Equifax Announces Comprehensive Consumer Settlement Arising From 2017 Cybersecurity Incident

Jul 22, 2019

Agreements Establish Restitution Fund for Consumers

ATLANTA, July 22, 2019 /PRNewswire/ — Equifax Inc. (NYSE: EFX) today announced a comprehensive resolution of significant U.S. consumer-related litigation and regulatory matters facing the company related to its 2017 cybersecurity incident. 


The $671 million resolution includes settlement agreements that would resolve the multi-district consumer class action litigation, as well as investigations by the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), the Attorneys General of 48 states, Puerto Rico and the District of Columbia, and the New York Department of Financial Services (NYDFS).

If approved by the Court, a consumer restitution fund of up to $425 million will be available to pay for three-bureau credit monitoring for consumers whose information was impacted in the 2017 breach, actual out-of-pocket losses related to the breach, and other consumer benefits such as identity restoration services. Equifax has been providing free credit monitoring services to consumers since September 2017.

“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” said Equifax Chief Executive Officer, Mark W. Begor. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter. We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.”

As part of the resolution, Equifax has agreed to continue the significant steps it has taken in the wake of the cybersecurity incident to enhance its information security and technology program. It also has agreed to make payments totaling $290.5 million directly to certain state and federal regulatory agencies and to pay attorneys’ fees and costs in the multi-district litigation. Equifax recorded an accrual of $690 million in the first quarter of 2019 and expects to increase its accrual by approximately $11 million in the second quarter of 2019 principally related to the comprehensive consumer settlement, resulting in a total $701 million accrual related to the 2017 cybersecurity incident.

If the Court approves, members of the settlement class will receive notification of their rights and options as part of the multi-district litigation. More information can be found at www.equifaxbreachsettlement.com.

Additional detail on the terms of the proposed settlement is available in our Form 8-K filed today with the Securities and Exchange Commission.

Equifax CEO Mark Begor will provide details in the following conference calls:

  • 9:00 a.m. ET Conference call for investors, analysts and others
    U.S. and Canadian participants should dial: (888) 254-3590.
    International callers should dial: (786) 789-4797. 
    A replay of this conference call will be available beginning Monday, July 22 at 12:00 p.m. ET and ending at 12:00 p.m. ET on Monday, July 29.  To access the replay, please register.
  • 9:30 a.m. ET Conference call for media
    U.S. and Canadian participants should dial: (800) 289-0438. International callers should dial: (786) 789-4783.

Please dial the appropriate number 5-10 minutes prior to the start of the calls to complete registration. Name and affiliation/company are required to join.

Forward-Looking Statements

This release contains forward-looking statements and forward-looking information. These statements can be identified by expressions of belief, expectation or intention, as well as statements that are not historical fact. These statements are based on certain factors and assumptions. While the company believes these factors and assumptions to be reasonable based on information currently available, they may prove to be incorrect.

Several factors could cause actual results to differ materially from those expressed or implied in the forward-looking statements, including, but not limited to, potential adverse developments in new and pending legal proceedings or government investigations, including the failure to obtain final court approval of the agreements which make up the Consumer Settlement; uncertainties regarding the ultimate amount and timing of payments the Company may be required to make in connection with the Consumer Settlement; the cost of compliance with the Company’s non-monetary obligations associated with the Consumer Settlement; uncertainties regarding the outcome of the remaining legal proceedings or government investigations related to the 2017 cybersecurity incident; and limitations on the Company’s ability to access the capital markets and corresponding effects on the Company’s ability to finance its obligations. A summary of additional risks and uncertainties can be found in the Company’s Annual Report on Form 10-K for the year ended December 31, 2018, including without limitation under the captions “Item 1. Business — Governmental Regulation” and “— Forward-Looking Statements” and “Item 1A. Risk Factors,” and in the Company’s other filings with the U.S. Securities and Exchange Commission. Forward-looking statements are given only as at the date of this release and the company disclaims any obligation to update or revise the forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law.

About Equifax 
Equifax is a global data, analytics, and technology company and believes knowledge drives progress. The Company blends unique data, analytics, and technology with a passion for serving customers globally, to create insights that power decisions to move people forward. Headquartered in Atlanta, Equifax operates or has investments in 24 countries in North America, Central and South America, Europe and the Asia Pacific region. It is a member of Standard & Poor’s (S&P) 500® Index, and its common stock is traded on the New York Stock Exchange (NYSE) under the symbol EFX. Equifax employs approximately 11,000 employees worldwide. For more information, visit Equifax.com and follow the company’s news on Twitter and LinkedIn.

Brighterion and Elavon to Fight Fraud with Artificial Intelligence

Leading AI capabilities deliver more sophisticated and efficient fraud protection

SAN FRANCISCO and ATLANTA, July 09, 2019 – While the global implementation of EMV chip technology has reduced fraud activity for card payments, the payments ecosystem is still battling the threat of new and emerging fraud payment schemes online. Brighterion, a Mastercard company, and Elavon, a global payments provider and subsidiary of U.S. Bank, have announced they will work together to integrate Brighterion’s advanced artificial intelligence (AI) platform into Elavon’s network to minimize fraud and manage risk.

“The explosion of ecommerce has been matched with a rise in digital fraud,” said Ajay Bhalla, president, cyber & intelligence at Mastercard. “AI has proven itself critical in managing the complexities of today’s evolving world. We’re pleased to collaborate with Elavon as they take a leadership role in fighting fraud in the industry.”

With the ability to analyze nearly 100 billion transactions annually, Brighterion will enable Elavon to better discover and identify transaction anomalies, which helps mitigate risk and maintain the integrity of Elavon’s global systems.

“The increasing sophistication of fraudsters demands smarter, more nimble and innovative fraud tools that allow us to stay one step ahead,” said Tim Miller, senior vice president, global credit and risk, Elavon. “We look forward to bringing the strength and flexibility of Brighterion’s AI platform to our fight against fraud.”

In addition to Brighterion’s AI capabilities, Mastercard’s AI and machine learning technologies, such as AI Express, provide real-time intelligence across data sources regardless of type, complexity or volume. AI Express helps companies develop a tailored AI model and was designed to help address key business priorities, including anti-money laundering, fraud risk management, cyber security, credit risk prediction and operational efficiencies.

“Banks, processors and large merchants are rapidly adopting advanced machine learning technologies to combat fraud,” said Julie Conroy, research director for Aite Group’s Fraud and AML practice. “Our research shows that these technologies provide substantial lift in fraud detection compared to legacy rules-based systems, while at the same time reducing the false positives that can be so detrimental to the customer experience.”

The companies will work with merchants in the United States, Europe and Latin America to incorporate fraud monitoring into their systems.

About Brighterion, Inc.

Brighterion, a Mastercard company, was founded in 2000 and acquired by Mastercard in 2017. We deliver a leading artificial intelligence and machine learning platform that provides real-time mission critical intelligence from any data source, regardless of type, complexity or volume. Our AI solution secures billions of transactions monthly and is used and trusted by many of the world’s leading organizations and governments in payments, compliance, financial markets, security and defense, healthcare, Internet of Things, marketing and more. Currently we serve 74 out of 100 of the largest U.S. banks and more than 2,000 customers worldwide, analyzing nearly 100 billion transactions annually.

About Elavon

Elavon provides end-to-end payment processing solutions and services to more than 1.3 million customers in the United States, Europe, Canada, Mexico, and Puerto Rico. As the leading provider for airlines and a top five provider in hospitality, healthcare, retail, and public sector/education, Elavon’s innovative payment solutions are designed to solve pain points for businesses from small to enterprise-sized.

Magento mandatory upgrade for PCI Compliance

Merchants must replace Magento version 2.1.x in summer 2019. The Magento 2.1.18 software release marks the final supported software release for Magento version 2.1.x. As of June 30, 2019, Magento 2.1.x will no longer receive security updates or product quality fixes now that its support window has expired.

PCI compliance requires the installation of critical software security patches within 30 days. When a software or related service provider no longer offers security patches, then merchants must replace or upgrade within 30 days. This is the same reason merchants using Microsoft Windows XP would not be PCI compliant.

I previously reported the Magento vulnerabilities and patch requirements in April 2019. Merchants should not rely on their business partners to automatically perform updates. Here’s a handy web site to check your Magento version now.

Now is a great time to also do a payment gateway checkup.

Call Christine Speedy, PCI Council QIR certified, to reduce merchant fees with new or existing merchant account at 954-942-0483, 9-5 ET.

EMVCo Launches EMV 3-D Secure 2.2.0 Testing Programme

Confirms that EMV 3-D Secure products support merchant whitelisting functionality and authentication of additional e-commerce payment scenarios.

25 June 2019 – EMVCo has updated the EMV® 3-D Secure (EMV 3DS) Testing Programme which includes test platform and process updates to support the EMV 3DS 2.2.0 Core Specification and EMV 3DS 2.2.0 SDK Specification released in December 2018.

Using the EMV 3DS Test Platform, EMV 3DS product providers can validate that their products support all the enhancements introduced in EMV 3DS 2.2.0, such as the exemptions to Strong Consumer Authentication (SCA) for the European Second Payment Services Directive (PSD2). Additionally, the test platform will also validate support for FIDO enhancements, and authentication for new payment scenarios, such as mail order and telephone purchase transactions.

“Testing and approving 3DS products using the EMV 3DS Test Platform provides the industry with confidence that 3DS products are aligned with the EMV 3DS specifications to ensure delivery of effective and convenient e-commerce authentication,” comments Karteek Patel, EMVCo Executive Committee Chair. “Our specifications and testing frameworks can’t be static. EMVCo works with industry experts to ensure the 3DS infrastructure supports the latest requirements of e-commerce stakeholders.”


EMVCo’s EMV 3DS Testing Programme, launched in August 2018, has approved more than 100 3DS products to date. This update to the Test Platform references additional features for merchants and issuers to maximise the benefit of the available SCA exemptions, including the ability of a consumer to whitelist a merchant.

EMV 3DS is a messaging protocol that promotes secure, frictionless consumer authentication for card-not-present, e-commerce purchases across channels and connected devices. To learn more about EMV 3DS, please read the FAQ that is available for download from the EMVCo website.

EBA publishes an Opinion on the elements of strong customer authentication under PSD2

The European Banking Authority (EBA) published today an Opinion on the elements of strong customer authentication (SCA) under the revised Payment Services Directive (PSD2). The Opinion is a response to continued queries from market actors as to which authentication approaches the EBA considers to be compliant with SCA. The Opinion also addresses concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements that apply as of 14 September 2019.

Today’s Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant. The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.

The Opinion also responds to the concerns about market preparedness, by clarifying that the EBA is legally not able to postpone an application date that is set out in EU law. The Opinion also explains that sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in 2015, which gave clear indications that existing authentication approaches would need to be phased out, and because PSD2 already granted an additional 18-month period for the industry to implement SCA.

However, the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers (PSPs) and, therefore, not directly subject to PSD2 and the EBA’s technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September 2019.  

The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time. This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.

This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner.

In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.

Background

The revised Payment Services Directive was published in November 2015, entered into force on 13 January 2016 and applies since 13 January 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.

SCA is defined in the Directive as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.” The Directive also provides that SCA is to be applied to all electronic payments, unless one of the exemptions applies.

The EBA had been mandated to support the Directive by developing regulatory technical standards (RTS) setting out the details on strong customer authentication and common and secure communication (RTS on SCA and CSC), including its exemptions, and to regulate the access to customer payment account data held in account servicing payment service providers.

The RTS were developed in 2015/16, consulted on during 2016/17, adopted as Commission Delegated Regulation (EU) 2018/389 on 27 November 2017, published in the Official Journal on 13 March 2018, and will legally apply from 14 September 2019. The RTS deliberately refrains from referring to any particular authentication approaches in the industry, in order to ensure that the RTS remains technology neutral and future-proof.

Legal basis

The EBA issued the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.