Threat Landscape: Skimming At The Point Of Sale - Visa


Threat Landscape: Skimming at the Point of Sale
Tia D. Ilori, Sr. Director, Visa, Global Fraud & Breach Investigations
Chris Forsythe, Sr. Risk Analyst, Visa, Payment Fraud Disruption & Intelligence
28 June 2016

Skimming at the Point of Sale | 28 June 2016 | Visa Public

Disclaimer

The information or recommendations contained herein are provided "AS IS" and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. When implementing any new strategy or practice, you should consult with your legal counsel to determine what laws and regulations may apply to your specific circumstances. The actual costs, savings and benefits of any recommendations or programs may vary based upon your specific business needs and program requirements. By their nature, recommendations are not guarantees of future performance or results and are subject to risks, uncertainties and assumptions that are difficult to predict or quantify. Assumptions were made by us in light of our experience and our perceptions of historical trends, current conditions and expected future developments and other factors that we believe are appropriate under the circumstance. Recommendations are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the assumptions or recommendations. Visa is not responsible for your use of the information contained herein (including errors, omissions, inaccuracy or non-timeliness of any kind) or any assumptions or conclusions you might draw from its use. Visa makes no warranty, express or implied, and explicitly disclaims the warranties of merchantability and fitness for a particular purpose, any warranty of non-infringement of any third party's intellectual property rights, any warranty that the information will meet the requirements of a client, or any warranty that the information is updated and will be error free.

To the extent permitted by applicable law, Visa shall not be liable to a client or any third party for any damages under any theory of law, including, without limitation, any special, consequential, incidental or punitive damages, nor any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, even if advised of the possibility of such damages.

Agenda

- Global Data Compromise Landscape
- Modus Operandi of a Typical Skimming Attack
- Safeguarding Against Skimming
- Detecting, Responding and Reporting a Skimming Incident
- Key Takeaways

Global Data Compromise Landscape
Tia D. Ilori, Senior Director, Global Fraud and Breach Investigations, Visa Inc.

Visa Security Pillars

- Devalue Data: remove sensitive data. Render data useless for criminals, reducing the incentive for payment breaches.
  - Tokenization
  - EMV
- Protect Data: safeguard payment data.
  - Encryption
  - PCI DSS
  - Breach Response
- Harness Data: prevent fraud. Identify fraud before it occurs and increase confidence in approving good transactions.
  - Risk-Based Authentication
  - One-time Passcode
  - Dynamic CVV2
- Empower Consumers: engage cardholders as an underutilized resource in fighting fraud.
  - Transaction Alerts
  - Spend Controls
  - Geolocation

Transactional Threat Intelligence

Intelligence comes from recognizing fraud patterns and predicting fraud activity.

Breach Detection Cycle (Cardholder, Issuing Bank, Visa, Merchant Bank):
- Cardholders report fraud to their bank
- Banks report fraud to Visa (CPP)
- Visa reports fraud to other banks
- Breach found, stopped

One major limitation: what if there is no fraud?

Global Fraud and Breach Investigation Trends

Breach Events by Entity Type and Merchant Level

  Entity Type    2013    2014    2015    2016*
  Level 1          1%      1%      1%      0%
  Level 2          1%      1%      1%      1%
  Level 3          4%      4%      5%      9%
  Level 4         92%     93%     91%     87%
  Agent            1%      1%      3%      2%
  Other            1%      0%      0%      0%
  Total          100%    100%    100%    100%

- As a proportion of the total number of breach events, Level 4 (L4) merchants represent 90% of compromise cases investigated in 2015
- Nearly half of the at-risk accounts distributed through CAMS in 2015 were attributed to L4 merchants
- Small merchant compromises are fueled by use of insecure Integrator/Resellers
- Threat actors continue to target smaller interconnected merchants in large numbers

[Chart: Level 1 breach events, 2013 to 2016*; labels shown: 17%, -29%]

- Visa investigated fewer large merchant breaches in 2015; down 29% from 2014
- However, skimming attacks across the grocer and retail verticals are on the rise
- U.S. large breaches comprised 53% of the total at-risk accounts distributed in 2015, related to large hotel and restaurant events

*2016 year-to-date through May
Source: Compromised Account Management System (CAMS), original "IC" and "PA" Alerts

Global CAMS Distribution

[Chart: Percentage of Compromises; Compromised Account Management System (CAMS) alerts distributed by %, by region (NA, LAC, VE, AP, CEMEA), 2013 to 2016*; labels shown: 57%, 11%]

- In 2015, total CAMS alerts increased to the highest level in 3 years
- The sheer magnitude of the number of small merchants worldwide, especially in the United States, comprises the majority of reported compromises
- Investigations revealed cyber criminals exploiting inadequate controls to gain unauthorized access to the POS systems of small Level 4 merchants and then ultimately to their payment card data

*2016 year-to-date through May
Source: Compromised Account Management System (CAMS), original "IC" and "PA" Alerts

Fraud Migration to Other Channels

Fraud migrating to e-commerce, automated fuel dispensers, and ATMs

CNP / e-commerce
- Fraud and attacks will continue in CNP / e-commerce channels
- Attackers will exploit insecure websites and mis-configured security settings
- Internet-facing websites at risk
- Scan for vulnerabilities
- Be aware of OWASP Top 10

AFD (automated fuel dispensers)
- EMV liability shift in October 2017
- Stations in remote locations often targeted
- Skimmers and overlays more sophisticated and harder to detect
- Regularly check pumps for devices
- Review POS for overlays
- Know who to contact if an attack is known or suspected

ATM
- EMV liability shift in October 2017
- Overlays and cameras are more sophisticated
- Remote locations at higher risk
- Regularly check ATMs
- Ensure software is kept up to date
- Know who to contact if an attack is known or suspected

Card Skimming: ATM Trends

- Skimming continues to be the #1 cause of fraud loss on ATMs
- Criminal techniques have grown increasingly sophisticated and diversified to avoid anti-skimming defenses
- An arms race:
  - Industrialization
  - Avoidance techniques
  - Sabotage
  - Side channels

Rise in Skimming Attacks

- Criminals are targeting mag stripe data
- Criminals are shifting their attacks to skimming
- Increase in reported skimming attacks in the news
- Criminals are targeting:
  - Self-checkout terminals
  - Automated fuel dispensers
  - White-label ATMs
- Increasing sophistication of attacks and technology
- All stores targeted, regardless of whether they are 100% EMV enabled
- Skimming overlays:
  - 3D printers leveraged by criminals
  - Placed in seconds, not minutes as with physical swaps
  - Easier to deploy in large numbers

Modus Operandi of a Typical Skimming Attack
Chris Forsythe, Senior Risk Analyst, Payment Fraud Disruption and Intelligence, Visa Inc.

Modus Operandi of a Typical Attack

- Suspects will operate in groups of 2 to 3
  - 1st suspect places the device
  - 2nd suspect provides cover, shielding any view of the device placement; may utilize large items at checkout
  - 3rd suspect acts as lookout and provides counter-surveillance
  - Suspects may scout a location prior to placing a device, so be aware of individuals that appear out of place
- Targeted terminals include:
  - Self-checkout lanes
  - Coffee stands
  - Deli counters
  - Regularly unattended devices

Skimmers Caught on Tape (Video)

Overlay Examples

Criminal Lab Raid: Germany

Safeguarding Against Skimming

Device Inventory Management

- Daily checks of POS terminals
  - Use teams when inspecting devices
- Maintain a log of devices and their locations within the business
- Use unique markings/stickers on your devices to quickly identify overlays
- Utilize tamper screws or cable locks
- Identify key risk areas where attacks may occur
  - High volume
  - Unattended
  - Areas with limited visibility

Use of Contactless Card Readers to Minimize Skimming Risks

Magnetic Stripe Vulnerabilities
- Markets that use magnetic stripe are more vulnerable to counterfeit
- EMV chip cards reduce the risk
- Card skimming still occurs in EMV markets, because the data can be used in non-EMV markets

Contactless Security Benefits
- Reduces the risk of card data being skimmed, since there is no dip or swipe
- Excellent migration properties
- Just one solution to reduce the risk

Always Use PCI Approved Devices

- Follow Visa deployment requirements for use of only PCI approved PIN Entry Devices
- As a best practice:
  - Use only PCI approved Unattended Payment Terminals (UPT)
  - Use devices that are PCI approved for Secure Reading and Exchange of Data (SRED)
- Switch to EMV terminals
- Monitor for changes to internal serial numbers of devices
- Monitor for connectivity changes
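The two inventory slides above (keep a log of devices and locations; monitor for changes to internal serial numbers and to connectivity) describe a daily control that is easy to automate. The script below is an added example written for this page; it is not Visa's code and not part of the deck. It assumes the merchant already records each terminal's asset tag, location, serial number, network identity (MAC and switch port) and tamper-seal status in a baseline log, and that the daily inspection plus a network poll produce the same fields. All device records are constructed for illustration.

```python
"""Daily POS terminal inventory check (added example, not Visa's code).

Compares a baseline inventory log against today's inspection and network
poll, and flags what the slides say to watch for: changed serial numbers,
missing or unknown devices, connectivity changes and broken tamper seals.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Terminal:
    device_id: str      # merchant's own asset tag / sticker marking
    location: str       # lane or counter within the store
    serial: str         # internal serial number reported by the device
    mac: str            # network identity observed on the LAN
    switch_port: str    # physical port the device should be cabled to
    seal_intact: bool   # tamper screws / seal verified during the daily check


# Constructed baseline inventory (what was logged at deployment).
BASELINE: Dict[str, Terminal] = {
    "T-01": Terminal("T-01", "Lane 1", "SN-A1001", "00:11:22:33:44:01", "Gi1/0/1", True),
    "T-02": Terminal("T-02", "Self-checkout 3", "SN-A1002", "00:11:22:33:44:02", "Gi1/0/2", True),
    "T-03": Terminal("T-03", "Deli counter", "SN-A1003", "00:11:22:33:44:03", "Gi1/0/3", True),
}

# Constructed result of today's inspection plus a network poll.
TODAY: Dict[str, Terminal] = {
    "T-01": Terminal("T-01", "Lane 1", "SN-A1001", "00:11:22:33:44:01", "Gi1/0/1", True),
    # Serial and MAC differ from the log and the seal is broken: consistent with a swapped device.
    "T-02": Terminal("T-02", "Self-checkout 3", "SN-B7731", "00:11:22:33:44:99", "Gi1/0/2", False),
    # Same device, but now cabled to a different switch port.
    "T-03": Terminal("T-03", "Deli counter", "SN-A1003", "00:11:22:33:44:03", "Gi1/0/7", True),
    # A terminal that was never entered in the inventory log.
    "T-09": Terminal("T-09", "Coffee stand", "SN-C0001", "00:11:22:33:44:09", "Gi1/0/9", True),
}


def compare_inventory(baseline: Dict[str, Terminal],
                      current: Dict[str, Terminal]) -> List[str]:
    """Return one finding per discrepancy, each prefixed with the device id."""
    findings: List[str] = []
    for dev_id in sorted(set(baseline) | set(current)):
        base, now = baseline.get(dev_id), current.get(dev_id)
        if base is None:
            findings.append(f"{dev_id}: UNKNOWN device at {now.location}, not in inventory log")
            continue
        if now is None:
            findings.append(f"{dev_id}: MISSING from {base.location}")
            continue
        if now.serial != base.serial:
            findings.append(f"{dev_id}: SERIAL changed {base.serial} -> {now.serial} (possible device swap)")
        if now.mac != base.mac:
            findings.append(f"{dev_id}: MAC changed {base.mac} -> {now.mac}")
        if now.switch_port != base.switch_port:
            findings.append(f"{dev_id}: CONNECTIVITY changed {base.switch_port} -> {now.switch_port}")
        if not now.seal_intact:
            findings.append(f"{dev_id}: TAMPER seal not intact at {now.location}")
    return findings


if __name__ == "__main__":
    for line in compare_inventory(BASELINE, TODAY):
        print(line)
```

Every finding is tied to a device id and location so the inspection team knows which lane to walk to; a serial or MAC change on a device whose seal is also broken is the case that warrants following the incident-response steps later in the deck rather than a quiet re-baseline.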

Detecting, Responding and Reporting a Skimming Incident

Responding to a Skimming Incident

What to do if a skimmer is found:

- Do not approach or confront anyone who looks suspicious
  - They might be installing or removing a skimming device
  - They may be armed and dangerous
- Document and take pictures of the skimming device as-is
  - Document before and after removal
  - Document date/time
- Use protective gloves to remove the device
  - Criminals may leave DNA on the device
  - Keep it in a protective bag and store it securely
- Contact the local authorities and the U.S. Secret Service (U.S.S.S.)
  - The U.S.S.S. is the law enforcement branch responsible for investigating these crimes
- Review CCTV for surveillance of suspects
- Notify your acquirer, who will coordinate the investigation with Visa

How to Report a Compromise to Visa

Review the "What To Do If Compromised" guidelines, complete the questionnaire, and send it to Visa / your acquirer:

1. Complete the Incident Questionnaire
2. Issuers send it to Visa Fraud and Breach Investigations; merchants send it to their acquirer (who will forward it to Visa)
3. Skimming incidents often involve the compromise of highly sensitive PIN data; issuers must be notified of the potential at-risk accounts quickly
4. Try to determine the potential Window of Exposure of the event
5. Pulling at-risk accounts: issuers pull and send compromised accounts to Visa via CAMS*; acquirers pull and send in the compromised accounts on behalf of the merchant via CAMS
6. Visa will distribute the at-risk accounts to the affected issuers via CAMS

* Note: most issuers are set up as CAMS receivers only; send an email to VAA VRM@Visa.com to become a submitter

Key Takeaways

Conclusion and Recap: What to Expect

- Be aware that, due to the EMV liability shift, fraud and compromises will likely migrate to other channels
- Recognize that criminals are targeting mag stripe data and transactions
- Skimming devices are becoming more sophisticated
- Increase inspections and understand how to identify different types of skimming devices
- Learn best practices for safeguarding against skimming attacks
- Conduct regular, ongoing training for current and new employees
- Know what to do if a skimmer is found and how to report a suspected compromise
- These attacks are not limited to in-store devices; check kiosks and ATMs
- Key to mitigating and preventing additional data loss is having a strong response plan in place

Visa Security Alerts

Information on the latest skimming attacks: visit www.visa.com/cisp for recent Skimming Security Alerts from Visa.

Upcoming Events and Resources

Resources
- PCI Standards Council: Skimming Prevention
- Visa's "What To Do If Compromised" guidelines
- Visa's "Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants" guidelines

Visa Data Security Website (www.visa.com/cisp)
- Alerts, Bulletins
- Best Practices, White Papers
- Webinars

PCI Security Standards Council Website (www.pcissc.org)
- Data Security Standards: PCI DSS, PA-DSS, PTS
- Programs: ASV, ISA, PA-QSA, PFI, PTS, QSA, QIR, PCIP, and P2PE
- Fact Sheets: ATM Security, Mobile Payments Acceptance, Tokenization, Cloud Computing, and many more

Questions?
