Kevin Christensen, Vice President of Audit · 2020-03-31 · Interchange fee limitations The...
Payment Card Network Update
Kevin Christensen, Vice President of Audit
Agenda
Industry Trends
Third Party Risk Management
Windows XP
PCI Validation
Social Media
NIST Cybersecurity
Marijuana and Banking
Disclaimer
The following does not constitute legal advice and does not create any attorney-client relationship. The information provided herein may not be applicable in all situations, should not be treated as legal advice, and should not be acted upon without specific legal advice from your counsel based on the facts and circumstances of your institution. SHAZAM makes no representations or warranties as to the accuracy or completeness of this information.
Industry Trends
In a word …
2014 Electronic Transaction Processing Environment
Multiple new technologies
Exclusivity of acceptance
Multiple new players
Concentration of issuer mass
Forces at Play
2014 Electronic Transaction Processing Environment
Tokenization: Brands including American Express® and Discover® dictating standards for card-not-present transactions
Mobile and NFC: Controlled standards by PCI and EMVCo dictating transaction path
EMV: Technology controlled by MasterCard® and Visa® dictating transaction path
Multiple Technologies
2014 Electronic Transaction Processing Environment
Person to Person: MasterCard Money Send, VISA OCT, Square® Cash, PayPal, Braintree Venmo
Decoupled Debit: Target® REDcard
Merchant Controlled Closed Loop Systems: Merchant Customer Exchange (MCX)
Nontraditional Debit: PayPal™, Bitcoin, Dwolla®, Apple®, Amazon®
Multiple Players
2014 Electronic Transaction Processing Environment
Willingness of the larger cores to trade routing options and costs for processing revenue
Through its members, stopped Same-Day ACH, preventing competition to their tightly controlled product
Top 5 institutions control 70% of consumer transaction accounts
The Clearing House Association
Massive acceptance leverage (clearXchange P2P)
Concentration of Issuer Mass
2014 Electronic Transaction Processing Environment
Ultimately, the only payments stakeholder not controlled by Regulation II rules
Enormous power by the acquirer processors to aggregate merchant acceptance in exchange for processing revenue
Integration of Payment Verticals
2014 Electronic Transaction Processing Environment
Regulation II challenges
Market forces
Loss of Federal Reserve volumes
Federal preemption
Regulatory Intervention
NACS vs. Board of Governors of the Federal Reserve System
Challenge filed by a group of merchant trade associations and individual merchants to the interchange fee limitations and network exclusivity requirements set forth in Regulation II, Debit Card Interchange Fees and Routing (“Regulation II”)
Basis of the Challenge
Interchange fee limitations: the inclusion of not only incremental costs incurred by an issuer with respect to authorization, clearance, or settlement of a particular electronic debit transaction (referred to as “incremental ACS costs”), but also certain fixed costs the Board found to be specific to a particular transaction
Routing and exclusivity: requiring the enablement of at least two unaffiliated networks on a debit card, regardless of the authentication type (i.e., one PIN network and one signature network)
Case History and Status
D.C. District Court ruled in favor of the merchants
Board appealed to the Court of Appeals in Washington D.C.
Oral arguments January 17, 2014
Court of Appeals ruled in favor of the Federal Reserve on March 21, 2014
Final Decision
The Federal Reserve Board (FRB) didn’t exceed Congress’s intent in setting the new “swipe fee” limits. The appeals court ruled the provision in the law was written in such a way the FRB had discretion to set the interchange fee standard as the agency saw fit.
Upheld the FRB’s rule which prohibits payment card network exclusivity arrangements and routing restrictions for debit card transactions.
Final Decision
Further explanation is needed from the FRB to justify why so-called “transactions monitoring costs” were treated as a separate allowable cost from the conditional fraud-prevention adjustment component of interchange.
Pending this explanation, regulated institutions with more than $10 billion in assets will not see any changes in interchange.
The court of appeals decision usually will be the final word in the case, however, an appeal to the U.S. Supreme Court is possible.
Third Party Risk Management
The Future
Third Party Risk Management
Increased reliance on non-bank providers prompted agencies to re-release guidance related to third party risk management
Third party service providers are defined as all entities that have entered into a relationship to provide business functions or activities
Third Party Risk Management
Assess your risk: Identify and inventory vendors based on criticality of the services provided
Vendor concentration: Develop a vendor risk program proportionate with risk and complexity level of third party relationship
Third Party Risk Management
An effective third party risk program usually includes:
• Strategy outlining how to select, assess, and oversee vendors
• Due diligence in selecting a vendor
• Agreements outlining rights and responsibilities of all those involved
• Ongoing performance monitoring
• Concentration review
Third Party Risk Management
An effective third party risk program usually includes:
• Roles and responsibilities clearly assigned for managing the relationship and risk management process
• Documentation outlining all steps of a third party program
• Business continuity and contingency process for effectively terminating a relationship
• Independent reviews to allow management oversight
Third Party Risk Management
Windows XP
Microsoft® ended support for the operating system on April 8, 2014
Estimated 95% of all American ATMs run on Windows® XP
Windows XP
FDIC guidance: Migrate to a supported operating system
Christensen guidance: Assess your risk
• Limited physical access to ATM
• High-risk activities disabled
• Dedicated lines or VPNs protect communications
Implement risk mitigation
• Increased monitoring
• Isolation from threats
Windows XP
SHAZAM protections: ATM parameters controlled internally
ATM router level security
“Defense-in-depth” strategy
Multiple defensive security layers, including:
Authentication & password security
Demilitarized zones (DMZ)
Firewalls
Hashing passwords
Logging & auditing
Network monitors
Physical security
Internet security awareness training (anti-social engineering)
Virtual private network (VPN)
Intrusion protection system
Windows XP – Internal Efforts
Worked diligently to implement a migration plan to remove Windows XP from all internal uses
Successfully completed upgrades for all internal systems by goal date of April 1, 2014
ATM Cash-out Attacks
FDIC and FFIEC released a joint statement warning about the risks of cyberintrusion
Increased cyberattack activity for the purpose of gaining access and altering settings within ATM web-based control panels in small- to medium-sized institutions
Attack is initiated by phishing emails that install malware within the institution network
Once installed, employee credentials are obtained and web-based ATM control panels are infiltrated
ATM Cash-out Attacks
SHAZAM’s Defense: ATM parameters for terminals driven by SHAZAM use an internal process, rather than web-based control panels
Cardholder limit information is managed through SHAZAM Access web portal
SHAZAM Access is a multilayered application with security redundancies implemented across network layers
Controls are tested and validated through SSAE 16 SOC 1 report, FFIEC, PCI, and internal audits
ATM Cash-out Attacks
What you can do
Assess your risk
• Information security program
• Penetration tests
• Ability to detect phishing email attacks
SHAZAM services
• Trusteer Rapport
• FICO® Falcon® Fraud Manager
• Card verification and risk mitigation: SHAZAM Secure®
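One way to put the "increased monitoring" point into practice on the control-panel side of the cash-out scenario described above, as an added example that is not SHAZAM's or the presenter's code: the script below scans constructed audit-log lines from a hypothetical web-based ATM control panel and flags cardholder limit changes that come from outside the administrative subnet, fall outside business hours, or jump above a policy ceiling, then reports users with a burst of such changes. The log format, field names, subnet, business hours and limit values are all assumptions made for illustration.

```python
"""Detection over constructed ATM control-panel audit logs.

Added example (not SHAZAM's or the presenter's code). The log format,
field names, subnet, hours and limit values are assumptions.
"""
import ipaddress
from datetime import datetime, time

# Constructed sample audit lines:
#   timestamp user source_ip action BIN=<bin> old=<limit> new=<limit>
# Non-change events carry "-" placeholders so every line has seven fields.
SAMPLE_LOG = """\
2014-04-02T10:15:02 jsmith 10.20.5.14 LIMIT_CHANGE BIN=123456 old=500 new=600
2014-04-02T23:41:17 jsmith 203.0.113.7 LIMIT_CHANGE BIN=123456 old=600 new=50000
2014-04-02T23:42:03 jsmith 203.0.113.7 LIMIT_CHANGE BIN=123457 old=500 new=50000
2014-04-03T09:02:44 mlee 10.20.5.20 LOGIN - - -
2014-04-03T09:05:10 mlee 10.20.5.20 LIMIT_CHANGE BIN=123458 old=500 new=700
"""

# Assumed policy values for this institution.
ADMIN_SUBNET = ipaddress.ip_network("10.20.5.0/24")   # where admins log in from
BUSINESS_HOURS = (time(8, 0), time(18, 0))            # when limit changes are expected
MAX_DAILY_LIMIT = 2000                                # highest limit one change may set
MAX_RAISE_FACTOR = 5                                  # a 5x jump in one change is suspicious


def parse_line(line):
    """Parse one audit line; return None for events that are not limit changes."""
    ts, user, ip, action, bin_field, old, new = line.split()
    if action != "LIMIT_CHANGE":
        return None
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "bin": bin_field.split("=", 1)[1],
        "old": int(old.split("=", 1)[1]),
        "new": int(new.split("=", 1)[1]),
    }


def check_change(ev):
    """Return the list of policy violations for one limit-change event (empty if clean)."""
    reasons = []
    if ev["ip"] not in ADMIN_SUBNET:
        reasons.append("source outside admin subnet")
    start, end = BUSINESS_HOURS
    if not (start <= ev["ts"].time() <= end):
        reasons.append("outside business hours")
    if ev["new"] > MAX_DAILY_LIMIT:
        reasons.append("new limit above policy ceiling")
    if ev["old"] > 0 and ev["new"] >= ev["old"] * MAX_RAISE_FACTOR:
        reasons.append("limit raised by %dx or more" % MAX_RAISE_FACTOR)
    return reasons


def find_suspicious_changes(log_text):
    """Scan the log and return (event, reasons) for every change that violates policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is not None:
            reasons = check_change(ev)
            if reasons:
                findings.append((ev, reasons))
    return findings


def burst_users(findings, window_seconds=300, min_count=2):
    """Users with at least min_count flagged changes inside any window_seconds span.

    Cash-out preparation tends to touch many limits quickly, so a burst of
    flagged changes by one account is a stronger signal than a single hit.
    """
    by_user = {}
    for ev, _ in findings:
        by_user.setdefault(ev["user"], []).append(ev["ts"])
    hits = set()
    for user, stamps in by_user.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while (j + 1 < len(stamps)
                   and (stamps[j + 1] - stamps[i]).total_seconds() <= window_seconds):
                j += 1
            if j - i + 1 >= min_count:
                hits.add(user)
                break
    return hits


if __name__ == "__main__":
    results = find_suspicious_changes(SAMPLE_LOG)
    for ev, reasons in results:
        print(ev["ts"], ev["user"], ev["ip"], "BIN", ev["bin"], ";", "; ".join(reasons))
    print("burst activity by:", sorted(burst_users(results)))
```

Each rule on its own is noisy (a legitimate after-hours fix trips the hours check), so the per-user burst count is what would drive an alert in practice; the individual reasons are kept so an analyst can see why a change was flagged.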
PCI Compliance vs. Validation
Issuer
All members of the various card brands (Visa®, MasterCard®, Amex®, Discover®) are required to be PCI compliant as part of their operating rules
Requirements for validation of compliance vary
• Example of validation would be to have a Qualified Security Assessor (QSA) verify an institution’s PCI compliance
Currently NO requirements from any card brand to validate compliance with PCI Data Security Standards through a QSA
As long as an issuer has a strong GLB information security program in place, and the program is validated annually, there is no need to supplement the program with any type of PCI review
Ensure cardholder data (e.g., card number, expiration date) is included in the scope of the existing information security program
PCI Compliance vs. Validation
Acquiring Member
Assess your risk: implement a risk-based program for merchants. As an acquiring FI, you are responsible for all activities of your merchants.
Program can allow smaller merchants to self-assess their compliance and share results with the FI. The FI can review and follow up if necessary.
Higher volume merchants would want to consider a more active review.
External validation by a QSA is not required for any merchant until they process more than 6 million transactions annually.
PCI Compliance vs. Validation
Service Provider
Any service provider processing over 300,000 branded transactions annually needs to formally validate, through a QSA and scanning vendor, compliance with PCI
Document each of your service providers’ compliance with PCI
SHAZAM documents are available on SHAZAM Access, Audit and Compliance page
Social Media
Social Media is interaction among people in which they create, share and/or exchange information and ideas in virtual communities and networks
Fastest growing channel for marketing and customer engagement
Adults ages 45-54 are the swiftest growing segment of social media users
Social Media Guidance Overview
Social Media: Consumer Compliance Risk Management Guidance
For the purposes of the Guidance, social media is defined as a form of interactive, online communication in which users can generate and share content through text, images, audio, and/or video
No new requirement imposed as a result of the Guidance
Social Media Guidance Key Points
Assess your risk
• Create a risk program proportionate with involvement in the medium
• Document a policy
• Follow third party risk guidelines if outsourcing
• Develop employee training
• Communicate regularly with senior management and board of directors
Cybersecurity
The President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directing the development of a framework (February 2013)
National Institute of Standards and Technology (NIST) formally released the first version of the Framework for Improving Critical Infrastructure Cybersecurity (February 2014)
Cybersecurity Framework Flow
Cybersecurity Framework Core
Cybersecurity Framework Example
Cybersecurity
National Breach Notification
46 state breach notification statutes exist today
Federal notification law has been proposed, currently under committee review
Marijuana and Banking
Approximately 20 states have authorized marijuana use for medical purposes
In November 2012, two states authorized recreational use (Colorado & Washington)
Federal law continues to make possession and use of marijuana illegal
Marijuana and Banking
U.S. government released guidance February 2014 allowing banks to legally provide services to licensed marijuana businesses
Guidance is not enough
16 members of Congress have asked federal regulators to implement new banking guidance
Marijuana and Banking
Resources
Third Party Risk Management: www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
www.federalreserve.gov/bankinforeg/srletters/sr1319a1.pdf
Windows XP: www.communitybankingconnections.org/articles/2013/Q4/Community-Bank-Operations.cfm
Social Media: www.fdic.gov/news/news/financial/2013/fil13056a.pdf
NIST Cybersecurity: www.nist.gov/cyberframework/
Marijuana and Banking FAQ: www.aba.com/Tools/Comm-Tools/Documents/ABAMarijuanaAndBankingFAQFeb2014.pdf
Thank you!