plan to replace non-compliant POS PAD ATMs and “global” keys.

Secure PIN PAD Management. DUKPT and Triple DES Algorithms.

Page 34

What else can CPAs do?

Education of all key management operations personnel, for compliant implementation of key life cycle needed.

Understanding of Network Operating Rules and applicable ANS Standards.

Adequate written policies and procedures needed.

Acquisition of applicable PIN and Key Management Standards.

Page 35

What else can CPAs do?

Review position papers.

Best practices for PIN Debit Security: http://www.nyce.net/pdf/PIN_debit_encryption.pdf

Preparing for the Industry Migration to Triple DES: http://www.nyce.net/pdf/triple_des.pdf

Get involved in the ANS Work Group F6. See http://www.x9.org to locate the standards and audit programs.

Page 36

Privacy Risks for Retailers

Why do Retailers Need to Care? Answer: Collecting debit, credit and check payments requires the retailer to acquire and store non-public, personally identifiable information (NPI).

This triggers FTC liabilities.

Page 37

Privacy Standards For Retailers

Federal Trade Commission (FTC) adopts FFIEC Interagency Standards for Customer Information.

April 2000, FTC Fair Information Practice Principles. Merchants now subject to banking rules through the FTC.

Page 38

Privacy Standards For Retailers (cont’d)

June 26, 2000 - FFIEC issues Interagency Standards for customer information (Federal Register, Vol. 65/123/39475).

Regulators expect Banks and Service Providers to develop “Information Security Programs to ensure the security and confidentiality of customer information and protect against any anticipated threats to the security or integrity of such information….”

Page 39

Privacy Standards For Retailers (cont’d)

“..protect against unauthorized access to, or use of customer information that could… result in substantial harm/inconvenience to customer. Present a “safety & soundness risk.”

Page 40

Privacy Standards For Retailers (cont’d)

Opt-out exceptions to FTC/GLBA Privacy Risks only: For marketing arrangements. Services if the customer authorizes. For fraud protection/risk reduction. Error resolution.

Page 41

Privacy Standards For Retailers (cont’d)

No exceptions to encryption mentioned.

Restriction on sharing of data is not intended to be limited to telemarketing only.

Page 42

FTC Actions Vs. Non-Compliant Retailer

Guess settles FTC Security Charges; third FTC case targets false claims about Information Security.

Agency alleges security flaws placed consumers' credit card numbers at risk to hackers.

Page 43

FTC Actions Vs. Non-Compliant Retailer (cont’d)

In the FTC's third case targeting companies that misrepresent the security of consumers' personal information, designer clothing and accessory marketer Guess Incorporated has agreed to settle Federal Trade Commission charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers.

Page 44

FTC Actions Vs. Non-Compliant Retailer (cont’d)

Contrary to the company's claims, the FTC alleges that Guess did not use reasonable or appropriate measures to prevent consumer information from being accessed at its Web site, Guess.com.

The settlement will require that Guess implement a comprehensive information security program for Guess.com and its other Web sites.

Page 45

FTC Actions Vs. Non-Compliant Retailer (cont’d)

"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. "It's not just good business, it's the law," he said.

Page 46

FTC Actions Vs. Non-Compliant Retailer (cont’d)

“Information would be secure and protected.” The company's claims included… "This site has security measures in place to protect the loss, misuse and alteration of information under our control" and “all of your personal information, including your credit card information and sign-in password are stored in an unreadable, encrypted format at all times."

Page 47

FTC Actions Vs. Non-Compliant Retailer (cont’d)

In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess' security measures failed to protect against SQL and other commonly known attacks. In February 2002, a visitor to the Web site, using an SQL injection attack, was able to read in clear text credit card numbers, stored in Guess' databases, according to the FTC.

Page 48

Requirements

Part II of the Proposed Order requires an Infosec Program in writing that is reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers. Designate an employee or employees to coordinate and be accountable for the Information Security Program.

Page 49

Requirements (cont’d)

Identify material, internal and external risks to the security, confidentiality and integrity of customer information, that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation.

Page 50

Requirements (cont’d)

Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor, the effectiveness of the safeguards' key controls, systems, and procedures.

Evaluate and adjust its Information Security Program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know, may have a material impact on its Information Security Program.

Page 51

Requirements (cont’d)

Perform an assessment and report certifying that: A security program provides protections that meet or exceed the protections required by Part II of this order and…

The security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of consumers' personal information has been protected.

Page 52

Enforcing Privacy Promises

It's important that all retailers, on-line and off, honor the privacy promises they make to consumers. The FTC has encouraged web sites to post privacy notices and honor the promises in them. Many web sites (nearly all of the Top 100 Sites) now post their privacy policies. The FTC has already brought a number of cases under Section 5 of the FTC Act to enforce the promises in privacy statements. The FTC will also investigate claims touting the privacy and security features of products and services.

Page 53

Enforcing Privacy Promises (cont’d)

Retain the documents for three years after the date that each assessment is prepared.

Submit compliance reports to the FTC. Some states (California) pass onerous privacy laws. Encryption on bank-controlled links is a black and white issue. Other state laws… a wild card. More info: http://www.ftc.gov/privacy/index.html

Page 54

Revenue Opportunities for CPAs

Assess whether or not your retail clients have a privacy program.

Regulatory Compliance Risk Assessment.

Information Security Assessments.

Page 55

Check Truncation Act

Emerging Trend: Electronically captures MICR data. MICR data = a one-time debit. MICR data forwarded to check processor. Check processor forwards to ACH or ATM Switch.

Page 56

Check Truncation - Business Issues

Changed float and availability schedules.

Time value of money. Retailers win: less float, less check fraud. Checks move electronically in lieu of trains, planes and automobiles. May facilitate data theft.

Page 57

Why Bother Encrypting?

It’s an FTC regulatory requirement. Check truncation is premised on increasing confidence in electronic check acceptance vs. increasing check fraud risk.

Enticement to steal account holder data increases dramatically when large numbers of checking account numbers are transmitted and stored in clear text.

Page 58

Why Bother Encrypting Truncated Check Files if we don’t Encrypt Individual Checks?

Encrypting checking account information offsets new flavors of old risks. Account takeover (mailbox fraud). Impersonating (spoofing) the check processor of merchant. These risks could retard product acceptance if they are not managed and balanced with cost and implementation issues.

Page 59

Why Bother Encrypting?

Insert a data sniffer between the Store Controller and the Check Processor. Insert a data sniffer between the Check Processor and the Switch, or the Switch and FI. Use a data program to logically inspect data packets. Thousands of retail locations create ample opportunity.

Page 60

Why Bother Encrypting?

Data sniffers are commonplace. Work clandestinely - without a trace. Not a controlled item. Common to all telecommunications personnel. Check fraud would most likely be perpetrated by insiders – technicians.

This risk is no different than the risk in on-line POS – where encryption is used.

Page 61

How Could the Check Fraud Occur?

Collect MICR numbers in bulk. Transfer to desktop publishing packages. Print on high quality paper.

Check paper can be purchased for $8.00.

Forge large numbers of checks under the bank signature review threshold.

Page 62

What are Viable Safeguards?

Hardware encryption. Customer Account/MICR data. Similar to existing encryption of PIN block. Leverage existing PIN PAD infrastructure.

Software encryption. Encrypt same data as with hardware encryption. Link or end-to-end encryption. Encrypts the entire message.

Processor indemnification (least desirable).
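To show what “encrypts the entire message” buys against the sniffer and spoofing scenarios on the preceding slides, here is an added Go example (not the presentation's, and not any vendor's product code) that seals a truncated-check MICR record end to end between a store controller and its check processor with AES-GCM from Go's standard library. The key, route label, routing number and account number are constructed sample values. Binding the route as associated data means a message captured on one link cannot be replayed toward another endpoint, and authentication fails for any party that does not hold the key, which is the spoofing risk the slides mention.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// MICRRecord is what check truncation captures at the POS. The routing and
// account numbers are exactly the fields a sniffer on the line would want.
type MICRRecord struct {
	Routing, Account, CheckNo string
	Cents                     int64
}

// Marshal serializes the record as a '|'-separated line (a constructed wire format).
func (r MICRRecord) Marshal() []byte {
	return []byte(strings.Join([]string{r.Routing, r.Account, r.CheckNo, strconv.FormatInt(r.Cents, 10)}, "|"))
}

// Unmarshal parses the wire format back into a record.
func Unmarshal(b []byte) (MICRRecord, error) {
	f := strings.Split(string(b), "|")
	if len(f) != 4 {
		return MICRRecord{}, errors.New("malformed record")
	}
	cents, err := strconv.ParseInt(f[3], 10, 64)
	if err != nil {
		return MICRRecord{}, err
	}
	return MICRRecord{f[0], f[1], f[2], cents}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record end to end under the key shared by the store
// controller and the check processor. The route label (store -> processor) is
// bound as associated data, so a ciphertext replayed toward a different
// endpoint, or presented by a party without the key, fails to open.
func Seal(key []byte, route string, rec MICRRecord) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, rec.Marshal(), []byte(route)), nil
}

// Open authenticates and decrypts at the far end. Any change to the bytes on
// the wire, or a mismatched route or key, yields an error rather than data.
func Open(key []byte, route string, msg []byte) (MICRRecord, error) {
	g, err := gcm(key)
	if err != nil {
		return MICRRecord{}, err
	}
	if len(msg) < g.NonceSize() {
		return MICRRecord{}, errors.New("message too short")
	}
	plain, err := g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], []byte(route))
	if err != nil {
		return MICRRecord{}, err
	}
	return Unmarshal(plain)
}

// SnifferSees is the view of a tap on the link between the store controller
// and the processor: does the account number appear in what passes by?
func SnifferSees(wire []byte, rec MICRRecord) bool {
	return bytes.Contains(wire, []byte(rec.Account))
}

func main() {
	// Constructed sample key and check data; nothing here is a real account.
	key := []byte("store-processor-shared-key-32B!!") // 32 bytes, so AES-256
	rec := MICRRecord{Routing: "000000518", Account: "123456789012", CheckNo: "1042", Cents: 4599}
	route := "store-77->processor-1"
	sealedWire, _ := Seal(key, route, rec)
	fmt.Println("sniffer sees account in clear wire:", SnifferSees(rec.Marshal(), rec))
	fmt.Println("sniffer sees account in sealed wire:", SnifferSees(sealedWire, rec))
	got, err := Open(key, route, sealedWire)
	fmt.Println("processor opens:", got, err)
}
```

Link encryption would decrypt and re-encrypt at every hop, so a tap at the processor or switch could still read the record; sealing at the store controller and opening only at the processor is the end-to-end option the slide lists.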

Page 63

How do I Know That Encryption is Really Viable?

Common uses of line encryptors: EFT Switch to settlement ACH banks. ACH processing - debit and credit applications. Remote banking and e-commerce.

Page 64

More Info About Encryptors

Link encryptors used successfully since the 1980‘s.

Most common problems are in key synchronization.

These issues are not characterized by users as severe.

Transaction throughput is no longer an issue, as processor speeds have increased.

Average cost per node is about $1800.

Page 65

Who makes line encryptors?

Racal, Cylink, Ravlin

Page 66

Who Makes Line Encryptors?

What about the telecommunications protocol? RACAL and Cylink product literature state that they support: TCP/IP Routers, Simple Network Management Protocol, Asynchronous Transmission, Full Duplex, PBX, Multiple Data Transfer Rates, Frame Relay up to 256 kbps, Dial-up Remote Support.

Page 67

Who Makes Line Encryptors?

Can hackers easily defeat encryption? The product literature indicates support for strong encryption: Triple DES, Diffie-Hellman.

Scant economic incentive for hackers to attempt to attack data encrypted with strong methods.

Requires over 20 years and several million dollars to decrypt Triple DES or stronger encrypted data.

Page 68

Implications

Summary

Truncating check data and converting it to electronic format could facilitate mass theft of customer information, because the incentive to steal increases when the reward increases and the risk of detection is minimal.

Page 69

Privacy Implications for Retailers

The Federal Trade Commission, the nation's consumer protection champion, plays a vital role in protecting consumers' privacy. The agency's pro-privacy agenda emphasizes both enforcement and education.

Any non-cash payment triggers obligations.

Page 70

Web Payment Channels

Risks retailers need to manage. Account Information Theft. Card not present fraud. Card Skimming/Counterfeit. Fraudulent Applications and Identity Theft.

Page 71

Web Payment Fraud Trends

Increased card compromises at third party processors and merchants attract payment network and regulatory attention.

VISA launches its Cardholder Information Security Program (CISP).

Merchants must comply or may lose access to the VISA brand.

MasterCard has similar intentions.

Page 72

4 Key Characteristics of an Acceptable Web Payment Solution

Prevent session/credential theft or replay. Authenticate user. Authenticate terminal. Authenticate access device.

Page 73

How Does CISP Work?

CISP defines a standard of due care for safeguarding cardholder information.

Compliance audits for high-risk merchants. Self-assessment for all others. VISA or third party processors will push requirements to merchants. 12 key CISP control objectives.

Page 74

12 CISP Control Objectives

Install a working firewall. Keep security patches updated. Protect stored data. Encrypt data transmissions using public networks. Use and update anti-virus software. Restrict access by need-to-know.

Page 75

12 CISP Control Objectives (cont’d)

Assign unique IDs. No use of default passwords. User ID tracking and accountability. Test security systems. Implement a security policy. Restrict physical access to data.

Page 76

Web Payment Channels

More info on VISA CISP available by email at: [email protected]

Some insurers require security audits as a condition of coverage for fraud & computer crime.

Page 77

Opportunities for CPAs

Become a Visa Certified Provider. SSAE Type Reviews. Encryption Key Management Reviews.

Page 78

Other Business Risks

Regulation E. You must provide adequate receipts: Time, Locator Number, Amount. Dispute Resolution.

Page 79

Another Risk with Receipts

Regulation E requires truncation of card and account numbers on receipts.

Beware of Dumpster Diving.
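Two controls on this page are easy to check mechanically: receipts must show only a truncated account number (Regulation E, above), and stored records must never contain full magnetic stripe data (the VISA prohibition on page 32). The Go program below is an added example, not part of the presentation: MaskPAN produces the truncated receipt form, and ScanRecord looks through stored log or export lines for track 1 and track 2 data and bare PANs, using a Luhn check so that order numbers and timestamps are not flagged. The sample records and the 16-digit test number are constructed; the track layouts follow the common magnetic stripe conventions (track 1 begins with %B and separates fields with ^, track 2 begins with ; and separates the PAN from the expiry with =).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// luhnValid reports whether a digit string passes the Luhn check, which
// filters out most order numbers and timestamps that merely look like PANs.
func luhnValid(s string) bool {
	if len(s) < 13 {
		return false
	}
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN returns the truncated form a customer receipt may carry: only the
// last four digits remain, the rest are replaced by '*'.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

var (
	// Track 1: '%B' PAN '^' name '^' expiry (YYMM), service code and discretionary data, '?'
	track1 = regexp.MustCompile(`%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\??`)
	// Track 2: ';' PAN '=' expiry (YYMM), service code and discretionary data, '?'
	track2 = regexp.MustCompile(`;(\d{13,19})=\d{4}\d*\??`)
	// A bare run of 13 to 19 digits; it only counts if it passes Luhn.
	panRun = regexp.MustCompile(`\b\d{13,19}\b`)
)

// Finding is one item of prohibited data found in a stored record. The PAN is
// reported masked so the finding itself does not become another copy.
type Finding struct {
	Kind   string // "track1", "track2" or "pan"
	Masked string
}

// ScanRecord inspects one stored record (log line, database export line,
// receipt copy) for full magnetic stripe data and unmasked PANs.
func ScanRecord(rec string) []Finding {
	var out []Finding
	seen := map[string]bool{}
	for _, tr := range []struct {
		kind string
		re   *regexp.Regexp
	}{{"track1", track1}, {"track2", track2}} {
		for _, m := range tr.re.FindAllStringSubmatch(rec, -1) {
			if luhnValid(m[1]) {
				out = append(out, Finding{tr.kind, MaskPAN(m[1])})
				seen[m[1]] = true
			}
		}
	}
	for _, p := range panRun.FindAllString(rec, -1) {
		if !seen[p] && luhnValid(p) {
			out = append(out, Finding{"pan", MaskPAN(p)})
			seen[p] = true
		}
	}
	return out
}

func main() {
	// Constructed sample records; the PAN is a Luhn-valid test number, not an issued card.
	records := []string{
		"2004-07-20 09:01 lane3 swipe %B4000001234567899^DOE/JANE^07061011000000?;4000001234567899=07061011000000?",
		"2004-07-20 09:02 order 1234567890123456 approved card " + MaskPAN("4000001234567899"),
		"2004-07-20 09:05 refund pan=4000001234567899 amount=12.00",
	}
	for _, r := range records {
		fmt.Printf("%+v\n", ScanRecord(r))
	}
}
```

Run against a POS log export or a database dump, a non-empty result on the first or third kind of record is exactly the stored data the slides say a retailer must not keep; the second record shows that a properly truncated receipt line and an unrelated order number produce nothing.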

Page 80

Performance Risk

Do everything you can to promote a higher uptime and authorization rate.

Help your client avoid the “melting ice-cream syndrome.”

Consider DSL, Ethernet and IP-based networks.

Better handle electronic checks, loyalty programs and data mining.

Page 81

Performance Risk

Caveat: All Ethernet, IP and DSL networks require a firewall. Beware of wireless risks at the POS. More info: http://www.cisecurity.org

Page 82

Questions ?

Thanks for your attendance!