Kevin Christensen, Vice President of Audit · 2020-03-31 · Interchange fee limitations The...

Payment Card Network Update Kevin Christensen, Vice President of Audit


Page 1

Payment Card Network Update

Kevin Christensen, Vice President of Audit

Page 2

Agenda

Industry Trends

Third Party Risk Management

Windows XP

PCI Validation

Social Media

NIST Cybersecurity

Marijuana and Banking

Page 3

Disclaimer

The following does not constitute legal advice and does not create any attorney-client relationship. The information provided herein may not be applicable in all situations, should not be treated as legal advice, and should not be acted upon without specific legal advice from your counsel based on the facts and circumstances of your institution. SHAZAM makes no representations or warranties as to the accuracy or completeness of this information.

Page 4

Industry Trends

Page 5

In a word …

2014 Electronic Transaction Processing Environment

Page 6

Multiple new technologies

Exclusivity of acceptance

Multiple new players

Concentration of issuer mass

Forces at Play

2014 Electronic Transaction Processing Environment

Page 7

Tokenization: Brands including American Express® and Discover® dictating standards for card-not-present transactions

Mobile and NFC: Controlled standards by PCI and EMVCo dictating transaction path

EMV: Technology controlled by MasterCard® and Visa® dictating transaction path

Multiple Technologies

2014 Electronic Transaction Processing Environment

Page 8

2014 Electronic Transaction Processing Environment

Person to Person: MasterCard MoneySend, VISA OCT, Square® Cash, PayPal, Braintree Venmo

Decoupled Debit: Target® REDcard

Merchant Controlled Closed Loop Systems: Merchant Customer Exchange (MCX)

Nontraditional Debit: PayPal™, Bitcoin, Dwolla®, Apple®, Amazon®

Multiple Players

Page 9

2014 Electronic Transaction Processing Environment

Willingness of the larger cores to trade routing options and costs for processing revenue

Through its members, stopped Same-Day ACH, preventing competition to their tightly controlled product

Top 5 institutions control 70% of consumer transaction accounts

The Clearing House Association

Massive acceptance leverage (clearXchange P2P)

Concentration of Issuer Mass

Page 10

2014 Electronic Transaction Processing Environment

Ultimately, the only payments stakeholder not controlled by Regulation II rules

Enormous power by the acquirer processors to aggregate merchant acceptance in exchange for processing revenue

Integration of Payment Verticals

Page 11

2014 Electronic Transaction Processing Environment

Regulation II challenges

Market forces

Loss of Federal Reserve volumes

Federal preemption

Regulatory Intervention

Page 12

NACS vs. Board of Governors of the Federal Reserve System

Challenge filed by a group of merchant trade associations and individual merchants to the interchange fee limitations and network exclusivity requirements set forth in Regulation II, Debit Card Interchange Fees and Routing (“Regulation II”)

Page 13

Basis of the Challenge

Interchange fee limitations: The inclusion of not only incremental costs incurred by an issuer with respect to authorization, clearance, or settlement of a particular electronic debit transaction (referred to as “incremental ACS costs”), but also certain fixed costs the Board found to be specific to a particular transaction

Routing and exclusivity: Requiring the enablement of at least two unaffiliated networks on a debit card, regardless of the authentication type (i.e., one PIN network and one signature network)

Page 14

Case History and Status

D.C. District Court ruled in favor of the merchants

Board appealed to the Court of Appeals in Washington D.C.

Oral arguments January 17, 2014

Court of Appeals ruled in favor of the Federal Reserve on March 21, 2014

Page 15

Final Decision

The Federal Reserve Board (FRB) didn’t exceed Congress’s intent in setting the new “swipe fee” limits. The appeals court ruled the provision in the law was written in such a way the FRB had discretion to set the interchange fee standard as the agency saw fit.

Upheld the FRB’s rule which prohibits payment card network exclusivity arrangements and routing restrictions for debit card transactions.

Page 16

Final Decision

Further explanation is needed from the FRB to justify why so-called “transactions monitoring costs” were treated as a separate allowable cost from the conditional fraud-prevention adjustment component of interchange.

Pending this explanation, regulated institutions with more than $10 billion in assets will not see any changes in interchange.

The court of appeals decision will usually be the final word in the case; however, an appeal to the U.S. Supreme Court is possible.

Page 17

Third Party Risk Management

Page 18

The Future

Page 19

Third Party Risk Management

Increased reliance on non-bank providers prompted agencies to re-release guidance related to third party risk management

Third party service providers are defined as all entities that have entered into a relationship to provide business functions or activities

Page 20

Third Party Risk Management

Assess your risk: Identify and inventory vendors based on the criticality of the services provided

Vendor concentration: Develop a vendor risk program proportionate to the risk and complexity of the third party relationship

Page 21

Third Party Risk Management

An effective third party risk program usually includes:

• Strategy outlining how to select, assess, and oversee vendors

• Due diligence in selecting a vendor

• Agreements outlining rights and responsibilities of all those involved

• Ongoing performance monitoring

• Concentration review

Page 22

Third Party Risk Management

An effective third party risk program usually includes:

• Roles and responsibilities clearly assigned for managing the relationship and risk management process

• Documentation outlining all steps of a third party program

• Business continuity and contingency process for effectively terminating a relationship

• Independent reviews to allow management oversight

Page 23

Third Party Risk Management

Page 24

Windows XP

Page 25

Windows XP

Microsoft® ended support for the operating system on April 8, 2014

Estimated 95% of all American ATMs run on Windows® XP

Page 26

Windows XP

FDIC guidance: Migrate to a supported operating system

Christensen guidance: Assess your risk

• Limited physical access to ATM

• High-risk activities disabled

• Dedicated lines or VPNs protect communications

Implement risk mitigation

• Increased monitoring

• Isolation from threats

Page 27

Windows XP

SHAZAM protections: ATM parameters controlled internally

ATM router level security

“Defense-in-depth” strategy

Multiple defensive security layers, including:

Authentication & password security

Demilitarized zones (DMZ)

Firewalls

Hashing passwords

Logging & auditing

Network monitors

Physical security

Internet security awareness training (anti-social engineering)

Virtual private network (VPN)

Intrusion protection system

Page 28

Windows XP – Internal Efforts

Worked diligently to implement a migration plan to remove Windows XP from all internal uses

Successfully completed upgrades for all internal systems by goal date of April 1, 2014

Page 29

ATM Cash-out Attacks

FDIC and FFIEC released a joint statement warning about the risks of cyberintrusion

Increased cyberattack activity for the purpose of gaining access to and altering settings within ATM web-based control panels in small- to medium-sized institutions

Attack is initiated by phishing emails that install malware within the institution network

Once installed, employee credentials are obtained and web-based ATM control panels are infiltrated

Page 30

ATM Cash-out Attacks

SHAZAM’s Defense: ATM parameters for terminals driven by SHAZAM use an internal process, rather than web-based control panels

Cardholder limit information is managed through SHAZAM Access web portal

SHAZAM Access is a multilayered application with security redundancies implemented across network layers

Controls are tested and validated through SSAE 16 SOC 1 report, FFIEC, PCI, and internal audits

Page 31

ATM Cash-out Attacks

What you can do

Assess your risk

• Information security program

• Penetration tests

• Ability to detect phishing email attacks

SHAZAM services

• Trusteer Rapport

• FICO® Falcon® Fraud Manager

• Card Verification and Risk Mitigation: SHAZAM Secure®
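The attack sequence on the preceding slides ends with altered settings in a web-based ATM control panel, so that panel's audit trail is where an institution's monitoring can catch the intrusion before cash leaves the terminals. As an added example (not from the presentation, and not SHAZAM or regulator code), the following Python script runs a few simple detection rules over constructed control-panel audit lines: parameter changes outside business hours, withdrawal limits raised above a policy maximum, controls switched to a disabling value, and bursts of changes by one account. The log layout, field names, thresholds, user names and sample lines are all assumptions made for this example.

```python
"""Detection over ATM control-panel parameter-change audit logs.

Added example: the log format, field names, policy thresholds and the
sample lines below are constructed for illustration; they are not a
SHAZAM, FDIC or FFIEC format.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values (assumed for this example; an institution would set its own).
MAX_WITHDRAWAL_LIMIT = 1000           # dollars; a limit set above this is flagged
BUSINESS_HOURS = (7, 19)              # changes outside 07:00-18:59 are flagged
BURST_WINDOW = timedelta(minutes=10)  # sliding window for the burst rule
BURST_COUNT = 3                       # changes by one user inside the window
DISABLING_VALUES = {"off", "disabled", "none", "0"}

# Assumed line layout (constructed): "<date> <time> user=<id> src=<ip>
# action=set_param atm=<terminal> param=<name> old=<value> new=<value>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) action=set_param "
    r"atm=(?P<atm>\S+) param=(?P<param>\S+) old=(?P<old>\S+) new=(?P<new>\S+)$"
)


@dataclass
class Change:
    ts: datetime
    user: str
    src: str
    atm: str
    param: str
    old: str
    new: str


def parse_line(line: str) -> Change | None:
    """Parse one audit line; return None for lines that are not parameter changes."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return Change(ts, m["user"], m["src"], m["atm"], m["param"], m["old"], m["new"])


def _alert(c: Change, rule: str, detail: str) -> dict:
    return {"rule": rule, "ts": c.ts.isoformat(sep=" "), "user": c.user,
            "atm": c.atm, "detail": detail}


def detect(lines) -> tuple[list[dict], int]:
    """Run the four rules over time-ordered lines; return (alerts, unparsed count)."""
    alerts: list[dict] = []
    unparsed = 0
    recent: dict[str, deque] = defaultdict(deque)   # per-user change timestamps
    for line in lines:
        c = parse_line(line)
        if c is None:
            unparsed += 1
            continue
        # Rule 1: any parameter change outside business hours.
        if not (BUSINESS_HOURS[0] <= c.ts.hour < BUSINESS_HOURS[1]):
            alerts.append(_alert(c, "after_hours", f"{c.param} changed at {c.ts:%H:%M}"))
        # Rule 2: withdrawal limit raised above the policy maximum.
        if c.param == "withdrawal_limit" and c.new.isdigit() and int(c.new) > MAX_WITHDRAWAL_LIMIT:
            alerts.append(_alert(c, "limit_above_policy", f"{c.old} -> {c.new}"))
        # Rule 3: a control switched from an active value to a disabling one.
        if c.new.lower() in DISABLING_VALUES and c.old.lower() not in DISABLING_VALUES:
            alerts.append(_alert(c, "control_disabled", f"{c.param}: {c.old} -> {c.new}"))
        # Rule 4: burst of changes by one user inside the sliding window.
        q = recent[c.user]
        q.append(c.ts)
        while c.ts - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) >= BURST_COUNT:
            alerts.append(_alert(c, "burst", f"{len(q)} changes within {BURST_WINDOW}"))
    return alerts, unparsed


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per rule."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed sample audit lines: a benign daytime change, three late-night
# changes from an unusual source, a benign decrease, and one non-parameter line.
SAMPLE_LOG = [
    "2014-04-02 09:15:02 user=jdoe src=10.1.2.3 action=set_param atm=ATM-017 param=withdrawal_limit old=500 new=600",
    "2014-04-02 23:41:10 user=jdoe src=203.0.113.9 action=set_param atm=ATM-017 param=withdrawal_limit old=600 new=5000",
    "2014-04-02 23:42:05 user=jdoe src=203.0.113.9 action=set_param atm=ATM-018 param=withdrawal_limit old=500 new=5000",
    "2014-04-02 23:43:30 user=jdoe src=203.0.113.9 action=set_param atm=ATM-019 param=fraud_check old=on new=off",
    "2014-04-03 10:02:00 user=asmith src=10.1.2.8 action=set_param atm=ATM-020 param=withdrawal_limit old=500 new=400",
    "2014-04-03 10:05:00 user=asmith src=10.1.2.8 action=login result=ok",
]

if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['rule']:<20} {a['user']} {a['atm']} {a['detail']}")
    print(f"{len(found)} alerts, {skipped} line(s) not parameter changes")
```

Running the script prints seven alerts for the sample lines, all from the three late-night changes; the daytime increase and the decrease produce nothing. The thresholds would come from the institution's own parameter policy, and the alerts are the kind of signal that the "increased monitoring" item on the Windows XP slide needs to be fed with.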

Page 32

PCI Compliance vs. Validation

Page 33

PCI Compliance vs. Validation

All members of the various card brands (Visa®, MasterCard®, Amex®, Discover®) are required to be PCI compliant as part of their operating rules

Requirements for validation of compliance vary

• Example of validation would be to have a Qualified Security Assessor (QSA) verify an institution’s PCI compliance

Page 34

PCI Compliance vs. Validation: Issuer

Currently NO requirements from any card brand to validate compliance with PCI Data Security Standards through a QSA

As long as an issuer has a strong GLB information security program in place, and the program is validated annually, there is no need to supplement the program with any type of PCI review

Ensure cardholder data (e.g., card number, expiration date) is included in the scope of the existing information security program

Page 35

PCI Compliance vs. Validation: Acquiring Member

Assess your risk: implement a risk-based program for merchants. As an acquiring FI, you are responsible for all activities of your merchants.

Program can allow smaller merchants to self-assess their compliance and share results with the FI. The FI can review and follow up if necessary.

Higher volume merchants would want to consider a more active review.

External validation by a QSA is not required for any merchant until they process more than 6 million transactions annually.

Page 36

PCI Compliance vs. Validation: Service Provider

Any service provider processing over 300,000 branded transactions annually needs to formally validate, through a QSA and scanning vendor, compliance with PCI

Document each of your service providers’ compliance with PCI

SHAZAM documents are available on SHAZAM Access, Audit and Compliance page

Page 37

Social Media

Page 38

Social Media

Page 39

Social Media

Social Media is interaction among people in which they create, share and/or exchange information and ideas in virtual communities and networks

Fastest growing channel for marketing and customer engagement

Adults ages 45-54 are the swiftest growing segment of social media users

Page 40

Social Media Guidance Overview

Social Media: Consumer Compliance Risk Management Guidance

For the purposes of the Guidance, social media is defined as a form of interactive, online communication in which users can generate and share content through text, images, audio, and/or video

No new requirement imposed as a result of the Guidance

Page 41

Social Media Guidance Key Points

Assess your risk

• Create a risk program proportionate with involvement in the medium

• Document a policy

• Follow third party risk guidelines if outsourcing

• Develop employee training

• Communicate regularly with senior management and board of directors

Page 42

Cybersecurity

Page 43

Cybersecurity

February 2013: The President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directing the development of a framework

February 2014: The National Institute of Standards and Technology (NIST) formally released the first version of the Framework for Improving Critical Infrastructure Cybersecurity

Page 44

Cybersecurity Framework Flow

Page 45

Cybersecurity Framework Core

Page 46

Cybersecurity Framework Example

Page 47

Cybersecurity

National Breach Notification

46 state breach notification statutes exist today

Federal notification law has been proposed, currently under committee review

Page 48

Marijuana and Banking

Page 49

Marijuana and Banking

Approximately 20 states have authorized marijuana use for medical purposes

In November 2012, two states authorized recreational use (Colorado & Washington)

Federal law continues to make possession and use of marijuana illegal

Page 50

U.S. government released guidance February 2014 allowing banks to legally provide services to licensed marijuana businesses

Guidance is not enough

16 members of Congress have asked federal regulators to implement new banking guidance

Marijuana and Banking

Page 51

Resources

Third Party Risk Management

www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

www.federalreserve.gov/bankinforeg/srletters/sr1319a1.pdf

Windows XP www.communitybankingconnections.org/articles/2013/Q4/Community-Bank-Operations.cfm

Social Media www.fdic.gov/news/news/financial/2013/fil13056a.pdf

NIST Cybersecurity www.nist.gov/cyberframework/

Marijuana and Banking FAQ www.aba.com/Tools/Comm-Tools/Documents/ABAMarijuanaAndBankingFAQFeb2014.pdf

Page 52

Thank you!