330 likes | 517 Views
Fraud Prevention and Risk: Protecting Your Procurement Card Program. Presented By Patricia Larkin Green, VP, Relationship Manager J.P.Morgan, Wholesale Card & Procurement Services Betty Heimansohn, CPPB, Procurement Card Manager University of Colorado April 20, 2009. Overview.
E N D
Fraud Prevention and Risk: Protecting Your Procurement Card Program Presented By Patricia Larkin Green, VP, Relationship Manager J.P.Morgan, Wholesale Card & Procurement Services Betty Heimansohn, CPPB, Procurement Card Manager University of Colorado April 20, 2009
Overview • Patricia Larkin Green, J.P.Morgan • Evolving History and Trends • Steps J.P.Morgan is taking to Combat Fraud • Betty Heimansohn, University of Colorado • How CU is Keeping Credit Card Fraud at Bay • Addendum • Questions, Concerns
3 Types of Fraud • Lost: Recovery varies • Stolen: Recovery varies • Non-receipt: NRI - Non-receipt of card • Internet: Card Not Present/MOTO/Internet: Recovery is good • Counterfeit/skimming: Card present - Recovery unlikely thru chargeback process • Stolen/compromised number: Recovery varies • Account takeover: True name fraud
4 Fraud by Type 4Q06 – 3Q07 Counterfeit and Card Not Present Fraud are the fastest growing fraud type today Card Not Present Counterfeit Lost NRI Acct Takeover Stolen Misc Consumer Credit and Commercial Card
5 Fraud types change and continue to evolve Fraud Trends • Increase in Counterfeit Cases– 1Q09 trending higher than FY08. • Test Merchants– Method in which fraudsters test the status of the card. • Gift Cards– Counterfeit card used to purchase gift cards from a retail merchant. • Day to Day Living Expenses– Not easily detected in the tools. • Gas Pumps– Focused on states with fewer controls.
Industry Landscape Fraud activity - Dynamic and nimble. “Carder” Sites - Well organized with business like structures. Wireless Technology - One of the leading drivers in hacking events. Skimming - Continues to challenge the industry.
Association Alerts Four step process is followed to validate a compromise occurred. Issued after confirmation that account data has been accessed by an intruder. JPM Commercial Card handles about twelve alerts per week. Not a breach involving JPM systems. Assessment is done by JPM to determine level of risk and strategy. JPM cannot reveal the name of the merchant or company involved in the breach.
Fraud Strategy and Case Analytics • Review of fraud cases to identify fraud trends and patterns of test (probe) merchants. • Adjust fraud tools and strategies to target the most recent trends or test merchants. • Review false positive fraud ratios weekly and revise strategies if needed to reduce fraud exposure without impacting spend • Participate in regular meetings with processors, Associations and other issuers to validate industry trending. • Identify Common Points of Purchase(CPP) in relation to confirmed fraud cases. We turn this over to the Associations for forensic investigation. • Work with law enforcement on large fraud cases that involve suspected fraud rings. • Suggest and implement enhancements to further refine fraud detection tools.
What is JPMC Doing? Analyze accounts queued in the Fraud Detection Systems or via Association Alerts to detect fraud, misuse or credit related risks (i.e. NSF Payments). Contact Cardholders to validate transactional activity. Work with the Program Administrators in reaching card members. Block accounts, flag fraud transaction(s), fraud report confirmed fraud to Associations. Process replacement card requests. Initiate recommendations on strategic opportunities related to trends and test merchants. Handle Inbound calls to verify transaction activity. Partner with Program Coordinators on potential misuse in escalation to the Program Administrators.
10 1. Unique designed credit card What is J.P.Morgan Doing to Prevent Fraud? • Hologram • Tamper-evident signature panel • Unique Magnetic strip encoding
11 2. Partner with Visa and MasterCard What is J.P.Morgan Doing to Prevent Fraud? • E-mail alerts are generated from Visa/MasterCard notifying of account number compromise • J.P.Morgan security representatives review accounts and make proper contact with cardholders or administrators based on information obtained from Visa and MC alerts • J.P.Morgan security representatives contacts appropriate agency – FBI, Secret Service, or other law enforcement agencies with pertinent fraud information based on requirements within the Visa or MC alert
12 What is J.P.Morgan Doing to Prevent Fraud? 3. Cardholder and client awareness • J.P.Morgan works with program administrators to develop proper card control to reduce risk i.e: • MCC codes • credit limits • purchase velocity limits • Participate at conferences and forums to educate cardholders and clients on current trends and fraud prevention
13 What is J.P.Morgan Doing to Prevent Fraud? 4. Fraud detection systems • FlexibleFraud detection systems are used that provide the ability to target both general fraud trends as well as specific trends • Criteria/rules dynamically defined based on analysis of current fraud trends • Fraud patterns • Specific MCC • Dollar amounts • Geographic location • Specific merchants
14 What is J.P.Morgan Doing to Prevent Fraud? 4. Fraud detection systems (cont) • When authorizations meet these pre-defined criteria, the account is sent to queue • J.P.Morgan security representatives analyze account and determine if contact with cardholder and/or program administrator is needed • Merchant referral status put on account if appropriate
15 Fraud Investigations and Recovery Fraud Department Structure • Partner with Program Coordinators on potential misuse in escalation to Program Administrators. • Initiate recommendations to Clients on strategic opportunities related to improved authorization controls. • Open Fraud Cases • Fraud Report to the Associations • Send Affidavit • Request and initiate chargeback for recoveries via Association regulations • Investigate High Risk Merchant Category Codes to identify potential suspect • Analyze for account history for potential point of compromise • Work with various law enforcement agencies
16 SALE Fraud Chargeback Process • J.P.Morgan puts temporary credit on account • Orders copy of sales draft-30 days • Affidavit sent and customer to return within 30 days • Customer calls to report fraud • If merchant contests, case in arbitration with Visa-30 days • Representment of charge to merchant • Merchant can dispute-45 days • Settlement of decision by Visa • Second representment of charge to merchant-30 days
17 Fraud Investigations and Recovery Fraud Department Structure • Recovery Investigations • Upon receipt of the signed affidavit the Recovery Investigator will initiate request to the merchant(s) to obtain documentation on the fraud transaction(s) (This process takes approximately 45-90 days) • If JPMorgan Chase recovers the loss via the Association Regulations the Recovery Investigator will issue credit(s) for the fraud dollars to the old (lost/stolen) account to offset the initial debit that was placed on the old account when the case was initially opened.
Minimize Risk – Your Role Use card controls available: Restrict MCCs when possible, especially high risk MCCs. Set daily velocity and dollar limits on MCCs. Review the credit limits and determine based on usage. Set limits for the expected usage. Cash access should only be granted as needed. Flag can be set to restrict all foreign transactions in some cases.
Minimize Risk – Your Role Program Monitoring: Review transactions for exceptions and declines. Educate your cardholders to: review their transactions and statements. go into a bank to get cash or use a bank owned ATM. Use account blocking for temporary leaves or infrequent travelers.
Case Study Company A Fraud Losses 2006 $88,000 2007 $86,000 2008(YTD) $18,448 Increase in fraud loss trend detected. MCC changes implemented May, 2007. Over $50,000 in fraud losses avoided in two months. Common point of compromise identified and reported to Association. Investigation resulted in confirmation of a merchant breach.
University of Colorado Denver campus Anschutz Medical campus Colorado Springs campus Boulder campus
$83M in Spend Last Year 309,000 Transactions 5000 Cardholders 900 Approvers Unrecoverable Fraud is Minimal CU’s Procurement Card Program
Controls on the Cards Merchant Category Codes (MCC) Groups Include Groups No Gas or Travel Cardholder Limits Maximum Single Purchase Limit $ Limit per Cycle # of Transactions per Day Protecting CU’s Procurement Card Program
Keep the End-Users Informed Bi-Weekly Newsletter Email Alerts Ad Hoc Immediate Notification of Transactions Procurement Card Program Handbook Protecting CU’s Procurement Card Program
Special Section in the CU Procurement Card Handbook on Security Considerations:
Watch for Red Flags Excessive Declines Unusual Merchants Cardholder Awareness Small $ Purchases Pay Attention to Notifications of Charges Phishing Emails Protecting CU’s Procurement Card Program
Guarding the Data Use Encryption Program (Some are free!) Don’t Keep Card #s or Personal Information on the Desktop Work with IT to Make Sure Systems are PCI Compliant Protecting CU’s Procurement Card Program
Betty Heimansohn, CPPB University of Colorado Procurement Card Manager 303-315-2778 betty.heimansohn@cu.edu CU Procurement Card Program https://www.cusys.edu/psc/purchasing/procurementcard/ Patricia Green, VP Product Specialist JPMorgan patricia.m.green@jpmchase.com abuse@jpmc.com to report scams Resources
Top Merchant Category Codes – Fraud Losses 5310 Discount Stores 5411 Grocery Stores and Supermarkets 5200 Home Supply Warehouse 5941 Sporting Goods 5311 Department Stores 5541 Service Station 5542 Automated Gas Pump 5912 Drug Store and Pharmacy (Gift Cards) Other High Risk Merchant Category Codes 5732 Electronic 5944 Jewelry Watch and Clocks 5945 Hobby Toy and Game Store 5948 Luggage and Leather Goods 5722 Household Appliances 5300 Wholesale Clubs 5734 Computer Software 4812 Telecommunication Equipment Including Telephone Sales Resources High Risk MCCs Block or Data-Mine These MCCs
Resources Why are my passwords so complex? Did you know how long it tacks a hacker to crack a password?
http://www.ic3.gov http://www.fbi.gov http://www.ftc.gov http://www.lookstoogoodtobetrue.com/ Resources Where can I go for more information? We can all play a significant part in thwarting Fraudulent activity by practicing strong computer security habits such as updating anti-virus software, using strong passwords and employing good email and web security practices.