Archive for the ‘fraud protection’ Category

First Data Extends Payment Card Security to Merchants

Monday, May 31st, 2010

TransArmor℠ Solution Piloted by Spectrum of Brick-and-Mortar and Card-Not-Present Retailers; First Commercial Transaction Tokenized on STAR® Network

RSA CONFERENCE 2010 – SAN FRANCISCO, March 1, 2010 – First Data Corporation, a global leader in electronic commerce and payment processing, today announced the expansion of a merchant pilot of the First Data® TransArmor℠ solution. More than 400 U.S. merchants of all sizes will assess the comprehensive data security solution over the next four months. The TransArmor solution (previously called First Data® Secure Transaction Management℠) was developed in close partnership with EMC Corporation (NYSE: EMC).

The TransArmor secure payments service is designed with the needs of merchants in mind, and it has the opportunity to fundamentally change the way merchants secure and manage cardholder data. The TransArmor solution addresses the root cause of merchant data security issues by removing payment card data from the merchant environment as part of processing the transaction, significantly reducing risk and the scope of PCI compliance efforts.

Deploys RSA SafeProxy™ Architecture
The solution leverages the RSA SafeProxy™ architecture, a powerful combination of asymmetric encryption, tokenization and key management engineered to provide the benefit of end-to-end protection and eliminate on-site cardholder data storage for merchants. Unique features of the token make it possible for merchants to continue to handle key business functions such as returns, recurring billing, loyalty programs and other analysis, without enabling card data to be used for fraudulent transactions.
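To make the tokenization model described above concrete, here is a toy processor-side vault as an added example (constructed for this page, not First Data or RSA code): the merchant's records keep only a token that preserves the last four digits and deliberately fails the Luhn check, so the same card maps to the same token for returns and recurring billing while the token itself is useless as a card number.

```python
"""Toy model of processor-side tokenization as described above: the merchant
stores only a token and the PAN stays in a vault at the processor.
Constructed example; not First Data or RSA code."""
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check that real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class ProcessorVault:
    """Held by the processor only; the merchant never sees this mapping."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same card, same token: returns, recurring billing and loyalty
        # matching work on the token alone.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four for receipts and returns
            # Never hand out a token that passes Luhn: a leaked token must
            # not look like a usable card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        # The PAN is reconstituted only here, inside the processor.
        pan = self._pan_by_token[token]
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


def merchant_checkout(vault: ProcessorVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's database keeps after a sale: token and last four only."""
    token = vault.tokenize(pan)
    vault.charge(token, amount_cents)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}
```

A later refund is `vault.charge(record["token"], -amount_cents)`: the merchant submits the stored token and no card data re-enters its environment.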

On Feb. 26, 2010, the TransArmor solution tokenized the very first commercial transaction over the STAR® Network at the Center of Science & Industry (COSI) in Columbus, Ohio. A First Data company, STAR is one of the nation’s leading electronic funds transfer (EFT) networks with more than two million retail and ATM locations.

As an early participant in the TransArmor pilot, COSI is already experiencing the benefits of the solution. “Like most consumers today, several of our customers had concerns about the safety of their credit and debit card data while visiting our center. TransArmor gives us peace of mind that their payment card data is locked in a virtual vault at First Data and nowhere on site at COSI,” said Brad Morgan, senior IT operations manager at COSI.

Works with Existing Merchant Hardware
Unlike some solutions in the marketplace, the TransArmor solution can be implemented without the need for new hardware or back-end IT operations. The solution works with First Data as well as other terminals or point-of-sale systems and can be consistently applied across brick-and-click environments.

“The response from merchants interested in participating in this trial has been enormous and a testament to the sought-after service TransArmor delivers,” said Craig Tieken, vice president of Merchant Product Management at First Data. “Up until now, there have been few easy and cost-effective solutions to the growing problem of managing the risks of handling sensitive payment card data. TransArmor represents a fundamental change in how merchants can confidently protect and manage cardholder data.”

The consequences of a merchant data compromise in legal, financial, consumer confidence and brand loyalty terms can be overwhelming. According to the 2009 U.S. Cost of a Data Breach Study by the Ponemon Institute, the average cost for merchants coping with a data breach in 2009 rose to $6.7 million with the cost per customer record breached estimated at $204. With the TransArmor solution, customer card information is retained only at the processor and protects merchants from the dangers of malicious attacks designed to steal payment card data in transit or in storage from merchant databases.

“Implementing effective data security can’t mean more complexity for businesses,” said Brian Fitzgerald, vice president, Marketing, RSA, The Security Division of EMC. “TransArmor successfully embeds industry-leading security technology into the payment processing infrastructure to make it available to, and more importantly, usable, by merchants of all sizes. TransArmor is an example of the type of partnerships required from industry leaders that will reduce the reliance on point solutions and enable an industry ecosystem with pervasive built-in security.”

Teams from RSA and EMC Consulting worked collaboratively with First Data through product strategy development and technology proof of concept for a successful pilot and product launch.

About First Data
First Data powers the global economy by making it easy, fast and secure for people and businesses to buy goods and services using virtually any form of electronic payment. Whether the choice of payment is a gift card, a credit or debit card or a check, First Data securely processes the transaction and harnesses the power of the data to deliver intelligence and insight for millions of merchant locations and thousands of card issuers in 36 countries.

Should you require CVV or AVS for phone orders?

Thursday, December 10th, 2009

Why check the address instead of the CVV for mail orders to protect against fraud? Shouldn’t CVV or CVV2 be checked before anything else? The difference really lies in the way your firm processes orders and the need to be PCI compliant.

MO/TO or MOTO stands for mail order/telephone order. The same rules apply to fax orders.

Mail orders or fax orders generally involve a pre-printed form returned with the buyer’s selection and pricing. The card is then scanned with an OCR device or the order is keypunched. BEWARE: if your form asks for the CVV or CID code, that code is at risk from the moment the form leaves the sender’s hands. Therefore, when the order is received, the merchant MUST PROTECT THIS DATA AND MUST NOT STORE IT. You can also choose a way to process the order that does not require a CVV code but still protects the merchant from fraud. AVS, or address verification, then becomes essential to prevent fraud. If you use a virtual terminal, the terminal should require an AVS check.

If you complete phone orders by keypunching the cardholder’s data while on the phone with the customer, you can ask for the CVV or CVV2 code. The assumption is that you are using a PCI compliant solution, whether software or a virtual terminal, that does not store the CVV data. A secure method such as a virtual terminal can prompt for the CVV code and also perform an address check. There is still some risk in taking the CVV over the phone because the data is exposed to whoever handles the order. If the merchant writes down transaction information to be keypunched later, the CVV should not be written down whenever possible; if it is written down, follow the PCI compliance requirements to protect the data temporarily until it is securely shredded.

The AVS response can be a full match, partial match, no match, unavailable, or retry.

Full match – both the ZIP code and the address match.

Partial match – only the ZIP code or the address matches, not both. You may wish to decide how much risk you are willing to assume based on the order value.

No match – the ZIP code and address don’t match. This is a sign of fraud, and further steps should be taken to verify that it is a valid transaction. If you’re on the phone, ask questions and get the CVV. If you’re not on the phone, you might want to invest time in a little research depending on the value of the order. For example, I’ve used whitepages.com to research name, phone and address. If the person moved, there could be a legitimate reason, but the person should be able to recite their old address.

Unavailable – the system is unavailable or the card issuer does not support AVS. U.S. card issuers must support AVS, but this is not true worldwide. For merchants with many transactions from foreign cardholders, requiring AVS can be a problem because those cards can’t pass. However, all cards should be able to pass CVV. Merchants lose all chargeback prevention rights for card-not-present transactions if the CVV or AVS response is U.

Retry – the card issuer’s system is unavailable; try again later.

For more details, please see the Visa Card Acceptance Guide.

If the merchant performs an address check and gets a full match, plus has a CVV match, they’ll be in a better position to win chargeback disputes. However, your customer types, order processing methods, employees and industry are all factors in assessing risk and determining which steps are best for you to mitigate it. Whatever methods you choose, be sure to communicate the policies to employees and always review the PCI Data Security Standard.

CenPOS is a technology solution with numerous controls that let management set criteria globally and down to the cashier level. Settings include AVS (full and partial), CVV and dollar thresholds.

In conclusion, whether you require CVV for MOTO transactions is a business decision. You must weigh the risk of having the CVV exposed until you have used it and shredded it against the risk of credit card fraud if you do not take it. For small-ticket orders, you might wish to skip it to reduce the exposure. For large-value orders, you may not want to risk your product going out the door without it; in that case, be sure to have a PCI compliance program in place and train employees. AVS should be required to pass without exception.
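The AVS and CVV rules laid out in this post, turned into an acceptance policy for keyed MOTO orders, as an added example (not CenPOS or any processor’s code; the dollar thresholds and result names are assumptions). The second function enforces the non-storage rule by stripping the CVV before an order record is persisted.

```python
"""MOTO acceptance policy built from the AVS/CVV rules in this post.
Added example, not CenPOS or any processor's code; thresholds and
result names are assumptions."""
from dataclasses import dataclass

# AVS outcomes as the post lists them; 'unavailable' is the U response.
AVS_RESULTS = {"full", "partial", "no_match", "unavailable", "retry"}
CVV_RESULTS = {"match", "no_match", "unavailable", "not_provided"}


@dataclass(frozen=True)
class Policy:
    partial_avs_max_cents: int = 10_000     # accept a partial AVS match only on small tickets
    cvv_required_above_cents: int = 50_000  # large tickets also need a CVV match


def decide(avs: str, cvv: str, amount_cents: int, policy: Policy = Policy()) -> str:
    """Return 'approve', 'review', 'retry' or 'decline' for one keyed order."""
    if avs not in AVS_RESULTS or cvv not in CVV_RESULTS:
        raise ValueError("unknown AVS or CVV result")
    if avs == "retry":
        return "retry"                   # issuer system down; resubmit later
    if cvv == "no_match":
        return "decline"                 # a wrong CVV is never accepted
    if avs == "no_match":
        return "review"                  # sign of fraud: verify by other means
    if avs == "unavailable" or cvv == "unavailable":
        # A U response forfeits chargeback rights on card-not-present sales,
        # so it is never auto-approved.
        return "review"
    if avs == "partial" and amount_cents > policy.partial_avs_max_cents:
        return "review"
    if amount_cents > policy.cvv_required_above_cents and cvv != "match":
        return "review"                  # large order: get the CVV before shipping
    return "approve"


def storable_record(order: dict) -> dict:
    """Drop the card verification code before an order is written to a database
    or a paper file; PCI DSS forbids retaining it after authorization."""
    return {k: v for k, v in order.items() if k not in {"cvv", "cvv2", "cid"}}
```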

Payments Fraud Rampant in Majority of U.S. Organizations

Tuesday, November 17th, 2009

Fraud control measures heavily employed to mitigate risk and reduce exposure

March 26, 2009 – Deteriorating financial conditions in 2008, coupled with the emergence of new payment types and the growth of electronic payments, opened up new opportunities for payments fraud, according to the 2009 AFP Payments and Fraud Control Survey. The assault on payments is widespread: over seventy percent of organizations surveyed experienced attempted or actual payments fraud in 2008. The survey was sponsored by J.P. Morgan Treasury Services.

Large organizations were more likely to have experienced payments fraud than were smaller ones. Eighty percent of organizations with annual revenues over $1 billion were victims of payments fraud in 2008 compared with 63 percent of organizations with annual revenues under $1 billion.

Since 2005, the Association for Financial Professionals (AFP) has examined the nature and frequency of fraudulent attacks on business-to-business payments and the industry fraud-risk tools that organizations use to control payments fraud. Continuing that research, in January 2009 AFP conducted its Payments and Fraud Control Survey to capture the payments experiences of organizations during 2008.

Thirty percent of survey respondents report that incidents of fraud increased in 2008 compared to 2007. Further, nearly forty percent of organizations experienced increased fraud activity during the second half of 2008 as economic conditions worsened in the U.S.

According to Nasreen Quibria, Director of Payments for AFP, “the fraud attacks on payment activities have occurred at a greater frequency than we’ve seen in the past. Now, the vulnerability of all payment methods, especially checks, demands a range of fraud-fighting tools and the vigilance of financial and treasury professionals responsible for protecting organizations’ assets.”

Nine out of ten organizations (91 percent) that experienced attempted or actual payments fraud in 2008 were victims of check fraud. The percentages of organizations affected by payments fraud via other payment methods were: ACH debits (28 percent); consumer credit/debit cards (18 percent); corporate/commercial cards (14 percent); ACH credits (seven percent); and wire transfers (six percent).

Sixty-three percent of organizations that were victims of actual and/or attempted payments fraud in 2008 experienced no financial loss, and among organizations that did suffer a financial loss resulting from payments fraud in 2008, the typical loss was relatively small at $15,200.

Many organizations are mitigating financial loss from fraud by turning to a number of defensive measures provided by their banks, including:

  • Positive pay/reverse positive pay (82 percent)
  • ACH debit blocks (71 percent)
  • ACH debit filters (55 percent)
  • Payee positive pay (50 percent)
  • Post no checks restriction on depository accounts (34 percent)

Organizations can also develop and/or modify internal business processes to minimize potential payments fraud risks. The processes considered important include:

  • Stopping the provision of payment instructions by phone or fax (86 percent);
  • Increasing the use of electronic payments for business-to-consumer and business-to-business transactions (82 percent); and
  • Reducing the number of bank accounts (82 percent).

“J.P. Morgan is highly sensitive to the need for vigilance in protecting client assets from fraud,” said Iqbal M. Khan, executive director, J.P. Morgan Treasury Services. “We are pleased to sponsor the 2009 AFP Payments and Fraud Control Survey. We look forward to the data being used to foster important discussion around this issue and to seeing the financial community continue to develop anti-fraud tools that provide the critical safeguards corporates want and need.”

The survey includes responses from 629 corporate treasury and finance professionals including assistant treasurers, controllers, cash managers, analysts, and directors. To obtain a complete report of the 2009 Payments Fraud and Control Survey go to www.AFPonline.org/research.

About AFP
The Association for Financial Professionals (AFP) serves a network of more than 16,000 treasury and finance professionals. Headquartered in Bethesda, MD, AFP provides members with breaking news, economic research and data on the evolving world of treasury and finance, as well as world-class treasury certification programs, networking events, financial analytical tools, training, and public policy representation to legislators and regulators. AFP is the daily resource for treasury and finance professionals.

AFP’s global reach extends to over 150,000 treasury and financial professionals worldwide, including AFP of Canada; London-based AFP’s gtnews, an on-line resource for the treasury and finance community; and bobsguide, a financial IT solutions network.